"..., but where does the NTP server get it's time from?" In Europe I think the most common answer is DCF77. It's a long-wave radio signal broadcasted from Germany which signals date and time information since 1973. The signal so easy to receive and decode that you can find building block modules for under 15€ and of cause there is a wide range of ready to use serial and USB versions. My NTP server at home (runnign on a RasPi) still uses an old serial DCF77 receiver I bought for my PC in 1991. The cool thing is that the signal now also carries data from Germans catastrophe warning system as well as a 4 day weather forecast for 60 European regions without the internet :-D
I am a database engineer, and for concensus, the system I make have a general way of seeing time: 1/ the server is always in the right, the client can be slightly in the wrong (by a few seconds or so) 2/ The time is not a date, the time is just a value that will always steadily increase from the server point of view. 3/ You always read data from the past and write data in the present from the client. the server always receive requests of data from the past and send back data from further in the past
@@puffingin2d490 well, that always depends on how accuracy is important for you, in a game like Magikarp jump, a few seconds of accuracy are good enough, in a more complicated system, you sometimes need a much better time resolution, for me it often is near 250ms of accuracy, for other purposes it can go as low as a dozen microseconds, and for science applications, it can go up to nanosecond scale accuracy
@@kingonduty2825 Was no point. IT department was one guy who barely knew computers it felt like. Appstore was removed with the help of a music teacher, but no Google Docs or MS word was installed so they were basically useless
There's a much simpler solution for the games, one that is based on "complexity ~ error susceptibility". If there is no timer implemented stopping us from playing, we couldn't break the timer.
i remember i had this old desktop computer with a dead CMOS battery, i had a demo version of Mixcraft 7 installed and because the system time never updated correctly, i had an unlimited trial period. until my mother set the system time to the correct one and then the trial ended. but a few years after that i bought Mixcraft 8 Home Studio edition on steam. best 20$ ive spent. for the most part.
4:55 If you in can ensure that the user won't close the app, you can simply store a counting variable in memory. Since that's a rare case, your best bet is to store that information in a file that you hide from the user ("hide" by putting it in a folder that's not a popular - whether you create one or use an existing one). Otherwise - you simply have to rely on the device's time, like you said
When your pc didn't have power for a week the time comes from the bios clock and not from NTP -> Power off your pc and unplug your ethernet cable. Reboot your pc and the time is still correct without NTP.
Overall good video, but you say "how does your computer know the time after it has been offline for a week...well you probably know about NTP". Actually, that's not really how this works, and almost all computers use a small battery (on desktops, often a little circular one you can easily find if you take the side panel off) to keep timers running (very low power) even when fully "shut down" (and unplugged), and that's how they keep track...NTP is only synchronized occasionally.
+Mark Polyakov btw. My laptop battery is completely dead today. Have to replace it. But now it also doesn't remember the time :P not every motherboard has an extra battery
I once downloaded a piece of software that only checked if the demo time was out when you launched it, so as long as you didn't close the software, you could keep using it.
It is pretty common to use GPS as time source. BTS towers and ATMs are just glaring examples for that. Also you may want to check your stratum level if it comes to synchronized time on device.
GPS can be spoofed. It's not a software attack, but it can be done even for a moving receiver. It was used to detour cruise ships without anybody noticing it until it was too late.
Sure. The only way of being sure that i am aware of, is buying atomic clock and setting up that as stratum 0 for other devices. And we have one in our lab.
There's a game called Disco Zoo for mobile that does a clever trick to mess with cheaters. It uses your system time, so you can cheat all you want by setting the time ahead, but obviously you will need to know the actual time sooner or later. You will set back the clock to the current time after you are done cheating, but next time you enter the game you get a message: Some of your animals were lost in a time travel incident. I think this is a fun and clever way to set cheaters back, while not requireing server side tracking of time. (Although obviously this system can be improved with calculating the time difference for a penalty of the similar level etc.)
Paper Mario: The Thousand Year Door has similar: there's a lottery minigame you can play once per day. If you adjust the clock forward, the game can't tell (no other time source to compare to), but if you turn it back, the lotto guy will tell you off. Unfortunately it is possible to get bit by that with legit time zone changes too...
The Nintendo DS has an interesting protection against just changing the clock used by the Pokemon games: when you change the system time, another variable is edited by the same amount which reflects an offset of the current time from when the firmware was last cleared. The Pokemon games would save this time offset with the time, and a substantial difference would indicate attempted time travel.
There is quite a simple solution to the matter (for games at least), breakable but not very easily. * Firstly, one rule is that you can never go back in time. * Secondly, most systems have an internal `ticks since boot` which you can hook onto, so you track the time from the moment the app was started onwards with the ticks instead, and when it is out of sinc with the time date of the system, they can be assumed to try to cheat. And then to pack it all up, you do a server request every x seconds just to check up on things from the server side also, but the rest just plays as a `secure prediction`. PS, great video! Very interesting and underestimated topic!
Applications often have to trust user input. To keep them secure programmers have to be conscious about what exactly they are trusting the input *with*, and whether the user is someone who is appropriate to give that trust to. For instance TH-cam trusts me with my own online reputation. It presumably trusts some employees at Google with the ability to delete my comment, but unless it has a bug it does not trust me to be able to delete theirs.
Applications trust my CPU, its not a problem if my CPU skip some conditional jumps and bypass DRM for example... I didn't even alter the executable image, that's not cracking. Qemu works magic !
You can't "just" skew time massively with NTP as a remote attacker. Most NTP clients will refuse to update if there's more than 1000 seconds difference, and slewing is limited in speed. For example, it can take 2000 seconds to move the clock by a single second. The exception to this is when the *client* forcefully sets the clock from cold, for example with ntpdate - an event which a remote attacker could not easily control.
what OS are you talking about? many routers like Mikrotik and also windows systems will auto update to current time via NTP even if they are completely out of sync by years...
Don't forget the cost of all those requests over time as well, from the dev standpoint. One is not much, but if you have 100k players sending hundreds of extra packets every day it adds up quick.
This is quite interesting, I work with some embedded Android systems, a couple of weeks ago I discovered that we had major clock syncing issues, Android refused to auto-adjust the clock. So I have implemented custom time syncing on the systems that uses the server time when syncing with the remote. So every time a request is made the clock is validated and compared to the remote, if it's fallen behind by too much adjusted for timezones, it uses the remote server's time instead. I didn't think of it as an attack vector aswell, so it's really cool to see a video exploring this subject more as it's much more critical than people think it is. Android has a stupid fallback to set the clock to 2011 if it loses track, which means all HTTPS requests will fail because of invalid SSL certificate dates.... You aren't likely to see this on phones though. And yeah, I've used the "set the clock 15min into the future, to skip cooldown" exploit on a bunch of time-based games, sometimes it even works on text-based browser games for some reason....
