


Re: Can I trust downloading Python?

Started by Fattburger <none@none.com>
First post 2013-09-09 12:19 +0000
Last post 2013-09-10 18:20 +0200
Articles 8 — 7 participants



Contents

  Re: Can I trust downloading Python? Fattburger <none@none.com> - 2013-09-09 12:19 +0000
    Re: Can I trust downloading Python? Tony the Tiger <tony@tiger.invalid> - 2013-09-09 14:41 -0500
    Re: Can I trust downloading Python? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-09-10 00:06 +0000
      Re: Can I trust downloading Python? Oscar Benjamin <oscar.j.benjamin@gmail.com> - 2013-09-10 10:45 +0100
        Re: Can I trust downloading Python? Tom P <werotizy@freent.dd> - 2013-09-10 12:26 +0200
        Re: Can I trust downloading Python? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-09-10 14:40 +0000
      Re: Can I trust downloading Python? Chris Angelico <rosuav@gmail.com> - 2013-09-10 20:05 +1000
      Re: Can I trust downloading Python? Wolfgang Keller <feliphil@gmx.net> - 2013-09-10 18:20 +0200

#53864 — Re: Can I trust downloading Python?

From Fattburger <none@none.com>
Date 2013-09-09 12:19 +0000
Subject Re: Can I trust downloading Python?
Message-ID <31jXt.43447$Hr1.23199@en-nntp-03.dc1.easynews.com>
On Sun, 08 Sep 2013 03:37:15 +0000, Dave Angel wrote:

> 1) what OS are you running?  Actually, we can be pretty sure you're
> running Windows, since any other common operating system would have
> already included Python.

Plus I don't often run into Linux users who worry about viruses, unless 
the braces-and-pimples crowd has expanded its horizons recently and 
started creating malware that does anything in Linux.



#53887

From Tony the Tiger <tony@tiger.invalid>
Date 2013-09-09 14:41 -0500
Message-ID <1eydnWTtKbQcubPPnZ2dnUVZ8qOdnZ2d@giganews.com>
In reply to #53864
On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:

> Plus I don't often run into Linux users who worry about viruses, unless
> the braces-and-pimples crowd has expanded its horizons recently and
> started creating malware that does anything in Linux.

Nah, there are no ready-made scripts to download.


 /Grrr
-- 
          ___                  ___
 (\_--_/)  | _ ._    _|_|_  _   |o _  _ ._
 ( 9  9 )  |(_)| |\/  |_| |(/_  ||(_|(/_|
 stripes are forever - as overripe ferrets



#53894

From Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date 2013-09-10 00:06 +0000
Message-ID <522e626c$0$29988$c3e8da3$5496439d@news.astraweb.com>
In reply to #53864
On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:

> On Sun, 08 Sep 2013 03:37:15 +0000, Dave Angel wrote:
> 
>> 1) what OS are you running?  Actually, we can be pretty sure you're
>> running Windows, since any other common operating system would have
>> already included Python.
> 
> Plus I don't often run into Linux users who worry about viruses, unless
> the braces-and-pimples crowd has expanded its horizons recently and
> started creating malware that does anything in Linux.

Hello, the 1990s called and want their stereotypes back.

Malware in 2013 is not about loser nerds erasing your hard drive for the 
lulz. It's a multi-million dollar a year business, mostly driven by 
spammers, but with small yet profitable niche markets for industrial 
espionage and blackmail ("we've encrypted your files -- pay us $100 and 
we'll send you the key"). Plus so-called law enforcement[1] uses it to 
break into people's computers, for keylogging, etc., and you better 
believe they have cracks targeted at Linux. Of course, Linux is a much 
harder target than the average unpatched Windows box, and there are 
probably easier ways to get access to your files if they really need to.

But really, we've learned *nothing* from the viruses of the 1990s. 
Remember when we used to talk about how crazy it was to download code 
from untrusted sites on the Internet and execute it? We're still doing 
it, a hundred times a day. Every time you go on the Internet, you 
download other people's code and execute it. Javascript, Flash, HTML5, 
PDF are all either executable, or they include executable components. Now 
they're *supposed* to be sandboxed, but we've gone from "don't execute 
untrusted code" to "let's hope my browser doesn't have any bugs that the 
untrusted code might exploit".

The people driving malware these days are not script-kiddies, but 
professionals, up to and including some of the smartest and most highly 
funded professionals in the world. Stuxnet anyone?




[1] I say "so-called", because far too often the people who are supposed 
to be upholding the law are actually breaking the law with impunity.



-- 
Steven



#53911

From Oscar Benjamin <oscar.j.benjamin@gmail.com>
Date 2013-09-10 10:45 +0100
Message-ID <mailman.205.1378806345.5461.python-list@python.org>
In reply to #53894
On 10 September 2013 01:06, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>
> But really, we've learned *nothing* from the viruses of the 1990s.
> Remember when we used to talk about how crazy it was to download code
> from untrusted sites on the Internet and execute it? We're still doing
> it, a hundred times a day. Every time you go on the Internet, you
> download other people's code and execute it. Javascript, Flash, HTML5,
> PDF are all either executable, or they include executable components. Now
> they're *supposed* to be sandboxed, but we've gone from "don't execute
> untrusted code" to "let's hope my browser doesn't have any bugs that the
> untrusted code might exploit".

You could have also mentioned pip/PyPI in that. 'pip install X'
downloads and runs arbitrary code from a largely unmonitored and
uncontrolled code repository. The maintainers of PyPI can only try to
ensure that the original author of X would remain in control of what
happens and could remove a package X if it were discovered to be
malware. However they don't have anything like the resources to
monitor all the code coming in so it's essentially a system based on
trust in the authors where the only requirement to be an author is
that you have an email address. Occasionally I see the suggestion to
do 'sudo pip install X' which literally gives root permissions to
arbitrary code coming straight from the net.


Oscar
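Oscar's point that pip's safety reduces to trust in whoever holds the author's account has a standard mitigation: pin the exact version and a digest of the artifact you actually reviewed, so that a file differing from the pin is refused before any of it runs. The block below is an added example, not code from the thread or from pip itself; it reimplements that check in the spirit of pip's `--require-hashes` mode, and the package name, version and file bytes are constructed for illustration.

```python
import hashlib
import re
import shlex

# Hash-pinned requirement line, same syntax pip accepts in --require-hashes mode:
#   name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)$")


def parse_pinned_requirements(text):
    """Return {name: {"version": ..., "hashes": {hexdigest, ...}}}.
    A line without an exact version pin or without any --hash is refused:
    a floating requirement cannot be checked against anything."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        m = _PIN_RE.match(parts[0])
        if m is None:
            raise ValueError(f"not an exact pin: {line!r}")
        hashes = set()
        for opt in parts[1:]:
            if not opt.startswith("--hash=sha256:"):
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            hashes.add(opt[len("--hash=sha256:"):].lower())
        if not hashes:
            raise ValueError(f"no --hash for {m['name']}: refusing to trust it")
        pinned[m["name"].lower()] = {"version": m["version"], "hashes": hashes}
    return pinned


def artifact_is_trusted(name, data, pinned):
    """True only if `data` (the downloaded file, hashed before anything in it
    is executed) matches one of the digests pinned for `name`."""
    entry = pinned.get(name.lower())
    return entry is not None and hashlib.sha256(data).hexdigest() in entry["hashes"]


# Constructed stand-ins for an sdist as fetched by `pip download`: the pin is
# the digest of the copy that was reviewed; the second file is an altered copy.
GOOD_SDIST = b"constructed sdist bytes for example-pkg 1.0\n"
TAMPERED_SDIST = GOOD_SDIST + b"one extra line\n"
REQUIREMENTS = f"example-pkg==1.0 --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"

if __name__ == "__main__":
    pins = parse_pinned_requirements(REQUIREMENTS)
    print(artifact_is_trusted("example-pkg", GOOD_SDIST, pins))      # True
    print(artifact_is_trusted("example-pkg", TAMPERED_SDIST, pins))  # False
```

Installing into a virtualenv rather than via `sudo pip` adds the second half of the mitigation: even an artifact that passes the hash check runs with only the unprivileged user's permissions.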



#53913

From Tom P <werotizy@freent.dd>
Date 2013-09-10 12:26 +0200
Message-ID <b98affFgnbgU2@mid.individual.net>
In reply to #53911
On 10.09.2013 11:45, Oscar Benjamin wrote:
> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> On Mon, 09 Sep 2013 12:19:11 +0000, Fattburger wrote:
>>
>> But really, we've learned *nothing* from the viruses of the 1990s.
>> Remember when we used to talk about how crazy it was to download code
>> from untrusted sites on the Internet and execute it? We're still doing
>> it, a hundred times a day. Every time you go on the Internet, you
>> download other people's code and execute it. Javascript, Flash, HTML5,
>> PDF are all either executable, or they include executable components. Now
>> they're *supposed* to be sandboxed, but we've gone from "don't execute
>> untrusted code" to "let's hope my browser doesn't have any bugs that the
>> untrusted code might exploit".
>
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to
> monitor all the code coming in so it's essentially a system based on
> trust in the authors where the only requirement to be an author is
> that you have an email address. Occasionally I see the suggestion to
> do 'sudo pip install X' which literally gives root permissions to
> arbitrary code coming straight from the net.
>
>
> Oscar
>

Interesting observation



#53919

From Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date 2013-09-10 14:40 +0000
Message-ID <522f2f65$0$29988$c3e8da3$5496439d@news.astraweb.com>
In reply to #53911
On Tue, 10 Sep 2013 10:45:16 +0100, Oscar Benjamin wrote:

> On 10 September 2013 01:06, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:

[rant about executing code over the internet]
 
> You could have also mentioned pip/PyPI in that. 'pip install X'
> downloads and runs arbitrary code from a largely unmonitored and
> uncontrolled code repository. The maintainers of PyPI can only try to
> ensure that the original author of X would remain in control of what
> happens and could remove a package X if it were discovered to be
> malware. However they don't have anything like the resources to monitor
> all the code coming in so it's essentially a system based on trust in
> the authors where the only requirement to be an author is that you have
> an email address. Occasionally I see the suggestion to do 'sudo pip
> install X' which literally gives root permissions to arbitrary code
> coming straight from the net.

Sure, but there's a significant difference here.

If I were to run "pip install foo", I'm explicitly choosing to trust that 
code. If I don't trust it, I simply don't run pip install. Merely going 
to the PyPI website for package "foo" doesn't run foo, nor does viewing 
the code, or even running "hg update" (or git) on the repository. By 
default, foo doesn't run unless I explicitly run it. pip is *fail safe* 
-- if it fails, or if I don't run it, nothing gets executed.

In contrast, if I go to foo.com, the default is "everything will run". I 
have *no idea* what's going to happen until I get there. The default is 
"run anything, unless explicitly turned off" instead of "don't run, 
unless explicitly turned on". Even if I run NoScript in my browser, or 
turn off Javascript in my browser, I'm hoping that there isn't some 
executable protocol that NoScript doesn't block, or only partially blocks 
("What do you mean web fonts contain executable code?"), or maybe I 
turned Javascript back on so some other site works and forgot to turn it 
off again. Our browsers are fail unsafe -- if they fail, they can run 
untrusted code.

You can't even say "well if you don't trust foo.com, don't go there" 
because while foo.com itself might be trusted, they're probably selling 
advertising, and the advert itself is executable and could come from 
anyone, anywhere.

Imagine that every time you walked into a shop, the shop could instantly, 
irreversibly and silently deduct whatever amount of money from your 
credit card it liked, unless you remembered to put your credit card 
inside a metal wallet before entering the store. But most stores won't 
let you in if you do, or at least the shopping experience is painful. So 
we just hope that the store won't take advantage of that ability and rob 
us blind. That's not too far from the Internet security model.



-- 
Steven



#53915

From Chris Angelico <rosuav@gmail.com>
Date 2013-09-10 20:05 +1000
Message-ID <mailman.208.1378811533.5461.python-list@python.org>
In reply to #53894
On Tue, Sep 10, 2013 at 10:06 AM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> Of course, Linux is a much
> harder target than the average unpatched Windows box, and there are
> probably easier ways to get access to your files if they really need to.

Plus "Linux" isn't a single target. You can search the internet for
Windows XP boxes and there's an extremely high chance they'll all be
running the same base services; when you're attacking Linux, there's a
much MUCH smaller set of common code, with most attacks being aimed at
an application - which may or may not be running on any given
computer. So there's a lot less chance that you'll be randomly
assaulted just for connecting to the internet; the attacks are most
likely to come from browsing a site that exploits a Javascript
vulnerability.

I'm not particularly bothered by the possibility of someone snooping
at what I'm doing. Oh how terrible, they'll discover that I'm just as
nerdy in private as I am in public...

ChrisA



#53924

From Wolfgang Keller <feliphil@gmx.net>
Date 2013-09-10 18:20 +0200
Message-ID <20130910182048.9fb5c15137155e8a3d98ddc5@gmx.net>
In reply to #53894
> Every time you go on the Internet, you download other people's code
> and execute it. Javascript, Flash, HTML5, PDF are all either
> executable, or they include executable components.

That's why I deactivate all of these by default. And why I *hate*
so-called "web designers" who *require* activation of such fancy flashy
nonsense gadgets.

PDF files are an exception since PDF was originally designed as a
"safe" subset of PostScript (PostScript viruses had been demonstrated).
Now Adobe has jeopardized this by allowing embedding of Javascript in
PDF files (but that as well is deactivated by default for me).

Sincerely,

Wolfgang




