sss ssss      rrrrrrrrrrr
                      ssss    ss       rrrr   rrrr
                     sssss     s       rrrr    rrrr
                     ssssss            rrrr    rrrr
                      ssssssss         rrrr   rrrr
                          ssssss       rrrrrrrrr
                    s      ssssss      rrrr  rrrr
                    ss      sssss      rrrr   rrrr
                    sss    sssss       rrrr    rrrr
                    s  sssssss        rrrrr     rrrrr
         +=======    Quality Techniques Newsletter    =======+
         +=======            February 2002            =======+

Subscribers worldwide to support the Software Research, Inc. (SR),
TestWorks, QualityLabs, and eValid user communities and other
interested parties to provide information of general use to the
worldwide internet and software quality and testing community.

Permission to copy and/or re-distribute is granted, and secondary
circulation is encouraged by recipients of QTN provided that the
entire document/file is kept intact and this complete copyright
notice appears with it in all copies.  Information on how to
subscribe or unsubscribe is at the end of this issue.  (c) Copyright
2003 by Software Research, Inc.


                       Contents of This Issue

   o  QWE2002 -- The Reasons Why

   o  Testing Your Web Application: A Quick 10-Step Guide, by Krishen Kota

   o  Cybercrime Guidelines (Forwarded by Jack Grimes)

   o  Special Issue of IBM System Journal on Software Testing and Verification

   o  eValid 3D SiteMaps

   o  Unit Testing by Michael Reidy: A Reader Reaction, by Hans Schaefer

   o  Microsoft Haiku (Forwarded by Jack Grimes)

   o  Software Pioneers Conference (June 2001)

   o  Cypersecurity a Top Priority, by Ariana Eunjung Cha (Forwarded by Jeff Voas)

   o  Symposium on Cyber Security and Trustworthy Software

   o  ICSE Venue Changed

   o  Symmetry (Forwarded by Susan Low)

   o  Workshop on Ubiquitous Web Applications

   o  SQRL Report Abstracts

   o  QTN Article Submittal, Subscription Information


                    QWE2002 -- The Reasons Why

The times are demanding and budgets are carefully managed.  You need
all the information you can get on how to make the most of your
precious resources.  QWE2002 is the place to get your questions
answered, learn from your peers and take practical solutions back to
the job.

No need to reinvent the wheel, cause QWE2002 is a combination of
hands-on demos from the top Tools and Services Vendors, deep
technical education from academics and industry leaders.

Take advantage of the Two-Day Expo to do comparative investigation
of the latest solutions, in record time, without over-spending your
travel budget.  It is all there.  Having access to the latest
information and knowledge will save your company a lot of money on
projects in the long run.


Featured Keynote Speakers are among the top Academic and Industry

* Dr. Linda Rosenberg, Chief Scientist for Software Assurance,
  Office of Systems Safety and Missions Assurance at NASA, GSFC:
  "Independent Verification and Validation Implementation at NASA"

* Professor Koenraad Debackere from the KU Leuven: "Organizing for
  High Tech Innovation"

* Mr. Bob Bartlett, Chairman of SIM Group: "Power Testing"

* Mr. Rik Nuytten, Channels Marketing Manager at Cisco Systems,
  Belgium: "Building the Infrastructure for the Future"

* Mr. Eric Simmons, Platform Quality Engineer in the Corporate
  Quality Network Group at Intel Corporation: "From Requirements to
  Release Criteria"

* Mr. Rob Sabourin, Amibug, Canada: "Creating Quality Web Systems"


Over two intensive, hard-working days, we offer 18 pre-conference
Tutorials conducted by the foremost experts in their fields.


Download your own copy of the full-color Quality Week Europe 2002
brochure in *PDF format from:


You have asked and we are coming through for you. Here is SR
Institute's contribution to give more buying power to your Euros and

* Stay at one of the three official Conference Hotels and we'll
  honor the EARLY BIRD conference fees.  The savings in registration
  fees alone will cover most of the cost of your stay.  Simply mark
  "HOTEL" in the SR Discount Code Box on the registration form.

* Register two or more team members at one time and take 10% off the
  total registration fee.

* If you are already registered at full price, you can still add
  team members at the group discount and save!

* If you have four or more team members who wish to attend QWE2002,
  please contact us about our very, very special big-group


The Sheraton Hotel & Towers in Brussels will host both the
Conference and Vendor Expo.

Blocks of rooms have been reserved at the Sheraton, as well as at
two other hotels, Hotel Le Dome and Hotel President Nord.

The two additional hotels are walking distance from The Sheraton.
The QWE2002 Conference rates at all three hotels include elaborate
buffet breakfast and all taxes.  Please contact the Conference
hotels directly.  Go to:
  <> for full


                    Testing Your Web Application
                       A Quick 10-Step Guide

                          by Krishen Kota

Interested in a quick checklist for testing a web application?  The
following 10 steps cover the most critical items that I have found
important in making sure a web application is ready to be deployed.
Depending on size, complexity, and corporate policies, modify the
following steps to meet your specific testing needs.

