Thursday 5 March 2015

Sending invoices in PDF format?

Do you send invoices or other financial information in PDF format via e-mail to your customers and partners? You should probably evaluate digitally signing not only the PDF file but also the e-mail it is sent in. In Sweden alone, about 40 000 scam invoices are sent every year. As more and more companies choose to send their invoices digitally, this opens up an even more dangerous avenue.
A scam invoice is bad enough, but delivering it digitally also opens up the possibility of incorporating malware in the PDF file. Hard to do? Nope. It can be done by anyone. Basically one needs a few things to complete the scam:

1) An infected PDF file
2) A genuine source to spoof
3) A recipient

One would simply do this:
1) Download the Social Engineering Toolkit. If you have trouble setting it up, download Kali Linux, which comes with all sorts of nifty tools, including the SE Toolkit, installed for you.

2) Start the software and select the options that guide you to the creation of a hostile PDF:
  1. Social-Engineering Attacks
  2. Infectious Media Creator
  3. File-Format Exploit
  4. Adobe PDF Embedded EXE Social Engineering
  5. Use your own PDF for attack
3) So you pick your PDF that looks like a genuine invoice, select an exploit from the repository and generate the infected file.

4) Set up the e-mail client with any valid sender e-mail address. Pick your favourite phone company, bank, credit card company or similar. Something the recipient will recognise.

5) If needed, download some e-mail server software as well, so you bypass any filtering on the sending mail server.

6) Now craft the e-mail to look like a genuine e-mail and add some eye-catching things like “Your invoice is in default”, “Late payment” or similar. This will trigger the recipient to open the attachment.

7) Send the e-mail and that’s it.

Now, all of this can be done by anyone. All the skills needed are: how to download and install software, get hold of a genuine PDF file or create one in a word processor and save it as PDF, click through a menu and send an e-mail.

Some financial institutions, government organisations and companies have started to digitally sign the files, so that the recipient knows where the file comes from and that it has not been tampered with. However, once the recipient has opened the file and perhaps discovers that it is bogus, it is already too late. The file has been executed and the malware has been planted.

How do we prevent this? Well, we cannot prevent anyone from opening an attachment, and we cannot prevent anyone from sending an e-mail that looks like it comes from someone else. But what we can do is use digitally signed e-mails. A certificate for digitally signing e-mails costs around 100 EUR, and it will immediately tell the recipient who sent the e-mail.

So anyone sending invoices and similar should have the courtesy to digitally sign the e-mails and provide this extra level of security for their customers.
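The receiving side of this, as an added Python example that is not from the post: a small screening function for a mail gateway that records whether an incoming invoice e-mail is S/MIME signed at all (structurally, a multipart/signed message with a PKCS#7 part; the cryptographic verification against the sender's certificate is assumed to be a separate step) and whether any PDF attachment contains names such as /EmbeddedFile, /Launch or /OpenAction, the PDF features an "embedded EXE" style invoice depends on. The two messages and their PDF content are constructed samples, not real files.

```python
import email
import re
from email import policy

# PDF names that make a document run code, open a target or drop a file (constructed list, not exhaustive).
ACTIVE_PDF_NAMES = re.compile(rb"/(JavaScript|JS|Launch|EmbeddedFile|OpenAction)")
# Constructed sample 1: unsigned mail whose "invoice" embeds a file and launches it on open (toy PDF, not real).
RAW_UNSIGNED = b"""From: billing@example-telco.invalid
Subject: Late payment - your invoice is overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice.pdf"

%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj
2 0 obj << /S /Launch /F (invoice.exe) >> endobj
--b1--
"""
# Constructed sample 2: same sender, S/MIME signed, plain PDF (signature blob is a placeholder, not real PKCS#7).
RAW_SIGNED = b"""From: billing@example-telco.invalid
Subject: Your invoice for March
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="s1"

--s1
Content-Type: application/pdf; name="invoice.pdf"

%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
--s1
Content-Type: application/pkcs7-signature; name="smime.p7s"

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
--s1--
"""

def is_smime_signed(msg):
    # Structural check only: verifying the signature against a trusted CA needs a crypto library (later step).
    return (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol", "") in ("application/pkcs7-signature", "application/x-pkcs7-signature"))
def active_content(pdf_bytes):
    # Sorted, de-duplicated list of risky PDF names present in the attachment bytes.
    return sorted({m.decode() for m in ACTIVE_PDF_NAMES.findall(pdf_bytes)})
def screen(raw):
    # Returns (signed, findings); findings lists (filename, risky names) for each PDF part that has any.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [(p.get_filename(), active_content(p.get_payload(decode=True)))
                for p in msg.walk() if p.get_content_type() == "application/pdf"]
    return is_smime_signed(msg), [f for f in findings if f[1]]
```

screen(RAW_UNSIGNED) returns (False, [('invoice.pdf', ['EmbeddedFile', 'Launch', 'OpenAction'])]) and screen(RAW_SIGNED) returns (True, []); an unsigned mail carrying a PDF with active content is the combination to quarantine, or at least to flag clearly to the recipient.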

Thursday 12 September 2013

Exposing the mirrors

So I lecture quite a lot about different aspects of project management, from requirements gathering, pre-studies and business case development to certification preparation. And I have found myself telling the students about all sorts of things a PM has up their sleeve. These are not things that would be found in any text book, in any higher-moral-ground theory or academic paper. The number crunchers and process addicts would probably like to take my head off, but it’s now on the internet so it will not go away.

These are tools based on experience and on spending a lot of time getting one’s hands dirty. The idea is that they will extend the life expectancy of the PM’s mental health and probably take some of the stress off the mind of the PM. So am I giving away the illusionist’s tricks? Am I showing the mirrors and pointing out the strings that make the lady appear to fly? Sure, I am. But it’s not like no one else knows them… Every experienced PM knows them, they are just not telling the new guy about them.

Since I already tell people in class, why not let the NOC list out into the open? Don’t know what the NOC list is? Have a look at the first Mission Impossible film.

I’ll start with PERT estimates, or three-point estimates. Let’s start with the basics.

When we need estimates, we reach out to the subject matter experts (SMEs) and ask them for estimates on different tasks. We do know that most people hesitate to actually give a number, for self-preservation if nothing else. They have been around before and they know that this number pretty easily turns into gospel, and they don’t like that. The three-point estimate is where we let them say what they think but also tell us the best and worst case scenarios. So we cut them a bit of slack and say that we will crunch the numbers afterwards.

I’m not going to go through the whole theory here since that is common stuff, and if anyone needs to check it out, it’s on Wikipedia.

So according to this we calculate Max + Min + 4 x Expected and divide that by 6. So where do 4 and 6 come from? Well, it is based on the mathematical theory of bell curves and standard deviation. What happens if we, shame on us if we do, would actually change these numbers? Let’s say 3 and 5, so we have Max + Min + 3 x Expected divided by 5? What happens then, and why would we do that?

So we start with what happens. Let’s look at some example figures. We have an imaginary project where we came up with Min = 70 days, Max = 242 days and Expected = 125 days.

Using the official numbers we get a PERT-calculated value of 136 days: (70 + 242 + (4 * 125))/6.

We also get a standard deviation of 29 days: (242 – 70)/6 = 29.

And we get an error percentage of 4%: Standard Deviation / (Max + Min + 4 x Expected).

Let’s now change to 3 and 5. What numbers do we get then?

Calculated value = 144 = (70 + 242 + (3 * 125))/5
Standard deviation = 34
Error percentage = 5%

So what does this mean? Basically it means that one lets the deltas at the extremes show more in the final calculated result. We can see that the calculated value increased from 136 to 144.

The million dollar question: when would you do this?

Ever get the request from a customer, “We’d like a fixed price project”? When doing a fixed price project we have to carry the risk. So we would like to know whether this is a high-risk project or not. If the 4/6 calculation is not very far off from the 3/5, well, we are pretty sure of our estimates. If they are far off, we probably need to break things down further and analyse more. We are probably going to use the 3/5 calculation instead when writing the proposal, and we are probably going to find the tasks with large deltas and use them as inputs for a risk resolution line in the budget.

Can we increase the numbers? Say 5/7. Yes, we can, and that would mean giving more weight to the expected value. So we might work with these numbers depending on how certain people are in their estimates. Large deltas? Then we probably want to reflect them more.
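To make the weighting concrete, here is a small Python script (added here, not from the post) that calculates the post's three figures for any weight, and the 3/5 versus 4/6 gap that the fixed-price paragraph above relies on; the task list and the 5% threshold in risky_tasks are my own constructed assumptions. With the post's 70/242/125 input it returns 135.3, 28.7 and 3.5% for 4/6 (136, 29 and 4% when rounded up as the post does) and 137.4, 34.4 and 5.0% for 3/5.

```python
def pert(minimum, maximum, expected, weight=4):
    # Weighted three-point estimate as used in the post. The divisor is weight + 2, so weight 4
    # is the classic (Min + Max + 4 x Expected) / 6, weight 3 the post's 3/5 variant, weight 5 gives 5/7.
    divisor = weight + 2
    weighted_sum = minimum + maximum + weight * expected
    estimate = weighted_sum / divisor
    std_dev = (maximum - minimum) / divisor
    # The post defines error percentage as standard deviation over the weighted sum, not over the estimate.
    error_pct = 100 * std_dev / weighted_sum
    return estimate, std_dev, error_pct

def weighting_gap(minimum, maximum, expected, low=3, high=4):
    # How far the estimate moves between the 3/5 and 4/6 weightings: the post's check of whether
    # the extremes matter enough to break the task down further.
    return pert(minimum, maximum, expected, low)[0] - pert(minimum, maximum, expected, high)[0]

def risky_tasks(tasks, threshold_pct=5.0):
    # Constructed helper (my assumption, not from the post): tasks is a list of (name, min, max, expected).
    # Flags tasks whose 3/5 vs 4/6 gap exceeds threshold_pct of the 4/6 estimate, i.e. candidates
    # for further breakdown and for the risk resolution line in a fixed-price proposal.
    flagged = []
    for name, lo, hi, exp in tasks:
        base = pert(lo, hi, exp, 4)[0]
        if 100 * weighting_gap(lo, hi, exp) / base > threshold_pct:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    # The post's imaginary project: Min = 70, Max = 242, Expected = 125 days.
    for w in (3, 4, 5):
        est, sd, err = pert(70, 242, 125, w)
        print(f"{w}/{w + 2}: estimate {est:.1f} days, std dev {sd:.1f} days, error {err:.1f}%")
    print("gap 3/5 vs 4/6:", round(weighting_gap(70, 242, 125), 1))
    # Constructed task list: one wide-spread task, one tight one and the post's whole project.
    print(risky_tasks([("integration", 10, 200, 30), ("docs", 10, 14, 12), ("whole project", 70, 242, 125)]))
```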



Thursday 18 April 2013

When will the understanding of projects catch up to the understanding of science?

In 1814 de Laplace described what would become known as “Laplace’s demon”. He stated that if one knew the exact state of every object in the universe, one would be able to predict the exact future. Then for about 150 years scientists in all kinds of fields, like meteorology, physics and economics, tried to predict the weather, economic development and other dynamic systems. According to this theory one could skip small details, since the bigger picture would overrule any small effects that very small initial differences would have on the end result.

Then in 1963 Edward Lorenz described what he called “Deterministic Nonperiodic Flow”. Sounds booooring, but it became known to most people as “the butterfly effect”, not least through Jeff Goldblum’s character Dr. Ian Malcolm in the film Jurassic Park. In science it is referred to as chaos theory today. This effectively killed all notions of small details having no effect on the end result. This happened about 50 years ago and has radically changed the way science works.

Still, in each and every project most people, and particularly the stakeholders, think that we can make a plan, predict everything, and that this will be gospel. We are also expected to make this plan with very limited time and resources. Then, when some little detail shows up that affects the project, they act surprised, want to investigate responsibility and escalate to the big chiefs why we failed so completely in predicting this little detail. The “inquisition” brings out all their hidden toys and starts the fires. Someone has to be condemned for this utter lack of predicting everything, and we have to declare our total incompetence, as Galileo was forced to stand trial before the Inquisitor Maculani for his heretical teachings.

So my question is: when will there be an understanding that project managers cannot predict every little detail in a sequence of events involving a lot of people over the next months or years? No one expects a weather forecast to be exact for the next 6 months or so, everyone knows we cannot predict currency rates in detail for the next year, so how are project managers expected to have this magical foresight that no one else has? Is there a secret club with a lot of old people in pointy hats and dark rituals one has to go through to be elevated to some higher form of being?

Friday 11 May 2012

What site templates are available using Office 365?

Well there is a special set of site templates that are available using Office 365:

Team Site
Blank Site
Document Workspace
Basic Meeting Workspace
Blank Meeting Workspace
Decision Meeting Workspace
Social Meeting Workspace
Multipage Meeting Workspace
Group Work Site
Asset Web Database
Charitable Contribution Web
Contact Web Database
Issues Web Database
Project Web Database
Document Center
Personalization Site
Basic Search Center
Visio Process Repository
Express Team Site (only Office 365)

Using SharePoint 2010 Enterprise Edition as a comparison, you would also have these site templates:
Records Center
PowerPivot Site
Business Intelligence Center
Publishing Site
Publishing Site with Workflow
Enterprise Search Center
Enterprise Wiki
FAST Search Center

Thursday 12 April 2012

15 worst passwords

The 15 most commonly used passwords, according to "someone".
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
12. 111111
13. iloveyou
14. master
15. sunshine

Wednesday 21 March 2012

SharePoint Web Analytics Report Error

Sometimes you run into a problem that just has to do with timing. Yesterday we were working on a brand new SharePoint 2010 setup, and one of the first things to check (due to requirements) was the Web Analytics Reports.

When doing so we got an unexpected error. There was no info in the logs related to the ID shown. Initially we didn’t find any data in the .usage log file, but after running the two services Usage Data Import and Usage Data Processing, and setting them to run every 5 minutes, we did get data in the .usage log file.

But no luck. There was still the error when accessing the Web Analytics Report in Site Settings.

However, it turns out there is also a workflow that has to run, the Web Analytics Trigger Workflows Timer Job, and by default this runs once a day. So if you don’t try this within the first day or two after setup, there will never be a problem. However, if you want to run it on the first day after setup, you have to change the schedule for this job or run it manually.

Then there was no more error.

Sunday 12 February 2012

CVs – the death of renaissance people

The attribute “Renaissance” and the expression “Renaissance Man” are all about broad knowledge in multiple disciplines. The ambition, and what is attractive, is the ability to do different things at different levels within different areas, and by that experience and knowledge create new things and unexpected wonders.

This was once very popular, this was once highly respected. The men and women who could master completely different tasks and succeed in doing so were regarded with respect and admired for their stamina, their never-ending enthusiasm for new knowledge and their willingness to tackle new situations.

Most people today will at different intervals end up in situations where one is asked to present earlier work or experience. The most common way of doing so is by creating a CV, a resume. If you are looking for a new job or a new consultancy assignment, this is the first screening before one even gets to talk to people.

The employer or the consultant manager will have a list of skills required for the job. This is often quite a narrow list of bullet points that one has to match.

So if you have been around a bit and done a few things other than just the previous tasks being looked for, you are disqualified. In the long run this limits your paths, and once you start down one road there is no way off it. At the other end, that gives the organisation, step by step, employees and staff who are inflexible, lack outside influences, lack the ability to adjust to new situations and are super experts on one thing and one thing alone. Is this the desired way we should go?

Generally there are two accepted groups that one can be sorted into, experts or generalists. Either one knows a lot about few things or one knows a little about a lot of things. That is the common idea. The renaissance person who actually actively cultivates his or her skills in several areas is left out of this classification.

If you are one of these persons you will find yourself creating a zillion different CVs depending on what actual skills are asked for in a particular assignment. But you will quite often be sorted out anyway, since you didn’t do just that particular thing for the last century or so. By this approach Da Vinci would never have been allowed to create defence machines, art and scientific experiments. Cicero would never have been a politician, a philosopher and an author. Galileo would not have been allowed to be a master of mathematics and painting, and to play the lute for kings and dignitaries.

Have you ever run into a project or application where one can see that things have been done the way they used to be done ten years ago? Even though this is a brand new application? How is that? Well, the simple answer is that if one continues to select people who have done a particular thing, and only that, for the last ten to fifteen years, you will get a product or application that is produced in the same way as it was ten or fifteen years ago.

Have you ever found yourself going to several meetings and then afterwards being turned down for mutually exclusive reasons? For one you were too technical, for the other you were too broad, for a third you hadn’t done so and so many years of exactly that particular thing. Although you do have the skills asked for, you have experience of that type of work and you have succeeded before in performing the same tasks?

Then you are probably someone who refuses to be locked in by conventional constraints on your ability to learn new things. Someone who takes on new challenges and succeeds in completing them. Someone who wants to expand their experience beyond the absolute minimum of what is needed, and someone who can see new things and new solutions.

You are probably a renaissance person.