7:56 I won't tell you I rolled my own atomic clock! :P Joking aside, normal PCs should have RTC included in the motherboard with coin cell battery as backup. The timing operation is low powered enough to be run with the single coin cell, via a 32.768KHz crystal (32768=2^15, which can be divided to 1Hz easily) Newer RTC chips even have integrated extremely accurate TCXO to ensure precision timing.
you can actually roll your own rubidium clock, its not that expensive, you can get as surplus for something about $150. th-cam.com/video/I55uLRRvLCU/w-d-xo.html Someday I'll literally roll your my own atomic clock for cheap.
When you are designing hardware with the anticipation of using time in the firmware, as long as the power limit and other constraints permits build a low power GPS receiver in there. Those modules are cheap enough to be a dime a dozen now, and they give you a good idea what time it is, and the PPS pulses are often also good reference clocks for calibrating internal timers.
3 ปีที่แล้ว
A problem with this was recently discovered with the national COVID-19 wallet app in the Czech Republic. The app is able to load vaccination and testing certificates and display their details, including whether these certificates are valid ways to prove one's eligibility to enter various places. This, however, requires the current time-certificates are valid from a while after the second dose and of course tests are valid only a while after they were performed-and people figured out one can set the system time to make the app show that the certificate is valid. Obviously, the app shows the time frame of the validity of the certificate, but many people who check simply see the green colour and the text "valid" and assume that it's valid.
There's a very simple solution for games: Single player: Who cares? Cheaters aren't hurting anyone else. Multiplayer: You have to be online for a multiplayer game anyway, so you might as well get the time from your server.
Funny thing is the time hack for games is so simple a kid could figure it out. I certainly did and I have no knowledge of hacking or code. I just turn the device time forward. Works for far too many games.
I also figured it out as a teen. Time trial on this software that helps with schoolwork? Hah, I made my PC eternally in the past until I no longer needed those programs. Nowadays alot of those same programs seem to have free student licenses : /
As an embedded software developer working on microgrid systems, I really don't care what time it is, so long as it's correct to the microsecond modulo the current grid frequency's period. If someone with physical access can disconnect the sync input on our machine this would cause a DoS attack, but the same goal can be achieved with a sledgehammer. This is a niche use case, but other embedded systems might get trusted time information from the UART output of satellite navigation modules (assuming GPS jamming isn't part of your threat model, since only nation-state level attackers would risk operating a GPS jammer on the open airwaves). You can also embed a cheap microcontroller with an RTC battery that has strong anti-tampering features, but then you need a trusted synchronization source since quartz crystals go out of whack with extreme temperatures. Ever wondered why your wristwatch never needs adjusting but your old Civic's clock drifts by many minutes during the cold Canadian winter? It's the same reasons tuning forks go out of tune in the freezer. Physics.
Phones usually get their time from incoming calls as well as the internet in case the internet connection has not been set up. When a call is sent to a phone there is a packet of data sent to the phone before it starts ringing. This is true for both landlines and mobile networks. This data contains the number of the caller (if not blocked) and a time/date stamp plus some other data not relevant this discussion. This data was often used by devices like answering machines so that they could keep a record of the time the call was received without having to have a built in clock. I know this because in the late 90's I worked for a company that designed and made an electronic device that let a PC answer the phone and play a WAV file to the caller through the parallel port, we needed it to be cheaper than the then expensive internal modems that could also act as an answering machine, we did not need all the functions of a modem anyway. So, we had to use an IC that was authorised to connect to the phone line and it came with the information on what to expect when a call was received. It was for a guard monitoring system. Guards at a remote site would be able to call in to the system back at the base and give it codes with the touch tone. Instructions had to be relayed to the guards. I was a programmer at the time and wrote the software that monitored the guards as well as answer the calls. It was an interesting project :)
@@adriangodoy4610 That's just plain stupid. It would make way more sense to run by a default time, and then make offsets depending on timezone and daylight saving time. I'm pretty sure Linux defaults to storing the time in UTC, then offsets based off timezone and DST
ez you store the current time in the background, then, if time < than stored time, erase all progress store the time at the start of each countdown and allow timezone changes once a day (or, if possible, query the timezone, not clock info)
Sooo. I just change my timezone back and forth? And don’t change the clock info? Also there are people that travel with more than 1 timezone change aday
well, ok I meant that if you can check the timezone, you could allow changing timezone, but not the time itself, and if you can't check the timezone then allow the hour to be changed like once or twice a day... and ignore the timezone changes
Fun fact: It's possible to find forensic artifacts when someone has been tampering with the time on a windows computer. It's in the system log. Sure, people can wipe the log easily, but that leaves a mark in the new log. Of course, change it in the BIOS and there will be no OS to write to the log, but who goes that far these days?
other one of simplest solution is to make your own time counting process history of the phone that are running in the background. if the process history is (enough) count it as a unit of time, thus a second has occured. It would be completely independent with time.
One way to detect if the user has turned back the system clock: Every time the program starts you can check system time and save it. By comparing the current time with the saved time you have some protection, if time now is before the time of last start up the user is cheating. The weak point is the file containing the last start up time could have been modified by the user as well.
For the main Pokémon games, which run on dedicated gaming hardware, the game can detect the changing of system time, and lock out time-related functions temporarily. I suspect the game is able to read the real-time clock (RTC) values directly, and changing the system time only modifies an offset on top of the RTC. (Some older Pokémon games, that ran on systems that don't have a system clock, came with an RTC inside the game cartridge, and those would ask you to set the wall clock at the start of the game. Certainly Game Freak have thought a lot about this type of vulnerability, which makes its existence in a spinoff game surprising. )
Google also has experimentally made Roughtime, an authenticated time protocol, to replace tldsate, which gets time from HTTPS servers. Edit: TLS (≤1.2) handshake or HTTPS. servers.
the best trick I have for software that expire is creating a VM in the future and freezing it, so every time I need to use the software I start the VM, and because its in the future, it'll never expire. and yes, there are ways to hide the fact you're running inside an hypervisor, but no one checks those
I used to do that all the time in Candy Crush on Android. XD One question I have. If you really need a time clock, how do you make sure that the time you are accessing is correct?
Hey, i want to say Thanks allot. You have changed my life with your Videos. I learn coding (I am not that good) but it is hell of fun :) thanks alot and Keep it up :)
This even works with the new Whatsapp message deletion feature. It normally only allows deleting the message 10 minutes after it has been sent. If you set your clock accordingly you can still delete the messages.
Notice that UTC is always computed after the fact, based on an average between different atomic clocks. This means that your wall clock is always wrong.
What if you run a "test for," that will compare the last minute to the next minute, and if there is more than a % of the time then the program will subtract the between time and keep running the game as if no time had passed between that time jump. Ex: 12:00 -> 12:01 -> 12:02 -> 7:30 -> 7:31 (the program subtracts 7 hours and 28 minutes of in-game time and then runs as normal.)
So timezones are easy. Work in UTC. Let the UI modify display for user. I've worked in places where the way they handled time was consensus. NTP from NIST + FM broadcast from local time station + GPS all concur for example so set the time. Use local TCXOs to maintain time within your closed system. Maintain consensus across TCXOs Use a dice roll to determine if time is verified that "tick". One of the most basic NTP protections is that it will not update large differences, anything more than a few seconds (I forget the actual number) will generally be ignored unless but it's a forced update by a client. It only corrects it by milliseconds usually. So a network attacker attempting to mitm a NTP server and change the time to last week, will likely fail.