Step 1 - Objectives

Make sure to establish your testing objectives up front and make
sure they are measurable. It will make your life a lot easier by
having written objectives that your whole team can understand and
rally around.  In addition to documenting your objectives, make sure
your objectives are prioritized.  Ask yourself questions like "What
is most important:  minimal defects or time-to-market?"

Here are two examples of how to determine priorities:

If you are building a medical web application that will assist in
diagnosing illnesses, and someone could potentially die based on how
correctly the application functions, you may want to make testing
the correctness of the business functionality a higher priority than
testing for navigational consistency throughout the application.

If you are testing an application that will be used to solicit
external funding, you may want to put testing the aspects of the
application that impact the visual appeal as the highest testing

Your web application doesn't have to be perfect; it just needs to
meet your intended customer's requirements and expectations.

Step 2 - Process and Reporting

Make sure that everyone on your testing team knows his or her role.
Who should report what to whom and when?  In other words, define
your testing process.  Use the following questions to help you get

  o How will issues be reported?
  o Who can assign issues?
  o How will issues be categorized?
  o Who needs what report and when do they need it?
  o Are team meetings scheduled in advance or scheduled as needed?

You may define your testing process and reporting requirements
formally or informally, depending on your particular needs.  The
main point to keep in mind is to organize your team in a way that
supports your testing objectives and takes into account the
individual personalities on your team.  One size never fits all when
dealing with people.

Step 3 - Tracking Results

Once you start executing your test plans, you will probably generate
a large number of bugs, issues, defects, etc.  You will want a way
to easily store, organize, and distribute this information to the
appropriate technical team members.  You will also need a way to
keep management informed on the status of your testing efforts.  If
your company already has a system in place to track this type of
information, don't try to reinvent the wheel.  Take advantage of
what's already in place.

If your company doesn't already have something in place, spend a
little time investigating some of the easy-to-setup online systems
such as the one found at <>.  By using an
online system, you can make it much easier on yourself by
eliminating the need to install and maintain an off-the-shelf

Step 4 - Test Environment

Set up a test environment that is separate from your development and
production environment.  This includes a separate web server,
database server, and application server if applicable.  You may or
may not be able to utilize existing computers to setup a separate
test environment.

Create an explicitly defined procedure for moving code to and from
your test environment and make sure the procedure is followed.
Also, work with your development team to make sure each new version
of source code to be tested is uniquely identified.

Step 5 - Unit Testing

Unit testing is focused on verifying small portions of
functionality.  For example, an individual unit test case might
focus on verifying that the correct data has been saved to the
database when the Submit button on a particular page is clicked.

An important subset of unit testing that is often overlooked is
range checking.  That is, making sure all the fields that collect
information from the user, can gracefully handle any value that is
entered.  Most people think of range checking as making sure that a
numeric field only accepts numbers.  In addition to traditional
range checking make sure you also check for less common, but just as
problematic exceptions.  For example, what happens when a user
enters his or her last name and the last name contains an
apostrophe, such as O'Brien?  Different combinations of databases
and database drivers handle the apostrophe differently, sometimes
with unexpected results.  Proper unit testing will help rid your web
application of obvious errors that your users should never have to

Step 6 - Verifying the HTML

Hyper Text Markup Language (HTML) is the computer language sent from
your web server to the web browser on your users' computer to
display the pages that make up your web application.   HTML is
theoretically a standard used on the Internet to make it easy for
anyone, anywhere to view the information on a website.  That may be
somewhat true for a static website, but anyone who has been involved
in developing a web application knows that HTML is anything but

Verifying HTML is simple in concept but can be very time consuming
in practice. There are many online and downloadable applications to
help in this area such as Website Garage
<>.  There are two main aspects of
verifying the validity of your HTML. First you want to make sure
that your syntax is correct, all your opening and closing tags
match, etc. Secondly, you want to verify how your pages look in
different browsers, at different screen resolutions, and on
different operating systems. Create a profile of your target
audience and make some decisions on what browsers you will support,
on which operating systems, and at what screen resolutions.

In general, the later versions of Microsoft Internet Explorer,
version 5.5 and above are very forgiving. If your development team
has only been using Internet Explorer 5.5 on high-resolution
monitors, you may be unpleasantly surprised when you see your web
application on a typical user's computer.  The sooner you start
verifying your HTML, the better off your web application will be.

Step 7 - Usability Testing

In usability testing, you'll be looking at aspects of your web
application that affect the user's experience, such as:

  o How easy is it to navigate through your web application?

  o Is it obvious to the user which actions are available to him or

  o Is the look-and-feel of your web application consistent from
    page to page, including font sizes and colors?

