I told the story of how NTP had become a liability not just to the science projects that depend on accurate time, but to the internet as a whole. CTSC had a chance to make a difference in a failing system by partnering with nonprofit ICEI in a short, intense intervention. About a year later the work we made possible has been carried on by others. The NTP Security Project (NTPSec) has taken the lead, resulting in a new life for this critical infrastructure:
- NTPSec's code base is down to 75kloc (75,000 lines of code) from the original 227klok. That 2/3 reduction in attack surface has paid off: NTPSec has been immune to about half of old NTP's vulnerabilities before discovery, and 84% in the past year.
- NTPSec's code is now stored in a standard git repository, accessible to all. Its documentation has been brought up to date, and the project has begun onboarding and training new developers.
- NTPSec's success has helped increase awareness of critical infrastructure in need, and made fixing it approachable. Recent articles by Brady Dale of the NY Observer and the (in)famous Cory Doctorow helped spread the story.
At the time it felt like a scurrying few months amid a busy year. It seemed like a last ditch effort to ensure that our friends in science could get accurate time signals without taking on a security nightmare. It's nice to see how much more it became.