PraxIS May 2004

04-05 Contents: Sasser worm, Complex IT projects, eVoting, EU enlargement, Spreadsheet Testing

ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0405.htm [Previous] [Index] [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success

IN THIS ISSUE

1) Risk management
Sasser worm - critical Windows patch needed!
The Challenges of Complex IT Projects (BCS paper)

2) Electronic Voting
    Commission on E-Voting report: "unable to recommend"

3) EU Enlargement
    Celebrations, and a challenge for readers
    Euro Conversion Calculator updated for new EU member currencies

4) Spreadsheet Testing
    Typo costs University $2.4M
    "Testing Spreadsheets" presentation available for download
    Review of XLSior, Excel testing and auto-documenting add-in

5) On the lighter side
Annals of Improbable Research
James Joyce - Bloomsday centenary

21 Web links in this newsletter
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information

_______________________________________________________

Welcome to PraxIS

Try the Euro acronym challenge this month!

Patrick O'Beirne

_______________________________________________________

| |

_______________________________________________________

1) Risk management

Sasser worm - critical Windows patch needed!

All you have to do to get infected is to be online and unpatched. I am highlighting this because unlike the now very common email viruses, this is like Blaster, a worm that enters PCs running Windows without the critical update of 13 April. Microsoft issued an alert on 23 April :

"Customers who are still evaluating and testing MS04-011 should immediately implement the workaround steps detailed for the PCT/SSL vulnerability detailed in the MS04-011. In addition, Microsoft has published a knowledge base article KB187498 at http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 which provides additional details on SSL and how to disable PCT without applying MS04-011."

www.microsoft.com/technet/security/bulletin/MS04-011.mspx Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)
Issued: April 13, 2004 Updated: April 28, 2004 Version: 1.2
Summary Who should read this document: Customers who use Microsoft® Windows®
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.

The news today is showing increasing coverage of the Sasser worm that exploits the vulnerability:

www.washingtonpost.com/wp-dyn/articles/A62330-2004May3.html
1. Disconnect your computer from the Internet.
2. Press the keys "Ctrl" "Alt" and "Del" at the same time. That should launch Windows Task Manager. Click on the "Processes" tab. Look for a file called "aserve.exe" or "*_up.exe". If one of these files appears, highlight it and click on the "End Process" button. Click "yes" when it asks for confirmation.
3. Find and delete the worm: Click on the "Start" button in the bottom-left corner of your screen, then choose "Search". Search your entire computer (in the field next to the "all files and folders" option) for the following files: "avserve.exe", and "*_up.exe". Delete any matching files.

http://news.bbc.co.uk/2/hi/technology/3678725.stm BBC coverage

____________________________________________________________

The Challenges of Complex IT Projects

The report of a working group from The Royal Academy of Engineering and The British Computer Society.
www1.bcs.org.uk/ BCS Position Statements
www1.bcs.org.uk/DocsRepository/07500/7560/complexity.pdf The Challenges of Complex IT Projects (PDF - 161kb)
www1.bcs.org.uk/DocsRepository/07600/7606/royalacademy.htm Press Release: UK Wasting Billions on IT Projects
"It is alarming that significant numbers of complex software and IT projects still fail to deliver key benefits on time and to target cost and specification. The importance of project management is not well understood and usually under-rated and senior managers are often ill qualified to handle issues relating to complex IT projects. Risk management is critical to success in complex projects but is seldom applied effectively in the case of IT and software."
Advice for Senior Management: Five Key Issues
Appendix III: Project Risks and Sources of Best Practice

QUOTATIONS

"A significant percentage of IT project failures, perhaps most, could have been avoided using techniques we already know how to apply. For shame, we can do better than this." (L. Hatton)
"Why, in this field apparently more than almost any other, does there seem to be no ability to learn from history?" (G. Robinson)
Pace of change "The pace of technological change and the ferociously competitive nature of the industry more or less inevitably lead to the triumph of speed over thoughtfulness, of the maverick shortcut over discipline, and the focus on the short term" (G. Robinson)
Reinvention "Software continues to be reinvented to perform the same function. Every time it is reinvented new errors are created" (B. Collins)
Requirements management "Humans are very poor at saying precisely what they do want and extraordinarily talented at recognising what they don’t want" (M. Lunt)
Organisational culture "In my experience when things go wrong there is always somebody in the organisation who knew they were going to go wrong. The question is how do you create an environment in which those who know it’s going to go wrong feel able to say so and then get a proper hearing?" (G. Robinson)
Testing and test planning "Testing is an absolutely vital part of all software/IT systems projects and can often account for 40% of the overall development effort" (M. Williamson)

____________________________________________________________
____________________________________________________________

2) Electronic Voting

Commission cannot recommend proposed E-Voting system for Ireland

www.cev.ie, report (165K PDF) "The Commission accordingly concludes that, having regard to the issues of secrecy, accuracy and testing as set out in its terms of reference, it is unable to recommend the use of the proposed system at the local and European elections and, by extension, at the referendum due to be held on 11 June."
They highlighted the insufficient testing: "there is not sufficient time before the June elections for full testing of the final version of the software which would be essential before the software could be run in these elections;"
They even discovered an error: "certain of the tests performed at the request of the Commission identified an error in the count software which could lead to incorrect distributions of surpluses; there is a possibility that further testing will uncover further software errors;"
They made short work of the so-called "secure" system: "experts retained by the Commission found it very easy to bypass electronic security measures and gain complete control of the 'hardened' PC".

