
SoylentNews is people

posted by martyb on Thursday October 22 2015, @10:44PM
from the does-anyone-really-know-what-time-it-is? dept.

http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/

Ars Technica reports on a vulnerability in which unencrypted Network Time Protocol (NTP) traffic can be exploited by man-in-the-middle attacks to arbitrarily set the time on computers, causing general chaos and/or enabling other attacks, such as exploiting expired HTTPS certificates.

While NTP clients have features to prevent drastic time changes, such as setting the date to ten years in the past, the paper on the attacks presents various methods for bypassing these protections.

A PDF of the report is available.
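The kind of client-side protection the summary mentions, as an added example that is not code from the article, the paper or any NTP implementation: it decodes a server reply, computes the standard NTP clock offset and refuses a step larger than a panic threshold. The function names and the sample packets are constructed for illustration; the 1000-second value is ntpd's default panic threshold.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PANIC_THRESHOLD = 1000.0       # seconds; ntpd's default panic threshold

def ntp_to_unix(sec, frac):
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def parse_reply(pkt):
    """Decode the header fields of a 48-byte NTP packet needed for sanity checks."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    o_s, o_f, r_s, r_f, t_s, t_f = struct.unpack("!6I", pkt[24:48])
    return {"leap": pkt[0] >> 6, "mode": pkt[0] & 7, "stratum": pkt[1],
            "origin": ntp_to_unix(o_s, o_f),
            "receive": ntp_to_unix(r_s, r_f),
            "transmit": ntp_to_unix(t_s, t_f)}

def evaluate(pkt, t1, t4, panic=PANIC_THRESHOLD):
    """Return (offset, verdict) for a reply to a request sent at t1 and received at t4."""
    r = parse_reply(pkt)
    if r["mode"] != 4:
        return None, "reject: not a server reply"
    if r["stratum"] == 0 or r["leap"] == 3:
        return None, "reject: kiss-of-death or unsynchronized server"
    if abs(r["origin"] - t1) > 1e-6:
        return None, "reject: origin timestamp does not match our request"
    # Standard NTP clock offset: ((T2 - T1) + (T3 - T4)) / 2
    offset = ((r["receive"] - t1) + (r["transmit"] - t4)) / 2
    if abs(offset) > panic:
        return offset, "reject: offset exceeds panic threshold"
    return offset, "accept"

def build_reply(origin, receive, transmit, stratum=2, leap=0):
    """Construct a sample server reply (made-up test data, not captured traffic)."""
    def ts(t):
        return int(t) + NTP_EPOCH_DELTA, int((t % 1) * 2**32)
    head = struct.pack("!BBbb3I", (leap << 6) | (4 << 3) | 4, stratum, 6, -20, 0, 0, 0)
    return head + struct.pack("!8I", *ts(receive), *ts(origin), *ts(receive), *ts(transmit))

if __name__ == "__main__":
    t1 = 1445553840.0                      # constructed request time (Unix seconds)
    ten_years = 10 * 365 * 86400
    honest = build_reply(t1, t1 + 0.020, t1 + 0.021)
    shifted = build_reply(t1, t1 - ten_years + 0.020, t1 - ten_years + 0.021)
    for name, pkt in (("honest", honest), ("ten years back", shifted)):
        print(name, evaluate(pkt, t1, t1 + 0.040))
```

A check like this only bounds a single step from a single reply; as the summary notes, the paper presents methods for bypassing such protections.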


  • (Score: 4, Informative) by MrNemesis (1582) on Friday October 23 2015, @07:11AM (#253520)

    Those who are either truly paranoid or in need of really accurate time can buy themselves a GPS or radio clock and plug it into their local NTP server, thus having a stratum 1 inside your data centre and obviating the need for reliance on an external network.

    If you don't have true paranoia or the need for really accurate time, it's not expensive to do it because it's geeky and cool.
    Turning your Raspberry Pi into a stratum 1 server [satsignal.eu]
    GPS and radio inputs [pvelectronics.co.uk] for your Nixie Tube clock [pvelectronics.co.uk].

    --
    "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
  • (Score: 2) by Hyperturtle (2824) on Friday October 23 2015, @07:24PM (#253713)

    (Awesome, someone who knows what the nixie tube clock is! I wanted one to put into my pipboy 3000 burned out clock from the Fallout 3 collector's clock. Those things broke within weeks. Having a real nixie tube clock in it would be awesome... but then I guess I am a geek when it comes to that.)

    I entirely approve of the Raspberry Pi; it can do it, managed switches can do it, routers can do it, Windows servers can do it, and Windows servers can do it with the addition of 3rd party software so that way they can more reliably do it (that Windows time service is not very good... maybe it's fixed up post 2012 but I've had to take pains to correct for drift).

    I have to concede that perhaps a Raspberry Pi or core switch is not the most reliable of time clocks -- I really don't know how reliable the clock in a Raspberry Pi is, or if it is emulated or what. But if it acts as a server and pulls time from another location, it can be used as the focus point for a small network. That source may still be at risk, but it prevents everything from going out and keeps this traffic local.

    I imagine the Raspberry Pi can do the NTPSEC, do you know if that has been ported to any of the distributions?

    I get the idea that many people here do not work in large environments, and that some of my ideas can be a bit overkill (or simply not applicable) -- but for a place with network hardware that is unmanaged and such, your solution is a great choice.

    I expect MS to push the existing "IOT" Windows 10 for Raspberry Pi into a Windows 2016 nano server for Raspberry Pi. If they do, I'd hope to use that to create a type of headless read only DC for small offices, but that's just me speculating. It could be the cost is prohibitive compared to $50, but we'll see. Many places, I expect, would adopt this type of solution rather than have to learn Linux, cool notwithstanding.

    Anyway this type of solution is great for the small business/medium business and for home use to experiment with, so if anyone wants to ignore my other thoughts, go with this one to keep traffic mostly local and limit the exposure of regular NTP traffic. I recommended a similar choice for network switches and such, but it now occurs to me that this may be easier for many to do, and cheaper besides!