Category Archives: python

Welcome to your new NSA partner network. Tech art in Berlin.


Whilst walking around the Afterglow art hack day opening in Berlin, my phone buzzed as I had received a text message.  Opening up my phone I saw this:

“Welcome to your new NSA partner network.”

I immediately had a scary thought.  “Had someone hacked into my phone?”

My next thought was “oh, someone is hacking the mobile networks”.  “Damn, I forgot to turn my phone off like I usually do before coming to hacker events”.

My phone didn’t have service to either of the networks it usually connects to, so someone was definitely jamming the phone systems.

This message was a very impressive piece of tech art indeed.  It made me think, and feel something.



Rest your head against the speaker.
Part of the art hack day.

“The revolution is over. Welcome to the afterglow,” reads the opening line of the transmediale festival in Berlin.

The transmediale festival brought back cyberpunk-type thoughts from the last 15-20 years or so.  Now that the digital revolution is over, and “the future is now”, and 2020 is just around the corner… what next?

The afterglow.

“What is next” is a question lots of people in tech are always pontificating about, but perhaps not in the context of the time known historically as the information revolution.

Despite all that lofty talk, and a long speech on this topic, the event was a lot of fun.  Especially the art hack day parts.  Lots of people were there interacting with various art works people had made.

Some sort of electronic alchemy going on here

“Art Hack Day as a grassroots event/exhibit format/community for artists whose medium is tech and hackers whose medium is art.”

Over 80 artist hackers were invited to create the exhibit from scratch in 48 hours.  What they came up with was quite often fun and impressive.

Stamps combine to make prints.

Knowing the design brief for these pieces can give you a better appreciation of what went into the thought process.  Here is the brief the creators were given:

As coders we fear the ‘legacy’ system, a piece of old junk we haven’t yet figured out how to throw away. As artists, we’re tempted by prolific outbursts of freshness and novelty; more art of less value. Businesses and government crave more data, more connections, more context. By embracing these impulses without contemplation we perpetuate the technological hype cycle and unintentionally shorten the half-life of our artefacts. Technology has become akin to a natural resource, generating physical and immaterial waste that is appropriated in such diverse contexts as e-garbage dumps, big data businesses and mass surveillance schemes. As such, trash is no longer what is just left behind but is central to our post-digital lives. When digital detritus piles up it decomposes, giving rise to a post-digital afterglow with the potential for new expression and new enterprise. Can we make peace with our excessive data flows and their inevitable obsolescence? Can we find nourishment in waste, overflow and excess? Can the afterglow of perpetual decay illuminate us?

This honey pot exhibit was one of my favourites.  If you look closely you can see a phone in there tempting passers by…

Honey pot.  With actual honey. With phones in the honey.

Below are a selection of short video clips showing some of the other exhibits in motion.

The tower of beer was one of my favourites.  Not just because it had beer cans in it, but because of the great video effect it had when filmed.

The augmented reality of this tablet swinging from a rope was popular.  Point it at the picture of a rubbish bin painted on the wall, and the video will show rubbish flowing out of the wall.

Not only is the Afterglow happening for the digital revolution, but also for the revolution in Berlin.  After the Berlin wall fell, many artists entered the city from around the world.  It is currently undergoing another revolution of sorts, with many tech companies growing from within Berlin, and also moving to Berlin.  However, tech in Berlin has been around for a long time.  From groups like the Chaos Computer Club (Europe’s largest association of hackers) to the Z3 (the world’s first working programmable, fully automatic digital computer), Berlin has a very old historical involvement with technology.  The other revolution in tech that is going on is citizens fighting back against surveillance by the state and corporations.  So maybe we are not finished with the digital revolution, and perhaps it will cycle, one more time, towards a future.  But which future?



Posted in Art, berlin, music, pygame, python, raspberrypi, tech | Comments Off

Serial and pixels for breakfast. Arduino + pygame.

Taking a byte of bits of Serial, along with Green screen with Sam, pygame, and an Arduino hooked up to a light sensor and a motor thing.  Coffee too?  Naturally.  Where do we begin?  At the end of course.  A video of the result… The arduino… Continue reading

Posted in arduino, making, music, pygame, python | Comments Off

Reducing the number of concepts. To make teaching easier.

I am Sam.  Sam I am*.  Well at least my middle name is Sam.  So of course, one fun book I’ve always been drawn to is Green Eggs and Ham. The famous beginners book by “Dr. Seuss”.  It contains just 50 different words: a, am, and… Continue reading

Posted in language, pygame, python, teaching | Comments Off

Raspberry pygame

The Arduino adventure took a little pause today… I finally managed to buy a raspberry pi.  Things have improved greatly with the software since I messed around with an alpha board 1 year and 7 months ago.  Pygame is even on the desktop!  Pret… Continue reading

Posted in pygame, python, raspberrypi | Comments Off

pygame logo colour swatches

Been messing around with some colour swatches for the neu pygame website… colors/colours for pygame logo Continue reading

Posted in pygame, python | Comments Off

How I got Dynamite Jack from 62MB down to 46MB

Hey, So – I went Universal with Dynamite Jack just today! Yay! This involved a lot of “blah blah” messing with resizing all the menus for iPhone users, which wasn’t very interesting, though it came out really well. The interesting bit was when I realized that “going Universal” meant that my retina iPad assets were [...] Continue reading

Posted in C++, dynamitejack, python | Comments Off

KEEP PYTHON WEIRD

Posted in python | Comments Off

pretty print json

Pretty Print JSON

How to pretty print json from the command line?

    $ echo '{"foo": "lorem", "bar": "ipsum"}' | python -mjson.tool
    {
        "bar": "ipsum",
        "foo": "lorem"
    }
    $ python -mjson.tool < /tmp/input.json
    {
        "bar": "ipsum",
        "foo": "lorem"
    }
    $ …

Continue reading

Posted in json, python | Comments Off

Pygame Google Summer of Code, 2012.

Thanks to the students, and mentors donating their time, along with the PSF, and Google, the following pygame related projects are ongoing over the summer.

“Pygame: GUI toolkit” by Sam Bull (sambull), mentored by Mike Fletcher(mcfletch) and with backup mentor Robert Deaton (masquerade). (Proposal | Blog)

“Pygame: Improved Sprite and Scene system” by Sagie Maoz (n0nick), co-mentored by Robert Deaton (masquerade) and Katie Cunningham (kcunning). (Proposal | Blog)

“Easy networking in PyGame” by Szymon Wróblewski (bluex), mentored by Rene Dudfield (illume) and with backup mentor Mike Fletcher (mcfletch). (Proposal | Blog)


Some project updates:

Sagie wrote a tutorial on pygame.sprite.Dirty and pygame.sprite.LayeredDirty, as well as a blog update on his progress.
    http://dotfile.n0nick.net/quick-dirty-using-pygames-dirtysprite-layered
    http://dotfile.n0nick.net/gsoc-journal-weeks-1-2

Szymon wrote a blog post on the networking project:
    http://pygame-networking.blogspot.com/2012/06/gsoc-journal-introduction.html

Sam wrote a post on the “SGC” beta release of the GUI project:
    http://blog.sambull.org/sgc-0-1-4-beta-release

Sam has also written to the mailing list asking for feedback on his work.
    https://groups.google.com/forum/?fromgroups#!topic/pygame-mirror-on-google-groups/AQiDPF_rINo

Sagie has also been getting into some conversations on the mailing list, and in the irc channel about the sprites project.
    https://groups.google.com/forum/?fromgroups#!topic/pygame-mirror-on-google-groups/KhaV8V6o4Js

Sam, Szymon, and Rene started on a little game for pyweek to be used as an experimental sandbox for testing out gsoc project ideas.
    https://bitbucket.org/pygame/pygamegsoc12


Posted in games, pygame, python | Comments Off

Internet protocol 6, 6, 6.

June 6th, 2012 is ipv6 launch day.  http://www.worldipv6launch.org/ You can now go to http://www.pygame.org/ with version 6 of the internet protocol. Continue reading

Posted in internet, ipv6, pygame, python, web | Comments Off

SQL Injection via field names, and table names.

About a year ago I had to implement a system where the table name could be configured for an application.  Why would you want to do that?  Lots of reasons really, like if you have a table generator via a web interface.  In this case, the system integrates with other systems, and users need a way to specify where the data would go in an existing database.  So I merrily went ahead to try and put the table name in a prepared statement… but ERROR!  Unfortunately SQLite (like the other databases) does not accept table names or column names as prepared statement parameters: parameters bind values, not identifiers.  The documented SQLite solution is to quote the identifier correctly, which its C printf-style functions do with the %w format (PostgreSQL offers quote_ident() for the same job).  Unfortunately Python’s sqlite3 module does not expose any identifier escaping function, since most people should be using prepared statements for values.

Here are some WONTFIX, closed and invalid bugs that also mention table names and column names, and that do not treat them as a problem.  One of them is six years old.

(closed wontfix) http://bugs.python.org/issue11685
(closed invalid) https://code.djangoproject.com/ticket/1474
(closed invalid) https://code.djangoproject.com/ticket/14991

Python and Django don’t really consider this a vulnerability in themselves, but a problem in users code.

However, I still think it is something people should be aware of.  Especially if you are taking user input to generate your table names or your field names.  For those people it could be a problem unless you are really careful.

SQL Injection with Django (a case study)

I’m going to use the Python framework Django as a case study of what to be careful of.  However, this advice applies to all Python, PHP, [insert your favourite language or framework] and other SQL-using libraries.

This code is used to quote table names and field names in Django’s sqlite3 db backend (the MySQL backend is the same shape, with backticks instead of double quotes):


    def quote_name(self, name):
        if name.startswith('"') and name.endswith('"'):
            return name # Quoting once is enough.
        return '"%s"' % name

Note how there is no escaping of the input at all?  A quote character inside the name is passed straight through, and a name that already begins and ends with a quote is returned untouched, so everything between those quotes becomes raw SQL.  To protect against SQL injection the backend would have to escape the identifier the way the database documents (for these backends, doubling every embedded quote character and never skipping the quoting step), because identifiers cannot be bound as prepared statement parameters.

Because Django mostly does things like validate field names, and table names… this turns out to not be a problem in a lot of cases.  Other layers of security in Django protect it here.  This isn’t an “OMG free Django p0wny!” bug, but a fairly niche bug if you do something wrong in your own code.

An example of how you can inject SQL because of quote_name is the createcachetable command, which takes a table name on the command line:

    django-admin.py createcachetable 'myinjectedtable` (id INT) select id from users;create table `thecachetablename'

The MySQL backend wraps names in backticks, and the argument above already begins and ends with a backtick, so quote_name returns it unchanged.  The closing backtick, the parenthesis and the semicolon then land in the CREATE TABLE statement as raw SQL, and the attacker gets to choose what follows.

This SQL injection could be a problem if you are getting the cache table name from user input somewhere else, and not validating it first.

quote_name (as one of the places that does it wrong) is used in public 3rd party code and internally within Django.  It is not a private method, since it does not begin with ‘_’ or ‘__’.  There are places where a string can be supplied from outside of Django (through the command line, through other APIs, or from a file).  The Django code says that the db backends are responsible for quoting the field names (e.g. the Q.__str__ method).

The Django book says:

Thus, if you need to, say, dynamically construct a list of tables from a POST variable, you’ll need to escape that name in your code. Django provides a function, django.db.connection.ops.quote_name, which will escape the identifier according to the current database’s quoting scheme.

Another example where you can inject SQL…

    MyObject.objects.extra(where=['"name"="SomeName";CREATE TABLE qwer (id int) select id from users'])

The Django documentation warns to be careful about this function.  However there is no documentation on the extra method about escaping field names, or table names.  Should probably add a warning there: https://docs.djangoproject.com/en/1.4/ref/models/querysets/#extra

You should be careful using input from untrusted places where you’ll use it for table names, or field names.  Luckily this is not done very often by lots of people.

What can we do to fix table name SQL injections?

  • Use prepared statements for values where the db backend allows,
  • … or escape the identifier correctly (as documented by each DB engine) when prepared statements are not possible, as is the case for table and field names.
  • Disable multiple statements in the db connection, so even if something gets through the damage is limited.
  • Validate the input where possible (for example, why would a table name need to include ; or DROP DATABASE?).
  • Document dangerous calls, to explain how to escape identifiers correctly in your database abstraction.

Some fixes that are more expensive to do:

  • Have automated SQL injection tests.
  • Use the database’s own permission system, so front end code only has permissions to do what is required, and admin code can only do what is required of it.
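As an added example (not Django’s code and not from the original post), here is the quoting pattern above reproduced for SQLite next to a hardened identifier quoter, an allowlist validator, and a check of what single-statement execution buys you.  The payload, the table names and the 63-character cap in the allowlist are all constructed for the demonstration; quote_name_naive mirrors the double-quote scheme of the sqlite3 backend shown earlier, and quote_ident, validate_ident and tables_after are my own helpers, not a Django API.

```python
import re
import sqlite3

# Constructed attacker input, in the style of the post's createcachetable
# example but for SQLite's double-quote identifier syntax. It starts and
# ends with a quote, so a quoter that trusts "already quoted" input hands
# it back untouched and everything in the middle becomes raw SQL.
PAYLOAD = '"injected" (id INT); DROP TABLE users; CREATE TABLE "cache"'


def quote_name_naive(name):
    """The quoting scheme discussed in the post: wrap in double quotes,
    never escape quotes inside the name, and trust anything that is
    already wrapped. Kept deliberately vulnerable for comparison."""
    if name.startswith('"') and name.endswith('"'):
        return name  # "Quoting once is enough" -- this shortcut is the hole.
    return '"%s"' % name


def quote_ident(name):
    """Hardened SQLite identifier quoting (added here; not Django code).
    Standard SQL escapes a double quote inside a quoted identifier by
    doubling it, and there is no 'already quoted' shortcut: a name is
    always wrapped, whatever it contains. NUL bytes are rejected because
    the C string APIs underneath the driver would truncate at them."""
    if not isinstance(name, str) or "\x00" in name:
        raise ValueError("invalid identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


# Allowlist for the common case: if a table name only ever needs letters,
# digits and underscores, reject everything else before it reaches SQL.
# The 63-character cap is an arbitrary choice for this example.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def validate_ident(name):
    if not IDENT_RE.match(name):
        raise ValueError("identifier rejected by allowlist: %r" % (name,))
    return name


def build_create(quoter, name):
    """Build the CREATE TABLE statement the way a cache-table command
    might, with the table name supplied by the caller."""
    return "CREATE TABLE %s (id INT)" % quoter(name)


def tables_after(sql, multi_statement):
    """Run sql against a fresh in-memory database seeded with a users
    table and return the table names left afterwards. With
    multi_statement=True the script API is used, which happily runs
    several statements; with False, Connection.execute() is used, which
    refuses more than one statement per call (the 'disable multiple
    statements' mitigation). None means the driver refused the string."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INT)")
    try:
        if multi_statement:
            con.executescript(sql)
        else:
            con.execute(sql)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return None  # "You can only execute one statement at a time."
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    naive = build_create(quote_name_naive, PAYLOAD)
    safe = build_create(quote_ident, PAYLOAD)
    print(naive)
    print(tables_after(naive, multi_statement=True))   # users is gone
    print(safe)
    print(tables_after(safe, multi_statement=True))    # one odd table, users intact
    print(tables_after(naive, multi_statement=False))  # None: refused by execute()
```

With the naive quoter the script API runs all three statements and the users table is dropped; with quote_ident the whole payload becomes one harmless (if ugly) table name and users survives.  Single-statement execution stops this particular payload, but it only limits the blast radius: a payload that stays inside one statement still injects, which is why the allowlist or proper quoting has to come first.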


Posted in django, PHP, python, security, sql, sqlite, web | Comments Off

Dynamite Jack: The second prototype, post-post mortem

So about six months after I created “Escape from Anathema Mines” during the Ludum Dare game jam, I created a game called Dynamite in the PyWeek game jam.  Theme: So the theme of PyWeek #1 was “Power”.  I worked with my brother-in-law Tim on this game, and we spent a fair amount of time [...] Continue reading

Posted in dynamitejack, pygame, python | Comments Off

Dynamite Jack: Seven Years Ago Today – the prototype post-post-mortem

The development of Dynamite Jack was a really involved and long-term project. The project started almost exactly SEVEN YEARS AGO. I’m going to do a series of blog posts over the next few weeks leading up to the release of Dynamite Jack highlighting both the features of the game, the development of the current version [...] Continue reading

Posted in dynamitejack, python | Comments Off

Chaos Python

Add this into your functional tests and smoke it.

    import sys
    import random

    def chaos_trace(frame, event, arg):
        # On roughly one line event in a million, blow up as if the
        # process had run out of memory, to see how the code copes.
        if event == 'line' and random.random() < 0.000001:
            raise MemoryError()
        return chaos_trace

    sys.settrace(chaos_trace)

You will get … Continue reading

Posted in python | Comments Off

CherryPy – I love it because it’s python.

CherryPy moved to bitbucket a while ago, and also got a website refresh.  I love cherrypy, since I can use it with python 3 – not legacy python.  I love cherrypy, because I can just use python objects.  I love cherrypy because it has a clever name.  I love ch… Continue reading

Posted in python, web | Comments Off

Thoughts on Python 3

It’s awesome.  Go get some! Continue reading

Posted in python, python3 | Comments Off

PyGameZine issue0

Today we are very excited to announce the launch of PyGameZine! There is more information about it on the http://www.pygame.org/ website. Continue reading

Posted in games, pygame, pygamezine, python, zine | Comments Off

Vintage in Paris

Our Vintage in Paris app has been published on the Nokia app store!  The process was pretty simple, since it was a very technically basic but content heavy app.  The main difficulty in this app was walking around the streets of Paris taking pictures, and … Continue reading

Posted in app, html5, javascript, nokia, pygame, python, web | Comments Off

beta testing intel appup apps

So, I’ve been going around in circles the last few days with the validation of our app on the Intel AppUp store.  The support people escalated my request, and it looks like they have fixed a problem with the validation program.  It looks like their aut… Continue reading

Posted in app, chrome, games, google, Intel, javascript, Ludumdare, pygame, python | Comments Off

‘Halloween Juggling Pumpkin’ published to the chrome web store… I think.

Well, I clicked the publish button, and it seems the ‘Halloween Juggling Pumpkin’ app has been published to the chrome web store.  I’m quite happy that it is up!  Here is a screen shot of the menu screen.  Well, that wasn’t too hard to do after all…. Continue reading

Posted in app, chrome, games, google, javascript, Ludumdare, pygame, python | Comments Off