Researchers Warn Computer Clocks Can Be Easily Scrambled Via NTP Flaws (networkworld.com)

← Back to Stories (view on slashdot.org)

Researchers Warn Computer Clocks Can Be Easily Scrambled Via NTP Flaws (networkworld.com)

Posted by timothy on Thursday October 22, 2015 @02:25AM from the when-was-that-again dept.

alphadogg writes: Researchers at Boston University said this week that they've found flaws in the Network Time Protocol (NTP), a 30-year-old Internet protocol whose security shortcomings could undermine encrypted communications and even jam up bitcoin transactions. The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy's servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems. There is at least one alternative out there, and reason to use it.

132 comments

Min score:

Reason:

Sort:

Bitcoin! by Anonymous Coward · 2015-10-22 02:31 · Score: 1, Funny

Oh boy not Bitcoin! Save us!
1. Re:Bitcoin! by U2xhc2hkb3QgU3Vja3M · 2015-10-22 03:12 · Score: 1
  
  Dogecoin is seven times more secure to clock changes than Bitcoin.
2. Re:Bitcoin! by Anonymous Coward · 2015-10-22 03:55 · Score: 0
  
  Yeah well my host file is ==> 17 times more secure then any NTP or bitcoin protocol.
  The fact that you losers cannot come up with any alternatives to my host file program which makes systemd look like a bash script shows ====> how superior I am to all of you.
  ~APK
3. Re: Bitcoin! by Anonymous Coward · 2015-10-22 04:28 · Score: 0
  
  No posts about ad-blocking for you to troll today?
4. Re: Bitcoin! by truck_soccer · 2015-10-22 04:38 · Score: 2
  
  I feel that this isn't a real apk post.
5. Re:Bitcoin! by dave420 · 2015-10-22 19:55 · Score: 1
  
  7/10. Nice use of "==>" and bold text, but you didn't include any rambling of how awesome APK is, and he uses a different signature. You also didn't include a P.S. containing the actual message of your post. To really finish this off, you should now stalk me in apparent ignorance of how insane it is.
Most NTP clients I've seen... by Chris+Mattern · 2015-10-22 02:31 · Score: 4, Insightful

have an option for ignoring server updates if the time differential is too great.
1. Re:Most NTP clients I've seen... by Penguinisto · 2015-10-22 02:52 · Score: 4, Insightful
  
  Not only that, but there are loads of other options, the most basic being that you can use your own personal stratum 1 device, and point all your servers to that. Hell, you can even build your own if you're truly paranoid.
  IIRC by default the Windows AD infrastructure has member clients/servers using the Domain Controllers as their local source, and then you only need to re-point the DCs to whatever you want (the registry info documentation for NTP was a bit hinkey as late as Win7/Win2k8, so if you go mucking around in there, do it at your own risk). On the Linux/BSD/*nix side, there's a zillion options to beef up security, and they are drop-easy to enforce with any competent orchestration software (puppet, cfengine, chef, whatever). I only remember the Windows side because a previous employer had a distributed BI system that demanded that all component client devices (a mixture of Windows and Linux) must remain within 5 seconds of each other time-wise (else the whole thing threw an error and stopped).
  Like sibling said though, most sysadmins don't dork around with NTP once they get a time source running - few will set up a local NTP relay of sorts, fewer still will have those sources use at least three different and vastly disparate sources to check against, and very few will set up a local authoritative stratum 1 box.
  Lots of workarounds, and you really only have to set it up right once, with maybe an occasional (as in once-a-year-or-so) review and tuneup of the infrastructure.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
2. Re:Most NTP clients I've seen... by alvinrod · 2015-10-22 02:52 · Score: 1
  
  Couldn't an attacker still exploit the vulnerability by incrementally making small adjustments that fall within the differential though? Just because it can prevent a single large inadvertent mistake doesn't mean it's completely safe.
3. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 03:01 · Score: 0
  
  Distributed Denial of Time Attack?
4. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 03:02 · Score: 1
  
  it's nontrivial in the first place, doing it repeatedly over a period of time would require a focused attacker. and nothing stops a focused attacker.
5. Re: Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 03:06 · Score: 0
  
  aka VCR clock attack.
6. Re:Most NTP clients I've seen... by the_other_chewey · 2015-10-22 03:11 · Score: 3, Informative
  
  That would work if the attackee uses only the attacker's server.
  That's not how NTP is supposed to be used: It is designed to pull
  time from multiple sources, weigh their accuracy/trustworthyness
  over a longer time window against each other (with rather sophisticated
  algorithms), and use the best ones as the time source to follow.
  
  I usually go for 5-6 independent sources (with independent stratum0 masters!):
  some national labs' PPS; GPS; etc. - this doesn't make an attack impossible,
  but it mitigates the "the master time source is wrong" problem. This has
  happend by accident before, so even without considering active attacks, it's
  just the sensible thing to do.
7. Re:Most NTP clients I've seen... by arglebargle_xiv · 2015-10-22 03:26 · Score: 5, Informative
  
  There is at least one alternative out there
  Whoever proposed tlsdate as an alternative to NTP has no idea how either NTP or tlsdate work. What moving to tlsdate is doing is replacing a well-designed clock-synchronisation protocol talking to precise time servers with an opportunistic gimme-whatver-time-you've-got mechanism that returns a one-off estimate of an approximate time on a web server, assuming the server doesn't just set the time field to random bytes as many do. They're totally different things.
  If you're really worried about this, run your own stratum 1 clock and serve NTP off that. If you're worried about the cost of a dedicated NTP server, build it yourself using any number of instructions on the Internet, e.g. these ones.
8. Re:Most NTP clients I've seen... by jabuzz · 2015-10-22 03:31 · Score: 2
  
  An additional idea for a cheap personal stratum 1 device if you happen to live in the reception area of a suitable LW radioclock.
  http://www.buzzard.me.uk/jonat...
  Had my own personal dual source (MSF/DF77) stratum 1 time server for over a decade now.
9. Re:Most NTP clients I've seen... by drinkypoo · 2015-10-22 03:45 · Score: 1
  
