AlBlue’s Blog

Macs, Modularity and More

QCon London and Swift Essentials tutorial/talk

2015, conference, qcon, swift

At QCon London 2015 I will be presenting a tutorial entitled Introduction to Swift, which will cover the basics of the Swift programming language using hands-on exercises and examples to get attendees up to speed. Attendees of the tutorial will also receive an eBook of my Swift Essentials, published by Packt Publishing.

Update: Packt publishers are running a promotion until 6 March 2015 for 25% off all print books; use PRINT25 at checkout from the Packt website.

I am also giving a presentation on Swift - under the hood, in which I’ll give a brief history of the programming language, how it interoperates with Objective-C, and how LLVM is used under the covers to compile and optimise Swift code. Those with an interest in programming language evolution, or who are wondering how Swift differs from other compiled object oriented languages, will get a better understanding of how it all fits together. I’ll have a free printed copy of my Swift Essentials book to give away as well.

In addition, a competition to win a free eBook of Swift Essentials can be entered by (natively) retweeting this tweet from @alblue. Winners will be announced at QCon London.

Finally, if you are interested in attending QCon London (which has always been a sell-out in the past) there is a £100 discount by registering using the code SPEAKBLEW100. More information on the pricing is available at the QCon London registration page. Note that the discount applies for the conference or conference combined with one or two tutorial days only.

Look forward to seeing you there!

OSX and NTPD security update

2014, osx, security

Apple have recently released a slew of updates for the NTP daemon for 10.10, 10.9 and 10.8 versions of the operating system. It’s worth installing them, and also worth understanding what the issue is.

What is NTP?

NTP stands for Network Time Protocol, and it’s a way of synchronizing your computer’s system clock with others on the internet. Most computers have a built-in clock with a battery backup to keep the time when the power is off (though the Raspberry Pi is an example of a computer which does not have a battery backed clock – which explains why it’s always 1970 when it boots).

NTP provides a way of determining how far out the local computer’s time is compared with a known good time (provided by, e.g. time.euro.apple.com). It’s not enough just to say ‘What is the time?’ since by the time (aha) you get the response back, the time will have moved on some indeterminate number of milliseconds. In the same way you wouldn’t post a letter to someone to ask what day it is, simply asking a remote server what it thinks the time is is already going to be out-of-date.

On OSX, when ‘Set date and time automatically’ is checked, the operating system will kick off a program ntpd as root to keep the local computer’s time in sync.

What’s the problem?

According to Apple, there is a remote exploit possibility due to a remote buffer overrun in the ntpd program. It’s been given CVE-2014-9295 as a designator, and lists that it’s network exploitable. That’s because the ntpd is a two-way program; it sends a request and then listens for responses. Since network messages go via UDP, it’s possible for a remote attacker to send a message even if the ntpd isn’t expecting a response. It’s this that makes it globally targetable.

The CVE lists that it can be used to play a redirect for DDoS attacks, but Apple has listed it as remotely exploitable as well; so it may be more dangerous than it would seem at first glance.

In essence, if you are running an open ntpd on your network via a publicly routable device, it’s going to have problems.

Applying the update

If you’re running on 10.10, 10.9 or 10.8 then a sudo softwareupdate -i -a or using the update should work. If you’re running on older versions, you’re out of luck.

Older versions of OSX

If you’re running an older version, Apple hasn’t backported the fixes. In addition, it’s not clear that the source dumps at http://opensource.apple.com have been updated to take advantage of the fixes. So you can’t even build the version.

You could try building a version of ntpd from the upstream distribution at www.ntp.org, but there may be problems with it.

Alternatively, stop running ntpd on vulnerable Macs. This is easy to stop; go to System Preferences, then Date and Time, and uncheck the ‘Set the time automatically’ checkbox from the Date and Time tab. At least you won’t be hit whilst that isn’t running, but your time will drift.

To set the time, it’s possible to run ntpdate as root via a periodic script, using the name of the ntp hostname in the dialog box. Whilst the time is being set you may be vulnerable to responses, but at least it won’t be a 24h exposure. Running sudo crontab -e and adding

Setting the time via cron

@daily /usr/sbin/ntpdate time.euro.apple.com

would be enough to reset the time on a daily basis to ensure that it doesn’t drift too far.

For the really paranoid, you can run:

@daily /usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb /usr/sbin/ntpdate `dig +short time.euro.apple.com`

This will run the date setting under a sandbox profile that allows the time to be set, but not to do any other operations. This is why the host lookup needs to be done in backticks: the sandbox profile doesn’t allow for DNS lookups, so the shell resolves the name before the sandboxed command starts.
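The sandboxed cron entry above can be wrapped in a small script that handles the cases the one-liner does not: dig +short prints CNAME targets as well as addresses, and prints nothing at all when the lookup fails. This is an added example, not part of the original post; the script path and the function names valid_host, ipv4_only and sync_time are assumptions.

```shell
#!/bin/sh
# Added example: sandboxed ntpdate wrapper for root's crontab.
# Hypothetical install path and crontab entry:
#   @daily /usr/local/sbin/sandboxed-ntpdate.sh time.euro.apple.com

# Reject empty names, names starting with '-' (would be parsed as a dig
# option) and anything outside the hostname character set.
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Keep only dotted-quad IPv4 addresses from `dig +short` output.
# CNAME targets, IPv6 addresses and blank lines are dropped, because
# ntpdate cannot resolve names once it is inside the sandbox.
ipv4_only() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | while IFS=. read -r a b c d; do
        if [ "$a" -le 255 ] && [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
            echo "$a.$b.$c.$d"
        fi
    done
}

sync_time() {
    valid_host "$1" || { echo "refusing hostname: $1" >&2; return 2; }
    # Resolve outside the sandbox; the ntpd.sb profile blocks DNS lookups.
    servers=$(dig +short "$1" A | ipv4_only)
    if [ -z "$servers" ]; then
        echo "no IPv4 address for $1; clock not updated" >&2
        return 1
    fi
    # Unquoted on purpose: each address becomes its own ntpdate argument.
    /usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb /usr/sbin/ntpdate $servers
}

# Only act when a hostname is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    sync_time "$1"
fi
```
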

Summary

Install the NTP security fix as soon as possible on computers that are supported. For those that aren’t, turn off the automatic date and time updates and instead use a crontab to periodically kick off the network requests, optionally running under a sandbox profile to prevent any (non-network) related issues from occurring.

EclipseCon Europe and book codes

2014, conference, eclipse, eclipsecon

Unfortunately I wasn’t able to make EclipseCon Europe this year in Ludwigsburg. It sounds like it was a great conference, with the announcement of Eclipse Cloud Development and the new release of Orion.

To celebrate, I have managed to arrange a deal with my publishers for 25% off the retail price of Eclipse Plug-in Development for Beginners and Mastering Eclipse Plug-ins. Head to one of the two URLs and use the code to get it:

Codes are valid until 2nd November 2014.