Threads for jpadilla

  1. 6

    Isn’t it a bit insecure to trust networks based on a SSID whitelist? Personally, I check if the hostname of my router resolves and if its ssh host key is the same as expected. My could be cleaner but works nicely:

    nslookup router.home >/dev/null || exit 1
    ACTUAL="$(ssh-keygen -F router.home \
      | awk '$2 == "ecdsa-sha2-nistp256" {print $3}')"
    KNOWN="$(ssh-keyscan -t ecdsa-sha2-nistp256 router.home 2>/dev/null \
      | awk '$2 == "ecdsa-sha2-nistp256" {print $3}')"
    test  "$ACTUAL" = "$KNOWN"
    1. 3

      Isn’t it a bit insecure to trust networks based on a SSID whitelist?

      What about BSSID’s? Of course they’re spoofable, but I’d guess not as trivially like SSID’s.

      1. 1

        I guess they could work. I did not think so much about deliberate spoofing but more about accidental collitions. Of course the are rather unlikely with an SSID like the authors, but could happen especially with more common ones.

        The whole spoofing attack vector would assume that an attacker can already authenticate to your legitimate network and send a stronger signal then your real one, right? Even my technique above would not guard against that if the network would just forward most traffic to the real network by default. I am not sure if spoofing could be avoided under such circumstances?

      2. 2

        Ah, that’s actually pretty clever, thanks for sharing.

      1. 2

        San Juan, Puerto Rico

        1. 1

          Gotta get some client work done first but…

          • Juice Box made it to HN last week so I got quite a bit of feedback to process and figure out next moves for it, definitely seems like there are people interested in it.

          • Release latest version of PyJWT

          • Release latest version of django-rest-framework-jwt

          • Release latest version of ember-cli-simple-auth-token

          • Prepare my talk next month at Security BSides Puerto Rico 2015

          1. 5

            Python 2.7 with pip, virtualenv, and virtualenvwrapper


            1. 1

              Yeah yeah I know. I feel like if I did include Python 3, I’d also need to include Python 2.7. I’d be down to include both if I can figure out a decent setup. Anything?

              1. 2

                This is ubuntu based, so why not just including the py3 packages?

                1. 1

                  I just need to figure out what’s a nice setup to have virtualenvwrapper work with different Python versions.

                  1. 3
                    1. 1

                      That might just work, perhaps wrap some aliases like mkvirtualenv2.7 and mkvirtualenv3.3.

                2. 1

                  I like pyenv and it’s virtualenv plugin works very well for my needs. I think it’s easier to use but more hardcore Pythonitas would probably say otherwise.



                  1. 3

                    Just some rough thoughts on attack vectors, my estimate of the level of the audience of lobsters is that I’m not going to be saying anything that you haven’t though of already, but if you don’t find yourself actively interested in security and are considering using this (all 3-4 of you) read on. I haven’t got much time, so this is a little hap hazard and I may be wrong, so I haven’t chased up references nor looked at any code. It’s rough, and should be considered if you’re going to go this route.

                    Vector 1 (against network adversary in the middle: ISP / Government / employee at ISP / employer / cafe user) - monitor for hits on (which I assume is the url in homebrew) - exploit router (if remote), exploit printer (routers and printer not known for security)

                    Vector 2 (against network adversary in the middle: ISP / Government / employee at ISP / employer / cafe user) - mitm the HTTP request from homebrew (HTTPS fails) from homebrew to

                    It doesn’t appear homebrew does signature checking, and that hash checking is just for checking the cache has the right file.

                    Yeah, so that’s some FUD for you, but you should definitely consider a good answer to this FUD before you go and do this.

                    </two cents>

                    1. 2

                      It doesn’t appear homebrew does signature checking, and that hash checking is just for checking the cache has the right file.

                      Wow. That’s, uh, an interesting bug report. Wonder how the other OS X package managers do it.

                      1. 1

                        Definitely all valid points, thanks! I’m currently storing a backup using paperkey’s output, plain ASCII print out, and a digital copy stored on a new flash drive. When I was printing them out I even thought that it was definitely possible to check the printer’s spool for cached versions of the printout.

                      1. 3

                        Getting ready for DjangCon US. First time attending, speaking, and organizing a sprint for Django REST Framework. Also spending some time working on a couple of open source libraries like:

                        I’ve also had to work

                        Oh, and I just remember I should be working on some stats and optimizations for FilePreviews.

                        1. 5

                          This is a real pain point I had the last time I looked at Go. I found it very difficult to find exactly which packages are getting serious attention - I found several other curated lists, but those seem to get stale quickly.

                          For example: I wanted to find a Golang Kyoto Cabinet binding. My Googling found cat-v’s list which is ~2 years old, and the Go Wiki’s list which had two options, so I picked the most up to date, and it seemed to work.

                          But now, compare that with Ruby. And hell, if Go had something like Pypi, I might’ve learned about Bolt.