  Hell, you can even build your own if you're truly paranoid.
  It's a good idea, but the forty euro GPS shield can easily be replaced by a twenty euro GPS board, a NEO-6M. These are also favored for drones because they are teensy tiny and they are smart enough to store configuration settings such that they will wake up, acquire, and start spewing GPS data on their serial port at your chosen baudrate. They also feature a PPS pin. Buy one with a header strip on and you can connect it to the Pi without soldering. Plus, they are useful for other projects if you decide to replace your R-Pi with something else down the road, because they are so very very tiny.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
10. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 03:58 · Score: 0
  
  When synchronizing with several servers - a minimum of 3 is recommended - the official NTP client will discard the haywire time source automatically.
11. Re: Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 04:06 · Score: 0
  
  OH NO JIM
  The server is blinking 12:00 in red LED. We missed our recording of Cheers!
12. Re:Most NTP clients I've seen... by Technician · 2015-10-22 04:18 · Score: 3, Informative
  
  Many devices such as tablets and cell phones contain GPS, another hard to spoof time source. Multi factor authentication checking NTP, Cell tower time, and GPS would make a very robust system that could detect tampering. On an IMSI catcher, Time wrong, GPS time difference would catch it. NTP spoof, Cell and GPS mismatch would catch it. Local area GPS spoof, Cell and NTP would catch it. Targeting a mobile device with 3 factor time authentication + internal clock for 4 factor would be very hard to spoof undetected.
  If you want to roll your own, GPS receiver modules for RC drones are under $20 online. Adding GPS to your NTP corporate servers is not difficult. You can protect your network with a little hardware and software.
  
  --
  The truth shall set you free!
13. Re:Most NTP clients I've seen... by idontgno · 2015-10-22 04:48 · Score: 2
  
  That's good advice (it may actually be formal Best Practice for NTP configuration), but does violate Segal's Law:
  
  "A man with a watch knows what time it is. A man with two watches is never sure."
  Which ultimately demonstrates that "a witty saying proves nothing."
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
14. Re:Most NTP clients I've seen... by Aqualung812 · 2015-10-22 06:07 · Score: 2
  
  This is why it pains me when I see two NTP servers setup. You NEVER know which one is right. Having just 1 is better than that.
  To me, the minimum is 4: This gives you n+1, since you need at least 3 clocks to know if the time is right, and NTP will actually play ball with this logic: It will first look to see if 1 of the 3 are way off and exclude it, then it will sync time from the clock that is the lowest stratum and most stable.
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
15. Re:Most NTP clients I've seen... by vtcodger · 2015-10-22 06:45 · Score: 1
  
  Besides which, doesn't IBM have a patent on inaccurate computer clocks? Tromp on that and you'll probably find them suing you for your car, home, savings, and first born son.
  
  --
  You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
16. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 07:04 · Score: 0
  
  Also another way of keeping time is by the oscillation of AC power.
  80s electronics such as VCRs and AC powered wall clocks did this. On top of that regulate the supply like a UPS.
17. Re:Most NTP clients I've seen... by angel'o'sphere · 2015-10-22 07:58 · Score: 1
  
  They can have my first born son! But they never get my Sun!
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
18. Re: Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 09:05 · Score: 0
  
  Agreed!
  Tolerate stinks which is why it has been ignored since it was made.
19. Re:Most NTP clients I've seen... by rthille · 2015-10-22 09:36 · Score: 1
  
  Yes, and if you read the article, you'll see they found ways around them.
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
20. Re:Most NTP clients I've seen... by Cramer · 2015-10-22 10:06 · Score: 1
  
  AC power is NOT precise. Install a logger and you'll see just how much it varies throughout the day.
21. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 10:11 · Score: 0
  
  This is why it pains me when I see two NTP servers setup. You NEVER know which one is right. Having just 1 is better than that.
  To me, the minimum is 4: This gives you n+1, since you need at least 3 clocks to know if the time is right, and NTP will actually play ball with this logic: It will first look to see if 1 of the 3 are way off and exclude it, then it will sync time from the clock that is the lowest stratum and most stable.
  Isn't that just like the old Chinese Proverb - "Man who wears two watches never knows what time it is." This is valuable advice. If you have 2 sources, you really have no idea what time it is. Well done, sir.
22. Re:Most NTP clients I've seen... by metrix007 · 2015-10-22 11:25 · Score: 1
  
  How is GPS a time source?
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
23. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 12:40 · Score: 0
  
  It's not that simple. The short-term stability may be bad, but the long-term stability is actually very good. This is monitored continously (in Laufenburg, Switzerland, if you live anywhere near me) and adjusted such that the average frequency is exactly 50 Hz if you measure it over a sufficiently long period of time.
24. Re:Most NTP clients I've seen... by pipedwho · 2015-10-22 12:46 · Score: 1
  
  In the short term they may seem all over the place, but the AC frequency is accurate when averaged over the entire day.
  In the '60s, '70s, '80s the wall clocks in schools and other public places were simple AC motors. In the absence of a loss of power, those clocks were accurate to with a few seconds over a year. Even our old AC powered kitchen clock kept perfect time.
  These days, you can't even trust a wall clock to be accurate to within a few minutes.
25. Re:Most NTP clients I've seen... by jroysdon · 2015-10-22 12:50 · Score: 1
  
  GPS Time
  "The GPS system allows a maximum of 32 satellites around the earth which each transmit their own position and time on a regular interval to the earth."
26. Re:Most NTP clients I've seen... by mikael · 2015-10-22 13:55 · Score: 1
  
  Each GPS satellite transmits a time code along with its ID number. When the receiver is able to locate a signal from four or more satellites, it can determine the distances to those satellites. Some simple spherical trigonometry allows the latitude, longitude and altitude to be calculated for the receiver.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
27. Re:Most NTP clients I've seen... by dbIII · 2015-10-22 14:04 · Score: 1
  
  And/or get their time from a few sources.
28. Re:Most NTP clients I've seen... by Anonymous Coward · 2015-10-22 16:03 · Score: 0
  
