PraxIS September 2005

05-09 Contents: Katrina lessons, Security, Testing, Spammer slammed, Spreadsheet training, Auctions

ISSN 1649-2374 This issue online at   [Previous] [Index] [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Lessons from Hurricane Katrina
     Global Security Week & Security Awareness
2) Software Testing
     James Whittaker talks to SoftTest Ireland on Breaking Software Security
     Cracking good books
3) Mobile Spammer fined
     Fined for deceptive calls    
4) Spreadsheets
     Audit Course
     Book Launch    
5) Off Topic
     Auction sites and academic studies
9 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

A sobering lesson this month for those charged with preparedness.

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  Risk and Security

Katrina survival

Planning, preparation, and deployment. If ever the basics of risk management needed restating, it's now. All the survivalist fantasies of Y2K came true for New Orleans last week - no power, clean water, food, sanitation, or security.

What does the disaster say about community organisation? From three thousand miles away, it looks like there was no spontaneous community self-defence in New Orleans. Perhaps the reports of gun-toting gangs and pirates were sensationalised by the media, but the returning tourists tell a story of a very frightening environment. The men of the 'internationals' gathered in a defensive circle around the women. Of course, there must have been many church communities and generous people offering housing around the area, and we've heard of people taking in evacuees. Still, the impression I get is of a demoralised, dependent, poverty-stricken underclass, easy prey to organised crime. I'm not talking about disorganised looting for food and water, which I would probably do if I was in that position, but hijacking, theft of support supplies, and so on.

The lessons are becoming fairly clear now: the immediate need for communications facilities to direct aid; the need for water and sanitation to prevent what was intended as an overnight refuge becoming a hellhole; and self-defence. Nothing too fancy. They had notice, they knew the storm was coming. The strengthening of the flood defences had been cut back, ironically in the name of homeland security.

I scavenge, you find, he loots  

Aid to America

It has been said that donating aid to America is like taking up a collection for Bill Gates. The strict economics, however, overlook the human element. It's unnatural to suppress the instinct to help others in distress. We all have specific gifts that are useful in a short, concentrated burst of aid until the US administration gets organised. Local organisation is still needed anyway to prevent well-meaning foreigners, who may not understand the local patois, getting in the way. Many countries have experience of disaster relief - didn't Cuba offer doctors? In Ireland we produce rehydration sachets that provide an essential salt+sugar addition to water. Even from a purely selfish point of view, we should do it in order to learn how to prepare for a disaster that may strike us some day. Remember, preparation and planning?

Global Security Week is this week, September 5 to 11. Gary Hinson says "Global Security Week is deliberately designed to be a broadly-scoped event but with a long-term aim to become the main focus for security awareness activities in years to come. What each organization does to support the event is entirely up to them." U.S. National Security Awareness Day is on September 9th.


2) Software Testing

How to break Software Security

That's the title of a talk by James Whittaker at the Software Testing Interest Group half day event on Thu Sep 22 2005. 09:-13:00, Holiday Inn, Pearse St, Dublin 2. More details: 

Outline: "This talk is a journey through the arcane discipline of security testing. We begin by comparing security vulnerabilities to traditional functional defects and showing how a different kind of thinking must be mastered in order to gain skill as a security tester. Then James summarizes a set of 19 techniques for exposing security flaws in software. You'll learn where to look for security bugs, how to recognize them when they occur, and how to guide your developers through a fix. Caution
advised: real software vulnerabilities are demonstrated in this talk. If the sight of software dying a bloody death gives you the
creeps, then you may not want to attend!"
James A. Whittaker is a professor of computer science at the Florida Institute of Technology. His research interests are software testing, software security, software vulnerability testing and anti cyber warfare technology. He is the author of How to Break Software, How to Break Software Security (with Hugh Thompson).

The second talk at that event is "Virtual Software Testing Teams: Overcoming the Obstacles". This presentation will provide
an overview of the research, carried out in the establishment, and operation of virtual software testing teams undertaken by an Irish based multinational and a division in the Far East. The speaker Valentine Casey holds a research position within the Irish Software Engineering Research Consortium (ISERC) in the area of Global Software Development (GSD) for small to medium sized enterprises.

Cracking good books to Break Software Security How to Break Software Security James Whittaker, Herbert Thompson. This describes the general problem of software security in a practical perspective from a software tester's point of view. It then defines very prescriptive techniques (attacks that testers can use on their own software) that are designed to ferret out security vulnerabilities in software applications. Accompanying the book is a CD-ROM containing Holodeck, which tests for security vulnerabilities. There are also a number of bug-finding tools, freeware, and an easy-to-use port scanner included on the CD-ROM. to Break Software How to Break Software: A Practical Guide to Testing James A. Whittaker. It takes a very applied and non-rigid approach to teaching how to test software for common bugs. Instead of relying on a rigid plan, it should be intelligence, insight, experience and a nose for where the bugs are hiding that guide testers. This book helps testers develop this insight. Computer and Network Security   This is a new book by Ray Panko, not due until September 30, 2005, which includes Whittaker's in a multipack. Corporate Computer and Network Security (Pie): AND How to Break Software Security Raymond R. Panko, James Whittaker to Break Web Software  This is even newer - due Dec 31, 2005. How to Break Web Software: Functional and Security Testing of Web Applications and Web Services James Whittaker, Mike Andrews

Of course, testers don't "break" software - they merely show where it is already broken.


3) Mobile Spammer fined  "Company fined as Ireland's first spam case concludes" Gordon Smith reporting.  These psychics didn't see this coming! The 4ís a Fortune service, which was operated by Tom Higgins, founder of Irish Psychics Live, was found to have sent unsolicited messages to members of the public in March 2004. Since November 2003 under SI 535 of 2003 [European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003] the sending of unsolicited commercial mail from Ireland has in some instances been an offence. The company was fined Ä300 for each of four complaints from mobile phone users, plus costs of Ä1,000. According to Sean Sweeney, a spokesman for the Data Protection Commissioner, Judge Anne Watkin had expressed surprise that the legislation didnít allow a custodial sentence.


4) Spreadsheets

One day training course in how to audit spreadsheets If you'd like this course run in-company, let me know.  The Excel User Conference is on Sep 16-17.

Spreadsheet Check and Control - book launch On Sep 26, we launch my new book at the Mespil Bar in the Burlington Hotel, Dublin, from 6 to 7:30 pm. More information on the book is at including several complimentary reviews.

ScanXLS: create an inventory of your spreadsheets  This ready-to-use spreadsheet scans any given directory and below and obtains a list of all the .XLS files. It reports on file properties, attributes, the presence of unusual features or settings that may represent a risk or are prone to human error, Excel's error checking summaries, a list of other workbooks that it depends on through links, and a scoring on how 'problematic' it might be. SCANXLS can also compare two workbooks to check whether their formulas and/or values are identical. For those of you who already have it, I welcome suggestions for enhancements.



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

Auction Studies

Ebay has launched its service in Ireland, at I have not used online auctions since first learning a lesson about auction tricks on the UK service. Neither do I feel inclined to sell our junk on it. But it is certainly popular as the online equivalent of the car boot sale, and it attracts academic study such as this: The Signal Effect of Buy-now Price in Internet Auctions. "We argue that when it is difficult for bidders to assess the value of an item [...] auctioneers can use a buy-now price to signal the value of an item, even though bidders may not utilize this option." 


Copyright 2005 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website