Python Cybersecurity and Penetration Testing

00:00 How secure is your application? Do you know the main vulnerabilities that most apps suffer from?

00:05 How would you even start to answer these questions? On this episode of Talk Python to Me,

00:09 Justin Seitz is here to tell us all about it. This is episode number 37, recorded December 2nd,

00:15 2015. Now, before I play the theme music, I have a little something special for you guys.

00:20 This week only, instead of developers, developers, developers, we have Secrets from the Future by

00:25 MC Frenolot. It's a great song about the futility of computer security over time. You can catch the

00:31 entire song at the end of this episode.

00:50 Welcome to Talk Python to Me, a weekly podcast on Python, the language, the libraries, the ecosystem,

01:15 and the personalities. This is your host, Michael Kennedy. Follow me on Twitter where I'm at,

01:20 mkennedy. Keep up with the show and listen to past episodes at talkpython.fm and follow the show on

01:25 Twitter via at Talk Python. This episode is brought to you by Hired and Codeship. Thank them for

01:32 supporting the show on Twitter via at Hired underscore HQ and at Codeship. Hey, everyone.

01:37 Thanks for listening today. Let me introduce Justin. Justin Seitz is a respected cybersecurity

01:43 expert who has trained and consulted with Fortune 500s, law enforcement agencies, and governments

01:48 around the world. He's the author of two Python books that were translated into seven languages.

01:53 He's helped teach tens of thousands of people how to write code to automate computer hacking and OSINT

01:58 tasks. In October 2014, he presented a unique method for tracking ISIS supporters on Twitter.

02:05 Justin, welcome to the show.

02:07 Thank you very much for having me.

02:09 Yeah, I'm pretty excited to talk about this whole world of computer security and breaking software and

02:15 understanding where vulnerabilities are in your software. So I'm just happy you're on the show to

02:20 talk about that.

02:21 That's great. Normally you have builders and now you have a breaker. So that's awesome.

02:24 Yeah, that's right. Normally we have the builders on here, but I think it's super important to see that side of the story, right? Like if you build a website and you put it out

02:34 there, how do you know, you know, I kind of feel like it's safe. Is it safe? I don't know. Like you

02:40 should understand, you know, what the people who are trying to break into your systems are,

02:45 what, what, how would that even happen? Right. So that's, I think it's going to be really valuable

02:49 to builders in addition to everyone else.

02:51 Cool.

02:52 Cool. So we're going to talk a lot about that, but let's get started with where you got in a program in

02:58 Python. What's your story?

02:59 So how I got programming in Python was a good buddy of mine, Dave Falloon. I'll never forget

03:05 him peering over my shoulder when we worked together at a startup at one point. And I was doing everything

03:11 in PHP. And, you know, he kind of said, you know, dude, it's really lame that you're using PHP to do

03:17 all this stuff. You should really look into Python. So I did. And, you know, I'm one of those old dogs,

03:25 new tricks kind of guy. So I was like, oh man, you know, I'm not truth be told, not the strongest

03:31 developer. I had the pleasure of working in a couple of different companies with some really

03:36 top notch developers who just kind of blew my mind on a daily basis. And, you know, I knew that I was

03:42 never going to be like that. But I found with Python that I kind of went from zero to actually knowing

03:47 what I was doing awfully quick. And, and kind of around this time, as I was, you know, spending time

03:54 in kind of hacker forums and reverse engineering forums and stuff. You know, it was, it was kind

03:59 of strange, but Python seemed to almost become the de facto language for people to start using in the

04:06 hacking community. So between Dave kind of goading me into learning it and kind of the hacking community

04:12 beginning to adopt it as really, as, as the language we were all going to kind of standardize ourselves

04:19 on for the most part, that's really what kickstarted my journey into a Python coding.

04:23 I think that's the way a lot of people get started in Python is it's kind of the easy path to get

04:28 started, but unlike a lot of other easy paths, it doesn't seem to have a real strong upper pound,

04:35 right? Like you can build rich, high end systems, but you can also get started easy. And that's,

04:40 that's kind of unique to this whole ecosystem, right?

04:43 Yeah, I totally agree. I mean, I've seen some of the most, you know, the craziest systems built

04:49 completely in pure Python. And I've seen some of the most beautifully simple scripts that do amazing

04:55 stuff that are, you know, 10 lines long, which is great because I think 10 years ago, there's always

05:00 the argument of, you know, performance and compiled languages versus things like .NET when it was kind

05:06 of going through its renaissance period. And now I think we're to the point where we're kind of like,

05:11 you know, unless you're processing billions of transactions a second, which I bet you there are

05:14 Python installations out there that are doing that. We're okay. Everybody's kind of accepted that

05:20 there's many ways to skin these cats. And Python is just a great way to, to literally go from zero to

05:26 60 very, very quickly.

05:27 Yeah, definitely agree. So that's kind of how you got into Python. That's, that's really interesting. But

05:33 you took a sort of different path, right? You got into sort of analyzing systems and checking them for

05:40 vulnerabilities and offensive security and all that kind of stuff. That's a pretty different path than,

05:45 you know, I'm going to start building a websites in charge to build, you know, people's homepages or

05:50 whatever, right? Tell me the story there.

05:51 Yeah, yeah, sure. So I actually did spend a period of time being a web developer, again, hence why I

05:57 was into PHP. But, you know, the big thing for me was that I was at this startup that was

06:03 amazingly good, had a fantastic engineering team that kind of looked at talent and said,

06:09 you know, you are good at this particular job, do you want to do it? And for me, I got into quality

06:17 assurance and totally by accident. I was originally hired on there to, to fix printers, believe it or

06:23 not. But this was one of these really progressive kind of funky startups. And very quickly, I was leading

06:28 the QA team, which was very small. And soon, it turned out that I was really good at breaking

06:34 software. Now, I'd spent a number of years kind of in and out of, you know, kind of the hacking scene

06:39 and, you know, doing research on my own, but never really took it very seriously, never really took it

06:45 like something that it was, you know, that I wanted to do as a career. I didn't even know that it was

06:51 actually a career at the time. So as I got further and further along in this QA stuff, they realized that

06:56 we should actually get Justin spending all of his time breaking stuff. Because I seem to have this

07:01 kind of weird ability to find the bugs that nobody else would find. And to also, because I was into

07:08 reverse engineering, that I could assist the development staff in tracking down particularly

07:12 nasty bugs that they couldn't figure out other ways. So I basically, eventually became just a breaker.

07:20 So they brought in someone to run the overall QA team, and I was able to step aside and just simply

07:25 focus on that. And around this time, probably in 2006, 2007, I became more and more active

07:32 on reverse engineering forums and started sharing code and kind of networking with people. It was around

07:40 this time that I also decided, hey, I think I actually want to write a book, because I was writing some

07:45 tools in Python specifically for reverse engineering. And then immunity, where I spent seven years, sponsored a

07:52 competition, I believe in 2007, that was writing a plugin for what was called immunity debugger, which is a

07:59 debugger specifically designed to, for reverse engineering, primarily geared towards exploit development.

