[ntp:hackers] Workflow and issues surrounding security issues with NTP

todd glassey tglassey at earthlink.net
Sat Aug 26 00:05:49 UTC 2006


Here is what I suggest Harlan and David -

    1)     That ALL individuals working in the NTP effort execute
Hold-harmless agreements. And that a Hold-Harmless agreement is placed in
the License for the Code and that it is propagated as a compiled ASCII
String in the actual executable. This way the Code is branded permanently
inside the executable.

    2)    That all of the partnering companies also sign an agreement to
hold the NTP development team harmless for anything done in extending,
supporting, or characterizing NTP which opens or illustrates security
liabilities already existing in the Partnering Company's products.

    3)    That there is also a very clear statement that any and all
security issues with NTP and its packaging are the
distributor/reseller/vendor's responsibility to address. And that like #1 it
also is encoded into the executable.

    4)    The NTP.ORG upper management team may also want to consider this -
that it have Cignacert or one of the other branding companies that work with
NIST to start a program for branding the code.

This might even include you Judah - Wyatt Starnes the CEO of Cignacert is
part of Hratch S's team of advisors so it would make sense for NIST to use
them for certifying the NIST NTP footprint.

None of this of course applies to the USNO or NIST instances of NTP because
they already belong to the people as it were.

Just my two cents as a lay guy.

T.
----- Original Message ----- 
From: "todd glassey" <tglassey at earthlink.net>
To: "Hal Murray" <hmurray at suespammers.org>; "Harlan Stenn"
<stenn at ntp.isc.org>
Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
<mills at udel.edu>
Sent: Friday, August 25, 2006 4:29 PM
Subject: Re: [ntp:hackers] Workflow and issues surrounding security
issues with NTP


> Harlan - while these are noble ideas there is a commercial and fiduciary
> liability that is created by much of what was discussed here.
> Unfortunately when you emerge from a Public Access type Org as the NTP Org
> is, this creates IMHO some serious liabilities by pulling services that
> people are already dependent on away from them.
>
> ----- Original Message ----- 
> From: "Harlan Stenn" <stenn at ntp.isc.org>
> To: "Hal Murray" <hmurray at suespammers.org>
> Cc: "Harlan Stenn" <stenn at ntp.isc.org>; <hackers at ntp.isc.org>;
> <mills at udel.edu>
> Sent: Friday, August 25, 2006 2:56 PM
> Subject: Re: [ntp:hackers] Workflow and issues surrounding security
> issues with NTP
>
>
> > > > Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
> > > > greatly appreciated.
> > >
> > > I assume the big picture is to minimize publicity for an exploit until
> > > it gets fixed.
> >
> > Yes.
>
> This may have legal implications where there is a warranty of fitness or
> not in the license.
>
> >
> > > How many vendors have a copy of the sources that they modify and/or
> > > distribute?  Is there any way to contact them?  If not, it might be a
> > > good idea to collect a list of people to contact.
> >
> > At the moment, whoever is working on the bug works with whoever reported
> > the bug and when a fix is ready we publish it.
>
> The problem is that the Vendors all rely on your testing of the product
> and that is what possibly creates the enduring liability no matter what
> you want to say about it.
>
> >
> > For better or worse, to my knowledge we have had >1< CERT report
> > involving a string overflow with ntpq (or was it ntpdc), and no exploit
> > was ever demonstrated.
> >
> > We have been cleaning up some similar overflow/overrun issues as they
> > are discovered.
> >
> > We have been fortunate enough to not have to deal with any significant
> > security issues, but I want to be prepared in case one shows up.
>
> You may be legally speaking better off not addressing the security issues
> at all and claiming that they are the responsibility of those using the
> Code to address and if this is made as a decision - the license language
> for the use of the code base must reflect this IMHO
>
> >
> > I am working on exploring the creation of an "NTP Forum", where
> > membership in the group would allow for:
> >
> > - setting product direction and feature priorities
>
> Unless you are planning on assuming liability for pulling the rug out from
> under someone then this may be an issue. There should at least be a
> Hold-Harmless Agreement that one is required to have their Sponsors and
> their execution of prior to playing in this sandbox. This is not meant to
> be nasty - just to protect everyone.
>
> > - early security vulnerability notices and patch releases
>
> This is a real liability since it creates a dependency which, if it's
> ever pulled out from under a relying party, will cause more than $5000 in
> damage making the NTP.ISC.ORG quite suable in both State and Federal
> Courts under the Computer Fraud and Abuse Act.
>
> You will initially probably disagree - but in fact I am right here I bet.
>
> > - 3rd line support for integration and complicated customer issues
>
> This is a nightmare because support means liability.
>
> > - Possibly limiting non-release-candidate development releases to this
> >   group
>
> Since you haven't started out that way changing now will also violate the
> expectations of people relying on these now. Again a liability.
>
> > - priority bug fixes
> > - direct access to developers on a priority basis to discuss strategy
> >   and assist in deployment planning
>
> This is a commercial service and that means Liability in spades.
>
> > - direct input to further release planning
> >
> > Please note this is a preliminary list, and >IF< this group is created
> > the above list is merely the starting point.
> >
> > I also expect there will be different "membership levels" for the group,
> > and for certain "higher" membership/benefit levels it will cost money
> > for commercial (not freeware) organizations to join.  There will also be
> > a very useful number of membership levels that will not cost money.
> >
> > If you reply to this message with information about the Subject: thread,
> > great.  If you reply to this message with information about the NTP
> > Forum thread, please change the Subject: accordingly.
> >
> > H
> > _______________________________________________
> > hackers mailing list
> > hackers at support.ntp.org
> > https://support.ntp.org/mailman/listinfo/hackers
>