rick's blog

Migration to Drupal

After spending a few years with WordPress, I decided to migrate to Drupal. I installed WordPress in December, 2007, and replaced it in February, 2011.

Existing users had to recover their passwords, since there was no clean way to use WordPress-encrypted passwords on a Drupal site. I also had the site off-line for part of the day while I replaced the WordPress software with the Drupal software.

My main reason for the migration is Drupal's "book" feature. Drupal makes it easy to structure short articles into a long, hierarchically-structured narrative. This is essentially how I write books anyway. This makes it easier to present complex topics built from a series of short articles.


False Security Claims by Vendors

Galen Gruman on his Infoworld blog has noted recent - and not so recent - discoveries that some smart phone models lie to corporate servers.

Microsoft Exchange has a mechanism called Exchange ActiveSync which synchronizes data with mobile phones.


Command Injection Example

I'm assembling an explanation of command injection for my upcoming textbook Elementary Information Security. (yes, yes, it should be finished by now and in production, but things were delayed). This yielded a couple of diagrams that I've managed to squeeze onto a single sheet of 8.5 x 11 paper. Here's a JPEG preview:

Command Injection Poster

It is also available as a PDF file.


Firewall Rule Set Sizes

I've heard a broad range of claims on how large a firewall rule set might be, so I decided to dig around for published data. There are lots of quotes claiming gigantic numbers, but I only found three reports of plausible-looking data collection - one from 2001 and the others from last year. I also have notes from a fourth that I haven't verified.

In practice, firewall rule sets seem to range from 5 rules to over 25,000 rules. Some claim that even larger rule sets may exist.

The number of rules seems to depend heavily on the number of users behind the firewall, and on the firewall's implementation of the rules themselves. If a firewall can create sophisticated rules, then it takes fewer rules to implement the site's policy.

As with everything, small is beautiful. If you have a lot of rules, it's hard to keep them accurate and up to date.


"Basic Principles" of Information Security

I am finishing up a textbook on elementary information security. Unlike other books, this one targets freshmen and sophomores, and eschews memorization for problem-solving.

Sprinkled here and there are concepts we all should recognize as "basic principles" of information security: ideas that transcend programming, network design, and system administration. Now that I'm finished, here is a summary of the ones I covered. I've also noted how they compare to Saltzer and Schroeder's classic list from 1975 and, briefly, the NIST principles in SP800-14.


Fraudulent Public-Key Certificates

We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.

So what happens if the public-key certificate is fraudulent?

For that matter, what makes a certificate fraudulent, and how would such a thing arise?

A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.


RAID Backups with Snow Leopard

[SEE UPDATE due to changes in a Snow Leopard patch]

I've finally completed a whole RAID 1 backup cycle with Snow Leopard and I can reliably report on how it works.

The process, when performed reliably, is essentially unchanged from earlier versions of Mac OS X. [Details added 3/4/11].

Specifically, you must never attach an old software RAID 1 drive to the working RAID 1 set. If the set was missing a drive ("degraded") before you attach the drive, it will treat the new drive as part of the set. THIS IS BAD.

You must always erase a drive's partition header completely before adding it back in to a RAID set. Otherwise it's misidentified as being an up-to-date part of the RAID 1 set even though it may not have been updated in months.

I had thought that changes made to RAID handling in Snow Leopard might have fixed this problem. Nope.


Owning versus controlling hardware

The Register recently wrote about how the latest firmware in Android phones tries to un-jailbreak them. Most smart phones contain built-in features to restrict the types of software they run. The built-in iPhone software restricts it to AT&T and to apps sold by Apple's own store. Blackberry and Android have similar restrictions. "Jailbreaking" bypasses these protections to allow the phone's owner to install un-approved software. Android is fighting back in real time.

So the battle is on: who really controls a phone, or any other computer-based device? Most of us assume we control our personal computers. But phones are ambiguous. We want them to work reliably as phones, so we're willing to give up some control to the phone company. Back when US phones were an AT&T monopoly, we rented everything: from the network to the wiring to the indestructible desktop handsets.

On the other hand, we buy our cell phones. In AT&T's glory days, the Bell System never sold telephones, they only rented them. As owners, shouldn't we be able to choose the software to run, or the phone company to use?


Stats on OS Popularity

Wolfgang Gruener took the trouble to graph data from either Net Analytics or Net Market (I'm guessing it's really the latter) to illustrate the popularity of recent Windows versions. The main story seems to have nothing to do with the graphs: 66% Of All Windows Users Still Use Windows XP.

While Windows XP was more secure than the systems it replaced, Vista and Windows 7 are much more secure than XP. Or, at least, it's easier to lock down a Win 7 desktop than an XP desktop and still have a usable system.

Mobsters on distant continents can break into business desktops and transfer funds to money mules. No doubt some of the victims are running the newest OS software, but I suspect the vast majority involve Windows XP, if not even older systems.


RAID on Snow Leopard

I had avoided upgrading to Snow Leopard for several months, and finally completed the upgrade a few weeks ago. It went mostly without trouble, though there were a few minor things that needed to be fixed.

However, I was greeted with "new and improved!" RAID support which, as usual, provides only the most terse of directions. I rely on mirrored RAID to construct off-site backups. When I went to apply my procedure to Snow Leopard, I had to figure out the difference between "Delete" and "Demote" in order to get my backups rebuilt.

[Here's a more recent post to address the disappearance of "Demote"]