The book, "Don't Make Me Think! A Common Sense Approach to Web
Usability" by Steve Krug and Roger Black, provides a practical
approach to the topic of usability.  I refer to it often, and
recommend it highly.

In addition to the traditional navigation and look-and-feel issues,
Section 508 compliance is another area of importance.  The 1998
Amendment to Section 508 of the Rehabilitation Act spells out
accessibility requirements for individuals with certain

For instance, if a user forgets to fill in a required field, you
might think it is a good idea to present the user with a friendly
error message and change the color of the field label to red or some
other conspicuous color.  However, changing the color of the field
label would not really help a user who has difficulty deciphering
colors.  The use of color may help most users, but you would want to
use an additional visual clue, such as placing an asterisk beside
the field in question or additionally making the text bold.

For more details, refer to <>.  Another
great resource that can help analyze your HTML pages for Section 508
compliance can be found at <>.  If you are
working with the United States federal government, Section 508
compliance is not only good design, it most likely is a legal

Step 8 - Load Testing

In performing load testing, you want to simulate how users will use
your web application in the real world.  The earlier you perform
load testing the better. Simple design changes can often make a
significant impact on the performance and scalability of your web
application.  A good overview of how to perform load testing can be
found on Microsoft's Developer Network (MSDN) website at:


A topic closely related to load testing is performance tuning.
Performance tuning should be tightly integrated with the design of
your application.  If you are using Microsoft technology, the
following article is a great resource for understanding the
specifics of tuning a web application.

us/dnserv/> html/server03272000.asp

People hate to wait for a web page to load.  As general rule, try to
make sure that all of your pages load in 15 seconds or less.  This
rule will of course depend on your particular application and the
expectations of the people using it.

Step 9 - User Acceptance Testing

By performing user acceptance testing, you are making sure your web
application fits the use for which it was intended. Simply stated,
you are making sure your web application makes things easier for the
user and not harder. One effective way to handle user acceptance
testing is by setting up a beta test for your web application.

One article to help you get started planning an effective beta test
is:  Supercharged Beta Test by Joshua Grossnickle and Oliver Raskin,
May 14, 2001 which can be found at:
This article points out the critical aspects of setting up a beta
test including how to identify beta testers and how to obtain their
feedback.  The main point to remember in user acceptance testing is
to listen to what the people using your web application are saying.
Their feedback will be critical to the ultimate success of your web

Step 10 - Testing Security

With the large number of highly skilled hackers in the world,
security should be a huge concern for anyone building a web
application.  You need to test how secure your web application is
from both external and internal threats.  The security of your web
application should be planned for and verified by qualified security

If you think security is a subject that is over-hyped, check out
Steve Gibson's account of how a 13 year old hacker took his
company's website down for an extended period of time at will.  You
can find this eye-opening security case study at:


Some additional online resources to help you stay up to date on the
latest Internet security issues include:

CERT Coordination Center <>

Computer Security Resource Center <>

After performing your initial security testing, make sure to also
perform ongoing security audits to ensure your web application
remains secure over time as people and technology change.

Testing a web application can be a totally overwhelming task.  The
best advice I can give you is to keep prioritizing and focusing on
the most important aspects of your application and don't forget to
solicit help from your fellow team members.

By following the steps above coupled with your own expertise and
knowledge, you will have a web application you can be proud of and
that your users will love.  You will also be giving your company the
opportunity to deploy a web application that could become a run away
success and possibly makes tons of money, saves millions of lives,
or slashes customer support costs in half.  Even better, because of
your awesome web application, you may get profiled on CNN, which
causes the killer job offers to start flooding in.

Proper testing is an integral part of creating a positive user
experience, which can translate into the ultimate success of your
web application.  Even if your web application doesn't get featured
on CNN, CNBC, or Fox News, you can take great satisfaction in
knowing how you and your team's diligent testing efforts made all
the difference in your successful deployment.

(c) Copyright 2001 Krishen Kota. All Rights Reserved.

About the Author:  Krishen Kota is a 10-year veteran of the
information technology consulting industry and is President of
AdminiTrack, Inc.  <>, which provides a
web-based issue and defect tracking application designed
specifically for professional software development teams.  Krishen
can be contacted via email at .


                       Cybercrime Guidelines
        Forwarded by: Jack Grimes 

Working with industry and law enforcement professionals, CIO
Magazine recently published guidelines on responding to and
reporting threats or attacks on information systems or data.  The
guidelines emphasize the importance of reporting incidents in order
to identify and prosecute criminals, identify new cyber security
threats, and to prevent successful attacks on critical
infrastructure and economic systems.

