Flask v. Django

    This is a lightning talk I gave a couple months ago at a PyLadies SF meetup.

    TL;DR: Both are great tools. Django is better for fast and Flask is better for flexible.

    I have to admit, I've never used Django in production, but I have used it for some test projects and loved it. When I first met Flask, I was confused about why anybody liked it. You'll see it in the slides, but a working Flask app can be just SEVEN LINES OF CODE. No plugins, no database, no nothing. (OK, that's a lie. You get Jinja templates.) Everything else you have to build or bolt on.

    I've used it for about six months now, and I love it. There's a lot of elbow room with Flask - you can build your app however you like and it can grow organically. Flask gives you the tools and lets you knock yourself out.

    To use a database with Flask, generally you use SQLAlchemy which IMHO is both the biggest strength and the biggest liability of Flask. SQLAlchemy does more than the Django ORM. It's fantastic, full-featured, well-documented...aaaaand it has a learning curve like Half Dome. The left side.

    It's not easy to get started if you're a beginner. Flask also has the problem/benefit of being under rapid development - there are more plugins written every day. (Literally. I wrote a mail plugin just to discover somebody published one two weeks after I finished mine.)

    However, if you have a group of strong coders, you can make Flask do magic. It's quick and agile once you get a handle on it.

    In the end, I think both tools are awesome. Are you a beginner, writing a standard website, or need to code fast? Django's your pal. Want flexibility, freedom and room to grow? Flask is pretty awesome too.

    100 year old vulnerability in master-keyed locks

    This one is filed under “things probably only Rachel finds interesting” but dammit, I do.

    Recently, I came across this article talking about a security flaw in master-keyed locks.

    You probably remember master-keyed locks from school: your teacher had a key to their classroom, but the janitor had a master key that opened all doors. There’s a flaw in this system that lets you recreate the master key easily if you have access to one of the locks and have (or have examined) its associated, non-master key.

    Locksmiths (and criminals) have known about this for over a hundred years, but it was made public only in 2003. (!)

    OK, first some background. The common household or commercial lock is a pin tumbler (I wrote "tumblr" first. I hate you, web 2.0.) cylinder lock.

    [Source: Wikipedia]

    The yellow and green bits are cylinders. The yellow one is where you stick your key in, and it rotates inside the green one. Normally, it’s prevented from doing that by the red and purple pins. At rest, they block the gap between the cylinders and prevent the yellow one from turning.

    When you put your key in the lock, the teeth on the key line up the pins so the gap between them coincides with the gap between the cylinders. This lets you rotate the yellow cylinder, opening the door.


    To make a lock take multiple keys, you just have multiple cuts in the pins:

    The second key lines up a different set of cuts and so opens the lock. This is how master keys work: each lock is set up so it’s opened by one unique combination (the teacher key) and one common one (the janitor/master key).

    Can you guess what the vulnerability is?

    I’ll give you a hint: there are more than two keys that open this lock.

    The trick is, the lock doesn’t care which pins line up with the cylinder. Any combination will do. If there are five pins in the lock, a key with four teeth the same as the teacher key and one the same as the master key will still open the lock.

    The attack works like this. Take a high school kid (we’ll call him Roger, no relation to my boyfriend at the time) with a predilection for trouble and access to one of the teacher keys. He could have a physical key (say he works as an aide for one of the teachers) or he could have just handled a key (the teacher temporarily lent him her keys to open the door). According to the article, pin height is usually standardized. An expert can look at a key and memorize the values. A photo or an impression in clay would also work.

    Let’s say Roger figures out the key is for a five pin lock with pin heights from 1-4. In this notation, his key is 23421.

    All he has to do is make keys where only one of the pins changes:

    • 43421
    • 33421
    • 13421

    and try them in the lock. If 33421 opens the lock, he knows the first pin of the master key is 3. It’s very common for people to fumble with keys, so trying three or four keys in a row won’t make anybody suspicious. Then repeat for each of the pins.

    Also note Roger doesn’t have to try all combinations at once - he could vary a new pin each day. By the end of the week, he’d have the set and the entire weekend to break into the principal’s office and do unspeakable things to his desk.

    I’ve glossed over some of the details, but the scholarly article is short and quite readable. Recommended: http://www.crypto.com/papers/mk.pdf
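    A toy simulation of the mechanism above, added here as an illustration (it is not code from the post or from the paper it links), showing why a key that mixes teacher and master cuts opens the lock and how few probes the pin-by-pin search needs compared with guessing all 1024 five-pin combinations. Roger's key 23421 is from the post; the master cuts 31243 are a constructed value.

```python
# Toy model of a master-keyed pin-tumbler lock (constructed example, not from the post).
# Each pin stack has two shear points: one at the change (teacher) key's cut and one
# at the master key's cut, so the lock accepts any per-pin mix of the two depths.

PINS = 5
HEIGHTS = range(1, 5)  # cut depths 1-4, the notation used in the post


class MasterKeyedLock:
    def __init__(self, change_key, master_key):
        assert len(change_key) == PINS and len(master_key) == PINS
        self.change_key = tuple(change_key)
        self.master_key = tuple(master_key)

    def opens(self, key):
        """The lock does not care which shear line each pin uses; any mix works."""
        return all(k in (c, m) for k, c, m in zip(key, self.change_key, self.master_key))


def recover_master(lock, change_key):
    """The pin-by-pin search from the post: vary one position at a time and keep
    whatever opens. Returns the recovered master cuts and the number of probes used."""
    master = list(change_key)
    probes = 0
    for i in range(PINS):
        for h in HEIGHTS:
            if h == change_key[i]:
                continue  # that depth is already known to work at this pin
            probe = list(change_key)
            probe[i] = h
            probes += 1
            if lock.opens(probe):
                master[i] = h
                break
        # if nothing else opened, the master cut equals the change cut at this pin
    return tuple(master), probes


def max_probes():
    """Upper bound on probes for this search: (depths - 1) tries per pin."""
    return PINS * (len(HEIGHTS) - 1)  # 15


def naive_keyspace():
    """Keys a blind guesser would have to consider: every combination of depths."""
    return len(HEIGHTS) ** PINS  # 1024


if __name__ == "__main__":
    change = (2, 3, 4, 2, 1)  # Roger's teacher key, 23421
    lock = MasterKeyedLock(change, (3, 1, 2, 4, 3))  # constructed master cuts
    print(recover_master(lock, change), max_probes(), naive_keyspace())
```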

    Bicycle Repair (Wo)man

    As many of you know, I have a NEW JOB. Hooray!

    New Job is all of 2.5 miles from my house, so I figured I probably shouldn’t be a lazyass and drive. So I bought a bike. Used. Off Craigslist. Late at night from an Irish guy out of a warehouse and it was not at all sketchy.

    BEHOLD. My new bike:


    Yeah, yeah, okay, it’s not very impressive. “Hell of ugly” you might say. It was $80 off Craigslist. Whadda want.

    It worked fine enough for 2.5 miles over flat territory, but after riding it a few times, I noticed it had a few issues:

    • A complete lack of interest in going up to a higher gear
    • If I got it in a higher gear, after a minute it’d decide it’d really rather not
    • It made weird grumbly noises if I really really insisted on being in a higher gear
    • I got too much of a workout riding the thing 2.5 miles over flat ground

    Did I mention used? Craigslist? Eighty bucks?

    So I went on Youtube, looked up “bicycle repair” and I’ve been able to fix most of the problems. I’ll be writing this down so I remember what the hell I did, and maybe one of you will have a cheapass bike that needs fixing.

    Bad Cable Tension

    One of the first videos I found was this one, on how to adjust cable tension. Sure enough, the rear cable was hell of loose. I hand-tightened it up to where it looked OK. Shifting the rear gears worked better after that.

    Tightening the rear cable

    Bad Shifter Tension (?)

    I don’t know what to call this - I couldn’t find a video on it. The problem was the front shifter would not stay in a higher gear. You ratchet it up and it would ratchet itself right back down, thank you very much.

    Turns out there’s a screw on the shifter that was really, really loose.

    I screwed it good.

    I screwed it in until it was tight. That fixed it. Yes, I am a genius.

    Front derailleur is whack

    This guy, despite his annoying habit of telling you what to do, and then remembering the three steps you should do before you do that thing, walks you through adjusting the low and high limits for the derailleur. This sets how high and low it shunts the chain.

    On my bike, the limit screws look like this:

    There's a joke to be made here about high and low screwing, but this is a classy place.

    Sure enough, they were wildly off on my bike, and I’m still not sure I have the high limit set right. At least I can get it into high gear.

    Brakes are whack

    As I finished all that stuff up, I noticed the front brakes were really tight and one side was rubbing against the tire. So THAT’s why I get a really nice workout riding the bike.

    The light outside’s going, so I’ll probably adjust this tomorrow.

Contents © 2013 Rachel Sanders