04--11 Contents: Security, Checklists, Spitzer, Gmail, GDS, GDSPlus, Better Searching, Euro accession, dot-eu, eiro, Spreadsheet SOX, FoS, XLSpell
ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0411.htm [Previous] [Index] [Next]
|Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success|
IN THIS ISSUE
|1) Risk & Security
'Make IT Secure' initiative launched in Ireland
Checklists for Technology Risk
Google Mail Insecurity
Google Desktop Search Insecurity
|2) Searching your desktop and the web
Google Desktop Search enhancements
User-Guided Search Refining in Google
Unsure about web searching? Use your Noodle...
EU presses newcomers to work harder to join euro
I say eiro, EU say euro
|4) Spreadsheet Quality
XLSpell - spreadsheet style checker
Foundations of Spreadsheets (FoS'04) Papers available
|5) Off Topic
DotCom, DotOrg, what a difference.
You don't want to see this (any more)
|33 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information
I have a couple of requests this month. Firstly, see the note on "Spitzer risk" .. can you predict what the next wave will be? Secondly, almost all my business comes from personal referrals. So if you find this newsletter useful, here's how you can help me .. tell somebody else about what I do!
Enjoy this month's newsletter,
The government has announced details of an initiative - ‘make IT secure' - that aims to increase awareness of IT security. The initiative includes a nationwide information and awareness campaign about IT security issues. At the announcement, Minister for Communications Noel Dempsey was joined by representatives from each of the companies that are supporting the initiative including: Microsoft, Eircom, HP, Dell, Symantec and Esat BT. Scheduled for November 17, the day aims to inform all PC users, in the home and the workplace, how they can get secure and stay secure. Industry statistics show that between January 1 2004 and June 30 2004 more than 4,496 new viruses and worms were documented, which is more than four times greater than for the same time last year.
Sponsored website: http://www.MakeITSecure.ie
http://www.NetSecure.ie the official website of the National Awareness campaign on Computer security run by the Dept of Communications, Marine and Natural Resources.
Selection of practical Information Security guidance from Finland, Germany, Ireland, Mexico, Netherlands, Norway, UK, USA (including the NSA), the International Chamber of Commerce, APEC members, the World Bank, and the OECD.
Thanks to Louise Pryor's Risk newsletter for this one: "The risk that Eliot Spitzer will launch an investigation into your industry, attacking widely accepted ways of doing business."
"The effects of Spitzer's investigation are being felt much more widely than the particular brokers against whom a suit has been filed. A number of firms have said that they will stop accepting contingent commissions. Share prices in brokers have fallen. Credit ratings have been cut. Share prices in some insurers have fallen"
"But how do you identify a Spitzer risk before it happens? There you are, doing business in the normal way, just like everyone else in your industry: how can you tell if some part of normal business practice is likely to be considered worthy of investigation by a regulator? And not necessarily your own regulator, either? You really have to think outside the box. Is there any aspect of your business that you wouldn't like to have to explain and justify to a hostile journalist? (Or other interrogator). Or any aspect that can be described as 'just the way things are done', but isn't how you'd do it if you were starting from scratch? But it's very difficult to step back and see things as an outsider. And how can you tell which aspects somebody else might pick up on? It's all part of coping with a changing context. What was accepted 50 or even 20 years ago may not be acceptable now, with the increased emphasis on openness and transparency."
It's like the "Tribunal Risk" in Ireland - decades of pocket-lining by politicians is at last coming to light. And in the revelations of overcharges in the financial services industry, the cry is "it was the culture of the time".
http://www.sysmod.com/cgi-bin/blosxom.cgi/2004/08/20 "When I hear the word culture..."
Here's your chance for feedback - what do you think will emerge as the next embarrassing revelation? A currently-accepted "de facto" practice that will not look so good when it appears in press reporting? Drop me an email!
Assessing the Effectiveness of Internal Control, by Michael Ramos, Wiley, Mar'04. 5 star review: "the best, most comprehensive guide to Section 404 compliance out there"
Improving Internal Controls to Prevent Fraud by Scott Green, Wiley, Feb'04. Provides a practical approach for managers in assessing internal control structure at the transaction level. 5 star review ""the best starting point for stakeholders who are peripherally involved in compliance."
A security vulnerability allows the attacker login to someone's Gmail account with full privileges to view sent and received mails and to send mails on their behalf.
Password protected files in Excel are encrypted. But once the user opens such a file, it is in clear. And in the couple of minutes they have it open, the watchful Google Desktop Indexing engine can jump in and index the contents and copy them to its cache - in the clear.
Craig McFadyen's advice is to specifically exclude the paths to any password protected files. Also exclude paths to any encrypted PGPDisk or TrueCrypt mapped drives as Google Desktop will also return results in these even when not mounted. http://www.spotlightIT.com/blog
I tried GDS but I'm not using it. As it can only handle Office files it is far too limited compared to my existing tool, Wilbur from redtree.com. Wilbur can index the text in ANY file you specify, including PDFs by using a pdftotext addin. http://wilbur.redtree.com
Also, both GDS and Copernic merely report which files contain a search term and show the first match. Wilbur can show ALL matches in the line of context in which they occur, so you can home in quickly on which file you want, and where.