From the NTP man page. If the -x option is included on the command line, the clock will never be stepped and only slew corrections will be used. The issues should be carefully explored before deciding to use the -x option. The maximum slew rate possible is limited to 500 parts-per-million (PPM) as a consequence of the correctness principles on which the NTP protocol and algorithm design are based. *As a result, the local clock* *can take a long* *time to converge to an acceptable offset*, *about 2000s for each second the clock is outside the acceptable range*. During this interval the local clock will not be consistent with any other network clock and the system cannot be used for distributed applications that require correctly synchronized network time. Voila attacker will have to wait a considerable time to screw with your ntp server any great degree. 10 minutes difference would take about 14 days to take effect. I thought this was a default thing mind you, hence my first post, didn't realise it was an option that could just not be used.
But where will the game initiate the time. If it again depends on system time, still you can cheat. You should initiate by syncing it to the internet then
@@shakeerhussain9366 the game starts it's time by 0 seconds and from first start/savefile a counter will be running in the background... of course the device has to be on and the program needs the permission to run in background... anyway, this idea is kinda ridiculous ^^
great video as always, intresting topic too i have an idea can you do a video where showing how easy it sounds but how difficult can it be to exploit these attacks? i know i know it is a big request but yeah :)
the comments here defending their choice to trust time are highly concerning... even if you use some sort of super advanced hardware method to get your time, that can always be modified in the memory. fact of the matter is, you can't trust it, point blank, so you have to think of interesting ways to mitigate that. in order to properly mitigate it, without sacrificing user experience, you have to think of really clever ways to capture the point from multiple angles as well as do some data analysis. not infallible, but done correctly it would be more work to fake it than to just do it legitimately.
I think the systems rely on materials like small valuable crystals. Even atomic clocks are known to be useful for operationally running a secured business. It is also a known fact that we get the crystals in our smartphones from Asia.
I can't remember the game, it was a cheesy ftp mmo from the mid to late 00's. I noticed that the time between skill usage was slightly different between different computers. I looked into it and it turned out that it worked off FPS not time and it also turned out that there was no server verification......... Yeah, I quickly became a cheat chr
lots of playtime counters do this too- say the game is 60fps, it just guesses every 60 frames is 1 second, which isn't true if the game lags lol in game timers are not trusted in speed runs most of the time for this reason ;
They don't NEED to connect to the network, but they do it anyway. It's difficult to find systems that wouldn't, mostly because "why not". Your machine has to be connected to the internet for many applications to be useful at all, so the time given by the rest of the internet is a totally reasonable one to use, instead of the local time on your machine.
Firefox behave oddly when you change system time. Sites still work and show a valid certificate even when by system time it should be expired, so it seems to be doing a check with a remote server. However when you view the certificate it says that it's invalid.
There is one bummer for mobile games - really most mobile games here: iOS does not allow the use of GPS time or UMTS time directly inside apps. Those clocks originated from the user's mobile carrier or the GPS satellites are more trustworthy than the user-controllable system time. With those time sources independently available the games can be built to use GPS/UMTS time whenever possible, keep track of the delta between those trustworthy time sources and the system time to allow some offline operation. As of myself my mobile devices are configured to use GPS and UMTS time whenever possible; and computers are configured to use a local Raspberry Pi based NTP server on my home network, which has a GPS module connected to serve GPS time.
"Not to mention that timezones and people who travel and all this crap makes programming time really annoying" I'm glad I always use UTC time. I had a problem with daylight saving once in my business program, been using UTC since then and never went back;
Are these vulnerabilities still applicable if a monotonic clock is used which measures time since epoch? I can understand these being an issue with real-time clocks.
Protip for wannabe PC technicans. Time mismatch can often cause weird results in PCs, like (real life situations of my clients): 1) some pages word, most don't, some partially (CMOS battery died, clock got reseted and without NTP sync all SSL certs weren't valid yet) 2) misorder in instant messaging - both local apps and webapps (often to sort app takes server time for incoming messages + local for outgoing). So, if you all would fix PCs someday - either as a help or as a work - you could include time+date check as one of the first things you do. It won't take much time and clock which is really off might give you very weird results. IMO it's worth to spend 5 seconds on time check than find out hour later that it was the thing that broke something.
Is it a good/secure option using the data base with a date/time field ? (while having prepared data base about SQL injection) I mean you start training your magikarp -> server set a date time -> you're forced to wait datetime >= (last datetime + timer). I'm new, just want to know if it's secure or there's some security failures I didn't know ?
if i remember correctly, fucking with system time in The Sims 2 on Nintendo DS got you abducted by aliens or something :D i just thought maybe "burning" past time (i.e. safely, unalterably storing dates that are safely known to have passed) might alleviate issues with ssl. But then again, this might open up DoS-scenarios where manipulating ntp to be a few years ahead might make any current certs permanently unusable.
Would a locally saved file (in the root partition of the device's memory - for example) record the system time every 5 minutes, and if it observes that the delta between the last two records is > (or
Oiz no? You just account for the time adjustments, in your code. So if there is a time-adjustment on date x and time y, you don't reset his scores in the interval of (x,y) +/- maybe 5 minutes.
Draven Main xd there are multiple things that make such task much more than "*just* account for that in code". Daylight saving times are based on legislation, which varies from place to place, year to year, and sometimes from city to city. There are no constants; no matter how you look at it, time, especially for computers, is an unpredictable thing
for iot applications, i'll suggest user-built/compiled client instead of obscure auto update. at least the server/ user have a way to know if the running program is trustworthy.
8:13 Why not using public keys with algorithms that are time independent? Which can not be manipulated into more or less calculations depending on the input. As such you would share a large public key and send it twice with different time stamps... or whatever needs to be done to sync... but given the fact that we use a network, how do we even sync time in the first place?! To an acceptable degree maybe, but over 100-50ms wouldn't we have to use tons of timestamps transfers with a statistical analysis client side to check for it? Whatever, if we just need a time within the +-1000ms time frame, isn't a simple time independent public key algorithm fine too?
There is technically an easy way out of the time problem on the mobile platform: since most mobile devices have satellite positioning system like GPS, your software can require either an Internet connection (for NTP to a trusted server, preferably over a VPN for added authentication) or a GPS fix (for GPS-based time.) Also if you are building an authenticated local NTP server, GPS can also work as a trusted time source. If you want to make sure your GPS receiver is not tied to just USAF, you can use quad-band GNSS modules that can receive and process signals of GPS, Galileo (EU,) GLONASS (Russia) and Beidou (China) systems at the same time. Such a system would only fall out of trustworthiness when the nuclear powers of the world are at war against each other.
You can not restrict others what they do with their hard and software. DRM and things like that can not work mathematically, without internet connection.
