PraxIS October 2005

05-10 Contents: break software, CRS loop, PPARS, ICS, controlling spreadsheets, Gainer's Excel blog

ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0510.htm

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  

IN THIS ISSUE

1) Risk & Security
   How to break software security
   Mail loop
2) IT quality
    pPARs for the course in IT project oversight
3) Irish Computer Society
     Events for October
4) Spreadsheets
     Spreadsheet Check and Control - book launched
     David Gainer's blog on the new Excel 12
5) Off Topic
     Hippo, birdie, two ewes
14 Web links in this newsletter
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information

_______________________________________________________

Welcome to PraxIS

My new book is launched and is now on sale! What are you waiting for, visit http://sysmod.buy.ie

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

How to break software security

SoftTest Ireland on 22 September heard James Whittaker on security and Val Casey on managing outsourcing. James' presentation (4.5MB .PPT) on 'How to break software security' can be downloaded from http://www.SoftTest.ie. Some highlights are: 

Functional testing: verify that the app does what it is supposed to do. Security testing: verify that the app does not do what it is not supposed to do
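The distinction above is easiest to see in code. The following is an added example, not from James' presentation or the book: a small parser for a constructed binary record format (2-byte name length, the name, 4-byte balance), with one functional test that checks it does what it should and a security test that feeds it inputs it must refuse (a length field larger than the data, a name longer than the fixed buffer, bytes smuggled after the record). The format, the 64-byte buffer limit and the sample records are all assumptions made for the example.

```python
import struct

NAME_BUF = 64  # the fixed name buffer this (constructed) record format allows


def parse_record(buf: bytes) -> dict:
    """Parse a record: 2-byte big-endian name length, the name, 4-byte signed balance.

    Every length claim in the input is checked against what is actually present
    before any byte is read on the strength of it.
    """
    if len(buf) < 2:
        raise ValueError("truncated: no length field")
    (name_len,) = struct.unpack_from(">H", buf, 0)
    if name_len > NAME_BUF:
        raise ValueError(f"name length {name_len} exceeds buffer of {NAME_BUF}")
    end = 2 + name_len + 4
    if len(buf) < end:
        raise ValueError("truncated: declared name length runs past the input")
    if len(buf) > end:
        raise ValueError("trailing bytes after record")
    name = buf[2:2 + name_len].decode("ascii")  # non-ASCII raises UnicodeDecodeError
    (balance,) = struct.unpack_from(">i", buf, 2 + name_len)
    return {"name": name, "balance_cents": balance}


# Constructed valid record: name "alice", balance 1234 cents.
GOOD = struct.pack(">H", 5) + b"alice" + struct.pack(">i", 1234)


def functional_test() -> bool:
    """Does the parser do what it is supposed to do?"""
    return parse_record(GOOD) == {"name": "alice", "balance_cents": 1234}


def security_test() -> dict:
    """Does the parser refuse to do what it is not supposed to do?

    Each hostile input must be rejected. A parser that trusted the length
    field would read past the buffer or silently accept smuggled bytes.
    """
    hostile = {
        "empty input": b"",
        "length field larger than the data": struct.pack(">H", 500) + b"abc",
        "name longer than the fixed buffer": struct.pack(">H", 65) + b"a" * 65 + struct.pack(">i", 0),
        "bytes smuggled after the record": GOOD + b"\x00",
        "non-ASCII name": struct.pack(">H", 2) + b"\xff\xfe" + struct.pack(">i", 0),
    }
    verdicts = {}
    for label, data in hostile.items():
        try:
            parse_record(data)
            verdicts[label] = "ACCEPTED"  # a security bug: the app did what it should not
        except (ValueError, UnicodeDecodeError):
            verdicts[label] = "rejected"
    return verdicts


if __name__ == "__main__":
    print("functional:", "pass" if functional_test() else "FAIL")
    for label, verdict in security_test().items():
        print(f"security: {label}: {verdict}")
```

The functional test would pass against a parser that reads `name_len` bytes without checking, which is exactly why it cannot stand alone: only the second set of tests shows whether the parser does the things it is not supposed to do.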

James showed a bug in Macromedia Flash, a way to work around the IE content advisor, a buffer overflow example, and an Excel hang/crash. In summary:

http://sysmod.com/az.php?a=0321194330&b=How_to_Break_Software_Security 'How to Break Software Security' by James Whittaker and Herbert Thompson. This describes the general problem of software security in a practical perspective from a software tester's point of view. It then defines very prescriptive techniques (attacks that testers can use on their own software) that are designed to ferret out security vulnerabilities in software applications. Accompanying the book is a CD-ROM containing Holodeck, which tests for security vulnerabilities. There are also a number of bug-finding tools, freeware, and an easy-to-use port scanner included on the CD-ROM.

Mail loop

I had to quickly unsubscribe from the isaca it-governance list (hosted at sparklist) recently. A member had set up one of these email challenge-response systems in the naive belief that it would protect them from spam. On receiving a list message, it automatically replied *to the list* that we should click on a link to validate that we were real senders. The listserv did not recognise this as an automated response (maybe the message was missing the usual flag like X-Loop:) and distributed it. On receiving *this* list message, the autoresponder, apparently incapable of recognising its own spew, replied again in the same way. And again. And again. I might check back sometime on the list archive to see what people said to that unfortunate person.
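An autoresponder that stops this loop has to do two things: recognise list and automated traffic before replying, and mark its own replies so it (and other responders) can recognise them. The following is an added example, not code from the list or the responder in question: it uses Python's standard email module, the header conventions of RFC 3834 (Auto-Submitted, Precedence) and the List-* headers of RFC 2919/2369, plus the X-Loop marker the text mentions. The X-Loop tag value, the two sample messages and the address names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Marker this hypothetical responder stamps on every message it sends
# (constructed value; the page only mentions X-Loop: as "the usual flag").
OUR_LOOP_TAG = "challenge-responder@example.invalid"


def should_challenge(raw: bytes) -> tuple:
    """Decide whether a challenge may be sent in reply to the message in `raw`.

    Returns (ok, reason). Each refusal covers a case the responder in the
    text got wrong: it replied to list traffic and then to its own replies.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Empty envelope sender means a bounce or other notification: never answer.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null Return-Path"
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "list", "junk"):
        return False, "Precedence: " + prec
    for h in ("List-Id", "List-Post", "List-Unsubscribe"):
        if msg.get(h):
            return False, "mailing-list header " + h
    # The check the responder in the text lacked: recognise its own output.
    if any(t.strip().lower() == OUR_LOOP_TAG for t in msg.get_all("X-Loop", [])):
        return False, "our own X-Loop tag present"
    return True, "looks like a personal message"


def build_challenge(original_raw: bytes) -> EmailMessage:
    """Compose the challenge so that we (and other responders) can recognise it."""
    orig = email.message_from_bytes(original_raw, policy=policy.default)
    reply = EmailMessage()
    # Address the envelope sender, not Reply-To, which on list mail points at the list.
    sender = (orig.get("Return-Path") or "").strip().strip("<>") or str(orig.get("From", ""))
    reply["From"] = OUR_LOOP_TAG
    reply["To"] = sender
    reply["Subject"] = "Re: " + str(orig.get("Subject") or "")
    if orig.get("Message-ID"):
        reply["In-Reply-To"] = str(orig["Message-ID"])
    reply["Auto-Submitted"] = "auto-replied"  # RFC 3834: never answer this automatically
    reply["Precedence"] = "junk"
    reply["X-Loop"] = OUR_LOOP_TAG
    reply.set_content("Please confirm you are a real sender (constructed text).")
    return reply


# Constructed samples: a list-distributed post and a direct personal message.
LIST_POST = (
    b"Return-Path: <owner-governance@lists.example.invalid>\n"
    b"From: Member <member@example.invalid>\n"
    b"To: governance@lists.example.invalid\n"
    b"Reply-To: governance@lists.example.invalid\n"
    b"List-Id: <governance.lists.example.invalid>\n"
    b"Precedence: list\n"
    b"Message-ID: <post-1@example.invalid>\n"
    b"Subject: [governance] audit question\n"
    b"\n"
    b"Does anyone have a checklist?\n"
)
PERSONAL = (
    b"Return-Path: <alice@example.invalid>\n"
    b"From: Alice <alice@example.invalid>\n"
    b"To: bob@example.invalid\n"
    b"Message-ID: <note-1@example.invalid>\n"
    b"Subject: lunch?\n"
    b"\n"
    b"Free at one?\n"
)

if __name__ == "__main__":
    print("list post:", should_challenge(LIST_POST))
    print("personal:", should_challenge(PERSONAL))
    # The responder's own challenge, if a list ever redistributed it, is refused.
    print("own reply:", should_challenge(build_challenge(PERSONAL).as_bytes()))
```

Note the last check in the usage: even if a list server fails to recognise the challenge as automated and sends it back to the responder, the responder's own X-Loop tag stops the second round, which is the round that went on "again and again" in the incident described.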

____________________________________________________________
____________________________________________________________   

2) IT Quality

pPARs for the course in IT project oversight

http://www.ireland.com/newspaper/front/2005/1006/2636179300HM1COMPUTERS.html (Irish Times)

The Health Service Executive (HSE) in Ireland has suspended work on two large computer projects that cost €200 million.

FISP, the Financial Information Systems Project, has already cost €30 million. The PPARs payroll and staff records system cost €165 million. St James Hospital chief executive John O'Brien said there were "monumental concerns" about how the project was being operated and managed, and said PPARs threatened the fundamental operation of the hospital, and they were finding it difficult to assure external auditors of the integrity of the system.

FISP is based on the same computer and management system as PPARs and involves the same consultants, Deloitte. It is reported Deloitte has been paid €50m in consulting fees so far. An undisclosed proportion of the project cost is believed to have gone to SAP in software licence fees.

In June the Department of Finance said in a memo: "We could not determine from the meeting what the nature of the value added being provided by Deloitte was. It seemed to us that this support is mainly focused on implementation and configuration issues rather than planning and shaping significant organisational change. The very large amount of funding devoted to Deloitte services would indicate that their focus has to be at the detail level rather than at the level of planning and achieving value from organisation change. If their focus is at the detail level, the average day-rate is inappropriate."

In a debate on public money waste in the Dáil, the Minister for Health said too many consultants were being employed on State projects. In my opinion, not enough REAL consultants are employed. What has been talked about are coders, churning out software under direction. (As an aside, the word 'consultant' has unfortunately been debased; nowadays a shop assistant is called a 'sales consultant'. I believe that it is time for the consulting industry in Ireland to speak out about standards in the profession.) In fact, breaking news in the Irish Times now reveals that IBM reported 'fundamental problems' in a review in 2004. So is this just another example of mismanagement? It may be another example of a gung-ho approach that pushes ahead, that believes one has to set 'ambitious targets', to 'stretch people', and to avoid 'analysis paralysis'. What in fact such approaches produce is a hastily built house on shifting sands. The old adage of 'measure twice and cut once' avoids waste; it also assumes the object does not change between the measuring and the cutting. Undertaking a project in a changing environment requires very careful risk analysis and focused implementation.

The Politics.ie forum was discussing this topic last August, quoting a leaked memo in the Medical Times:
http://www.politics.ie/forum/viewtopic.php?t=7256

A recent thread includes posts from a person who claims to have worked on the system, and defends its complexity to a somewhat disbelieving audience. Some believe it was a technological tool to anticipate or even force organisational change.
http://www.politics.ie/forum/viewtopic.php?t=8188

http://www.examiner.ie/pport/web/ireland/Full_Story/did-sgpf-9S3NaX2Y.asp (Irish Examiner)

A report in February 2002 by Hay Management Consultants was the first to radically revise the costs associated with PPARS. It said "Savings based on even slightly improved levels of absenteeism, retention and productivity alone will run into tens of million euro in the short to medium term." According to Hay, the original estimate of €8.8m was no longer appropriate. "Clearly, these time and cost estimates were too ambitious given the significant restructuring of the contract and the scale of the implementation effort... The simple but inspiring vision of one entry per employee generating a suite of information assumed a level of standardisation within and between agencies which did not in fact exist." As events have transpired, the lack of standardisation in contracts and work arrangements across the former 11 health boards and the country's hospitals has been one of the main reasons for the huge difficulties that have beset the process.

The Minister for Health Ms Harney is reported as saying that "No computer system could possibly deal with the complexity and the irrationality of what was happening on the ground", with thousands of different rosters and employment conditions for staff.  So, one asks, when was that known? Whatever happened to old-fashioned systems analysis, specification, and feasibility studies? Were people just thrown at a project and told to get on with it and not ask questions?

http://www.ino.ie/DesktopModules/Articles/ArticlesView.aspx?TabID=6129&ItemID=5243&mid=8026
The Irish Nurses Organisation said "Our efforts to highlight the difficulties were met with denial, arrogance and dismissal. Nurse managers who questioned the validity or appropriateness of some of the procedures used under PPARS were vilified, threatened and bullied. Senior managers and even the Minister for Health questioning the system were rubbished by the promoters of it and it appeared to be an unstoppable, out of control project which took precedence over all other issues including patient care."

When someone resorts to such abusive tactics, you can be sure there is something they don't want looked into.

http://www.irishdev.com/NewsArticle.aspx?id=1135 (Irish Developer)

The leader of the opposition, Mr Enda Kenny, said "I have been inundated with complaints from staff within the health services about the problem with PPARS. These include cases such as:  the Midland Health Board carried out a test on a sample number of employee payslips to test the systems accuracy; 43% of the sample had one or more errors on their payslip." In one notorious incident, a health service employee was overpaid by €1m as part of an electronic funds transfer error. And of course we don't know about the overpayments that were not reported.

Health sector salaries and wages account for €7bn or 70pc of the annual spend on health. The UK Government is no stranger to IT failures: last year a failed IT upgrade paralysed the UK's Department for Work and Pensions, causing 80,000 civil servants to resort to writing out giro cheques to some 800,000 pensioners. Let's see: if we had to hire accounting technicians to process payments manually for the 120,000 workers, and assume each bookkeeper could handle 120 employees, we'd need 1,000 of them to handle the load. At, say, 30,000 euro per year each, that's 30 million a year; we could buy six years of such a service.

The hapless Communications Minister Noel Dempsey said the amount of misspent money was small when compared to the overall budget. "When you are talking in terms of massive and unprecedented growth, created by this Government, in a €41bn budget, the level of expenditure of misspent money is relatively very, very small," he said in an RTE interview. What an excuse to give. We could have had a fully fitted hospital for that money. Mind you, even if we had, there would be no guarantee we would have the staff to run it; other new facilities are lying idle.

http://www.siliconrepublic.com/news/news.nv?storyid=single5481 (Silicon Republic)

Dr Joe McDonagh, a senior lecturer in business studies at Trinity College Dublin, whose work focuses on leading large-scale change in complex organisations, particularly change enabled by modern ICT systems, told siliconrepublic.com that IT disasters, such as the PPARS rollout, also occur frequently in the private sector.  He warned that a lack of understanding of organisational change and a tendency by government and businesses to invest in so-called change management systems is contributing to the ever rising spate of IT blunders. He added “The €150m lost on the health system — you don’t have to look far in this country to see figures higher than that being lost in failed projects in large financial services firms.”

http://www.unison.ie/irish_independent/stories.php3?ca=9&si=1482038&issue_id=13092

It's a €40,000 party for the €150m flop (Irish Independent). Mr Kenny said: "Last Christmas a major social bash was held in Sligo costing in excess of €40,000 to celebrate the ongoing progress of this scheme."

____________________________________________________________
____________________________________________________________

3) Irish Computer Society

http://www.ics.ie The Irish Computer Society has been sponsoring some interesting events recently:

On October 4th the ICS launched the IT Architects Network, a special interest group for IT Architects and those with IT Architecture responsibilities. It featured talks on the Microsoft Certified Architect Program by Bill O'Brien of Microsoft Ireland, and on TOGAF IT Architect Certification Program by James de Raeve, the Open Group.

The second IQ Network Forum will take place on Thursday, 13th October, in the Helix at Dublin City University. This half-day conference is a valuable opportunity to learn best practice in Information Quality Management from experts in the field. http://www.computing.dcu.ie/research/dataquality/iqireland/registration.php

____________________________________________________________
____________________________________________________________

4) Spreadsheets

Book: Spreadsheet Check and Control

I'm pleased to say that my latest book has been getting some good reviews and press coverage.

http://www.irishdev.com/NewsArticle.aspx?id=1100 Spreadsheets have errors like dogs have fleas

Pat Cleary of the University of Wales Institute, Cardiff, the programme chair of Eusprig, spoke at the book launch in the Burlington Hotel in Dublin on September 26. Thanks to all who turned out!

The book can now be purchased online from http://sysmod.buy.ie

I plan to run a one day spreadsheet auditing course, based partly on the book, in Dublin next month - contact me to be informed of the date and venue, or check http://www.sysmod.com/blog

David Gainer's blog on the new Excel 12

http://blogs.msdn.com/excel/default.aspx  David is the Microsoft Excel product manager. He describes the new features here such as colour scales. Here is a list of all of the major changes MS made to Excel 12 in the area of limits. Imagine the monsters that can be produced now ... try to audit a 1-million row spreadsheet with formulas up to 8096 characters long containing up to 64 levels of function nesting!

Number of columns: was 256, now 16,384
Number of rows: was 64k, now 1m
Number of unique colours allowed in a single workbook: was 56 (indexed colour), now 4.3 billion (32-bit colour)
Number of conditional format conditions on a cell: was 3, now limited only by available memory
Number of levels of sorting on a range or table: was 3, now 64
Total number of characters that can display in a cell: was 1k, now 32k
Maximum length of formulas: was 1k, now 8k characters
Number of levels of nesting that Excel allows in formulas: was 7, now 64
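An auditor facing those larger limits wants to find the monsters before reading them. The following is an added example of my own, not from David's blog or from Microsoft: a small scanner that measures an Excel formula's length and its depth of function nesting (parentheses inside string literals are ignored, and a doubled quote inside a string is treated as an escaped quote), and flags formulas that exceed a chosen threshold. The threshold sets use the "was" and "now" figures from the list above; the sample formulas are constructed, and the function names and the way nesting is counted (only parentheses that follow a function name count as a nesting level) are my assumptions for the example.

```python
# Thresholds taken from the list above; a house style may choose stricter ones.
OLD_LIMITS = {"length": 1024, "max_function_nesting": 7}
NEW_LIMITS = {"length": 8096, "max_function_nesting": 64}


def formula_stats(formula: str) -> dict:
    """Measure an Excel formula's length, number of function calls and
    maximum depth of function nesting.

    Grouping parentheses such as =(A1+B1)*2 open no nesting level; only a
    '(' that directly follows a name (a function call) does. Text inside
    double-quoted string literals is skipped, with "" as the escaped quote.
    """
    text = formula[1:] if formula.startswith("=") else formula
    stack = []  # one entry per open '(': True if it opened a function call
    func_depth = max_func_depth = calls = 0
    in_str = False
    i = 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == '"':
                if text[i + 1:i + 2] == '"':  # doubled quote inside a string
                    i += 2
                    continue
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            j = i - 1
            while j >= 0 and (text[j].isalnum() or text[j] in "._"):
                j -= 1
            is_call = j < i - 1  # a name immediately precedes the '('
            stack.append(is_call)
            if is_call:
                calls += 1
                func_depth += 1
                max_func_depth = max(max_func_depth, func_depth)
        elif c == ")":
            if not stack:
                raise ValueError("unbalanced ')' in formula")
            if stack.pop():
                func_depth -= 1
        i += 1
    if in_str or stack:
        raise ValueError("unterminated string or unbalanced '(' in formula")
    return {
        "length": len(formula),
        "function_calls": calls,
        "max_function_nesting": max_func_depth,
    }


def audit_flags(formula: str, limits: dict = OLD_LIMITS) -> list:
    """Name each measure of `formula` that exceeds the given limits."""
    stats = formula_stats(formula)
    return [f"{k} {stats[k]} exceeds {v}" for k, v in limits.items() if stats[k] > v]


if __name__ == "__main__":
    # Constructed formulas: a modest one, and one nested eight IFs deep.
    samples = [
        '=IF(A1>0,SUM(B1:B10),"n/a (none)")',
        "=" + "IF(A1," * 8 + "1" + ",0)" * 8,
    ]
    for f in samples:
        print(formula_stats(f), audit_flags(f) or "ok under old limits")
```

Run over every formula in a workbook (pulled out with whatever tool you use to extract cell contents), this gives a quick list of the formulas that would not even have fitted in the previous version and so deserve a reviewer's attention first.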
_______________________________________________________
_______________________________________________________

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

The Excel-L list is normally for serious techie discussion of Excel VBA and array functions. On Fridays, however, the tone drops considerably, with broad humour a speciality. See http://peach.ease.lsoft.com/archives/excel-l.html and http://peach.ease.lsoft.com/archives/excel-g.html which is the Excel General list.

I can't reproduce the more outrageous ones. By contrast, here was a little ditty posted when a list member named Bill announced it was his birthday:

Hippo, birdies, two ewes,
Hippo, birdies, two ewes,
Hippo, birdies, deer,
Bill,
Hippo, birdies, two ewes.

It reads like the text of a Gary Larson 'Far Side' cartoon. In fact, Sandra Boynton designed a birthday card on that theme back in 1975:
http://www.sandraboynton.com/sboynton/Boyntonography.html
http://dragonfire1.50megs.com/Boynton/mugs13.htm

_______________________________________________________
_______________________________________________________

Copyright 2005 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS/
_______________________________________________________