0306 contents: Viruses, Security, '419' scams punished, Euro notes RFID, Spreadsheet testing and auditing, James Bach Exploratory Testing Report
This issue online at http://www.sysmod.com/praxis/prax0306.htm
Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success
1) Internet and risk management
Viruses
Security
'419' scams punished
10 Risk Management tips for professionals
2) Euro notes
Extra security RFID speculation
3) Spreadsheet testing and auditing
4) James Bach course on "Exploratory Testing" - report
14 Web links in this newsletter
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information
_______________________________________________________
I'm always ready for your comments! Thanks for reading,
Patrick O'Beirne
_______________________________________________________
1) Internet and risk management
_______________________________________________________
The wave of virus attacks continues, with variations on W32/Bugbear, W32/Palyh
(the support [at] microsoft.com fake) and SoBig appearing daily. Fortunately my
anti-virus scanner has caught them all. But the fact that I get them from so
many sources indicates how careless many people are about protecting their data.
_______________________________________________________
http://www.silicon.com/news/500009-500001/1/4118.html?nl=d20030513
Banks suffer increased hack attacks
Hack attacks are becoming increasingly sophisticated, with over a third of
banks and financial services companies reporting a security breach in the last
year, according to a new survey.
Of the 39 per cent who admitted their systems had been compromised, 16 per cent
were due to external attacks, 10 per cent internal breaches and 13 per cent
both, according to the 2003 Global Security Survey of worldwide financial
services institutions by consultant Deloitte Touche Tohmatsu (DTT).
_______________________________________________________
http://www.europemedia.net/shownews.asp?ArticleID=16359
West African e-mail-fraud suspects in court
A Dutch court in Amsterdam heard how a gang of six alleged West African
swindlers sent people around the world thousands of fraudulent e-mails
containing luring stories of lottery wins, and promises of huge sums of money to
be made. Victims - at least 23 of them - included a Russian who lost $3000, and
a Swiss citizen who paid the gang $482,000 for a 25 per cent stake in a $36m
scam. Police confiscated a large number of computers, telephones, fax machines
and documents found on the premises from where the suspects operated.
Well, that's good news at last. In Africa there is growing anxiety about the
damage to reputation from these activities, and there is a "Balancing Act -
Africa" report at:
http://www.balancingact-africa.com/news/back/balancing-act_158.html
There is more about these kinds of scams at
www.fraudaid.com and
http://www.africanscam.co.uk/ which reports some entertaining
engagements by teasers with these scammers. A somewhat scarily entertaining
report, with photos, of the leading on of "Mupesa Solomon" is here:
http://www.craigmcateer.pwp.blueyonder.co.uk/mupesa.htm
_______________________________________________________
http://www.smartpros.com/x38254.xml
Accountants Can Avoid Malpractice Trouble: 10 Risk Management Tips
(In fact, these apply to almost any professional or consulting business)
1. Bad client selection.
2. No engagement letter.
3. Embezzlement within client's office.
4. Technical standards violations.
5. Real or perceived conflict of interest.
6. Client expectations are different than the work performed.
7. Services provided are beyond the expertise of the accountant.
8. Advising more than one party to a transaction without significant disclosures
and waivers.
9. Lack of internal procedures within the accountant's office.
10. Lack of disclaimers in prepared financial statements.
____________________________________________________________
2) Euro notes
____________________________________________________________
http://www.silicon.com/news/500018-500001/1/4316.html?nl=d20030527
Euro notes to get RFID tags from Hitachi?
Radio Frequency Identification (RFID) tags the size of a grain of sand could be
embedded in the euro note if a reported deal between the European Central Bank (ECB)
and Japanese electronics maker Hitachi is signed. Japanese news agency Kyodo was
reportedly told by Hitachi that the ECB has started talks with the company about
the use of its radio chip in the banknote. The ECB is deeply concerned about
counterfeiting and money laundering and is said to be looking at radio-tag
technology.
____________________________________________________________
3) Spreadsheet testing and auditing
____________________________________________________________
I have been checking some fairly complex spreadsheets in the last month or so and am glad to have tools like SpACE, ExChecker, and Spreadsheet Detective to help me. Ask me for more details.
The programme for the July 24/25 European Spreadsheet Risks Interest Group conference in Dublin has been announced. You can find it on www.eusprig.org and here are the highlights:
Paper: ‘Research Strategy & Scoping Survey on Spreadsheet Practices’ T. Grossman, O. Ozluk
Management Summary: ‘Correctness Is Not Enough’ Louise Pryor
Paper: ‘The Wall and The Ball’ Richard Irons
Paper: ‘Reducing Overconfidence in Spreadsheet Development’ Ray Panko
Invited Speaker: ‘Spreadsheet Risks in UK Financial Services’ Dean Buckner, Financial Services Authority, London
Management Summary: Barry Pettifor, PwC
Management Summary: ‘A CobIT Approach To Quality’ David Chadwick
Management Summary: Paula Jennings
Paper: ‘Spreadsheet Debugging’ Yirsaw Ayalew
Paper: ‘Audit and Change Analysis of Spreadsheets’ John Nash
Quality Engineering: Demos and Products; Code Tracer: M. Siersted; Atebion: B. Phillips.
Research Initiatives at UWIC
Panel: Quality Engineering: is it necessary, is it wanted, what does it mean?
_______________________________________________________
4) James Bach course on "Exploratory Testing" - report
_______________________________________________________
James Bach ( http://www.satisfice.com ) is the author (with Kaner and
Pettichord) of Lessons Learned in Software Testing: A Context-Driven Approach.
