Make ThrottleService more tamper resistant.

Use elapsed time not wall time for alarms so users can't play with the
system time to get around things.

Also using NTP servers to pull in an authoritative time - if we the build
is configured with an NTP server we will not advance to the next cycle
without it, but we also will not trottle - rather not throttle users
on an error.

Note that the poll alarm is just relative to the last poll time and real
time doesn't matter.

Defining the time-fetching API's as returning time in the system wallclock
range (correcting if we are using NTP time internally).

bug:2597530
Change-Id: I1c0ac0923314c2f8a04edd0b36c4845352eae99a