I clicked, thinking it is a video about relativity.

"..., but where does the NTP server get it's time from?" In Europe I think the most common answer is DCF77. It's a long-wave radio signal broadcasted from Germany which signals date and time information since 1973. The signal so easy to receive and decode that you can find building block modules for under 15€ and of cause there is a wide range of ready to use serial and USB versions. My NTP server at home (runnign on a RasPi) still uses an old serial DCF77 receiver I bought for my PC in 1991. The cool thing is that the signal now also carries data from Germans catastrophe warning system as well as a 4 day weather forecast for 60 European regions without the internet :-D

I am a database engineer, and for concensus, the system I make have a general way of seeing time: 1/ the server is always in the right, the client can be slightly in the wrong (by a few seconds or so) 2/ The time is not a date, the time is just a value that will always steadily increase from the server point of view. 3/ You always read data from the past and write data in the present from the client. the server always receive requests of data from the past and send back data from further in the past

Our locked down school ipads had the wrong time on them (they were set to the first jan 2007) so we were unable to access internet

Why you are late for work? Sorry, I just don't trust time

There's a much simpler solution for the games, one that is based on "complexity ~ error susceptibility". If there is no timer implemented stopping us from playing, we couldn't break the timer.

LiveOverflow: "Don't trust time!" People who take Psychedelics: "Yeah, obviously."

i remember i had this old desktop computer with a dead CMOS battery, i had a demo version of Mixcraft 7 installed and because the system time never updated correctly, i had an unlimited trial period. until my mother set the system time to the correct one and then the trial ended. but a few years after that i bought Mixcraft 8 Home Studio edition on steam. best 20$ ive spent. for the most part.

When your pc didn't have power for a week the time comes from the bios clock and not from NTP -> Power off your pc and unplug your ethernet cable. Reboot your pc and the time is still correct without NTP.

4:55 If you in can ensure that the user won't close the app, you can simply store a counting variable in memory. Since that's a rare case, your best bet is to store that information in a file that you hide from the user ("hide" by putting it in a folder that's not a popular - whether you create one or use an existing one). Otherwise - you simply have to rely on the device's time, like you said

Overall good video, but you say "how does your computer know the time after it has been offline for a week...well you probably know about NTP". Actually, that's not really how this works, and almost all computers use a small battery (on desktops, often a little circular one you can easily find if you take the side panel off) to keep timers running (very low power) even when fully "shut down" (and unplugged), and that's how they keep track...NTP is only synchronized occasionally.

"time is complicated" the Doctor: "yeah, let's talk about it"

There's a game called Disco Zoo for mobile that does a clever trick to mess with cheaters. It uses your system time, so you can cheat all you want by setting the time ahead, but obviously you will need to know the actual time sooner or later. You will set back the clock to the current time after you are done cheating, but next time you enter the game you get a message: Some of your animals were lost in a time travel incident. I think this is a fun and clever way to set cheaters back, while not requireing server side tracking of time. (Although obviously this system can be improved with calculating the time difference for a penalty of the similar level etc.)

It is pretty common to use GPS as time source. BTS towers and ATMs are just glaring examples for that. Also you may want to check your stratum level if it comes to synchronized time on device.

The Nintendo DS has an interesting protection against just changing the clock used by the Pokemon games: when you change the system time, another variable is edited by the same amount which reflects an offset of the current time from when the firmware was last cleared. The Pokemon games would save this time offset with the time, and a substantial difference would indicate attempted time travel.

I'm not much in programming but your videos are so interesting. I would never suppose that my time on computer might be so complicated!

fantastic video -- the quality of what you makes visibly, AND quickly seems to be going up ... or my clock's running fast ... who knows ...

I once downloaded a piece of software that only checked if the demo time was out when you launched it, so as long as you didn't close the software, you could keep using it.

This is a really great video! Thanks I hope to see more technical stuff like this in the future.

wow! this is mind boggling. so important and yet it's (potentially) flawed.

Applications often have to trust user input. To keep them secure programmers have to be conscious about what exactly they are trusting the input *with*, and whether the user is someone who is appropriate to give that trust to. For instance KZbin trusts me with my own online reputation. It presumably trusts some employees at Google with the ability to delete my comment, but unless it has a bug it does not trust me to be able to delete theirs.

