#37: Python Cybersecurity and Penetration Testing Transcript
00:00 How secure is your application? Do you know the main vulnerabilities that most apps suffer from?
00:05 How would you even start to answer these questions? On this episode of Talk Python to Me,
00:09 Justin Seitz is here to tell us all about it. This is episode number 37, recorded December 2nd,
00:15 2015. Now, before I play the theme music, I have a little something special for you guys.
00:20 This week only, instead of developers, developers, developers, we have Secrets from the Future by
00:25 MC Frenolot. It's a great song about the futility of computer security over time. You can catch the
00:31 entire song at the end of this episode.
00:50 Welcome to Talk Python to Me, a weekly podcast on Python, the language, the libraries, the ecosystem,
01:15 and the personalities. This is your host, Michael Kennedy. Follow me on Twitter where I'm at,
01:20 mkennedy. Keep up with the show and listen to past episodes at talkpython.fm and follow the show on
01:25 Twitter via at Talk Python. This episode is brought to you by Hired and Codeship. Thank them for
01:32 supporting the show on Twitter via at Hired underscore HQ and at Codeship. Hey, everyone.
01:37 Thanks for listening today. Let me introduce Justin. Justin Seitz is a respected cybersecurity
01:43 expert who has trained and consulted with Fortune 500s, law enforcement agencies, and governments
01:48 around the world. He's the author of two Python books that were translated into seven languages.
01:53 He's helped teach tens of thousands of people how to write code to automate computer hacking and OSINT
01:58 tasks. In October 2014, he presented a unique method for tracking ISIS supporters on Twitter.
02:05 Justin, welcome to the show.
02:07 Thank you very much for having me.
02:09 Yeah, I'm pretty excited to talk about this whole world of computer security and breaking software and
02:15 understanding where vulnerabilities are in your software. So I'm just happy you're on the show to
02:20 talk about that.
02:21 That's great. Normally you have builders and now you have a breaker. So that's awesome.
02:24 Yeah, that's right. Normally we have the builders on here, but I think it's super important to see that side of the story, right? Like if you build a website and you put it out
02:34 there, how do you know, you know, I kind of feel like it's safe. Is it safe? I don't know. Like you
02:40 should understand, you know, what the people who are trying to break into your systems are,
02:45 what, what, how would that even happen? Right. So that's, I think it's going to be really valuable
02:49 to builders in addition to everyone else.
02:51 Cool.
02:52 Cool. So we're going to talk a lot about that, but let's get started with where you got in a program in
02:58 Python. What's your story?
02:59 So how I got programming in Python was a good buddy of mine, Dave Falloon. I'll never forget
03:05 him peering over my shoulder when we worked together at a startup at one point. And I was doing everything
03:11 in PHP. And, you know, he kind of said, you know, dude, it's really lame that you're using PHP to do
03:17 all this stuff. You should really look into Python. So I did. And, you know, I'm one of those old dogs,
03:25 new tricks kind of guy. So I was like, oh man, you know, I'm not truth be told, not the strongest
03:31 developer. I had the pleasure of working in a couple of different companies with some really
03:36 top notch developers who just kind of blew my mind on a daily basis. And, you know, I knew that I was
03:42 never going to be like that. But I found with Python that I kind of went from zero to actually knowing
03:47 what I was doing awfully quick. And, and kind of around this time, as I was, you know, spending time
03:54 in kind of hacker forums and reverse engineering forums and stuff. You know, it was, it was kind
03:59 of strange, but Python seemed to almost become the de facto language for people to start using in the
04:06 hacking community. So between Dave kind of goading me into learning it and kind of the hacking community
04:12 beginning to adopt it as really, as, as the language we were all going to kind of standardize ourselves
04:19 on for the most part, that's really what kickstarted my journey into a Python coding.
04:23 I think that's the way a lot of people get started in Python is it's kind of the easy path to get
04:28 started, but unlike a lot of other easy paths, it doesn't seem to have a real strong upper pound,
04:35 right? Like you can build rich, high end systems, but you can also get started easy. And that's,
04:40 that's kind of unique to this whole ecosystem, right?
04:43 Yeah, I totally agree. I mean, I've seen some of the most, you know, the craziest systems built
04:49 completely in pure Python. And I've seen some of the most beautifully simple scripts that do amazing
04:55 stuff that are, you know, 10 lines long, which is great because I think 10 years ago, there's always
05:00 the, the argument of, you know, performance and compiled languages versus things like .NET when it was kind
05:06 of going through its renaissance period. And now I think we're to the point where we're kind of like,
05:11 you know, unless you're processing billions of transactions a second, which I bet you there are
05:14 Python installations out there that are doing that. We're okay. Everybody's kind of accepted that
05:20 there's many ways to skin these cats. And Python is just a great way to, to literally go from zero to
05:26 60 very, very quickly.
05:27 Yeah, definitely agree. So that's kind of how you got into Python. That's, that's really interesting. But
05:33 you took a sort of different path, right? You got into sort of analyzing systems and checking them for
05:40 vulnerabilities and offensive security and all that kind of stuff. That's a pretty different path than,
05:45 you know, I'm going to start building a websites in charge to build, you know, people's homepages or
05:50 whatever, right? Tell me the story there.
05:51 Yeah, yeah, sure. So I actually did spend a period of time being a web developer, again, hence why I
05:57 was into PHP. But, you know, the big thing for me was that I was at this startup that was
06:03 amazingly good, had a fantastic engineering team that kind of looked at talent and said,
06:09 you know, you are good at this particular job, do you want to do it? And for me, I got into quality
06:17 assurance and totally by accident. I was originally hired on there to, to fix printers, believe it or
06:23 not. But this was one of these really progressive kind of funky startups. And very quickly, I was leading
06:28 the QA team, which was very small. And soon, it turned out that I was really good at breaking
06:34 software. Now, I'd spent a number of years kind of in and out of, you know, kind of the hacking scene
06:39 and, you know, doing research on my own, but never really took it very seriously, never really took it
06:45 like something that it was, you know, that I wanted to do as a career. I didn't even know that it was
06:51 actually a career at the time. So as I got further and further along in this QA stuff, they realized that
06:56 we should actually get Justin spending all of his time breaking stuff. Because I seem to have this
07:01 kind of weird ability to find the bugs that nobody else would find. And to also, because I was into
07:08 reverse engineering, that I could assist the development staff in tracking down particularly
07:12 nasty bugs that they couldn't figure out other ways. So I basically, eventually became just a breaker.
07:20 So they brought in someone to run the overall QA team, and I was able to step aside and just simply
07:25 focus on that. And around this time, probably in 2006, 2007, I became more and more active
07:32 on reverse engineering forums and started sharing code and kind of networking with people. It was around
07:40 this time that I also decided, hey, I think I actually want to write a book, because I was writing some
07:45 tools in Python specifically for reverse engineering. And then immunity, where I spent seven years, sponsored a
07:52 competition, I believe in 2007, that was writing a plugin for what was called immunity debugger, which is a
07:59 debugger specifically designed to, for reverse engineering, primarily geared towards exploit development.