08:05 development. So I ended up writing a plugin for that, of course, in Python. And I won that competition. And shortly

08:13 thereafter, immunity hired me on in 2008. And from that point forward, I was doing all kinds of development

08:20 work. So their products were all written in Python. So I was working on penetration testing product there,

08:27 called Canvas, and also doing a lot of consulting and other work. And that's kind of what carried me down

08:33 that path. So I've been very fortunate that I've had a number of employers that kind of allowed me a bit

08:43 of free reign and allowed me to kind of chase the stuff that I found interesting. So I've been really

08:47 fortunate over the past 10 or 15 years to have that.

08:50 It's really great when you get to pursue what you're super interested in, right? It's almost like

08:55 you get paid to be on vacation or to do your hobby or something, right?

08:58 Yeah, absolutely. Absolutely.

09:00 Yeah, it's great. So you talked about your books. The first one you wrote was called

09:04 Grey Hat Python. Is that right?

09:06 That's correct. Yeah.

09:07 Yeah. So can you tell us kind of what topics you covered in there? And what's the story of that book?

09:13 So Grey Hat Python was definitely more heavily geared towards lower level reverse engineering and

09:20 exploit development and also looking at building tools to assist you in identifying vulnerabilities.

09:26 So in the security world, a lot of us employ a technique called fuzzing, which just basically

09:31 means generating random or semi-random inputs for a piece of software to process. So if you think of

09:38 a traditional server written in C that kind of takes packets in and dissects this proprietary protocol,

09:47 what we would do is we'd write fuzzers that would basically try to break how that protocol is parsed by that software

09:53 in the hopes that we would find vulnerabilities. So Grey Hat Python kind of takes you through

09:58 how to build some tools to assist on the back end, which means trapping bugs or using an automated kind of

10:05 debugging system to trap bugs, all the way up to building the fuzzers and building some of the other tools

10:13 to help you find bugs. So it was definitely more of a low level book, but it leveraged Python all the way

10:19 through to build tools to assist you.

10:22 Oh, that's really cool. So is that like looking for buffer overflows and SQL injection attacks and things like

10:29 that or other stuff as well?

10:31 Yeah, exactly. So I mean, 10 years ago, and still somewhat today, but things have changed a bit.

10:37 10 years ago, we were definitely looking for memory corruption bugs, which would be buffer overflows,

10:42 heap overflows, and you know, there's a myriad of other bugs. But you're right, we also,

10:47 most of us in the community that are writing tools, we're building stuff too, that's looking for SQL injection

10:53 bugs or looking for, you know, cross site scripting vulnerabilities. So much the same that we would be

10:59 focused on fuzzing software. We also built tools that would fuzz web applications as well.

11:05 I suspect a lot of the listeners know what buffer overflows are and what SQL injection

11:12 vulnerabilities are. But maybe, you know, there's probably a decent number of people who don't.

11:16 Could you maybe just talk about those two terms? Those are probably the two big,

11:19 super bad problems you can introduce into your code, right?

11:22 Sure, sure. So a buffer overflow is really where you're kind of shoving more data into a spot in

11:30 memory than it can handle. So if you think of a string in memory that is, you know, we can treat

11:37 it like a bucket. So this bucket can hold a maximum of 50 letters, or if you wanted to treat it like water,

11:43 it could be 50 liters of water. So typically, what you want to do when you're a programmer and you're using

11:48 a language like C, is that you want to ensure that you can never have even 51 liters of water or 51 letters

11:56 in that bucket. So what happens in a buffer overflow situation is that we are able to literally kind of

12:05 overflow the bucket. And depending on how we overflow that bucket, we can actually then control how your

12:12 program executes from there. So it's a very common vulnerability. But some of it is definitely starting

12:20 to go away because things like Visual Studio, the tool chains are starting to build in protections

12:26 in an attempt to deal with those programming flaws. And they're also trying to prevent you from using

12:33 functions like stir copy or mem copy in unsafe ways. So we're starting to get away from it. But that's

12:41 kind of the general feeling or general explanation of how a buffer overflow looks.

12:47 Now for a SQL injection vulnerability, we're not so much concerned with kind of shoveling too much data

12:53 in. But if you've ever written SQL code in like a PHP application, or even in Python,

12:59 and you concatenate strings together, for example, so you have your select statement, and you say,

13:05 where ID equals, then you have your quote, and you know, plus, and then some piece of input from the user.

13:12 Now, what we can do is we can substitute in a quote or single quote, or potentially other characters that

13:20 can actually allow us to control how that SQL statement is executed. So by injecting our own SQL,

13:27 that means that we could potentially extract data, you know, maybe you're only doing a select against

13:32 the products database. But when we send in our injection code, if we're successful in getting it in,

13:38 potentially, we could then begin mapping out all of the tables in the database, or we could begin

13:43 extracting data, not from the products table, but from the users table, where we could grab

13:47 usernames and passwords. Or in some cases, you can even begin executing commands directly on the

13:53 operating system straight from that little SQL injection vulnerability.

13:58 Yeah, and that might be like the text box for your password.

14:01 Yeah, exactly.

14:03 That's the command line to the remote box, right? It's less good when it's used that way, I think.

14:09 Yeah, that's right. And I think, you know, what it all boils down to is either just input

14:13 sanitization problems, right? So again, there's a lot of, you know, platforms are starting to get better,

14:20 and tool chains are getting better at forcing programmers to write code in a certain way.

14:25 And then on top of it, you know, there are a number of frameworks that are trying to make it so that

14:30 these kind of class of vulnerabilities are going to go the way of the dodo.

14:35 Yeah, that's really nice that the systems and the compilers are taking care of it, you know,

14:40 somewhat that helps, right? As well as the ORMs, right? So like SQLAlchemy,

14:45 or other high-level ORMs that don't accept string SQL, definitely help mitigate that some.

14:54 Have you Googled or have you seen the XKCD exploits of a mom, little Bobby tables?

15:00 Oh, yes.

15:02 For those of you who don't know what a SQL injection attack is, make sure you take the time to Google

15:08 for little Bobby tables and you'll get the XKCD exploits of a mom. I'll put it in the link of the

15:13 show notes, but I won't say any more. I'll let you check it out.

15:16 That's great. Yeah, it's a lot of books.

15:18 Did you really name your son that? Yes.

15:20 So I mentioned the two vulnerabilities that are like well-known to me because I, you know,

15:30 take account for them when I write web apps and stuff. But what else is out there that are sort

15:34 of on that scale that we should be aware of as developers to like just know that we should make

15:41 sure we don't do that? Well, again, I think the big thing is, you know, paying attention to every

15:47 place that input comes in from a user and assume that every user is extremely evil. So a lot of people,

15:54 you know, again, they're checking the SQL injection stuff. People treat it very seriously. So you,

16:00 along with a number of other developers, might be spending a lot of time taking a hard look at where

16:05 they interact with their database or using an ORM like SQLAlchemy. But there's a number of other

16:10 vulnerabilities like site scripting, which means that I'm able to pass in JavaScript to a piece of

16:17 input on your web application and have your web application kind of echo that JavaScript back out.

