03-08 Contents: Windows secrets, UK & Euro, Eusprig conference report, best practice
This issue online at http://www.sysmod.com/praxis/prax0308.htm
Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success
1) Risk management
Windows Password cracker
Windows XP Product Activation - what it tells MS
2) UK & The Euro
Another news service
3) Eusprig 2003 conference report
The best European Spreadsheet Risks Interest Group conference yet!
A short "best practice" spreadsheet guide from NZ Treasury
4) Paris holiday apartment website
5) On the lighter side
12 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information
I'm always interested in reading your comments! Thanks for reading,
Woody Leonhart's Windows Watch provides two interesting reports recently:
Philippe Oechslin at the Ecole Polytechnique Federale de Lausanne refined a very fast method for cracking certain kinds of alphanumeric passwords. Windows passwords are particularly vulnerable to his pre-digesting trick because Windows always encodes passwords the same way, on any PC. By contrast, Linux "salts" each password, so the encoding comes up different on different machines. That makes it impossible to come up with this kind of pre-digested list.
Luca Wullschleger and Claude Hochreutiner, also at EPFL, wrote a program and a Web interface http://lasecpc13.epfl.ch/ntcrack/ (now taken down as it had too many hits) to show just how well Dr. Oechslin's method works. Woody's 12-character test password was cracked in less than three seconds. The program only works with alphanumeric passwords - if you use punctuation marks (as Woody strongly recommends in his books), your chances of being cracked quickly go down significantly.
Mike Hartmann at tecChannel has gone through every single byte that's
transmitted to Microsoft during activation over the Internet , and accounted for
all of it. The net result: there's a little bit of extra data going to the
'Softies, but none of it appears to be personally identifiable. If you have any
qualms about activation, Woody strongly suggests you dig through Mike's very
techy report at
http://www.tecchannel.com/security/client/105/index.html This article documents the protocol employed by Internet-based product activation. The site offers a $2.95 download of the tools used. That in itself is an interesting use of a new service for charging for digital content - FirstGate.com
The web site www.GrahamBishop.com provides news alerts on subscription on economic affairs. There is a trial period. I noticed a mention of an "EMU Conversion Forum" meeting on 16 July, but that is for a closed group of banking and insurance companies.
End-user and corporate developers, software testers, and risk auditors discovered best practices in managing spreadsheet risks by attending the European Spreadsheet Risks Interest Group (EUSPRIG) Fourth Annual Conference.
This was our most successful EUSPRIG conference yet. The quality and content of the presentations and the 170-page proceedings received very high ratings. The conference was opened with an introduction from Garry Cleere of the European Computer Driving Licence Foundation which was the chief sponsor, and the support of the Irish Computer Society and KPMG Ireland were acknowledged.
'Reducing Overconfidence In Spreadsheet Development' by Ray Panko of the University of Hawaii was for many delegates the first introduction to concepts of human error that are now accepted in the world of software quality. Professionals have learned through inspection and introspection to expect error rates of 1-5% and they work hard to reduce errors through good preparation, awareness in working, and review. Spreadsheet end-users do not measure their error rate and so have naïve and overconfident expectations of success. Engaging in risky behaviour is self-reinforcing, for as long as one’s luck lasts. Computer lab experiments have shown how to reduce overconfidence by warning people of previous typical error rates.
'Audit and Change Analysis of Spreadsheets' by John Nash of the University of Ottawa was remarkable in its introduction of the concepts of change control into spreadsheets. It is innovative in its use of Open Source Software and server-based spreadsheets. The use of cross-platform browser clients also eliminates the virus risk. It offers a potential solution to the endemic problems of merging spreadsheets - which have been distributed for filling-in by users - back into a central database. Their tool SSSCAN tracks all changes over the life of a spreadsheet, and auditors can review and filter the log to perform integrity checks.
'VBA Tools For Excel 2000' by Chris Gorham of London caused that “I didn’t know Excel could do THAT” moment in a conference where people sit up. In this case it was the explanation of “Very Hidden” sheets which are invisible to the “unhide” command. Although I knew of that, in the next minute I heard about how individual worksheet recalculation can be turned on or off independently of workbook automatic/manual recalculation, which was news to me.
'Correctness Is Not Enough' by Louise Pryor of Edinburgh explained the importance of quality attributes such as auditability, usability, maintainability, and performance. Her Excel add-in is at www.xlsior.com
'User Computing In Financial Regulation' was the keynote speech by Dean Buckner of the Financial Services Authority (FSA) in London. He is a proponent of end-user compuing (EUC), but calls for a “Highway Code” to go along with the “Driving Licence” in using computers. His description of “data citizenship” is comparable with the “responsible computing” term used by the European Computer Driving Licence (ECDL). He sees similar problems now arising with Access databases as are already happening with spreadsheets, as users get to grips with this technology. His aim is to reduce the two or three major problems (that go unreported) he sees every year. One of the FSA’s firms already links the level of a business’s capital charges to accreditation in EUC.