08:05 development. So I ended up writing a plugin for that, of course, in Python. And I won that competition. And shortly
08:13 thereafter, immunity hired me on in 2008. And from that point forward, I was doing all kinds of development
08:20 work. So their products were all written in Python. So I was working on penetration testing product there,
08:27 called Canvas, and also doing a lot of consulting and other work. And that's kind of what carried me down
08:33 that path. So I've been very fortunate that I've had a number of employers that kind of allowed me a bit
08:43 of free reign and allowed me to kind of chase the stuff that I found interesting. So I've been really
08:47 fortunate over the past 10 or 15 years to have that.
08:50 It's really great when you get to pursue what you're super interested in, right? It's almost like
08:55 you get paid to be on vacation or to do your hobby or something, right?
08:58 Yeah, absolutely. Absolutely.
09:00 Yeah, it's great. So you talked about your books. The first one you wrote was called
09:04 Grey Hat Python. Is that right?
09:06 That's correct. Yeah.
09:07 Yeah. So can you tell us kind of what topics you covered in there? And what's the story of that book?
09:13 So Grey Hat Python was definitely more heavily geared towards lower level reverse engineering and
09:20 exploit development and also looking at building tools to assist you in identifying vulnerabilities.
09:26 So in the security world, a lot of us employ a technique called fuzzing, which just basically
09:31 means generating random or semi-random inputs for a piece of software to process. So if you think of
09:38 a traditional server written in C that kind of takes packets in and dissects this proprietary protocol,
09:47 what we would do is we'd write fuzzers that would basically try to break how that protocol is parsed by that software
09:53 in the hopes that we would find vulnerabilities. So Grey Hat Python kind of takes you through
09:58 how to build some tools to assist on the back end, which means trapping bugs or using an automated kind of
10:05 debugging system to trap bugs, all the way up to building the fuzzers and building some of the other tools
10:13 to help you find bugs. So it was definitely more of a low level book, but it leveraged Python all the way
10:19 through to build tools to assist you.
10:22 Oh, that's really cool. So is that like looking for buffer overflows and SQL injection attacks and things like
10:29 that or other stuff as well?
10:31 Yeah, exactly. So I mean, 10 years ago, and still somewhat today, but things have changed a bit.
10:37 10 years ago, we were definitely looking for memory corruption bugs, which would be buffer overflows,
10:42 heap overflows, and you know, there's a myriad of other bugs. But you're right, we also,
10:47 most of us in the community that are writing tools, we're building stuff too, that's looking for SQL injection
10:53 bugs or looking for, you know, cross site scripting vulnerabilities. So much the same that we would be
10:59 focused on fuzzing software. We also built tools that would fuzz web applications as well.
11:05 I suspect a lot of the listeners know what buffer overflows are and what SQL injection
11:12 vulnerabilities are. But maybe, you know, there's probably a decent number of people who don't.
11:16 Could you maybe just talk about those two terms? Those are probably the two big,
11:19 super bad problems you can introduce into your code, right?
11:22 Sure, sure. So a buffer overflow is really where you're kind of shoving more data into a spot in
11:30 memory than it can handle. So if you think of a string in memory that is, you know, we can treat
11:37 it like a bucket. So this bucket can hold a maximum of 50 letters, or if you wanted to treat it like water,
11:43 it could be 50 liters of water. So typically, what you want to do when you're a programmer and you're using
11:48 a language like C, is that you want to ensure that you can never have even 51 liters of water or 51 letters
11:56 in that bucket. So what happens in a buffer overflow situation is that we are able to literally kind of
12:05 overflow the bucket. And depending on how we overflow that bucket, we can actually then control how your
12:12 program executes from there. So it's a very common vulnerability. But some of it is definitely starting
12:20 to go away because things like Visual Studio, the tool chains are starting to build in protections
12:26 in an attempt to deal with those programming flaws. And they're also trying to prevent you from using
12:33 functions like stir copy or mem copy in unsafe ways. So we're starting to get away from it. But that's
12:41 kind of the general feeling or general explanation of how a buffer overflow looks.
12:47 Now for a SQL injection vulnerability, we're not so much concerned with kind of shoveling too much data
12:53 in. But if you've ever written SQL code in like a PHP application, or even in Python,
12:59 and you concatenate strings together, for example, so you have your select statement, and you say,
13:05 where ID equals, then you have your quote, and you know, plus, and then some piece of input from the user.
13:12 Now, what we can do is we can substitute in a quote or single quote, or potentially other characters that
13:20 can actually allow us to control how that SQL statement is executed. So by injecting our own SQL,
13:27 that means that we could potentially extract data, you know, maybe you're only doing a select against
13:32 the products database. But when we send in our injection code, if we're successful in getting it in,
13:38 potentially, we could then begin mapping out all of the tables in the database, or we could begin
13:43 extracting data, not from the products table, but from the users table, where we could grab
13:47 usernames and passwords. Or in some cases, you can even begin executing commands directly on the
13:53 operating system straight from that little SQL injection vulnerability.
13:58 Yeah, and that might be like the text box for your password.
14:01 Yeah, exactly.
14:03 That's the command line to the remote box, right? It's less good when it's used that way, I think.
14:09 Yeah, that's right. And I think, you know, what it all boils down to is either just input
14:13 sanitization problems, right? So again, there's a lot of, you know, platforms are starting to get better,
14:20 and tool chains are getting better at forcing programmers to write code in a certain way.
14:25 And then on top of it, you know, there are a number of frameworks that are trying to make it so that
14:30 these kind of class of vulnerabilities are going to go the way of the dodo.
14:35 Yeah, that's really nice that the systems and the compilers are taking care of it, you know,
14:40 somewhat that helps, right? As well as the ORMs, right? So like SQLAlchemy,
14:45 or other high-level ORMs that don't accept string SQL, definitely help mitigate that some.
14:54 Have you Googled or have you seen the XKCD exploits of a mom, little Bobby tables?
15:00 Oh, yes.
15:02 For those of you who don't know what a SQL injection attack is, make sure you take the time to Google
15:08 for little Bobby tables and you'll get the XKCD exploits of a mom. I'll put it in the link of the
15:13 show notes, but I won't say any more. I'll let you check it out.
15:16 That's great. Yeah, it's a lot of books.
15:18 Did you really name your son that? Yes.
15:20 So I mentioned the two vulnerabilities that are like well-known to me because I, you know,
15:30 take account for them when I write web apps and stuff. But what else is out there that are sort
15:34 of on that scale that we should be aware of as developers to like just know that we should make
15:41 sure we don't do that? Well, again, I think the big thing is, you know, paying attention to every
15:47 place that input comes in from a user and assume that every user is extremely evil. So a lot of people,
15:54 you know, again, they're checking the SQL injection stuff. People treat it very seriously. So you,
16:00 along with a number of other developers, might be spending a lot of time taking a hard look at where
16:05 they interact with their database or using an ORM like SQLAlchemy. But there's a number of other
16:10 vulnerabilities like site scripting, which means that I'm able to pass in JavaScript to a piece of
16:17 input on your web application and have your web application kind of echo that JavaScript back out.
