"..., but where does the NTP server get it's time from?" In Europe I think the most common answer is DCF77. It's a long-wave radio signal broadcasted from Germany which signals date and time information since 1973. The signal so easy to receive and decode that you can find building block modules for under 15€ and of cause there is a wide range of ready to use serial and USB versions. My NTP server at home (runnign on a RasPi) still uses an old serial DCF77 receiver I bought for my PC in 1991. The cool thing is that the signal now also carries data from Germans catastrophe warning system as well as a 4 day weather forecast for 60 European regions without the internet :-D

I clicked, thinking it is a video about relativity.

Why you are late for work? Sorry, I just don't trust time

There's a much simpler solution for the games, one that is based on "complexity ~ error susceptibility". If there is no timer implemented stopping us from playing, we couldn't break the timer.

4:55 If you in can ensure that the user won't close the app, you can simply store a counting variable in memory. Since that's a rare case, your best bet is to store that information in a file that you hide from the user ("hide" by putting it in a folder that's not a popular - whether you create one or use an existing one). Otherwise - you simply have to rely on the device's time, like you said

I once downloaded a piece of software that only checked if the demo time was out when you launched it, so as long as you didn't close the software, you could keep using it.

9:00 when I saw IoT, I chuckled, IoT and security do rarely go together well

When you are designing hardware with the anticipation of using time in the firmware, as long as the power limit and other constraints permits build a low power GPS receiver in there. Those modules are cheap enough to be a dime a dozen now, and they give you a good idea what time it is, and the PPS pulses are often also good reference clocks for calibrating internal timers.

The most important thing about traffic monetization is choosing a good ad network that pays off your traffic investments.. Been looking for the best ones, my profit is currently the highest on MonadPlug ad network.

i did this in my phone 7 years ago and this what introduced me to game development today

This is quite interesting, I work with some embedded Android systems, a couple of weeks ago I discovered that we had major clock syncing issues, Android refused to auto-adjust the clock. So I have implemented custom time syncing on the systems that uses the server time when syncing with the remote. So every time a request is made the clock is validated and compared to the remote, if it's fallen behind by too much adjusted for timezones, it uses the remote server's time instead. I didn't think of it as an attack vector aswell, so it's really cool to see a video exploring this subject more as it's much more critical than people think it is. Android has a stupid fallback to set the clock to 2011 if it loses track, which means all HTTPS requests will fail because of invalid SSL certificate dates.... You aren't likely to see this on phones though. And yeah, I've used the "set the clock 15min into the future, to skip cooldown" exploit on a bunch of time-based games, sometimes it even works on text-based browser games for some reason....

Easiest solution: Do no implement cashgrab timers :P

Time constantly progresses so technically, we're all time travellers. Great video!

Big fan. Programmer myself, 25 years, and learning so much from your videos.

Protip for wannabe PC technicans. Time mismatch can often cause weird results in PCs, like (real life situations of my clients): 1) some pages word, most don't, some partially (CMOS battery died, clock got reseted and without NTP sync all SSL certs weren't valid yet) 2) misorder in instant messaging - both local apps and webapps (often to sort app takes server time for incoming messages + local for outgoing). So, if you all would fix PCs someday - either as a help or as a work - you could include time+date check as one of the first things you do. It won't take much time and clock which is really off might give you very weird results. IMO it's worth to spend 5 seconds on time check than find out hour later that it was the thing that broke something.

.content{overflow:hidden} Hahahahahaha

I had an app that only run when you set your time to 'get from internet'

Oh shit, that's old. There was even an old, Windows 95 program, which attached a tiny loader to an exe, which set the system clock to a specific date and time, then started the program and set it back. This was known as "Time crack" Even Microsoft is guilty. I use Visual Studio express 2008. This free version has a time limit and locks after a couple of months until it was registered. Problem, the page is down, you cannot register it anymore. So, I just deleted it's registry, set my date to 2030 started it up, closed it and set my date back. Guess what, it works. I have negative days left and do what I want until I die or have to reformat.

chrome really has it own built-in ntp... seriously

1:40 miniclip do it in the eight ball pool game

I used to do that all the time in Candy Crush on Android. XD One question I have. If you really need a time clock, how do you make sure that the time you are accessing is correct?

6:50, except theres diffie helman !

Now, what if your user moves near the speed of light? Or if your server does?

Firefox behave oddly when you change system time. Sites still work and show a valid certificate even when by system time it should be expired, so it seems to be doing a check with a remote server. However when you view the certificate it says that it's invalid.