16:23 Now, this is not as sexy as a SQL injection because I can't directly attack your server. But what it does

16:29 allow me to do is potentially social engineer users of your system or even you as the administrator of

16:35 the system to click on a link that includes some JavaScript in that link. When you visit the link,

16:40 because you're not filtering the input properly, my JavaScript that I've included in the URL gets executed

16:47 in the context of your browser. So now effectively, I have the ability to make your browser do stuff

16:53 that you probably don't want me to do. You can pair this with other vulnerabilities as well. So that's,

17:00 you know, again, a common one is cross site scripting. Now, you know, again, these are all things that

17:04 if you Google for like the OWASP top 10, these are all things you're going to be looking for. But typically,

17:11 in my experience as someone who spent a lot of time hacking into systems,

17:15 a lot of our big wins where we were able to really compromise applications didn't necessarily involve

17:21 some of these classic attacks, it might be something as simple as not validating that a user account

17:28 should have access to a particular set of data. So if you and I both use the same system, and I'm user

17:34 ID one, and your user ID two, and there's a set of documents in this system, that you're assigned,

17:41 maybe the first 10 documents, and I'm assigned the last 10. What in a lot of cases, what we found was that, you know,

17:48 they're not properly checking and validating that I should only be allowed to access particular documents.

17:53 So now I'm able to access all of the sensitive information that you are,

17:57 in some cases, just by incrementing one number by walking through all of the various document IDs.

18:04 So is this an architectural flaw? Yes. Is it an input sanitization flaw, which are the most common or

18:10 previously most common? No. So it's a bit more nefarious, because you as a developer, as you're

18:16 paying attention to escaping all input and double checking your SQL queries and all that stuff,

18:22 some of these more architectural flaws are a little bit more subtle and a little bit more nefarious.

18:27 Yeah. So interesting. So for example, if I've got a relational database with a primary key that's

18:34 an integer and auto incrementing for all of my resources in my web app, and I have a user account,

18:41 it's very likely I can enumerate, you know, all of that type of data. So I might be slash users slash 271.

18:49 Well, it looks like I could just try a bunch of numbers between one and 10,000 and look for users and

18:55 see what I can see about them, right? Or documents or whatever, yeah?

18:58 Absolutely. And, you know, it sounds completely simple, but it's worked in a number of cases.

19:04 So, you know, this is where, again, you know, things like using GUIDs, so very big, long,

19:13 unique numbers that are randomized, are really helpful, because then it becomes very difficult for me,

19:19 the attacker to begin enumerating GUIDs, because they're tremendously big, right? It's not just a

19:25 simple integer. So when you're passing information around a web app, you know, in your user ID one,

19:31 you should really reference that user by GUID that's really big and unique, because it makes it

19:37 tough for an attacker to do some of those enumeration techniques.

19:41 Yeah, that's great advice.

19:43 This episode is brought to you by Hired. Hired is a two-sided, curated marketplace that connects the

19:59 world's knowledge workers to the best opportunities. Each offer you receive has salary and equity presented

20:06 right up front, and you can view the offers to accept or reject them before you even talk to

20:11 the company. Typically, candidates receive five or more offers in just the first week, and there are

20:16 no obligations, ever. Sounds pretty awesome, doesn't it? Well, did I mention there's a signing bonus?

20:22 Everyone who accepts a job from Hired gets a $2,000 signing bonus, and as Talk Python listeners,

20:28 it gets way sweeter. Use the link Hired.com slash Talk Python To Me, and Hired will double the signing

20:37 bonus to $4,000. Opportunity's knocking. Visit Hired.com slash Talk Python To Me and answer the call.

20:52 Okay, so what else was in the Grey Hat Python?

20:55 So that was basically, you know, we've kind of run the gamut for Grey Hat Python, and it was really

21:03 heavily focused on the reverse engineering and exploit writing stuff.

21:08 So that sounds like it's focused on kind of the application level.

21:12 That's right.

21:14 There's the whole sort of infrastructure, the way apps are put together, you know, the network,

21:20 those types of things that maybe you didn't talk about in that book, right?

21:23 That's right. Yeah. So I didn't talk a whole lot about that in that book, but that's where

21:28 I decided to write a second book, which was Black Hat Python, which is a more traditional penetration

21:34 test view of writing tools. So getting people to write tools that interact on the network. So just

21:41 fundamentally understanding how you write a client and server in Python is actually going to help you

21:46 understand how to write tools to do network attacks. So I teach people how to do that. And then I also

21:53 teach them how to use some more powerful libraries in Python, like Scatty, that allows you to execute

21:59 more complex attacks and allows you to do things like pet sniffing, allows you to, you know, kind of

22:05 analyze some of the data you capture in tools like Wireshark. I also spend time teaching people how to

22:12 write tools to attack web applications. So whether that's unique kind of brute forcers or using something

22:20 like Burp Suite, which is a popular web application hacking tool that a lot of people use. So I teach you

22:26 how to write plugins for Burp Suite. And then later on in the book, I start to move into more and more

22:33 offensive techniques. So I teach people actually how to write a Trojan or a virus that leverages GitHub

22:39 for command and control. So that means that this virus doesn't actually communicate to you. It

22:46 communicates only to GitHub, which in most corporate environments will bypass all the firewalls,

22:52 because most corporate environments allow people to go to GitHub.

22:55 Right. GitHub is fine. It's HTTP. It's outbound. How could that be wrong?

23:00 Exactly. Well, it's actually HTTPS, which is even better because then a lot of the

23:04 inline antivirus products are blind when it's an SSL connection. So they can't actually inspect any of

23:11 the traffic that's going by. So you have this HTTPS, this encrypted session to GitHub. And then

23:18 basically, you know, this Trojan is designed to retrieve its commands from GitHub. Also, it will do,

23:25 if the Trojan does not have a library, say like Win32, you can push that library to your GitHub repo,

23:33 and your Trojan will try to import it. And I actually hook into the import mechanism so that it reaches out

23:39 to GitHub for all of its imports that it can't resolve locally. So it'll retrieve them over the network and

23:43 import them that way. And then after it executes the task, like say, takes a screenshot of the target

23:49 system, it then actually re-uploads the results back to your GitHub repo. So techniques like that,

23:56 which I really wanted to show people that number one, writing these tools in Python is amazingly simple.

24:03 And when you sit back and realize you just wrote a Trojan that bypasses pretty much every firewall and

24:08 antivirus product out there in like 100 lines of Python or less, it's pretty neat. But also as a way to

24:17 help people understand from the network perspective, how simple it is for attackers to write tools like

24:24 this and how we need to get better at detecting them. So I start to get more offensive there. And

24:30 then kind of the tail end of the book is where I teach people, which, you know, is happening more and

24:36 more commonly where attackers are managing to get into host systems that host a number of virtual machines.

24:43 So I've seen people who are kind of paranoid, so they only will perform like their web browsing inside a

24:50 virtual machine, right? And so the last part of the book, I teach you how to use a forensics framework

24:56 called volatility. That's pure Python, how to use this forensics framework to actually analyze the RAM for a

25:05 running virtual machine and then inject code into it so that we can compromise the virtual machine,

25:10 which would allow us to then kind of climb inside it and see what the user is up to inside that machine.

25:16 So it covers a kind of a wide sweeping range from the network to web applications to Trojans and

25:25 kind of offensive forensics. But it's also a very short book. So I give you the code, I give you the

25:32 explanation and the why as to what we're doing. And there's really no fluff outside of that. It's really

25:37 about developing that Python muscle memory.

25:40 Yeah, so that has me a little scared to use my computer. But I think it was really interesting.

25:46 Some of the stuff that you did in that book, I think it's really neat. Like, for example, you talk about

25:52 if you understand how to use raw sockets in Python, that will take you a really long ways, right?

26:00 Yep, absolutely. Yeah. And again, I mean, that module by learning how to use raw sockets. And for example,

26:07 learning how to take something that comes off a raw socket and turn it into an actual IP structure,

26:14 like you would have done in C 20 years ago, you're learning a ton of great concepts, you're learning

26:19 about the network, you're learning about how to use C types to create structures in memory. And you're

26:24 learning about some of the more fundamental pieces of networking, which is how packets are

26:29 actually built from the ground up. And you're learning it in this really easy way, like it's

26:34 really accessible. It's not, it's not like C or C++, which I still don't understand why people write

26:41 code in it.

26:41 Yeah, it's definitely accessible, right? Like a lot of the code samples are like 20 lines of Python.

26:48 That's right. Yeah. And it's really, you know, again, I really want people to be able to write

26:53 it and then sit back and say, okay, what if I did this and just go out and start doing it? So give

26:59 them the, give them the fundamentals, give them the capability, but don't, you know, don't lead them

27:03 down the entire path. I really like people having a, I love it when people email me and say, yo, I took

27:09 the example in chapter three, and I did this with it. What do you think? That means that I, that I,

27:16 that people appreciate that style of writing.

27:18 Yeah. Yeah. That's really great. You talked a little bit about the malware type of stuff. You said

27:26 you had some experience actually taking Python to like understand some piece of malware. So like,

27:32 suppose I find some suspicious file on my program, on my computer, what, what can I do to understand

27:39 whether that's just some random binary or if it's a real problem?

27:43 So there's a, there's a number of tools and frameworks out there. And again, you know,

27:48 things like I mentioned previously, volatility is, is very quickly becoming one of the big tools that

27:55 forensic and malware people use to examine what is a piece of malware doing to your machine and what

28:01 artifacts is it leaving behind? And what is it modifying inside the memory of your machine? Which is

28:08 really critical. but there's a number of other things that you can do. For example, a lot of most,

28:14 you know, most modern malware is looking at how to defend itself against you. So it doesn't particularly

28:20 want anybody to reverse engineer it. because then it prevents, you know, if it can guard itself,

28:27 then it prevents people from, developing defenses against it. So, a number of years ago,

28:33 actually myself and a guy by the name of Neil, the hippie killer, built a, built a framework

28:38 called Muffy, which was designed, it was a Python framework that ran inside of immunity debugger.

28:44 And it was designed to actually, completely, remove the protections or a number of protections

28:50 that malware would have in place that would prevent you from analyzing it. So this is all an automated

28:56 and scriptable framework built on top of immunity debugger that, it would, for example,

29:00 a lot of malware wants to know, am I being debugged? So am I currently being run under debugger?

29:06 And so our framework would actually, reach into the malware and begin to undo those checks.

29:12 and it had multiple ways of doing that. Another thing that malware will do, for example,

29:18 is that it will walk the list of running processes on the system, looking for antivirus products,

29:24 looking for, debugging products. and so what Muffy would do is again, it would go in there

29:30 and it'd basically, start removing things from the list or it could actually patch out

29:34 the malware's ability to check for those processes. So aside from, you know, some of those big ones,

29:41 and again, primarily I'm, I didn't spend most of my career being a, malware analyst and I do some now.

29:50 But the big thing to me was that, with all of these tools like debuggers and,

29:57 even things like Ida Pro having Python built in, it allows you to kind of, if you're, if you're seeing the same thing in malware sample after malware sample after malware sample,

30:08 instead of spending five hours undoing some protection every time you spend five hours,

30:13 once writing code to automatically do it for you. And then, you know, that's fixed for you kind of for,

30:20 for life. You can kind of deploy that code whenever you need it. And Python's wonderful for that.

30:25 So you build up like a set of libraries that perform these functions, you know, take down the debugger defenses,

30:31 take down the antivirus protection and just chain them together and go after it, uncloak it. So then you can understand it. Yeah.

30:38 Yeah, that's exactly it. And then there's, you know, there's other cases too, where you might be analyzing a piece of malware that implements some very simple,

30:45 like XOR encryption. and maybe it, you know, it's, it's got some special little routine that it does. so lots of times what we'll do is,

30:55 you know, we're always dealing in assembly code. So we'll look at the assembly and, and say, okay, they have this decryption function here.

31:03 that's got maybe 10 or 20 assembly instructions. It will actually convert that directly into Python.

31:09 and we can then begin, you know, executing any string or any piece of data that comes across the network.

31:15 we can begin actually processing it directly in Python rather than letting the malware have to run through the decryption routine itself.

31:22 It's been a long time since I've had some kind of virus or malware that I know of on my, on any of my machines.

31:29 But I, the last time I remember that I did have one, yeah, the way I found out was very bizarre. I had a, a firewall, like, oh my gosh,

31:39 what was it called? One of the original firewalls you could put on windows XP and it would have been like zone alarm.

31:45 Yes. Thank you. Zone alarm. And I rebooted my computer at work and it said,

31:49 notepad wants to act as a server on your network. I thought, oh, that can't be good.

31:55 I'm like, oh my God. And that looks weird. I go and run it and it looks like notepad, but you can bet it wasn't right.

32:01 That's awesome.

32:04 We went in and checked and a lot of our computers at this office were letting notepad run as a server.

32:08 That was not good.

32:09 So my question, my question was, you know, there were antivirus things we installed and they said,

32:17 oh, we removed the problem. If something like this happens, do you think it's ever safe to use your computer again?

32:23 Or does it just require like a format straight away?

32:25 I don't know. It's, you know, it's really tough to say, you know, the amazing thing about the security community is that it always seems like every year we want to one up, ourselves.

32:35 So, you know, it used to be that, yeah, you get an infection, just remove it.

32:39 And then people are like, ah, no, you know, actually, they figured out how to persist, you know,

32:43 in the BIOS or whatever it is. you know, and then, and then it's like, okay, well, maybe let's,

32:48 let's format. And it's like, oh, well, format actually doesn't solve the whole BIOS problem.

32:52 okay. So maybe it's format and, and reflash the BIOS.

32:57 And then guys started infecting the hard drive controllers.

32:59 So they're actually on the chip that controls the hard drive. Well, how do you get rid of that?

33:04 so it's one of those things that I think depending on the strain and when I say strain,

33:10 I mean, really what that means is that most antivirus products are looking at the hash of the file and

33:15 they're saying, Hey, this is bad. so if you get infected by a known kind of variant and,

33:20 and you have a good idea of, and in most cases you can just go read the report on what that particular,

33:25 you know, what that malware actually does. If there's never been evidence that that malware

33:30 actually downloads and installs a root kit or some other low level, tool, then I think,

33:37 yeah, a full kind of hard drive, format is going to do the trick for you. But in some cases,

33:43 that's not going to be enough. you know, it's, it's, it's, it's one of those things.

33:49 I don't remember the last time, I don't remember the last time I personally have been

33:54 infected with something, but, I'm on OSX and one of my good friends, Russell Nolan just

34:00 did a, a, a great presentation on OSX malware and how he kind of hunted it using, kind of big

34:07 data sets and Python, oddly enough, using pandas. and so some of the stuff that, some of the stuff

34:13 that Russ, and you can check that out at the, it was at a conference called countermeasure.