I have to confess I was a cynic and believed the Commission could only report that in the time they had, they could find no problems, and that Minister Cullen could use that to press ahead. It is heartening to see a resounding endorsement of good practice. (See the BCS paper, above)

The report mirrors every point made by Joe McCarthy (see www.iol.ie/~aecolley/icte/Joe-CEV.doc). His hard work and persistence, and willingness to spend his own money on Freedom of Information Act (FOI) requests to force disclosures of documents from the Dept. of the Environment, is an example of investigative analysis.
Irish Examiner: www.irishexaminer.com
See also the previous four issues of PraxIS (www.sysmod.com/praxis/)

____________________________________________________________
____________________________________________________________

3) EU Enlargement

Celebrations, and a challenge puzzler

Saturday May 1st saw the historic accession of ten new countries to the European Union. Malta, Lithuania, Hungary, Slovenia, Poland, Cyprus, Latvia, Estonia, Czech Republic, Slovakia. I wandered around the fair in Dublin's Merrion Square tasting the salami and wines on offer. That Estonian vodka is strong stuff.

Here's a challenge for you: can you think of an acronym to help people remember the names of the ten new members? You already know the "Baffling Pigs and Duks" acronym for the present EU-15? (The 12 Euro countries: Belgium, Austria, Finland, France, Luxembourg, Ireland, Netherlands, Germany, Portugal, Italy, Greece, Spain, and the three non-euro: Denmark, UK, Sweden)

Here's one I came up with, using the second letter of the ISO abbreviations of the countries: Phlimzy Kev. OK, you do better.

Pl: Poland
Hu: Hungary
Lt: Lithuania
sI: Slovenia
Mt: Malta
cZ: Czech rep.
cY: Cyprus
sK: Slovakia
Ee: Estonia
lV: Latvia

www.eu2004.ie Irish EU Presidency website

_______________________________________________________

Euro Conversion Calculator updated for new EU member currencies

http://www.sysmod.com/eurocalc/eurocalc.php euro calculator

I have now updated the online calculator to show the currencies of the new members, and the exchange rates for the other world currencies. It is updated every day from the European Central Bank rates. I am pleased to say it has been syndicated to the European information portal EUBusiness.com (www.eubusiness.com/Currency-converter)

If you would like to feature this on your web site, just email me telling me the page you want it on and I'll explain to your web maintainer how to do it. In return, I ask that you retain my advertisement display and links to my site.

_______________________________________________________

4) Spreadsheet Testing

Typo costs University $2.4M

www.toledoblade.com/apps/pbcs.dll/article?AID=/20040501/NEWS21/405010344/-1/NEWS University of Toledo loses $2.4M in projected revenue (Toledo Blade May 1, 2004)
"While official UT projections call for a 10 percent decline in graduate student enrollment, an increase mistakenly was shown in a spreadsheet formula that led officials to overestimate enrollment and therefore revenue, Mr. Decatur said." "Dr. Johnson said no job action will be taken against the employee who made the mistake, who has a good performance record. Officials will, however, pursue systemic changes to provide more safeguards in the future. "We have very competent people," Dr. Johnson said. "I do think that the continuing fiscal pressures on universities have forced us to a level of staff support where there is little or no redundance in the process."

That story joins more than thirty spreadsheet problems at http://www.eusprig.org/stories.htm

From the BCS report above, a quote on professionalism: "Everybody is taught some software writing skills – they are not taught the responsibility that goes with it" (K. Longmore)

_______________________________________________________

"Testing Spreadsheets" presentation available for download

www.SoftTest.ie/20040426.htm My presentation to SoftTest Ireland, April 26.

The risks in business dependence on spreadsheets developed by overconfident "near experts" are confirmed by research and news stories on spreadsheet errors. This paper presents dynamic and static methods of testing spreadsheets, and describes good design practice to build in protection, validation, usability. Context-driven risk assessment helps prioritise the resources to maximise the returns from the effort expended. I describe auditing tools to assess the quality of existing spreadsheet assets and provide tips for managing the spreadsheet development process.

_______________________________________________________

Review of XLSior, Excel testing and auto-documenting add-in

Overview of XLSior, produced by Louise Pryor, www.XLSior.com

From the help file: "XLSior makes it easy to build better Excel spreadsheets by supporting the use of automatic testing, systematic development and organisation-wide standards and processes. It includes tools for: Automatic testing Automatic documentation Controlling development versions and releases Handling protected and hidden worksheets Automatic importing of values from other workbooks".

