serialized delusions


Friday 1 February 2019

Flat for sale

I'm selling a studio apartment in Bratislava - Dúbravka, 60km from Vienna (1 hour by train). The apartment consists of a living room with kitchen, a bathroom and an entrance room with a clothes closet. It's oriented to the west, located on the 9th floor (there's a lift) of a condominium, in the immediate vicinity of public transport and all amenities. The building has been completely renovated and there are good neighbors.

Floor area: 26m^2 + 2m^2 cellar
Price: 25 BTC

Contact me by mail: juraj () coinbr com

Tuesday 29 January 2019

CoinBr broker going offline

The online part of CoinBr has become a liability and it has been forced read-only for several months. During this time, no monthly fees were asked. Now it is offline completely. All assets are intact and broker will manage them offline. I have sent individual instructions using registration email to all accounts that had any balances, contact me by email or irc if you haven't received anything.

From now on, all orders should be submitted by email or irc, and encrypted to jurov's GPG key. To migrate your account, your GPG key must be associated with old CoinBr account as per instructions in the email.

The CoinBr fees from now on are as follows:

  • Monthly fee: none
  • Buying/Selling/Option exercise fee: 0.5% from traded amount in BTC, no referral bonus
  • BTC withdrawals and asset transfers: 0.02 BTC per.

Wednesday 11 January 2017

Jurov's crappy guide to Let's Encrypt

Or, rather, something to remind me of all the assorted nooks and crannies for next time.

Continue reading...

Sunday 11 December 2016

Thought about Python 3

The post prompted me to consider . While I don't reject py3k out of hand, there is some foul smell.

Continue reading...

Thursday 2 June 2016

Converting RSA public keys from OpenSSH into GPG

All snippets are for Python 2.

Extracting parameters from SSH key.

The format is blessedly simple, so we can do this without additional libraries. For anything beyond, paramiko probably has it.

import base64
import struct
import binascii

def parsersakey(data):
    """:param data: RSA ssh pubkey string in rfc4253 ssh-rsa format
    :returns tuple exponent,modulus,comment. """
    data = data.encode('ascii').split(b' ',2)
    x = base64.b64decode(data[1])
    res = []
    start = 0
    while(start < len(x)-4):
        l = struct.unpack('>l',x[start:start+4])[0]
        r = struct.unpack('%ds' % l, x[start+4:start+4+l])
        start = start+4+l
        res.append(r[0])
    if(len(res) != 3):
        raise Exception("unexpected # of pieces: %d" % len(res))
    if(start != len(x)):
        print("len got: %d expected: %d" % (len(x),start))
        res.append(x[start:])
    else:
        res.append([])
    if res[0] != b"ssh-rsa":
        raise Exception("not rsa key: %s" % binascii.hexlify(res[0]))
    e = 0
    for i in res[1]:
        e = (e<<8) + ord(i)
    N = 0
    for i in res[2]:
        N = (N<<8) + ord(i)
    return (e,N,data[2] if len(data) == 3 else '')

Creating a PGP pubkey from the parameters

Uses PGPy 0.4.0. There is no API for creating keys from known RSA parameters, so the classes need some massaging. YMMV with other PGPy versions.

The resulting key can be converted to rfc4880 form just by applying str() on it.

import pgpy
from pgpy.packet.fields import RSAPub,MPI
from pgpy.packet.packets import PubKeyV4
from pgpy.constants import PubKeyAlgorithm

def custRSAPub(n,e):
    res = RSAPub()
    res.n = MPI(n)
    res.e = MPI(e)
    return res

def custPubKeyV4(custkey):
    res = PubKeyV4()
    res.pkalg = PubKeyAlgorithm.RSAEncryptOrSign
    res.keymaterial = custkey
    res.update_hlen()
    return res

def rsatogpg(e,N,name,**idargs):
    """
    :param e,N: RSA parameters as Python integers or longints
    :param name: Identity name
    :param idargs: PGP Identity parameters, such as comment,email
    :return: PGPy pubkey object
    """
    rsakey = custPubKeyV4(custRSAPub(N,e))
    pgpkey = pgpy.PGPKey()
    pgpkey._key = rsakey

    uid = pgpy.PGPUID.new(name, **idargs)
    uid._parent = pgpkey
    pgpkey._uids.append(uid)
    return pgpkey
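
Added example (not from the original post, and written for Python 3 rather than the post's Python 2): a bounds-checked version of the ssh-rsa parse, plus the RFC 4880 v4 fingerprint computed directly from (e, N) without PGPy. The fingerprint hashes the key creation time, which an SSH key does not carry, so the same SSH key converted with two different timestamps yields two different PGP fingerprints. SAMPLE_N, SAMPLE_LINE and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_ssh_rsa(line):
    """Strict parse of an RFC 4253 ssh-rsa public key line -> (e, n, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])  # uint32, unsigned
        pos += 4
        if length > len(blob) - pos:
            raise ValueError("field overruns the blob")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("unexpected ssh-rsa structure")
    if any(not f or f[0] & 0x80 for f in fields[1:]):
        raise ValueError("empty or negative mpint")  # mpint is two's complement
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    return e, n, parts[2] if len(parts) == 3 else ""

def mpi(x):
    """RFC 4880 MPI: 2-byte bit count followed by the big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def v4_fingerprint(e, n, created):
    """SHA-1 over 0x99, 2-byte body length and the v4 public-key packet body."""
    body = struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)  # algorithm 1 = RSA
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

# Constructed sample input: SAMPLE_N only has the right size, it is not a real modulus.
def ssh_field(b):
    return struct.pack(">I", len(b)) + b
def ssh_mpint(x):
    return ssh_field(x.to_bytes(x.bit_length() // 8 + 1, "big"))  # room for the sign bit
SAMPLE_N = (1 << 2047) + 0x1234567
SAMPLE_LINE = "ssh-rsa %s user@example" % base64.b64encode(
    ssh_field(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(SAMPLE_N)).decode()

if __name__ == "__main__":
    e, n, comment = parse_ssh_rsa(SAMPLE_LINE)
    for created in (0, 1464825600):  # same key material, two arbitrary timestamps
        print(created, v4_fingerprint(e, n, created))
```

When converting, record the creation timestamp that was used; it is needed to reproduce the same fingerprint from the same SSH key later.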

Sunday 10 April 2016

Scripting the web

This blog, like any blog, attracts plenty of comment spam. But so far there's not much traffic and I was filtering it manually. There is a lot of repeated spam, which should be easy to filter automatically.

Continue reading...

Wednesday 2 March 2016

Wget malignant featuritis

I had problems finding stuff in the deedbot archive, so I decided to make a mirror to be able to grep things in it. Such a simple website would be an ideal job for wget, no?

Continue reading...

Tuesday 1 March 2016

F.MPIF 2015 trading statements

The trading was not very eventful, so I ceased to blog the report every month and they were published only via deedbot. But having some TOC for them is in order.

Continue reading...

Monday 29 February 2016

Embedded Common Lisp for Eulora

I have not commented on Eulora here yet, afraid it would come out as rambling and swearing. Mostly due to need for repetitive tasks and barely adequate bots in existence. I play it quite much anyway, even became official dealer of game currency.

Continue reading...

Wednesday 2 December 2015

Tragedy of web security

I have found myself in the middle of a depressing discussion about XSS. A security company released a scary video showing how it is used in practice to hijack an admin session. And the reactions? As usual.

"This won't happen with $magicunicornframework, ain't no shitty PHP."

"Easy, just tie it to user's browser version, system version, IP address, geo location, shoe size...."

"That's banal bug, we only need proper sanitation of user input."

As happens to me more and more often recently, such situations ring my "let's invent us a profitable hard problem" sense. In this case... is there really no way for application A running on computer AA to uniquely authenticate to application B running on server BB? I thought this was a solved problem in crypto, we have Diffie-Hellman, PKI,...

But it's impossible when A may run rogue code and access these secrets! We can't do much about it!

Oh really, then why do you have that shit code manage secrets?

*Silence*.

I can't believe no one ever thought of a way for a browser to authenticate a session without giving out secrets to anyone, including javascript. It would be a really worthwhile addition to the HTTP protocol... but let's instead do compression and pipelining and whatnot. Actually it goes way back to the beginning, when HTTP login authentication went largely unused because browser vendors forgot to include a logout button. Just sad.

Update: got a reply from the security company owner, and it's really symptomatic:

Nonsense. We have so much work that we'd like to solve interesting problems and not trivial bullshit. And there are many more areas that need better security. Our goal is better internet and I don't know any pentester who has fun to submit same bugs over and over. We also want new challenges and to move on so I believe such bugs will soon really be solved with frameworks, better session management and proper separation of contexts (text, html, javascript, data, css, data from user, data from server, ...)

Sunday 2 August 2015

F.MPIF July 2015 trading statement

GPG signed statement

Continue reading...

Wednesday 1 July 2015

F.MPIF June 2015 trading statement

GPG signed statement

Continue reading...

Friday 5 June 2015

Eulora 0.1.0 for Windows

My fateful involvement with #bitcoin-assets was today sealed with another achievement.

Continue reading...

Monday 1 June 2015

F.MPIF May 2015 trading statement

GPG signed statement

Continue reading...

Saturday 2 May 2015

F.MPIF April 2015 trading statement

GPG signed statement

Continue reading...

Wednesday 1 April 2015

F.MPIF March 2015 trading statement

GPG signed statement

Continue reading...

Sunday 1 March 2015

F.MPIF February 2015 trading statement

GPG signed statement

Continue reading...

Monday 2 February 2015

F.MPIF January 2015 trading statement

GPG signed statement - January

December statement was originally published only on #bitcoin-assets: GPG signed statement - December

Continue reading...

Tuesday 2 December 2014

The Bitcoin Foundation November 2014 Statement

GPG signed statement

Continue reading...

F.MPIF November 2014 trading statement

GPG signed statement

Continue reading...