Candy Crush running on Android 4.? is a lot more fun when messing around with the system date settings. No more waiting. Kudos to my mom for finding that out! XD

mobile apps often don't care, cuz the people who are willing to go through the hustle of changing the time won't buy anything anyways. Plus, once you changed the time, WhatsApp and others start f*cking everything up, at least on Android 4.*

Imagine animal crossing with server sided time lol

OK avoid time. GOT IT

First! (comment submitted Dec 19 1972)

from the point of a security aware person: IoT is a truly terrifying thing. XD - Anyway, we can talk about how it went in 10 years...... hopefully. XD

Could our computers just use the global GPS clock-signal? If not, why not? Oh, I know why... A copper cage, and fake radio [a radio impostering GPS], would let you (illegally, I presume) be a tyrant to your poor computer🙁

Can't we get a chip that can't be modified but provides timers?

Voxal Voice Changer is a really stupid one. It checks the time, but uninstalling and then reinstalling it allows you to use the trial again?

Never trust time... if it comes from time.windows.com. I've solved a lot of sync and server problems with websites and servers because no-one realized how much Windows' default time server sucks... It's a problem that stumps even experienced sysadmins and developers... A good time source is everything. Combine that with sysadmins that don't know how to let the domain controller control time across the domain it's no wonder time.windows.com is severely overloaded. What I used to do, was check the system time ONLY if it was properly set up with a time server(that was NOT time.windows.com), AND had synced within the last X minutes or hours. If not, it would trigger a time sync through the OS (if available) or hook up to nist time servers or the DC or web server. Raspberry Pis are lovely in this way; they are dependant on time servers unless you invest in an RTC module :)

All data can be edited

6:50 Why fax and not teletype? Fax is just needlessly complicated, if they're going to do it over POTS, at least use an appropriate mode.

always when i start backbox by computer clock on windows have 2 hour difference ;v

Check out Network Time Security (NTS): datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/, which will help solve the authentication problem. Here's an accessible blogpost: blog.cloudflare.com/secure-time/

Our locked down school ipads had the wrong time on them (they were set to the first jan 2007) so we were unable to access internet

LiveOverflow: "Don't trust time!" People who take Psychedelics: "Yeah, obviously."

I am a database engineer, and for concensus, the system I make have a general way of seeing time: 1/ the server is always in the right, the client can be slightly in the wrong (by a few seconds or so) 2/ The time is not a date, the time is just a value that will always steadily increase from the server point of view. 3/ You always read data from the past and write data in the present from the client. the server always receive requests of data from the past and send back data from further in the past

i remember i had this old desktop computer with a dead CMOS battery, i had a demo version of Mixcraft 7 installed and because the system time never updated correctly, i had an unlimited trial period. until my mother set the system time to the correct one and then the trial ended. but a few years after that i bought Mixcraft 8 Home Studio edition on steam. best 20$ ive spent. for the most part.

Overall good video, but you say "how does your computer know the time after it has been offline for a week...well you probably know about NTP". Actually, that's not really how this works, and almost all computers use a small battery (on desktops, often a little circular one you can easily find if you take the side panel off) to keep timers running (very low power) even when fully "shut down" (and unplugged), and that's how they keep track...NTP is only synchronized occasionally.

This comment is coming from the future

The Nintendo DS has an interesting protection against just changing the clock used by the Pokemon games: when you change the system time, another variable is edited by the same amount which reflects an offset of the current time from when the firmware was last cleared. The Pokemon games would save this time offset with the time, and a substantial difference would indicate attempted time travel.

wow! this is mind boggling. so important and yet it's (potentially) flawed.

When your pc didn't have power for a week the time comes from the bios clock and not from NTP -> Power off your pc and unplug your ethernet cable. Reboot your pc and the time is still correct without NTP.

It is pretty common to use GPS as time source. BTS towers and ATMs are just glaring examples for that. Also you may want to check your stratum level if it comes to synchronized time on device.

Tried this method on Fallout Shelter. Worked great but I wouldn´t find loot for 30 Years since then.. hehe...

Even if I think i know a subject very well its still nice to see the "meat" you bring to the discussion. I was doing this back in windows 95 :P

There's a game called Disco Zoo for mobile that does a clever trick to mess with cheaters. It uses your system time, so you can cheat all you want by setting the time ahead, but obviously you will need to know the actual time sooner or later. You will set back the clock to the current time after you are done cheating, but next time you enter the game you get a message: Some of your animals were lost in a time travel incident. I think this is a fun and clever way to set cheaters back, while not requireing server side tracking of time. (Although obviously this system can be improved with calculating the time difference for a penalty of the similar level etc.)

