Hello World

Started by: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
First post: 2014-12-20 23:57 +1100
Last post: 2014-12-22 19:05 +0000
Articles: 20 on this page of 122 — 30 participants


Contents

  Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-20 23:57 +1100
    Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-21 00:11 +1100
    Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2014-12-20 16:13 +0000
    Re: Hello World Rustom Mody <rustompmody@gmail.com> - 2014-12-20 08:50 -0800
    Re: Hello World Steve Hayes <hayesstw@telkomsa.net> - 2014-12-20 20:39 +0200
    Re: Hello World alister <alister.nospam.ware@ntlworld.com> - 2014-12-20 22:18 +0000
    Re: Hello World CM <cmpython@gmail.com> - 2014-12-20 21:14 -0800
      Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-21 16:26 +1100
      Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-21 16:31 +1100
      Re: Hello World Terry Reedy <tjreedy@udel.edu> - 2014-12-21 01:31 -0500
        Re: Hello World wxjmfauth@gmail.com - 2014-12-21 00:07 -0800
      Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-21 17:44 +1100
        Re: Hello World CM <cmpython@gmail.com> - 2014-12-20 23:44 -0800
          Re: Hello World CM <cmpython@gmail.com> - 2014-12-20 23:45 -0800
            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2014-12-21 10:26 +0200
          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-21 18:46 +1100
        Re: Hello World albert@spenarnc.xs4all.nl (Albert van der Horst) - 2015-01-08 12:43 +0000
          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-08 23:53 +1100
            Re: Hello World albert@spenarnc.xs4all.nl (Albert van der Horst) - 2015-01-08 13:37 +0000
            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2015-01-08 16:06 +0200
              Re: Hello World alister <alister.nospam.ware@ntlworld.com> - 2015-01-08 14:21 +0000
                Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2015-01-08 16:31 +0200
                  Re: Hello World alister <alister.nospam.ware@ntlworld.com> - 2015-01-08 15:14 +0000
            Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-08 15:11 +0100
            Re: Hello World albert@spenarnc.xs4all.nl (Albert van der Horst) - 2015-01-17 14:51 +0000
              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 01:57 +1100
                Re: Hello World cl@isbd.net - 2015-01-17 15:18 +0000
              Re: Hello World Michael Torrie <torriem@gmail.com> - 2015-01-17 09:29 -0700
                Re: Hello World cl@isbd.net - 2015-01-17 16:47 +0000
                  Re: Hello World albert@spenarnc.xs4all.nl (Albert van der Horst) - 2015-01-17 18:06 +0000
                    Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-17 19:47 +0100
                      Re: Hello World Michael Torrie <torriem@gmail.com> - 2015-01-17 19:09 -0700
                    Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-01-18 13:37 +1100
                      Re: Hello World Roy Smith <roy@panix.com> - 2015-01-17 22:18 -0500
                        Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-01-18 14:45 +1100
                          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 18:45 +1100
                          Re: Hello World Roy Smith <roy@panix.com> - 2015-01-18 07:26 -0500
                        Re: Hello World Tim Chase <python.list@tim.thechases.com> - 2015-01-17 21:50 -0600
                        Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 18:44 +1100
                  Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2015-01-17 18:31 +0000
                    Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-01-18 10:46 +1100
                      Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 11:04 +1100
                      Re: Hello World Jason Friedman <jsf80238@gmail.com> - 2015-01-17 18:19 -0700
                      Re: Hello World Michael Torrie <torriem@gmail.com> - 2015-01-17 19:13 -0700
                        Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2015-01-18 12:03 +0200
                          Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 14:34 +0100
                            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2015-01-18 18:03 +0200
                              Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 19:39 +0100
                          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 21:10 +1100
                            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2015-01-18 22:50 +0200
                        Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 14:32 +0100
                      Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-18 21:00 +1100
                        Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 14:35 +0100
                          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-19 00:57 +1100
                            Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 16:48 +0100
                              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-19 04:08 +1100
                      Re: Hello World Michael Ströder <michael@stroeder.com> - 2015-01-18 14:30 +0100
          Re: Hello World Steve Hayes <hayesstw@telkomsa.net> - 2015-01-08 19:02 +0200
            Re: Hello World Chris Angelico <rosuav@gmail.com> - 2015-01-09 04:11 +1100
              Re: Hello World albert@spenarnc.xs4all.nl (Albert van der Horst) - 2015-01-17 15:10 +0000
            Re: Hello World Michael Torrie <torriem@gmail.com> - 2015-01-08 10:53 -0700
              Re: Hello World Grant Edwards <invalid@invalid.invalid> - 2015-01-08 18:57 +0000
      Re: Hello World Devin Jeanpierre <jeanpierreda@gmail.com> - 2015-01-17 16:06 -0800
    Re: Hello World Tony the Tiger <tony@tiger.invalid> - 2014-12-21 19:22 +0000
      Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2014-12-21 22:02 +0200
      Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-22 09:51 +1100
        Re: Hello World Roy Smith <roy@panix.com> - 2014-12-21 18:50 -0500
          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-22 11:10 +1100
            Re: Hello World Roy Smith <roy@panix.com> - 2014-12-21 19:12 -0500
              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-22 11:36 +1100
            Re: Hello World mm0fmf <none@mailinator.com> - 2014-12-22 00:20 +0000
              Re: Hello World Tim Chase <python.list@tim.thechases.com> - 2014-12-21 18:47 -0600
              Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2014-12-22 02:56 +0000
            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2014-12-22 10:52 +0200
              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-22 20:01 +1100
          Re: Hello World Grant Edwards <invalid@invalid.invalid> - 2014-12-22 16:23 +0000
            Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-23 04:25 +1100
            Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2014-12-22 18:51 +0000
            Re: Hello World MRAB <python@mrabarnett.plus.com> - 2014-12-22 19:05 +0000
            Re: Hello World Tim Chase <python.list@tim.thechases.com> - 2014-12-22 13:16 -0600
              Re: Hello World Roy Smith <roy@panix.com> - 2014-12-22 19:55 -0500
                Re: Hello World sohcahtoa82@gmail.com - 2014-12-22 17:03 -0800
                  Re: Hello World MRAB <python@mrabarnett.plus.com> - 2014-12-23 01:37 +0000
                  Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-23 12:39 +1100
                  Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2014-12-23 02:36 +0000
                  Re: Hello World Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2014-12-23 12:24 -0500
                Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-23 12:03 +1100
            Encryption - was Hello World Dave Angel <d@davea.name> - 2014-12-22 14:57 -0500
            Re: Encryption - was Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-23 09:29 +1100
            Re: Encryption - was Hello World Dave Angel <davea@davea.name> - 2014-12-22 18:22 -0500
        Re: Hello World Rustom Mody <rustompmody@gmail.com> - 2014-12-21 18:37 -0800
        Re: Hello World Steve Hayes <hayesstw@telkomsa.net> - 2014-12-22 08:21 +0200
          Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-22 17:33 +1100
            Re: Hello World Steve Hayes <hayesstw@telkomsa.net> - 2014-12-22 09:46 +0200
              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-22 18:56 +1100
          Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-22 20:18 +1100
            Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2014-12-22 11:34 +0200
              Re: Hello World Rustom Mody <rustompmody@gmail.com> - 2014-12-22 19:38 -0800
            Re: Hello World Roy Smith <roy@panix.com> - 2014-12-22 08:15 -0500
              Re: Hello World Chris Angelico <rosuav@gmail.com> - 2014-12-23 00:23 +1100
                OFF TOPIC Snow Crash [was Re: Hello World] Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-23 13:09 +1100
                  Re: OFF TOPIC Snow Crash [was Re: Hello World] Grant Edwards <invalid@invalid.invalid> - 2014-12-23 16:20 +0000
                    Re: OFF TOPIC Snow Crash [was Re: Hello World] Rustom Mody <rustompmody@gmail.com> - 2014-12-23 08:41 -0800
                      Re: OFF TOPIC Snow Crash [was Re: Hello World] Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-24 12:51 +1100
                    Re: OFF TOPIC Snow Crash [was Re: Hello World] Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-24 14:18 +1100
                    Re: OFF TOPIC Snow Crash [was Re: Hello World] alister <alister.nospam.ware@ntlworld.com> - 2014-12-24 11:50 +0000
                      Re: OFF TOPIC Snow Crash [was Re: Hello World] alex23 <wuwei23@gmail.com> - 2014-12-26 09:34 +1000
                    Re: OFF TOPIC Snow Crash [was Re: Hello World] alex23 <wuwei23@gmail.com> - 2014-12-26 09:27 +1000
                      Re: OFF TOPIC Snow Crash [was Re: Hello World] Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-26 15:13 +1100
                        Re: OFF TOPIC Snow Crash [was Re: Hello World] alister <alister.nospam.ware@ntlworld.com> - 2014-12-26 10:03 +0000
              Re: Hello World Marko Rauhamaa <marko@pacujo.net> - 2014-12-22 15:26 +0200
                Re: Hello World Roy Smith <roy@panix.com> - 2014-12-22 08:41 -0500
          Re: Hello World Roy Smith <roy@panix.com> - 2014-12-22 08:13 -0500
            Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-23 02:22 +1100
              Re: Hello World Jussi Piitulainen <jpiitula@ling.helsinki.fi> - 2014-12-22 17:36 +0200
                Re: Hello World Chris Warrick <kwpolska@gmail.com> - 2014-12-22 17:03 +0100
              Re: Hello World Skip Montanaro <skip.montanaro@gmail.com> - 2014-12-22 09:39 -0600
                Re: Hello World Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-12-23 03:54 +1100
              Re: Hello World Mark Lawrence <breamoreboy@yahoo.co.uk> - 2014-12-22 18:48 +0000
          Re: Hello World Grant Edwards <invalid@invalid.invalid> - 2014-12-22 16:26 +0000
      Re: Hello World Grant Edwards <invalid@invalid.invalid> - 2014-12-22 16:18 +0000
        Re: Hello World alister <alister.nospam.ware@ntlworld.com> - 2014-12-22 19:05 +0000


#82821

From: Roy Smith <roy@panix.com>
Date: 2014-12-22 19:55 -0500
Message-ID: <roy-7D1708.19552822122014@news.panix.com>
In reply to: #82800

In article <mailman.17133.1419276169.18130.python-list@python.org>,
 Tim Chase <python.list@tim.thechases.com> wrote:

> On 2014-12-22 19:05, MRAB wrote:
> > On 2014-12-22 18:51, Mark Lawrence wrote:
> > > I'm having wonderful thoughts of Michael Palin's favourite Python
> > > sketch which involved fish slapping.
> > >
> > Well, ChrisA _has_ mentioned Pike in this thread. :-)
> 
> But you know he does it just for the halibut...
> 
Are you guys fishing for complements?


#82822

From: sohcahtoa82@gmail.com
Date: 2014-12-22 17:03 -0800
Message-ID: <27bf3c98-f1cd-4d67-bb51-958c9d4fd71f@googlegroups.com>
In reply to: #82821

On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote:
> In article <mailman.17133.1419276169.18130.python-list@python.org>,
>  Tim Chase <python.list@tim.thechases.com> wrote:
> 
> > On 2014-12-22 19:05, MRAB wrote:
> > > On 2014-12-22 18:51, Mark Lawrence wrote:
> > > > I'm having wonderful thoughts of Michael Palin's favourite Python
> > > > sketch which involved fish slapping.
> > > >
> > > Well, ChrisA _has_ mentioned Pike in this thread. :-)
> > 
> > But you know he does it just for the halibut...
> > 
> Are you guys fishing for complements?

I never thought I'd get cod in a pun thread outside of reddit.


#82824

From: MRAB <python@mrabarnett.plus.com>
Date: 2014-12-23 01:37 +0000
Message-ID: <mailman.17148.1419298653.18130.python-list@python.org>
In reply to: #82822

On 2014-12-23 01:03, sohcahtoa82@gmail.com wrote:
> On Monday, December 22, 2014 4:56:13 PM UTC-8, Roy Smith wrote:
>> In article <mailman.17133.1419276169.18130.python-list@python.org>,
>>  Tim Chase <python.list@tim.thechases.com> wrote:
>>
>> > On 2014-12-22 19:05, MRAB wrote:
>> > > On 2014-12-22 18:51, Mark Lawrence wrote:
>> > > > I'm having wonderful thoughts of Michael Palin's favourite Python
>> > > > sketch which involved fish slapping.
>> > > >
>> > > Well, ChrisA _has_ mentioned Pike in this thread. :-)
>> >
>> > But you know he does it just for the halibut...
>> >
>> Are you guys fishing for complements?
>
> I never thought I'd get cod in a pun thread outside of reddit.
>
And a programming newsgroup isn't really the plaice for it anyway!


#82825

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-23 12:39 +1100
Message-ID: <mailman.17149.1419299170.18130.python-list@python.org>
In reply to: #82822

On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
> And a programming newsgroup isn't really the plaice for it anyway!

And yet we do carp on a bit, don't we...

ChrisA


#82829

From: Mark Lawrence <breamoreboy@yahoo.co.uk>
Date: 2014-12-23 02:36 +0000
Message-ID: <mailman.17150.1419302206.18130.python-list@python.org>
In reply to: #82822

On 23/12/2014 01:39, Chris Angelico wrote:
> On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
>> And a programming newsgroup isn't really the plaice for it anyway!
>
> And yet we do carp on a bit, don't we...
>
> ChrisA
>

Gordon Bennett what have I started?  You dangle a bit of bait and...

-- 
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.

Mark Lawrence


#82844

From: Dennis Lee Bieber <wlfraed@ix.netcom.com>
Date: 2014-12-23 12:24 -0500
Message-ID: <mailman.17155.1419355490.18130.python-list@python.org>
In reply to: #82822

On Tue, 23 Dec 2014 02:36:30 +0000, Mark Lawrence <breamoreboy@yahoo.co.uk>
declaimed the following:

>On 23/12/2014 01:39, Chris Angelico wrote:
>> On Tue, Dec 23, 2014 at 12:37 PM, MRAB <python@mrabarnett.plus.com> wrote:
>>> And a programming newsgroup isn't really the plaice for it anyway!
>>
>> And yet we do carp on a bit, don't we...
>>
>> ChrisA
>>
>
>Gordon Bennett what have I started?  You dangle a bit of bait and...

	Well... you could have been trolling...
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/


#82823

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-23 12:03 +1100
Message-ID: <mailman.17147.1419296618.18130.python-list@python.org>
In reply to: #82821

On Tue, Dec 23, 2014 at 11:55 AM, Roy Smith <roy@panix.com> wrote:
> In article <mailman.17133.1419276169.18130.python-list@python.org>,
>  Tim Chase <python.list@tim.thechases.com> wrote:
>
>> On 2014-12-22 19:05, MRAB wrote:
>> > On 2014-12-22 18:51, Mark Lawrence wrote:
>> > > I'm having wonderful thoughts of Michael Palin's favourite Python
>> > > sketch which involved fish slapping.
>> > >
>> > Well, ChrisA _has_ mentioned Pike in this thread. :-)
>>
>> But you know he does it just for the halibut...
>>
> Are you guys fishing for complements?

That has nothing to do with it, it's just a red herring!

ChrisA


#82802 — Encryption - was Hello World

From: Dave Angel <d@davea.name>
Date: 2014-12-22 14:57 -0500
Subject: Encryption - was Hello World
Message-ID: <mailman.17134.1419278249.18130.python-list@python.org>
In reply to: #82785

On 12/22/2014 12:25 PM, Chris Angelico wrote:
> There's one exception. Writing your own crypto is a bad idea if that
> means reimplementing AES... but if you want something that's effective
> on completely different levels, sometimes it's best to write your own.
> I had a project a while ago that needed some encryption work done, and
> I implemented something that I described as "scarily effective". My
> boss demanded that the debug code-execution feature be protected by a
> password that would be strong even if someone could read the source
> code, so I put together something that would hash the incoming
> password, then check to see if the first two and last two bytes of the
> hash were all the same byte value as the current hour-of-week (ranging
> from 0 to 167). This is clearly more secure than simply embedding a
> SHA256 hash in the source code, because you can't possibly
> reverse-engineer it (since you don't even have the full hash). And
> yes, this was 100% effective in convincing my boss that the code
> executor was safely guarded. Since that was the goal, having several
> lines of complex and opaque code was far better than a single line
> that says "if hash(password)=='5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8':
> do stuff", which is way too easy for someone to decode.
>
> And it was, indeed, scarily effective. That lasted for a long time,
> and any time there was a question about security, I could just point
> to that and say "See? Safe."...

I figure I must be misunderstanding something in your explanation, since 
a brute-force password guesser would seem to only need four billion 
tries to (probably) crack that.

1) Are you assuming that the cracker can read the source code, but 
cannot modify the version of the code that is running?

2) Are you really doing something equivalent to:

test = time_calc()  # get a one-byte byte-string according to hour of the week
encoded_pw = hash(password)
if encoded_pw.startswith(test*2) and encoded_pw.endswith(test*2):
    pass  # ---passed---

I can understand that being sufficiently obscure for the pointy haired 
boss, but I figure I've got to be missing something.  A quick test with 
3.2 shows that around a million hashes can be generated per second, so 
checking four billion is only an hour or so.  Since some of them will 
collide, that gives us something better than 50% likelihood of having 
found a useful pw in an hour.  But a few more hours and we'll most 
likely have it.

For that matter, you must have already written such a pw finder.

I'm back to figuring I'm misunderstanding what you're saying.


-- 
DaveA


#82811 — Re: Encryption - was Hello World

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-23 09:29 +1100
Subject: Re: Encryption - was Hello World
Message-ID: <mailman.17139.1419287363.18130.python-list@python.org>
In reply to: #82785

On Tue, Dec 23, 2014 at 6:57 AM, Dave Angel <d@davea.name> wrote:
> I figure I must be misunderstanding something in your explanation, since a
> brute-force password guesser would seem to only need four billion tries to
> (probably) crack that.
>
> 1) Are you assuming that the cracker can read the source code, but cannot
> modify the version of the code that is running?
>
> 2) Are you really doing something equivalent to:
>
> test = time_calc() - get a one-byte byte-string according to hour of the
> week
> encoded_pw = hash(password)
> if encoded_pw.startswith(test*2) and encoded_pw.endswith(test*2):
>       ---passed---
>
> I can understand that being sufficiently obscure for the pointy haired boss,
> but I figure I've got to be missing something.  A quick test with 3.2 shows
> that around a million hashes can be generated per second, so checking four
> billion is only an hour or so.  Since some of them will collide, that gives
> us something better than 50% likelihood of having found a useful pw in an
> hour.  But a few more hours and we'll most likely have it.
>
> For that matter, you must have already written such a pw finder.
>
> I'm back to figuring I'm misunderstanding what you're saying.

No, actually you're understanding that fairly well. Of course, I
didn't share the password finder script.

The code was similar in functionality to what you describe, but it
used a more obscure coding style so it wasn't obvious. Imagine using a
regex to verify that part of the hash. (It wasn't actually a regex,
but it wasn't Python either, and the significance is that it was
obfuscated code.) I don't remember exactly which hashing algorithm I
was using for this, but the password finder took about a week (running
roughly eight hours a day, while I was there) to cover most of the
required passwords.

As to the assumptions... uhh... that was never something I really
understood. I think you're probably right, and this was part of the
paranoia of "my code might be stolen". You're attempting to attribute
a level of logic to the requirements which has no supporting evidence
:)

But what you've proven above is how ineffective this technique is at
keeping out a determined, and mathematically-adept, attacker. Yaknow,
*real* security. This code was *extremely* effective at satisfying my
boss. As I said, he wasn't satisfied with the idea of just embedding a
SHA256 hash into the code; I would have used an XKCD 936 compliant
password, so brute-forcing that would take (assuming your
million-hashes-per-second figure) about a year, and that assuming the
attacker knew my exact style.

Aside: XKCD 936 overestimates the time to generate guesses (1000/sec),
which presumably means it's not talking about reversing a hash, but
attempting some other attack. (Not a big deal, since the same figure
is used for both types of password.) But it also underestimates the
password entropy of four words. Let's see. First off, a 4K corpus
isn't that hard to work with, so that potentially gives you another
four bits of entropy; in /usr/share/dict/words I have 72861 words with
no capital letters, punctuation, etc, so it wouldn't be unreasonable
to push that up even to 16 bits per word (which sounds weird, worded
like that), raising the total entropy from 44 bits to 64. And there's
no guarantee that one person's corpus will exactly match another's.
Plus, you might and might not capitalize the first letters of the
words (another bit), and you could run them together with no
punctuation, or use any common punctuation to separate them (space, or
"-:,./\" - eight easy options, 3 bits). So in theory, an attacker
might know that you're using an XKCD 936 password, but there could
still be up to 68 bits of entropy, *easily*. Even in a dedicated
personal attack, the estimate of 44 bits would be an absolute minimum,
and it's likely to cost rather more than that.

ChrisA
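
An added example, not code from any poster in the thread: it restates the hour-of-week hash test from the "Encryption" sub-thread as runnable Python, checks the work-factor and entropy figures quoted in the posts, and sets the test beside a salted PBKDF2 comparison of the full digest. SHA-256, the Monday-based hour count, the 2048-word baseline (11 bits per word, which gives the 44 bits cited) and all function names are assumptions of this example.

```python
import hashlib
import hmac
import math
import os
from datetime import datetime

HASHES_PER_SECOND = 1_000_000  # guessing rate quoted in the thread


def hour_of_week(now: datetime) -> int:
    """0..167; counting from Monday 00:00 is an assumption of this example."""
    return now.weekday() * 24 + now.hour


def weak_accepts(digest: bytes, hour: int) -> bool:
    """The described test: first two and last two digest bytes equal the hour."""
    marker = bytes([hour]) * 2
    return digest.startswith(marker) and digest.endswith(marker)


def weak_check(password: bytes, now: datetime) -> bool:
    # SHA-256 is an assumption; the thread does not name the algorithm used.
    return weak_accepts(hashlib.sha256(password).digest(), hour_of_week(now))


def hit_probability(bits_compared: int, guesses: int) -> float:
    """Chance that at least one of `guesses` random inputs passes the test."""
    miss = math.log1p(-(2.0 ** -bits_compared))
    return -math.expm1(guesses * miss)


def sweep_hours(bits: float, rate: int = HASHES_PER_SECOND) -> float:
    """Hours needed to try 2**bits candidates at `rate` hashes per second."""
    return 2.0 ** bits / rate / 3600


def passphrase_bits(wordlist_size, words=4, capitalisations=1, separators=1):
    """Entropy of a random-word passphrase plus optional style choices."""
    return (words * math.log2(wordlist_size)
            + math.log2(capitalisations) + math.log2(separators))


def make_record(password: bytes, iterations: int = 200_000):
    """Hardened form: store a per-password salt and a slow, full-length hash."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def strong_check(password: bytes, record) -> bool:
    """Recompute the full digest and compare all of it in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed digests (not real hashes): the 28 middle bytes are ignored.
    hour = hour_of_week(datetime(2014, 12, 22, 19, 5))
    marker = bytes([hour]) * 2
    for middle in (bytes(28), b"\xff" * 28):
        print("weak test accepts:", weak_accepts(marker + middle + marker, hour))

    print("bits compared by weak test: 32")
    print("P(hit) after 2**32 guesses: %.3f" % hit_probability(32, 2 ** 32))
    print("hours for 2**32 guesses:    %.2f" % sweep_hours(32))
    print("P(hit) on a full 256-bit compare, same effort: %.1e"
          % hit_probability(256, 2 ** 32))

    print("4 words from 2048:   %.0f bits" % passphrase_bits(2048))
    print("4 words from 4096:   %.0f bits" % passphrase_bits(4096))
    print("4 words from 65536:  %.0f bits" % passphrase_bits(65536))
    print("plus case and 8 separators: %.0f bits"
          % passphrase_bits(65536, capitalisations=2, separators=8))

    record = make_record(b"correct horse battery staple")
    print("strong check, right password:", strong_check(b"correct horse battery staple", record))
    print("strong check, wrong password:", strong_check(b"Tr0ub4dor&3", record))
```

The weak test's acceptance rate depends only on the 32 bits it compares, so choosing a stronger password does not raise the cost of passing it.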


#82814 — Re: Encryption - was Hello World

From: Dave Angel <davea@davea.name>
Date: 2014-12-22 18:22 -0500
Subject: Re: Encryption - was Hello World
Message-ID: <mailman.17141.1419290548.18130.python-list@python.org>
In reply to: #82785

On 12/22/2014 05:29 PM, Chris Angelico wrote:
> On Tue, Dec 23, 2014 at 6:57 AM, Dave Angel <d@davea.name> wrote:
>> I figure I must be misunderstanding something in your explanation, since a
>> brute-force password guesser would seem to only need four billion tries to
>> (probably) crack that.
>>
     <snip>
>
> As to the assumptions... uhh... that was never something I really
> understood. I think you're probably right, and this was part of the
> paranoia of "my code might be stolen". You're attempting to attribute
> a level of logic to the requirements which has no supporting evidence
> :)
>

I recall a DLL that implemented the license check, and an application 
called a function in the DLL and looked for true or false.  Even the 
exported function name was a pretty good clue.  And extremely easy to 
intercept and defeat.  I did convince the company (my employer, though I 
didn't normally work on the license stuff) to statically link instead. 
And to stop shipping all the symbols with the executable.  Most security 
flaws are of this form, not sophisticated cracking.

I also wrote my own form of protection in 1976 to make it difficult for 
somebody to retrieve source.  The previous version had simply added a 
protect bit to the image file.  Mine saved a completely different file 
every time you re-saved the program data, to try to make it hard (not 
impossible) to recover it.  Then it stored a separate key in each sector 
of the file so reading it into the interpreter was always possible.  I 
had a couple of constraints - the file couldn't grow, and it had to be 
fast enough to have no impact on load time.

I had a guy claim that the CIA got interested in the code, and cracked 
it during a lunch hour.  But I suspect somebody got hold of the source 
code, which was available to our field service staff.

There were a couple of iterations before this code was stable.  Not in 
the algorithm, but in what amounted to a few back-doors.  For example, 
it turns out the error display logic would show the line in error, 
unencrypted.  So people would munge the code sufficiently to cause 
errors on most lines, and retrieve them one at a time.

Another thing I did in 1976 which was apparently unusual was to add a 
checksum to the code itself.  The Boot Rom would self-check before 
starting the machine, and it also checksummed the loadable microcode 
before passing control to it.  Prevented some corruption problems.

Another thing that machine did was to run a RAM diagnostic from the time 
it booted till the operator specified the drive from which to fetch the 
microcode.  The entire test took many minutes to run, but it was 
entirely silent unless a problem occurred.  No pass counts or anything. 
When I added that code, manufacturing found some machines that had 
been put aside as flaky, actually had RAM errors.  The test was 
necessarily crude, because the entire boot, including disk logic, had to 
fit in 1k.

Ahh... memories.

-- 
DaveA


#82741

From: Rustom Mody <rustompmody@gmail.com>
Date: 2014-12-21 18:37 -0800
Message-ID: <e41f17a2-6244-4f60-b504-de03838634fa@googlegroups.com>
In reply to: #82726

On Monday, December 22, 2014 4:21:13 AM UTC+5:30, Steven D'Aprano wrote:
> 
> Awww, did da widdle puddy tat get up on the wrong side of the bed this
> morning? :-)
> 
> 
> Obviously you don't write obfuscated code like this for production use,
> except in such cases where you deliberately want to write obfuscated code
> for production use.
> 
> Any beginner with 3 seconds experience with Python can write:
> 
>     print "Hello World"
> 

Bad Boy -- Stand in the corner for forgetting the '()'
[Good boys use python3]
On a more serious note...

> Tony the Tiger wrote:
> 
> > On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote:
> > 
> >> I am in total awe.
> > 
> > I'm not. It has no real value. Write your code like that and you'll soon
> > be looking for a new job.


If a python teacher wanted, that blog has enough internal python mechanisms on display strung together into a cute result
for a number of lectures. [If only I could wrap my brain round it all]

IOW learning language-L and real world programming in L are 
quite different. Related to 

1. People read programs far more often than they write
2. Different types of vocabularies
http://en.wikipedia.org/wiki/Vocabulary#Degree_of_knowledge
and next


#82753

From: Steve Hayes <hayesstw@telkomsa.net>
Date: 2014-12-22 08:21 +0200
Message-ID: <0udf9a1m3n02rt06a5ib58mvifm7sdeg31@4ax.com>
In reply to: #82726

On Mon, 22 Dec 2014 09:51:02 +1100, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:

>Tony the Tiger wrote:
>
>> On Sat, 20 Dec 2014 23:57:08 +1100, Steven D'Aprano wrote:
>> 
>>> I am in total awe.
>> 
>> I'm not. It has no real value. Write your code like that and you'll soon
>> be looking for a new job.
>
>Awww, did da widdle puddy tat get up on the wrong side of the bed this
>morning? :-)
>
>
>Obviously you don't write obfuscated code like this for production use,
>except in such cases where you deliberately want to write obfuscated code
>for production use.

Yes, my initial reaction was "that's awesome".

And my second thought was that it was scary.

I ran it. It worked, and printed "Hello world". I was awed.

But what if I had run it and it reformatted my hard disk?

How would I have known that it would or wouldn't do that?


-- 
Steve Hayes from Tshwane, South Africa
Web:  http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk


#82755

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-22 17:33 +1100
Message-ID: <mailman.17110.1419229999.18130.python-list@python.org>
In reply to: #82753

On Mon, Dec 22, 2014 at 5:21 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> Yes, my initial reaction was "that's awesome".
>
> And my second thought was that it was scary.
>
> I ran it. It worked, and printed "Hello world". I was awed.
>
> But what if I had run it and it reformatted my hard disk?
>
> How would I have known that it would or wouldn't do that?

You trust that (a) Steven D'Aprano isn't going to give you outright
malicious code (or that he trusts that the original author won't), and
that (b) your hard disk cannot be reformatted by a non-root user.
Every major platform has this kind of privilege separation (Windows
doesn't call it "root" but "Administrator", but the effect is, AIUI,
equivalent), so unless you're running random scripts from the internet
with maximum privileges, you should be safe.

Frankly, though, it's no worse than downloading binary code from the
internet and running it. How do you know that the executable you just
downloaded really is what it claims to be, that you didn't get some
MITM shipping you a malicious binary? Yet men and women do this every
day, with none to say "Oh the pity of it", save me and fools like me.

ChrisA


#82756

From: Steve Hayes <hayesstw@telkomsa.net>
Date: 2014-12-22 09:46 +0200
Message-ID: <ssif9ah8432e19uvp7eqvskmkspjiemg16@4ax.com>
In reply to: #82755

On Mon, 22 Dec 2014 17:33:10 +1100, Chris Angelico <rosuav@gmail.com> wrote:

>On Mon, Dec 22, 2014 at 5:21 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
>> Yes, my initial reaction was "that's awesome".
>>
>> And my second thought was that it was scary.
>>
>> I ran it. It worked, and printed "Hello world". I was awed.
>>
>> But what if I had run it and it reformatted my hard disk?
>>
>> How would I have known that it would or wouldn't do that?
>
>You trust that (a) Steven D'Aprano isn't going to give you outright
>malicious code (or that he trusts that the original author won't), and
>that (b) your hard disk cannot be reformatted by a non-root user.
>Every major platform has this kind of privilege separation (Windows
>doesn't call it "root" but "Administrator", but the effect is, AIUI,
>equivalent), so unless you're running random scripts from the internet
>with maximum privileges, you should be safe.

Well yes, (a) is what I did and why I ran it. 

But a hacker who can write that kind of stuff can probably bypass any
safeguards built into the OS. 

As others have pointed out, it's not so much coding as black magic!


-- 
Steve Hayes from Tshwane, South Africa
Web:  http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk



#82757

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-22 18:56 +1100
Message-ID: <mailman.17111.1419234992.18130.python-list@python.org>
In reply to: #82756

On Mon, Dec 22, 2014 at 6:46 PM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> But a hacker who can write that kind of stuff can probably bypass any
> safeguards built into the OS.

This isn't magic. You can't just do more of it to get past the
firewalls, like in sci fi. It's much MUCH easier to attack the humans
than the computers.

ChrisA



#82763

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2014-12-22 20:18 +1100
Message-ID: <5497e1d5$0$12978$c3e8da3$5496439d@news.astraweb.com>
In reply to: #82753

Steve Hayes wrote:

> Yes, my initial reaction was "that's awesome".
> 
> And my second thought was that it was scary.
> 
> I ran it. It worked, and printed "Hello world". I was awed.
> 
> But what if I had run it and it reformatted my hard disk?
> 
> How would I have known that it would or wouldn't do that?

That's why I didn't run it myself :-)

Seriously. I read the blog post, it seemed legitimate, I could follow the
explanation for how it worked well enough to be convinced it would work,
but I didn't try running it myself.

If I had, I would have made sure I was running as an unprivileged user, not
the superuser/Administrator account. Actually, since I care more about my
personal files than the operating system, I'd prefer to *not* use my normal
account. This being Linux, I can run suspicious code as the "nobody" user:

[steve@ando ~]$ sudo -u nobody python -c "print 'Hello World'"
Hello World


Running as nobody limits the harm a rogue script might do:

[steve@ando ~]$ sudo -u nobody python -c "import os; os.listdir('/home/steve')"
Traceback (most recent call last):
  File "<string>", line 1, in ?
OSError: [Errno 13] Permission denied: '/home/steve'


Ultimately, I'm trusting the security of my operating system.





-- 
Steven
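
The post above relies on file permissions to contain code run as "nobody". As an added example (not code from the thread), this audit applies the classic owner/group/other rule to show what a given uid could read or write before anything is run under it. The uid 65534 for nobody, uid 1000 for steve and the sample tree are assumptions, constructed for illustration.

```python
import os
import stat

R, W, X = 4, 2, 1  # permission bits within one owner/group/other triplet

def mode_allows(st, uid, gids, want):
    """Classic Unix check on one stat result; ACLs, capabilities and
    SELinux/AppArmor are not modelled."""
    if uid == 0:
        return True  # simplification: root bypasses the mode bits
    perms = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:          # only the first matching class counts
        bits = perms >> 6
    elif st.st_gid in gids:
        bits = perms >> 3
    else:
        bits = perms
    return (bits & 7 & want) == want

def can_reach(path, uid, gids, want, stat_fn=os.stat):
    """True if uid may traverse every parent directory (x bit) and has
    `want` on the final path component. stat_fn is injectable for tests."""
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    while True:
        if not mode_allows(stat_fn(parent), uid, gids, X):
            return False
        up = os.path.dirname(parent)
        if up == parent:
            return mode_allows(stat_fn(path), uid, gids, want)
        parent = up

def fake(mode, uid, gid):
    """Build a stat result for the constructed tree below."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

# Constructed sample tree (not from the thread): uid 1000 stands in for
# "steve", 65534 for "nobody"; check `id nobody` on a real machine.
TREE = {
    "/": fake(0o40755, 0, 0),
    "/home": fake(0o40755, 0, 0),
    "/home/steve": fake(0o40700, 1000, 1000),
    "/home/steve/notes.txt": fake(0o100644, 1000, 1000),
    "/tmp": fake(0o41777, 0, 0),
}

def audit(paths, uid=65534, gids=frozenset({65534}), stat_fn=TREE.__getitem__):
    """Map each path to the access ('r', 'w', 'rw' or '') uid would get."""
    return {p: "".join(c for c, b in (("r", R), ("w", W))
                       if can_reach(p, uid, gids, b, stat_fn)) for p in paths}

if __name__ == "__main__":
    print(audit(["/home/steve", "/home/steve/notes.txt", "/tmp"]))
```

Pass `stat_fn=os.stat` to audit real paths; the world-readable file stays out of reach only because its parent directory denies traversal, while `/tmp` remains writable to the sandbox account.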



#82765

From: Marko Rauhamaa <marko@pacujo.net>
Date: 2014-12-22 11:34 +0200
Message-ID: <87wq5krpsd.fsf@elektro.pacujo.net>
In reply to: #82763

Steven D'Aprano <steve+comp.lang.python@pearwood.info>:

> Steve Hayes wrote:
>> But what if I had run it and it reformatted my hard disk?
>> 
>> How would I have known that it would or wouldn't do that?
>
> That's why I didn't run it myself :-)

Well, I admit having run

   yum install python3

as root.

> Ultimately, I'm trusting the security of my operating system.

Ultimately, I'm trusting my luck.


Marko



#82831

From: Rustom Mody <rustompmody@gmail.com>
Date: 2014-12-22 19:38 -0800
Message-ID: <d757daec-54df-47b4-839d-897ef3cb2822@googlegroups.com>
In reply to: #82765

On Monday, December 22, 2014 3:04:52 PM UTC+5:30, Marko Rauhamaa wrote:
> Steven D'Aprano :
> 
> > Steve Hayes wrote:
> >> But what if I had run it and it reformatted my hard disk?
> >> 
> >> How would I have known that it would or wouldn't do that?
> >
> > That's why I didn't run it myself :-)
> 
> Well, I admit having run
> 
>    yum install python3
> 
> as root.
> 
> > Ultimately, I'm trusting the security of my operating system.
> 
> Ultimately, I'm trusting my luck.
> 

Oh, that's nothing.

I've eaten cookies. Given by strangers, they can contain narcotics, you know!

I've even walked on the road.  Mines? You've heard of them, right?!? People get
their legs blown off [shivers]

Only computers I don't use -- Just too dangerous.
If cars and bikes can have bombs -- why not a computer?

Speaking of which you guys have been had by Steven.
That was not an innocent Hello World program.
All those who tried it Beware!
On the next Friday the 13th when you hear the wings of werewolves waffling inside your
disk drive... you know who is responsible
[Sound of eerie music]

======================

Merry Christmas everyone!



#82770

From: Roy Smith <roy@panix.com>
Date: 2014-12-22 08:15 -0500
Message-ID: <roy-5247EA.08145622122014@news.panix.com>
In reply to: #82763

In article <5497e1d5$0$12978$c3e8da3$5496439d@news.astraweb.com>,
 Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:

> Steve Hayes wrote:
> 
> > Yes, my initial reaction was "that's awesome".
> > 
> > And my second thought was that it was scary.
> > 
> > I ran it. It worked, and printed "Hello world". I was awed.
> > 
> > But what if I had run it and it reformatted my hard disk?
> > 
> > How would I have known that it would or wouldn't do that?
> 
> That's why I didn't run it myself :-)
> 
> Seriously. I read the blog post, it seemed legitimate, I could follow the
> explanation for how it worked well enough to be convinced it would work,
> but I didn't try running it myself.
> 
> If I had, I would have made sure I was running as an unprivileged user, not
> the superuser/Administrator account. Actually, since I care more about my
> personal files than the operating system, I'd prefer to *not* use my normal
> account. This being Linux, I can run suspicious code as the "nobody" user:

If I really didn't trust something, I'd go to AWS and spin up one of 
their free-tier micro instances and run it there :-)



#82772

From: Chris Angelico <rosuav@gmail.com>
Date: 2014-12-23 00:23 +1100
Message-ID: <mailman.17119.1419254621.18130.python-list@python.org>
In reply to: #82770

On Tue, Dec 23, 2014 at 12:15 AM, Roy Smith <roy@panix.com> wrote:
> If I really didn't trust something, I'd go to AWS and spin up one of
> their free-tier micro instances and run it there :-)

How do you know it won't create console output that stroboscopically
infects you with a virus through your eyes? Because that's *totally*
what would be done in the town of Eureka.

(I miss that show. Their technobabble was so mindbogglingly bad it
became rather funny.)

ChrisA
