lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: eli at typhoon.xnet.com (Robert Brown)
Subject: Re: Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure

gadgeteer@...gantinnovations.org writes:
 > On Fri, Aug 20, 2004 at 10:26:08AM +0400, 3APA3A (3APA3A@...URITY.NNOV.RU) wrote:
 > [...]
 > > you state:
 > > 
 > >     If there is a host with reliable time on the network (that is host
 > >     synchronized with some hardware source, like radio clocks, cesium
 > >     clocks, GPS clocks, etc) - whole network will be finally, after some
 > >     time, synchronized with this host.
 > > 
 > > Depending upon the criticality of the time sensitive applications on
 > > the network, you might want to reconsider the use of "radio clocks"
 > > and especially "GPS clocks".  These time sources are also subject to
 > > attacks.  Any free air broadcast is subject to jamming.  This is
 > > essentially a DoS.  Spoofing to provide incorrect time signal is also
 > > possible with free air broadcast, but less easy to do.
 > [...]
 > 
 > For a fixed installation detecting if someone is dinking the gps signal
 > is trivial.  The unit starts thinking it is not in Kansas anymore.
 > -- 
 > Chief Gadgeteer
 > Elegant Innovations
 > 

That's fine as long as your time receiver actually interprets
locations also.  I have seen GPS time signal receivers that only
extract the time, not the locaation.  These receivers do not know or
care where they are; they just want to know what time it is.

Also, what about a GPS time receiver on a moving vehicle, such as a
ship at sea?  They would not necessarily know that the location
information was wrong, unles they also had other means of determining
location.  Besides, it might only be *SLIGHTLY* wrong, but wrong
enough to cause the time signal to be off enough to cause the
application to produce erroneous results.  It all depends on the
application. 

-- 
--------  "And there came a writing to him from Elijah"  [2Ch 21:12]  --------
R. J. Brown III  rj@...labs.com http://www.elilabs.com/~rj  voice 859 567-7311
Elijah Laboratories Inc.    P. O. Box 166, Warsaw KY 41095    fax 859 567-7311
-----  M o d e l i n g   t h e   M e t h o d s   o f   t h e   M i n d  ------


Powered by blists - more mailing lists