Regular readers of Naked Security will know that I have some strong feelings about timestamps in logfiles.
In particular, the ambiguities created by logfiles based on local time – which is subject to local timezone regulations and changes – can work against your security interests.
Here’s one reason why:
"..Don't let year-ends, timezones, daylight saving changes or varying local conventions confuse your logs. If you suffer a breach, you will almost certainly want to put together an irrefutable historical sequence of events, based on your system logs, possibly from many systems and many locations.."
Local time can confuse even local residents, let alone outsiders trying to make sense of unqualified timestamps in logfiles some time after the event.
For example, in New South Wales, Australia, there are three official timezones: one for the far west of the state, 1000km inland; one for the bulk of the mainland; and a third for Lord Howe Island, 700km to the east of Sydney. And there are two different increments for daylight savings: one hour for most of us; but just half an hour for Lord Howe.
Furthermore, the Government of New South Wales has made three legislative tweaks to local time in the past six years: a switch from GMT to UTC in 2005; a temporary change to daylight savings for the Commonwealth Games in 2006; and a long-term change to prolong daylight savings in 2007.
Or, to put it another way, the day after tomorrow.
As I write this, it’s 1pm on Friday 30 December 2011 in Sydney. It’s 2pm in Samoa, and 3pm in New Zealand.
That sounds pretty convenient, considering that the majority of Samoan expatriates live in New Zealand and Australia, and that the three countries have strong business and sporting ties.
Except that it’s only Thursday 29 December in Samoa. Back in 1892, Samoa did quite a bit of trade with Hawaii and California, so it made sense to decide to be twelve hours behind Greenwich, rather than twelve hours ahead. (Hawaii is UTC-10; California is UTC-8 or UTC-7.)
But in the 21st century, being the most westerly country in the world has become a huge business pain to Samoans when it comes to dealing with Australia and New Zealand, since our weekends don’t line up.
By Friday, Samoans trying to wrap up the week’s business can no longer get hold of their counterparts across the South Pacific – we’re all at the beach, at the shopping mall, or in the pub. And to contact us early on Monday to catch up, the Samoans have to work on their Sunday.
So the Samoan legislature has taken a surprisingly simple, but astonishingly bold, step. At midnight tonight, the country will make a timezone adjustment, switching from UTC-12 to UTC+12. Figuratively, at least, Samoa will jump from one side of the world to the other.
Clocks won’t change at all. Just the calendar will.
Simply put, there will be no Friday 30 December 2011 in Samoa.
How funky is that?
(Samoa is surprisingly good at low-fuss but potentially high-impact bureaucratic change. In 1997, the country changed its name from Western Samoa; in 2009, it switched from driving on the right to driving on the left, as does most of the South Pacific; and in 2011, it will calmly skip an entire day.)
Let this remind you once again why standardised and unambiguous timestamps are vital in logfiles, and take a moment to revisit RFC 3339, "Date and Time on the Internet: Timestamps".
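To make the point concrete, here is an added example (not part of the original article) that merges log entries from two sites into one sequence of events, first by bare wall-clock time and then by the UTC instant that an RFC 3339 offset makes recoverable. The log lines, host names and events are constructed; the Samoan offsets are the article's figures, and Sydney is assumed to be at UTC+11.

```python
from datetime import datetime, timezone

# Constructed sample entries (timestamp, host, event); hosts and events are
# invented. Samoa offsets are the article's figures (UTC-12 before the switch,
# UTC+12 after); Sydney is assumed to be on daylight saving time, UTC+11.
SAMOA_LOG = [
    ("2011-12-29T23:59:00-12:00", "apia-fw", "admin login"),
    ("2011-12-31T00:01:00+12:00", "apia-fw", "config changed"),
]
SYDNEY_LOG = [
    ("2011-12-30T09:00:00+11:00", "syd-vpn", "session opened"),
    ("2011-12-30T23:00:00+11:00", "syd-vpn", "file transfer"),
]


def to_utc(stamp):
    """Parse an RFC 3339 timestamp, refusing one that carries no UTC offset."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"no UTC offset, cannot place in time: {stamp!r}")
    return parsed.astimezone(timezone.utc)


def wall_clock(stamp):
    """What an unqualified local-time log would hold: the offset thrown away."""
    return datetime.fromisoformat(stamp).replace(tzinfo=None)


def timeline(*logs, key=to_utc):
    """Merge logs from several systems, ordered by the chosen time key."""
    events = [(key(stamp), host, event) for log in logs for stamp, host, event in log]
    return sorted(events)


if __name__ == "__main__":
    print("Ordered by wall-clock time (misleading):")
    for when, host, event in timeline(SAMOA_LOG, SYDNEY_LOG, key=wall_clock):
        print(" ", when.isoformat(), host, event)
    print("Ordered by UTC instant (actual sequence):")
    for when, host, event in timeline(SAMOA_LOG, SYDNEY_LOG, key=to_utc):
        print(" ", when.isoformat(), host, event)
```

The two Samoan entries are really two minutes apart, yet their wall-clock readings differ by 24 hours and 2 minutes, and the first Sydney entry lands on the wrong side of the login when the offsets are ignored.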
As I wrote back at the start of 2010:
"..Without reliable logs, you are unlikely to understand [a security] breach, which makes it harder to prevent it happening again. Without reliable logs, you are unlikely to be able to prove your case against the perpetrator, if you are even able to get anyone in your sights. And without reliable and consistent logs, you might not even spot breaches in the first place.."
To everyone in Samoa and Tokelau – Happy New Year! This time, we can celebrate together. And remember this: tomorrow, footy season will be two days closer, not one.