34:18 so you can check out his talk. The talks will be posted. it, you know, some of the stuff that,

34:22 that Russ was finding was, was pretty impressive, impressive stuff that, that they're writing for

34:27 OSX as well. Yeah. So what you're telling me is that even formatting the computer is not enough. I

34:33 need to smash it and buy a new one. Yeah, I would totally, totally smash it, throw it out in your

34:38 backyard, turn the hose on it and, you know, go, go buy a new one. Crazy. Make it as expensive as

34:44 possible for yourself. Cause then it'll totally make you like way more vigilant in the future. The next time I'm definitely not opening that, that document

34:54 with the cat videos. Yeah, that was from me.

35:12 This episode is brought to you by CodeShip. CodeShip has launched organizations, create teams,

35:18 set permissions for specific team members, and improve collaboration in your continuous delivery

35:22 workflow. Maintain centralized control of your organization's projects and teams with CodeShip's

35:28 new organizations plan. And as Talk Python listeners, you can save 20% off any premium plan for the next

35:34 three months. Just use the code Talk Python, all caps, no spaces. Check them out at CodeShip.com and tell

35:40 them thanks for supporting the show on Twitter where they're at CodeShip.

35:44 So another thing that you're into is something that you said was called open source intelligence. And

35:54 I'm guessing this is not like GPL licensed intelligence.

35:58 No, that's right. So open source intelligence is kind of like, it's a general term for gathering

36:06 information from open sources. So non-classified sources, not involving, you know, spies on the ground

36:12 and not involving satellites in space. But what can we gather from sources like the news, social media,

36:21 even things like mobile applications? What kind of intelligence can we gather in general? So that's kind of

36:28 something that in the security community, you use it all the time, because when you're modeling

36:33 a particular target for a penetration test, you want to learn everything there is to know about that target.

36:40 And especially when it comes to social engineering and phishing attacks, being able to perform open source

36:47 intelligence, for example, if I wanted to attack you, I would want to figure out where's your Facebook page?

36:53 Where's your Twitter page? What do you have on LinkedIn? Can I find out information about your hobbies,

36:58 your kids, all this stuff? And basically, I'm going to model you as a target.

37:03 And I'm going to watch for things that seem to kind of emotionally register with you, so that when I write

37:09 you an email, or I send you a Twitter direct message, or, you know, I'm communicating with you in some way

37:16 that includes a link, meaning I want you to click on this link, that I'm communicating to you in a way that

37:21 you are going to definitely click on that link. So open source intelligence plays a huge,

37:27 a huge role in that, among other areas.

37:30 Sure. So make it feel familiar. And then you're much more likely to get that first step into the

37:35 whole social side of things, right?

37:37 Yeah, that's right. I mean, and that's the specific use case for OSINT for the security community. But

37:44 it's really used in a whole bunch of other ways. You know, if there's a riot in a city,

37:49 police forces are using OSINT to take a look at what's going on, what are they talking about? Are there

37:55 people gathering in a particular location? Same thing when we had the Paris attacks here a couple

38:02 of weeks ago? You know, a lot of it is open source information, you can go to bellingcat.com, for

38:07 example, and they have like a detailed analysis on, on one of the Paris attackers and the information

38:13 they found out about him only through open source means, for example. So it's kind of this amazing

38:18 hammer that you can hit many different nails with.

38:22 Interesting. And speaking of nails, you said you'd actually use this technique to find extremist

38:27 supporters.

38:28 On Twitter? Yes, that's right.

38:30 Yeah, yeah, on Twitter, right.

38:31 So last year I did a presentation at a conference where I used Python, because again, I can't really

38:37 program in much else, to be honest.

38:38 So I used Python to base.

38:41 Why would you want to?

38:42 Yeah, why would you want to, right? What I did was, I was looking at how to, how to identify

38:49 ISIS supporters on, on Twitter. And so this, this was kind of before, you know, I'd been

38:56 doing some of this stuff and some of this research on the side for a number of years, probably long

39:02 before it was kind of vogue. There's lots of people doing it now. But basically, I was, I was kind of,

39:08 the question I had was, well, how do I do this when I can't speak or read Arabic, right?

39:12 This is a big deal, because as you know, this is a terrorist group that has people from all walks

39:19 of life, speak all kinds of different languages. Text analysis has always kind of seemed like been,

39:25 you know, and sentiment analysis to go with it. Like, that's kind of the sexy thing people do

39:29 when they're analyzing Twitter networks. And for me, what I did instead was, I said, well, you know

39:35 what, actually, I think images are the way to go, because images don't require language, right?

39:41 So what I set out to do is use Python, along with OpenCV, which is a computer vision platform

39:46 with Python bindings. And I built a classifier that would detect that black flag of ISIS.

39:53 So it was quite common for people who supported ISIS or were actually part of the group to use that black

40:00 flag in their profile picture on Twitter, or to use it in imagery, like propaganda videos, for example.

40:08 Not uncommon when you have a video of, you know, some Syrian army tank blowing up that you see the black

40:15 flag in the top right-hand corner of the video. So this classifier's job was just to find that black flag.

40:21 So then on top of it, I wrote Python to interact with the Twitter API. So what this thing would do is

40:28 basically, I would just point it anywhere. And part of it as well was asking the question of, like,

40:33 the six degrees of Kevin Bacon. So I wanted to know how far away the nearest terrorist was in my social

40:39 network. So I literally just pointed this tool at my Twitter account. And it just basically ripped

40:45 through all of my friends and followers looking for the black flag. And then it went through all of

40:50 their friends and followers. And then as you can see, this kind of grows out exponentially until it

40:55 started finding, started finding that black flag in propaganda or in profile pictures.

41:01 And so actually, this worked really well for me, because in a very short period of time, I was able to

41:07 build up a database of two or 3000 extremist accounts.

41:12 Now, the trick was that this was actually semi-automatically, because if you've ever used

41:19 OpenCV before to do kind of image detection or this kind of logo detection stuff, if you're not a

41:25 computer vision expert, which I definitely am not, you're going to run into kind of this high rate

41:32 of false positives. So there were cases where it would pick up a black cat and say, hey, that's

41:36 a nice supporter.

41:38 It could have been an evil cat. You never know.

41:40 It could have totally been an evil cat. So what I did was I actually used Python to solve the

41:45 semi-automatic problem, too. So after it was done crawling everything, let's say it had, you know,

41:51 a few thousand images and there was, you know, maybe a few hundred that might be kind of garbage.

41:56 So what I wanted to do is to filter through them very quickly by hand.

42:01 So I used WX Python and I wrote a little game. And all this game did was I would pull in all of the

42:08 images from this directory where I stored them. And then I could hit space bar if it was an ISA

42:12 supporter and enter if it was not. So very quickly, I could cycle through all the images very quickly,

42:16 kind of playing Duck, Duck, Goose. And amazingly enough, you know, it sounds like a lot like where

42:21 you're like, oh, man, like you did that with thousands of images. And I'm like, yeah, but it took like 10 minutes

42:25 because you very quickly, you know, it becomes this very quick game that you play and it is very,

42:31 very fast to cycle through all of them. So I use Python to kind of help me deal with that. Now,

42:36 you know, any computer vision experts who are listening to this, they already have like their

42:40 head in their hands like, oh, man, I can't believe you did that. But it worked for me. It was fast.

