[Episode References]
Malicious packages deepseek and deepseekai published in Python Package Index - https://www.google.com/url?q=https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/malicious-packages-deepseeek-and-deepseekai-published-in-python-package-index&sa=D&source=docs&ust=1738667193797493&usg=AOvVaw3E9BNcNdMeT3UO3xeP4Sgr
Coral Jasmine on X - https://x.com/Fact_Finder03/status/1885209370868203740
OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines - https://www.aquasec.com/blog/risks-misconfigured-kubernetes-policy-engines-opa-gatekeeper/
Script and presentation: Carlos Cabral and Bianca Oliveira
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia
* Fake Stars Inflate Popularity of Malicious GitHub Repositories
* Cybercriminals Exploit Chrome Web Store to Infect Millions of Users
* Malicious Packages Found on Python Package Index and VSCode Marketplace
* One Third of Adults Don't Know How to Erase Their Data from an Old Device
* New Clickjacking Technique "DoubleClickjacking" Bypasses Security Measures

Fake Stars Inflate Popularity of Malicious GitHub Repositories
https://arxiv.org/pdf/2412.13459

A new study reveals a significant problem with inauthentic "stars" being used to artificially inflate the popularity of scam and malware distribution repositories on GitHub. These fake stars mislead users into trusting malicious projects and potentially downloading malware.

How Fake Stars Work
* GitHub users can "star" repositories, similar to liking them on social media platforms.
* The number of stars is a key factor in how GitHub ranks repositories and recommends them to users.
* Malicious actors create fake accounts or compromise existing ones to star malicious repositories, making them appear more popular and trustworthy.

Impact of Fake Stars
* Increased Reach for Malicious Projects: Fake stars help malicious repositories reach more unsuspecting users who may be tricked into downloading malware.
* Eroded Trust in GitHub: The widespread use of fake stars undermines the overall trust and credibility of the GitHub platform.

Researchers developed a tool called StarScout to analyze user activity and identify patterns indicative of fake stars. StarScout looks for signs of low user activity, bot-like behavior, and coordinated starring activity across multiple accounts.

The study identified 4.5 million suspected fake stars across GitHub. These fake stars were associated with over 15,800 repositories and 278,000 user accounts.

Recommendations for Users
* Don't rely solely on the number of stars to judge a repository's legitimacy.
* Carefully evaluate the repository's activity, documentation, code quality, and user contributions.
* Be cautious when downloading software from GitHub, especially from repositories with few contributions or suspicious activity.

This study highlights the importance of staying vigilant when using GitHub. By being aware of fake stars and other deceptive tactics, users can help protect themselves from malware and other online threats.

Cybercriminals Exploit Chrome Web Store to Infect Millions of Users
https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

A sophisticated cyberattack has compromised at least 35 Chrome browser extensions, potentially exposing over 2.6 million users to data theft and credential stealing.

The campaign began with a phishing attack targeting a Cyberhaven employee, granting attackers access to their Chrome Web Store account. This allowed them to inject malicious code into the Cyberhaven extension, which was subsequently downloaded by numerous users.

Further investigation revealed that this was not an isolated incident. Multiple other extensions, including popular tools for AI assistance, VPNs, and video recording, were also compromised, likely through similar phishing attacks.

These malicious extensions collected user data, including cookies, access tokens, and potentially even sensitive financial information. Some extensions even contained code designed to steal Facebook login credentials.

Attacks like these highlight the growing threat of compromised browser extensions. Because extensions often have broad access to user data and browsing activity, they can be a significant entry point for cybercriminals.

Users are advised to exercise caution when installing browser extensions, carefully vetting their source and checking for any suspicious activity. Developers are also urged to implement strong security measures to protect their accounts and prevent unauthorised access.

This ongoing campaign underscores the importance of vigilant security practices in the ever-evolving threat landscape of online activity.

Malicious Packages Found on Python Package Index and VSCode Marketplace
https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code

Cybersecurity researchers have discovered malicious packages uploaded to the Python Package Index (PyPI) and the Visual Studio Code Marketplace. These packages, disguised as legitimate tools for cryptocurrency development and productivity, were designed to steal sensitive information from developers' systems.

The malicious PyPI packages, named "zebo" and "cometlogger," were downloaded hundreds of times before being removed. These packages contained code to steal keystrokes, capture screenshots, and exfiltrate sensitive data, including credentials from popular platforms like Discord, Steam, and Instagram.

Similarly, researchers identified malicious VSCode extensions that targeted cryptocurrency developers and Zoom users. These extensions, often with names resembling legitimate tools, downloaded and executed malicious payloads.

Typosquatting and Fake Reviews
Attackers employed typosquatting techniques, creating packages with names that closely resembled legitimate ones, such as "@typescript_eslinter/eslint" instead of "typescript-eslint." They also inflated download numbers and used fake reviews to make these malicious packages appear more trustworthy.

Impact and Recommendations:
This incident highlights the growing threat of supply chain attacks targeting software development ecosystems. Developers are urged to exercise extreme caution when downloading and installing packages from online repositories.

Key recommendations include:
* Thoroughly vetting all packages before installation.
* Checking the source and reputation of the developer.
* Regularly auditing development environments for potential threats.

This incident serves as a stark reminder of the importance of maintaining a strong security posture throughout the entire software development lifecycle.

One Third of Adults Don't Know How to Erase Their Data from an Old Device
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/14-million-people-don-t-know-how-to-erase-their-data-from-an-old-device/

A new survey from the UK's Information Commissioner's Office (ICO) reveals that nearly a third of adults in the UK don't know how to properly wipe their old electronic devices before discarding them. This lack of awareness poses a significant risk to personal data security.

The survey found that while 71% of respondents agree that wiping data from old devices is important, 24% find the process too difficult. Worryingly, 21% of young people (aged 18-34) believe wiping data is unnecessary, compared to just 4% of those over 55. This suggests a concerning lack of awareness among younger generations about the importance of data security.

The ICO emphasizes the importance of securely erasing personal information before disposing of old devices to prevent data breaches and fraud. Simple methods like factory resets can effectively erase most personal data from mobile phones.

With the holiday season approaching and many people expected to purchase new devices, the ICO urges individuals to prioritize data security and properly dispose of their old electronics.

New Clickjacking Technique "DoubleClickjacking" Bypasses Security Measures
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html

A new cyberattack technique dubbed "DoubleClickjacking" has been discovered, exploiting the timing between double-clicks to bypass existing clickjacking protections. This allows attackers to trick users into unknowingly granting permissions or performing actions on websites, potentially leading to account takeovers and data theft.

DoubleClickjacking leverages the brief window between two mouse clicks to seamlessly redirect users to malicious pages while they interact with seemingly innocuous elements. This method can bypass common security measures like X-Frame-Options and SameSite cookies, which are designed to prevent clickjacking attacks.

While this technique builds upon existing clickjacking methods, it introduces a new layer of complexity that requires a re-evaluation of current security measures. Researchers suggest that browser vendors should consider implementing new standards to specifically address this vulnerability.

This disclosure follows the discovery of another clickjacking variant earlier this year, highlighting the ongoing evolution of cyberattack techniques and the need for continuous vigilance in online security.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
On this Screaming in the Cloud
In this episode of Screaming in the Cloud, Corey Quinn is joined by AWS container hero and security engineer at the Python Software Foundation, Mike Fiedler. They delve into the intricacies of Python's ecosystem, discussing the evolution of PyPI, its significance, and the ongoing battles against security threats like account takeover attacks and typo-squatting. Mike sheds light on his role in maintaining the security and reliability of the Python Package Index, the importance of 2FA, and the collaborative efforts with security researchers. Corey and Mike also explore the challenges and philosophies surrounding legacy systems versus greenfield development, with insights on maintaining critical infrastructure and the often-overlooked aspects of social engineering.

Show Highlights
(0:00) Introduction
(0:47) The Duckbill Group sponsor read
(1:21) Breaking down the Python nomenclature and its usability
(5:49) Figuring out how Boto3 is one of the most downloaded packages
(6:43) Why Mike is the only full-time security and safety engineer at the Python Software Foundation
(9:53) How the Python Software Foundation affords to operate
(14:17) Mike's stack security work
(16:14) The Duckbill Group sponsor read
(16:57) Having the "impossible job" of stopping supply chain attacks
(21:00) The dangers of social engineering attacks
(24:44) Why Mike prefers to work on legacy systems
(33:30) Where you can find more from Mike

About Mike Fiedler
Mike Fiedler is a highly analytical, forward-thinking Information Technology professional. His broad-based background includes systems administration and engineering in global environments. Mike is technically astute and versatile, with the ability to quickly learn, master, and leverage new technologies to meet business needs, and has a track record of success in improving performance, stability, and security for all infrastructure and product initiatives. Mike is also bilingual, speaks English and Hebrew, and he loves solving puzzling problems.

Links
Mike's Mastodon: https://hachyderm.io/@miketheman
Mike's Bluesky: https://bsky.app/profile/miketheman.com
Mike's Python Software Foundation blog posts: https://blog.pypi.org/
The Python Package Index Safety & Security Engineer: First Year in Review: https://blog.pypi.org/posts/2024-08-16-safety-and-security-engineer-year-in-review/

Sponsor
The Duckbill Group: duckbillgroup.com
In today's episode, we explore how cybercriminals exploited StackOverflow to promote the malicious Python package "pytoileur" aimed at cryptocurrency theft (https://thehackernews.com/2024/05/cybercriminals-abuse-stackoverflow-to.html). We also examine the FBI's takedown of the 911 S5 botnet and its massive impact on online fraud and cybercrime (https://krebsonsecurity.com/2024/05/is-your-computer-part-of-the-largest-botnet-ever/). Lastly, we introduce RansomLord, an open-source anti-ransomware tool that leverages DLL hijacking to block ransomware attacks pre-encryption (https://github.com/malvuln/RansomLord).

FBI Botnet: https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors

00:00 Introduction to Ransomware Defense
01:12 RansomLord: A Game Changer
03:55 How to Check for Botnet Infections
06:47 Malicious Python Package Alert
09:19 Conclusion and Final Thoughts

Tags: Cybercriminals, Python Package Index, pytoileur, cryptocurrency theft, malicious packages, StackOverflow, open source security, botnet, VPN, YunHe Wang, 911 S5, cybersecurity, RansomLord, exploits, vulnerabilities, ransomware protection

Search Phrases: Cybercriminal infiltration of Python Package Index, pytoileur malicious package on StackOverflow, Cryptocurrency theft using pytoileur, How to protect against malicious Python packages, Largest botnet disguised as VPN service, Arrest of YunHe Wang for cybercrime, 911 S5 botnet detection methods, Protecting computers from 911 S5 botnet, RansomLord tool against ransomware, Ransomware vulnerabilities exploited by RansomLord

May 30

There is a new proof-of-concept, open-source tool called RansomLord that attacks the malware that launches ransomware, in order to defeat it before it can encrypt your files. I'm a little blown away by this one, but we'll get to that in a sec. How can RansomLord change the game for ransomware defenders, and what tactics does it use to defeat ransomware?
The largest botnet ever, operating under the guise of free VPN services, has been dismantled with the arrest of its alleged mastermind for orchestrating cybercrimes totalling billions of dollars in fraudulent losses. How can you check if your computer is part of the 911 S5 botnet, and what steps can you take to protect yourself in the future? The Python Package Index has been infiltrated with a malicious package named pytoileur, which has now been found to facilitate cryptocurrency theft by leveraging reputable platforms such as Stack Overflow. What measures can developers take to protect themselves from being deceived by malicious packages like this one? You're listening to the Daily Decrypt.

Alright. So as defenders, we are constantly thinking about how to defeat ransomware, but I haven't seen much come out other than detection capabilities. So we're still focused on detecting indicators of compromise that might lead to ransomware. But just yesterday Help Net Security released an article on an open-source anti-ransomware tool that essentially attacks the ransomware malware using DLL hijacking, and automates the creation of PE files which are used to exploit ransomware before it can encrypt your files. So even the thought of this type of defense makes me so excited. The idea that there can be more than just detecting indicators of compromise for ransomware prevention, when we can actually go in and attack the ransomware itself and get rid of it before it even has the opportunity to encrypt your files. It's a breath of fresh air. So this tool, which is free and open source and available on GitHub (the link is in the show notes below), deploys exploits in order to defend the network, which is a novel strategy for defeating ransomware. It also uses vulnerability intelligence that maps threats to vulnerable DLLs, in order to target specific threats that you may believe may target your organization or industry.
This tool in its current state has been shown to be effective to defend against 49 ransomware families, including Caliente, LokiLocker, and many more. It can also target trojans and infostealers. The author of this tool writes: "I created RansomLord to demonstrate that ransomware is not invincible, and that it has vulnerabilities and its developers make mistakes and can write bad code, just like anyone else." And I love this framing of ransomware itself being vulnerable to exploits, because it's essentially just software on your computer and it has vulnerabilities of its own. And even though this is technically just a proof of concept, it is effective against current versions of these ransomware tools, though the developers of these tools will likely patch, and it'll be a continuous cat-and-mouse game. But imagine if there was an entire company with thousands of employees whose sole purpose was to maintain the software to defeat ransomware strains. Any time a ransomware was successful, they would ship that source code off to this company, and that company would analyze it and create the exploits for the vulnerabilities found in that ransomware file. I personally don't have enough time to handle this type of company and start it myself, but if you're listening and you're an entrepreneur in the cybersecurity space, I highly encourage you to get going and seek some investing and figure this company out. Make it happen.

So there was a giant botnet, potentially one of the biggest botnets of all time, named 911 S5, that has been masquerading around as a free VPN service. Well, just recently authorities have arrested YunHe Wang, a 35-year-old Chinese national, behind this entire botnet. They've also seized the 911 S5 website and its infrastructure. This specific botnet has facilitated billions of dollars in online fraud and cybercrime, to include over 560,000 fraudulent unemployment claims, causing a $5.9 billion loss.
This botnet spanned more than 19 million computers across 190 countries, and was responsible for enabling cybercriminals to route malicious traffic through any of those 19 million computers, which of course allowed them to remain anonymous while they continued to partake in their cybercriminal activities. This botnet company, or individual, also sold access to compromised PCs within the botnet, because they also provided a free VPN service. And for those of you who might not know the intricacies of how a VPN works: at a high level, essentially it's just a pathway or a tunnel to access a network that you're not physically in. So for example, I have a VPN set up at my house. Any time I'm out at a coffee shop, I access that VPN, which essentially gives me access to all the devices in my house. So this botnet infected computers through the guise of a free VPN service. Installing and signing up for this free VPN service not only put your computer in part of this botnet, but gave the botnet operators access to your computer. So, how can you check if your computer is infected by this botnet? Well, first of all, have you downloaded any free VPN services in the last few years? If you can't remember, the FBI has created a webpage to help identify compromised systems, which essentially just gives you steps to check if your computer has been infected, such as checking for the running services, such as MaskVPN, DewVPN, ProxyGate, ShieldVPN, ShineVPN and PaladinVPN. It gives you the step-by-step on how to do that on your own computer. It then gives you the steps you'll need to follow to remove the malicious free VPN service, and then also to confirm that that service has been removed. If you were compromised by this botnet, please go check out the link to the FBI site. At the end, they're trying to collect a little bit of data to see what your experience was, so that they can help detect and prevent this type of thing from happening again.
And finally, there has been a new malicious Python package found in the Python Package Index. This package is named pytoileur. It looks a little French: P-Y-T-O-I-L-E-U-R. And it was designed to facilitate cryptocurrency theft. This package had only 316 downloads before the Python Package Index removed it, but the developer of this package quickly uploaded a new version with the identical malicious functionality, so it will continue to go back and forth. And what's interesting about this is that this package is being promoted by users across Stack Overflow, which is a very popular platform where developers turn to get their questions answered, or to provide tips for other developers to follow. So if you go on there and you are seeking a specific package that might do something, another Stack Overflow user can then suggest this malicious package, and maybe in turn they will be rewarded or something like that. So it seems like the whole internet at this point is an SEO competition, doing what you can to get your search results up. And as a developer myself, I know the influence that Stack Overflow has on many developers. If you're a contributor to Stack Overflow, you have so much sway, especially if the questions you're answering are common questions, which often involve Python packages or Python coding tactics. You have a lot of influence on that platform. So, yeah, it makes sense that malicious actors would go on there, and maybe they buy a reputable Stack Overflow account for a lot of money and then use it to promote malicious tools and packages. If you are a developer and you are out there looking for new packages to use for your organization, especially for your organization, make sure you check out the documentation, check out the website, look for anything fishy in the metadata of that package, and look for reviews from verified developers. And trust me,
I know the temptation as a developer, especially for personal projects at home, to just get the job done as quickly as you can. If you find a Stack Overflow post that might work, you tend to just copy the code, copy the imports, try it out and see if it works, because at that point you're essentially just troubleshooting in production, right? You're seeing if that code will work on your little personal projects. So know that some of those Python packages can install malware on your computer and be used to hijack your cryptocurrency.

This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
ChatGPT goes off-script with Shakespearean flair, and cybersecurity becomes the beacon in guarding our maritime and water utility infrastructures. We unravel the complexities of software supply chain threats with a focus on the Python Package Index, and spotlight the latest vulnerabilities in ConnectWise's ScreenConnect. It's a journey through the cyber squalls and the efforts to anchor down our digital defenses.

Featured Stories:
ChatGPT's Shakespearean Spiral - Delving into the reasons behind ChatGPT's unexpected dive into nonsensical outputs. Read more on Ars Technica and Reddit.
Bolstering Maritime Cybersecurity - How the Biden administration is strengthening America's maritime defenses against cyber threats. Cybersecurity at Sea: Strengthening America's Maritime Defenses.
Protecting Water Utilities from Cyber Threats - A look into the new wave of cybersecurity measures for water utilities by CISA, the FBI, and the Environmental Protection Agency.
The Stealthy Expansion of Software Supply Chain Threats - Unpacking a sophisticated cyber-attack via the Python Package Index. Discover more at ReversingLabs.
Patch and Protect: ConnectWise ScreenConnect Update - Addressing the vulnerabilities reported in ScreenConnect and the steps for remediation. ConnectWise Security Bulletins.

Join us as we dissect these pivotal moments in digital security and AI quirks, ensuring you stay informed and ahead of the curve in the ever-evolving world of technology. Only on Spotify. For the best listening experience, follow us on Spotify and dive into the digital depths with our insightful episodes on technology, cybersecurity, and the unexpected turns of AI.

Transcript: Feb 22

[00:00:00] All right. Good morning, listeners, and welcome back to the Daily Decrypt. Huge shout out to Jered Jones for his brand new release song played under the super sophisticated AI announcer.
If you're looking for some music, if you're working hard all day in front of the computer and you're looking for some [00:01:00] music that doesn't have words and isn't too distracting, highly recommend looking up Jered Jones, J-E-R-E-D. You're going to find lots of sick bangers like that one. All right, but let's get into the news today. We're going to dive into a digital pandemonium as ChatGPT seemingly takes a Shakespearean swerve, leaving users puzzled with its nonsensical jabber. Meanwhile, the US government makes waves in cybersecurity, anchoring down on maritime defenses against the rising tide of cyber threats, proving that when it comes to securing our ports, it's not just about the web, it's about the water. Speaking of water, we are also going to explore how America's water utilities are fortifying their cyber defenses, ensuring that the only things flowing through our pipes are water and wifi. In the realm of software and vulnerabilities, we're gonna be talking about the Python Package Index, or PyPI as I call it, and how it becomes a Trojan horse for cyber attackers, highlighting the stealthy expansion of [00:02:00] threats within our digital supply chains. And lastly, if you stick around this long, we're going to just touch base on ConnectWise's ScreenConnect vulnerabilities.

All right. So yesterday, users on Reddit started reporting that ChatGPT was going absolutely insane. The responses from ChatGPT would start out pretty normal and then quickly devolve into what I would describe as someone with dementia or Wernicke's aphasia. Thanks to all the Reddit users who posted their chats; they're very fun to read through. Various journalists have reached out to OpenAI, the makers of ChatGPT, for comment and were met just with direction to their status page. So no comment at this time has been released. But I have an example here of what ChatGPT was spitting out, and you can see by looking at the output
It's just [00:03:00] going through how it formulates its responses. It's creating noise and then refining that noise. So here is an example of what it was doing yesterday: "The high, the high or the heart where the hair. The his, or the Howell hones, a hill, a heel or a hand where all the Astor and any, and all, or an ACE or a story or a strain at grok stands for, of you a visit or the verb there site. Is a stand, a state or a story the in or the in wit makes a must a may or a most." Part of that sounded kind of like the monologue from V for Vendetta, which I'm not going to even try to repeat, but if you haven't seen V for Vendetta, highly recommended. Given the help ChatGPT gave in composing this episode, it seems to be back to normal. But it is a reminder of how these, quote, artificial intelligent [00:04:00] chatbots are not perfect and they can quickly devolve.

So, did you know that our planet is made up of mostly water? And so are our bodies. Though these facts may seem startling, they're starting to get the attention of government officials such as the Biden administration, who yesterday released an executive order aimed at bolstering cybersecurity measures across United States port facilities. This is sparked by increasing concerns over cyber threats, particularly from nation-state actors like China, who could cripple a lot of our infrastructure by just taking down a few maritime ports. In an era where cybersecurity incidents can ripple through the global supply chain with devastating effect, the executive order represents a significant pivot towards enhancing the resilience of [00:05:00] maritime infrastructure. The US Coast Guard is now endowed with explicit authority to counter malicious cyber activities targeting the nation's marine transportation system. This includes a mandate for the immediate reporting of any cyber threats or incidents that could compromise vessels, harbors, ports, or waterfront facilities.
Part of the executive order involved reallocating over $20 billion towards port infrastructure over the next five years, and this is an aim to repatriate crane manufacturing, which is a sector currently dominated by China, which manufactures approximately 80% of the cranes used in US ports. So if you're wondering why focus on ports? Well, consider this: America's ports are not just points of entry for goods. They're bustling hubs that can support 31 million American jobs and contribute $5.4 trillion to the economy. Their smooth operation is pivotal to our national security and economic prosperity. The threat of cyber attacks, particularly those that could be orchestrated by foreign adversaries. So as it [00:06:00] turns out, network ports aren't the only ports cybercriminals are sneaking into. In the world of port cybersecurity, it looks like we're moving from pirate-infested waters to cyber-secure harbors. Are ya feeling safe yet?

Speaking of water and making waves in the world of cybersecurity, the FBI, CISA and the EPA released tips targeted specifically to water plants and water managing agencies. At an age where hackers seem to have the thirst for infiltrating our critical infrastructures, the spotlight has turned to our water utilities. This isn't just about keeping the water flowing. It's about ensuring that the only thing going down the drain is, well, water, and not our security. In recent years, several water treatment companies have been the target of ransomware attacks, which has led to significant disruptions. Such events compromise the safety and availability of drinking water, which is a serious risk to public health and [00:07:00] safety. These agencies are aiming to prevent such outcomes by helping utilities bolster their defenses against malicious cyber activity. The article in our show notes outlines eight top-notch strategies to keep cyber threats at bay.
From hiding key assets to changing passwords as often as we're supposed to change our water filters, it seems like water utilities are being prepped for a stormy season in cyberspace. So what kind of attacks are they trying to prevent? Often hackers exploit vulnerabilities in the software and hardware that control water treatment processes, and by gaining unauthorized access, they can disrupt operations, demand ransom, or even tamper with water quality. The guidance provided by CISA, the EPA and FBI emphasizes the importance of regular updates and patches to address these vulnerabilities, alongside training for staff to recognize and respond to cyber threats. While no system can be made completely invulnerable, the adoption of these recommended practices significantly reduces the risks [00:08:00] of successful cyber attacks, which is what we're going for. It is a lofty goal to completely eliminate cyber risk, but the goal is to just do what we can to make ourselves more secure.

Alrighty, we're going to turn this a little bit more technical and talk about some recent vulnerabilities that have been discovered. ReversingLabs released an article that discusses a sophisticated cyber attack that leverages the Python Package Index, or PyPI as I like to call it, to distribute malicious software through a technique known as DLL sideloading. In January of 2024, Karlo Zanki, a reverse engineer at ReversingLabs, discovered two suspicious packages on PyPI, named NP6HelperHttptest and NP6HelperHttper. These packages were found to exploit DLL sideloading, which is a method where attackers execute malicious code on a computer without being detected by security [00:09:00] software. This technique was used to target legitimate PyPI packages, revealing a concerning trend in the misuse of open source platforms for cyber attacks. DLL sideloading typically involves the replacement of a dynamic link library, or DLL, with a malicious one.
The attacker's goal is to trick the application into loading this malicious DLL. Thereby executing the harmful code. It contains. In this case, the malicious packages were designed to mimic legitimate ones, very closely, which fooled developers into incorporating them into their projects. So, this is pretty significant. It affects not just individual developers, but potentially the entire supply chain. As compromised packages could be integrated into a wide array of applications. The attackers utilized Typosquatting, which is a tactic where malicious packages are named similarly to legitimate ones. In an effort to deceive users into downloading them. Reversing labs investigation further revealed that these malicious packages downloaded additional payloads, including a legitimate [00:10:00] file from king soft core. And a malicious DLL designed to execute a second stage payload. For those interested in diving deeper into the specifics of this breach, including the technical details and indicators of compromise. We encourage you to check out the full article in our show notes for a comprehensive understanding of the attack, vectors and protective measures. And before we finish up for the day. We're just going to quickly circle back to the recent ConnectWise ScreenConnect vulnerabilities that were reported on February 13th. If you're running ScreenConnect on premises, you're going to need to update your servers to version 23.9 0.8 immediately. If you're in the cloud, there are no actions needed at this time. And ConnectWise is saying that there's no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks. All right. That's all we've got for today. I hope you enjoyed Water puns as well as the new music by [00:11:00] Jared Jones. Today was probably my favorite episode I've done so far. So if you have any feedback Uh, please shoot me a message on Instagram. 
Shoot us a tweet on Twitter. Uh, We'd love to hear from you. We understand your feedback is an honor. And so we'd be honored to receive And I believe we were taking tomorrow off. So we will talk to you more next week. [00:12:00] [00:13:00]
Back again with governance... part two! (See also: part one!) Here we talk about some organizations and how they can be seen as "templates" for certain governance archetypes.
Links:
- Cygnus, Cygwin
- Mastodon
- Android
- Free Software Foundation, GNU
- Software Freedom Conservancy, Outreachy, Conservancy's copyleft compliance projects
- Commons Conservancy
- F-Droid
- Open Collective
- Linux Foundation
- 501(c)(3) vs 501(c)(6)
- Stichting
- Free as in Freedom
- LKML (the Linux Kernel Mailing List)
- Linus Doesn't Scale
- Spritely Networked Communities Institute
- Python and the Python Software Foundation, PyCon, the Python Package Index
- Python PEPs (Python Enhancement Proposals), XMPP XEPs, Fediverse FEPs, Rust RFCs
- Blender, Blender Foundation, Blender Institute, Blender Studio
- Blender's history
- Elephants Dream
- Mozilla Foundation and Mozilla Corporation
- Debian, Debian's organizational structure, and Debian's constitution
- EFF
- Oh yeah and I guess we should link the World History Association!
[Episode References]
- Monti Ransomware Unleashes a New Encryptor for Linux - https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html
- Unwanted Guests: Mitigating Remote Access Trojan Infection Risk - https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram
- Sophisticated, Highly-Targeted Attacks Continue to Plague npm - https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/
- FortiGuard AI Detects Continued OSS Supply Chain Hidden in Python Package Index - https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi
Script and presentation: Carlos Cabral
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia
The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typosquatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/98
Selected reading.
- Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal)
- Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP News)
- Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks (The Hacker News)
- Researchers tie FIN7 cybercrime family to Clop ransomware (The Record)
- Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs)
- PyPI new user and new project registrations temporarily suspended. (Python)
- PyPI repository restored after temporarily suspending new activity (Computing)
- RATs found hiding in the NPM attic (ReversingLabs)
- Legitimate looking npm packages found hosting TurkoRat infostealer (CSO Online)
- SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack (Mandiant)
- Mozilla Explains: SIM swapping (Mozilla)
- The Underground History of Russia's Most Ingenious Hacker Group (WIRED)
- Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia's Federal Security Service (US Department of Justice)
- Hunting Russian Intelligence "Snake" Malware (CISA)
- FBI misused intelligence database in 278,000 searches, court says (Reuters)
- FBI misused controversial surveillance tool to investigate Jan. 6 protesters (The Record)
- FBI broke rules in scouring foreign intelligence on Jan. 6 riot, racial justice protests, court says (AP News)
Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2023.03.30.533110v1?rss=1
Authors: Martin, J. T., Boynton, G. M., Baker, D. H., Wade, A. R., Spitschan, M.
Abstract: The normal human retina contains several classes of photosensitive cells: rods for low-light vision, three cone classes for daylight vision, and the intrinsically photosensitive retinal ganglion cells (ipRGCs) expressing melanopsin for non-image-forming functions including pupil size, melatonin suppression and circadian photoentrainment. The spectral sensitivities of the photoreceptors overlap significantly, which means that most lights will stimulate all photoreceptors, to varying degrees. The method of silent substitution is a powerful tool for stimulating individual photoreceptor classes selectively, which is useful in research and clinical settings. The main hardware requirement for silent substitution is a spectrally calibrated light stimulation system with at least as many primaries as there are photoreceptors under consideration. Device settings that will produce lights to selectively stimulate the photoreceptor(s) of interest can be found using a variety of analytic and algorithmic approaches. Here we present PySilSub (https://github.com/PySilentSubstitution/pysilsub), a novel Python package for silent substitution featuring flexible object-oriented support for individual colorimetric observer models (including human and mouse observers), multi-primary stimulation devices, and solving silent substitution problems with linear algebra and constrained numerical optimisation. The software is registered with the Python Package Index and includes example data sets from various multi-primary systems. We hope that PySilSub will facilitate the application of silent substitution in research and clinical settings.
Copyright belongs to the original authors. Visit the link for more info. Podcast created by Paper Player, LLC
Hello World! It's January 17, 2023. Welcome to a new edition of Cyber Briefing by Cybermaterial. Let's review the latest cybersecurity alerts and incidents.
CyberAlerts
- Malicious Lolipop, Python Package Index, infected with info stealing malware
- Russian hackers try to bypass ChatGPT restrictions for malicious purposes
- Avast releases free BianLian ransomware decryptor
CyberIncidents
- Norton LifeLock says thousands of customer accounts breached
- 1.7 TB of data stolen from Cellebrite, an Israeli digital intelligence company, were leaked online
Guest: Dustin Ingram
Panelists: Richard Littauer | Justin Dorfman
Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Joining us today is Dustin Ingram, who's a Staff Software Engineer on Google's Open Source Security Team, where he works on improving the security of open source software that Google and the rest of the world relies on. He's also the director of the Python Software Foundation and maintainer of the Python Package Index. Today, we'll learn about the Open Source Security Team at Google, what they do, the bill they've contributed to for Securing Open Source Software Act of 2022, a rewards program they have to pay maintainers called SOS rewards, and Google's role in the Sigstore project. Also, Dustin talks about the Python Package Index, he shares his opinion on the difference between security and sustainability, and what he's most excited about with work going on in the next year or two. Download this episode now to find out more!
[00:01:10] Dustin fills us in on the Open Source Security Team at Google, what they do there, how they prioritize which packages to work on, and which security bugs to work on.
[00:03:25] We hear about the team at Google working on the bill 4913 Securing Open Source Software Act of 2022.
[00:04:18] Justin brings up Dan Lorenc and Sigstore, and we learn Google's role in this project and making sure it's adopted more heavily in the supply chain.
[00:06:05] Dustin explains the model on how Google is working to make sure these projects stick together, and he tells us how an open source maintainer can make their code more reliable by going to Sigstore and other sites to talk to people.
[00:09:26] How does Google prioritize and choose which projects are the most important and where they're going to dedicate developer time to do that work?
[00:11:02] Dustin works on the Python Package Index, and he explains what it is, and with the PSF, how many directors they have, and how much he interfaces with other people there.
[00:12:17] We hear how Dustin dealt with the fallout from the backlash that happened during the mandatory multifactor authentication for the critical projects.
[00:16:52] When it comes to security, Richard wonders if Dustin has put a lot of thought into different grades of where it exists and who it's for, as well as if there's a ten to fifty year plan for the maintainers who move on to do other things and people are not going to be developing at all.
[00:19:13] Are there plans around education for maintainers and communities on how to onboard new maintainers and how to increase security without increasing load time for the maintainers working on their projects?
[00:20:21] We hear what the Securing Open Source Software Act is all about.
[00:22:21] Now that open source is the dominant distribution, Dustin shares his thoughts on if open source will stop working and explains the real strength of open source.
[00:24:09] Richard brings up the US government trying to secure their supply chain, working with future maintainers, code packages, working with foundations to figure out how we secure the ecosystem at large, and wonders if Dustin sees a way for the government to try and secure open source and not regulate it, but try to figure how to manage it without the help of foundations or package managers.
[00:26:56] Dustin shares his opinion on the difference between security and sustainability and what he thinks about that and what he's most excited about with work going on in the next year or two.
[00:30:28] Find out where you can follow Dustin and his work on the web.
Quotes
[00:03:34] "After Log4j, the government got really spooked because they really didn't know what software they were consuming, and President Biden did an executive order on securing a nation's cybersecurity, which was about setting a policy for how the government should consume open source."
[00:08:11] "We also do some other things to make that a little easier for open source maintainers to adopt these technologies."
[00:08:17] "One thing we have is a rewards program called SOS.dev, and that's a way that maintainers can get paid for doing what we feel is relevant security work."
[00:21:01] "The US government consumes a lot of open source software. They have a dependency on a lot more than most large companies that you can think of."
[00:21:11] "The answer to Log4j is not to stop using open source, it's to get better practices around determining what you have and just do industry best practices for finding and fixing vulnerabilities."
Spotlight
[00:31:17] Justin's spotlight is some awesome software called Rewind.ai.
[00:32:32] Richard's spotlight is Geoff Huntley.
[00:33:36] Dustin's spotlight is the Mozilla Open Source Support Program.
Links
- SustainOSS (https://sustainoss.org/)
- SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
- SustainOSS Discourse (https://discourse.sustainoss.org/)
- podcast@sustainoss.org (mailto:podcast@sustainoss.org)
- Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
- Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
- Dustin Ingram Twitter (https://twitter.com/di_codes)
- Dustin Ingram LinkedIn (https://www.linkedin.com/authwall?trk=gf&trkInfo=AQFx--arUWM32wAAAYVVP7pwcaKJmtv_xwAO_dyvHEdFxj0JMheal1V_PnvzCU1Fo_b5mai0jP51x2cucIULaN2C_6Hw_WNXexVVFtrbaamCLoGTNV3KU0oNc8E_cJD2AWGXUZA=&original_referer=https://www.google.com/&sessionRedirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fdustingram%2F)
- Dustin Ingram Website (https://dustingram.com/)
- Open Source Vulnerability (OSV) (https://osv.dev/)
- Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/guests/dan-lorenc)
- Sigstore (https://www.sigstore.dev/)
- SOS Rewards (https://sos.dev/)
- Python Package Index (PyPI) (https://pypi.org/)
- Sustain Podcast-Episode 75: Deb Nicholson on the OSI, the future of open source, and SeaGL (https://podcast.sustainoss.org/75)
- Open Technology Fund (https://www.opentech.fund/)
- Rewind (https://www.rewind.ai/)
- Geoff Huntley Twitter (https://twitter.com/GeoffreyHuntley)
- Explaining NFTs: Geoffrey Huntley interviewed by Coffeezilla about his NFT Bay Heist (YouTube) (https://www.youtube.com/watch?v=iLDOSnqN9-I)
- Mozilla Open Source Support Program (https://www.mozilla.org/en-US/moss/)
Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Dustin Ingram.
Talk Python To Me - Python conversations for passionate developers
One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy? That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.
Links from the show
Overview topics
- SolarWinds: csoonline.com
- XCodeGhost: macrumors.com
- Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com
- Dependency confusion: medium.com
- Typosquatting Is About More Than Typos: iqt.org
- Approaches to Protecting the Software Supply Chain: iqt.org
- A Quant's View of Software Supply Chain Security: usenix.org
Organizations
- Open Source Security Foundation (OpenSSF): openssf.org
- Python Security Response Team: python.org
Proposed solutions and tools
- pypi-scan: github.com
- AuraBorealis App: github.com
- Project Aura: aura.sourcecode.ai
- Aura source code: github.com
- Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com
- Have I Been Pwned: haveibeenpwned.com
- Snyk Package Advisor: snyk.io
- Backstabbers-Knife-Collection: dasfreak.github.io
- NetworkML Package: github.com
Misc
- Google as a Visionary Sponsor: pyfound.blogspot.com
- Episode transcripts: talkpython.fm
Sponsors
- Square
- Talk Python Training
- AssemblyAI
Watch the live stream: Watch on YouTube
About the show
Sponsored by Sentry: Sign up at pythonbytes.fm/sentry. And please, when signing up, click "Got a promo code? Redeem" and enter PYTHONBYTES
Special guest: Dr. Becky Smethurst
Brian #1: Powering the Python Package Index in 2021
Dustin Ingram
- A lot has changed in 5 years since the previous write-up
- From 3 people to 3 maintainers/admins, 5 moderators, 3 committers
- Companies donate about $1.8M per month in services: Fastly, mostly; Google Cloud ~$10K; AWS ~$7K; also Statuspage, Sentry, Datadog, Digicert, Pingdom
- Awesome grants to fund projects: rewrite of PyPI; localization, internationalization, API tokens and 2FA; Malware Detection and Update Framework; Foundational Tool Improvements & Productionized Malware Detection; Support Staff (a project manager)
- Growth, now up to (per day) 1.7B requests to PyPI, 55.4 TB served from PyPI
- Next steps: FUNDABLES.md, which is a non-exhaustive wishlist of large projects we'd like to see happen; become a member, donate, or volunteer
Michael #2: The Leuven Star Atlas
via Shahrin Ahmad
- Making a publication-quality stellar atlas from scratch
- Plotting one page of the atlas: There is one single python script that takes care of the plotting of a single page of the atlas (plot_map.py). At the moment it is 1545 lines long
- The goal was to produce a publication quality, both practical and visually pleasing star atlas aimed at amateur astronomers.
- Took about 1.5 months to build/develop
- Libraries used: numpy for all kinds of data handling and numerical operations; pylab / matplotlib for all the main plotting operations; basemap for the mapping (takes care of the projection and the related transformations); scipy for some specific interpolations and contours connected to the Milky Way; astropy and pyephem for celestial coordinate transformations
- Source data: All databases that I am using are either publicly available from the internet (under various licenses), or they are compiled by me from publicly available data (links in the article)
- One of the main new features of my atlas (compared to other atlases on the market) is the inclusion of the (as) precise (as possible) contours of the Milky Way on its pages.
- Interesting library: adjustText - automatic label placement for matplotlib
- The whole process takes around 4 hours on my laptop (using 4 cores in parallel).
- Whole thing reminds me of the quote: "Data cleaning isn't grunt work, it is THE work."
Becky #3: TI-84 Plus CE Python graphing calculator
- I remember being so attached to my graphical calculator at school and I swear I haven't used it since I was 18 - they were banned from my university exams
- Remember very pixelated screen, almost like an original GameBoy, and plotting was the worst - but what if you could have colour plots in Python
- Teaching kids to code early is so important, but learning to code with no purpose is also incredibly difficult.
- Learning alongside everything else makes it second nature, and when something is second nature it becomes a tool you can use to solve a whole host of problems
Brian #4: Python Package CI/CD with GitHub Actions
Johanan Idicula
- Nice write up of working with GH Actions
- Triggers from push or pull request
- Matrix runs: running jobs across different build environments (ubuntu, macos, windows) and different python versions
- Caching some tools to not have to load them for each combination; example caches Poetry
- Running tests, of course
- Checking artifacts
- Auto-merge some branches
- Release automation to pypi on 'v*' tag pushes
Michael #5: SpaceX is using Python for prototyping their Starlink satellite software
via Garett Dunn
- From four-part series on the software that powers SpaceX
- The software breaks down roughly into two parts: 1) software that flies and 2) software that supports the flying components.
- For Starlink, one of the main challenges is that our "towers" are orbiting Earth, forcing your path to the internet to change very frequently.
- The Earth-side network then provides continuous updates on traffic conditions and constellation changes, while each satellite updates the ground on its planned trajectory.
- Starlink software, both in satellites and on the ground, is written almost exclusively in C++. But the prototyping is done in … Python.
- The software is developed in a continuous integration environment, with teams merging into the master development branch often and deploying to the fleet of satellites in space each week.
- Live view: findstarlink.com, starlink.sx and starlinkradar.com/livemap.html
- The Python version allows for rapid iteration during the design phase. Once we are happy with the results of an algorithm, we port it to C++ so it runs efficiently in production.
Becky #6: A beginner's guide to working with astronomical data
- It's a scientific paper but huge sections on using Python to analyse images, remove noise, all the steps needed; not just for me as a professional but one I hope amateurs will find useful too
- Huge shoutout to astropy (Michael mentioned it before): revolutionised the field, but also those keen amateur astrophotographers who perhaps use a Raspberry Pi to drive their telescope or to analyse their images
Extras
Michael:
- Python for Astronomy with Dr. Becky episode on Talk Python
- KFocus laptops: a company looking to build a software + hardware stack, kind of like Apple with macOS. Very focused on AI workloads and high-end GPUs (e.g. 3080)
Becky:
- Books!
Joke: Uber Flaws, Distracted Space-Vegas
Special guest: Calvin Hendryx-Parker
Live stream: Watch on YouTube
Michael #1: AWSimple by James Abel
- AWSimple is a more object oriented interface on top of boto3 for some of the common "serverless" AWS services: S3, DynamoDB, SNS, and SQS.
- Features:
  - Simple Object Oriented API on top of boto3
  - One-line S3 file write, read, and delete
  - Automatic S3 retries
  - Locally cached S3 accesses
  - True file hashing (SHA512) for S3 files (S3's etag is not a true file hash)
  - DynamoDB full table scans (with local cache option)
  - DynamoDB secondary indexes
  - Built-in pagination (e.g. for DynamoDB table scans and queries). Always get everything you asked for.
  - Can automatically set SQS timeouts based on runtime data (can also be user-specified)
- Caching: S3 objects and DynamoDB tables can be cached locally to reduce network traffic, minimize AWS costs, and potentially offer a speedup.
Brian #2: coverage and installed packages
- I've covered coverage.py a lot on Test & Code, starting with episode 12, and even talked about it on episode 147, and many others. Except there's something I missed, hidden in plain sight, all this time.
- coverage --source, as well as pytest --cov if using the pytest-cov plugin, is not just a path.
- "You can specify source to measure with the --source command-line switch, or the [run] source configuration value. The value is a comma- or newline-separated list of directories *or package names*. If specified, only source inside these directories or packages will be measured." - coverage.py docs (emphasis mine)
- Up to now I was doing this trick I picked up from I don't remember where: I would run coverage from the top level project directory, specify the source as the project source, and set a [paths] setting in .coveragerc, the source setting to both the project source and the site-packages directory. Then the report would show the coverage of the source code, even though it was the site-packages code that was running.
- That trick is still nice to specify the output as your project directory, which is usually a shorter relative path. However, it's not essential. You can just specify the source as the package name, without the above trick, and coverage will report the coverage of the installed package. That is usually good enough.
- Super cool
Calvin #3: Finding Mona Lisa in the Game of Life with JAX by Atul Vinaya
- Lots of great code examples
- Showcases the speed increase you can get using JAX on a GPU vs CPU unvectorized
- Initial implementation took days of CPU time to get a rough result
- JAX compiles numpy to highly vectorized code to run on a GPU
- Requires some refactor of the code to optimize for a highly parallel run on GPUs
- Post includes link to notebook used for the project
- "Running ~1000 iterations for a 483px wide Mona Lisa on the google colab GPU runtime only takes around 40 seconds!"
Michael #4: Python Package Index nukes 3,653 malicious libraries uploaded soon after security shortcoming highlighted
From Mark Little
- Recall Google's Python goal was around PyPI security.
- Related (from @tonny): Poison packages – "Supply Chain Risks" user hits Python community with 4000 fake modules
- PyPI has removed 3,653 malicious packages uploaded days after a security weakness in the use of private and public registries was highlighted.
- "Developers are often advised to review any code they import from an external library though that advice isn't always followed." ← yeah
- Last month, security researcher Alex Birsan demonstrated how easy it is to take advantage of these systems through a form of typosquatting that exploited the interplay between public and private package registries.
- Birsan set out to see whether he could identify the names of private packages used inside companies and create malicious packages using those library names to place in the public package registries – the indexes that keep track of available software modules.
- The names of private packages turned out to be rather easy to find, particularly in the Node.js/JavaScript ecosystem because private package.json files show up rather often in public software repositories.
- So Birsan crafted identically named libraries that he designed to sneak system configuration data through corporate firewalls.
- The challenge then became getting applications that require private libraries to look for those file names in a polluted public source.
- As it turns out, it's common for corporate software developers to rely on a hybrid configuration for their applications, one that references private internal packages but also supports fetching dependencies from a public registry, in order to ensure packages are up-to-date.
- The companies that Birsan managed to attack with this technique include Apple, Microsoft, Netflix, PayPal, Shopify, Tesla, Uber, and Yelp. And for his efforts, he has been awarded at least $130,000 from bug bounty programs involving these firms.
- Birsan's success in carrying out such attacks should set off alarm bells. Software supply chain attacks present a higher degree of risk than many threat scenarios because they have the potential to affect so many downstream victims.
- Makes me want to set up devpi + devpi-constrained just for internal projects.
- What to do?
  - Don't do mass bogus uploads like this to prove your point. We appreciate the message you are trying to deliver, but it's already been documented so you are just making distracting work for other people who could more usefully be doing something else for the project.
  - Don't choose a PyPI package just because the name looks right. Check that you really are downloading the right module from the right publisher. Even legitimate modules sometimes have names that clash, compete or confuse.
  - Don't hook internal projects to external repositories by mistake. If you are using Python packages that you haven't published externally, then the one thing you can be sure of is that all external copies of "your" package are imposter modules, probably malware.
  - Don't blindly download package updates into your own development or build systems. Test and review everything you download before you approve it for use. Remember that packages typically include update-time scripts that run when you do the update, so malware infections could be delivered as part of the update process, not of the module source code that ultimately gets installed.
Brian #5: python-adventure
Brandon Rhodes
- "This is a faithful port of the 'Adventure' game to Python 3 from the original 1977 FORTRAN code by Crowther and Woods (it is driven by the same advent.dat file!) that lets you explore Colossal Cave, where others have found fortunes in treasure and gold, though it is rumored that some who enter are never seen again."
- "For extra authenticity, the output of the Adventure game in this mode, python3 -m adventure, is typed to your screen at 1200 baud."
- "Colossal Cave Adventure is the first known work of interactive fiction and, as the first text adventure game, is considered the precursor for the adventure game genre." - wikipedia
- related: Zork, 77-79, also an adventure game, was inspired by Colossal Cave Adventure, 75-77
- Zork on Chuck - Brian's a Chuck fan
- Brandon, can we have Zork also?
- side note: Closest I got was Dungeons of Daggorath on TRS-80. Not text based. Early 80's
Calvin #6: Exciting New Features in Django 3.2
From Haki Benita
- Upcoming LTS Release in the 3 series
- Expected in April
- Post highlights some interesting new features that you might not have noticed
- New Features:
  - Covering Indexes in Postgres support (performance plus!)
  - Timezones are hard and TruncDate now helps keep you from pulling out the foot cannon
  - JSONObject DB Functions, helping the unstructured data world keep using Postgres
  - Signal.send_robust() now logs exceptions so you don't have to!
  - The new QuerySet.alias() method allows creating reusable aliases for expressions (Performance!)
  - The new display decorator makes creating calculated admin fields cleaner
  - Value Expressions Detects Type, more cleaning up to allow the ORM to figure it out
  - Notable missing feature is Async ORM, but this will be awesome when it lands
- More are listed on the Django 3.2 Release Page
Extras:
Michael:
- Is Python on Mars?
- FastAPI Website course is out: talkpython.fm/fastapi-web
- Are you thinking of going to PyCon 2021? Over at Talk Python, we're giving away 5 tickets to the event: talkpython.fm/pycon2021
- Be sure to join us @ pythonbytes.fm/youtube
- Got a chance to speak to the medical field about Python and programming superpowers on the Finding Genius podcast.
Calvin:
- DjangoCon Europe 2021 CFP is Open until 4/1 https://2021.djangocon.eu/talks/cfp/
- Python Web Conf 2021: 4 Tracks this year; 60 Amazing Speakers (almost 20% women); Tickets: Professional $199, Student $99; Grants Available!
Joke:
/** Logger */ private Logger logger = Logger.getLogger();
// This is black magic // from // *Some stackoverlow link // Don't play with magic, it can BITE.
# For the sins I am about to commit, may Guido van Rossum forgive me
// Remove this if you wanna be fired
} catch(Exception ex) { // Houston, we have a problem }
int getRandomNumber() { Return 4; // chosen by fair dice roll. // guaranteed to be random. }
https://twitter.com/LinuxHandbook/status/1368974401979383810
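Returning to the dependency confusion item (Michael #4) above: an added example, not code from the show, from the article it discusses or from pip, of a pre-install check for the mitigations listed there. It parses a requirements file, flags internal package names that also resolve on the public index, and flags `--extra-index-url`, the option that makes pip consider both indexes for every name; the requirements text, the internal package list, the stand-in public index and the index URL are all constructed sample data.

```python
"""Dependency-confusion pre-install check (added example, not pip's own code)."""
import re
from typing import Callable


def normalize(name: str) -> str:
    """PEP 503 name normalisation as used by PyPI: "Acme_Utils" and
    "acme-utils" are the same project, so collisions must be compared this way."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Leading project name of a requirement line such as "acme-utils[extra]>=1.2 ; python_version>'3.8'".
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> tuple[list[str], list[str]]:
    """Split a requirements file into normalised package names and pip options."""
    names, options = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):  # pip options such as --extra-index-url or -r other.txt
            options.append(line)
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names, options


def audit(text: str, internal: set[str], public_has: Callable[[str], bool]) -> dict:
    """Report internal names that also exist on the public index, plus index
    options that let pip resolve every requirement against both indexes."""
    names, options = parse_requirements(text)
    internal_norm = {normalize(n) for n in internal}
    shadowed = sorted(n for n in names if n in internal_norm and public_has(n))
    # --extra-index-url merges the private index with the public one and pip
    # installs whichever index offers the highest version of a name.  A single
    # --index-url pointing at a private proxy (devpi, as mentioned above) avoids that.
    risky = [o for o in options if o.startswith("--extra-index-url")]
    return {"shadowed": shadowed, "risky_options": risky, "ok": not shadowed and not risky}


# ---- constructed sample data: not real packages, not real index contents ----
SAMPLE_REQUIREMENTS = """\
# internal libraries, published only to the company's private index
Acme_Internal_Utils==2.3.1
acme-billing-client>=1.0
# public dependencies
requests>=2.31
--extra-index-url https://pypi.example.internal/simple   # hypothetical private index URL
"""
INTERNAL_PACKAGES = {"acme-internal-utils", "acme-billing-client"}
# Stand-in for the public index.  In a real check this would be an HTTP lookup,
# e.g. GET https://pypi.org/simple/<name>/ where a 404 means the name is unregistered.
PUBLIC_INDEX = {"requests", "acme-internal-utils"}  # the internal name has been claimed publicly


def public_has(name: str) -> bool:
    return normalize(name) in PUBLIC_INDEX


def run_sample() -> dict:
    return audit(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, public_has)


if __name__ == "__main__":
    result = run_sample()
    for name in result["shadowed"]:
        print(f"WARNING: internal package {name!r} also exists on the public index")
    for opt in result["risky_options"]:
        print(f"WARNING: {opt} lets pip resolve every name against both indexes")
    raise SystemExit(0 if result["ok"] else 1)
```

Run it as a CI step before `pip install`; a non-zero exit blocks the build until the colliding name is claimed or reserved on the public index and the extra index option is replaced by a single private index.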
Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2020.11.08.370650v1?rss=1
Authors: Gilchrist, C. L. M., Chooi, Y.-H. H.
Abstract: Genes involved in biological pathways are often colocalised in gene clusters, the comparison of which can give valuable insights into their function and evolutionary history. However, comparison and visualisation of gene cluster homology is a tedious process, particularly when many clusters are being compared. Here, we present clinker, a Python based tool, and clustermap.js, a companion JavaScript visualisation library, which used together can automatically generate accurate, interactive, publication-quality gene cluster comparison figures directly from sequence files. Source code and documentation for clinker and clustermap.js is available on GitHub (github.com/gamcil/clinker and github.com/gamcil/clustermap.js, respectively) under the MIT license. clinker can be installed directly from the Python Package Index via pip.
Copyright belongs to the original authors. Visit the link for more info.
Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2020.11.06.371344v1?rss=1 Authors: Shave, S., Chen, Y.-K., Pham, N. T., Auer, M. Abstract: Understanding multicomponent binding interactions in protein-ligand, protein-protein and competition systems is essential for fundamental biology and drug discovery. Hand deriving equations quickly becomes unfeasible when the number of components is increased, and direct analytical solutions only exist to a certain complexity. To address this problem and allow easy access to simulation, plotting and parameter fitting to complex systems at equilibrium, we present the Python package PyBindingCurve. We apply this software to explore homodimer and heterodimer formation, culminating in the discovery that under certain conditions, homodimers are easier to break with an inhibitor than heterodimers and may also be more readily depleted. This is a potentially valuable and overlooked phenomenon of great importance to drug discovery. PyBindingCurve may be expanded to operate on any equilibrium binding system and allows definition of custom systems using a simple syntax. PyBindingCurve is available under the MIT license at: https://github.com/stevenshave/pybindingcurve as Python source code accompanied by examples and as an easily installable package within the Python Package Index. Copyrights belong to original authors. Visit the link for more info
Open source language, package installer, programming Python. pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. It is the most downloaded package on the Python Package Index. Doc Searls and Aaron Newcomb talk with the project manager of pip, Sumana Harihareswara, who is also a comedian and owner of Changeset Consulting. Changeset Consulting provides short-term project management services for free and open source software projects. They also talk with software developer and release manager of pip, Pradyun Gedam. They discuss the new changes that are coming to pip in the future, including changes to the pip dependency resolver, and why those changes are important. Hosts: Doc Searls and Aaron Newcomb Guests: Sumana Harihareswara and Pradyun Gedam Sponsor: barracuda.com/floss
Haarlem, 1956. No, this isn't an episode about New York, we're talking Haarlem, Netherlands. Guido Van Rossum is born then, and goes on to college in Amsterdam where he gets a degree in math and computer science. He went on to work at the Centrum Wiskunde & Informatica, or CWI. Here, he worked on BSD Unix and the ABC Programming language, which had been written by Lambert Meertens, Leo Geurts, and Steven Pemberton from CWI. He'd worked on ABC for a few years through the 1980s and started to realize some issues. It had initially been a monolithic implementation, which made it hard to implement certain new features, like being able to access file systems and functions within operating systems. But Meertens was an editor of the ALGOL 68 Report and so ABC did have a lot of the ALGOL 68 influences that are prevalent in a number of more modern languages and could compile for a number of operating systems. It was a great way to spend your 20s if you're Guido. But after some time building interpreters and operating systems, many programmers think they have some ideas for what they might do if they just… started over. Especially when they hit their 30s. And so as we turned the corner towards the increasingly big hair of the 1990s, Guido started a new hobby project over the holiday break for Christmas 1989. He had been thinking of a new scripting language, loosely based on ABC. One that Unix and C programmers would be interested in, but maybe not as cumbersome as C had become. So he got to work on an interpreter. One that those open source type hackers might be interested in. ALGOL had been great for math, but we needed so much more flexibility in the 90s, unlike bangs. Bangs just needed Aquanet. He named his new creation Python because he loved Monty Python's Flying Circus. They had a great TV show from 1969 to 1974, and a string of movies in the 70s and early 80s. They've been popular amongst people in IT since I got into IT. Python is a funny language. 
It's incredibly dynamic. Like bash or a shell, we can fire it up, define a variable and echo that out on the fly. But it can also be procedural, object-oriented, or functional. And it has a standard library but is extensible so you can add libraries to do tons of new things that wouldn't make sense to be built in (and so bloat and slow down) other apps. For example, need to get started with big array processing for machine learning projects? Install TensorFlow or NumPy. Or according to your machine learning needs you have PyTorch, SciPy, Pandas, and the list goes on. In 1994, 20 developers met at the US National Standards Bureau in Maryland, at the first workshop, and the first Python evangelists were minted. It was obvious pretty quickly that the modular nature and ease of scripting, but with an ability to do incredibly complicated tasks, was something special. What was drawing this community in? Well, let's start with the philosophy, the Zen of Python as Tim Peters wrote it in 1999: Beautiful is better than ugly. Explicit is better than implicit. Simple is better than complex. Complex is better than complicated. Flat is better than nested. Sparse is better than dense. Readability counts. Special cases aren't special enough to break the rules. Although practicality beats purity. Errors should never pass silently. Unless explicitly silenced. In the face of ambiguity, refuse the temptation to guess. There should be one—and preferably only one—obvious way to do it. Although that way may not be obvious at first unless you're Dutch. Now is better than never. Although never is often better than right now. If the implementation is hard to explain, it's a bad idea. If the implementation is easy to explain, it may be a good idea. Namespaces are one honking great idea—let's do more of those! Those are important enough to be semi-official and can be found by entering “import this” into a Python shell. Another reason Python became important is that it's multi-paradigm. 
When I said it could be kinda' functional. Sure. Use one big old function for everything if you're moving from COBOL and just don't wanna' rethink the world. Or be overly object-oriented when you move from Java and build 800 functions to echo hello world in 800 ways. Wanna map reduce your Lisp code? Bring it. Or add an extension and program in paradigms I've never heard of. The number of libraries and other ways to extend Python out there is pretty much infinite. And that extensibility was the opposite of ABC and why Python is special. This isn't to take anything away from the syntax. It's meant to be and is an easily readable language. It's very Dutch, with not a lot of frills like that. It uses white space much as the Dutch use silence. I wish it could stare at me like I was an idiot the way the Dutch often do. But alas, it doesn't have eyeballs. Wait, I think there's a library for that. So what I meant by white space instead of punctuation is that it uses an indent instead of a curly bracket or keyword to delimit blocks of code. Increase the indentation and you move to a new block. Many programmers do this in other languages just for readability. Python does it for code. Basic statements, which match or are similar to those in most languages, include if, for, while, try, raise, except, class, def, with, break, continue, pass, assert, yield, import and print, until Python 3 when print became a function. It's amazing what you can build with just a dozen and a half statements in programming. You can have more, but interpreters get slower and compilers get bigger and all that… Python also has all the expressions you'd expect in a modern language, especially lambdas. And methods. And duck typing, where suitability for a method is determined by the properties of an object rather than its type. This can be great. Or a total pain. Which is why they'll eventually be moving to gradual typing. 
The types of objects are bool, bytearray, bytes, complex, dict, ellipsis (which I overuse), float, frozenset, int, list, NoneType (which I try to never use), NotImplementedType, range, set, str, and tuple, so you can pop mixed tapes into a given object. Not to be confused with a thruple, but not to not be confused I guess… Another draw of Python was the cross-compiler concept. An early decision was to make Python able to talk to C. This won over the Unix and growing Linux crowds. And today we have cross-compilers for C and C++, Go, .Net, Java, R, machine code, and of course, Java. Python 2 came in 2000. We got a garbage collection system and a few other features and 7 point releases over the next 10 years. Python 3 came in 2008 and represented a big change. It was partially backward-compatible but was the first Python release that wasn't fully backward-compatible. We have had 7 point releases in the past 10 years as well. 3 brought changes to the print function, simpler syntax, moved to storing strings in Unicode by default, added a range function, changed how global variables react inside for-loops, implemented a simpler set of rules for order comparisons, and much more. At this point developers were experimenting with deploying microservices. Microservices is a software development architecture where we build small services, perhaps just a script or a few scripts daisy chained together, that do small tasks. These are then more highly maintainable, more easily testable, often more scalable, can be edited and deployed independently, can be structured around capabilities, and each of the services can be owned by the team that created it, with a contract to ensure we don't screw over other teams as we edit them. Amazon introduced AWS Lambda in 2014 and it became clear quickly that the new microservices paradigm was accelerating the move of many SaaS-based tools to a microservices architecture. 
Now, teams could build in Node or Python or Java or Ruby or C# or heaven forbid Go. They could quickly stand up a small service and get teams able to consume the back end service in a way that is scalable and doesn't require standing up a server or even a virtual server, which is how we did things in EC2. The containerization concept is nothing new. We had chroot in 1979 with Unix v7 and Solaris brought us containerization in 2004. But those were more about security. Docker had shown up in 2013 and the idea of spinning up a container to run a script and give it its own library and lib container, that was special. And Amazon made it more so. Again, libraries and modularization. And the modular nature is key for me. Let's say you need to do image processing. Pillow makes it easier to work with images of almost any image type you can think of. For example, it can display an image, convert it into different types, automatically generate thumbnails, run smooth, blur, contour, and even increase the detail. Libraries like that take a lot of the friction out of learning to display and manage images. But Python can also create its own imagery. For example, Matplotlib generates two dimensional graphs and plots points on them. These can look as good as you want them to look and actually allow us to integrate with a ton of other systems. Van Rossum's career wasn't all Python though. He would go on to work at NIST, then CNRI and Zope before ending up at Google in 2005, where he created Mondrian, a code review system. He would go to Dropbox in 2013 and retire from professional life in 2019. He stepped down as the “Benevolent dictator for life” of the Python project in 2018 and sat on the Python Steering Council for a term but is no longer involved. It's been one of the most intriguing “transfers of power” I've seen, but Python is in great hands to thrive in the future. This is the point when Python 2 was officially discontinued, and Python 3.5.x was thriving. 
By thriving, as of mid-202, there are over 200,000 packages in the Python Package Index. Things from web frameworks and web scraping to automation, to graphical user interfaces, documentation, databases, analytics, networking, systems administration, science, mobile, image management and processing. If you can think of it, there's probably a package to help you do it. And it's one of the easier languages. Here's the thing. Python grew because of how flexible and easy it is to use. It didn't have the same amount of baggage as other languages. And that flexibility and modular nature made it great for workloads in a changing and more microservice oriented world. Or, did it help make the world more microservice oriented? It was a Christmas hobby project that has now ballooned into one of the most popular languages to write software in the world. You know what I did over my last holiday break? Sleep. I clearly should have watched more Monty Python so the short skits could embolden me to write a language perfect for making the programmer's equivalent: smaller, more modular scripts and functions. So as we turn the corner into all the holidays in front of us, consider this while stuck at home: what hobby project can we propel forward and hopefully end up with the same type of impact Guido had? A true revolutionary in his own right. So thank you to everyone involved in Python and everyone that's contributed to those 200k+ projects. And thank you, listeners, for continuing to tune in to the History of Computing podcast. We are so lucky to have you.
In episode 29, we interviewed Jason R Coombs from the setuptools project. We started with a discussion about his background and his interest in Python and other programming languages. Following that, we had a thorough discussion about setuptools. We covered topics such as how he got involved in the project, the nature and composition of a Python package, why packaging your code can be important even for small projects, the hidden complexity of binary packages in the Python Package Index and how to maintain compatibility between Python versions. We also had a brief segment about the security aspects of Python packages. He informed us about how you could start contributing to the project and where to discuss Python packaging. We then followed with a general discussion about FLOSS in science and the problem of long-term maintenance in academia. We concluded the interview with our usual quick questions. 00:00:00.000 Intro 00:00:23 Introducing Jason R. Coombs 00:01:28 The first programming languages he learned and how he got into Python 00:03:46 New interesting programming languages 00:05:07 His favourite past Python projects 00:06:53 His one minute elevator pitch for setuptools 00:08:00 The relation between setuptools, pip and Anaconda 00:10:43 How he got involved with the setuptools project 00:14:43 What is a Python package? 00:16:07 What can be included in a package? 00:16:36 At which point is it beneficial to create a package? 00:18:04 Managing compatibility with multiple versions of Python 00:20:33 Advantages of packages for small projects 00:22:46 How much work is required to create a package? 
00:25:05 Files required to create a Python package 00:27:45 Licenses and readme for Python packages 00:30:51 The nature of distribution archives 00:31:27 Compatibility of binary archives 00:32:39 Eggs and wheel files 00:34:32 Dealing with non-portable packages in the Python Package Index across multiple operating systems 00:37:49 Uploading packages to the Python Package Index 00:39:12 Review for broken or malicious code 00:40:08 Vulnerability from package removal in the Python Package Index 00:43:24 Package name collisions 00:45:13 How many packages are in the Python Package Index 00:45:25 Alternatives to the main Python Package Index 00:46:35 Other packaging tools 00:47:39 How many developers are involved in the project 00:48:31 Communication channels and discussions about Python packaging 00:49:53 Openings for new contributors 00:50:59 Skills required to contribute 00:52:24 The challenge of long term maintenance of packages in academia 00:55:43 His vision about the importance of FLOSS for the openness of science 00:59:18 Disadvantages of using FLOSS 01:01:24 The most notable scientific discovery in recent years 01:02:13 Favourite text processing tool 01:03:23 A topic in science about which he recently changed his mind 01:04:50 Contact information 01:05:23 Conclusion
Sponsored by Datadog: pythonbytes.fm/datadog We’re launching a YouTube Project: pythonbytes.fm/youtube Brian #1: Announcing a new Sponsorship Program for Python Packaging “The Packaging Working Group of the Python Software Foundation is launching an all-new sponsorship program to sustain and improve Python's packaging ecosystem. Funds raised through this program will go directly towards improving the tools that your company uses every day and sustaining the continued operation of the Python Package Index.” Improvements since 2017, as a result of one time grants, a contract, and a gift: relaunch PyPI in 2018 added security features in 2019 improve support for users with disabilities and multiple locales in 2019 security features in 2019, 2020 pip & dependency resolver in 2020 Let’s keep it going We use PyPI every day We need packaging to keep getting better You, and your company, can sponsor. View the prospectus, apply to sponsor, or ask questions. Individuals can also donate. Michael #2: energy-usage A Python package that measures the environmental impact of computation. Provides a function to evaluate the energy usage and related carbon emissions of another function. Emissions are calculated based on the user's location via the GeoJS API and that location's energy mix data (sources: US E.I.A and eGRID for the year 2016). Can save report to PDF, run silently, etc. Only runs on Linux Brian #3: Coding is 90% Google Searching — A Brief Note for Beginners Colin Warn Short article, mostly chosen to discuss the topic. Michael & Brian disagree, so, what’s wrong with this statement? Michael #4: Using WSL to Build a Python Development Environment on Windows Article by Chris Moffet VMs aren’t fair to Windows (or macOS or …) But you need to test on linux-y systems! Enter WSL. In 2016, Microsoft launched Windows Subsystem for Linux (WSL) which brought robust unix functionality to Windows. 
May 2019, Microsoft announced the release of WSL 2 which includes an updated architecture that improved many aspects of WSL - especially file system performance. Check out Chris’ article for What is WSL and why you may want to install and use it on your system? Instructions for installing WSL 2 and some helper apps to make development more streamlined. How to use this new capability to work effectively with python in a combined Windows and Linux environment. The main advantage of WSL 2 is the efficient use of system resources. Running a very minimal subset of Hyper-V features and only using minimal resources when not running. Takes about 1 second to start. The other benefit of this arrangement is that you can easily copy files between the virtual environment and your base Windows system. Get the most out of this with VS Code + Remote - WSL Python Extension Anaconda Extension Pack Brian #5: A Pythonic Guide to SOLID Design Principles Derek D Again, mostly including this as a discussion point But for reference, here’s the decoder Single Responsibility Principle Every module/class should only have one responsibility and therefore only one reason to change. Open Closed Principle Software Entities (classes, functions, modules) should be open for extension but closed to change. Liskov's Substitutability Principle If S is a subtype of T, then objects of type T may be replaced with objects of Type S. Interface Segregation Principle A client should not depend on methods it does not use. Dependency Inversion Principle High-level modules should not depend on low-level modules. They should depend on abstractions and abstractions should not depend on details, rather details should depend on abstractions. Michael #6: Types for Python HTTP APIs: An Instagram Story Let’s talk about Typed HTTP endpoints Instagram has a few (thousand!) on a single Django app We can have data access layers with type annotations, but how do these manifest in HTTP endpoints? 
Instagram has a cool api_view decorator to “upgrade” regular typed methods to HTTP endpoints. For data exchange, dataclasses are nice, they have types, they have type validation, they are immutable via frozen. But some code is old and crusty, so TypedDict out of mypy allows raw dict usage with validation still. OpenAPI can be used for very nice documentation generation. Comments are super interesting. Suggesting pydantic, fastapi, and more. But that all ignores the massive legacy code story. But one is helpful and suggests Schemathesis: A tool for testing your web applications built with Open API / Swagger specifications. Extras: Michael: superstring follow up Joke: "How many programmers does it take to kill a cockroach? Two: one holds, the other installs Windows on it."
Outreachy receives the second Open Source Community Grant from IBM, the LLVM project adds mitigations for Load Value Injection attacks, more bad news for the Linux-based Atari VCS console, and the Python Software Foundation seeks recurring sponsorships to support its software repository.
PyPI is a core component of the Python ecosystem that most developers have interacted with as either a producer or a consumer. But have you ever thought deeply about how it is implemented, who designs those interactions, and how it is secured? In this episode Nicole Harris and William Woodruff discuss their recent work to add new security capabilities and improve the overall accessibility and user experience. It is a worthwhile exercise to consider how much effort goes into making sure that we don't have to think much about this piece of infrastructure that we all rely on.
Podcast participants: Artem Gavrichenkov, Konstantin Ignatov, Andrey Leskin and Alexander Kozlov. Topics of the sixth "Prokurator": 1 min. - BlueBorne: everything is bad, a Bluetooth vulnerability for everything - https://www.armis.com/blueborne/ 11 min. - Adobe and a private PGP key posted on a blog - https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/ 12 min. - Equifax and everything connected with it - https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html 20 min. - The FCC and public document uploads - https://medium.com/contratastic/the-fcc-gov-website-lets-you-upload-documents-and-host-them-there-bdcd5c1a5b8b 21 min. - AT&T and routers with hard-coded accounts - https://www.nomotion.net/blog/sharknatto/ 25 min. - A malware-laden update to CCleaner - https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security 27 min. - Python Package Index: someone uploaded at least several packages with typosquatted names - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ 31 min. - In Australia the police decided to learn to detect which of the cars driving past police vehicles are stolen. A guy did it cheaper. He used the Automatic License Plate Recognition library for it. The people who wrote it are themselves trying to earn money from it - https://medium.freecodecamp.org/how-i-replicated-an-86-million-project-in-57-lines-of-code-277031330ee9, https://github.com/openalpr/openalpr 36 min. - The Pirate Bay started embedding crypto mining in its JS. (and not only them lately, CBS Showtime for example, and the main question is what they even need it for, plus some bad advice about Cloudflare) - https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/ 40 min. - science news block: the "pocket EEG" and "the future of neurogaming" could be used together with certain malware to guess users' passwords. Sci-Hub banned and then unbanned Russia. 
The "gaydar" phenomenon has been studied fairly well and extensively, but meanwhile it suddenly turned out that deep neural networks can determine a person's orientation from their face better than people can (https://osf.io/zn79k/). Humanity is finally moving to units of measurement that are not tied to a human or to humanity. (https://www.wired.com/story/the-quest-to-perfect-the-universal-language-of-science/). The 2017 Nobel and Ig Nobel prizes 69 min. - Apple now says that their Face ID is not as perfect as it might have seemed at first (https://www.theguardian.com/technology/2017/sep/27/apple-face-id-iphone-x-under-13-twin-facial-recognition-system-more-secure-touch-id). In China 25 criminals were caught at a beer festival; they were identified using facial recognition software (http://www.dailymail.co.uk/sciencetech/article-4851564/Facial-recognition-detects-criminals-beer-festival.html). Good luck getting lost in a crowd now. Moscow wants the same https://rb.ru/news/person-of-interest/. 80 min. - Roskomnadzor and Google Global Cache 82 min. - The US Department of Homeland Security decided to ban all Kaspersky products as spyware. https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01 86 min. - open source news block: the "ban" of Fedora in Crimea. SSO for US citizens on government resources, login.gov. The code has been published for review and study by anyone interested. Then again, for them that is the law. IBM open-sourced its Java (https://github.com/eclipse/openj9). Apple open-sourced the OS kernel of practically all its devices (https://github.com/apple/darwin-xnu). "XNU is not UNIX" doesn't remind you of anything at all, not in the slightest. The theano project is ceasing development (https://groups.google.com/forum/#!topic/theano-users/7Poq8BZutbY). Firefox Quantum! 96 min. - Amazon UK was suggesting that users buy the components of explosives because they are "frequently bought together with…" - https://www.nytimes.com/2017/09/20/technology/uk-amazon-bomb.html
Talk Python To Me - Python conversations for passionate developers
See the full show notes for this episode on the website at talkpython.fm/64.
As Python developers we have all used pip to install the different libraries and projects that we need for our work, but have you ever wondered about who works on pip and how the package archive we all know and love is maintained? In this episode we interviewed Donald Stufft who is the primary maintainer of pip and the Python Package Index about how he got involved with the projects, what kind of work is involved, and what is on the roadmap. Give it a listen and then give him a big thank you for all of his hard work!