Coding 101 13 (Transcript)
Shannon Morse: Today on Coding 101 your Python list
example, we’re going to explain Heartbleed with jelly
beans? And a while loop.
Father Robert Ballecer: Om nom nom nom nom.
Shannon: Om nom nom.
Netcasts you love. From people you trust. This is Twit.
Bandwidth for Coding 101 is provided by Cachefly. At C-A-C-H-E-F-L-Y dot com.
Shannon: This episode is brought to you by lynda.com, learn what you want when you want with access to
over 2400 high quality online courses and training videos, all for one low
monthly price. To try it free for seven days, visit lynda.com/c101. That’s
L-Y-N-D-A dot com slash C one zero one.
Fr. Robert: Welcome to Coding 101, it’s the Twit
show where we introduce you to the wonderful world of the programmer. I'm Father
Robert Ballecer.
Shannon: And I'm Shannon Morse and I am eating
jelly beans. They're stuffed in my mouth right now and I can barely talk but
we’re going to teach you all about coding for the next thirty minutes so that
you can become a Python code warrior.
Fr. Robert: Now right now Shannon in the last
couple of weeks there's been a big thing that’s erupted throughout the interwebs and that’s all about Heartbleed,
right?
Shannon: Yeah, yeah they broke my heart.
Fr. Robert: They did, so later in the show we’re actually
going to give you an in-English honest to goodness, easy to understand example
of how the Heartbleed bug works. But before we get
there, you know what we always start the show off with some examples, yeah.
Shannon: That’s right we do. So last week we
covered lists and lists are surprisingly easy to write and kind of fun
actually.
Fr. Robert: Yeah.
Shannon: So I had a lot of fun writing mine.
I’ll go ahead and pull up my example so you can see how I wrote it and what it
does. So if I click on it, double click and you’ll probably have to zoom into
this because it’s a little small. And it basically says who doesn’t like Star
Trek right? My Star Trek captains are, my favorites in
order Picard, Janeway, Kirk, Sisko and Archer. And my favorite Star Trek series in order are The Next Generation
of course, Voyager, Deep Space 9 and Enterprise.
Fr. Robert: By the way, awesome code but totally
inaccurate list.
Shannon: What? What, please.
Fr. Robert: Totally inaccurate list. Seriously,
that you would put – you know what, no. We’re going to take those offline.
Shannon: First off, Picard, he’s number one.
Fr. Robert: Okay, I will give you Picard but Janeway? Janeway?
Shannon: Oh come on, she speaks to me, she
speaks to me.
Fr. Robert: Um-hmm.
Shannon: She’s a woman in power and I like that.
Fr. Robert: Um-hmm.
Shannon: Kirk, not so much, he’s total man, he’s
a womanizer.
Fr. Robert: He’s a womanizer, he really is.
Shannon: That’s exactly what it is. And then Sisko and Archer they were kind of, they're kind of equal
to me.
Fr. Robert: Now last week, you flipped that. You
had Archer ahead of Sisko and I was like “No, no, no,
no, no, no Sisko can’t be at the bottom”.
Shannon: Well I like Deep Space Nine more than
Enterprise.
Fr. Robert: Right, right.
Shannon: So it made more sense.
Fr. Robert: I’ll give you props for that.
Shannon: Yeah so that was my example and for the
code, this is how I wrote it. So I had print who doesn’t like Star Trek and
that’s just a simple print screen. And then I made my first list—
Fr. Robert: There’s your list.
Shannon: …which is Star Trek,
Picard, Kirk, Janeway, Sisko,
Archer. Now you’ll notice that this list is a little bit different. This
is in order from the original series all the way to the end. So when I printed
that, I had to shift it around just a little bit to make it from my favorites
to my least favorites. So I started with zero, which was Picard, number two
which was Janeway and then once I scroll over, you’ll
see one, three and two. One, three and four.
Fr. Robert: There we go and actually that’s a great
example of one of the powers of list which is once you have your data in there,
you don’t have to follow the stream of the original data.
Shannon: That’s true.
Fr. Robert: You just give it the index for what
position you actually want to use.
Shannon: Exactly, I did pretty much the same
thing with series so I named this list series equals and then I put The
Original Series, Next Generation and so on and so forth. And then I printed my
favorite Star Trek series in order are, starting with series number one, which
was TNG, series zero the original series because it’s so awesome and so on and
so forth. And then at the end since I am on a Microsoft computer, I put raw input
press enter to exit.
Fr. Robert: And that’s just so it maintains the
terminal window until you actually want to exit.
Shannon: Yeah.
Fr. Robert: Now something else – I love this, I
love that you did this, you used a descriptive name.
Shannon: I did.
Fr. Robert: And this is one of the things we really
need to hammer in our audience, which is you can name
your variable anything. You can name your lists anything so why not give it a
meaningful name. In your case, you called series so people can say “Oh yeah the
variable name, the index name, the list name actually makes sense”.
Shannon: Exactly, it made sense so that’s why I
decided to name it that. Now we also got a really excellent example of a list
from Darryl Medley. So this is called a shopping list, if I double click on it,
it simply says “Enter the name of item one”, so this is going to be my shopping
list. So I’ll say I need to buy milk, how many in quantity,
just one because it’ll spoil because I’ll never go through it. Number two, of
course I need cereal and I'm going to buy five boxes. I go through that like
crazy. Number three I need some towels for my downstairs guest bathroom.
Fr. Robert: Always have a towel.
Shannon: So I press enter, press enter when
finished. And it takes my list, it takes these things up here and outputs them
to me so I have milk, quantity one, cereal five, towel quantity three, press
enter to close.
