Category Archives: Secure things

GDPR – The forgotten tests – Test 3

Showing the status code 451 instead of a website is not enough to avoid GDPR penalties in particular cases.

Management report

Showing an error message instead of the website to users with a laptop or PC in the EU is not enough. Tracking EU citizens without consent is still possible and therefore not GDPR compliant.

The section ‘Advice’ provides a more detailed description.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

Experience report

This is my way of reflecting on my GDPR research of the last months. It took me lots of hours.

If I missed a legal or W3C link, you can always contact me. I am happy to update this blog post.


This spring I prepared a workshop about blogging. I tweeted about the use of sketch notes to find fieldstones. It got attention from @ConstanceHermit and Mike Rohde.

Mike had a familiar name. I bought his book about sketch noting.
He asked me for a sketch note for testing. OK. Wow. WOW.
Sure no problem.

I only had to wait for a good opportunity to put his request in practice. After a few months I saw a tweet about code on a web page:
“451: the website cannot be shown because of legal reasons.”

I visualised some scenarios and found some problems in the chosen solution. In case of impatience you can skip to the end of the article for the sketch notes. Be my guest.

Numbers are fast to communicate. If people want a pizza and call out numbers, then I can go to the website and just enter the numbers they called out.

A pizza menu was used to abbreviate the pizza names: 16 is pizza Salami, etc. This way a protocol was set up.

Web sites use the Hypertext Transfer Protocol of the internet. Status codes like 451 provide information to the user.

The problem for a tester is making an understandable message. This is quite hard. It is like explaining how a car works without using the names of car parts. I wanted to put 451 in the sketch note, but that was intimidating. I also skipped flow diagrams.

I also wanted to show off with test techniques. This was again: Not done. This is only nice for testers, but this is no good for people unfamiliar with testing. I can guarantee you that their number is way bigger than the number of testers.

Several drafts later.
One sketch note became 2 sketch notes. First I drew with a dark marker, then I used other markers for more details.

Then I set a new deadline for myself. I would use the sketch notes in a presentation. If a speaker could not make it at the test conference a week later, then I would volunteer. GDPR is still interesting stuff for testers. In legal terms it is good for the public interest.

Now I had to check my picture. And I hit the wall. It hurt.
Access is denied to the website because of tracking without consent

451 was used for legal demands. I clicked on the link to the official request to add an extra code to the HTTP protocol.
This looked pretty official.

In this case the ministry of justice contacted the internet service provider, which in turn shows a 451 to the user. Sorry access denied.

So this was not about web sites silencing themselves.
So all the hours spent were for nothing. I lost hours of work. I felt miserable. This is part of research.

The weekend before the test conference I looked on the internet. This time I searched on 451 and GDPR. The blog post ‘Is http 451 suitable for GDPR blocking?’ popped up.

So I started my due diligence.

Is it right
What I write?

The author is Terence Dent. That was the guy who had the idea for 451. I looked again in the official proposal for 451. Terence was mentioned. So my sketch note was almost good.

So I only had to change the picture. And I was all set.
Access is sometimes denied to the website because of tracking without consent
I shared my deadline with my kids and they talked about it the next days.

The evening before the conference I checked my sketch note about citizenship. GDPR was quite vague:
“Data subjects who are in the EU” [Article 2]

I could not find something about nationality. So a Dutchman in his own country is a data subject in EU. But a Dutchman in the US is not a data subject in the EU. Did I miss something?

So again I was facing a legal problem in my sketch note.

I used my search engine and found several answers to my question: is it possible to track EU citizens outside the EU?
On Quora there was a majority in favour of not tracking. One legal looking website had complex advice with lots of conditions.

Law is not about democracy, but about sticking to the rules.
Basically I hit the wall again.

Now I am a Dutchman. The big advantage is that the number of Dutch web pages is lower than the number of English web pages.

I entered several Dutch words in my search engine and I found an official web page
“Bedrijven buiten de EU die gegevens van EU-burgers verwerken, moeten een vertegenwoordiger in de EU aanwijzen.”

Please allow me to translate this in English by using the language button on the page:
“Non-EU based businesses processing EU citizen’s data have to appoint a representative in the EU.”

These are the first 2 times I found “EU citizen” on the official EU website pointing to GDPR.
“Is this legal stuff for the court?”
“Sorry no.”
“Really?”

There is a legal notice in the footnote containing a disclaimer. So I am quoting from the EU’s interpretation of GDPR. GDPR is leading, not the interpretation.

The day before the first publication date I read article 2 again:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The location of the home of the user was not enough. Again I had to tweak this blog post.

Wait. In 2 (a) I found an interesting exception clause. What if an American shop offers products in the EU?
So I drew a shop in the EU.

Okay, here are the promised sketch notes. Sorry for the lengthy introduction.

In the first sketch note I point out that the web site uses the location of the laptop to identify an EU citizen. But this is different from GDPR. The nationality of the user and the location of the shop should be used instead.

Sketch note showing that a web site is denying access based on location instead of nationality and location shop because of tracking.

In the second sketch note there are two situations, which were not intended by the web site owner.

An American cannot access a website in the office in the EU. But GDPR is not applicable.

Suppose your American colleague comes to Germany to give you a hand. Then he wants to go to a website with an expensive subscription. It is not possible: 451. The web site owner will probably state something about GDPR. Hopefully a disclaimer was added for this case.

Looking at GDPR there is no violation. So no privacy penalties are involved.

The second sketch note is really worrying, because an EU citizen is tracked during her or his holidays in the US. That is not right.

EU citizen gets access to American website and gets tracked. This is not always possible according to GDPR because there is a shop in the EU.

The 2nd sketch note looks like

Sketch note which contains the pictures about the EU citizen and the American citizen and emphasizes the differences.

Finally there is a test idea about an American living in the EU, who used to live in the USA and is planning to go back to the USA. I am quite curious whether customer tracking systems can handle all the moves.

For the people who are concerned about money.
Yes, GDPR can have a major impact on your profit.
“Failure to comply with the GDPR may result in significant fines of up to EUR 20 million or 4 % of your company’s global turnover for certain breaches.”

Advice

In some countries outside the EU the privacy laws allow more ways to track users of web sites than the General Data Protection Regulation. According to GDPR it is not legal to track users without their explicit consent in most cases. [Article 7]

A solution is to show an error page 451 that the website cannot be shown because of legal reasons. This is in spirit with the request.

A way to determine the nationality of the user is to use the location of the laptop or PC. This can be done by determining the internet address.

This is true as long as the laptop is used inside the EU. If the laptop is used by an EU citizen outside the EU, then the user might be tracked without consent. This is illegal if the website offers products in Europe. [Article 2.a]

In my opinion the best way is to switch off the immediate tracking of users and ask for explicit consent.
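To make the difference between the two approaches concrete, here is an added example (not code from the original post) that models both a geo-based 451 block and consent-gated tracking. The geolocation table, the `legal.example` URL in the Link header and the cookie names are constructed placeholders; the country lookup stands in for a real GeoIP database.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed geolocation table standing in for a GeoIP database. The prefixes
# are documentation ranges (RFC 5737), not real EU or US allocations.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
EU_COUNTRIES = {"DE", "NL", "FR"}  # shortened for the example


@dataclass
class Request:
    client_ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""
    tracked: bool = False  # True when a tracking identifier was issued


def geolocate(ip: str) -> Optional[str]:
    """Country code for the client address, or None when unknown."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE.items():
        if addr in network:
            return country
    return None


def serve_with_geo_block(req: Request) -> Response:
    """The 451 approach: refuse EU-located visitors, track everyone else."""
    if geolocate(req.client_ip) in EU_COUNTRIES:
        # RFC 7725 asks for a Link header (rel="blocked-by") naming the party
        # responsible for the block; the URL here is a placeholder.
        return Response(
            451,
            [("Link", '<https://legal.example/notice>; rel="blocked-by"')],
            "Unavailable For Legal Reasons",
        )
    resp = Response(200, body="welcome")
    resp.headers.append(("Set-Cookie", "visitor_id=c0ffee; Secure; HttpOnly"))
    resp.tracked = True
    return resp


def serve_with_consent(req: Request) -> Response:
    """The approach advised above: never track before explicit consent,
    whatever the client's location."""
    resp = Response(200, body="welcome")
    if req.cookies.get("tracking_consent") == "yes":
        resp.headers.append(("Set-Cookie", "visitor_id=c0ffee; Secure; HttpOnly"))
        resp.tracked = True
    else:
        resp.body += " (consent banner shown, no tracking cookie set)"
    return resp


def holiday_scenario() -> Dict[str, bool]:
    """An EU citizen browsing from a US address: is she tracked?"""
    visitor = Request("198.51.100.7")  # US-located per the constructed table
    return {
        "geo_block_tracks": serve_with_geo_block(visitor).tracked,
        "consent_tracks": serve_with_consent(visitor).tracked,
    }


if __name__ == "__main__":
    print(holiday_scenario())  # {'geo_block_tracks': True, 'consent_tracks': False}
```

The same model also shows the second sketch note's other case: the American colleague in a German office gets a 451 from the geo block but a normal page from the consent version.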

Tips for testing
  • Go as close to the source as possible.
    Read GDPR or find interpretation of the law given by the legislator or representative.
  • Check and double check information and sources.
  • Gamify testing by using different tools.
    I used sketch notes, mind maps, and the internet.
  • Get used to hitting the wall.

Note about experience report

This is my experience report about GDPR testing. I ran into some problems, but I was able to resolve them. I could just skip the problems encountered, but you, the reader, could get a false impression. Learning is stumbling and standing up. And walking again.

GDPR – the Forgotten Tests – Test 2

Black box testing is quite popular: the tester only has to focus on the functions of the system. There is no need to know about things like programming and other techy things.

“But the box in the picture is not completely black.”
“That is a good observation, because it is part of a black box.”

Time for a legal break. After the break a pen test.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Pen test

My wife had bought a gift and she had also found a better gift. So she gave the second gift. And I had the pleasure to return the first gift to the shop. No problem dear.

I went into the shop straight to the counter. After a few sentences I came to my point.
“I want to get my money back,”
while showing the first gift and the receipt.

The 2 young men went into action. There was a lot of pressing of keys and a new receipt was shown.
“Would you please sign this receipt?”

This was a standard computer generated receipt without a signature field. And I had to leave my signature here. I signed.

I remembered to explore.
“Why do I need to sign this?”
“This way my manager can check that a customer is returning an article. And not us.”

I ran a quick scenario of returning articles in my head. This sounded reasonable.

But I was still hesitant to leave my signature in the hands of two young men.
“How long will my signature be saved?”
This question led to puzzled faces.

I scribbled the question on a piece of paper. It would be great to have a written answer, so I left my email address.

Then I got my money back and returned 1 week later.

The young man behind the counter recognised me. He went to a pole and pulled my paper with email address off. This was bad.

He dutifully repeated the story about the signature of a customer actually returning an article. The signature would be saved for 1 month. That was fine.

On my way home I was not convinced about the privacy. I had witnessed a breach of my personal data.

Breakdown

In this breakdown I will point to several articles of General Data Protection Regulation or GDPR.

The penalties can be quite big. Let me quote the worst cases
’20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’ [Article 83 5].

Let me review the most important steps during my visits again. I wanted to return an article and get a refund. Because money is involved, the request for a signature is good [Article 5 1(b)].

The receipt was a bit confusing for me, because there was no clear signature field. I just had to trust what the young men told me [Article 6 1 (f)].

One of the most important things about data is retention period or how long will it be saved. The check of my signature could be executed within a month and then be destroyed. [Article 5 1(e)]

A signature alone is not special. But if I had paid in the online shop, then it is simple to combine my signature with my name and other personal data. This way it is possible for someone else to write letters on behalf of me. It is criminal, but possible.

The note with my email address on a pole was a personal data breach [Article 4 (12)]. It was not intended, but I could get a lot of mails with false promises.

Tips for testing
  • Test the UX or User Experience of the receipt.
    Is it clear to customers that they have to sign a receipt for a refund?
    Can they be specific about any doubts?
  • Ask the people behind the counter, how they explain the refund procedure. Also how they handle personal data like phone numbers and email addresses.
    There are of course managers who will answer the questions flawlessly. Unfortunately they cannot be present in more than 50 shops at the same time all the time.
  • Receipts with signatures should be stored in the same way as money. I did not see how my receipt was stored.

    Small sidestep: after May 25 2018 there were boxes outside shops to collect receipts of customers. If I put a receipt with my name and phone number in the box, then I could be the lucky winner of some fantastic prize. They were cardboard boxes standing on tables.

  • This is an important lesson for myself. If something strange happens, take a moment to remember it and mention it.

To be continued

GDPR – The Forgotten Tests – Test 1

General Data Protection Regulation or GDPR is all about privacy. If a company handles privacy in the right way, then it can dodge penalties like 20 million Euro or 4 % of the worldwide revenue.

Time for a legal break. Right after this break some idea.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Bad idea

The job interview was about an agile tester. I thought I could handle that role. The probing questions from the interviewers were increasing. I tried to stay calm and answer the questions in a friendly way.

Then came the expected question about test cases. They should be written beforehand. Time to explore.
“You never know what you will find,” I remarked.
“Let me give you an example.”

“Your company sent me this mailing.”
I showed a part of the mail.
“At the bottom of the mail I could say, whether I like this mail.”
There were two pictures: one green thumb up and one red thumb down. There was an orange arrow pointing to the thumb up.

“If I hover above the picture of the green thumb, the URL will be shown in the status bar of the mail.” The URL was contained in a red ellipse.

A sketch of a mail with an orange arrow pointing to a thumb up next to a thumb down. The mail also contains a URL in a red ellipse.

“As you notice: the URL is http. This is not secure. If the mail is intercepted, then the reaction of the customer can easily be determined. This is an email about credit, so you can derive that the customer probably has some debts.”

One of the interviewers politely interrupted me:
“Is it possible to intercept mail?”
I gave a technical answer using normal words.
Okay, I got his attention.

Then the exploratory tester awoke in me. And I could not stop him.
“There is a customer number in the mail. This number can be used to get access to an online account.”
I went in full brainstorm mode and described all kinds of product risks or things which could harm the user. I could find information about correspondence about money.


I didn’t get the job, but the mailing was fixed afterwards. Obviously 20 million Euros are not enough to qualify as a tester.

But that’s what retrospectives are for.
[On the melody of ‘That’s What Friends Are For’.]

Breakdown

Most of the time primary systems were and are tested for GDPR and national privacy laws. Sometimes this software did not easily support mailings. An easy solution was to use another system outside the company. Specialised in mailings.

All kinds of data like email addresses, names, and profiles were used for mailings. Technical decisions were taken like http instead of https. Somehow the legal department and testers missed something.

According to GDPR the protection of personal data is a fundamental right [ (1) on page 1]. The economic situation of a person can be used for profiling. In turn this can be used to exclude people to get certain services like mortgage [ (75) on page 15].
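The mailing problem from the interview above can be turned into a check a tester can run over any outgoing mail. This is an added example, not the company's or the author's code: a small Python audit that finds plain http links and links that carry a customer identifier or the customer's answer in the URL. The parameter names and the sample mail are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")

# Query parameter names assumed to carry a customer identifier or a customer's
# answer; extend with whatever your own mailing tool uses.
IDENTIFIER_PARAMS = {"customer", "customerid", "cust", "klantnummer", "uid"}
REACTION_PARAMS = {"vote", "rating", "answer", "like"}


def audit_mailing(body: str) -> List[Tuple[str, str]]:
    """Return (url, problem) pairs for every link that leaks on the wire."""
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        params = {name.lower() for name in parse_qs(parsed.query)}
        plain = parsed.scheme == "http"
        if plain:
            findings.append((url, "plain http: URL and click travel unencrypted"))
        for name in sorted(params & IDENTIFIER_PARAMS):
            findings.append((url, f"customer identifier '{name}' in URL"))
        if plain and params & REACTION_PARAMS:
            # Over http an eavesdropper sees which thumb the customer clicked.
            findings.append((url, "customer's reaction readable by an eavesdropper"))
    return findings


# Constructed sample mailing, modelled on the thumbs-up/thumbs-down mail above.
SAMPLE_MAIL = """\
Dear customer 123456,

Did you like this mail about your credit?
<a href="http://mail.example/feedback?customer=123456&vote=up">thumb up</a>
<a href="http://mail.example/feedback?customer=123456&vote=down">thumb down</a>
Manage your account: https://www.example/account
"""

if __name__ == "__main__":
    for url, problem in audit_mailing(SAMPLE_MAIL):
        print(problem, "->", url)
```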

My tips for testing:

  • become a customer of your own company and use all available channels. Watch for the legal details like the missing s of https. (See last tip)
  • follow security experts on social media. (You know about the last tip)
  • explain legal and security stuff in normal words.
  • let the owner control the flow of information. I should have sent my brainstorm on request.
  • read ‘Here’s Why Your Static Website Needs HTTPS’ by Troy Hunt, a security researcher. It contains an entertaining 25 minute video with several attacks on an http website.
    For people new to security, just watch the video and focus on what you would not like to happen on your website.

Closing note:
At the moment there are browsers showing whether a website is insecure. This was not the case, when I received this mailing.

To be continued.

Tweaking My Website Security

WordPress is frequently used for websites and therefore attractive to some unfriendly people. So I reconfigured my WordPress security plugin.
And the mails of failed logins started coming in. It was not me, so someone else wanted to use this web site.

A short history about my tooling
For me web site security is something to review on a regular basis. It all started with an article in a magazine. I put some elementary stuff in place: a limited number of logins and removed the login from the web site.

Over the months I added extra stuff like SSL. It encrypts the traffic between the browser and my web site. In other words my user name and password are unreadable for interested bad guys.
Troy Hunt mentioned SSL in his free web course with the haunting name: Hack Yourself First. Cheers mate.
In case you missed it, SSL can be obtained for free at Let’s Encrypt.

At a regular basis I updated the software for my web site. I thought I was quite good until I changed the settings.

A short note about security
Some people might complain about the default security settings of their web site. Believe me, things can be improved. If you do not set the WordPress settings right, then the user name is shown instead of your writer’s name on the blog post. Luckily there are plugins. (As a Dutchman I could not ignore the free ones.)

I thought about the default security and will try to explain it to you. If I buy a house, it has standard locks. If I want to keep the baddies out, I have to use the keys.
There are no special keys and locks involved. In case I need them I have to change them.
My new house has no vault or armed guards. If I need them, then I have to change something.

Shorten my list of security mails
So I had changed something and security mails came into my mail box. I noticed that there were mails with wrong user names and passwords. Not good.

After a few days I expected them to stop. You know: “Oops wrong web site. Sorry for that.” But the flow of failed login attempts did not stop. So I had to change something. Again.

I remembered a firewall in one of my WordPress plugins, so I had my first taste of a firewall. Dry, not shaken.
I had IP addresses of the sources of attack. Courtesy service of one of my WordPress plugins.
An IP address consists of 4 numbers separated by a dot (.) like the invalid 345.345.345.345.

So I put the most offending IP addresses on the black list.

Three strikes and you are out.

The brute force attacks continued. The following combinations were used:

table with failed login attempts

The user name is in the heading and the password is shown in the first column. More details about this teaser will be added in the appendix.

My action did not change the flow. I used the asterisk: 345.345.345.*. All people coming from IP addresses starting with 345.345.345 got blocked.

Wrong zone. Offsite. Stop the game.

It looked like I had put oil on fire. My normal mails were somewhere between the security mails.

I also noticed that black listed IP addresses still passed through. So there were apparently some smart guys lock picking the door of my web site. I’ll add some words to this assumption at the end.

It was time for harsh measures. I was so focused on the mails, that I skipped my notetaking. In my logs other URLs were mentioned. I clicked on one containing wp-admin and noticed that I saw my login page.
I changed a name somewhere and the security mails did not come in any more. Phew.

Brief briefing about red teaming
My list of WordPress plugins would be quite interesting for the people who really want to block out the intruders. The main reason I do not list them is red teaming. This military term is like give my plan to the red team, who will misuse this knowledge to my full disadvantage. Did you notice that “full” sounds like “fool”?

My steps for red teaming of my web site:

  1. Install the web site with all plugins.
  2. Configure the web site and the plugins.
  3. Look at www.cvedetails.com for any bugs.
  4. Misuse the listed CVE or Common Vulnerabilities and Exposures.
  5. Go to the subdirectories and look for strange files.
  6. Look whether those files are accessible from the outside.

This reads like the plot of a bad B movie. But it works.

Had a short glance
The days after the intentional reduction of my mail I had another look at my log files. My login page was requested several thousand times in a month. And I can assure you that I was not blogging that much.

There were other pages or URLs which led to my login page. So a check on the hits on my login page would give me the wrong impression of safety. There are people who do not like to use numbers or metrics. Some numbers can be really useful when pondered upon.

Somehow I had not paid attention. Too much focus on blogging. Obviously.

An article of Santosh Tuppad was quite helpful to increase the security. Thanks mate.

I even noticed that wp-content was open. So any pictures of draft blog posts could be viewed before publication. I even discovered a CSS file of a WordPress security plugin, which I could access without logging in. It was like finding a business card of a security team at the doorstep.

Wait a moment.

Let’s turn this into a multiple choice question.
What is the reaction of thieves on the business card?
A. Let’s skip this house.
B. I know how these guys operate. Piece of cake.
C. Look at the big bird and the shield of armor. That is pretty neat. We need 500 of those cards.

Definitely something for an action movie.

Some tips:

  • Read the reviews of the WordPress plugins.
  • Install WordPress plugins from the official site.
  • Write down, what works.
    Some plugins do not mix. This might be the cause of the strange behaviour of my firewall.
  • Make an offline copy of the website before tweaking.
  • Tweak the website security several times a year.
  • Go to your web site on a regular basis and install the updates.
  • Keep an eye on Social Media.
    Troy and Santosh are great sources.
  • Basically, explore your web site security.

Appendix A bit of data crunching
For my first real life forensic investigation I wanted to use the gathered data. As in Data the Gathering. In order to process my e-mails I used baregrep, vim, Javascript, CSS, HTML.

People had attempted to break in my web site. I expected a concentrated set of failed attempts like
expected heat map

When I looked to the patterns I noticed this:
observed heat map
This is an example of a Blink Test. Lots of info processed in milliseconds and still getting useful info.

Facts:

  • Combinations were entered once.
  • Combinations where user name was the same as the password were frequently used.
  • The same for combinations with user name equal to admin.

Conclusions:

  • There is a high chance that a group tried to break in. There is a moderate chance that there were more groups which used different lists.
  • A popular user name is admin. See the first column.
  • Single words are favourite, followed by words and numbers.
  • Some user names and passwords were linked to my blog.
  • My blog posts are read.
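As an added example (not the post's own tooling, which used baregrep, vim and JavaScript), this Python script turns constructed failed-login notification lines into the kind of facts listed above, and adds one number the post hints at: how many attempts a single blocked 345.345.345.* style prefix would actually have stopped. The line format, user names and test-range addresses are all constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed notification lines, in the shape of the "failed login" mails a
# WordPress security plugin sends; the addresses are RFC 5737 test ranges.
SAMPLE_MAILS = [
    "2017-10-03 02:14:07 Failed login for user 'admin' with password 'admin' from 198.51.100.23",
    "2017-10-03 02:14:09 Failed login for user 'admin' with password 'admin123' from 198.51.100.23",
    "2017-10-03 02:15:41 Failed login for user 'admin' with password 'password' from 198.51.100.77",
    "2017-10-03 03:02:12 Failed login for user 'testblog' with password 'testblog' from 203.0.113.5",
    "2017-10-03 03:02:13 Failed login for user 'testblog' with password 'testblog2017' from 203.0.113.5",
    "2017-10-03 03:40:55 Failed login for user 'editor' with password 'editor' from 192.0.2.9",
    "2017-10-03 03:40:57 Failed login for user 'admin' with password '123456' from 192.0.2.9",
    "2017-10-04 01:11:30 Failed login for user 'admin' with password 'admin' from 203.0.113.88",
]

LINE_RE = re.compile(r"user '([^']*)' with password '([^']*)' from (\d+\.\d+\.\d+\.\d+)")


def parse_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Extract user, password and source address from each notification line."""
    attempts = []
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            user, password, ip = match.groups()
            attempts.append({"user": user, "password": password, "ip": ip})
    return attempts


def crunch(lines: List[str], blocked_prefix: str = "198.51.100.0/24") -> Dict[str, int]:
    """Reproduce the 'facts' of the post as numbers, plus how much of the
    traffic blocking one prefix would really have stopped."""
    attempts = parse_attempts(lines)
    combos = Counter((a["user"], a["password"]) for a in attempts)
    blocked = ipaddress.ip_network(blocked_prefix)
    return {
        "attempts": len(attempts),
        "user_equals_password": sum(a["user"] == a["password"] for a in attempts),
        "user_is_admin": sum(a["user"] == "admin" for a in attempts),
        "distinct_combos": len(combos),
        "combos_seen_once": sum(1 for n in combos.values() if n == 1),
        "source_ips": len({a["ip"] for a in attempts}),
        # First three octets: how many distinct "345.345.345.*" prefixes appear.
        "source_slash24s": len({a["ip"].rsplit(".", 1)[0] for a in attempts}),
        "attempts_outside_block": sum(
            ipaddress.ip_address(a["ip"]) not in blocked for a in attempts
        ),
    }


if __name__ == "__main__":
    for key, value in crunch(SAMPLE_MAILS).items():
        print(f"{key}: {value}")
```

The attempted passwords in such mails are personal data in their own right (they are often real passwords of the attacked accounts), so store the mails with the same care as the signatures and email addresses of the earlier posts.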

daD Talk

One of the things I wanted to develop is critical thinking. Not only by myself, but also by my kids themselves. This led to a rather unpleasant start of one of those dad kid conversations.

There was no way back: a subject I tried to delay for a few years:
computer security.

The complaint about a program was packaged as a request:
“I want to have a computer, which can execute [dangerous module] programs without using [dangerous module].”

I exhaled. My kid had absorbed the information and realised that the use could have a severe consequence for the computer. No more computer time. On the other hand the disadvantages were too big to forget about it.

I tried to find a solution, but I could not find one. If a program can change things on a computer, then it can do bad things.

While blogging I realised I was wrong. There was a work around.
There are programs, which can do same things like the original program, but they are built differently. They are called emulators. Some gamers like to play low resolution games on emulators of very old operating systems.
Wow, that’s my kid.

It’s hammer time
“If you have a hammer, then you can use it to break a window. But that’s not right.”
My kid nodded.
“So I program the hammer, so it cannot be used for a window glass. Then I can go to a door and use it to break a lock. I can program it not to break a lock. Then I can use it for a window frame.”

“It would be easier to tell the hammer it could only be used on wood. This looks brown and it has grains. But it could be changed, so that everything looks like wood.”
I made a wide gesture with my arm pointing to different objects in the room.

“But I could change the picture. All objects would look like wood. That is not a good idea, so I store the picture in a book. But the picture in the book can still be changed.

“Then I could place a lock on it. But the lock could be picked. I could place a better lock on it, but then the whole book could be replaced by another book.

“And that’s why it is so difficult to secure things.”

Another unpleasant guest
My kid had seen a cool app. And it absolutely had to be installed. So I did my dad thing: looking at the permissions which I would grant to the app. It could handle my files. It was just a game, and why should a game have a peek at my files? Time for the bad news.

So I told my kid that the app would access files on the phone. The reply was to buy a phone just for games. Then I told my kid that after a while the phone would also be used for other purposes like making pictures. “You don’t want your pictures in someone else’s hands.” There was a lack of nod.

I needed another way to tell the warning. A visual one.
“Suppose someone comes in. He looks television for the whole evening. And he eats the whole fridge empty.

If you protest, he will say:
“You said I could come in.”

The next evening he comes back. He takes the table and the sofa out of the house.

If you protest, he will say:
“You said I could come in.”

Security by Luck

Last week I saw the attack vectors of the most popular attack on WordPress web sites at the moment. Just two lines.

Was I prepared? Yep.

In my mail box I had a message, that my web site was updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the last version of WordPress running. All minor updates are automatically deployed.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider, that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about it.

How did I select my web site host?
I looked for a provider, who provided all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck mate.”
“Really?”
“I compared several providers. The one I chose also focused on companies. If I ever would scale up, I had a company who could help me.”

“Can you be more specific?”

“Sure. I looked for the information on the web site. It was written in a way that I could advise it to a company.

It had also enough tech background information. That was good for my inner nerd.”

“Wait a minute.”
“Yep.”
“You just told which Content Management System you use for your web site. And that you are using PHP. Are you not exposing too much information?”

“A real hacker can determine this information within seconds. He looks at the source code or uses some plug ins.
On my smartphone I have Dual HTML Viewer, which is a similar tool.”
“How did you find that mobile tool?”
“#30daysoftesting

You could call it luck. I prefer to bend it.”

No comments please
Seth Godin once gave the advice to turn off comments on a web site. If the blog post was interesting enough, then people would have to refer to it. Free publicity.

This time saver was a nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test on XSS or Cross Site Scripting attacks. I basically added information to a web site, which changed the behaviour.

If I add html code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add extra features like a window. This can be used to distribute confidential information to other people. Without their permission.

Having no comments disabled the use of XSS. Luck? Not really.
Seth let me think in another way.

BTW Seth did advise to use comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious
One of the criteria to choose my own web site host was full control over the content of my blog. Even if I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model or their way to earn money is advertisements on my web site. Of course I can disable it by paying.

On a security conference a Finnish guy showed how advertisements can be misused. He contacted to a web page with a single bad pixel. His system was contaminated within milliseconds. Life on stage.

Reading the right stuff
During one of my visits I saw a familiar computer magazine on the table: “I read it too.”
“It is good,” was the answer. He also works in IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backup and restricted access with a special tool kit. Sometimes I feel lucky to find easy-to-use tools.

A Case of Bad Luck
Within two days after pushing the first piece of this blog post to the web I found two annoying items on the web.

Santosh Tuppad had considerable concerns about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote ‘Troy’.”
“It is not the city in ancient Greece which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?

Losing gracefully

“Han Toan, something has to be tested.”
I got a short briefing, csv files and decent specifications. A senior tester and I had to test an interface. He started sprinting: opening a csv file and logging bugs. I froze. No time for writing test cases and reviewing them. I confessed to the tester that I was uncomfortable with the situation. I tested a csv file, but I was losing gracefully.

Theory and practice revisited
The following text is a translation of a text I found on a Dutch farm:

“Theory is: if one knows everything and nothing is right.

Practice is: if everything functions and nobody knows why.

In this company theory and practice are combined.

Nothing is right and nobody knows why.”

Learning to win
One evening I was playing Skip-Bo with my wife. My plan was to lose gracefully. So I forced myself to play the wrong cards. Her position in the game improved gradually. She was happy, and so was I.

After a while I was holding too many good cards in my hand. There was no way that I could hide them for long. I would either win or lose awkwardly. The last option was worse than the first one.

In the months after this clumsy situation I tried to repeat the steps during other games. What was the first wrong move I made? What were my following strange steps? Based on my observations I was able to extract a single rule, or heuristic, to win.

I think that I might be able to find scientific evidence for my heuristic. But I chose not to, because it worked. That was my goal.

No login required
During an afternoon session James Bach talked about testing without scripts. He was in a hotel lobby and saw a computer. He described the techniques and heuristics he used to get access to this computer. In the end he succeeded.

I was in the library, killing my time browsing newspaper articles. But that was not exciting after a while. I had an appointment within half an hour. In the meantime there should be something to test. I was still staring at the computer when I remembered the story of James.

The computer environment had 2 access levels for normal users. A guest could only use basic functions, which were also limited. I did not have a library subscription, which would have granted me a time slot to use standard office software and the browser. I could buy a time slot, but that would lower the challenge.

So I started testing the applications. There were many search engines for news and books. Then I noticed that I could open the browser. It did not take me much time to go to the download area. A document with Resume in the title drew my attention. I expected an error message when I attempted to open the file.

Then I actually opened the file. I had access to Word. And to personal data like name, address, birthday, … I got more information than I had anticipated.

It was time to inform the information desk about this particular situation. One of the women acted adequately:
“Did you log in?”
“No. I did not log in.”
One brief look at the computer screen made her check the other computers in the library. She asked me for the steps to reproduce the error. After my answer she continued with:
“After logging out the cache should be cleared. I’ll contact the system administrator about this situation.”

I went back to the computer, which still showed the resume. I closed it. Then I noticed that a pdf reader had been installed on the PC. One of the recently opened files contained passport in the name. One click gave me a high resolution full colour scan of a passport, including the social security number and picture of a fellow citizen.

I had made a little start. Exploring an unknown environment. Without a script.


Déjà vu

Story number 1
My wife and I were enjoying the sunset. We had settled ourselves on a bench with cushions on the beach. A waiter came into our view:
“What would you like to drink?”
My wife answered:
“One hot chocolate milk please.”
“With or without whipped cream?”
“Without whipped cream.”
Then it was my turn to order a drink:
“One tea without whipped cream.”
When the waiter went away, my wife remarked something about my joke.

After a few minutes the waiter came back with two hot chocolate milks without whipped cream.
“I did not order this beverage.”
“You ordered a hot chocolate milk without whipped cream.”
“I ordered a tea without whipped cream.”
The waiter was silent for a few moments. Then he offered to bring me a tea.

Story number 2
When I was looking for a parking space for the car, one of my kids said:
“That car has the same colour.”
I said something like “Uh huh”.

I parked the car and my wife left to do some fast shopping. I stayed with the kids. After a few minutes I noticed movement in the rearview mirror. My wife had changed her coat, hair colour and glasses. And she had shopped.

“Something is wrong,” flashed through my mind. I turned around to have a good look. The woman looked me straight in the eyes. She was surprised. Her gaze shifted to the license plate. Then she looked at me with an apologising smile.

She slowly turned around, looking for her car. Then her eyes fell on a car with the same colour, the same model and the same brand. And off she went.

Breakdown
The waiter and the woman have some things in common: first they used the autopilot (System 1). Then they forced themselves to think (System 2). This leads to the following graph:
[image: mindful-tester-deja-vu-systems-timeline]

Back to business
The following story is fiction. So enjoy.

Steve was waiting for things to happen. For more than one hour it was just him and his pen. The other stuff was boring: the same people moving on the screens in the same patterns. He noticed that a pizza delivery boy parked his car in the parking lot. He just knew that it was a pizza delivery boy. While many of his colleagues regarded strangers as potential criminals, he just looked and knew.

The young man came to his desk:
“One large pepperoni pizza for mister Neal.”
“Sorry,” Steve replied. “You are not allowed to deliver, because your delivery is not on the list.”
Then a phone call came in.
“Hi Steve, John here. I forgot to notify you that a pizza would be delivered.”
Steve checked off the following points:

  • It was the internal phone number of John.
  • He had an American accent mixed with a Scottish accent.
  • He was always late with meal notifications.

“Sure, no problem. One pizza coming up.”
“Fine. I’m hungry.”
Steve thought: “He always is.”
He said to the pizza delivery boy:
“You can go to the 6th floor. Mister Neal is wearing a T-shirt.”
Steve thought: “He always is.”
The young man nodded and entered the elevator.

Outside a car stopped. The same man came to Steve’s desk. Steve looked at the first car, which was still parked outside. There was something wrong. The pizza delivery boy looked genuine.
“He’s real,” flashed through his mind.
Steve asked: “One large pepperoni pizza for mister Neal?”
“That’s right. Can I deliver the pizza?”, in the same voice.
Steve looked at the monitor, which showed the same delivery boy in the elevator.

He looked at the pizza delivery boy.
“I have to write down the delivery time,” while tapping 3 times on his watch. 3 short taps is S in Morse: Social engineering threat. He felt 3 short vibrations of his watch. Now Steve had 3 minutes to evaluate the situation before the alarm went off.

In the meantime another pizza delivery boy with the same face had come to his desk:
“One large pepperoni pizza for mister Neal.”
The same face, the same suit and the same voice.
“He’s not an actor. The body language is that of a reluctant man trying to earn extra money for his studies.”
Steve looked at the two pizza delivery boys standing in front of his desk: they looked like twins.

John was a hungry programmer: he ordered at most two pizzas at a time. Steve recalled that John had ordered just one pizza. He pressed his two palms on the desk to push himself up. This way he concealed two small movements. With his right index finger he pushed the Down The River button. People inside the building could only leave the building: elevators would only go downstairs; doors would only open to the hallway. Etcetera, etcetera. Annoyance crept into Steve’s mind:
“This is the real thing and my intuition failed me for the first time.”

With his left index finger he locked the control panel in front of him. While Steve was standing at ease, he casually placed his right palm on his watch. The watch scanned his palm and vibrated for half a second: the alarm was confirmed. He imagined himself as a concrete wall. Now he had to stall until the backup came. The guitar music from the opening scene of Pulp Fiction started to play in his head. He defocused to get a better view of the situation. This way he could see the two pizza delivery boys and the entrance at the same time. Then some ten pizza delivery boys entered the building, packed with pizza boxes. The trumpets in his head began to play louder.