The guidelines are intended to facilitate effective law enforcement
responses to attacks on private sector computers.  The guidelines
note that because of the sensitive nature of information security
threats, information security officers ("ISOs") are often reluctant
to share information with law enforcement or other industry groups.
The guidelines recognize this concern, but encourage ISOs to better
understand how law enforcement and other government agencies handle
a cyber threat report with regard to the impact of an investigation
on their business and how law enforcement handles sensitive

The guidelines outline (i) what elements to include in an
information system security plan, (ii) what types of incidents to
report, and (iii) when and how to report an incident.  To assist in
this process, the guidelines include a list of law enforcement
contact officials and agencies, including FBI and Secret Service
field offices, and include a form to use to report cyber threats.
                 The guidelines are available at

If you have any questions with regard to information security
issues, please do not hesitate to contact us at 202-639-7200 or

        Thomas P. Vartanian
        David L. Ansell
        Robert H. Ledig
        Washington, D.C.


          Special Issue: Software Testing and Verification

              IBM Systems Journal, Vol. 41, No.1, 2002
                     (IBM Order No. G321-0144)


      Editor's Note: The IBM Systems Journal is a very highly
      respected technical journal that has always reflected
      the best of IBM's thinking.  This special issue on
      Software Testing and Verification has powerful papers,
      to be sure, but is important in its own right for the
      fact that IBM has placed so much emphasis on the topic.

Issue Contents:

Message from the Corporate Director, IBM Software Test, Bill

Issue Preface, by John J. Ritsko and Marilyn L. Bate.

"Software debugging, testing, and verification," by  B. Hailpern and
P. Santhanamp.

"Metrics to evaluate vendor-developed software based on test case
execution results," by K. Bassin, S. Biyani, and P. Santhanamp.

"Improving software testing via ODC: Three case studies," by M.
Butcher, H. Munro, and T. Kratschmerp.

"A metric for predicting the performance of an application under a
growing workload," by E. J. Weyuker and A. Avritzerp.

"Testing z/OS: The premier operating system for IBM's zSeries
server," by S. Loveland, G. Miller, R. Prewitt, and M. Shannon.

"The STCL test tools architecture," by C. Williams, H. Sluiman, D.
Pitcher, M. Slavescu, J. Spratley, M. Brodhun, J. McLean, C. Rankin,
and K. Rosengren

"Using a model-based test generator to test for standard
conformance," by E. Farchi, A. Hartman, and S. S. Pinterp.

"Multithreaded Java program test generation," by O. Edelstein, E.
Farchi, Y. Nir, G. Ratsa by, and S. Urp.

"The Software Testing Automation Framework," by C. Rankinp.

"FLAVERS: A finite state verification technique for software
systems," by J. M. Cobleigh, L. A. Clarke, and L. J. Osterweil.


                        eValid 3D-SiteMaps

Did you ever look at a WebSite and wonder how it is really

Do you wish you could see how individual URLs in your WebSite depend
on one another?

Did you know that you can draw inferences about WebSite behavior and
effectiveness by studying how the WebSite pages interact?

Now there's a way to do this, and more!

eValid's new 3D-SiteMap charts show the dependence information in a
WebSite in a new and highly effective way.  The 3D-SiteMap display
is generated automatically from eValid Site Analysis data.

Each 3D-SiteMap chart shows a collection of URLs and their
interdependencies in a 3-dimensional display that can be rotated on
two axes (in 3D!), zoomed in and out, and scaled up and scaled down
-- all under the mouse control.

Live examples of eValid 3D-SiteMaps are given at:

      Important Note: The three pre-programmed examples total
      about 600 KBytes so please be patient when downloading
      the example file.  The pictures are worth the short

Examples of good and bad WebSite design -- as reflected from the
3D-SiteMaps -- are given at:

Please contact us at  if you would like to qualify
for a FREE evaluation copy of eValid Ver. 3.2 that includes this
unique and powerful 3D-SiteMap visualization feature.


        Unit Testing by Michael Reidy: A Reader's Reaction

Mr. Reidy is right: Unit testing is necessary for producing reliable
systems. However, I am not sure if his approach will always work and
be effective.

My experience is that you have to enable developers (designers and
coders) to develop their unit tests. These tests should be developed
BEFORE coding.  A good format is using an Excel spreadsheet.

XP, among others, requires that.

The unit test should then be automated. This can be done by using
test harness tools. (I have no experience with Software Research's
tools, but Parasoft, IPL, ATTOL testware and Testwell Oy are
suppliers of such tools.  Automation is done by analyzing the
completed code (which should have been reviewed and checked before,
see later) - and generating the necessary stubs and drivers as well
as data templates. The spreadsheet data can either be read directly,
or be converted.

Modern tools allow to regenerate drivers and stubs dynamically
whenever the code changes.  This test should then be collected in
the project library and rerun automatically every time the code is
changed. This works in organizations where reliability is necessary.

