[Python-ideas] PEP 504: Using the system RNG by default

Nick Coghlan ncoghlan at gmail.com
Wed Sep 16 06:00:22 CEST 2015


On 16 September 2015 at 11:16, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Guido van Rossum writes:
>  > The concept of secure vs. insecure sources of randomness isn't
>  > *that* hard to grasp.
>
> Once one *tries*.  Read some of Paul Moore's posts, and you will
> discover that the very mention of some practice "improving security"
> immediately induces a non-trivial subset of his colleagues to start
> thinking about how to avoid doing it.  I am almost not kidding;
> according to his descriptions, the situation in the trenches is very
> nearly that bad.  Security is evidently hated almost as much as spam.

Yep, hence things like http://stopdisablingselinux.com/

SELinux in enforcing mode operates on a very simple principle: we
should know what system resources we expect our applications to
access, and we should write that down in a form the computer
understands so it can protect us against attackers trying to use that
application to do something unintended (like steal user information).

However, what we've realised as an industry is that effective security
systems have to be *transparent* and they have to be *natural*. So in
a containerised world, SELinux isolates containers from each other,
but if you're writing code that runs *in* the container, you don't
need to worry about it - from inside the container, it looks like
SELinux isn't running.

The traditional security engineering approach of telling people
"You're doing it wrong" just encourages them to avoid talking to
security people [1], rather than encouraging them to improve their
practices [2].

Hence the proposal in PEP 504 - my goal is to make the default
behaviour of the random module cryptographically secure, *without*
unduly affecting the use cases that need reproducibility rather than
cryptographic security, while still providing at least a nudge in the
direction of promoting security awareness. Changing the default
matters more to me than the nudge, so I'd be prepared to drop that
part.

Regards,
Nick.

[1] http://sobersecurity.blogspot.com.au/2015/09/everyone-is-afraid-of-us.html
[2] http://sobersecurity.blogspot.com.au/2015/09/being-nice-security-person.html

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia