David Maynard wrote:

Peronsally I think the manufacturer (D-link) should take responsibility.

At the minute users have not been made aware except via news reports and
posts on newsgroups, but in principle they could be notified.

According to The Register

http://www.theregister.co.uk/2006/04...row_escelates/

D-link have said they are aware of it and there may be a statement after
Easter.

I'm not blaming end users - I think the manufacturer is to blame. But
end-users are actually using the time servers now. The legal
implications of this in England are far from clear - I have no idea in
another country.

In the case of the Danish time-server, it is personally owned by an
individual with an interest in accurate time measurement.

http://people.freebsd.org/~phk/

Well, despite claims on sites like the BBC that there is a problem,
there is a distinct lack of denials from D-link, so you might reasonably
assume there is some truth in this.

A technically savvy end-user could determine it for him/her self. They
may be able to inspect the firmware downloaded from the D-link site (as
I did) following the suggestion of the Danish time server owner

Or they could look at their firewall logs which should show the
connections.

Well it has hit the BBC in England, which has a reasonable amount of
respect worldwide - although I am the first to admit this article is not
very well written.

http://news.bbc.co.uk/1/hi/technology/4906138.stm

The technical reasons are not that hard to follow.

I agree the manufacturer should be responsible, but it is not clear (at
least in England) who is legally responsible.

D-link have offered some money to the owner of the Danish time-server,
but he feels it is insufficient.

http://people.freebsd.org/~phk/dlink/

Having had dealing with him before and know how much he has contributed
to the FreeBSD project, I know that the extortion D-link claim would not
be valid.

But the manufacturer really can't do much about units in the field
unless the end-user updates firmware.

To me, the only sensible solution now, given many users will not update
firmware, is for D-link to pay the time-server owners for the increased
bandwidth. Then end users don't have to even update the firmware, as
access to the time servers will be allowed.

I agree they may not be aware (but some will be, as a results of posts
like this).

There is not. That is why I used the word "should" in there.

It is not inconceivable that such a request will follow from one of the
many US government time servers being abused. Not even the owner of the
Danish time-server has requested it.

However, more likely the military will move the names and IP address of
their time-servers, alter all the machines that connect to the time
servers, then send D-link the bill. That could be huge.

If I had shares in D-link at the minute I would sell them!!

<snip loads of stuff out>

No, but here it is a bit different.

1) The story has hit numerous newsgroups, websites, including the BBC.
Google has 73,000 hits as I write, but there is no denial from D-link.

I think it would be reasonable to assume there is a problem if places
like the BBC report it, but never report a denial from the company.
There is no denial of this on the D-link web site.

2) I can understand the logic here, but I would not the toaster/coffee
maker one.

I am *not* trying to lay blame on the end users. I feel D-link are to
blame and should pay for their cock-up. If I was an end-user, and it was
not possible to solve it with a firmware upgrade, I'd look at returning
it under a warranty.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

Dave (from the UK) wrote:

'Could be' but they still had nothing to do with it.

About time (too good a pun to pass up)

Glad to hear it but your whole argument, after stating 'the problem', has
centered around the end users.

See? After saying you weren't blaming end users you didn't manage even one
more sentence before an implied threat of "legal implications."


That's nice.

Might. Might not. Might not know about it. Might wonder why it's 'their
problem'. Might assume a 'business' is always wrong. Might think it's a
matter for the courts. Might notice that there are tons of accusations and
law suits everyday and not everyone is 'right'. Might imagine that if
they're to do something someone will will at least drop a hint. Lot's of
'mights'.


"Technically savvy end-user" is almost an oxymoron and most people have
enough things on their plate, some of which they actually care about, to
become 'investigators' over a problem they likely don't understand in the
first place even after being supposedly 'told', much less with a muddy story.

Read the "theregister" link you just posted. There's not the slightest
*hint* the end user is even involved, much less any clue whatsoever they
should 'do' something about it. It's all 'd-link is' this or that. "D-Link
is freeloading..."

They'd have hard enough time getting clueless users to understand the
matter if they *asked* for something. What would you expect the odds to be
when they don't?


No need to: "D-Link is now taking action."

Nothing for the end-user to think about.

Besides, if Mr. Poul-Henning Kamp and his gurus "have no way of figuring it
out" then don't expect the end-user to.

