Changing date/time can bypass block / cause it to end early

[ghost]

Changing the computer clock totally eliminates selfcontrol blocks. Any way to have this not happen?

Thanks

[slambert]

There are other ways we considered, but they seemed more risky if anything failed. You're welcome to suggest code changes.

[cstigler]

There's potentially a way to fix this by saving an encrypted reference to the time. I'll look into it.

[ghost]

That'd be pretty incredible!

[rilian]

this may be solved by counting the ticks, without relying on computer timer at all

[towlerj]

Could you refer to a couple of NTP servers as well as the system clock? If the system clock was ahead of, for example, two ntp servers, ignore it. If only the system is clock is available, just use that.

[3marcusw]

towlerj might really be on to something. I wish i hadn't figured out this way to bypass SelfControl

[cstigler]

@towlerj that'd be a nice addition, of course it's pretty trivial to work around also (disable the network interface, move the time forward, re-enable the network interface, move the time backward) but it'd add another step to the process. Probably won't be added in the very near future though because it's not a huge priority and I'm busy.

@rillian counting the ticks sounds good in theory, but I've actually experimented that and it'd take our permablock problems to a whole new level. Just nothing quite as reliable as system time to make sure your block comes off when it's supposed to...

[towlerj]

cstigler - that would work round the NNTP check, BUT... if someone knows enough to disable the network interface then they probably know enough to restore the relevant file anyway. (Hmm, but disabling a network interface could just be pulling the ethernet cable / turning off WiFi. so maybe not).

However - I do get that this isn't a huge priority. Am also busy, but as someone who is learning ObjC I may be interested in attempting a patch to try this (most likely in summer - have a degree to be studying for at the moment), if i do and the code isn't too embarrassing I'll send it through. (they are both big if's though, obviously)

[cstigler]

@towlerj Yup, I was thinking just going up to the menu bar and choosing "Turn Wi-Fi Off," which is pretty simple. But definitely still a worthwhile improvement!

If you get to doing a patch, please send over a pull request. We attempt to read all block details from our lockfile and then from defaults, so I think the best way to handle it would be to store an offset from local to server time, then check that as we check the date and adjust if the offset has changed. We can't store only server time because we need local time as a backup...

On Feb 11, 2013, at 10:24 PM, towlerj notifications@github.com wrote:

cstigler - that would work round the NNTP check, BUT... if someone knows enough to disable the network interface then they probably know enough to restore the relevant file anyway. (Hmm, but disabling a network interface could just be pulling the ethernet cable / turning off WiFi. so maybe not).

However - I do get that this isn't a huge priority. Am also busy, but as someone who is learning ObjC I may be interested in attempting a patch to try this (most likely in summer - have a degree to be studying for at the moment), if i do and the code isn't too embarrassing I'll send it through. (they are both big if's though, obviously)

— Reply to this email directly or view it on GitHub.

[3marcusw]

Is there any way to require the user to type in their admin password multiple (say 20) times to make it a severe inconvenience to change time settings?

[cstigler]

@3marcusw we can't block any basic behavior of the system, such as changing the date/time settings. that's probably for the better.

[dpmccabe]

@cstigler, if you've done some work already on a ticks solution to this problem, do you think you could add the code to this repo in another branch? I'd be willing to sacrifice some reliability for a foolproof blocking solution, even though it might never be a good option for a general release.

[paulm6825]

Can't we edit the /etc/authorization file in a text editor to prevent this?

Something like the settings in here? http://support.apple.com/kb/TA23576?viewlocale=en_US&locale=en_US

Not a change to the program of course but there might be an interim solution there

[Henryvw]

I would like to throw my hat in the ring and note that this is a big challenge for me as well. Ignorance is bliss, I wish I'd never learned that I can simply reset self-control by changing the date and time, but now that I do, I've already started cheating myself and disabling the application. I don't know C++ or Objective-C but I'd love to help in any way that I can.

[Henryvw]

Alternatively - has any one figured out a clever workaround?

[Henryvw]

For anyone interested, I figured out a workaround to the Date/Time problem.

I installed the Apple Server app ($20), and the Apple Profile Manager ($3). Using these apps, you can set up an online dashboard to control which system settings are accessible to you as a user. I blocked out my Date/Time panel. Then I gave the Profile Manager password to my flatmate.

The big advantage to my Server / Profile Manager approach is that I can still use sudo and I can still act as an administrator of my MacBook Air. My Date/Time is the ONLY part of my laptop that I'm not allowed to access. This is important to me since I am a developer.

Obsessive, I know. If anyone else is as obsessed as me about being able to step away from the internet from time to time, they might appreciate this solution to the Date/Time problem.

