
Python Random Forest Classification

Yesterday, I learned to use random forest classification in Python at a workshop hosted by NYC Women in Machine Learning & Data Science, facilitated by data scientists from OnDeck.

Here is the solution file from the instructor.

Justin Law, one of the data scientists from OnDeck, said that this analysis is a very simple one compared to the ones he deals with at work on a daily basis. Still, it took more than three hours just to read through and understand.

Machine learning is a wonderful black box you can do a lot of damage with, even if you have no idea why things are happening in there.

Here’s another render of random forest classification. Once you’ve figured out the steps and the motions, hopefully you’ll understand some of the theories down the road.

Python Prank

Yesterday, I was chatting on Slack with fellow RC members about object-oriented programming and the Python language, when Paul Gowder brought up a prank he had written. It’s supposed to create a security hole, and suppress errors, so it becomes impossible to find bugs.

I started analyzing it line by line, with the help of Paul, Leo Torres and Sean Martin.

Line 3: class foo(str) declares foo to be a subclass of str, which means foo will do everything str does, plus anything else you add to it.

Line 4: Here, we define a __call__ method on class foo(str), which is what makes instances of foo callable like functions.

Line 6: We are calling exec on self, which interprets the string’s own contents as executable Python code.

Line 7: The except Exception part would suppress any errors we might get.

Line 10: Adding str = foo replaces the standard implementation of str with our new foo. This line is important for the code to be malware, because everything created with str() will actually be a foo(), which means that now your strings created with str() are callable. If they’re called, they’re executed as Python code.

Line 18: If we do evil(), we end up running exec 'print "EVIL"', which is interpreted as the Python code print "EVIL", which then just prints EVIL.

In a nutshell, anything that gets converted to a string with str() is turned into a function that you can call. One little typo, entering the name of a string variable rather than a function, and you’ve just executed whatever random code is contained in the string.

The stack trace you get won’t give you any obvious indication that what you called was a string. It’ll just throw errors related to whatever it is that you put in the string. Or, if there’s something that will actually run in the string, then it’ll just execute, and God only knows what happens then.

If our application reads a value with username = input(), and the user enters not a username but malicious code, that code ends up being run as soon as the string is called. Also, the except Exception part would suppress any errors we get from calling nonsense that way.

It kind of felt like music composition.
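As an added example (my own constructed Python 3 sketch, not Paul’s prank, which this post describes but does not reproduce), here are the two halves of the trick with the exec payload left out: a str subclass with __call__ makes every instance callable, and rebinding the name str inside a namespace makes every string built there an instance of that subclass. The names CallableStr, shadow_str, str_builtin_is_intact and find_callable_strings are all hypothetical; the last two are the kind of sanity check a test suite could run to notice that str has been shadowed, which is the practical takeaway from the analysis above.

```python
import builtins


class CallableStr(str):
    """Constructed stand-in for the prank's subclass foo(str).

    Defining __call__ makes every instance callable like a function. The
    real prank exec's the string's own contents here and swallows every
    exception; this version only records that it was called, so the
    mechanism can be shown without running anything.
    """

    def __call__(self, *args, **kwargs):
        # "called:" + self yields a plain builtin str, not another CallableStr
        return "called:" + self


def shadow_str(namespace):
    """Reproduce the prank's `str = foo` line for one namespace dict
    (a module's globals(), for example).

    Only the *name* str is rebound; builtins.str itself is untouched,
    which is exactly what the check below relies on.
    """
    namespace["str"] = CallableStr


def str_builtin_is_intact(namespace):
    """Hypothetical sanity check: True when `str` in `namespace` still
    resolves to the genuine builtin and a freshly built string is not
    callable. A plain string must never be callable."""
    bound = namespace.get("str", builtins.str)
    probe = bound("probe")
    return bound is builtins.str and not callable(probe)


def find_callable_strings(namespace):
    """Scan a namespace for values that look like strings but are callable,
    the telltale sign that something built them with a shadowed str()."""
    return sorted(name for name, value in namespace.items()
                  if isinstance(value, str) and callable(value))


def demo():
    # Constructed module-like namespace holding one ordinary string.
    ns = {"greeting": "hello"}
    before = str_builtin_is_intact(ns)          # True: nothing shadowed yet
    shadow_str(ns)                              # the prank's line 10
    ns["username"] = ns["str"]("alice")         # built with the shadowed str
    after = str_builtin_is_intact(ns)           # False: str is now CallableStr
    # The "typo" from the post: calling a string variable as if it were a
    # function. With the builtin str this raises TypeError; here it succeeds.
    result = ns["username"]()
    return before, after, find_callable_strings(ns), result


if __name__ == "__main__":
    print(demo())
```

The two checks only work because the prank rebinds the name str in a module rather than replacing builtins.str; comparing against builtins.str and probing callable() on a fresh string catches that shadowing, and scanning a namespace for callable str instances finds values that were already built with the shadowed constructor.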


© 2017