I'm not a court but, so far, nothing you've posted in the way of 'news' has
even hinted the end-user has been asked to do anything and it's my guess
that you suggesting some unspecified number of end-users 'probably heard
about' the problem and should have then jumped to attention, investigated
the matter, somehow figured out if their router is an affected model then
taught themselves about time servers and router firmware, found a
'solution' and then implemented it, all on their own, even though no one
asked them to do anything, is going to be a hard sell.


How the responsible parties resolve, or not, their dispute is their matter.


I was dealing with your claimed point that simply because something the
end-user had no knowledge of, nor decision process in, supposedly creates a
'problem' he knows virtually nothing about, and likely wouldn't fully
understand even if they had heard of it, and for which they haven't been
asked to do a blessed thing even if all the rest were known, then that
constitutes sufficient cause to accuse the end-user of "abuse." I'm saying
it doesn't.


But the point was that the hypothetical you proposed is inappropriate
because no such thing has taken place from either the government *or* the
owner of the time server in question, nor from any news article I've seen
you post.

Actually, it is because they would, at least first, go after the
manufacturer who created the problem.

Precisely, so it's premature, at best, to start accusing end-users of
'abuse' when none one of any authority has asked them to do a blessed thing.


Not without first contacting d-link to register the complaint and attempt a
resolution.


Which I said in the very next line.

If you had waiting to respond till you read the next sentence you'd know
that the end-user 'not understanding' was the point. Especially when the
'news' gives no indication of the affected models, does not ask for
anything to be done, and states "D-Link is now taking action."


Then why are you arguing about end-user 'abuse' and how 'they could find
out', should 'do something', and postulate 'legal implications'?

The typical end-user won't because no one's even hinted they should/could
do anything, much less asked, there's no clue given as to which models are
affected (in the 'news' anyway) and everything 'works fine' as far as they
can tell.

Dave (from the UK) wrote:

I don't know. What percentage of d-link routers update more or less often?
Because if more are on 24 hours than less then the idea to turn them off
will make his problem worse.


I'm not surprised as the internet is full of examples/tutorials showing
tick and/or tock usno.navy.mil as the server to enter.

These folks are celebrating 8 years of their NTP client product and look at
the example screen shot.

http://www.thinkman.com/dimension4/screenshots.htm

Not only is tick.usno.navy.mil available it's the one in use.


On what basis would you claim it's 'defective'? An unadjudicated complaint
that, according to the 'news' you heard about it from in the first place,
is being dealt with and has no observable impact on your system even if you
had any idea whether yours was 'one of them' or not?

David Maynard wrote:

IANAL, but I would try arguing that if the device is connecting to time
server(s) for which it has no right to do, then there is a design fault.

I did say

" ...and you can't configure it to avoid restricted time servers"

so I had already stated it was "one of them" as you put it.

Even ignoring anything on the usenet/web/BBC etc, if you are technically
savvy (and I accept not many are), you can do all the testing yourself.

1) Put a firewall in place
2) Log packets
3) Determine what the D-link product connects to.
4) Check if those IP addresses allow a device such as what you are using.

It is not particularly difficult. There is no need to cite any document
on the web - of course some information on the web might help your
cause, but it is not actually necessary.




--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

Dave (from the UK) wrote:
Might get away with it if the store is nice but you seem to think everyone
is as technical as you are and that's even more unlikely at the store than
with the average clueless end-user. Not to mention they'd be making a claim
that isn't 'officially' substantiated.

I just think you're expecting way too much.


Ok, you established an unlikely premise.


For you and I but a big chunk of users don't know their windows logon isn't
the isp logon and the next step up brighter ones don't know why. For them,
and a gaggle of even brighter ones, the 'simple' steps you just listed off
might as well be written in Klingonese.


I'm just being realistic. The average user isn't going to do squat till
someone tells them, in clear terms, that their unit has a problem and what
to do about it; and it better be free, or close to it, because, by golly,
it's PAID FOR. The 'socially conscious' might bother with a web search to
see if their model is affected, check the d-link web site, and/or ask the
store and, if they're brave enough, try a flash, if one is available (what
I did as soon as I read your post. The flash description reads "fixed
ntp."). The 'techno' user might check the admin interface to see what the
setting are (plus above) and then we come to the rare 'uber geekdom' types
who might think it's jolly good fun to 'debug' the thing; your 'simple' steps.

Don't get me wrong, I'm not saying any of them are 'stupid'. It just isn't
the average user's field of expertise nor do they want it to be. It's an
appliance that does something useful and they have no more interest in
dissecting it than they do in dismantling their car motor to see what mains
bearings were installed. It, and the car, are supposed to work and when
they do, 'no problem'. And the only time they've been on the web admin page
is when something didn't work and support told them to, and how, and what
to set; all of which they promptly forget as soon as it began working.