[dpmccabe]

Thanks for that. Not sure I want to shell out $23 bucks for a solution at this point, but it's good to know there's an option out there.

[Henryvw]

@dpmccabe You're very welcome.

[ecgrue01]

Could anyone write a guide on how to do the setup Henryvw mentions above? I purchased both programs but was unable to figure it out. I'm not too computer savvy, but also not illiterate. If anyone is able to do so, many thanks.

[ecgrue01]

@Henryvw Perhaps you could help me if it isn't too complicated? I'd love to be able to avoid the Date/Time problem but I don't understand how to do so with those programs (see my message above).

[kasperpeulen]

@cstigler It seems like this could be easily fixed to just ask internet for the time, if there is no internet available, it should just keep blocking.

[cstigler]

@kasperpeulen I don't think you appreciate how often things go wrong with networking for all sorts of reasons... the website we ask for time goes down, or some other installed app ends up blocking that website, or we accidentally block it with a rule meant to block somewhere else. We will never have a rule that says "if we don't know what's going on, keep blocking". Well, maybe as an optional thing, but definitely not the default.

[dpmccabe]

You'd probably need a multiplicity of available time servers in order to make it work. Maybe there are even time servers that are available over protocols other than HTTP?

As far as other things that might go wrong...on one hand, if the internet is unavailable, there's no harm in blocking websites as long as you don't inadvertently block your DHCP server or something. It seems that blocking based on DNS wouldn't have any nasty side effects like that, correct?

[cstigler]

There is a protocol specifically for delivering times, NTP. And yes, DNS blocking avoids lots of nasty side-effects, but by default we don't do that -- we do full IP-based blocking, otherwise we couldn't do things like whitelists.

[kasperpeulen]

pff, I got this solution from @Henryvw working. But now the self controll app doesn't work for me anymore It runs, already for 45 min. but I can go to any website that I want...

[Henryvw]

Interesting and thanks for sharing. I have my little solution running now, and self-control, and the blacklist is successfully blocked on my machine. (And I am blocked from changing the time).

Are you using the whitelist? The whitelist function hasn't worked for me since updating to Mavericks (with or without apple server, profile manager, etc.)

[kasperpeulen]

Oh I've also done an osx update as that was required to install the apple sever, that may explain it. Quite sad though, will try the blacklist function now, I'm glad that I didn't set self controll for a week (what I was planning, otherwise, I wouldn't be able to change self controll for a week).

2014-09-25 20:20 GMT+02:00 Henry van Wagenberg notifications@github.com:

Interesting. I have my solution running now, and self-control, and the blacklist is successfully blocked on my machine. (And I am blocked from changing the time).

Are you using the whitelist? The whitelist function hasn't worked for me since updating to Mavericks (with or without apple server, profile manager, etc.)

— Reply to this email directly or view it on GitHub https://github.com/slambert/selfcontrol/issues/28#issuecomment-56861180.

Kasper

[cstigler]

@Henryvw @kasperpeulen If you're having issues with the whitelist functionality, please try this new alpha version: http://downloads.selfcontrolapp.com/SelfControl_1.5.2alpha6.zip

Let me know if it's still not working with that version...

[Henryvw]

The whitelist function in the new Alpha version works for me in Mavericks! Thanks kindly. Henry

On Sun, Sep 28, 2014 at 1:58 AM, Charlie Stigler notifications@github.com wrote:

@Henryvw https://github.com/Henryvw @kasperpeulen https://github.com/kasperpeulen If you're having issues with the whitelist functionality, please try this new alpha version: http://downloads.selfcontrolapp.com/SelfControl_1.5.2alpha6.zip

Let me know if it's still not working with that version...

— Reply to this email directly or view it on GitHub https://github.com/slambert/selfcontrol/issues/28#issuecomment-57069779.

+49 015251570719 {mobile} RMSAHenry {Skype}

[coolvision]

I made a version that tries to solve this issue: it uses time queried from the internet, instead of system time. https://github.com/coolvision/selfcontrol/tree/time_check https://github.com/coolvision/selfcontrol/blob/time_check/SelfControl.app.zip

Each 10 seconds time is queried with http request to http://google.com/ (using code from https://github.com/freak4pc/NSDate-ServerDate)

Use at your own risk, it might cause permanent blocking!

I'm currently using (testing) it. There are a few issues:

• obviously, google.com should not be blocked (not in the block list, or in the white list), there is no check for that now
• if there is no internet access, blocking will not start (no warnings shown)
• and will not stop (but will stop if internet access appears and blocking time has expired)
• when the system time is ahead of checked time, negative time value can be displayed (I think it's good because it prompts you to stop meddling with the time settings :)

I will continue testing it, and it there are no problems, might try to add it as an option to the main version.

