PyCon Day 3: Opening Keynotes
Guido van Rossum
Mini “State of Python”
- What’s new in Python 2.7?
- Nothing!
- Until 2020, we’ll only see
- security fixes
- support for new OS versions / tool chains
- rarely bug fixes
- Updates at http://pythonclock.org
- What’s new in Python 3.5
- async/await syntax (no future import!)
    async def foo():
        x = await bar()
        async for i in baz():
            x += 1
        return
- More Python 3.5
- matrix multiply for numpy
- more unpacking syntax:
x = [1, 2, *y]
- bytes formatting:
b"Hello %s %d" % (b"world", 42)
- gradual typing support (checked by mypy; PEP 484)
- What’s new in Python 3.6?
- Code freeze September
- Final release just before Christmas
- f-strings:
x = "world"; y = 42; print(f"Hello {x}, {y}")
- Underscores in numbers!
100_00_00
- __fspath__ protocol, os.fspath() (for pathlib)
- secrets.py: randbits(), token_hex(), etc.
- Apparently people continue to re-implement cryptography ad hoc, badly.
- secrets.py is approved by real cryptographers
- Local time disambiguation:
datetime(..., fold=1)
- Moving to GitHub! (Late this year)
- Somehow everyone magically understands Git’s branching model
- Somehow magically everyone is born with a GitHub account
- Beyond 3.6?
- This is all speculation
- Sometimes I just feed python-ideas random ideas to get them going
- A match statement? Dict unpacking?
- Variable declaration syntax?
    a = 0  # type: int
    var a: int = 0  ?
    let a int = 0  ?
- Removing the GIL??? (#gilectomy)
- Apparently the Python interpreter can still run all extensions
- And it’s “only” 3x slower
- What else?
- An apology for writing ‘Femail [sic] Core Developers’
- Still don’t have 2 female core devs
And Now, For Something Completely Different…
(an inspirational story)
- Netherlands King’s Day
- I’m a nerd/geek and a late bloomer
- At age 35 I created a programming language and it took off
- At age 10 my parents gave me an educational electronics kit
- I just followed the directions and everything just worked
- First kit had 3 transistors
- First model was a flashing light that I took to show-and-tell in 5th grade
- It was a total dud. No one cared.
- First memory of knowing that I was a geek
- In high school, I developed my nerdiness more
- In Physics class we sat in the back, discussing NAND gates
- Physics teacher got us to build a timer and we used it to demonstrate the laws of gravity
- Project showed that our skills were useful
- Other kids still thought we were weird
- It was the 70s so some kids were busy smoking pot and rebelling
- Others were busy preparing for successful careers as doctors and lawyers
- Went to University of Amsterdam
- Majored in Math
- In the basement of the science building was a mainframe computer
- The computer was love at first sight
- I learned to program in Algol, FORTRAN, Pascal
- There I was again, sitting in the back of the Algebra class, correcting my programs
- The lessons I learned there were about sharing
- The tricks of my trade died with the mainframe
- Mainframe staff had an operating systems group and hired some students
- They posted a job, I applied, and got a job on the spot
- No more fighting for access or fighting for disk space
- I then had access to the source code of the OS
- That was highly precious
- Dozens of colleagues who continue to feed my interest and share their knowledge
- I had my dream job. Studies stalled. I almost dropped out.
- An enlightened manager pulled some strings, nudged me in the right direction and helped me graduate in 7 years.
- Got my next dream job, which wouldn’t have been possible w/o graduating.
- Next job was a company creating a new programming language that was supposed to replace BASIC
- BASIC was a pest that needed to be eradicated
- The language was ABC and “Stamp out BASIC” was our motto
- Timing and marketing sucked and ABC got killed
- Why did it fail?
- Best guess was that in the mid-80s there was no Internet and there could not be healthy feedback between the users of the language and its designers
- The design was the same after 4 years of working on it. 4 years of work had not revealed any design flaws (which of course existed)
- In the mid-90s our University in Amsterdam finally got an Internet node.
- The Internet and the Open Source movement changed everything.
- The makers of software and its users have completely changed.
- We can ask the users questions and we get answers.
- It didn’t hurt that I named the language Python
- Genius marketing… I just wanted to honor the comedic genius of Monty Python’s Flying Circus
- These days, brand marketing firms would be happy to take your money and tell you what customers think of when they hear the word Python
- But I was just being flippant
- What do programming languages mean to programmers?
- Tell it to a lay person?
- “How you tell a computer what to do”
- If that’s all it is, then why are programmers so passionate about them?
- It’s more than just that
- It’s how you express ideas
- It’s how you communicate to other programmers
- Programming languages are for people, not the computer
- The computer can take care of itself
- Poorly communicated ideas can cause very expensive flops
- The ideas expressed in a programming language ultimately reach the end-users of the program even though they never read the code
- To be effective, an idea has to be expressed as a computer program
- You must use a programming language
- The language used to express an idea gives that team an advantage
- Tell it to a lay person?
- The original version of Google was written in Python, because it gave Larry and Sergey clarity about that idea
- Why did Python become successful? How does Python distinguish itself?
- Because it’s out in the open
- Developed by volunteers (but not amateurs)
- I’m happiest when I’m part of such a community
- If I can’t feel it, I don’t feel alive
- There are PyCons all over the world
- A year ago, I spent 20 minutes on a video call talking to a classroom full of students in Iraq
- Students are now learning programming in Python in a war-torn country
- I never thought that I would touch the lives of people so far away
- Next year, I’m going to PyCon Cuba
The Hacker Spectrum
Tales of people that break software and why being hacker-friendly can lead to better software security.
Parisa Tabriz (@laparisa), Security Princess (Lead Engineer) for Chrome at Google
Started as an engineer on a team of hired hackers whose goal was to make Google’s products more secure. Then I moved to Chrome.
What is a hacker?
- It’s a really overloaded term
- Someone who thinks outside the box.
- Won’t assume much more than that
- Bruce Schneier says it’s anyone who discards the common rules and doesn’t follow them
- Someone who figures out how to use software in unintended ways
- Often someone who exposes a flaw
- We won’t assume any motivation
- Jobs and Woz
- Built and sold Blue Boxes
- Get free calls
- Phone Phreaks
- Stole phone service, like most of the other Phreaks of the day
- Motivation wasn’t damage
- Motivation was knowledge
- Computer hackers are of the same mould
- If you have an iPhone or MacBook, you have to admit that there is some societal benefit to tolerating hackers
What is their objective?
- They want secure software
- How do you assess the security of the software you use?
- Maybe you have some trust in the brand?
- Maybe you have a paranoid friend that you ask?
- At some point, someone has to try and break into it to assess the security
- Threat modelling
- identify the assets that you’re trying to protect
- deconstruct the system
- …
- assess the robustness of the defences
- Exercise: hack into a vending machine
- physical security
- go after the mechanical?
- go after the credit card reader?
- skimming attack?
- is the machine connected to the Internet
- I use the example both with engineers or with policy makers
- Creative answers: one person suggested filling the whole machine w/ water
- The Internet will give you lots of suggestions as well
- Currency approach
- Use another coin that’s made from a similar blank but worth vastly less
- I’m not advocating this! This is a toy example
- This is an example to get you thinking about attackers
- How easy was this exercise for you?
- Most hackers can’t even prevent themselves from thinking about this
- Don’t have to exploit the flaws
- But if you don’t, you’ll never even notice the flaws
- Think about how things can break
- This can make you a more sophisticated consumer and citizen as well
- How do you assess the security of the software you use?
- Enjoy the challenge
- In the 50s at MIT “a great hack” meant a practical joke or great feat
- Morphed into cyber crime
- June 2007, GeoHot became the first person to jailbreak an iPhone
- In 2010, he officially retired from jailbreaking
- In 2009 he started jailbreaking the Sony Playstation 3
- Sony took him to court
- Posted a video
- Sony tried to get the IP addresses of all visitors from YouTube
- George has been employed at Facebook, interned at Google, and has been extremely helpful in making Chrome more secure
- In 2011, hackers broke into Sony and stole millions of users’ information
- I know George personally; he is someone who does it for the challenge
- Many hackers and their creativity are responsible for the great technology that we enjoy today
- Have something to say
- Some hackers have caused harm to the Internet and the world
- Political dissidents
- Anonymous and others
- Turk Hack Team
- New World Hacking
- etc.
- “2016 is shaping up to be a down year for Hacktivism” (sounds like a stock market report to me)
- Tend to do less financial damage
- Want Money
- Stealing money or data that can be monetized
- Hard to get good data on this (it’s often flawed or hidden)
- $500 million / year?
- Ransomware: malware that demands payment via Bitcoin
- 72 hours
- There are some variants (no one can figure out how to use BitCoin in 72 hours)
- Usability of malware has really increased in the last few years
- Mass-extortion on the Internet
- Vulnerability Reward Program
- https://g.co/HackGoogle
- Be rewarded based on the level of vulnerability
- Have to play by the rules, can’t go after others’ accounts
- hundreds of these programs
- even the Pentagon is doing it
- Time: World War Zero
- Selling exploits for $$
- Exploits in a popular application can go for hundreds of thousands of dollars
- Company that does this
- FBI paid $1.3 million for zero-day to get into San Bernardino iPhone
- Exploit-for-hire is becoming an increasingly acknowledged form of revenue
- Want Information
- or data
- Quest for knowledge about how the system works
- More nefarious; intelligence on people’s usage habits
- E.g. an invalid cert if you were trying to access Gmail from Iran in 2011
- Evidence of man-in-the-middle attack
- Added a feature in Chrome called certificate pinning
- Early version of the feature showed 300,000 requesting IPs for rogue certs
- DigiNotar CA
- “Thank you… For me and thousands of other Iranians, [a stolen certificate] leads to jail, torture or even death sentence.” ~an Iranian
- I want you to be a hacker!
- It will make anything you use more robust and reliable
- https://xss-game.appspot.com
- XSS is the most common security bug by far
- This is a training game that teaches you about XSS
- Guides you through increasingly difficult levels of exploiting XSS
- https://bit.ly/google-gruyere
- Teeny, tiny holes
- Code lab that intentionally has exploitable bugs in it
- Cross site request forgery
- Input injection
- Try and make some $$ from our vulnerability reward program
- Never use the pickle module on data from an untrusted or unauthenticated source
Conclusions
- Hacker is a mindset and a skillset. Curiosity is not a crime!
- Hackers (people) are complicated.
- The hacker mindset can be developed with practice.
- pickle is convenient (and tasty!), but dangerous to use on untrusted input.
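Why the pickle warning above (and in the conclusions) matters, as an added example that is not from the talk: unpickling reconstructs objects by calling whatever callable the data names, so a constructed payload runs code on load. The `RestrictedUnpickler` is the mitigation pattern from the Python docs; `record_execution`, `Gadget` and the whitelist are assumptions made here for the demo.

```python
import io
import builtins
import pickle

# Constructed audit trail: records whether code ran during unpickling.
EXECUTED = []

def record_execution(tag):
    """Stand-in for arbitrary code; a real payload could call anything."""
    EXECUTED.append(tag)
    return tag

class Gadget:
    # pickle stores the callable and arguments returned by __reduce__,
    # and pickle.loads CALLS that callable while rebuilding the object.
    def __reduce__(self):
        return (record_execution, ("code ran during pickle.loads",))

# Only these builtins may be looked up when loading untrusted data.
SAFE_BUILTINS = {"range", "set", "frozenset", "slice", "complex"}

class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation: refuse every global that is not on the whitelist."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo_unsafe():
    """Plain pickle.loads on the constructed payload executes record_execution."""
    EXECUTED.clear()
    payload = pickle.dumps(Gadget())
    result = pickle.loads(payload)  # code runs here, before anything is returned
    return result, list(EXECUTED)

def demo_restricted():
    """Same payload via RestrictedUnpickler: rejected before any code runs."""
    EXECUTED.clear()
    payload = pickle.dumps(Gadget())
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError as exc:
        return str(exc), list(EXECUTED)
    return None, list(EXECUTED)

def demo_restricted_plain_data():
    """Plain containers and scalars need no globals, so they still load."""
    return restricted_loads(pickle.dumps({"user": "alice", "ids": [1, 2, 3]}))
```

Even the restricted loader only narrows the attack surface; for data crossing a trust boundary, prefer a data-only format such as JSON.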