What else? There are the review, and static analysis. Reviewing
stuff that is improtant is a common best software practice. Reviews
of detailed design and code should be held during the work and after
completion. XP gives a good method, using pair programming for
continuous reviewing. You may use that without all the other XP
techniques. Otherwise you may assign two people for any unit, and
require person number 2 to be ready for review immediately (in
exchange for someone else being ready to review HER code).  Static
analysis is done by tools. Such tools exist widespread but are
nearly never used. The number of warnings generated is too large, or
it is too boring to review them. However, such tools can be
tailored, parameters can bet set, and developers may change their
code standards over time to prevent dangerous coding practices. This
all will reduce the number of false alarms in static analysis.

OK, these are my two cents of input.

                           Hans Schaefer
                      Software Test Consulting
              Reigstad, 5281 Valestrandsfossen, NORWAY


             Microsoft Haiku (Forwarded by Jack Grimes)

In Japan, they have replaced the impersonal and unhelpful Microsoft
error messages with haiku poetry, each with only 17 syllables: five
in the first line, seven in the second, five in the third.

Of course, it is still Microsoft products you're reading about.  But
aren't these more peaceful?

                        Yesterday it worked.
                      Today it is not working.
                       Windows is like that.

                       Your file was so big.
                      It might be very useful.
                        But now it is gone.

                        The website you seek
                       Cannot be located, but
                       Countless more exist.

                        Chaos reigns within.
                    Reflect, repent and reboot.
                        Order shall return.

                          Aborted effort.
                 Close all that you have worked on.
                       You ask far too much.

                        Windows NT crashed.
                   I am the Blue Screen of Death.
                     No one hears your screams.

                      Stay the patient course.
                    Of little worth is your ire.
                        The network is down.

                          A crash reduces
                      Your expensive computer
                         To a simple stone.

                      You step in the stream,
                    But the water has moved on.
                       This page is not here.

                           Out of memory.
                   We wish to hold the whole sky,
                         But we never will.

                        Having been erased,
                    The document you're seeking
                        Must now be retyped.


              Software Pioneers Conference (June 2001)

If you, just like me, are constantly looking for a better way to
understand the rationale and historical background of past major
software development concepts, tools, and methodologies (for
example, Structured Programming, Graphical User Interface, PASCAL,
Entity-Relationship Modeling, Algebraic Specifications of Abstract
Data Types, etc.), now there is a good source of information for you
to consider (and it is FREE, for the moment).  Nothing is better
than the explanation of the historical background and motivations
for developing those major software concepts by the persons who
invented the concepts themselves.

The "Software Pioneers Conference" which was held in Bonn, Germany,
in June 28-29, 2001, featured some of the top pioneers in the area
of Software and Information Systems and attended by over 1000
software professionals.  The presentations by the software pioneers
provide rich reading material for those teaching Computer Software-
related courses (including Software Engineering, Software Design,
Databases, Systems Analysis & Design, Programming Languages, Data
Structures, Operating Systems, Algorithms, Computation Theory,

The presentations (video and PDF files) are now available at

The following speakers, who have made truly outstanding
contributions to this field, spoke at the conference (in
alphabetical order):

  o Friedrich L. Bauer, From the Stack Principle to ALGOL
  o Rudolf Bayer, B-tree and Relational DBMS (in place of E. F.
  o Barry Boehm, Software Economics
  o Fred Brooks, OS/360
  o Peter Chen, Entity-Relationship Modeling, DB, Computer-Aided
    Software Eng. (CASE)
  o Ole-Johan Dahl, The Root of Object-Oriented Programming: Simula
  o Tom DeMarco, Structured Analysis
  o Edsger W. Dijkstra, From "Goto considered harmful" to Structured
  o Michael Fagan, Inspections
  o Erich Gamma, Design Patterns
  o John Guttag, Algebraic Specifications of Abstract Data Types
  o C.A.R. Hoare, Software Fundamentals: Assertions and Program
  o Michael Jackson, Data Structures & Algorithms
  o Alan Kay, Graphical User Interfaces: Mice and Windows
  o David L. Parnas, Decomposing Systems into Modules
  o Niklaus Wirth, Teaching Programming Principles: PASCAL

                        Raj Sharman, Ph. D.
                JF Seinsheimer Jr  Research Faculty
   A. B. Freeman School of Business, Information Systems Group,
                  Tulane University, New Orleans

The unusual announcements from three of the technology industry's
most powerful men came just weeks apart.  Microsoft Corp. Chairman
Bill Gates declared that making his company's software less
vulnerable to security breaches would take precedence over adding
new features. Oracle Corp.'s Larry Ellison pledged to make his
company's database programs "unbreakable." Cisco Systems Inc.'s John
Chambers told clients at a private conference that he no longer
regarded security enhancements on equipment that directs traffic
across the Internet as extras but as necessities.  The timing of the
announcements was no coincidence.  Directly or indirectly, the
statements were influenced by an aggressive public awareness
campaign orchestrated by Richard A. Clarke, who in October took on
the new job of White House cyberspace security adviser. In private
meetings with chief executives and in speeches at conferences,
Clarke has pushed companies to commit themselves to protecting the
online world from attacks by terrorists and other nefarious parties.
"There is . . . a growing consensus in government and industry that
we can no longer continue praising the emperor's new clothes,"
Clarke said in an interview this week. "There is a willingness to
admit that there are vulnerabilities and it is not inconceivable
that they will be used against us in a way that could be very
damaging to the economy."  Clarke's push is part of a government-
wide effort to improve cybersecurity and to better coordinate the
efforts of bureaucracies and corporations.  Just yesterday, the
House passed a bill that would allocate $880 million over five years
to computer-security research. And a coalition of companies in
partnership with the federal government announced a National
Cybersecurity Campaign to teach home and small-business computer
users how to safeguard their machines.

