Does your D-link product need to be on ??


Dave (from the UK)

You may be aware from the BBC article

http://news.bbc.co.uk/1/hi/technology/4906138.stm .

or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.

The time servers being abused are owned by individuals, the military,
the US Government, some academic institutions and commercial companies.

One owner of a Dutch time server at least is incurring very large costs
due to this and even more costs in paying a consultant to find the problem.

http://people.freebsd.org/~phk/dlink/

To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
You may be aware from the BBC article

http://news.bbc.co.uk/1/hi/technology/4906138.stm .

or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.

The time servers being abused are owned by individuals, the military,
the US Government, some academic institutions and commercial companies.

One owner of a Dutch time server at least is incurring very large costs
due to this and even more costs in paying a consultant to find the problem.

http://people.freebsd.org/~phk/dlink/

To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.

It is, in fact, a Danish server, not Dutch.
The guy already paid $5000 to find out where the traffic came from.
 
Jakob said:
It's not a Dutch but a Danish server.

Sorry. You are right of course - I don't know what I was thinking of there.

But it now appears there are forty odd servers throughout the world

http://people.freebsd.org/~phk/dlink/letter2.html

where this abuse is happening. So people with D-link products might
well be using several of these without permission.


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
It's stupid done of D-Link
Dave (from the UK) said:
Sorry. You are right of course - I don't know what I was thinking of
there.

But it now appears there are forty odd servers throughout the world

http://people.freebsd.org/~phk/dlink/letter2.html

where this abuse is happening. So people with D-link products might well
be using several of these without permission.


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 

To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.

It would be even more sensible to change router settings to use an alternate
address (like us.pool.ntp.org) instead. Instead of your router pinging
addresses it shouldn't when it's on, it'll never ping those addresses at
all. There's an option in there (in the DI-604, at least) to specify an NTP
server to use. Fill it with something from *.pool.ntp.org and you're all
set.

_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( http://alfter.us/ Top-posting!
\_^_/ rm -rf /bin/laden >What's the most annoying thing on Usenet?

 



It would be even more sensible to change router settings to use an alternate
address (like us.pool.ntp.org) instead. Instead of your router pinging
addresses it shouldn't when it's on, it'll never ping those addresses at
all. There's an option in there (in the DI-604, at least) to specify an NTP
server to use. Fill it with something from *.pool.ntp.org and you're all
set.

_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( http://alfter.us/ Top-posting!
\_^_/ rm -rf /bin/laden >What's the most annoying thing on Usenet?


My old DI-804U doesn't seem to have such an option. But it surely
pre-dates 2005 (that's when the problem started, as the BBC article
states).

NNN
 
Scott said:
It would be even more sensible to change router settings to use an alternate
address (like us.pool.ntp.org) instead. Instead of your router pinging
addresses it shouldn't when it's on, it'll never ping those addresses at
all. There's an option in there (in the DI-604, at least) to specify an NTP
server to use. Fill it with something from *.pool.ntp.org and you're all
set.

True, but for many models the time servers can't be changed - the
DWL-700AP I own is one such model. But the time servers it uses are OK
to use.
--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
My old DI-804U doesn't seem to have such an option. But it surely
pre-dates 2005 (that's when the problem started, as the BBC article
states).

NNN

That BBC article is not well written, so I would not tend to put much
weight on what it says.

Although the issue with the Danish time server started in 2005, there
are many other time servers which are being accessed by D-link products
which have restricted access.

I have no idea if the names or IP addresses of any of those time servers
were coded into older models - I suggest you ask D-link about the
particular model(s) you have. You can get to their support page at:

http://support.dlink.com/


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
It is, in fact, a Danish server, not Dutch.
The guy already paid $5000 to find out where the traffic came from.

$5000.? WOW - sounds like easy money to me.
 

Hmmm, usual Bimbo Broadcasting "Science & Technology" reporting job. Where
do they get those people?
or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.

Uhh.... where are those "many time servers"?
The time servers being abused are owned by individuals, the military,
the US Government, some academic institutions and commercial companies.

One owner of a Dutch time server at least is incurring very large costs
due to this and even more costs in paying a consultant to find the problem.

http://people.freebsd.org/~phk/dlink/

To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.

This is not a question of "switch off". In fact, if the gateway/routers
work well this would aggravate the "problem" because every switch-on would
cause a look-up. Besides, people with ADSL or cable access want/need a
permanent connection anyway.

Why don't you check the NTP server which your Internet Gateway/router is
using for NTP look-up? Mine -- not a D-Link -- is set from the factory to
look up clock.isc.org and is so documented in the mfr's docs. In fact I've
tried to find a Stratum-2 NTP server but none of those which were
"documented" worked. The problem here is that the NTP "community" has
their heads up their a... err, in the sand with their "open access - please
notify by e-mail" and "use name only" comments and their docs are either
obsolete or impossible to follow. Do'h this is not a lot of help.

In the office I have our DC set to use time.nist.gov because I couldn't
find anything else which worked - my ISP has a NTP.<ISPName> which maps to
an IP address but the time look-up fails there. I suppose there's
time.windows.com but I had trouble getting a response there - hardly
surprising because that's what every (U.S.) Windows XP system is set to
use.... and do we all want to depend on Bill Gates for our clock-time
now?;-)

I wonder how the conclusion was reached that *only* D-Link was at fault
here? AFAIK D-Link is one of the few vendors which actually makes such
equipment - it might be that their OEMs don't reprogram the NTP-Server
field/algorithm in the configuration. It could also be that D-Link owners
spend a lot of time re-booting their gateway/routers.:-) If the Danish guy
is getting a lot of hits, who do you think is responsible for programming
his NTP Server address into D-Link routers?

Calling this "vandalism" and "abuse" is nuts IMO. If you set up a Time
Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
obsolete, non-functioning addresses. I have to ask what gateway/router
vendors are supposed to program into their devices for "default" NTP
look-up, given that most end-users are not expert enough to be fiddling
with the configuration settings. Ideally, the ISP who supplies them to
end-users would have a functioning NTP Server and then program that address
in before delivery but that does not happen... apparently.
 
Borked said:
Better yet, how about making the time server the thing uses configurable so that users can simply set them to use a public server... or even provide a list of acceptable servers to use.

D-link need to do that although the Danish time server will still be
affected, as only a small percentage will update firmware.
Turn it off? You MUST be joking! My operation is active 24/7/365 Turning it off costs money and the board of directors tends to frown on things that cost money without producing a larger profit. Turning off a D-Link product is one example of such.

What if the owner/admin of a time-server asked you to stop accessing
their server? Would the directors say "Tough, we are going to leave our
D-link product(s) running, accessing your time-server, against your
published wishes and do nothing about it?"

There might well be legal implications for doing that. I suspect that
could come under laws about mis-use of computers if you are connecting
to computers you have no right to do so, and ignore requests to cease.
People pay for bandwidth, so your actions are costing them money.


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
George said:
Hmmm, usual Bimbo Broadcasting "Science & Technology" reporting job. Where
do they get those people?

Yes - I agree. That is particularly badly written I think.
Uhh.... where are those "many time servers"?
http://ntp.isc.org/bin/view/Servers/WebHome

Why don't you check the NTP server which your Internet Gateway/router is
using for NTP look-up?

I have done - but it is not easy to do.

It required downloading the firmware, decompressing *part* of the file
and then using the strings command in UNIX to find the IP addresses.
From that, the name of the servers could be found.

The guy in Denmark whose time-server is affected told me how to do it.
Mine -- not a D-Link -- is set from the factory to
look up clock.isc.org and is so documented in the mfr's docs.

I doubt you should be using that.

http://ntp.isc.org/bin/view/Servers/ClockIscOrg

ServiceArea: BARRnet, Alternet-west, CIX-west
AccessPolicy: OpenAccess
In fact I've
tried to find a Stratum-2 NTP server but none of those which were
"documented" worked. The problem here is that the NTP "community" has
their heads up their a... err, in the sand with their "open access - please
notify by e-mail" and "use name only" comments and their docs are either
obsolete or impossible to follow. Do'h this is not a lot of help.

Have a look at the above site and find one. Or use this (explanation a
bit further down)

Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org
Calling this "vandalism" and "abuse" is nuts IMO.

What is abuse then? According to

http://en.wikipedia.org/wiki/Abuse

* Abuse is a general term for the use or treatment of
* something (person, thing, idea, etc.) that causes some
* kind of harm (to the abused person or thing, to the
* abusers themselves, or to someone else) or is unlawful
* or wrongful.

If, as in this case, Poul-Henning is getting a large bill for the
lookups, which are making up 90% of his traffic, then it is causing him
harm. So it is abuse.
If you set up a Time
Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
obsolete, non-functioning addresses.

I don't think it is a mess, but even if it was, that does not excuse you
using one you don't have permission to use.

My computer might be slow. Does that mean I can use your computer's
resources without your permission?
I have to ask what gateway/router
vendors are supposed to program into their devices for "default" NTP
look-up, given that most end-users are not expert enough to be fiddling
with the configuration settings.

How about gateway/router vendors providing their own time servers,
rather than use others without permission? It is not actually that
expensive. A GPS receiver with a 1 pulse per second output connected to
a Stanford Research PRS-10 rubidium source would make a nice one with a
72-hour holdover for stratum 2 if the GPS is lost.

Or vendors can use a pool that have agreed to be in a pool

http://ntp.isc.org/bin/view/Servers/NTPPoolServers

i.e.

Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org

There are several more ways they could do it. They could for example use
something like DNS. The router contacts the vendor's server which
returns the IP address of a publicly available time server. The router
then connects to that to get the time.

There are *many* ways this could be implemented, but using a random NTP
server that does not allow access is not a good way.
Ideally, the ISP who supplies them to
end-users would have a functioning NTP Server and then program that address
in before delivery but that does not happen... apparently.

Also, many like myself don't use a modem supplied by my ISP. And there
are other devices, like my WiFi adapter which are not supplied by the ISP.


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
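
The firmware check described in the post above (decompress part of the image, run strings over it, pick out the IP addresses), as an added Python example that is not from the thread or from D-Link. It assumes the image is already decompressed; `audit_firmware`, the hostname heuristic and the sample bytes are constructed for illustration, and the sample addresses come from the documentation ranges.

```python
import ipaddress
import re

# Ranges found in almost every router image that are not Internet time
# servers: LAN defaults, loopback, link-local, multicast and netmasks.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Canonical dotted quad only: octets 0-255 without leading zeros, and not
# part of a longer dotted number. This drops strings such as "1.02.003.4";
# a version written exactly like an address still needs a human look.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(r"(?<![\d.])" + OCTET + r"(?:\." + OCTET + r"){3}(?![\d.])")

HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Heuristic (an assumption of this example): only hostnames with a label
# starting with ntp/time/clock are treated as time-server candidates.
TIME_LABEL = re.compile(r"^(?:ntp|time|clock)")
POOL_SUFFIX = "pool.ntp.org"  # the open pool named in the thread


def printable_strings(blob, min_len=4):
    """Yield runs of printable ASCII, the way strings(1) does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def audit_firmware(blob):
    """Return hard-coded public IPs and time-server hostnames in a blob."""
    ips, pool_hosts, other_hosts = set(), set(), set()
    for text in printable_strings(blob):
        for m in IPV4_RE.finditer(text):
            addr = ipaddress.IPv4Address(m.group())
            if not any(addr in net for net in SKIP_NETS):
                ips.add(addr)
        for m in HOST_RE.finditer(text):
            host = m.group().lower()
            if not any(TIME_LABEL.match(label) for label in host.split(".")):
                continue
            if host == POOL_SUFFIX or host.endswith("." + POOL_SUFFIX):
                pool_hosts.add(host)
            else:
                other_hosts.add(host)
    return {
        "ips": [str(a) for a in sorted(ips)],   # look these up by hand
        "pool_hosts": sorted(pool_hosts),        # open pool, nothing to do
        "other_hosts": sorted(other_hosts),      # check the access policy
    }


# Constructed stand-in for a decompressed firmware section.
SAMPLE_IMAGE = (
    b"\x00\x01\x02SNTP server list\x00"
    b"192.0.2.10\x00\x00198.51.100.7\x00"
    b"255.255.255.0\x00192.168.0.1\x00"
    b"fw 1.02.003.4 build\x00"
    b"ntp1.example.net\x00us.pool.ntp.org\x00"
    b"\xff\xfe999.1.1.1\x00"
)

if __name__ == "__main__":
    for kind, values in audit_firmware(SAMPLE_IMAGE).items():
        print(kind, values)
```

Each address or name reported outside the pool still has to be checked against that server's published access policy, which is the manual step the post describes.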
 

Yeah I know where the "list" is but like I've said, many just don't work -
the list is obsolete.
I have done - but it is not easy to do.

It required downloading the firmware, decompressing *part* of the file
and then using the strings command in UNIX to find the IP addresses.
From that, the name of the servers could be found.

The guy in Denmark whose time-server is affected told me how to do it.

So they're selling routers which are not configurable for that setting? I
haven't seen a lot of different brands but my router does not show or allow
changing the setting from its Web-based interface - have to use the Command
Line from a Telnet session... which means reading the docs. This is not
stuff for the average "consumer".
I doubt you should be using that.

http://ntp.isc.org/bin/view/Servers/ClockIscOrg

ServiceArea: BARRnet, Alternet-west, CIX-west
AccessPolicy: OpenAccess

Why should I not use it? It's one of the few with Open Access and no
notification message required. It's even possible that the router mfr has
obtained permission based on assurances of non-abuse and reasonably coded
frequency of look-ups. If someone wants me to obey some "Service Area"
convention, they'd better explain what that means - no such explanation is
easily found.
What is abuse then? According to

http://en.wikipedia.org/wiki/Abuse

* Abuse is a general term for the use or treatment of
* something (person, thing, idea, etc.) that causes some
* kind of harm (to the abused person or thing, to the
* abusers themselves, or to someone else) or is unlawful
* or wrongful.

If, as in this case, Poul-Henning is getting a large bill for the
lookups, which are making up 90% of his traffic, then it is causing him
harm. So it is abuse.

"Vandalism" requires some intent to do harm or "abuse". This was a mistake
- the indignation of the recipient is overblown IMO given the extent of
(lack of) guidance offered by, and the functional state of, the NTP
infrastructure. It also appears that DK has no Stratum-2 servers at all
and only two Restricted Access ones in Stratum-1 which both say "Open
access to servers, please, no client use". Hmm, difficult to know what
they mean by "servers" but it does seem like there is a problem with the DK
Internet NTP infrastructure.

The ethics of the situation are quite well covered in the University of
Wisconsin/Netgear case - there's plenty of blame to go around and plenty of
targets - things could have been done better all around.
I don't think it is a mess, but even if it was, that does not excuse you
using one you don't have permission to use.

When you go look up a source of documentation, and follow their obscure,
poorly written descriptions, written in their byzantine terminology, and
find that after trying 3 or 4 of the apparently recommended "active" sites
and none of them work, frustration generally leads to something which does
work... even if it requires a "notification message".
My computer might be slow. Does that mean I can use your computer's
resources without your permission?

Ridiculous extrapolation. For one thing, I do not "publish" the method of
access to my computer. What will most people do when faced with "here it
is; don't use it... but nothing else, which is geographically close, is
available"?
How about gateway/router vendors providing their own time servers,
rather than use others without permission? It is not actually that
expensive. A GPS receiver with a 1 pulse per second output connected to
a Stanford Research PRS-10 rubidium source would make a nice one with a
72-hour holdover for stratum 2 if the GPS is lost.

Or vendors can use a pool that have agreed to be in a pool

http://ntp.isc.org/bin/view/Servers/NTPPoolServers

i.e.

Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org

There are several more ways they could do it. They could for example use
something like DNS. The router contacts the vendor's server which
returns the IP address of a publicly available time server. The router
then connects to that to get the time.

There are *many* ways this could be implemented, but using a random NTP
server that does not allow access is not a good way.

Making up rules after the fact is always easy. AFAIK the "pool" concept is
relatively new - things are continually evolving here and the rules in
place now are not necessarily what was offered when firmware for any given
router was being written. Also, the "Rules of Engagement" and other docs
are hardly written for a quick reference.
Also, many like myself don't use a modem supplied by my ISP. And there
are other devices, like my WiFi adapter which are not supplied by the ISP.

I'd think *most* gateway/routers are acquired by end-users and SMBs from an
ISP - it would certainly help if NTP had a similar hierarchical structure
to DNS name caching.
 
George said:
Yeah I know where the "list" is but like I've said, many just don't work -
the list is obsolete.

Most seem to work for me, but I use a Sun workstation, not a D-link
router, so I can't say I have tried with this. I suspect the muppet
routers don't implement the protocol as well as the Sun.
So they're selling routers which are not configurable for that setting? I
haven't seen a lot of different brands but my router does not show or allow
changing the setting from its Web-based interface - have to use the Command
Line from a Telnet session... which means reading the docs. This is not
stuff for the average "consumer".

I'm not aware it can be done on mine at all. Luckily, none accessed have
any restrictions.

Why should I not use it? It's one of the few with Open Access and no
notification message required. It's even possible that the router mfr has
obtained permission based on assurances of non-abuse and reasonably coded
frequency of look-ups. If someone wants me to obey some "Service Area"
convention, they'd better explain what that means - no such explanation is
easily found.

The ServiceArea is the geographic and/or network area the TimeServer is
intended to serve.

"Vandalism" requires some intent to do harm or "abuse".

I personally did not use the word vandalism. But I think abuse is correct.
It also appears that DK has no Stratum-2 servers at all
and only two Restricted Access ones in Stratum-1 which both say "Open
access to servers, please, no client use". Hmm, difficult to know what
they mean by "servers" but it does seem like there is a problem with the DK
Internet NTP infrastructure.

Well, you don't have to use a local server and should not use a local
one if it restricts access.
Ridiculous extrapolation. For one thing, I do not "publish" the method of
access to my computer.

I accept there is a *big* difference between intentionally hacking a
machine (me hacking yours) and you or anyone else using an NTP server
without realizing it. One is an accident, the other a deliberate act.

But once you are aware you are not welcome at an NTP server, then I
think the difference disappears.

I will ask you the same question I asked the person posting as:

Borked Pseudo Mail - '(e-mail address removed)'

If you were asked by an NTP server administrator (such as the owner of
the Danish one) to stop accessing that server, and you were unable to do
so by a firmware upgrade or reconfiguring the router, would you continue
to access his server, even though he had asked you not to? If you had
no other option, would you switch your router/modem off and not use it?

Furthermore, what if the person asking you was from the US government or
the US Navy, both of whose timeservers are being abused? Would you
continue to use their time servers if you had no way of stopping your
D-link product from doing it without switching it off?

BTW, your ISP, Tellurian, might have something to say about it, as it
would be against their rules:

http://www.tellurian.com/usagepolicy.asp

In particular:

* Any "denial of service" attack, any attempt to breach
* authentication or security measures, or any unauthorized attempt
* to gain access to any other account, host or network is
* prohibited, and will result in immediate service termination,
* which may be without notice.

I think you using the NTP server then would be an unauthorized attempt
to gain access to another host.
What will most people do when faced with "here it
is; don't use it... but nothing else, which is geographically close, is
available"?

So that makes it right?

I suggest if they are in the US, it would be rather foolish to continue
to do it should a US government or navy official ask you to stop.
Making up rules after the fact is always easy. AFAIK the "pool" concept is
relatively new - things are continually evolving here and the rules in
place now are not necessarily what was offered when firmware for any given
router was being written. Also, the "Rules of Engagement" and other docs
are hardly written for a quick reference.

No, the rules were in place before. I am not suggesting any rules at all.

If vendors chose to implement products which use NTP servers it is up to
them to work out how to do it without accessing other servers their
intended end users are not supposed to. It is not up to me, or anyone
else to tell them how to do it. I am just saying there are ways, but it
is their decision. The rules have been in place a long while.
I'd think *most* gateway/routers are acquired by end-users and SMBs from an
ISP - it would certainly help if NTP had a similar hierarchical structure
to DNS name caching.

I suspect, but don't know, that for a gateway router where the time can
only be set to 1 second resolution, it makes no difference if you use a
near or distant NTP server. The protocol corrects for network delays.
Correction improves when multiple time servers are used but I doubt it
is necessary unless the resolution is better than 1 second.

On my own system, 5 time servers are used and corrections rarely exceed
50 ms.

My PDA usually syncs to a local time server (one of my own computers),
but even if I send it to a distant one the other side of the Atlantic,
the corrections are under 1 s.

But to what accuracy you can set the time is really irrelevant for the
discussion. You should not access ones you are not welcome at and to me
at least continuing to do so once you are aware of the issue is no
different from hacking another machine.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
You may be aware from the BBC article

http://news.bbc.co.uk/1/hi/technology/4906138.stm .

or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.

I have a DSL-302G modem/router. I don't use SNTP because the modem
appears to write the updated time to its flash EEPROM every 15
minutes. If I ran it 24/7, then this would result in approximately
32,000 writes per year. IMO, it would have been better for the time to
have been stored in RAM.

- Franc Zabkar
 
I have a DSL-302G modem/router. I don't use SNTP because the modem
appears to write the updated time to its flash EEPROM every 15
minutes. If I ran it 24/7, then this would result in approximately
32,000 writes per year. IMO, it would have been better for the time to
have been stored in RAM.

...and it wouldn't last more than 30 years at that rate! Sheesh!
 
Dave said:
You may be aware from the BBC article

http://news.bbc.co.uk/1/hi/technology/4906138.stm .

or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.

The time servers being abused are owned by individuals, the military,
the US Government, some academic institutions and commercial companies.

One owner of a Dutch time server at least is incurring very large costs
due to this and even more costs in paying a consultant to find the problem.

http://people.freebsd.org/~phk/dlink/

To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.

Not if it defaults to a 24 hour update like mine does as I doubt very many
broadband users operate their machine(s) less than once a day. And if it
syncs at power up your suggestion would make the problem worse.
 
Dave said:
Most seem to work for me, but I use a Sun workstation, not a D-link
router, so I can't say I have tried with this. I suspect the muppet
routers don't implement the protocol as well as the Sun.



I'm not aware it can be done on mine at all. Luckily, none accessed have
any restrictions.

A bit Draconian to hold the user 'responsible' for something they're not
only clueless about but unable to change even if they knew, don't you think?

The ServiceArea is the geographic and/or network area the TimeServer is
intended to serve.






I personally did not use the word vandalism. But I think abuse is correct.

The question is 'who'?, knowledge, and intent.

Well, you don't have to use a local server and should not use a local
one if it restricts access.



I accept there is a *big* difference between intentionally hacking a
machine (me hacking yours) and you or anyone else using an NTP server
without realizing it. One is an accident, the other a deliberate act.

But once you are aware you are not welcome at an NTP server,

And just how is the individual user made 'aware'? And that includes made
'aware' by an authority recognized to have the claimed authority.

then I
think the difference disappears.

Things are seldom that simple and especially not when trying to lay blame
and responsibility on people who had not one shred of participation in, nor
knowledge of, the decisions leading to the alleged 'abuse'.

I will ask you the same question I asked the person posting as:

Borked Pseudo Mail - '(e-mail address removed)'

If you were asked by an NTP server administrator (such as the owner of
the Danish one) to stop accessing that server, and you were unable to do
so by a firmware upgrade or reconfiguring the router, would you continue
to access his server, even though he had asked you not to?

First, your premise is self serving, pardon the pun. Accessing his server?
You must be kidding. According to your comments above there's essentially
no way for the user to even know a server is being accessed at all and now
someone completely unknown claims a 'perfectly fine', according to the
manufacturer of said item, is 'abusing' his server? Why should the end user
believe this story?
If you had
no other option, would you switch your router/modem off and not use it?

Now the end user *knows* he's kidding, or has no idea what the heck he's
talking about, or is some new kind of internet fraud.
Furthermore, what if the person asking you was from the US government or
the US Navy, both of whose timeservers are being abused? Would you
continue to use their time servers if you had no way of stopping your
D-link product from doing it without switching it off?

The end user has no reason to worry about such a scenario because the gov
knows who to go after: the manufacturer.

BTW, your ISP, Tellurian, might have something to say about it, as it
would be against their rules:

http://www.tellurian.com/usagepolicy.asp

In particular:

* Any "denial of service" attack, any attempt to breach
* authentication or security measures, or any unauthorized attempt
* to gain access to any other account, host or network is
* prohibited, and will result in immediate service termination,
* which may be without notice.

I think you using the NTP server then would be an unauthorized attempt
to gain access to another host.

The user is doing *nothing* nor making any 'attempt' to do something nor
even aware anything is being done.

So that makes it right?

I suggest if they are in the US, it would be rather foolish to continue
to do it should a US government or navy official ask you to stop.

Maybe I missed it but I'm not aware of any 'US government' announcement to
stop using home routers.
No, the rules were in place before. I am not suggesting any rules at all.

If vendors chose to implement products which use NTP servers it is up to
them to work out how to do it without accessing other servers their
intended end users are not supposed to. It is not up to me, or anyone
else to tell them how to do it. I am just saying there are ways, but it
is their decision. The rules have been in place a long while.



I suspect, but don't know, that for a gateway router where the time can
only be set to 1 second resolution, it makes no difference if you use a
near or distant NTP server. The protocol corrects for network delays.
Correction improves when multiple time servers are used but I doubt it
is necessary unless the resolution is better than 1 second.

On my own system, 5 time servers are used and corrections rarely exceed
50 ms.

My PDA usually syncs to a local time server (one of my own computers),
but even if I send it to a distant one the other side of the Atlantic,
the corrections are under 1 s.

But to what accuracy you can set the time is really irrelevant for the
discussion. You should not access ones you are not welcome at and to me
at least continuing to do so once you are aware of the issue is no
different from hacking another machine.

And if you got an unsolicited phone call from someone you never heard of
saying your perfectly fine coffee maker was screwing up their toaster oven
on the other side of the world you'd immediately unplug the thing and stop
using it, right?

The point isn't that the technical details are equivalent, the point is
you're trying to lay blame onto folks who might think the analogy is accurate.
 
David said:
Not if it defaults to a 24 hour update like mine does as I doubt very
many broadband users operate their machine(s) less than once a day. And
if it syncs at power up your suggestion would make the problem worse.

Yes I accept that if it only updates once/day. It seems to vary an awful
lot - on some the time server can be configured, on others it can't. On
some the update interval may be configured, on others it may not.

I know mine can not be configured, but I also know all the servers are
open-access, so it is not an issue.

However, many of these D-link products are connecting to US military or
government sites for which access is restricted.

If the product is under warranty and you can't configure it to avoid
restricted time servers, it *might* be possible to get a
refund/replacement - it would depend an awful lot on the law in your
country and/or the dealer you bought it from.

If you can configure the ntp servers, the following will connect you to
a random time server which has no access restrictions.

Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org


--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 