16:23 Now, this is not as sexy as a SQL injection because I can't directly attack your server. But what it does
16:29 allow me to do is potentially social engineer users of your system or even you as the administrator of
16:35 the system to click on a link that includes some JavaScript in that link. When you visit the link,
16:40 because you're not filtering the input properly, my JavaScript that I've included in the URL gets executed
16:47 in the context of your browser. So now effectively, I have the ability to make your browser do stuff
16:53 that you probably don't want me to do. You can pair this with other vulnerabilities as well. So that's,
17:00 you know, again, a common one is cross site scripting. Now, you know, again, these are all things that
17:04 if you Google for like the OWASP top 10, these are all things you're going to be looking for. But typically,
17:11 in my experience as someone who spent a lot of time hacking into systems,
17:15 a lot of our big wins where we were able to really compromise applications didn't necessarily involve
17:21 some of these classic attacks, it might be something as simple as not validating that a user account
17:28 should have access to a particular set of data. So if you and I both use the same system, and I'm user
17:34 ID one, and your user ID two, and there's a set of documents in this system, that you're assigned,
17:41 maybe the first 10 documents, and I'm assigned the last 10. What in a lot of cases, what we found was that, you know,
17:48 they're not properly checking and validating that I should only be allowed to access particular documents.
17:53 So now I'm able to access all of the sensitive information that you are,
17:57 in some cases, just by incrementing one number by walking through all of the various document IDs.
18:04 So is this an architectural flaw? Yes. Is it an input sanitization flaw, which are the most common or
18:10 previously most common? No. So it's a bit more nefarious, because you as a developer, as you're
18:16 paying attention to escaping all input and double checking your SQL queries and all that stuff,
18:22 some of these more architectural flaws are a little bit more subtle and a little bit more nefarious.
18:27 Yeah. So interesting. So for example, if I've got a relational database with a primary key that's
18:34 an integer and auto incrementing for all of my resources in my web app, and I have a user account,
18:41 it's very likely I can enumerate, you know, all of that type of data. So I might be slash users slash 271.
18:49 Well, it looks like I could just try a bunch of numbers between one and 10,000 and look for users and
18:55 see what I can see about them, right? Or documents or whatever, yeah?
18:58 Absolutely. And, you know, it sounds completely simple, but it's worked in a number of cases.
19:04 So, you know, this is where, again, you know, things like using GUIDs, so very big, long,
19:13 unique numbers that are randomized, are really helpful, because then it becomes very difficult for me,
19:19 the attacker to begin enumerating GUIDs, because they're tremendously big, right? It's not just a
19:25 simple integer. So when you're passing information around a web app, you know, in your user ID one,
19:31 you should really reference that user by GUID that's really big and unique, because it makes it
19:37 tough for an attacker to do some of those enumeration techniques.
19:41 Yeah, that's great advice.
19:43 This episode is brought to you by Hired. Hired is a two-sided, curated marketplace that connects the
19:59 world's knowledge workers to the best opportunities. Each offer you receive has salary and equity presented
20:06 right up front, and you can view the offers to accept or reject them before you even talk to
20:11 the company. Typically, candidates receive five or more offers in just the first week, and there are
20:16 no obligations, ever. Sounds pretty awesome, doesn't it? Well, did I mention there's a signing bonus?
20:22 Everyone who accepts a job from Hired gets a $2,000 signing bonus, and as Talk Python listeners,
20:28 it gets way sweeter. Use the link Hired.com slash Talk Python to me, and Hired will double the signing
20:37 bonus to $4,000. Opportunity's knocking. Visit Hired.com slash Talk Python to me and answer the call.
20:52 Okay, so what else was in the Grey Hat Python?
20:55 So that was basically, you know, we've kind of run the gamut for Grey Hat Python, and it was really
21:03 heavily focused on the reverse engineering and exploit writing stuff.
21:08 So that sounds like it's focused on kind of the application level.
21:12 That's right.
21:14 There's the whole sort of infrastructure, the way apps are put together, you know, the network,
21:20 those types of things that maybe you didn't talk about in that book, right?
21:23 That's right. Yeah. So I didn't talk a whole lot about that in that book, but that's where
21:28 I decided to write a second book, which was Black Hat Python, which is a more traditional penetration
21:34 test view of writing tools. So getting people to write tools that interact on the network. So just
21:41 fundamentally understanding how you write a client and server in Python is actually going to help you
21:46 understand how to write tools to do network attacks. So I teach people how to do that. And then I also
21:53 teach them how to use some more powerful libraries in Python, like Scatty, that allows you to execute
21:59 more complex attacks and allows you to do things like pet sniffing, allows you to, you know, kind of
22:05 analyze some of the data you capture in tools like Wireshark. I also spend time teaching people how to
22:12 write tools to attack web applications. So whether that's unique kind of brute forcers or using something
22:20 like Burp Suite, which is a popular web application hacking tool that a lot of people use. So I teach you
22:26 how to write plugins for Burp Suite. And then later on in the book, I start to move into more and more
22:33 offensive techniques. So I teach people actually how to write a Trojan or a virus that leverages GitHub
22:39 for command and control. So that means that this virus doesn't actually communicate to you. It
22:46 communicates only to GitHub, which in most corporate environments will bypass all the firewalls,
22:52 because most corporate environments allow people to go to GitHub.
22:55 Right. GitHub is fine. It's HTTP. It's outbound. How could that be wrong?
23:00 Exactly. Well, it's actually HTTPS, which is even better because then a lot of the
23:04 inline antivirus products are blind when it's an SSL connection. So they can't actually inspect any of
23:11 the traffic that's going by. So you have this HTTPS, this encrypted session to GitHub. And then
23:18 basically, you know, this Trojan is designed to retrieve its commands from GitHub. Also, it will do,
23:25 if the Trojan does not have a library, say like Win32, you can push that library to your GitHub repo,
23:33 and your Trojan will try to import it. And I actually hook into the import mechanism so that it reaches out
23:39 to GitHub for all of its imports that it can't resolve locally. So it'll retrieve them over the network and
23:43 import them that way. And then after it executes the task, like say, takes a screenshot of the target
23:49 system, it then actually re-uploads the results back to your GitHub repo. So techniques like that,
23:56 which I really wanted to show people that number one, writing these tools in Python is amazingly simple.
24:03 And when you sit back and realize you just wrote a Trojan that bypasses pretty much every firewall and
24:08 antivirus product out there in like 100 lines of Python or less, it's pretty neat. But also as a way to
24:17 help people understand from the network perspective, how simple it is for attackers to write tools like
24:24 this and how we need to get better at detecting them. So I start to get more offensive there. And
24:30 then kind of the tail end of the book is where I teach people, which, you know, is happening more and
24:36 more commonly where attackers are managing to get into host systems that host a number of virtual machines.
24:43 So I've seen people who are kind of paranoid, so they only will perform like their web browsing inside a
24:50 virtual machine, right? And so the last part of the book, I teach you how to use a forensics framework
24:56 called volatility. That's pure Python, how to use this forensics framework to actually analyze the RAM for a
25:05 running virtual machine and then inject code into it so that we can compromise the virtual machine,
25:10 which would allow us to then kind of climb inside it and see what the user is up to inside that machine.
25:16 So it covers a kind of a wide sweeping range from the network to web applications to Trojans and
25:25 kind of offensive forensics. But it's also a very short book. So I give you the code, I give you the
25:32 explanation and the why as to what we're doing. And there's really no fluff outside of that. It's really
25:37 about developing that Python muscle memory.
25:40 Yeah, so that has me a little scared to use my computer. But I think it was really interesting.
