Re: Hello World in Python
On 1/24/2015 6:53 PM, Christopher J. Pisz wrote:

> I am trying to help a buddy out. I am a C++ on Windows guy. This buddy of mine is learning Python at work on a Mac. I figured I could contribute with non language specific questions and such.
>
> When learning any new language, I said, the first step would be a Hello World program. Let's see if we can get that to work.
>
> So my buddy opens the IDE they gave at the workplace, creates a new project, adds a demo.py file, writes one line: print "Hello World", hits Run in the IDE and indeed the display is shown at the bottom when it executes.
>
> I say the next step would be to get that to run on the command line. So (keep in mind I know nothing about macs) my buddy opens a zsh? window, cd to the directory, and I say the command is most likely:
>
> python demo.py
>
> It looks like it executes but there is no output to the command line window.

It should. In a Windows console, using 3.4:

    C:\Programs\Python34>type tem.py  # cat on Mac?
    print('Hello World!')
    C:\Programs\Python34>python tem.py
    Hello World!

> Can anyone explain why there is no output?

Without a copy of the file and command, as above, no.

> Can anyone recommend a good walkthrough of getting set up and doing basics?

Since you used 2.x print syntax: https://docs.python.org/2.7/

    Python Setup and Usage: how to use Python on different platforms
    Tutorial: start here

> I'll probably end up learning python myself, just to help out.

You might possibly enjoy Python as a complement to C++. Some people prototype in Python and rewrite time critical functions in C++. One can access .dlls either directly (via the ctypes module) or write a wrapper file in C or C++. I believe Python has also been used to write tests for C++ functions (I know this is true for Python and Java, via Jython).

--
Terry Jan Reedy

--
https://mail.python.org/mailman/listinfo/python-list
Re: Hello World in Python
On Sunday, January 25, 2015 at 5:36:02 AM UTC+5:30, Chris Angelico wrote:

> One thing that I really like doing with my Python students (full disclosure: I'm a mentor with www.thinkful.com and am thus at times paid to help people learn Python) is some form of screen-sharing, so I can watch him/her trying things. There are a number of zero-dollar ways to do this, and it helps enormously. Flip on screen-share, ask him to run the script, and see where that leads.

Would be interested in how you manage that!

Am teaching a class where everyone has a laptop. Having them setup with a bare modicum of uniformity is turning out some challenge. Some windows, some linux(es), even one blessed mac!
Re: Hello World in Python
On Sun, Jan 25, 2015 at 6:14 PM, Rustom Mody rustompm...@gmail.com wrote:

> On Sunday, January 25, 2015 at 5:36:02 AM UTC+5:30, Chris Angelico wrote:
> > One thing that I really like doing with my Python students (full disclosure: I'm a mentor with www.thinkful.com and am thus at times paid to help people learn Python) is some form of screen-sharing, so I can watch him/her trying things. There are a number of zero-dollar ways to do this, and it helps enormously. Flip on screen-share, ask him to run the script, and see where that leads.
>
> Would be interested in how you manage that!
>
> Am teaching a class where everyone has a laptop. Having them setup with a bare modicum of uniformity is turning out some challenge. Some windows, some linux(es), even one blessed mac!

Generally we use Google Hangouts - video chat, with options for screen-share (replacing the camera; let's face it, when you're discussing code, staring at talking heads isn't all that useful) and a few other neat features. But if uniformity is an issue, you might want to look into some kind of virtual Linux box like http://nitrous.io/ - that way, everyone's using the same system, and nobody has to worry about the stupid hassles of trying to support three different OSes.

Though Nitrous mightn't be as important for you as it is for the Thinkful course; as part of the course, we teach PostgreSQL + Python + PsycoPG2 + SQLAlchemy, and if you're on a Mac and your student is on Windows, you'll *really* appreciate not having to figure out how to install that lot on a foreign platform!

(In theory, the situation should be getting better. Installing stuff from PyPI under Windows has long been a massive nuisance, but it's starting to become a bit easier. But it's still a massive pain for someone who doesn't know Windows to try to walk a Windows person through the setup.)

And hey. If you want a pay-for Python programming course, do check 'em out - www.thinkful.com. You get regular one-on-one mentorship, a highly responsive team of staff, and all sorts of random fun. There, I'm done advertising now. :)

ChrisA
Re: Hello World in Python
On 1/24/2015 7:12 PM, Terry Reedy wrote:

> On 1/24/2015 6:53 PM, Christopher J. Pisz wrote:
> > I am trying to help a buddy out. I am a C++ on Windows guy. This buddy of mine is learning Python at work on a Mac. I figured I could contribute with non language specific questions and such.
> >
> > When learning any new language, I said, the first step would be a Hello World program. Let's see if we can get that to work.
> >
> > So my buddy opens the IDE they gave at the workplace, creates a new project, adds a demo.py file, writes one line: print "Hello World", hits Run in the IDE and indeed the display is shown at the bottom when it executes.
> >
> > I say the next step would be to get that to run on the command line. So (keep in mind I know nothing about macs) my buddy opens a zsh? window, cd to the directory, and I say the command is most likely:
> >
> > python demo.py
> >
> > It looks like it executes but there is no output to the command line window.
>
> It should. In a Windows console, using 3.4:
>
>     C:\Programs\Python34>type tem.py  # cat on Mac?
>     print('Hello World!')
>     C:\Programs\Python34>python tem.py
>     Hello World!
>
> > Can anyone explain why there is no output?
>
> Without a copy of the file and command, as above, no.
>
> > Can anyone recommend a good walkthrough of getting set up and doing basics?
>
> Since you used 2.x print syntax: https://docs.python.org/2.7/
>
>     Python Setup and Usage: how to use Python on different platforms
>     Tutorial: start here
>
> > I'll probably end up learning python myself, just to help out.
>
> You might possibly enjoy Python as a complement to C++. Some people prototype in Python and rewrite time critical functions in C++. One can access .dlls either directly (via the ctypes module) or write a wrapper file in C or C++. I believe Python has also been used to write tests for C++ functions (I know this is true for Python and Java, via Jython).

Good docs. I got setup in Windows in 10 minutes.
Re: Hello World in Python
On Sun, Jan 25, 2015 at 10:53 AM, Christopher J. Pisz cp...@austin.rr.com wrote:

> So my buddy opens the IDE they gave at the workplace, creates a new project, adds a demo.py file, writes one line: print "Hello World", hits Run in the IDE and indeed the display is shown at the bottom when it executes.
>
> I say the next step would be to get that to run on the command line. So (keep in mind I know nothing about macs) my buddy opens a zsh? window, cd to the directory, and I say the command is most likely:
>
> python demo.py
>
> It looks like it executes but there is no output to the command line window.
>
> Can anyone explain why there is no output?
> Can anyone recommend a good walkthrough of getting set up and doing basics?

Your broad methodology is fine! I'd normally expect that to work correctly. Was the file properly saved? Ask him to display the file (cat demo.py) to make sure it's what he thinks. Or maybe he's in a different directory to the one he thinks he's in; again, catting the file will help. Otherwise, it might be a weird problem with his shell, but that's hard to diagnose.

One thing that I really like doing with my Python students (full disclosure: I'm a mentor with www.thinkful.com and am thus at times paid to help people learn Python) is some form of screen-sharing, so I can watch him/her trying things. There are a number of zero-dollar ways to do this, and it helps enormously. Flip on screen-share, ask him to run the script, and see where that leads.

Good luck!

ChrisA
Re: Hello World
Michael Torrie torr...@gmail.com:

> Most password policies are the wrong solution.

I believe passwords themselves are the wrong solution. I believe in a physical, government-issue object capable of challenge-response. It can then be beefed up with extra measures depending on the need.

Marko
Re: Hello World
Chris Angelico wrote:

> Want security? Push the encryption and authentication down to a lower layer, and save yourself the trouble.

Yes. And now for the next level: How to prevent unauthorized machines from connecting to your network…

Ciao, Michael.
Re: Hello World
On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder mich...@stroeder.com wrote:

> Chris Angelico wrote:
> > Want security? Push the encryption and authentication down to a lower layer, and save yourself the trouble.
>
> Yes. And now for the next level: How to prevent unauthorized machines from connecting to your network…

Extremely difficult, and in many cases quite unnecessary. No, you let them on the network, and then make sure that won't hurt you more than you're prepared to accept.

For instance, someone could join my wifi network - all they need is the WPA2 PSK, which is well known around the place - and use/abuse our internet connection; but they couldn't access my PostgreSQL databases, because the firewall doesn't permit access to port 5432.

ChrisA
Re: Hello World
Chris Angelico wrote:

> On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder mich...@stroeder.com wrote:
> > Chris Angelico wrote:
> > > Want security? Push the encryption and authentication down to a lower layer, and save yourself the trouble.
> >
> > Yes. And now for the next level: How to prevent unauthorized machines from connecting to your network…
>
> Extremely difficult, and in many cases quite unnecessary. No, you let them on the network, and then make sure that won't hurt you more than you're prepared to accept.

Somewhat true…

> For instance, someone could join my wifi network - all they need is the WPA2 PSK, which is well known around the place - and use/abuse our internet connection; but they couldn't access my PostgreSQL databases, because the firewall doesn't permit access to port 5432.

…but your firewall relies on authenticity of IP addresses. Fail!

Ciao, Michael.
Re: Hello World
Michael Ströder mich...@stroeder.com:

> Marko Rauhamaa wrote:
> > I believe in a physical, government-issue object
>
> Did you forget the smiley? Or where were you during the last 1,5 years?

You can juggle the issues all you want. In the end, there's no escaping the governments' underwriting role. The TLS chain of trust we have today is a joke and can be spoofed easily not only by governments but really by anybody.

Authentication is still separate from privacy, which could be secured from the governments if there were a will.

Marko
Re: Hello World
On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa ma...@pacujo.net wrote:

> Michael Torrie torr...@gmail.com:
> > Most password policies are the wrong solution.
>
> I believe passwords themselves are the wrong solution. I believe in a physical, government-issue object capable of challenge-response. It can then be beefed up with extra measures depending on the need.

I can't tell whether you're serious or not. Do you actually trust government-issue more than anything else, or is your tongue firmly in your cheek?

Also, which government?

ChrisA
Re: Hello World
On Sun, Jan 18, 2015 at 1:13 PM, Michael Torrie torr...@gmail.com wrote:

> Like many of you I use a password manager these days. It's pretty slick. But really it shows the absurdity of the situation. Instead of passwords we should all just use private/public keypairs and store the private keys in a digital wallet. Forget this password garbage with its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with it, if we're going to require the use of password managers.

Easy way to do a lot of that is to layer most things on top of SSH. I can pull/push git repositories using my SSH keypairs, I can access the local network mounts that way, all sorts of things can be done with a system that's already deployed. It's easy to put your own service on top of SSH too.

Want simplicity? Passwords are fine. Want security? Push the encryption and authentication down to a lower layer, and save yourself the trouble.

ChrisA
Re: Hello World
On 01/17/2015 05:04 PM, Chris Angelico wrote:

> Related to that is another reason I've heard: if your password is figured out by some means other than hash theft [1], there's a maximum of N days to make use of it. But let's face it, if someone gets hold of one of your accounts, it won't take long to do serious damage. Even if it's not a high-profile target like email or banking, a service with your password known by someone else is a problem *now*, not after a month of research or something.
>
> Password maximum age is the wrong solution to a few problems, and is itself a problem. Don't do it.

Most password policies are the wrong solution. They don't seem to increase the time to guess the password given the hash, and they certainly don't physically secure anything, as passwords that have to be changed often and to bizarre notions of upper case, lower case, digits, non-alphanumeric characters, are guaranteed to be written down and pasted to the monitor.

Like many of you I use a password manager these days. It's pretty slick. But really it shows the absurdity of the situation. Instead of passwords we should all just use private/public keypairs and store the private keys in a digital wallet. Forget this password garbage with its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with it, if we're going to require the use of password managers.
Re: Hello World
In article 54bb2c5f$0$12977$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote:

> You know that two-factor authentication doesn't offer any real security against Man In The Middle attacks?

The fact that TFA doesn't solve all problems doesn't change the fact that it solves some of them.
Re: Hello World
Steven D'Aprano wrote:

> Mark Lawrence wrote:
> > Bah humbug, this has reminded me of doing secure work whereby each individual had two passwords, both of which had to be changed every thirty days, and rules were enforced so you couldn't just increment the number at the end of a word or similar.
>
> I hate and despise systems that force you to arbitrarily change a good strong password after N days for no good reason.
>
> The utterly bad reason often given by people who don't understand probability is that if hackers try to guess your password by brute-force, changing the password regularly will make it harder for them. That's simply wrong, and is based on a misunderstanding of probability.

But there's a probability > 0 that one of the systems where an admin has to use his/her password was hacked and that passwords get stolen there. It's hard to find out in case of skilled hackers.

=> have more than one account for different security areas and have password aging in place.

Ciao, Michael.
Re: Hello World
Michael Torrie wrote:

> Like many of you I use a password manager these days. It's pretty slick. But really it shows the absurdity of the situation. Instead of passwords we should all just use private/public keypairs and store the private keys in a digital wallet. Forget this password garbage with its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with it, if we're going to require the use of password managers.

Yes, and that's easy e.g. with SSH. And in theory it's easy with SSL/TLS. But support for client certs in browsers really sucks (try to change the login once you've chosen a client cert without closing the browser).

Ciao, Michael.
Re: Hello World
> Password maximum age is the wrong solution to a few problems, and is itself a problem. Don't do it.

Bruce Schneier (mostly) agrees with you: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html.
Re: Hello World
Marko Rauhamaa wrote:

> I believe in a physical, government-issue object

Did you forget the smiley? Or where were you during the last 1,5 years?

Ciao, Michael.
Re: Hello World
Marko Rauhamaa wrote:

> Michael Ströder mich...@stroeder.com:
> > Marko Rauhamaa wrote:
> > > I believe in a physical, government-issue object
> >
> > Did you forget the smiley? Or where were you during the last 1,5 years?
>
> You can juggle the issues all you want. In the end, there's no escaping the governments' underwriting role. The TLS chain of trust we have today is a joke and can be spoofed easily not only by governments but really by anybody.

That's why I'm internally using my own private CA and limit the trust stores of various services to this CA.

> Authentication is still separate from privacy,

Not true because there's no authorization without authentication.

Ciao, Michael.
Re: Hello World
On Mon, Jan 19, 2015 at 2:48 AM, Michael Ströder mich...@stroeder.com wrote:

> > For instance, someone could join my wifi network - all they need is the WPA2 PSK, which is well known around the place - and use/abuse our internet connection; but they couldn't access my PostgreSQL databases, because the firewall doesn't permit access to port 5432.
>
> …but your firewall relies on authenticity of IP addresses. Fail!

No; I have two completely separate networks. If you're on the one that anyone can easily get onto, it doesn't matter what your IP is, you do not get access to certain ports on computers on the other side of the firewall.

ChrisA
Re: Hello World
Chris Angelico ros...@gmail.com:

> On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa ma...@pacujo.net wrote:
> > I believe passwords themselves are the wrong solution. I believe in a physical, government-issue object capable of challenge-response. It can then be beefed up with extra measures depending on the need.
>
> I can't tell whether you're serious or not. Do you actually trust government-issue more than anything else, or is your tongue firmly in your cheek?

I'm serious.

> Also, which government?

For example, the State of Finland (the place where I happen to reside). Then, you would know you would be dealing with someone who is holding a physical ID guaranteed by the Finnish government. After all, that's how passports work; passports are trusted everywhere in the world.

That would be better than anything we have right now.

As far as I know, a system like that is in use in Estonia. In principle, an analogous system is also there in Finland, but it is barely used yet (chicken and egg).

The practical online authentication in Finland is provided by private banks. The private solution is effective but it costs businesses money to use, making it unavailable for individuals and nonprofits.

Marko
Re: Hello World
In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:

SNIP

> But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!

I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.

> ChrisA

--
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spearc.xs4all.nl =n http://home.hccnet.nl/a.w.m.van.der.horst
Re: Hello World
On Sun, Jan 18, 2015 at 1:51 AM, Albert van der Horst alb...@spenarnc.xs4all.nl wrote:

> In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> SNIP
> > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
>
> I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.

So you have to have a password on the root account. My systems are more secure, as they do not have a password that someone could learn.

ChrisA
Re: Hello World
In article mailman.17481.1420737102.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:

> On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes hayes...@telkomsa.net wrote:
> > On 08 Jan 2015 12:43:33 GMT, alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote:
> > > I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do
> >
> > How do you do that?
> >
> > I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well.
>
> Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based

That works. That is exactly what I did.

> system. With Debian itself, you get the option during installation of setting a root password, in which case it won't install sudo by default.
>
> ChrisA

--
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spearc.xs4all.nl =n http://home.hccnet.nl/a.w.m.van.der.horst
Re: Hello World
Chris Angelico ros...@gmail.com wrote:

> On Sun, Jan 18, 2015 at 1:51 AM, Albert van der Horst alb...@spenarnc.xs4all.nl wrote:
> > In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> > SNIP
> > > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
> >
> > I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.
>
> So you have to have a password on the root account. My systems are more secure, as they do not have a password that someone could learn.

Yes, they do (if you use sudo) it's *your* password and IMHO it's less secure as you only need to know one password to get root access.

--
Chris Green
Re: Hello World
On 01/17/2015 07:51 AM, Albert van der Horst wrote:

> In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> SNIP
> > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
>
> I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.

I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here.

On my laptop sudo has a huge advantage over su, and that is I can use my fingerprint reader to access root. Now I could set up root to accept a fingerprint as well which would work with su, but the sudo solution is much quicker to configure.
Re: Hello World
Michael Torrie torr...@gmail.com wrote:

> On 01/17/2015 07:51 AM, Albert van der Horst wrote:
> > In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> > SNIP
> > > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
> >
> > I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.
>
> I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here.

One big distinction is that you need to know two passwords to get root access if there's a real root account as opposed to using sudo. This only applies of course if direct root login isn't allowed (via ssh or whatever).

--
Chris Green
Re: Hello World
On 17/01/2015 16:47, c...@isbd.net wrote:

> Michael Torrie torr...@gmail.com wrote:
> > On 01/17/2015 07:51 AM, Albert van der Horst wrote:
> > > In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> > > SNIP
> > > > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
> > >
> > > I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.
> >
> > I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here.
>
> One big distinction is that you need to know two passwords to get root access if there's a real root account as opposed to using sudo. This only applies of course if direct root login isn't allowed (via ssh or whatever).

Bah humbug, this has reminded me of doing secure work whereby each individual had two passwords, both of which had to be changed every thirty days, and rules were enforced so you couldn't just increment the number at the end of a word or similar.

--
My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language.

Mark Lawrence
Re: Hello World
In article h9gqob-c3e@esprimo.zbmc.eu, c...@isbd.net wrote:

> Michael Torrie torr...@gmail.com wrote:
> > On 01/17/2015 07:51 AM, Albert van der Horst wrote:
> > > In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> > > SNIP
> > > > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
> > >
> > > I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.
> >
> > I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here.
>
> One big distinction is that you need to know two passwords to get root access if there's a real root account as opposed to using sudo. This only applies of course if direct root login isn't allowed (via ssh or whatever).

The other is that if a dozen users have sudo possibility, one compromised password compromises the whole system. The same administrators that like sudo will force the users into a safe password of at least 8 characters, a special sign, a number and a capital, instead of educating them to use a strong password like the_horse_eats_yellow_stones. 1]

Chances are that one of the users has a password like ! (first special sign) 1 (first number) Q (first capital) followed by a weak 5 letter word (or even a guessable one).

Compare that to

    Dear administrator, I've to do this. Can I have the root password.
    Sure here it is
    Looks over user's shoulder.
    Are you ready?
    Make sure he's logged out.
    Uses random generator for a new password.

If there is something, anything, change the root password and check the disk for suid-root files.

There is no such thing as automatic security. Security requires one thing: attention. And effort. So two things: attention and effort. And simplicity. So three things: attention, effort and simplicity.

sudo makes administrators careless, lazy and it is not simple at all.

> --
> Chris Green

Groetjes Albert

1] I don't claim this is *very* strong, just strong.

--
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spearc.xs4all.nl =n http://home.hccnet.nl/a.w.m.van.der.horst
Re: Hello World
alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote:

> In article h9gqob-c3e@esprimo.zbmc.eu, c...@isbd.net wrote:
> > Michael Torrie torr...@gmail.com wrote:
> > > On 01/17/2015 07:51 AM, Albert van der Horst wrote:
> > > > In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote:
> > > > SNIP
> > > > > But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler!
> > > >
> > > > I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo.
> > >
> > > I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here.
> >
> > One big distinction is that you need to know two passwords to get root access if there's a real root account as opposed to using sudo. This only applies of course if direct root login isn't allowed (via ssh or whatever).
>
> The other is that if a dozen users have sudo possibility, one compromised password compromises the whole system.

Hmm, but it's much worse if a dozen users have to know the root password. With this they can circumvent sudo completely (e.g. going over IPMI console).

> Compare that to
>
>     Dear administrator, I've to do this. Can I have the root password.
>     Sure here it is
>     Looks over user's shoulder.
>     Are you ready?
>     Make sure he's logged out.
>     Uses random generator for a new password.

This process does not work for dozens of admins maintaining thousands of machines. Especially when something goes wrong in the night shift and has to be fixed quickly.

> If there is something, anything, change the root password and check the disk for suid-root files.

Better require public key authc for SSH access and the user's own (one-time) password for sudo. If your security requirements are really high, mandate going through a SSH gateway / jumphost.

> Security requires one thing: attention. And effort. So two things: attention and effort. And simplicity. So three things: attention, effort and simplicity.

Yes.

> sudo makes administrators careless, lazy and it is not simple at all.

Admins must have separate accounts with separate credentials for administrative work and must be careful when using an administrative account.

Ciao, Michael.
Re: Hello World
Mark Lawrence wrote:

> Bah humbug, this has reminded me of doing secure work whereby each individual had two passwords, both of which had to be changed every thirty days, and rules were enforced so you couldn't just increment the number at the end of a word or similar.

I hate and despise systems that force you to arbitrarily change a good strong password after N days for no good reason.

The utterly bad reason often given by people who don't understand probability is that if hackers try to guess your password by brute-force, changing the password regularly will make it harder for them. That's simply wrong, and is based on a misunderstanding of probability.

The merely poor reason given by the more thoughtful sys admins is, if the password hashes get stolen, the hacker has a maximum of N days (and possibly less) to crack the hashes and recover the passwords before they get changed. That's okay as far as it goes, but it's the wrong solution for the problem. The right solution is to salt the passwords, and to secure the hashes from theft. Users should only be forced to change their password if the hashes are stolen, not at arbitrary intervals.

The problem with regular password changes is that it makes it significantly harder to remember passwords, especially one that you might only use rarely. It encourages users to pick weak, trivial passwords that can be trivially incremented each time the computer insists they change it, blahblah-JAN or blahblahblah1, or to simply write the password down on a Post-it note on their computer. In isolation, regular password changes seem like a good idea, but in practice they are not.

Password management is hard enough without having to throw away perfectly good, strong, memorable passwords every N days just in case.

--
Steven
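
The effect of the salting recommended in this message, shown as an added example that is not part of the original thread: with unsalted hashes, accounts that share a password store the same value, so a stolen table shows the reuse and one recovered hash covers the whole group, while a per-user random salt removes that. The account names, passwords and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {
    "alice": "correct horse battery",
    "bob": "correct horse battery",
    "carol": "the_horse_eats_yellow_stones",
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
SALT_BYTES = 16


def unsalted_record(password):
    """Plain fast hash: identical passwords always give identical records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None):
    """Return (salt, derived_key); a fresh random salt is drawn per record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify(password, salt, stored_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = salted_record(password, salt)
    return hmac.compare_digest(key, stored_key)


def accounts_sharing_a_record(table):
    """What a stolen table shows: groups of users with the same stored value."""
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(users=USERS):
    """Build the same credential table twice: unsalted and salted."""
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, shared records:", accounts_sharing_a_record(unsalted))
    print("salted, shared records:  ", accounts_sharing_a_record(salted))
    salt, key = salted["alice"]
    print("alice verifies:", verify(USERS["alice"], salt, key))
    print("wrong password verifies:", verify("guess", salt, key))
```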
Re: Hello World
Sorry for necro. On Sat, Dec 20, 2014 at 10:44 PM, Chris Angelico ros...@gmail.com wrote: On Sun, Dec 21, 2014 at 5:31 PM, Terry Reedy tjre...@udel.edu wrote: Just to be clear, writing to sys.stdout works fine in Idle. import sys; sys.stdout.write('hello ') hello #2.7 In 3.4, the number of chars? bytes? is returned and written also. Whether you mean something different by 'stdout' or not, I am not sure. The error is from writing to a non-existent file descriptor. That's because sys.stdout is replaced. But stdout itself, file descriptor 1, is not available: It surprises me that IDLE, and most other shells, don't dup2 stdout/err/in so that those FDs talk to IDLE. -- Devin -- https://mail.python.org/mailman/listinfo/python-list
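An added example, not IDLE's code and not from the original posts, of the distinction discussed above: rebinding `sys.stdout` only redirects Python-level writes, while `os.dup2` redirects file descriptor 1 itself. The function names are assumptions of this sketch; it also covers the case where fd 1 is not open at all, which is what produces `[Errno 9] Bad file descriptor`.

```python
import io
import os
import sys


def fd_is_open(fd: int) -> bool:
    """True if the OS-level descriptor exists in this process."""
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False


def capture_both():
    """Send sys.stdout to a StringIO and fd 1 to a pipe, then write to each.

    Returns (text seen by the sys.stdout replacement, bytes seen on fd 1).
    """
    sys.stdout.flush()
    read_end, write_end = os.pipe()
    saved_sys_stdout = sys.stdout
    # If fd 1 does not exist (the situation described for IDLE), there is
    # nothing to save; we simply close the temporary fd 1 afterwards.
    saved_fd1 = os.dup(1) if fd_is_open(1) else None
    replacement = io.StringIO()
    try:
        os.dup2(write_end, 1)          # fd 1 now refers to the pipe
        sys.stdout = replacement       # Python-level stdout goes elsewhere
        print("via sys.stdout")        # lands in the StringIO only
        os.write(1, b"via fd 1\n")     # lands in the pipe only
    finally:
        sys.stdout = saved_sys_stdout
        if saved_fd1 is not None:
            os.dup2(saved_fd1, 1)      # put the original fd 1 back
            os.close(saved_fd1)
        else:
            os.close(1)
        os.close(write_end)
    with os.fdopen(read_end, "rb") as pipe:
        fd_bytes = pipe.read()         # EOF: every write end is closed now
    return replacement.getvalue(), fd_bytes


def write_to_closed_fd() -> int:
    """Write to a descriptor that is known to be closed; return the errno."""
    read_end, write_end = os.pipe()
    os.close(read_end)
    os.close(write_end)
    try:
        os.write(write_end, b"Hello, world\n")
    except OSError as exc:
        return exc.errno
    return 0


if __name__ == "__main__":
    text, raw = capture_both()
    print("sys.stdout replacement received:", repr(text))
    print("file descriptor 1 received:     ", repr(raw))
    print("errno from a closed descriptor: ", write_to_closed_fd())
```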
Re: Hello World
On 01/17/2015 11:47 AM, Michael Ströder wrote: sudo makes administrators careless, lazy and it is not simple at all. Admins must have separate accounts with separate credentials for administrative work and must be careful when using an administrative account. Right. This is not a bad idea in a large organization. In any case, Sudo is more auditable than su in my opinion, but more importantly, it's much easier to revoke. With su, if I fire an admin, I have to change root passwords on every machine, and redistribute the new password to every admin that needs it. With sudo, I might still change the root password, but I'll lock the root password up in a safe box somewhere, and life goes on for everyone else. In fact with root disabled entirely, the whole root password needing to be changed when a person leaves the company is completely eliminated. sudo allows us (especially with the idea about separate admin credentials) to have multiple, controllable, auditable, root passwords in effect. Surely the benefit of this can be seen. Another good alternative to sudo is ksu, which is a kerberized su. This also provides an excellent audit trail, and is easy to revoke. This may be more to Mr. van der Horst's liking, as normally ksu is configured to accept only principals with a /admin suffix (arbitrarily chosen). So admins would have their normal principal, and their admin principal. It's a pretty slick system if you have Kerberos up and running. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Albert van der Horst wrote: In article h9gqob-c3e@esprimo.zbmc.eu, c...@isbd.net wrote: Michael Torrie torr...@gmail.com wrote: On 01/17/2015 07:51 AM, Albert van der Horst wrote: In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote: SNIP But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler! I didn't expect this strawman argument from you. Of course you need a distinction between doing system things as root, and working as a normal user. You just don't need sudo. I just don't see the distinction. What's the difference between having to type in a root password and having to type in your own administrative user password? Guess we're all just struggling to understand your logic here. One big distinction is that you need to know two passwords to get root access if there's a real root account as opposed to using sudo. This only applies of course if direct root login isn't allowed (via ssh or whatever). The other is that if a dozen users have sudo possibility, one compromised password compromises the whole system. The same administrators that like sudo will force the users into a safe password of at least 8 characters a special sign a number and a capital, instead of educating them to use a strong password like the_horse_eats_yellow_stones. 1] Sigh. I like XKCD, I really do, but anyone who thinks that brute force attacks cannot simply replace words for characters is deluding themselves. Consider a password like mg93H$8s. Each character is taken from an alphabet of lowercase and uppercase letters plus digits, plus 32 punctuation characters and other symbols available on a US keyboard. There are 26+26+10+32 = 94 different letters in this alphabet. If your password is ten characters long, there is a potential pool of 94**10 available passwords. 
Let's say we strip out 90% of them for being too easy to guess (say, eight As in a row, or it happens to contain your username). That still leaves us with: 94**10//10 = 5386151140948997017 potential passwords. Now consider the XKCD scheme. You pick four words from a dictionary and concatenate them. On my system, /usr/share/dict/words has a little less than 500,000 words. The problem is, most of them are not really memorable, and many of them are very low entropy. Here's a selection from the first few starting with A: A A. a a' a- a. A-1 A1 a1 A4 A5 AA aa A.A.A. AAA aaa So in practice people are going to choose words from a much, much smaller selection. I estimate that most people are going to choose words from a pool of about 10,000 words or so, but let's imagine that you have four times the vocabulary (or imagination) of the average person and pick from a pool of 40,000 words, specially crafted to avoid low-entropy selections such as AAA A4 aa a. That gives: 4**4 = 256 potential passwords, half that of the conventional scheme. And if people have biases in the words they pick -- and you better believe they will -- that will be reduced even further. Password crackers will take advantage of the fact that most XKCD-style passwords will include at least one of the most common thousand or so words, reducing the search space significantly. I believe that the state of the art of password cracking is such now that people cannot realistically expect to remember sufficiently strong passwords for all the things they need passwords for. I believe that the only good solution is to have one strong passphrase that you use to protect a password manager, which in turn uses long (12 character or more), completely random passwords. Even that doesn't protect you, because your security is controlled by websites and banks etc. with stupid security policies. E.g. 
I am forced to deal with one bank that uses a cryptographic key to sign in to their bank, but your passphrase is limited to exactly eight characters. Another bank I use limits you to SIX characters, taken from case-insensitive(!) letters, digits, and a small set of punctuation. At least they do enforce rate limiting on account logins: three wrong login attempts and they lock your account and force you to go to a branch in person to recover it. (Can you say Denial Of Service Attack? I can.) Compare that to Dear administrator, I've to do this. Can I have the root password. Sure here it is Looks over users shoulder. Are you ready? Make sure he's logged out. Uses random generator for a new password. That is a ridiculously impractical system for anything other than a home system. Problems include: - You have a single point of failure, the one administrator who controls access to the root password. The day he stays home with his phone switched off to play WOW is the day the mail server dies and you need root to fix it. The Bus Factor (what do you do when the administrator gets hit by a bus?) is critical. -
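An added example, not part of the original post, that carries the message's arithmetic through in Python using its own figures: a 94-symbol alphabet, ten characters, the 90% discard, and four words from a pool of 40,000. The Zipf model of biased word choice and the function names are assumptions of this sketch.

```python
import math
import string

# The 94-symbol alphabet described in the message:
# 26 lowercase + 26 uppercase + 10 digits + 32 punctuation characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def search_space(symbols: int, length: int) -> int:
    """Number of equally likely secrets of `length` draws from `symbols` choices."""
    return symbols ** length


def uniform_bits(symbols: int, length: int) -> float:
    """Entropy in bits when every draw is uniform and independent."""
    return length * math.log2(symbols)


def zipf_bits_per_word(pool_size: int, exponent: float = 1.0) -> float:
    """Shannon entropy of one word when word k is picked with weight 1/k**s.

    Assumption of this sketch: a Zipf distribution stands in for the
    "biases in the words they pick" that the message refers to.
    """
    weights = [1.0 / (k ** exponent) for k in range(1, pool_size + 1)]
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights)


def compare_schemes() -> dict:
    """Work the message's comparison through with its own numbers."""
    random_chars = search_space(len(ALPHABET), 10) // 10   # after the 90% cut
    four_words = search_space(40_000, 4)
    return {
        "random_chars": random_chars,
        "four_words": four_words,
        "ratio": four_words / random_chars,
        "random_chars_bits": math.log2(random_chars),
        "four_words_bits": uniform_bits(40_000, 4),
        "four_biased_words_bits": 4 * zipf_bits_per_word(40_000),
        "manager_12_chars_bits": uniform_bits(len(ALPHABET), 12),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        if isinstance(value, int):
            print(f"{name:>24}: {value}")
        else:
            print(f"{name:>24}: {value:.2f}")
```

The biased-choice line shows how far the effective strength of a four-word passphrase drops once word selection stops being uniform, and the last line covers the 12-character random passwords the message recommends keeping in a password manager.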
Re: Hello World
Roy Smith wrote: In article 54bb1c83$0$12979$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Even that doesn't protect you, because your security is controlled by websites and banks etc. with stupid security policies. E.g. I am forced to deal with one bank that uses a cryptographic key to sign in to their bank, but your passphrase is limited to exactly eight characters. Another bank I use limits you to SIX characters, taken from case-insensitive(!) letters, digits, and a small set of punctuation. Tell me about it. I have an E-Trade ATM card. When I first got it, I set it up with a 6 digit PIN. I was shocked to discover some time later that it actually only looks at the first 4 digits. And, no, I'm not talking *characters*, I'm talking *digits*. There are 10**4 possible PINs. The mind boggles. On the other hand, E-Trade gave me an RSA key fob so I use two-factor authentication on their web site. You know that two-factor authentication doesn't offer any real security against Man In The Middle attacks? Scenario: * You log in to the bank, and transfer $1 to me. * Evil haxor intercepts the transfer between your PC and the Internet, changing it to a request to transfer ONE MILLION DOLLARS to evil haxor's account. * Bank receives the request and sends you a token. * You receive the token and approve the transfer. * Evil haxor makes the money disappear. * When you complain to the bank that your account is ONE MILLION DOLLARS overdrawn, they insist that you authorized the transfer so their liability is limited to exactly Sweet FA. (I am very cynical about most of the security features the banks are pushing for, since in my opinion they are more about giving the banks plausible deniability so they can push responsibility for security breaches onto the customer.) 
As soon as I heard that banks were turning to two-factor authentication I predicted that attackers would trivially move to man-in-the-middle and man-in-the-browser attacks to get around them. And sure enough, as long ago as 2006 that's exactly what happened: http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html More here: https://www.schneier.com/blog/archives/2012/09/man-in-the-midd_5.html (read the comments for more examples) All of the MITM attacks I know of involve social engineering attacks, but if and when customers get too sophisticated to fall for phishing attacks[1], the bad guys will move to scenarios like the one I described, where they hijack your own legitimate transactions. [1] Try not to laugh. It could happen. -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Sun, Jan 18, 2015 at 2:50 PM, Tim Chase python.l...@tim.thechases.com wrote: You think that's bad, one million Google Authenticator 2-factor verification codes were leaked: https://twitter.com/paulmutton/status/509991378647277568 Those hackers are a wily bunch. ;-) http://torrent-city.net/download/Li/List-of-ALL-ip-addresses-[hacking-tool]-[source-code-included].5185923.html ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: The merely poor reason given by the more thoughtful sys admins is, if the password hashes get stolen, the hacker has a maximum of N days (and possibly less) to crack the hashes and recover the passwords before they get changed. That's okay as far as it goes, but it's the wrong solution for the problem. Related to that is another reason I've heard: if your password is figured out by some means other than hash theft [1], there's a maximum of N days to make use of it. But let's face it, if someone gets hold of one of your accounts, it won't take long to do serious damage. Even if it's not a high-profile target like email or banking, a service with your password known by someone else is a problem *now*, not after a month of research or something. Password maximum age is the wrong solution to a few problems, and is itself a problem. Don't do it. ChrisA [1] eg http://xkcd.com/792/ -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2015-01-17 22:18, Roy Smith wrote: Tell me about it. I have an E-Trade ATM card. When I first got it, I set it up with a 6 digit PIN. I was shocked to discover some time later that it actually only looks at the first 4 digits. And, no, I'm not talking *characters*, I'm talking *digits*. There are 10**4 possible PINs. The mind boggles. You think that's bad, one million Google Authenticator 2-factor verification codes were leaked: https://twitter.com/paulmutton/status/509991378647277568 Those hackers are a wily bunch. ;-) -tkc -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article 54bb1c83$0$12979$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Even that doesn't protect you, because your security is controlled by websites and banks etc. with stupid security policies. E.g. I am forced to deal with one bank that uses a cryptographic key to sign in to their bank, but your passphrase is limited to exactly eight characters. Another bank I use limits you to SIX characters, taken from case-insensitive(!) letters, digits, and a small set of punctuation. Tell me about it. I have an E-Trade ATM card. When I first got it, I set it up with a 6 digit PIN. I was shocked to discover some time later that it actually only looks at the first 4 digits. And, no, I'm not talking *characters*, I'm talking *digits*. There are 10**4 possible PINs. The mind boggles. On the other hand, E-Trade gave me an RSA key fob so I use two-factor authentication on their web site. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Sun, Jan 18, 2015 at 2:45 PM, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: (I am very cynical about most of the security features the banks are pushing for, since in my opinion they are more about giving the banks plausible deniability so they can push responsibility for security breaches onto the customer.) Definitely they are. Banks don't care about customers, they care about profits. James Hacker: I see, it's just profits, isn't it, Sir Desmond? Sir Desmond: It's not just profits - it's profits! -- Yes Minister ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article mailman.17077.1419144290.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote: On Sun, Dec 21, 2014 at 5:31 PM, Terry Reedy tjre...@udel.edu wrote: Just to be clear, writing to sys.stdout works fine in Idle. import sys; sys.stdout.write('hello ') hello #2.7 In 3.4, the number of chars? bytes? is returned and written also. Whether you mean something different by 'stdout' or not, I am not sure. The error is from writing to a non-existent file descriptor. That's because sys.stdout is replaced. But stdout itself, file descriptor 1, is not available: os.fdopen(1,"w").write("Hello, world\n") Traceback (most recent call last): File "<pyshell#4>", line 1, in <module> os.fdopen(1,"w").write("Hello, world\n") OSError: [Errno 9] Bad file descriptor I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do su .. # su nobody Who needs sudo? It's like instead of telling a 4-year old to stay on the side walk, learning him to read and then give him a 8-page brochure about safety in traffic. This works fine in command-line Python, just not in IDLE. It's not Windows vs Unix, it's Idle vs terminal. ChrisA Groetjes Albert -- Albert van der Horst, UTRECHT,THE NETHERLANDS Economic growth -- being exponential -- ultimately falters. albert@spearc.xs4all.nl =n http://home.hccnet.nl/a.w.m.van.der.horst -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Thu, Jan 8, 2015 at 11:43 PM, Albert van der Horst alb...@spenarnc.xs4all.nl wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do su .. # su nobody Who needs sudo? With sudo, you get MUCH finer control. I can grant some user the power to run sudo eject sr0, but no other commands. I can permit someone to execute any of a large number of commands, all individually logged. I can allow sudo to other users than root, without having to reveal those accounts' passwords (chances are they don't even have passwords). But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler! ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article mailman.17471.1420721626.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote: On Thu, Jan 8, 2015 at 11:43 PM, Albert van der Horst alb...@spenarnc.xs4all.nl wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do su .. # su nobody Who needs sudo? With sudo, you get MUCH finer control. I can grant some user the power to run sudo eject sr0, but no other commands. I can permit someone to execute any of a large number of commands, all individually logged. I can allow sudo to other users than root, without having to reveal those accounts' passwords (chances are they don't even have passwords). You've answered it. sudo works for a system with a very knowledgeable system administrator and at least one other user. Not for an electronic engineer who uses Python on his Raspberry Pi. But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler! I've no problem explaining to an electronic engineer not to do this, while not offering him to do the system administration for him. Having a separate account for system things is a useful distinction that he can grasp and handle easily. Beyond that he is indeed inclined to do everything as root, because what he wants is to make a turnkey to feed his gold fish. So a separate root account is the best protection for a single user system. For quite a considerable part of the systems around, sudo is over the top and stimulates no protection at all, i.e. what I'd call counter productive. I can save a 4-years olds life by imprinting on him to stay on the side walk. ChrisA Groetjes Albert -- Albert van der Horst, UTRECHT,THE NETHERLANDS Economic growth -- being exponential -- ultimately falters. albert@spearc.xs4all.nl =n http://home.hccnet.nl/a.w.m.van.der.horst -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Chris Angelico ros...@gmail.com: With sudo, you get MUCH finer control. I can grant some user the power to run sudo eject sr0, but no other commands. I can permit someone to execute any of a large number of commands, all individually logged. I can't remember ever having a need for that. I sometimes use sudo but most times su is the way. I can allow sudo to other users than root, without having to reveal those accounts' passwords (chances are they don't even have passwords). An administrator doesn't need the users' passwords for anything but should be assumed to know them. But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler! In the era of personal computers, the main advantage of the root account is that you can breathe more easily as an ordinary user, as the potential for accidental damage is lower. Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 01/08/2015 10:02 AM, Steve Hayes wrote: On 08 Jan 2015 12:43:33 GMT, alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do How do you do that? I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well. Of all the distro choosing criteria, this has to be one of the more bizarre ones I've heard. You could at least choose something fashionable to avoid, like systemd. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
alister alister.nospam.w...@ntlworld.com: On Thu, 08 Jan 2015 16:06:16 +0200, Marko Rauhamaa wrote: An administrator doesn't need the users' passwords for anything but should be assumed to know them. The administrator may be able to change them but he should NEVER know them (or need to)! When you are under an administrator's dominion, *you* must assume that they know your password. (Somewhat in the same vein, if you are running a virtual machine, *you* must assume the owner of the host computer has root access to your virtual machine. By extension, *you* must assume the government officials of the physical jurisdiction of the host computer have root access to your virtual machine.) Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Thu, 08 Jan 2015 16:31:22 +0200, Marko Rauhamaa wrote: alister alister.nospam.w...@ntlworld.com: On Thu, 08 Jan 2015 16:06:16 +0200, Marko Rauhamaa wrote: An administrator doesn't need the users' passwords for anything but should be assumed to know them. The administrator may be able to change them but he should NEVER know them (or need to)! When you are under an administrator's dominion, *you* must assume that they know your password. (Somewhat in the same vein, if you are running a virtual machine, *you* must assume the owner of the host computer has root access to your virtual machine. By extension, *you* must assume the government officials of the physical jurisdiction of the host computer have root access to your virtual machine.) Marko I will agree with you there. The administrator 'should' never know your password but as a user you should never believe that password security has been correctly implemented (just ask Sony :-) ) -- The subspace _W inherits the other 8 properties of _V. And there aren't even any property taxes. -- J. MacKay, Mathematics 134b -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Chris Angelico wrote: With sudo, you get MUCH finer control. But it's very hard, almost impossible, to really implement fine-grained control with sudo. Too many programs provide shell exits. Well, it's off-topic here. How about taking this to news:comp.security.unix ? Ciao, Michael. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Thu, 08 Jan 2015 16:06:16 +0200, Marko Rauhamaa wrote: Chris Angelico ros...@gmail.com: With sudo, you get MUCH finer control. I can grant some user the power to run sudo eject sr0, but no other commands. I can permit someone to execute any of a large number of commands, all individually logged. I can't remember ever having a need for that. I sometimes use sudo but most times su is the way. I can allow sudo to other users than root, without having to reveal those accounts' passwords (chances are they don't even have passwords). An administrator doesn't need the users' passwords for anything but should be assumed to know them. The administrator may be able to change them but he should NEVER know them (or need to)! But sure. If you want to cut out complication, dispense with user accounts altogether and run everything as root. That's WAY simpler! In the era of personal computers, the main advantage of the root account is that you can breathe more easily as an ordinary user, as the potential for accidental damage is lower. Marko -- Davis' Law of Traffic Density: The density of rush-hour traffic is directly proportional to 1.5 times the amount of extra time you allow to arrive on time. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 08 Jan 2015 12:43:33 GMT, alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do How do you do that? I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well. -- Steve Hayes from Tshwane, South Africa Web: http://www.khanya.org.za/stevesig.htm Blog: http://khanya.wordpress.com E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes hayes...@telkomsa.net wrote: On 08 Jan 2015 12:43:33 GMT, alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do How do you do that? I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well. Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based system. With Debian itself, you get the option during installation of setting a root password, in which case it won't install sudo by default. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2015-01-08, Michael Torrie torr...@gmail.com wrote: On 01/08/2015 10:02 AM, Steve Hayes wrote: On 08 Jan 2015 12:43:33 GMT, alb...@spenarnc.xs4all.nl (Albert van der Horst) wrote: I don't trust sudo because it is too complicated. (To the point that I removed it from my machine.) I do How do you do that? I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well. Of all the distro choosing criteria, this has to be one of the more bizarre ones I've heard. That's what I thought. Especially since it's trivial to remove sudo. Some system admin stuff on *buntu may require some extra thought since the standard pointy-clicky recipes might not work exactly as described in various fora, but anybody worried about security to the extent that they refuse to use sudo probably shouldn't be using pointy-clicky admin tools to start with. You could at least choose something fashionable to avoid, like systemd. Or whatever the desktop du jour is for distro-to-be-avoided. -- Grant Edwards grant.b.edwards at gmail.com Yow! Didn't I buy a 1951 Packard from you last March in Cairo? -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On Fri, 26 Dec 2014 15:13:25 +1100, Steven D'Aprano wrote: Deep in the brain, well underneath the level of modern languages and consciousness, there is a deeper machine language of the brain. If you can write instructions in this machine language, you can control people's brains. Back in the distant past, the Sumerians learned how to do this via spoken language, but few people speak Sumerian any more, hence there are two versions of Snow Crash: one is a drug plus virus. The drug is to encourage people to inject themselves, which then allows the virus to get into their brain. The other is an animated bitmap, which contains machine code for the human brain, and is injected via the optic nerve (i.e. when a hacker sees it). Is this why web designers are now embedding QR codes in web pages? -- Playing an unamplified electric guitar is like strumming on a picnic table. -- Dave Barry, The Snake -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On 24/12/2014 2:20 AM, Grant Edwards wrote: And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. While I love SNOW CRASH, I do think it's fundamentally flawed. The worst for me is that in a fictional universe with a VR system capable of displaying anything, the crux of the book revolves around a couple of characters having a long, long discussion about Sumerian history. A: blah blah blah blah blah Sumeria B: And then what? A: blah blah blah blah B: etc It's been at least a decade since I read it, but wasn't that also the explanation for how the virus worked? -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On 24/12/2014 9:50 PM, alister wrote: what feels like 3 or 4 chapters in it is still trying to set the scene, an exercise in stylish writing with very little content so far. even early scifi written for magazines on a per word basis were not this excessive (because if they were they would probably have been rejected or seriously edited). My personal theory is that Stephenson polishes and polishes the first few chapters until the whole creative process really engages - the first chapter is especially overwritten - and then tears through the novel in an increasingly unrefined way, until it arrives at its anticlimactic conclusion. He was notorious for a while for not providing satisfying endings to his books. Hopefully it will finally settle down amend my current impression. SNOW CRASH doesn't, I'm afraid, but Stephenson himself does as a writer. CRYPTONOMICON is a great geek read. ANATHEM is a fantastic piece of SF (possibly my favourite of his) THE SYSTEM OF THE WORLD is an amazing accomplishment and really shows that modern infotech didn't spring out of nothing like Venus from the foam. -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
alex23 wrote: On 24/12/2014 2:20 AM, Grant Edwards wrote: And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. While I love SNOW CRASH, I do think it's fundamentally flawed. The worst for me is that in a fictional universe with a VR system capable of displaying anything, the crux of the book revolves around a couple of characters having a long, long discussion about Sumerian history. A: blah blah blah blah blah Sumeria B: And then what? A: blah blah blah blah B: etc Keep in mind the limitations of the media. The novel is written word, so there are only a limited number of ways of getting background information to the reader. In this case, having one character (an AI) tell another character (the protagonist) what he needs to know is arguably the least-worst way. The many pages of info-dumping is one of the lesser parts of the book. I wonder what Stephenson's motive for writing it as dialog was, because in other parts of the book he demonstrated great skill in imparting background information to the reader without dry info-dumps (e.g. the Rat Things). At least it is information that is *not* common knowledge in-universe. Old pulp SF used to be filled with cheesy dialog like this: Attractive but stupid female: Professor, I know you've told me before, but how does the microwave oven work again? Avuncular male authority figure: Well my dear, as you know all foods contain water molecules. The oven uses radio-frequency subatomic radiation, known as 'microwaves', specially tuned to excite the oxygen-to-hydrogen molecular bonds in water molecules. As you know, heat is just the action of excited molecular bonds, so this has the effect of beaming heat energy deep into the food so that it cooks from the inside out without burning. 
and then the microwave oven is not used for anything more exciting than making a cup of tea for the rest of the book. In the case of Snow Crash, I think we need to keep in mind when it was written. In 1990, the idea that you might *carry on a conversation* with your computer still seemed (1) plausible to SF readers, who expected strong AI and robots with Asimov's Three Laws to be just around the corner, and (2) the widespread public Internet, or even use of computers, was still pretty rare. The idea that you could only get information out of a computer by typing, or pointing, would have struck readers in 1994 as terribly unrealistic. The other interface, the holographic interface so beloved of recent SF television and movies where you push screens around in space, hadn't been invented yet, and isn't terribly good for getting information to the reader since they can't actually see what is on the screen. It's been at least a decade since I read it, but wasn't that also the explanation for how the virus worked? Deep in the brain, well underneath the level of modern languages and consciousness, there is a deeper machine language of the brain. If you can write instructions in this machine language, you can control people's brains. Back in the distant past, the Sumerians learned how to do this via spoken language, but few people speak Sumerian any more, hence there are two versions of Snow Crash: one is a drug plus virus. The drug is to encourage people to inject themselves, which then allows the virus to get into their brain. The other is an animated bitmap, which contains machine code for the human brain, and is injected via the optic nerve (i.e. when a hacker sees it). -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On Tue, 23 Dec 2014 16:20:10 +, Grant Edwards wrote: On 2014-12-23, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Chris Angelico wrote: On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith r...@panix.com wrote: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) How do you know it won't create console output that stroboscopically infects you with a virus through your eyes? Because that's *totally* what would be done in the town of Eureka. Anybody in IT who hasn't read Neal Stephenson's Snow Crash needs to hand in their Geek Card immediately. I tried, but I got so tired of the author doing stuff like pointing out that there were 65536 of something or other (and that it's a power of TWO, kids!) that I gave up. The annoying thing was that there was no real technical reason why the quantity _needed_ to be a power of two. Too many of the technical details that you got constantly beat over the head with were 1) not even remotely relevent to the story 2) mostly an effort by the author to demonstrate that he had a junior-high level understanding of a 68K based Macintosh and knew lots of cool grown up tech-sounding words -- and even if had only a vague idea of what they meant, he could still impress the other 13-year olds. 3) just plain wrong And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. I am reading it now thanks to this list I currently agree that it is quite annoying what feels like 3 or 4 chapters in it is still trying to set the scene, an exercise in stylish writing with very little content so far. even early scifi written for magazines on a per word basis were not this excessive (because if they were they would probably have been rejected or seriously edited). Hopefully it will finally settle down amend my current impression. 
-- Guns don't kill people. It's those damn bullets. Guns just make them go really really fast. -- Jake Johanson -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On 2014-12-23, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Chris Angelico wrote: On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith r...@panix.com wrote: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) How do you know it won't create console output that stroboscopically infects you with a virus through your eyes? Because that's *totally* what would be done in the town of Eureka. Anybody in IT who hasn't read Neal Stephenson's Snow Crash needs to hand in their Geek Card immediately.

I tried, but I got so tired of the author doing stuff like pointing out that there were 65536 of something or other (and that it's a power of TWO, kids!) that I gave up. The annoying thing was that there was no real technical reason why the quantity _needed_ to be a power of two. Too many of the technical details that you got constantly beat over the head with were

1) not even remotely relevant to the story

2) mostly an effort by the author to demonstrate that he had a junior-high level understanding of a 68K based Macintosh and knew lots of cool grown up tech-sounding words -- and even if had only a vague idea of what they meant, he could still impress the other 13-year olds.

3) just plain wrong

And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. -- Grant -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
On Tuesday, December 23, 2014 9:50:22 PM UTC+5:30, Grant Edwards wrote: And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. You find that far-fetched? I would have thought it commoner than common-cold -- basis for the trillion dollar industry called advertising -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
Rustom Mody wrote: On Tuesday, December 23, 2014 9:50:22 PM UTC+5:30, Grant Edwards wrote: And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. You find that far-fetched? I would have thought it commoner than common-cold -- basis for the trillion dollar industry called advertising [controversial and perhaps annoying] To say nothing of religion, both the supernatural/mystical kind and the my editor/programming language/brand of car/gaming console/etc is better than yours kind... -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: OFF TOPIC Snow Crash [was Re: Hello World]
Grant Edwards wrote: On 2014-12-23, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Chris Angelico wrote: On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith r...@panix.com wrote: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) How do you know it won't create console output that stroboscopically infects you with a virus through your eyes? Because that's *totally* what would be done in the town of Eureka. Anybody in IT who hasn't read Neal Stephenson's Snow Crash needs to hand in their Geek Card immediately. I tried, but I got so tired of the author doing stuff like pointing out that there were 65536 of something or other (and that it's a power of TWO, kids!) that I gave up. The annoying thing was that there was no real technical reason why the quantity _needed_ to be a power of two. Neal Stephenson's technical chops, and his limits, are well established. He is a writer first and foremost and it is quite obvious that he's often showing off his technical knowledge even when it's not strictly relevant. Remember too that Snow Crash became a cult classic among hackers, but it was written for a science fiction and cyberpunk audience. To them, 2^16 is a strange and exotic concept: 1, or 5, or 10 would be a round number, not 65536. And even _with_ all the technical jibber-jabber, none of it explained or justified the whole writing a virus to infect the brain through the optic nerve thing which might just have well been magick and witches. Any sufficiently advanced technology. I disagree. I think he did a good job of making such a thing seem plausible without getting bogged down with inventing a detailed mechanism which could only ever be wrong. 
But then I was easily convinced, because I already knew of various related facts and concepts which probably primed me to accept the concept of the Snow Crash virus:

- Zombie ant fungus and various other parasites which manipulate the brains of organisms, including human beings (Toxoplasmosis, syphilis and others).
- The optic nerve is technically not a nerve, but part of the brain, and there are deep and subtle connections between it and the rest of the brain, e.g. blind-sight.
- The theory of memes, or perhaps I should say the meme of memes, since memetics has never been quite vigorous enough to count as an actual theory.
- Super-stimuli.
- The human brain considered as an information processor.
- Julian Jaynes' book The Origin Of Consciousness In The Breakdown Of The Bicameral Mind, a hypothesis so wonderful that it needs to be true (alas, it's probably rubbish).

Personally, I don't believe that in this day and age of Java programming, anyone could be programmed by looking at a black and white animated bitmap, but back in the 1990s it was probably a bit more plausible that hackers would spend their time learning to read machine code. But there's always the chance that somebody will find a way a stimulus that crashes the human brain and lets them run the arbitrary code of their choice... -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Chris Angelico ros...@gmail.com: Level 0: Why implement your own crypto?!? Licensing concerns come to mind. For example, the reference implementations of MD5 [RFC1321] and SHA1 [RFC3174] are not in the public domain. Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Mon, Dec 22, 2014 at 7:52 PM, Marko Rauhamaa ma...@pacujo.net wrote: Chris Angelico ros...@gmail.com: Level 0: Why implement your own crypto?!? Licensing concerns come to mind. For example, the reference implementations of MD5 [RFC1321] and SHA1 [RFC3174] are not in the public domain. Which would you prefer? Something with licensing restrictions, or something that's either outright buggy, completely insecure due to something you didn't notice, or maybe has an unnoticed side-channel attack that leaks your keys? While these can happen with well-known libraries like libssl, they also get patched; when Heartbleed went public, updates to the affected versions were available pretty quickly, but if you had your own implementation, someone might be leaking your keys without your knowledge and you have to fix it yourself... if you ever notice. But we're somewhat off topic now... ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Steve Hayes wrote: Yes, my initial reaction was that's awesome. And my second thought was that it was scary. I ran it. It worked, and printed Hello world. I was awed. But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that?

That's why I didn't run it myself :-) Seriously. I read the blog post, it seemed legitimate, I could follow the explanation for how it worked well enough to be convinced it would work, but I didn't try running it myself. If I had, I would have made sure I was running as an unprivileged user, not the superuser/Administrator account. Actually, since I care more about my personal files than the operating system, I'd prefer to *not* use my normal account. This being Linux, I can run suspicious code as the nobody user:

[steve@ando ~]$ sudo -u nobody python -c "print 'Hello World'"
Hello World

Running as nobody limits the harm a rogue script might do:

[steve@ando ~]$ sudo -u nobody python -c "import os; os.listdir('/home/steve')"
Traceback (most recent call last):
  File "<string>", line 1, in ?
OSError: [Errno 13] Permission denied: '/home/steve'

Ultimately, I'm trusting the security of my operating system. -- Steven -- https://mail.python.org/mailman/listinfo/python-list
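Running as `nobody` only contains a script where the permission bits actually keep other accounts out. The following is an added example, not code from the thread: it walks a directory and reports what an account that is neither the owner nor in the group could read or write; the function names and the sample tree are constructed for illustration, and ACLs and parent directories above the root are not considered.

```python
import os
import stat
import tempfile


def reachable_by_others(root):
    """Return {"read": [...], "write": [...]} with paths (relative to root)
    that the "other" permission class can read or write. A directory listed
    under "read" can be listed; one without o+x hides everything below it."""
    found = {"read": [], "write": []}

    def record(path, mode):
        rel = os.path.relpath(path, root)
        if mode & stat.S_IROTH:
            found["read"].append(rel)
        if mode & stat.S_IWOTH:
            found["write"].append(rel)

    def visit(directory):
        mode = os.lstat(directory).st_mode
        # Without search (x) permission nothing inside can be opened,
        # whatever the modes of the files themselves are.
        if not mode & stat.S_IXOTH:
            return
        record(directory, mode)
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if entry.is_symlink():
                continue  # do not wander outside the tree being audited
            if entry.is_dir(follow_symlinks=False):
                visit(entry.path)
            elif entry.is_file(follow_symlinks=False):
                record(entry.path, entry.stat(follow_symlinks=False).st_mode)

    visit(root)
    return found


def build_demo_home(base):
    """Constructed sample tree standing in for a home directory."""
    files = {
        "notes.txt": 0o644,          # world-readable
        "id_rsa": 0o600,             # owner only
        "shared/drop.txt": 0o666,    # world-writable
        "private/diary.txt": 0o644,  # readable bits, but parent is 0700
    }
    dirs = {"shared": 0o755, "private": 0o700}
    for name in dirs:
        os.mkdir(os.path.join(base, name))
    for name, mode in files.items():
        path = os.path.join(base, *name.split("/"))
        with open(path, "w") as handle:
            handle.write("constructed sample data\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    for name, mode in dirs.items():
        os.chmod(os.path.join(base, name), mode)


def demo():
    """Audit the sample tree twice: home at 0755, then home at 0700."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_home(base)
        os.chmod(base, 0o755)
        open_home = reachable_by_others(base)
        os.chmod(base, 0o700)
        closed_home = reachable_by_others(base)
    return open_home, closed_home


if __name__ == "__main__":
    for label, result in zip(("home 0755", "home 0700"), demo()):
        print(label, result)
```

With the home directory at 0700 the audit comes back empty, which is the situation behind the `Permission denied: '/home/steve'` error in the session above.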
Re: Hello World
Steven D'Aprano steve+comp.lang.pyt...@pearwood.info: Steve Hayes wrote: But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that? That's why I didn't run it myself :-) Well, I admit having run yum install python3 as root. Ultimately, I'm trusting the security of my operating system. Ultimately, I'm trusting my luck. Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article 0udf9a1m3n02rt06a5ib58mvifm7sde...@4ax.com, Steve Hayes hayes...@telkomsa.net wrote: On Mon, 22 Dec 2014 09:51:02 +1100, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Tony the Tiger wrote: On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote: I am in total awe. I'm not. It has no real value. Write your code like that and you'll soon be looking for a new job. Awww, did da widdle puddy tat get up on the wrong side of the bed this morning? :-) Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Yes, my initial reaction was that's awesome. And my second thought was that it was scary. I ran it. It worked, and printed Hello world. I was awed. But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that? How would you know any code you download from the net won't reformat your disk? If I wanted to write something evil, I wouldn't write it to look obfuscated. I'd write it to look like it did something useful. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article 5497e1d5$0$12978$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Steve Hayes wrote: Yes, my initial reaction was that's awesome. And my second thought was that it was scary. I ran it. It worked, and printed Hello world. I was awed. But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that? That's why I didn't run it myself :-) Seriously. I read the blog post, it seemed legitimate, I could follow the explanation for how it worked well enough to be convinced it would work, but I didn't try running it myself. If I had, I would have made sure I was running as an unprivileged user, not the superuser/Administrator account. Actually, since I care more about my personal files than the operating system, I'd prefer to *not* use my normal account. This being Linux, I can run suspicious code as the nobody user: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith r...@panix.com wrote: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) How do you know it won't create console output that stroboscopically infects you with a virus through your eyes? Because that's *totally* what would be done in the town of Eureka. (I miss that show. Their technobabble was so mindbogglingly bad it became rather funny.) ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Roy Smith r...@panix.com: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) Speaking of trust and AWS, Amazon admins—and by extension, the NSA—have full access to the virtual machines. That needs to be taken into account when running serious services on their facilities. Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article 87egrrrf2i@elektro.pacujo.net, Marko Rauhamaa ma...@pacujo.net wrote: Roy Smith r...@panix.com: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) Speaking of trust and AWS, Amazon admins—and by extension, the NSA—have full access to the virtual machines. That needs to be taken into account when running serious services on their facilities. Marko Nobody who is really serious about security runs their stuff in any kind of shared infrastructure. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Roy Smith wrote: If I wanted to write something evil, I wouldn't write it to look obfuscated. I'd write it to look like it did something useful. That's an order of magnitude harder than merely obfuscating code. If you wanted to write something evil, better to just rely on the fact that most people won't read the source code at all. Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Steven D'Aprano writes: Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) Not sure what that character is (those characters are) but it's not (they aren't) the hyphen that rm expects in its options, so: os.system(rm ――rf /) rm: cannot remove `――rf': No such file or directory rm: cannot remove `/': Is a directory 256 :) -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Mon, Dec 22, 2014 at 9:22 AM, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) And because Steven *knows* some fool will try this at home, he cripples the rm command. Now where's the fun in that? :-) Skip -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Mon, Dec 22, 2014 at 4:36 PM, Jussi Piitulainen jpiit...@ling.helsinki.fi wrote: Steven D'Aprano writes: Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) Not sure what that character is (those characters are) but it's not (they aren't) the hyphen that rm expects in its options, so: os.system(rm ――rf /) rm: cannot remove `――rf': No such file or directory rm: cannot remove `/': Is a directory 256

Let's ask Python: (polyglot 2.6+/3.3+ code!)

from __future__ import print_function
import unicodedata
command = u"rm ――rf /"
for i in command:
    print(hex(ord(i)), unicodedata.name(i))

0x72 LATIN SMALL LETTER R
0x6d LATIN SMALL LETTER M
0x20 SPACE
0x2015 HORIZONTAL BAR
0x2015 HORIZONTAL BAR
0x72 LATIN SMALL LETTER R
0x66 LATIN SMALL LETTER F
0x20 SPACE
0x2f SOLIDUS

There’s your answer: it’s U+2015 HORIZONTAL BAR, twice. And `rm` wants U+002D HYPHEN-MINUS instead. Moreover, it wants only one HYPHEN-MINUS and not two:

Linux:
$ rm --rf /
rm: unrecognized option '--rf'
Try 'rm --help' for more information.

BSD:
$ rm --rf /
rm: illegal option -- -
usage: rm [-f | -i] [-dIPRrvWx] file ...
       unlink file

That’s two-step “protection”. (This e-mail brought to you by Unicode.) -- Chris Warrick https://chriswarrick.com/ PGP: 5EAAEA16 -- https://mail.python.org/mailman/listinfo/python-list
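The by-hand inspection in the message above can be turned into a pre-flight check for commands pasted from web pages or mail, where typographic dashes silently turn options into file operands. This is an added example, not code from the thread; `dash_lookalikes` and `classify_args` are names made up here, and the classification assumes a POSIX getopt-style tool.

```python
import shlex
import unicodedata

ASCII_HYPHEN = "\u002d"   # U+002D HYPHEN-MINUS, the only dash option parsers accept
MINUS_SIGN = "\u2212"     # category Sm, so it needs an explicit check

# The command string from the thread, written with escapes: two U+2015 characters.
PAGE_COMMAND = "rm \u2015\u2015rf /"


def dash_lookalikes(text):
    """Return (index, codepoint, name) for each dash-like character in text
    that is not U+002D HYPHEN-MINUS."""
    hits = []
    for index, ch in enumerate(text):
        if ch == ASCII_HYPHEN:
            continue
        # Unicode general category Pd is "Punctuation, dash": en dash,
        # em dash, horizontal bar, figure dash and similar characters.
        if unicodedata.category(ch) == "Pd" or ch == MINUS_SIGN:
            hits.append((index, "U+%04X" % ord(ch),
                         unicodedata.name(ch, "UNNAMED")))
    return hits


def classify_args(command):
    """Split command like a POSIX shell and say how a getopt-style tool
    would treat each argument. Nothing is executed."""
    report = []
    options_ended = False
    for arg in shlex.split(command)[1:]:
        if options_ended:
            kind = "operand"
        elif arg == "--":
            kind = "end-of-options"
            options_ended = True
        elif arg.startswith("--"):
            kind = "long-option"
        elif arg.startswith("-") and len(arg) > 1:
            kind = "short-options"
        elif dash_lookalikes(arg[:1]):
            # Looks like an option to a human, but the tool sees a file name.
            kind = "operand-with-lookalike-dash"
        else:
            kind = "operand"
        report.append((arg, kind))
    return report


if __name__ == "__main__":
    # Constructed sample inputs; the first is the string discussed in the thread.
    for sample in (PAGE_COMMAND, "ls -la /tmp", "ls \u2013la /tmp"):
        print(repr(sample))
        for hit in dash_lookalikes(sample):
            print("   lookalike:", hit)
        for arg, kind in classify_args(sample):
            print("   %-30s %r" % (kind, arg))
```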
Re: Hello World
On 2014-12-21, Tony the Tiger tony@tiger.invalid wrote: On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote: I am in total awe. I'm not. It has no real value. Write your code like that and you'll soon be looking for a new job. I think you'll find that people who know enough to write code like that only do it for entertainment purposes. -- Grant -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2014-12-21, Roy Smith r...@panix.com wrote: In article 54974ed7$0$12986$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Heh. I once worked on a C++ project that included its own crypo code (i.e. custom implementations of things like AES and SHA-1). Damn. Should I ever start to do something like that (for a real product), I hereby officially request that somebody please try to slap some sense into me. -- Grant -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2014-12-22, Steve Hayes hayes...@telkomsa.net wrote: On Mon, 22 Dec 2014 09:51:02 +1100, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Yes, my initial reaction was that's awesome. And my second thought was that it was scary. I ran it. It worked, and printed Hello world. I was awed. But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that? Well, not running it as root would be a start. -- Grant -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Skip Montanaro wrote: On Mon, Dec 22, 2014 at 9:22 AM, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) And because Steven *knows* some fool will try this at home, he cripples the rm command. Now where's the fun in that? :-) Ah, I'm just a big softie :-) -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Tue, Dec 23, 2014 at 3:23 AM, Grant Edwards invalid@invalid.invalid wrote: Heh. I once worked on a C++ project that included its own crypo code (i.e. custom implementations of things like AES and SHA-1). Damn. Should I ever start to do something like that (for a real product), I hereby officially request that somebody please try to slap some sense into me. Likewise. And I'll happily do the slapping. There's one exception. Writing your own crypto is a bad idea if that means reimplementing AES... but if you want something that's effective on completely different levels, sometimes it's best to write your own. I had a project a while ago that needed some encryption work done, and I implemented something that I described as scarily effective. My boss demanded that the debug code-execution feature be protected by a password that would be strong even if someone could read the source code, so I put together something that would hash the incoming password, then check to see if the first two and last two bytes of the hash were all the same byte value as the current hour-of-week (ranging from 0 to 167). This is clearly more secure than simply embedding a SHA256 hash in the source code, because you can't possibly reverse-engineer it (since you don't even have the full hash). And yes, this was 100% effective in convincing my boss that the code executor was safely guarded. Since that was the goal, having several lines of complex and opaque code was far better than a single line that says if hash(password)=='5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8': do stuff, which is way too easy for someone to decode. And it was, indeed, scarily effective. That lasted for a long time, and any time there was a question about security, I could just point to that and say See? Safe ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 22/12/2014 15:39, Skip Montanaro wrote: On Mon, Dec 22, 2014 at 9:22 AM, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info mailto:steve%2bcomp.lang.pyt...@pearwood.info wrote: Don't try this at home! # download_naked_pictures_of_jennifer_lawrence.py import os os.system(rm ――rf /) And because Steven *knows* some fool will try this at home, he cripples the rm command. Now where's the fun in that? :-) Skip I don't see any fun anywhere in this at all. How can one import and one os.system() call do any damage to anything? I'm guessing that rm is Bob Martin but who is rf? Shouldn't that be a backslash '\' on Windows? -- My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language. Mark Lawrence -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 22/12/2014 16:23, Grant Edwards wrote: On 2014-12-21, Roy Smith r...@panix.com wrote: In article 54974ed7$0$12986$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Heh. I once worked on a C++ project that included its own crypo code (i.e. custom implementations of things like AES and SHA-1). Damn. Should I ever start to do something like that (for a real product), I hereby officially request that somebody please try to slap some sense into me. I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. -- My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language. Mark Lawrence -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2014-12-22 18:51, Mark Lawrence wrote: On 22/12/2014 16:23, Grant Edwards wrote: On 2014-12-21, Roy Smith r...@panix.com wrote: In article 54974ed7$0$12986$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Heh. I once worked on a C++ project that included its own crypo code (i.e. custom implementations of things like AES and SHA-1). Damn. Should I ever start to do something like that (for a real product), I hereby officially request that somebody please try to slap some sense into me. I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Mon, 22 Dec 2014 16:18:33 +, Grant Edwards wrote: On 2014-12-21, Tony the Tiger tony@tiger.invalid wrote: On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote: I am in total awe. I'm not. It has no real value. Write your code like that and you'll soon be looking for a new job. I think you'll find that people who know enough to write code like that only do it for entertainment purposes. Some of the articles on the daily wtf suggest otherwise -- I'd rather have a free bottle in front of me than a prefrontal lobotomy. -- Fred Allen [Also attributed to S. Clay Wilson. Ed.] -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2014-12-22 19:05, MRAB wrote: On 2014-12-22 18:51, Mark Lawrence wrote: I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) But you know he does it just for the halibut... -tkc -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article mailman.17133.1419276169.18130.python-l...@python.org, Tim Chase python.l...@tim.thechases.com wrote: On 2014-12-22 19:05, MRAB wrote: On 2014-12-22 18:51, Mark Lawrence wrote: I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) But you know he does it just for the halibut... Are you guys fishing for complements? -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Tue, Dec 23, 2014 at 11:55 AM, Roy Smith r...@panix.com wrote: In article mailman.17133.1419276169.18130.python-l...@python.org, Tim Chase python.l...@tim.thechases.com wrote: On 2014-12-22 19:05, MRAB wrote: On 2014-12-22 18:51, Mark Lawrence wrote: I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) But you know he does it just for the halibut... Are you guys fishing for complements? That has nothing to do with it, it's just a red herring! ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote: In article mailman.17133.1419276169.18130.python-l...@python.org, Tim Chase python.l...@tim.thechases.com wrote: On 2014-12-22 19:05, MRAB wrote: On 2014-12-22 18:51, Mark Lawrence wrote: I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) But you know he does it just for the halibut... Are you guys fishing for complements? I never thought I'd get cod in a pun thread outside of reddit. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 2014-12-23 01:03, sohcahto...@gmail.com wrote: On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote: In article mailman.17133.1419276169.18130.python-l...@python.org, Tim Chase python.l...@tim.thechases.com wrote: On 2014-12-22 19:05, MRAB wrote: On 2014-12-22 18:51, Mark Lawrence wrote: I'm having wonderful thoughts of Michael Palin's favourite Python sketch which involved fish slapping. Well, ChrisA _has_ mentioned Pike in this thread. :-) But you know he does it just for the halibut... Are you guys fishing for complements? I never thought I'd get cod in a pun thread outside of reddit. And a programming newsgroup isn't really the plaice for it anyway! -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Tue, Dec 23, 2014 at 12:37 PM, MRAB pyt...@mrabarnett.plus.com wrote: And a programming newsgroup isn't really the plaice for it anyway! And yet we do carp on a bit, don't we... ChrisA -- https://mail.python.org/mailman/listinfo/python-list
OFF TOPIC Snow Crash [was Re: Hello World]
Chris Angelico wrote: On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith r...@panix.com wrote: If I really didn't trust something, I'd go to AWS and spin up one of their free-tier micro instances and run it there :-) How do you know it won't create console output that stroboscopically infects you with a virus through your eyes? Because that's *totally* what would be done in the town of Eureka. Anybody in IT who hasn't read Neal Stephenson's Snow Crash needs to hand in their Geek Card immediately. Snow Crash is nearly 20 years old now but still as much of a ripping yarn today as it was the year it was written. Under-achiever, freelance hacker and part-time pizza delivery boy for the Mafia, Hiro Protagonist, discovers that somebody has written a virus that hacks into computer programmers' brains via their optic nerve. This book has drama, adventure, humour, vast amounts of exposition that might even be almost true, a murderous Inuit who is his own sovereign state (a *nuclear armed* sovereign state at that), Rat Things, Sumerian myths, Reverend Wayne's Pearly Gates franchise, one of the most spunky teenage protagonists I've ever read, and pirates listening to Reason. -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 23/12/2014 01:39, Chris Angelico wrote: On Tue, Dec 23, 2014 at 12:37 PM, MRAB pyt...@mrabarnett.plus.com wrote: And a programming newsgroup isn't really the plaice for it anyway! And yet we do carp on a bit, don't we... ChrisA Gordon Bennett what have I started? You dangle a bit of bait and... -- My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language. Mark Lawrence -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Monday, December 22, 2014 3:04:52 PM UTC+5:30, Marko Rauhamaa wrote: Steven D'Aprano: Steve Hayes wrote: But what if I had run it and it reformatted my hard disk? How would I have known that it would or wouldn't do that? That's why I didn't run it myself :-) Well, I admit having run yum install python3 as root. Ultimately, I'm trusting the security of my operating system. Ultimately, I'm trusting my luck.

O that's nothing. I've eaten cookies. Given by strangers can contain narcotics you know! I've even walked on the road. Mines? You've heard of them right?!? People get their legs blown off [shivers] Only computers I don't use -- Just too dangerous. If cars and bikes can have bombs -- why not a computer? Speaking of which you guys have been had by Steven. That was not an innocent Hello World program. All those who tried it Beware! On the next Friday the 13th when you hear the wings of werewolves waffling inside your disk drive... you know who is responsible [Sound of eerie music] == Merry Christmas everyone! -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
CM cmpyt...@gmail.com: On Sunday, December 21, 2014 2:44:50 AM UTC-5, CM wrote: Hello, world! 13 Actually, there is no comma after Hello. Do you have a patch? Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Tony the Tiger tony@tiger.invalid: On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote: I am in total awe. I'm not. It has no real value. It is, of course, a joke, and there are whole tongue-in-cheek languages like Brainfuck. However, some similar exercises carry deep meaning. Take, for example, iota and jot (URL: http://semarch.linguistics.fas.nyu.edu/barker/Iota/). Write your code like that and you'll soon be looking for a new job. Navigare necesse est, vivere non est necesse. Marko -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
Tony the Tiger wrote: On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote: I am in total awe. I'm not. It has no real value. Write your code like that and you'll soon be looking for a new job. Awww, did da widdle puddy tat get up on the wrong side of the bed this morning? :-) Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Any beginner with 3 seconds experience with Python can write: print Hello World But being able to write obfuscated code to that degree displays real skill and understanding of the language, and a great deal of patience and stick with it-ness, all of which are valuable work skills. -- Steven -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article 54974ed7$0$12986$c3e8da3$54964...@news.astraweb.com, Steven D'Aprano steve+comp.lang.pyt...@pearwood.info wrote: Obviously you don't write obfuscated code like this for production use, except in such cases where you deliberately want to write obfuscated code for production use. Heh. I once worked on a C++ project that included its own crypto code (i.e. custom implementations of things like AES and SHA-1). The person who wrote some particular bit of the code had decided that deliberately obfuscating the function and variable names would somehow make it more secure, so that's what he did. The mind boggles. At so many levels. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On Mon, Dec 22, 2014 at 10:50 AM, Roy Smith r...@panix.com wrote: Heh. I once worked on a C++ project that included its own crypto code (i.e. custom implementations of things like AES and SHA-1). The person who wrote some particular bit of the code had decided that deliberately obfuscating the function and variable names would somehow make it more secure, so that's what he did. The mind boggles. At so many levels. Level 0: Why implement your own crypto?!? ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
In article mailman.17098.1419207020.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote: On Mon, Dec 22, 2014 at 10:50 AM, Roy Smith r...@panix.com wrote: Heh. I once worked on a C++ project that included its own crypto code (i.e. custom implementations of things like AES and SHA-1). The person who wrote some particular bit of the code had decided that deliberately obfuscating the function and variable names would somehow make it more secure, so that's what he did. The mind boggles. At so many levels. Level 0: Why implement your own crypto?!? ChrisA That would be one of the levels. -- https://mail.python.org/mailman/listinfo/python-list
Re: Hello World
On 22/12/2014 00:10, Chris Angelico wrote: Level 0: Why implement your own crypto?!? Because people who don't understand the concepts behind cryptography don't understand that the crypto algorithm can be open whilst the results of applying the algorithm are secure. There again I always use ROT-13 to encrypt my stuff. For the stuff that really has to be NSA-proof I use ROT-13 twice. -- https://mail.python.org/mailman/listinfo/python-list
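The two points made in the messages above (obfuscated names add no security, and a published algorithm stays secure while the key stays secret), as an added example that is not code from any poster in this thread. It uses the standard library's HMAC-SHA256 as the published algorithm; the function names `rot13`, `tag`, `zq9`, `verify` and the sample message are assumptions made for illustration.

```python
import codecs
import hashlib
import hmac
import secrets


def rot13(text: str) -> str:
    """Keyless scheme: knowing the algorithm is enough to reverse it."""
    return codecs.encode(text, "rot_13")


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: a published algorithm whose only secret is the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def zq9(a: bytes, b: bytes) -> bytes:
    """Same routine behind obfuscated names (hypothetical, for comparison)."""
    return hmac.new(a, b, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, candidate: bytes) -> bool:
    """Constant-time comparison of the expected tag with the candidate."""
    return hmac.compare_digest(tag(key, message), candidate)


def demo() -> dict:
    message = b"Hello World"            # constructed sample input
    key = secrets.token_bytes(32)       # the one secret in the system
    other_key = secrets.token_bytes(32)
    good = tag(key, message)
    return {
        "rot13_once": rot13("Hello World"),
        "rot13_twice": rot13(rot13("Hello World")),
        "obfuscated_same_output": zq9(key, message) == good,
        "right_key_verifies": verify(key, message, good),
        "other_key_verifies": verify(other_key, message, good),
        "tampered_verifies": verify(key, b"Hello W0rld", good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Renaming the routine changes nothing an observer of its output can measure, while changing the key or the message changes everything.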
Re: Hello World
On Mon, Dec 22, 2014 at 11:12 AM, Roy Smith r...@panix.com wrote: In article mailman.17098.1419207020.18130.python-l...@python.org, Chris Angelico ros...@gmail.com wrote: On Mon, Dec 22, 2014 at 10:50 AM, Roy Smith r...@panix.com wrote: Heh. I once worked on a C++ project that included its own crypto code (i.e. custom implementations of things like AES and SHA-1). The person who wrote some particular bit of the code had decided that deliberately obfuscating the function and variable names would somehow make it more secure, so that's what he did. The mind boggles. At so many levels. Level 0: Why implement your own crypto?!? ChrisA That would be one of the levels. Good, I'm glad you agree on that one. I don't mind reimplementing some other protocols (couple years ago now I built my own OAuth library because the provided one was being terrible - no, this wasn't in Python), especially the simple ones (SMTP or FTP - use a library/module if available, but otherwise just establish a socket connection and do whatever you need), and even complex protocols can occasionally be worth reworking (Pike has its own PostgreSQL client, rather than using libpq, and it gets some handy improvements in concurrency), but crypto's one thing that it's *never* worth rewriting. ChrisA -- https://mail.python.org/mailman/listinfo/python-list