Archive for the ‘security’ Category

don’t use free proxy servers

January 4, 2015

Why are free proxies free?

because it’s an easy way to infect thousands of users and collect their data

When you download a page via a proxy server, there is no guarantee that you get the original page… There is a high risk that the proxy server sent you back a modified page. Read the article above for more details.

Categories: network, security

run a script as another user without password

October 8, 2013

You can run a program/script/command as another user the following way (example):

sudo -u www-data /bin/date

That is, /bin/date is executed as www-data and you get its output. However, sudo asks for your password.

Question: how to execute the command above without a password check?


Create the file /etc/sudoers.d/date_test :

jabba ALL=(www-data) NOPASSWD: /bin/date

Meaning: allow the user “jabba” to execute “/bin/date” as “www-data” without asking for a password.

You should read /etc/sudoers.d/README, it contains important pieces of information:

  • the name of the file you create must not contain ‘~’ or ‘.’
  • the file must have mode 0440
  • the command at the end of each line must be given with an absolute path

Tip from here.
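The three rules above are easy to get wrong by hand, so here is an added example (not part of the post) that checks a drop-in before it is installed: it applies the README rules to the file name, mode and command paths, and additionally flags a NOPASSWD rule that covers ALL commands. The rule grammar is a simplified regex of my own, not sudo’s full parser, and the sample rule strings are the post’s own plus constructed bad ones.

```python
import re
import stat

# Simplified grammar of one sudoers user specification, enough for drop-ins
# like the one in the post; this is a regex, not sudo's full parser.
SUDOERS_LINE = re.compile(
    r"^(?P<user>\S+)\s+"                  # user or %group
    r"(?P<hosts>\S+?)\s*=\s*"             # host list (ALL in the post)
    r"\((?P<runas>[^)]+)\)\s+"            # (runas user)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"          # optional tags such as NOPASSWD:
    r"(?P<cmds>.+?)\s*$"                  # comma-separated command list
)

def lint_sudoers_dropin(filename, mode, content):
    """Return a list of problems with a /etc/sudoers.d drop-in, or [] if clean.

    filename: basename of the file under /etc/sudoers.d
    mode:     permission bits, e.g. os.stat(path).st_mode or 0o440
    content:  text of the file
    """
    problems = []
    # Rules from /etc/sudoers.d/README as quoted in the post.
    if "." in filename or "~" in filename:
        problems.append("filename %r contains '.' or '~'; sudo ignores such files" % filename)
    if stat.S_IMODE(mode) != 0o440:
        problems.append("mode is %04o, must be 0440" % stat.S_IMODE(mode))
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            problems.append("line %d: not a recognised user specification" % lineno)
            continue
        passwordless = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            prog = parts[0]                    # drop arguments, keep the program
            if prog == "ALL":
                if passwordless:
                    problems.append("line %d: NOPASSWD on ALL lets %s run any command as %s without a password"
                                    % (lineno, m.group("user"), m.group("runas")))
            elif not prog.startswith("/"):
                problems.append("line %d: command %r is not an absolute path" % (lineno, prog))
    return problems

if __name__ == "__main__":
    # The post's own rule passes; a constructed sloppy variant does not.
    print(lint_sudoers_dropin("date_test", 0o440, "jabba ALL=(www-data) NOPASSWD: /bin/date\n"))
    print(lint_sudoers_dropin("date.test", 0o644, "jabba ALL=(www-data) NOPASSWD: date\n"))
```

Run it over the real file with `os.stat("/etc/sudoers.d/date_test").st_mode` as the mode argument; `visudo -c -f FILE` remains the authoritative syntax check, this only catches the mistakes the README warns about.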

Categories: bash, security

setfacl / getfacl

October 8, 2013

With ACL (Access Control List) you can set exactly who can access your files and directories. With ACL you can set things like “nobody can read this file except user XY”, or “no one can write this directory except the user Z”.

With setfacl you set the ACL rights. With getfacl you query the ACL rights of a file or folder.

Example #1
You have a pmwiki installation that runs on an Apache webserver. PmWiki has a directory called “wiki.d” that must be writable by the web server, otherwise you cannot edit your wiki from a browser. Behind the scenes it is Apache’s www-data user that writes to this directory.

A naive approach is to “chmod 777 pmwiki/wiki.d”. In that case anyone with shell access to the server can modify the contents of this directory.

A better way is to give the necessary grants to Apache’s www-data user:

setfacl -R -m u:www-data:rwx $HOME/public_html/pmwiki/wiki.d

Thanks to Jeszy for the tip.

Example #2
You have a web application that uses an SQLite database. Again, the www-data user needs to write into it. In addition, www-data must also be able to write to the directory that contains the database file, because SQLite creates its journal file next to the database.

$ cd /home/jabba/public_html/myapp
# say we have here an sqlite.db file
$ setfacl -m u:www-data:rw sqlite.db
$ setfacl -m u:www-data:rwx .

To grant rights to a group, use “g:groupid:rights” instead of “u:userid:rights”.
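After running setfacl it pays to check who can actually write, because a named entry is capped by the ACL mask and “other” is what the chmod 777 approach opens up. The following is an added example, not code from the post: it parses the text that getfacl prints and computes the effective rights per principal. The getfacl outputs below are constructed to look like the two examples above, not captured from a real system.

```python
# Constructed getfacl output, shaped like the result of
# `setfacl -m u:www-data:rwx sqlite.db` on a file whose mask is rw-.
SAMPLE_GETFACL = """\
# file: sqlite.db
# owner: jabba
# group: jabba
user::rw-
user:www-data:rwx
group::r--
mask::rw-
other::r--
"""

# Constructed output for the naive "chmod 777" directory from Example #1.
SAMPLE_777 = """\
# file: wiki.d
# owner: jabba
# group: jabba
user::rwx
group::rwx
other::rwx
"""

def parse_getfacl(text):
    """Return (filename, [(tag, qualifier, perms)]) from getfacl's text output."""
    filename = None
    entries = []
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()   # drop getfacl's own effective-rights note
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# file:"):
                filename = line.split(":", 1)[1].strip()
            continue
        tag, qualifier, perms = line.split(":")[:3]
        entries.append((tag, qualifier, perms))
    return filename, entries

def perms_and(a, b):
    """Intersection of two rwx strings, e.g. perms_and('rwx', 'rw-') == 'rw-'."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))

def effective_rights(entries):
    """Map (tag, qualifier) to effective rights.

    The mask entry caps named users, named groups and the owning group;
    the owner (user::) and other:: entries are never masked.
    """
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[(tag, qualifier)] = perms_and(perms, mask) if (masked and mask) else perms
    return result

def writers(entries):
    """Sorted names of principals with write access; 'other' means world-writable."""
    names = []
    for (tag, qualifier), eff in effective_rights(entries).items():
        if "w" not in eff:
            continue
        if tag == "user" and qualifier == "":
            names.append("owner")
        elif tag == "group" and qualifier == "":
            names.append("owning group")
        elif tag == "other":
            names.append("other")
        else:
            names.append(qualifier)
    return sorted(names)

if __name__ == "__main__":
    for sample in (SAMPLE_GETFACL, SAMPLE_777):
        fn, entries = parse_getfacl(sample)
        print(fn, "writable by:", writers(entries))
```

Feed it real output with `parse_getfacl(subprocess.check_output(["getfacl", path], text=True))`; a result containing “other” is the world-writable case the post argues against.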

Categories: bash, security, ubuntu

MD5 decrypter

October 2, 2013

MD5 is a hash function, not encryption: from the hash value you cannot recover the original content. However, you can take a dictionary, hash every word in it with MD5, and compare each result with the hash you have. If there is a match, the MD5 hash is cracked. “… allows you to input an MD5 hash and search for its decrypted state in our database, basically, it’s a MD5 cracker / decryption tool… We have a total of just over 43.745 billion unique decrypted MD5 hashes since August 2007.” (source)

So, if you store your passwords as MD5 hashes and someone gets access to them, they are not safe at all… If an MD5 hash was generated from a weak password, it can be cracked in an instant with the tool above.

OK, but… how should I store the passwords then?
See this post for a great tip: How to store and verify a password?
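To make the two halves of the argument concrete, here is an added example (not code from the post or the linked one): an unsalted MD5 of a weak password is a single dictionary lookup, while the storage scheme the linked post recommends, a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here), makes every guess cost a full derivation and defeats precomputed tables. The word list is a constructed stand-in for a real dictionary.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary file (not from the page).
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def build_md5_table(words):
    """Precompute md5(word) -> word; an 'MD5 decrypter' is just a large table like this."""
    return {md5_hex(w): w for w in words}

def lookup_md5(table, digest):
    """Return the word whose MD5 equals digest, or None when it is not in the table."""
    return table.get(digest.lower())

# Recommended storage instead: random per-user salt and a deliberately slow KDF.
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storing in the user table."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("md5 of a weak password recovered:", lookup_md5(table, md5_hex("password123")))
    stored = hash_password("password123")
    print("stored record:", stored)
    print("verify correct:", verify_password("password123", stored))
    print("verify wrong:  ", verify_password("password124", stored))
```

Because the salt is random, hashing the same password twice gives two different records, so a table built once cannot be reused across users or sites; the iteration count is stored with the hash so it can be raised later without invalidating old records.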

Categories: security, Uncategorized

Online Security

June 29, 2013

Read this: The Best Browser Extensions that Protect Your Privacy @lifehacker.

I installed the following extensions:

Categories: firefox, security

Storing sensitive data in your Dropbox folder

January 7, 2012

You want to store some sensitive data in your Dropbox folder, e.g. passwords. How can you protect this data?

In your Dropbox folder create a Truecrypt volume and store your data in this encrypted virtual file system. For more info refer to this article.

I wanted to store some credentials that I wanted to access from several machines. In my Dropbox folder I created a 10 MB Truecrypt volume. I mounted it and put the sensitive data in it.

Categories: security

Download cookie-protected pages with Python using cookielib (Part 2)

September 11, 2011

Warning! In this post I use the Project Euler site as an example. However, this method seems not to work with that site anymore: the PE site was updated recently and something changed. The method described below may still work well with other sites.

Update (20111108): If you want to scrape the Project Euler site, check out Part 3 of this series.

In Part 1 we showed how to download a cookie-protected page with Python + wget. First, cookies of a given site were extracted from Firefox’s cookies.sqlite file and they were stored in a plain-text file called cookies.txt. Then this cookies.txt file was passed to wget and wget fetched the protected page.

The solution above works but it has some drawbacks. First, an external command (wget) is called to fetch the webpage. Second, the extracted cookies must be written in a file for wget.

In this post, we provide a clean, full-Python solution. The extracted cookies are not stored in the file system and the pages are downloaded with a Python module from the standard library.

Step 1: extracting cookies and storing them in a cookiejar
On the blog of Guy Rutenberg I found a post that explains this step. Here is my slightly refactored version:

#!/usr/bin/env python

import os
import sqlite3
import cookielib
import urllib2

COOKIE_DB = "{home}/.mozilla/firefox/cookies.sqlite".format(home=os.path.expanduser('~'))
CONTENTS = "host, path, isSecure, expiry, name, value"
COOKIEFILE = 'cookies.lwp'          # the path and filename that you want to use to save your cookies in
URL = ''                            # the protected page to download (fill in)

def get_cookies(host):
    cj = cookielib.LWPCookieJar()       # This is a subclass of FileCookieJar that has useful load and save methods
    con = sqlite3.connect(COOKIE_DB)
    cur = con.cursor()
    # the host is bound as a query parameter instead of being pasted into the SQL string
    sql = "SELECT {c} FROM moz_cookies WHERE host LIKE ?".format(c=CONTENTS)
    cur.execute(sql, ('%' + host + '%',))
    for item in cur.fetchall():
        # Cookie(version, name, value, port, port_specified, domain, domain_specified,
        #        domain_initial_dot, path, path_specified, secure, expires, discard,
        #        comment, comment_url, rest)
        c = cookielib.Cookie(0, item[4], item[5],
            None, False,
            item[0], item[0].startswith('.'), item[0].startswith('.'),
            item[1], False,
            item[2], item[3], item[3]=="",
            None, None, {})
        cj.set_cookie(c)                # without this the jar would stay empty
    con.close()
    return cj

def main():
    host = 'projecteuler'
    cj = get_cookies(host)
    for index, cookie in enumerate(cj):
        print index,':',cookie    # save the cookies if you want (not necessary): cj.save(COOKIEFILE)

if __name__=="__main__":
    main()

Step 2: download the protected page using the previously filled cookiejar
Now we need to download the protected page:

def get_page_with_cookies(cj):
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

    theurl = URL    # an example url that sets a cookie, try different urls here and see the cookie collection you can make !
    txdata = None   # if we were making a POST type request, we could encode a dictionary of values here - using urllib.urlencode
    #params = {}
    #txdata = urllib.urlencode(params)
    txheaders =  {'User-agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'}  # fake a user agent, some websites (like google) don't like automated exploration

    req = urllib2.Request(theurl, txdata, txheaders)    # create a request object
    handle = opener.open(req)       # open it through the cookie-aware opener (plain urllib2.urlopen would not send the cookies)
    return handle.read()            # the HTML of the protected page

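The two steps above as one offline, runnable piece; this is an added example, not code from the post or from jabbapylib. It is written for Python 3 (http.cookiejar and urllib.request take the place of cookielib and urllib2), fills a constructed in-memory table shaped like Firefox’s moz_cookies instead of reading a real profile, binds the host as a query parameter, and then asks the jar which Cookie header it would attach to a request. That last step also shows the point worth knowing about the isSecure column: a cookie flagged secure is withheld from a plain http request. The hostnames and cookie values are made up.

```python
import sqlite3
import time
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Columns of Firefox's moz_cookies table used in the post.
CONTENTS = "host, path, isSecure, expiry, name, value"

def make_sample_db():
    """Build an in-memory table shaped like moz_cookies with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_cookies "
                "(host TEXT, path TEXT, isSecure INTEGER, expiry INTEGER, name TEXT, value TEXT)")
    far_future = int(time.time()) + 365 * 24 * 3600
    rows = [
        (".example.org", "/", 1, far_future, "session", "abc123"),   # secure cookie
        (".example.org", "/", 0, far_future, "lang", "en"),          # plain cookie
        ("other.test", "/", 0, far_future, "session", "zzz"),        # unrelated site
    ]
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con

def get_cookies(con, host):
    """Load the cookies whose host contains `host` into a CookieJar (Step 1)."""
    cj = CookieJar()
    # Parameterized LIKE: the host is bound as a value, never pasted into the SQL text.
    sql = "SELECT %s FROM moz_cookies WHERE host LIKE ?" % CONTENTS
    for host_, path, is_secure, expiry, name, value in con.execute(sql, ("%" + host + "%",)):
        # Cookie(version, name, value, port, port_specified, domain, domain_specified,
        #        domain_initial_dot, path, path_specified, secure, expires, discard,
        #        comment, comment_url, rest)
        c = Cookie(0, name, value,
                   None, False,
                   host_, host_.startswith("."), host_.startswith("."),
                   path, False,
                   bool(is_secure), expiry, False,
                   None, None, {})
        cj.set_cookie(c)
    return cj

def cookie_header_for(cj, url):
    """Return the Cookie header the jar would send for url, without touching the network.

    This is exactly what HTTPCookieProcessor does inside an opener (Step 2); the
    jar's policy drops secure cookies for http:// URLs and unrelated domains.
    """
    req = Request(url)
    cj.add_cookie_header(req)
    return req.get_header("Cookie")

if __name__ == "__main__":
    jar = get_cookies(make_sample_db(), "example.org")
    print("cookies loaded:", len(list(jar)))
    print("http  ->", cookie_header_for(jar, "http://www.example.org/"))
    print("https ->", cookie_header_for(jar, "https://www.example.org/"))
```

To download a real page, wrap the jar as in Step 2 (`urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar)).open(url)`); the cookie selection is the same as what `cookie_header_for` shows.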

See the full source code here. This code is also part of my jabbapylib library (see the “web” module). For one more example, see this project of mine, where I had to download a cookie-protected page.

Resources used

What’s next
In Part 3 we show how to use Mechanize and Splinter (two programmable browsers) to log in to a password-protected site and get the HTML source of a page.