  Radio clocks lose something like 1 second for every 300km from transmission and are affected by weather and atmospheric conditions. They are a convenience for things like travel alarm or car radios but it's pretty silly to hook one up to a internet connected device where much more accurate time sources are available.
29. Re: Most NTP clients I've seen... by jabuzz · 2015-10-22 21:37 · Score: 1
  
  The idea that LW clocks lose 1s for every 300km is a laughable. I have two in operation one MSF and the other DCF77, the difference in the distances from me is well over 300km, more like 1000km. I have a decade of data showing them to be milliseconds apart. Sure GPS is better, but multiple sources are better still, and a lw radiology is better than some random time-served on the Internet; again I have a decade of data to prove that.
30. Re:Most NTP clients I've seen... by Technician · 2015-10-23 08:55 · Score: 2
  
  Many GPS receivers will output a very accurate 1 sec tic. I've used this to check for multipath drift from WWV in maintaining a cesium beam atomic clock in one installation. The time standards were used to callibrate RF equipment to NIST standards. Multi source verification validates source drift and gives the degree of confidence for the certification paperwork. If your tracable standards are accurate to each other with jitter and drift to 8 9's, you can validate equipment as to being within 7 9's. This would mean a 1 MHZ frequency standard could be validated to be between 999,999.9 hz to 1,000,000.1 hz against national standards.
  Multiple calibrated standards would then not hetrodyne with each other more than 1 beat every 10 seconds. Most of the time the max obsurved beat would be less then 1 in 100 seconds.
  http://www.nist.gov/pml/mercur...
  GPS time is locked to a tracable standard along with WWV.
  
  --
  The truth shall set you free!
31. Re:Most NTP clients I've seen... by RockDoctor · 2015-10-23 22:12 · Score: 1
  
  I was about to Google for exactly that. There is this RaspberryPi based solution too : http://www.satsignal.eu/ntp/Ra...
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
32. Re:Most NTP clients I've seen... by RockDoctor · 2015-10-23 22:16 · Score: 1
  
  Adding GPS to your NTP corporate servers is not difficult.
  Adding a window to the server room, or running a GPS antenna cable through the cable trunking to the outside world is likely to be the harder part of the process. PARTICULARLY if you have anything resembling Management Of Change procedures for your physical cabling.
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
33. Re:Most NTP clients I've seen... by RockDoctor · 2015-10-23 22:20 · Score: 1
  
  As I routinely say to my trainees.
  "One measurement is a datum. Two measurements is a disagreement. Three measurements is a majority opinion. Four measurements is statistics."
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Authenticated NTP? by sinij · 2015-10-22 02:32 · Score: 2

RFC 5906
1. Re:Authenticated NTP? by Anonymous Coward · 2015-10-22 02:38 · Score: 0
  
  RFC stands for request for COMMENTS. What the fuck good is a comment going to do? Except this one to STRAIGHTEN your DUM ASS up. Stupid people should not be on the internet.
  Obvious troll is obvious.
2. Re:Authenticated NTP? by halivar · 2015-10-22 02:41 · Score: 4, Funny
  
  Once an RFC is adopted by IETF (as the linked RFC is), it becomes a standard. Bro, do you even internet?
3. Re:Authenticated NTP? by WaffleMonster · 2015-10-22 05:21 · Score: 1
  
  What a great idea let every protocol invent its own crappy little authentication scheme.
4. Re:Authenticated NTP? by WaffleMonster · 2015-10-22 05:27 · Score: 2
  
  Once an RFC is adopted by IETF (as the linked RFC is), it becomes a standard. Bro, do you even internet?
  Most RFCs are standards only in the minds of their authors.
5. Re:Authenticated NTP? by pipedwho · 2015-10-22 12:52 · Score: 1
  
  Different protocols have different requirements; especially something as time sensitive as NTP.
  Treating security with a 'one size fits all' approach is never a good idea.
6. Re:Authenticated NTP? by WaffleMonster · 2015-10-23 19:00 · Score: 1
  
  Different protocols have different requirements; especially something as time sensitive as NTP.
  DTLS adds no latency over UDP for purpose of time synchronization.
  
  Treating security with a 'one size fits all' approach is never a good idea.
  Unless it actually fits then its a great idea.
Re:Most users I've seen... by Anonymous Coward · 2015-10-22 02:35 · Score: 4, Insightful

don't screw around with options once they get the thing initially functioning.
not really by Anonymous Coward · 2015-10-22 02:45 · Score: 0

NTP is a protocol for synchronizing your clock with another clock. It's not the protocol's fault if you choose a dumb clock to synchronize with, and if the resulting time ends up causing problems with your system.
1. Re:not really by KGIII · 2015-10-22 08:01 · Score: 1
  
  I also recall that there's like one person, and he's ancient, maintaining the package. He basically controls the keys. Fortunately, he's good and smart but he's pretty much the definition of the bus problem.
  
  --
  "So long and thanks for all the fish."
2. Re:not really by fisted · 2015-10-22 10:02 · Score: 1
  
  What "the package"? This about a specification.
  
  --
  CLI paste? paste.pr0.tips!
3. Re:not really by KGIII · 2015-10-22 10:10 · Score: 1
  
  IIRC he was maintaining the package for Linux/Unix and not the specs. 'Twas a /. article like a month or so ago. Obviously, I didn't RTFA. I'm no heretic.
  
  --
  "So long and thanks for all the fish."
4. Re:not really by fisted · 2015-10-22 10:24 · Score: 1
  
  Fortunately "the package" it isn't the only ntp implementation, so there's no bus problem.
  