Over the past few months Clarke has drawn up his own ambitious
agenda, which includes:

* Creating an Underwriters Laboratory-type place to test software

* Establishing a priority cell-phone system for law enforcement and
medical personnel.

* Creating a "reverse 911," or multimedia emergency broadcasting
service, to send alerts to people in specific areas on land lines,
cell phones or computers.

* Establishing ties with cybersecurity experts in other countries to
coordinate investigations.

* Setting up a government-run Internet called GovNet.

Clarke successfully lobbied for an increase from $2.7 billion in
fiscal year 2002 to $4 billion in 2003 for government-computer

His office has created task forces of major Internet service
providers, router manufacturers and security experts in and out of
government to develop a plan to protect the basic infrastructure of
the Internet. Their proposals are due in April.

Clarke is still assembling a staff. He has filled only half of the
16 jobs.  The staff so far is a mix of national security officials,
businessmen and technical geeks. Howard Schmidt, the former head of
computer security for Microsoft, started in late January as Clarke's
deputy. Roger Cressey, a career public servant who has worked on
anti-terrorism efforts in Israel, Somalia and the Balkans, is the
chief of staff.  Also in the office are Paul Kurtz, a longtime
National Security Council staffer specializing in international
relations; Steve Poizner, a former Silicon Valley entrepreneur; and
Marcus Sachs, a retired army officer who is better known for being
part an elite group of hackers that helped the government neutralize
the "Code Red" and "Nimda" worms.

Clarke is emphasizing that government agencies and other interests
talk and share information.

"I see that office as having its greatest effect by bringing
together resources that already exist and making them go in the same
direction," said Allen Paller, director of research for the SANS
Institute, a computer-security think tank in Bethesda.

The various government agencies in charge of cybersecurity will come
together under one roof this month at the old Y2K initiative
headquarters at 18th and G Street. The Commerce Department's
Critical Infrastructure Assurance Office and the FBI's National
Infrastructure Protection Center outreach operations -- two groups
known for past turf battles -- will join Clarke's staff.

There has already been some awkwardness. While Tom Ridge's Office of
Homeland Security has taken the lead in issuing alerts about
physical threats, it has always been the FBI's job to let the public
know about viruses, worms, hacks and other things that threaten the
online world. And the mission of Clarke's office overlaps greatly
with the Commerce Department's critical infrastructure unit.

The groups have temporarily resolved the issues by making sure that
Clarke's office is informed when the FBI issues alerts and by
appointing John Tritak, director of the Commerce Department unit, as
a high-ranking member of the critical infrastructure protection
board that Clarke oversees.  Clarke spent much of his first 100 days
in office making the rounds of technology companies. Many corporate
executives expected feel-good pep talks about how government and
industry could work hand-in-hand to prevent cyber attacks.

Instead, Clarke and his staff brought binders full of research
papers raising questions about security vulnerabilities. They were
not above coaxing or bullying the business officials with threats of
regulation and appeals to patriotism.

"No vendor wants to appear like they are not being patriotic or
responsive to real concerns about security breaches or flaws now and
I think Mr. Clarke is very effective at using that to push them to
make changes," said Catherine A. Allen, the chief executive of the
technology group for the Financial Services Roundtable, which
represents the chief executives of some of the nation's largest
companies.  Microsoft spokesman Jim Dessler said while the company
chose on its own to redirect its software development efforts, "it
came in the backdrop of an increased emphasis in security that has
been put forward by those in government such as Clarke."

Mary Ann Davidson, chief security officer at Oracle, said that since
Sept.  11 federal officials have made many people realize that
perhaps "the most frightening type of attack is one that's launched
in cyberspace to bring down our critical infrastructures."  "To get
these companies to put their money where their mouths have been for
years, that is a major victory for his office," said Gilman Louie,
who heads In-Q-Tel, the high-tech venture fund financed by the
Central Intelligence Agency.

But even as they praise his aggressiveness, some question Clarke's
priorities.  His proposal to create GovNet has been criticized by
many experts as impractical and costly. His partnership approach to
get industry to do things voluntarily has clashed with the opinions
of groups such as the National Academy of Sciences, which recently
put out a report that said new liability laws are the answer.

Eugene Spafford, director of Purdue University's Center for
Education and Research in Information Assurance and Security, said
Clarke should spend more of his energy on getting federal computer
systems up to par.  "They are starting in the wrong place," Spafford
said. "If I were out in industry I would find it unpersuasive to be
told that I have to spend a lot of money on new security without
some indication that government has done it first."

Forwarded by Jeffrey Voas, Co-founder and Chief Scientist, Cigital,


                            Symposium on
              Cyber Security and Trustworthy Software

                       Friday, March 15, 2002
                  Stevens Institute of Technology
                      Hoboken, New Jersey, USA

This symposium brings together researchers and practitioners, in
government, academia and industry, to discuss problems and possible
solutions in cyber security, both for e-commerce and for homeland
security. A particular emphasis

of the symposium is to bring together those interested in
communications security and in end-to-end security.

Further information is available at the web site:

Here is the lineup:

  * AM Keynote: "The Case for Language-Based Security," by Fred
    Schneider, Cornell University.

  * "Decentralized Mechanism for Distributed Access Control," by
    Naftaly Minsky, Rutgers University.

  * "Java, Access Control and Static Analysis," by David Naumann,
    Stevens Institute of Technology.

  * "Security Protocols for Wireless Computing," by Susanne Wetzel,
    Stevens Institute of Technology.

  * PM Keynote: "Network Security," by Steve Bellovin, AT&T

  * "Fault Tolerance, Security and Programming Languages," by
    Dominic Duggan, Stevens Institute of Technology.

  * "Formal Analysis of Security Protocols in a Concurrent Logical
    Framework," by David Walker, Princeton University.

  * "Intrusion Detection in Wireless Networks," by Constantine
    Manikopoulos, New Jersey Institute of Technology.


                         ICSE Venue Changed

With regret, the ICSE 2002 organizers, in consultation with the ICSE
steering committee, have decided to move ICSE 2002 from the
originally planned Buenos Aires, Argentina venue to Orlando,
Florida, USA. The conference dates, May 19-25, 2002, remain the

You are no doubt aware of the recent events in Argentina. We believe
that any risk to ICSE attendees as a result of these events is much
less than the impression given by news reports and that most likely,
the situation will stabilize by May.  In addition, we acknowledge
that no location is entirely without risk, as we were sadly reminded
in September.  However, many participants in ICSE must make travel
arrangements far in advance of the conference and we must consider
perceptions as well as actual risks.  After polling as many as
possible of those involved and the full ICSE steering committee, we
have concluded that many ICSE attendees do not feel sufficiently
confident to commit to traveling to Buenos Aires at this time.

We all looked forward to ICSE in Buenos Aires.  The exceptional
group of local organizers meant we were certain of a successful
conference.  We deeply regret the need to relocate ICSE 2002.  We
look forward to future conference opportunities in Buenos Aires,
which despite temporary setbacks remains a wonderful place to visit
and the home of a considerable amount of world-class software

Given adequate time, we would have preferred to move to another
location in South America.  The extremely short lead time and the
difficulty of making arrangements for a major conference such as
ICSE dictated relocation to Orlando, Florida, USA.  We are fortunate
to have obtained excellent conference facilities at the Marriot
hotel, with favorable room rates and without a change to the
conference dates.  Although Buenos Aires would have been preferable,
we have every reason to be believe that ICSE 2002 in Orlando with
its excellent technical program will be a rewarding experience for
attendees.  We look forward to seeing you there.

For additional information visit: <http://www.icse->

The ICSE 2002 Executive Committee:
        Will Tracz, General Chair
        Jeff Magee, Program Co-Chair
        Michal Young, Program Co-Chair



Interesting little tidbit-doesn't really have any meaning, but may
be of interest.

As the clock ticks over from 8:01PM on Wednesday, February 20th,
2002, time will (for sixty seconds only) read in perfect symmetry.
To be more precise:

                        20:02, 20/02, 2002.

It is an event which has only ever happened once before, and is
something which will never be repeated. The last occasion that time
read in such a symmetrical pattern was long before the days of the
digital watch (or the 24-hour clock): 10:01AM, on January 10, 1001.

And because the clock only goes up to 23.59, it is something that
will never happen again.

Forwarded to QTN by Susan Low.


              Workshop on Ubiquitous Web Applications
                  Keynote Address by Roy Fielding

                           July 1-2, 2002
                        Siemens Forum Vienna
                          Vienna, Austria

In the near future, an increasing number of Web applications will
become "ubiquitous" i.e., delivered to a veriety of devices and
communication channels, an will often be targeted to inexpert users.
Their quality - in terms of customised behaviour and effectiveness
of their development/maintainance lifcecycle - may be threatened by
the current inability to properly design them.

