Posted by Moe Trin on 06/28/07 00:47
On Wed, 27 Jun 2007, in the Usenet newsgroup comp.os.linux, in article
<1383dmujf7mp67a@corp.supernews.com>, Gordon Burditt wrote:
>Ok, consider this situation: your bank clock is off. *BADLY*.
Sorry - my bank is not so tiny as to depend on a single PC to do all
their computing needs. That also means they aren't using amateurs to
admin either the network, firewall or the individual boxes.
>I'll let you decide whether that means it's off by several hours
>or by several DECADES. In either direction. How did it get that
>way? Perhaps some hackers breaking in to a backbone provider pulled
>off a man-in-the-middle attack between you and the US Naval
>Observatory
Wander over to news://comp.protocols.time.ntp - I don't think too many
people are depending on USNO for time - assuming you can convince the
peers that you need access to a stratum 1, there are 116 public servers
listed. More likely, you'll be using a stratum 2 server, and there are
a lot more of those. You don't use _one_ server as a reference. And
just as NTP won't reset your clock to the "correct" time if it were
more than some minimum off, it also won't mis-set your clock.
Changes are small drifts - never large steps. If the clock is
significantly off (more than a few seconds), you have other MAJOR problems,
and you'd better be informing the powers that be RIGHT NOW and maybe
taking that/those system(s) off the air.
>then forced you to reboot your systems with a power outage, since your
>UPS depends on that last batch of sabotaged batteries.
Bit of a stretch - but this would cause the systems to reset the clock
to the BIOS setting, which may or may not be somewhere near sane. Did
the president of your bank who is also the only teller, head of IT and
janitor, bother to check that the clock was set somewhere close? On our
systems, there is a cron job that checks this nightly. If you had a
hardware failure and didn't detect it, the government regulatory
agencies are going to have a field day with that.
>Perhaps it was a virus.
Uhuh. Yeah, I definitely won't be using your bank.
>Perhaps it was a bribed employee, or just a scared one with guns pointed
>at his family. Or maybe it was just a bad bit in a failed clock chip.
Right. Don't check the mail or logs either. I'd get another bank.
Let me spell it out in small words - If the computer time isn't right
it isn't running this banking/securities/what-ever software, AND IT IS
NOT DOING BUSINESS, or you are doing jail time. If that costs you
business opportunities, that's tough. Simple enough?
>It is also my observation that your system clock, running with NTP,
>can get quite a bit off after a several-day loss of network
>connectivity followed by it coming back up
I'd change network providers too. In the thirty-four years I've been
in networking, the longest we've been disconnected is six hours - the
classic 'backhoe fade' thanks to the city water department. But if
you are dependent on network connectivity, haven't you at least looked
into disaster scenarios? Or do disasters only happen to others? I know
that your bank is going to be in really deep sh!t if they're off line
that long - both from the government regulators AND their ex-customers.
>NTP does correct for some of the error. Then again, the clock error
>depends on temperature by quite a lot.
Please remember that companies that are subject to these legal
requirements (about not fscking with the clock) are also not dependent
on a single PC in an uncontrolled location. Thus, there are three time
servers here, each monitoring _separate_ time sources, and averaging
that to 'tweak' their own concept of correct time, and we're not even
subject to those regulations - they are only serving time to 2500+ users
in this facility, and acting as a stratum 4 reference to other time
servers in other company locations.
>Now, WHAT DO YOU DO ABOUT IT? Set the clock, or let it drift into
>correctness a couple of decades after your prison sentence is up?
And what do the government regulating agencies require - or is that
why you'd expect to be in the slammer?
Regulated companies are supposed to follow the requirements set by
government agencies (or even trade entities). They really aren't
going to be running time critical services on that Dull laptop that
your Aunt Maude is still running windoze95 on (without an anti-mal-ware
program because it came with a [90 day demo] copy of Norton Anti-Virus
when she bought it back in 1996).
Old guy
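
The post above mentions a nightly cron job that checks the clock and the practice of never relying on one time server. The following is an added example, not part of the original post or the poster's own script: it parses `ntpq -pn` peer output and flags a clock with too few agreeing sources or too large an offset. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
# Added example: nightly clock sanity check over `ntpq -pn` billboard output.
# Thresholds are assumed policy values, not taken from the post.

# Constructed sample (documentation-range addresses, invented figures).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   12.345    0.412   0.101
+192.0.2.11      192.0.2.1        2 u   40   64  377   20.111   -1.250   0.330
x198.51.100.7    .PPS.            1 u   12   64  377   35.900 4200.000   0.900
 203.0.113.5     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

def parse_peers(text):
    """Return one dict per peer line; the tally code is the first column."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or malformed line
        peers.append({
            "tally": line[0],                # '*' system peer, '+' candidate, 'x' falseticker
            "remote": fields[0],
            "reach": int(fields[6], 8),      # reach is an octal shift register
            "offset_ms": float(fields[8]),   # ntpq reports offset in milliseconds
        })
    return peers

def check_clock(text, min_sources=2, max_offset_ms=128.0):
    """Flag a clock that lacks agreeing sources or is too far off."""
    peers = parse_peers(text)
    usable = [p for p in peers if p["tally"] in "*+" and p["reach"] != 0]
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    problems = []
    if sys_peer is None:
        problems.append("no system peer selected")
    elif abs(sys_peer["offset_ms"]) > max_offset_ms:
        problems.append("offset %.3f ms exceeds limit" % sys_peer["offset_ms"])
    if len(usable) < min_sources:
        problems.append("only %d usable source(s)" % len(usable))
    falsetickers = [p["remote"] for p in peers if p["tally"] == "x"]
    return {"ok": not problems, "problems": problems, "falsetickers": falsetickers}

if __name__ == "__main__":
    import sys
    # From cron: ntpq -pn | python3 this_script.py ; falls back to the sample on a terminal.
    result = check_clock(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

On the sample, the source that is 4.2 seconds off is outvoted and reported as a falseticker while the check still passes, which is the multi-source behaviour the post describes.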