February 2, 2010, 20:37
This post is about security, so if you are not into that, feel free to skip it.
Today I get a friendly email from the national railroad company of Belgium (NMBS) in which they announced a brand new site to order international train tickets. It also mentioned that instead of using my made up user name I could now use the email address I used while registering to log in.
That sounds great, another site that uses an email address to log in instead of something like “johnsmith342″.
Then they kind of messed up. For my convenience and to make sure I would be able to use their shiny new site to buy lots of international train tickets they included my password. Yes, you read that right, they mailed me my password. Without me asking for it.
They have no clue about processes and procedures for dealing with passwords. They are not helping the world in teaching people how to deal with authentication secrets, social engineer and phishing.
I can only hope the password is not stored clear text. Due to password policies it is often necessary to access the password in clear text, only storing a hash is not working any more. Common databases like Microsoft Active Directory, Novell eDirectory and probably many others use two way encryption to store passwords. They have many secure access layers between a public api and the encryption keys to access to the clear text version of the password.
Honestly, emailing me my own password without my consent doesn’t generate a lot of trust in how they deal with sensitive information. That includes my trust in how they store my password in their systems.
January 15, 2010, 22:03
Yesterday I received an invitation to support an effort to set UML free. You can read all about it on webuml.org. Currently the site is a wall of text (tip for the authors: less is more … and there is nothing wrong with a picture or two 
) but if you have some spare time I encourage you to read through it.
The basic idea is to provide for online collaboration while modeling with UML. You can’t really do that today. The best you can achieve is to email some images of UML diagrams around or hope for the best with XMI. webUML aims to create an online collaboration environment using modern web technologies. They already have a powerful UML drawing canvas ready, including an integration with MediaWiki.
I see a future for this effort, if of course they can achieve minimal functionality (which I think they almost have if not already) and critical mass (that’s why they are promoting it right now).
There is however one thing that caught my attention: a promise for a plugin for Enterprise Architect from Sparx Systems so it can access a webUML central repository. If that plugin ever becomes reality and that central repository is HTTP accessible (sounds like a good REST challenge) they will have made me a happy architect. Integration with business tools and the business environment will be, in my humble opinion, key for mass adoption.
I would be really happy if there would be support for BPMN and creation of custom viewpoints and models (meta modeling).
But one should not ask too much and be happy with what we get. So please support the webUML effort, help if you can and spread the word.
While reading up on webUML I also came across this little gem: The Model Factory. A wiki on design patterns from the point of view of modelers. Implemented of course with webUML technology. Bookmark added.
January 15, 2010, 21:46
Recently I came across an excellent article on One Trick Ponies in the world of architecture. One trick ponies who know only one type of solution and desperately try to make that one the only possible solution.
This part of the article made me smile, especially since it perfectly describes my sentiment after a situation I experienced not so long ago:
Now while I look down on these people, because lets be blunt they are lying in an attempt to secure a project that they aren’t qualified for based on the hope that they can somehow pull it off. (A dazzling example of managing risk … upwards!) Why people do this I’ll never know it ALWAYS ends in tears. But I guess it keeps the cash flow going for a while.
My personal experience involved an external expert who insisted that, for a simple Java project, storing data in a database on an IBM System i would be impossible, it would cost enormous amounts of money to access and integrate this “legacy mainframe” from the Java world. I challenged the expert and asked him what kind of database was used on an IBM System i. An awkward moment of silence followed. The IBM System i uses DB2, a well known and proven database technology, it is extremely easy to access it from a Java program. In fact, developers won’t even notice the difference between the System i DB2 instance or a Windows instance.
This expert tried to guide a company towards a more expensive solution simply because he was more familiar with it. The IBM System i DB2 solution was unfit because he could not be part of it.
Of course, no architect can know every piece of technology or platform. You are bound to encounter something you are unfamiliar with. But if you do, be a professional architect and investigate, read up on the basics and find knowledgeable people inside the company who can help you fill in the details.
November 22, 2009, 13:35
Various resources on the Internet you might find useful. At least recommended reading for a spare moment.
ArchiMate and TOGAF. Four excellent papers comparing ArchiMate and TOGAF:
Some attempts at defining the concept of “business function:
Miscellaneous
June 22, 2009, 21:41
Martin Kuppinger from Kuppinger Cole, known from the excellent European Identity Conference, wrote a very interesting article on Cloud Computing: “It’s not about the cloud – it’s about Cloud IT“.
…
But the more you dive into the topic of cloud computing it becomes obvious that this cloudy thing of “cloud” (usually associated with the Internet and things which are provided there) isn’t the key thing. The key to success is that companies understand the value of Cloud IT.
What does this mean? Cloud IT stands for consequently using cloud principles in IT – and in every part of IT, not only for consuming some external services. That includes
- well defined services (SLAs!!!)