                          If nothing else, if someone made a website that showed commit/fork/star activity on various github projects and sliced it up by category (web framework/DB/…), I think it would be an immense help.

                          1. 2

                            just like, right?

                            1. 1

                              I feel you, package discovery has definitely been kind of annoying. I’ve found these very helpful:

                              Wondering if there’s someone working on indexing/categorizing Go packages from different sources. Would definitely be a cool project, and would definitely build it on Go :)

                            1. 4

                              Just curious, how in heck could this be considered spam?

                              1. 1

                                Source isn’t available for most of them AFAICT, so it’s not going to teach anybody anything.

                                Just advertising/marketing.

                                Edit: Also the presentation is mostly about web design, and doesn’t communicate anything about Ember. As if having a pretty website means you should use their particular framework. That kind of superficiality should not be encouraged.

                                1. 0



                                  OK, your edit helps me to understand where you are coming from. That said, since ember is supposed to aid in developing single page designs, seeing examples of sites built with it would help you understand what it does. So it isn’t exactly spam, but more of a showcase.

                                  1. 1

                                    Thanks for the feedback.

                                1. 3

                                  Shouldn’t this also have a web tag?

                                  1. 3

                                    Done. Thanks for the suggestion.

                                    1. 1

                                      No problem :-)

                                  1. 6

                                    Someone just posted this “counter-argument” on HN

                                    1. 2

                                      This post was much better than the original. Thanks for sharing! The unfortunate thing about this “counter-argument” is that none of the things would ever happen. The core Python team seems to see nothing wrong with Python 3 as it is.

                                      1. 4

                                        I didn’t reply on HN, but Python3 already has function type signatures [0] They aren’t enforced, that would be up to a tool, not the base runtime itself.

                                        # this is python3
                                        In [5]: def parb(x: float, y: float) -> float:
                                           ...:     return 2*x**2 + 2*y**2 - 4
                                        In [10]: parb.__annotations__
                                        Out[10]: {'x': float, 'return': float, 'y': float}

                                        There are also some excellent 3rd party libraries that add nearly any level of typing one would want to the language.

                                        Python is an extremely [1] malleable [2] language that no only supports macros but tail calls [3]. The tail call stuff works, I have implemented beautiful state machines using it.

                                        The crime with Python3 is that it separates people into one camp or the other. It is like a stop the world collector that lasts years.

                                        1. 3

                                          Yes, Python does provide interesting places to extend it, among them the import hooks. Import hooks allow you to do things like mix other languages in when required. This doesn’t work in all implementations, which is a very valuable aspect of Python.

                                          Macro support in Python is somewhat silly. You can’t modify the parsing, only the interpretation of already defined syntax. That’s still potentially useful I suppose, but it’s pretty limited in its use cases.

                                          Tail calls in Python are not supported. What you’ve linked to is a trick, called trampolining, which can be done in any language that supports calling functions and loops. While the decorator approach makes it slightly nicer, it’s still no where near as powerful as automatically optimized tail calls that you’d get in say, Scheme.

                                          As for type annotations, great. One can even do inference without them with an external tool.

                                          EDIT: MacroPy looks pretty neat, however.

                                          1. 1

                                            Afaik, MacroPy executes via an import hook so one could do some pretty circuit bendy things, like hylang.

                                            Shedskin is a type inferencing transpiler from Python to C++ that works very well. Check out the examples. One would still need the annotations to type check the code. A side effect of type annotations is that it makes tools like quick check easier to use.

                                            Not sure I get what you are saying about a trampoline based tail call implementation in Python? That the decorator needs to be used? Make a macro in MacroPy that detects recursive calls and applies the decorator automatically!

                                            Python can be turned into the language you need.

                                            1. 2

                                              I’ve used Python for a good number of years successfully. In my opinion there’s no reason to switch to Python 3 as it provides no clear benefits over Python 2. When I use Python, it’s purely out of convenience (I already know it, know a decent number of libraries, etc).

                                              Shedskin’s purpose is simply for performance, which is something that CPython simply doesn’t have without native code, or things like psyco which, was/is a Python specializing compiler and is no longer maintained. There are things like cython which try to bridge a gap between writing C and Python, and they do a failry good job, but in the case of cython, you have to compromise and write in a Python “like” language.

                                              Python 3’s type annotations are pretty meaningless–they’re documentation only unless you add another tool. Adding another tool means you’re likely going to need a build which compromises some of the core aspects of Python that are neat–the REPL (even in its featureless state) and buildless execution cycles (minus the bytecode translation).

                                              So, run the type analysis at runtime. OK, but if I want macros, I have to expand them first, and they must expand with type annotations (or you’re likely going to be getting top level “object” as the type in lots of places). And, if I want to add hylang integration as well, well, now startup has to bootstrap 3 things… And, maybe I’m writing a server with gevent, so that needs monkey patching… And maybe I rely on a Cython module some stats I need to perform…

                                              You can bend Python however you want, sure, but it sure starts to get complicated. It’d be much nicer if this bending came out of the box. Don’t you think?

