Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!feeder.news-service.com!news2.euro.net!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.018
X-Spam-Evidence: '*H*': 0.96; '*S*': 0.00; 'plenty': 0.04; 'broken.': 0.07; 'fine,': 0.07; 'python': 0.08; 'throw': 0.09; 'am,': 0.14; 'wrote:': 0.14; 'subject:python': 0.14; 'angelico': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'subject:distribution': 0.16; "hasn't": 0.19; 'this?': 0.19; 'header:In-Reply-To:1': 0.21; 'thu,': 0.22; 'code.': 0.22; 'received:209.85.210.174': 0.23; 'received:mail- iy0-f174.google.com': 0.23; 'subject:code': 0.23; 'fix': 0.23; 'code': 0.24; 'testing': 0.27; "i'm": 0.27; 'message- id:@mail.gmail.com': 0.28; 'thanks': 0.28; 'server': 0.29; 'forgot': 0.29; "he's": 0.29; 'order.': 0.29; 'code,': 0.29; 'bit': 0.30; 'do.': 0.30; '(just': 0.30; 'this.': 0.31; "can't": 0.32; 'done': 0.32; 'someone': 0.33; 'to:addr:python-list': 0.33; 'break': 0.33; 'error': 0.33; 'things': 0.33; 'chris': 0.34; 'direction': 0.34; 'quite': 0.36; 'received:google.com': 0.37; 'received:209.85': 0.37; 'security.': 0.37; 'techniques,': 0.37; 'thread': 0.37; 'ways': 0.37; 'two': 0.37; 'think': 0.38; 'run': 0.38; 'but': 0.38; 'easiest': 0.38; 'subject:: ': 0.38; 'some': 0.38; 'doing': 0.39; 'should': 0.39; 'client': 0.39; "i'd": 0.39; 'received:209': 0.39; 'either': 0.39; 'to:addr:python.org': 0.39; 'everyone': 0.40; 'more': 0.60; 'kind': 0.60; 'your': 0.60; 'back': 0.63; 'secure': 0.63; 'direction.': 0.65; 'here': 0.66; 'online': 0.71; 'game,': 0.84; 'ask.': 0.91; 'cope': 0.91
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=lx0gEqF87r5vs1GoEB/9yziP1n72T43/cH6Gx4I6ZTw=; b=vuTOQmrJuskdXf/4Mkh22ou6RWcR2ZLxwDD+IcdYzMdesTuOJThhVMOBieVAeMhbq4 aaXAfAZt0EiUtaP1sW0J1tfz6UllYfz2V3nvFbK+6EOwRS3uFA3Z/w/YscNLornc/pSt UXiyMA0rDYp2GdWmR8hOrAoED28OzbdszJj/w=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=HOV8kLalYHGzjDffJP9lI635YaTdrGrqNhFbVHjgw2EaPpvpAa/M/8RytXuxEwmqj7 sMfBL947VWK5pb9ag1QdMq+TUelY1Vwi8XGvOcTp+QAJNwnyGizrUfJT54wuXDAOKZ0x joERQ8zjvukFbtUi1X/gD8SMy0DqlGYCndw/o=
MIME-Version: 1.0
In-Reply-To: <4DD40F65.7090807@tysdomain.com>
References: <4DD08620.4030507@tysdomain.com> <mailman.1611.1305512463.9059.python-list@python.org> <op.vvlipenoa8ncjz@gnudebst> <5h9ca8-ekq.ln1@svn.schaathun.net> <BANLkTikm9+ordG3xudYTdmrce3vPcHnQ-A@mail.gmail.com> <BANLkTin6Mf3_s9PaMAZgu+DgZ=U+EV+QiA@mail.gmail.com> <BANLkTi=f7Kx=F144dgjaCm6Bwmh3egWAYw@mail.gmail.com> <4DD40F65.7090807@tysdomain.com>
Date: Thu, 19 May 2011 04:49:30 +1000
Subject: Re: obviscating python code for distribution
From: Chris Angelico <rosuav@gmail.com>
To: python-list@python.org
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.1768.1305744573.9059.python-list@python.org>
Lines: 28
NNTP-Posting-Host: 82.94.164.166
X-Trace: 1305744573 news.xs4all.nl 49183 [::ffff:82.94.164.166]:38767
X-Complaints-To: abuse@xs4all.nl
Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:5726

On Thu, May 19, 2011 at 4:26 AM, Littlefield, Tyler <tyler@tysdomain.com> wrote:
>>might be secure as long as attackers cannot, say:
> You forgot UFOs.
> Anyway, again, thanks to everyone for the advice, this is good reading.
> Incidentally, I don't know to much about security. I know about rate
> limiting and dos attacks, as well as some others, but I think there's a lot
> more that I don't know--can someone kind of aim me in the right direction
> for some of this? I want to be able to take techniques, break my server and
> then fix it so that can't be done before I head to public with this.

Your last sentence IS the right direction. The two easiest ways to
find out if your system is secure are (1) try to break it, and (2)
pore over the code and see what can be broken.

When you start testing things, try doing things in the wrong order.
Your server should either cope with it fine, or throw back an error to
that client, but should never allow any action that that client hasn't
already proven he's allowed to do.

There's plenty of people here who know what they're talking about when
it comes to security (just skim over this thread for a few good
names!), so if you have specific questions regarding your Python code,
do ask. Alternatively, if it's not particularly Python-related, I
would be happy for you to email me privately; I'm a gamer, and run an
online game, so I'd be quite willing to have a bit of a poke at your
code.

Chris Angelico