25:46 Some of the stuff that you did in that book, I think it's really neat. Like, for example, you talk about
25:52 if you understand how to use raw sockets in Python, that will take you a really long ways, right?
26:00 Yep, absolutely. Yeah. And again, I mean, that module by learning how to use raw sockets. And for example,
26:07 learning how to take something that comes off a raw socket and turn it into an actual IP structure,
26:14 like you would have done in C 20 years ago, you're learning a ton of great concepts, you're learning
26:19 about the network, you're learning about how to use C types to create structures in memory. And you're
26:24 learning about some of the more fundamental pieces of networking, which is how packets are
26:29 actually built from the ground up. And you're learning it in this really easy way, like it's
26:34 really accessible. It's not, it's not like C or C++, which I still don't understand why people write
26:41 code in it.
26:41 Yeah, it's definitely accessible, right? Like a lot of the code samples are like 20 lines of Python.
26:48 That's right. Yeah. And it's really, you know, again, I, I really want people to be able to write
26:53 it and then sit back and say, okay, what if I did this and just go out and start doing it? So give
26:59 them the, give them the fundamentals, give them the capability, but don't, you know, don't lead them
27:03 down the entire path. I really like people having a, I love it when people email me and say, yo, I took
27:09 the example in chapter three, and I did this with it. What do you think? That means that I, that I,
27:16 that people appreciate that style of writing.
27:18 Yeah. Yeah. That's really great. You talked a little bit about the malware type of stuff. You said
27:26 you had some experience actually taking Python to like understand some piece of malware. So like,
27:32 suppose I find some suspicious file on my program, on my computer, what, what can I do to understand
27:39 whether that's just some random binary or if it's a real problem?
27:43 So there's a, there's a number of tools and frameworks out there. And again, you know,
27:48 things like I mentioned previously, volatility is, is very quickly becoming one of the big tools that
27:55 forensic and malware people use to examine what is a piece of malware doing to your machine and what
28:01 artifacts is it leaving behind? And what is it modifying inside the memory of your machine? Which is
28:08 really critical. but there's a number of other things that you can do. For example, a lot of most,
28:14 you know, most modern malware is looking at how to defend itself against you. So it doesn't particularly
28:20 want anybody to reverse engineer it. because then it prevents, you know, if it can guard itself,
28:27 then it prevents people from, developing defenses against it. So, a number of years ago,
28:33 actually myself and a guy by the name of Neil, the hippie killer, built a, built a framework
28:38 called Muffy, which was designed, it was a Python framework that ran inside of immunity debugger.
28:44 And it was designed to actually, completely, remove the protections or a number of protections
28:50 that malware would have in place that would prevent you from analyzing it. So this is all an automated
28:56 and scriptable framework built on top of immunity debugger that, it would, for example,
29:00 a lot of malware wants to know, am I being debugged? So am I currently being run under debugger?
29:06 And so our framework would actually, reach into the malware and begin to undo those checks.
29:12 and it had multiple ways of doing that. Another thing that malware will do, for example,
29:18 is that it will walk the list of running processes on the system, looking for antivirus products,
29:24 looking for, debugging products. and so what Muffy would do is again, it would go in there
29:30 and it'd basically, start removing things from the list or it could actually patch out
29:34 the malware's ability to check for those processes. So aside from, you know, some of those big ones,
29:41 and again, primarily I'm, I didn't spend most of my career being a, malware analyst and I do some now.
29:50 But the, the big thing to me was that, with all of these tools like debuggers and,
29:57 even things like Ida Pro having Python built in, it allows you to kind of, if you're, if you're seeing the same thing in malware sample after malware sample after malware sample,
30:08 instead of spending five hours undoing some protection every time you spend five hours,
30:13 once writing code to automatically do it for you. And then, you know, that's fixed for you kind of for,
30:20 for life. You can kind of deploy that code whenever you need it. And Python's wonderful for that.
30:25 So you build up like a set of libraries that perform these functions, you know, take down the debugger defenses,
30:31 take down the antivirus protection and just chain them together and go after it, uncloak it. So then you can understand it. Yeah.
30:38 Yeah, that's exactly it. And then there's, you know, there's other cases too, where you might be analyzing a piece of malware that implements some very simple,
30:45 like XOR encryption. and maybe it, you know, it's, it's got some special little routine that it does. so lots of times what we'll do is,
30:55 you know, we're always dealing in assembly code. So we'll look at the assembly and, and say, okay, they have this decryption function here.
31:03 that's got maybe 10 or 20 assembly instructions. It will actually convert that directly into Python.
31:09 and we can then begin, you know, executing any string or any piece of data that comes across the network.
31:15 we can begin actually processing it directly in Python rather than letting the malware have to run through the decryption routine itself.
31:22 It's been a long time since I've had some kind of virus or malware that I know of on my, on any of my machines.
31:29 But I, the last time I remember that I did have one, yeah, the way I found out was very bizarre. I had a, a firewall, like, oh my gosh,
31:39 what was it called? One of the original firewalls you could put on windows XP and it would have been like zone alarm.
31:45 Yes. Thank you. Zone alarm. And I rebooted my computer at work and it said,
31:49 notepad wants to act as a server on your network. I thought, oh, that can't be good.
31:55 I'm like, oh my God. And that looks weird. I go and run it and it looks like notepad, but you can bet it wasn't right.
32:01 That's awesome.
32:04 We went in and checked and a lot of our computers at this office were letting notepad run as a server.
32:08 That was not good.
32:09 So my question, my question was, you know, there were antivirus things we installed and they said,
32:17 oh, we removed the problem. If something like this happens, do you think it's ever safe to use your computer again?
32:23 Or does it just require like a format straight away?
32:25 I don't know. It's, you know, it's really tough to say, you know, the amazing thing about the security community is that it always seems like every year we want to one up, ourselves.
32:35 So, you know, it used to be that, yeah, you get an infection, just remove it.
32:39 And then people are like, ah, no, you know, actually, they figured out how to persist, you know,
32:43 in the BIOS or whatever it is. you know, and then, and then it's like, okay, well, maybe let's,
32:48 let's format. And it's like, oh, well, format actually doesn't solve the whole BIOS problem.
32:52 okay. So maybe it's format and, and reflash the BIOS.
32:57 And then guys started infecting the hard drive controllers.
32:59 So they're actually on the chip that controls the hard drive. Well, how do you get rid of that?
33:04 so it's one of those things that I think depending on the strain and when I say strain,
33:10 I mean, really what that means is that most antivirus products are looking at the hash of the file and
33:15 they're saying, Hey, this is bad. so if you get infected by a known kind of variant and,
33:20 and you have a good idea of, and in most cases you can just go read the report on what that particular,
33:25 you know, what that malware actually does. If there's never been evidence that that malware
33:30 actually downloads and installs a root kit or some other low level, tool, then I think,
33:37 yeah, a full kind of hard drive, format is going to do the trick for you. But in some cases,
33:43 that's not going to be enough. you know, it's, it's, it's, it's one of those things.
33:49 I don't remember the last time, I don't remember the last time I personally have been
33:54 infected with something, but, I'm on OSX and one of my good friends, Russell Nolan just
34:00 did a, a, a great presentation on OSX malware and how he kind of hunted it using, kind of big
34:07 data sets and Python, oddly enough, using pandas. and so some of the stuff that, some of the stuff
34:13 that Russ, and you can check that out at the, it was at a conference called countermeasure.