The UWA project aims at defining a set of methodologies, notations,
and tools to tackle the main forseen problems in the design of such
applications. These include the definition of proper concepts and
languages for describing their behaviour, the ability of tracking
correlations among their different components, and the capability of
correlating their requirements to design and implementation. In
order to address the need for standards in design and documents
notation, the project defined suitable extensions to the Unified
Modeling Language (UML).

The workshop hosts presentations and tutorials about requirements
elicitation, design, and customisation of ubiquitous Web
applications. The presentations are targeted at technology and
product managers, designers and developers, from both academia and
industry. The workshop is also supported by leading personalities
from the industrial and research communities, who will be presenting
the state of art in the fields of context awareness (Tom Gross,
Frauenhofer Institute, Germany), e-Services (Fabio Casati, Hewlett-
Packard Labs, Palo Alto, USA), and the future of the Web (Roy
Fielding, Chairman of the Apache Software Foundation, USA).

Key topics addressed by this workshop are:

  * Design of Web-based applications
  * Context awareness
  * Design methods
  * Ubiquity and multi-channel delivery
  * Requirements for ubiquitous Web-based applications
  * Customisation
  * e-Services

Andrea Savigni, Ph.D.
Research Fellow, Department of Computer Science
University College London, UK


                       SQRL Report Abstracts

The web address for downloading reports is:

SQRL Report No. 2:  Hierarchical Interface-based Supervisory
Control: AIP Example for Parallel Case, By: R.J. Leduc, M. Lawford,
and W.M. Wonham

In this report we present a large manufacturing example (7.01 x
10^21 states) that uses the Hierarchical Interface-based Supervisory
Control method. We discuss the application of our method to the
Atelier Inter-etablissement de Productique (AIP), a highly automated
manufacturing system. We describe the system, and our supervisor
design, closing by discussing the results of successfully applying
our method to show that the system is nonblocking and that our
supervisors are controllable.  This example demonstrates that our
method can be applied to interesting systems of realistic complexity
that were previously far beyond our means.

SQRL Report No. 3, Model of Concurrency in Object-Oriented
Databases, By: Daniela Rosu

The most commonly used model for concurrency control in traditional
database systems represents transactions as streams of partially
ordered operations that are scheduled for execution by a central or
distributed transaction manager. The various scheduling strategies
are proved correct by using the serializability theory. This theory,
in its classical form, operates successfully on systems with at
(non-nested) transactions but is unable to represent conveniently
complex (nested) computations, inherent to the object-oriented

This report presents a more general model for transaction management
which permits nested computations and a technique for proving the
correctness of the schedules designed by the concurrency control
mechanism. All objects in the database are assumed to have their own
concurrency control mechanisms that schedule the operations local to
the objects according to the order devised by the central
transaction manager. The classical serializability theory is
extended with an abstract model for computations allowing for
arbitrary operations and nondeterministic programs.

    ------------>>> QTN ARTICLE SUBMITTAL POLICY <<<------------

QTN is E-mailed around the middle of each month to over 9000
subscribers worldwide.  To have your event listed in an upcoming
issue E-mail a complete description and full details of your Call
for Papers or Call for Participation to .

QTN's submittal policy is:

o Submission deadlines indicated in "Calls for Papers" should
  provide at least a 1-month lead time from the QTN issue date.  For
  example, submission deadlines for "Calls for Papers" in the March
  issue of QTN On-Line should be for April and beyond.
o Length of submitted non-calendar items should not exceed 350 lines
  (about four pages).  Longer articles are OK but may be serialized.
o Length of submitted calendar items should not exceed 60 lines.
o Publication of submitted items is determined by Software Research,
  Inc., and may be edited for style and content as necessary.

DISCLAIMER:  Articles and items appearing in QTN represent the
opinions of their authors or submitters; QTN disclaims any
responsibility for their content.

STW/Regression, STW/Coverage, STW/Advisor, TCAT, and the SR logo are
trademarks or registered trademarks of Software Research, Inc. All
other systems are either trademarks or registered trademarks of
their respective companies.

        -------->>> QTN SUBSCRIPTION INFORMATION <<<--------

To SUBSCRIBE to QTN, to UNSUBSCRIBE a current subscription, to
CHANGE an address (an UNSUBSCRIBE and a SUBSCRIBE combined) please
use the convenient Subscribe/Unsubscribe facility at:


As a backup you may send Email direct to  as follows:

   TO SUBSCRIBE: Include this phrase in the body of your message:

   TO UNSUBSCRIBE: Include this phrase in the body of your message:

Please, when using either method to subscribe or unsubscribe, type
the  exactly and completely.  Requests to unsubscribe
that do not match an email address on the subscriber list are

	       Software Research, Inc.
	       1663 Mission Street, Suite 400
	       San Francisco, CA  94103  USA
	       Phone:     +1 (415) 861-2800
	       Toll Free: +1 (800) 942-SOFT (USA Only)
	       Fax:       +1 (415) 861-9801
	       Web:       <>