  --
  CLI paste? paste.pr0.tips!
5. Re:not really by metrix007 · 2015-10-22 11:27 · Score: 1
  
  You're not a heretic, just the next hairyfeet. God I'm sick of reading your bullshit anecdotes that never contribute anything.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
Quick! Stop using NTP! by Anonymous Coward · 2015-10-22 02:45 · Score: 0

Because fenceposting, drifting time that's as accurate as asking someone who glances at their watch (kids, look that up) is what everyone needs!
Eric Raymond rewrite by hgriggs · 2015-10-22 02:45 · Score: 2

Isn't Eric Raymond in the middle of a major rewrite of the NTP software, with emphasis on security?
1. Re:Eric Raymond rewrite by 0123456 · 2015-10-22 02:57 · Score: 4, Funny
  
  Isn't Eric Raymond in the middle of a major rewrite of the NTP software, with emphasis on security?
  I heard it was going to become part of systemd.
2. Re:Eric Raymond rewrite by Penguinisto · 2015-10-22 02:58 · Score: 2
  
  No, but he and someone else are working to improve it a little, IIRC
  OTOH, this guy maintains it
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
3. Re:Eric Raymond rewrite by Anonymous Coward · 2015-10-22 03:00 · Score: 1
  
  Yes, it is called ntpsec:
  http://www.ntpsec.org/
  http://esr.ibiblio.org/?p=6820
  http://esr.ibiblio.org/?p=6846
4. Re:Eric Raymond rewrite by Bengie · 2015-10-22 03:22 · Score: 3, Informative
  
  OpenNTP uses a pool of HTTPS servers to do basic sanity checks against the NTP time. It does a kind of simple NTP using TLS, then uses NTP against your time servers. If the NTP time is too far off from the TLS time, it rejects it. Pretty much all of the practical security of NTPSEC without all of the accuracy reducing overhead.
5. Re:Eric Raymond rewrite by QuietLagoon · 2015-10-22 03:40 · Score: 2
  
  Isn't Eric Raymond in the middle of a major rewrite of the NTP software, with emphasis on security?
  You're probably thinking of ntimed.
6. Re:Eric Raymond rewrite by NotInHere · 2015-10-22 04:07 · Score: 3, Funny
  
  Time synchronisation is in systemd already:
  http://lists.freedesktop.org/a...
  And it uses SNTP, not NTP.
7. Re:Eric Raymond rewrite by Anonymous Coward · 2015-10-22 05:27 · Score: 0
  
  The official NTP client allows for multiple sync time sources and will elect only those that are in approximate agreement, automatically discarding bad time sources.
8. Re:Eric Raymond rewrite by theendlessnow · 2015-10-22 05:58 · Score: 1
  
  Isn't Eric Raymond in the middle of a major rewrite of the NTP software, with emphasis on security?
  I heard it was going to become part of systemd.
  Doubtful, unless you're talking about fetchd?
9. Re:Eric Raymond rewrite by chihowa · 2015-10-22 08:57 · Score: 1
  
  Those consumed by hubris will continually reinvent what already exists, poorly.
  "Scrambling" an SNTP client's clock doesn't require this exploit because SNTP doesn't retain any state (and all the complexities that come from that). The systemd time sync client is especially naive, even for SNTP.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Experience Y2K Again...and again... and again... by xystren · 2015-10-22 02:46 · Score: 1

How fun! Now we can advance right past the next Y2K type bug...
And around and around we go... by Anonymous Coward · 2015-10-22 02:51 · Score: 1

Researchers warn [X] is unsafe.
"We should replace [X] with [Y]!"
Later:
Researchers warn [Y] is unsafe.
Can we, like, audit something rather that just keep replacing things and letting the users figure out which new ones were broken? Maybe the researchers could take a look at [Y] and make sure that's working before we switch it out?
I have seen this in action already by Anonymous Coward · 2015-10-22 02:54 · Score: 0

Yesterday I dared venture to reddit.com and the stories all said they were posted 30 years ago. Great Scott, I'm not sure what could have happened. Their nptds must have been off by several jigawatts.
Ob by Hognoxious · 2015-10-22 02:56 · Score: 4, Funny

systemd automatically knows what time it is, but it'll only tell you in binary.

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
1. Re:Ob by bobbied · 2015-10-22 04:17 · Score: 1
  
  Is that true or false?
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:Ob by Dog-Cow · 2015-10-22 04:55 · Score: 2
  
  Yes.
3. Re:Ob by bobbied · 2015-10-22 05:06 · Score: 1
  
  There you go, using that fuzzy logic again...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
NOPE by Anonymous Coward · 2015-10-22 02:58 · Score: 0

Once an RFC is adopted by IETF (as the linked RFC is), it becomes a standard. Bro, do you even internet?
Not so fast son. RFC 1796 - Not All RFCs are Standards .
RFC becomes standard provided, it's been put on standards track. As you can observe from above RFC 1796 it's status is Informational ie. it's not standard.
1. Re:NOPE by Anonymous Coward · 2015-10-22 04:53 · Score: 0
  
  Give up. You were an ignorant ass that attempted to make others look like ignorant asses on a site filled with tens of thousands of veteran technology professionals. Trying to pick a different argument and failing at that* wont help your ego any.
  *For the freshman in the crowd, there are two types of standards: official and ad-hoc. Industry does not give two shits about which one it is so long as everybody plays nice until it can be formalized. See the decades of history making products months to years before the standard is finalized for details. If an RFC isn't chosen to be a standard from the start yet still becomes a standard later, well who the fuck cares what its status is. Welcome to the real world where even standards are informal.
2. Re: NOPE by Anonymous Coward · 2015-10-22 05:19 · Score: 0
  
  That's what makes standards so wonderful. There are so many to choose from.
3. Re:NOPE by Anonymous Coward · 2015-10-22 07:22 · Score: 0
  
  Give up. You were an ignorant ass that attempted to make others look like ignorant asses on a site filled with tens of thousands of veteran technology professionals. Trying to pick a different argument and failing at that* wont help your ego any.
  I have nothing to give up, but you should really read that RFC 1796 "Not All RFCs Are Standards" chapter, to understand that claim all RFC's are standard -- No they aren't and anyone claiming that has misunderstood things badly. RFC's are publication channel of the bodies mentioned in that RFC 1796 chapter.
  Rest of the crap you wrote doesn't preserve even commenting.
4. Re:NOPE by AK+Marc · 2015-10-22 08:38 · Score: 1
  
  So the RFC that defines "standard" isn't a standard? But you didn't mention whether 5906 was a standard.
  
  Put the crack down and try again.
  
