Posts Tagged ‘Vox Anonymus’

Back from obscurity

Thursday, November 19th, 2009

Ouch! Seems like there might be some people actually interested in my project I made in the Advanced Free Software Tools course.

I haven’t had much time (read: I haven’t made time) to fiddle with it in ages. Perhaps it is time to revive it. The concepts where all pretty solid, although I am ashamed to say that there is really no documentation at all about how it works #procrastinationfail

I think what ground me to a stop the last time was how to have Django dynamically add more form fields based on a model. I guess I’ll just have to do some more research.

Thanks hesa for pushing me into the deep end of the pool, I need that from time to time ;D

Lessons learnt: Python and importing

Friday, November 21st, 2008

This will probably not be something you will do every day, but some day you might need to import a module from an altogether different directory not on the python path. Let’s for instance say that you have a script in your home folder:

~/some_script.py

This script needs to import another module, and, as in my case, you are only given the file system path to the directory in which you can find said module. What to do?

/opt/some_module.py

The solution is rather simple. some_script.py will need to import sys, in order to get a hold of the sys.path variable, to which we can append the path.

import sys
sys.path.append('/opt/')
import some_module

Tah-dah. Once the script has been executed and dies, the sys.path is restored, so no extra fiddling needed. The one gotcha I encountered, which made this problem take way much longer than it should have:

I was wrapping this code up in a function, and that made the import local to that function, and not visible in the rest of the script, so binding functions/variables from the imported module to local ditos is advised, and then moving these around instead.

What kind of ugly beast of a script I needed something as convoluted as this for? A script which tries to verify that a piece of installed software has been installed correctly, and at the correct place with respect to other software, which I from the onset cannot know where it exists (this is for Vox Anonymus, and I simply needed to check that the Django site specific settings file had been correctly updated and could find Vox Anon.

Python, urllib2 and Vox Anonymus

Wednesday, October 22nd, 2008

The project I am currently working on for the Advanced Free Software Tools course, Vox Anonymus, strives to offer a web-based (through Django) anonymous voting platform, giving users the ability to change their votes after having cast it.

In order to ensure anonymity, while retaining the ability to modify the vote, and also keep voters from cheating (the mantra “trust, but verify” comes to mind), an individual “vote key” is generated for each voter.

This vote key is then used as the password in a Password-Based Key Derivation Function (PBKDF for short) to generate a fairly strong key, which is hard to reverse-engineer back to the vote key. This generated key is then used to link a voter, with votes in various topics. It is a bit technical, and this is not the purpose of this post, so, moving along, quickly:

The vote key must be generated by Vox Anonymus, in order to disable a dishonest user from cheating the system. There are some pretty serious restrictions on the key as well, most of the regarding entropy. So, in order to create a good vote key, we need som pretty good random numbers.

Random numbers are tricky. You can’t generate them, since that would imply that there was some form of structured process to “generate” them. And how could a structured process create randomness? Especially, how could a structured process create randomness, and guarantee that said randomness for the same situation, state and input, won’t output the same randomness again?

There are some rather cool Pseudo-Random Number Generators (PRNG) available, but if an adversary got hold of the exact state of the PRNG at the time it generated a random sequence, the adversary could generate the same sequence, and thus get a hold on the key.

On GNU/Linux systems there is most of the time the /dev/random pool, and you can install the Entropy Gathering Daemon to improve it further, but using that in Vox Anonymus is not an option, as I intend to keep it as system independent as possible.

The solution, then, is not to look within, but to look outwards. Enter http://www.random.org/. Sure, there are no proofs that these numbers are random, and as such, should they be used? If the site is for real, then gathering randomness from the static in the airwaves are just as good, if not better, than any PRNG implementation I could include in the project.

So the procedure for fetching random numbers from random.org is as follows:

  1. Determine the external IP number of the server on which Vox Anonymus runs
  2. Check the quota for “my” IP number on random.org
  3. If there are enough numbers left, fetch the needed numbers, otherwise wait a couple of minutes

Step number one is completely retarded. I determine “my” external IP number by querying http://www.whatismyip.org/ for it… And I have found this to be the only? robust way of actually determining the external IP number through Python.

Please correct me if I’m wrong (and I don’t see how I couldn’t be).

We have finally arrived at the reason for this post: urllib2. I found a rather good resource, http://www.voidspace.org.uk/python/articles/urllib2.shtml, which showed me most of what I needed to know.

There where however some problems: random.org offers a http interface, based on query strings (GET requests). At the same time, the creator of random.org asks that people writing scripts to automate the process of fetching random numbers please include their email address in the User-Agent header, so that they can be sent a notification in the event that their scripts are behaving badly.

I spent quite some time figuring out how to create a request going through GET, but adding the User-Agent header. The final outcome was rather easy, so I guess I am somewhat of an idiot for not figuring it out earlier, but hopefully this will help someone else:

import urllib
import urllib2

values = {'foo': 1, 'bar': 2}
data = urllib.urlencode(values)
url = 'http://www.example.org/?' + data
header = {'User-Agent': 'wildcard@example.org'} # don't do this, only for random.org
req = urllib2.Request(url, data, header)
try:
    response = urllib2.urlopen(req)
    return response.read()
except urllib2.HTTPError, e:
    # do something
except urllib2.URLError, e:
    # do something else

Thus ends the adventures in Python-land, for now anyway