Thursday, 26 April 2007

What is an Architect?

I participated in two meetings in two weeks that addressed the question "What is an Architect?"
Mark Carroll and Darryl Chantry of Microsoft got the Wellington Microsoft Architects' forum thinking about what was needed to develop an architect. Horia Slusanschi led a lively discussion about Enterprise Architecture at the NZ Chapter meeting of the Association of Enterprise Architects.

A stumbling block for Microsoft's approach was clearly the lack of a definition of what an architect was or should be. Although Darryl started with a view from the Greeks and history that architecture is about aesthetics, there seemed to be a split between a desire for certification of the ability to construct solutions from Microsoft components, and the capability to take on a wider, vendor-agnostic perspective.

Horia presented a choice for EA: "Just technology, or the works?" Although some of those present with EA in their job title were clearly limited to the technology arena, there appeared to be a consensus for EA going well beyond technology application. The functions of EA are mainly strategic, and addressing technology alone misses the point of why the technology matters at all.

When I started in IT 37 years ago, we had the distinct jobs of Programmer and System Analyst. The programmer role was defined in some detail, but the system analyst could best be described as "everything that the programmer did not do". Those may have been the bad old days, but I think that a similar situation has arisen with the "architect" job. There are a myriad of specialist functions that are defined in some detail, generally around the arcana of some product or vendor strategy, and then there is the role that joins it all up. As specialisations evolve (security, information, etc.) there is a tendency to give the label "architect" to the job or role that makes it all hang together.

There certainly is a wealth of information in the and MSDN sites, but it lacks structure, and it is difficult from there to determine what a complete architecture (enterprise, solution, infrastructure or ...) would be made up of, in Microsoft terms or in vendor-agnostic terms. Some consistency in terminology would help ... Strategic Architecture or Enterprise Architecture?

I recommend a look at A Better Path to Enterprise Architectures by Roger Sessions (avoid the version in which has broken links).

Certification was a hot topic for Microsoft. At $10,000 a time, it must look like an interesting revenue stream. Until the role is specified in terms of what is included, rather than the present 'any other business' situation, a certification is of dubious value.

It will be interesting to follow these initiatives.

Wednesday, 18 April 2007

Wireless hijacking under scrutiny

Following on the heels of the report of the District Health Board insecurely providing access to its network through a wireless port...

Just in case you think there should be a law against it, there is! Accessing other people's networks seems pretty well covered in New Zealand by Section 249, Accessing computer system for dishonest purpose, of the Crimes Act 1961 (Part 10, Crimes against rights of property, ss 217 to 305), which shows the forethought of the legislators in describing a computer system thus:

computer system

(a) means:

(i) a computer; or

(ii) 2 or more interconnected computers; or

(iii) any communication links between computers or to remote terminals or another device; or

(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and

(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

The BBC reports a British case in which Gregory Straszkiewicz had "piggybacked" on the wireless broadband network of a local Ealing resident, using a laptop while sitting in his car; he was fined £500 and sentenced to 12 months' conditional discharge.

The penalties here in NZ (up to 7 years' imprisonment) may discourage wholesale assaults on WiFi networks as a pastime, but they do not absolve the network owner from taking precautions.

The same report also addresses the issue of responsibility for what is done by the unauthorised user of a network where the network is inadequately protected:

"There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that it wasn't them that used the network for illegal purposes," said NetSurity's Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

So, if you expose your network, deliberately or by negligence, to a bad person who manipulates it (perhaps by a denial of service attack) so that bad things happen to others, you could carry the can for it legally as well as morally.

Kim Cameron touched on the issue of responsibility for preventing bad people doing things in your name or through your means:
There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name.

By what logic was I responsible for it? Because I chose to use WordPress - along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the linux kernel operating underneath my blog; and for potential bugs in MySQL and PHP. Not to mention any improper behavior by those working at my hosting company or ISP.

Clearly this is unlikely to be a black-and-white issue, but a matter of judgement on what the reasonable person could be expected to do in the circumstances.

Friday, 13 April 2007

Health Information Exposed

A scary report from an organisation responsible for the health information of 5% of New Zealand.

An anonymous “war driver” has told Computerworld that it’s possible to access internal systems through the wireless service run by the Otago District Health Board (ODHB). As a result, the Dunedin hospital authority may have to review the security arrangements relating to its wi-fi pilot.
The ODHB’s acting CIO, John Tolchard, says the need to achieve a balance between security and cost-effectiveness was behind the choice of WEP. There are always trade-offs between security and complexity for users, he says.

Tolchard asks: with the WEP key cracked, “then what would he [the attacker] do?”

According to Tolchard, all the systems on the ODHB's network are password-protected and only select users who need access, and who attend a training programme, get logins. There is no way anyone could access confidential information, such as patient records, without a valid username and password, he says. [my emphasis]
Yeah right! as they say around here. Generously assuming that any brute force attack would be detected and foiled, the unprotected network can still be sniffed to collect the user IDs and passwords of those "select users", or to passively collect information handled by legitimate users. Aside from that, it would appear possible to mount denial of service attacks on the internal network or, worse, subvert network components.

As George Ou reported way back in March 2005, any WEP-based network, with or without dynamic WEP keys, can now be cracked in minutes!

While I can have some sympathy with an organisation caught with its guard/pants down in this way, there is incredible naivety shown in the report. We may debate the value of information revealed by illicit access to networks or services, and the loss an individual may face when medical information is exposed, and so establish what is to be traded off. However, loss of confidence in the medical provider's security of information may have the fundamental outcome of people simply not trusting the organisation as a whole.

The legalese that covers the issue in NZ is contained in the Health Information Privacy Code 1994:

Rule 5 Storage and Security of Health Information
(1) A health agency that holds health information must ensure:
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency; and
(iii) other misuse;

Perhaps it is time that the protection of information here in New Zealand had the visibility and force of law in the manner of HIPAA in the USA. Then boards and officers would have it brought home to them that the protection of information is a requirement and not an optional extra.

Tuesday, 10 April 2007

Sleepwalking into a surveillance society

Nice to see the issue of privacy hitting the front page of the capital's press (Dominion Post, 10 Apr 2007). It was a pretty quiet Easter!
Our Privacy commissioner Ms Shroff told The Dominion Post New Zealand could expect to follow the same track (as the UK). "What happens in the UK is probably going to happen here tomorrow," she said. "We're the same sort of society."

What a horrible thought! Apart from the cameras, the UK appears to be aiming at universal monitoring of vehicle location, and at fingerprinting children to control the lunchtime turkey twizzler rations.

Technology is certainly well in advance of the general understanding of the issues involved in all this surveillance capability.

Are you the same Richard Gray?

Kim Cameron summarises some thoughtful comments from Richard Gray on identity and authorisation spread over Jon Udell's blog and Kim's own. Richard notes on Jon Udell's blog:
As you don’t have CardSpace enabled here, you can’t actually verify that I am the said same Richard from Kim’s blog.
But without Kim's co-operation, Jon could not verify that the same Richard presented the same or equivalent credentials using CardSpace. A third party would require co-operation from both Jon and Kim to verify that it was the same Mr Gray. This appears to be the case even if he used the same managed card from an identity provider trusted by all the parties.
I think we need to explore this use case further.

Monday, 2 April 2007

Biometric Identification

Kim Cameron is doing a nice job of keeping both the technical and social implications of fingerprinting and other biometric identification visible, so that we do not get led astray by the relative ease of delivering a biometric identification system. Way back when I was designing systems for IBM 360s and the like, identification of people for the systems was always a significant part of the work, and often we would call for everybody to be tattooed with a bar code at birth. Somehow this never caught on... damn liberals! Now we have extremists in governments of significance who have brought gunboat diplomacy to new levels and who view state collection of information about the individual as a natural part of keeping the world safe.
It may not be clear what the issue is ... why shouldn't governments, law enforcement, and lunch monitors require you to be registered on a database of good guys (or bad guys) in order for you to receive your rights or go about your lawful business? Even if the systems were 100% trustworthy and secure, governments, law enforcement officers, and lunch monitors certainly are not.
In The Honest Truth on Biometrics in Schools (but not the whole truth), Mitch Johns states:

How do school lunch biometric systems work and do they protect privacy?
In most school lunch biometric systems, students place a forefinger on a small fingerprint reader by the register. In seconds, the system translates the electronic print into a mathematical pattern, discards the fingerprint image, and matches the pattern to the student’s meal account information. Food Service Solutions (FSS) biometric software, for example, plots 27 points on a grid that correspond with the fingerprint's ridges to achieve positive identification, but saves no actual fingerprint image.
When school lunch biometric systems like FSS's are numerically-based and discard the actual fingerprint image, they cannot be used for any purpose other than recognizing a student within a registered group of students. Since there's no stored fingerprint image, the data is useless to law enforcement, which requires actual fingerprint images. As there’s no way for any fingerprint or computer expert to extract a record and reconstruct a person's fingerprint image from purely numerical data, privacy is protected.

Kim gives him the benefit of the doubt:
I hope your statement is the product of not having thought through the potential uses ...

I think it is straightforward marketing obfuscation. A concern is admitted and addressed as though it were the only possible concern (in this case, that someone will reconstruct a fingerprint from the stored data). This distracts from the other issues, which cannot be so easily dealt with.

Strictly, the fingerprint expert compares an unknown fingerprint with a known one and states that they are the same on the basis of similarity across a number of points. The more points of similarity, the more likely the identification. Where the bulk of the population is fingerprinted, conventionally or through DNA, a system could be devised to provide a subset that includes the target of an investigation to a very high degree of probability. The size of the subset is determined by the confidence that you wish to have in stating that the target is inside. In the fictional world of CSI, we would see this happening in the twinkling of an eye with only a few false arrests, but in the real world we can expect some serious cock-ups as police, security, librarians and lunch monitors react to False Rejects or False Accepts of the identity.
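As an added illustration of the point above (my own toy code, not from the original post and not FSS's software), a matcher over constructed 27-point grid templates: the stored data is "purely numerical", yet a probe scan can still be scored against a whole population, and the match threshold decides how large the scooped-up subset is and whether the target is inside it (False Accepts versus False Rejects). The 32x32 grid, the number of points lost between scans, the seeds and the population of students are all assumptions.

```python
import random

GRID = 32     # assumed grid side: a template is a set of cells of a 32x32 grid (constructed)
POINTS = 27   # points per template, matching the quoted FSS description


def make_template(rng):
    """Constructed template: 27 distinct grid cells standing in for ridge points."""
    cells = set()
    while len(cells) < POINTS:
        cells.add((rng.randrange(GRID), rng.randrange(GRID)))
    return frozenset(cells)


def noisy_capture(template, rng, dropped=7):
    """Simulate a fresh scan of the same finger: some points missed, some spurious."""
    kept = sorted(template)
    rng.shuffle(kept)
    kept = set(kept[dropped:])
    while len(kept) < POINTS:
        p = (rng.randrange(GRID), rng.randrange(GRID))
        if p not in template:   # spurious points never coincide with the real ones
            kept.add(p)
    return frozenset(kept)


def score(a, b):
    """Points of similarity: cells present in both templates."""
    return len(a & b)


def candidate_subset(probe, population, threshold):
    """Everyone whose stored template matches the probe on at least `threshold` points."""
    return [pid for pid, tmpl in population.items() if score(probe, tmpl) >= threshold]


def build_population(size, seed=1):
    rng = random.Random(seed)
    return {f"student-{i:04d}": make_template(rng) for i in range(size)}


def subset_sizes(population, target_id, thresholds, seed=2):
    """Per threshold: (size of the subset scooped up, whether the target is inside it)."""
    probe = noisy_capture(population[target_id], random.Random(seed))
    out = {}
    for t in thresholds:
        subset = candidate_subset(probe, population, t)
        out[t] = (len(subset), target_id in subset)
    return out


if __name__ == "__main__":
    pop = build_population(1000)
    for t, (n, inside) in subset_sizes(pop, "student-0042", [1, 3, 5, 10, 20, 21]).items():
        print(f"threshold {t:>2}: {n:>4} candidates, target inside: {inside}")
```

Lowering the threshold widens the subset (more innocent False Accepts); raising it past the points the probe actually shares with the enrolled template drops the target out (a False Reject).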

The use of an encrypted biometric does address the issue of law enforcement scooping up large sections of the population on the basis that there is a 50% chance that the bad guy is in the scoop, but encrypted biometric systems must be implemented with a very high level of integrity and trust. Certainly, relying on a school to manage the acquisition and storage of data as sensitive as identity is not sensible. We barely trust schools to do their core business of teaching.