python - Dave's Blog

My timeline on Mastodon

Let's Encrypt Update

2016 Nov 5, 8:59

Since I had last posted about using Let's Encrypt with NearlyFreeSpeech, NFS has changed their process for setting TLS info. Instead of putting the various files in /home/protected/ssl and submitting an assistance request, now there is a command to submit the certificate info and a webpage for submitting the certificate info.

The webpage is{username}/sites/{sitename}/add_tls and has a textbox for you to paste in all the cert info in PEM form into the textbox. The domain key, the domain certificate, and the Let's Encrypt intermediate cert must be pasted into the textbox and submitted.

Alternatively, that same info may be provided as standard input to nfsn -i set-tls

To renew my certificate with the updated NFS process I followed the commands from Andrei Damian-Fekete's script which depends on

python --account-key account.key --csr domain.csr --acme-dir /home/public/.well-known/acme-challenge/ > signed.crt
wget -O - > intermediate.pem
cat domain.key signed.crt intermediate.pem > chained.pem
nfsn -i set-tls < chained.pem
Because my certificate had already expired I needed to comment out the section in that validates the challenge file. The filenames in the above map to the following:
  • signed.crt is the Let's Encrypt provided certificate
  • account.key is the user private key registered with LE
  • domain.csr is the cert request
  • domain.key is the key for the domain cert
PermalinkCommentscertificate lets-encrypt

laughingsquid:‘Find a Fish’, The Classic Surreal Intermission...

2015 Apr 8, 5:02


‘Find a Fish’, The Classic Surreal Intermission Sketch From Monty Python’s 1983 Film ‘The Meaning of Life’

Surprisingly often quoted ‘a fish fish fishy, oh!’ with my roommates in college.


laughingsquid:‘Find a Fish’, The Classic Surreal Intermission...

2015 Apr 8, 5:02


‘Find a Fish’, The Classic Surreal Intermission Sketch From Monty Python’s 1983 Film ‘The Meaning of Life’

Surprisingly often quoted ‘a fish fish fishy, oh!’ with my roommates in college.


Retweet of newsycombinator

2015 Feb 24, 6:31
Proving that Android’s, Java’s and Python’s sorting algorithm is broken …

harmony:generators [ES Wiki]

2013 Dec 17, 9:01

Adds the yield keyword enabling you to write JS code that sort of looks like C# await.


First-class coroutines, represented as objects encapsulating suspended execution contexts (i.e., function activations). Prior art: Python, Icon, Lua, Scheme, Smalltalk.

PermalinkCommentstechnical javascript

Stripe CTF - Level 8

2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the password stored directly via a RESTful API and optionally indirectly via a callback URI. The solution is side channel attack like a timing attack but with ports instead of time.

(I found this in my drafts folder and had intended to post a while ago.)


    def nextServerCallback(self, data):
parsed_data = json.loads(data)
# Chunk was wrong!
if not parsed_data['success']:
# Defend against timing attacks
remaining_time = self.expectedRemainingTime()
self.log_info('Going to wait %s seconds before responding' %
reactor.callLater(remaining_time, self.sendResult, False)



The password server breaks the target password into four pieces and stores each on a different server. When a password request is sent to the main server it makes requests to the sub-servers for each part of the password request. It does this in series and if any part fails, then it stops midway through. Password requests may also be made with corresponding URI callbacks and after the server decides on the password makes an HTTP request on the provided URI callbacks saying if the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four, but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
PermalinkCommentsbrute-force password python side-channel technical web Act like a decrypting hacker on tv (

2012 Aug 8, 3:34

A python script that d3crypt5 the input pipe’s ASCII content from ASCII garbage slowly into the correct output.

PermalinkCommentstechnical humor hack decrypt

Some Datasets Available on the Web - Data Wrangling Blog

2009 Feb 23, 10:34Lots of neat web APIs. Added to Delicious network. "Over the past year, I've been tagging interesting data I find on the web in I wrote a quick python script to pull the relevant links from my export and list them at the bottom of this post. Most of these datasets are related to machine learning, but there are a lot of government, finance, and search datasets as well."PermalinkCommentsapi data semanticweb information reference
Older Entries Creative Commons License Some rights reserved.