Oh no did I see NIST? If I’ve learned anything from FTCs, it’s never trust the NSA... ecc bad

Meh. Your problem is that your app is on the user device. You can't really safeguard a system when the attacker has full access to it, proved by all DRM systems. At most you can make it harder to attack, but it's not worth it for simple apps.

If lastKnowTime > currentTime then { AccuseCheater(); } Function AccuseCheater() { // Take away valuables here }

Im using ms office 30 days trial for years by setting the time on my device lmao

7:56 I won't tell you I rolled my own atomic clock! :P Joking aside, normal PCs should have RTC included in the motherboard with coin cell battery as backup. The timing operation is low powered enough to be run with the single coin cell, via a 32.768KHz crystal (32768=2^15, which can be divided to 1Hz easily) Newer RTC chips even have integrated extremely accurate TCXO to ensure precision timing.

Applications often have to trust user input. To keep them secure programmers have to be conscious about what exactly they are trusting the input *with*, and whether the user is someone who is appropriate to give that trust to. For instance KZbin trusts me with my own online reputation. It presumably trusts some employees at Google with the ability to delete my comment, but unless it has a bug it does not trust me to be able to delete theirs.

There's a very simple solution for games: Single player: Who cares? Cheaters aren't hurting anyone else. Multiplayer: You have to be online for a multiplayer game anyway, so you might as well get the time from your server.

Great video, I would have never considered time

Don’t trust edited comments.

Don't forget the cost of all those requests over time as well, from the dev standpoint. One is not much, but if you have 100k players sending hundreds of extra packets every day it adds up quick.

You can't "just" skew time massively with NTP as a remote attacker. Most NTP clients will refuse to update if there's more than 1000 seconds difference, and slewing is limited in speed. For example, it can take 2000 seconds to move the clock by a single second. The exception to this is when the *client* forcefully sets the clock from cold, for example with ntpdate - an event which a remote attacker could not easily control.

the comments here defending their choice to trust time are highly concerning... even if you use some sort of super advanced hardware method to get your time, that can always be modified in the memory. fact of the matter is, you can't trust it, point blank, so you have to think of interesting ways to mitigate that. in order to properly mitigate it, without sacrificing user experience, you have to think of really clever ways to capture the point from multiple angles as well as do some data analysis. not infallible, but done correctly it would be more work to fake it than to just do it legitimately.

Funny thing is the time hack for games is so simple a kid could figure it out. I certainly did and I have no knowledge of hacking or code. I just turn the device time forward. Works for far too many games.

Very beneficial video, highly appreciated!

fantastic video -- the quality of what you makes visibly, AND quickly seems to be going up ... or my clock's running fast ... who knows ...

I would have tought that you have an Android device, you really can do way more with them than IOS devices.

I'm not much in programming but your videos are so interesting. I would never suppose that my time on computer might be so complicated!

Just have the game run in background with it's own clock

"time is complicated" the Doctor: "yeah, let's talk about it"

Your computer has the time after being unplugged for a week because of the CMOS battery :P

if i remember correctly, fucking with system time in The Sims 2 on Nintendo DS got you abducted by aliens or something :D i just thought maybe "burning" past time (i.e. safely, unalterably storing dates that are safely known to have passed) might alleviate issues with ssl. But then again, this might open up DoS-scenarios where manipulating ntp to be a few years ahead might make any current certs permanently unusable.

As an embedded software developer working on microgrid systems, I really don't care what time it is, so long as it's correct to the microsecond modulo the current grid frequency's period. If someone with physical access can disconnect the sync input on our machine this would cause a DoS attack, but the same goal can be achieved with a sledgehammer. This is a niche use case, but other embedded systems might get trusted time information from the UART output of satellite navigation modules (assuming GPS jamming isn't part of your threat model, since only nation-state level attackers would risk operating a GPS jammer on the open airwaves). You can also embed a cheap microcontroller with an RTC battery that has strong anti-tampering features, but then you need a trusted synchronization source since quartz crystals go out of whack with extreme temperatures. Ever wondered why your wristwatch never needs adjusting but your old Civic's clock drifts by many minutes during the cold Canadian winter? It's the same reasons tuning forks go out of tune in the freezer. Physics.