Seriously, the vast majority (not counting in here, of course) don't know,
or care, whether they've got a router, switch, gateway, or a modem combo
'whatever', what the difference is, what's in it, who made it or what model
it is much less whether it's got a... uh.. what? oh yes, a 'time thingie
something or other'.

David Maynard wrote:

Trying to get refunds/replacements is clearly only going to be done by a
very small fraction of users. It might be unnecessary, since if updated
firmware were made available, then flashing the devices should correct it.

But according to the web page Poul-Henning wrote

http://people.freebsd.org/~phk/dlink/

despite the fact D-link were made aware of it in Nov 2005, by 16th March
2006 there were at least 25 products for which firmware files had the
string "GPS.dix.dk" in them.

Clearly D-link have not been working overtime to correct the problem.
Perhaps a few people seeking refunds might hurry them up. If dealers
give refunds on D-link products, they might be inclined to sell less of
them and more Linksys or whatever. So a few refunds here and there might
really worry D-link - far more so than one private individual who owns
an NTP server, who they know can't afford to sue them.

But I did say "for a technically savvy user". I don't know how many
D-link products are about with this problem, but even if 0.5% of the
owners were cable of doing this, it would still be a lot of owners. One
in 200 does not seem unreasonable.

As I said, they are simple for a technically savvy user. Of course there
are various degrees of technical ability, but I do not work in IT for a
living but I understand the technical aspects quite well.


As a matter of interest, what is the date on your firmware file? Within
the last 10 days, which is when this was made public (7th April 2006).

Yes I agree.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

On Sun, 16 Apr 2006 21:05:05 -0400, Keith <krw@att.bizzzz> put finger
to keyboard and composed:

The modem's only flash device appears to be an Atmel AT45DB161B. Its
datasheet makes no claims as to the minimum number of write/erase
cycles.

By comparison, early AMD flash parts (AM29Fxx) are guaranteed for a
minimum of 100,000 writes. OTOH, some early digital automobile
odometers (eg Ford Australia) use serial EEPROMs (eg Xicor X2444) that
are spec'ed for 1 million store cycles.

I'm not 100% sure that my modem updates the flash memory after *every*
time query. It may be that it updates it only when there is a
significant disparity. What *is* certain is that the modem powers up
with the date and time of the last SNTP enabled session. I can change
the time manually, and the modem will then keep the correct time, but
doing it this way does not update the EEPROM.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

On Mon, 17 Apr 2006 05:58:43 -0500, David Maynard <nospam@private.net>
wrote:

FWIW my DI-524 defaults to updating once every 24 hours, with the
option to change this. I now have it set to once every 72 hours and
using the manually entered NTP server address of
"north-america.pool.ntp.org".

-------------
Tony Hill
hilla <underscore> 20 <at> yahoo <dot> ca

Dave (from the UK) wrote:

I think this is a little strange that everyone on this group, did not
do some research before purchasing a router! I thought that the
carefull research that is done about chips, would carry over into
routers, and internet gear.

Ok maybe someone was going for the cheap solution, and did not eat
their own dog food, but I must say I find that a little bit annoying.
It makes me wonder what other company does this same stuff, without us
knowing about it?

I know my router is set from a site in TW, maybe I will change it, just
to get a better ntp server. I also wonder just how many different
compainies make the hardware, I know a few years ago about two or three
companies where making all the hardware, let other people lable it as
their own brand. It was not uncommon to see the same hardware in four
or five rebadged brands. I also thought it was strange that if one had
a security flaw that all of a sudden you seen multi brand name updates
as well?

I have been using ZyXel; but for the last few years I was unable to
find any firmware updates. My router is a one off 802.11b version and
they don't even list it on their website. At least I can change the ntp
server, but it is buggy, and closed source but it does not drop
connections. I have to factory flash it about once a year, as some bug
in the firmware starts stop access to some sites for no reason, is
fixed with a flash back to factory settings.

Gnu_Raiz

On Tue, 18 Apr 2006 06:13:29 +1000, Franc Zabkar wrote:

....and those are the *MINIMUM* cycles (most do 10x that these days)
assuming they write back and erase exactly the same sector each time.
Sheesh - twice. Grow up Franc!

--
Keith

Dave (from the UK) wrote:
Not to mention having no real basis for the refund.


