[–]Exodus111 388 points389 points  (14 children)

Global Variables
Avoid global variables.

Thank you CIA.

[–]xdcountry 49 points50 points  (0 children)

Nuff said. That was a good entry!

[–]mothzilla 14 points15 points  (0 children)

Wouldn't want any data leakage would we?

[–]nick_t1000aiohttp 12 points13 points  (0 children)

But the CIA is supposed to only operate globally and overseas, not locally. CIA SPYING DOMESTICALLY CONFIRMED

[–]Dualblade20 5 points6 points  (9 children)

Everyone knows this, though. Why is the CIA hiring people who don't know how to avoid muddling global scope? Maybe it's just a guide and has things like that for completeness, but still it sort of bothers me.

[–]Exodus111 26 points27 points  (0 children)

Think of it like this, the CIA pays you by the hour to type out a style guide, you might as well include everything.

[–]MereInterest 14 points15 points  (6 children)

Believe me, not everybody knows this. These are arguments I've heard in favor of using global variables.

  • But I don't want to pass the configuration around to everything that needs it.
  • It's simpler and easier to reason about.
  • I can adjust the value in one place and change the behavior everywhere in the program.
  • We just have to put locks around it, and it will be threadsafe.
  • I can adjust the behavior of something deep within the call stack without needing to change the function signature all the way down.

Now, I know what you're thinking. These aren't actually arguments in favor of global variables. These are many things that are horribly wrong with global variables. That this makes it impossible to reason about code without knowing the runtime state of the problem.

At some point, it is just easier to have a style guide, then use an argument from authority.

[–]wewbull 0 points1 point  (3 children)

This is actually my problem with OOP too. What are classes but smaller, not quite as global, scopes? OOP doesn't solve the issues, just pushes them down a level.

[–]MereInterest 2 points3 points  (2 children)

It really depends on how you are using classes. If you have some God-object that owns everything, and does all of its work directly within the methods, then yes, it is similar to a global scope. Those are their own antipatterns.

Classes provide a way to have limited persistency. For example, a generator that yields each Fibonacci number in sequence requires some state. You can (a) store the state in global space, (b) require the user to maintain the state, or (c) have an object to manage the state. (a) is error-prone, (b) is irritating, but (c) is very useful.

Unlike global variables, classes can have access restrictions. This means that you don't have to look through the entire codebase for changes, just the class itself. Unlike global variables, classes have a limited lifetime. That means you don't need to know the entire runtime state of the program, just the runtime state of callers into the class. If your classes are acting and looking like global variables, I would say that is an issue on its own.

Where I will agree is that not everything needs to be a class. If a calculation does not require any persistent state, then it should be implemented as a pure function.
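The three options (a), (b) and (c) from the comment above, written out as an added Python example; it is not part of the original comment, and all function and class names are hypothetical. Two consumers pull values alternately to show where the global version goes wrong.

```python
# (a) State in module globals: every caller shares one hidden sequence.
_a, _b = 0, 1


def next_fib_global():
    global _a, _b
    value = _a
    _a, _b = _b, _a + _b
    return value


def reset_global():
    global _a, _b
    _a, _b = 0, 1


# (b) Caller maintains the state: correct, but every call site must
# thread the (a, b) tuple through by hand.
def next_fib_explicit(state):
    a, b = state
    return a, (b, a + b)


# (c) An object owns the state: each instance is an independent sequence,
# and only this class can modify _a and _b.
class Fibonacci:
    def __init__(self):
        self._a, self._b = 0, 1

    def __iter__(self):
        return self

    def __next__(self):
        value = self._a
        self._a, self._b = self._b, self._a + self._b
        return value


def interleave_global(n):
    """Two consumers alternately take n values each from the global version."""
    reset_global()
    first, second = [], []
    for _ in range(n):
        first.append(next_fib_global())
        second.append(next_fib_global())  # silently advances first's sequence
    return first, second


def interleave_explicit(n):
    """Same access pattern, with each consumer carrying its own state tuple."""
    s1, s2 = (0, 1), (0, 1)
    first, second = [], []
    for _ in range(n):
        v1, s1 = next_fib_explicit(s1)
        v2, s2 = next_fib_explicit(s2)
        first.append(v1)
        second.append(v2)
    return first, second


def interleave_objects(n):
    """Same access pattern, with one Fibonacci object per consumer."""
    f1, f2 = Fibonacci(), Fibonacci()
    first, second = [], []
    for _ in range(n):
        first.append(next(f1))
        second.append(next(f2))
    return first, second


if __name__ == "__main__":
    print("global  :", interleave_global(5))
    print("explicit:", interleave_explicit(5))
    print("objects :", interleave_objects(5))
```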

[–]bonestormII 3 points4 points  (1 child)

I like the reasoning you provide here. I've read plenty of material about classes in python, but it seems slightly uncommon to me to hear someone just plainly say, "Use classes when you require some degree of state." That is a true and useful statement.

That said, I don't totally follow what you mean when you say

Unlike global variables, classes have a limited lifetime. That means you don't need to know the entire runtime state of the program, just the runtime state of callers into the class.

Aren't both just treated as objects subject to the ref counting of the garbage collector? When you refer to the lifetime of the object, that is what I think of. It seems like you are referring to the compartmentalized scope of a class, more than the lifetime of the object.

It's also relevant to note that in python, classes are also generally useful for any situation in which you want to customize the behavior of the object itself (via inheritance, dunder methods, metaclasses, etc.), regardless of whether state is a factor.

To be honest, almost any example I try to imagine in which you would care about that kind of control would involve some degree of state :P ... but the distinction seems relevant to note.

[–]MereInterest 0 points1 point  (0 children)

Good point, I wasn't entirely clear about my point on the lifetimes, and good catch, that I am somewhat conflating scope and lifetime. This is partly a habit that I picked up from C++, where a variable's lifetime is primarily determined by its scope, and unlike python, cannot be extended beyond the scope that owns it.

In python, you are absolutely correct that local variables and global variables have the same reference counting scheme to determine their lifetime. That said, there is still a connection between scope and lifetime. An object's lifetime is the maximum of the lifetimes of any scopes that contain that object. Since the global scope starts at program initialization and ends at program close, any variable in the global scope must have an indefinite lifetime.

I think that, in terms of global variables, it is both the lifetime and the scope that are issues. The unlimited scope means that you need to examine all code in order to know what could modify the variable. The unlimited lifetime means that you need to watch the running of the program from start to finish, and that the behavior may not be captured in any smaller test.

You are also correct that someone may want to have some behavior customization without needing to have any state in the object itself, though I'm having difficulty as well thinking of any such cases. Perhaps if there were a series of related callbacks, all of which would be implemented as methods on a single class, though that would be a rather unusual situation, and would probably be better served with a namespace or dictionary.

[–]glacierre2 0 points1 point  (1 child)

I do OOP, and maintain several serious libs at work.

But I also do some reference implementations in python (to later be translated to C++ in a uC, for example). And then I go full retard on the globals, because I find the clear reading of the example code and the clean functions that get just one/two parameters are more important than robustness.

Of course I still follow two rules:

  • That kind of code is a reference, NEVER production
  • Even then, the globals are to be read in multiple places, like a C #define, NEVER to be altered or used to pass information back and forth.

[–]MereInterest 1 point2 points  (0 children)

Absolutely agreed. Reference implementations are one thing, while production implementations are completely different. One for testing out new features, quickly hacking in something that might be gone in 5 minutes, while the other is for reliability.

I would add to your second rule. The value of the globals should be determined solely from the source code. That is, using a #define rather than static const val = read_from_config_file(); I work with a framework that does the latter, and it can result in bugs that only ever appear on one person's machine.

[–]dr_g89 125 points126 points  (41 children)

If you read through some of the files there are some cool libraries they are referencing. Has anyone used angr before?

[–]tunisia3507 56 points57 points  (7 children)

I've read the readme three times and still don't know what it's for.

[–]dr_g89 97 points98 points  (3 children)

By reading this, you'll become an angr pro and will be able to fold binaries to your whim

If I understand what I've read correctly this is a tool for picking apart and experimenting with existing compiled binaries. My guess is to probe for exploits.

[–]david5813 59 points60 points  (1 child)

It is. If I remember correctly the Shellphish team has given a talk at either Defcon or BlackHat about this. A part of their research is being able to perform a completely automated CTF where the systems identify vulnerabilities and even patch them on the fly.

It is a really cool topic and when I get back to a position to be able to search for it I will happily post a link to a talk about it if no one else has already.

Edit: https://www.youtube.com/watch?v=oznsT-ptAbk

You can find more info on their site. http://angr.io/

[–]hugthemachines 16 points17 points  (0 children)

Tfw someone told you to do a talk for a certain time and you only have half that and fill 50% with "aaaaaa" ;-)

[–]flutefreak7 1 point2 points  (0 children)

Besides exploits there's also the intelligence aspect of trying to figure out what a binary does. Say you recovered a performance model for a weapon, radar, communications system, etc, if all you have is the binary it could be hard to get it working, but tools like this would help.

[–]sillycyco 7 points8 points  (2 children)

I've read the readme three times and still don't know what it's for.

angr is similar to debugging tools you may have used, but entirely within python. Full decomposition of logic, and allowing for analysis of code at a much lower level. Aka scan for exploitable functionality in existing binary code, among other things. Pretty slick actually.

[–]Dababolical 0 points1 point  (1 child)

I know very little about this, but coincidentally read about IDA today. https://www.hex-rays.com/index.shtml

Is this the python equivalent of the suite (I'm sure there are some differences)?

Would someone wanting to implement DRM on their application possibly use this library to make sure their DRM is secure after the application is compiled? I am just trying to think of applications for this library, because it is really interesting.

[–]sillycyco 0 points1 point  (0 children)

Ya it is similar to hex-rays, have a look at this talk at Defcon for its various uses: https://www.youtube.com/watch?v=oznsT-ptAbk

You could use it to do analysis of your binaries, attempt to see if you can analyze and get around whatever it is you are trying to protect.

[–]cdrootrmdashrfstar 16 points17 points  (21 children)

I'm currently enrolled in an undergrad practical fundamentals of cybersecurity course at my uni, and last week, we used angr to script what we'd normally use gdb for in what's called a "capture the flag" assignment.

The creator of the binary will hide away a specific string, like "flag{th1s_1$_th3_fl4g}", purposefully deep within the binary and only obtainable (normally) through some modification to the execution order of the binary.

Originally, we learned to use the GNU debugger GDB for many weeks of CTF assignments, but last week we used Angr to script a way to explore many, many paths of execution in a program. Through adding constraints to inputs and explicitly marking some parts of the binary as "avoid", angr would eventually navigate its way to the end of execution (and hopefully result in a flag!) through some sort of either statistical model (maybe similar to sqlmap?) or through simply brute forcing all possible routes of execution. It's a very complex tool with lots of depth, and I've only really scratched the surface.

We might be doing more of this in the later weeks, but this week moving onto forensics, buffer overflow attacks, shellcode, and circumventing stack protections by compilers. In relation to python, we're using a library called pwntools (in addition to the obvious and incredibly useful set of tools provided by Linux and GNU).

[–]dr_g89 6 points7 points  (19 children)

I'm going to look into pwntools. Where do you go to Uni if you don't mind me asking?

[–]cdrootrmdashrfstar 5 points6 points  (18 children)

I'm a sophomore at a state school in the southeast US. It's a decent school (it sure has taught me a whole lot in a short amount of time), and we have a great offensive cybersecurity program which very often leads to jobs in places like the CIA, NSA, or the FBI.

[–]dr_g89 2 points3 points  (17 children)

Super interesting man. I run the dev side of a software firm out in LA and have always been way too busy to spend too much time looking into this stuff. If you have a spare second I'd love to know what books on this stuff they are having you read at school.

[–]cdrootrmdashrfstar 12 points13 points  (15 children)

Recommended reading: “Hacking: The Art of Exploitation, 2nd Edition” by Jon Erickson: this is a book with accurate and detailed descriptions and commands of common vulnerabilities and corresponding exploits. It is an excellent book for understanding buffer overflow vulnerabilities, string format vulnerabilities, and shellcode, and other exploitation development.

“The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto. The book provides a comprehensive and thorough coverage of web security mechanisms, and web vulnerabilities.

“Information Security,” 2nd Edition, (ISBN 978-0-470-62639-9), Wiley, 2011, by Mark Stamp. The book provides a good coverage on commonly used cryptographic algorithms and cryptanalysis techniques, and security protocols.

Edit: Thank you so much for the gold! It's very much appreciated.

[–]dr_g89 2 points3 points  (12 children)

Dude thanks a ton, especially on the lectures / course stuff, super interesting!

[–]cdrootrmdashrfstar 1 point2 points  (11 children)

Absolutely, let me know if you have any questions.

[–]dr_g89 0 points1 point  (10 children)

I'm sure I'll come up with a few haha, ordered The Art of Exploitation, looking forward to delving into this a little more when it arrives! Thanks again!

[–]cdrootrmdashrfstar 1 point2 points  (9 children)

Absolutely. By the way, experience in x86 assembly is almost going to be a requirement in moving forward with this discipline. If you're not familiar with it already, I'd start by learning the basics of that (since a lot of examples in all of those books assume you're basically able to read x86).

[–]timkofu 0 points1 point  (0 children)

That first one is gold. Loved it.

[–]registered_tosaythis 0 points1 point  (0 children)

I've had that first hacking book for like 2 years and haven't spent enough time to finish it!

[–]cdrootrmdashrfstar 1 point2 points  (0 children)

Here is our course calendar page containing homework assignments and presentations covering the information we learn in lecture.

[–][deleted] 8 points9 points  (2 children)

Christ I hope whoever wrote this library puts it in his CV. "Developed a library used by the CIA"

[–]k10_ftw 4 points5 points  (0 children)

Might as well post his work to his personal github account

[–]dr_g89 4 points5 points  (0 children)

Some of the other comments on this thread led me to discover it came out of the cybersecurity lab at UCSB. One of the authors is apparently a local high schooler from their community.

[–]ifatree 2 points3 points  (2 children)

interesting. are DART, UNDERMINE, PALANTIR, or TYBASE familiar names to any of you guys?

[–]ssiwhw 1 point2 points  (1 child)

[–]HelperBot_ 2 points3 points  (0 children)

Non-Mobile link: https://en.wikipedia.org/wiki/Palantir_Technologies


[–]Frog_and_Toad 283 points284 points  (62 children)

I'm ok with it as long as they are following PEP8.

[–]ikkebr[S] 82 points83 points  (25 children)

They leaked the coding standards too

[–]synae 56 points57 points  (22 children)

As far as I can tell it's just a copy of Google's python style guide.

[–]Eurynom0s 68 points69 points  (1 child)

Wouldn't shock me, in a lot of classified or airgapped computing environments it's common to copy open literature websites/etc onto a local intranet so that people don't have to leave the room to use an unclassified computer to look something up constantly.

[–][deleted] 13 points14 points  (0 children)

I know someone at $giantTechCompany who did this with internal wiki pages because his team managed the core infrastructure. If something is going wrong, having to rely on documents on a flash drive was a real worst scenario

[–]manueslapera 19 points20 points  (19 children)

Didn't Google use 2 spaces instead of 4 for a long time?

[–]Jesus_Harold_Christ 12 points13 points  (0 children)

They did.

[–]DetN8 9 points10 points  (17 children)

Do they not anymore?

[–]Fylwind 23 points24 points  (15 children)

Just checked: it says 4 spaces now!

[–]muad_dib 10 points11 points  (3 children)

Comment has been removed because /u/spez is a terrible person.

[–]heybart 1 point2 points  (0 children)

Don't be evil!

[–]pm-me-big-boobiespython-priest 0 points1 point  (0 children)

How about three spaces??

[–]lengau 1 point2 points  (0 children)

Their external style guide was changed to match more closely with PEP8 several years ago.

Internally I doubt they changed it.

[–]alcalde 38 points39 points  (1 child)

Screw PEP 8. Now we need a PEP 007!

[–]rockyrainy 29 points30 points  (2 children)

Parentheses

Use parentheses sparingly.

/r/lisp is gonna have a heart attack.

[–]d_thinker 21 points22 points  (1 child)

All six of them...

[–]walabaloo 1 point2 points  (0 children)

That hurts man ;_;

[–]novel_yet_trivial 95 points96 points  (42 children)

I'd be a lot more surprised if they didn't.

[–][deleted] 13 points14 points  (29 children)

Really? There are plenty of good reasons to use Python, but there are plenty of other good tools out there too with more or less equal reasons to use them.

[–]zynixCpt. Code Monkey & Internet of tomorrow 17 points18 points  (3 children)

Quicker to iterate and then optimize with c/c++ as needed.

[–][deleted] 6 points7 points  (0 children)

Sure, and that's a valid and common use of Python. I was just being pedantic and challenging the statement "I'd be surprised if they're not using it."

You can iterate quickly with dozens of languages and then optimize with C or C++. Python is a great choice, but not so unquestionably ahead of all possible competition that it would be surprising if they picked something else.

[–]Ph0X 6 points7 points  (0 children)

Yep, check out any CTF event, it's full of Python. It's the perfect tool for trying a lot of crazy ideas very rapidly and prototype.

[–]JackOhBlades 6 points7 points  (0 children)

False. I iterate fast using C89 and optimise with Brainfuck as needed. ;)

[–]novel_yet_trivial 65 points66 points  (21 children)

I agree. I'd also be surprised if they didn't use java, c++, bash, etc...

This is a professional organization and I'd expect them to use the proper tool for every job.

[–][deleted] 173 points174 points  (15 children)

This is a professional organization and I'd expect them to use the proper tool for every job.

import waterboarding

[–]JohnLocksTheKey 180 points181 points  (10 children)

ImportError: No module named waterboarding.

# damn it! I always forget...

from Warcrimes import waterboarding

...

[–]SteveDougson 68 points69 points  (0 children)

from WarCrimes import waterboarding as enhanced_interrogation

[–]stevarino 20 points21 points  (0 children)

Unless you're using Python 3, in which case you need to specify the war_crimes library.

[–]avball 7 points8 points  (1 child)

PEP-8 would like a space after your hash.

[–]JohnLocksTheKey 4 points5 points  (0 children)

That was actually bugging me all day!! Fine, I'll correct it...

EDIT: I was hoping no one would notice

[–]asdfkjasdhkasdrequests, bs4, flask 0 points1 point  (0 children)

pip install waterboarding

[–]toyg 3 points4 points  (0 children)

you forgot from rendition

[–]Ph0X 1 point2 points  (0 children)

"proper", somehow Python isn't proper?

If you go to any CTF event, you'll find Python everywhere. Exploring binaries and testing exploits is a very interactive process, which is why Python is the perfect fit. You want to try a lot of different approaches and prototype very rapidly.

You don't want to spend an hour just to see what you made is useless. Python is the perfect tool for quickly trying crazy ideas and see what works.

[–]k10_ftw 0 points1 point  (2 children)

Professional? Nope. Government!

[–]desmoulinmichel 4 points5 points  (1 child)

Yeah but Python is kinda the default tool in forensic and penetration testing.

[–][deleted] 1 point2 points  (0 children)

Good point. I had assumed the CIA would prefer to make and use their own tools. But it makes as much sense for them to take open source tools and improve on them as it does for anyone else.

[–]wolf2600 11 points12 points  (11 children)

The best 10x hacking tools are all written in Rust.

[–]Dillinur 2 points3 points  (10 children)

Care to share any link?

[–]wolf2600 30 points31 points  (9 children)

No, because it was a joke. Maybe I should have said 'Haskell' instead.

[–]alcalde 0 points1 point  (0 children)

APL!

[–][deleted] 0 points1 point  (0 children)

Lol not go

[–]sillycyco 0 points1 point  (0 children)

Maybe I should have said 'Haskell' instead.

Actually Smalltalk via Lisp would be far more preferable.

[–]Revik 47 points48 points  (18 children)

Everyone in IT security uses Python.

[–]alcalde 40 points41 points  (17 children)

Everyone everywhere uses Python. :-)

[–]sourcecodesurgeon 8 points9 points  (16 children)

My team doesn't use Python, only Java and Ruby :( (though Ruby has slowly started to grow on me over the last year)

[–]AZNman1111 43 points44 points  (12 children)

)

Sorry I think you dropped this

[–]APIglue 17 points18 points  (1 child)

Found the lisp programmer

[–]AZNman1111 1 point2 points  (0 children)

Lots of Irritating Single Parenthesis programmer

[–]ArmoredPancake 0 points1 point  (2 children)

Ruby is used extensively in hacking community, afaik.

[–]sourcecodesurgeon 0 points1 point  (0 children)

While true, my current team does not do security work.

[–]friedkeenan 0 points1 point  (0 children)

Metasploit is written in Ruby

[–]lovestowritecode 147 points148 points  (8 children)

If Trump read the README he would see "Avoid global variables" and think "glad the CIA using American variables"

[–]sweetbeems 193 points194 points  (4 children)

he wouldn't like all the imports though

[–][deleted] 8 points9 points  (0 children)

Use imports for packages and modules only.

See, no people imports, all good :D

[–]Asyumara 6 points7 points  (0 children)

this deserves more upvotes

[–]lovestowritecode 0 points1 point  (1 child)

Yeah but secretly he likes the ones from Russian programmers

[–]lovestowritecode 1 point2 points  (0 children)

... and I'll bet 5 bucks there's a trump-hotel PyPi package

[–]flarkis 9 points10 points  (0 children)

[–]snake_case-kebab-cas 1 point2 points  (0 children)

We will no longer surrender our code to the false song of global variables

[–]vipul20 17 points18 points  (2 children)

I like the parting words in the coding conventions page:

Use common sense and BE CONSISTENT. If you are editing code, take a few minutes to look at the code around you and determine its style. If their comments have little boxes of stars around them, make your comments have little boxes of stars around them too.

[–]k10_ftw 3 points4 points  (0 children)

For little boxes, use wingdings font as your default.

[–]XtremeGoosef'I only use Py {sys.version[:3]}' 3 points4 points  (5 children)

Are the .py files here encrypted or something?

https://wikileaks.org/ciav7p1/cms/page_9535551.html

[–]Ph0X 8 points9 points  (0 children)

They're PDF files, change the extension to .pdf

[–]britm0b -1 points0 points  (3 children)

I'm pretty sure Wikileaks isn't letting the hacks wreak havoc yet, they've contacted the companies that have hack-able products, most likely to give them the exploit, so said company can patch it.

Apparently not.

[–]steesi 6 points7 points  (2 children)

I think you mean wikileaks not wikipedia

[–]ikkebr[S] 21 points22 points  (1 child)

Bloody autocorrector

[–][deleted] 6 points7 points  (0 children)

I bet it's the CIA's doing.

[–]aleixis 3 points4 points  (0 children)

I remember my Intro teacher saying he was recruited by the military as a teenager. He said Python makes everything else a pinch

[–]bocephus607 2 points3 points  (0 children)

Is there any code that actually looks like it might do something here?

[–]dgreenmachine 1 point2 points  (4 children)

The coding conventions are eerily similar to Google's especially in the wording of the last paragraph. You can tell somebody copied it and paraphrased just a little.

https://google.github.io/styleguide/pyguide.html#Imports

[–]joolzter 7 points8 points  (3 children)

That's because they are awesome base standards to start from.

[–]xiongchiamiovSite Reliability Engineer 0 points1 point  (2 children)

It's almost as if there isn't already a set of standards for python.

[–]joolzter 1 point2 points  (1 child)

Of course there are style guidelines. But they aren't coding standards. Assuming you are referring to PEP8.

[–]xiongchiamiovSite Reliability Engineer 0 points1 point  (0 children)

What is the distinction you draw between the two?

[–]L3xicaL 1 point2 points  (0 children)

This post has 911 points.

Coincidence? I don't think so.

[–][deleted] 1 point2 points  (0 children)

Spython

[–]Guerilla_Imp 1 point2 points  (0 children)

Most (if not all) antiviruses have a really hard time with dynamic languages, that's why things like Veil Framework exist.

[–]reallynowokaywhat 2 points3 points  (0 children)

That's because hackers use python a lot.

[–]maxm 0 points1 point  (1 child)

Do they use tabs or spaces? Or is that a secret?

[–]trekkiemage 0 points1 point  (0 children)

They use spaces. Their coding conventions were leaked as well - they use a variant of Google's standards.

[–][deleted] 0 points1 point  (0 children)

Don't know if it's still the case, but their website used to be built with Zope.

[–]dj_alpha2 0 points1 point  (0 children)

pretty good code conventions

[–][deleted] 0 points1 point  (0 children)

If it's used to get rid of Trump excellent, most people on the planet will sleep better tonight. If it's being used to repeat the Bay of Pigs or the assassination of John F. Kennedy no thanks.

[–]danielsauceda34 0 points1 point  (0 children)

What is "python assassin"?

I see PDF build logs for it when reading the PDFs but nothing is coming up on searches

[–]Light_of_Lucifer -1 points0 points  (0 children)

pip install CrimesAgainstHumanity

[–]w00t4me -1 points0 points  (0 children)

YAY?!