Category Archives: Privacy

Minimal Viable Authentication: usability versus security

Trigger warning: stalking.

For the following stories I am using the imaginary VIP Cinema again instead of the real app. This way I can freely write about my experiences without naming the actual app.

Usability is king

The VIP Cinema app offered its clients a discount for parking. This service appealed to me. So I contacted the customer service and got a power of attorney number. On request I had to mention this number to get my promised discount of 50 percent on parking.

After a while I wanted to reserve my parking without calling the customer service. There was a simple solution: a parking app. I installed the app and had to register. The first thing I did, was to have my power of attorney number ready.

The next step was to enter my email address and a password. Then I had to verify it by clicking on a link in an email. A dialog asked for my membership number of the VIP Cinema app, so I opened the app and found the number.

I received an email to verify my email address for the parking app. After clicking a link, I had to enter my VIP Cinema membership number. The next moment I could reserve a parking place for my car without entering my power of attorney number.

The registration was smooth and it saved me the extra step of entering another number. I really liked this experience.

Security is pauper

“I want to show you something,” I told another computer software professional.
“Here is my mobile. The VIP Cinema app is open and shows my membership number.”
I got a nod.

“Now I am going to the website to register a new user id and password for the parking website.”
Another nod followed.

This looks familiar

Then I entered a new email address and password. After clicking the link in the mail to verify my email address, I asked him for my membership number. While he was reading out the number, I entered it in the requested text field in the dialog.

“Let us see what kind of information we can get based on this single number.
You can see where I live. This information is needed for billing.”

Worth noting

“Let’s have a look at my parking history. This is the parking I used every other week. This is an interesting pattern. Last week I parked there. So next Friday I will probably park the car there at 7 pm.”

Let me guess

“There is a high chance that I visit a cinema close to this parking. The discount is offered by the VIP Cinema app. Notice that no power of attorney number was asked for. Asking for it would improve the security.”

All that being said

“Even worse: I did not get an email that another account was coupled to my parking account. I refreshed my inbox: no mail was found about the double registration.

Certain social media apps inform me directly, if my account is accessed from an unknown device. But this was not the case for this app.”

This time I did not get a nod, but an astonished face.

Signals of poverty

When I phoned the customer service of the parking service, no power of attorney number was requested.

During this phone call there was a check of my birthday, my zip code, and my house number. These can be obtained using social engineering, or by extracting private information without attracting attention.

This I Learned

Authentication is about making sure that the right person gets access. Some shortcuts can have severe drawbacks.
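To make the shortcut described in these stories concrete, here is an added illustration that is not code from the original post or from any real parking app. It models the linking step in two ways: the weak flow links a new parking login to a membership on the membership number alone (a number that is displayed in the cinema app and easy to read over someone's shoulder), and the hardened flow additionally requires the power of attorney number and notifies every login already linked to that membership. The class names, the `link_account` method and the sample members are assumptions made for this example.

```python
"""Account linking on a shareable number versus a secret plus notification.

Added example, not the original post's code. The membership and power of
attorney numbers below are constructed sample values.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Member:
    membership_number: str          # visible inside the cinema app, not a secret
    poa_number: str                 # "power of attorney" number, handed out by customer service
    home_address: str               # billing data that becomes visible after linking
    logins: list = field(default_factory=list)         # parking logins linked to this membership
    notifications: list = field(default_factory=list)  # (recipient, message) pairs sent out


class WeakParkingService:
    """Links a new parking login as soon as the membership number matches."""

    def __init__(self, members):
        self.members = {m.membership_number: m for m in members}

    def link_account(self, login_email, membership_number):
        member = self.members.get(membership_number)
        if member is None:
            return None
        # No second proof and no notification: anyone who has seen the
        # number now sees the address and parking history.
        member.logins.append(login_email)
        return member


class HardenedParkingService(WeakParkingService):
    """Requires the power of attorney number and informs existing logins."""

    def link_account(self, login_email, membership_number, poa_number):
        member = self.members.get(membership_number)
        if member is None:
            return None
        # Constant-time comparison of the secret the caller must know.
        if not hmac.compare_digest(member.poa_number, poa_number):
            return None
        # Tell every already-linked login that a new login was coupled.
        for existing in member.logins:
            member.notifications.append(
                (existing, f"A new parking login ({login_email}) was linked to your membership"))
        member.logins.append(login_email)
        return member


def sample_member():
    """Constructed sample: one member with one parking login already linked."""
    return Member(membership_number="100200300", poa_number="POA-4711",
                  home_address="Example Street 1", logins=["owner@example.invalid"])


def run_weak_flow():
    """Second login linked with only the membership number: succeeds silently."""
    member = sample_member()
    service = WeakParkingService([member])
    linked = service.link_account("second@example.invalid", "100200300")
    return linked is not None, len(member.notifications)


def run_hardened_flow(poa_guess):
    """Second login linked only with the correct power of attorney number."""
    member = sample_member()
    service = HardenedParkingService([member])
    linked = service.link_account("second@example.invalid", "100200300", poa_guess)
    return linked is not None, len(member.notifications)


if __name__ == "__main__":
    print("weak flow (linked, notifications sent):", run_weak_flow())
    print("hardened flow, wrong number:", run_hardened_flow("POA-0000"))
    print("hardened flow, right number:", run_hardened_flow("POA-4711"))
```

The notification is the part that turns a silent takeover into a detectable event: in the story the first account holder never learned that a second login had been coupled, which is exactly what the hardened flow's `notifications` list records.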

My Workshop At Agile Testing Days 2019

Preparation costs energy

After all the last weeks’ changes I could finally start my actual workshop.

I felt an energy drop and watched an expectant audience from a far distance. I used my automatic pilot for the intro.

While nobody moved, my distance to the audience became closer while I was talking.

Boom.
I was back in the room.

First test session

For me the most elementary things of Exploratory Testing are

  • Charter
  • Test idea
  • Explore
  • Debrief

For this I created a heuristic. CTED is pronounced as See TED. If I need some inspirational talks, then I go to Ted.com.

A charter is a short instruction for a test session.

Explore <target>
with <resources>
to discover <information>

This template by Elisabeth Hendrickson is compact and informative, as mentioned in Explore It!

For those interested: “test charter” is not found in the book's index, but “charter” is.

In my workshop the Target was a website. But a website is still quite big. The Resource is often a web browser.

Information was focused on privacy. The General Data Protection Regulation or GDPR, a European privacy law, is still quite huge, so the next step was to select some articles of the GDPR.

I picked two. One led to the following question:
Does the website ask consent to gather information?

A charter can be quite abstract. A test idea can be used to focus on a feature, window, or term used in the website to explore.

The word consent is not used frequently, so which words are used on a website?
Privacy, cookies, permission, private data, etcetera.

Using the charter and test ideas it is possible to explore the website and find out whether consent is actually asked from the user.

During the debrief the attendees shared their information, which could be used for the following test session.

Background information first test session

For the basic structure of the test session I used the heuristic DiSSS from Tim Ferriss. This stands for Deconstruction Selection Sequence Stakes.
I assume that the i was added for pronunciation reasons.

I looked at all the steps I took during Exploratory Testing.
Are detailed test cases needed? Not in every case. Most of the times a good description of the precondition is good enough.

What I noticed during Deconstruction was that certain steps always came back. These steps I used for the Selection for CTED. This also led to a logical Sequence. The Stakes were twofold: people had to tell whether the workshop is worthwhile. Also the fines for privacy could be quite high.

Second test session

One test session done.
Another one to do.

At the beginning of the session I enhanced the resources with personas. For me a persona is a person with a need, who interacts with the system.

Examples of a need are: acceptance, cooperation, safety, purpose, learning, support, inclusion, etc.

E.g. a known persona is a marketeer. The more she or he knows about a website visitor, the more she or he will sell.
For this purpose I had made a set of persona cards.

I also handed out a one-pager to the attendees with articles and test techniques which could be used for testing websites on GDPR compliance.

The test techniques were selected using DiSSS.

After the Explore phase more issues were mentioned during the Debrief phase.

Background information second test session

Once again I used a heuristic of Tim Ferriss, CaFE. This is an abbreviation for Compression Frequency Encryption. Once again I assume that the ‘a’ was added for pronunciation.

Was it possible to compress information for testing GDPR? Yes, by making a one-pager.

I tried to make the Frequency high, so attendees had to go through the Charter – Test idea – Explore – Debrief cycle multiple times.
I used Encryption by using CTED.

In case you need more background information, please have a mind map.

What went wrong

The time to explore was quite short. I did this on purpose. For beginners it can be terrible to click through a site for 10 minutes on your own without finding anything.

In hindsight a group activity was better suited to explore the website.

While I tried to keep the introverts involved, it was a challenge to give them enough speaking time. I really liked the sticky notes for found bugs in the workshop of Lisa Crispin and Lena Pejgan.

My laptop prerequisite for the workshop turned out not to be needed. I could demo certain tools using my own laptop. Luckily there was an Open Space to demonstrate GDPR and Exploratory Testing.

What went right

The demo was a great way to change the pace of the workshop. I had good feedback during the repetitions.

My impression was that most attendees were hesitant to test their own websites or the websites of their employers. My test website provided a safe environment to explore.

During the preparations I learned a lot about websites and tools.

Thank you José Diaz and your team for this wonderful journey.

Warning: Code of Conduct ahead

On November 5th I gave a workshop about Exploratory Testing and the General Data Protection Regulation. GDPR is a European privacy law.

Need

In the past I wrote about the Code of Conduct. A good set of rules will ensure the safety of the delegates, the speakers, and the organisers of a conference. When enforced.

Therefore I was keen to adhere to this Code. The more diverse people at a conference, the more perspectives being shared. A new perspective is not always out of the box thinking, but natural for some people.

A woman looks at privacy differently than a man.

Now I had a dilemma: I had a workshop about privacy. If a name and address would become public, then unpleasant things could happen to certain people.

I remembered a conversation with a white man not realising the consequences of a data breach. So I shared a story with him. It had some impact on him.

But this same trick would have a bad impact on the women present in my workshop. So I would not be sticking to the Code of Conduct.

Imagine being removed from the conference as a speaker. Not good. At all.

Contact

It was time for me to mail Uwe Gelfrich, my contact at the conference. I drafted a brutally honest warning along the lines of:
the workshop contains situations about violence and harassment.

In this way I could still talk about certain situations, because people were warned in advance.

Uwe replied thoughtfully: violence and harassment would not be used in the workshop. And he proposed a warning along the following lines:
the workshop may contain situations about violence and harassment.

I agreed.
The warning was placed on my abstract on the website.

And I would not use a rant.

Attention

During the preparation of my workshop I read a tweet about an anxiety attack of a delegate at a conference. According to me, this person was angered by the vague content warning.

I reacted with the following tweet:
“During Global Diversity CFP Day this year I heard about trigger warnings for the first time.

So I did my homework.

I contacted the conference about a suitable and specific warning. It is on my abstract. It will be shown before and right after the start. I will tell it.”

Start

On the day of my workshop I tweeted about the warning. It was retweeted by Agile Testing Days.

During the arrival of the delegates I regularly switched between the workshop title slide and the warning slide.

After the opening I gave a warning and explicit permission to leave the room. I would not be offended. Then I waited about 20 seconds before continuing.

So this looked like an inclusive opening of my workshop.

Actually no.
I missed some accessibility items which will be covered in the next blog post. Reads like a pretty cliff-hanger.

Change

On the Women and Allies evening a delegate told of a talk with HR. If colleagues would not behave themselves, then they would probably be removed from conferences because of the Code of Conduct.