Hey, i want to say Thanks allot. You have changed my life with your Videos. I learn coding (I am not that good) but it is hell of fun :) thanks alot and Keep it up :)

Great video, I would have never considered time

7:56 I won't tell you I rolled my own atomic clock! :P Joking aside, normal PCs should have RTC included in the motherboard with coin cell battery as backup. The timing operation is low powered enough to be run with the single coin cell, via a 32.768KHz crystal (32768=2^15, which can be divided to 1Hz easily) Newer RTC chips even have integrated extremely accurate TCXO to ensure precision timing.

You can't "just" skew time massively with NTP as a remote attacker. Most NTP clients will refuse to update if there's more than 1000 seconds difference, and slewing is limited in speed. For example, it can take 2000 seconds to move the clock by a single second. The exception to this is when the *client* forcefully sets the clock from cold, for example with ntpdate - an event which a remote attacker could not easily control.

Very beneficial video, highly appreciated!

Don't forget the cost of all those requests over time as well, from the dev standpoint. One is not much, but if you have 100k players sending hundreds of extra packets every day it adds up quick.

Even if I think i know a subject very well its still nice to see the "meat" you bring to the discussion. I was doing this back in windows 95 :P

There's a very simple solution for games: Single player: Who cares? Cheaters aren't hurting anyone else. Multiplayer: You have to be online for a multiplayer game anyway, so you might as well get the time from your server.

Funny thing is the time hack for games is so simple a kid could figure it out. I certainly did and I have no knowledge of hacking or code. I just turn the device time forward. Works for far too many games.

When you are designing hardware with the anticipation of using time in the firmware, as long as the power limit and other constraints permits build a low power GPS receiver in there. Those modules are cheap enough to be a dime a dozen now, and they give you a good idea what time it is, and the PPS pulses are often also good reference clocks for calibrating internal timers.

i did this in my phone 7 years ago and this what introduced me to game development today

great video as always, intresting topic too i have an idea can you do a video where showing how easy it sounds but how difficult can it be to exploit these attacks? i know i know it is a big request but yeah :)

A problem with this was recently discovered with the national COVID-19 wallet app in the Czech Republic. The app is able to load vaccination and testing certificates and display their details, including whether these certificates are valid ways to prove one's eligibility to enter various places. This, however, requires the current time-certificates are valid from a while after the second dose and of course tests are valid only a while after they were performed-and people figured out one can set the system time to make the app show that the certificate is valid. Obviously, the app shows the time frame of the validity of the certificate, but many people who check simply see the green colour and the text "valid" and assume that it's valid.

Your videos is all i need right now! Thank you

9:00 when I saw IoT, I chuckled, IoT and security do rarely go together well

This is quite interesting, I work with some embedded Android systems, a couple of weeks ago I discovered that we had major clock syncing issues, Android refused to auto-adjust the clock. So I have implemented custom time syncing on the systems that uses the server time when syncing with the remote. So every time a request is made the clock is validated and compared to the remote, if it's fallen behind by too much adjusted for timezones, it uses the remote server's time instead. I didn't think of it as an attack vector aswell, so it's really cool to see a video exploring this subject more as it's much more critical than people think it is. Android has a stupid fallback to set the clock to 2011 if it loses track, which means all HTTPS requests will fail because of invalid SSL certificate dates.... You aren't likely to see this on phones though. And yeah, I've used the "set the clock 15min into the future, to skip cooldown" exploit on a bunch of time-based games, sometimes it even works on text-based browser games for some reason....

Notice that UTC is always computed after the fact, based on an average between different atomic clocks. This means that your wall clock is always wrong.

There is quite a simple solution to the matter (for games at least), breakable but not very easily. * Firstly, one rule is that you can never go back in time. * Secondly, most systems have an internal `ticks since boot` which you can hook onto, so you track the time from the moment the app was started onwards with the ticks instead, and when it is out of sinc with the time date of the system, they can be assumed to try to cheat. And then to pack it all up, you do a server request every x seconds just to check up on things from the server side also, but the rest just plays as a `secure prediction`. PS, great video! Very interesting and underestimated topic!