@@happygimp0 DRM is a thing, anti-cheat in online games is another thing. While I am against DRM too, I am perfectly fine with keeping an online game a fair place.
When you have access to the internet, you have the server time, so you don't need the time on the client. If you don't have access to the internet, then you don't have an online game.
@@happygimp0 The whole point here is to tolerate brief network cuts. The server can be put on GPS time using a GPS-based NTP server in the datacenter. Then the mobile end must also run on GPS time if the player want to go offline for short periods of time.
I remember writing a SQL-based tool for comparing sales year over year. Great, it works! All done in less than 10 hours. But shit, we forgot about 29th of February happening every four years! Hence another 150 hours had been sunk into the project rebuilding the whole thing to account for a single 24 hour period. Screw time.
I just always imagined putting a timer logic event nestled in the code of the game based off of app run time although that does come with a specific downside. You can't close the app while the time is ticking down so I guess for most purposes that wouldn't work would it...
You can simply build your own time system whether its countdown , runtime. And whenever the application is closed, change the user database information to the lastest time. This way is will not be possible to edit the memory or manipulate the time. Its very simple.
You might be able to implement it so that the app will not run if your system time < logged app time. It won't prevent the exploit but it will cause inconvenience for those who might want to turn back the clock after exploiting.
its great when im playing a game with my friend thats an hour behind my time zone and daylight savings time ends so for a moment were both at the 1 am when in truth its 2 am for me and 1 am for them
Oh shit, that's old. There was even an old, Windows 95 program, which attached a tiny loader to an exe, which set the system clock to a specific date and time, then started the program and set it back. This was known as "Time crack" Even Microsoft is guilty. I use Visual Studio express 2008. This free version has a time limit and locks after a couple of months until it was registered. Problem, the page is down, you cannot register it anymore. So, I just deleted it's registry, set my date to 2030 started it up, closed it and set my date back. Guess what, it works. I have negative days left and do what I want until I die or have to reformat.
The most important thing about traffic monetization is choosing a good ad network that pays off your traffic investments.. Been looking for the best ones, my profit is currently the highest on MonadPlug ad network.
@7:40 when you say “as I look at NTP packets” and you show a screen and circle the mouse over “port number” that made me wonder if you can tell what protocol is being used by looking at the port number? I think I remember reading somewhere that once a synchronization is established the process' can change the port number. I don't remember why, I want to say the reason is related to security. Sorry for my own poor memory, is anything I'm remembering even true?
For software validation...! You can run a counter in your program, you don't always need to grab the system time......! Like, if the software is going to expire after 30 days.. then set the timer at 0 on the day of installation and run your own timer, and if the timer hits 30 days then do some stuff(whatever you want)....! But if the user turns off the system the timer will stop and will start from the last captured point on restart, right..?? So, grab the time just before the system shut down, and record it in a log file, and again grab the system time just after the system start up and take the difference of both the times and add this time difference to the software timer... So in this case if user changes the system time, it won't effect your timer...!
Hello LiveOverflow. Definitely i like your videos and i am always amaze. Please can you make a video on how you started about hacking and what was your school carrer , your first programming language and a guide for those want to be as strong as you in computer security.
#1 Send a (encrypted?) request to the server to recieve a time update. #2 Meanwhile, check the system time (Does it allow to do the thing? Yes) #3 Let the user do the thing #4 Receive the server time & compare it with system time. #5 If the difference is more than some seconds, then undo the user thing & raise a "sync" (cheating) error. Makes the app responsive while still reasonably secure. (Although I hate games & apps with artificial time limits for actions)
@@Darticus42 An ugly solution is to add a 10 second timeout to receive the answer, if it can't be received add a popup warning that the network connection has been lost and stop the game.
what if the CMOS battery is dead (or your on some hardware that just doenst have one), and thus the time is 1/1/1970 and relies on server to set it whenever it boots?
I clicked, thinking it is a video about relativity.
Haha
General and Special Relativity in Secure System Timing!!!
Lol I clicked after realizing it wasn't 😜
i thought those are used condoms
@@netbin they arent?
"..., but where does the NTP server get it's time from?"
In Europe I think the most common answer is DCF77. It's a long-wave radio signal broadcasted from Germany which signals date and time information since 1973. The signal so easy to receive and decode that you can find building block modules for under 15€ and of cause there is a wide range of ready to use serial and USB versions.
My NTP server at home (runnign on a RasPi) still uses an old serial DCF77 receiver I bought for my PC in 1991.
The cool thing is that the signal now also carries data from Germans catastrophe warning system as well as a 4 day weather forecast for 60 European regions without the internet :-D
another very common source of accurate time is something already in almost every phone: GPS.
+Unreasonable Steev that certainly helps for malicious NTP time changes. But doesn't help with licenses, games etc
Jan Günter that is amazing! Great luck with that!
Sexcellent!
@@kreuner11 The common radio stations most likely get the time they broadcast from the internet, so they are as unreliable as any PC
I am a database engineer, and for concensus, the system I make have a general way of seeing time:
1/ the server is always in the right, the client can be slightly in the wrong (by a few seconds or so)
2/ The time is not a date, the time is just a value that will always steadily increase from the server point of view.
3/ You always read data from the past and write data in the present from the client. the server always receive requests of data from the past and send back data from further in the past
Or use the server time & calculate the time based on timezone of the client which you can extract from the IP address block
@@puffingin2d490 well, that always depends on how accuracy is important for you, in a game like Magikarp jump, a few seconds of accuracy are good enough, in a more complicated system, you sometimes need a much better time resolution, for me it often is near 250ms of accuracy, for other purposes it can go as low as a dozen microseconds, and for science applications, it can go up to nanosecond scale accuracy
Our locked down school ipads had the wrong time on them (they were set to the first jan 2007) so we were unable to access internet
@@kingonduty2825 Was no point. IT department was one guy who barely knew computers it felt like. Appstore was removed with the help of a music teacher, but no Google Docs or MS word was installed so they were basically useless
LiveOverflow: "Don't trust time!"
People who take Psychedelics: "Yeah, obviously."
Haha
People who hate all herbs "Yeah obviously"
Why you are late for work?
Sorry, I just don't trust time
👍
👍
👍
👍
👍
There's a much simpler solution for the games, one that is based on "complexity ~ error susceptibility".
If there is no timer implemented stopping us from playing, we couldn't break the timer.
that is genius
i remember i had this old desktop computer with a dead CMOS battery, i had a demo version of Mixcraft 7 installed and because the system time never updated correctly, i had an unlimited trial period.
until my mother set the system time to the correct one and then the trial ended. but a few years after that i bought Mixcraft 8 Home Studio edition on steam. best 20$ ive spent. for the most part.
4:55 If you in can ensure that the user won't close the app, you can simply store a counting variable in memory.
Since that's a rare case, your best bet is to store that information in a file that you hide from the user ("hide" by putting it in a folder that's not a popular - whether you create one or use an existing one).