42:46 And then, you know, kind of on top of that, the tail end of my presentation is really about how,

42:54 again, using Python to push all of this data into Elasticsearch. And then just, you know,

43:01 because it's the Elasticsearch bindings for Python are beautiful. It's like one line of code,

43:06 you can take a dictionary and shovel it into a database. You know, like that is, for those of

43:11 us who've been around the block long enough, that was one of the most eye-opening, amazing thing I'd

43:17 ever seen. Like, you import this thing and you do es.index and like literally you're done.

43:23 There's no schema design. There's nothing else you had to do. So I thought it was just

43:27 amazingly wonderful when I discovered Elasticsearch. And so it was actually a friend of mine,

43:34 Chris Gashler, who had said, you've got to check out Elasticsearch. It's totally easy to get data

43:38 into, not so easy to get data out of, which was totally true. But then I was able to do some

43:44 interesting stuff where I could look at, you know, the geotagging of tweets and I could see where there were

43:48 concentrations of supporters and I could begin to do analysis like, hey, what was the most popular

43:53 cell phone they used to tweet with, for example. So it was really, it was a great use of Python

44:00 and open source intelligence. And it was, you know, it was really well received.

44:05 Yeah. It sounds really, really interesting. I'm sure it was. What was the number,

44:10 your index, like your Kevin Bacon number?

44:12 It was really low.

44:14 I'm sure.

44:15 It was like, it was like three, I believe. Three or less than three. Now I actually, but that's,

44:21 it was kind of a biased sample because I follow a number of counterterrorism researchers and a number

44:26 of terrorists like to follow counterterrorism researchers so they know what they're saying,

44:30 right?

44:31 Of course, of course. It's a little self-selecting, but still, right?

44:34 It was, but it's actually, it was shocking because I did pick other accounts and it was very,

44:40 I didn't know what the answer was going to be, which is always the exciting thing about research

44:44 when you actually set out to, when you truly have no idea what the answer is going to be.

44:49 But it was very low. It was always like three or sub three anywhere I ran it. So that was kind of,

44:56 that was kind of interesting to me.

44:58 That is interesting. It doesn't really surprise me, but yeah, it doesn't make you feel warm and fuzzy

45:03 either, I suppose.

45:03 No, not really. No, it's true.

45:07 So you have a, a cool course on a sort of automating open source intelligence and kind of

45:14 taking people through a lot of the techniques that you were kind of employing there, right?

45:17 Yeah, yeah, I do. So, I run a course at automatingosync.com. I have a blog as well

45:22 where I'm teaching people how to use Python, and, and like just a hint of JavaScript when required,

45:28 I know, but, I'm teaching them how to, you know, automate the collection of tweets. How do we

45:35 find all the friends and followers for an account? And then how do we do, you know, Instagram and

45:41 YouTube and thinking about how people, journalists, law enforcement, data scientists are approaching

45:47 some of these data sets and then boiling that down into very kind of digestible kind of small,

45:53 lessons that people can take, so that they can learn how to do some of this stuff.

45:58 Because again, whether you're a marketer or you're someone who's a counterterrorism analyst,

46:02 the same data can have very quite, you know, looking at it through different lenses, is

46:09 really, really fascinating. So that's kind of the whole, purpose of the course is to just teach

46:14 people how, how to do some of this stuff, how to use Python. And, and honestly, some of it is me

46:19 teaching them, you know, here's how you debug a Python script and here's, you know, don't be afraid

46:24 of coding, that this is really not that scary. And, and you can, you know, literally I've taken

46:29 people who've never written a line of code in their life and they're sending me screenshots of,

46:33 of Cabana loaded up with, tweets in an elastic search instance. And they're like,

46:38 yo dude, check this out. Like I can, I can tell that you tweet way more on Wednesdays. And I'm like,

46:42 that's really creepy and awesome at the same time. But, you know, stuff like that, that,

46:48 that this is a, it's just, I have a real passion for open source intelligence stuff,

46:52 and for Python. And so it was just natural for me that I'm like, you know what? I have like,

46:58 I don't know, hundreds of scripts that I've written. just like just one offers and stuff

47:04 I did to support research that I was doing that had nothing to do with my day job. And I'm like,

47:09 you know, I should start transferring some of this knowledge to other people because I think it would

47:13 be useful. So it is, it's totally amazing. I have people who are using it to, track criminals.

47:20 I have people who are using it to collect information on war crimes in Syria. I have students who are,

47:28 who are protecting some of the, working on protecting some of the largest, most well-known

47:33 household company names that we all use their products. you know, and they're, they're using

47:38 it to protect their infrastructure and, and find out if hackers are talking about them online. And,

47:42 so it's really, it's an amazing field for sure.

47:45 Yeah, it's really cool. And that's a, like a asynchronous type course, right? So you sign up and

47:51 you can take it from anywhere online more or less, right?

47:54 Yeah, that's right. And it's just driven by videos and, and then written material and code samples.

48:00 And then you have a skill testers where I get you to go out and solve problems with Python.

48:04 then you have to submit them to me for grading. and then once a month I run, I run student

48:11 sessions where I hop online with, whatever students can make it. I hop online for an hour

48:16 and I field questions. And then I usually try to teach something that is not in the course. So,

48:20 last month actually I taught people, how to connect Python to the Tor network so that

48:27 you can actually scrape, web pages inside of Tor, for example.

48:31 Oh yeah, that's really cool. Yeah. I'll be sure to put a link to your course in the show notes.

48:35 Awesome. Thank you.

48:36 Yeah, you bet. So we have time for a few more questions. Let's see. So sure.

48:41 He must've, you know, over the years seen a lot of crazy stuff. What's the,

48:45 the most unusual or entertaining thing that you've kind of run across in this whole space?

48:50 Oh man, that's a, that is a very good question. So I think, you know, I saw when I was doing some of this ISIS, research, I found a Twitter account,

48:59 who actually showed up initially as an extremist. And then I found, he was actually,

49:04 a satirist. but he would literally write some of the most like convincing kind of

49:10 tweets and, and he would take, for example, images that, that ISIS would use to kind of instill

49:15 fear and then he'd make them like hilarious. Right. And so I found this account and, and,

49:20 and as I'm reading through it, there's like these, you know, these jihadis who are

49:24 not very happy with him. They're like trying to get him kicked off of Twitter, but Twitter

49:28 won't really kick him off. And they're like, you know, threatening him and he's kind of responding

49:33 back with like pictures of goats and other stuff, you know? so I thought it was great. Like

49:38 I thought this is this, this person, number one's got guts and number two is like completely

49:43 counteracting, their message. I mean, nobody was really paying attention to his account,

49:48 which is unfortunate. I think if we had more people paying attention to that guy's account,

49:51 than we did paying attention to the ISIS guys, we'd be winning. but it was really

49:56 hilarious because, this guy was like a never ending source of entertainment for me that

50:00 I could go back and check on him. Yeah. It seems like a really nice brush of fresh air with all

50:05 that sort of, you know, negativity out there to just turn it around and like, here, let me put

50:10 a cat picture on top of your tank or something. Yeah, exactly. Exactly. It was pretty funny.