To overcome the file type limitation, an ingenious member of the GDS discussion group has come up with a patch :
http://www.trivex.net/ Google Desktop Search Plus
I can confirm that with GDSPlus it can now index Eudora .MBX files but not their entire contents, the limit appears to be even smaller than Copernic's.
http://insidegoogle.blogspot.com/2004/10/whos-talking-about-google-desktop.html Who's Talking About Google Desktop? Everyone!
http://blog.searchenginewatch.com/blog/040830-11 Microsoft MSN Desktop Search rumoured to come out this year
http://news.com.com/2100-1032_3-5409844.html AOL launches new portal, tests desktop search.
http://www.pcworld.com/news/article/0,aid,117272,00.asp PC world: Yahoo desktop search planned
http://www.copernic.com Copernic Desktop search. Free but limited in handling MBX files and drags performance. My review: www.sysmod.com/praxis/prax0409.htm
http://www.blinkx.com/ Blinkx is also free. I deleted it soon. My review: www.sysmod.com/praxis/prax0409.htm
http://www.nettakeaway.com/tp/index.php?id=107 "Desktop Search, or just where did I leave that knowledge?" references to other commercial tools.
http://labnol.blogspot.com/2004/10/what-is-missing-in-desktop-search.html "What is missing in Desktop Search Tools " a wish list for features including Help file searching.
Found at http://www.researchbuzz.org/archives/002060.shtml
http://www.mygooglesearch.com/ You can take the returned search results and select/deselect them and "refine by example" to further clarify your search results. The page will refresh showing a new ten results with notes at the top defining what search terms were added.
http://www.noodletools.com/noodlequest/ NoodleQuest helps to develop the optimum Web-based search strategy. Just answer a few questions about your research topic and NoodleQuest will reveal and explain some of the best search strategies you can use.
http://sysmod.com/az.php?a=0596004478&b=Google_Hacks by Rael Dornfest, Tara Calishain. rrp US$25 Google Hacks reveals--and documents in considerable detail--a large collection of Google capabilities that many readers won't have even been aware of. A large part of Google Hacks concerns itself with the Google API (the collection of capabilities that Google exposes for use by software) and other programmers' resources.
European Union financial chiefs have welcomed progress by the bloc's 10 newest members in preparation for joining Europe's single currency, but say none is yet ready and pressed for continued efforts.
Estonia, Latvia, Lithuania, Poland, the Czech Republic, Slovakia, Hungary, Slovenia, Cyprus and Malta joined the EU on May 1. All 10 are obliged to adopt the euro at some point. Of the older EU member states, Britain and Denmark have chosen to remain outside the eurozone for now and Sweden has taken the same route by not qualifying for membership. Three countries -- Estonia, Lithuania and Slovenia -- joined the ERM II in March, and could therefore in theory apply to join the eurozone in 2006, possibly taking up the currency at the start of 2007. ECB chief Almunia also voiced concern about the reliability of EU data -- an issue highlighted by Greece's recent admission that it exceeded the 3.0 percent deficit ceiling from 2000 to 2002, contrary to previous figures.
European Commission Convergence Report 2004: http://europa.eu.int/comm/economy_finance/publications/european_economy/convergencereports2004_en.htm
http://sysmod.com/az.php?a=0201604825&b=Euro_Conversion Managing the Euro in Information Systems: Strategies for Successful Changeover. Patrick O'Beirne. This book covers the mechanics of conversion calculations, but also examines the scope of such an enormous project, the many different business functions involved in the conversion, and the options and strategies that should be employed to insure a smooth changeover.
A new .eu domain name will be available to companies in 2005 following the European Commission's signing this week of an agreement with a consortium (EURid) to act as the domain's registry. Companies who want to create a pan-European identity for their Internet presence are likely to be interested, especially those operating across country borders. The Commission also sees .eu as a counterweight to the generic .com and .org domains which are dominated by the US in terms of registrations and applicable law.
A couple of hints: EURid advises against accepting offers to pre- register your .eu domain name. There is a risk of confusion and fraud, and the registry needs to be operational before any domain can be pre-registered. Once it is, however, if you are a trademark holder or public body, make sure you take advantage of the "sunrise period" of 4 months during which you can register your domain name before other eligible parties. http://www.eubusiness.com/topics/Internet/EUNews.2004-10-13.5611
Latvia digs in its heels over 'euro' spelling (EUBusiness)
The Baltic republic of Latvia, which joined the EU in May, has rejected attempts to make it spell the European single currency, the euro, like other countries in the Union. "It sounds illogical for us in our language. For many years we have used the word eiro," said foreign ministry spokesman Rets Pletsums. http://www.eubusiness.com/afp/041013151542.e8xkr735
http://www.sysmod.com/euro-emu.htm Answers to questions on the euro including links to the Commission's English Style Guide.
Derek Wimmer of WimmerSystems.com has just launched a new blog-based site on spreadsheets and Sarbox http://www.SpreadsheetSOX.com It has just some news on it now, but I expect he'll collect more on this topic.
