IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

LOL! D-Link NTP PR SNAFU (and quick beard)

Welcome back to IT Blogwatch, in which D-Link is accused of misusing the Internet's timekeeping infrastructure. Not to mention time-lapse face fungus...

D-Link is causing untold hurt in Denmark -- perhaps other places too. It seems that many of its consumer routers are making unauthorized connections to tier 1 NTP servers (NTP is the Network Time Protocol). Aubrey Turner writes us a spiffing summary: "D-Link is causing considerable grief for a guy in Denmark who was attempting to provide a public service for Denmark's internet infrastructure ... The problem is that a lot of these routers are picking GPS.DIX.dk and are eating up his bandwidth (despite the NTP server’s description showing that it’s intended for the local infrastructure and that end-client use is PROHIBITED) ... Up until now, the management has been allowing him to host the NTP server for free, since he’s providing a service (there would normally be a $4400 connection fee). But because of the traffic, DIX is looking to charge him for the increase in usage."

» Richard Clayton: "Last October I was approached by Poul-Henning Kamp, ... one of the FreeBSD developers. One of his interests is precision timekeeping and he runs a stratum 1 timeserver which is located at DIX, the neutral Danish IX (Internet Exchange Point). Because it provides a valuable service (extremely accurate timing) to Danish ISPs, the charges for his hosting at DIX are waived. Unfortunately, his NTP server has been coming under constant attack by a stream of Network Time Protocol (NTP) time request packets coming from random IP addresses all over the world. These were ... consuming a very great deal of bandwidth. He was very interested in finding out the source of this denial of service attack -- and making it stop! ... the firmware contains a list of 50 or so [tier 1] NTP time servers and it will choose one at random and ask it for the time ... over the years [D-Link] shipped tens of millions of devices. So all of these enquiries add up (especially the unanswered ones)… to about 37 packets a second on each of the world's stratum one timeservers! This isn't how NTP is meant to work. Consumer devices should ask one of their ISP's time service machines (probably running at stratum 3)."

» Poul-Henning Kamp: "When I contacted D-Link back in November 2005 about the way D-Link products abused my NTP-server, I expected to get in touch with somebody who understood what they were talking about, I expected them to admit that D-Link had made a bad decision and I expected that D-Link would make good on the damage they were responsible for. For the last five months I have wasted a lot of time trying to reach some kind of agreement ... I can't quite make up my mind if D-Link's lawyer negotiates in bad faith or is merely uninformed ... I realize that it will be inconvenient and embarrassing for D-Link to have this matter exposed in public this way, but I seem to have no other choice ... hopefully somebody, somewhere in D-Link will contact me so we can get this matter resolved." And later he writes: "it did not occur to me until now that D-Link would be stupid enough to harvest the stratum-1 server list for their devices, but it seems that is exactly what they did ... this calls for serious legal response from the NTP community or the Stratum 1 operators. Does anybody have access to some kick-ass lawyers?"

» Channel9'er spoofnozzle: "as I see it, this problem is really with NTP and the whole stupid stratum system... which relies on everyone to 'play nice' and be a 'good internet citizen' ... The thing needs a re-design, and the stratum system needs to be designed so that access to stratum-1 servers requires authentication, not rely on 'please don't use this server unless you really, really need to'. Ideally, all ISPs should provide at least one (preferably 2) stratum-2 servers. If getting NTP became as easy as getting POP or SMTP, then the whole issue would become a non-event."

» Joseph Koshy: "In 2005, I had the opportunity to visit D-Link India's development office in Bangalore. I found that they were using Linux on a few routers that they were developing. This surprised me ... In response to a direct question, the VP of Development (at Bangalore) indicated that he didn't think that they needed to make the Linux source code that went into their products available to their customers. I didn't have the opportunity to ask why he thought that the GPL didn't apply to his product line ... The impression I came away with after going through the material on the Internet is that D-Link, as a company, gives short shrift to the network of gentlemen's agreements that hold the internet (and modern society) up. They have demonstrated that they are not above abusing a free service if they can find one, and if the anonymous poster's information is correct, that they are willing to work around technical protective blocks with impunity. They use GPL'ed code without honoring its copyright fully and completely. Whether this attitude arises due to malice or due to plain incompetence is not clear yet. Either way, this is one company whose products I'm personally going to avoid in the future, following the principle of giving my business to the least sucky corporation that I can find."

» Last word goes to Andy Smith: "If they weren't so crap already, I might even boycott them. D-Link: Don't understand how not to abuse a public service, and then would rather use a metric f***tonne of lawyers as opposed to a nanoteaspoon of clue."

Buffer overflow:

And finally... time-lapse beard growth [hat tip: b3ta]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.