50:16 Yeah. How funny. One thing I wanted to ask you about, because as a programmer, I have one view of

50:22 the world and I, you know, run a lot of non-programmers. So I see their view, but from a

50:26 computer security type person, you may have a different perspective and that's sort of like

50:31 computer hacking in sort of cybersecurity in the popular media.

50:37 Right. Yeah. You're already laughing.

50:39 Yeah. I'm just thinking of, you know, some quote, like I'm going to write a VB script that's going

50:45 to track down the IP address. What are you even saying? Right.

50:50 Well, I mean, that's the thing, right? Is I think that, you know, you look at the original

50:53 kind of hackers movie, you know, sneakers was probably more realistic than people give it

50:59 credit for more so than a lot of other stuff. For the most part, like in popular media, it's,

51:05 it's pretty much 99% of it is garbage. And then within the last year we had the Mr. Robot series

51:12 come out, which was a complete game changer. And, you know, it's, they, they really fundamentally

51:19 get what it's about. And part of that is actually, they have a guy on their staff. His name is Michael

51:26 Pazell. He's a very popular guy in the open source intelligence world. And he's kind of the main

51:31 technical guy behind it. So he's the one who's driving a lot of the kind of technical and hacky

51:37 type stuff. And I can personally attest that, you know, Michael is a very smart guy. He knows what

51:43 he's talking about. And so this is the whole key to me is that having someone like that who is like,

51:48 you know what, we're not going to put a bunch of BS with like 3d cubes and, you know, whatever

51:54 people hacking on touch screens and like whatever virtual reality, because that's not how hackers

52:00 work, right? It's like mundane. And it's through the terminals, you know, for the most part. So I think

52:06 that finally that for me was I was like, Oh, finally, somebody is actually covering this properly.

52:14 But I can tell you that most hackers, you would not want to look over the shoulder while they work,

52:20 because it really is like, it is mind numbingly mundane stuff picking through 1000s of lines of

52:28 code looking for a bug. You can do that for two weeks before you hit that one place in the code that

52:35 you know, Oh, man, right there is exactly what I'm looking for. And then it gets exciting. But it can

52:41 totally be the most mundane work ever. And you know, that's just not good TV.

52:47 No, it's not. I think you're totally right about Mr. Robot. I love that series. I think I have just

52:53 the final episode to watch still. And I'll put the trailer in the show notes so people can check it out.

52:59 But you know, I started watching that I saw, you know, they're talking about tour VPNs, there's Linux,

53:05 there's the command line, they the previous show, I just had the PyCharm guys on there. There's like

53:11 segments of the show where they're working in PyCharm. Like this is a really good show. It's,

53:15 it's obviously fiction. And it's on the outer edge of, you know, believable fiction. But at the same

53:20 time, it's not based in like funky 3d cubes that like mean nothing, right? Yeah, exactly. Yeah,

53:26 yeah. Very cool. Very cool. One other quick question in this sort of non fictional space,

53:33 but kind of popular culture. There have been, it seems like increasingly many security breaches,

53:39 you know, Target, Home Depot, just, you know, one after another. Are things becoming less secure,

53:46 more secure? What are your what's your like general feeling when you're out on the internet? Fear or

53:51 generally? Okay.

53:54 I mean, I'm Yeah, I really don't. I'm not that I'm not full of fear. That's for sure. But I used to joke

54:01 when I when I'd have to do, like press interviews for like, okay, you know, it's December, actually,

54:07 this time of year, it'd be perfect, because they would they would call us up and say, what's your

54:11 predictions for 2016? Right? And I would say, whatever happened in 2015, it's going to just happen

54:16 again, maybe bigger, maybe smaller. So just copy out whatever I told you last year and just use it

54:21 again. And sadly, that's really where we're at, right? Like whether it's Target, whether it's Ashley

54:27 Madison, whatever it is, securing your data is an incredibly difficult thing to do. And so for me,

54:35 I was always breaking stuff, not necessarily fixing or defending stuff. And the defenders have an

54:40 incredibly difficult job. So for me, I don't think things are getting better or worse. I think

54:46 there are parts of the underlying security infrastructure that are getting better. I think

54:51 there are parts of the philosophy of security that are getting worse. Bring your own device,

54:56 for example, BYOD is one of the perfect examples of the worst idea ever, never, ever let anybody do it.

55:02 But people are still doing it. Oh, you want to bring your laptop from from home in and connect it to

55:07 the corporate network? You know, what's the worst that could happen? So to me, it's like there's these

55:12 opposing forces at times where we're getting better on the technology front,

55:16 I think. But the philosophy front, I think we have a ways to go. But again, it's it's very tough. I mean,

55:23 the there's going to be no shortages of breaches and and database dumps in 2016, like we saw in 2015.

55:30 I don't think that's going to change.

55:32 Yeah, that's a really, really great answer. Thanks.

55:35 I have two questions before you before you get out of here. And the first one is if you're going to write some Python code, what editor do you open up?

55:43 Hands down, I have been using it for I don't even know how many years, a long time.

55:50 All of my students, when you sign up for one of my courses, you get wing IDE pro as part of the course. I standardize all of my videos on it. Everything I do is in wing. And anytime someone asks me, you know, what should I use? 100% wing. The big thing for me is that the debugging capabilities are just out of this world. Love it.

56:11 They have a great team there. They have an accessible support staff. I don't even remember actually last time I had to file a ticket with them. So I yeah, hands down, it's weighing that being said, I know you had the PyCharm guys on here. People speak very highly of PyCharm. But for me, the inertia to try a different IDE when I need to be really productive every day. It's just too much for me to to have to even try to give it a fair shake. But I hear lots of good stuff about it.

56:40 I've used wing a little bit, not a lot, but I'm, I'm definitely a fan of the IDE side of the story. So yeah, I'd like to hear that. Cool. Final question. What's your favorite PI PI package or library out there?

56:53 Oh, man. Okay. I mean, requests is probably the one I use the most, which is just awesome. But the other day, I found a library called date util. And maybe the entire internet knows about date util already. But date util allows you to just like feed it.

57:09 Any kind of date string, like in any format. And it basically gives you back a date time object, which is amazing. You don't have to use format strings. You don't have to use any crazy, you know, conversions or string splitting to clean it up. It just does it.

57:28 That's awesome. Yeah, I hate working with dates, like in pretty much any language. It's always seems to be painful. And so that sounds really cool. I'm gonna check it out. Date util. Okay, date util. Get it. It's awesome.

57:39 All right. I'm definitely gonna check it out. Justin, this has been a fascinating look inside of a world that most of us don't really look at that often. So thank you for sharing the story.

57:50 Hey, thank you very much for having me on. This is this has been great.

57:53 Yep, you bet. And I'll make sure all the cool stuff we talked about in the show notes. So talk to you later. Thanks again.

57:59 Fantastic. Thanks, Michael.

58:01 This has been another episode of Talk Python to Me. Today's guest was Justin Seitz. And this episode has been sponsored by Hired and CodeShip. Thank you guys for supporting the show.

58:11 Hired wants to help you find your next big thing. Visit Hired.com slash Talk Python To Me to get five or more offers with salary and equity presented right up front and a special listener signing bonus of $4,000.

