On Tue, Mar 10, 2026 at 01:02:13PM +0700, hahahahacker2009 wrote:

> On Sun, Mar 8, 2026 at 19:14, Crystal Kolipe
> <[email protected]> wrote:
> >
> > On Sun, Mar 08, 2026 at 12:49:30PM +0100, Peter N. M. Hansteen wrote:
> > > On Sun, Mar 08, 2026 at 11:44:15AM +0000, hmjsp wrote:
> > > > disable ntpd? why?
> > >
> > > See https://marc.info/?l=openbsd-bugs&m=177296357231841&w=2
> >
> > Just to make it clear to anyone reading the archives in the future, the
> > suggestion to disable ntpd was a joke and a form of irony.
> >
> > Unfortunately the original two messages were posted to different lists,
> > (-bugs and -misc), so it's entirely possible that this could be missed
> > by casual readers of just one list.
> >
> > There is _no serious suggestion_ to disable ntpd.
> >
> 
> You are their friend and have met them face to face?
> 
> I will provide some context about the suggestion to disable NTP.
> 
> It is possible that [email protected] came from one of the
> following ``privacy security'' communities (most suspected first)
> 
> - GrapheneOS (Hardened Android with a Hardened Linux Kernel)
> - Madaidan's Insecurity (https://madaidans-insecurities.github.io)
> - privsec.dev (Systemd Lovers and Kernel Hardener)
> - Secureblue (Fedora Lovers, Kernel Hardener and Chromium Hardener)
> - isopenbsdsecu.re (Is Open BSD Secure)
> - PrivacyGuides
> - CalyxOS
> - Techlore
> - ...
> 
> The first 4 communities agreed that NTP is not secure:
> > The most popular time synchronisation method, NTP, is insecure,
> > as it is unencrypted and unauthenticated, allowing an attacker to
> > trivially intercept and modify requests. NTP also leaks your local
> > system time in NTP timestamp format, which can be used for
> > clock skew fingerprinting, as briefly mentioned before.
> 
> And they came up with this solution:
> > Thus, you should uninstall any NTP clients and disable
> > systemd-timesyncd if it is in use.
> > Instead of NTP, you can connect to a trusted website over a
> > secure connection (HTTPS or, preferably, a Tor onion service)
> > and extract the current time from the HTTP header
> (madaidan's insecurity)
> 
> bios_23498234908, I suggest we create a C study group
> (or any programming language) and help each other stay motivated.
> Do you know that Tommy (the owner of privsec.dev, who made
> a long post about Linux hardening, F-Droid security analysis, etc)
> **hasn't written a single line of code**, but can still talk about
> encryption, security and hardening all the days?
> 

You might find it interesting that OpenBSD ntpd does have measures
(like contacting sites over https) to make it more secure than
bare ntp.

        -Otto
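
Added example, not part of the thread and not OpenBSD's code: a Python sketch of the constraint idea Otto refers to, where time taken from TLS-authenticated HTTPS `Date` headers bounds which unauthenticated NTP replies are accepted. The sample headers, server names, the median rule and the 120-second margin are constructed assumptions.

```python
from email.utils import parsedate_to_datetime
from statistics import median

# Constructed sample data: Date headers as they would be read from three
# HTTPS servers after TLS certificate verification (hypothetical values).
HTTPS_DATE_HEADERS = [
    "Tue, 10 Mar 2026 06:02:13 GMT",
    "Tue, 10 Mar 2026 06:02:14 GMT",
    "Tue, 10 Mar 2026 06:02:12 GMT",
]

# Constructed NTP replies: (server label, reported time in Unix seconds).
NTP_REPLIES = [
    ("ntp-a.example", 1773122533.412),
    ("ntp-b.example", 1773122534.020),
    ("ntp-c.example", 1773208933.000),  # one day ahead: forged or broken
]

MARGIN_SECONDS = 120.0  # assumed tolerance around the constraint


def constraint_from_headers(headers):
    """Return the median of the authenticated Date values as Unix seconds.

    The Date header only has one-second resolution, so it is used as a
    coarse bound on the time, not as the time source itself.
    """
    stamps = [parsedate_to_datetime(h).timestamp() for h in headers]
    return median(stamps)


def filter_replies(replies, constraint, margin=MARGIN_SECONDS):
    """Split NTP replies into those inside and outside the constraint window."""
    accepted, rejected = [], []
    for server, reported in replies:
        inside = abs(reported - constraint) <= margin
        (accepted if inside else rejected).append(server)
    return accepted, rejected


if __name__ == "__main__":
    bound = constraint_from_headers(HTTPS_DATE_HEADERS)
    ok, bad = filter_replies(NTP_REPLIES, bound)
    print("constraint:", bound)
    print("accepted:", ok)
    print("rejected:", bad)
```
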
