[Python-ideas] PEP 504: Using the system RNG by default

Wed Sep 16 11:42:33 CEST 2015

On 16 September 2015 at 05:00, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 16 September 2015 at 11:16, Stephen J. Turnbull <stephen at xemacs.org> wrote:
>> Guido van Rossum writes:
>>  > The concept of secure vs. insecure sources of randomness isn't
>>  > *that* hard to grasp.
>>
>> Once one *tries*.  Read some of Paul Moore's posts, and you will
>> discover that the very mention of some practice "improving security"
>> immediately induces a non-trivial subset of his colleagues to start
>> thinking about how to avoid doing it.  I am almost not kidding;
>> according to his descriptions, the situation in the trenches is very
>> nearly that bad.  Security is evidently hated almost as much as spam.
>
> Yep, hence things like http://stopdisablingselinux.com/
>
> SELinux in enforcing mode operates on a very simple principle: we
> should know what system resources we expect our applications to
> access, and we should write that down in a form the computer
> understands so it can protect us against attackers trying to use that
> application to do something unintended (like steal user information).

I don't know if it's still true, but most Oracle database installation
instructions state "disable SELinux" as a basic pre-requisite. This is
a special case of a more general issue, which is that the "assign only
those privileges that you need" principle is impossible to implement
when you are working with proprietary software that contains no
documentation on what privileges it needs, other than "admin rights".
(Actually, I just checked - it looks like the official Oracle docs no
longer suggest disabling SELinux. But I bet they still don't give you
all the information you need to implement a tight security policy
without a fair amount of "try it and see what breaks"...)

Even in open source, people routinely run "sudo pip install". Not
"make the Python site-packages read/write", which is still wrong, but
which at least adheres to the principle of least privilege, but "give
me root access".

How many people get an app for their phone, see "this app needs <long
list of permissions>" and has any option other than to click "yes" or
discard the app? Who does anything with UAC on Windows other than
blindly click "yes" or disable it altogether? Not because they don't
understand the issues (certainly, many don't, but some do) but rather
because there's really no other option?

In these contexts, "security" is the name for "those things I have to
work around to do what I'm trying to do" - by disabling it, or blindly
clicking "yes", or insisting I need admin rights.

Or another example. Due to a password expiry policy combined with a
lack of viable single sign on, I have to change upwards of 50
passwords at least once every 4 weeks in order to be able to do my
job. And the time to do so is considered "overhead" and therefore
challenged regularly. So I spend a lot of time looking to see if I can
automate password changes (which is *definitely* not good practice).
I'm sure others do things like using weak passwords or reusing
passwords. Because the best practice simply isn't practical in that
context.

Nobody in the open source or security good practices communities even
has an avenue to communicate with the groups involved in this sort of
thing. At least as far as I know. I do what I can to raise awareness,
but it's a "grass roots" exercise that typically doesn't reach the
people with the means to actually change anything.

Of course, nobody in this environment uses Python to build
internet-facing web applications, either. So I'm not trying to argue
that this should drive the question of the RNG used in Python. But at
the same time, I am trying to sell Python as a good tool for
automating business processes, writing administrative scripts and
internal applications, etc. So there is a certain link...

Sorry - but it's nice to vent sometimes :-)

Paul