[slambert]

Thank you for writing code instead of just demanding features. It's refreshing.

On Oct 9, 2014, at 8:53 AM, coolvision notifications@github.com wrote:

I made a version that tries to solve this issue: it uses time queried from the internet, instead of system time. https://github.com/coolvision/selfcontrol/tree/time_check https://github.com/coolvision/selfcontrol/blob/time_check/SelfControl.app.zip

Each 10 seconds time is queried with http request to http://google.com/ (using code from https://github.com/freak4pc/NSDate-ServerDate)

Use at your own risk, it might cause permanent blocking!

I'm currently using (testing) it. There are a few issues:

if there is no internet access, blocking will not start (no warnings shown) and will not stop (but will stop if internet access appears and blocking time has expired) when the system time is ahead of checked time, negative time value can be displayed (I think it's good because it prompts you to stop meddling with the time settings :) I will continue testing it, and it there are no problems, might try to add it as an option to the main version.

— Reply to this email directly or view it on GitHub.

[paulm6825]

That's awesome. Thanks! I will try it out

On Thu, Oct 9, 2014 at 1:54 PM, coolvision notifications@github.com wrote:

I made a version that tries to solve this issue: it uses time queried from the internet, instead of system time. https://github.com/coolvision/selfcontrol/tree/time_check https://github.com/coolvision/selfcontrol/blob/time_check/SelfControl.app.zip Each 10 seconds time is queried with http request to http://google.com/ (using code from https://github.com/freak4pc/NSDate-ServerDate) Use at your own risk, it might cause permanent blocking! I'm currently using (testing) it. There are a few issues:

• if there is no internet access, blocking will not start (no warnings shown)
• and will not stop (but will stop if internet access appears and blocking time has expired)

• when the system time is ahead of checked time, negative time value can be displayed (I think it's good because it prompts you to stop meddling with the time settings :) I will continue testing it, and it there are no problems, might try to add it as an option to the main version.

  Reply to this email directly or view it on GitHub: https://github.com/SelfControlApp/selfcontrol/issues/28#issuecomment-58504488

[cstigler]

Yes, @coolvision it's great that you went and actually did it! A few suggestions: 1) might try using a server other than Google since I think people do block it sometimes, 2) displaying negative times is neat but in the latest versions we take that as a sign we need emergency block removal -- so might be better to just display the actual time remaining.

If this gets cleaned up and pretty much just works I think we could definitely put this in as a option (although would have to be off by default, just because it increases the possibilities for badness).

[daaxel]

Thank you @coolvision for your effort! Since changing the time is too easy it completely rendered SelfControl useless for me. Until your patch came along. This should be integrated into SelfControl directly.

[AveMaleficum]

@cstigler Does this problem solved in SelfControl 2.0?

[AveMaleficum]

@coolvision Can you change the code to send http request to time.apple.com. instead? Someone may just block the google.

[AveMaleficum]

@cstigler @coolvision Dear Sir, I just make a change in the code by myself https://github.com/AveMaleficum/selfcontrol/tree/time_check I change the code

define _SD_SERVER @“http://google.com/"

to

define _SD_SERVER @"http://time.apple.com/"

Am I using the right code? If so, how can I make my version of SelfControl to an APP? How can I do it?

[coolvision]

@AveMaleficum yes, this is the correct place for change. But there is a problem with using time.apple.com. it looks like a time server (using NTP protocol). I used HTTP for getting time, so time.apple.com will not work, because it returns NTP responses, not HTTP. http://en.wikipedia.org/wiki/Network_Time_Protocol http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

It should be some normal web page, for the time querying code to work, like http://www.apple.com/. I made a build that uses www.apple.com: https://www.dropbox.com/s/riwi2eblw4e5b3l/apple_time_SelfControl.app.zip?dl=0

you can use XCode to build the app. cocoapods (http://cocoapods.org/) has to be used to generate a project workspace first.

[AveMaleficum]

@coolvision Dear Sir, I open SelfControl of this apple_time version, and it sends request to a-23-216-91-43.deploy.static.akamaitechnologies.com And in Private Eye, I can see that it just send the request to website once...I don't know what's wrong, shouldn't

1. send request to www.apple.com
2. send every request 10 seconds?

update: I get it now. because I open two SelfControl at once,and then it send request to www.google.com.hk. Well, that's my guess.

I will check if this new apple_time version works after the time expires...

