From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
Date: Sun, 10 Nov 2013 09:20:09 +1100
Subject: Re: To whoever hacked into my Database
In-Reply-To: <527E557F.3010305@rece.vub.ac.be>
References: <527a5f79$1@news.synserver.de> <527E557F.3010305@rece.vub.ac.be>

On Sun, Nov 10, 2013 at 2:32 AM, Antoon Pardon wrote:
>> And I had until I made some new changes last night, which I think I have corrected now as we speak.
>
> Continuing the arrogance.

Just to put that in perspective, by the way: *EVERYONE* writes vulnerable code. Even Python itself has been found to have had significant exploits (hash randomization had to get backported a long way). There's nothing wrong with fixing security bugs; there's not even a lot wrong with the iterative process of "find bug, fix bug, find another bug, fix another bug". There are two major problems with what you did here, Nikos, and they are:

1) Starting with a hopelessly insecure system and then trying to band-aid patch it one vulnerability at a time, which is folly; and

2) Boasting that your system was now secure.

The main issue is the boasting, which is utterly unwarranted arrogance. All you have to do is look at how, after boasting previously, you were provably vulnerable - which means that you clearly still had problems while you were boasting. A more humble attitude of "Oops, well, that's fixed now" without saying "Ha ha, now try to break THAT, I'm oh so perfect now" would suit you far better, based on your history.

ChrisA