Fr. Robert: Now this is pretty good but I’d say if
it was going to be customized for you it would have to be a coupon list.
Shannon: It would have to be.
Fr. Robert: It really would have to be.
Shannon: It would have to have some math in
there for me.
Fr. Robert: There we go.
Shannon: I should do that.
Fr. Robert: I like this one, this is great.
Shannon: So if we look at the example, I'm going
to edit it with IDLE. Now I'm zoomed in to this because we had a little
problem, I'm seeing all of it last week so if I scroll down you’ll see—
Fr. Robert: First of all, I love the comments,
thank you for the comments. We love that.
Shannon: Yes, excellent comments, thank you so
much Darryl. So once I scroll down you see shop list and then we have case list
item count. So first it prints shopping list, prints the other information and
then we do a loop. So this is pretty interesting, he added a loop in there.
Fr. Robert: Mmm, yay.
Shannon: How fun, now we’re going to get more
into loops in just a few moments, I think so but—
Fr. Robert: Shhh, you're
spoiling it.
Shannon: Oh I already told them in the code a
little bit, gosh.
Fr. Robert: Calm down, okay fine.
Shannon: And then we have some if and whiles in
here, some options. So a lot of this looks a little bit confusing but it
won’t soon.
Fr. Robert: Right.
Shannon: So we’ll explain all of this but this
is an excellent example.
Fr. Robert: But obviously he knows beyond what
we’ve shown on this show.
Shannon: Exactly.
Fr. Robert: But none of this is really beyond
anything we’ve given them.
Shannon: Right.
Fr. Robert: There’s a little bit on the conditional
modifiers here, the conditional operators but beyond that, this is just a
print, this is just a loop, this is just a list.
Shannon: It’s so pretty.
Fr. Robert: It is pretty.
Shannon: It’s very easy to understand and we
made lots of comments in here so I decided to show it.
Fr. Robert: Very well done, by who was this again?
Shannon: Darryl Medley.
Fr. Robert: Darryl give yourself a pat on the back, this is definitely the program of the week.
Shannon: Thank you Darryl.
Fr. Robert: Thank you Darryl.
Shannon: So that was my example of a list and
Darryl’s example of his own list with loops, yay. Now I know that we have tons
of explaining to do.
Fr. Robert: Yeah, we have to do some explaining.
Okay, so we do want to go back into loops. Now I'm assuming that many of you
watched our C# module and if you have, you know what a loop is. A loop is just
a really simple way to repeat a section of code. Now the reason you want to
repeat sections of code is, well if you're doing the same operation over and
over and over again. Like for example, if you just wanted to print a series of
numbers, you don’t want to have to do print variable one, print variable two,
print variable three.
Shannon: Yeah it would take too long.
Fr. Robert: It would just take – and that’s just
silly right, because it’s always the same line, the only thing that changes is
the name of the variable. Well what a loop allows us to do is it allows us to
minimize the amount of coding that we have to do by saying repeat this with
this difference.
Shannon: Ah okay.
Fr. Robert: Right, so just keep doing the print but
change the variable.
Shannon: It sounds similar to the list but in
this case you're changing the variables up at the top.
Fr. Robert: Right, right and it allows us to just
keep doing the loop until we want to stop.
Shannon: That’s cool.
Fr. Robert: It’s a very good way to be efficient
with your code and also it’s pretty much the only way to do modern
programming. If you don’t have loops, you can’t write a modern piece of code because
otherwise your code would be just pages and pages and pages long. And we don’t
want that.
Shannon: With no comments.
Fr. Robert: With no comments. So that’s what loops
do, now let’s take a look how loops actually work in Python. One of the things
you have to remember is looped – while loops in Python actually aren’t all that
much different from the while loops we did in C#.
Shannon: Ah okay.
Fr. Robert: Now they use some sort of counter
because you need some way to determine whether or not the loop is going to
continue to run right?
Shannon: Right.
Fr. Robert: So you need a condition, you need
something that says “When you check this, if this is true continue to run the
loop. If it’s not true, break the loop”.
Shannon: Break the loops the loop yeah, cancel
it.
Fr. Robert: Right, yeah and do you remember from C#
what happens if you don’t have that in there.
Shannon: It just keeps going and going and
going.
Fr. Robert: It just keeps going, right. Exactly, if
there is no way to change that condition, that true or false condition then
either the loop never runs or the loop runs forever.
Shannon: Yep.
Fr. Robert: So we have to have some sort of
variable, some way, something that changes in the processing of the loop that
allows us to change the condition of whether or not the loop can run. Does that
make sense?
Shannon: That does make sense.
Fr. Robert: Okay, so let’s actually look at some
code. Bryan if you go ahead and switch to my screen, I've got – this is
probably the easiest—
Shannon: Oh that’s a simple one.
Fr. Robert: This is a super simple while loop,
okay. So all I do is I have a counter, I have a variable, it’s set to zero.
Shannon: Okay.
Fr. Robert: So counter is equal to zero, that’s a
number. Now the while loop itself is counter less than five. That’s my
condition, that’s my relational condition.
Shannon: Ah, I see what you did there.
Fr. Robert: Yeah, exactly so counter is set to zero
right?
Shannon: Right?
Fr. Robert: So while zero is less than five, is
that true?
Shannon: Yes.
Fr. Robert: Okay, exactly so it’s going to run.
Shannon: So it’ll run.
Fr. Robert: Um-hmm, and then the next line is counter equals counter plus one.
Shannon: And then it equals two.
Fr. Robert: Well first it equals one and then it
equals two and then it equals three, right because it starts with zero right?
