help to convert c++ fonction in python

Robert Kern robert.kern at gmail.com
Tue Oct 20 08:06:19 CEST 2009


Steven D'Aprano wrote:
> On Sat, 17 Oct 2009 19:48:46 -0400, geremy condra wrote:
> 
>> For the love of baby kittens, please, please, please tell me that you do
>> not believe this securely encrypts your data.
> 
> Surely that depends on your threat model?

Well, let's let the OP off the hook immediately. He's just trying to 
interoperate with another piece of software that wrote WPKG. So let's put all of 
the blame, if any, on the WPKG authors.

I would say that this form of obfuscation is totally inadequate for WPKG's 
actual threat model. The WPKG server, which performs unattended software 
installation, appears to run with a very high level of privilege in Windows. It 
implements its own authentication mechanism to allow low privilege clients to 
access it and install software.

   http://wpkg.org/System_User

It seems like the threat model has a large attack surface for a small 
investment. You don't need NSA level attacks here, just a typical hacker's job. 
It's certainly not unreasonable for this to be an easier target than social 
engineering for a largish payoff (remote software deployment across an entire IT 
infrastructure).

But perhaps this might be an acceptable choice if one were familiar with one's 
own IT infrastructure and were implementing this oneself, but to distribute this 
to other people....

And the thing is, it is actually pretty damn easy to do something standard and 
possibly-secure than it is to roll-your-own definitely-insecure system. It 
really doesn't buy you anything. There's just no reason to complicate matters. 
There is nothing here to justify bad crypto.

-- 
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
  that is made terrible by our own mad attempt to interpret it as though it had
  an underlying truth."
   -- Umberto Eco




More information about the Python-list mailing list