Telepathwords – password guesser

This tries to evaluate password strength by guessing the next character of your password.

https://telepathwords.research.microsoft.com/

Here’s a  Bruce Schneier blog posting on it

https://www.schneier.com/blog/archives/2013/12/telepathwords_a.html

I tried it out with a few of my (old) passwords (no longer in use). It was able to guess the next character about 25% of the time, and it was able to guess whole words (I use a variant of passphrases) about 10% of the time. What I want is an offline variant of this that can tell me the true entropy of my passwords. Interestingly, with about half my (old, not longer in use) passwords, it was unable to guess any of the next characters.

I would only use this to test password strength if I had an offline version, AND I had the source code to that offline version.

This points out the weakness in pure passphrases, the entropy is related to the number of words, not the number of characters.

Gitstats

http://gitstats.sourceforge.net/, source at https://github.com/hoxu/gitstats

I think this could be turned into something pretty cool with a little bit of work. As-is, it uses gnuplot to do the visualization, so that makes it a little hard to use on Windows. It would be nicer if it used matplotlib or the Python ggplot2, or the approach that IPython Notebook took.

So, speaking of “the future of visualization in Python”, here are some links.

And for fun, to emulate XKCD

Interesting bits

DissidentX from Bram Cohen – a “censorship resistance tool”.

Microsoft is offering Visual C++ Refactoring – you can rename variables, for example. It’s more of a tech demo than anything else, at least at the moment.

Bitcoin mining currently uses $15 million a day in electricity – maybe. Can Bitcoin reach $98,500 per coin? Or is the fair price of a Bitcoin actually zero?

GCC poison? Maybe. Still pissed at Microsoft trying to deprecate strcpy etc, so misguided.

David Lowery thinks Silicon Valley is destroying creativity? Sigh. Or lol. I can’t decide which. So misguided.

Guy Kawasaki says you must enchant your customers. I probably agree.

First class functions in C. Although, it’s really more of a stunt.

Mac OS 10.9 has had incredible adoption rates (upwards of 50% of Macs are now running 10.9), but Windows 8 feels like a flop; it’s still not at 10% adoption rate, and Windows 7 adoption rate is now outpacing Windows 8.

Applebee’s and Chili’s rolling out iPads – is this going to replace waiters?

Shanghai-China is #1 on the Pisa 2012 results (which is Math, Reading and Science). The US is #36. Below Russia. Below France, Italy and Spain. Sigh.

Is there a link between wormholes and quantum entanglement? That’s pretty cool.

How does the NSA break SSL? Tricks.

A lock-free ring buffer.

 

Cog – interesting Python-based code generator

http://nedbatchelder.com/code/cog/

I like the approach, which is that you can (1) do generated code for any language and (2) edit the generated code with some freedom, because there are markers to separate generated code from non-generated code.

Cog uses Python – it runs any Python code inside the file, replacing the whole file with the output from the generation. I’ll have to try it out in conjunction with SCons.

Extending Python import

I want Python’s import to look something like this

import google.protobuf.message from ('Python Google Protocol Buffers', '2.5.0',
                                     'c9818b6c4f44a10a96d8409044da41a540b40272')

The extra information is hints – hints to the import system to make sure that it found the correct google package, hints to a search/download system on where to look for it if it’s not already present locally. This would basically replace pip. I don’t want to need to install packages. I don’t mind installing packages, you can prebake a system, but it should be an option for efficiency’s sake, not something that everyone must do.

Go has taken a big step in this direction, but it’s a little inflexible. It will download a package from a remote repository, but you have to specify the path, and it’s to a specific repository. This has long-term implications, all your code will need updating if the repository moves. Also, this is not very distributed, and you can’t package things up easily for bundle distribution. Every first-time run of a Go program is going to hit the remote repositories – packages are cached in your local program, but not even system-wide.

What I want is very loose coupling. If I have modules preinstalled on my system and they are the right modules, they get used. If not, my import casts a net to find it, and this search process can be enhanced as desired. For example, a company might want to keep a local cache server of packages so that most searches can be satisfied locally, only going out to other networks for unknown packages. Or an organization might push a giant set of likely-defined modules to every system.

I also want as much flexibility as possible. I like the Google search approach – no schema that has to absolutely be followed, it’s all hints, hints to a search engine. But the hints are specific enough that you’ll find exactly what you are looking for.

Also, I want something that automatically handles architecture differences, platform differences, compiler/interpreter differences, and so on. If I run my code in Python 2.7, I want it to use a Python 2.7-compatible library (e.g. perhaps already precompiled for my exact version of Python), but if I run it in Python 3.3, I might expect a different Python 3.3-savvy library to be used. Or if I’m running on a Windows 7 64-bit machine, then I want any native code to be specific to my architecture and operating system.

Links

surrogate is a library used to create stubs for non-existing modules in sys.modules. Its aim is for unit testing, but it’s an example of manipulating sys.modules.

