PraxIS June 2003                    ISSN 1649-2374

0306 contents: Viruses, Security, '419' scams punished, Euro notes RFID, Spreadsheet testing and auditing, James Bach Exploratory Testing Report

This issue online at


Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success

1) Internet and risk management
'419' scams punished
10 Risk Management tips for professionals

2) Euro notes
Extra security RFID speculation

3) Spreadsheet testing and auditing

4) James Bach course on "Exploratory Testing" - report

5) On the lighter side  

14 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information



I'm always ready for your comments! Thanks for reading,

Patrick O'Beirne



1) Internet and risk management


The wave of virus attacks continues, with variations on W32/Bugbear, W32/Palyh (the support [at] fake) and SoBig appearing daily. Fortunately my anti-virus scanner has caught them all. But the fact that I get them from so many sources indicates how careless many people are about protecting their data.

Banks suffer increased hack attacks

Hack attacks are becoming increasingly sophisticated, with over a third of banks and financial services companies reporting a security breach in the last year, according to a new survey.
Of the 39 per cent who admitted their systems had been compromised, 16 per cent were due to external attacks, 10 per cent internal breaches and 13 per cent both, according to the 2003 Global Security Survey of worldwide financial services institutions by consultant Deloitte Touche Tohmatsu (DTT).

'419' scams punished 
West African e-mail-fraud suspects in court

A Dutch court in Amsterdam heard how a gang of six alleged West African swindlers sent people around the world thousands of fraudulent e-mails containing luring stories of lottery wins, and promises of huge sums of money to be made. Victims - at least 23 of them - included a Russian who lost $3000, and a Swiss citizen who paid the gang $482,000 for a 25 per cent stake in a $36m scam. Police confiscated a large number of computers, telephones, fax machines and documents found on the premises from where the suspects operated.
Well, that's good news at last. In Africa, there is a growing anxiety about the damage to reputation from these activities, and there is a "Balancing Act - Africa" report at: 
There is more about these kind of scams at  and  which reports some entertaining engagements by teasers with these scammers. A somewhat scarily entertaining report, with photos, is the leading on of "Mupesa Solomon" as reported here: 

10 Risk Management Tips 
Accountants Can Avoid Malpractice Trouble: 10 Risk Management Tips
(In fact, these apply to almost any professional or consulting business)
1. Bad client selection.
2. No engagement letter.
3. Embezzlement within client's office.
4. Technical standards violations.
5. Real or perceived conflict of interest.
6. Client expectations are different than the work performed.
7. Services provided are beyond the expertise of the accountant.
8. Advising more than one party to a transaction without significant disclosures and waivers.
9. Lack of internal procedures within the accountant's office.
10. Lack of disclaimers in prepared financial statements


2) Euro notes 
Euro notes to get RFID tags from Hitachi?
Radio Frequency Identification (RFID) tags the size of a grain of sand could be embedded in the euro note if a reported deal between the European Central Bank (ECB) and Japanese electronics maker Hitachi is signed. Japanese news agency Kyodo was reportedly told by Hitachi that the ECB has started talks with the company about the use of its radio chip in the banknote. The ECB is deeply concerned about counterfeiting and money laundering and is said to be looking at radio-tag technology.


3) Spreadsheet Testing and Auditing

I have been checking some fairly complex spreadsheets in the last month or so and am glad to have tools like SpACE, ExChecker, and Spreadsheet Detective to help me. Ask me for more details.

The programme for the July 24/25 European Spreadsheet Risks Interest Group conference in Dublin has been announced. You can find it on and here are the highlights:

Paper: ‘Research Strategy & Scoping Survey on Spreadsheet Practices’ T.Grossman, O.Ozluk
Management Summary: ‘Correctness Is Not Enough’ Louise Pryor
Paper: ‘The wall and The Ball’ Richard Irons
Paper: Reducing overconfidence In Spreadsheet Development’ Ray Panko
Invited Speaker: ‘Spreadsheet Risks in UK Financial Services’’  Dean Buckner, Financial Services Authority, London
Management Summary: Barry Pettifor, PwC
Management Summary: David Chadwick ‘A CobIT Approach To Quality’
Management Summary: Paula Jennings
Paper: Spreadsheet Debugging’ Yirsaw Ayalew
Paper: Audit and Change Analysis of Spreadsheets’ John Nash
Quality Engineering: Demos and Products; Code Tracer: M. Siersted; Atebion: B.Phillips.
Research Initiatives at UWIC
Panel: Quality Engineering: is it necessary, is it wanted, what does it mean?

