
Danish developer makes one last push for cooperation

A report on Slashdot has made public one Danish FreeBSD developer's ethical and financial dispute with D-Link over the company's unapproved use of his NTP server.

Poul-Henning Kamp, a Danish citizen, has approached D-Link Corporation numerous times about a problem with the company's products: their routers ship with a hard-coded list of NTP servers, and his server is on that list. In an open letter, Poul-Henning Kamp clearly states his concerns over D-Link's unapproved use of his NTP server.
A number of D-Link products, so far I have at least identified DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624, contain a list of NTP servers in their firmware and using some sort of algorithm, they pick one and send packets to it.

This is about as wrong a way to do things as one can imagine. There is no way D-Link can change the list once the product is shipped, unless D-Link can persuade the customer to upgrade the firmware.

Poul-Henning Kamp goes on to explain how NTP server selection should be built into a product to avoid this kind of legal and operational trouble with third parties, stating:
The correct way, as I have pointed out to D-Link repeatedly, is to query a D-Link controlled DNS entry like "ntp.dlink.com" and populate this DNS entry with the list of NTP servers to be queried. That would allow D-Link to add or remove servers from the list by changing the DNS server files and all deployed devices would automatically see the update next time.
As it stands, about 75-90% of the packets seen on this open NTP server are said to originate from D-Link devices. Moreover, even if the IP address of the server is changed, D-Link's devices will still find it, because the firmware refers to it by its hard-coded domain name. This is why Kamp has asked D-Link for its cooperation; so far, he states on his website, the only response has been lawyers trying to pay him off rather than any effort to resolve the issue.

Netgear had also been involved in a similar situation, in which the hard-coded NTP traffic from its routers effectively took down the University of Wisconsin's network.



Silly to Me
By TomZ on 4/8/2006 3:05:07 PM , Rating: 1
Sorry, I don't have any sympathy. This guy put a public NTP server on the Internet. He doesn't have any terms & conditions of use that someone has to agree to ahead of time. He has no limited number of connections, or other throttles.

It's like, if I got a phone number, and put an ad in the paper advertising free time service, people just have to call this number. Then it gets into the national news, and I get lots more calls. Who gets the blame here? Probably I do.




RE: Silly to Me
By mjrpes3 on 4/8/2006 3:54:10 PM , Rating: 2
It's obvious you haven't read his letter, as he goes over point by point why he can't throttle the connection.


RE: Silly to Me
By TomZ on 4/8/2006 4:16:08 PM , Rating: 2
Doesn't change the fact that he offered a server for public use. People are using his server for the very purpose he intended. The only issue seems to be that it is too popular.


RE: Silly to Me
By Lifted on 4/8/2006 5:35:31 PM , Rating: 2
DK Denmark GPS.dix.dk (192.38.7.240)
Location: Lyngby, Denmark
Geographic Coordinates: 55:47:03.36N, 12:03:21.48E
Synchronization: NTP V4 GPS with OCXO timebase
Service Area: Networks BGP-announced on the DIX
Access Policy: open access to servers, please, no client use
Contacts: Poul-Henning Kamp (phk@FreeBSD.org )
Note: timestamps better than +/-5 usec.


He makes two things clear here. One, that you should be in Denmark to use this time server. Two, no client users, only servers (I would think he is actually referring to internal network time servers to minimize load on his server).

So D-Link ignored both restrictions for use of his time server. While it may not be illegal, it is definitely not becoming of good netizenship, especially for a company producing networking products. It just goes to show the caliber of employees they have working there, and the overall ethics of the company with regards to being a team player when it comes to use of services on the internet.

I've purchased one or two cheap D-Link switches in the past... never again.


RE: Silly to Me
By masher2 (blog) on 4/8/2006 6:29:34 PM , Rating: 3
> "He makes two things clear here."

Does he? I think both are actually a bit unclear actually. You yourself admit to some uncertainty as to his real meaning.

Furthermore, we only have his word that the disclaimer hasn't been modified since D-Link originally referenced it, or that he didn't openly advertise it for use outside Denmark.

As I said, I'll wait till I hear more than one side of the story before making a judgement.


RE: Silly to Me
By Zelvek on 4/8/2006 8:03:46 PM , Rating: 2
Nonetheless, this is still bad practice. What if this individual does decide to shut down his server? Then D-Link has to release a mandatory firmware update, which leaves many customers with a problem.


RE: Silly to Me
By josmala on 4/9/2006 9:47:38 AM , Rating: 2
No not really, the D-Link has a list of servers that they use, so the traffic on rest of the servers in question is increased.


RE: Silly to Me
By Stele on 4/8/2006 10:07:13 PM , Rating: 2
quote:
As I said, I'll wait till I hear more than one side of the story before making a judgement.


Well said! Although it doesn't detract from the effort and practices which D-Link puts into their products/firmware, which is fairly well known by now.


RE: Silly to Me
By Zoomer on 4/10/2006 9:30:39 AM , Rating: 2
Read slashdot at score 5 to see why.

Basically: YES, this is the practice of ntp server admins for twenty years or more.


RE: Silly to Me
By nickromeo on 4/9/2006 10:48:09 AM , Rating: 2
Your attitude is morally wrong on many levels. A perfect example of "the tragedy of the commons" in action.

You might consider studying the history of the Internet and the philosophy of the many who originally developed it. Start by reading the RFC's. Good luck.


RE: Silly to Me
By TomZ on 4/9/2006 3:33:47 PM , Rating: 2
Internet morals? That's funny!


RE: Silly to Me
By dmcanally on 4/10/2006 2:03:16 PM , Rating: 2
Actually….

It's like, if I got a phone number, and put an ad in the paper advertising free time service, people just have to call this number. Then company X uses my free service in a product they sell.

That example doesn’t do this situation any justice…

It's like, if I put a bench under a shade tree for public use in my front yard. Then the city I live in puts a bus stop at my free public bench. Now instead of one or two people sitting there every now and again I have 20-30 people in my yard every hour.

This is abuse of a free service provided by a generous person. D-Link is selling his free service in their products.


Get with the program, d-link...
By devolutionist on 4/7/2006 11:35:06 PM , Rating: 2
Why in the world wouldn't they use the NTP pool servers like everyone else in the world??

This is the specific reason why the public NTP server pool project was set up by ntp.org... you point your NTP requests to pool.ntp.org and then your time requests are serviced in a round-robin fashion by one of a slew of public NTP servers that have opted into participating.

http://www.pool.ntp.org/

If I was Kamp I'd damn sure be firewalling my NTP server to only serve IP blocks assigned to Danish ISPs... but he's probably just too nice of a guy to do something like that - he's a FreeBSD developer for crying out loud, so "openness" is probably deeply engrained in his view of the world and certainly his efforts involving the Internet.

D-Link needs to be writing him a monthly check at a minimum, but it sounds like that's not really what he wants. Sounds like he just wants them to do the right thing and fix their crappy firmware.
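The approach Kamp recommends in the article (query a vendor-controlled DNS name and let the A records behind it be the server list) and the pool.ntp.org round-robin mentioned in this post are the same design: the device never carries a fixed server address, so the operator can rotate servers without a firmware update. The script below is an added example written for this page, not D-Link's firmware or any code from Kamp or the NTP Pool project. It resolves a name (the default is the real public pool; `ntp.vendor.example` in the comments stands in for a hypothetical vendor-controlled name), picks one of the returned addresses, sends a 48-byte SNTP client request, and parses the server's transmit timestamp. The resolver and random source are injectable so the selection logic can be exercised offline with constructed data.

```python
"""SNTP client whose server list lives in DNS rather than in the firmware image.

Added example for this page; not code from D-Link, Kamp, or pool.ntp.org.
"""
import random
import socket
import struct
import time

NTP_PORT = 123
# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# The only thing that would be burned into a device: a name the vendor controls
# (hypothetical "ntp.vendor.example") or the public pool. No IP addresses.
DEFAULT_SERVER_NAME = "pool.ntp.org"


def resolve_servers(name, resolver=socket.gethostbyname_ex):
    """Return the current list of IPv4 addresses behind `name`.

    Swapping the resolver lets the selection logic run without the network;
    in production the default performs a real DNS lookup each time, so a
    server added to or removed from the record is picked up on the next sync.
    """
    _, _, addresses = resolver(name)
    if not addresses:
        raise RuntimeError(f"no A records for {name}")
    return list(addresses)


def pick_server(addresses, rng=random):
    """Spread load across whatever the record currently contains."""
    return rng.choice(addresses)


def build_request():
    """48-byte SNTP request: LI=0, VN=4, Mode=3 (client) => first byte 0x23."""
    packet = bytearray(48)
    packet[0] = 0x23
    # Transmit timestamp (bytes 40-47) lets the server echo our send time back.
    now = time.time() + NTP_UNIX_OFFSET
    struct.pack_into("!II", packet, 40, int(now), int((now % 1) * 2**32))
    return bytes(packet)


def parse_response(data):
    """Return the server's transmit timestamp as Unix seconds (float).

    Rejects anything that is not a mode-4 server reply and stratum-0 packets,
    which NTP uses for kiss-o'-death / unsynchronized signalling; a client
    that keeps hammering a server after such a reply is exactly the kind of
    misbehaviour the article is about.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError(f"expected server reply (mode 4), got mode {mode}")
    stratum = data[1]
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronized server")
    secs, frac = struct.unpack("!II", data[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def query_time(name=DEFAULT_SERVER_NAME, timeout=2.0, resolver=socket.gethostbyname_ex):
    """Resolve, pick one server, exchange one packet, return (server, unix_time)."""
    server = pick_server(resolve_servers(name, resolver))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return server, parse_response(data)


if __name__ == "__main__":
    server, unix_time = query_time()
    print(f"{server}: {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(unix_time))} UTC")
```

Run as a script it performs one real query against the pool; the functions are split out so that the resolve/pick/parse steps can be checked with a stub resolver and a hand-built reply packet, which is how the design would be unit-tested in firmware before it ever touches a live server.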




d-link and programming
By BikeDude on 4/8/2006 1:54:54 AM , Rating: 3
There is a fundamental flaw to all suggestions thus far: D-Link couldn't write decent software if their very lives depended on it.

We (because my boss is too cheap sometimes) bought a couple of 24-port D-Link switches last year. Since I have javascript turned off by default, I discovered that this particular device wasn't really password protected.

All I needed to do was enable javascript after I had arrived at the management menu, and I was good to go.

If I started browsing to the admin menu with javascript enabled, the authentication routine finally kicked in!

Granted, their IP-based access list seemed to work, but even so...

Bottom line: Don't expect ISP-grade equipment from a toy manufacturer.


RE: Get with the program, d-link...
By Wwhat on 4/8/2006 8:35:55 AM , Rating: 2
Don't most half-decent ISPs run their own NTP server? Seems that this D-Link system is indeed weird on more than one count.
Mind you, I think many Taiwanese routers also have NTP servers burned into the firmware; it seems a common thing to do, and the ones they pick are often rather, uhm, random?


RE: Get with the program, d-link...
By masher2 (blog) on 4/8/2006 10:20:15 AM , Rating: 2
> "D-Link needs to be writing him a monthly check at a minimum..."

From the article, it sounds like D-Link has offered to do just that.


RE: Get with the program, d-link...
By Stele on 4/8/2006 11:39:34 AM , Rating: 3
quote:
From the article, it sounds like D-Link has offered to do just that.


Apparently, from the original article over at slashdot, they offered money but in all the wrong amounts and for the wrong things in exchange:

quote:
I can however summarize them: I have been accused of extortion. I have been told that I have no claim, been told that I exaggerate the claim. I have been told to submit myself to California law but would have to sign away all my rights under it.

I have also been offered a specific amount of "hush-money" if I would just shut up and go away, but the amount offered would not even cover my most direct expenses.

In return D-Link would admit to nothing, promise nothing and do nothing to induce their customers to upgrade their firmware.


As a learned poster here has commented (also having read the original article), "it's a case of big company screwing the little guy and doing nothing for him". Herr Kamp had offered very clear and easily-implemented advice as to how D-Link could do things the proper way - especially the method already quoted here on DailyTech. A learned forum member at slashdot commented that it should take about 1-2 weeks' worth of one guy's coding to set it right. Yet somehow, for some reason, D-Link opts instead to go head-on aggressively with lawyers and threats. Quite possibly one reason is the refusal to back down and hence 'lose face', which not uncommonly dominates decision-making here in the Far East :-/

As for their products, fellow members here have noted some glaring holes in their design. Having used D-Links for just over half a decade both in corporate and home environments, I can't help but agree. Sloppy firmware is virtually a signature 'feature'... we once deployed a router only to discover later that while it was UPnP on paper, its implementation was terrible, and when it encountered applications that tried to make use of the UPnP features, it frequently went on strike (by freezing) or, better still, occasionally completely reset itself (that means all settings erased to factory defaults, poof). Only after we replaced it with an SMC did the problems finally disappear.

Admittedly, nobody's perfect, but some other brands try a lot harder to get it right, and if not the first time, then through rapid updates. D-Link's updates are few and far between, and when we once tried to share our findings with them regarding the UPnP implementation problems, they arrogantly brushed us aside and treated us as if we didn't know jack about networking, so that it was all our fault. As such, their handling of Herr Kamp's problem was depressingly familiar alright :-/


By masher2 (blog) on 4/8/2006 12:45:16 PM , Rating: 2
> "Apparently, from the original article over at slashdot, they offered money but in all the wrong amounts and for the wrong things in exchange..."

Quite very well true. However, since the only side of the story we've heard is the perspective of "the little guy", I'm wary of making a snap judgement. It's quite common for a plaintiff making demands to exaggerate his side, and minimize his opponent's defense.




By johnsonx on 4/8/2006 12:57:55 PM , Rating: 2
It's just wonderful what one stumbles across on the internet. Thanks devolutionist for the info on pool.ntp.org. For years I've had my and most of my customers' servers polling NTP servers at places like NASA, US Naval Observatory, MIT, etc., from a short list of NTP servers Novell had in a support document. I always figured I wasn't really supposed to be using those servers without permission, but it was one of those 'if it ain't broke, don't fix it' sort of things so I didn't worry much about it.

So now, I just configured my server to use '0.us.pool.ntp.org', '1.us.pool.ntp.org', and '2.us.pool.ntp.org', and it's working perfectly. I'll update each customer's server when I get a chance.

Regarding DLink, they clearly suck for not dealing with this problem in a reasonable way. Their wireless products suck too.


Man I suck...
By Bremen7000 on 4/7/2006 10:18:11 PM , Rating: 2
I had to go look up what NTP stood for.




RE: Man I suck...
By NerV04 on 4/7/2006 11:08:16 PM , Rating: 2
I'm with you... I have no clue what the whole article is about
:(


What its about
By dennis1911 on 4/7/2006 11:15:43 PM , Rating: 2
All NTP is is a clock service.
The big deal about this is that the guy ran a clock service for free to serve Denmark, performing a great service to many people and businesses, kind of like HAM radio guys in an emergency. Time synchronization is very important to servers.

However, D-Link made their little firewalls/routers for residential broadband with this guy's free service hardcoded into them. The amount of traffic going to him is costing this poor guy a lot of money, and his service wasn't intended for use outside of Denmark.

It's a case of big company screwing the little guy and doing nothing for him. If you get a chance read his original article, and spread the word - I'll never recommend D-Link again for any products, stick with Linksys or some other product.















Copyright 2012 DailyTech LLC.