Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unsafe at Any Speed (PyCon UK, 26th October 2017)

Rae Knowler
October 26, 2017
Programming
1
580

Unsafe at Any Speed (PyCon UK, 26th October 2017)

The default settings of some libraries and tools are so useless, or even dangerous, that they should never be used. While they give the impression of being easy to use or performant, they actually represent traps for the unwary user. I look at some examples, consider the reasons why these bad defaults might have arisen, and offer some guidelines for setting up projects with good defaults.

Presented at PyCon UK 2017: http://2017.pyconuk.org/sessions/keynotes/unsafe-at-any-speed/

Links and resources:

CKAN: https://github.com/ckan/ckan/pull/2164

MongoDB security: https://blog.shodan.io/its-the-data-stupid/, https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data

Elasticsearch: http://bouk.co/blog/elasticsearch-rce/

PEP 476: http://legacy.python.org/dev/peps/pep-0476/

YAML
Tom Eastman's Serialization talk: http://s3.eastman.net.nz/serialization/, https://www.youtube.com/watch?v=kjZHjvrAS74
Update! PyYAML seems to be safe by default as of 26th August 2017: https://github.com/yaml/pyyaml/issues/5

MongoDB durability: https://docs.mongodb.com/manual/release-notes/2.6-compatibility/#write-method-acknowledgements

Li and Evans, Insecure by Default?: https://www.cs.virginia.edu/~evans/pubs/webframeworks2016/insecurebydefault.pdf

The Zen of Python: https://www.python.org/dev/peps/pep-0020/

Rae Knowler

October 26, 2017
Tweet

More Decks by Rae Knowler

See All by Rae Knowler
How do vampires use the internet? An exploration of fandom and technology
bellisk
0
340
Liiptalk__Mental_Health_First_Aid.pdf
bellisk
0
71
Hypothesis: Property-based testing for Python
bellisk
0
63
Python, Locales and Writing Systems - PyCon US, 12th May 2018
bellisk
0
100
Unsafe at Any Speed (PyDays Vienna, 5th May 2018)
bellisk
0
82
Python, Locales and Writing Systems (PyCon Poland, 18th August 2017)
bellisk
1
110
Python, Locales and Writing Systems (PyCon Italia, 7th April 2017)
bellisk
1
92
Python, Locales and Writing Systems (Swiss Python Summit 2017)
bellisk
0
97
Python, Locales and Writing Systems
bellisk
0
620

Other Decks in Programming

See All in Programming
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.8k
Macとオーディオ再生 2024/11/02
yusukeito
0
380
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
150
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
340
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
210
Ethereum_.pdf
nekomatu
0
470
CSC509 Lecture 12
javiergs
PRO
0
160
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
2k
RubyLSPのマルチバイト文字対応
notfounds
0
120
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Optimizing for Happiness
mojombo
376
70k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Statistics for Hackers
jakevdp
796
220k
Designing the Hi-DPI Web
ddemaree
280
34k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
110
Visualization
eitanlees
145
15k

Transcript

  1. Unsafe at Any Speed Rae Knowler PyCon UK, 26th October

    2017

  2. Who I am @RaeKnowler Python (Django, CKAN) PHP, Go, JavaScript

    they/them/their https://www.flickr.com/photos/zurichtourism/5160475075

  3. Intro

  4. CAUGHT IN A BAD DEFAULT

  5. @RaeKnowler #PyConUK https://nader.org/books/unsafe-any-speed/

  6. @RaeKnowler #PyConUK https://commons.wikimedia.org/wiki/File:1962_Corvair_01.jpg

  7. @RaeKnowler #PyConUK Unsafe at Any Speed, Ralph Nader

  8. @RaeKnowler #PyConUK Unsafe at Any Speed, Ralph Nader

  9. The right thing to do is non-obvious, and the obvious

    thing to do is bad

  10. Defaults aren't bad, bad defaults are bad

  11. @RaeKnowler #PyConUK What is a bad default? • Data loss

    • Security breaches • Becoming part of a botnet

  12. Examples

  13. None

  14. @RaeKnowler #PyConUK CKAN "hack" https://github.com/ckan/ckan/pull/2164

  15. @RaeKnowler #PyConUK 595.2 TB Data exposed on the Internet via

    publicly accessible MongoDB databases with no authentication (2015) https://blog.shodan.io/its-the-data-stupid/

  16. @RaeKnowler #PyConUK https://www.mongodb.com/blog/post/update-how-to-avoid-a- malicious-attack-that-ransoms-your-data

  17. @RaeKnowler #PyConUK MongoDB and insecure access • By default, DBs

    were open to remote connections, and authentication was not required • Lots of DBs were hacked, ransomed or just wiped • Localhost-only binding became default in packaged releases from 2.6.0 (April 2014) • Implemented in MongoDB server directly from 3.6 (upcoming) • But lots of people won't hear or bother to update their installations!

  18. @RaeKnowler #PyConUK Other insecure access defaults • Hadoop • Redis

    • Elasticsearch (this one is weird!): http://bouk.co/blog/elasticsearch-rce/

  19. "The 'S' in 'HTTPS' stands for secure." PEP 476

  20. @RaeKnowler #PyConUK PEP 476 • stdlib http modules used not

    to verify X509 certificates for https connections • Result: API calls looked simple but were unexpectedly insecure • Many people used requests instead • This was changed in the stdlib based on PEP 476 (August 2014)

  21. 'goodbye': !!python/object/apply:os.system ['rm *'] Tom Eastman, Serialization formats are not

    toys

  22. @RaeKnowler #PyConUK Parsing YAML • PyYAML's default is to use

    load() • Use safe_load()

  23. @RaeKnowler #PyConUK https://www.flickr.com/photos/sealegssnapshots/2672780121

  24. @RaeKnowler #PyConUK MongoDB: durability • Write operations used to be

    'fire and forget' by default • Needed to explicitly check for errors • Otherwise, data could be silently lost • Fixed in 2.6, at a performance cost

  25. Setting up good defaults

  26. @RaeKnowler #PyConUK Why bad defaults get set up • Developer

    knows the tool • Unconsidered use cases • Desire to make the tool seem easy • Desire to make the tool seem performant • Internal tools becoming external • Improved methods are added later

  27. "We expect most of the insecure aspects of current web

    frameworks are not due to ignorance or carelessness on the parts of their designers, but difficult tradeoffs between security, functionality, usability, and ease of development" Li and Evans, Insecure by Default?

  28. Explicit is better than implicit Errors should never pass silently

    The Zen of Python

  29. @RaeKnowler #PyConUK Good defaults • Secure • Reliable (rather than

    performant) • Never swallow errors • Hard fail on serious errors • Demand explicit configuration if there's no safe default • If a bad default does happen, be brave enough to fix it

  30. @RaeKnowler #PyConUK Thank you! PyCon UK David Stark Liip AG

    and...

  31. @RaeKnowler #PyConUK Thanks to @BunkyFob, @DRMacIver, @_tomchristie, @alexwlchan, @glasnt, @infosecabaret,

    @janepipistrelle, @mgedmin, @moreati, @n0x13 and @ncoghlan_dev … in default sort order, of course!

  32. @RaeKnowler #PyConUK

  33. @RaeKnowler #PyConUK https://www.flickr.com/photos/havoc0311/5586595514

  34. @RaeKnowler #PyConUK Jinja2: autoescaping • Autoescaping off by default in

    Jinja2 • Causes security hole for the unaware • Autoescaping is slow • Some use cases don't need it

  35. "You should always configure autoescaping as defaults in the future

    might change." Jinja2 FAQ