Tuesday, January 30, 2018

Pycon UK 2016: Avoiding the "left pad" problem: How to secure your pip install process

Aaron Bassett
When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.

Friday, October 13, 2017

What's new in Python 3.7

There are many things in the Python 3.7 release notes but I like this:

PEP 553 describes a new built-in called breakpoint() which makes it easy and consistent to enter the Python debugger. Built-in breakpoint() calls sys.breakpointhook(). By default, this latter imports pdb and then calls pdb.set_trace(), but by binding sys.breakpointhook() to the function of your choosing, breakpoint() can enter any debugger. Or, the environment variable PYTHONBREAKPOINT can be set to the callable of your debugger of choice. Set PYTHONBREAKPOINT=0 to completely disable built-in breakpoint().
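The hook mechanism described above is what makes a stray `breakpoint()` in production code safe to neutralise: instead of a service hanging on a pdb prompt, the hook can record the call and return. The following is an added example (not from the release notes or the original post) showing how the arguments passed to `breakpoint()` are forwarded to `sys.breakpointhook` and how the hook can be swapped in and restored; the function names are my own.

```python
import sys


def make_logging_hook(records):
    """Build a replacement for sys.breakpointhook that records each call
    instead of importing pdb and stopping the process."""
    def hook(*args, **kwargs):
        # breakpoint(*args, **kwargs) forwards its arguments unchanged.
        records.append((args, kwargs))
        return None
    return hook


def run_with_hook(func, hook):
    """Run func() with sys.breakpointhook temporarily replaced.

    The original hook is restored even if func() raises, so a test or a
    request handler cannot leave the process with a silenced debugger."""
    saved = sys.breakpointhook
    sys.breakpointhook = hook
    try:
        return func()
    finally:
        sys.breakpointhook = saved


def stage_one():
    """Hypothetical piece of application code with a leftover breakpoint()."""
    value = 41
    breakpoint("stage_one", value=value)  # Python 3.7+ built-in (PEP 553)
    return value + 1


def demo():
    """Run stage_one() under the logging hook and return its result plus
    the recorded breakpoint() calls."""
    records = []
    result = run_with_hook(stage_one, make_logging_hook(records))
    return result, records


if __name__ == "__main__":
    result, records = demo()
    print("stage_one returned", result)
    for args, kwargs in records:
        print("breakpoint() called with", args, kwargs)
```

Two details worth knowing: the `PYTHONBREAKPOINT` environment variable is only consulted by the default hook (kept in `sys.__breakpointhook__`), so once you assign your own `sys.breakpointhook` the variable is ignored; and the interpreter ignores `PYTHONBREAKPOINT` when started with `-E` or `-I`, so `PYTHONBREAKPOINT=0` is not a reliable kill switch in hardened deployments that use those flags.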

Thursday, August 10, 2017

Alex Martelli, "'Good Enough' IS Good Enough!", PyBay2016

"In Python community 'clever' is not a compliment."

Wednesday, April 19, 2017

GoogleTechTalks: The Extended Mind: Recent Experimental Evidence

Why is it that this field has so much taboo around it when others don't? For example, the Astronomer Royal in Britain, President of the Royal Society, Master of Trinity College Cambridge, Lord Rees, member of the House of Lords, believes in multiple universes.
He holds down the highest possessions you can possibly have in British scientific life. He hasn't a shred of evidence for them. Yet, that's acceptable where telepathy is not, why? I think the reason is that in the enlightenment of the end of the seventeenth century or eighteenth century, the movement of the enlightenment was a movement to liberate humanity from religion and superstition in favor of science and reason. That was the social movement. And I think at that time things like telepathy and what we call--what are called paranormal phenomena were classified as superstition. And since then, there's been a sociological phenomenon where smart people defined as smart by not believing these things, which is why newspapers with the demographic of university graduates like the New York Times can't write about them. Whereas once that where--with readers with no intellectual potentials--pretensions like the National Enquirer feel completely free to write about these things and exaggerate it in totally unreliable form. And that of course reinforces the social taboo and so, a self-reinforcing sociological pattern. And I think it's so strong because it was embedded in among educated people somewhere around 1800. You know, with the--there was a reaction against mesmerism and that kind of thing. And I think it's re-embedded in the intellectual world ever since and it's become a deep-seated habit of thought.

Richard Dawkins, who's a very smart man and is, in this area, not very smart at all, he's a very bigoted skeptic, and he came to interview me for his most recent TV series in Britain. He had one against religion, a two-part polemic called "The Root of All Evil." And his most recent series was called "Enemies of Reason." It was about research in parapsychology and alternative medicine. They didn't tell me it was called "Enemies of Reason" beforehand when they asked me to take part, but I had enough experience of these negative media treatments. And I'd seen his previous series. The title is very suspicious and I said I only agree to take part if it's a genuine scientific discussion about evidence and if he's really open to discussing the evidence, otherwise, there's no point. And they gave me a writ--and I said I want in writing. They gave me a written assurance that this was the case. So, I agreed to meet him and he came to see me. And he's--we started off. 
There was a handheld camera they put us facing each other. And he started off by saying--he said, "I dare say we agree about quite a number of things, Rupert," he said, "But let me tell you what worries me about you." And I said, "Okay, what worries you about me." And he said, "What worries me about you is you're prepared to believe almost anything and science should be based on the minimum number of beliefs." So, I said, "Well, okay. Well, let me tell you what worries me about you." I said, "You come across as prejudiced and bigoted and I think you give science a bad name."
So, we didn't get much very far with that conversation. So, then he said, "The trouble with telepathy is that people are--" then he said, "Extraordinary claims require extraordinary proof. It's a standard skeptical slogan." So I said, "Well, what's the extraordinary claim?" I said, "The majority of saying normal people in Britain believed they've had telepathic experiences." In that sense, it's not extraordinary, it's ordinary. Most people had it. You're making the claim that most people are deluded about their own experience. Where's your extraordinary evidence for that." And he couldn't produce any at all, you know, he just, "Oh, people have a very false sense of statistics and probability and such generic arguments." 
Then I said, "Well, look, okay. Why don't we get down to the evidence and actually discuss the evidence, which is why we've met." He said, "I didn't want to talk about the evidence." And I said, "Well, why not?" And he said, "There isn't time." And I said, "Well, we've got plenty of time." He said, "It's too complicated." And I said, "No, it isn't." He said, "Anyway, it's not what this program is about." And so, I said, "Well, I am--he didn't--I'd sent him my papers, three or four papers two weeks could look at them." He hadn't looked at me. And he's just trying to trap me into saying something silly and then put that on TV.

Thursday, January 5, 2017

Google I/O 2008 - Open Source Projects and Poisonous People

Every project runs into people who are selfish, uncooperative, and disrespectful. These people can silently poison the atmosphere of a happy developer community. Come learn how to identify these people and peacefully de-fuse them before they derail your project. Told through a series of (often amusing) real-life anecdotes and experiences.

Thursday, December 22, 2016

Forbid outbound connections to a certain port from a Linux user

Done on Ubuntu 14.04.

By default there are no netfilter rules:
admin@host:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We will use `iptables-apply` to enable the rule; it reverts the change unless we confirm within its timeout, so a bad netfilter rule cannot lock us out:
admin@host:~$ cat it.sh
iptables -A OUTPUT -o eth0 -p tcp --dport 27017 -m owner --uid-owner user -j REJECT
admin@host:~$ sudo iptables-apply -c ./it.sh
Running command './it.sh'... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.

Now check that `user` cannot make outbound connections to port `27017`:
user@host:~$ telnet mongodb0.host 27017
Trying *.*.*.*...
telnet: Unable to connect to remote host: Connection refused

The new netfilter rule is there:
admin@host:~$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     tcp  --  anywhere             anywhere             tcp dpt:27017 owner UID match user reject-with icmp-port-unreachable

The rule will not survive a server restart, so we will use `iptables-persistent`.

admin@host:~$ sudo apt install iptables-persistent

Answer "Yes" when prompted during installation to save the current IPv4 rules, or save them manually:

admin@host:~$ sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Restart the server and check that the rules are still active.