  --
  Learn to love Alaska
So design things to not require synced clocks. by tlambert · 2015-10-22 03:00 · Score: 4, Interesting

So design things to not require synced clocks.
It's not like you couldn't include your idea of your local time (whatever it is) in your NFS requests, and then have the server take its idea of its local time, generate a delta, and apply that to all the timestamps that you are trying to set on a file. Or conversely, when you do a stat, the server could include its idea of the local time, the client could use that to generate a delta vs. its own idea of local time, and apply that delta to the time being reported up from the kernel to user space.
The whole idea of having to synchronize clocks between machines is rather moronic. When you have a billion mechanical computers wandering around in your body with robot bodies to e.g. fight a nasty cancer, do you really think there's going to be enough spare CPU cycles, RAM, or communications bandwidth for them to run NTP requests around to each other?
I recently fielded a request from someone who was building an embedded device; the trick was, it was going to be pre-programmed, then deployed everywhere, and not have local time beacons (i.e. it couldn't access local beacons, such as local cell towers, which send out "time is now" broadcasts). The question was: "How do I sync the time to the local time?".
My response was "Why?".
The reason finally boiled down to wanting to put the time in log files, and to display it on an LCD.
There was no reason for either of these: if the devices are Internet connected, just grab an HTTP header by hitting a known HTTP server, and log in UTC, since the time in the header will be reported as a UTC time + a zone delta. For the display: why the hell do you need to display the time on the small LCD? Because it was the only neutral thing he could think of to display on the LCD. "Can't I just look at my watch/iPhone/VCR/microwave/refrigerator/dishwasher/clock? Or just display it in UTC? Or display a PacMan animation instead of a clock?". "I guess so".
Problem solved with no need to sync clocks.
Non-synchronized clocks are only a problem if you let them be a problem/make them a problem.
1. Re:So design things to not require synced clocks. by UnknowingFool · 2015-10-22 03:24 · Score: 3, Interesting
  
  So design things to not require synced clocks.
  Practically all of modern humanity requires clocks so I'm not sure how we can design modern life without clocks.
  
  The whole idea of having to synchronize clocks between machines is rather moronic.
  Synchronizing clocks is necessary because clocks drift. Clocks have always drifted since the dawn of humanity. Humans have been able to make clocks that are more accurate but unless you want every machine to have an atomic clock built-in, synchronizing is one way to ensure they all agree.
  
  When you have a billion mechanical computers wandering around in your body with robot bodies to e.g. fight a nasty cancer, do you really think there's going to be enough spare CPU cycles, RAM, or communications bandwidth for them to run NTP requests around to each other?
  Um we are not talking about nanobots in the future. We are talking about today and servers: servers that run everything from email to shopping to banking. They all rely on correct clocks
  
  There was no reason for either of these: if the devices are Internet connected, just grab an HTTP header by hitting a known HTTP server, and log in UTC, since the time in the header will be reported as a UTC time + a zone delta.
  
  And how can your ensure that the web server that was hit has the correct time? That web server used an NTP server somewhere.
  
  Problem solved with no need to sync clocks.
  In your one example of an embedded device, you can question whether it needed to sync a clock. For the rest of the world, it is needed. Your sample size of one does not translate to the whole world.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
2. Re: So design things to not require synced clocks. by Anonymous Coward · 2015-10-22 04:38 · Score: 0
  
  The point is, stop designing shit that needs an accurate clock. Sure, it is a requirement for the 0.01% of things that actually truly must have accurate clock synchronization.
  But there is far too much software that supposedly "requires" an accurate clock, but they really don't if the software was redesigned so the accurate clock is not needed.
3. Re:So design things to not require synced clocks. by Anonymous Coward · 2015-10-22 04:51 · Score: 0
  
  The problem with delta's as you describe is how you account for network latency in your delta. Its impossible to tell clock drift from network latency when syncing two clocks in this way.
  Why do you need sync'd clocks? For many many reasons... For example... There is regulation coming in over the next year or so that will require financial institutions to very accurately report on transactions in realtime. These will require AT LEAST millisecond accuracy. Most systems will not consist on single machines, therefore an accurate and sync'd time source is critical.
  Not to mention how time is used by HFT firms to measure latencies between exchanges and their co-located machines. This is why many exchanges will offer a time signal themselves to allow the colocated customers to sync accurately with the exchange time source.
  As someone else mentioned, forensics are also a good case.
  All in all there are more reasons for time sync than not I would say
  Thanks,
  James
4. Re:So design things to not require synced clocks. by Anonymous Coward · 2015-10-22 04:57 · Score: 0
  
  You and your every device should have an independent mechanism to identify the time idea. Christ. It's stupid. You make the same comment every fucking time NTP is mentioned.
5. Re: So design things to not require synced clocks. by UnknowingFool · 2015-10-22 05:00 · Score: 1
  
  That does not stop the requirement for NTP. If we stopped all mobile devices from needing NTP, it does not remove the requirement for servers. There is always the requirement for servers to use NTP or something like it.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
6. Re:So design things to not require synced clocks. by WaffleMonster · 2015-10-22 05:45 · Score: 1
  
  So design things to not require synced clocks.
  What happens when you can't or such a design would be more difficult than a global shared time reference?
  
  It's not like you couldn't include your idea of your local time (whatever it is) in your NFS requests, and then have the server take its idea of its local time, generate a delta, and apply that to all the timestamps that you are trying to set on a file. Or conversely, when you do a stat, the server could include its idea of the local time, the client could use that to generate a delta vs. its own idea of local time, and apply that delta to the time being reported up from the kernel to user space.
  What happens when every system can't just stamp their own "idea of local time" on to an event when it occurs? What happens when every systems "idea of local time" changes over time?
  