34:18 so you can check out his talk. The talks will be posted. it, you know, some of the stuff that,
34:22 that Russ was finding was, was pretty impressive, impressive stuff that, that they're writing for
34:27 OSX as well. Yeah. So what you're telling me is that even formatting the computer is not enough. I
34:33 need to smash it and buy a new one. Yeah, I would totally, totally smash it, throw it out in your
34:38 backyard, turn the hose on it and, you know, go, go buy a new one. Crazy. Make it as expensive as
34:44 possible for yourself. Cause then it'll totally make you like way more vigilant in the future. The next time I'm definitely not opening that, that document
34:54 with the cat videos. Yeah, that was from me.
35:12 This episode is brought to you by CodeShip. CodeShip has launched organizations, create teams,
35:18 set permissions for specific team members, and improve collaboration in your continuous delivery
35:22 workflow. Maintain centralized control of your organization's projects and teams with CodeShip's
35:28 new organizations plan. And as Talk Python listeners, you can save 20% off any premium plan for the next
35:34 three months. Just use the code Talk Python, all caps, no spaces. Check them out at CodeShip.com and tell
35:40 them thanks for supporting the show on Twitter where they're at CodeShip.
35:44 So another thing that you're into is something that you said was called open source intelligence. And
35:54 I'm guessing this is not like GPL licensed intelligence.
35:58 No, that's right. So open source intelligence is kind of like, it's a general term for gathering
36:06 information from open sources. So non-classified sources, not involving, you know, spies on the ground
36:12 and not involving satellites in space. But what can we gather from sources like the news, social media,
36:21 even things like mobile applications? What kind of intelligence can we gather in general? So that's kind of
36:28 something that in the security community, you use it all the time, because when you're modeling
36:33 a particular target for a penetration test, you want to learn everything there is to know about that target.
36:40 And especially when it comes to social engineering and phishing attacks, being able to perform open source
36:47 intelligence, for example, if I wanted to attack you, I would want to figure out where's your Facebook page?
36:53 Where's your Twitter page? What do you have on LinkedIn? Can I find out information about your hobbies,
36:58 your kids, all this stuff? And basically, I'm going to model you as a target.
37:03 And I'm going to watch for things that seem to kind of emotionally register with you, so that when I write
37:09 you an email, or I send you a Twitter direct message, or, you know, I'm communicating with you in some way
37:16 that includes a link, meaning I want you to click on this link, that I'm communicating to you in a way that
37:21 you are going to definitely click on that link. So open source intelligence plays a huge,
37:27 a huge role in that, among other areas.
37:30 Sure. So make it feel familiar. And then you're much more likely to get that first step into the
37:35 whole social side of things, right?
37:37 Yeah, that's right. I mean, and that's the specific use case for OSINT for the security community. But
37:44 it's really used in a whole bunch of other ways. You know, if there's a riot in a city,
37:49 police forces are using OSINT to take a look at what's going on, what are they talking about? Are there
37:55 people gathering in a particular location? Same thing when we had the Paris attacks here a couple
38:02 of weeks ago? You know, a lot of it is open source information, you can go to bellingcat.com, for
38:07 example, and they have like a detailed analysis on, on one of the Paris attackers and the information
38:13 they found out about him only through open source means, for example. So it's kind of this amazing
38:18 hammer that you can hit many different nails with.
38:22 Interesting. And speaking of nails, you said you'd actually use this technique to find extremist
38:27 supporters.
38:28 On Twitter? Yes, that's right.
38:30 Yeah, yeah, on Twitter, right.
38:31 So last year I did a presentation at a conference where I used Python, because again, I can't really
38:37 program in much else, to be honest.
38:38 So I used Python to base.
38:41 Why would you want to?
38:42 Yeah, why would you want to, right? What I did was, I was looking at how to, how to identify
38:49 ISIS supporters on, on Twitter. And so this, this was kind of before, you know, I'd been
38:56 doing some of this stuff and some of this research on the side for a number of years, probably long
39:02 before it was kind of vogue. There's lots of people doing it now. But basically, I was, I was kind of,
39:08 the question I had was, well, how do I do this when I can't speak or read Arabic, right?
39:12 This is a big deal, because as you know, this is a terrorist group that has people from all walks
39:19 of life, speak all kinds of different languages. Text analysis has always kind of seemed like been,
39:25 you know, and sentiment analysis to go with it. Like, that's kind of the sexy thing people do
39:29 when they're analyzing Twitter networks. And for me, what I did instead was, I said, well, you know
39:35 what, actually, I think images are the way to go, because images don't require language, right?
39:41 So what I set out to do is use Python, along with OpenCV, which is a computer vision platform
39:46 with Python bindings. And I built a classifier that would detect that black flag of ISIS.
39:53 So it was quite common for people who supported ISIS or were actually part of the group to use that black
40:00 flag in their profile picture on Twitter, or to use it in imagery, like propaganda videos, for example.
40:08 Not uncommon when you have a video of, you know, some Syrian army tank blowing up that you see the black
40:15 flag in the top right-hand corner of the video. So this classifier's job was just to find that black flag.
40:21 So then on top of it, I wrote Python to interact with the Twitter API. So what this thing would do is
40:28 basically, I would just point it anywhere. And part of it as well was asking the question of, like,
40:33 the six degrees of Kevin Bacon. So I wanted to know how far away the nearest terrorist was in my social
40:39 network. So I literally just pointed this tool at my Twitter account. And it just basically ripped
40:45 through all of my friends and followers looking for the black flag. And then it went through all of
40:50 their friends and followers. And then as you can see, this kind of grows out exponentially until it
40:55 started finding, started finding that black flag in propaganda or in profile pictures.
41:01 And so actually, this worked really well for me, because in a very short period of time, I was able to
41:07 build up a database of two or 3000 extremist accounts.
41:12 Now, the trick was that this was actually semi-automatically, because if you've ever used
41:19 OpenCV before to do kind of image detection or this kind of logo detection stuff, if you're not a
41:25 computer vision expert, which I definitely am not, you're going to run into kind of this high rate
41:32 of false positives. So there were cases where it would pick up a black cat and say, hey, that's
41:36 a nice supporter.
41:38 It could have been an evil cat. You never know.
41:40 It could have totally been an evil cat. So what I did was I actually used Python to solve the
41:45 semi-automatic problem, too. So after it was done crawling everything, let's say it had, you know,
41:51 a few thousand images and there was, you know, maybe a few hundred that might be kind of garbage.
41:56 So what I wanted to do is to filter through them very quickly by hand.
42:01 So I used WX Python and I wrote a little game. And all this game did was I would pull in all of the
42:08 images from this directory where I stored them. And then I could hit space bar if it was an ISA
42:12 supporter and enter if it was not. So very quickly, I could cycle through all the images very quickly,
42:16 kind of playing Duck, Duck, Goose. And amazingly enough, you know, it sounds like a lot like where
42:21 you're like, oh, man, like you did that with thousands of images. And I'm like, yeah, but it took like 10 minutes
42:25 because you very quickly, you know, it becomes this very quick game that you play and it is very,
42:31 very fast to cycle through all of them. So I use Python to kind of help me deal with that. Now,
42:36 you know, any computer vision experts who are listening to this, they already have like their
42:40 head in their hands like, oh, man, I can't believe you did that. But it worked for me. It was fast.