                                              Re: Trampolines: The fact that you’re using a trampoline means you’re taking a performance hit for each function call. If you want performance, I’d stay clear of it, and just rewrite the code using a while loop explicitly. It’s a clever trick, but nothing more.

                                              EDIT Also, I’m not sure how you could make a macro in MacroPy to detect tail calls. I’d have to tell apply the macro somewhere…

                                              In fact, the example MacroPy gives to do this looks like this:

                                              def fact(n, acc=0):
                                                  if n == 0:
                                                      return acc
                                                      return fact(n-1, n * acc)
                                              1. 1

                                                I have also been using Python professionally for 14-ish years. I’d like to use some Python3 features but don’t require them. I am still on Python2 (CPython and PyPy).

                                                I kinda like building the language I want out of different libraries. Providing the mechanism (function annotations) while not enforcing a policy is an excellent decision. The syntax is fixed, we largely can’t change that (except for all the hooks available, :) ), but the policies can be programmatic, delegate the decisions to people writing the code. Some people like AoP, ORMs and ??? I program in a mostly functional style using itertools and namedtuples, think Clojure but in Python.

                                                I don’t think bootstrapping your language adds too much complexity and I’d much rather bootstrap it into something I liked than having to modify myself for the language. If Python wasn’t so malleable I wouldn’t be using it. The core devs are heavily into OO, I don’t really do OO, but yet Python still supports functional programming to a level that I feel comfortable. I’d love immutability, pattern matching (this can be added) and tail calls out of the box. But then all of the other people contributing to the ecosystem wouldn’t be here. Python is our CLR. If was designing something from scratch it would be layers of languages with something like an SKI at the bottom with each layer available to the others using a nanopass language delegation framework.

                                                PyPy should remove those trampolines, :)

                                                It isn’t a clever trick, I have used tail calls in Python to have vastly simpler code in production systems. If I used a while loop idiom everywhere I would use a tail call, the code would be a mess. Benchmark the tco recipe, I think you will find it plenty fast for the places it would be used.

                                                # cpython 2.7.6
                                                # trampoline
                                                In [35]: %timeit factorial(10000)
                                                10 loops, best of 3: 49.7 ms per loop
                                                # stack factorial
                                                In [36]: %timeit stack_fac(10000)
                                                10 loops, best of 3: 38.5 ms per loop
                                                # VM heavy 
                                                In [37]: %timeit reduce(operator.mul, range(1,10001))
                                                10 loops, best of 3: 33.7 ms per loop

                                                I have of course picked values that show the trampoline in a good light. For much smaller inputs the non-trampoline code is 3x to 4x faster and largely a non-issue. I use Python for the flexibility.


                                                Shedskin also creates native standalone executables, so it isn’t just for performance.

                                    1. 1

                                      By day, working on the last 95% of one of our latest products at By night, learning Go.

                                      1. 2

                                        Huh, looks cool. I don’t have a use for it but I can imagine that there are plenty out there. Side note: it chokes on Javascript files.

                                        However, I love the logo. It’s extremely simple and clever. Kudos to the designers.

                                        1. 1

                                          Thanks! Will take a look on what might be happening with js files. One thing we might actually do in the future is provide highlighted previews of source code files.

                                        1. 2

                                          I built something exactly like this. I never got around to monetizing it. I am almost certain it uses Quicklook.framework to generate the PNGs.

                                          Good work, @jpadilla. Have you been able to work out how to view specific pages in a word, pdf, or ppt? I think that could be really useful.

                                          I pitched my product as a way for mobile devices to quickly view the contents of an otherwise heavy document format without third-party libs.

                                          1. 1

                                            We’re leveraging a couple of already existing tools like ImageMagick, Tesseract, Ghostscript, and a couple other in a custom workflow software we built. We’ve looked into Quicklook.framework for iWork files, Omnigraffle, and Sketch which already have “previews” inside. The tricky part about those files is that they are actual package/folders, so uploading them is quite tricky. I haven’t seen anyone doing it right on web, so an idea might be to build a simple desktop uploader/sync tool.

                                            Edit: Yea we currently extract all pages from all documents that we can. Here’s an example JSON result for a .doc file with multiple pages.

                                            We currently have two APIs. One that one we’re pitching for client side web apps and a more complete one using webhooks. We have a couple of client libraries, including an Ember.js component, that use the simple API that powers the demo on the website.

                                            1. 1

                                              My focus at the time was high quality PDF to PNG and Quicklook.framework beat out ImageMagick by a long shot.

                                              1. 1

                                                That might actually be interesting. I could always check if the PDF has a Quicklook preview and use that instead which would be faster.

                                                1. 1

                                                  I don’t recall PDFs having embedded Quicklook previews, but the framework could generate PNGs from PDFs really fast and look as good as they would in the The only drawback was that it had to run on OSX and mac hardware, but I found a good mac hosting company.

                                                  If you’d like to chat further feel free to connect with me stefan at; Cheers.