equivocation: ambiguity or uncertainty of meaning in words; misapprehension arising from the ambiguity of terms; the using of a word or phrase in more than one sense. OED

The equivocation web site is primarily a set of personal notes about software, techniques, and other topics I find interesting or useful. Why is it called "equivocation"? Because descriptions of software and computer-related techniques easily succumb to equivocation. I will endeavour to avoid this (although I don't promise to succeed).

Recent entries

The perfect attack against your security?

Munir Kotadia at ZDNet has an article based on an interview with Patrick Runald (F-Secure) which describes what they term the "perfect attack". The article basically says:

A socially engineered e-mail, which contains a trojan file that exploits a zero-day vulnerability and then hides behind a rootkit, might be the perfect attack and impossible to defend against.

The emphasis is on the situation where opening the infected attachment is socially engineered, e.g. it may be part of your job to open attached documents. There were no suggested solutions, and the primary (and good) advice given was simply to regularly ensure your system is patched/updated.

Lighttpd and chroot jails

The HTTP server lighttpd has a configurable option to run within a "chroot jail". This usually requires the daemon to run with root privileges (they are needed to change the root directory "/" in order to create the jailed file space). Thus the lighttpd server runs as root within the jail. The jail may look like a secure thing to do, but I feel it is the wrong solution to the security problem being addressed.

New CSE update: version 1.3

I have just made an update to the CSE Drupal module that performs client-side encryption (i.e. encryption of content within a page, and decryption using JavaScript attached to that page). The update adds a feature where the encrypted text can be represented by variable text.

Drupal captcha and cookies

I have come up with a theoretical method to remove the dependence of the Drupal captcha module on cookies (or in particular, the dependence on the PHP session, which by default uses cookies). As ideas go it is in the early stages, but basically it removes the necessity for storing the captcha in the PHP session by putting an encrypted version of the captcha into the form as a hidden form entry. When the user submits the form, the encrypted captcha is passed back and can be decrypted and compared to the user-entered captcha for verification. Ideally cookies should be used if they are available, but if not, this could be a fallback.
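
A sketch of the hidden-field round trip described above, as an added example that is not the Drupal captcha module's code. It assumes AES-256-GCM via PHP's openssl extension, an expiry time sealed in with the answer, and a case-insensitive compare; the function names, the `captcha_token` field name and the sample answer are hypothetical.

```php
<?php
// Added example, not the captcha module's code. All names here are hypothetical.

// Server-side secret. Assumption: a real site loads this from configuration;
// it is generated here only so the demo is self-contained.
$key = random_bytes(32);

// Seal the expected answer and an expiry time into a form-safe token.
function captcha_seal(string $answer, string $key, int $ttl = 300): string {
    $iv = random_bytes(12); // fresh nonce for every token
    $plain = json_encode(['a' => $answer, 'exp' => time() + $ttl]);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Open the token from the hidden field and compare it with what the user typed.
function captcha_check(string $token, string $typed, string $key): bool {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 28) {
        return false; // malformed or truncated token
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return false; // modified token or wrong key: the GCM tag did not verify
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['a'], $data['exp']) || $data['exp'] < time()) {
        return false; // incomplete or expired token
    }
    // Constant-time comparison of the expected and submitted answers.
    return hash_equals(strtolower((string) $data['a']), strtolower($typed));
}

// Constructed sample: the answer "k7Qm2" is what the captcha image would show.
$token = captcha_seal('k7Qm2', $key);
printf("<input type=\"hidden\" name=\"captcha_token\" value=\"%s\">\n",
       htmlspecialchars($token));
var_dump(captcha_check($token, 'K7QM2', $key));
var_dump(captcha_check($token, 'wrong', $key));
```

Because nothing is stored on the server, a solved token and its answer can be resubmitted until the token expires, so the expiry only narrows that window. Rejecting reuse outright needs some server-side record of tokens already accepted.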

Drupal captcha

Image captcha is made up of two modules in Drupal: captcha and textimage. I have patched textimage for this site to make it work a little differently:
