Ruminations on Architecture and Security

Recently I came across an excellent article on One Trick Ponies in the world of architecture. One trick ponies who know only one type of solution and desperately try to make that one the only possible solution.

This part of the article made me smile, especially since it perfectly describes my sentiment after a situation I experienced not so long ago:

Now while I look down on these people, because lets be blunt they are lying in an attempt to secure a project that they aren’t qualified for based on the hope that they can somehow pull it off. (A dazzling example of managing risk … upwards!) Why people do this I’ll never know it ALWAYS ends in tears. But I guess it keeps the cash flow going for a while.

My personal experience involved an external expert who insisted that, for a simple Java project, storing data in a database on an IBM System i would be impossible, it would cost enormous amounts of money to access and integrate this “legacy mainframe” from the Java world. I challenged the expert and asked him what kind of database was used on an IBM System i. An awkward moment of silence followed. The IBM System i uses DB2, a well known and proven database technology, it is extremely easy to access it from a Java program. In fact, developers won’t even notice the difference between the System i DB2 instance or a Windows instance.

This expert tried to guide a company towards a more expensive solution simply because he was more familiar with it. The IBM System i DB2 solution was unfit because he could not be part of it.

Of course, no architect can know every piece of technology or platform. You are bound to encounter something you are unfamiliar with. But if you do, be a professional architect and investigate, read up on the basics and find knowledgeable people inside the company who can help you fill in the details.

There was some talk about the behavior of UAC in Windows 7. To make a long story short:

1. access to UAC is protected by … UAC: UAC is marked as a “Windows Setting” and those are protected using UAC
2. by default UAC is not triggered when changes are done to a “Windows Setting” (according to MS due to popular demand for not showing the UAC dialog too often)
3. therefore changing UAC to “Don’t show up ever” (= disabling it) can be done without invoking UAC itself for confirmation (for systems that haven’t changed the default setting)
4. …
5. world domination!! (but for hackers, not for you)

At first Microsoft considered this not an issue and said this behavior is “by design”. Now they seem to have seen the light over there in Redmond.

It is always dangerous if you protect a system using the system itself. I am not saying it is bad design if you do, I am just saying that bad things can happen if you don’t think this through. The original idea for UAC in Windows 7 was obviously not thought through.

Something I forgot to post, you can now find me on Twitter as well:

http://twitter.com/bderidder

Since a few weeks I have been running IE 7 Beta on my desktop at home. Kim’s blog pointed me to Craig Burton’s blog that pointed me to this sandbox site for .NET 3.0 and Infocards.

I downloaded the July CTP of .NET 3.0, expecting a lengthy install, a few reboots and possible some problems. None of that. In about ten minutes the software was installed and I was already creating a self-issued card. Minutes later I could seamlessly log in to the sandbox and to Kim’s blog (where I could finally post a comment about a previous post).

So it seems that .NET 3.0 July CTP and Cardspace are already showing a great deal of quality. Good work!

Since a few months I have been walking around with the idea of blogging. Not about my personal life but about my work in the world of identity and access management.

A few years ago the company I worked for, SilverStream, was acquired by Novell. Since that moment I have been involved in identity management. Currently I work for Ascure, a Belgian company specialising in Information Security. I am still focused on the subjects of identity and access management in my role as competence center leader.

When time permits, I hope to share some of my ideas and thoughts about the subject.

Hope to see you back soon!