Python Magazine

Started by: DRJ Reddy <rama29065@gmail.com>
First post: 2013-05-24 20:19 -0700
Last post: 2013-05-25 16:56 +0200
Articles: 20 on this page of 42 — 12 participants


Contents

  Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-24 20:19 -0700
    Re: Python Magazine Roy Smith <roy@panix.com> - 2013-05-24 23:35 -0400
      Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-24 20:38 -0700
      Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-25 13:48 +1000
        Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-24 21:11 -0700
        Re: Python Magazine zoom <zoom@yahoo.com> - 2013-05-25 08:38 +0200
          Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-25 16:41 +1000
            Re: Python Magazine Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-05-25 14:29 +0000
              Re: Python Magazine Roy Smith <roy@panix.com> - 2013-05-25 11:30 -0400
                Re: Python Magazine John Ladasky <john_ladasky@sbcglobal.net> - 2013-05-25 18:28 -0700
                  Re: Python Magazine Roy Smith <roy@panix.com> - 2013-05-25 21:54 -0400
                    Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 11:58 +1000
                      Re: Python Magazine Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-05-26 04:03 +0000
                        Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 14:37 +1000
                    Re: Python Magazine John Ladasky <john_ladasky@sbcglobal.net> - 2013-05-25 20:04 -0700
                      Re: Python Magazine Roy Smith <roy@panix.com> - 2013-05-25 23:24 -0400
                      Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 13:45 +1000
                      RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-05-26 07:01 +0300
                      Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 14:31 +1000
                      RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-05-26 08:00 +0300
                      Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 15:17 +1000
                        Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-31 04:11 -0700
                          RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-06-01 11:15 +0300
                            Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-06-05 00:37 -0700
                              RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-06-05 15:20 +0300
                                Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-06-05 09:17 -0700
                                  Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-06-06 03:52 +1000
                                    Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-06-05 22:01 -0700
                    Re: Python Magazine Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-05-26 04:20 +0100
                    Re: Python Magazine Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-05-26 03:50 +0000
                      Re: Python Magazine 88888 Dihedral <dihedral88888@gmail.com> - 2013-06-01 08:08 -0700
    Re: Python Magazine Mark Janssen <dreamingforward@gmail.com> - 2013-05-24 20:38 -0700
      Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-24 20:41 -0700
    RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-05-25 06:43 +0300
      Re: Python Magazine DRJ Reddy <rama29065@gmail.com> - 2013-05-24 21:10 -0700
        RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-05-25 07:22 +0300
        Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-25 14:25 +1000
          Re: Python Magazine Roy Smith <roy@panix.com> - 2013-05-25 11:24 -0400
            Re: Python Magazine Chris Angelico <rosuav@gmail.com> - 2013-05-26 01:30 +1000
            RE: Python Magazine Carlos Nepomuceno <carlosnepomuceno@outlook.com> - 2013-05-25 20:28 +0300
    Re: Python Magazine Michael Poeltl <michael.poeltl@univie.ac.at> - 2013-05-25 07:29 +0200
    Re: Python Magazine Daniel <danielrr2@gmail.com> - 2013-05-25 16:56 +0200


#45944 — Python Magazine

From: DRJ Reddy <rama29065@gmail.com>
Date: 2013-05-24 20:19 -0700
Subject: Python Magazine
Message-ID: <27969350-4dd8-4afa-881a-b4a2364b3cf1@googlegroups.com>
Planning to start a python online chronicle. What you want to see in it. :)



#45947

From: Roy Smith <roy@panix.com>
Date: 2013-05-24 23:35 -0400
Message-ID: <roy-73518B.23353224052013@news.panix.com>
In reply to: #45944
In article <27969350-4dd8-4afa-881a-b4a2364b3cf1@googlegroups.com>,
 DRJ Reddy <rama29065@gmail.com> wrote:

> Planning to start a python online chronicle.What you want to see in it. :)

Issue 1:

"Whitespace as syntax: mistake or magic?"

"Python 3 vs. IPv6: who will win the race for early adoption?"

"Did Python 3 break unicode?  The true story"

"Tuplemania: 100 things you can do with immutable lists"



#45949

From: DRJ Reddy <rama29065@gmail.com>
Date: 2013-05-24 20:38 -0700
Message-ID: <456f63a0-a515-493a-9565-5f3d79cd5ec2@googlegroups.com>
In reply to: #45947
> Issue 1:

> "Whitespace as syntax: mistake or magic?"
Thanks Roy :)



#45952

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-25 13:48 +1000
Message-ID: <mailman.2102.1369453723.3114.python-list@python.org>
In reply to: #45947
On Sat, May 25, 2013 at 1:35 PM, Roy Smith <roy@panix.com> wrote:
> "Python 3 vs. IPv6: who will win the race for early adoption?"

I think Py3 is winning that one so far. But really, both need to get
moving. Neither of my ISPs does IPv6 :(

Seconding the recommendation for QOTW, that's good fun.

ChrisA



#45957

From: DRJ Reddy <rama29065@gmail.com>
Date: 2013-05-24 21:11 -0700
Message-ID: <09c52944-9e80-4ae1-8490-c6451c95b17d@googlegroups.com>
In reply to: #45952
This is what I love about the Python community: faster responses. :)



#45972

From: zoom <zoom@yahoo.com>
Date: 2013-05-25 08:38 +0200
Message-ID: <knpm5i$qls$1@news1.carnet.hr>
In reply to: #45952
But why would anyone want to use IPv6?

On 05/25/2013 05:48 AM, Chris Angelico wrote:
> On Sat, May 25, 2013 at 1:35 PM, Roy Smith<roy@panix.com>  wrote:
>> "Python 3 vs. IPv6: who will win the race for early adoption?"
>
> I think Py3 is winning that one so far. But really, both need to get
> moving. Neither of my ISPs does IPv6 :(
>
> Seconding the recommendation for QOTW, that's good fun.
>
> ChrisA



#45973

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-25 16:41 +1000
Message-ID: <mailman.2115.1369464127.3114.python-list@python.org>
In reply to: #45972
On Sat, May 25, 2013 at 4:38 PM, zoom <zoom@yahoo.com> wrote:
> But why would anyone want to use IPv6?

I hope you're not serious :)

ChrisA



#45995

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-05-25 14:29 +0000
Message-ID: <51a0caac$0$30002$c3e8da3$5496439d@news.astraweb.com>
In reply to: #45973
On Sat, 25 May 2013 16:41:58 +1000, Chris Angelico wrote:

> On Sat, May 25, 2013 at 4:38 PM, zoom <zoom@yahoo.com> wrote:
>> But why would anyone want to use IPv6?
> 
> I hope you're not serious :)

He's planning to drop off the Internet once the IP addresses run out.


-- 
Steven



#46003

From: Roy Smith <roy@panix.com>
Date: 2013-05-25 11:30 -0400
Message-ID: <roy-3B8F45.11301825052013@news.panix.com>
In reply to: #45995
In article <51a0caac$0$30002$c3e8da3$5496439d@news.astraweb.com>,
 Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:

> On Sat, 25 May 2013 16:41:58 +1000, Chris Angelico wrote:
> 
> > On Sat, May 25, 2013 at 4:38 PM, zoom <zoom@yahoo.com> wrote:
> >> But why would anyone want to use IPv6?
> > 
> > I hope you're not serious :)
> 
> He's planning to drop off the Internet once the IP address run out.

We already have run out.  People have gotten so used to being behind NAT 
gateways they don't even understand how evil it is.  From my phone, I 
can call any other phone anywhere in the world.  But I can't talk 
directly to the file server in my neighbor's house across the street?



#46024

From: John Ladasky <john_ladasky@sbcglobal.net>
Date: 2013-05-25 18:28 -0700
Message-ID: <7cd17be8-d455-4db8-b8d0-ccc757db5cff@googlegroups.com>
In reply to: #46003
On Saturday, May 25, 2013 8:30:19 AM UTC-7, Roy Smith wrote:
> From my phone, I 
> can call any other phone anywhere in the world.  But I can't talk  
> directly to the file server in my neighbor's house across the street?

Hmmm... I've been an advocate of IPv6, but... now you've got me thinking of what Iran's new cadre of hackers might do with it!  :^)



#46027

From: Roy Smith <roy@panix.com>
Date: 2013-05-25 21:54 -0400
Message-ID: <roy-3B69E7.21544325052013@news.panix.com>
In reply to: #46024
In article <7cd17be8-d455-4db8-b8d0-ccc757db5cff@googlegroups.com>,
 John Ladasky <john_ladasky@sbcglobal.net> wrote:

> On Saturday, May 25, 2013 8:30:19 AM UTC-7, Roy Smith wrote:
> > From my phone, I 
> > can call any other phone anywhere in the world.  But I can't talk  
> > directly to the file server in my neighbor's house across the street?
> 
> Hmmm... I've been an advocate of IPv6, but... now you've got me thinking of 
> what Iran's new cadre of hackers might do with it!  :^)

You (like many people) are confusing universal addressability with 
universal connectivity.  The converse of that is people confusing NAT 
with security.

Of course not every IPv6 endpoint will be able to talk to every other 
IPv6 endpoint, even if they both have globally unique addresses.  But, 
the access controls will be implemented in firewalls with appropriately 
coded security policies.  Not as an accident of being behind a NAT box.



#46028

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-26 11:58 +1000
Message-ID: <mailman.2155.1369533497.3114.python-list@python.org>
In reply to: #46027
On Sun, May 26, 2013 at 11:54 AM, Roy Smith <roy@panix.com> wrote:
> In article <7cd17be8-d455-4db8-b8d0-ccc757db5cff@googlegroups.com>,
>  John Ladasky <john_ladasky@sbcglobal.net> wrote:
>
>> On Saturday, May 25, 2013 8:30:19 AM UTC-7, Roy Smith wrote:
>> > From my phone, I
>> > can call any other phone anywhere in the world.  But I can't talk
>> > directly to the file server in my neighbor's house across the street?
>>
>> Hmmm... I've been an advocate of IPv6, but... now you've got me thinking of
>> what Iran's new cadre of hackers might do with it!  :^)
>
> You (like many people) are confusing universal addressability with
> universal connectivity.  The converse of that is people confusing NAT
> with security.
>
> Of course not every IPv6 endpoint will be able to talk to every other
> IPv6 endpoint, even if the both have globally unique addresses.  But,
> the access controls will be implemented in firewalls with appropriately
> coded security policies.  Not as an accident of being behind a NAT box.

To be more specific: The control of who can talk to whom is in the
hands of the admins of the two endpoints and the nodes in between,
rather than being arbitrarily in the hands of the technology. So I
would be able to talk to the file server across the street, but only
IF its admin lets me.

ChrisA



#46040

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-05-26 04:03 +0000
Message-ID: <51a18986$0$30002$c3e8da3$5496439d@news.astraweb.com>
In reply to: #46028
On Sun, 26 May 2013 11:58:09 +1000, Chris Angelico wrote:

> On Sun, May 26, 2013 at 11:54 AM, Roy Smith <roy@panix.com> wrote:

>> Of course not every IPv6 endpoint will be able to talk to every other
>> IPv6 endpoint, even if the both have globally unique addresses.  But,
>> the access controls will be implemented in firewalls with appropriately
>> coded security policies.  Not as an accident of being behind a NAT box.
> 
> To be more specific: The control of who can talk to whom is in the hands
> of the admins of the two endpoints and the nodes in between, rather than
> being arbitrarily in the hands of the technology. So I would be able to
> talk to the file server across the street, but only IF its admin lets
> me.

Or when (not if) you find a vulnerability in the particular firewall. 
Make no mistake: the most secure entry point is the one that isn't there.



-- 
Steven



#46047

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-26 14:37 +1000
Message-ID: <mailman.2165.1369543044.3114.python-list@python.org>
In reply to: #46040
On Sun, May 26, 2013 at 2:03 PM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> On Sun, 26 May 2013 11:58:09 +1000, Chris Angelico wrote:
>
>> On Sun, May 26, 2013 at 11:54 AM, Roy Smith <roy@panix.com> wrote:
>
>>> Of course not every IPv6 endpoint will be able to talk to every other
>>> IPv6 endpoint, even if the both have globally unique addresses.  But,
>>> the access controls will be implemented in firewalls with appropriately
>>> coded security policies.  Not as an accident of being behind a NAT box.
>>
>> To be more specific: The control of who can talk to whom is in the hands
>> of the admins of the two endpoints and the nodes in between, rather than
>> being arbitrarily in the hands of the technology. So I would be able to
>> talk to the file server across the street, but only IF its admin lets
>> me.
>
> Or when (not if) you find a vulnerability in the particular firewall.
> Make no mistake: the most secure entry point is the one that isn't there.

Packets have to get somewhere. If they come into this computer, it has
to deliberately forward them to that computer or they won't get there.
Same thing. All it takes is

# ip6tables -P FORWARD DROP

and you have a "secure unless I specifically permit it" router.
Obviously an attacker can target the router itself (which is exactly
the same as current situation), but can't attack anything beyond it
without an explicit forwarding rule (which is also exactly the same).

ChrisA



#46029

From: John Ladasky <john_ladasky@sbcglobal.net>
Date: 2013-05-25 20:04 -0700
Message-ID: <8f19e20c-4f77-43dc-a732-4169e482d2b2@googlegroups.com>
In reply to: #46027
A perfectly fair point, Roy.  It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do.  So, my mind leaped to the possibility of uninvited connections.

Related question: would denial-of-service attacks be more pernicious without a NAT?



#46032

From: Roy Smith <roy@panix.com>
Date: 2013-05-25 23:24 -0400
Message-ID: <roy-E09DD5.23243925052013@news.panix.com>
In reply to: #46029
In article <8f19e20c-4f77-43dc-a732-4169e482d2b2@googlegroups.com>,
 John Ladasky <john_ladasky@sbcglobal.net> wrote:

> A perfectly fair point, Roy.  It's just when you started suggesting 
> connecting to your neighbor's file server -- well, that's not something that 
> many people would ordinarily do.  So, my mind leaped to the possibility of 
> uninvited connections.
> 
> Related question: would denial-of-service attacks be more pernicious without 
> a NAT?

Not really.  If I know the external IP address of your NAT box, I can 
throw as much traffic at it as your internet connection will deliver.  
Assuming you have sufficient bandwidth, eventually I'll melt down your 
router.  This is equally true with NAT or without it.



#46035

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-26 13:45 +1000
Message-ID: <mailman.2157.1369539932.3114.python-list@python.org>
In reply to: #46029
On Sun, May 26, 2013 at 1:04 PM, John Ladasky
<john_ladasky@sbcglobal.net> wrote:
> A perfectly fair point, Roy.  It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do.  So, my mind leaped to the possibility of uninvited connections.
>
> Related question: would denial-of-service attacks be more pernicious without a NAT?

Not sure what you mean. If we assume that network topology doesn't
change, then what we have is a single uplink (say, an ADSL connection,
given that most home users don't have luxuries) going to a router
(let's be generous here and say that's a Linux box with two NICs, and
you have a smart admin in charge of it), behind which is a set of
switches and computers making up a LAN of peers. On IPv4, the LAN
would operate on one of the RFC 1918 address blocks - say, 192.168.0.x
- and all external communication would be through one single IP
address - 203.0.113.47 will do for the purposes of discussion.

As far as other hosts on the internet are concerned, that entire
network is one single host, with address 203.0.113.47. It's unaware of
the three computers 192.168.0.4, .0.87, and .0.92; they merge into
one. This means they share the 65536 ports, they share entries on
blacklists, etc, etc.

With IPv6, that ADSL connection would come with a /64 block - say,
2001:db8:142:857::/64. Within that block, each computer would be
assigned a single address - perhaps 2001:db8:142:857::4,
2001:db8:142:857::87, and 2001:db8:142:857::92, or perhaps they'd be
assigned them by their MAC addresses eg
2001:db8:142:857:200:5eff:fe00:531a, which can be done automatically.
Now all your computers (including the router) are individually
addressable; they can be identified separately, or treated as a group
(the /64 representing the whole group). Their ports, blacklist
entries, etc, are all unique. This means you can run three servers on
port 80, etc.

The question now is: What sort of DOS attack are you fearing? If it's
a simple matter of saturating the connection, it makes absolutely no
difference. As Roy said, that's just a question of overloading. If I
command more bandwidth than you do, I can saturate you. Easy. (Very
easy if I have a botnet, for instance.) Harder to judge are the
amplifying attacks; a half-open-connection attack, for instance,
attacks a TCP server's RAM allocation. It's possible that some attacks
will be easier or harder with NAT than without, but you'd have to
evaluate a specific attack technique.

ChrisA
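
The addressing model described in the post above, as an added example that is not part of the original thread: it derives the MAC-based address quoted in the post from the /64, and shows which other LAN hosts are caught when a remote site blocklists one offender's source address under NAT, per IPv6 address, and per /64. The MAC address, the function names and the choice of offender are assumptions made for illustration.

```python
import ipaddress

# Addresses from the post (all documentation or RFC 1918 ranges).
NAT_PUBLIC_V4 = ipaddress.ip_address("203.0.113.47")
LAN_NET_V4 = ipaddress.ip_network("192.168.0.0/24")
LAN_V4 = ["192.168.0.4", "192.168.0.87", "192.168.0.92"]
SITE_PREFIX_V6 = ipaddress.ip_network("2001:db8:142:857::/64")
LAN_V6 = ["2001:db8:142:857::4", "2001:db8:142:857::87", "2001:db8:142:857::92"]
# Assumption: the MAC implied by the post's 200:5eff:fe00:531a interface ID.
EXAMPLE_MAC = "00:00:5e:00:53:1a"


def eui64_address(prefix, mac):
    """Build the modified EUI-64 address for a 48-bit MAC inside an IPv6 /64."""
    if prefix.version != 6 or prefix.prefixlen != 64:
        raise ValueError("modified EUI-64 needs an IPv6 /64 prefix")
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return prefix[int.from_bytes(iid, "big")]


def source_seen_by_remote(host):
    """Source address a remote server logs for a connection from a LAN host.

    IPv4 LAN hosts are rewritten to the router's single public address (NAT);
    IPv6 hosts keep their own global address.
    """
    addr = ipaddress.ip_address(host)
    if addr.version == 4 and addr in LAN_NET_V4:
        return NAT_PUBLIC_V4
    return addr


def block_entry(source, v6_prefixlen=128):
    """Blocklist entry covering a logged source: a /32, or an IPv6 prefix."""
    if source.version == 4:
        return ipaddress.ip_network(f"{source}/32")
    return ipaddress.ip_network(f"{source}/{v6_prefixlen}", strict=False)


def collateral(hosts, offender, v6_prefixlen=128):
    """LAN hosts, other than the offender, that a block on the offender also hits."""
    blocked = block_entry(source_seen_by_remote(offender), v6_prefixlen)
    return [h for h in hosts
            if h != offender and source_seen_by_remote(h) in blocked]


if __name__ == "__main__":
    print("EUI-64 address:", eui64_address(SITE_PREFIX_V6, EXAMPLE_MAC))
    offender4, offender6 = LAN_V4[1], LAN_V6[1]
    # Behind NAT every host shares one blocklist entry, so all are collateral.
    print("IPv4 behind NAT:      ", collateral(LAN_V4, offender4))
    # Per-address IPv6 blocking isolates the offender; a /64 block does not.
    print("IPv6, /128 block:     ", collateral(LAN_V6, offender6))
    print("IPv6, whole /64 block:", collateral(LAN_V6, offender6, 64))
```
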



#46039

From: Carlos Nepomuceno <carlosnepomuceno@outlook.com>
Date: 2013-05-26 07:01 +0300
Message-ID: <mailman.2159.1369540964.3114.python-list@python.org>
In reply to: #46029
----------------------------------------
> Date: Sat, 25 May 2013 20:04:28 -0700
> Subject: Re: Python Magazine
> From: john_ladasky@sbcglobal.net
> To: python-list@python.org
>
> A perfectly fair point, Roy. It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do. So, my mind leaped to the possibility of uninvited connections.
>
> Related question: would denial-of-service attacks be more pernicious without a NAT?
> --
> http://mail.python.org/mailman/listinfo/python-list

I don't think so.

IP blocking is still a very common mitigation approach to DDoS, but it may cause denial of service to legitimate clients who share the same blocked public IP address used by the malicious clients. So, NAPT will still benefit DDoS attackers, at least temporarily (until the IP is unblocked).



#46046

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-05-26 14:31 +1000
Message-ID: <mailman.2164.1369542726.3114.python-list@python.org>
In reply to: #46029
On Sun, May 26, 2013 at 2:01 PM, Carlos Nepomuceno
<carlosnepomuceno@outlook.com> wrote:
> ----------------------------------------
>> Date: Sat, 25 May 2013 20:04:28 -0700
>> Subject: Re: Python Magazine
>> From: john_ladasky@sbcglobal.net
>> To: python-list@python.org
>>
>> A perfectly fair point, Roy. It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do. So, my mind leaped to the possibility of uninvited connections.
>>
>> Related question: would denial-of-service attacks be more pernicious without a NAT?
>> --
>> http://mail.python.org/mailman/listinfo/python-list
>
> I don't think so.
>
> IP blocking still a very common mitigation approach to DDoS, but it may cause denial of service to legitimate clients who share the same blocked public IP address used by the malicious clients. So, NAPT will still benefit DDoS attackers, at least temporarily (until the IP is unblocked).

I expect that IP blocks will be upgraded to /64 block blocks, if that
starts being a problem. But it often won't, and specific IP address
blocks will still be the norm.

ChrisA



#46049

From: Carlos Nepomuceno <carlosnepomuceno@outlook.com>
Date: 2013-05-26 08:00 +0300
Message-ID: <mailman.2166.1369544410.3114.python-list@python.org>
In reply to: #46029
----------------------------------------
> Date: Sun, 26 May 2013 14:31:57 +1000
> Subject: Re: Python Magazine
> From: rosuav@gmail.com
> To: python-list@python.org
[...]
> I expect that IP blocks will be upgraded to /64 block blocks, if that
> starts being a problem. But it often won't, and specific IP address
> blocks will still be the norm.
>
> ChrisA


Blocking a whole network (/65) is totally undesirable and may even become illegal.

Currently it may not only happen at the target of the DDoS attack, but be spread all over the internet where block lists are enforced.

I don't expect that to happen and if it happens I'm surely in favor of protection against this type of 'solution' because it will block not only malicious clients but potentially many other legitimate clients. 		 	   		  