Time constantly progresses so technically, we're all time travellers. Great video!

As an embedded software developer working on microgrid systems, I really don't care what time it is, so long as it's correct to the microsecond modulo the current grid frequency's period. If someone with physical access can disconnect the sync input on our machine this would cause a DoS attack, but the same goal can be achieved with a sledgehammer. This is a niche use case, but other embedded systems might get trusted time information from the UART output of satellite navigation modules (assuming GPS jamming isn't part of your threat model, since only nation-state level attackers would risk operating a GPS jammer on the open airwaves). You can also embed a cheap microcontroller with an RTC battery that has strong anti-tampering features, but then you need a trusted synchronization source since quartz crystals go out of whack with extreme temperatures. Ever wondered why your wristwatch never needs adjusting but your old Civic's clock drifts by many minutes during the cold Canadian winter? It's the same reasons tuning forks go out of tune in the freezer. Physics.

Hello LiveOverflow. Definitely i like your videos and i am always amaze. Please can you make a video on how you started about hacking and what was your school carrer , your first programming language and a guide for those want to be as strong as you in computer security.

Big fan. Programmer myself, 25 years, and learning so much from your videos.

Pokemon Go: you can only get one raid pass a day, some people change the timezone to get the tomorrow's raid pass.

other one of simplest solution is to make your own time counting process history of the phone that are running in the background. if the process history is (enough) count it as a unit of time, thus a second has occured. It would be completely independent with time.

Im loving this channel, thanks for the entertainment!

My grandad had an issue that he couldn't browse the web on his iPad because it was a year or two in the future to skip the wait times on Candy Crush.

Tried this method on Fallout Shelter. Worked great but I wouldn´t find loot for 30 Years since then.. hehe...

the best trick I have for software that expire is creating a VM in the future and freezing it, so every time I need to use the software I start the VM, and because its in the future, it'll never expire. and yes, there are ways to hide the fact you're running inside an hypervisor, but no one checks those

what software are you using for the animations

I think some games remember the last timestamp they got, and detect backwards jumps in time. Not sure what they do when they detect it though.

ez you store the current time in the background, then, if time < than stored time, erase all progress store the time at the start of each countdown and allow timezone changes once a day (or, if possible, query the timezone, not clock info)

for iot applications, i'll suggest user-built/compiled client instead of obscure auto update. at least the server/ user have a way to know if the running program is trustworthy.

if i remember correctly, fucking with system time in The Sims 2 on Nintendo DS got you abducted by aliens or something :D i just thought maybe "burning" past time (i.e. safely, unalterably storing dates that are safely known to have passed) might alleviate issues with ssl. But then again, this might open up DoS-scenarios where manipulating ntp to be a few years ahead might make any current certs permanently unusable.

Anyone getting flashbacks to setting your phone's time to manually '2890' to get more cookies in cookie clicker

The most important thing about traffic monetization is choosing a good ad network that pays off your traffic investments.. Been looking for the best ones, my profit is currently the highest on MonadPlug ad network.

You got new subscriber :) ! great job

I always used this while playing games on my Nintendo DSi as a kid! 😄

I just always imagined putting a timer logic event nestled in the code of the game based off of app run time although that does come with a specific downside. You can't close the app while the time is ticking down so I guess for most purposes that wouldn't work would it...

I think the systems rely on materials like small valuable crystals. Even atomic clocks are known to be useful for operationally running a secured business. It is also a known fact that we get the crystals in our smartphones from Asia.

Don’t trust edited comments.