PEP 302 — New Import Hooks is the original specification for import hooks, kept around because the current system uses it for documentation on how to make custom importers.

The current system is described in The import system and importlib in the Python 3 documentation; also see sys.meta_path and related in the sys module reference. I don’t yet know how much of this is in Python 2.7. However, this still doesn’t let me get extra hint information to my custom importer.

The sum of all knowledge of Python packaging is contained herein: Python Packaging User Guide. OK, maybe not quite, but this is from the Python Packaging Authority, a group working on packaging and installing distributions in Python.

Bento is another interesting Python package system.

Some related module-system PEPs

Loading (and unloading) Python modules

I have a need to unload modules, or rather packages. It turns out to be a little messy, due to how import places stubs into sys.modules for lookups it knows will always fail. Or, rather, in order to properly unload modules, you have to know how modules were loaded in the first place.

Let’s say we have a package called package, i.e. a directory package/, with a __init__.py file inside it, along with the module files for package.

Let’s assume that __init__.py uses some other Python modules.

import os
import sys
... do stuff

What do you think will be in sys.modules after you import package?

You’ll see this

...
package <module 'package' from 'package\__init__.pyc'>
package.os None
package.sys None
...

The first entry is the code loaded for package. However, what are those next two entries? For example, the package.os entry records the fact that an import of os inside package is a redirection to a top-level os package, not a module inside package. This is an optimization for future imports, and nothing more. Furthermore, these exist only if PEP 328 is not in effect (explicit relative imports).

The basic drill for unloading a module is to remove any related entries from sys.modules, and then to hope you can remove all variables pointing inside the loaded module. Typically, this will be the symbol created from the import. So, all things being equal, you do this to import

import package

and this to “un-import”

del sys.modules["package"]
del package

and now the next import package that you do will cause Python to search for your package module and load it (import is a no-op on an already-loaded module).

You may or may not need to remove the stub entries. Presumably you are unloading and reloading in order to load a different version of the module (in my case, I’m bootstrapping to a newer version). If so, then it really depends on whether or not you overload names that might be in the search path. If you don’t ever do this, then don’t worry about it.

But it’s not really that simple. One of your modules might include others of your modules. For me, when I import package.cache (one of the modules inside package), I get this

package <module 'package' from 'package\__init__.pyc'>
package.__future__ None
package.cache <module 'package.cache' from 'package\cache.pyc'>
package.errno None
package.httplib None
package.lockfile <module 'package.lockfile' from 'package\lockfile.pyc'>
package.os None
package.package None
package.shutil None
package.socket None
package.stat None
package.sys None
package.tempfile None
package.threading None
package.time None
package.urllib None
package.util <module 'package.util' from 'package\util.pyc'>
package.zipfile None

My package.cache module in turn uses package.lockfile and package.util, and those import lots of standard modules, all of which get stubs. So to unload everything, I really need to remove everything starting with package. That might look something like this

for k in [x for x in sys.modules.keys() if x.startswith('package.')]:
  del sys.modules[k]
del sys.modules['package']
del package

which would remove everything inside package, and package, and then remove the local dictionary that contains package’s variables. My Python is probably not idiomatic enough yet, the use of that list comprehension seems strained.

Who is Satoshi Nakamoto?

Here are several attempts over the past few years to try to find out who Satoshi Nakamoto, the pseudonymous inventor of Bitcoin, really is.

Satoshi Nakamoto is (probably) Nick Szabo is an analysis of online sources to find writing similar to that of the Bitcoin whitepaper.  I don’t know who LikeInAMirror is, this is the only post to this blog. For reference, Unenumerated is Nick Szabo’s blog, and it’s worth reading. Certainly Nick Szabo has strong circumstantial ties to Satoshi Nakamoto and Bitcoin.

Dorit Ron and Adi Shamir (the ‘S’ in RSA) claimed to find a link between Ross Ulbricht (the infamous Dread Pirate Roberts from the Silk Road) and Satoshi Nakamoto. Here is the NYTimes blog posting, here is the second revision of the paper, here is a rebuttal from Dustin Trammell, here is a Reddit thread that’s gathers a lot of information together, and here is a retraction of the claim. So we’re pretty sure Satoshi Nakmoto is indeed not Dustin Trammell.

The article Who Is Satoshi Nakamoto by vice.com has another list of suspects. I hesitate to call them likely suspects.

Joshua Davis, in a 2011 New Yorker article, attempted to track down Satoshi Nakamoto. Here’s a PDF link (not sure whether it’s licit or not, sorry). He turned up a few names, but again, nothing definitive. The individual that Joshua tried to connect to Satoshi, Michaal Clear, went on to publish a rebuttal of sorts. And someone annotated the article.

After the New Yorker article was published, Adam Penenberg wrote on his attempt in an article for Fast Company and turned up a patent application. To his credit, he doesn’t claim the patent filers are Satoshi Nakamoto, but more to point out just how hard it will be to unmask him.