Otherwise - you simply have to rely on the device's time, like you said
When your pc didn't have power for a week the time comes from the bios clock and not from NTP -> Power off your pc and unplug your ethernet cable. Reboot your pc and the time is still correct without NTP.
I was shocked that he didn't mention this.
👍
unless you use a rpi, no rtc.
The motherboard has a battery inside, if you take that off time shouldn't be tracked anymore I believe
true, our pc even phone has rtc. keeps tracking time until the battery runs out.
Overall good video, but you say "how does your computer know the time after it has been offline for a week...well you probably know about NTP". Actually, that's not really how this works, and almost all computers use a small battery (on desktops, often a little circular one you can easily find if you take the side panel off) to keep timers running (very low power) even when fully "shut down" (and unplugged), and that's how they keep track...NTP is only synchronized occasionally.
+Mark Polyakov yeah I know about that :) I should have not said that in the video.
wow, fast reply :)
Exactly my thoughts.
+Mark Polyakov btw. My laptop battery is completely dead today. Have to replace it. But now it also doesn't remember the time :P not every motherboard has an extra battery
And I have a raspberry pi, lol
I once downloaded a piece of software that only checked if the demo time was out when you launched it, so as long as you didn't close the software, you could keep using it.
perfect for frozen VM snapshots !
It is pretty common to use GPS as time source. BTS towers and ATMs are just glaring examples for that.
Also you may want to check your stratum level if it comes to synchronized time on device.
GPS can be spoofed. It's not a software attack, but it can be done even for a moving receiver.
It was used to detour cruise ships without anybody noticing it until it was too late.
Sure. The only way of being sure that i am aware of, is buying atomic clock and setting up that as stratum 0 for other devices. And we have one in our lab.
👍
There's a game called Disco Zoo for mobile that does a clever trick to mess with cheaters. It uses your system time, so you can cheat all you want by setting the time ahead, but obviously you will need to know the actual time sooner or later. You will set back the clock to the current time after you are done cheating, but next time you enter the game you get a message: Some of your animals were lost in a time travel incident. I think this is a fun and clever way to set cheaters back, while not requireing server side tracking of time. (Although obviously this system can be improved with calculating the time difference for a penalty of the similar level etc.)
Paper Mario: The Thousand Year Door has similar: there's a lottery minigame you can play once per day. If you adjust the clock forward, the game can't tell (no other time source to compare to), but if you turn it back, the lotto guy will tell you off.
Unfortunately it is possible to get bit by that with legit time zone changes too...
Or you could just ban the people who do it
The Nintendo DS has an interesting protection against just changing the clock used by the Pokemon games: when you change the system time, another variable is edited by the same amount which reflects an offset of the current time from when the firmware was last cleared. The Pokemon games would save this time offset with the time, and a substantial difference would indicate attempted time travel.
"time is complicated"
the Doctor: "yeah, let's talk about it"
There is quite a simple solution to the matter (for games at least), breakable but not very easily.
* Firstly, one rule is that you can never go back in time.
* Secondly, most systems have an internal `ticks since boot` which you can hook onto, so you track the time from the moment the app was started onwards with the ticks instead, and when it is out of sinc with the time date of the system, they can be assumed to try to cheat.
And then to pack it all up, you do a server request every x seconds just to check up on things from the server side also, but the rest just plays as a `secure prediction`.
PS, great video! Very interesting and underestimated topic!
Even if I think i know a subject very well its still nice to see the "meat" you bring to the discussion. I was doing this back in windows 95 :P
Applications often have to trust user input. To keep them secure programmers have to be conscious about what exactly they are trusting the input *with*, and whether the user is someone who is appropriate to give that trust to. For instance TH-cam trusts me with my own online reputation. It presumably trusts some employees at Google with the ability to delete my comment, but unless it has a bug it does not trust me to be able to delete theirs.
Applications trust my CPU, its not a problem if my CPU skip some conditional jumps and bypass DRM for example... I didn't even alter the executable image, that's not cracking. Qemu works magic !
You can't "just" skew time massively with NTP as a remote attacker.
Most NTP clients will refuse to update if there's more than 1000 seconds difference, and slewing is limited in speed. For example, it can take 2000 seconds to move the clock by a single second. The exception to this is when the *client* forcefully sets the clock from cold, for example with ntpdate - an event which a remote attacker could not easily control.
what OS are you talking about? many routers like Mikrotik and also windows systems will auto update to current time via NTP even if they are completely out of sync by years...
@@oldbootz probably something *nix since he mentioned ntpdate-
fantastic video -- the quality of what you makes visibly, AND quickly seems to be going up ... or my clock's running fast ... who knows ...
Don't forget the cost of all those requests over time as well, from the dev standpoint. One is not much, but if you have 100k players sending hundreds of extra packets every day it adds up quick.
wow! this is mind boggling.
so important and yet it's (potentially) flawed.
This is quite interesting, I work with some embedded Android systems, a couple of weeks ago I discovered that we had major clock syncing issues, Android refused to auto-adjust the clock. So I have implemented custom time syncing on the systems that uses the server time when syncing with the remote. So every time a request is made the clock is validated and compared to the remote, if it's fallen behind by too much adjusted for timezones, it uses the remote server's time instead. I didn't think of it as an attack vector aswell, so it's really cool to see a video exploring this subject more as it's much more critical than people think it is.
Android has a stupid fallback to set the clock to 2011 if it loses track, which means all HTTPS requests will fail because of invalid SSL certificate dates.... You aren't likely to see this on phones though.
And yeah, I've used the "set the clock 15min into the future, to skip cooldown" exploit on a bunch of time-based games, sometimes it even works on text-based browser games for some reason....
7:56 I won't tell you I rolled my own atomic clock! :P
Joking aside, normal PCs should have RTC included in the motherboard with coin cell battery as backup.
The timing operation is low powered enough to be run with the single coin cell, via a 32.768KHz crystal (32768=2^15, which can be divided to 1Hz easily)
Newer RTC chips even have integrated extremely accurate TCXO to ensure precision timing.
you can actually roll your own rubidium clock, its not that expensive, you can get as surplus for something about $150. th-cam.com/video/I55uLRRvLCU/w-d-xo.html
Someday I'll literally roll your my own atomic clock for cheap.
When you are designing hardware with the anticipation of using time in the firmware, as long as the power limit and other constraints permits build a low power GPS receiver in there. Those modules are cheap enough to be a dime a dozen now, and they give you a good idea what time it is, and the PPS pulses are often also good reference clocks for calibrating internal timers.
A problem with this was recently discovered with the national COVID-19 wallet app in the Czech Republic. The app is able to load vaccination and testing certificates and display their details, including whether these certificates are valid ways to prove one's eligibility to enter various places. This, however, requires the current time-certificates are valid from a while after the second dose and of course tests are valid only a while after they were performed-and people figured out one can set the system time to make the app show that the certificate is valid. Obviously, the app shows the time frame of the validity of the certificate, but many people who check simply see the green colour and the text "valid" and assume that it's valid.
There's a very simple solution for games:
Single player: Who cares? Cheaters aren't hurting anyone else.
