COMMAND LINE WARRIORS

Taking Control of your Own Technology

How not to program WSGI

12 May 2008

In this post I explain how (perhaps to my shame) I hacked PyBlosxom to serve robots.txt. Kids, do not follow at home.


Email Syntax Check in Python

03 May 2008

Sometimes you may want to check that an email address is not syntactically invalid, i.e. it looks like a recognisable email address. In this post I examine a couple of ways of doing that.


Twelve commandments for Beautiful Python code

25 April 2008

In this article, I argue that the benefits of reading Python code in a standardised format outweigh any benefits of bespoke code styles. I then look at 12 rules that will make your Python code more readable,


Sharing our scripts together

15 April 2008

In this post I talk about a project on Launchpad called "Eden" for sharing of specialised but useful scripts.


Scripting Twitter with Python

09 April 2008

Twitter is a social networking service where users can write a sentence (maximum 140 characters) about themselves. It also has an API that we can use to receive and send data from Twitter.


Using OpenOffice History at the Command Line

07 April 2008

In this post I write a Python module to print out all the stored OpenOffice document history.


OOXML Vote: The Python Script Walkthrough

27 March 2008

I talk about my Python script that allowed me to produce live updates of the vote in the OOXML standardisation process.


Scripting the National Lottery: Part One

25 March 2008

I had a chat with an older lady about the British National Lottery. She buys six tickets for each draw, one for everyone in her family. So the question is: what is she getting in return for the ticket price? Let's write some Python scripts to find out.


Setting up a bazaar server

24 February 2008

So last year I wrote a little tutorial about using bazaar for my own personal projects. Please read that if you have no idea what I am talking about.

This weekend I started working on a project with a small group of friends. Therefore we decided to create a bzr server so we can all track the code that we are writing together.


Baby Steps with Django - Part 4 Django Applications and flow

18 February 2008

In the previous installment of this series, I explained that a Django site is normally organised into a 'project' which contains 'applications'.

We started a new Django 'project' (i.e. a website). This was a directory with a few files in. The most interesting were settings.py, the project's settings, and urls.py which maps URLs to functions.


Baby Steps with Django - Part 3 Django projects

02 February 2008

Projects and Applications

In theory, as long as Python can find everything, you can organise your own web application code however you want; however, we might as well follow the default Django way until we have a good reason not to. A Django website is normally organised into a 'project' which contains 'applications'.


Baby Steps with Django - part 2 database setup

25 January 2008

So I introduced this series seven months ago, oops! Oh well, let's get started.


Three Useful Python Bindings - ClamAV, Apt and Evolution

01 December 2007

Python is not just cool because it is easy to code with; it also has loads of bindings to almost every major open source project (as well as to some famous proprietary software that we don't care about here).


How to find out your IP address in Python

24 November 2007

Interesting Fact for Anoraks


Index your Flickr Photos in Python

17 November 2007

A friend asked me to look at a broken script that he found online. The script used the Python module for interfacing with the Flickr API. So I thought I would go and give the Flickr API a try.


Guest Post: A Response to Directory to Webpage

03 November 2007

*In the last post, I talked about how I turned a directory of PDFs into an HTML list. An example of the filenames was C_L_Warrior.pdf, which I turned into a simple index of files by author.*


Directory of Files to Webpage

02 November 2007

Recently, I was asked to put up several hundred PDFs on the web and make a simple index that links to them all. Adding that many links through the Uni's CMS was not feasible, being several clicks per link and a lot of waiting for the Java applets to do their stuff. However, the CMS allows you to import HTML. So I decided to generate the HTML and then import it in. Fortunately, the files had been given very consistent names by a careful secretary, so I could use those as the basis for the link text.


PyconUK 2007 Audio (part 1)

07 October 2007

Audio Files


Pylons part 2 - Getting Pylons

30 September 2007

Install Pylons

In the last part we got easy_install working. Now we can start properly and get Pylons installed. You will need to run the following command as root:


Pylons part 1 - Getting easy_install

30 September 2007

Pylons Versions

Pylons is under active development, currently building up to its 1.0 release, expected in 2008. Consequently, there were some very big changes between 0.9.5 and 0.9.6, not least the fact that the templating engine and database abstraction library were completely swapped out. So you want to be learning with version 0.9.6 or above.


