News update 2006-01: January 2006
===================
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).
Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to news-subscribe AT louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe AT
louisepryor.com. (Change “ AT ” to “@”). Newsletter archived at
http://www.louisepryor.com/newsArchive.do.
In this issue:
1. Control freakery
2. Doing without
3. Safe documents
4. Reports and surveys
5. Newsletter information
===============
1. Control freakery
I admit it. I’m a control freak. Not necessarily in all aspects of
life, but as far as my computer is concerned, there is no
question. I don’t let anything (Microsoft included) update my
software automatically, and if I change a setup in any way I want
it to stay changed. I don’t like it when my computer tries to be
helpful, by guessing what I want to do. It’s just not that clever,
and certainly isn’t a mind reader, and often guesses wrong.
In July 2004 I discussed how Excel tries to be clever when
importing data by recognising dates and converting them to date
values. It also automatically converts strings that it believes are
floating point numbers. For example, the string “2310009E13” is
converted to the number 2.31E+13. In both cases the original data
is irretrievably lost.
It is possible, although not easy, to avoid these automatic
conversions, but you have to remain vigilant. You can’t turn them
off, but have to take special steps each time you import data. Some
solutions are described by Microsoft in
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q214233
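One way to stay vigilant is to scan a file for at-risk values before it goes anywhere near Excel. The Python check below is an added example, not part of the original newsletter or of Microsoft's guidance; its patterns are heuristic assumptions rather than Excel's actual parsing rules, the sample data is constructed, and it goes beyond the two cases above by also flagging leading zeros and integers of 16 or more digits, which Excel also alters.

```python
import csv
import io
import re

# Heuristic patterns (assumptions, not Excel's complete parsing rules).
MONTHS = r"(jan|feb|mar|apr|may|jun|jul|aug|sep|sept|oct|nov|dec)[a-z]*"
RISK_PATTERNS = [
    ("scientific", re.compile(r"^[+-]?\d+(\.\d+)?e[+-]?\d+$", re.I)),
    ("date", re.compile(r"^\d{1,4}[/-]\d{1,2}([/-]\d{1,4})?$")),
    ("date", re.compile(rf"^({MONTHS}[ -]?\d{{1,4}}|\d{{1,2}}[ -]?{MONTHS})$", re.I)),
    ("leading_zero", re.compile(r"^0\d+$")),
    ("long_integer", re.compile(r"^\d{16,}$")),
]


def classify(value):
    """Return the risk label for one field, or None if it looks safe."""
    text = value.strip()
    for label, pattern in RISK_PATTERNS:
        if pattern.match(text):
            return label
    return None


def scan_csv(text):
    """Return (row, column, value, label) for every field Excel may rewrite."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            label = classify(value or "")
            if label:
                findings.append((row_no, column, value, label))
    return findings


# Constructed sample data, including the string quoted in the text above.
SAMPLE = """policy_id,product_code,rating,age_band,premium
004512,2310009E13,AAA,1-2,1250.50
771203,SEPT2,A,40+,980.00
"""

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

Columns that show up in the findings are the ones to import explicitly as text rather than with the default format.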
The auto-completion feature is another source of problems. When you
type data in, Excel tries to guess what you mean by looking at
other values in the same column. Suppose you are entering credit
ratings and the first one you enter is AAA. If the
next one you enter also starts with an A, Excel will suggest AAA as
an auto-completion. If you hit enter, it thinks you are accepting
the suggestion. So if you are actually trying to enter A, you type
A, enter, and Excel helpfully puts AAA in the cell. This one is
easier to fix: simply turn off auto-completion. On the Tools menu,
click Options, and then click the Edit tab. Once there, select or
clear the “Enable AutoComplete for cell values” check box.
Dean Buckner has just found another example of what might be called
(if you are feeling charitable) over-helpful behaviour. He writes:
    I’ve always tried to discourage our users from MS ‘shortcuts’,
    i.e. little files that can be placed on the desktop and which
    point to applications. The problem is that they sometimes point
    to the wrong thing – we had a case last year of an emailed
    shortcut pointing to a correspondence log which was an old version.
    Thus some people were using a correct version, some were
    updating an old one in parallel. The business of merging the
    two streams was a nightmare.
    Anyway I forbade this practice, and restricted the use of
    shortcuts to those which are centrally maintained and have a
    strict change control. (For they can be useful in that they can
    control the way an application is called, for example with a
    security file).
    Or so I thought. I took our main system down over the break in
    order to do maintenance work. I did this by deleting the main
    production file, and working on a copy, as one would. However,
    someone tried to access it over the break, and it turned out
    that when a shortcut fails, it will “search” around until it
    finds an application that looks similar. In this case it found
    one of the backup files which we save down every week. Once
    this happens, it then changes not only the user’s own desktop
    version of the shortcut, but also the central file itself. I
    only spotted this when, working on the application, I noticed
    some clearly out of date information.
Ouch. As Dean goes on to say, it’s difficult to find out what is
going on and work out how to turn it off (the help system is
decidedly unhelpful on this). The answer is in the following
Microsoft document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;299780&sd=tech
The document says: “If you disable a shortcut, the NTFS File System
in Windows XP and Windows 2000 automatically attempts to locate the
shortcut destination by searching all paths that are associated
with the shortcut.” One of the solutions involves editing the
Registry, which is not for the faint-hearted. Also, if you make
backups or copies of files in a nearby directory, it’s probably
best to change the name so that Windows will not identify the copy
with the original.
===============
2. Doing without
I moved house about 3 weeks ago, and have had problems getting
broadband connected. It’s more accurate to say that I am having
problems, as I haven’t actually succeeded yet (though progress is
being made). Apparently my order “got stuck in the system”. I
suggested WD40, but apparently that wouldn’t work. Anyway, I have
had to fall back on good old dial-up, and the effects have been
much wider than I anticipated. I hadn’t quite realised how much I
had come to rely on the always-on, high bandwidth access. Even when
doing things that I thought were definitely off-line in nature,
I’ve found it frustrating not to be online. There’s a lot of
information out there that I have never bothered to download,
because it’s so readily available on the web… but when you have
to connect explicitly (tying up your phone line) and download over
what now feels like a piece of wet string, the term “readily
available” takes on a whole new meaning.
What’s interesting about this is that it shows how ingrained habits
can become. After all, there are many people in this country (and
elsewhere) who don’t have broadband, and who manage very happily
with dial-up. But in the three and a bit years that I have had
broadband, I appear to have changed my working patterns quite
radically, and it’s proving difficult to revert to the old ones.
One thing I don’t have is a BlackBerry. When travelling, I manage
quite happily with my Palm hooked up to my mobile via
Bluetooth. It’s slightly clunky, but surprisingly effective. There
are, however, large numbers of people who do have BlackBerries, and
who rely on them quite heavily. Are they right to do so? How would
they manage without them?
We know that some people can cope, for short periods at least,
because in October we heard how the BBC had suspended its
BlackBerry service because of email problems. But many more may
have to cope for long periods if not for ever, and there may be
more short outages.
As BlackBerries become more popular and hence more mainstream, they
become more attractive targets to the bad guys. Early in January
there was a news story about security vulnerabilities that provided
loopholes through which hackers could launch denial of service
attacks. No actual problems were reported, but it’s probably only a
matter of time.
Meanwhile, Research In Motion (RIM, the makers of the BlackBerry)
are involved in a US court action over a patent infringement. A US
federal appeals court wanted to use US patent law, which bars
unauthorised use of a patented invention within the US, to block
the BlackBerry service. The Supreme Court refused to consider RIM’s
argument that the law should not be used to block the service,
which is run from Canada. The end result could be a lot of unhappy
US BlackBerry addicts, though they would doubtless soon find usable
alternatives. FT readers certainly think they would, according to
an online poll.
http://news.zdnet.com/2100-1035_22-6029671.html
http://makeashorterlink.com/?P6392309C
This story also emphasises one difficulty caused by the
globalisation of services: just what jurisdiction do they come
under?
===============
3. Safe documents
Last month I mentioned how Westpac had been forced to halt trading
on its shares and deliver its annual profit briefing a day early
after it accidentally sent its results by email to research
analysts. It had sent out a spreadsheet containing the results for
previous years; it also contained the latest results, obscured by
blacking out the relevant cells. The cells may have looked black on
the screen, but it didn’t need advanced technical skills to find
out what they contained.
The US National Security Agency (NSA) has now issued a document
that describes how to issue an electronic document that has no
sensitive information hidden in it.
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
The document is 14 pages long, and covers some of the ways in which
problems can arise, as well as how to avoid them. In brief, the
recommended procedure is:
1. Make a copy of the original document, and work on the copy.
2. Turn off change tracking etc.
3. Delete sensitive text and diagrams.
4. Change the document name to make it clear that it’s an edited
version.
5. Open a new blank document.
6. Copy the contents of the edited document into the new one.
7. Convert the new document to PDF.
The NSA gives detailed instructions for doing all this in a Word
document, but the same principles apply to spreadsheets and other
formats.
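A pre-release check shows why the procedure copies the content into a fresh document instead of editing in place. The Python below is an added example, not taken from the NSA guide or the original newsletter; it assumes the document is saved in the later .docx (Office Open XML) format, and the two sample files are constructed in memory and contain only the part the check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def run_text(element):
    """Concatenate the visible-text nodes (w:t) under an element."""
    return "".join(t.text or "" for t in element.iter(W + "t"))


def audit_docx(data):
    """Return (finding, recovered text) pairs for content a reader would not see."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as docx:
        if "word/comments.xml" in docx.namelist():
            findings.append(("comments part", "word/comments.xml"))
        root = ET.fromstring(docx.read("word/document.xml"))
    for deleted in root.iter(W + "delText"):      # text removed with tracking on
        findings.append(("tracked deletion", deleted.text or ""))
    for inserted in root.iter(W + "ins"):         # revision history still attached
        findings.append(("tracked insertion", run_text(inserted)))
    for run in root.iter(W + "r"):                # runs formatted as hidden
        if run.find(f"{W}rPr/{W}vanish") is not None:
            findings.append(("hidden text", run_text(run)))
    return findings


def build_docx(body_xml):
    """Build a minimal constructed .docx holding only the part audited here."""
    ns = W.strip("{}")
    document = f'<w:document xmlns:w="{ns}"><w:body>{body_xml}</w:body></w:document>'
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as docx:
        docx.writestr("word/document.xml", document)
    return buffer.getvalue()


# Constructed samples: the same paragraph edited in place vs. copied into a new file.
EDITED_IN_PLACE = build_docx(
    "<w:p><w:r><w:t>Profit: </w:t></w:r>"
    '<w:del w:id="1"><w:r><w:delText>123m</w:delText></w:r></w:del>'
    '<w:ins w:id="2"><w:r><w:t>[withheld]</w:t></w:r></w:ins>'
    "<w:r><w:rPr><w:vanish/></w:rPr><w:t>draft note</w:t></w:r></w:p>"
)
FRESH_COPY = build_docx("<w:p><w:r><w:t>Profit: [withheld]</w:t></w:r></w:p>")

if __name__ == "__main__":
    for label, data in (("edited in place", EDITED_IN_PLACE), ("fresh copy", FRESH_COPY)):
        print(label, audit_docx(data))
```

An empty result only means these particular markers are absent; document properties and embedded objects need their own checks.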
===============
4. Reports and surveys
If you work in General Insurance, you’ll probably know about GIRO,
the general insurance conference held each year by the Actuarial
Profession. I’m currently chairing the GIRO working party on
software use, which is looking into what software GI actuaries (and
others) use, and how they use it. As our first step, finding out
what software is actually used, we are conducting an online
survey. So, if you work in GI, as an actuary or otherwise, we’d
really appreciate it if you’d help us out by completing the survey,
which is at http://www.surveymonkey.com/s.asp?u=891841542723.
There’s a prize of a bottle of champagne for one lucky participant!
The FSA has just issued its annual report on the Financial Risk
Outlook. One of the main points that is made is the need for stress
testing: how firms would respond to extreme risk scenarios. The
scenarios imagined by the FSA include natural disasters (possibly
driven by climate change), global pandemic, political instability
in a major economy, a large terrorist attack, or a major corporate
bankruptcy.
http://www.fsa.gov.uk/Pages/Library/corporate/Outlook/fro_2006.shtml
Although these scenarios are important, there are undoubtedly
others, possibly as yet barely imagined, that could cause similar
levels of disruption. The FSA emphasise that it is important to use
historical experience to inform hypothetical scenarios, rather than
simply re-running past events. Another important aspect of
effective stress testing is the effect of unsuspected risk
correlations across the different parts of large, complex
businesses.
===============
5. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2006. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email news-subscribe AT
louisepryor.com. To unsubscribe, email news-unsubscribe AT
louisepryor.com. All comments, feedback and other queries to
news-admin AT louisepryor.com. (Change “ AT ” to “@”). Archives at
http://www.louisepryor.com/newsArchive.do.