I went to his course in Edinburgh, efficiently organised by Newell & Budge.
Solid material, full-flow presentation
I was impressed by his presentation flow. Although we took a break every hour
(the “academic hour” principle) we seemed to flag before he did! He was
immediately able to present anecdotes and arguments to back up his answers to
any question asked. He began with some exercises related to thinking and
knowledge, including our observing magic tricks, and then went on to sessions on
software testing. I won’t repeat the course outline here; you can obtain it by
request from www.NewellAndBudge.com .
In fact, you can download extracts from JB’s presentations as well as those of
other well-known testing experts from
http://www.testingeducation.org/coursenotes/ and
http://www.testingeducation.org/conference/wtst_page.php
Heuristics
This is JB’s favourite word. It refers to rules of thumb; fallible rules, like
proverbs, which capture common patterns of experience but must be applied with
discretion. The course exercises include a simple program in which, although it
is unchanged since 1996, successive course attendees have found more and more
bugs. Later exercises on commercial products were far more challenging, which
drove home to me the point about needing preparation for time-limited testing
(see my driving analogy below).
Context driven testing
At one point I got irritated at what I thought was a logic-chopping argument.
It turned out that JB was offering counter-examples in order to make
a point about context: that assumptions that are valid in one context are not in
another. “Good practices” in one context produce poor results in another. He
offered another exercise where he put up one of his heuristics and invited us to
argue against it. We came up with a number of counter-arguments that he already
had on a list from previous courses.
As attendees were mainly working within companies where they are very well aware
of their context, I wonder how much value there is in considering different contexts.
It’s a strain for a corporate tester to think like a consultant (like JB) who
has to switch context every week and needs very widely-scoped checklists. But
it’s nonetheless useful as an exercise as sometimes habits become embedded as
assumptions, and it only takes raising the question for a change to happen. For
example, many developers carefully comment out debugging code and testing
harness before creating a product for testing; but having such tools can
simplify testing enormously. Simply ask for an automatable feature like a
command-line interface; it might be there!
I found his checklists useful and immediately applied one to my next testing
project!
How to star on the course
Actually, this is also how to star in testing generally. JB’s course materials
contain a handout on creating a test strategy model. Put a yellow sticky label
on that when he first draws your attention to it. That evening, before going to
the pub, revise that section. On the next day’s exercise, refer to it and you’ll
be amazed how quickly you can generate probing questions that will reveal
further details about the product under test.
How to perform well under pressure.
Using a checklist is not instinctive; under the time pressure of an exercise,
one tends to jump in and rely on previous experience to get through. But
consider this analogy. You have to make a journey by car across unfamiliar
territory. From the distance involved, you might expect it to take between one and two
hours. If you have two hours, you might just drive off and rely on road signs to
get there. If you have only one hour, you will stop to carefully check your map
first, listen for traffic reports on the way, and phone ahead to get precise
instructions near the destination. That is all overhead but it is done to
reduce risk and ultimately save time.
Structured Exploratory Testing
JB’s point is that we all do exploratory testing. Under fear of ad-hoc wandering
around aimlessly “testing”, we may think the antidote is to specify fixed tests
and always do them. In fact, JB’s approach is to use a disciplined method
involving checklists, note taking, and structured reporting, with the aim of
finding as many bugs as possible, which is, after all, the most common aim!
Obviously with different aims (e.g. testing for compliance certification) one
uses different approaches, but for most of us, that’s our main interest. JB’s
reply to concerns about auditability is simply to have a balanced approach:
“let no regulation or formalism be an excuse for bad testing”.
Any questions?
If you are wondering why I did not address this or that issue of testing,
remember that I’m just commenting on what is noteworthy in my context. Feel free
to email me and we can continue the theme in future newsletters.
_______________________________________________________
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne, Editor
_______________________________________________________
http://www2.thny.bbc.co.uk/radio4/news/bh/rumsfeld.shtml
The BBC's "Donald Rumsfeld soundbite of the week" archive
http://homepage.tinet.ie/~nobyrne/nonirishjokes.htm
Pages of "groaners" such as light bulb jokes.
_______________________________________________________
Copyright 2003 Systems Modelling Limited,
http://www.sysmod.com .
Reproduction allowed provided the newsletter is copied in its entirety and with
this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received
this newsletter from anybody else, we urge you to sign up for your personal copy
by sending a blank email to
EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the
EuroIS list makes it easy for you to discuss issues raised, to share experiences
with the rest of the group, and to contribute files to a common user community
pool independent of the sysmod.com web site. I will be moderating posts to the
EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen
to reflect our focus on practical solutions to IS problems, avoiding hype. If
you like acronyms, think of it as "Patrick's reports and analysis across
Information Systems".
_______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at
http://www.sysmod.com/praxis.htm
DISCLAIMER
This newsletter is prepared in good faith and the information has been taken
from observation and other sources believed to be reliable. Systems Modelling
Ltd. (SML) does not represent expressly or by implication the accuracy,
truthfulness or reliability of any information provided. It is a condition of
use that users accept that SML has no liability for any errors, inaccuracies or
omissions. The information is not intended to constitute legal or professional
advice. You should consult a professional at Systems Modelling Ltd. directly for
advice that is specifically tailored to your particular circumstances.
Copyright (c) SML 2003
_______________________________________________________
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers
a moderated discussion list for readers and a free shared storage area for
user-contributed files. The archives of this group are on YahooGroups website
http://groups.yahoo.com/group/EuroIS/
_______________________________________________________