So we’re starting at zero and yeah that’s just an increment. So all it does is
it adds one to the counter every time it runs. And then that third line there
is print, and all it does is it prints. Now let me
show you really quickly there is an indentation. You see this right here, this
is actually important. This is not a throwaway thing.
Shannon: Yes, I do see that.
Fr. Robert: This is how Python, if you remember
from last week, this is how Python knows that this code, this counter
equals counter plus one and print counter belongs to the while loop, it’s
because I’ve indented it.
Shannon: So can I just hit tab whenever I'm—
Fr. Robert: Yes, yes.
Shannon: …a code.
Fr. Robert: Absolutely, you can tab it. Right, and
this goes for every other – if you would’ve put a while loop within a while loop
or an if-else statement inside that loop you would also
have to indent it.
Shannon: Okay.
Fr. Robert: So just remember it’s like old school
math where you just go one column over every time you have one operation nested
within another.
Shannon: Okay, that makes sense. It keeps it
organized too.
Fr. Robert: Right, so let’s go ahead and run this
and what we get is this. One, two, three, four, five.
Shannon: Cool, yeah that’s super simple and very
easy.
Fr. Robert: Exactly, so it’s going to – it runs it
until I get to the end. And at the end, it gets to five and it’s going to say
if five less than five and the answer is no and it stops and that’s it.
Shannon: Okay.
Fr. Robert: Okay, so very, very simple program
that’s how a while loop works, that’s what we’re going to be doing for the rest
of our time today.
Shannon: Perfect, okay.
Fr. Robert: However, we gave you the while loop.
Shannon: Yes.
Fr. Robert: There’s a little something else we want
to talk about.
Shannon: Yeah there is, it’s kind of going a
little crazy on the Internet lately.
Fr. Robert: Yeah it’s going a little crazy on the
internets. We got Heartbleed.
Shannon: Uh-oh.
Fr. Robert: Yeah.
Shannon: I don’t have any Heartbleed.
Fr. Robert: No you don’t, you're good, you're good to go. But what we want to do is we want to talk
about Heartbleed because it actually addresses
something very, very basic in programming and something that’s very important.
It’s all about sanitizing inputs. It’s about—
Shannon: Sanitizing your comments.
Fr. Robert: …your comments, sanitizing your code.
Shannon: Yes your code.
Fr. Robert: You have to make sure that the data you
receive is what you expected.
Shannon: Exactly.
Fr. Robert: But unfortunately the writer of the
piece of code in OpenSSL that is responsible for the Heartbleed bug didn’t do that. Now Bryan, you actually have a link for the GitHub that has all the OpenSSL code. While you get that
up, let me really briefly state what’s going on in the Heartbleed bug. So what we’re talking about is the heartbeat, anytime I establish a secure connection, so Snubs let’s say that you're
Facebook. Okay, you're the Facebook server, I'm talking to you, you know that little, you get that little padlock in the
upper corner of your browser.
Shannon: Yes.
Fr. Robert: It tells you that you're secure right?
Shannon: Yeah, it tells me I'm using HTTPS.
Fr. Robert: Exactly, secure sockets layer or TLS,
which gives me an encrypted tunnel between the client and the server. You're
the server I'm the client. Now that’s a good thing because without that anyone
can just snoop in on our conversations and they could read everything that I'm
sending and everything that you're sending back to me.
Shannon: Especially if they have a WiFi Pineapple.
Fr. Robert: Brought to you by Hak5. No but see
here’s the thing, I can’t just keep those open.
Shannon: Right.
Fr. Robert: Right, once I've established one of
those connections, I need a way to tell the server that even when I'm not using
it, let’s say I'm reading something that’s on my page and I'm reading it for
three minutes, my client, my computer still needs to be able to tell the
server I'm still connected, I still need you, don’t shut off the connection.
Shannon: So this is the Heartbeat that’s going
between us.
Fr. Robert: This is the heartbeat, right. It’s just
– it’s a nonsense piece of data, it’s a minimal data set. It’s a very small
handshake, very small packet essentially saying keep me alive.
Shannon: Okay.
Fr. Robert: Keep me alive, keep me alive and it
does that every once in a while.
Shannon: So why do we have these jellybeans up
here?
Fr. Robert: Okay so this is your system memory,
you're the server right?
Shannon: Oh yeah.
Fr. Robert: Don’t eat your memory.
Shannon: I won’t eat my memory.
Fr. Robert: Oh man I'm just going to eat all my
memory. All right so you—
Shannon: My hard drive just failed.
Fr. Robert: Now this, this one jelly bean, this is
my Heartbeat packet.
Shannon: Okay.
Fr. Robert: Okay, so what I have to do is I have to
send you two things, I have to send you my payload and the payload is the jelly
bean, right. But I also have to send you a description of how big this is.
Shannon: Ah, okay.
Fr. Robert: So in all non-OpenSSL implementations
of all the SSL, of the secure sockets layer of the encryption, whenever I the
client sends something to you the server you check
what you received against what I told you I sent.
Shannon: Ah, okay.
Fr. Robert: So, let’s say I do this, I go ahead I
say “I’m sending you one jelly bean”, I give it to you.
Shannon: I just received one jelly bean.
Fr. Robert: Right and that’s it and so you said
that you told me that you sent me one jelly bean, I read that—
Shannon: It looks like a jelly bean.
Fr. Robert: It looks like a jelly bean and now you
send back to me.
Shannon: I'm sending you one jelly bean.
Fr. Robert: And there we go, so now the connection
stays alive. If I did this, I am sending you five jelly beans and I give that
to you, what do you think you as a server do?