Multiplayer: You have to be online for a multiplayer game anyway, so you might as well get the time from your server.
Except single player games which offer real money microtransactions to skip timers..
@@moversti92 you still have to be online to purchase....
@@moversti92 don't help them protect that filth. xD
thats basically the "Not my threat model"™ thing he said around 9:20 lol
i did this in my phone 7 years ago and this what introduced me to game development today
I'm not much in programming but your videos are so interesting. I would never suppose that my time on computer might be so complicated!
This comment is coming from the future
5 months ago... maybe im from th future future... :P
your time is glitching... it has to be 6 months from now xD
I know how he did that!
This is.
@@chrisgamer7144 This is.
Funny thing is the time hack for games is so simple a kid could figure it out. I certainly did and I have no knowledge of hacking or code. I just turn the device time forward. Works for far too many games.
I also figured it out as a teen. Time trial on this software that helps with schoolwork? Hah, I made my PC eternally in the past until I no longer needed those programs. Nowadays alot of those same programs seem to have free student licenses : /
As an embedded software developer working on microgrid systems, I really don't care what time it is, so long as it's correct to the microsecond modulo the current grid frequency's period. If someone with physical access can disconnect the sync input on our machine this would cause a DoS attack, but the same goal can be achieved with a sledgehammer.
This is a niche use case, but other embedded systems might get trusted time information from the UART output of satellite navigation modules (assuming GPS jamming isn't part of your threat model, since only nation-state level attackers would risk operating a GPS jammer on the open airwaves). You can also embed a cheap microcontroller with an RTC battery that has strong anti-tampering features, but then you need a trusted synchronization source since quartz crystals go out of whack with extreme temperatures. Ever wondered why your wristwatch never needs adjusting but your old Civic's clock drifts by many minutes during the cold Canadian winter? It's the same reasons tuning forks go out of tune in the freezer. Physics.
9:00 when I saw IoT, I chuckled, IoT and security do rarely go together well
Phones usually get their time from incoming calls as well as the internet in case the internet connection has not been set up. When a call is sent to a phone there is a packet of data sent to the phone before it starts ringing. This is true for both landlines and mobile networks. This data contains the number of the caller (if not blocked) and a time/date stamp plus some other data not relevant this discussion. This data was often used by devices like answering machines so that they could keep a record of the time the call was received without having to have a built in clock. I know this because in the late 90's I worked for a company that designed and made an electronic device that let a PC answer the phone and play a WAV file to the caller through the parallel port, we needed it to be cheaper than the then expensive internal modems that could also act as an answering machine, we did not need all the functions of a modem anyway. So, we had to use an IC that was authorised to connect to the phone line and it came with the information on what to expect when a call was received. It was for a guard monitoring system. Guards at a remote site would be able to call in to the system back at the base and give it codes with the touch tone. Instructions had to be relayed to the guards. I was a programmer at the time and wrote the software that monitored the guards as well as answer the calls. It was an interesting project :)
My grandad had an issue that he couldn't browse the web on his iPad because it was a year or two in the future to skip the wait times on Candy Crush.
Don't forget daylight savings time!
I have a strong feeling DST just makes an offset in the displayed time, so it doesn't mess with time reliant programs
@@adriangodoy4610 That's just plain stupid. It would make way more sense to run by a default time, and then make offsets depending on timezone and daylight saving time.
I'm pretty sure Linux defaults to storing the time in UTC, then offsets based off timezone and DST
It make me rise an hour early
@@JeppeBeier who
@@realcartoongirl Who what?
Time constantly progresses so technically, we're all time travellers. Great video!
ez
you store the current time in the background, then, if time < than stored time, erase all progress
store the time at the start of each countdown
and allow timezone changes once a day (or, if possible, query the timezone, not clock info)
Sooo. I just change my timezone back and forth? And don’t change the clock info?
Also there are people that travel with more than 1 timezone change aday
well, ok
I meant that if you can check the timezone, you could allow changing timezone, but not the time itself, and if you can't check the timezone then allow the hour to be changed like once or twice a day...
and ignore the timezone changes
So I can cheat once or twice a day? :P
wtf? timezone doesn't change system time. at least in gettimeofday() function
EXACTLY
what software are you using for the animations
Fun fact: It's possible to find forensic artifacts when someone has been tampering with the time on a windows computer. It's in the system log. Sure, people can wipe the log easily, but that leaves a mark in the new log. Of course, change it in the BIOS and there will be no OS to write to the log, but who goes that far these days?
other one of simplest solution is to make your own time counting process history of the phone that are running in the background.
if the process history is (enough) count it as a unit of time, thus a second has occured.
It would be completely independent with time.
Big fan. Programmer myself, 25 years, and learning so much from your videos.
Great video, I would have never considered time
Tried this method on Fallout Shelter. Worked great but I wouldn´t find loot for 30 Years since then.. hehe...
Very beneficial video, highly appreciated!
Pokemon Go: you can only get one raid pass a day, some people change the timezone to get the tomorrow's raid pass.
One way to detect if the user has turned back the system clock: Every time the program starts you can check system time and save it. By comparing the current time with the saved time you have some protection, if time now is before the time of last start up the user is cheating. The weak point is the file containing the last start up time could have been modified by the user as well.
It's forward jumps that they're concerned about, not backward jumps, so I don't think this does anything
For the main Pokémon games, which run on dedicated gaming hardware, the game can detect the changing of system time, and lock out time-related functions temporarily.
I suspect the game is able to read the real-time clock (RTC) values directly, and changing the system time only modifies an offset on top of the RTC.
(Some older Pokémon games, that ran on systems that don't have a system clock, came with an RTC inside the game cartridge, and those would ask you to set the wall clock at the start of the game. Certainly Game Freak have thought a lot about this type of vulnerability, which makes its existence in a spinoff game surprising. )
Google also has experimentally made Roughtime, an authenticated time protocol, to replace tldsate, which gets time from HTTPS servers.
Edit: TLS (≤1.2) handshake or HTTPS. servers.
the best trick I have for software that expire is creating a VM in the future and freezing it, so every time I need to use the software I start the VM, and because its in the future, it'll never expire. and yes, there are ways to hide the fact you're running inside an hypervisor, but no one checks those
7:48 what program are you using to scan packages like that?
Stupidly late, but that program is Wireshark.
I used to do that all the time in Candy Crush on Android. XD
One question I have. If you really need a time clock, how do you make sure that the time you are accessing is correct?
Hey, i want to say Thanks allot. You have changed my life with your Videos. I learn coding (I am not that good) but it is hell of fun :) thanks alot and Keep it up :)
I had an app that only run when you set your time to 'get from internet'
This even works with the new Whatsapp message deletion feature.
It normally only allows deleting the message 10 minutes after it has been sent.
If you set your clock accordingly you can still delete the messages.
This is a really great video! Thanks I hope to see more technical stuff like this in the future.
Notice that UTC is always computed after the fact, based on an average between different atomic clocks. This means that your wall clock is always wrong.