About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology. It looks at our experiences of computing, especially using GNU/Linux, the Python programming language and the command line, and at issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!

Latest Discussions

Zeth

May 16, 2008
To Anonymous, I tried your script with some old SSH keys and it did not manage to break into an apparently vulnerable system. 1. The script requires a known username. My system did not allow root logins. 2. After three failed logins, the script's IP address got added to deny hosts.
Swap out your ssh keys

Zeth

May 16, 2008
To Anonymous, I said to do three things: 1. Accept the update. 2. Replace your keys. 3. Don't *have a panic attack about it.* And I still stand by that. Most non-technical users won't even be using openssh-server, while the update, blacklists and instructions on how to regenerate come down automatically for those that do. Indeed, I think this episode shows how fast the free/open source community can move. Every time the open source software has a panic attack over an in-theory, technically possible, but not actually being used, 'exploit', then proprietary software people say "Look, their software is no better, it is just as insecure as ours". However, that is not true. There is a range of exploits, from theoretically possible with some serious preparation and knowledge about the target system, through to automated attacks that will work against any machine without the need for knowledge about it.
Swap out your ssh keys

Anonymous

May 15, 2008
Like stefano says, you are being VERY irresponsible by downplaying this as only "theoretically possible with a supercomputer". Linked on the page stefano mentioned is this: http://milw0rm.com/exploits/5622 That will break into your computer in a couple of hours if you're using public-key logins, which are considered the safest kind, and are used on many, many machines that are supposed to be extra secure. This is a horrible, horrible problem, and dismissing it does nobody any favours. I'd really suggest you re-write this article to accurately portray how serious the problem is.
Swap out your ssh keys

Ryan

May 15, 2008
Yeah, good layout too. Very clear. :) Better than the last, in fact! I'm another python/django nerd, so I'll be listening even more now. I guess one of the things that's inspiring about Django is they're concerned pretty hardcore with security fixes. Just this week, an email came out and they released new sub-versions for each major Django release to include the fix. Very awesome. For your blog post model, what did you do for entering posts? Do you still use the default admin interface, or did you make your own views for posting and whatnot? I haven't looked into it much, but does django automatically include much in the way of wysiwyg text editors for text fields?
How not to program WSGI

stefano

May 15, 2008
Apparently the bug makes a brute-force attack much easier than "theoretically possible with a supercomputer". http://metasploit.com/users/hdm/tools/debian-openssl/ It looks like the buggy code used the process ID as the seed for generating the key, and there might only be 32,768 process IDs. Furthermore, not all process IDs are equally possible, and one could use a range of 1000-3000 seeds and have a very high chance of producing a valid key.
Swap out your ssh keys

Bug

May 15, 2008
@txwikinger: Thing is, I don't use Ubuntu and I can't remember where I generated my key [I'm using Archlinux]. @Zeth: You should add the number of comments to the front page.
Swap out your ssh keys

Kennon

May 15, 2008
The openssh-blacklist debian package (now available, and required for the latest version of openssh-client and openssh-server) is now available. You should:

    apt-get update
    apt-get install openssh-blacklist
    apt-get upgrade

After that you'll have the ssh-vulnkey utility and can check.
Swap out your ssh keys

Krispy

May 15, 2008
mkc: Debian only provided blacklists for 2048 bit RSA keys and 1024 bit DSA keys. If your key isn't one of those two types, then the blacklist isn't provided in the package. You can download one here: http://metasploit.com/users/hdm/tools/debian-openssl/ but it is nearly 100MB
Swap out your ssh keys

Ed

May 15, 2008
@Cristian: it applies to keys. If you generated a key on Ubuntu and then put it in authorized_keys on Fedora, it's possible that someone could brute force their way in to the Fedora server.
Swap out your ssh keys

Cristian

May 14, 2008
This vulnerability only applies to ssh servers, right? Aren't they the ones that generate the keys? So if my client is Ubuntu and the server is Fedora everything's okay?
Swap out your ssh keys