Well, someone at D-link was made aware that someone had a complaint but I
seriously doubt that any company, no matter how noble, would, or even
could, drop everything and instantaneously revise their product simply
because someone 'notified' them. Inertia alone would prevent it and all
bets are off once you call a lawyer.

It's an interesting theory but you're nibbling at crumbs around the cookie
and apparently expecting some kind of 'popular uprising' but we're not
talking about taxes, nuclear war, or world peace here. Hard enough to get
folks worked up, and agree, about those things but you're asking them to go
through the pain and misery of disrupting their system, then battle the
warranty department, for no discernible benefit to themselves, and over a
matter the 'news' says is already being dealt with.

There just aren't that many Don Quixotes out there.


One can make almost any argument sound 'plausible' if you pre-select the
appropriate assumptions but that doesn't means it's plausible in reality
and while you did say "technically savvy" the premise ignored how many of
them there might be. That's what I was addressing.

I don't know how you arrive at .5% but you then have to multiply that by
the fraction that'll give enough of a whit to exercise that expertise and I
contend the end result would be so small as to not matter.

Well, the date on my "file" is April 16 because that's when I downloaded
it. The web site release date says March 20, two and a half weeks prior to
the 7 April 2006 date. The firmware date reported by the router, however,
is 16 Nov 2005.

So while it seems "clear" to you that d-link wasn't busting their buns to
respond it appears they did at least begin to make changes rather soon
after the complaint. 4 months from change, through qualification testing,
to release sounds a bit long but then I don't know what else was in the
queue and whether mine was the 'first', middle, or last one out.

Oh wait, I noticed the DI-624 was mentioned so I looked it up and the web
site firmware update gives a release date of 12/19/2005 (rev A&B 624) with
"Fixes NTP server issue" in the description, although that one says it's a
beta. Don't see it mentioned for rev C&D.

Too bad we'll not likely to hear what the settlement is because some of the
arguments sounded like they could be fun. For example, one of the articles
accused D-link of "freeloading." I mean, besides that being a misleading
way of putting it, d-link was supposedly 'freeloading' on an open access
server that, under proper usage restrictions, is free and run by someone
who's an active member of FreeBSD, an organization which supports the idea
of open source free software. An argument over money around all those
'frees' would just *have* to be fun to hear

Tony Hill wrote:

Good man

On 17 Apr 2006 17:46:14 -0700, Gnu.Raiz@gmail.com wrote:

Anand wrote in an article a few months ago, after visiting one of their
plants, that D-Link was one of the few real mfrs of networking
equipment.:-)

--
Rgds, George Macdonald

On Mon, 17 Apr 2006 21:57:35 -0400, Keith <krw@att.bizzzz> put finger
to keyboard and composed:

Nonsense.

Spansion now specifies "100,000 erase cycles per sector TYPICAL" for
its current product line.

See http://www.spansion.com/datasheets/s...xn_00_a6_e.pdf

You really are a pathetic little man.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

On Wed, 19 Apr 2006 16:57:15 +1000, Franc Zabkar wrote:

You still haven't learned how to read, eh' Franc?

You are truely clueless. Now run away again while you have a chance.

--
Keith

In article <hhp2425gfmcnq2fjegahghsl2tju6kunir@4ax.com>, George
Macdonald <fammacd=!SPAM^nothanks@tellurian.com> writes

pool.ntp.org.

And if the unit has any country configuration, XX.pool.ntp.org, where XX
is the country code.

--
(\__/)
(='.'=) This is Bunny. Copy and paste bunny into your
(")_(") signature to help him gain world domination.

On Fri, 21 Apr 2006 18:01:07 +0100, Mike Tomlinson
<mike@NOSPAM.jasper.org.uk> wrote:

If you had read the thread, instead of letting one off, that suggestion had
been made and "pool" is a relatively recent facility, which appears to not
be very well publicized. Also there are routers which only allow a number
to be entered as a target... if they allow anything at all.

--
Rgds, George Macdonald

On Wed, 19 Apr 2006 22:28:36 -0400, Keith <krw@att.bizzzz> put finger
to keyboard and composed:

What is it about the word, "typical", that you don't understand?

Hint: think Gaussian distribution.

Then ask yourself, why is it that AMD/Spansion has gone from
specifying a guaranteed *minimum* of 100K cycles to 100K *typical*? Do
you even understand the difference?

Run away from what? Your rapier wit? Your technical prowess?

There are many in this group whose opinions I respect. You are not one
of them.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.