4:07 when i used the App Poweramp 5 years ago, i just turned the date back 2 weeks, and this way i could use it free until I bought it
Your videos is all i need right now! Thank you
I think some games remember the last timestamp they got, and detect backwards jumps in time. Not sure what they do when they detect it though.
What if you run a "test for," that will compare the last minute to the next minute, and if there is more than a % of the time then the program will subtract the between time and keep running the game as if no time had passed between that time jump. Ex: 12:00 -> 12:01 -> 12:02 -> 7:30 -> 7:31 (the program subtracts 7 hours and 28 minutes of in-game time and then runs as normal.)
Don’t trust edited comments.
And that's why twitter doesn't allow me fix my typos :(
k
Obey this comment. Don't trust this comment.
then you can't trust 95% of mine. i always edit.
This comment is actually paradox
So timezones are easy. Work in UTC. Let the UI modify display for user.
I've worked in places where the way they handled time was consensus.
NTP from NIST + FM broadcast from local time station + GPS all concur for example so set the time.
Use local TCXOs to maintain time within your closed system. Maintain consensus across TCXOs
Use a dice roll to determine if time is verified that "tick".
One of the most basic NTP protections is that it will not update large differences, anything more than a few seconds (I forget the actual number) will generally be ignored unless but it's a forced update by a client. It only corrects it by milliseconds usually. So a network attacker attempting to mitm a NTP server and change the time to last week, will likely fail.
From the NTP man page.
If the -x option is included on the command line, the clock will never be stepped and only slew corrections will be used.
The issues should be carefully explored before deciding to use the -x option. The maximum slew rate possible is limited to 500 parts-per-million (PPM) as a consequence of the correctness principles on which the NTP protocol and algorithm design are based. *As a result, the local clock* *can take a long* *time to converge to an acceptable offset*, *about 2000s for each second the clock is outside the acceptable range*. During this interval the local clock will not be consistent with any other network clock and the system cannot be used for distributed applications that require correctly synchronized network time.
Voila attacker will have to wait a considerable time to screw with your ntp server any great degree. 10 minutes difference would take about 14 days to take effect.
I thought this was a default thing mind you, hence my first post, didn't realise it was an option that could just not be used.
Just have the game run in background with it's own clock
:lmao:
But where will the game initiate the time. If it again depends on system time, still you can cheat. You should initiate by syncing it to the internet then
@@shakeerhussain9366 the game starts it's time by 0 seconds and from first start/savefile a counter will be running in the background... of course the device has to be on and the program needs the permission to run in background... anyway, this idea is kinda ridiculous ^^
great video as always, intresting topic too i have an idea can you do a video where showing how easy it sounds but how difficult can it be to exploit these attacks? i know i know it is a big request but yeah :)
the comments here defending their choice to trust time are highly concerning... even if you use some sort of super advanced hardware method to get your time, that can always be modified in the memory. fact of the matter is, you can't trust it, point blank, so you have to think of interesting ways to mitigate that. in order to properly mitigate it, without sacrificing user experience, you have to think of really clever ways to capture the point from multiple angles as well as do some data analysis. not infallible, but done correctly it would be more work to fake it than to just do it legitimately.
Don't ever underestimate the will to do silly things.
As the mighty Rick said: _Homework is stupid. The whole point is to get less of it._
I think the systems rely on materials like small valuable crystals. Even atomic clocks are known to be useful for operationally running a secured business. It is also a known fact that we get the crystals in our smartphones from Asia.
Im loving this channel, thanks for the entertainment!
I can't remember the game, it was a cheesy ftp mmo from the mid to late 00's. I noticed that the time between skill usage was slightly different between different computers. I looked into it and it turned out that it worked off FPS not time and it also turned out that there was no server verification.........
Yeah, I quickly became a cheat chr
That's not a good way to do it lmfao
ya developer is liesbien
lots of playtime counters do this too-
say the game is 60fps, it just guesses every 60 frames is 1 second, which isn't true if the game lags
lol in game timers are not trusted in speed runs most of the time for this reason ;
There's a separate battery in computers that keep track of time when they're off. They do not need to connect to a network.
There is no secondary battery for the time in my MacBook. When the battery failed it didn't keep the time.
They don't NEED to connect to the network, but they do it anyway. It's difficult to find systems that wouldn't, mostly because "why not". Your machine has to be connected to the internet for many applications to be useful at all, so the time given by the rest of the internet is a totally reasonable one to use, instead of the local time on your machine.
Overflow - well, Mac - you get what you p... nope, you just dont get anything.
LiveOverflow Most computer do it, but my Walmart netbook as the same issues as your MacBook.
"There is no secondary battery for the time in my MacBook." - It's not a bug, it's a feature! :P
Firefox behave oddly when you change system time. Sites still work and show a valid certificate even when by system time it should be expired, so it seems to be doing a check with a remote server. However when you view the certificate it says that it's invalid.
Now, what if your user moves near the speed of light? Or if your server does?
There is one bummer for mobile games - really most mobile games here: iOS does not allow the use of GPS time or UMTS time directly inside apps. Those clocks originated from the user's mobile carrier or the GPS satellites are more trustworthy than the user-controllable system time. With those time sources independently available the games can be built to use GPS/UMTS time whenever possible, keep track of the delta between those trustworthy time sources and the system time to allow some offline operation. As of myself my mobile devices are configured to use GPS and UMTS time whenever possible; and computers are configured to use a local Raspberry Pi based NTP server on my home network, which has a GPS module connected to serve GPS time.
"Not to mention that timezones and people who travel and all this crap makes programming time really annoying"
I'm glad I always use UTC time. I had a problem with daylight saving once in my business program, been using UTC since then and never went back;
Are these vulnerabilities still applicable if a monotonic clock is used which measures time since epoch? I can understand these being an issue with real-time clocks.
Protip for wannabe PC technicans. Time mismatch can often cause weird results in PCs, like (real life situations of my clients):
1) some pages word, most don't, some partially (CMOS battery died, clock got reseted and without NTP sync all SSL certs weren't valid yet)
2) misorder in instant messaging - both local apps and webapps (often to sort app takes server time for incoming messages + local for outgoing).
So, if you all would fix PCs someday - either as a help or as a work - you could include time+date check as one of the first things you do. It won't take much time and clock which is really off might give you very weird results. IMO it's worth to spend 5 seconds on time check than find out hour later that it was the thing that broke something.
Is it a good/secure option using the data base with a date/time field ? (while having prepared data base about SQL injection)
I mean you start training your magikarp -> server set a date time -> you're forced to wait datetime >= (last datetime + timer).
I'm new, just want to know if it's secure or there's some security failures I didn't know ?
if i remember correctly, fucking with system time in The Sims 2 on Nintendo DS got you abducted by aliens or something :D
i just thought maybe "burning" past time (i.e. safely, unalterably storing dates that are safely known to have passed) might alleviate issues with ssl. But then again, this might open up DoS-scenarios where manipulating ntp to be a few years ahead might make any current certs permanently unusable.
