[Python-ideas] PEP 504: Using the system RNG by default

Cory Benfield cory at lukasa.co.uk
Wed Sep 16 10:28:26 CEST 2015


On 16 September 2015 at 08:23, Tim Peters <tim.peters at gmail.com> wrote:
> Fundamentally, I just don't see the sense in saying that someone who
> does their own seeding deserves whatever they get, while someone who
> uses an inappropriate generator in a security context should be saved
> from themself.  I know, I read all the posts about why I'm wrong.  I
> just don't buy it.  There's no real substitute for understanding what
> you're doing, regardless of field.  Yes, incompetence can cause great
> damage.  But I'm not sure it does the world a real favor to possibly
> help a programmer incompetent to do a task keep working in the field a
> little longer.  This isn't the only damage they can cause, and the
> longer they keep working in an area they don't understand the more
> damage they can do.  The alternative?  Learn how to use frickin'
> SystemRandom.  It's not hard.  Or get work for which they are
> competent.

Because that's never how these things go. You usually don't write a
password generator that uses a non-CS PRNG in a security context, get
discovered in the short term, and fired/reprimanded/whatever. Instead,
one of the following things happens:

- you get code review from a reviewer who knows the problem space and
spots the problem. It gets fixed, you get educated, you're better
prepared for the field.
- you get code review from a reviewer who knows the problem space but
*doesn't* spot the problem because Python isn't their first language.
It doesn't get fixed and no-one notices for ten years until the
problem is exploited, but you left the company 8 years ago and are now
Head of Security Engineering at CoolStartupInc.
- you don't get code review, or your reviewer is no better informed on
this topic than you are. The problem doesn't get fixed and no-one
notices ever because your program isn't exploited, or is only
exploited in ways you never find out about because the rest of your
security process sucked too, but you never find out about this.

This is the ongoing problem with incompetence when it comes to
security: the feedback loop is long and the negative event fires
rarely, so most programmers never experience it. Most engineers have
*never* experienced a security vulnerability in their own project, let
alone had one exploited. Thus, most engineers never get the negative
feedback loop that tells them that they don't know enough to do the
work they're doing.

Look at all the people who get this wrong. Consider haveibeenpwned.com
for a minute. They list a fraction of the website databases that have
been exposed due to security errors. At last count, that list includes
(I removed more than half for the sake of length):

- Adobe
- Ashley Madison
- Snapchat
- Gawker
- NextGenUpdate
- Yandex
- Forbes
- Stratfor
- Domino's
- Yahoo
- Telecom Regulatory Authority of India
- Vodafone
- Sony
- HackingTeam
- Bell
- Minecraft Forum
- UN Internet Governance Forum
- Tesco

Are you telling me that every engineer responsible for these is not
working in the industry any more? I doubt it. In fact, I think most of
these places can't even account for which engineer is responsible, and
if they can odds are good they left long before the problem was
exploited.

So you're right, there is no real substitute for knowing what you're
doing. But we cannot prevent programmers who don't know this stuff
from writing the code that does it. We don't get to set the bar. We
cannot throw GoReadABookOrTwo exceptions when inexperienced
programmers type random.random, much as we would like to.

With that said, we *can* construct an environment where a programmer
has to have actually tried to hurt themselves. They have to have taken
the gun off the desk, loaded it, disabled the safety, pointed it at
their foot, and pulled the trigger. At that point we can say that we
took all reasonable precautions to stop you doing what you did and you
did it anyway: that's entirely on you.

If you disable the safety settings, then frankly you are taking on the
mantle of an expert: you are claiming you knew more than the person
who developed the system, and if you don't then the consequences are
on you. But if you use the defaults then you're just doing the most
obvious thing, and from my perspective that should not be a punishable
offence.
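The password-generator scenario described above, as an added example that is not part of the original post: the "before" form draws from the default Mersenne Twister `random.Random`, the hardened form draws from `random.SystemRandom` (the one named in the thread), and a small check shows the failure mode, namely that seeding the default generator makes every "password" reproducible while `SystemRandom.seed()` is a documented no-op. The alphabet, lengths and seed value are constructed for illustration.

```python
import random
import string

# Constructed alphabet for the example: letters and digits.
ALPHABET = string.ascii_letters + string.digits


def weak_password(length=16, rng=None):
    """'Before': random.Random is a deterministic PRNG (Mersenne Twister).

    Its output is fully determined by its seed, so it is not suitable for
    secrets such as passwords or tokens.
    """
    rng = rng if rng is not None else random.Random()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length=16):
    """'After': random.SystemRandom reads from the OS CSPRNG (os.urandom).

    Python 3.6+ also offers the `secrets` module, which wraps SystemRandom
    for exactly this purpose; SystemRandom itself is what the thread names.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def is_reproducible(generator_factory, length=16, seed=12345):
    """Seed two fresh generators identically and compare their output.

    A deterministic generator yields the same 'password' twice; SystemRandom
    ignores seed() and yields two independent strings.
    """
    a = generator_factory()
    b = generator_factory()
    a.seed(seed)
    b.seed(seed)
    first = "".join(a.choice(ALPHABET) for _ in range(length))
    second = "".join(b.choice(ALPHABET) for _ in range(length))
    return first == second


def uses_system_rng(rng):
    """Review-time check: accept only generators backed by the OS CSPRNG."""
    return isinstance(rng, random.SystemRandom)


if __name__ == "__main__":
    print("default random.Random reproducible:", is_reproducible(random.Random))
    print("SystemRandom reproducible:", is_reproducible(random.SystemRandom))
    print("strong password:", strong_password())
```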
