RE: Open Letter to D-Link about their NTP vandalism

["David Schwartz" <davids () webmaster com>]

> 2) *Who*says* there is 'malicious intent' involved?   I'm going to be
> travelling 'off network'(with the 'network' being defined as the one where
> I have published that I'm providing time-server services to), and I happen
> to have a recurring need for 32-bit units of a specifically
> transformed out-
> put of a local hardware-based "/dev/random". So, I put up a
> server to deliver
> that data when requested.  For reasons of 'convenience' in my programming,
> I choose to format the queries/responses like a particular 'well known'
> protocol, and run it on the port associated with that well-known protocol.
> Do I have any responsibility to 'announce' that I'm doing something like
> that, for 'private' use?

        I don't understand how you can think that a hypothetical where we don't
know what the intent is constitutes a response to a situation where we do
know exactly what the intent is. I hope your argument is not "if you can lie
and get away with it, then it's okay". That doesn't sound like a good
business model to me.

> again, denying service (assuming there's no explicit contract to provide
> it) is unquestionably safe.  i was responding to the proposal that the
wrong
> time be deliberately returned.  you'd be betting that nobody would notice
> or that it would cost nobody money -- which isn't a safe bet, since
someone
> can always find ways to allege that your intentional actions cost them
money.
> (as opposed to your deliberate inaction, as in the case of denying
service.)

        The problem is this case is that there is no perfect way to deny service.
If bums are trampling your garden to take food out of your garbage, you can
lock the garbage can, but you can't poison the food. The problem becomes
when the locked garbage can is a problem for the garbage collectors.

        I don't think anything short of legal action against D-Link is likely to
solve this. I'd love to be proben wrong.

        DS