Network Time Protocol

#1

Interesting bug - apparently ntpd only cares about the 32 lowest bits of your system time. But your system stores more than 32 bits of time:
https://rachelbythebay.com/w/2017/09/27/2153/

Edit: good going Discourse, de-capitalized the thread from NTP to Ntp.

#2

Wouldn’t your time have to be off by a couple decades for that to matter?

#3

Yes, but it’s still a bug.

#4

This thread reminded me of this video about the fact the devs often trust your system time when they shouldn’t. Especially because the most widely adopted forms of NTP (NTPv1 and NTPv2) have no authentication methods. NTPv3 has a symmetric key crypto scheme to authenticate that there was non MitM or other tom foolery. Sadly however NTPv3 isn’t widely adopted but that doesn’t matter because even if it were the newest NTP version requires that the keys be shared ‘out of band’. Which is excellent because NIST offers to help you with this by transmitting your symmetric keys IN A GODDAMN ENVELOPE. (seriously the video is entertaining)

Perhaps one of the only interesting things to say about NTP, other than like an in depth how-to on setting it up.

#5

If NTP doesn’t suit your time-related needs, I hear PTP is the way people are going.

1 Like
#6

A well configured NTP daemon, even without any crypto, is pretty resilient to meaningful attacks. You point it at 3-5 disparate time servers. Someone would have to compromise the majority of THEM to attack you, and even then could only push your time slowly away from real time.

Or, you’d have to control the network enough to redirect the NTP requests to compromised servers.

PTP is what all the cool kids are using. Unless it’s production servers, there’s no reason to do this.

#7

I see you all in my notifications, breaking upon Discourse’s walls, trying to update that title.

1 Like
#8

:face_with_symbols_over_mouth:

#9

Fixed it.

#10

You think you’re so smart.

#11

Not true at all. No need to compromise any desperate time servers. Because NTP itself was written in a time before secure communication was really a concern it just casually throws it’s traffic in plain text across wires. Owning any hop between your host and those time servers is enough to casually alter on the fly any and all NTP traffic.

#12

Owning one of those hops is itself an unlikely proposition, and even if it were to occur you still can’t push the time too much. Over time you can skew a clock, but you can’t just set a different time. ntpd will just crash if the time is too far off, and a human will then have to investigate.

#13

You don’t even need to do that, Vampire clamps at the top of a pole will get the job done.

Yeah that’s a fair point. This isn’t a glaring flaw or anything, I just thought it very interesting when I found out about it.

#14

What type of cable do you expect to put these vampire clamps into? What signalling is going over that cable?

This ain’t 10base5 and some baby-ass Manchester.

#15

Honestly I have no idea. Going from OSI exactly bits are going over that cable but what form those bits take is beyond me. Probably like a voltage differential. Point I’m making is unencrypted is unencrypted. If you know the protocol you can read and modify the traffic.

#16

Europe is doing it! We can do it!

The European commission will recommend that EU member states abandon the practice of changing the clocks in spring and autumn, with many people in favour of staying on summer time throughout the year.

3 Likes
#17

I took part in that consultation. If it works out I will be proud of having done my part.

2 Likes
#18

Add Morocco to the list.

1 Like
#19

This reminds me of something. Nothing has come of this, but this has been kicking around here in Massachusetts for a while:

The effect of moving to the Atlantic Time Zone would basically be Eastern Daylight Time year round. I can totally get behind that.

1 Like
#20

NTP is dead, long live NTP