  Non-synchronized clocks are only a problem if you let them be a problem/make them a problem.
  Obviously it is best to avoid dependencies which require synchronization where possible. Unfortunately it isn't always possible.
7. Re:So design things to not require synced clocks. by tlambert · 2015-10-22 07:58 · Score: 1
  
  The problem with delta's as you describe is how you account for network latency in your delta. Its impossible to tell clock drift from network latency when syncing two clocks in this way.
  That a fair ask, assuming an asymmetric latency.
  The easy way to handle this is to also send along your delta calculation with your packet as well, so that the other end can compare its delta calculation with your delta calculation.
  Another alternative is to include this information in the establishment of the connection, as part of the encryption startup and the authentication handshake which establishes the credentials authorizing the server operations by the client. Although that would not account for variable latency across connections with long durations, as carrying around the extra delta would.
8. Re:So design things to not require synced clocks. by tlambert · 2015-10-22 08:01 · Score: 1
  
  So design things to not require synced clocks.
  What happens when you can't or such a design would be more difficult than a global shared time reference?
  What happens when every system can't just stamp their own "idea of local time" on to an event when it occurs? What happens when every systems "idea of local time" changes over time?
  
  Non-synchronized clocks are only a problem if you let them be a problem/make them a problem.
  Obviously it is best to avoid dependencies which require synchronization where possible. Unfortunately it isn't always possible.
  In those cases, use NTP. Or use direct tier one information from GPS or cell tower data (if you are OK with the +/- 1 second on the cell tower's idea of the time). Or set the device's idea of local time as part of the handshake establishing the connection with the server (although this last one wouldn't work for mesh networks not communicating with servers).
9. Re:So design things to not require synced clocks. by david_bonn · 2015-10-22 11:43 · Score: 1
  
  Good luck on that.
  Try getting a database spread across multiple servers without good clock sync. Try getting version control + build systems working well over a network without good clock sync.
  It is kind of like having unguarded critical sections in your code. You might get something that works most of the time but you'll be left with mysterious and messy failures that are hard to explain, hard to reproduce, and make you want to gouge your own eyeballs out. I'd rather keep my eyeballs in their sockets where they belong, thank you.
  And most of us are too busy to write our own multi-server database systems that don't require clock sync. When you come out with yours let me know.
10. Re:So design things to not require synced clocks. by dbIII · 2015-10-22 14:19 · Score: 1
  
  Another thing, the Zune with the spectacular leap year bug that meant it would run 365 days a year and not run at all on the last day of a leap year unless the user changed the date. It only had a clock because of some braindead DRM bullshit of having an expiry time on music files. Such a scheme was an afterthought so a clock was needed and put on as an afterthought and not properly tested. Apart from that it didn't need to know what day or even year it was.
11. Re:So design things to not require synced clocks. by Anonymous Coward · 2015-10-22 21:21 · Score: 0
  
  Any multi-server, replicated database that requires synchronized real-time clocks to maintain consistency is inherently broken. A system that lies about consistency is worse than a system that doesn't pretend to be consistent.
  Google's Spanner database, for example, uses high-precision timestamps, but only for optimizing reads other housekeeping chores. Transactions are kept consistent and synchronized using proper consensus protocols (e.g. Paxos).
12. Re:So design things to not require synced clocks. by tlambert · 2015-10-23 09:55 · Score: 1
  
  Any multi-server, replicated database that requires synchronized real-time clocks to maintain consistency is inherently broken. A system that lies about consistency is worse than a system that doesn't pretend to be consistent.
  Google's Spanner database, for example, uses high-precision timestamps, but only for optimizing reads other housekeeping chores. Transactions are kept consistent and synchronized using proper consensus protocols (e.g. Paxos).
  One of the major things that allows this optimization (and I agree, it's merely an optimization, and any data model that doesn't maintain consistency is inherently broken), id that all of the systems on which it as developed and deployed have working TSC's, meaning that they count while in low power states, and they are invariant under "speedboost" style short term clock accelerations, so once you get them synced up, they *stay* synced up. then reading the TSC is practically free.
Not for Windows? by DERoss · 2015-10-22 03:02 · Score: 3, Interesting

It appears to me that all the NTP patches and all the NTP alternatives are for UNIX or Linux systems.
I use SocketWatch on Windows 7 to synchronize my PC clock with external time servers around the world. I have it set to run every hour. It warns me whenever an adjustment to my PC clock is excessive (using my definition of "excessive").
The questions are: How do the reported problems with NTP affect me. Or do those problems only affect time servers?
Yes, I know SocketWatch is no longer being maintained. The developer is going out of business and will soon stop distributing it. As long as it works for me, I hope to keep using it.
1. Re:Not for Windows? by thegarbz · 2015-10-22 03:27 · Score: 1
  
  Hasn't Windows automatically synched time out of the box since the first Lord of the Rings movie was released?
2. Re:Not for Windows? by drinkypoo · 2015-10-22 03:58 · Score: 1
  
  Hasn't Windows automatically synched time out of the box since the first Lord of the Rings movie was released?
  ISTR it's had the feature since Win2k. It's pretty sloppy, though.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:Not for Windows? by Anonymous Coward · 2015-10-22 04:53 · Score: 0
  
  https://en.wikipedia.org/wiki/Network_Time_Protocol#Windows_Time_service
  Basically, 2000/XP used SNTP and later use a more robust implementation but not the full suite. It also aims for a clock skew of 2 seconds, so that way even if the server and client are both off 2 minutes, plus error, in opposite directions, Kerberos will still work with the default 5 minute clock difference allowance.
4. Re:Not for Windows? by DERoss · 2015-10-22 05:18 · Score: 2
  
  The Windows capability to synchronize my PC clock depends on a single time server. The default is Microsoft's own time.windows.com, which is not always up.
  SocketWatch does not tie me to one particular time server the way the Windows capability does. SocketWatch has a list of servers, which I have edited. My list now has over 200 entries. Per my option settings, SocketWatch queries the top five entries from the list hourly, scoring each entry primarily on how quickly the server responds. The server with the best (lowest) score is then used to reset my PC clock. During that process, the servers in the list are sorted according to their latest scores with the lowest score at the top. Thus, a time server that was in the top five but has problems is replaced with a server that has a better score.
  My list includes some stratum 1 servers, which are atomic clocks. Microsoft's time.windows.com is a stratum 2 server, which means it is not a clock but instead is a server that gets its time by synchronizing with stratum 1 servers. Thus, I can get synchronization more accurately than provided by Microsoft's default server.
5. Re:Not for Windows? by thegarbz · 2015-10-22 08:02 · Score: 1
  
  The Windows capability to synchronize my PC clock depends on a single time server.
  time.windows.com is a pool, it's not a single server. The only real risk you have is DNS going down.
  
