Time  Nick      Message
00:26 prologic  https://mail.python.org/pipermail/python-dev/2015-April/139253.html
01:19 pdurbin   prologic: so... you're anti PEP 484?
01:24 prologic  not particularly
01:24 prologic  but I do agree with some of the points
01:24 prologic  it adds cognitive overheads, more work
01:25 pdurbin   I'm not enough of a pythonista to really get what's going on in the PEP or that post.
01:28 prologic  lemme glance at it again quickly
01:28 prologic  ahh yeap
01:29 prologic  so yeah Type Hints
01:29 prologic  So sometime in Python 3 (I think 3.3+) added Type Annotations
01:29 prologic  e.g:
01:29 prologic  def foo(a: int, b: int) -> int:
01:29 prologic  or something
01:29 prologic  where the annotations themselves are valid python 3+ syntax but are ignored by the runtime
01:30 prologic  but are more of a standardized way of static snalyais tools, ides and what not picking up on "declared types" of functions, etc
01:30 prologic  I think now there is contention (from the ml post above) around whether to do this inline and/or stub files
01:30 prologic  both have pros/cons
01:30 prologic  that's my take from it all so far :)
01:31 prologic  I personally have nothing against type hints and type annotations per se as long as they *do* remain a completely optional feature of the language
01:31 prologic  I can certainly see tooling and the ecosystem at large benefiting from them
01:31 pdurbin   ok, so the plan is to always ignore them at runtime for now
01:31 prologic  but the moment Python turns into a static language I think I'll go find some other language to become an *isa in :)
01:32 pdurbin   heh
01:32 prologic  well
01:32 prologic  I think changing the runtime would breka far too much
01:32 prologic  and would turn Python into some other langauge anyway
01:32 prologic  so I doubt that'll ever happen
01:32 pdurbin   me too
01:32 prologic  it's already been convention for example to declare types of functions and classes, etc in docstrings
01:33 prologic  using sphinx rst rextensions and what not
01:33 prologic  so this is just a way of standaizing that of sorts
01:33 pdurbin   and tools might make use of it
01:33 prologic  problem though is that it makes function signature very messy going forward ihmo
01:33 prologic  and other agree
01:33 prologic  it also hurts readability as well in a lot of cases
14:33 codex     pdurbin: whoaaa -- now i'll have to check it out
14:33 codex     ohh, n.m
14:33 codex     he was intercepting...duhh :)
14:34 codex     they should probably pin their certs though
14:54 pdurbin   intercepting? so it's not really a security problem?
15:47 hydrajump pdurbin: what I understand the guy did was use burp suite to proxy the paypal ios app's communication with paypal's servers. Had the paypal app used certificate pinning as codex mentioned it would have been harder to do as the app would only trust paypal's cert and not the one from burp suite (which was required to intercept the traffic in the first place).
15:49 hydrajump with regards to his wifi SSID being sent to paypal it is stated in paypal's TOS/privacy policy that they use various metadata such as your location for fraud detection.
15:50 hydrajump http://www.troyhunt.com/2015/04/mobile-app-privacy-insanity-were-still.html#.VTZV1D49gio.twitter
15:51 hydrajump if you scroll down to "Invasive personal device data tracking" you'll see how much personal identifiable data the paypal app sends
16:44 pdurbin   hydrajump: thanks! will check it out in a bit
18:03 dotplus   hydrajump: it all hinges on your definition of what it means for a port to be 'open'. Generally, it means that something has to be bound to that socket and listening for connections. so if ssh is not listening (nor anything else) then it's not open. That doesn't necessarily mean that it's blocked in any way by either a host-based or network firewall in between.
18:41 hydrajump dotplus: very concise explanation. thanks ;)
18:41 dotplus   oh. and waay out of date. scrollfail.
18:48 hydrajump hehe
22:05 codex     pdurbin: basically he said: <ios-paypal-app>---->(him)---->payoal
22:05 codex     he said to "ios-paypal-app" that "i am paypal" and to paypal he said "i am the ios-paypall-app"
22:05 codex     and he created 2 connections -- 1 with each. And then inspected everything in the middle b/c the ios-paypal-app -> him was w/ his own cert
22:06 codex     but anyway, the way he wrote it is about the same as someone saying "the earth is on fire"
22:06 codex     and then reading in the comments something like "actually, my gas stove has a flame"
22:07 melodie   codex what does that mean clearly?
22:07 codex     he is doing a MITM attack against himself by knowingly feeding a certificate to his iOS that he has created w/ his own CA
22:43 melodie   so that's not a very big security issue if he is doing it to himself, no harm done, right?
22:43 melodie   why does he do that, a test?
22:44 melodie   codex
22:44 melodie   :)