Security by Luck

Last week I saw the attack vectors of the most popular attack on
WordPress web sites at the moment.
Just two lines.

Was I prepared? Yep.

In my mailbox I had a message that my web site was updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the latest version of WordPress running. All minor updates are automatically deployed.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about it.

How did I select my web site host?
I looked for a provider who offered all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck, mate.”
“Really?”
“I compared several providers. The one I chose also focused on companies. If I ever scaled up, I had a company that could help me.”

“Can you be more specific?”

“Sure. I looked for the information on the web site. It was written in a way that I could recommend it to a company.

It also had enough tech background information. That was good for my inner nerd.”

“Wait a minute.”
“Yep.”
“You just told me which Content Management System you use for your web site. And that you are using PHP. Are you not exposing too much information?”

“A real hacker can determine this information within seconds. He looks at the source code or uses some plug-ins.
On my smartphone I have Dual HTML Viewer, which is a similar tool.”
“How did you find that mobile tool?”
“#30daysoftesting

You could call it luck. I prefer to bend it.”

No comments please
Seth Godin once gave the advice to turn off comments on a web site. If a blog post were interesting enough, people would have to refer to it. Free publicity.

This time saver was nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test for XSS or Cross Site Scripting attacks. I basically added information to a web site which changed its behaviour.

If I add HTML code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add extra features like a window. This can be used to distribute confidential information to other people. Without their permission.
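The passage above describes the two faces of HTML in a comment: the harmless formatting tags a commenter wants (bold, italic) and the injected markup an attacker wants (scripts, event handlers, new windows). The usual defence when comments stay enabled is to keep a short whitelist of tags and HTML-escape everything else. The following is an added example written for this article, not code from the original post or from WordPress; the tag whitelist and the `sanitizeComment` name are my own choices.

```javascript
// Added example (not from the original post): a whitelist sanitiser for blog
// comments. Formatting tags the post mentions (bold, italic) are kept in a
// canonical, attribute-free form; every other "<...>" sequence is escaped so
// the browser renders it as literal text instead of markup.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong"]); // assumed whitelist

// Escape the five characters that let text break out of an HTML text node or
// attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Sanitise one comment. Allowed tags are re-emitted without attributes (so an
// onclick="..." on a <b> is dropped), stray or mis-nested closing tags are
// rendered as text, and tags left open are closed so formatting cannot leak
// past the comment into the rest of the page.
function sanitizeComment(comment) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  const open = [];          // stack of currently open allowed tags
  let out = "";
  let last = 0;
  let match;
  while ((match = tagPattern.exec(comment)) !== null) {
    out += escapeHtml(comment.slice(last, match.index)); // text between tags
    const name = match[1].toLowerCase();
    const closing = match[0][1] === "/";
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(match[0]);                       // <script>, <img>, <a> ... become text
    } else if (!closing) {
      open.push(name);
      out += `<${name}>`;                                // attributes deliberately discarded
    } else if (open.length && open[open.length - 1] === name) {
      open.pop();
      out += `</${name}>`;
    } else {
      out += escapeHtml(match[0]);                       // closer with no matching opener
    }
    last = tagPattern.lastIndex;
  }
  out += escapeHtml(comment.slice(last));
  while (open.length) out += `</${open.pop()}>`;         // close anything left open
  return out;
}

// Constructed sample comment: legitimate formatting plus an injected script.
const sampleComment = "<b>Nice post!</b> <script>alert('xss')</script>";
console.log(sanitizeComment(sampleComment));
```

The point of the whitelist is that the decision is made on what is allowed, not on what is known to be bad: a new tag or attribute the sanitiser has never heard of is escaped by default. The output is still only safe when it is placed in an HTML text context; inserting it into a `<script>` block or an attribute value needs a different encoding.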

No comments disabled this use of XSS. Luck? Not really.
Seth made me think in another way.

BTW Seth did advise using comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious
One of the criteria to choose my own web site host was full control over the content of my blog. Even if I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model, their way to earn money, is advertisements on my web site. Of course I can disable it by paying.

At a security conference a Finnish guy showed how advertisements can be misused. He connected to a web page with a single bad pixel. His system was contaminated within milliseconds. Live on stage.

Reading the right stuff
During one of my visits I saw a familiar computer magazine on the table: “I read it too.”
“It is good,” was the answer. He also works in IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backup and restricted the access with a special tool kit. Sometimes I feel lucky to find easy to use tools.

A Case of Bad Luck
Within two days after pushing my first piece of this blog post on the web I found two annoying items on the web.

Santosh Tuppad had considerable concerns about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote Troy.”
“It is not a city in ancient Greece, which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?

Speaking at TestBash NL 2017

The bus was about to leave Utrecht. But TestBash was in Utrecht. I politely asked the bus driver about my bus stop again.

He put the blame on the broken system in his bus.
Seen that. Done that.
I had a workshop to prepare, mate.

Just a few things
A few weeks earlier.
With a rapidly approaching workshop I tried to get a good picture of the room. Okay.

10 people would attend my workshop. I expected more. After digesting my disappointment I looked at the bright side: I could handle them.

Then slowly stress was getting to me. On my shopping list for my workshop were a beamer and a screen. Huib mailed back: there is a screen. You do not need a projector.

So I repeated my request. The reply was to attach my laptop to the screen. I was puzzled. It took some time to realize it was a flatscreen.

As a speaker I was allowed to participate in a workshop. I selected Gitte’s in the afternoon.

Then I got curious: was there a way to get more information about the morning workshops, including my own? I clicked.

My workshop was sold out. Wow. Excuse me. Just had another look. My workshop was sold out. I freaked out.

Almost ready
Back to the workshop day.

After the scenic tour with the bus I involuntarily extended it. Using a public transport app I located the street after some backtracking.

A short walk later I saw a place. Wrong place. The venue should be where the foreigner with the small backpack was heading to.

He was out of sight. So …. I had passed a church. You’re kidding. Outside was a banner with a 7. The venue had a 7 in the name and it was situated at no. 7. I entered the building and saw Rosie. Bingo.

I got my ninja sticker and was ready to prepare my workshop. Huib provided the paper, markers and stickies. And up we went.

We entered a lovely room. Ideal for a workshop: tables and chairs. Just what I had in mind.
“You have another room,” Huib remarked.
Other pleasant thoughts about the room were immediately muted.

I ended in a small room with one big table. A door with a glass plate on top of it. Good enough for an agile tester.

There was a facility manager, which was quite convenient. “We’ve got HDMI,” she proudly announced.

I showed her the side of my laptop. “I need VGA.” And off she went, returning with some fancy connector.

Sound was also difficult. The line from the connector was too short. A box was brought up.

“Do you need something?”, the lady asked.
“I would like to have some coffee.”

I prefer to have my laptop in front of me, so I moved my laptop and the screen. After some shuffling I had my preferred position for my laptop on the big table.

Then this table became my next point of concern. 10 people would attend my workshop and I had only room for 9.

Big sigh, followed by moving all the stuff back to the old position.

“Do you need something?”, the lady asked.
“I would like to have some coffee.”

Some attendees had already been present for half an hour. I apologised and continued with my preparation.

I got a glass of coffee from a member of my audience. Cheers mate.

At the end I connected the laptop to the screen and saw a black screen.

It was time to start the workshop after sending a HELP request to facility management.

Work hard shop
The atmosphere was a bit spoiled by moving all that stuff. I had a partial fix by connecting my smartphone to the box. Hopefully the music had a calming effect on the audience.

So I started my workshop talking about visual testing. Why I thought it could use some attention from testers.

The facility manager came back. And solved the problem by plugging in a USB connector.

I should have noted that connection. A photo was faster. Exploratory workshop preparation anyone?

Anyways my presentation was shown on screen.
Now I really could start.

Draw it again Sam
I used some tricks to get interaction with the attendees. Within 10 minutes I got verbal feedback on several questions.

Then it was time for the time out exercise. It was a tough one to do. Paper and stickies were scribbled upon with markers.

I saw people stopping and staring. I showed the next slide and explained the next step.

The advantage and disadvantage of visual testing is that I can notice progress in a few seconds.

“Take a new piece of paper and start again,” I encouraged the attendees. People stretched their arms for the paper.

Some attendees started to scribble on the stickies. “Just take this Post-it as a starting point.”

After a few minutes the cycle of explaining and exploring restarted. Slowly the result ended in a state transition diagram.

After showing the diagram I rattled off all missing elements in the model. Then I justified my choices.

On the flip chart I wrote YAGNI, You Ain’t Gonna Need It. This principle of XP, Extreme Programming, could also be used in testing. Why should I describe all details in my model, when it does not really add value?

Looking back I should have switched the time out exercises. Real life examples are pretty nasty.

There was a break after 1 1/2 hours and I had just finished the first hour of presentation. 2 hours to squeeze.
I had just entered the second hour of presentation. I already skipped 2 exercises. This was going to be tight.

On the other hand Huib granted me extra time, because the lunch would take place in another workshop room.

After the break I started with another exercise. People used state transition diagrams and process diagrams. I was really happy that they made a visual model.

During the last part of the workshop I focused on the most important parts of a new visual model. And I succeeded.

In the weeks before the workshop I memorised the mind maps of the hour presentation. I had looked at supporting stories and slides twice a day. It benefited me greatly.

San Francisco Depot or SFDIPOT
During my workshop I remembered that test ideas could be found using SFDIPOT. This powerful heuristic almost cost me a quarter of an hour.
I just skipped the explanation: I wrote it on the flip chart – “Just search on SFDIPOT.” – and moved on.

That evening I had a talk and a few beers with Klaas. He also used it frequently in combination with FEW HICCUPPS.

FEW HICCUPPS is another heuristic.
Uhuh.
Should I use his advice?
Umm.
Does it count, that he is a world champion in testing?
Yeah… Probably.
Great, extra homework for me.

The next day I remembered that I had blogged about SFDIPOT. So I tweeted this to my followers:
mindfultester.com/a-test-fuga-on-2-a-flat-screens.

About connections
For one exercise I needed the Wifi. Every attendee needed only 20 kb. It was too much.

Huib had already mailed me several warnings: the wireless network was not fit for workshops.

Of course I had taken measures: I made my smartphone a Wifi hotspot. Within minutes every attendee was on the web.

Later in my workshop the screen went black. One of the attendees pointed at the loose adaptor. With all the moving of my laptop I had forgotten to connect something. Oops.

I plugged my laptop into the mains. It was time for a Fieldstone. I had a small role playing game or RPG.
“If you are familiar with Fantastic Beasts and Where to Find Them, he looked like Newt Scamander.” And I let the game begin.

After the RPG I saw the login screen. I switched back to presentation mode.

Gravity in action
The workshop had to be finished in an appropriate way. I still had so much to tell. I picked the Fieldstone with the Pendulum.

A few weeks before the workshop Katrina had written about a pendulum. She used it to illustrate finding the optimal way of testing.

I could not find my props, so I used the mouse. On the flip chart I wrote too deep and too shallow.

With my left hand I held the tail of the mouse. The right one grabbed the mouse and released it at “too deep”. The mouse moved in an arc until it lost all its speed. This was the optimum for testing.

In testing a lot of words are used. The trick with visual testing is to find the right balance between no pictures and too many pictures.

During my preparation I remembered Nassim Taleb telling the essence of Antifragile standing on one leg. I had the feeling, that I had done the same.

Relax man
In my mind I was still fretting about the fact that I had to skip exercises and stories. When I met Jean-Paul, I told him:
“I have so much material.”

He looked at my backpack and a cylindrical case on my back:
“You always have.”
Or was he really thinking about information that could be shared?
I don’t know.

Our conversation continued about the small things which improve the life of a speaker, like an available presenter. A click on a button of this laser device shows the next slide.
Use the force. Push.

That thing about courage
In the workshop about courage Gitte gave me homework. “Write on a paper the first step of something you are going to do next week.” It was about something that would require courage.

I wrote on my paper: “Short”. I wanted to write a short blog in a few days. Normally it takes me weeks from Fieldstone to blog post. I could reduce that, but how …

The week after TestBash I wanted to write about meeting people. Was there a way to change my way of blogging?
I focused on what I wanted to share. It was basically the feelings and thoughts I had. There was no test knowledge I would share.

Was there a message I could share?
Yes. Meeting peers is great. Surprises are great. The test community is .. you got the message.

I started with a mind map. Then I added notes. I made a funny picture. I gained more and more speed.
The result was the previous blog post BTW.

Soon afterwards I started this blog post. All kinds of memories about my speaking experience at TestBash I put here. Piece by piece. Day by day.

Look who’s speaking
The conference day started a bit unusually for me.
“Welcome mister speaker”, Huib said, followed by a bow.
I tried to find a funny answer. That was difficult without coffee:
“Hello mister organiser”

The day before the conference day I was asked twice:
“Will you speak tomorrow?”
How did they recognise me?

So on the conf day I asked whether the colour of my ninja badge had an extra meaning. E.g. Talk in black. Workshop in green. Silver for free beers. Etc. Actually there was no silver. Mind you.

There was no connection between colour and role however. Maybe a Chinese man with a Dutch accent is associated with a speaker. Or people actually recognised me from the program. Or I was simply carrying too much stuff in a backpack and case on my back.

In a room filled with goodies I got my badge of honour, a T-shirt with a golden Ninja.
“Now you are one of the Golden Guys.”
I hereby can confirm there is a connection between the golden ninja and the ministry of testing.

In the morning I remembered that two attendees had asked me a strange question. So I tweeted:
Attendee: “Do you give workshops for a living?”
Me: “No, I am a tester.”
#testbash
https://mobile.twitter.com/huibschoots/status/824536807442436096

In the afternoon other people started to like this tweet. Some of my testing muses did. For a short period I was energised and then drained afterwards.

Zone of what?
During one of the breaks on the conference day I had a talk with Marcel, who wore a sweater with the intimidating text:
“You cannot scare me. My wife has a PhD.”

I told him that I was surprised about the progress during the exercises. I could solve exercises from my workshop within minutes. He remarked that it was all about the zone of proximity.

It is easier for me to transfer knowledge to someone who has the same experience or only a few years’ experience more or less. She or he is in my zone of proximity.

This meant that it would take me more time and effort to teach people who have significantly less experience in testing.

Within an hour I had a new follower on Twitter: a German guy, who had written a respectful blog post about the test pyramid. He looked somewhat familiar. And I had talked to him.

Look who’s speaking
A week after the announcement on the web I met Huib Schoots, the program chair. He asked:
“Did you see the program?”
“Yes, you were not on the list,” I replied.

“I noticed that Manon is on the list.”
“I encouraged her to submit,” Huib admitted.

During the last break on the conference day I saw Manon sitting in the last row. So I asked about her workshop. We talked about tables and Wifi. Pieter and she had set up their own network. Another way to address a workshop risk. Jack in the box. Check.

After the break the audience was asked whether they had switched places. This conference was a way to meet other testers. I had moved from the front row to the back row.
Guilty as charged, Your Honour.

Thanks for the invitation Huib and Rosie.
And it all started here.

Four Meetings and uh View ‘Em All

My first blog post about TestBash NL 2017

Un
Just before the Lean Coffee I saw one of my Twitter heroes.
I stood up and shook hands with Patrick Prill.
“Nice to meet you.”
“We already met in Runo a few years ago.”
And I could not remember it. Hmmm.

Deux
During the Lean Coffee I was tapped on my left shoulder. Curiously I turned my head to the left: nobody.
O yeah, that old joke.
I turned my head to right seeing Bart Knaack smiling. Still in for a joke.
Always nice to meet him again.

Trois
So I asked the woman with bright pink hair: “Are you @gwendiagram?”
“Yes.”, she confirmed.
Curiously she asked: “What is your Twitter handle?”
“@MIndfulTester,” I answered in a neutral tone.

A big smile came up:
“You are @MIndfulTester!!”
I loved the positive energy, which I felt. But I was puzzled about the reasons.

Quatre
After the talks I told Mary Gilmartin about our talk in the pub the day before:
“I did not know you were talking.”

Somehow I was more surprised about this fact than our little chat about TDD.