42:46 And then, you know, kind of on top of that, the tail end of my presentation is really about how,
42:54 again, using Python to push all of this data into Elasticsearch. And then just, you know,
43:01 because it's the Elasticsearch bindings for Python are beautiful. It's like one line of code,
43:06 you can take a dictionary and shovel it into a database. You know, like that is, for those of
43:11 us who've been around the block long enough, that was one of the most eye-opening, amazing thing I'd
43:17 ever seen. Like, you import this thing and you do es.index and like literally you're done.
43:23 There's no schema design. There's nothing else you had to do. So I thought it was just
43:27 amazingly wonderful when I discovered Elasticsearch. And so it was actually a friend of mine,
43:34 Chris Gashler, who had said, you've got to check out Elasticsearch. It's totally easy to get data
43:38 into, not so easy to get data out of, which was totally true. But then I was able to do some
43:44 interesting stuff where I could look at, you know, the geotagging of tweets and I could see where there were
43:48 concentrations of supporters and I could begin to do analysis like, hey, what was the most popular
43:53 cell phone they used to tweet with, for example. So it was really, it was a great use of Python
44:00 and open source intelligence. And it was, you know, it was really well received.
44:05 Yeah. It sounds really, really interesting. I'm sure it was. What was the number,
44:10 your index, like your Kevin Bacon number?
44:12 It was really low.
44:14 I'm sure.
44:15 It was like, it was like three, I believe. Three or less than three. Now I actually, but that's,
44:21 it was kind of a biased sample because I follow a number of counterterrorism researchers and a number
44:26 of terrorists like to follow counterterrorism researchers so they know what they're saying,
44:30 right?
44:31 Of course, of course. It's a little self-selecting, but still, right?
44:34 It was, but it's actually, it was shocking because I did pick other accounts and it was very,
44:40 I didn't know what the answer was going to be, which is always the exciting thing about research
44:44 when you actually set out to, when you truly have no idea what the answer is going to be.
44:49 But it was very low. It was always like three or sub three anywhere I ran it. So that was kind of,
44:56 that was kind of interesting to me.
44:58 That is interesting. It doesn't really surprise me, but yeah, it doesn't make you feel warm and fuzzy
45:03 either, I suppose.
45:03 No, not really. No, it's true.
45:07 So you have a, a cool course on a sort of automating open source intelligence and kind of
45:14 taking people through a lot of the techniques that you were kind of employing there, right?
45:17 Yeah, yeah, I do. So, I run a course at automatingosync.com. I have a blog as well
45:22 where I'm teaching people how to use Python, and, and like just a hint of JavaScript when required,
45:28 I know, but, I'm teaching them how to, you know, automate the collection of tweets. How do we
45:35 find all the friends and followers for an account? And then how do we do, you know, Instagram and
45:41 YouTube and thinking about how people, journalists, law enforcement, data scientists are approaching
45:47 some of these data sets and then boiling that down into very kind of digestible kind of small,
45:53 lessons that people can take, so that they can learn how to do some of this stuff.
45:58 Because again, whether you're a marketer or you're someone who's a counterterrorism analyst,
46:02 the same data can have very quite, you know, looking at it through different lenses, is
46:09 really, really fascinating. So that's kind of the whole, purpose of the course is to just teach
46:14 people how, how to do some of this stuff, how to use Python. And, and honestly, some of it is me
46:19 teaching them, you know, here's how you debug a Python script and here's, you know, don't be afraid
46:24 of coding, that this is really not that scary. And, and you can, you know, literally I've taken
46:29 people who've never written a line of code in their life and they're sending me screenshots of,
46:33 of Cabana loaded up with, tweets in an elastic search instance. And they're like,
46:38 yo dude, check this out. Like I can, I can tell that you tweet way more on Wednesdays. And I'm like,
46:42 that's really creepy and awesome at the same time. But, you know, stuff like that, that,
46:48 that this is a, it's just, I have a real passion for open source intelligence stuff,
46:52 and for Python. And so it was just natural for me that I'm like, you know what? I have like,
46:58 I don't know, hundreds of scripts that I've written. just like just one offers and stuff
47:04 I did to support research that I was doing that had nothing to do with my day job. And I'm like,
47:09 you know, I should start transferring some of this knowledge to other people because I think it would
47:13 be useful. So it is, it's totally amazing. I have people who are using it to, track criminals.
47:20 I have people who are using it to collect information on war crimes in Syria. I have students who are,
47:28 who are protecting some of the, working on protecting some of the largest, most well-known
47:33 household company names that we all use their products. you know, and they're, they're using
47:38 it to protect their infrastructure and, and find out if hackers are talking about them online. And,
47:42 so it's really, it's an amazing field for sure.
47:45 Yeah, it's really cool. And that's a, like a asynchronous type course, right? So you sign up and
47:51 you can take it from anywhere online more or less, right?
47:54 Yeah, that's right. And it's just driven by videos and, and then written material and code samples.
48:00 And then you have a skill testers where I get you to go out and solve problems with Python.
48:04 then you have to submit them to me for grading. and then once a month I run, I run student
48:11 sessions where I hop online with, whatever students can make it. I hop online for an hour
48:16 and I field questions. And then I usually try to teach something that is not in the course. So,
48:20 last month actually I taught people, how to connect Python to the Tor network so that
48:27 you can actually scrape, web pages inside of Tor, for example.
48:31 Oh yeah, that's really cool. Yeah. I'll be sure to put a link to your course in the show notes.
48:35 Awesome. Thank you.
48:36 Yeah, you bet. So we have time for a few more questions. Let's see. So sure.
48:41 He must've, you know, over the years seen a lot of crazy stuff. What's the,
48:45 the most unusual or entertaining thing that you've kind of run across in this whole space?
48:50 Oh man, that's a, that is a very good question. So I think, you know, I saw when I was doing some of this ISIS, research, I found a Twitter account,
48:59 who actually showed up initially as an extremist. And then I found, he was actually,
49:04 a satirist. but he would literally write some of the most like convincing kind of
49:10 tweets and, and he would take, for example, images that, that ISIS would use to kind of instill
49:15 fear and then he'd make them like hilarious. Right. And so I found this account and, and,
49:20 and as I'm reading through it, there's like these, you know, these jihadis who are
49:24 not very happy with him. They're like trying to get him kicked off of Twitter, but Twitter
49:28 won't really kick him off. And they're like, you know, threatening him and he's kind of responding
49:33 back with like pictures of goats and other stuff, you know? so I thought it was great. Like
49:38 I thought this is this, this person, number one's got guts and number two is like completely
49:43 counteracting, their message. I mean, nobody was really paying attention to his account,
49:48 which is unfortunate. I think if we had more people paying attention to that guy's account,
49:51 than we did paying attention to the ISIS guys, we'd be winning. but it was really
49:56 hilarious because, this guy was like a never ending source of entertainment for me that
50:00 I could go back and check on him. Yeah. It seems like a really nice brush of fresh air with all
50:05 that sort of, you know, negativity out there to just turn it around and like, here, let me put
50:10 a cat picture on top of your tank or something. Yeah, exactly. Exactly. It was pretty funny.
