From: stephane.nasdrovisky at paradigmo.com (stephane nasdrovisky)
Subject: Re: Fwd: Re: FullDisclosure: Security aspects of
 time synchronization infrastructure

gadgeteer@...gantinnovations.org wrote:

>>Depending upon the criticality of the time sensitive applications on
>>the network, you might want to reconsider the use of "radio clocks"
>>and especially "GPS clocks". 
>>    
>>
>[...]
>
>For a fixed installation detecting if someone is dinking the gps signal
>is trivial.  The unit starts thinking it is not in Kansas anymore.
>  
>
As far as I can remember, the GPS is not accurate ... during US raids 
(i.e. against Iraq) I could not tell if time is affected or if it only 
reduces the precision over the location (50-20 meters during normal 
operation, 100-1000 meters during raids). Anyway, I use a couple of 
internet & free NTP services (my ISP, some European & US labs, ...). If 
all the servers are compromised, I am too (as far as time and I are 
concerned, I want my whole network to be synchronized, I don't really 
care for the real time; before configuring a remote NTP server, there 
was only a 'virtual' time (my watch), which was enough for my logs); if 
only a few are, I can see there's a difference in the timing they 
provide (which, anyway, I don't care about).

In Germany (which means anywhere between Spain and Russia), there is an 
official radio clock (known as DCF-77) which does not suffer the GPS 
limitation (this is not a military toy).  As an official clock (used for 
syncing administrations, parking payments, ...) it has to be up and 
give the official accurate time 24-7. You (or at least I) can be 
confident with this time. Unfortunately, most receivers do not work in 
machine rooms (too much ecm noise, sometimes the building is 
radio-protected, ...); you have to put your receivers (yes, one is not to 
be considered reliable) out of your building!

These radio clocks are easier to corrupt than GPS (plain old FM against 
spread spectrum)... I never faced any real time-critical project, so for 
me (and I guess most admins), even the worst solution (internet NTP) is 
more than enough right now (it may change in the future).

Anyway, if you consider this kind of solution (internet NTP), do not 
forget ACLs on your routers/firewalls, use a single/cluster NTP server 
for syncing your network, do not let multiple servers sync with the 
internet NTP.
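
The cross-check mentioned in the message above (several Internet NTP sources, noticing when a few of them differ) can be automated. The following is an added example, not part of the original post; it generalizes the idea using Marzullo's interval-agreement algorithm, and the source labels, offsets and error bounds are constructed sample values.

```python
from typing import NamedTuple, Optional

class Sample(NamedTuple):
    source: str      # constructed label, not a real server name
    offset_ms: int   # measured offset of the local clock against this source
    error_ms: int    # error bound, e.g. half the round-trip delay

def agreeing_interval(samples):
    """Marzullo's algorithm: (count, lo, hi) of the interval most sources cover."""
    edges = []
    for s in samples:
        edges.append((s.offset_ms - s.error_ms, -1))  # interval opens
        edges.append((s.offset_ms + s.error_ms, +1))  # interval closes
    edges.sort()  # at equal values an opening sorts before a closing
    best = count = 0
    lo = hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, lo, hi = count, value, edges[i + 1][0]
    return best, lo, hi

def cross_check(samples) -> Optional[dict]:
    """Return consensus offset and outlying sources, or None without a majority."""
    best, lo, hi = agreeing_interval(samples)
    if best < len(samples) // 2 + 1:
        return None  # no majority agrees: trust none of them, raise an alert
    suspects = [s.source for s in samples
                if s.offset_ms + s.error_ms < lo or s.offset_ms - s.error_ms > hi]
    return {"offset_ms": (lo + hi) / 2, "agreeing": best, "suspects": suspects}

# Constructed measurements: three sources roughly agree, one is 2.5 s off.
SAMPLES = [
    Sample("isp", 12, 20),
    Sample("lab-eu", 8, 15),
    Sample("lab-us", 15, 40),
    Sample("odd-one", 2500, 30),
]

if __name__ == "__main__":
    print(cross_check(SAMPLES))
```

A source listed under "suspects" lies entirely outside the interval the majority agrees on; a result of None means no majority exists and the time should not be trusted at all.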