Domain: isc.org
Stories and comments across the archive that link to isc.org.
Comments · 347
-
Re:Netgear did the same thing a few years ago
So D-Link units were making an NTP request, the request was denied by the server, but the D-Link engineers put it in their list of NTP servers anyway?
Yes, but worse and out of order .....
Check out NTP.org. Specifically check the Rules of Engagement, The Stratum 1 list, and RFC 1305.
Now looking at everything we have a protocol that involves 2 components, an implementation component and a social component. The actual implementation of the protocol is laid out first as "Format your request in this fashion and we will return the response looking like this...". However, it also has things for implementing request timing fallback and kill requests. The social implementation of the protocol is laid out in the RoE and the Server Lists - note the regional restrictions and the authorization requests in the server lists.
From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables. That blows off the entire social aspect of the protocol - both the permissions and the structure.
Next they implemented only the request portion of the protocol; they ignore the backoff & get lost request structures - essentially forgoing the entire error correction portion incorporated into the RFC. So up to the point of manufacture they have 3 strikes against them:
- Failure to obey the Stratum structure of the NTP system
- Failure to follow the permissions structure of the NTP system
- Failure to properly implement the NTP connection protocol
From memory the conversation then went like this:
Dane: Your routers are hammering my server & they need to stop, you don't have permission & you're violating the rules.
D-Link: How cute, have a nickel & go get yourself some candy.
Dane: WTF? The exchange is going to charge me $8K to cover your protocol violations.
D-Link: It's not our fault & if it is talk to our Lawyer.
Lawyer: I won't talk to you unless you come to CA & argue your case.
At which point it devolved to an open letter & public shaming - which by the way seems to have worked.
[note] IIRC someone calculated the estimated bandwidth from the D-Link routers using Stratum 1 NTP servers to be enough to continuously flood a T1. So this isn't just an occasional knock on the door, it's pretty heavy usage for what amounts to a request packet and a response packet from each router. -
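The backoff and "kill request" handling the comment says D-Link skipped, as an added example that is not from the page or from any D-Link firmware: a client-side decoder for the fixed 48-byte NTP header that recognises Kiss-o'-Death replies (stratum 0 with a 4-character ASCII code in the reference ID, per RFC 4330) and either doubles its poll interval or stops entirely. The packets are constructed inline for testing; the function names are my own.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800
KOD_STOP = ("DENY", "RSTR")   # kiss codes meaning "never ask this server again"
KOD_SLOW = ("RATE",)          # kiss code meaning "you are polling too often"


def parse_ntp_header(pkt):
    """Decode the fixed 48-byte NTP header (RFC 1305 / RFC 4330 layout)."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    li_vn_mode, stratum, poll_exp, precision = struct.unpack("!BBbb", pkt[:4])
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    xmt_sec, xmt_frac = struct.unpack("!II", pkt[40:48])   # transmit timestamp
    return {
        "leap": li_vn_mode >> 6,            # 3 = server clock unsynchronized
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,             # 4 = server reply
        "stratum": stratum,                 # 0 = Kiss-o'-Death, 1 = primary, ...
        "refid": pkt[12:16],
        "xmt_unix": xmt_sec - NTP_UNIX_OFFSET + xmt_frac / 2 ** 32,
    }


def kiss_code(hdr):
    """For stratum-0 replies the reference ID carries a 4-char ASCII kiss code."""
    if hdr["stratum"] == 0:
        return hdr["refid"].decode("ascii", errors="replace")
    return None


def reply_is_usable(hdr):
    """Only a server-mode reply from a synchronized, non-KoD server may be used
    to adjust the local clock."""
    return hdr["mode"] == 4 and hdr["leap"] != 3 and kiss_code(hdr) is None


def next_poll_seconds(current, hdr, max_poll_exp=17):
    """How long to wait before the next request to this server.
    Returns None when the server has told us to stop talking to it."""
    code = kiss_code(hdr)
    if code in KOD_STOP:
        return None
    if code in KOD_SLOW:
        return min(current * 2, 2 ** max_poll_exp)   # exponential backoff, capped
    return current


def build_reply(stratum, refid, xmt_sec, leap=0):
    """Construct a minimal NTPv4 server reply for testing (not a real capture)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4             # version 4, mode 4
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    head += struct.pack("!II", 0, 0) + refid             # root delay/dispersion, refid
    stamps = struct.pack("!IIIIIIII", 0, 0, 0, 0, 0, 0, xmt_sec, 0)
    return head + stamps
```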
Re:List of Affected Products:
DI-604
Ugh. I use one of those at home. I'm glad now that I set a default NTP server when I first set it up, but I doubt this is something most users would do. Here are the instructions for doing this. I don't know if this applies to the other models listed above.
This might also be useful: List of NTP Pool Servers
-
Re:Hasn't anybody at D-Link heard of
Beat me to it. Still, here's the link.
-
The sky is falling! The sky is falling!
According to the internet filter company N2H2, its database of pages identified as pornography grew from 14 million in 1998 to 260 million in 2003, a 1,800 per cent increase.
Never mind that the number of internet hosts rose 960% over the same period (mid 1998 to mid 2005). Never mind finding out what total internet traffic did over that same period. -
Safest browser ever available
Here. Guaranteed not to be exploited by any javascript or plugin vulnerability. Or by any site that uses frames.
-
Re:IPv6 Business Case
There was no business case for the transition from ARPANET's old NCP protocol to TCP/IPv4 in the 1980s - but there were technically compelling reasons. Luckily the ARPANET pioneers realized that a new protocol was needed to easily integrate the new services and applications they were thinking of deploying.
To be exact, ARPANET switched from NCP to TCP/IP on January 1, 1983. NCP had a few shortcomings
- Like UDP, NCP had no way of handling lost packets. TCP introduced packet acknowledgement to fix this.
- NCP had no real routing. TCP/IP introduced the concept of gateways, routers, and independent networks/subnets.
The difference between IPv4 and IPv6? The size of the address space and the human representation of the addresses (hexadecimal instead of decimal).
While we're on the subject, it took over 8 years from the publication of Vint Cerf and Robert Kahn's A Protocol for Packet Network Interconnection (May 1974), which described TCP, for ARPANET to incorporate TCP/IP.
It's also important to note that the size of the Internet in the 1980s was nothing like it is today. The Internet only had 562 hosts in August 1983, 8 months after the changeover. The same source states that the Internet had 353,284,187 hosts in July 2005. (Source: Hobbes' Internet Timeline, with data taken from Mark Lottor's zone program reports, and the ISC)
-
Re:Public NTP server?
What constitutes a "public" NTP server - the DNS name, or its inclusion on a particular published list?
In this context, public probably means that the server's listed by pool.ntp.org. ISC also maintains a list of stratum 1 and 2 servers, some of which are publicly accessible. -
Re:Calculate the exact URLs
That makes sense, and is probably the case. For speculation's sake, what if the virus didn't use the computer time to find out what day it was, but checked a Stratum 2 Time Server instead?
-
Re:Consider switching to someone less petulant
3) one of only 13 ROOT DNS servers globally (C.ROOT-SERVERS.NET is in Cogent's 192.33.4.0/24 IP space)
That means nothing. F has HOW many anycasted instances? Let's count them... -
Maybe not so easy.
Let us say that you build a direct equiv. in Linux. "Impossible!" I hear you cry! Well, maybe not. Not unless you've cracked into my machine and installed an MP3 of yourself.
Anyways, let us examine the different components and see how far OSS can take us. Maybe it can't go the whole journey, but if it can do some, then a hybrid solution will work.
Open Groupware, SuSE's Open Exchange and OSER will handle the Exchange part, including support for all those MS Exchange clients, such as Outlook.
That just leaves the Active Directories part. ISC's DHCP supports Dynamic DNS. However, you may want to add in DHCP2LDAP to get a good link between DHCP and BIND. OpenLDAP provides the LDAP implementation part. Kerberos and DNS are easy (although some may quibble with my choice of Kerberos version!)
Provided you're not planning on having both MS Active Directory and the above amalgam running, you should then be set to go with a comprehensive Active Directory lookalike which will interact with client systems in the same way Microsoft's software will.
The problem I found is that there's almost no way of getting from a Linux solution -to- Active Directory. If AD is present, it must be a root server, which Linux CAN pull from.
Do I recommend this kind of a setup? Probably not. The Exchange and Groupware stuff should be fine, but the Active Directory stuff isn't as coherent as it could be and I've heard of nobody who has completely replaced AD with an Open Source solution, even though from a purely technical perspective it should be possible. -
Re:Not for Windows users, or BSD users
I run ntpd built for Win32 on one of my Windows hosts. I can't remember if I built it or just downloaded a pre-built binary. Try the links or download page at http://ntp.isc.org/ Strictly it isn't an answer to the question you asked (enable NTP) but it does solve the problem (install NTP).
-
Re:I prefer clockspeed's taiclock
I use SNTP to get Stratum-1 time from NIST
Don't be so needlessly antisocial. Pick a nice public stratum-2 server and leave the big guys alone. It reduces load (thus latency, thus inaccuracy) at the top and probably gives you better accuracy, assuming you're not in the same building as tycho.
I'd much rather sync against my ISP's GPS-based NTP server than a better source far away. It's better in every way, and it won't make the stratum-1 guys want to punch you.
By the way, clockspeed hasn't been updated since October 1998. OpenNTPD is a light, modern client that you might wish to consider.
-
NTP For Dummies
[idiot@localhost] wget -O ntp-4.2.0.tar.gz 'http://ntp.isc.org/Main/DownloadViaHTTP?file=ntp4/ntp-4.2.0.tar.gz'
[idiot@localhost] tar -xzf ntp-4.2.0.tar.gz
[idiot@localhost] cd ntp-4.2.0
[idiot@localhost] ./configure && make && sudo make install
Add to root cron:
0 2 * * * /usr/local/bin/ntptimeset -s -S 1 >/dev/null 2>&1 -
Re:Admins - Take some initiative!
The fix in question here is available. The BIND webpage has a scary warning box on the right with details. Everyone should be upgrading to the new version.
But it's not surprising that there are still vulnerable servers out there. In fact, I'm surprised the total is so low. Aside from the few admins who just aren't doing their jobs, these kinds of things often run into bureaucracy. In many organizations, upgrades have to be thoroughly tested before release and there are standard schedules for patch cycles. An admin who wants to simply stick a new version of something on the production server may be told to wait until approval comes. That could take a while. And occasionally you'll have some crappy system that doesn't work well with the new software, and they're stuck rolling back until the problem is solved.
I had a friend who worked at a small ISP that had some serious security issues. The guy who should have been patching things "resigned", something to do with the smell of pot lingering in his office. Anyways, the position went vacant for a little while and the task fell to the two new interns, my friend and another girl. Coincidentally they were both young women and had no experience relevant to the job, proof of quality hiring practices. To make a long story short, the (not terribly large) customer database got hacked and the company was sued. The owner, who had been heavily in debt already, vanished completely. Naturally the whole thing went down in flames and my friend didn't even get a reference out of it.
Most of you are probably sitting there thinking this story is too outlandish to be true. Haha, well, this is the internet so you never know what to trust, but you know there's places out there where things just aren't done the way they're supposed to be. It's shocking what goes on, and there will always be vulnerable servers around.
Getting it down to the numbers in the article this quickly is actually pretty good. The real lesson here is that you need to insulate yourself from the fools who won't take responsibility. Always assume 10% of the internet is out to get you, because they probably are. Hey, I don't even want to think about what 10% of slashdotters would want to do to me. -
Second resolution out of HTTP
HTTP servers send a Date: modifier in their response. It doesn't get you millisecond resolution but it's better than nothing the way some machines' clocks drift.
$ telnet ntp.isc.org 80
Trying 204.152.184.138...
Connected to ntp.isc.org.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Sun, 31 Jul 2005 17:10:58 GMT
Server: Apache
Location: http://ntp.isc.org/bin/view/Main/WebHome
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host. -
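The check the comment describes, as an added example that is not part of the original post: pull the Date header out of a raw response head (constructed here from the transcript above), turn it into a UTC instant, and estimate the local clock's offset while accounting for the two things that limit this method, the whole-second resolution of the header and the unknown point inside the round trip at which the server stamped it. The local time and round trip are constructed values.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed response head, modelled on the telnet transcript above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Sun, 31 Jul 2005 17:10:58 GMT\r\n"
    b"Server: Apache\r\n"
    b"Location: http://ntp.isc.org/bin/view/Main/WebHome\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)
# Constructed local clock reading taken when the response arrived (5 s fast).
SAMPLE_LOCAL_NOW = datetime(2005, 7, 31, 17, 11, 3, tzinfo=timezone.utc)


def parse_http_date(response):
    """Return the Date: header of a raw HTTP response as an aware UTC datetime,
    or None if it is absent or malformed. Header names are case-insensitive."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):      # older/newer Pythons differ here
                return None
            if parsed.tzinfo is None:            # "-0000" style: treat as UTC
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None


def clock_offset(server_date, local_now, round_trip):
    """Estimate (local clock - server clock) in seconds and the uncertainty.
    The server stamps Date somewhere inside the round trip, so the estimate is
    only good to about RTT/2, and the header only carries whole seconds."""
    offset = (local_now - server_date).total_seconds()
    return offset, round_trip / 2 + 1.0


def worth_correcting(offset, uncertainty):
    """Only step the clock when the measured offset exceeds what we can resolve."""
    return abs(offset) > uncertainty


def sample_check(round_trip=0.5):
    """Run the whole procedure over the constructed sample; returns
    (offset, uncertainty, should_correct)."""
    server_date = parse_http_date(SAMPLE_RESPONSE)
    offset, uncertainty = clock_offset(server_date, SAMPLE_LOCAL_NOW, round_trip)
    return offset, uncertainty, worth_correcting(offset, uncertainty)
```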
Re:Mirrors?
-
It can be measured, but not like that
The methodology presented here is deeply flawed: it extrapolates a large number based on a very small sample and on unsupported assumptions about browsing habits. Yet, it is possible to actually measure the number of users with some proper method.
The most obvious method is a basic opinion poll. Take a large enough random sample of the earth population, ask simple questions like "have you used the Internet ever, this year, this month, this week, today", compute the average and extrapolate.
In practice, taking a world-wide poll is not very practical, but it is certainly possible to perform polls on a country by country basis, and then compute the results. In fact, such polls are regularly conducted, and the results are just a google search away, at least for major countries.
Polls are snapshots at a moment in time, and this is problematic. If you don't pay attention, you end up adding the number of users measured in China last January, in the US last month, in Finland in May, etc. So, you want to complement the polls by an indication of trend, something that you can easily measure at frequent intervals.
One possibility is to use Internet host counts, which can be obtained by sampling the DNS (see the Internet Domain Survey). One can measure the number of hosts in a country and the number of users at the time of the poll, the current number of hosts in the same country, and extrapolate.
There are other potential sources, e.g. measure the volume of traffic, the number of dial-up and broadband subscriptions, etc. Again, it is possible to link these numbers to various poll data, and maintain estimates.
By the way, the Internet Domain Survey in January 2005 showed 317.6 million IP addresses in use. The typical broadband connection uses one IP address per household, i.e. for 1 to maybe 4 or 5 users. A dial-up connection typically uses an address only a fraction of the time, so the ratio is even higher. Then, there are about 650 million PCs available worldwide, many of which are shared. Based on that, there were probably somewhere between 500 million and a billion users on the Internet.
-
Re:Again?
sendmail
bind
BSD (FreeBSD)
come back when you have a point to make. -
Re:Two questions
According to a link I just read, POSIX doesn't handle leap seconds. So yes, if you use NTP, like someone else suggested, your time will be correct, but any measurements of time crossing leap seconds won't.
The correct solution in my opinion would be to store leap seconds along with the timezone information. That's really what they are. Unix time could be stored in TAI instead of UTC, and thus subtracting two times from each other would still give the correct result.
Whenever a leap second was announced you'd have to download a new timezone file, and if you didn't download the file in time your displayed time would be off by a second. Alternatively, if you synced using NTP, which is in UTC, and you didn't update your timezone file, then your computer would incorrectly slow down the clock by one second. Once you installed the timezone file, and resynced with NTP, this would be corrected.
Eventually NTP should probably be switched over to TAI. I see a proposal for this in a mailing list in January 2004. Would have been nice to do it before the leap second, but that's probably too soon to expect many people to change at this point.
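The arithmetic behind the comment's point, as an added example that is not part of the original post: POSIX time folds the inserted 23:59:60 into 23:59:59, so a difference taken across a leap second is one second short, while a TAI count derived from a leap-second table (the "store leap seconds alongside the timezone data" idea) stays correct. The table below is a constructed excerpt holding only the two entries around the 2005-12-31 leap second (TAI-UTC went from 32 to 33 s); the function names are my own.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed excerpt of the leap-second table: (first UTC instant at which the
# value applies, TAI - UTC in seconds). A real file lists every entry since 1972.
LEAP_TABLE = [
    (datetime(1999, 1, 1, tzinfo=UTC), 32),
    (datetime(2006, 1, 1, tzinfo=UTC), 33),
]


def tai_minus_utc(utc_dt):
    """TAI - UTC in effect at a UTC instant (datetime itself cannot express :60)."""
    offset = None
    for start, value in LEAP_TABLE:
        if utc_dt >= start:
            offset = value
    if offset is None:
        raise ValueError("instant predates the leap-second table")
    return offset


def posix_seconds(y, mo, d, h, mi, s):
    """What a POSIX clock reports: days * 86400 + seconds, leap seconds ignored.
    The :60 second cannot be represented and is folded into :59."""
    return int(datetime(y, mo, d, h, mi, min(s, 59), tzinfo=UTC).timestamp())


def tai_seconds(y, mo, d, h, mi, s):
    """Seconds of TAI counted from the Unix epoch for a UTC calendar time.
    s == 60 is accepted only where the table says a leap second was inserted."""
    if not 0 <= s <= 60:
        raise ValueError("second out of range")
    base = datetime(y, mo, d, h, mi, min(s, 59), tzinfo=UTC)
    delta = tai_minus_utc(base)
    if s == 60:
        # Valid only if TAI-UTC steps up at the very next UTC second.
        if tai_minus_utc(base + timedelta(seconds=1)) != delta + 1:
            raise ValueError("no leap second at %s" % base.isoformat())
        return int(base.timestamp()) + delta + 1
    return int(base.timestamp()) + delta


def elapsed(t1, t2):
    """(POSIX difference, TAI difference) between two UTC calendar times given
    as (y, mo, d, h, mi, s) tuples. They agree except across a leap second."""
    return (posix_seconds(*t2) - posix_seconds(*t1),
            tai_seconds(*t2) - tai_seconds(*t1))
```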
-
Re:Redundancy is good
Actually some of the nodes do some distribution like ISC's F-root using anycast:
http://www.isc.org/index.pl?/ops/f-root/
The NORDUnet rootserver is also distributed (to three locations in Europe). -
Huh?
-
Ask Paul Vixie to run it
He already runs a successful business.
He's not afraid to make controversial decisions and stand behind them (something one is going to need when one decides to donate to Project X and not to Project Y). -
Secure web browsers already exist.
You can download a copy here.
-
Re:thanks, slashdot
JavaScript turned off
If you really suspect a web site as being a vector for attack, then use lynx and study the output before surfing to it with a modern browser. Alternatively, you could use an anonymous proxy.
-
Contents vs. presentation
Or will SVG work with Lynx?
There is, no doubt, information that is best presented using SVG, but -- with even less doubt -- the feature will be abused to create even more pages that are readable only on the web-author's desktop.
-
Re:Neither!
Good thing I am 16 now
Now is the time to put your nose to the grindstone. Start talking with your school's internship coordinator and start seeing about getting placed someplace where you can geek out and learn more, preferably someplace that you can use the skills you already have while learning new ones. Start hosting your own server (and not on Windows, and do it *all*, right down to hosting your own DNS). I got where I am now with my Linux experience, and extensive knowledge of bind and exim. I also dabble around with mysql and PHP, two things I need to bone up a bit on for my current role.
Being well rounded is also important. Years of Scouting honed my leadership skills and a take-charge attitude to the point that it has received positive attention from my superiors. I hope this at least gives you a starting place.
-
Re:Faulty system
Precisely...
For example, Bind (one of the most popular dns servers) has this in the CHANGES file of its version 9.2.3+:
1429. [bug] Prevent the cache getting locked to old servers.
This bug is ttl related... bind 9.2.2 resets the ttl countdown on cached domains without any reason. It keeps the old zone info forever!!! (until restart or manual cache flush, of course) -
Re:Here are your options
As I understand it, a lot of DNS resolvers are based on BIND code. Note that the link is only the products that openly admit to being based on BIND -- it's anyone's guess as to how many others there are.
-
Re:He means PNG
Get with the program, the beta version of Lynx supports Alpha Channel PNG now.
-
Re:Not a problem
Also not a problem with lynx.
-
Re:Wow. It's been a long time since Microsoft blin
Firefox hangs up its towel after a long hard battle.
Could be. In the war between the lynx browser and the some say superior links browser, lynx hasn't had a new release since Feb 4 2004, over a year now. Perhaps they've thrown in the towel.
But then, links hasn't released anything new since July 24 2004. Perhaps it's just not a very hot war.
Anyone have any news on the text browser war? It doesn't seem to be very well covered.
-
all C programmers?
which last time I checked, all C programmers deal with.
-
Re:Asking /. about Windows software?
another good serverpool:
us.pool.ntp.org
that is if you're in the US
or if you're not in the US, check out: http://ntp.isc.org/bin/view/Servers/NTPPoolServers
for a list of the more nation-specific pool servers -
Re:Mirrors
Even the Mirror list is slow, here are some direct links.
http://www.artfiles.org/mozilla.org/firefox/releases/1.0/ (Germany)
ftp://ftp.lab.kdd.co.jp/Mozilla/firefox/releases/1.0/
http://ftp.kaist.ac.kr/pub/mozilla/firefox/releases/1.0/
ftp://ftp.kaist.ac.kr/pub/mozilla/firefox/releases/1.0/
ftp://ftp.rediris.es/mirror/mozilla/firefox/releases/1.0/
http://ftp.rediris.es/mirror/mozilla/firefox/releases/1.0/
http://sunsite.rediris.es/pub/mozilla.org/firefox/releases/1.0/
ftp://sunsite.rediris.es/pub/mozilla.org/firefox/releases/1.0/
ftp://sunsite.cnlab-switch.ch/mirror/mozilla/firefox/releases/1.0/
ftp://mozilla.isc.org/pub/mozilla.org/firefox/releases/1.0/ (US)
ftp://trillian.cc.gatech.edu/pub/mozilla.org/firefox/releases/1.0/
ftp://mozilla.ussg.indiana.edu/pub/mozilla.org/firefox/releases/1.0/
ftp://mozilla.oregonstate.edu/pub/mozilla.org/firefox/releases/1.0/
http://mirrors.kernel.org/mozilla/firefox/releases/1.0/ (US)
ftp://mirrors.kernel.org/mozilla/firefox/releases/1.0/ (US) -
Mirrors
ftp://mozilla.isc.org/pub/mozilla.org/firefox/releases/1.0/
ftp://mozilla.ussg.indiana.edu/pub/mozilla.org/firefox/releases/1.0/
ftp://mozilla.oregonstate.edu/pub/mozilla.org/firefox/releases/1.0/
Official mozilla.org torrent for Win32:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/win32/en-US/Firefox%20Setup%201.0.exe.torrent -
Re:All browsers?
I use Lynx, you insensitive clod!
Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web! ;)
-
All browsers?
All browsers have been reported vulnerable to different vulnerabilities today.
I use Lynx, you insensitive clod!
CDJ -
Re:I'd Prefer Stoning
This story seems to be about a worm that can infect a machine through the BIND nameserver, if said nameserver is running as root. Not only does this not affect desktop systems (I'm not running my own nameserver, are you?), but it requires you to run BIND as root, which is stupid. Oh, and this article is from year 2001 AND according to it the patch to fix this vulnerability had been out for months at the time the article was published.
Misconfigured server machines running server software that hasn't been patched for three years with root privileges and exposed to the Internet might be hit by a worm. This is certainly alarming and a reason to panic.
Please mod the parent as Troll/Flamebait/FUD as it deserves.
-
Re:huh?
http://www.isc.org/index.pl?/sw/bind/delegation-only.php
Basically you can define certain zones to be delegation-only, or you can tell it that they should all be treated that way, except for the specified list. -
off the top of my head...
- Jörg Schilling, cdrtools
- Donald Becker, linux ethernet drivers, Beowulf
- thekonst, centericq (a console IM client)
- Alan Cox, linux kernel guru (I hate that word, but it fits), including being the primary maintainer of the 2.2 tree
- Paul Vixie, Vixie cron, BIND, ISC
-
Prior Art!
As the 1980s came to a close, a high tech web browsing tool called LYNX stormed the scene. It was the browser of choice on my text only VAX account at Wright State University. The arrow keys moved up and down through the links and the spacebar represented the 'click'. I hope Microsoft sues on this one, so that they can be laughed out of court. You can still download and use Lynx at http://lynx.isc.org/.
SD -
Re:The correct pricing structure for most software
If all software was free, why would anyone bother developing it?
Gee, I can't think of anyone who would develop software without getting paid for it...
But seriously, there are several reasons people would write software whose price is 0:
- People want better software to do $WHATEVER (for values of $WHATEVER that make money, which is most of them), so they write it
- People want to get a job as a programmer so they write a software package to prove they aren't total code monkeys
- People like fame; they like being admired and appreciated
- An industry consortium decides they need an open, standard, free way to do $WHATEVER
- Some people have a political motivation to undermine proprietary software (we may not have that same motivation; but it is a real driving force for some people)
- Some people like to help others (ditto)
- Your company might want to make your product universally (or nearly so) used in order to be able to charge money for training, certification, etc.
- I mentioned 15 high-profile products that are competitive with best-of-breed and are available for $0 (and not all of it is Free as in speech). All of them were written because one of the above bullet points (or one I forgot) applied.
There are lots of motivations for people's actions besides money.
-
Re:Insightful my ass
As the AC above states, BIND hasn't been vulnerable to DNS poisons for many years.
Because system administrators are anal and fail to realize that software like BIND is not written to be secure.
Not sure why you say this, ISC have released a constant stream of patches since BIND was released and every announced security hole has been fixed. Not only that but they even added options to chroot the daemon and run it as an unprivileged user. They also have links on its homepage to guides on how to chroot the entire server.
The BIND company sells patches for their software.
No, they sell support, go read their website. Patches are, and have always been, free.
Still most people use BIND for two reasons: no one wants to learn the crusty details of DNS and
Er, you have to know the crusty details of DNS to be able to write proper zonefiles and configure named.conf otherwise you'll struggle.
2) Linux comes with BIND as its default name library.
Except BIND is a server application, not a library. Linux's DNS library is part of glibc.
Stop slandering the ISC, they do a great job providing some very useful software and they also fix it when problems crop up. -
Re:SSH
Umm... links appears to be a younger, less developed version of the old standby lynx.
In terms of sites, I recommend a local css file to block things like banners, large images, and other bandwidth intensive content. You may even try a css file that strips out everything but text, links, and layout info (e.g., no images, no animations, etc). -
Re:I have a better proposal
...a browser that doesn't have machine learning in it. Seriously, Firefox is slow enough for me. What on earth would you possibly need "machine learning" for in a web page browser? I'd immediately switch back to Opera (I don't use it simply because input forms lag during page-loading, some sort of multithreading issue).
Ah, one of the "I don't want any feature because it will slow down this product even though I have no idea how it is implemented" persons. Don't complain about it until you see it in action. Most of the time people load a page and read it. During this time the processor is often idle (unless you are always running an important time-sensitive task in the background where a 1 second loss over 1 hour is that important; in that case you should get another PC). Plus how long do you think it would take for Opera to incorporate that feature once Firefox does (the next version, perhaps 2 or 3)? So in time you will still have it, but you will also get the input forms lag during page-loading, some sort of multithreading issue.
That kind of automatic crap is the same sort of stuff people would bitch about if Microsoft put it into IE. I mean, do you really want your browser actually learning anything about you? Imagine the havoc it could wreak, especially if trojans started fucking around with it.
Well I never heard much real bitching about IE, except for security issues, and popups, and add/spyware adding (which I think is the same as a security issue). There is a big different to a feature that just finds your browsing habits vs. say downloading any activeX control that has full access to your computer and all the person needs to do is hit yes. This type of feature if done right can be very secure and non evasive to the user.
Just give me the leanest, meanest browser out there. That's all Firefox 2.0 needs to be. Not a damn learning machine. Sheesh.
Well if you want lean and mean then try Lynx, now that is lean and mean. Or if you really want to be an uber geek...
telnet slashdot.org 80 and type your favorite http command.
You have to realize that tools like Firefox are designed for use by the general population and they can't be ultra lean and mean; there are limits because there is a point where the general population won't have most of the features they need or want. Plus if they like it better than the others then it helps too. -
Re:Quote misattributed
it's about the root name servers
No, it's about "one" particular root nameserver, F-root, which is the root ISC operates. It's one IPv4 address, but actually a whole bunch of machines located across the world. -