50:16 Yeah. How funny. One thing I wanted to ask you about, because as a programmer, I have one view of
50:22 the world and I, you know, run a lot of non-programmers. So I see their view, but from a
50:26 computer security type person, you may have a different perspective and that's sort of like
50:31 computer hacking in sort of cybersecurity in the popular media.
50:37 Right. Yeah. You're already laughing.
50:39 Yeah. I'm just thinking of, you know, some quote, like I'm going to write a VB script that's going
50:45 to track down the IP address. What are you even saying? Right.
50:50 Well, I mean, that's the thing, right? Is I think that, you know, you look at the original
50:53 kind of hackers movie, you know, sneakers was probably more realistic than people give it
50:59 credit for more so than a lot of other stuff. For the most part, like in popular media, it's,
51:05 it's pretty much 99% of it is garbage. And then within the last year we had the Mr. Robot series
51:12 come out, which was a complete game changer. And, you know, it's, they, they really fundamentally
51:19 get what it's about. And part of that is actually, they have a guy on their staff. His name is Michael
51:26 Pazell. He's a very popular guy in the open source intelligence world. And he's kind of the main
51:31 technical guy behind it. So he's the one who's driving a lot of the kind of technical and hacky
51:37 type stuff. And I can personally attest that, you know, Michael is a very smart guy. He knows what
51:43 he's talking about. And so this is the whole key to me is that having someone like that who is like,
51:48 you know what, we're not going to put a bunch of BS with like 3d cubes and, you know, whatever
51:54 people hacking on touch screens and like whatever virtual reality, because that's not how hackers
52:00 work, right? It's like mundane. And it's through the terminals, you know, for the most part. So I think
52:06 that finally that for me was I, I was like, Oh, finally, somebody is actually covering this properly.
52:14 But I can tell you that most hackers, you would not want to look over the shoulder while they work,
52:20 because it really is like, it is mind numbingly mundane stuff picking through 1000s of lines of
52:28 code looking for a bug. You can do that for two weeks before you hit that one place in the code that
52:35 you know, Oh, man, right there is exactly what I'm looking for. And then it gets exciting. But it can
52:41 totally be the most mundane work ever. And you know, that's just not good TV.
52:47 No, it's not. I think you're totally right about Mr. Robot. I love that series. I think I have just
52:53 the final episode to watch still. And I'll put the trailer in the show notes so people can check it out.
52:59 But you know, I started watching that I saw, you know, they're talking about tour VPNs, there's Linux,
53:05 there's the command line, they the previous show, I just had the PyCharm guys on there. There's like
53:11 segments of the show where they're working in PyCharm. Like this is a really good show. It's,
53:15 it's obviously fiction. And it's on the outer edge of, you know, believable fiction. But at the same
53:20 time, it's not based in like funky 3d cubes that like mean nothing, right? Yeah, exactly. Yeah,
53:26 yeah. Very cool. Very cool. One other quick question in this sort of non fictional space,
53:33 but kind of popular culture. There have been, it seems like increasingly many security breaches,
53:39 you know, Target, Home Depot, just, you know, one after another. Are things becoming less secure,
53:46 more secure? What are your what's your like general feeling when you're out on the internet? Fear or
53:51 generally? Okay.
53:54 I mean, I'm Yeah, I really don't. I'm not that I'm not full of fear. That's for sure. But I used to joke
54:01 when I when I'd have to do, like press interviews for like, okay, you know, it's December, actually,
54:07 this time of year, it'd be perfect, because they would they would call us up and say, what's your
54:11 predictions for 2016? Right? And I would say, whatever happened in 2015, it's going to just happen
54:16 again, maybe bigger, maybe smaller. So just copy out whatever I told you last year and just use it
54:21 again. And sadly, that's really where we're at, right? Like whether it's Target, whether it's Ashley
54:27 Madison, whatever it is, securing your data is an incredibly difficult thing to do. And so for me,
54:35 I was always breaking stuff, not necessarily fixing or defending stuff. And the defenders have an
54:40 incredibly difficult job. So for me, I don't think things are getting better or worse. I think
54:46 there are parts of the underlying security infrastructure that are getting better. I think
54:51 there are parts of the philosophy of security that are getting worse. Bring your own device,
54:56 for example, BYOD is one of the perfect examples of the worst idea ever, never, ever let anybody do it.
55:02 But people are still doing it. Oh, you want to bring your laptop from from home in and connect it to
55:07 the corporate network? You know, what's the worst that could happen? So to me, it's like there's these
55:12 opposing forces at times where we're getting better on the technology front,
55:16 I think. But the philosophy front, I think we have a ways to go. But again, it's it's very tough. I mean,
55:23 the the there's going to be no shortages of breaches and and database dumps in 2016, like we saw in 2015.
55:30 I don't think that's going to change.
55:32 Yeah, that's a really, really great answer. Thanks.
55:35 I have two questions before you before you get out of here. And the first one is if you're going to write some Python code, what editor do you open up?
55:43 Hands down, I have been using it for I don't even know how many years, a long time.
55:50 All of my students, when you sign up for one of my courses, you get wing IDE pro as part of the course. I standardize all of my videos on it. Everything I do is in wing. And anytime someone asks me, you know, what should I use? 100% wing. The big thing for me is that the debugging capabilities are just out of this world. Love it.
56:11 They have a great team there. They have an accessible support staff. I don't even remember actually last time I had to file a ticket with them. So I yeah, hands down, it's weighing that being said, I know you had the PyCharm guys on here. People speak very highly of PyCharm. But for me, the inertia to try a different IDE when I need to be really productive every day. It's just too much for me to to have to even try to give it a fair shake. But I hear lots of good stuff about it.
56:40 I've used wing a little bit, not a lot, but I'm, I'm definitely a fan of the IDE side of the story. So yeah, I'd like to hear that. Cool. Final question. What's your favorite PI PI package or library out there?
56:53 Oh, man. Okay. I mean, requests is probably the one I use the most, which is just awesome. But the other day, I found a library called date util. And maybe the entire internet knows about date util already. But date util allows you to just like feed it.
57:09 Any kind of date string, like in any format. And it basically gives you back a date time object, which is amazing. You don't have to use format strings. You don't have to use any crazy, you know, conversions or string splitting to clean it up. It just does it.
57:28 That's awesome. Yeah, I hate working with dates, like in pretty much any language. It's always seems to be painful. And so that sounds really cool. I'm gonna check it out. Date util. Okay, date util. Get it. It's awesome.
57:39 All right. I'm definitely gonna check it out. Justin, this has been a fascinating look inside of a world that most of us don't really look at that often. So thank you for sharing the story.
57:50 Hey, thank you very much for having me on. This is this has been great.
57:53 Yep, you bet. And I'll make sure all the cool stuff we talked about in the show notes. So talk to you later. Thanks again.
57:59 Fantastic. Thanks, Michael.
58:01 This has been another episode of Talk Python to Me. Today's guest was Justin Seitz. And this episode has been sponsored by Hired and CodeShip. Thank you guys for supporting the show.
58:11 Hired wants to help you find your next big thing. Visit Hired.com slash Talk Python to me to get five or more offers with salary and equity presented right up front and a special listener signing bonus of $4,000.