58:22 CodeShip wants you to always keep shipping. Check them out at CodeShip.com and thank them on Twitter via at CodeShip.

58:30 Don't forget the discount code for listeners. It's easy. Talk Python. All caps. No spaces.

58:34 You can find the links from today's show at talkpython.fm/episodes slash show slash 37.

58:41 And be sure to subscribe to the show. Open your favorite podcatcher and search for Python. We should be right at the top.

58:46 You can also find the iTunes and direct RSS feeds in the footer of the website.

58:51 This week's theme music was Secrets from the Future by MC Frontalot.

58:55 He has at least four excellent albums in this genre that he created called Nerdcore.

59:00 Check him out at Frontalot.com.

59:02 His song Zero Day is also a perfect match for this episode.

59:05 So, thanks for listening.

59:07 Here's the full song, Secrets from the Future.

59:10 Enjoy and I'll see you next time.

59:11 See you next time.

59:15 Get your most closely kept personal thought.

59:20 Put it in the word block with a password lock.

59:23 Stock it deep in the raw with extraction precluded by the ludicrous length and the strength of a reputed live.

59:30 Dictionary attack.

59:31 Proof string of characters.

59:33 This imperative to what?

59:35 All that is leverages of privacy.

59:36 The NSA and homeliness.

59:38 You better PGP the raw because so far they ain't impressed.

59:41 You better take the PGP and print the hex of it out.

59:44 Scan that into a tiff.

59:46 Then if you secret doubt for your data, scramble up the order of the pixels.

59:50 We're the one time pad that describes the fun time had.

59:53 But the thick soul boot wearing stomper who dance to produce random clap trap.

59:57 All the intervals in between which set in tandem with the stomps themselves.

01:00:01 Be got a seed of math unguessable.

01:00:03 Ain't no complaint about the cipher that's redressable.

01:00:06 Best of all your secret.

01:00:07 Nothing extant could extract it.

01:00:09 By 2025 a children speak and spell could crack it.

01:00:12 You can't hide secrets from the future with math.

01:00:15 You can try but I bet that in the future they laugh at the half-fast schemes and algorithms amassed.

01:00:21 Doing voice cryptographs in the past.

01:00:23 You can't hide secrets from the future with math.

01:00:27 You can try but I bet that in the future they laugh at the half-fast schemes and algorithms amassed.

01:00:33 To enforce cryptographs in the past.

01:00:35 And future people do not give a damn about your shopping.

01:00:38 Your visa number SSL to cherry popping hot grandpa action.

01:00:43 Websites that you visit or pass were protected partitions.

01:00:46 No matter how illicit and this it would seem is your saving grace.

01:00:50 Like amazing haste of people to forget your name, your face.

01:00:54 Lit in this list of indefensible indiscretions.

01:00:56 In fact the only way that you could pray to make impression on the era ahead.

01:01:01 Is if instead of being notable you make the data describing you undecodable.

01:01:06 The script kid is sifting in that relic.

01:01:08 Called the internet seeking latches on treasure chests.

01:01:10 If they could reckon seconds would it.

01:01:12 And yet get a chance to queue up for disassembly.

01:01:15 To discover and crack the cover like a crumbrelate.

01:01:18 They'll glance you over I guess.

01:01:20 And then for a bare moment you persist.

01:01:21 You exist.

01:01:22 Almost seem like you're there don't it?

01:01:24 But you're not.

01:01:24 You're here.

01:01:25 Your name will fade as front's will.

01:01:27 That's in the future.

01:01:27 They don't know our crypt to bury it.

01:01:29 And still.

01:01:30 You can't hide secrets from the future.

01:01:32 With math.

01:01:33 You can try.

01:01:34 But I bet that in the future they laugh.

01:01:36 At the half fast schemes.

01:01:37 And algorithms amassed.

01:01:39 You'll enforce cryptographs in the past.

01:01:41 You can't hide secrets from the future.

01:01:44 With math.

01:01:45 You can try.

01:01:46 But I bet that in the future they laugh.

01:01:48 With the half fast schemes.

01:01:49 And now the rhythms amassed.

01:01:51 To enforce cryptographs in the past.

01:01:53 Now it's an enigma machine.

01:01:58 A code yelled out at hot bongs.

01:02:00 Into a tin can with a thin string.

01:02:02 And that ain't all you do.

01:02:03 To broadcast clear text of your intention.

01:02:06 Send an email to the government.

01:02:07 Pledging your abstention from vote fraud.

01:02:10 This time.

01:02:10 Next time.

01:02:11 You ain't promised.

01:02:12 You don't get a visit from the department of piranets.

01:02:15 Be honest.

01:02:15 You ain't hacking those.

01:02:17 It'd be too easy.

01:02:18 Setting up the next president.

01:02:19 Pretending that you were through freezing.

01:02:21 When you're nothing but warming up.

01:02:22 To do list in your diary.

01:02:23 Better keep for a long time.

01:02:25 In the long time.

01:02:26 Better be tiring.

01:02:26 Into the distribution of electrical brains.

01:02:29 That's a guessing every unsalted hash that ever came.

01:02:32 They got alien technology.

01:02:34 To make the rainbow tables.

01:02:35 With an in an afternoon.

01:02:36 A glance and have them secrets.

01:02:38 Don't resist the loving codes.

01:02:39 Of the mathematical calculation.

01:02:41 Heart of your mystery.

01:02:43 Sent free fall into palpitation.

01:02:45 Pump your tunnel rise up in the dump.

01:02:47 A free agent.

01:02:48 Nobody knows the future.

01:02:49 Now go find out.

01:02:50 Be patient.

01:02:51 You can't hide secrets from the future.

01:02:59 With a favorite tribe.

01:03:01 And I bet that in the future.

01:03:02 They don't have bad schemes.

01:03:04 And I won't be honest.

01:03:06 You can't hide secrets from the future.

01:03:07 You can't hide secrets from the future.

01:03:11 You can't hide secrets from the future.

01:03:38 You can't hide secrets from the future.

01:03:40 You can't hide secrets from the future.

01:03:41 You can't hide secrets from the future.

01:03:41 You can't hide secrets from the future.

01:03:41 You can't hide secrets from the future.

01:03:41 You can't hide secrets from the future.

01:03:42 You can't hide secrets from the future.

01:03:42 You can't hide secrets from the future.

01:03:43 You can't hide secrets from the future.

01:03:44 You can't hide secrets from the future.

01:03:45 You can't hide secrets from the future.

01:03:46 You can't hide secrets from the future.

01:03:47 You can't hide secrets from the future.

01:03:48 You can't hide secrets from the future.

01:03:49 You can't hide secrets from the future.

01:03:50 You can't hide secrets from the future.

01:03:51 You can't hide secrets from the future.

01:03:52 You can't hide secrets from the future.

01:03:53 You can't hide secrets from the future.

01:03:54 You can't hide secrets from the future.

01:03:55 You can't hide secrets from the future.

01:03:56 You can't hide secrets from the future.

01:03:57 You can't hide secrets from the future.

01:03:58 You can't hide secrets from the future.

01:03:59 You can't hide secrets from the future.

01:04:00 You can't hide secrets from the future.

01:04:01 You can't hide secrets from the future.