[arch-general] Leap seconds ntp and chrony?

Kevin Chadwick ma1l1ists at yahoo.co.uk
Wed Jul 4 07:05:18 EDT 2012


> > I think I've been quite clear, similar to negative coding.  
> 
> You haven't, similar to people spreading FUD.
> 
> Feel free to share your deep knowledge and thorough understanding of NTP
> with us ignorants by contributing to this neat little project you might
> have heard of, Wikipedia:
> 
> 	http://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns
> 

Funny how people read what they will. I guess you haven't looked up
negative coding. What I mean by similar to is if it doesn't benefit you,
you will have fewer bugs and a more stable and secure system by reducing
code usage. Therefore I wouldn't even need to know about NTP details,
or the work of some very clever people who have looked at the details to
make the right choice for me. Some security books say code reduction is
pointless, I guess ROP attacks have put a pin in that but aside from
ROP it has served me very well. Disabling IPv6 for example. One of
about the two remote root exploits (so far) for OpenBSD was in IPv6
ages ago and more recently this.

http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf

I guess I regurgitate too many thoughts at once without enough
explanation. I wish I hadn't mentioned the alternative that would
certainly not negatively affect most users now. Who knows maybe the bug
fix will break something too. Though I'm sure they will test very well
considering.


> > OpenBSD has a security measure called securelevel which if raised from
> > one to two prevents even root setting the clock backwards or near
> > overflow as this can have consequences for the entropy pool. They also
> > put in place measures to reduce client time leakage. The obvious point
> > I ignored is network exploits as clock adjustment is a root process,
> > which is why OpenBSD implements privilege separation and chroot.
> 
> So what? You want to switch to OpenBSD? Please do.

I use OpenBSD more than Arch actually, almost entirely for servers.

-- 
________________________________________________________

 Why not do something good every day and install BOINC.
________________________________________________________