Phones usually get their time from incoming calls as well as the internet in case the internet connection has not been set up. When a call is sent to a phone there is a packet of data sent to the phone before it starts ringing. This is true for both landlines and mobile networks. This data contains the number of the caller (if not blocked) and a time/date stamp plus some other data not relevant this discussion. This data was often used by devices like answering machines so that they could keep a record of the time the call was received without having to have a built in clock. I know this because in the late 90's I worked for a company that designed and made an electronic device that let a PC answer the phone and play a WAV file to the caller through the parallel port, we needed it to be cheaper than the then expensive internal modems that could also act as an answering machine, we did not need all the functions of a modem anyway. So, we had to use an IC that was authorised to connect to the phone line and it came with the information on what to expect when a call was received. It was for a guard monitoring system. Guards at a remote site would be able to call in to the system back at the base and give it codes with the touch tone. Instructions had to be relayed to the guards. I was a programmer at the time and wrote the software that monitored the guards as well as answer the calls. It was an interesting project :)

Fun fact: It's possible to find forensic artifacts when someone has been tampering with the time on a windows computer. It's in the system log. Sure, people can wipe the log easily, but that leaves a mark in the new log. Of course, change it in the BIOS and there will be no OS to write to the log, but who goes that far these days?

Protip for wannabe PC technicans. Time mismatch can often cause weird results in PCs, like (real life situations of my clients): 1) some pages word, most don't, some partially (CMOS battery died, clock got reseted and without NTP sync all SSL certs weren't valid yet) 2) misorder in instant messaging - both local apps and webapps (often to sort app takes server time for incoming messages + local for outgoing). So, if you all would fix PCs someday - either as a help or as a work - you could include time+date check as one of the first things you do. It won't take much time and clock which is really off might give you very weird results. IMO it's worth to spend 5 seconds on time check than find out hour later that it was the thing that broke something.

There's a separate battery in computers that keep track of time when they're off. They do not need to connect to a network.

For the main Pokémon games, which run on dedicated gaming hardware, the game can detect the changing of system time, and lock out time-related functions temporarily. I suspect the game is able to read the real-time clock (RTC) values directly, and changing the system time only modifies an offset on top of the RTC. (Some older Pokémon games, that ran on systems that don't have a system clock, came with an RTC inside the game cartridge, and those would ask you to set the wall clock at the start of the game. Certainly Game Freak have thought a lot about this type of vulnerability, which makes its existence in a spinoff game surprising. )

Easiest solution: Do no implement cashgrab timers :P

I had an app that only run when you set your time to 'get from internet'

One way to detect if the user has turned back the system clock: Every time the program starts you can check system time and save it. By comparing the current time with the saved time you have some protection, if time now is before the time of last start up the user is cheating. The weak point is the file containing the last start up time could have been modified by the user as well.

Just have the game run in background with it's own clock

This even works with the new Whatsapp message deletion feature. It normally only allows deleting the message 10 minutes after it has been sent. If you set your clock accordingly you can still delete the messages.

.content{overflow:hidden} Hahahahahaha

I can't remember the game, it was a cheesy ftp mmo from the mid to late 00's. I noticed that the time between skill usage was slightly different between different computers. I looked into it and it turned out that it worked off FPS not time and it also turned out that there was no server verification......... Yeah, I quickly became a cheat chr

the comments here defending their choice to trust time are highly concerning... even if you use some sort of super advanced hardware method to get your time, that can always be modified in the memory. fact of the matter is, you can't trust it, point blank, so you have to think of interesting ways to mitigate that. in order to properly mitigate it, without sacrificing user experience, you have to think of really clever ways to capture the point from multiple angles as well as do some data analysis. not infallible, but done correctly it would be more work to fake it than to just do it legitimately.

You could request location services on your app to verify the time as gps satellites have precise time.

There is one bummer for mobile games - really most mobile games here: iOS does not allow the use of GPS time or UMTS time directly inside apps. Those clocks originated from the user's mobile carrier or the GPS satellites are more trustworthy than the user-controllable system time. With those time sources independently available the games can be built to use GPS/UMTS time whenever possible, keep track of the delta between those trustworthy time sources and the system time to allow some offline operation. As of myself my mobile devices are configured to use GPS and UMTS time whenever possible; and computers are configured to use a local Raspberry Pi based NTP server on my home network, which has a GPS module connected to serve GPS time.