Would a locally saved file (in the root partition of the device's memory - for example) record the system time every 5 minutes, and if it observes that the delta between the last two records is > (or
then maybe if there happens to be a time adjustment, because of daylight saving times for example, then a honest user might get screwed.
Oiz well, i think an adjustment for that would not be difficult to implement, we're talking twice a year
guky667 as liveoverflow said, then you can cheat twices a year ;)
Oiz no? You just account for the time adjustments, in your code. So if there is a time-adjustment on date x and time y, you don't reset his scores in the interval of (x,y) +/- maybe 5 minutes.
Draven Main xd there are multiple things that make such task much more than "*just* account for that in code". Daylight saving times are based on legislation, which varies from place to place, year to year, and sometimes from city to city. There are no constants; no matter how you look at it, time, especially for computers, is an unpredictable thing
I always used this while playing games on my Nintendo DSi as a kid! 😄
for iot applications, i'll suggest user-built/compiled client instead of obscure auto update.
at least the server/ user have a way to know if the running program is trustworthy.
You could request location services on your app to verify the time as gps satellites have precise time.
Anyone getting flashbacks to setting your phone's time to manually '2890' to get more cookies in cookie clicker
8:13 Why not using public keys with algorithms that are time independent? Which can not be manipulated into more or less calculations depending on the input. As such you would share a large public key and send it twice with different time stamps... or whatever needs to be done to sync... but given the fact that we use a network, how do we even sync time in the first place?! To an acceptable degree maybe, but over 100-50ms wouldn't we have to use tons of timestamps transfers with a statistical analysis client side to check for it?
Whatever, if we just need a time within the +-1000ms time frame, isn't a simple time independent public key algorithm fine too?
There is technically an easy way out of the time problem on the mobile platform: since most mobile devices have satellite positioning system like GPS, your software can require either an Internet connection (for NTP to a trusted server, preferably over a VPN for added authentication) or a GPS fix (for GPS-based time.)
Also if you are building an authenticated local NTP server, GPS can also work as a trusted time source. If you want to make sure your GPS receiver is not tied to just USAF, you can use quad-band GNSS modules that can receive and process signals of GPS, Galileo (EU,) GLONASS (Russia) and Beidou (China) systems at the same time. Such a system would only fall out of trustworthiness when the nuclear powers of the world are at war against each other.
You can not restrict others what they do with their hard and software. DRM and things like that can not work mathematically, without internet connection.
@@happygimp0 DRM is a thing, anti-cheat in online games is another thing. While I am against DRM too, I am perfectly fine with keeping an online game a fair place.
When you have access to the internet, you have the server time, so you don't need the time on the client. If you don't have access to the internet, then you don't have an online game.
@@happygimp0 The whole point here is to tolerate brief network cuts. The server can be put on GPS time using a GPS-based NTP server in the datacenter. Then the mobile end must also run on GPS time if the player want to go offline for short periods of time.
@@hikaru-live Check the data when the client is connect to the server. If they are plausible, you keep them if not screw them.
I remember writing a SQL-based tool for comparing sales year over year. Great, it works! All done in less than 10 hours. But shit, we forgot about 29th of February happening every four years! Hence another 150 hours had been sunk into the project rebuilding the whole thing to account for a single 24 hour period.
Screw time.
I just always imagined putting a timer logic event nestled in the code of the game based off of app run time although that does come with a specific downside. You can't close the app while the time is ticking down so I guess for most purposes that wouldn't work would it...
Like the The Persistence of Memory thumbnail ;)
You can simply build your own time system whether its countdown , runtime.
And whenever the application is closed, change the user database information to the lastest time.
This way is will not be possible to edit the memory or manipulate the time. Its very simple.
How does it keep counting the time when the app is closed though?
You might be able to implement it so that the app will not run if your system time < logged app time. It won't prevent the exploit but it will cause inconvenience for those who might want to turn back the clock after exploiting.
on pc can't you just put the date into a hidden registry address?
I used to do that on Candy Crush. Not sure if the game still allows it
its great when im playing a game with my friend thats an hour behind my time zone and daylight savings time ends so for a moment were both at the 1 am when in truth its 2 am for me and 1 am for them
Oh shit, that's old. There was even an old, Windows 95 program, which attached a tiny loader to an exe, which set the system clock to a specific date and time, then started the program and set it back.
This was known as "Time crack"
Even Microsoft is guilty. I use Visual Studio express 2008. This free version has a time limit and locks after a couple of months until it was registered. Problem, the page is down, you cannot register it anymore. So, I just deleted it's registry, set my date to 2030 started it up, closed it and set my date back. Guess what, it works. I have negative days left and do what I want until I die or have to reformat.
2030 is only one year away.
1990 was 40 years ago. :dafeels:
The most important thing about traffic monetization is choosing a good ad network that pays off your traffic investments.. Been looking for the best ones, my profit is currently the highest on MonadPlug ad network.
@7:40 when you say “as I look at NTP packets” and you show a screen and circle the mouse over “port number” that made me wonder if you can tell what protocol is being used by looking at the port number? I think I remember reading somewhere that once a synchronization is established the process' can change the port number. I don't remember why, I want to say the reason is related to security. Sorry for my own poor memory, is anything I'm remembering even true?
For software validation...! You can run a counter in your program, you don't always need to grab the system time......! Like, if the software is going to expire after 30 days.. then set the timer at 0 on the day of installation and run your own timer, and if the timer hits 30 days then do some stuff(whatever you want)....!
But if the user turns off the system the timer will stop and will start from the last captured point on restart, right..??
So, grab the time just before the system shut down, and record it in a log file, and again grab the system time just after the system start up and take the difference of both the times and add this time difference to the software timer... So in this case if user changes the system time, it won't effect your timer...!
That's worse, Your saving time to a log which people could change just as easily
@@CleanOverflow i just mentioned the idea... You can encrypt the logs, send the logs to your server and clean up the system or whatever ...!
Hello LiveOverflow. Definitely i like your videos and i am always amaze. Please can you make a video on how you started about hacking and what was your school carrer , your first programming language and a guide for those want to be as strong as you in computer security.
I propose that we install a daylight sensor on the computer, and it sets the time based off the sun's position relative to the device.
What if you move the device?
#1 Send a (encrypted?) request to the server to recieve a time update.
#2 Meanwhile, check the system time (Does it allow to do the thing? Yes)
#3 Let the user do the thing
#4 Receive the server time & compare it with system time.
#5 If the difference is more than some seconds, then undo the user thing & raise a "sync" (cheating) error.
Makes the app responsive while still reasonably secure.
(Although I hate games & apps with artificial time limits for actions)
Sion but what if the client is not able to get the server time back? Then the client can do whatever they want, completely unhindered.
@@Darticus42 An ugly solution is to add a 10 second timeout to receive the answer, if it can't be received add a popup warning that the network connection has been lost and stop the game.
what if the CMOS battery is dead (or your on some hardware that just doenst have one), and thus the time is 1/1/1970 and relies on server to set it whenever it boots?
You got new subscriber :) ! great job