Groups > comp.lang.python > #82693 > unrolled thread
| Started by | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| First post | 2014-12-20 23:57 +1100 |
| Last post | 2014-12-22 19:05 +0000 |
| Articles | 20 on this page of 122 — 30 participants |
| From | Roy Smith <roy@panix.com> |
|---|---|
| Date | 2014-12-22 19:55 -0500 |
| Message-ID | <roy-7D1708.19552822122014@news.panix.com> |
| In reply to | #82800 |
In article <mailman.17133.1419276169.18130.python-list@python.org>,
Tim Chase <python.list@tim.thechases.com> wrote:
> On 2014-12-22 19:05, MRAB wrote:
> > On 2014-12-22 18:51, Mark Lawrence wrote:
> > > I'm having wonderful thoughts of Michael Palin's favourite Python
> > > sketch which involved fish slapping.
> > >
> > Well, ChrisA _has_ mentioned Pike in this thread. :-)
>
> But you know he does it just for the halibut...
>
Are you guys fishing for complements?
| From | sohcahtoa82@gmail.com |
|---|---|
| Date | 2014-12-22 17:03 -0800 |
| Message-ID | <27bf3c98-f1cd-4d67-bb51-958c9d4fd71f@googlegroups.com> |
| In reply to | #82821 |
On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote:
> In article <mailman.17133.1419276169.18130.python-list@python.org>,
> Tim Chase <python.list@tim.thechases.com> wrote:
>
> > On 2014-12-22 19:05, MRAB wrote:
> > > On 2014-12-22 18:51, Mark Lawrence wrote:
> > > > I'm having wonderful thoughts of Michael Palin's favourite Python
> > > > sketch which involved fish slapping.
> > > >
> > > Well, ChrisA _has_ mentioned Pike in this thread. :-)
> >
> > But you know he does it just for the halibut...
> >
> Are you guys fishing for complements?

I never thought I'd get cod in a pun thread outside of reddit.
| From | MRAB <python@mrabarnett.plus.com> |
|---|---|
| Date | 2014-12-23 01:37 +0000 |
| Message-ID | <mailman.17148.1419298653.18130.python-list@python.org> |
| In reply to | #82822 |
On 2014-12-23 01:03, sohcahtoa82@gmail.com wrote:
> On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote:
>> In article <mailman.17133.1419276169.18130.python-list@python.org>,
>> Tim Chase <python.list@tim.thechases.com> wrote:
>>
>> > On 2014-12-22 19:05, MRAB wrote:
>> > > On 2014-12-22 18:51, Mark Lawrence wrote:
>> > > > I'm having wonderful thoughts of Michael Palin's favourite Python
>> > > > sketch which involved fish slapping.
>> > > >
>> > > Well, ChrisA _has_ mentioned Pike in this thread. :-)
>> >
>> > But you know he does it just for the halibut...
>> >
>> Are you guys fishing for complements?
>
> I never thought I'd get cod in a pun thread outside of reddit.
>
And a programming newsgroup isn't really the plaice for it anyway!
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-23 12:39 +1100 |
| Message-ID | <mailman.17149.1419299170.18130.python-list@python.org> |
| In reply to | #82822 |
On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
> And a programming newsgroup isn't really the plaice for it anyway!

And yet we do carp on a bit, don't we...

ChrisA
| From | Mark Lawrence <breamoreboy@yahoo.co.uk> |
|---|---|
| Date | 2014-12-23 02:36 +0000 |
| Message-ID | <mailman.17150.1419302206.18130.python-list@python.org> |
| In reply to | #82822 |
On 23/12/2014 01:39, Chris Angelico wrote:
> On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
>> And a programming newsgroup isn't really the plaice for it anyway!
>
> And yet we do carp on a bit, don't we...
>
> ChrisA
>

Gordon Bennett what have I started? You dangle a bit of bait and...

--
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.

Mark Lawrence
| From | Dennis Lee Bieber <wlfraed@ix.netcom.com> |
|---|---|
| Date | 2014-12-23 12:24 -0500 |
| Message-ID | <mailman.17155.1419355490.18130.python-list@python.org> |
| In reply to | #82822 |
On Tue, 23 Dec 2014 02:36:30 +0000, Mark Lawrence <breamoreboy@yahoo.co.uk>
declaimed the following:
>On 23/12/2014 01:39, Chris Angelico wrote:
>> On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
>>> And a programming newsgroup isn't really the plaice for it anyway!
>>
>> And yet we do carp on a bit, don't we...
>>
>> ChrisA
>>
>
>Gordon Bennett what have I started? You dangle a bit of bait and...
Well... you could have been trolling...
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-23 12:03 +1100 |
| Message-ID | <mailman.17147.1419296618.18130.python-list@python.org> |
| In reply to | #82821 |
On Tue, Dec 23, 2014 at 11:55 AM, Roy Smith <roy@panix.com> wrote:
> In article <mailman.17133.1419276169.18130.python-list@python.org>,
> Tim Chase <python.list@tim.thechases.com> wrote:
>
>> On 2014-12-22 19:05, MRAB wrote:
>> > On 2014-12-22 18:51, Mark Lawrence wrote:
>> > > I'm having wonderful thoughts of Michael Palin's favourite Python
>> > > sketch which involved fish slapping.
>> > >
>> > Well, ChrisA _has_ mentioned Pike in this thread. :-)
>>
>> But you know he does it just for the halibut...
>>
> Are you guys fishing for complements?

That has nothing to do with it, it's just a red herring!

ChrisA
| From | Dave Angel <d@davea.name> |
|---|---|
| Date | 2014-12-22 14:57 -0500 |
| Subject | Encryption - was Hello World |
| Message-ID | <mailman.17134.1419278249.18130.python-list@python.org> |
| In reply to | #82785 |
On 12/22/2014 12:25 PM, Chris Angelico wrote:
> There's one exception. Writing your own crypto is a bad idea if that
> means reimplementing AES... but if you want something that's effective
> on completely different levels, sometimes it's best to write your own.
> I had a project a while ago that needed some encryption work done, and
> I implemented something that I described as "scarily effective". My
> boss demanded that the debug code-execution feature be protected by a
> password that would be strong even if someone could read the source
> code, so I put together something that would hash the incoming
> password, then check to see if the first two and last two bytes of the
> hash were all the same byte value as the current hour-of-week (ranging
> from 0 to 167). This is clearly more secure than simply embedding a
> SHA256 hash in the source code, because you can't possibly
> reverse-engineer it (since you don't even have the full hash). And
> yes, this was 100% effective in convincing my boss that the code
> executor was safely guarded. Since that was the goal, having several
> lines of complex and opaque code was far better than a single line
> that says "if hash(password)=='5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8':
> do stuff", which is way too easy for someone to decode.
>
> And it was, indeed, scarily effective. That lasted for a long time,
> and any time there was a question about security, I could just point
> to that and say "See? Safe."...
I figure I must be misunderstanding something in your explanation, since
a brute-force password guesser would seem to only need four billion
tries to (probably) crack that.
1) Are you assuming that the cracker can read the source code, but
cannot modify the version of the code that is running?
2) Are you really doing something equivalent to:
```python
import hashlib, time
def time_calc():  # get a one-byte byte-string according to hour of the week
    t = time.gmtime()
    return bytes([t.tm_wday * 24 + t.tm_hour])
test = time_calc()
encoded_pw = hashlib.sha256(password.encode()).digest()  # password: what the user typed
if encoded_pw.startswith(test*2) and encoded_pw.endswith(test*2):
    pass  # ---passed---
```
I can understand that being sufficiently obscure for the pointy haired
boss, but I figure I've got to be missing something. A quick test with
3.2 shows that around a million hashes can be generated per second, so
checking four billion is only an hour or so. Since some of them will
collide, that gives us something better than 50% likelihood of having
found a useful pw in an hour. But a few more hours and we'll most
likely have it.
For that matter, you must have already written such a pw finder.
I'm back to figuring I'm misunderstanding what you're saying.
--
DaveA
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-23 09:29 +1100 |
| Subject | Re: Encryption - was Hello World |
| Message-ID | <mailman.17139.1419287363.18130.python-list@python.org> |
| In reply to | #82785 |
On Tue, Dec 23, 2014 at 6:57 AM, Dave Angel <d@davea.name> wrote:
> I figure I must be misunderstanding something in your explanation, since a
> brute-force password guesser would seem to only need four billion tries to
> (probably) crack that.
>
> 1) Are you assuming that the cracker can read the source code, but cannot
> modify the version of the code that is running?
>
> 2) Are you really doing something equivalent to:
>
> test = time_calc() - get a one-byte byte-string according to hour of the
> week
> encoded_pw = hash(password)
> if encoded_pw.startswith(test*2) and encoded_pw.endswith(test*2):
> ---passed---
>
> I can understand that being sufficiently obscure for the pointy haired boss,
> but I figure I've got to be missing something. A quick test with 3.2 shows
> that around a million hashes can be generated per second, so checking four
> billion is only an hour or so. Since some of them will collide, that gives
> us something better than 50% likelihood of having found a useful pw in an
> hour. But a few more hours and we'll most likely have it.
>
> For that matter, you must have already written such a pw finder.
>
> I'm back to figuring I'm misunderstanding what you're saying.

No, actually you're understanding that fairly well. Of course, I didn't
share the password finder script. The code was similar in functionality
to what you describe, but it used a more obscure coding style so it
wasn't obvious. Imagine using a regex to verify that part of the hash.
(It wasn't actually a regex, but it wasn't Python either, and the
significance is that it was obfuscated code.) I don't remember exactly
which hashing algorithm I was using for this, but the password finder
took about a week (running roughly eight hours a day, while I was there)
to cover most of the required passwords.

As to the assumptions... uhh... that was never something I really
understood. I think you're probably right, and this was part of the
paranoia of "my code might be stolen". You're attempting to attribute a
level of logic to the requirements which has no supporting evidence :)

But what you've proven above is how ineffective this technique is at
keeping out a determined, and mathematically-adept, attacker. Yaknow,
*real* security. This code was *extremely* effective at satisfying my
boss. As I said, he wasn't satisfied with the idea of just embedding a
SHA256 hash into the code; I would have used an XKCD 936 compliant
password, so brute-forcing that would take (assuming your
million-hashes-per-second figure) about a year, and that assuming the
attacker knew my exact style.

Aside: XKCD 936 overestimates the time to generate guesses (1000/sec),
which presumably means it's not talking about reversing a hash, but
attempting some other attack. (Not a big deal, since the same figure is
used for both types of password.) But it also underestimates the
password entropy of four words. Let's see. First off, a 4K corpus isn't
that hard to work with, so that potentially gives you another four bits
of entropy; in /usr/share/dict/words I have 72861 words with no capital
letters, punctuation, etc, so it wouldn't be unreasonable to push that
up even to 16 bits per word (which sounds weird, worded like that),
raising the total entropy from 44 bits to 64. And there's no guarantee
that one person's corpus will exactly match another's. Plus, you might
and might not capitalize the first letters of the words (another bit),
and you could run them together with no punctuation, or use any common
punctuation to separate them (space, or "-:,./\" - eight easy options,
3 bits). So in theory, an attacker might know that you're using an XKCD
936 password, but there could still be up to 68 bits of entropy,
*easily*. Even in a dedicated personal attack, the estimate of 44 bits
would be an absolute minimum, and it's likely to cost rather more than
that.

ChrisA
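The two posts above (Dave's four-billion-tries arithmetic and Chris's hour-of-week gate and XKCD 936 entropy figures) worked through in Python, as an added example that is not code from the thread: the weak gate beside a hardened form, and the effort estimates. The hardened form (salted PBKDF2 plus a constant-time compare) is my choice and goes beyond what the thread shows; all function names and the sample passphrase are assumptions of this example.

```python
"""Added example (not code from the thread): the hour-of-week check Chris
described, a hardened replacement, and the effort arithmetic from the
discussion.  Every function name here is an assumption of this example."""
import hashlib
import hmac
import math
import os
import time


def fixed_time(weekday: int, hour: int) -> time.struct_time:
    """Constructed timestamp helper: Monday is weekday 0, as in time.gmtime().
    Only tm_wday and tm_hour are read by hour_of_week()."""
    return time.struct_time((2014, 12, 22, hour, 0, 0, weekday, 356, 0))


def hour_of_week(t=None) -> bytes:
    """The thread's 'hour-of-week' (0..167) as a single byte."""
    t = time.gmtime() if t is None else t
    return bytes([t.tm_wday * 24 + t.tm_hour])


def pattern_matches(digest: bytes, hour: bytes) -> bool:
    """True if the first two and last two digest bytes all equal `hour`."""
    return digest.startswith(hour * 2) and digest.endswith(hour * 2)


def weak_check(password: str, now=None) -> bool:
    """The gate Chris described and Dave reconstructed.  Whatever the real
    password is, any input whose hash happens to carry the pattern is let
    in, so the gate is no stronger than the pattern: 4 bytes = 32 bits."""
    digest = hashlib.sha256(password.encode()).digest()
    return pattern_matches(digest, hour_of_week(now))


def weak_check_bits(constrained_bytes: int = 4) -> int:
    """Search space of the weak gate: only the constrained digest bytes
    matter, independent of password length or choice.  2**32 is Dave's
    'four billion tries'."""
    return 8 * constrained_bytes


# Hardened form: my choice, beyond what the thread shows.  Chris said he
# would have embedded a plain SHA256 of a strong passphrase; a salted, slow
# KDF and a constant-time compare are the usual step up from that.

def make_verifier(password: str, salt=None, rounds: int = 200_000):
    """Return what the source would store instead of a bare hash:
    (salt, rounds, derived key) from PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, key


def hardened_verify(candidate: str, stored) -> bool:
    """Re-derive and compare in constant time; the gate now depends on the
    passphrase's entropy and the KDF cost rather than on a 4-byte pattern."""
    salt, rounds, key = stored
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds)
    return hmac.compare_digest(cand, key)


# Effort arithmetic used in the thread.

def passphrase_bits(words: int, corpus: int, extra_bits: float = 0.0) -> float:
    """Entropy of `words` words drawn uniformly from a `corpus`-word list,
    plus extra bits for choices such as capitalisation or separator."""
    return words * math.log2(corpus) + extra_bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: try every one of 2**bits candidates at the given rate.
    At Dave's million hashes per second, 32 bits is about 72 minutes and
    44 bits about 200 days; Chris's 'about a year' is the same order."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e6  # Dave's "around a million hashes per second"
    print("weak gate: 2**%d guesses, %.0f minutes at %g/s"
          % (weak_check_bits(), seconds_to_exhaust(weak_check_bits(), rate) / 60, rate))
    for label, bits in [("XKCD 936, 2048-word list", passphrase_bits(4, 2048)),
                        ("4 words, 65536-word list", passphrase_bits(4, 65536)),
                        ("same plus case bit and separator bits", passphrase_bits(4, 65536, 1 + 3))]:
        print("%s: %.0f bits, %.0f days" % (label, bits, seconds_to_exhaust(bits, rate) / 86400))
    stored = make_verifier("correct horse battery staple")  # constructed sample passphrase
    print("hardened verify:", hardened_verify("correct horse battery staple", stored))
```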
| From | Dave Angel <davea@davea.name> |
|---|---|
| Date | 2014-12-22 18:22 -0500 |
| Subject | Re: Encryption - was Hello World |
| Message-ID | <mailman.17141.1419290548.18130.python-list@python.org> |
| In reply to | #82785 |
On 12/22/2014 05:29 PM, Chris Angelico wrote:
> On Tue, Dec 23, 2014 at 6:57 AM, Dave Angel <d@davea.name> wrote:
>> I figure I must be misunderstanding something in your explanation, since a
>> brute-force password guesser would seem to only need four billion tries to
>> (probably) crack that.
>>
<snip>
>
> As to the assumptions... uhh... that was never something I really
> understood. I think you're probably right, and this was part of the
> paranoia of "my code might be stolen". You're attempting to attribute
> a level of logic to the requirements which has no supporting evidence
> :)
>
I recall a DLL that implemented the license check, and an application
called a function in the DLL and looked for true or false. Even the
exported function name was a pretty good clue. And extremely easy to
intercept and defeat. I did convince the company (my employer, though I
didn't normally work on the license stuff) to statically link instead.
And to stop shipping all the symbols with the executable. Most security
flaws are of this form, not sophisticated cracking.
I also wrote my own form of protection in 1976 to make it difficult for
somebody to retrieve source. The previous version had simply added a
protect bit to the image file. Mine saved a completely different file
every time you re-saved the program data, to try to make it hard (not
impossible) to recover it. Then it stored a separate key in each sector
of the file so reading it into the interpreter was always possible. I
had a couple of constraints - the file couldn't grow, and it had to be
fast enough to have no impact on load time.
I had a guy claim that the CIA got interested in the code, and cracked
it during a lunch hour. But I suspect somebody got hold of the source
code, which was available to our field service staff.
There were a couple of iterations before this code was stable. Not in
the algorithm, but in what amounted to a few back-doors. For example,
it turns out the error display logic would show the line in error,
unencrypted. So people would munge the code sufficiently to cause
errors on most lines, and retrieve them one at a time.
Another thing I did in 1976 which was apparently unusual was to add a
checksum to the code itself. The Boot Rom would self-check before
starting the machine, and it also checksummed the loadable microcode
before passing control to it. Prevented some corruption problems.
Another thing that machine did was to run a RAM diagnostic from the time
it booted till the operator specified the drive from which to fetch the
microcode. The entire test took many minutes to run, but it was
entirely silent unless a problem occurred. No pass counts or anything.
When I added that code, manufacturing found some machines that had
been put aside as flaky, actually had RAM errors. The test was
necessarily crude, because the entire boot, including disk logic, had to
fit in 1k.
Ahh... memories.
--
DaveA
| From | Rustom Mody <rustompmody@gmail.com> |
|---|---|
| Date | 2014-12-21 18:37 -0800 |
| Message-ID | <e41f17a2-6244-4f60-b504-de03838634fa@googlegroups.com> |
| In reply to | #82726 |
On Monday, December 22, 2014 4:21:13 AM UTC+5:30, Steven D'Aprano wrote:
>
> Awww, did da widdle puddy tat get up on the wrong side of the bed this
> morning? :-)
>
>
> Obviously you don't write obfuscated code like this for production use,
> except in such cases where you deliberately want to write obfuscated code
> for production use.
>
> Any beginner with 3 seconds experience with Python can write:
>
> print "Hello World"
>

Bad Boy -- Stand in the corner for forgetting the '()'
[Good boys use python3]

On a more serious note...

> Tony the Tiger wrote:
>
> > On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote:
> >
> >> I am in total awe.
> >
> > I'm not. It has no real value. Write your code like that and you'll soon
> > be looking for a new job.

If a python teacher wanted, that blog has enough internal python
mechanisms on display strung together into a cute result for a number
of lectures. [If only I could wrap my brain round it all]

IOW learning language-L and real world programming in L are quite
different. Related to
1. People read programs far more often than they write
2. Different types of vocabularies
http://en.wikipedia.org/wiki/Vocabulary#Degree_of_knowledge and next
| From | Steve Hayes <hayesstw@telkomsa.net> |
|---|---|
| Date | 2014-12-22 08:21 +0200 |
| Message-ID | <0udf9a1m3n02rt06a5ib58mvifm7sdeg31@4ax.com> |
| In reply to | #82726 |
On Mon, 22 Dec 2014 09:51:02 +1100, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:

>Tony the Tiger wrote:
>
>> On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote:
>>
>>> I am in total awe.
>>
>> I'm not. It has no real value. Write your code like that and you'll soon
>> be looking for a new job.
>
>Awww, did da widdle puddy tat get up on the wrong side of the bed this
>morning? :-)
>
>
>Obviously you don't write obfuscated code like this for production use,
>except in such cases where you deliberately want to write obfuscated code
>for production use.

Yes, my initial reaction was "that's awesome".

And my second thought was that it was scary.

I ran it. It worked, and printed "Hello world". I was awed.

But what if I had run it and it reformatted my hard disk?

How would I have known that it would or wouldn't do that?

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-22 17:33 +1100 |
| Message-ID | <mailman.17110.1419229999.18130.python-list@python.org> |
| In reply to | #82753 |
On Mon, Dec 22, 2014 at 5:21 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> Yes, my initial reaction was "that's awesome".
>
> And my second thought was that it was scary.
>
> I ran it. It worked, and printed "Hello world". I was awed.
>
> But what if I had run it and it reformatted my hard disk?
>
> How would I have known that it would or wouldn't do that?

You trust that (a) Steven D'Aprano isn't going to give you outright
malicious code (or that he trusts that the original author won't), and
that (b) your hard disk cannot be reformatted by a non-root user.
Every major platform has this kind of privilege separation (Windows
doesn't call it "root" but "Administrator", but the effect is, AIUI,
equivalent), so unless you're running random scripts from the internet
with maximum privileges, you should be safe.

Frankly, though, it's no worse than downloading binary code from the
internet and running it. How do you know that the executable you just
downloaded really is what it claims to be, that you didn't get some
MITM shipping you a malicious binary? Yet men and women do this every
day, with none to say "Oh the pity of it", save me and fools like me.

ChrisA
| From | Steve Hayes <hayesstw@telkomsa.net> |
|---|---|
| Date | 2014-12-22 09:46 +0200 |
| Message-ID | <ssif9ah8432e19uvp7eqvskmkspjiemg16@4ax.com> |
| In reply to | #82755 |
On Mon, 22 Dec 2014 17:33:10 +1100, Chris Angelico <rosuav@gmail.com>
wrote:

>On Mon, Dec 22, 2014 at 5:21 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
>> Yes, my initial reaction was "that's awesome".
>>
>> And my second thought was that it was scary.
>>
>> I ran it. It worked, and printed "Hello world". I was awed.
>>
>> But what if I had run it and it reformatted my hard disk?
>>
>> How would I have known that it would or wouldn't do that?
>
>You trust that (a) Steven D'Aprano isn't going to give you outright
>malicious code (or that he trusts that the original author won't), and
>that (b) your hard disk cannot be reformatted by a non-root user.
>Every major platform has this kind of privilege separation (Windows
>doesn't call it "root" but "Administrator", but the effect is, AIUI,
>equivalent), so unless you're running random scripts from the internet
>with maximum privileges, you should be safe.

Well yes, (a) is what I did and why I ran it.

But a hacker who can write that kind of stuff can probably bypass any
safeguards built into the OS.

As others have pointed out, it's not so much coding as black magic!

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-22 18:56 +1100 |
| Message-ID | <mailman.17111.1419234992.18130.python-list@python.org> |
| In reply to | #82756 |
On Mon, Dec 22, 2014 at 6:46 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> But a hacker who can write that kind of stuff can probably bypass any
> safeguards built into the OS.

This isn't magic. You can't just do more of it to get past the
firewalls, like in sci fi. It's much MUCH easier to attack the humans
than the computers.

ChrisA
| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2014-12-22 20:18 +1100 |
| Message-ID | <5497e1d5$0$12978$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #82753 |
Steve Hayes wrote:
> Yes, my initial reaction was "that's awesome".
>
> And my second thought was that it was scary.
>
> I ran it. It worked, and printed "Hello world". I was awed.
>
> But what if I had run it and it reformatted my hard disk?
>
> How would I have known that it would or wouldn't do that?
That's why I didn't run it myself :-)
Seriously. I read the blog post, it seemed legitimate, I could follow the
explanation for how it worked well enough to be convinced it would work,
but I didn't try running it myself.
If I had, I would have made sure I was running as an unprivileged user, not
the superuser/Administrator account. Actually, since I care more about my
personal files than the operating system, I'd prefer to *not* use my normal
account. This being Linux, I can run suspicious code as the "nobody" user:
[steve@ando ~]$ sudo -u nobody python -c "print 'Hello World'"
Hello World
Running as nobody limits the harm a rogue script might do:
[steve@ando ~]$ sudo -u nobody python -c "import os;
os.listdir('/home/steve')"
Traceback (most recent call last):
File "<string>", line 1, in ?
OSError: [Errno 13] Permission denied: '/home/steve'
Ultimately, I'm trusting the security of my operating system.
--
Steven
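The privilege drop Steven does from the shell with `sudo -u nobody`, done in-process from Python as an added example (not code from the thread): a `preexec_fn` switches the child to "nobody" before the suspicious snippet runs, and refuses to continue if the drop could be undone. It assumes a Unix host with a `nobody` account; the snippet it runs is a harmless constructed probe, and as in the thread the OS is still what enforces the boundary.

```python
import os
import subprocess
import sys


def drop_privileges(username="nobody"):
    """Permanently switch this process to `username` (used as preexec_fn).

    Order matters: supplementary groups and the gid go before the uid,
    because after setuid() we may no longer be allowed to change them.
    """
    import pwd  # Unix-only, so imported lazily
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # A drop that can be undone is worthless: a saved uid of 0 would let
    # the child climb straight back to root.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop is reversible; refusing to run")


def run_untrusted(code, username="nobody"):
    """Run a Python snippet in a child process with reduced privileges.

    If the caller is root, the child is switched to `username` before exec.
    If the caller is already unprivileged there is nothing more to drop
    in-process (that is what `sudo -u nobody` is for), so the child runs as
    the caller.  Returns (returncode, stdout, stderr).
    """
    preexec = (lambda: drop_privileges(username)) if os.geteuid() == 0 else None
    proc = subprocess.run(
        [sys.executable, "-c", code],
        capture_output=True, text=True, timeout=30, preexec_fn=preexec,
    )
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Constructed probe mirroring the thread: run as nobody, listing the
    # invoking user's home fails with EACCES; the snippet itself is harmless.
    home = os.path.expanduser("~")
    rc, out, err = run_untrusted(f"import os; print(os.listdir({home!r})[:3])")
    print("exit code", rc)
    print(out or err.strip().splitlines()[-1])
```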
| From | Marko Rauhamaa <marko@pacujo.net> |
|---|---|
| Date | 2014-12-22 11:34 +0200 |
| Message-ID | <87wq5krpsd.fsf@elektro.pacujo.net> |
| In reply to | #82763 |
Steven D'Aprano <steve+comp.lang.python@pearwood.info>:
> Steve Hayes wrote:
>> But what if I had run it and it reformatted my hard disk?
>>
>> How would I have known that it would or wouldn't do that?
>
> That's why I didn't run it myself :-)

Well, I admit having run

   yum install python3

as root.

> Ultimately, I'm trusting the security of my operating system.

Ultimately, I'm trusting my luck.

Marko
| From | Rustom Mody <rustompmody@gmail.com> |
|---|---|
| Date | 2014-12-22 19:38 -0800 |
| Message-ID | <d757daec-54df-47b4-839d-897ef3cb2822@googlegroups.com> |
| In reply to | #82765 |
On Monday, December 22, 2014 3:04:52 PM UTC+5:30, Marko Rauhamaa wrote:
> Steven D'Aprano :
>
> > Steve Hayes wrote:
> >> But what if I had run it and it reformatted my hard disk?
> >>
> >> How would I have known that it would or wouldn't do that?
> >
> > That's why I didn't run it myself :-)
>
> Well, I admit having run
>
>    yum install python3
>
> as root.
>
> > Ultimately, I'm trusting the security of my operating system.
>
> Ultimately, I'm trusting my luck.
>

O that's nothing. I've eaten cookies. Given by strangers, can contain
narcotics you know!

I've even walked on the road. Mines? You've heard of them right?!? People
get their legs blown off [shivers]

Only computers I don't use -- Just too dangerous. If cars and bikes can have
bombs -- why not a computer?

Speaking of which you guys have been had by Steven. That was not an innocent
Hello World program. All those who tried it Beware! On the next Friday the
13th when you hear the wings of werewolves waffling inside your disk drive...
you know who is responsible

[Sound of eerie music]

======================
Merry Christmas everyone!
| From | Roy Smith <roy@panix.com> |
|---|---|
| Date | 2014-12-22 08:15 -0500 |
| Message-ID | <roy-5247EA.08145622122014@news.panix.com> |
| In reply to | #82763 |
In article <5497e1d5$0$12978$c3e8da3$5496439d@news.astraweb.com>,
 Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:
> Steve Hayes wrote:
>
> > Yes, my initial reaction was "that's awesome".
> >
> > And my second thought was that it was scary.
> >
> > I ran it. It worked, and printed "Hello world". I was awed.
> >
> > But what if I had run it and it reformatted my hard disk?
> >
> > How would I have known that it would or wouldn't do that?
>
> That's why I didn't run it myself :-)
>
> Seriously. I read the blog post, it seemed legitimate, I could follow the
> explanation for how it worked well enough to be convinced it would work,
> but I didn't try running it myself.
>
> If I had, I would have made sure I was running as an unprivileged user, not
> the superuser/Administrator account. Actually, since I care more about my
> personal files than the operating system, I'd prefer to *not* use my normal
> account. This being Linux, I can run suspicious code as the "nobody" user:

If I really didn't trust something, I'd go to AWS and spin up one of
their free-tier micro instances and run it there :-)
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2014-12-23 00:23 +1100 |
| Message-ID | <mailman.17119.1419254621.18130.python-list@python.org> |
| In reply to | #82770 |
On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith <roy@panix.com> wrote:
> If I really didn't trust something, I'd go to AWS and spin up one of
> their free-tier micro instances and run it there :-)

How do you know it won't create console output that stroboscopically
infects you with a virus through your eyes? Because that's *totally*
what would be done in the town of Eureka.

(I miss that show. Their technobabble was so mindbogglingly bad it
became rather funny.)

ChrisA