- a consistent service management across all services, regardless of where they are running (and, based on that, consistent approaches to cloud governance)
- applications which are agnostic of where they are run or which hardware resources are available – there have to be parameters which might limit the ability to run applications everywhere and the application has to accept the currently available hardware resources but as well should understand that these resources can change dynamically
Defining everything in IT as services in a consistent manner is a fundamental change and the foundation for a flexible use of cloud services. Once you have made that move you can decide (based on parameters of a service) which service provider (internal or external) you will use. Thus, the first step is making your IT “cloud-ready”, e.g. moving towards a Cloud IT. Without that, using cloud services will always be sort of tactical and not strategic.
On the last day of the 2009 edition of the European Identity Conference I participated in a workshop on Cloud computing and Identity with Martin. In the workshop I told Martin that for me, an architect, the most interesting aspect of Cloud Computing is not the ability to house your application logic externally but a renewed and global attention for various architectural patterns.
The underlying current for most of these patterns is a high degree of abstraction and transparency combined with simplicity (not the bad kind, the good kind). In other words: keep it simple, abstract away everything that is not part of your application and don’t care about the environment you are running in (for instance network transparency). The advantages of following these principles are becoming more obvious due to Cloud Computing: scalability, continuity, flexibility, reusability …
Those patterns can equally be applied to classical internal IT. Yet, you rarely see this except at the application level. Cloud computing forces you into this thinking, traditional IT however gives you enough escape hatches. Not in the least because vendors keep on selling solutions that stifle innovation. As a simple example you can take the infamous network transparency. Demonstrated over and over again in the last 3 decades to be achievable (see for example the Inferno operating system) yet most commercial solutions still expose the network to you. So many good “inventions” but so little uptake from vendors.
In conclusion: I can only join Martin in his advice: get your IT cloud ready, move to a Cloud IT. Even if you will never ever actually move to the cloud. And more importantly, put pressure on your vendors to force them to innovate!
[edited: corrected some typos and grammar]
June 22, 2009, 09:28
Some companies insist on letting you know that the mail you just received from them, has been properly scanned, dissected and cleansed before it reached your mailbox.
Sometimes it can go wrong however:
Internal Virus Database is out-of-date.
Checked by AVG.
Version: 7.5.524 / Virus Database: 270.4.1/1517 – Release Date: 24/06/08 20:41
I wonder if I should delete the mail or not. As a juice extra, somewhere else in the mail they refer to their company as “Your IT Reference on the Web !“.
June 9, 2009, 09:52
Last weekend I was in a shop buying a new subscription for my mobile phone. As usual I was hit by an avalanche of questions asking for my name, address, shoe size … One question in particular caught my attention …
The shop attendant asked me “for a password”, a password I could use if I couldn’t go to one of their shops and had to call their call center. By supplying the password to the call center they could verify it was really me.
I don’t know about anyone else but I personally call my mobile subscription provider about once every 5 years. The service they offer just works, rarely needs change and if it does need change, they often have a website to help you out. Chances are high I would have completely forgotten the password by the time I had to call them.
The conversation with the shop attendant went like this:
- Attendant: “You have to choose a password, a password you can use when calling our call center“
- Me: “Oh … hmm … how many times can I guess when I am calling in?“
- Attendant (realizing I was afraid of forgetting the password): “We will give you hints if you forgot it“
- Attendant (still aiming to give excellent customer service): “People often choose the PIN code of their credit or debit card ...”
- Attendant (now realizing not everyone liked this idea): “… but of course you don’t have to, you can pick any word“
At that moment I tried not to, at least not obviously, show my emotions about this conversation.
This method to verify who is calling is flawed to say the least. Due to the very low frequency people have to call in, most people will have forgotten their password. Unless of course they used their PIN code, which they hopefully still remember. Since call center employees can obviously read the password (they need to verify it) they have clear text, and probably unnoticed, access to a lot of PIN numbers. Do I need to add that call centers employees are not the most loyal employees you can find?
The fact they give hints when you call in, is stupid as well. Not only do they admit their system is flawed by design, they also help in under mining it themselves. Imagine this conversation when a hacker calls in:
- Hacker: “Hi, I am John and I need to change my subscription plan“
- Call Center: “Hi John, could you give us your password please“
- Hacker: “Oh, I forgot it … could you give a hint?“
- Call Center: “It looks like your birth year or perhaps your PIN code“
- Hacker (after a quick look on Facebook): “My year of birth? That should be 1975.“
- Call Center: “Sorry John, that is not correct, perhaps it’s your PIN code?“
- Hacker: “No, I would never give my PIN code to you, could you give me the first number? Perhaps I recognize it“
- Call Center (re-assured it could not be his PIN code): “It starts with 5 John“
- …
I am sure someone much more experienced in social engineering (I have virtually none) can get someone’s PIN code this way.
May 17, 2009, 21:12
It began with an article about the recent TOGAF conference written by Tom Graves. That article contained a quote I twittered:
We’re actually quite close to the point where a TOGAF certification is an indication that someone is not capable of doing enterprise architecture.
Twitter is a medium not really suitable for intelligent conversation. You only have 140 characters, there is no room for nuances or context. I did include a short url to the original article so people could get the whole picture. Nevertheless, the quote is out of context and that scared Tom.
