Network Time Protocol updated to spook-harden user comms

The Internet Engineering Task Force has taken another small step in protecting everybody's privacy – this time, in making the Network Time Protocol a bit less spaffy. This Internet Draft, published last week, calls for changes in Network Time Protocol (NTP) clients – and devs will be pleased to hear it won't be that difficult …
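
An added example, not code from the article or from the IETF draft it reports on: a chatty NTPv4 client request beside a data-minimized one, with the origin-timestamp check that still works once the transmit timestamp is a random nonce. The article does not list which header fields the draft wants zeroed; the field list below is my reading of the draft and is stated as an assumption in the code. The server reply, the upstream address 10.0.0.1 and all timestamps are constructed for the example.

```python
"""NTPv4 client requests: a chatty client beside a data-minimized one, plus the
reply check that still works once the transmit timestamp is a random nonce."""
import struct

NTP_HEADER = "!BBbbII4sQQQQ"      # 48-byte NTPv4 header, network byte order
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
FIELDS = ("li_vn_mode", "stratum", "poll", "precision", "root_delay",
          "root_dispersion", "ref_id", "ref_ts", "orig_ts", "recv_ts", "xmit_ts")
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int(round((unix_seconds - int(unix_seconds)) * (1 << 32)))
    return ((secs << 32) | frac) & 0xFFFFFFFFFFFFFFFF


def to_unix(ntp_ts: int) -> float:
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def parse(packet: bytes) -> dict:
    return dict(zip(FIELDS, struct.unpack(NTP_HEADER, packet[:48])))


def chatty_request(now: float, upstream_ipv4: bytes, last_sync: float) -> bytes:
    """Traditional client request: the client copies its own clock state into the header."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT          # LI=0, VN=4, mode 3
    return struct.pack(NTP_HEADER, li_vn_mode,
                       2,                        # stratum: distance from a reference clock
                       6,                        # poll 2^6 s: reveals the client's schedule
                       -20,                      # precision: fingerprints OS/implementation
                       0x00000123, 0x00000456,   # root delay / dispersion of the client's sync
                       upstream_ipv4,            # reference ID: which server it last synced to
                       to_ntp(last_sync),        # reference timestamp: when that happened
                       0, 0,                     # origin / receive: unused in a client request
                       to_ntp(now))              # transmit: the client's real wall clock


def minimized_request(nonce: bytes) -> bytes:
    """Data-minimized request. ASSUMPTION (my reading of the draft, not quoted from the
    article): everything except LI/VN/mode is zero and the transmit timestamp is random."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 64 bits")
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return struct.pack(NTP_HEADER, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, int.from_bytes(nonce, "big"))


def leaked_fields(packet: bytes) -> list:
    """Header fields, other than LI/VN/mode and the transmit timestamp, that carry data."""
    p = parse(packet)
    return [name for name in FIELDS[1:-1] if p[name] not in (0, b"\0\0\0\0")]


def server_reply(request: bytes, recv_time: float, xmit_time: float) -> bytes:
    """CONSTRUCTED mode-4 reply: a server echoes the client's transmit timestamp as origin."""
    req = parse(request)
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(NTP_HEADER, li_vn_mode, 1, 6, -23, 0, 0x10, b"GPS\0",
                       to_ntp(recv_time - 16), req["xmit_ts"],
                       to_ntp(recv_time), to_ntp(xmit_time))


def clock_offset(nonce: bytes, t1: float, reply: bytes, t4: float):
    """RFC 5905 offset ((T2-T1)+(T3-T4))/2. The client keeps T1 locally instead of
    reading it back from the origin field, so the nonce costs nothing, and the origin
    check still rejects replies this request did not solicit (returns None)."""
    rep = parse(reply)
    if (rep["li_vn_mode"] & 0x07) != MODE_SERVER or rep["orig_ts"] != int.from_bytes(nonce, "big"):
        return None
    t2, t3 = to_unix(rep["recv_ts"]), to_unix(rep["xmit_ts"])
    return ((t2 - t1) + (t3 - t4)) / 2


if __name__ == "__main__":
    import os
    nonce = os.urandom(8)
    req = minimized_request(nonce)
    print("chatty leaks:", leaked_fields(chatty_request(1.5e9, b"\x0a\x00\x00\x01", 1.5e9 - 1000)))
    print("minimized leaks:", leaked_fields(req))
    rep = server_reply(req, 1005.0, 1005.0)          # server clock 5 s ahead of the client
    print("offset:", clock_offset(nonce, 1000.0, rep, 1002.0))
```

The point of `clock_offset` is the practitioner's worry raised in the comments: a client that stops putting its real clock in the transmit field must remember T1 itself, and any server that was reading meaning into the client's stratum, reference ID or poll fields will now see zeros.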

  1. John Smith 19 Gold badge
    Thumb Up

    Probably more of an inconvenience to govt snoopers than criminals

    Good.

    Although I think from a sysadmin's PoV there's no real difference. They're all information thieves in the end. Their motivation is irrelevant ("We were trained to do it, encouraged to do it and in the end we got to like it," as a former govt contractor might have put it).

    It'll be interesting if, when this is implemented someone's server code is broken because they have been using the return fields (I'm looking at you MS) and some developer has been "clever."

  2. Adam 1

    Can we kill off monlist while we're at it? Why does the protocol need a way to forge a flood of UDP traffic to the IP address of choice from an unauthenticated user?

    1. Anonymous Coward
      Anonymous Coward

      monlist = so much Grey Data.

      Very odd that monlist even exists in a production environment. Even mentioning the word is the equivalent of finding a new hidden door, behind which is hidden treasure to cause havoc/snoop. Little details that have big consequences, that few know about. Can't see it being killed off anytime soon, too valuable to those in the know.

  3. sitta_europea Silver badge

    Be patient. The mrulist command replaced monlist but has only been available for seven years:

    https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
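
An added example for the monlist discussion in the three comments above; it is not code from the article or from ntpd. It builds the 8-byte mode 7 MON_GETLIST_1 probe, decodes the 72-byte `info_monitor_1` entries a vulnerable server returns (the structure layout is taken from ntpd's `ntp_request.h`), and computes the byte amplification. The reply packets, the client addresses in 192.0.2.0/24 and the server address 198.51.100.1 are constructed for the example; nothing here talks to a network.

```python
"""ntpd mode 7 'monlist' (MON_GETLIST_1): the probe, a decoder for the reply, and the
amplification ratio it produces."""
import struct
from ipaddress import IPv4Address

MODE7_HDR = "!BBBBHH"   # R|M|VN|Mode, A|Seq, Implementation, ReqCode, Err|Count, MBZ|Size
MON_ENTRY = "!IIIIIIIHBBII16s16s"     # struct info_monitor_1 (ntp_request.h), 72 bytes
MON_ENTRY_SIZE = struct.calcsize(MON_ENTRY)
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
ENTRIES_PER_PACKET = 6    # 8 + 6 * 72 = 440 bytes per reply packet, up to 100 packets


def monlist_probe() -> bytes:
    """The 8-byte request: R=0, M=0, version 2, mode 7, implementation 3, request code 42."""
    return struct.pack(MODE7_HDR, (2 << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_response(clients, seq: int, more: bool) -> bytes:
    """CONSTRUCTED reply carrying (client_ip, port, packet_count) entries; no real server."""
    body = b"".join(
        struct.pack(MON_ENTRY,
                    100, 50,                            # seconds since last/first packet seen
                    0, count,                           # restrict bits, packets received
                    int(IPv4Address(ip)),               # the client that talked to this server
                    int(IPv4Address("198.51.100.1")),   # local address it talked to
                    0, port, 3, 4,                      # flags, source port, mode, version
                    0, 0, b"\0" * 16, b"\0" * 16)       # v6 flag, padding, v6 addresses
        for ip, port, count in clients)
    rm_vn_mode = (1 << 7) | (int(more) << 6) | (2 << 3) | 7    # response bit, more bit
    hdr = struct.pack(MODE7_HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients) & 0x0FFF, MON_ENTRY_SIZE & 0x0FFF)
    return hdr + body


def is_monlist_response(pkt: bytes) -> bool:
    """Detection check for a monlist reply on the wire: mode 7 with the response bit set
    and request code 42. Seeing these leave your network means a server is abusable."""
    if len(pkt) < 8:
        return False
    rm_vn_mode, _, _, reqcode, _, _ = struct.unpack(MODE7_HDR, pkt[:8])
    return (rm_vn_mode & 0x07) == 7 and bool(rm_vn_mode & 0x80) and reqcode == REQ_MON_GETLIST_1


def decode_monlist_response(pkt: bytes) -> dict:
    """Pull out what the reply discloses: every recent client address, port and count."""
    rm_vn_mode, auth_seq, _, _, err_count, mbz_size = struct.unpack(MODE7_HDR, pkt[:8])
    count, size = err_count & 0x0FFF, mbz_size & 0x0FFF
    if size != MON_ENTRY_SIZE or len(pkt) < 8 + count * size:
        raise ValueError("not an info_monitor_1 list")
    entries = []
    for i in range(count):
        f = struct.unpack(MON_ENTRY, pkt[8 + i * size: 8 + (i + 1) * size])
        entries.append({"client": str(IPv4Address(f[4])), "port": f[7],
                        "packets": f[3], "mode": f[8], "version": f[9]})
    return {"more": bool(rm_vn_mode & 0x40), "seq": auth_seq & 0x7F,
            "error": err_count >> 12, "entries": entries}


def amplification(request: bytes, responses) -> float:
    """Bytes returned per byte sent: what the reflector hands an attacker who spoofed
    the source address."""
    return sum(len(r) for r in responses) / len(request)


def sample_exchange():
    """CONSTRUCTED exchange: 12 recent clients, so the reply spans two 440-byte packets."""
    clients = [("192.0.2.%d" % i, 123, 10 * i) for i in range(1, 13)]
    chunks = [clients[i:i + ENTRIES_PER_PACKET]
              for i in range(0, len(clients), ENTRIES_PER_PACKET)]
    responses = [build_response(chunk, seq, more=(seq < len(chunks) - 1))
                 for seq, chunk in enumerate(chunks)]
    return monlist_probe(), responses


if __name__ == "__main__":
    probe, responses = sample_exchange()
    print("probe:", probe.hex(), "->", [len(r) for r in responses], "bytes,",
          "x%.0f amplification" % amplification(probe, responses))
    for r in responses:
        for e in decode_monlist_response(r)["entries"]:
            print("  disclosed client", e["client"], "port", e["port"], "packets", e["packets"])
```

Two things the decoder makes concrete: the reply answers 8 bytes with up to 100 packets of 440 bytes, which is the reflection problem, and each entry names a client that recently used the server, which is the "grey data" problem. The mitigation the linked Cloudflare post gives is to upgrade ntpd or put `disable monitor` (or `restrict default noquery`) in ntp.conf; sending `monlist_probe()` at your own server and checking `is_monlist_response` on whatever comes back is a cheap way to confirm the change took.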

  4. Doctor_Wibble
    Windows

    Conspiracy!

    They announce this after the weekend where a couple of my machines mysteriously had different times on them, by at least a minute? Weirdly the external ntp servers were fine when I checked and there's no indication of when the clocks here diverged.

    They were correct on Thursday* but not on Friday, obviously there is no such thing as coincidence, therefore the thing that caused this also caused the BA system outage and I am privileged to be able to say my network is at least as good as a multinational airline's setup.

    * possibly, I'm reasonably sure I looked...

    1. Dazed and Confused

      Re: Conspiracy!

      Could be that you just rely on BA to fly in your NTP packets for you.

      1. Doctor_Wibble
        Facepalm

        Re: Conspiracy!

        It was my flashy modern tech update from RFC1149...

  5. John Smith 19 Gold badge
    Unhappy

    I suspect NTP has been one of those protocols that "just worked"

    So people have been slow to upgrade to current versions.

    And when they have they have used default configuration.

    "Monlist" sounds like one of those commands that should only be accessible to internal server sysadmins.

  6. Woza
    Coat

    It's about

    time!

  7. Version 1.0 Silver badge

    Good Example!

    Let's learn from this - we need a rewrite for most of the Internet, it was created in a friendly environment where we all trusted each other - those days are long gone. All communications need to be inspected to ensure these sorts of information leaks are removed and then encrypted - preferably in a way that allows multiple methods so that as each encryption fails (and they all will eventually) it can be transparently replaced.

    Only then will we be able to think that we might (just possibly) be safe.

  8. John Smith 19 Gold badge

    "Only then will we be able to think that we might (just possibly) be safe."

    No.

    Either set a key length that's a long way in the future or arrange for an upgrade path that lets you gradually increase it.

    In the 1970s DES, at around 50 bits, was "long" by the standards of the time, if you didn't have access to nation-state-level funding to design custom hardware (which the NSA did). By the end of the 80s it was shaky at best. It was only when the EFF actually designed and fabricated a "DES Cracker" chip and showed how to build a machine to run an array of them (late 90s) that the NSA (which is also responsible for USG comms security) admitted that it was vulnerable and the search for a replacement started.
