|
16 | 16 |
|
17 | 17 | 00:00:51 Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython. |
18 | 18 |
|
19 | | -00:00:56 Python, both on fosstodon.org. |
| 19 | +00:00:56 both on fosstodon.org. |
20 | 20 |
|
21 | 21 | 00:00:59 Be careful with impersonating accounts on other instances, there are many. |
22 | 22 |
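Review bot: with "Python," dropped from 19, the segment now starts lowercase right after the full stop that closes 17 ("...using @talkpython."), so 17 and 19 read as two sentences where the audio was evidently one ("@talkpython, both on fosstodon.org"); change the period at the end of 17 to a comma in the same pass.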
|
|
34 | 34 |
|
35 | 35 | 00:01:37 Listen to an episode of their podcast to demystify the tech industry over at talkpython.fm/compiler. |
36 | 36 |
|
37 | | -00:01:44 Cliff, welcome to Talk Python to Me. |
| 37 | +00:01:44 Glyph, welcome to Talk Python to Me. |
38 | 38 |
|
39 | 39 | 00:01:46 - It's good to be here. |
40 | 40 |
|
|
156 | 156 |
|
157 | 157 | 00:06:20 - I wrote a little tool called Encrust that does some of the code signing stuff. |
158 | 158 |
|
159 | | -00:06:24 I'm packaging it with Py to app right now. |
| 159 | +00:06:24 I'm packaging it with Py2app right now. |
160 | 160 |
|
161 | 161 | 00:06:26 And it's for GUI framework. |
162 | 162 |
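Review bot: the project publishes itself as "py2app" (all lowercase, both on PyPI and in its own docs); use that casing at 159 rather than "Py2app". While this line is being touched, 161 ("And it's for GUI framework") still reads as a dropped word and is worth a listen-back.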
|
|
314 | 314 |
|
315 | 315 | 00:13:10 And that's this project that has been gone unmaintained and has been shut down, I think because it was a little too much on the edge of what really you should be doing. |
316 | 316 |
|
317 | | -00:13:21 And it's called Shgit. |
| 317 | +00:13:21 And it's called Shhgit. |
318 | 318 |
|
319 | | -00:13:23 Shgit is a CLI thing, I'm not exactly sure. |
| 319 | +00:13:23 Shhgit is a CLI thing, I'm not exactly sure. |
320 | 320 |
|
321 | 321 | 00:13:26 Basically, a little app you can run, a little CI that you can run, that will show you secrets in Git code, in code in Git repository. |
322 | 322 |
|
323 | | -00:13:34 So you can look at your own, But for a while they were running this website called like shigit.com or something, like shhh, secret. |
| 323 | +00:13:34 So you can look at your own, But for a while they were running this website called like shhgit.com or something, like shhh, secret. |
324 | 324 |
|
325 | 325 | 00:13:43 And it was just a live stream of just all the secrets that were being committed to public repositories just screaming by and it's going by so fast that you really can't read it. |
326 | 326 |
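Review bot: "Shhgit" at 317/319 is the right name, but the project styles it lowercase "shhgit", and 323 now pins a specific domain ("shhgit.com") inside a sentence where the speaker explicitly hedges with "or something"; a transcriber's best guess should not read as a confirmed URL. Suggest "shhgit" in all three places and either keeping the speaker's hedge around the domain or verifying the site before naming it.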
|
|
436 | 436 |
|
437 | 437 | 00:19:00 Yeah. |
438 | 438 |
|
439 | | -00:19:01 And if you want to startle yourself, just check out the link, the animated GIF in the Shiget repository. |
| 439 | +00:19:01 And if you want to startle yourself, just check out the link, the animated GIF in the Shhgit repository. |
440 | 440 |
|
441 | 441 | 00:19:06 All right, so as we start our conversation about the different secrets, the pitfalls and how we might keep them, you told, this was a really creative presentation at PyCon and you presented it through by way of, mostly by way of storytelling. |
442 | 442 |
|
|
496 | 496 |
|
497 | 497 | 00:22:11 All of the different ways to do that are like a little bit out of scope for this discussion. |
498 | 498 |
|
499 | | -00:22:15 But also it's important to remember that a lot of these attacks are things that it's hard to demonstrate in like a quick, like circa 2007 type sniffing your Facebook password off the wire, like, Hey, look at this, like immediate attack where I've got all of your stuff. And they're difficult to demonstrate, because Pi PI is actively scanning for these types of packages, they're actively responding to reports, there are lots of people, there are lots of security researchers developing tools, some of them, kind of over aggressively running them against the index to take them up a little too much too many resources. But there are lots of people doing things to defend you against each one of these attacks. |
| 499 | +00:22:15 But also it's important to remember that a lot of these attacks are things that it's hard to demonstrate in like a quick, like circa 2007 type sniffing your Facebook password off the wire, like, Hey, look at this, like immediate attack where I've got all of your stuff. And they're difficult to demonstrate, because PyPI is actively scanning for these types of packages, they're actively responding to reports, there are lots of people, there are lots of security researchers developing tools, some of them, kind of over aggressively running them against the index to take them up a little too much too many resources. But there are lots of people doing things to defend you against each one of these attacks. |
500 | 500 |
|
501 | 501 | 00:22:56 And so the simplistic version of them will rarely work out of the box. |
502 | 502 |
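Review bot: "PyPI" at 499 is right and matches the later fixes at 809-815, but the tail of the same segment, "to take them up a little too much too many resources", is still a transcription garble (likely "taking up a little too many resources"); worth correcting in the same pass since the line is already being edited.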
|
|
744 | 744 |
|
745 | 745 | 00:35:37 - I guess you have more control over, right? |
746 | 746 |
|
747 | | -00:35:39 But I guess one of your very first recommendations was use a pass manager or use something like PenPal to help not forget your password to your password. |
| 747 | +00:35:39 But I guess one of your very first recommendations was use a pass manager or use something like PinPal to help not forget your password to your password. |
748 | 748 |
|
749 | 749 | 00:35:48 And sort of the lesson is the CIA triad. |
750 | 750 |
|
|
806 | 806 |
|
807 | 807 | 00:40:23 So like your, there's apps are generally sandboxed on the Mac if they come from the app store, if they've opted in, even if they're not sandboxed, there's a lot of things that they can't do. Like if you, you may have noticed if you use a Mac, if you try to like run a Python program on like a file on your desktop or in your documents folder, it'll like pop up a dialogue and say like, Hey, this program is trying to access this thing. |
808 | 808 |
|
809 | | -00:40:45 secrets or something like that, where when an app tries to access a secret, you have to not just say yes, but you have to like enter your account, your login password again. And you can choose to either allow it temporarily or permanently. And you can then go in and configure it to say like, Oh, this, like, I know I said that I this app could access its own secrets, but like, actually, I want to be prompted every time. So like, for example, my Pi PI keys, if I use twine, or flit to upload a package to Pi PI, I always get a secret. |
| 809 | +00:40:45 secrets or something like that, where when an app tries to access a secret, you have to not just say yes, but you have to like enter your account, your login password again. And you can choose to either allow it temporarily or permanently. And you can then go in and configure it to say like, Oh, this, like, I know I said that I this app could access its own secrets, but like, actually, I want to be prompted every time. So like, for example, my PyPI keys, if I use twine, or flit to upload a package to PyPI, I always get a secret. |
810 | 810 |
|
811 | | -00:41:15 get a password prompt because my Pi PI token is not stored anywhere on my file system. The key that's stored in my Mac key ring is like locked. |
| 811 | +00:41:15 get a password prompt because my PyPI token is not stored anywhere on my file system. The key that's stored in my Mac key ring is like locked. |
812 | 812 |
|
813 | 813 | 00:41:24 It's not allowed to be automatically accessed by anything. |
814 | 814 |
|
815 | | -00:41:28 And that adds a little bit of friction versus something like Pi PI package uploads. |
| 815 | +00:41:28 And that adds a little bit of friction versus something like PyPI package uploads. |
816 | 816 |
|
817 | 817 | 00:41:31 You want to have that friction there. |
818 | 818 |
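Review bot: the "PyPI" corrections at 809/811/815 are right, but "Mac key ring" at 811 refers to the operating-system secret store, which on macOS is the Keychain; leaving it as "key ring" invites confusion with the Python "keyring" library the guest recommends at 1123 as the API in front of exactly such stores. Suggest "Mac Keychain" here. Separately, 809 still opens mid-sentence ("secrets or something like that"), so the lead-in to this segment was lost at the 807/809 boundary.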
|
|
856 | 856 |
|
857 | 857 | 00:43:37 More like it's going to look for well-known things. |
858 | 858 |
|
859 | | -00:43:40 Much like if you tail the log of your website, you're going to see some things trying to access /wpadman.php. |
| 859 | +00:43:40 Much like if you tail the log of your website, you're going to see some things trying to access /wpadmin.php. |
860 | 860 |
|
861 | 861 | 00:43:47 Even if it's not a PHP site, like that's, they just got the things they look for, and they're going to go through their processes to gather secrets and access. |
862 | 862 |
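Review bot: "/wpadmin.php" at 859 is still not a path WordPress serves; the admin area is "/wp-admin/" (a hyphenated directory) and the login page is "/wp-login.php", which are what the scanners in this example actually probe for. Suggest "/wp-admin" so the example matches what a reader will see when they tail their own logs.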
|
|
868 | 868 |
|
869 | 869 | 00:44:14 It's your processor, it's your processing. |
870 | 870 |
|
871 | | -00:44:16 Maybe just runs Shaget on every Git repo it can find on your computer. |
| 871 | +00:44:16 Maybe just runs Shhgit on every Git repo it can find on your computer. |
872 | 872 |
|
873 | 873 | 00:44:20 Right. |
874 | 874 |
|
|
1122 | 1122 |
|
1123 | 1123 | 01:00:52 Obviously, use keyring, use keyring, use keyring and pick an appropriate back end for the level of security that you need in each place where your code is deployed. |
1124 | 1124 |
|
1125 | | -01:01:00 Yeah, absolutely. All right. Well, Cliff, thanks for thinking about all this for everyone and giving us a list. And I think people will really enjoy your storytelling when the PyCon video eventually comes out. |
| 1125 | +01:01:00 Yeah, absolutely. All right. Well, Glyph thanks for thinking about all this for everyone and giving us a list. And I think people will really enjoy your storytelling when the PyCon video eventually comes out. |
1126 | 1126 |
|
1127 | 1127 | 01:01:13 Yeah, I can't wait to start sending people over to the YouTube video. |
1128 | 1128 |
|
|
1226 | 1226 |
|
1227 | 1227 | 01:05:13 Bye. |
1228 | 1228 |
|
1229 | | -01:05:13 This has been another episode of talk Python to me. Thank you to our sponsors. |
| 1229 | +01:05:13 This has been another episode of Talk Python to me. Thank you to our sponsors. |
1230 | 1230 |
|
1231 | 1231 | 01:05:19 Be sure to check out what they're offering. It really helps support the show. The folks over at JetBrains encourage you to get work done with PyCharm. PyCharm Professional understands complex projects across multiple languages and technologies, so you can stay productive while you're writing Python code and other code like HTML or SQL. |
1232 | 1232 |
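Review bot: 1229 capitalizes "Talk" but leaves "me" lowercase; the show title appears as "Talk Python to Me" at 37 in this same patch, so make it "Talk Python to Me" here too.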
|
|
1251 | 1251 | 01:06:47 Now, get out there and write some Python code. |
1252 | 1252 |
|
1253 | 1253 | 01:06:49 [MUSIC] |
1254 | | - |