Categories
Old site

More laptop woes

Laptops can contain confidential information, and are inherently less secure than large machines: it is easier to take physical possession of them.

Nationwide building society recently had one stolen that contained customer information; and 3 laptops containing police payroll information were stolen from LogicaCMG, the UK IT services firm.

You have to wonder whether it was absolutely necessary for this information to be on the laptops in the first place. It appears that it may not have been, as Nationwide are saying that the employee who had the laptop stolen may not have been complying with the firm’s security policy. Of course, it’s one thing to have a policy and another for it to be complied with.


He who pays the piper…

Firefox 2.0 is better than Internet Explorer 7 at preventing phishing, according to a study commissioned by Mozilla. A study commissioned by Microsoft found that IE7 is better than a range of 7 third-party security applications. The Microsoft study didn’t include Firefox.


Year-end computer bug could ground shuttle

“The Shuttle was never expected to be in orbit as one year gives way to another”. Unbelievable.


More public sector IT woes

This time it’s the Department of Work and Pensions, in particular their contact centres.

Contact centre employees have to use a number of different systems containing client information. These systems are not properly joined up, so that people applying for benefits or pensions have to give the same information on a number of occasions – when much of it is already held on a system in the department.

Not only is this frustrating for the member of the public, as well as the staff member concerned, it’s also a very good way of ensuring that inaccurate and inconsistent information gets into the system(s).

“There are at least 55 different telephone numbers for contacting the DWP and, quite incredibly, if you contact the wrong service, the department’s technology will not enable your call to be transferred to the right service.”

I suppose that if you make it really hard for people to claim benefits then you save money, as fewer of them will stick it out, but it’s expensive in terms of productivity and staff morale.


Is anti-piracy overkill?

There are some worrying aspects to the anti-piracy technologies that are part of Microsoft’s new Vista operating system.

In any case, the entire concept of significantly reducing the functionality of running systems is saturated with risks. Microsoft notes that their products aren’t supposed to be used for “critical” types of applications. That’s a fine sentiment, but Microsoft has succeeded all too well in getting developers to use their operating systems in all manner of exceptionally important applications. That’s the reality.

Of course, just because Microsoft says that they can use such drastic anti-piracy measures in any particular situation, doesn’t mean that they necessarily will, but can we really afford to take that chance? Even if you are the most 100% squeaky-clean human on planet Earth, and would never even dream of running pirated software, you may want to think twice (or more than twice) before jumping into bed with Microsoft on this one.

The End User License Agreement (EULA) for Vista is also much more restrictive than previous EULAs. So your chances of inadvertently violating it, and hence being a software pirate, are much higher.


Perceived risk vs. actual risk

I can’t put it better than Bruce Schneier, commenting on a Los Angeles Times op-ed by Dennis Gilbert. People just aren’t rational about risk. They overreact to some risks, and underreact to others. This has big implications for risk management, especially in risk identification and risk assessment.

More importantly, though, it affects how both we and those that govern us respond to global warming and terrorism.


Stern review and IT

We can’t just ignore the environmental impact of IT. If, as some hope, the Stern review is going to raise the profile of environmental issues, and lead to actual changes in business behaviour, then IT won’t be exempt.


Blackouts don’t work

It’s been reported that yet again sensitive information has been posted on the web because people don’t understand the difference between what you see and what you get. A pdf document posted by the Civil Aviation Authority contained blacked out sections that were about airport security. However, the sensitive sections could be read quite easily: they just used black on black, or something similar.

Pdf documents contain all the text that was in the document from which they were produced; just because it’s not immediately visible (black on black, or a black block superimposed) it doesn’t mean that it’s disappeared. Just select the text to see it, or if necessary copy and paste into another application, or view the pdf file with a text editor.
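The check described above, as an added example that is not part of the original post: it constructs a minimal PDF in memory with a line of text and a black rectangle painted over it, then searches every content stream (inflating Flate-compressed ones, which a plain text editor cannot read) for the supposedly hidden words. The text and page layout are constructed for the demonstration; the only redaction that passes the check is the one where the text operator itself is gone.

```python
import re
import zlib

def build_pdf(content: str, compress: bool = False) -> bytes:
    """Constructed single-page PDF whose page content stream is `content`
    (a test fixture, not the CAA document the post refers to)."""
    data = content.encode("latin-1")
    filt = b""
    if compress:                       # real producers usually Flate-compress streams
        data = zlib.compress(data)
        filt = b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n" % (len(data), filt) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))       # byte offset of each object, for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

def content_streams(pdf: bytes):
    """Yield every stream body, inflating FlateDecode streams; compressed
    streams look like gibberish in a text editor but still hold the text."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body                 # uncompressed stream

def text_still_present(pdf: bytes, needle: str) -> bool:
    """The check to run before publishing: does the 'redacted' text survive?"""
    return any(needle.encode("latin-1") in s for s in content_streams(pdf))

# Visual "redaction": the text operator stays; a black box is merely painted over it.
OVERLAY = ("BT /F1 12 Tf 100 700 Td (SECRET gate code) Tj ET\n"
           "0 g 95 695 120 16 re f\n")
# Real redaction: the text operator itself is removed before the file goes out.
REMOVED = "0 g 95 695 120 16 re f\n"
```

Running `text_still_present(build_pdf(OVERLAY, compress=True), "SECRET")` returns True even though a byte-level search of the compressed file may not find the word; only the `REMOVED` version comes back False.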


Will your website work tomorrow?

A recent survey suggests that many websites won’t work well with IE7. Normally, it wouldn’t matter much if sites don’t work with a new browser, as take-up is typically pretty slow. However, many people will be upgraded to IE7 automatically.

I have to admit that I haven’t tested my site with IE7. I’m hoping that it will be OK, though, because I know it works with most other browsers. There are a number of sites out there that really only work with IE6, as they take advantage of its non-standard features. They are the ones that are likely not to work with IE7, which apparently has a different rendering engine.

In this case, it’s definitely a case of “do as I say, not as I do”: don’t skimp on the testing.

Categories
Newsletter Old site

Newsletter Oct 2006

News update 2006-10: October 2006
===================

Contents:
1. Software versions
2. Bogus data
3. Is testing necessary?
4. Blogging and wikis
5. Newsletter information

===============
1. Software versions

Want to lose 4.8 billion euros? It looks as if a good way to do it
is to make sure that different parts of your organisation are using
different versions of the same software package. The wiring
problems that have delayed (yet again) deliveries of the Airbus
A380 arose because incompatible versions of the CAD software were
being used. French and British engineers had upgraded to version 5,
while the German and Spanish engineers were still using version 4.
The two versions use different file formats.

How did this happen? It must have been a combination of factors.
First, the software manufacturer (Dassault in this case) changed
the file format without providing backwards compatibility. Then it
was decided that parts of Airbus should upgrade, and that parts
should not. Either those decisions were made independently, and
there is no overall software policy (which is a big problem) or
there were particular reasons for different parts of the
organisation to make different decisions, but nobody thought about
how they would then work together. Probably the truth is somewhere
between the two.

http://aecnews.com/articles/2035.aspx
http://www.bloomberg.com/apps/news?pid=20601085&sid=aSGkIYVa9IZk

This isn’t, of course, a problem only with CAD software. It
shouldn’t surprise anyone that incompatibility problems can arise
with Excel too. There are still people using Excel 97, in which
macros written in later versions generally don’t work. And I’ve
come across macros written in Excel 2000 that don’t work in later
versions. In fact, to state the obvious, each new release of Excel
contains features that don’t work in earlier releases. More subtly,
some of the statistical functions were changed in Excel 2003, so
the results produced by a spreadsheet can depend on the version
under which it was last recalculated.

http://misfouge.notlong.com

As Excel 2007 hits the streets (or rather desktops) incompatibility
problems are going to become more common. It’s actually going to
have a “compatibility mode” which will ensure “that content created
in the 2007 Office release can be converted or downgraded to a form
that can be used by previous versions of Office.” I like the use of
the word “downgraded” in that sentence. The trouble is, though,
that if you use the compatibility mode you won’t be able to take
advantage of all the new features.

http://belciled.notlong.com

IT departments are going to have to think carefully about their
upgrading strategy. However, even if individual organisations get
it right, there will still be problems when spreadsheets are sent
between organisations.

===============
2. Bogus data

Computer models are all very well, but they are only as good as the
data that goes into them. Two Citibank traders recently pleaded
guilty to falsifying bank records and wire fraud. Among their
nefarious activities, they manipulated a computer model that was
monitoring options trading, by inputting bogus data. Apparently
they got a broker to supply them with false market quotes.

http://www.finextra.com/fullstory.asp?id=15935
http://www.msnbc.msn.com/id/15335081/

Maybe they had taken lessons from John Rusnak, the fraudster in the
AIB/Allfirst case. He manipulated the inputs into a spreadsheet
that monitored his trades, by making sure that exchange rate feeds
didn’t go into it directly but through his own PC.

http://www.gre.ac.uk/~cd02/eusprig/2001/AIB_Spreadsheets.htm

Deliberate data manipulation like this is always going to be a risk
when people’s remuneration depends on the results. Accidental
manipulation is always a risk, though, regardless of the uses to
which the model is put. That’s why it’s really important to have a
good audit trail from the source of the data right through to the
end results of the model.

A good audit trail is one that would make any discrepancy
immediately obvious, without requiring laborious manual
comparisons. There are various ways to accomplish this, depending
on the circumstances. However, there are also numerous ways to
invalidate an audit trail, and these are probably more common.
Obvious problems include documentation that doesn’t reflect the
actual procedures, lack of documentation, manual procedures such as
copying and pasting, over-reliance on check totals, non-standard
items that get special treatment, and any stage in the process
where manual alterations are possible, whether deliberate or
accidental.
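One way to make a discrepancy in the source-to-result trail obvious without manual comparison, as an added example (not from the newsletter): each stage writes its own record of the digest of what it received and what it passed on, and a checker walks adjacent records. The stage names, rates and the interposed "desk PC" are constructed to mirror the Allfirst-style scenario above; the example assumes the records go to an append-only log that the people being monitored cannot edit.

```python
import hashlib
import json

def digest(data: dict) -> str:
    """Canonical SHA-256 of a data set: fixed key order and separators, so two
    honest stages hashing the same figures get the same digest."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def record(trail: list, stage: str, received, passed_on: dict) -> None:
    """Each stage appends its own entry: what it received, what it handed on.
    Assumption: `trail` is an append-only log outside the desk's control."""
    trail.append({"stage": stage,
                  "in": None if received is None else digest(received),
                  "out": digest(passed_on)})

def find_breaks(trail: list) -> list:
    """Compare every handover; a mismatch names exactly where the data changed,
    with no line-by-line comparison of the figures themselves."""
    return [f"{prev['stage']} -> {cur['stage']}"
            for prev, cur in zip(trail, trail[1:])
            if cur["in"] != prev["out"]]

# Constructed scenario: published rates, a pass-through feed, and a model
# (hypothetical P&L spreadsheet) that reads them via the trader's own PC.
SOURCE_RATES = {"USDJPY": 118.42, "EURUSD": 1.2715}

def run_scenario(tamper: bool) -> list:
    trail = []
    record(trail, "rate-source", None, SOURCE_RATES)
    feed = dict(SOURCE_RATES)
    record(trail, "market-feed", SOURCE_RATES, feed)
    desk_copy = dict(feed)
    if tamper:
        desk_copy["USDJPY"] = 121.00      # rate altered on the way into the spreadsheet
    model_result = {"pnl": round(desk_copy["USDJPY"] * 1000, 2)}  # stand-in calculation
    record(trail, "model", desk_copy, model_result)
    record(trail, "report", model_result, model_result)
    return find_breaks(trail)
```

With `tamper=True` the checker returns `['market-feed -> model']`, pointing straight at the handover where the figure was changed; an untouched run returns an empty list.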

===============
3. Is testing necessary?

I think you can guess what my answer would be, but it appears that
not everyone has the same opinion. It’s often felt that testing is
expensive, and can be skimped (or skipped altogether) as the
benefits it provides aren’t worth it. This view assumes that the
testing process won’t uncover any significant problems. Experience
shows that this assumption is usually over-optimistic.

It’s important to remember, too, that testing isn’t just about
getting the calculations right (though that’s important). You may
also want to test performance (under both normal and abnormal
conditions) and usability. Doing the right thing covers every
aspect of a deployed system, and it’s important to get it all
right.

A recent article reports the government as saying the following
about ID cards:

* It won’t be possible to test everything in advance
* They’ll use off-the-shelf technology for some parts; this will
have been adequately tested elsewhere
* Trials will have to be limited in order to stay within budget
* Instead of trials, they’ll use incremental roll-outs

So they will be testing, it’ll just be on live data (and hence real
people). And just because a product is off-the-shelf it doesn’t
mean it’ll work under all circumstances, especially if it’s part of
a larger system. Interfaces between different components are always
potentially dodgy.

http://news.zdnet.co.uk/business/management/0,39020654,39284263,00.htm

I can just see this whole ID card project heading in the same
direction as the NHS National programme for IT, which has become a
byword for disastrous IT projects. Not testing it properly is just
asking for trouble.

A recent survey suggests that many applications fail when they are
deployed. If you don’t plan for performance issues in advance,
during the development process, things can go pear-shaped in the
production environment. Performance can be significantly affected
by network issues, for example: often, development takes place on a
LAN, but the production environment is a WAN. If you don’t test in
an environment as much like the production environment as possible,
you’re just not going to find the problems.

The report says “perhaps the most telling statistic from the survey
is that most IT departments (71 per cent) seem to rely on end users
calling the help desks to alert them that performance problems
exist. This means problems are only reported after their impact is
noticed.”

http://www.regdeveloper.co.uk/2006/10/24/compuware_performance/

In other words, use your users as testers. They won’t mind, will
they?

When it comes down to it, testing is useful. If you don’t look for
problems, you mightn’t find them until they are really
inconvenient.

===============
4. Blogging and wikis

I’ve started a new blog at http://www.louisepryor.com/blog. It’s
likely that many, but not all, of the items in this newsletter will
be mentioned in the blog first. There will also be things that appear in
the blog that don’t make it into the newsletter.

One of the GIRO working parties this year is on “Building an open
source ICA model”. If you’d like to join the working party, please
let me know. If you’re interested in what we’re doing, take a look
at our wiki at http://icamodel.pbwiki.com/. You’ll need the
password (or a pbwiki ID) to edit it; again, let me know if you’d
like to contribute at that level, without committing to the working
party.

===============
5. Newsletter information

This is a monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2006. All
rights reserved. You may distribute it in whole or in part as long as
this notice is included.

To subscribe, email news-subscribe AT louisepryor.com. To unsubscribe,
email news-unsubscribe AT louisepryor.com. Send all comments, feedback
and other queries to news-admin AT louisepryor.com. (Change “ AT ” to
“@”). All comments will be considered as publishable unless you state
otherwise. The newsletter is archived at
http://www.louisepryor.com/newsArchive.do.