Maarten Wiltink wrote: > "Richard B. Gilbert" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > >>Maarten Wiltink wrote: >> >>>"Richard B. Gilbert" <[EMAIL PROTECTED]> wrote in message >>>news:[EMAIL PROTECTED] > > >>>>As far as anyone here knows there are no "exploits" associated with >>>>NTP. > > >>>After a short look-around on SecurityFocus, I would like to exclude >>>myself from that 'anyone' group. > > >>All right, there are, or were, fifteen reported exploits. None is dated >>more recently than 2004 and some seem to be complaining about ten year >>old software distributed by companies such as Sun, Redhat, Debian, etc. > > > Still distributed right now, yes. For all those people who aren't allowed > to run something not backed by RFCs, and then come here with questions > about something called xntp. Sound familiar? > > > [...] > >>I'd say that the proper response is not to forbid the use of the NTP >>protocol but rather to avoid running defective implementations thereof! > > > That would be nice. However, letting your guard down is _never_ a > secure response. I will work on the assumption that there are exploits > in the current NTP until you _prove_ to me it's safe, and I'm not > holding my breath.
If you want "proof" that ANY piece of software is free from bugs or exploits, you may have a very long wait! Ever wonder why half the world failed to handle the last leap second properly??? A large number of servers were running software with a bug. _______________________________________________ questions mailing list [email protected] https://lists.ntp.isc.org/mailman/listinfo/questions
