At QCon London 2015 I will be presenting a tutorial entitled
Introduction to Swift,
which will cover the basics of the Swift programming language using
hands-on exercises and examples to get attendees up to speed. Attendees
of the tutorial will also receive an eBook of my
Swift Essentials, published by
Update: Packt publishers are running a promotion until 6 March 2015
for 25% off all print books; use PRINT25 at checkout from the
I am also giving a presentation on Swift - under the
hood, in which I’ll give a brief history of the programming language, how
it interoperates with Objective-C, and how LLVM
is used under the covers to compile and optimise Swift code. Those with an
interest in programming language evolution, or who are wondering how Swift differs
from other compiled object-oriented languages, will get a better understanding
of how it all fits together. I’ll have a free printed copy of my Swift Essentials book to give away as
In addition, a competition to win a free eBook of Swift Essentials can be entered by (natively) retweeting
this tweet from
@alblue. Winners will be announced
at QCon London.
Finally, if you are interested in attending QCon London (which has always
been a sell-out in the past) there is a £100 discount by registering
using the code SPEAKBLEW100. More information on the pricing is available
QCon London registration page.
Note that the discount applies for the conference or conference combined with
one or two tutorial days only.
Apple have recently released a slew of updates for the NTP daemon for
10.10, 10.9 and 10.8 versions of the operating system. It’s worth installing
them, and also worth understanding what the issue is.
What is NTP?
NTP stands for Network Time Protocol, and it’s a way of synchronizing your
computer’s system clock with others on the internet. Most computers
have a built-in clock with a battery backup to keep the time when the
power is off (though the Raspberry Pi is an example of a computer which
does not have a battery backed clock – which explains why it’s always 1970
when it boots).
NTP provides a way of determining how far out the local computer’s time is
compared with a known good time (provided by, e.g. time.euro.apple.com). It’s not enough
just to say ‘What is the time?’ since by the time (aha) you get the response
back, the time will have moved on some indeterminate number of milliseconds.
In the same way you wouldn’t post a letter to someone to ask what day it is,
simply asking a remote server what it thinks the time is is already going to
On OSX, when the ’Set date and time automatically’ option is checked, the
operating system will kick off a program ntpd as root to
keep the local computer’s time in sync.
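An added example (not from the original post) of the comparison NTP makes: the client timestamps its request, the server stamps when it received and answered it, and the four values give both the clock offset and the network delay. The function names and the constructed reply are assumptions for illustration; the field offsets are those of the standard 48-byte NTP header.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def to_ntp(unix_time):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    ntp = unix_time + NTP_EPOCH_DELTA
    return struct.pack("!II", int(ntp), int((ntp % 1) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t0):
    # First byte 0x23: LI=0, VN=4, Mode=3 (client); transmit timestamp at bytes 40-47.
    return bytes([0x23]) + bytes(39) + to_ntp(t0)

def constructed_reply(request, t1, t2, stratum=2):
    # Stand-in for a server (constructed data): Mode=4, echoes our transmit
    # time as the origin field, then adds its receive and transmit times.
    return (bytes([0x24, stratum]) + bytes(22) + request[40:48]
            + to_ntp(t1) + to_ntp(t2))

def clock_offset(reply, request, t3):
    """Validate a reply received at local time t3; return (offset, delay) in seconds."""
    if len(reply) < 48:
        raise ValueError("short packet")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode packet")
    if not 1 <= reply[1] <= 15:
        raise ValueError("server is not synchronised")
    if reply[24:32] != request[40:48]:
        # UDP has no connection: a datagram that does not echo our request is unsolicited.
        raise ValueError("origin timestamp does not match our request")
    t0, t1, t2 = (from_ntp(reply[i:i + 8]) for i in (24, 32, 40))
    offset = ((t1 - t0) + (t2 - t3)) / 2   # positive: local clock is behind the server
    delay = (t3 - t0) - (t2 - t1)          # round trip minus server processing time
    return offset, delay

if __name__ == "__main__":
    # Constructed exchange: server clock 2.5 s ahead, 20 ms each way, 1 ms processing.
    t0 = 1420070400.0
    req = build_request(t0)
    rep = constructed_reply(req, t0 + 2.52, t0 + 2.521)
    print(clock_offset(rep, req, t0 + 0.041))
```

The two one-way trips cancel out of the offset when they take equal time, which is why the round trip has to be measured rather than just reading the server's clock.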
What’s the problem?
According to Apple, there
is a remote exploit possibility due to a remote buffer overrun in the ntpd
program. It’s been given CVE-2014-9295
as a designator, and lists that it’s network exploitable. That’s because the
ntpd is a two-way program; it sends a request and then listens for responses.
Since network messages go via UDP,
it’s possible for a remote attacker to send a message even if the ntpd isn’t
expecting a response. It’s this that makes it globally targetable.
The CVE lists that it can be used to play a redirect for DDoS attacks, but
Apple has listed it as remotely exploitable as well; so it may be more
dangerous than it would seem at first glance.
In essence, if you are running an open ntpd on your network via a publicly
routable device, it’s going to have problems.
Applying the update
If you’re running on 10.10, 10.9 or 10.8 then a sudo softwareupdate -i -a
or using the update should work. If you’re running on older versions, you’re
out of luck.
Older versions of OSX
If you’re running an older version, Apple hasn’t backported the fixes. In
addition, it’s not clear that the source dumps at
been updated to take advantage of the fixes. So you can’t even build the
You could try building a version of ntpd from the upstream distribution
at www.ntp.org, but there may be problems
Alternatively, stop running ntpd on vulnerable Macs. This is easy to do:
go to System Preferences, then Date and Time, and uncheck the ‘Set the time
automatically’ checkbox from the Date and Time tab. At least you won’t be
hit whilst that isn’t running, but your time will drift.
To set the time, it’s possible to run ntpdate as root via a periodic
script, using the NTP hostname shown in the dialog box. Whilst the time
is being set you may be vulnerable to responses, but at least it won’t be
a 24h exposure. Running sudo crontab -e and adding
Setting the time via cron
@daily /usr/sbin/ntpdate time.euro.apple.com
would be enough to reset the time on a daily basis to ensure that it doesn’t
drift too far.
This will run the date setting under a sandbox profile that allows the time to
be set, but not to do any other operations. This is why the host lookup needs
to be done in backticks; because the sandbox profile doesn’t allow for DNS
Install the NTP security fix as soon as possible on computers that are
supported. For those that aren’t, turn off the automatic date and time updates
and instead use a crontab to periodically kick off the network requests,
optionally running under a sandbox profile to prevent any (non-network) related
issues from occurring.
Unfortunately I wasn’t able to make EclipseCon Europe this year in
Ludwigsburg. It sounds like it was a great conference, with the announcement
of Eclipse Cloud Development and the
new release of Orion.
To celebrate, I have managed to arrange a deal with my publishers for 25%
off the retail price of Eclipse Plug-in Development for Beginners and
Mastering Eclipse Plug-ins. Head to one of the two URLs and use the code
to get it: