Does your D-link product need to be on ?? - Routers


  1. Does your D-link product need to be on ??

    You may be aware from the BBC article

    http://news.bbc.co.uk/1/hi/technology/4906138.stm .

    or elsewhere that there is a serious flaw on many D-link products which
    get the time from the Internet using time servers. Whilst many time
    servers are open for anyone to use, D-link products are using those
    which are not.

    The time servers being abused are owned by individuals, the military,
    the US Government, some academic institutions and commercial companies.

    One owner of a Dutch time server at least is incurring very large costs
    due to this and even more costs in paying a consultant to find the problem.

    http://people.freebsd.org/~phk/dlink/

    To my knowledge no owners have asked for users to switch off their
    D-link products, but given they are abusing the time servers, it would
    be sensible to keep them switched off when not absolutely necessary.


    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.



  2. Re: Does your D-link product need to be on ??

    It's not a Dutch but a Danish server.
    "Dave (from the UK)"
    wrote in message news:444119fc@212.67.96.135...
    > You may be aware from the BBC article
    >
    > http://news.bbc.co.uk/1/hi/technology/4906138.stm .
    >
    > or elsewhere that there is a serious flaw on many D-link products which
    > get the time from the Internet using time servers. Whilst many time
    > servers are open for anyone to use, D-link products are using those which
    > are not.
    >
    > The time servers being abused are owned by individuals, the military, the
    > US Government, some academic institutions and commercial companies.
    >
    > One owner of a Dutch time server at least is incurring very large costs
    > due to this and even more costs in paying a consultant to find the
    > problem.
    >
    > http://people.freebsd.org/~phk/dlink/
    >
    > To my knowledge no owners have asked for users to switch off their D-link
    > products, but given they are abusing the time servers, it would be
    > sensible to keep them switched off when not absolutely necessary.




  3. Re: Does your D-link product need to be on ??

    Jakob Salomonsson wrote:

    > It's not a Dutch but a Danish server.


    Sorry. You are right of course - I don't know what I was thinking of there.

    But it now appears there are forty odd servers throughout the world

    http://people.freebsd.org/~phk/dlink/letter2.html

    where this abuse is happening. So people with D-link products might
    well be using several of these without permission.


    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.

  4. Re: Does your D-link product need to be on ??

    It's stupidly done by D-Link.
    "Dave (from the UK)"
    wrote in message news:444133e3@212.67.96.135...
    > Jakob Salomonsson wrote:
    >
    >> It's not a Dutch but a Danish server.

    >
    > Sorry. You are right of course - I don't know what I was thinking of
    > there.
    >
    > But it now appears there are forty odd servers throughout the world
    >
    > http://people.freebsd.org/~phk/dlink/letter2.html
    >
    > where this abuse is happening. So people with D-link products might well
    > be using several of these without permission.




  5. Re: Does your D-link product need to be on ??

    Scott Alfter wrote:

    > It would be even more sensible to change router settings to use an alternate
    > address (like us.pool.ntp.org) instead. Instead of your router pinging
    > addresses it shouldn't when it's on, it'll never ping those addresses at
    > all. There's an option in there (in the DI-604, at least) to specify an NTP
    > server to use. Fill it with something from *.pool.ntp.org and you're all
    > set.


    True, but for many models the time servers can't be changed - the
    DWL-700AP I own is one such model. But the time servers it uses are OK
    to use.
    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.

  6. Re: Does your D-link product need to be on ??

    nobody@nowhere.net wrote:
    >
    > My old DI-804U doesn't seem to have such an option. But it surely
    > pre-dates 2005 (that's when the problem started, as the BBC article
    > states).
    >
    > NNN


    That BBC article is not well written, so I would not tend to put much
    weight on what it says.

    Although the issue with the Danish time server started in 2005, there
    are many other time servers which are being accessed by D-link products
    which have restricted access.

    I have no idea if the names or IP addresses of any of those time servers
    were coded into older models - I suggest you ask D-link about the
    particular model(s) you have. You can get to their support page at:

    http://support.dlink.com/


    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.

  7. Re: Does your D-link product need to be on ??

    On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
    wrote:

    >You may be aware from the BBC article
    >
    >http://news.bbc.co.uk/1/hi/technology/4906138.stm .


    Hmmm, usual Bimbo Broadcasting "Science & Technology" reporting job. Where
    do they get those people?

    >or elsewhere that there is a serious flaw on many D-link products which
    >get the time from the Internet using time servers. Whilst many time
    >servers are open for anyone to use, D-link products are using those
    >which are not.


    Uhh.... where are those "many time servers"?

    >The time servers being abused are owned by individuals, the military,
    >the US Government, some academic institutions and commercial companies.
    >
    >One owner of a Dutch time server at least is incurring very large costs
    >due to this and even more costs in paying a consultant to find the problem.
    >
    >http://people.freebsd.org/~phk/dlink/
    >
    >To my knowledge no owners have asked for users to switch off their
    >D-link products, but given they are abusing the time servers, it would
    >be sensible to keep them switched off when not absolutely necessary.


    This is not a question of "switch off". In fact, if the gateway/routers
    work well this would aggravate the "problem" because every switch-on would
    cause a look-up. Besides, people with ADSL or cable access want/need a
    permanent connection anyway.

    Why don't you check the NTP server which your Internet Gateway/router is
    using for NTP look-up? Mine -- not a D-Link -- is set from the factory to
    look up clock.isc.org and is so documented in the mfr's docs. In fact I've
    tried to find a Stratum-2 NTP server but none of those which were
    "documented" worked. The problem here is that the NTP "community" has
    their heads up their a... err, in the sand with their "open access - please
    notify by e-mail" and "use name only" comments and their docs are either
    obsolete or impossible to follow. D'oh, this is not a lot of help.

    In the office I have our DC set to use time.nist.gov because I couldn't
    find anything else which worked - my ISP has a NTP. which maps to
    an IP address but the time look-up fails there. I suppose there's
    time.windows.com but I had trouble getting a response there - hardly
    surprising because that's what every (U.S.) Windows XP system is set to
    use.... and do we all want to depend on Bill Gates for our clock-time
    now?;-)

    I wonder how the conclusion was reached that *only* D-Link was at fault
    here? AFAIK D-Link is one of the few vendors which actually makes such
    equipment - it might be that their OEMs don't reprogram the NTP-Server
    field/algorithm in the configuration. It could also be that D-Link owners
    spend a lot of time re-booting their gateway/routers.:-) If the Danish guy
    is getting a lot of hits, who do you think is responsible for programming
    his NTP Server address into D-Link routers?

    Calling this "vandalism" and "abuse" is nuts IMO. If you set up a Time
    Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
    obsolete, non-functioning addresses. I have to ask what gateway/router
    vendors are supposed to program into their devices for "default" NTP
    look-up, given that most end-users are not expert enough to be fiddling
    with the configuration settings. Ideally, the ISP who supplies them to
    end-users would have a functioning NTP Server and then program that address
    in before delivery but that does not happen... apparently.

    --
    Rgds, George Macdonald

  8. Re: Does your D-link product need to be on ??

    George Macdonald wrote:
    > On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
    > wrote:
    >
    >
    >>You may be aware from the BBC article
    >>
    >>http://news.bbc.co.uk/1/hi/technology/4906138.stm .

    >
    >
    > Hmmm, usual Bimbo Broadcasting "Science & Technology" reporting job. Where
    > do they get those people?


    Yes - I agree. That is particularly badly written I think.

    >>or elsewhere that there is a serious flaw on many D-link products which
    >>get the time from the Internet using time servers. Whilst many time
    >>servers are open for anyone to use, D-link products are using those
    >>which are not.

    >
    >
    > Uhh.... where are those "many time servers"?


    http://ntp.isc.org/bin/view/Servers/WebHome

    > Why don't you check the NTP server which your Internet Gateway/router is
    > using for NTP look-up?


    I have done - but it is not easy to do.

    It required downloading the firmware, decompressing *part* of the file
    and then using the strings command in UNIX to find the IP addresses.
    From that, the name of the servers could be found.

    The guy in Denmark whose time-server is affected told me how to do it.

    > Mine -- not a D-Link -- is set from the factory to
    > look up clock.isc.org and is so documented in the mfr's docs.


    I doubt you should be using that.

    http://ntp.isc.org/bin/view/Servers/ClockIscOrg

    ServiceArea: BARRnet, Alternet-west, CIX-west
    AccessPolicy: OpenAccess

    > In fact I've
    > tried to find a Stratum-2 NTP server but none of those which were
    > "documented" worked. The problem here is that the NTP "community" has
    > their heads up their a... err, in the sand with their "open access - please
    > notify by e-mail" and "use name only" comments and their docs are either
    > obsolete or impossible to follow. D'oh, this is not a lot of help.


    Have a look at the above site and find one. Or use this (explanation a
    bit further down)

    Worldwide pool.ntp.org
    Asia asia.pool.ntp.org
    Europe europe.pool.ntp.org
    North America north-america.pool.ntp.org
    Oceania oceania.pool.ntp.org
    South America south-america.pool.ntp.org

    > Calling this "vandalism" and "abuse" is nuts IMO.


    What is abuse then? According to

    http://en.wikipedia.org/wiki/Abuse

    * Abuse is a general term for the use or treatment of
    * something (person, thing, idea, etc.) that causes some
    * kind of harm (to the abused person or thing, to the
    * abusers themselves, or to someone else) or is unlawful
    * or wrongful.

    If, as in this case, Poul-Henning is getting a large bill for the
    lookups, which are making up 90% of his traffic, then it is causing him
    harm. So it is abuse.

    > If you set up a Time
    > Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
    > obsolete, non-functioning addresses.


    I don't think it is a mess, but even if it was, that does not excuse you
    using one you don't have permission to use.

    My computer might be slow. Does that mean I can use your computer's
    resources without your permission?

    > I have to ask what gateway/router
    > vendors are supposed to program into their devices for "default" NTP
    > look-up, given that most end-users are not expert enough to be fiddling
    > with the configuration settings.


    How about gateway/router vendors providing their own time servers,
    rather than use others without permission? It is not actually that
    expensive. A GPS receiver with a 1 pulse per second output connected to
    a Stanford Research PRS-10 rubidium source would make a nice one with a
    72-hour holdover for stratum 2 if the GPS is lost.

    Or vendors can use a pool that have agreed to be in a pool

    http://ntp.isc.org/bin/view/Servers/NTPPoolServers

    i.e.

    Worldwide pool.ntp.org
    Asia asia.pool.ntp.org
    Europe europe.pool.ntp.org
    North America north-america.pool.ntp.org
    Oceania oceania.pool.ntp.org
    South America south-america.pool.ntp.org

    There are several more ways they could do it. They could for example use
    something like DNS. The router contacts the vendor's server which
    returns the IP address of a publicly available time server. The router
    then connects to that to get the time.

    There are *many* ways this could be implemented, but using a random NTP
    server that does not allow access is not a good way.

    > Ideally, the ISP who supplies them to
    > end-users would have a functioning NTP Server and then program that address
    > in before delivery but that does not happen... apparently.


    Also, many like myself don't use a modem supplied by my ISP. And there
    are other devices, like my WiFi adapter which are not supplied by the ISP.


    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.
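The firmware check described in the post above (decompress part of the image, then run `strings` and look for addresses) can be scripted. This is an added example, not code from the thread or from D-Link; the sample image, its key names and its addresses are constructed, using documentation-range IPs.

```python
import re
import zlib

# Printable ASCII runs of at least 6 bytes: the same idea as strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
TIME_HINT = re.compile(r"ntp|time|clock|tick|tock", re.I)

# Stream headers to look for: three common zlib headers and gzip.
MAGICS = ((b"\x78\x9c", 15), (b"\x78\xda", 15), (b"\x78\x01", 15),
          (b"\x1f\x8b\x08", 31))


def embedded_streams(blob):
    """Yield (offset, data) for each zlib/gzip stream that decompresses."""
    for magic, wbits in MAGICS:
        start = blob.find(magic)
        while start != -1:
            try:
                data = zlib.decompressobj(wbits).decompress(blob[start:])
                if data:
                    yield start, data
            except zlib.error:
                pass  # the magic bytes occurred by chance
            start = blob.find(magic, start + 1)


def valid_ipv4(text):
    """Reject dotted quads such as version numbers with an octet > 255."""
    return all(int(part) <= 255 for part in text.split("."))


def time_server_candidates(blob):
    """Return sorted (kind, value) pairs found in the raw image and in
    every compressed region inside it. These are candidates only: a
    dotted version string with small numbers still looks like an IP."""
    regions = [blob] + [data for _, data in embedded_streams(blob)]
    found = set()
    for region in regions:
        for run in PRINTABLE.findall(region):
            text = run.decode("ascii")
            for ip in IPV4.findall(text):
                if valid_ipv4(ip):
                    found.add(("ipv4", ip))
            for host in HOSTNAME.findall(text):
                if TIME_HINT.search(host):
                    found.add(("host", host.lower()))
    return sorted(found)


def build_sample_firmware():
    """Constructed image: a header, then a zlib-compressed config area."""
    config = (b"sntp_server1=192.0.2.17\x00"
              b"sntp_server2=198.51.100.42\x00"
              b"sntp_server3=ntp1.example.net\x00"
              b"fw_build=999.1.2.3\x00")
    header = b"HDR0" + bytes(range(16)) + b"bootloader v2\x00"
    return header + zlib.compress(config) + b"\xff" * 32


if __name__ == "__main__":
    for kind, value in time_server_candidates(build_sample_firmware()):
        print(kind, value)
```

Each reported address still has to be checked against the server operator's published access policy before concluding the device is using it without permission.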

  9. Re: Does your D-link product need to be on ??

    On Sun, 16 Apr 2006 02:08:58 +0100, "Dave (from the UK)"
    wrote:

    >George Macdonald wrote:
    >> On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
    >> wrote:


    >>
    >> Uhh.... where are those "many time servers"?

    >
    >http://ntp.isc.org/bin/view/Servers/WebHome


    Yeah I know where the "list" is but like I've said, many just don't work -
    the list is obsolete.

    >> Why don't you check the NTP server which your Internet Gateway/router is
    >> using for NTP look-up?

    >
    >I have done - but it is not easy to do.
    >
    >It required downloading the firmware, decompressing *part* of the file
    >and then using the strings command in UNIX to find the IP addresses.
    > From that, the name of the servers could be found.
    >
    >The guy in Denmark whose time-server is affected told me how to do it.


    So they're selling routers which are not configurable for that setting? I
    haven't seen a lot of different brands but my router does not show or allow
    changing the setting from its Web-based interface - have to use the Command
    Line from a Telnet session... which means reading the docs. This is not
    stuff for the average "consumer".

    >> Mine -- not a D-Link -- is set from the factory to
    >> look up clock.isc.org and is so documented in the mfr's docs.

    >
    >I doubt you should be using that.
    >
    >http://ntp.isc.org/bin/view/Servers/ClockIscOrg
    >
    >ServiceArea: BARRnet, Alternet-west, CIX-west
    >AccessPolicy: OpenAccess


    Why should I not use it? It's one of the few with Open Access and no
    notification message required. It's even possible that the router mfr has
    obtained permission based on assurances of non-abuse and reasonably coded
    frequency of look-ups. If someone wants me to obey some "Service Area"
    convention, they'd better explain what that means - no such explanation is
    easily found.

    >> Calling this "vandalism" and "abuse" is nuts IMO.

    >
    >What is abuse then? According to
    >
    >http://en.wikipedia.org/wiki/Abuse
    >
    >* Abuse is a general term for the use or treatment of
    >* something (person, thing, idea, etc.) that causes some
    >* kind of harm (to the abused person or thing, to the
    >* abusers themselves, or to someone else) or is unlawful
    >* or wrongful.
    >
    >If, as in this case, Poul-Henning is getting a large bill for the
    >lookups, which are making up 90% of his traffic, then it is causing him
    >harm. So it is abuse.


    "Vandalism" requires some intent to do harm or "abuse". This was a mistake
    - the indignation of the recipient is overblown IMO given the extent of
    (lack of) guidance offered by, and the functional state of, the NTP
    infrastructure. It also appears that DK has no Stratum-2 servers at all
    and only two Restricted Access ones in Stratum-1 which both say "Open
    access to servers, please, no client use". Hmm, difficult to know what
    they mean by "servers" but it does seem like there is a problem with the DK
    Internet NTP infrastructure.

    The ethics of the situation are quite well covered in the University of
    Wisconsin/Netgear case - there's plenty of blame to go around and plenty of
    targets - things could have been done better all around.

    >> If you set up a Time
    >> Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
    >> obsolete, non-functioning addresses.

    >
    >I don't think it is a mess, but even if it was, that does not excuse you
    >using one you don't have permission to use.


    When you go look up a source of documentation, and follow their obscure,
    poorly written descriptions, written in their byzantine terminology, and
    find that after trying 3 or 4 of the apparently recommended "active" sites
    and none of them work, frustration generally leads to something which does
    work... even if it requires a "notification message".

    >My computer might be slow. Does that mean I can use your computer's
    >resources without your permission?


    Ridiculous extrapolation. For one thing, I do not "publish" the method of
    access to my computer. What will most people do when faced with "here it
    is; don't use it... but nothing else, which is geographically close, is
    available"?

    >> I have to ask what gateway/router
    >> vendors are supposed to program into their devices for "default" NTP
    >> look-up, given that most end-users are not expert enough to be fiddling
    >> with the configuration settings.

    >
    >How about gateway/router vendors providing their own time servers,
    >rather than use others without permission? It is not actually that
    >expensive. A GPS receiver with a 1 pulse per second output connected to
    >a Stanford Research PRS-10 rubidium source would make a nice one with a
    >72-hour holdover for stratum 2 if the GPS is lost.
    >
    >Or vendors can use a pool that have agreed to be in a pool
    >
    >http://ntp.isc.org/bin/view/Servers/NTPPoolServers
    >
    >i.e.
    >
    >Worldwide pool.ntp.org
    >Asia asia.pool.ntp.org
    >Europe europe.pool.ntp.org
    >North America north-america.pool.ntp.org
    >Oceania oceania.pool.ntp.org
    >South America south-america.pool.ntp.org
    >
    >There are several more ways they could do it. They could for example use
    >something like DNS. The router contacts the vendor's server which
    >returns the IP address of a publicly available time server. The router
    >then connects to that to get the time.
    >
    >There are *many* ways this could be implemented, but using a random NTP
    >server that does not allow access is not a good way.


    Making up rules after the fact is always easy. AFAIK the "pool" concept is
    relatively new - things are continually evolving here and the rules in
    place now are not necessarily what was offered when firmware for any given
    router was being written. Also, the "Rules of Engagement" and other docs
    are hardly written for a quick reference.

    >> Ideally, the ISP who supplies them to
    >> end-users would have a functioning NTP Server and then program that address
    >> in before delivery but that does not happen... apparently.

    >
    >Also, many like myself don't use a modem supplied by my ISP. And there
    >are other devices, like my WiFi adapter which are not supplied by the ISP.


    I'd think *most* gateway/routers are acquired by end-users and SMBs from an
    ISP - it would certainly help if NTP had a similar hierarchical structure
    to DNS name caching.

    --
    Rgds, George Macdonald

  10. Re: Does your D-link product need to be on ??

    George Macdonald wrote:
    >
    >>http://ntp.isc.org/bin/view/Servers/WebHome

    >
    >
    > Yeah I know where the "list" is but like I've said, many just don't work -
    > the list is obsolete.


    Most seem to work for me, but I use a Sun workstation, not a D-link
    router, so I can't say I have tried with this. I suspect the muppet
    routers don't implement the protocol as well as the Sun.

    > So they're selling routers which are not configurable for that setting? I
    > haven't seen a lot of different brands but my router does not show or allow
    > changing the setting from its Web-based interface - have to use the Command
    > Line from a Telnet session... which means reading the docs. This is not
    > stuff for the average "consumer".


    I'm not aware it can be done on mine at all. Luckily, none accessed have
    any restrictions.


    >>ServiceArea: BARRnet, Alternet-west, CIX-west
    >>AccessPolicy: OpenAccess

    >
    >
    > Why should I not use it? It's one of the few with Open Access and no
    > notification message required. It's even possible that the router mfr has
    > obtained permission based on assurances of non-abuse and reasonably coded
    > frequency of look-ups. If someone wants me to obey some "Service Area"
    > convention, they'd better explain what that means - no such explanation is
    > easily found.


    The ServiceArea is the geographic and/or network area the TimeServer is
    intended to serve.

    >>>Calling this "vandalism" and "abuse" is nuts IMO.




    > "Vandalism" requires some intent to do harm or "abuse".


    I personally did not use the word vandalism. But I think abuse is correct.

    > It also appears that DK has no Stratum-2 servers at all
    > and only two Restricted Access ones in Stratum-1 which both say "Open
    > access to servers, please, no client use". Hmm, difficult to know what
    > they mean by "servers" but it does seem like there is a problem with the DK
    > Internet NTP infrastructure.


    Well, you don't have to use a local server and should not use a local
    one if it restricts access.

    >>My computer might be slow. Does that mean I can use your computer's
    >>resources without your permission?

    >
    >
    > Ridiculous extrapolation. For one thing, I do not "publish" the method of
    > access to my computer.


    I accept there is a *big* difference between intentionally hacking a
    machine (me hacking yours) and you or anyone else using an NTP server
    without realizing it. One is an accident, the other a deliberate act.

    But once you are aware you are not welcome at an NTP server, then I
    think the difference disappears.

    I will ask you the same question I asked the person posting as:

    Borked Pseudo Mail - 'nobody@pseudo.borked.net'

    If you were asked by an NTP server administrator (such as the owner of
    the Danish one) to stop accessing that server, and you were unable to do
    so by a firmware upgrade or reconfiguring the router, would you continue
    to access his server, even though he had asked you not to? If you had
    no other option, would you switch your router/modem off and not use it?

    Furthermore, what if the person asking you was from the US government or
    the US Navy, both of whose time servers are being abused? Would you
    continue to use their time servers if you had no way of stopping your
    D-link product from doing it without switching it off?

    BTW, your ISP, Tellurian, might have something to say about it, as it
    would be against their rules:

    http://www.tellurian.com/usagepolicy.asp

    In particular:

    * Any "denial of service" attack, any attempt to breach
    * authentication or security measures, or any unauthorized attempt
    * to gain access to any other account, host or network is
    * prohibited, and will result in immediate service termination,
    * which may be without notice.

    I think you using the NTP server then would be an unauthorized attempt
    to gain access to another host.

    > What will most people do when faced with "here it
    > is; don't use it... but nothing else, which is geographically close, is
    > available"?


    So that makes it right?

    I suggest if they are in the US, it would be rather foolish to continue
    to do it should a US government or navy official ask you to stop.

    >>There are *many* ways this could be implemented, but using a random NTP
    >>server that does not allow access is not a good way.

    >
    >
    > Making up rules after the fact is always easy. AFAIK the "pool" concept is
    > relatively new - things are continually evolving here and the rules in
    > place now are not necessarily what was offered when firmware for any given
    > router was being written. Also, the "Rules of Engagement" and other docs
    > are hardly written for a quick reference.


    No, the rules were in place before. I am not suggesting any rules at all.

    If vendors chose to implement products which use NTP servers it is up to
    them to work out how to do it without accessing other servers their
    intended end users are not supposed to. It is not up to me, or anyone
    else to tell them how to do it. I am just saying there are ways, but it
    is their decision. The rules have been in place a long while.

    >>>Ideally, the ISP who supplies them to
    >>>end-users would have a functioning NTP Server and then program that address
    >>>in before delivery but that does not happen... apparently.

    >>
    >>Also, many like myself don't use a modem supplied by my ISP. And there
    >>are other devices, like my WiFi adapter which are not supplied by the ISP.

    >
    >
    > I'd think *most* gateway/routers are acquired by end-users and SMBs from an
    > ISP - it would certainly help if NTP had a similar hierarchical structure
    > to DNS name caching.


    I suspect, but don't know, that for a gateway router where the time can
    only be set to 1 second resolution, it makes no difference if you use a
    near or distant NTP server. The protocol corrects for network delays.
    Correction improves when multiple time servers are used but I doubt it
    is necessary unless the resolution is better than 1 second.

    On my own system, 5 time servers are used and corrections rarely exceed
    50 ms.

    My PDA usually syncs to a local time server (one of my own computers),
    but even if I send it to a distant one the other side of the Atlantic,
    the corrections are under 1 s.

    But to what accuracy you can set the time is really irrelevant for the
    discussion. You should not access ones you are not welcome at and to me
    at least continuing to do so once you are aware of the issue is no
    different from hacking another machine.

    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.
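The post above says the protocol corrects for network delay and that a client should stop once it knows it is not welcome. The added example below (not code from the thread or from any router firmware) shows both on the client side: it computes offset and delay from the four timestamps of an SNTP exchange, and it honours the Kiss-o'-Death codes DENY, RSTR and RATE defined in the NTP specification (RFC 5905). All packets, delays and the 0.25 s clock error are constructed.

```python
import struct

# 48-byte NTP header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps.
NTP_FORMAT = "!BBbbII4sQQQQ"
KISS_ACTIONS = {"DENY": "stop", "RSTR": "stop", "RATE": "slow_down"}
BASE = 3354000000.0  # constructed client send time, seconds since 1900


def to_ntp(seconds):
    """Seconds since 1900 -> 32.32 fixed-point NTP timestamp."""
    return int(round(seconds * 2 ** 32))


def from_ntp(raw):
    return raw / 2 ** 32


def build_reply(t1, t2, t3, stratum=2, refid=b"\xc0\x00\x02\x01", leap=0):
    """Constructed server reply (version 4, mode 4) for the demo."""
    first = (leap << 6) | (4 << 3) | 4
    return struct.pack(NTP_FORMAT, first, stratum, 6, -20, 0, 0, refid,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def evaluate_reply(packet, t1, t4):
    """Decide what a well-behaved client does with one reply.
    t1 = client send time, t4 = client receive time (client clock)."""
    if len(packet) < 48:
        return {"action": "discard", "reason": "short packet"}
    (first, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, origin, receive, transmit) = struct.unpack(NTP_FORMAT, packet[:48])
    leap, mode = first >> 6, first & 0x7
    if mode != 4:
        return {"action": "discard", "reason": "not a server reply"}
    # Checked before anything else so a forged reply, including a forged
    # Kiss-o'-Death, that does not echo our request is ignored.
    if origin != to_ntp(t1):
        return {"action": "discard", "reason": "origin mismatch"}
    if stratum == 0:
        code = refid.decode("ascii", "replace")
        return {"action": KISS_ACTIONS.get(code, "discard"),
                "reason": "kiss-o'-death " + code}
    if leap == 3 or transmit == 0:
        return {"action": "discard", "reason": "server unsynchronised"}
    t2, t3 = from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the client clock is off
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server time
    return {"action": "accept", "offset": offset, "delay": delay}


def simulate(out_delay, back_delay, clock_error=0.25, processing=2 ** -10):
    """One exchange with a client clock that is clock_error seconds slow."""
    t1 = BASE
    t2 = t1 + clock_error + out_delay       # server clock at arrival
    t3 = t2 + processing                    # server clock at departure
    t4 = t3 - clock_error + back_delay      # client clock at arrival
    return evaluate_reply(build_reply(t1, t2, t3), t1, t4)


def kiss_of_death(code):
    """Reply a server sends when it wants the client to go away."""
    packet = build_reply(BASE, 0, 0, stratum=0, refid=code)
    return evaluate_reply(packet, BASE, BASE + 0.05)


if __name__ == "__main__":
    print("near   ", simulate(2 ** -7, 2 ** -7))
    print("distant", simulate(0.0625, 0.125))
    print("denied ", kiss_of_death(b"DENY"))
```

With symmetric paths the 0.25 s error is recovered exactly; with the asymmetric long path the estimate is 0.21875 s, an error of half the path asymmetry, which is far below a 1 second clock resolution.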

  11. Re: Does your D-link product need to be on ??

    On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
    put finger to
    keyboard and composed:

    >You may be aware from the BBC article
    >
    >http://news.bbc.co.uk/1/hi/technology/4906138.stm .
    >
    >or elsewhere that there is a serious flaw on many D-link products which
    >get the time from the Internet using time servers. Whilst many time
    >servers are open for anyone to use, D-link products are using those
    >which are not.


    I have a DSL-302G modem/router. I don't use SNTP because the modem
    appears to write the updated time to its flash EEPROM every 15
    minutes. If I ran it 24/7, then this would result in approximately
    32,000 writes per year. IMO, it would have been better for the time to
    have been stored in RAM.

    - Franc Zabkar
    --
    Please remove one 'i' from my address when replying by email.

  12. Re: Does your D-link product need to be on ??

    In article ,
    fzabkar@iinternode.on.net says...
    > On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
    > put finger to
    > keyboard and composed:
    >
    > >You may be aware from the BBC article
    > >
    > >http://news.bbc.co.uk/1/hi/technology/4906138.stm .
    > >
    > >or elsewhere that there is a serious flaw on many D-link products which
    > >get the time from the Internet using time servers. Whilst many time
    > >servers are open for anyone to use, D-link products are using those
    > >which are not.

    >
    > I have a DSL-302G modem/router. I don't use SNTP because the modem
    > appears to write the updated time to its flash EEPROM every 15
    > minutes. If I ran it 24/7, then this would result in approximately
    > 32,000 writes per year. IMO, it would have been better for the time to
    > have been stored in RAM.


    ...and it wouldn't last more than 30 years at that rate! Sheesh!

    --
    Keith

  13. Re: Does your D-link product need to be on ??

    Dave (from the UK) wrote:
    > You may be aware from the BBC article
    >
    > http://news.bbc.co.uk/1/hi/technology/4906138.stm .
    >
    > or elsewhere that there is a serious flaw on many D-link products which
    > get the time from the Internet using time servers. Whilst many time
    > servers are open for anyone to use, D-link products are using those
    > which are not.
    >
    > The time servers being abused are owned by individuals, the military,
    > the US Government, some academic institutions and commercial companies.
    >
    > One owner of a Dutch time server at least is incurring very large costs
    > due to this and even more costs in paying a consultant to find the problem.
    >
    > http://people.freebsd.org/~phk/dlink/
    >
    > To my knowledge no owners have asked for users to switch off their
    > D-link products, but given they are abusing the time servers, it would
    > be sensible to keep them switched off when not absolutely necessary.
    >
    >


    Not if it defaults to a 24 hour update like mine does as I doubt very many
    broadband users operate their machine(s) less than once a day. And if it
    syncs at power up your suggestion would make the problem worse.


  14. Re: Does your D-link product need to be on ??

    Dave (from the UK) wrote:

    > George Macdonald wrote:
    >
    >>
    >>> http://ntp.isc.org/bin/view/Servers/WebHome

    >>
    >>
    >>
    >> Yeah I know where the "list" is but like I've said, many just don't work -
    >> the list is obsolete.

    >
    >
    > Most seem to work for me, but I use a Sun workstation, not a D-link
    > router, so I can't say I have tried with this. I suspect the muppet
    > routers don't implement the protocol as well as the Sun.
    >
    >> So they're selling routers which are not configurable for that
    >> setting? I haven't seen a lot of different brands but my router does
    >> not show or allow changing the setting from its Web-based interface -
    >> have to use the Command Line from a Telnet session... which means
    >> reading the docs. This is not stuff for the average "consumer".

    >
    >
    > I'm not aware it can be done on mine at all. Luckily, none accessed have
    > any restrictions.


    A bit Draconian to hold the user 'responsible' for something they're not
    only clueless about but unable to change even if they knew, don't you think?


    >>> ServiceArea: BARRnet, Alternet-west, CIX-west
    >>> AccessPolicy: OpenAccess

    >>
    >>
    >>
    >> Why should I not use it? It's one of the few with Open Access and no
    >> notification message required. It's even possible that the router mfr
    >> has obtained permission based on assurances of non-abuse and reasonably
    >> coded frequency of look-ups. If someone wants me to obey some "Service
    >> Area" convention, they'd better explain what that means - no such
    >> explanation is easily found.

    >
    >
    > The ServiceArea is the geographic and/or network area the TimeServer is
    > intended to serve.
    >
    >>>> Calling this "vandalism" and "abuse" is nuts IMO.

    >
    >
    >
    >
    >> "Vandalism" requires some intent to do harm or "abuse".

    >
    >
    > I personally did not use the word vandalism. But I think abuse is correct.


    The question is 'who'?, knowledge, and intent.


    >> It also appears that DK has no Stratum-2 servers at all
    >> and only two Restricted Access ones in Stratum-1 which both say "Open
    >> access to servers, please, no client use". Hmm, difficult to know what
    >> they mean by "servers" but it does seem like there is a problem with
    >> the DK Internet NTP infrastructure.

    >
    >
    > Well, you don't have to use a local server and should not use a local
    > one if it restricts access.
    >
    >>> My computer might be slow. Does that mean I can use your computer's
    >>> resources without your permission?

    >>
    >>
    >>
    >> Ridiculous extrapolation. For one thing, I do not "publish" the
    >> method of access to my computer.

    >
    >
    > I accept there is a *big* difference between intentionally hacking a
    > machine (me hacking yours) and you or anyone else using an NTP server
    > without realizing it. One is an accident, the other a deliberate act.
    >
    > But once you are aware you are not welcome at an NTP server,


    And just how is the individual user made 'aware'? And that includes made
    'aware' by an authority recognized to have the claimed authority.


    > then I
    > think the difference disappears.


    Things are seldom that simple and especially not when trying to lay blame
    and responsibility on people who had not one shred of participation in, nor
    knowledge of, the decisions leading to the alleged 'abuse'.


    > I will ask you the same question I asked the person posting as:
    >
    > Borked Pseudo Mail - 'nobody@pseudo.borked.net'
    >
    > If you were asked by an NTP server administrator (such as the owner of
    > the Danish one) to stop accessing that server, and you were unable to do
    > so by a firmware upgrade or reconfiguring the router, would you continue
    > to access his server, even though he had asked you not to?


    First, your premise is self serving, pardon the pun. Accessing his server?
    You must be kidding. According to your comments above there's essentially
    no way for the user to even know a server is being accessed at all and now
    someone completely unknown claims a 'perfectly fine', according to the
    manufacturer of said item, is 'abusing' his server? Why should the end user
    believe this story?

    > If you had
    > no other option, would you switch your router/modem off and not use it?


    Now the end user *knows* he's kidding, or has no idea what the heck he's
    talking about, or is some new kind of internet fraud.

    > Furthermore, what if the person asking you was from the US government or
    > the US Navy, both of whose timeservers are being abused? Would you
    > continue to use their time servers if you had no way of stopping your
    > D-link product from doing it without switching it off?


    The end user has no reason to worry about such a scenario because the gov
    knows who to go after: the manufacturer.


    > BTW, your ISP, Tellurian, might have something to say about it, as it
    > would be against their rules:
    >
    > http://www.tellurian.com/usagepolicy.asp
    >
    > In particular:
    >
    > * Any "denial of service" attack, any attempt to breach
    > * authentication or security measures, or any unauthorized attempt
    > * to gain access to any other account, host or network is
    > * prohibited, and will result in immediate service termination,
    > * which may be without notice.
    >
    > I think you using the NTP server then would be an unauthorized attempt
    > to gain access to another host.


    The user is doing *nothing* nor making any 'attempt' to do something nor
    even aware anything is being done.


    >> What will most people do when faced with "here it
    >> is; don't use it... but nothing else, which is geographically close, is
    >> available"?

    >
    >
    > So that makes it right?
    >
    > I suggest if they are in the US, it would be rather foolish to continue
    > to do it should a US government or navy official ask you to stop.


    Maybe I missed it but I'm not aware of any 'US government' announcement to
    stop using home routers.

    >
    >>> There are *many* ways this could be implemented, but using a random
    >>> NTP server that does not allow access is not a good way.

    >>
    >>
    >>
    >> Making up rules after the fact is always easy. AFAIK the "pool"
    >> concept is relatively new - things are continually evolving here and
    >> the rules in place now are not necessarily what was offered when
    >> firmware for any given router was being written. Also, the "Rules of
    >> Engagement" and other docs are hardly written for a quick reference.

    >
    >
    > No, the rules were in place before. I am not suggesting any rules at all.
    >
    > If vendors chose to implement products which use NTP servers it is up to
    > them to work out how to do it without accessing other servers their
    > intended end users are not supposed to. It is not up to me, or anyone
    > else to tell them how to do it. I am just saying there are ways, but it
    > is their decision. The rules have been in place a long while.
    >
    >>>> Ideally, the ISP who supplies them to
    >>>> end-users would have a functioning NTP Server and then program that
    >>>> address in before delivery but that does not happen... apparently.
    >>>
    >>>
    >>> Also, many like myself don't use a modem supplied by my ISP. And
    >>> there are other devices, like my WiFi adapter which are not supplied
    >>> by the ISP.

    >>
    >>
    >>
    >> I'd think *most* gateway/routers are acquired by end-users and SMBs
    >> from an ISP - it would certainly help if NTP had a similar hierarchical
    >> structure to DNS name caching.

    >
    >
    > I suspect, but don't know, that for a gateway router where the time can
    > only be set to 1 second resolution, it makes no difference if you use a
    > near or distant NTP server. The protocol corrects for network delays.
    > Correction improves when multiple time servers are used but I doubt it
    > is necessary unless the resolution is better than 1 second.
    >
    > On my own system, 5 time servers are used and corrections rarely exceed
    > 50 ms.
    >
    > My PDA usually syncs to a local time server (one of my own computers),
    > but even if I send it to a distant one the other side of the Atlantic,
    > the corrections are under 1 s.
    >
    > But to what accuracy you can set the time is really irrelevant for the
    > discussion. You should not access ones you are not welcome at and to me
    > at least continuing to do so once you are aware of the issue is no
    > different from hacking another machine.
    >


    And if you got an unsolicited phone call from someone you never heard of
    saying your perfectly fine coffee maker was screwing up their toaster oven
    on the other side of the world you'd immediately unplug the thing and stop
    using it, right?

    The point isn't that the technical details are equivalent, the point is
    you're trying to lay blame onto folks who might think the analogy is accurate.




  15. Re: Does your D-link product need to be on ??

    David Maynard wrote:
    > Dave (from the UK) wrote:
    >
    >> it would
    >> be sensible to keep them switched off when not absolutely necessary.
    >>
    >>

    >
    > Not if it defaults to a 24 hour update like mine does as I doubt very
    > many broadband users operate their machine(s) less than once a day. And
    > if it syncs at power up your suggestion would make the problem worse.
    >


    Yes I accept that if it only updates once/day. It seems to vary an awful
    lot - on some the time server can be configured, on others it can't. On
    some the update interval may be configured, on others it may not.

    I know mine can not be configured, but I also know all the servers are
    open-access, so it is not an issue.

    However, many of these D-link products are connecting to US military or
    government sites for which access is restricted.

    If the product is under warranty and you can't configure it to avoid
    restricted time servers, it *might* be possible to get a
    refund/replacement - it would depend an awful lot on the law in your
    country and/or the dealer you bought it from.

    If you can configure the ntp servers, the following will connect you to
    a random time server which has no access restrictions.

    Worldwide pool.ntp.org
    Asia asia.pool.ntp.org
    Europe europe.pool.ntp.org
    North America north-america.pool.ntp.org
    Oceania oceania.pool.ntp.org
    South America south-america.pool.ntp.org


    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.

  16. Re: Does your D-link product need to be on ??

    On Sun, 16 Apr 2006 15:35:42 +0100, "Dave (from the UK)"
    wrote:

    >George Macdonald wrote:
    >>
    >>>http://ntp.isc.org/bin/view/Servers/WebHome

    >>
    >>
    >> Yeah I know where the "list" is but like I've said, many just don't work -
    >> the list is obsolete.

    >
    >Most seem to work for me, but I use a Sun workstation, not a D-link
    >router, so I can't say I have tried with this. I suspect the muppet
    >routers don't implement the protocol as well as the Sun.


    I am not using a D-Link router. The list has nothing to do with routers
    per se - its principal purpose for me is setting accurate time for our DC
    which, of course propagates to all other computers on the domain. The
    experience of finding a reasonably close, working, reliable NTP server was
    extremely frustrating... to the point of having to examine the Win 2K
    server logs for the evidence - I didn't need that diversion. I eventually
    found a recommended doc somewhere which said it's "OK" to use
    time.nist.gov, as long as it's not excessive, so I used it.

    >> So they're selling routers which are not configurable for that setting? I
    >> haven't seen a lot of different brands but my router does not show or allow
    >> changing the setting from its Web-based interface - have to use the Command
    >> Line from a Telnet session... which means reading the docs. This is not
    >> stuff for the average "consumer".

    >
    >I'm not aware it can be done on mine at all. Luckily, none accessed have
    >any restrictions.


    That would be surprising.

    >>>ServiceArea: BARRnet, Alternet-west, CIX-west
    >>>AccessPolicy: OpenAccess

    >>
    >>
    >> Why should I not use it? It's one of the few with Open Access and no
    >> notification message required. It's even possible that the router mfr has
    >> obtained permission based on assurances of non-abuse and reasonably coded
    >> frequency of look-ups. If someone wants me to obey some "Service Area"
    >> convention, they'd better explain what that means - no such explanation is
    >> easily found.

    >
    >The ServiceArea is the geographic and/or network area the TimeServer is
    >intended to serve.


    Yes, I can gather that much... OBVIOUSLY. This does not preclude that a
    mfr whose HQ is in a given area cannot arrange to use a server in that area
    for all its U.S. sales. For the "network areas" it's not a lot of use to
    specify a bunch of inner-circle coded names without explaining to the
    end-user what they mean. It's almost like those people *want* to
    obfuscate... invent some cryptic language for themselves and then have the
    nerve to complain when some naif violates their *unexplained* encoded
    rules.

    >>>>Calling this "vandalism" and "abuse" is nuts IMO.

    >
    >
    >
    >> "Vandalism" requires some intent to do harm or "abuse".

    >
    >I personally did not use the word vandalism. But I think abuse is correct.


    Depends what you mean - their after the fact attitude on correcting the
    situation and financial/technical compensation is abusive (U.S. lawyers...
    which I gather the UK lawyers are "learning" from). The incident itself is
    just an honest -- but likely incompetent -- mistake... with catastrophic
    results.

    OTOH, the guy is supplying a service to the majority(?) of the Danish ISP
    industry... who are profiting from the Internet in general... some of whose
    clients are no doubt using D-Link gateway-routers. The silence about their
    reaction, other than apparently wanting to apply excessive charges to their
    NTP "supplier", is incongruous to say the least... clean hands??

    >> It also appears that DK has no Stratum-2 servers at all
    >> and only two Restricted Access ones in Stratum-1 which both say "Open
    >> access to servers, please, no client use". Hmm, difficult to know what
    >> they mean by "servers" but it does seem like there is a problem with the DK
    >> Internet NTP infrastructure.

    >
    >Well, you don't have to use a local server and should not use a local
    >one if it restricts access.


    The trouble is "restricted" has degrees of enforcement in general - the
    guidelines are malformed and badly expressed... and the anecdotal reports
    are ambiguous.

    >>>My computer might be slow. Does that mean I can use your computer's
    >>>resources without your permission?

    >>
    >>
    >> Ridiculous extrapolation. For one thing, I do not "publish" the method of
    >> access to my computer.

    >
    >I accept there is a *big* difference between intentionally hacking a
    >machine (me hacking yours) and you or anyone else using an NTP server
    >without realizing it. One is an accident, the other a deliberate act.
    >
    >But once you are aware you are not welcome at an NTP server, then I
    >think the difference disappears.
    >
    >I will ask you the same question I asked the person posting as:
    >
    >Borked Pseudo Mail - 'nobody@pseudo.borked.net'
    >
    >If you were asked by an NTP server administrator (such as the owner of
    >the Danish one) to stop accessing that server, and you were unable to do
    >so by a firmware upgrade or reconfiguring the router, would you continue
    >to access his server, even though he had asked you not to? If you had
    >no other option, would you switch your router/modem off and not use it?


    That depends: e.g. my router only does a look-up on restarts, cold or warm,
    and AFAIK does not poll excessively to get synced, so I don't feel that's
    an enormous abuse; the Netgear and D-Link cases should have probably been
    the subject of a recall. I still don't understand why they continue to
    poll every hour or so once synced but, given that the D-Links have a
    configurable NTP address, the ISP industry, at least those who supply D-Link
    gateway-routers, bears some blame for the situation.

    >Furthermore, what if the person asking you was from the US government or
    >the US Navy, both of whose timeservers are being abused? Would you
    >continue to use their time servers if you had no way of stopping your
    >D-link product from doing it without switching it off?


    I'm not using their servers and I'm not that interested in discussing
    hypotheticals as they apply to me.

    >BTW, your ISP, Tellurian, might have something to say about it, as it
    >would be against their rules:
    >
    >http://www.tellurian.com/usagepolicy.asp
    >
    >In particular:
    >
    >* Any "denial of service" attack, any attempt to breach
    >* authentication or security measures, or any unauthorized attempt
    >* to gain access to any other account, host or network is
    >* prohibited, and will result in immediate service termination,
    >* which may be without notice.
    >
    >I think you using the NTP server then would be an unauthorized attempt
    >to gain access to another host.


    What NTP server are you talking about? Now you're getting impudent without
    assimilating already presented facts. I think you know what the above
    means and is targeted at - applying it to a published list of servers which
    are poorly documented might result in some "advice" on how to do things
    right *BUT* he'd have trouble taking things further since ntp.tellurian.com
    *does* exist but does not work. This same ISP supplied the gateway-router
    which is hitting clock.isc.org.

    >> What will most people do when faced with "here it
    >> is; don't use it... but nothing else, which is geographically close, is
    >> available"?

    >
    >So that makes it right?
    >
    >I suggest if they are in the US, it would be rather foolish to continue
    >to do it should a US government or navy official ask you to stop.


    RIGHT!

    >>>There are *many* ways this could be implemented, but using a random NTP
    >>>server that does not allow access is not a good way.

    >>
    >>
    >> Making up rules after the fact is always easy. AFAIK the "pool" concept is
    >> relatively new - things are continually evolving here and the rules in
    >> place now are not necessarily what was offered when firmware for any given
    >> router was being written. Also, the "Rules of Engagement" and other docs
    >> are hardly written for a quick reference.

    >
    >No, the rules were in place before. I am not suggesting any rules at all.
    >
    >If vendors chose to implement products which use NTP servers it is up to
    >them to work out how to do it without accessing other servers their
    >intended end users are not supposed to. It is not up to me, or anyone
    >else to tell them how to do it. I am just saying there are ways, but it
    >is their decision. The rules have been in place a long while.


    No, the rules have been in flux for a while.

    >>>>Ideally, the ISP who supplies them to
    >>>>end-users would have a functioning NTP Server and then program that address
    >>>>in before delivery but that does not happen... apparently.
    >>>
    >>>Also, many like myself don't use a modem supplied by my ISP. And there
    >>>are other devices, like my WiFi adapter which are not supplied by the ISP.

    >>
    >>
    >> I'd think *most* gateway/routers are acquired by end-users and SMBs from an
    >> ISP - it would certainly help if NTP had a similar hierarchical structure
    >> to DNS name caching.

    >
    >I suspect, but don't know, that for a gateway router where the time can
    >only be set to 1 second resolution, it makes no difference if you use a
    >near or distant NTP server. The protocol corrects for network delays.
    >Correction improves when multiple time servers are used but I doubt it
    >is necessary unless the resolution is better than 1 second.


    Depends on how the algorithm is implemented. Windows 2K/XP gives up if it
    can't get a consistent delay. It seems self-evident to me that use of a
    geographically close server is a better choice from several POVs.

    --
    Rgds, George Macdonald

  17. Re: Does your D-link product need to be on ??

    Dave (from the UK) wrote:

    > David Maynard wrote:
    >
    >> Dave (from the UK) wrote:
    >>
    >>> it would
    >>> be sensible to keep them switched off when not absolutely necessary.
    >>>
    >>>

    >>
    >> Not if it defaults to a 24 hour update like mine does as I doubt very
    >> many broadband users operate their machine(s) less than once a day.
    >> And if it syncs at power up your suggestion would make the problem worse.
    >>

    >
    > Yes I accept that if it only updates once/day. It seems to vary an awful
    > lot - on some the time server can be configured, on others it can't. On
    > some the update interval may be configured, on others it may not.


    I don't know. What percentage of d-link routers update more or less often?
    Because if more are on 24 hours than less then the idea to turn them off
    will make his problem worse.


    > I know mine can not be configured, but I also know all the servers are
    > open-access, so it is not an issue.
    >
    > However, many of these D-link products are connecting to US military or
    > government sites for which access is restricted.


    I'm not surprised as the internet is full of examples/tutorials showing
    tick and/or tock usno.navy.mil as the server to enter.

    These folks are celebrating 8 years of their NTP client product and look at
    the example screen shot.

    http://www.thinkman.com/dimension4/screenshots.htm

    Not only is tick.usno.navy.mil available it's the one in use.


    > If the product is under warranty and you can't configure it to avoid
    > restricted time servers, it *might* be possible to get a
    > refund/replacement - it would depend an awful lot on the law in your
    > country and/or the dealer you bought it from.


    On what basis would you claim it's 'defective'? An unadjudicated complaint
    that, according to the 'news' you heard about it from in the first place,
    is being dealt with and has no observable impact on your system even if you
    had any idea whether yours was 'one of them' or not?


    > If you can configure the ntp servers, the following will connect you to
    > a random time server which has no access restrictions.
    >
    > Worldwide pool.ntp.org
    > Asia asia.pool.ntp.org
    > Europe europe.pool.ntp.org
    > North America north-america.pool.ntp.org
    > Oceania oceania.pool.ntp.org
    > South America south-america.pool.ntp.org
    >
    >



  18. Re: Does your D-link product need to be on ??

    David Maynard wrote:

    >> If the product is under warranty and you can't configure it to avoid
    >> restricted time servers, it *might* be possible to get a
    >> refund/replacement - it would depend an awful lot on the law in your
    >> country and/or the dealer you bought it from.

    >
    >
    > On what basis would you claim it's 'defective'?


    IANAL, but I would try arguing that if the device is connecting to time
    server(s) for which it has no right to do, then there is a design fault.

    > An unadjudicated
    > complaint that, according to the 'news' you heard about it from in the
    > first place, is being dealt with and has no observable impact on your
    > system even if you had any idea whether yours was 'one of them' or not?


    I did say

    " ...and you can't configure it to avoid restricted time servers"

    so I had already stated it was "one of them" as you put it.

    Even ignoring anything on the usenet/web/BBC etc, if you are technically
    savvy (and I accept not many are), you can do all the testing yourself.

    1) Put a firewall in place
    2) Log packets
    3) Determine what the D-link product connects to.
    4) Check if those IP addresses allow a device such as what you are using.

    It is not particularly difficult. There is no need to cite any document
    on the web - of course some information on the web might help your
    cause, but it is not actually necessary.




    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.
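
The four testing steps listed in the post above, as an added example that is not part of the original thread: it reads firewall log lines, keeps the NTP queries sent by the device under test, and reports which destinations were contacted, how often, and whether each is on a list you have checked for access policy. The iptables-style log format, the `NTP-OUT:` prefix, the device address, every IP address (documentation ranges) and the `PERMITTED` set are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (steps 1 and 2): iptables-style LOG lines from a
# firewall placed in front of the device. All addresses are documentation
# ranges, not real time servers.
SAMPLE_LOG = """\
Apr 16 10:00:01 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:00:02 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:03:40 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=203.0.113.53 LEN=60 TTL=63 PROTO=UDP SPT=1025 DPT=53 LEN=40
Apr 16 10:05:12 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=203.0.113.5 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:15:01 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:30:01 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:45:01 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 11:00:02 fw kernel: NTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

DEVICE_IP = "192.168.0.1"        # assumed address of the device under test
PERMITTED = {"198.51.100.7"}     # constructed: servers you verified as open access (step 4)


def parse_ntp_events(log_text, device_ip, year=2006):
    """Return (timestamp, destination) for each NTP query sent by device_ip.

    Syslog timestamps carry no year, so one is supplied; only the gaps
    between timestamps matter here.
    """
    events = []
    for line in log_text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S*)", line))
        if fields.get("SRC") != device_ip:
            continue  # traffic from some other host behind the firewall
        if fields.get("PROTO") != "UDP" or fields.get("DPT") != "123":
            continue  # not NTP/SNTP
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        events.append((when, fields["DST"]))
    return events


def summarise(events, permitted):
    """Step 3: group queries by destination, with count and polling interval."""
    by_dst = defaultdict(list)
    for when, dst in events:
        by_dst[dst].append(when)
    report = {}
    for dst, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[dst] = {
            "queries": len(times),
            "median_interval_s": median(gaps) if gaps else None,
            "permitted": dst in permitted,
        }
    return report


def unpermitted(report):
    """Destinations the device queried that are not on the permitted list."""
    return sorted(dst for dst, row in report.items() if not row["permitted"])


if __name__ == "__main__":
    result = summarise(parse_ntp_events(SAMPLE_LOG, DEVICE_IP), PERMITTED)
    for dst, row in sorted(result.items()):
        print(dst, row)
    print("not on permitted list:", unpermitted(result))
```
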

  19. Re: Does your D-link product need to be on ??

    Dave (from the UK) wrote:
    > David Maynard wrote:
    >
    >>> If the product is under warranty and you can't configure it to avoid
    >>> restricted time servers, it *might* be possible to get a
    >>> refund/replacement - it would depend an awful lot on the law in your
    >>> country and/or the dealer you bought it from.

    >>
    >>
    >>
    >> On what basis would you claim it's 'defective'?

    >
    >
    > IANAL, but I would try arguing that if the device is connecting to time
    > server(s) for which it has no right to do, then there is a design fault.


    Might get away with it if the store is nice but you seem to think everyone
    is as technical as you are and that's even more unlikely at the store than
    with the average clueless end-user. Not to mention they'd be making a claim
    that isn't 'officially' substantiated.

    I just think you're expecting way too much.


    >> An unadjudicated complaint that, according to the 'news' you heard
    >> about it from in the first place, is being dealt with and has no
    >> observable impact on your system even if you had any idea whether
    >> yours was 'one of them' or not?

    >
    >
    > I did say
    >
    > " ...and you can't configure it to avoid restricted time servers"
    >
    > so I had already stated it was "one of them" as you put it.


    Ok, you established an unlikely premise.


    > Even ignoring anything on the usenet/web/BBC etc, if you are technically
    > savvy (and I accept not many are), you can do all the testing yourself.
    >
    > 1) Put a firewall in place
    > 2) Log packets
    > 3) Determine what the D-link product connects to.
    > 4) Check if those IP addresses allow a device such as what you are using.
    >
    > It is not particularly difficult.


    For you and I but a big chunk of users don't know their windows logon isn't
    the isp logon and the next step up brighter ones don't know why. For them,
    and a gaggle of even brighter ones, the 'simple' steps you just listed off
    might as well be written in Klingonese.


    > There is no need to cite any document
    > on the web - of course some information on the web might help your
    > cause, but it is not actually necessary.


    I'm just being realistic. The average user isn't going to do squat till
    someone tells them, in clear terms, that their unit has a problem and what
    to do about it; and it better be free, or close to it, because, by golly,
    it's PAID FOR. The 'socially conscious' might bother with a web search to
    see if their model is affected, check the d-link web site, and/or ask the
    store and, if they're brave enough, try a flash, if one is available (what
    I did as soon as I read your post. The flash description reads "fixed
    ntp."). The 'techno' user might check the admin interface to see what the
    settings are (plus above) and then we come to the rare 'uber geekdom' types
    who might think it's jolly good fun to 'debug' the thing; your 'simple' steps.

    Don't get me wrong, I'm not saying any of them are 'stupid'. It just isn't
    the average user's field of expertise nor do they want it to be. It's an
    appliance that does something useful and they have no more interest in
    dissecting it than they do in dismantling their car motor to see what main
    bearings were installed. It, and the car, are supposed to work and when
    they do, 'no problem'. And the only time they've been on the web admin page
    is when something didn't work and support told them to, and how, and what
    to set; all of which they promptly forget as soon as it began working.

    Seriously, the vast majority (not counting in here, of course) don't know,
    or care, whether they've got a router, switch, gateway, or a modem combo
    'whatever', what the difference is, what's in it, who made it or what model
    it is much less whether it's got a... uh.. what? oh yes, a 'time thingie
    something or other'.


  20. Re: Does your D-link product need to be on ??

    David Maynard wrote:

    >> IANAL, but I would try arguing that if the device is connecting to
    >> time server(s) for which it has no right to do, then there is a design
    >> fault.

    >
    >
    > Might get away with it if the store is nice but you seem to think
    > everyone is as technical as you are and that's even more unlikely at the
    > store than with the average clueless end-user. Not to mention they'd be
    > making a claim that isn't 'officially' substantiated.


    Trying to get refunds/replacements is clearly only going to be done by a
    very small fraction of users. It might be unnecessary, since if updated
    firmware were made available, then flashing the devices should correct it.

    But according to the web page Poul-Henning wrote

    http://people.freebsd.org/~phk/dlink/

    despite the fact D-link were made aware of it in Nov 2005, by 16th March
    2006 there were at least 25 products for which firmware files had the
    string "GPS.dix.dk" in them.

    Clearly D-link have not been working overtime to correct the problem.
    Perhaps a few people seeking refunds might hurry them up. If dealers
    give refunds on D-link products, they might be inclined to sell less of
    them and more Linksys or whatever. So a few refunds here and there might
    really worry D-link - far more so than one private individual who owns
    an NTP server, who they know can't afford to sue them.

    >> Even ignoring anything on the usenet/web/BBC etc, if you are
    >> technically savvy (and I accept not many are), you can do all the
    >> testing yourself.
    >>
    >> 1) Put a firewall in place
    >> 2) Log packets
    >> 3) Determine what the D-link product connects to.
    >> 4) Check if those IP addresses allow a device such as what you are using.
    >>
    >> It is not particularly difficult.

    > For you and I but a big chunk of users don't know their windows logon
    > isn't the isp logon and the next step up brighter ones don't know why.


    But I did say "for a technically savvy user". I don't know how many
    D-link products are about with this problem, but even if 0.5% of the
    owners were capable of doing this, it would still be a lot of owners. One
    in 200 does not seem unreasonable.

    > For them, and a gaggle of even brighter ones, the 'simple' steps you
    > just listed off might as well be written in Klingonese.


    As I said, they are simple for a technically savvy user. Of course there
    are various degrees of technical ability, but I do not work in IT for a
    living but I understand the technical aspects quite well.

    >> There is no need to cite any document on the web - of course some
    >> information on the web might help your cause, but it is not actually
    >> necessary.

    > I'm just being realistic. The average user isn't going to do squat till
    > someone tells them, in clear terms, that their unit has a problem and
    > what to do about it; and it better be free, or close to it, because, by
    > golly, it's PAID FOR. The 'socially conscious' might bother with a web
    > search to see if their model is affected, check the d-link web site,
    > and/or ask the store and, if they're brave enough, try a flash, if one
    > is available (what I did as soon as I read your post. The flash
    > description reads "fixed ntp.").



    As a matter of interest, what is the date on your firmware file? Within
    the last 10 days, which is when this was made public (7th April 2006).

    > Seriously, the vast majority (not counting in here, of course) don't
    > know, or care, whether they've got a router, switch, gateway, or a modem
    > combo 'whatever', what the difference is, what's in it, who made it or
    > what model it is much less whether it's got a... uh.. what? oh yes, a
    > 'time thingie something or other'.


    Yes I agree.

    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.
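
Steps 2 to 4 of the test quoted in the post above, sketched as an added example that is not part of the original thread: it reads firewall log lines, lists the time servers a given device queries over NTP (UDP port 123), and flags any that are not on a list of servers you are permitted to use. The log lines are constructed in iptables LOG style with documentation-range addresses; the device address, the allow-list and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG style (assumption: your firewall
# logs SRC=/DST=/PROTO=/DPT= fields). Addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 16 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=1025 DPT=123 LEN=56
Apr 16 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=1025 DPT=123 LEN=56
Apr 16 10:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=203.0.113.53 LEN=60 TTL=63 PROTO=UDP SPT=1030 DPT=53 LEN=40
Apr 16 10:00:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.77 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 16 10:05:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=192.0.2.10 LEN=76 TTL=63 PROTO=UDP SPT=1026 DPT=123 LEN=56
Apr 16 10:05:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.50 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=1027 DPT=123 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def ntp_destinations(log_text, device_ip):
    """Return [(server_ip, query_count), ...] for NTP sent by device_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if (fields.get("SRC") == device_ip
                and fields.get("PROTO") == "UDP"   # NTP runs over UDP
                and fields.get("DPT") == "123"     # NTP port
                and "DST" in fields):
            counts[fields["DST"]] += 1
    return counts.most_common()  # busiest server first

def unapproved(destinations, allowed):
    """Servers the device queried that are not on the permitted list."""
    return [ip for ip, _ in destinations if ip not in allowed]

if __name__ == "__main__":
    DEVICE = "192.168.0.50"      # assumption: LAN address of the router under test
    ALLOWED = {"198.51.100.7"}   # assumption: servers whose policy permits your use
    seen = ntp_destinations(SAMPLE_LOG, DEVICE)
    for ip, n in seen:
        print(f"{DEVICE} -> {ip}: {n} NTP queries")
    print("not on the permitted list:", unapproved(seen, ALLOWED))
```

Each address reported as not permitted is one to look up against that server operator's published access policy, which is step 4 and remains a manual check.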
