Apple claim that iCloud can store passwords “only locally” seems to be false

Aurich Lawson / Thinkstock

An Apple support document describing the company's new iCloud Keychain makes a surprising claim that it can sync passwords across devices without ever storing them in the cloud.

If true, this would be an important advance in password management, allowing users to create long, complicated passwords on one device and have the passwords automatically sync to their other devices, but without storing data on Apple's servers.

Today, most password managers sync data across devices by storing the data in a cloud service. There are ways to sync passwords directly among devices without cloud storage, for example with a Wi-Fi sync option in the latest versions of 1Password. However, this requires some extra steps that reduce the convenience a good password manager offers.

Read 27 remaining paragraphs | Comments


Open Group Enterprise Architecture Conference London 2013 Highlights


Last week , The Open Group kicked off their signature Enterprise Architecture Conference in London. Like others in the  recent past the Open Group has taken on a industry focus for these quarterly conferences. The goal here is to provide a very tailored experience to EA’s in those specific industries. With this focus and where the conference was hosted I was surprised to see the very broad attendance and representation from many nations all over the world that include 28 nations: UK, US, Columbia, Philippines, Australia, Japan, Netherlands, Germany, South Africa and many others.

The theme of this conference was Business Transformation in Finance, Government and Healthcare. There were some very interesting sessions specifically from the keynote presenters based in the UK. If you were not there you can watch the live stream of the keynote presentations here:

You will find from all of these presentations that there is a shift in how EA is used and the results generated. As an example, Judith Jones from Architecting-The-Enterprise, shared her findings from the World Economic Forum, posing the question “what keeps 1000 global leaders awake at night”? There were stats were presented with over 50 global risks – economical, societal, environmental, geopolitical and technological. There wasn’t the typical drudging over IT oriented topics. Luckily this was a shared theme across many of the pure vertical tracks.

The Open Group has posted two summaries are well, I would suggest taking a look at them. I wasn’t going to duplicate much of what they covered since they did such a good job. See below:



Even though there was a vertical focus the Open Group did cover additional areas around the profession of EA, forward looking views on the industry and architecture topics like big data and cloud.

Included in that were a series of announcements:


Mike Walker’s Participation at the Event

Unfortunately for myself I wasn’t able to attend many of the afternoon sessions at the conference. Would see more coverage and thoughts about the event. This was due largely to my leadership duties at the Open Group in developing the next version of TOGAF.  Specifically I spent time in two areas, leading the Business Architecture work stream along with Enterprise Architecture Capabilities workshop (see more here). I will talk more about the Enterprise Architecture Capabilities in another post.

The time that I did spend in the conference center was spent presenting to the conference attendees. I had two sessions that centered around the profession itself:

  • Enterprise Architecture Certifications Distilled
  • Panel Session: Looking to the Future


Enterprise Architecture Certifications Distilled

In my presentation, I distilled a wide range of the certifications directly applicable to Enterprise Architecture. While this was a narrow view on the EA profession, it’s one of the most common questions I get from customers.  Certifications are only one component of a career planning conversation. Most importantly for organizations, it is a component of a competency driven strategy to drive results for your organization.

With that said, and if you agree with the assertion, there are so many different EA certifications out there, without the proper framing it can get a bit confusing. I provide perspectives on certifications like TOGAF®, Open CA, and Open CITS  to name a few. Then discuss why it is important to choose the right certification for your career. I examine why skills and experience-based certifications are becoming increasingly more important to both employers and employees as part of the professional development process.

You can see the Live Stream below for those that wasn’t able to attend:



Looking into the Future Panel


Thanks to David Daniel@AgileEngineer for snapping a shot of all of us.

In this panel session I participated we discussed some of the key issues facing the future development of the Enterprise Architecture discipline. You might of seen me talk on other panels about this very topic. A detailed post on my predictions can be found in the post entitled, “Predictions: Enterprise Architecture In 2020”. My thoughts on these topics haven’t changed much.

The questions asked were:

  1. How will the practice of architecture be materially different in 5 years?
  2. Will enterprise architecture ever achieve a professional status - similar to medicine or law?
  3. Are universities the right place to teach enterprise architecture?
  4. Are there any other disciplines that threaten to supersede EA? If so - what are they?




Thank You

I wanted to extend a big thank you to both The Open Group for asking me to come and speak again at their conference along with all the attendees that joined my sessions, asked some really great questions and tweeted some of my thoughts.

Thank you!

Hack of MongoHQ exposes passwords, user databases to intruders

Cloud-based database service MongoHQ said it's changing log-in credentials for employees and customers alike after suffering a security breach that allowed attackers to access sensitive customer files and obtain users' e-mail addresses and cryptographically scrambled password data.

The intrusion occurred Monday, when hackers gained access to an internal support application that included a trouble-shooting feature that allows MongoHQ employees to view an account as if they are a specific customer. The support application allowed the intruders to view account information, including lists of databases, e-mail addresses, and passwords that were protected with the bcrypt hashing algorithm, Jason McCay, co-founder of the service, wrote in an advisory published Tuesday afternoon. The attackers also had the ability to view the MongoHQ account database, which includes connection information for customers' MongoDB instances.

"We've conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database," McCay wrote. "We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user."

Read 5 remaining paragraphs | Comments


Rackspace’s Bad Security

We have found that web hosts often prominently advertise their focus on security while not actually caring about security enough to even taking basic security measures. Lets take a quick look at Rackspace to see that in action. Rackspace has a whole section of their website dedicated to security. If you look over that you would probably be impressed. Though if look closely you might see warning signs. For example, they have a PDF about their “holistic approach to security” that was written by their Director of Product Marketing. Why is a product marketing person writing a security guide?

You don’t have to look hard to see that Rackspace don’t actually have much concern for security. A really basic security measure is keeping software running up to date. That way the software isn’t vulnerable to known security vulnerabilities that have been fixed in the software. An important component of many hosting services is phpMyAdmin, which allows administration of MySQL databases. If someone can exploit phpMyAdmin they can gain access to the database underlying a website. With that they could collect customer information stored in the database, they could create a new administrator account for a website to gain further access, or do other harmful things. If you believed Rackspace’s claims about their focus on security you would certainly expect they would be keeping their installation of phpMyAdmin up to date. Unfortunately for their customers they don’t:

Rackspace Cloud is using phpMyAdmin

The version they are running is over a year and half out of date (as the next version of phpMyAdmin was released in February of 2012). It gets even worse, Rackspace only upgraded to that version after a customer alerted them that they were running an outdated and insecure version of phpMyAdmin and took them six months after being alerted to that to do that upgrade.

According to the information on phpMyAdmin’s security page the version Rackspace is running contains a number of security vulnerabilities. The version they are using is so out of date that phpMyAdmin no longer lists if vulnerabilities impact that version, so it isn’t clear exactly how many there are.