In his follow up article Tom tries to explain where his statement came from. I hope that anyone understands that neither Tom nor I ever tried to say that people with a TOGAF certification are not capable of Enterprise Architecture. The TOGAF certification doesn’t differ from most other certifications out there. Having the certification does not guarantee knowledge and expertise. Not having the certification doesn’t mean you are inexperienced either.
The reason for me to twitter the quote was because I found it to be representative for what my generally feeling about TOGAF is. TOGAF needs a reality check, and soon.
In fact, Tom sums it up perfectly in his follow up post (and I urge you to read it instead of just depending on the cut and pastes I make):
- he reference-architectures (Part VI of the TOGAF spec: ‘Technical Reference Model’ and ‘Integrated Information Infrastructure Reference Model’) are way out of date, and at the least need a complete overhaul, if not dumped altogether [that was from the Open Group’s lead Allen Brown, in one of the plenary sessions]
- “almost no-one” uses the ADM in the form described in the TOGAF specification [in my last post I said I thought that was one of the guys from Deloitte, but my notes indicate it was Mike Lambert from Architecting the Enterprise, one of the lead TOGAF training groups]
These are two major shortcomings of TOGAF and Tom is not the only one mentioning them. Combine that with these two fundamental characteristics of Enterprise Architecture:
- enterprise architecture is much broader than IT, and must now encompass the whole of the enterprise [that theme came up at least a dozen times, in plenary sessions and elsewhere]
- enterprise architecture needs to be understood as a professional discipline, comparable to other professional disciplines such as medicine and building-architecture [again, many people, but particularly Len Fehskens, Open Group VP on Skills and Capabilities]
TOGAF has become enormously mal-aligned with Enterprise Architecture. It started in the wrong camp (IT) and even after a couple of versions (7.x, 8.x and now 9) it does not succeed in taking the right path. That is kind of ironic for a framework that is supposed to align business with IT.
Only in the last couple of months people start talking about some of the shortcomings of TOGAF. Everyone else is still covering up the shortcomings while making money from the “big TOGAF standard”. Each time you ask about some unclear element of TOGAF, the answer you’ll get will sound like “oh, but you don’t have to take that so literal, you have to adapt it”.
I sincerely hope we will get more people to speak up about TOGAF and get a significant better and mostly leaner version of the standard.
May 14, 2009, 15:53
Kim Cameron recently went to a conference where he heard a cloud computing vendor utter these, and judging on the blogosphere almost legendary, words:
One of the vendors shook me to the core when he said, “If you have the right physical access controls and the right background checks on employees, then you don’t need encryption”.
Kim admitted he almost choked. I can understand him. We are in for some rough times if there are cloud computing vendors out there who think like that.
On the other hand I would like to take this opportunity to make sure you know that encryption in itself does not mean security. You can apply encryption all over the place, using keys that have a gazillion bits, and still have a unsecure, dumb solution.
Any vendor who replies “We use 256 bit AES encryption” when answering the question “How do you secure transmission of data?” is as dumb as the vendor who says “physical access controls and the right background checks on employees make encryption not necessary”.
May 14, 2009, 12:41
Johannes Ernst suggests that using OpenID might be a good way to avoid phriend phishing on Twitter:
Should have guessed that Phriend Phishing was first going to happen to somebody famous.
Now, how could that have been prevented?
What if:
- Twitter adopted OpenID as the only way of authenticating.
- Twitter showed the authenticated OpenID identifier instead of a (possibly made up) user handle on all tweets.
- Kanye West would have used his official website URL as his OpenID.
- Ergo, everybody could follow the OpenID to determine whether any phriend phishing is going on or not.
I admit that scenario is not entirely viable yet. For example, users are not familiar and comfortable enough yet with OpenID that a major-volume site like Twitter could switch to OpenID-only. But it’s close, and that’s the kind of adoption barriers that we need to work on over the next 12-18 months in the OpenID community.
I don’t know how OpenID can help solve this issue. Changing someone’s Twitter ID to his authenticated OpenID is not helping us forward. These are the reasons.
First, OpenID’s are assigned on a first-come first-served basis. I can pick any OpenID provider and register “http://BradPitt.<openidprovider>.com”. Even when some OpenID providers are going to validate your request, others won’t so users have no clue what to assume about an OpenID.
Second, even when you pick your homepage as your OpenID (using some mechanism of OpenID delegation), the user has no way to know which one of these is the right one:
http://www.bradpitt.com/
http://www.brad-pitt.com/
http://www.brad-pitt.org/
http://www.BradAndAngelina.com/
…
And last, what happens if someone is also named “Brad Pitt”? Is he not allowed to claim the OpenID “http://www.bradpitt.com/”?
I think OpenID has many added values, especially in the world of social media, but for the moment I don’t think owner assurance is one of them. With OpenID I can be fairly sure the Tweet came from someone owning that particular OpenID. But OpenID does not guarantee me that the names used in the OpenID URL itself are pointing to the owner.