His product DACS is of particular interest to those wishing to exert more control over Excel users. The concern of the company is ensuring that (a) nothing has been changed unless the person has been authorized to do so, (b) any changes are securely tracked, (c) the person making the changes can be identified, and (d) the authenticity and integrity of the data can be demonstrated. Their product DACS and the implementation is geared towards satisfying the "best practices" regulations imposed on the pharma industry and their process flows with electronic signatures. For more information, see www.spreadsheetvalidation.com
You know that I've a niche in very specialised information on how various testing tools compare in digging out what's really going on in spreadsheets. And you also know of my wider view of modelling as part of problem solving, to be sure the right problem is being addressed in the most effective way. You may not have a need for that just at the moment, but you may know someone who does. May I ask you just to keep me in mind and if the topic of spreadsheet modelling or testing comes up in conversation, to mention "I know just the person to do it"?
I've been evaluating XLSpell from Sheetware.com recently. Even with all the spreadsheet auditing tools out there, a newcomer can identify even more risk factors that others overlook. That's why I keep an eye on all these, and have them ready to investigate any specific situation. There is no "Swiss Army Knife" of auditing tools, rather I have ExChecker and SpACE and others to hand in order to apply their specific strengths.
XLSpell takes its name from the most commonly used tool in end user applications, the spelling checker. But it does not literally do spelling checks, rather it applies a set of style rules describing known unsound constructs. It includes Sheetware's previous product XDrill to drill down from outputs to inputs.
It checks for: manual recalculation; uses macros; external links; hidden sheets, rows, columns, cells, formulas; Lotus evaluation; embedded objects; timebase changes; circular references, scenarios; chart series constant or only part of data; named range contains error, relative ref, calculation, or duplicate; cells contain constants, error-prone functions, high complexity; references to blanks, non-numerics, unusual forward/backward refs; fails Excel's checks or data validation; blocks of cells with unique formulas; too many inputs, dependencies, outputs, too complex, and bad style in not separating formulas from inputs.
It is priced to be attractive when bought in quantity so that companies can buy it for all their spreadsheet creators rather than just one copy for the auditors.
Web site: http://www.sheetware.com/xlspell.html
The proceedings of the EUSES conference held in Rome on Sept 30 are now available. Eusprig delegates were Pat Cleary of the University of Wales and Grenville Croll of Frontline Systems UK. I notice that EUSES in the US got $2.65M research funding, and Stephen Powell in Dartmouth got $1M. If anyone knows a way in which Eusprig can get EU Sixth Framework Programme money for research projects, let me know!
Downloadable presentations include:
The colouring system in WYSIWYT resembles that used by Phil Bewig in his TrafficLights add-in available from the Eusprig YahooGroup download area.
Management Science, Spreadsheet Engineering, and Modeling Craft (with CDROM) by Stephen G. Powell, Kenneth R. Baker. Effective methods for designing, building, and testing models, and for performing model-based analyses; data analysis, simulation, and optimization.
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
If you like the newsletter, a great way to show your support is to make your next book or CD purchase from our Amazon shop page!
Thank you! Patrick O'Beirne, Editor
Now that the US election is over, these stories are safely out of date:
It seems a common trick to register a .org domain name in order to attack a .com name, or vice versa,
In a US Vice-Presidential debate, VP Cheney invited viewers to read a non-partisan analysis confirming his position by going to "FactCheck.com". Unfortunately, he meant to say "FactCheck.org", which is indeed a non-partisan election watchdog site run by the University of Pennsylvania. FactCheck.com is a private advertising site run by someone who is not a fan of the President.
Also http://www.georgewbush.org is NOT the same as http://www.georgewbush.com Not that we can see the latter site, anyway, as this story tells:
http://news.bbc.co.uk/1/hi/technology/3961557.stm (BBC) Attack prompts Bush website block
www.GeorgeWBush.com The official re-election site of President George W Bush is blocking visits from overseas users for "security reasons".
From Netcraft: "A campaign spokesman acknowledged that the official site of the Bush-Cheney campaign has been rejecting requests from outside North America since Monday morning 25 Oct. "The measure was taken for security reasons," campaign spokesman Scott Stanzel told news services, but did not elaborate on that statement. Surprisingly, none of the coverage that we have seen to date has considered the possibility that it might be a well executed scheme aimed at increasing international awareness of the site.
For a few days, hackers could point out workarounds such as https://georgewbush.com/ and http://georgewbush.com./ and http://22.214.171.124/ but later on someone in the Bush campaign copped on and blocked the other routes to the site.
You can still browse the site text-only using the lynx viewer http://tinyurl.com/4u6q8
Homepage Usability by Jakob Nielsen & Marie Tahir. All about making that first impression. Is your tag line effective? Can visitors find your search box? How difficult is navigation? This book contains fifty critically analysed websites, good and not so good. The lessons are summarised in 113 guidelines.
Copyright 2004 Systems Modelling Limited,
Reproduction allowed provided the newsletter is copied in its entirety and with
this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://groups.yahoo.com/group/EuroIS/