Cryptography

Digital Identity, Privacy, and Security with Brian Warner - Episode 102

Summary

As the internet and digital technologies continue to infiltrate our way of life, we are forced to consider how our concepts of identity and security are reflected in these spaces. Brian Warner joins me this week to discuss the privacy-focused projects he has worked on, including Tahoe-LAFS, Firefox Sync, and Magic Wormhole. He also has some intriguing ideas about how we can replace passwords and what it means to have an online identity.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Your host as usual is Tobias Macey and today I’m interviewing Brian Warner about digital identity, privacy, and security

Interview

  • Please introduce yourself
  • How did you get introduced to Python?
  • How did you get involved in the area of cryptography and digital privacy?
  • You have created or made significant contributions to a number of projects that are focused on making secure communications and storage more accessible, including Tahoe-LAFS (Least-Authority File Store), Magic Wormhole, and Petmail. Can you provide a brief overview of these projects and any others that you would like to mention?
  • What problem were you trying to solve when you created or began contributing to each of them and how satisfied are you with their current state?
  • What have you found to be the biggest barriers to adoption for these projects?
  • How do Tahoe and Magic Wormhole benefit an average user and what are your plans for their future development?
  • One of the most common causes of compromise in modern security infrastructure is the humble password. What are some technologies that you foresee replacing the need for passwords?
  • As technologists we are fairly well aware of the weaknesses in the systems that we use day-to-day. How can we make digital privacy and security more accessible?

Contact Info

warner on GitHub
@lotharrr on Twitter

Picks

Links

The Update Framework: Securing Your Software Updates with Justin Cappos - Episode 99

Summary

If you write software then there’s a good probability that you have had to deal with installing dependencies, but did you stop to ask whether you’re installing what you think you are? My guest this week is Professor Justin Cappos from the Secure Systems Lab at New York University and he joined me to discuss his work on The Update Framework, which was built to keep software update systems secure even when a repository or some of its signing keys are compromised.

Preface

  • Your host as usual is Tobias Macey and today I’m interviewing Justin Cappos about The Update Framework, an open spec and reference implementation for mitigating attacks on software update systems.

Interview

  • Introduction
  • How did you first get introduced to Python?
  • Please start by explaining what The Update Framework (TUF) is and the problem that you were trying to solve when you created it.
  • How is TUF architected and what led you to choose Python for the reference implementation?
  • TUF addresses the problem of ensuring that the packages that get installed are created by the right developers, but how do you properly establish trust in the first place?
  • Why are consistent and auditable dependencies important for the security of a system and how does TUF help with that goal?
  • What are some of the known attack vectors for a software update system and how do Python and other systems attempt to mitigate these vulnerabilities?
  • One of the perennial problems with any dependency management system is that of transitive dependencies. How does TUF handle this extra complexity of ensuring that all of the secondary, tertiary, etc. dependencies are also properly pinned and trusted?
  • For someone who wants to start using TUF, what are the steps to get it set up with pip?
  • How would a project that wants to use TUF go about adopting it?
  • Who is using TUF and when will it be used with PyPI?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Cryptography with Paul Kehrer - Episode 93

Summary

Sooner or later you will need to encrypt or hash some data. Thankfully we have the Cryptography library, along with the other projects maintained by the Python Cryptographic Authority, to make sure that your crypto is done right. In this episode Paul Kehrer talks about how the PyCA got started, the projects that they maintain, and how you can start using cryptography in your programs today.

Brief Introduction

  • Join our community! Visit discourse.pythonpodcast.com for your opportunity to find out about upcoming guests, suggest questions, and propose show ideas.
  • Your host as usual is Tobias Macey and today I’m interviewing Paul Kehrer about cryptography and encryption in Python

Interview with Paul Kehrer

  • Introductions
  • How did you get introduced to Python?
  • Can you share a bit of the background behind the Python Cryptographic Authority and how you got involved?
  • There is an adage that you should never roll your own crypto, because bugs or exploitable flaws in your implementation can have serious consequences. What problem was the Cryptography library created to solve that was important enough to proceed despite that risk?
  • Given the sensitive nature of the libraries that you are working on, what development practices are you relying on to prevent the introduction of vulnerabilities?
  • While reading through the documentation I noticed that Cryptography links against OpenSSL. Is it possible to swap that out for alternative implementations such as LibreSSL or s2n?
  • What are some of the testing techniques that you use to ensure the accuracy of the algorithms that you are using?
  • What are some of the factors that a developer should keep in mind when selecting which cryptographic library to use in their projects?
  • When might someone want to use the capabilities found in the cryptography library, and what do they need to be aware of while writing their application?
  • For someone who wants to incorporate the cryptography library into their project what are some of the potential pitfalls that they should be aware of and how much knowledge of encryption should they possess?
  • In what ways does the security landscape in Python differ from that of other languages that you are familiar with and what unique challenges do we face?
  • What are some of the fundamental aspects of encryption and cryptography that you feel every developer should at least be aware of?
  • If anyone wants to learn more about security and encryption, what resources do you recommend?

Keep In Touch

Picks

Links