'The Wall and The Ball' by Richard Irons of Central Queensland University had a startling start by showing a tax calculation mistake in a model in a published book by Benninga now in its second edition. Irons has created two simple spreadsheet test examples and he is looking for people to take them as research into the causes of errors. Be warned if you decide to try it – the average cell error rate for the simple “Wall” problem is 1.67% and for the more conceptually difficult “Ball” it is 11.86% !
'Accuracy In Spreadsheet Modelling Systems' by Tom Grossman of the University of Calgary gave an analytical overview of various classes of errors. These include input data quality, imperfect models, implementation errors, and bias in interpreting unexpected results. Tom also presented 'Research Strategy & Scoping Survey on Spreadsheet Practices' where he outlined a survey for collecting data on spreadsheet attributes, importance, motivation, and development practices.
A feature of the conference were the exhibits & demonstrations of Code Tracer, a spreadsheet visualiser and analyser ( www.codetracer.com/demo ), Atebion, a simultaneous equation modelling solver ( www.atebit.co.uk ) and EXChecker, a spreadsheet auditing tool ( www.spreadsheetauditing.com ).
'Getting Spreadsheets Under Control - Practical Issues And Ideas' by Barry Pettifor of PWC in London revealed that “in 7 years reviewing models, the PwC team have NEVER failed to find errors in client models”. He predicted that the Sarbanes-Oxley Act in the USA should mean that managers can no longer ignore their un-controlled dependency on spreadsheets. He described an approach of identifying key applications, consolidate them, lock the spreadsheets down, develop “spreadsheet champions” to instil good practices, and equip auditors with a risk assessment framework such as CoBiT.
'Issues in Strategic Decision Modelling' by Paula Jennings of London described sensitivity analysis, what-if scenarios, Monte Carlo simulation, optimisation, and real-options modelling.
'Investigating The Use Of Software Agents To Reduce The Risk Of Undetected Errors' by Simon Thorne and Mukul Madahar of the University of Wales in Cardiff (UWIC) was controversial. They described how software agents could monitor users as they work with spreadsheets, detect certain patterns, and – this is what caused the sharp intake of breath – “make appropriate changes”!
'TEAM work: A CobIT Approach To Quality' by David Chadwick of Greenwich summarised previous EUSPRIG work in the key categories of Tools, Education, Audit, and Management. Grenville Croll reported on his EuSpRIG presentation at EURO/INFORMS Conference 2003 in Istanbul. We need to make more contact with the OR/MS world - may I ask anyone in that area to get in touch with regard to future conferences?
'Spreadsheet Debugging' by Yirsaw Ayalew of the University of Addis Ababa described research on Interval-Based Testing and Fault Tracing. Interval testing uses a parallel spreadsheet with ranges of expected values specified to aid validation. The fault tracing strategy is based on the expectation that a cell which has many faulty precedents is more likely to contain the most influential cells than the one with few faulty precedents.
We concluded with a panel discussion on “Quality Engineering” and an invitation by Roland Mittermeir to next year’s conference at the University of Klagenfurt, Austria.
At www.eusprig.org there is a downloadable PDF Best Practices paper of 100+ pages but at the conference somebody asked for something more concise.
So, out of all the links at
www.sysmod.com/sslinks.htm I recommend this
PDF from Down Under:
www.treasury.govt.nz/dice/reports/rev-spreadsheets.pdf Review of Spreadsheets - November 1997 - The Treasury. This document aims to highlight the main risk areas, and provide best practice guidelines in order for the user to make the correct trade-off decision.
I said last month that I would let you know which Paris apartment letting service we settled upon. We picked one from www.Homelidays.com. The bank transfer charge for our booking deposit was only 15c, now that there are new rules for intra-EU bank transfers!
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne, Editor
Mildred's House of Signage
ElectricNews.net reports: "America -- the home of the weird and wonderful. From the restaurant promoting the 'best hat dogs' in town, to the sausage maker who uses a painting of pigs literally jumping into a meat grinder, to a store advertising 220-volt appliances such as 'VCRs, TVs and luggage' -- photos of strange, funny and beautiful signs can all be found on this site. A great way to view some genuine slices of Americana. "
Copyright 2003 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to
EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
Copyright (c) SML 2003
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
We guarantee not to sell, trade or give your e-mail address to
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://groups.yahoo.com/group/EuroIS/