Security

Dariusz Suchojad on Zato - Episode 31

Visit our site to listen to past episodes, support the show, and sign up for our mailing list.

Summary

Service integration platforms have traditionally been the realm of Java projects. Zato is a project that shows Python is a great choice for systems integration due to its flexibility and wealth of useful libraries. In this episode we had the opportunity to speak with Dariusz Suchojad, the creator of Zato about why he decided to make it and what makes it interesting. Listen to the episode and then take it for a spin.

Brief Introduction

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • Subscribe on iTunes, Stitcher, TuneIn or RSS
  • Follow us on Twitter or Google+
  • Give us feedback! Leave a review on iTunes, Tweet to us, send us an email, leave us a message on Google+, or leave a comment on our show notes
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable. For details on how to support the show you can visit our site at
  • I would also like to thank Hired, a job marketplace for developers, for sponsoring this episode of Podcast.__init__. Use the link hired.com/podcastinit to double your signing bonus.
  • Linode is also sponsoring us this week. Check them out at linode.com/podcastinit and get a $10 credit to try out their fast and reliable Linux virtual servers for your next project.
  • We are recording today on October 27th, 2015 and your hosts as usual are Tobias Macey and Chris Patti
  • Today we are interviewing Dariusz Suchojad about Zato

Interview with Dariusz Suchojad

  • Introductions
  • How did you get introduced to Python?
  • Can you explain what Zato is and what motivated you to create it?
  • What makes Zato stand out from other service bus implementations?
  • What are some signs that someone should consider incorporating Zato into their software architecture?
  • Does Zato perform well in restricted resource environments like EC2? What performance bottlenecks are common when using Zato?
  • It seems that most other ESB projects are written in Java. What advantages does Python have over Java for this kind of project and in what ways is it inferior?
  • The architectural nature of ESBs is such that they form the central backbone of a software system. How have you been able to ensure an appropriate level of reliability and stability in Zato while still delivering new features and improvements?
  • What are the scalability and high availability characteristics of Zato?
  • Does Zato run well using PyPy?
  • For anyone wanting to use Zato, what are the infrastructure requirements for deployment?
  • What are some of the security ramifications you took into account in Zato’s design?
  • What are some of the most novel uses for Zato that you have seen or heard about?

Picks

Keep In Touch

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Al Sweigart on Python for Non-Programmers - Episode 19

Visit our site to listen to past episodes, learn more about us, and support the show.

Summary

We got the opportunity to speak with Al Sweigart about his work on books like ‘Automate The Boring Stuff With Python’ and ‘Invent With Python’. We discussed how Python can be useful to people who don’t work as software engineers, why coding literacy is important for the general populace and how that will affect the ways in which we interact with software.

Brief Introduction

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • Subscribe on iTunes, Stitcher, TuneIn or RSS
  • Follow us on Twitter or Google+
  • Give us feedback! Leave a review on iTunes, Tweet to us, send us an email or leave us a message on Google+
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable. For details on how to support the show you can visit our site at
  • We are recording today on July 27th, 2015 and your hosts as usual are Tobias Macey and Chris Patti
  • Today we are interviewing Al Sweigart about Python for non-programmers

Interview with Al Sweigart

  • Introductions
  • How did you get introduced to Python?
    • Started in PHP/Perl, introduced to Python in 2006
    • Lack of curly braces took some getting used to
    • Clarity of standard library was refreshing
  • What inspired you to start writing books for non-programmers?
    • Friend who took care of 10 year old interested in programming
    • Lack of coherent introductory material
    • Started writing a tutorial which grew to book length
    • All books published under Creative Commons license
  • You have written a few books about teaching Python to people who have never programmed, can you share your thoughts on the best order in which to introduce the various aspects of programming?
  • Where does software testing come in when teaching new coders how to program?
    • Use the logger, debugger, and assertions effectively
  • In invent with Python you use games as the vehicle to discuss the principles involved with writing code. What is it about computer games that makes them so popular as a means to introduce programming to newcomers?
    • Something everyone is familiar with
    • Easy to make a simple game to get started
    • Good way to get creative with programming
  • For automate the boring stuff with Python you focused on explaining how programming can be useful even if it is not someone’s occupation. How did you determine which kinds of activities to focus on for the book?
    • Got the idea at a meetup talking to someone who works in an office doing repetitive tasks
    • A lot of office jobs that involve tedious computer work which could be automated
  • What are your thoughts on the need for software literacy among the general population?
    • How much programming knowledge do you think is sufficient for a member of our modern society?
  • You also wrote about using Python to decrypt simple ciphers as a means to learn about code. What was the inspiration for this approach to software education?
    • One of the projects in Invent with Python was a simple cipher, which inspired further interest in the subject
  • In episode 7 with Jacob Kaplan-Moss we talked about how we define what a programmer is. Can you share your opinions on what separates someone who can understand code from someone who is a programmer?
    • Barriers to entry have been significantly lowered, making the distinction very fuzzy
    • Definition of programmer is becoming much wider
  • Books available at:

Picks

Keep In Touch

Mark Baggett on Python for InfoSec - Episode 8

Read all of our show notes and find more information about us at Beautiful Soup

Brief Introduction

  • Date of recording – May 28th, 2015
  • Hosts – Tobias Macey and Chris Patti
  • Overview – Interview with Mark Baggett
  • Follow us on iTunes, Stitcher or TuneIn
  • Give us feedback! (iTunes, Twitter, email, Disqus comments)
  • You can donate (if you want)!

Interview with Mark Baggett

  • Introductions
  • How were you first introduced to Python? – Chris
    • Started using it for automating tasks while working as a sysadmin
    • Found code that launched an attack on FTP server – in Python
  • What are some of the tasks in your job that you use Python for? -Tobias
    • Trusted command & control backdoor for Windows
      • Mostly not used by malware authors – thus far (at least Mark hasn’t seen it used that way)
      • Flame virus – 5MB payload – incredibly advanced
        • Lua interpreter bundled along with the scripts
      • Veil framework – Python framework that takes payloads out of penetration testing executables
  • What is it about Python that makes it useful for penetration testing and other information security tasks?
    • Same thing that makes it useful for anything else
    • Impacket from Core Security
  • What are some of the more useful Python penetration testing tools?
  • We’ve noticed that a lot of the literature around information security and penetration testing focuses on targeting Windows. Can you enlighten us as to why that is?
    • Windows event tracing
      • logman
      • event trace providers – implement packet sniffing (Can turn every browser into a key logger)
    • Primary attack surface – Where most attacks are targeted
    • Fewer purely Linux systems
      • Very few ports open – maybe 80, 22
      • Very likely no user just sitting there waiting to run an executable you send
    • More freedom on Linux – less formalized patching process, more variable tools = more exploits
    • Will write code to only use built in modules for Python that will run in customer target environments
  • What are some of the legal considerations that you have to deal with on a regular basis as a penetration tester?
  • There have recently been a number of attacks based on hijacking the TCP/IP stack. Is Python being used for any of these exploits or tools to defend against them?
    • Data analytics
    • Detect repeated sequence numbers – Man in the Middle Attack
      • As simple as 5 lines of Python code
      • import scapy, start sniffing packets, pull together all packets – make list of associated packets
      • Can pull together all packets inside of stream
      • Time specific source communicates with specific destination
      • Bro – intrusion detection suite
        • Built into Security Onion – Doug Burks
        • FLOSS Weekly episode 296 with Bro developers
  • What are some activities that you do on a regular basis for which you would turn to another language or toolchain, rather than using Python?
    • PowerShell – The Python of Windows
      • Whitelisted and ubiquitous
    • Password cracking – compiled language like C or assembly
  • For anyone who is interested in getting involved in the security industry, and penetration testing in particular, what resources or tools would you recommend?
    • Developers make the best InfoSec professionals
      • Lots of jobs and opportunities
    • Developer -> Systems Administration -> Information Security
    • Security conferences – BSides, Defcon, Black Hat
    • Online capture the flag challenges (google it) – good practice for critical thinking and using code for security exercises
    • Get involved in the industry – Meetups, etc.
    • SANS institute course, Python for Penetration Testers, SEC573 by Mark Baggett – sans.org
    • Lots of free online resources
    • Violent Python
    • PicoCTF
    • Counter Hack Challenges
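The repeated-sequence-number check Mark describes for spotting man-in-the-middle injection, written out as an added example (not code from the episode or from any of Mark's courses). The packet records are a constructed stand-in for what scapy's sniff would hand you; the detector only alerts when a repeated sequence number carries different data, so ordinary TCP retransmissions stay quiet.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal TCP segment record (constructed stand-in for scapy's IP/TCP layers)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes


def flow_key(p):
    """Direction-specific 4-tuple: sequence numbers only make sense per sender."""
    return (p.src, p.sport, p.dst, p.dport)


def find_injected_segments(packets):
    """Return [(flow, seq, first_payload, conflicting_payload), ...].

    A genuine retransmission repeats a sequence number with the same bytes.
    Two data segments in one flow that share a sequence number but differ in
    content mean two senders are racing for the same slot in the stream, which
    is the signature of an on-path injection / man-in-the-middle attack.
    """
    seen = defaultdict(dict)   # flow -> {seq: first payload observed}
    alerts = []
    for p in packets:
        if not p.payload:
            continue   # pure ACKs and handshake segments carry nothing to compare
        flow = flow_key(p)
        earlier = seen[flow].get(p.seq)
        if earlier is None:
            seen[flow][p.seq] = p.payload
        elif earlier != p.payload:
            alerts.append((flow, p.seq, earlier, p.payload))
    return alerts


# Constructed sample capture (documentation IP range): a normal HTTP reply, a
# benign retransmission of it, and a forged segment reusing the same sequence
# number with different content.
SAMPLE = [
    Pkt("10.0.0.5", "198.51.100.7", 51000, 80, 1000, b"GET / HTTP/1.1\r\n"),
    Pkt("198.51.100.7", "10.0.0.5", 80, 51000, 5000, b"HTTP/1.1 200 OK\r\n"),
    Pkt("198.51.100.7", "10.0.0.5", 80, 51000, 5000, b"HTTP/1.1 200 OK\r\n"),     # retransmit
    Pkt("198.51.100.7", "10.0.0.5", 80, 51000, 5000, b"HTTP/1.1 302 Found\r\n"),  # injected
    Pkt("10.0.0.5", "198.51.100.7", 51000, 80, 1016, b""),                         # bare ACK
]

if __name__ == "__main__":
    for flow, seq, first, other in find_injected_segments(SAMPLE):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} seq={seq}: {first!r} vs {other!r}")
```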

Picks

Keep in Touch