Shannon: I only have one jelly bean.
Fr. Robert: That’s it, right.
Shannon: This is odd.
Fr. Robert: This is odd, it’ll kill the connection
right or it’ll ask for the heartbeat again.
Shannon: Right.
Fr. Robert: That’s simple checking right? That’s
sanitizing your inputs, that’s making sure that you’ve actually received what
you expected to receive. That’s good coding.
Shannon: That makes sense.
Fr. Robert: That makes sense. There’s a bug in
OpenSSL.
Shannon: No.
Fr. Robert: And Bryan if you go ahead and bring up
that GitHub, it’ll actually show you the code that
goes behind SSL. Now go ahead and forward, what line was that, we need you to
go to line 3,972. There, right there. See where it says read type and payload
type first. These next four lines of code, actually three lines after the
comment are entirely responsible for the Heartbleed bug. Now let me explain, this looks kind of crazy but let me explain what’s
here. hbtype is just setting the type of data, okay so that’s like from C#
that just says this is the kind of data that I'm going to be receiving.
Shannon: Okay.
Fr. Robert: P plus plus,
we've seen that, it’s just incrementing the counter so it’s P plus one, right?
Shannon: Ah yes, plus one yeah.
Fr. Robert: Now here’s the big line, n2s which
is calling a function because we know it’s in parentheses right? So it’s
calling a function and it’s passing it two parameters. P is the location, it’s called the pointer of the payload, the jelly
bean. So it’s telling it where the jelly bean is located.
Shannon: Okay.
Fr. Robert: Right. Payload is the length. That’s me
telling you I'm passing you one jelly bean.
Shannon: Ah.
Fr. Robert: Okay, now a good piece of code would’ve
had an extra line here that says “Is P, the length of P equal to the length of
payload”.
Shannon: Yeah.
Fr. Robert: Right, so if I told you—
Shannon: You would be sanitizing their code.
Fr. Robert: It’s sanitizing the code, sanitizing
the input. It’s saying “If I told you I'm giving you one jelly bean, what is P?
How long is P? Is P actually one jelly bean? If it is, allow it. If it’s not
then X, kill the connection”.
Shannon: And since they didn’t do that, there is
no line that says “If it’s this long then it should equal P”.
Fr. Robert: Right.
Shannon: That pretty much means that the payload
could be as long as they want.
Fr. Robert: Or short. So this is how it works, if
you come back to me, now we’re talking about this jelly bean all right. So I'm
still talking to you in the server and I'm passing you this one jelly bean and
I'm saying I sent you 64,000 jelly beans.
Shannon: It looks like 64,000 jelly beans.
Fr. Robert: That’s how open SSL works because it
doesn’t check, it’s just going to trust me. And
unfortunately, that’s not good.
Shannon: That’s not good.
Fr. Robert: So what it’s going to do is it’s going
to say “Well he must’ve sent me 64,000 jelly beans, so I'm going to send him
back the one jelly bean plus 63,999 he shouldn’t have received”.
Shannon: That’s so bad.
Fr. Robert: Which means I take your system memory
and it’s all for me.
Shannon: Hello hacks. Oh that’s bad.
Fr. Robert: Hello hacks, exactly. And see the
problem with that is they can do it over and over and over and each time
they’ll get a different set of the memory until they can put it all together
and they can essentially have everything.
Shannon: And from the server end, everything
looks cool so nobody ever checks for any difference
Fr. Robert: Right, to the server end, if you're
using OpenSSL the unpatched version all it knows is that someone is sending a
lot of Heartbeats, and that’s normal because that’s how we keep the connection
open. It doesn’t realize that it’s giving away the keys to the kingdom every
time it sends you that 64k.
Authorization acknowledged.
Fr. Robert: Precisely, exactly we got a computer
fault.
Shannon: Yes.
Fr. Robert: So that’s how Heartbleed works and go back to that code Bryan. This is the crazy part, this is what we’re trying to drill into you people, when you’re writing your
code, you got to make sure to check for things like that. This was an innocent
mistake, this was, again we know that this was submitted something like, what
was it, an hour or two before midnight two years ago. December 2011.
Shannon: Right.
Fr. Robert: So it was probably some guy staying up
late, writing some code. It looked right, it worked right, but he never
actually made sure that he was receiving what he was supposed to receive.
Shannon: That’s true. Ah man, I feel bad for
that guy.
Fr. Robert: Simple mistake, I feel bad for him but
you know, simple mistake that anyone can make.
Shannon: Yeah, it’s true.
Fr. Robert: Yeah.
Shannon: That’s unfortunate, but it’s a good example
of what can happen if you don’t sanitize.
Fr. Robert: Very good example, yeah. Which brings
us to this part of the show, where we’re actually going to bring someone in who
has experience with sanitizing right?
Shannon: But before we do that, I wanted to tell
you guys about a website that I really, really enjoyed and I've been using for
years. It’s called lynda.com and they're our sponsors for today. So if you
haven’t checked lynda.com yet, it is a website where you can get everything
that you ever want as far as thousands of online video courses in software,
creative and business skills. So whether you want to learn Python code or you
want to explore the foundations of programming, or improve your photography,
everything like that. With a lynda.com subscription, members receive unlimited
access to thousands of high quality and engaging video tutorials across a wide
variety of subjects. Now here’s a cool one, do you ever want to build your own
iOS app but you're not a programmer. Well lynda.com has a new course called
Programming for Non-Programmers: iOS 7. This is so cool. It’ll allow you to
build your first iOS app in a single afternoon. You’ll learn the most important
concepts in iOS and the app development process. By the end of the course
you’ll have a finished app, that’s awesome.