_______________________________________________________ _______________________________________________________

4) James Bach 3-day course on "Exploratory Testing"

James Bach (  ) is the author (with Kaner and Pettichord) of Lessons Learned in Software Testing: A Context-Driven Approach. I went to his course in Edinburgh efficiently organised by Newell & Budge.
Solid material, full-flow presentation
I was impressed by his presentation flow. Although we took a break every hour (the “academic hour” principle) we seemed to flag before he did! He was immediately able to present anecdotes and arguments to back up his answers to any question asked. He began with some exercises related to thinking and knowledge, including our observing magic tricks, and then went on to sessions on software testing. I won’t repeat the course outline here, you can obtain them by request from .
In fact, you can download extracts from JB’s presentations as well as those of other well-known testing experts from  and
This is JB’s favourite word. It refers to rules of thumb; fallible rules, like proverbs, which capture common patterns of experience but must be applied with discretion. The course exercises include a simple program in which, although it is unchanged since 1996, successive course attendees have found more and more bugs. Later exercise on commercial products were far more challenging which drove home to me the point about needing preparation for time-limited testing ­ see my driving analogy below.
Context driven testing
At one point I got irritated at what I thought was a logic-chopping argument at one point. It turned out that JB was offering counter-examples in order to make a point about context; that assumptions that are valid in one context are not in another. “Good practices” in one context produce poor results in another. He offered another exercise where he put up one of his heuristics and invited us to argue against it. We came up with a number of counter-arguments that he already had on a list from previous courses.
As attendees were mainly working within companies where they are very well aware of their context, I wonder how much value it is to consider different contexts. It’s a strain for a corporate tester to think like a consultant (like JB) who has to switch context every week and needs very widely-scoped checklists. But it’s nonetheless useful as an exercise as sometimes habits become embedded as assumptions, and it only takes raising the question for a change to happen. For example, many developers carefully comment out debugging code and testing harness before creating a product for testing; but having such tools can simplify testing enormously. Simply ask for an automatable feature like a command-line interface ­ it might be there!
I found his checklists useful and immediately applied one to my next testing project!
How to star on the course
Actually, this is also how to star in testing generally. JB’s course materials contain a handout on creating a test strategy model. Put a yellow sticky label on that when he first draws your attention to it. That evening, before going to the pub, revise that section. On the next day’s exercise, refer to it and you’ll be amazed how quickly you can generate probing questions that will reveal further details about the product under test.
How to perform well under pressure.
Using a checklist is not instinctive; under the time pressure of an exercise, one tends to jump in and use previous experience to get you through. But consider this analogy. You have to make a journey by car across unfamiliar territory. From the distance, you might expect it to take between one and two hours. If you have two hours, you might just drive off and rely on road signs to get there. If you have only one hour, you will stop to carefully check your map first, listen for traffic reports on the way, and phone ahead to get precise instructions near the destination. That is all overhead ­ but it is done to reduce risk and ultimately save time.
Structured Exploratory Testing
JB’s point is that we all do exploratory testing. Under fear of ad-hoc wandering around aimlessly “testing”, we may think the antidote is to specify fixed tests and always do them. In fact, JB’s approach is to use a disciplined method involving checklists, note taking, and structured reporting, with the aim of finding as many bugs as possible ­ which is after all the most common aim! Obviously with different aims (e.g. testing for compliance certification) one uses different approaches, but for most of us, that’s our main interest. JB’s reply to concerns about auditability is simply to have a balanced approach ­ “let no regulation or formalism be an excuse for bad testing”.
Any questions?
If you are wondering why I did not address this or that issue of testing, remember that I’m just commenting on what is noteworthy in my context. Feel free to email me and we can continue the theme in future newsletters.

_______________________________________________________ _______________________________________________________


Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) On the lighter side 
The BBC's "Donald Rumsfeld soundbite of the week" archive 
Pages of "groaners" such as light bulb jokes.


Copyright 2003 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to 
EuroIS-subscribe (at) yahoogroups (dot) com
- it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor

"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".


To read previous issues of this newsletter please visit our web site at


This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.

Copyright (c) SML 2003

Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!


We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website