-----Original Message----- From: Gary E. Miller [mailto:gem@rellim.com] Sent: Tuesday, May 10, 2016 3:58 PM To: Chuck Church <chuckchurch@gmail.com> Cc: 'Majdi S. Abbas' <msa@latt.net>; nanog@nanog.org Subject: Re: NIST NTP servers Yo Chuck! On Tue, 10 May 2016 10:29:35 -0400 "Chuck Church" <chuckchurch@gmail.com> wrote:
Changing time on devices is more an annoyance than anything, and doesn't necessarily get you into a device.
So, you are not worried about getting DoS'ed? How about you set the time on your server ahead by 5 years. Got any idea what would happen? Most of your passwords would expire. All your SSL certs would expire. All your TOTPs, like Google Authenticator would fail. All your IPSEC tunnels would drop, and refuse to restart. Many of your cron jobs would got nuts, possibly deleting all your logs. Much of your DNSSEC would expire. Many of your backups would be deleted since they 'expired'. Until recently, setting your iPhone to 1 Jan 1970 would brick it. I'm sure there are many more examples, but likely you can no longer log in, via SSH or HTTPS, and your iPhone is dead. I think any of those would qualify as more than an annoyance. RGDS GARY ---------------------------------------------------------------------------- ---------------------------------------------------------------- Ok, annoyance might have been a little light on the severity wording. Still, modifying all your incoming NTP packets from all your sources to actually get your NTP servers to agree on a bad time is tricky. That is assuming you've got multiple links, multiple sources from multiple organizations (more than 4), they're all authenticated, etc. Even if a criminal was to do all that damage you listed, it still probably doesn't result in obtaining sensitive data or money that would be the main motivators for such extreme hacking. If I had an iPhone, perhaps I'd worry about that as well. But fortunately, not an issue ;) Chuck