A problem with this was recently discovered with the national COVID-19 wallet app in the Czech Republic. The app is able to load vaccination and testing certificates and display their details, including whether these certificates are valid ways to prove one's eligibility to enter various places. This, however, requires the current time-certificates are valid from a while after the second dose and of course tests are valid only a while after they were performed-and people figured out one can set the system time to make the app show that the certificate is valid. Obviously, the app shows the time frame of the validity of the certificate, but many people who check simply see the green colour and the text "valid" and assume that it's valid.

Wow. Great video. An easy way around all this time hacking, would be using GPS time. At least for mobile devices. As for PCs, they are usually on-line all the time, so requiring always on internet is not such a big deal.

don't trust time because time slow down when you get close to speed of light....

Is it a good/secure option using the data base with a date/time field ? (while having prepared data base about SQL injection) I mean you start training your magikarp -> server set a date time -> you're forced to wait datetime >= (last datetime + timer). I'm new, just want to know if it's secure or there's some security failures I didn't know ?

I wanna make a chat site where you can change your system time to make your texts be "---Dec 27, 2083---" in 2020.

cant you use run time of the device? magikarp should level up (past runtime_now + 30mins) OR (before current_runtime (for resets) AND past current_time + 30) Then it gets annoying to cheat the game at that point as youd need to reset the device and change the time or have a root device that allows uptime to be changed?

I use this gimmickry I made by myself to get time locally in untrusted stations: github.com/felyperennan/Figlotech/blob/master/Figlotech.Core/SyncTimeStampSource.cs gist.github.com/felyperennan/ccc8d409a73737343e200778c413e865 The second one is an angular service, it's a little bit entangled with my other services, but not so much. I initialize the time from either NTP or THE server and then everytime i ask for a timestamp I get a good one without having to roundtrip to server again. Of course I still have to rely on the NTP to be trusty and the SSL to be trusty and that the RAM isn't being tampered with. And also obviously this requires internet at least once. One thing I've seen Tap Titans 2 do is, they record time constantly, so that when you roll back to the real time the game knows that you cheated.

Notice that UTC is always computed after the fact, based on an average between different atomic clocks. This means that your wall clock is always wrong.

I always used this while playing games on my Nintendo DSi as a kid! 😄

I know this isn't what you meant, but the concept of developers of microtransaction-ridden timeout mobile games being "engineers" makes me laugh.

Cough cough new horizons cough cough

The mobile game Battle Cats seems to handle the issue very well, at least on a surface level. If the player changes system time, the game stops all time related calculations (mainly energy for playing stages) for about a day. I dont know howhever if cheaters found any way of bypassing that

What if you run a "test for," that will compare the last minute to the next minute, and if there is more than a % of the time then the program will subtract the between time and keep running the game as if no time had passed between that time jump. Ex: 12:00 -> 12:01 -> 12:02 -> 7:30 -> 7:31 (the program subtracts 7 hours and 28 minutes of in-game time and then runs as normal.)

Couldn't you just periodically sync up a timestamp and only allow a discrepancy of like 2-4 times the ping?

ypu can use gns (gps, galileo, glonas, ...) for acurate time. even Meinberg NZP Server (uses in enterprice) use gns time.

Jokes on you, my project just uses time for logs and in the new version to be displayed on the title of the cmd/graphical window

why do you use apple devices

I guess you can still spoof it on a rooted phone, but since most phones have GPS could an app developer query raw GPS signals to get satellite time based on location?

Anyone getting flashbacks to setting your phone's time to manually '2890' to get more cookies in cookie clicker

I guess sms wasn't a thing when NTP postal mail service was created. Then again why they didn;t use diffie hellman ?

if you make a game then you shouldn't spend your time preventing cheaters (as long as it isnt a multiplayer game) cause chwating just ruins the player's fun and nothing else.

the best trick I have for software that expire is creating a VM in the future and freezing it, so every time I need to use the software I start the VM, and because its in the future, it'll never expire. and yes, there are ways to hide the fact you're running inside an hypervisor, but no one checks those

Are these vulnerabilities still applicable if a monotonic clock is used which measures time since epoch? I can understand these being an issue with real-time clocks.

The psvita and PS4 devkits have this problem with the activation period lol

Pokemon Go: you can only get one raid pass a day, some people change the timezone to get the tomorrow's raid pass.

My grandad had an issue that he couldn't browse the web on his iPad because it was a year or two in the future to skip the wait times on Candy Crush.

lmao last time I travelled abroad and some time change the game think I cheat block the game so I can't play until I change back the time but I aint bout to have incorrect time just for some game so when I got back home it changed back to the normal timezone and they still block it lmao I can't even play it anymore is pretty old forgot the game name