Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!1.eu.feeder.erje.net!newsfeed.xs4all.nl!newsfeed8.news.xs4all.nl!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.028 X-Spam-Evidence: '*H*': 0.94; '*S*': 0.00; 'subject:Python': 0.05; 'preferably': 0.05; 'works.': 0.07; 'degree,': 0.09; 'negative,': 0.09; 'obviously': 0.15; 'from:addr:torriem': 0.16; 'from:name:michael torrie': 0.16; 'holy': 0.16; 'vectors': 0.16; 'wrote:': 0.16; 'case.': 0.18; 'saying': 0.22; 'finished': 0.23; 'header:In-Reply-To:1': 0.24; 'header:User-Agent:1': 0.26; 'practices,': 0.27; 'actual': 0.29; 'code': 0.31; 'similar': 0.32; 'class': 0.33; 'science.': 0.33; 'steven': 0.33; 'message- id:@gmail.com': 0.35; 'to:addr:python-list': 0.35; 'but': 0.36; 'except': 0.36; 'there': 0.36; 'subject:: ': 0.37; 'thought': 0.37; 'one,': 0.37; 'received:org': 0.38; 'pm,': 0.39; 'does': 0.39; 'to:addr:python.org': 0.39; 'received:192': 0.39; 'your': 0.60; 'secure': 0.61; 'show': 0.62; 'expert': 0.63; 'charset:windows-1252': 0.65; 'secure.': 0.66; 'subject:Data': 0.66; 'talking': 0.67; 'attacks.': 0.84; 'proving': 0.84 X-Virus-Scanned: amavisd-new at torriefamily.org Date: Sat, 27 Jun 2015 11:02:31 -0600 From: Michael Torrie User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: python-list@python.org Subject: Re: Pure Python Data Mangling or Encrypting References: <558b7e85$0$1648$c3e8da3$5496439d@news.astraweb.com> <558bc912$0$2899$c3e8da3$76491128@news.astraweb.com> <558c1a7e$0$1668$c3e8da3$5496439d@news.astraweb.com> <558d86b0$0$1659$c3e8da3$5496439d@news.astraweb.com> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.20+ Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 19 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1435424557 news.xs4all.nl 2951 [2001:888:2000:d::a6]:32862 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:93251 On 06/26/2015 03:11 PM, Johannes Bauer wrote: > You misunderstand. This is now how it works, this is not how any of this > works. Steven does not *at all* have to prove to you your system is > breakable or show actual attacks. YOU have to prove that your system is > secure. Ahh the holy grail of computer science. Now it's been a while since I finished my CS degree, but I recall spending a lot of time in class talking about the proving code correctness, which is a similar problem, and learning that that was thought to be NP complete. Furthermore you cannot prove a negative, which is what proving security is for anything but the trivial case. Are you saying this is untrue? Obviously there are best practices, which you are an expert in. But how does one prove a system is secure except by enumerating attack vectors and addressing each one, preferably in the design phase?