58:22 CodeShip wants you to always keep shipping. Check them out at CodeShip.com and thank them on Twitter via at CodeShip.
58:30 Don't forget the discount code for listeners. It's easy. Talk Python. All caps. No spaces.
58:34 You can find the links from today's show at talkpython.fm/episodes slash show slash 37.
58:41 And be sure to subscribe to the show. Open your favorite podcatcher and search for Python. We should be right at the top.
58:46 You can also find the iTunes and direct RSS feeds in the footer of the website.
58:51 This week's theme music was Secrets from the Future by MC Frontalot.
58:55 He has at least four excellent albums in this genre that he created called Nerdcore.
59:00 Check him out at Frontalot.com.
59:02 His song Zero Day is also a perfect match for this episode.
59:05 So, thanks for listening.
59:07 Here's the full song, Secrets from the Future.
59:10 Enjoy and I'll see you next time.
59:11 See you next time.
59:15 Get your most closely kept personal thought.
59:20 Put it in the word block with a password lock.
59:23 Stock it deep in the raw with extraction precluded by the ludicrous length and the strength of a reputed live.
59:30 Dictionary attack.
59:31 Proof string of characters.
59:33 This imperative to what?
59:35 All that is leverages of privacy.
59:36 The NSA and homeliness.
59:38 You better PGP the raw because so far they ain't impressed.
59:41 You better take the PGP and print the hex of it out.
59:44 Scan that into a tiff.
59:46 Then if you secret doubt for your data, scramble up the order of the pixels.
59:50 We're the one time pad that describes the fun time had.
59:53 But the thick soul boot wearing stomper who dance to produce random clap trap.
59:57 All the intervals in between which set in tandem with the stomps themselves.
01:00:01 Be got a seed of math unguessable.
01:00:03 Ain't no complaint about the cipher that's redressable.
01:00:06 Best of all your secret.
01:00:07 Nothing extant could extract it.
01:00:09 By 2025 a children speak and spell could crack it.
01:00:12 You can't hide secrets from the future with math.
01:00:15 You can try but I bet that in the future they laugh at the half-fast schemes and algorithms amassed.
01:00:21 Doing voice cryptographs in the past.
01:00:23 You can't hide secrets from the future with math.
01:00:27 You can try but I bet that in the future they laugh at the half-fast schemes and algorithms amassed.
01:00:33 To enforce cryptographs in the past.
01:00:35 And future people do not give a damn about your shopping.
01:00:38 Your visa number SSL to cherry popping hot grandpa action.
01:00:43 Websites that you visit or pass were protected partitions.
01:00:46 No matter how illicit and this it would seem is your saving grace.
01:00:50 Like amazing haste of people to forget your name, your face.
01:00:54 Lit in this list of indefensible indiscretions.
01:00:56 In fact the only way that you could pray to make impression on the era ahead.
01:01:01 Is if instead of being notable you make the data describing you undecodable.
01:01:06 The script kid is sifting in that relic.
01:01:08 Called the internet seeking latches on treasure chests.
01:01:10 If they could reckon seconds would it.
01:01:12 And yet get a chance to queue up for disassembly.
01:01:15 To discover and crack the cover like a crumbrelate.
01:01:18 They'll glance you over I guess.
01:01:20 And then for a bare moment you persist.
01:01:21 You exist.
01:01:22 Almost seem like you're there don't it?
01:01:24 But you're not.
01:01:24 You're here.
01:01:25 Your name will fade as front's will.
01:01:27 That's in the future.
01:01:27 They don't know our crypt to bury it.
01:01:29 And still.
01:01:30 You can't hide secrets from the future.
01:01:32 With math.
01:01:33 You can try.
01:01:34 But I bet that in the future they laugh.
01:01:36 At the half fast schemes.
01:01:37 And algorithms amassed.
01:01:39 You'll enforce cryptographs in the past.
01:01:41 You can't hide secrets from the future.
01:01:44 With math.
01:01:45 You can try.
01:01:46 But I bet that in the future they laugh.
01:01:48 With the half fast schemes.
01:01:49 And now the rhythms amassed.
01:01:51 To enforce cryptographs in the past.
01:01:53 Now it's an enigma machine.
01:01:58 A code yelled out at hot bongs.
01:02:00 Into a tin can with a thin string.
01:02:02 And that ain't all you do.
01:02:03 To broadcast clear text of your intention.
01:02:06 Send an email to the government.
01:02:07 Pledging your abstention from vote fraud.
01:02:10 This time.
01:02:10 Next time.
01:02:11 You ain't promised.
01:02:12 You don't get a visit from the department of piranets.
01:02:15 Be honest.
01:02:15 You ain't hacking those.
01:02:17 It'd be too easy.
01:02:18 Setting up the next president.
01:02:19 Pretending that you were through freezing.
01:02:21 When you're nothing but warming up.
01:02:22 To do list in your diary.
01:02:23 Better keep for a long time.
01:02:25 In the long time.
01:02:26 Better be tiring.
01:02:26 Into the distribution of electrical brains.
01:02:29 That's a guessing every unsalted hash that ever came.
01:02:32 They got alien technology.
01:02:34 To make the rainbow tables.
01:02:35 With an in an afternoon.
01:02:36 A glance and have them secrets.
01:02:38 Don't resist the loving codes.
01:02:39 Of the mathematical calculation.
01:02:41 Heart of your mystery.
01:02:43 Sent free fall into palpitation.
01:02:45 Pump your tunnel rise up in the dump.
01:02:47 A free agent.
01:02:48 Nobody knows the future.
01:02:49 Now go find out.
01:02:50 Be patient.
01:02:51 You can't hide secrets from the future.
01:02:59 With a favorite tribe.
01:03:01 And I bet that in the future.
01:03:02 They don't have bad schemes.
01:03:04 And I won't be honest.
01:03:06 You can't hide secrets from the future.
01:03:07 You can't hide secrets from the future.
01:03:11 You can't hide secrets from the future.
01:03:38 You can't hide secrets from the future.
01:03:40 You can't hide secrets from the future.
01:03:41 You can't hide secrets from the future.
01:03:41 You can't hide secrets from the future.
01:03:41 You can't hide secrets from the future.
01:03:41 You can't hide secrets from the future.
01:03:42 You can't hide secrets from the future.
01:03:42 You can't hide secrets from the future.
01:03:43 You can't hide secrets from the future.
01:03:44 You can't hide secrets from the future.
01:03:45 You can't hide secrets from the future.
01:03:46 You can't hide secrets from the future.
01:03:47 You can't hide secrets from the future.
01:03:48 You can't hide secrets from the future.
01:03:49 You can't hide secrets from the future.
01:03:50 You can't hide secrets from the future.
01:03:51 You can't hide secrets from the future.
01:03:52 You can't hide secrets from the future.
01:03:53 You can't hide secrets from the future.
01:03:54 You can't hide secrets from the future.
01:03:55 You can't hide secrets from the future.
01:03:56 You can't hide secrets from the future.
01:03:57 You can't hide secrets from the future.
01:03:58 You can't hide secrets from the future.
01:03:59 You can't hide secrets from the future.
01:04:00 You can't hide secrets from the future.
01:04:01 You can't hide secrets from the future.