Fr. Robert: Yeah I like that.
Shannon: Basic understanding of Xcode, the
toolset for developing iOS apps. You’ll know the building blocks like variables
and functions and conditional statements and interface design. And you can find
links to this course and many more at lynda.com/c101. So I’ve used lynda.com for
years. I used it for everything from learning how to use Adobe Photoshop.
Fr. Robert: Yeah.
Shannon: Hey, photography. And even Premiere
from when I was you know, Paul over at Hak5 learning how to edit back in the
day. Long time ago but you know what, all of those
little tidbits that I learned from lynda.com still work today.
Fr. Robert: You know what I like about this is we
get a lot of people who are asking us “Well, when are we actually going to get
to do some app development?”
Shannon: That’s true.
Fr. Robert: We don’t need to do that because what
we’re doing is we’re teaching people how to code. We’re teaching them the
fundamentals and then they can go to something like Lynda and then they can
look at the iOS development lessons and say “Oh yeah, this makes sense. Now
that I know how to break down problems into computer code I can just follow
these steps and make myself an app”.
Shannon: And you know, maybe you don’t want to
learn Adobe Photoshop but guess what, there's 2400 courses online and more are
added every single week so you're going to find something that you like, trust
me. Lynda.com courses are produced at the highest quality and they're not homemade
videos on YouTube so you're going to get good audio,
good viewing of the people who are doing the show. Everything that you need is
right there. The instructors are accomplished professionals at the top of their
fields and they're passionate about teaching. So you're not going to get
somebody who’s boring, which happens a lot.
Fr. Robert: Which is sad.
Shannon: You're going to get somebody who is
excited about what they're teaching and that’s what I love about doing videos
on lynda.com. Courses are for all experiences, whether you're a beginner,
intermediate or you're advanced, and you can watch on your computer, your
tablet or your mobile device. So if you're on the go, like I do, I'm commuting
often, I can watch them via my cellphone, it’s perfect. Now whether you have
fifteen minutes or fifteen hours, each course is structured so you can learn
from start to finish. You can even search the transcripts to find quick answers
or you can read along with the video, which is super helpful to me if I'm not paying
that much attention. Lynda.com offers certificates of completion when you
finish a course so you can publish to your LinkedIn profile, which is great if
you're a professional in a certain field. That’s really fun. Now it’s only $25
a month for access to the entire lynda.com course library. Or for $37.50 a
month, you can subscribe to the premium plan which includes exercise files
that will let you follow along with the instructor’s project using the exact
same project assets that they do. And you can try lynda.com right now with a
free seven day trial, visit lynda.com/c101 to access the entire library. That’s
over 2400 courses for free, for seven days. Have at it, I mean do this – go at
it when you're on your spring break.
Fr. Robert: Do it now, go.
Shannon: Watch all of them.
Fr. Robert: This is a perfect summer project. You
know if you're coming home from high school, if you're coming home from
college, why not use Lynda to brush up on some of the things that you really,
really want to learn.
Shannon: Exactly, and again that was L-Y-N-D-A
dot com slash c one zero one. And of course we thank lynda.com for your
support. We love you guys, thank you.
Fr. Robert: Woot, lots of woot.
Shannon: I think it’s time for some code
warrior.
Fr. Robert: I think so now it’d be great if we had
someone we could bring in right now and maybe have him explain how while loops
and code sanitization and input sanitization works in the real world.
Shannon: Who could that be?
Dale Chase: What’s up guys?
Fr. Robert: Oh it’s Dale Chase from Discovery
Digital Networks.
Shannon: Oh my god, it’s you. What up?
Dale: How are you doing?
Shannon: Doing good,
how are you doing?
Dale: Yeah so – yeah heartbleed huh.
Shannon: Oh yeah no kidding.
Dale: Well I've got something here that will
at least show you how to - well I've got a couple of examples here. One sort of
simple one that will let you sanitize positive
integers that you were just looking for.
Shannon: Ooh, okay this looks kind of
complicated.
Dale: Um not so much. Really, I mean it’s
really just a while loop. So let’s go through it, so I start here by saying
clean equals false. Clean is what I'm going to be using to set up my while loop.
Shannon: Okay.
Dale: And just check the state of that. So
I'm starting it off as false.
Fr. Robert: And I like that because you're assuming
that the input coming in is wrong.
Dale: Yes.
Fr. Robert: And you want the code to say it’s wrong
until it prove otherwise.
Dale: Right, yes. So I'm saying while clean
is false with the double equal here. Phones equals, so here’s the first set
input, how many phones have you broken?
Shannon: You jerk.
[laughter]
Fr. Robert: Now we know from the ivory tower that
because those lines are indented they belong to the while loops. So the while loops
will continue to repeat everything indented over up to that print statement.
Dale: That’s correct. Then we go to how many
laptops have you dropped, with another raw input command. Being assigned to
a variable called laptops and then if phones.isdigit, is digit, this is a function that will now—
Fr. Robert: There we go, okay.
Dale: …assess what is in phones and make sure
that it is a positive integer as essentially.
Fr. Robert: Okay, so that’s a function. So phones.isdigit means that I'm taking the variable called
phones and I'm running the function isdigit against
it and I'm assuming that since the makers of Python used functions with
understandable names, all it’s going to do is look at the variable called
phones and say is this a positive integer.
Dale: That’s correct.
Fr. Robert: Okay.
Dale: I'm also doing that for my laptop’s
variable as well in the same if statement and I'm making sure that condition
happens together with this and. I think in C# that’s like an ampersand ampersand.
