Securing NTP Servers

Rarely am I using ntpd to serve ntp information. It is more useful for clock-correction than a strict ntp/sntp client. Thus I don’t want the service listening on a wildcard address, even when there is certainly a firewall in place. I prefer the service to not be listening at all, or listening only to the loopback interface. Here is how to configure that in ntpd and chrony.


interface ignore wildcard


port 0
cmdport 0

How can I make chronyd more secure?

NTP Servers

There are many NTP server implementations now. Here are some:

  • ntpd
  • chrony
  • ntpsec
  • openntpd
  • sntp clients
    • systemd-timesyncd
    • sntp
  • also:


I plan to give chrony a try.

More Facebook Awfulness

Firefox Monitor

I’m quite happy with my initial use of Firefox Monitor. I’ve recommended it to family, friend, co-workers. I recommend signing up for continuous monitoring. Anyone who has had a password compromise should consider that password and permutations there-of to be public knowledge.

For me the near constant data breaches we’ve seen in recent months is more evidence that strict regulation of retained personal information is necessary in the US and that it would be wise for more websites to consider whether storing passwords is even wise. I have argued that most websites should not be storing user passwords.

The CPU I’d Like to Buy

  • AMD Ryzen 5 PRO 2400GE Processor with Radeon™ Vega 11 Graphics
    • Quad-Core, 3.2GHz, 35W TDP, ECC Support (allegedly)

Not only cannot I not buy that but I cannot buy:

  • any AMD Ryzen PRO
  • any AMD Ryzen GE

I’ve read speculation that they are going to OEMs. That’s fine I guess. I would like to build a new desktop sometime soon. The Ryzen 5 2400G is an option but it would be preferable to get what I actually want.

So Many Crypto Libraries

In general I’m in favor of people running with ideas of how to make a better software library or app. The more ideas that are manifest the more data people have to identify what works best. However, especially in the open source world, I sometimes feel like there is too much effort being spread around when it could be focused to greater effect. I’ve been feeling this way about crypto libraries for some time. Here are a few.

    • OpenSSL – C
    • GnuTLS – FSF, C
    • BoringSSL – Google, C
    • LibreSSL – OpenBSD, C
    • S2n – Amazon, C
    • NSS – C
    • Also
  • Crypto
    • NaCl
    • libsodium – API compatible with NaCL
    • zinc – linux kernel
    • Tink – Google
    • Libgcrypt
    • Also
      • TweetNaCl – API compatible with NaCL but seemingly unmaintained
      • underlock – Ruby
      • many others

I understand that people feel this problem has not been solved well and that API’s and implementation goals and needs shift over time. Still, a common goal in software security is reducing the attack surface. It would be nice to see some coalescing in this space.

Update: Further Reading:

New Keyboard 2018

I’m once again looking for a new keyboard. I really liked the BTC 6100C and I haven’t found anything as good a fit for me since. I tried the Genius LuxeMate i200 and was not impressed by it. Here is what I’m looking at, mostly the most-popular mini-keyboard on various sites:

  • BTC 6100C on Amazon for picture reference, 86 keys, scissor-switch
  • SIIG JK-US0312-S1 ($17) – Similar layout to the BTC 6100C. Membrane key switches, tight keys.
  • Perixx PERIBOARD-407B – Spaced keys. Similar to Genius board.
  • GMYLE NPL710007 – Only 78 keys, different layout, full right shift, no dedicated Home, End, Page Up, Page Down, instead those are Fn + Up, Down, Left, Right. F11 and F12 are Fn + F1 and F2, spaced keys.

I think I’ll try the SIIG JK-US0312-S1 and see how that goes.