published by rick on Sun, 02/06/2011 - 3:46pm
This process looks deceptively simple. WordPress happily exports all entries into a nicely formatted XML file. Drupal has a "WordPress Import" module that appears to do a comfortable import. What could possibly go wrong?
Well, in Drupal, everything comes down to a question of surprising choices for defaults. At least, if you are expecting ease of use, the default choices seem surprising.
published by rick on Sun, 02/06/2011 - 3:15pm
The migration did not go without a few hitches, but it went as smoothly as might be expected for such a thing.
My inexperience with Apache's .htaccess files caused an unnecessary delay and a lot of "500 Internal Server Error" messages.
published by csmadm on Sat, 02/05/2011 - 7:42pm
I finished the "heavy lifting" part of the Cryptosmith site upgrade. It is now running the Drupal content management system.
It was much, much easier to start up a WordPress blog and to publish simple postings with it. But WordPress really doesn't help you arrange larger-scale content.
published by rick on Wed, 01/26/2011 - 12:39pm
After spending a few years with WordPress, I decided to migrate to Drupal. I installed WordPress in December, 2007, and replaced it in February, 2011.

Existing users had to recover their passwords, since there was no clean way to use WordPress-encrypted passwords on a Drupal site. I also had the site off-line for part of the day while I replaced the WordPress software with the Drupal software.
My main reason for the migration is Drupal's "book" feature. Drupal makes it easy to structure short articles into a long, hierarchically-structured narrative. This is essentially how I write books anyway. This makes it easier to present complex topics built from a series of short articles.
published by rick on Sat, 12/18/2010 - 11:23am
published by rick on Wed, 12/08/2010 - 8:48pm
I'm assembling an explanation of command injection for my upcoming textbook Elementary Information Security. (yes, yes, it should be finished by now and in production, but things were delayed). This yielded a couple of diagrams that I've managed to squeeze onto a single sheet of 8.5 x 11 paper. Here's a JPEG preview:
It is also available as a PDF file.
published by rick on Wed, 11/17/2010 - 5:14pm
I've heard a broad range of claims on how large a firewall rule set might be, so I decided to dig around for published data. There are lots of quotes claiming gigantic numbers, but I only found three reports of plausible-looking data collection - one from 2001 and the others from last year. I also have notes from a fourth that I haven't verified.
In practice, firewall rule sets seem to range from 5 rules to over 25,000 rules. Some claim that even larger rule sets may exist.
The number of rules seems to depend heavily on the number of users behind the firewall, and on the firewall's implementation of the rules themselves. If a firewall can create sophisticated rules, then it takes fewer rules to implement the site's policy.
As with everything, small is beautiful. If you have a lot of rules, it's hard to keep them accurate and up to date.
published by rick on Fri, 11/12/2010 - 8:43pm
I am finishing up a textbook on elementary information security. Unlike other books, this one targets freshmen and sophomores, and eschews memorization for problem-solving.
Sprinkled here and there are concepts we all should recognize as "basic principles" of information security: ideas that transcend programming, network design, and system administration. Now that I'm finished, here is a summary of the ones I covered. I've also noted how they compare to Saltzer and Schroeder's classic list from 1975 and, briefly, the NIST principles in SP800-14.
published by rick on Fri, 11/12/2010 - 7:14pm
We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.
So what happens if the public-key certificate is fraudulent?
For that matter, what makes a certificate fraudulent, and how would such a thing arise?
A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.
published by rick on Sun, 11/07/2010 - 8:05pm
[SEE UPDATE due to changes in a Snow Leopard patch]
I've finally completed a whole RAID 1 backup cycle with Snow Leopard and I can reliably report on how it works.

The process, when performed reliably, is essentially unchanged from earlier versions of Mac OS X. [Details added 3/4/11].
Specifically, you must never attach an old software RAID 1 drive to the working RAID 1 set. If the set was missing a drive ("degraded") before you attach the drive, it will treat the new drive as part of the set. THIS IS BAD.
You must always erase a drive's partition header completely before adding it back into a RAID set. Otherwise it's misidentified as being an up-to-date part of the RAID 1 set even though it may not have been updated in months.
I had thought that changes made to RAID handling in Snow Leopard might have fixed this problem. Nope.