Fr. Robert: Ampersand ampersand.
So it’s saying if this and that are true.
Dale: Exactly.
Shannon: That’s cool.
Dale: In Python you actually can use the real
word and. And so then that is now part of – so if that print statement, if that
is true, if both of these are positive integers, clean becomes true and the
loop stops.
Fr. Robert: Right, now let’s point out something
else here, we did this in previous episodes but if you look at the while loop
and if you look at if statement, both of them have a
colon at the end of the line. Now we told you that Python only cares about whitespace,
it actually looks at formatting, however anytime I'm doing one of these
statements, one of these functions that use multiple lines, I have to have a
colon there to tell it “Hey, you're about to get multiple lines”. That’s all it
means so—
Shannon: I see, okay.
Fr. Robert: …yeah that’s why you—
Shannon: You're not done yet, here's the rest of
the code.
Fr. Robert: I'm not done yet, right. Which is why
for while it says “Continue to do the rest of the code that you're going to see
indented” and then the if statement it’s going to say
“Continue to do the rest of the code that you're going to see indented”. That’s
all it means, that all it means.
Shannon: Oh okay, cool.
Dale: So since everything that you input with
raw input is actually taken as a string, I still have to tell it that phones
is an integer and laptops is an integer for me to actually do this math, here
where I'm going to add both of these together and then print out the total.
Fr. Robert: Right.
Shannon: Okay.
Fr. Robert: What you're saying is remember, because
Python as we talked about in the first episode, the variables are dynamically
assigned right?
Shannon: Right.
Fr. Robert: In C# we had to tell it, this is an int, this is a float, this is a character, this is a string.
Shannon: Python you don’t have to do that.
Fr. Robert: Python doesn’t do that, you don’t have
to do that except when you start doing – if you go back to his code, when you
get to that line where you actually want to use numbers, you need to make sure
that Python has converted that into numbers otherwise it’s just defaulting for
a string.
Shannon: Okay, got it.
Dale: What it’ll actually end up doing is
just concatenating the two numbers together to make a long number that you
didn’t ask for.
Shannon: Oh no.
Fr. Robert: Right, right.
Dale: So let’s run this I guess.
Shannon: Yeah let’s do it.
Dale: Let’s see, do I have it here.
Fr. Robert: It’s here somewhere.
Dale: It’s a sanitizing input.
Shannon: Whatever I named it.
Fr. Robert: There it is, there it is.
Dale: Okay, how many phones have you broken?
Shannon: Twenty.
Dale: Twelve.
Fr. Robert: That’s later, that’s later.
Dale: How many laptops have you dropped? Two.
Shannon: Really, wow.
Fr. Robert: Really, just two. That’s pretty good.
Shannon: Way to go Dale.
Dale: And my total is 14.
Fr. Robert: Okay and that’s basic, that’s simple.
Shannon: It gets expensive real quick.
Fr. Robert: But let’s run it again because what we
want to check is we want to see if the program actually knows whether or not
it’s been given the right information.
Shannon: Right.
Dale: That’s right. So here we go again, how
many phones have I broken?
Shannon: Jelly Beans.
Fr. Robert: Go, jelly beans, absolutely.
Dale: Jelly beans.
Shannon: Just like that.
Dale: How many laptops have I actually
dropped?
Fr. Robert: Let’s actually give it a number, let’s
say how about just five. Let’s see what happens, so we’re mixing inputs.
Dale: Yup.
Fr. Robert: Oh.
Dale: How many phones have you broken?
Shannon: Oh so it just asks you again, it’s like
“Um—
Fr. Robert: So remember back to the code, actually go back to the code Bryan. Oh actually I'm
sorry, Dale if you could go back to your code.
Dale: Yeah uh-huh.
Fr. Robert: So what’s happening is it’s stuck in
that while loop because it never cleared it right? Because in the if statement it says both of these have to be true. In
the example we gave it only one was true and so therefore it failed the and statement and so clean was never set to true.
Shannon: So I guess one thing that I could do is
if I wanted to, under if I could add an else statement that says something like
“If this is not actually an integer digit then I could say that’s wrong, put in
another”.
Fr. Robert: Very good. Hey what are you doing? Get
that out of here. Exactly, yeah I mean this is a simple program so we didn’t do
that but you're exactly right. Yeah you could have an if else statement.
Dale: Yeah.
Fr. Robert: And an if else
statement all it says is “If this is true then do this. If
anything else, if it’s not true then do that”.
Shannon: Ah cool, okay I get it, I get it.
Fr. Robert: There we go, very nice Snubs.
Shannon: I'm learning.
Dale: How about print.
Shannon: So else, hey. So you're going to just
print out a statement that says something like “Uh that was wrong”. Oh, so you
also had to add that slash so it knows that the—
Dale: That’s it, I'm escaping the apostrophe.
Shannon: Yeah the apostrophe there is actually—
Dale: I could get around that by actually
using double quotes instead.
Fr. Robert: Right, right.
Shannon: Oh okay.
Fr. Robert: There we go.
Shannon: That’s not a number, whatcha doing?
Fr. Robert: Go ahead, yeah go ahead and run that.
Run that bad boy.
Dale: Yeah.
Fr. Robert: And now if we put jelly beans in there.
Dale: All right, jelly beans and tacos. Oh
wait what happened, it didn’t—
Fr. Robert: No the terminal window was still
running, it never—
Dale: Oh no, no it was – I ran it again it
should’ve taken.
Fr. Robert: The else statement.
Dale: Oh did I not save this – oh I didn’t
save this in the right spot.
Fr. Robert: Dale.
Dale: Got some explaining to do.
Fr. Robert: Now this is basic sanitizing. Now of
course what the guy who wrote OpenSSL, that module, what he had to do was far
more complicated than this but the theory is the same thing. You always need to
make sure anytime you're dealing with any sort of input, any sort of data that
it’s acting the way you want it to behave.
Shannon: Right.
Fr. Robert: If you don’t put a check you can get
bad things.
Shannon: And that’s what we get.
Fr. Robert: And that’s what we get.
Shannon: Okay so now it says print hey that’s
not a number and then it asks you again and then it redoes the loop.
Fr. Robert: It’s looping through, right.
Shannon: Cool.
Fr. Robert: Because remember we told the loop to
run until it got two valid inputs.
Shannon: Right, that makes sense, that’s
awesome.
Fr. Robert: Yeah, now Dale let’s go back to your
code for a second if you could. The pieces that our audience needs to know, the
pieces that they need to learn because they're new for this episode, is they
need to know the while loop, they need to know the function to actually check
the data, so isdigit, and they need to know if else,
we’re actually going to go more in depth on that next week but it’s actually not that
difficult to figure out. And the last part is they need to know the function
for int which actually turns that variable into a
number, right.
Shannon: Int phone
plus int laptops.
Fr. Robert: Now notice he has the int function to turn those into numbers. He has that after
it’s already checked the strings to make sure that they are actually numbers.
Shannon: Yeah.
Fr. Robert: Because you can’t actually run that if
someone gave you a string. You can’t say turn jelly beans into a number. They
will freak out.
Shannon: Ah, okay.
Fr. Robert: Yeah.
Shannon: Now I also noticed with isdigit, that can only work for positive numbers—
Dale: Yes.
Shannon: …so is there an option there if you
wanted to put in a negative number or something else.
Dale: There is if you want to – you actually
kind of have to get into a little bit of a try except, which is sort of error
handling.
Shannon: Oh, interesting.
Dale: Yeah, so in Python there is no real
easy way to sanitize without doing that. But yeah, so let’s pop this up here.
Fr. Robert: Yeah it’s not built in but you can sort
of code around it.
Dale: Yeah.
Shannon: That’s cool.
Dale: So let me pop this up here.
Fr. Robert: Yeah, yeah now Dale while you're
working on this, one of the things we’d love to talk about is obviously you
have to do these sorts of data checks, these sorts of variable checks when you're
coding in the real world. Do you have a good example of a time when people
didn’t properly sanitize their inputs and it led to some bad, bad things?
Dale: Oh yeah, well – or a situation where
you definitely want to have your inputs sanitized, where if you're accepting
email address and they put a comma in front of the dot coms instead of dot in
front of the com for the email address. And then they won’t get their email
notification. So you want to make sure that when they enter the email address,
they are actually putting in a valid email address that you can then
communicate with them with.
Fr. Robert: All right.
Shannon: I guess it could also be said that if
you have a text field like that on the internet anywhere where they say enter
an email address, and it doesn’t check to make sure it’s an email address they
could put another line of code in there.
Fr. Robert: Yeah.
Dale: Yeah.
Fr. Robert: And actually we just had an example of
that, you may have read that the quote unquote AT&T hacker was let out of
prison right? They dismissed the case. Well he didn’t really do any hacking, all
he did was he took advantage of some very sloppy programming that didn’t check
the input. It didn’t make sure that it was receiving any input that it couldn’t
properly process or would process in a way that they didn’t expect.
Shannon: Right.
Fr. Robert: So, I mean we see, it sounds really simple and you know when we look at the code that
created the Heartbleed bug we say “Oh god, why
wouldn’t you do that”. But it happens over and over again folks, so all we’re
saying is please, please, please even in the starting days when you're just
starting to pick up the compiler, make sure that
you get in the habit of checking your code. And you know what, we’re going to say
this, in future episodes when we have your user programs, we will favor the
ones that have some sort of sanitization.
Shannon: Oooh yes,
definitely.
Fr. Robert: Does that make sense?
Shannon: I’ll have to start checking for those
when I'm looking over the code on the Google Plus community. Now, before we
finish up Dale, I did want to check out that code that you just put in.
Dale: Yeah, yeah let’s take a look at it. So
here, you know it’s pretty much the same up until we get to now where the, what was that. So now instead of isdigit,
instead of an if statement asking if it’s a digit, we get a try, which is try
to convert this string into an integer.
Fr. Robert: Right, right.
Shannon: Ah.
Dale: If it fails, it will throw an
exception and the type of exception it will throw is a ValueError. So if that
happens then we’ll print “Hey you didn’t give me a number”.
Fr. Robert: Right, so essentially, instead of
running it through a function beforehand to make sure that it’s an integer that
it can use, you just ran it through the integer conversion and if it gave you
an error then you know that it wasn’t an integer.
Dale: Exactly, exactly.
Fr. Robert: Got it.
Dale: And I could’ve saved a step later in
the print statement and just used phones if I had just decided to actually
assign these integers to phones, if I’d decided to just say phones equals int
phones.
Shannon: Ah okay.
Dale: I could’ve done that and saved having
to do it down here. But I didn’t.
Shannon: But either way works the same.
Dale: Yeah.
Shannon: Cool.
Dale: So and if they do pass that test we go
to else and clean becomes true and the loop stops.
Fr. Robert: Fantastic.
Shannon: That’s awesome.
Fr. Robert: Dale, thank you so very, very much.