So timezones are easy. Work in UTC. Let the UI modify display for user. I've worked in places where the way they handled time was consensus. NTP from NIST + FM broadcast from local time station + GPS all concur for example so set the time. Use local TCXOs to maintain time within your closed system. Maintain consensus across TCXOs Use a dice roll to determine if time is verified that "tick". One of the most basic NTP protections is that it will not update large differences, anything more than a few seconds (I forget the actual number) will generally be ignored unless but it's a forced update by a client. It only corrects it by milliseconds usually. So a network attacker attempting to mitm a NTP server and change the time to last week, will likely fail.

it's good article about time check, if me, I will give two same target time stamp to run client and server tick at the same time, when client request and server side will it self time to validate verification. client side time stamp just was used for display time display or basic logic contorl

I used to do that all the time in Candy Crush on Android. XD One question I have. If you really need a time clock, how do you make sure that the time you are accessing is correct?

Don't forget daylight savings time!

"Not to mention that timezones and people who travel and all this crap makes programming time really annoying" I'm glad I always use UTC time. I had a problem with daylight saving once in my business program, been using UTC since then and never went back;

Is it a good/secure option using the data base with a date/time field ? (while having prepared data base about SQL injection) I mean you start training your magikarp -> server set a date time -> you're forced to wait datetime >= (last datetime + timer). I'm new, just want to know if it's secure or there's some security failures I didn't know ?

You can simply build your own time system whether its countdown , runtime. And whenever the application is closed, change the user database information to the lastest time. This way is will not be possible to edit the memory or manipulate the time. Its very simple.

Great video! Subscribed

Jokes on you, my project just uses time for logs and in the new version to be displayed on the title of the cmd/graphical window

I remember writing a SQL-based tool for comparing sales year over year. Great, it works! All done in less than 10 hours. But shit, we forgot about 29th of February happening every four years! Hence another 150 hours had been sunk into the project rebuilding the whole thing to account for a single 24 hour period. Screw time.

Good Work!

I used to do that on Candy Crush. Not sure if the game still allows it

Fuck, they are going to know my timezone!

Meh. Your problem is that your app is on the user device. You can't really safeguard a system when the attacker has full access to it, proved by all DRM systems. At most you can make it harder to attack, but it's not worth it for simple apps.

I propose that we install a daylight sensor on the computer, and it sets the time based off the sun's position relative to the device.

Oh shit, that's old. There was even an old, Windows 95 program, which attached a tiny loader to an exe, which set the system clock to a specific date and time, then started the program and set it back. This was known as "Time crack" Even Microsoft is guilty. I use Visual Studio express 2008. This free version has a time limit and locks after a couple of months until it was registered. Problem, the page is down, you cannot register it anymore. So, I just deleted it's registry, set my date to 2030 started it up, closed it and set my date back. Guess what, it works. I have negative days left and do what I want until I die or have to reformat.

Such an amazing thumbnail

There is technically an easy way out of the time problem on the mobile platform: since most mobile devices have satellite positioning system like GPS, your software can require either an Internet connection (for NTP to a trusted server, preferably over a VPN for added authentication) or a GPS fix (for GPS-based time.) Also if you are building an authenticated local NTP server, GPS can also work as a trusted time source. If you want to make sure your GPS receiver is not tied to just USAF, you can use quad-band GNSS modules that can receive and process signals of GPS, Galileo (EU,) GLONASS (Russia) and Beidou (China) systems at the same time. Such a system would only fall out of trustworthiness when the nuclear powers of the world are at war against each other.

Firefox behave oddly when you change system time. Sites still work and show a valid certificate even when by system time it should be expired, so it seems to be doing a check with a remote server. However when you view the certificate it says that it's invalid.

What if you run a "test for," that will compare the last minute to the next minute, and if there is more than a % of the time then the program will subtract the between time and keep running the game as if no time had passed between that time jump. Ex: 12:00 -> 12:01 -> 12:02 -> 7:30 -> 7:31 (the program subtracts 7 hours and 28 minutes of in-game time and then runs as normal.)

The mobile game Battle Cats seems to handle the issue very well, at least on a surface level. If the player changes system time, the game stops all time related calculations (mainly energy for playing stages) for about a day. I dont know howhever if cheaters found any way of bypassing that

Oh no did I see NIST? If I’ve learned anything from FTCs, it’s never trust the NSA... ecc bad

This comment is coming from the future

this channel is fucking lit for anyone interested in comp sci