Home » Data Protection » Network Security

Right on Time? The Security Implications of the Humble Computer Clock

If your company's computer clocks aren't in sync, forensics, backups, and much more can suffer. Simson Garfinkel on getting the time right.

Microsoft and Apple both operate their own time servers and the names of these time servers are built in to their respective operating systems. MacOS, for example, will use the sever "time.apple.com" in North America. Many universities and businesses operate their own time servers as well: Using a local server can both give you more accurate time (because there is less network delay) and can cut down on network traffic from your organization. If you want to run a local time server, you can get the time from one of the public NTP servers operated by the NTP Pool Project (www.pool.ntp.org). In January 2009, there were more than 1,734 public servers operated around the globe, mostly in Europe and the U.S. There are detailed instructions on the website for configuring most operating systems to have accurate time.

Ironically, most of the time servers on the Internet get their time from other time servers. But NTP also has support for so-called "stratum-0" time devices, which get their time reference from one of the agreed-upon time standards. These stratum-0 devices connect to stratum-1 servers on the Internet. Servers that get their time from stratum-1 servers are called stratum-2 servers, and so on. When I wrote this article, "time.apple .com" was actually four separate stratum-2 servers, which presumably connect to other stratum-1 servers inside Apple.

If you are paying attention closely, something about the previous paragraph should have troubled you—that bit about "agreed-upon time standards," with emphasis on the plural. Although it seems like there should only be one time standard, sadly there are multiple ones. The official U.S. time is operated collaboratively by the Time and Frequency division of the National Institute of Standards and Technology and the Time Service Department U.S. Naval Observatory. Both of those organizations operate their own highly accurate clocks and compare them once a week; the two clocks are typically within 20 nanoseconds of each other, which is good enough for most applications. The time is available on the Internet, the telephone system and transmitted on three radio stations (WWVB, WWV and WWVH). If you have one of those clocks that sets itself by the radio (or by an "atomic clock"), it's probably listening to WWVB. U.S. Government time is contributed to UTC time, also known as Coordinated Universal Time, GMT (Greenwich Mean Time) or Zulu time.

But there are other time systems out there. For example, there are many low-cost GPS receivers available that will provide the time to your computer. There are also cellular receivers that will pick up the time from Sprint or Verizon, since the CDMA telephone system that those companies use requires accurate time as well. Unfortunately, each of these systems is slightly out of sync with each other, but in practice, this really won't affect you most of the time. (Several years ago I noticed that Sprint's CDMA system in Boston was transmitting a time that was precisely five hours off; it looked like somebody had not properly set the time zone offset. The problem wasn't corrected for several hours.)