It’s always great to have you as our code warrior. Now Bryan our TD, can you
give us a little bit of a groove so we could play Dale out.
Shannon: Ooh.
Fr. Robert: Because Dale, we want to give you your
time here. I mean you’ve yourself selflessly.
[laughter]
Fr. Robert: Fantastic, I can’t talk today. To our
audience and where can they find you? Where can they find your art because
you're not just a programmer, right?
Dale: I'm a musician too.
Shannon: Yay.
Dale: And yeah I've got a song with Shannon
that you might know called SSH to your heart. Right now you guys have a coder
girl remix which you can find at dchase.bandcamp.com among all my other stuff.
What you got there is Love++ which is my most recent EP, which I released on
Valentine’s Day.
Shannon: And you actually did several songs with
one of the lovely ladies who works at Hak5.
Dale: Yes, yes, Sarah, she’s awesome.
Fr. Robert: Who might that be.
Shannon: Yes it’s Sarah.
Dale: Yeah so Love++ is like a companion
piece to my most recent full length Typedef which I
released around this time last year actually. So yeah check me out on Bandcamp at dchase.bandcamp.com.
Shannon: Yay.
Fr. Robert: Yay, that’s right folks, he is a
programmer, he’s a geek, he’s a musician, he is a
renaissance man. Dale Chase, Discovery Digital Networks, we’ll see you next
week.
Dale: Thank you guys, I’ll catch you later.
Shannon: Thank you Dale.
Fr. Robert: Now Shannon, that was a lot right. I
mean we—
Shannon: That was a lot. That was a lot of
information but it was really good information to get out there, especially
about sanitizing.
Fr. Robert: Yeah and you know it’s one of these
things that people always say “Oh I'm not going to get caught” but everyone gets
caught by it.
Shannon: Right, exactly.
Fr. Robert: Everyone, I’ll say it right now, if you
are not actively searching for values you did not expect you will be caught by
this bug at some point in the near future.
Shannon: There’s somebody out there who’s fishing
through all the websites looking for people who didn’t sanitize their code.
Fr. Robert: And they probably have a pineapple on
their shirt.
Shannon: They probably do.
Fr. Robert: They probably do. Now we don’t want to
just leave the folks thinking “Oh gosh, this firehose stuff is coming into my head”
Shannon: Right.
Fr. Robert: We have show notes right?
Shannon: We do, they're over at twit.tv/code
c-o-d-e, that’s where you can find the show notes for every single episode that
we do, even our old ones from C plus as well. And you can also find our GitHub link on there.
Fr. Robert: Which by the way I understand we are
having an issue right now, I'm not sure exactly what’s going on but the
revisions I'm making are not making it into the GitHub.
I may have to recreate it so if you could, if you’ve bookmarked that GitHub, please go back into the show notes and get the new
link to make sure you're getting the one that’s being updated.
Shannon: Right.
Fr. Robert: Also, don’t forget that we’re on
iTunes. Go ahead and jump into iTunes if you're an iCoder and help us spread the word about Coding 101. Believe it or not, we’re still
one of the most downloaded, subscribed-to podcasts. We want to keep that going.
We want people to understand the world around them and that means they're going
to have to learn how to code. So go tell people.
Shannon: No wait, people are watching the show?
Fr. Robert: I know, weird
right?
Shannon: That’s crazy. People are out there?
Fr. Robert: I know I've got a camera.
Shannon: That’s so weird. Well if you are out
there, hi. We’re also on YouTube. You can find us
over at youtube.com/twitcoding101 and that’s where you can find all sorts of
information about us and all of our YouTube episodes.
Fr. Robert: That’s right and also, we’ve got a G
Plus community and it’s vibrant. I am absolutely convinced we’re going to—
Shannon: I love the code that we’re getting on
our show.
Fr. Robert: Yeah, that’s where we pull this
stuff from, so if you want your code featured, you've got to go to our G Plus page. I
know we’re going to break a thousand subscribers before we hit the end of this
module.
Shannon: Where are we?
Fr. Robert: You could find us at
gplus.to/coding101.
Shannon: Oh my gosh, we
are at currently, where’s our numbers?
Fr. Robert: Boom, 815.
Shannon: 815, that’s awesome.
Fr. Robert: And you know what, if you are the
thousandth code monkey, code warrior, code person who joins our community, I
will send you an autographed Python compiler.
Shannon: What?
Fr. Robert: It’s free so.
Shannon: We could send an autographed picture.
Fr. Robert: We could, we don’t have any.
Shannon: They printed pictures for us.
Fr. Robert: Wait, they did?
Shannon: Well I got some. I could send you an
autograph.
Fr. Robert: I’ll sign one of Snubs’.
Shannon: You could sign one of me.
Fr. Robert: Also, if you're not into the G Plus
group, you could find us on Twitter. We’re both on Twitter, we’re both pretty
active and you can ask us questions there or you could ask us about guests that
you might want on our wildcard episodes between modules. You can find me at
twitter.com/padresj, that’s @padresj
Shannon: And I'm @Snubs.
Fr. Robert: Yeah and don’t forget you can watch us
each week on Thursdays at 1:30 pm Pacific time. If you come to live.twit.tv,
you'll see the pre-show, you'll see the post-show, you’ll see all the foibles. It’s actually a lot of fun right?
Shannon: It is super fun and we also listen to
you guys in the chat room. Hi everybody.
Fr. Robert: All the time.
Shannon: At irc.twit.tv so you can chat with us
during the show if you have questions.
Fr. Robert: Until next time, I'm Father Robert Ballecer.
Shannon: I'm Snubs.
Fr. Robert: End of line.