It supports Excel 2000 and later. 30-day evaluation licenses are free. The single user license is £249 which includes basic technical support by email for 90 days, and all upgrades until the next major version.

In summary, this is a unique tool that simplifies the most bothersome part of spreadsheet development, the job people hate to do, but the job they should do almost more importantly than anything else – testing.

Auto-Documentation

XLSior uses an attractive choice of plum and yellow colours to indicate the function and contents of cells in the worksheets it uses. It can add any or all of these worksheets to your workbooks: List of cell comments in the workbook, inserted and updated by the AutoDocument > List cell Comments command. List of external links in the workbook, inserted and updated by the AutoDocument > List external Links command. List of sheets in the workbook, inserted and updated by the AutoDocument > List Names command. List of sheets in the workbook, inserted and updated by the AutoDocument > List Sheets command. (It takes the sheet title from cell A1 in each sheet.) Sheets of import definitions. Sheets of test definitions. Results of the last set of tests run by the Tests > Run Tests command. A record of all the versions and releases that have been made from the workbook.

You can specify a standard page footer when you print containing the full filename (including path) and sheet name on the left and date, time and page number on the right. This is a useful audit trail, and is mandated in regulated environments.

You can choose to update existing AutoDocumentation sheets, or to run the tests in the workbook, whenever a workbook is opened or a workbook, version, or release is saved. You can also add a distinctively formatted box near the top of the sheet to hold comments about the sheet.

Figure 1: XLSior screen shot showing test cases

Testing

This for me is the highlight of XLsior, reminiscent of JUnit for Java unit testing. The traditional problem with spreadsheet testing is that it is manual, repetitive, and boring, and therefore very likely to be skipped under schedule pressure. This is of course a false economy of time as it often leads to embarrassing releases that have to be re-issued and in some cases more time wasted on data recovery. XLSior allows you to define a set of tests for each workbook and run them automatically. Testing thus becomes a pain free exercise, meaning that it is more likely to happen.

The basic idea of testing is to perform controlled execution of the workbook, and to check that it behaves as expected. The test data consist of substitutions that are to made on the spreadsheet: which cells should be set to which values. When a test is run, the test data is substituted, then the workbook is recalculated and the test conditions are evaluated. Finally, all cells affected by the substitution of test data are set back to their original values or formulae and the workbook is recalculated again.

After testing, the calculations in the main workbook are unchanged. The results of running the tests are recorded on sheet X~TestResults, which summarises all the tests, and on the individual sheets on which they were defined.

Worksheet manipulations

Dealing with worksheets can be fiddly and time consuming in Excel. Protecting, hiding, and reordering can be performed only one sheet at a time, requiring you to go through a series of menu selections and dialogs for each. Like the tools mentioned in PraxIS March 2004, XLSior provides menu items to operate on groups of sheets.

Automated Importing

XLSior provides protected sheets where you can specify ranges from other workbooks to be imported onto each import sheet.

Version Control

Usually, you have to diligently keep and track multiple copies of your workbook as you develop new versions. Although Excel provides a way of tracking changes, and undoing them if necessary, this only works on shared workbooks; and you can only make limited changes to these workbooks. XLSior provides you with mechanisms for keeping backup versions of workbooks, snapshots that enable you to return to earlier copies, and for differentiating these from releases, copies that can be used in earnest by users. It also records these in a change log, which again is a mandated requirement in regulated organisations. The Save Version / Release command saves a copy of the current workbook using a special name, effectively taking a snapshot of the current state. Whenever you save a version or release copy using XLSior, a record is kept in the original workbook of the name of the copy that was saved, when it was saved and who saved it. You can also add a comment describing the purpose of the copy or what changes it includes.

Figure 2 :XLSior screen shot showing saved versions

_______________________________________________________

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

If you like the newsletter, a great way to show your support is to make your next book or CD purchase from our Amazon shop page!

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) On the lighter side

Annals of Improbable Research

www.improbable.com The journal sponsors the annual IgNobel Prizes This year, AIR started an AIRHead blog ( http://improbable.typepad.com ) with a new improbable entry every day. Scientific, slightly nerdy, sometimes silly, sometimes guffaw-inducing satire.

James Joyce - Bloomsday centenary

This is of personal interest as my wife Megan is preparing photographic exhibitions in Dublin and Trieste on sites where Joyce lived, worked, and died. If you relish "the inner organs of beasts and fowls” on June 13, check out www.MeganOBeirne.com/joyce-2004.htm

www.rejoycedublin2004.com/ The official Bloomsday 100 site.

_______________________________________________________
_______________________________________________________

Copyright 2004 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://groups.yahoo.com/group/EuroIS/
_______________________________________________________

[Previous] [Index] [Next]