[AveMaleficum]

@coolvision I am really sorry about that, and I know this is very rude. Would you mind build a version of SelfControl that use www.microsoft.com? I don't know why, but it seems that www.apple.com does not work for me.

I am really sorry for the inconvenience, and I know this is very rude to ask such request.

[coolvision]

@AveMaleficum not sure about this strange connections that selfcontrol makes as you can see on privateeye screenshot, at http://radiosilenceapp.com/private-eye, itunes also makes requests to this akamaitechnologies domain, so it's probably some apple updating service.

made a build for www.microsoft.com:

define _SD_SERVER @"http://www.microsoft.com/"

https://www.dropbox.com/s/rldxiykfo3q2hvx/microsoft_time_SelfControl.app.zip?dl=0

i probably should make it a configurable setting, but the thing that's stopping me is a total lack of objective-c knowledge )

[landoncope]

@coolvision thanks for doing this, works great! It appears they haven't implemented this in the newest version yet? If no one else has plans to, I'll clean your patch up and make it configurable so that it can be included in release.

[coolvision]

@landoncope I did not add it to the current version because I'm using OSX 10.9, and don't have a way to test it on 10.10. Don't think I should patch SelfControl 2.0 without testing in 10.10, so if you would be able to do that, it would be cool!

[step11]

I'm running OSX 10.6. I downloaded the zip file of the updated app from this thread, but the new version of SelfControl wouldn't open. I got an error message: "SelfControl cannot be opened because of a problem.Check with the developer to make sure SelfControl works with this version of Mac OS X...."

I clicked on details & it said: " Dyld Error Message: Symbol not found: _kSecDigestSHA1 Referenced from: /Users/aaaa/Downloads/SelfControl.app/Contents/MacOS/../Frameworks/Sparkle.framework/Versions/A/Sparkle Expected in: /System/Library/Frameworks/Security.framework/Versions/A/Security in /Users/aaaa/Downloads/SelfControl.app/Contents/MacOS/../Frameworks/Sparkle.framework/Versions/A/Sparkle

I tried two of coolvision's links:

https://www.dropbox.com/s/riwi2eblw4e5b3l/apple_time_SelfControl.app.zip?dl=0 & https://www.dropbox.com/s/rldxiykfo3q2hvx/microsoft_time_SelfControl.app.zip?dl=0

Am I doing something wrong?

[cstigler]

@step11 The latest version of SelfControl is compatible with OS X 10.7 and above. For older OS versions, you can use version 1.5.1: http://downloads.selfcontrolapp.com/SelfControl-1.5.1.zip

[step11]

Thanks for that cstigler. I downloaded that version (1.5.1) from your link, but it still has the loophole of the date/time workaround. Is there a version that I can download that prevents the work around? (and is also compatible with OSX 10.6?). Or is there a way I can modify the 1.5.1 version of the app myself to prevent the work around? Thanks for your time!

[cstigler]

@step11 All official versions currently can be worked around by changing date/time. I haven't evaluated or tested the patch in this thread and can't recommend anything regarding that.

@coolvision @landoncope I haven't looked at the specifics, but great job making changes that people really want! I would welcome seeing this as a cleaned-up PR so the broader SC userbase could take advantage of it as well

On Mon, Aug 31, 2015 at 1:01 PM step11 notifications@github.com wrote:

Thanks for that cstigler. I downloaded that version (1.5.1) from your link, but it still has the loophole of the date/time workaround. Is there a version that I can download that prevents the work around? (and is also compatible with OSX 10.6?). Or is there a way I can modify the 1.5.1 version of the app myself to prevent the work around? Thanks for your time!

— Reply to this email directly or view it on GitHub https://github.com/SelfControlApp/selfcontrol/issues/28#issuecomment-136483739 .

[step11]

@coolvision - is the version you made only compatible with OSX 10.7 & later? I tried downloading it but it wouldn't run on my computer (which is running OSX10.6).

[alexpmarsh]

@step11 I use @coolvision's Version 1.5.2a8 (1.5.2 alpha 8) and it's working fine apart from the bugs stated in the documentation on Mac OS X Yosemite Version 10.10.5 (14F27).

Hope that helps. Also thanks and props to @coolvision for adding this feature. Hope to see something like it in the official version one day.

[step11]

@yolotariat - Thanks for the reply! I downloaded that same version (1.5.2a8) by @coolvision, but when I try to open it I get the error message that I posted earlier in this thread ("SelfControl cannot be opened because of a problem.Check with the developer to make sure SelfControl works with this version of Mac OS X...."). You are running 10.10.5? I'm on a much earlier version (10.6), and so I was wondering if @coolvision's build was compatible with earlier forms of OSX.