  My list includes some stratum 1 servers, which are atomic clocks.
  Do you run a small cluster of stratum 2 servers for the express purpose of serving time to hundreds of other machines? If not you have no business syncing to stratum 1 servers. If you have a specific application for a single device that needs a high accuracy clock then why not spend $50 on a GPS unit with which you can sync your way to stratum 1 precision.
6. Re:Not for Windows? by DERoss · 2015-10-22 08:34 · Score: 1
  
  I only use those stratum 1 servers that (a) either serve my geographical area or are worldwide, (b) that have "open access", and (c) do not require me to notify them that I am using them. Also, I only use those stratum 2 servers that meet the same criteria.
  The "Rules of Engagement" state: "There are many scenarios where the above rules may not apply, especially ... clients with intermittent connectivity ..." Given that I disconnect from the Internet whenever I walk away from my PC and I shut down my PC whenever I leave my house or go to sleep, I am indeed a client "with intermittent connectivity".
7. Re:Not for Windows? by Anonymous Coward · 2015-10-22 09:01 · Score: 0
  
  Windows has provided alternatives to the default time.windows.com for sync since at least XP. NIST has been offered since at least 7. It just works, unlike time.windows.
8. Re:Not for Windows? by dbIII · 2015-10-22 14:25 · Score: 1
  
  It's one of many MS Windows products that ask NTP servers for the time. If they go out of business just use another, which may not be quite as good but will be better than the built in MS thing that seems to deliver strange results several times per year.
9. Re:Not for Windows? by Anonymous Coward · 2015-10-22 16:12 · Score: 0
  
  Ignore patches and implementations. We are talking about the protocol.
  Socketwatch uses the NTP protocol. Pretty much EVERYTHING uses the NTP protocol somewhere in the stack, it's just hidden.
OpenBSD's OpenNTPd with constraints by QuietLagoon · 2015-10-22 03:07 · Score: 1

OpenBSD's OpenNTPd with https constraints is mentioned in the Update section of one of the URLs cited in the summary. Constraints use the time in a https header to "constrain" the ntp time to reasonableness.
.
A quick description of OpenNTPd's constraints is here.
Bad Example by mrlinux11 · 2015-10-22 03:11 · Score: 1

This would have been an issue with either time sync protocol since the source clock was changed.
1. Re:Bad Example by bobbied · 2015-10-22 04:21 · Score: 1
  
  How true. Wouldn't it be the fault of the system who accepted a time 12 years in the past and started up without so much as a "Hey, System Administrator! You might want to look at this! Do you really intend to go back 12 years in time here?" I know it wouldn't fix anything because such warnings would likely be ignored anyway, but at least the system Administrator would be to blame then.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Reasons for timestamps by Etherwalk · 2015-10-22 03:12 · Score: 1

...
Problem solved with no need to sync clocks.
Non-synchronized clocks are only a problem if you let them be a problem/make them a problem.
You have to be able to have an accurate time reference because a lot of devices interact with the real world. Logs, audit trails, signals intelligence, even photographs and surveillance cameras are a lot more meaningful if they have timestamps. If you can manipulate timestamps by using a flaw in NTP, then you can have an alibi for... anything.
Synced clocks are necessary by sjbe · 2015-10-22 03:20 · Score: 3, Insightful

So design things to not require synced clocks.
They do when that is a sane thing to do. Sometimes a precise notion of time isn't important. But many activities are impossible without a rather precise determination of the time across multiple devices.

It's not like you couldn't include your idea of your local time (whatever it is) in your NFS requests, and then have the server take its idea of its local time, generate a delta, and apply that to all the timestamps that you are trying to set on a file.

The only way to ensure the local time on your clock is correct is to synchronize with another clock. A clock providing arbitrary time stamps is worse than useless. In fact for many activities what you suggest would lead to accidents, fraud and all sorts of confusion.
Any time you have a measuring device where you care about its accuracy you have to compare it to a reference standard. That's why we have highly accurate atomic clocks maintained by standards organizations to calibrate our clocks to.

Non-synchronized clocks are only a problem if you let them be a problem/make them a problem.
Sorry my friend but that's simply not true for a lot of problems.
1. Re:Synced clocks are necessary by tlambert · 2015-10-22 07:52 · Score: 1
  
  They do when that is a sane thing to do. Sometimes a precise notion of time isn't important. But many activities are impossible without a rather precise determination of the time across multiple devices.
  [...]
  The only way to ensure the local time on your clock is correct is to synchronize with another clock. A clock providing arbitrary time stamps is worse than useless. In fact for many activities what you suggest would lead to accidents, fraud and all sorts of confusion.
  Any time you have a measuring device where you care about its accuracy you have to compare it to a reference standard. That's why we have highly accurate atomic clocks maintained by standards organizations to calibrate our clocks to.
  These are reasonable arguments for a UTC time. Which you can get by hitting a known HTTP server, which I've already pointed out.
  These are not reasonable arguments for trying to do NTP from an IoT device, and they are not reasonable arguments for trying to do NTP for most applications.
So long as we're talking about NTPd by QuietLagoon · 2015-10-22 03:22 · Score: 1

Recent Vulnerabilities --- October 2015 NTP Security Vulnerability Announcement (Medium)
Why spend more time fixing than a problem's worth? by Anonymous Coward · 2015-10-22 03:34 · Score: 0

I remember that day in 2012. Less than an hour and I had my work network (fifty workstations, about six servers doing various things) corrected, and it was less than four hours until the Navy fixed their problem and everything was restored back to normal operation.
So, seeing that NTP has been around before 1985 per Wikipedia, but I'll give it credit that I didn't start using it until 1995ish, and I'll even credit the full four hours out even though actual disruption was one hour. Four hours in twenty years. 12 minutes per year of problem time, or about 1 minute down per 3,650 minutes of uptime. 99.9726027397% uptime.
YMMV certainly. But yeah, I think I'll wait until this actually becomes a problem to do anything about it, thanks.
GPS and Tardis by kheldan · 2015-10-22 03:42 · Score: 1

My desktop is updated via a GPS receiver connected to Tardis 2000 so I don't have to use any Internet-connected time server.

