I have spent a lot of hours in the past week working with Mephisto. Mephisto is a blogging platform with aims of eventually being a full-fledged CMS. Overall I like it, but I am uncertain if it is a platform I ought to continue working with at this point.

Here are the highlights of the pros:

  • It is written in Rails, which is a platform I know well and therefore can extend rather easily.
  • The site can be split into multiple sections, each of which can be its own blog and have its own RSS feed, or which can be a single page.
  • Themes! Mephisto can be themed, and it is easy to write new ones using one or more of several template languages.
  • It allows multiple layouts to allow for different looks for each section of the site.
  • Articles can be formatted with Textile, Markdown, or just plain HTML. I was able to integrate TinyMCE without much trouble as well.

But there are also the cons:

  • The current version is 0.8. That is not quite 1.0, and I wager that the reason it is not at 1.0 is related to the various little bugs that I have found.
  • Sometimes Mephisto will select the wrong layout for a page and it is difficult to figure out why. Fortunately, these situations are limited to “Preview this Post” and the “permanent links” to articles that represent pages that normally do not get linked to.
  • Mephisto has plugins and themes, but it is difficult to find useful plugins and more than a small number of publicly available themes.

I think Mephisto is a better platform than Radiant at this point, and in my opinion it gives Rails a reasonably usable blogging platform. Before committing more time to it, however, I think I will take a look at the much-touted Drupal. I have been meaning to take a look at it anyway. :)

I Am an Independent Contractor Now

Yes, that’s right. Today is my last day at my present employer. Two weeks ago I formed my own company, CosineWave Technologies Incorporated, and I will be working for it as a contractor.

Here are the primary services that I offer today:

  • Unix Security
  • Security Management
  • Application Development
  • Internal Training

Please go to the CosineWave website and drop me a line if you are interested in hiring me!

And to all my friends and colleagues that have helped me get here: thank you very much!

Chisec 16 and C

Thursday, February 28 was a long day for me, but in a good way. It started almost like any normal morning, except I had to wake up 20 minutes early to handle the morning care and feeding of my animals. That task is one my wife usually performs, but she had to run out extra early for her own work.

My morning at work went relatively fast. I had very few scheduled tasks because of meetings dotting my schedule and my vice president’s group was all going out to play Whirlyball for the afternoon. Additionally, due to my company’s sales team scoring a big contract, the company was serving free Lou Malnati’s pizza for lunch.

Whirlyball was probably the most fun of the day, but it is what happened afterward that is the most interesting. I arrived at Houlihan’s at 6:30, preparing to socialize with other security professionals at Chisec 16 starting at 7:00. I did not wait long. I had hardly sat down when Maniac showed up, always full of interesting conversation and even an Asus Eee PC, something I had never seen before. It was not long before the room was full of other security professionals from all over the Chicago area.

With 20–30 people in a room, you do not get to talk to everyone. I primarily spoke with a couple guys from the University of Chicago and some consultants from no less than three different firms. It was Thomas Ptacek that gave me the biggest surprise of the evening.

Tom told me that it is getting increasingly rare to find computer people that know C. I had never thought about it, but I could see why this would be a problem. I have been using C since 1994, and I simply consider it a staple of my computer abilities. It is like part of the foundation. It is through C that I know how a shell interacts with an operating system, or how any program interacts with other components of the system. My knowledge of C is how I learned about the general structure of a running process in memory, and from that I understand how things like buffer overflow attacks actually work. It is through C that I even know how Ruby handles its garbage collection, at a low level. In regard to modern computer architecture, if you do not know C, then I would be incredulous if you told me that you really understand computer architecture. I am not sure that knowledge of C++ can really convey the same understanding, except that someone could do so by paying close attention to the subset of C++ that is C.

I wonder… do you know C? If I were to compile a list of important languages that all computer programmers should learn, C would be high on the list, if not the top language. Certainly there are other important languages out there that expand one’s mind around advanced programming topics, such as Ruby, Lisp, and ML, but down at the linker level C is the language through which all other languages communicate with the operating system or the hardware—application binary interfaces (ABIs) are designed around how C compilers generate object files. It is that important.

OpenID and Testing

Earlier this month I was playing with a WordPress plugin that would add OpenID support for the blog here. My intention is to make it easier to sign up for commenting, while still not opening the floodgates of anonymous posting to avoid spam (I am not a big fan of CAPTCHAs). Unfortunately, the hosting environment is still on PHP4 and the plugin requires PHP5. I could probably fix the code to work with PHP4, but I have better things to do for now, so the OpenID support will wait a bit.

Also, I want to share this bit posted on Jim Weirich’s blog. He said it is on his wall, and I liked it so much that it is also on mine now, too.

Security Missing in Oracle Best Practices

Recently Oracle released a 272-page document outlining some recommended best practices when implementing SOA with its suite:

I was going to review it for its security best practices and WS-Security recommendations… but there are not any. Take that to mean what you will.