Strange NTP Services

Here’s something strange and interesting to explore. time.nist.gov is a standard NTP server, used to synchronize the clock on your computer to the government’s atomic clock.

However, it also seems to have another strange service running on ports 78 and 79. Telnet in, and hit enter after connection is established, and you get this:

% telnet time.nist.gov 78
Trying 192.43.244.18…
Connected to time.nist.gov.
Escape character is ‘^]’.

P: P: My name is Patsy: and my husband’s name is Paul:
We come from Pittsburgh: and we sell Peaches::
880-223-821-266-590-908-785
$ 0 875 3000 8 1 0 0
Connection closed by foreign host.

The names, city, and food change each time, but they always start with the same letter. The numbers on the bottom appear to be doing some incrementing based on time, but the pattern hasn’t been figured out yet.

Secret government broadcasts about the JFK conspiracy? The first step in SkyNET becoming self-aware? An equivalent to a numbers station? WHO KNOWS! Let’s get some smart minds working on deciphering this, or at least propose some wacky theories for fun.

Update: No, of course I don’t really think these are secret messages. (OMG CONSPIRACY!) It’s just more fun to posit that they might be. I’d still like to decipher the strange data format of the dump.

Update, again: If you coming in via a direct link to this post, be sure to check out the new post with the official explanation from a NIST employee.

Trackbacks & Pings

  1. cheesebikini? on 05 Apr 2005 at 12:19 am

    Time-signal Weirdness
    [This just in from my fellow Berkeley SIMian Matthew Rothenberg:] Here’s something strange to explore. A guy I know recently stumbled across this. time.nist.gov is a standard NTP server, used to syncrhonize clocks on your computer to the govt’s atomi…

  2. Boing Boing on 05 Apr 2005 at 12:36 am

    Coded messages on US govt timeserver’s nonstandard port
    A US government timeserver has a bizarre service running on a nonstandard port that will output sweet, random coded poems: % telnet time.nist.gov 78 Trying 192.43.244.18… Connected to time.nist.gov. Escape character is ‘^]’. P: P: My name is Patsy:…

  3. Pieces of My Mind on 05 Apr 2005 at 2:10 am

    Numbers Stations
    I saw this on Boing Boing.

    Apparently, one of NIST’s timeservers sends out strange messages on port 78.

    $ telnet time.nist.gov 78
    Trying 192.43.244.18…
    Connected to time.nist.gov (192.43.244.18).
    Escape character is ‘^]’.

    N: N: My n…

  4. updates @ m.blog » Strange NTP Services–Revealed! on 05 Apr 2005 at 5:03 pm

    […] of the Time and Frequency Divison of NIST Boulder, we have an official explanation of the strange NTP messages: Let me explain what you are seeing. 1. The first text […]

  5. moongate.org » Blog Archive » Cyberfun on 24 Aug 2005 at 9:00 am

    […] Ya, some sysadmins have a lot of fun. Andrew Wooster has blogged on his analysis of strange http headers, including webservers that send out ascii art! That’s pretty intersting. And of course, you already know the Strange NIST Time Server and Star Wars. […]

  6. Benjamin Schweizer: blog » Blog Archive » Cyberfun on 06 Sep 2005 at 7:08 pm

    […] Ya, some sysadmins have a lot of fun. Andrew Wooster has blogged on his analysis of strange http headers, including webservers that send out ascii art! That’s pretty intersting. And of course, you already know the Strange NIST Time Server and Star Wars. […]

Comments

  1. Bemis wrote:

    Port 79 is the ‘finger’ port - I can believe some bored sysadmin there put up ‘fortune’ as the finger output. I’d certainly believe this server is old enough to have been put up in the ‘good old days’ of the internet where everyone kept all of the standard ports open, and they just wanted to put up _something_ to respond.

    Posted 05 Apr 2005 at 1:06 am

  2. 404notfound wrote:

    Very strange–almost creepy. How did you come by this?

    Posted 05 Apr 2005 at 1:13 am

  3. Andy Joy wrote:

    mmm, from cardiff i get

    L: L: My name is Linda: and my husband’s name is Larry: We come from London: and we sell Lettuce::
    243-117-411-268-620-934-326
    $ 0 2272 3000 8 1 0 0

    Connection to host lost.

    Posted 05 Apr 2005 at 1:31 am

  4. Will wrote:

    pretty cool, I’m also wondering how you found out about this? Who are you working for??

    Posted 05 Apr 2005 at 1:40 am

  5. Will wrote:

    very cool, I’m also wondering how you found this. Who do you really work for??

    Posted 05 Apr 2005 at 1:41 am

  6. Pablo Marx wrote:

    In the

    $

    reply, I believe the second number is indicating the seconds. Doing a quick shell script like:

    ne

    It increments one-by-one … But the mysteries still abound.

    Posted 05 Apr 2005 at 1:42 am

  7. Vruba wrote:

    If you have Ruby, here’s a script to collect rhymes into a file so you can ponder them at leisure. If you don’t, here are 100 samples responses from the script (with the local timestamp before and after each rhyme).

    Posted 05 Apr 2005 at 1:44 am

  8. Maureen wrote:

    I used to play this game as a kid on long trips! I don’t know it’s nist.gov connection, but it seems innocent to me.

    Posted 05 Apr 2005 at 1:49 am

  9. Pablo Marx wrote:

    Hrm, my post seemed to have gotten horked. Anyways, the (bash) shell script being: for f in `seq 10`; do echo “(newline)” | nc time.nist.gov 79; sleep 1; done

    With (newline) being a newline.

    Posted 05 Apr 2005 at 1:51 am

  10. Lyndon wrote:

    You know this is he meaty equivilent of portmapping, which is illegal use of computing machinery, watch out for the spooks!

    Posted 05 Apr 2005 at 3:37 am

  11. Mmmmmmmmmmmmmmmmmmmm wrote:

    ooooooooooooooooooo!

    Posted 05 Apr 2005 at 6:32 am

  12. lowtax wrote:

    http://forums.somethingawful.com/showthread.php?s=&threadid=1517694

    Posted 05 Apr 2005 at 7:17 am

  13. Ben Hutchings wrote:

    At a guess, time.nist.gov maps to several time servers using load-balancing at the IP level (since it only maps to one IP address). The letter could indicate which one of them you’re getting statistics for.

    Posted 05 Apr 2005 at 7:19 am

  14. Gil Bates wrote:

    It’s just performance data. The NIST cluster in Boulder polls each server periodically. The output contains information about performance of the algorithm as well as the security state of the server.

    Posted 05 Apr 2005 at 9:32 am

  15. Travis wrote:

    These secret coded poems are really kids games. My mom and sister used to play this when I was younger. Their versions that I remember are slightly different - but that is all.

    Posted 05 Apr 2005 at 9:52 am

  16. Judah Levine wrote:

    Let me explain what you are seeing.
    1. The first text is a pseudo-random text designed to confuse
    automated search engines (note the strategic colons). There are
    16 poems and they are sent in a random sequence. The
    text is derived from a jump-rope game and has no special meaning.
    2. The remaining digits provide internal information on the operation
    of the server and are used for automated remote monitoring. All
    NIST servers do this.
    3. Most of the digits relate to complicated internal parameters.
    However, the first 3 values after the $ sign are easy to expolain
    the first is the overall state of the server (0=ok,>0=various failures)
    the second is the time since the server was last calibrated (in sec),
    and the third is the nominal interval between c alibrations (in sec)
    the remaining parameters have to do with the internal clock control
    of the system.

    Judah Levine
    Time and Frequency Divison
    NIST Boulder

    Posted 05 Apr 2005 at 10:56 am

  17. AYBp wrote:

    Cool.

    Posted 29 Aug 2005 at 3:45 am

« WYSINWYG or Improper Redaction Techniques
Strange NTP Services–Revealed! »