--
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
1. Re:GPS and Tardis by bobbied · 2015-10-22 04:25 · Score: 1
  
  Oh man, ditch the windows machine for a Linux box..... But good for you. Most folks won't have the necessary infrastructure to support a GPS based time sync directly, for them NTP, pointing to a server that is based on some time standard like GPS, is a viable solution. For them the problem becomes picking a time server they trust to be right...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:GPS and Tardis by Dog-Cow · 2015-10-22 05:00 · Score: 2
  
  If you're relying on a Tardis for accurate time, you're in for a world of pain.
3. Re:GPS and Tardis by kheldan · 2015-10-22 05:48 · Score: 1
  
  I'm not sure if you're trying to make a Doctor Who joke, or if you don't get what I'm doing, but Tardis 2000 is just what's interpreting the serial data stream from the GPS receiver I'm using.
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Not Again! by truck_soccer · 2015-10-22 03:55 · Score: 1

It's Y2K all over again! Horde the ammo and water! Dig your bunkers a few meters deeper! Gird your loins!?
1. Re:Not Again! by bobbied · 2015-10-22 04:30 · Score: 1
  
  I'm worried about 2038 myself... It's going to make Y2K look like a walk in the park and drop us all back into the dark ages of the 1970's...
  You won't survive without your Fondue pots, plaid bell bottoms, leisure suits and disco moves....
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:Not Again! by truck_soccer · 2015-10-22 04:37 · Score: 1
  
  I have a store room full of baby powder, anxiously awaiting the polyester monstrosity's return.
3. Re:Not Again! by The-Ixian · 2015-10-22 05:35 · Score: 1
  
  Disco Stu will be born anew!
  
  --
  My eyes reflect the stars and a smile lights up my face.
4. Re:Not Again! by Hognoxious · 2015-10-22 05:36 · Score: 1
  
  Horde the ammo and water!
  
  Is their a hoard common this whey?
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
5. Re:Not Again! by truck_soccer · 2015-10-22 05:43 · Score: 1
  
  Damn homophones.
6. Re:Not Again! by Anonymous Coward · 2015-10-22 13:07 · Score: 0
  
  Error: I gridded my loins. Now I can't play tic-tac-toe on them. Please help?
tlsdate isn't a NTP replacement by plcurechax · 2015-10-22 04:30 · Score: 3, Informative

The mentioned TLSdate isn't a NTP replacement.
It openly admits is roughly only good for a <1-5 second accuracy. That's crap. A typical NTP setup can easily maintain ~10-15 millisecond accuracy using public stratum 2 or 3 NTP servers from the Internet.
Sure, tlsdate is a simple, secure rdate replacement, and while many people without precise timing requirements it is good enough, it is simply not suitable for a huge range of applications that are time sensitive, or are timing / synchronization critical.
1. Re:tlsdate isn't a NTP replacement by The-Ixian · 2015-10-22 04:59 · Score: 2
  
  Not only that but:
  TLS 1.3 and tlsdate
  In the upcoming version of TLS, tlsdate might not function anymore.
  
  --
  My eyes reflect the stars and a smile lights up my face.
Clocks by Alypius · 2015-10-22 04:32 · Score: 1

"Researchers Warn Computer Clocks Can Be Easily Scrambled Via NTP Flaws" But can it be disassembled and put into a briefcase? Clockmed wants to know!
1. Re:Clocks by __aaclcg7560 · 2015-10-22 05:09 · Score: 1
  
  Depends on my eggs you want to break.
Give up? by Anonymous Coward · 2015-10-22 05:41 · Score: 0

Says the loser.
This particular RFC has this status:
Status: Rejected (1)
But also notice this request for comments is not used or even cited but by this one person - who probably wrote the thing (how many times now?).
INFORMATIONAL
Errata Exist
Internet Engineering Task Force(IETF)
Request for Comments: 5906
Category: Informational
B. Haberman, Ed.
D. Mills
ISSN: 2070-1721
U. Delaware
June 2010
You see! by Anonymous Coward · 2015-10-22 05:57 · Score: 0

I told you the Y2K thing was real!!
"...rolled back their clocks 12 years, deciding it was the year 2000."
1. Re:You see! by Anonymous Coward · 2015-10-22 07:10 · Score: 0
  
  Wow that’s almost 15 years!
  wait...
overblown by Anonymous Coward · 2015-10-22 06:31 · Score: 0

Yes, this can happen if one is an idiot and does not set up their not properly. Simply use an app that sets a maximum amount of time that the clock can be shifted. I don't allow my network to be altered more than 5 minutes as the time check is implemented daily and their is no good reason why a clock would be off by even this amount.
Are 3D Printers affected?? by trevc · 2015-10-22 07:23 · Score: 1

Need to know..
Computer Clocks used to be scrambled via NTP flaws by nickweller · 2015-10-22 08:33 · Score: 1

"Researchers at Boston University said this week that they've found flaws in the Network Time Protocol (NTP)" .. and it's been patched already ..

'We thank the Network Time Foundation, NTPsec, Cisco, and RedHat's security team for quickly issuing patches for various issues described in this work'
Rubbish! by Anonymous Coward · 2015-10-22 09:28 · Score: 0

The Windows capability to synchronize my PC clock depends on a single time server.
Rubbish! I think you might be solely aware of the GUI. The following command will let you set a list of time servers.
w32tm /config /manualpeerlist:server1,server2,server3 /syncfromflags:manual /update
But, even if you only entered one address in the GUI, the us.pool.ntp.org pool is presently over 800 NTP servers.
There has been absolutely zero need to use any third party time sync system on Windows for over 12 years. It's built in and it works fine, even if you are clueless.