Sunday, November 3, 2019

Book review - Social Engineering: The Art of Human Hacking



"Sir, you can't board this train with your bicycle"
I faced this statement (or something that conveyed its message in different wording, the translation from Hebrew isn't exact) from a train employee a while ago. As luck would have it, I was just listening to Christopher Hadnagy's "Social Engineering: The Art of Human Hacking", and thus went on to try and board the outcome - I burdened the employee with a barrage of accusations, making him responsible for my situation ("You're stranding me here at the airport after I bought a ticket and used it to get here to my connecting train", "what do you expect me to do now?"), claimed precedent ("I've been boarding the train with my bike yesterday, and the day before", "why do you change the rules?") and applied time pressure ("Look, you are causing me to miss my train"). After a couple of minutes of arguing, he came to the conclusion that "If I can't see it, I can't stop you, if you would wrap it in your bike-case it's not my fault I didn't see it".
Ordinarily, I would have just thought it was me arguing and getting my way with it, but as you can see - I was employing several tactics to get what I wanted - I counted on the employee's empathy and the fact that he didn't want to be the bad person, added time pressure and offered an escape route that allowed him to save face in the form of "what if the bike had been covered?". I believe being aware of what I was doing helped me "win" this argument, and it sure did make me feel uneasy about how "evil" I was acting - consciously putting pressure on someone who was simply doing his job.

Since I neglected my blog for too long due to a multitude of things taking up my time and energy, I thought a good way to start writing again is with a task that has been waiting for quite a while now - a review of "Social Engineering: The Art of Human Hacking" by Christopher Hadnagy, which is the first audiobook I listened to twice.

The first thing one should know about this book is that listening to it is a bit scary, as the book shows time and again how reasonable human behaviour can be (and is) exploited to cause harm and then goes on to say "and were I a real malicious attacker, I would have taken this to the next level by...". Apart from that, this book is a great first step in becoming a professional security engineer, and provides the next steps of practice in each step.
After listening to this book, there are two takeaways I continue with:
First - Regular, day-to-day human behaviour can be exploited in ways most people don't imagine and leveraged in ways far more serious than one might expect.
Second - Despite the first point, defending against social engineering does not require behaving like a heartless automaton. Most of the time, it is enough to pause for thinking and double checking before acting.

In a nutshell - that's it. However, there's much more to this book, which is very well organised into topics.
First we start by trying to define social engineering, or SE, for short. This, perhaps, is the only place in the book where I think the author is not doing the reader justice. The book dwells on the rather blurry line between influencing a person for their own benefit (e.g. - convincing someone to quit smoking) and persuading them to act in favor of our own interest and against their own. The book claims a simple truth - the same skills and techniques used by malicious social engineers can be used by a variety of other, benevolent actors. A doctor will try to persuade their patients to take on healthier habits, a teacher will "educate" students and a friend might put some pressure on you to take that vacation you've been yammering on about for ages. Still, in my eyes, the book is trying to paint a nice picture over a term that is used almost exclusively for actions that are, at least, unauthorized and most of the time - straight out malicious. The examples in the book in later chapters also fall in line with this approach and portray examples of misleading, putting pressure on people and in all ways getting the upper hand over the victims.
Following on, the book goes on presenting the SE framework (more details can be found here) and the different skills and activities that comprise it.
First things first, the 2nd chapter is all about information gathering, showing how some trivial details can be used as a stepping stone to further attacks. For instance, knowing that someone is a stamp collection enthusiast is a good way to lure them to a malicious website claiming that you've inherited a stamp collection from your late grandfather and made a website with the stamps to be sold. Besides some examples on how destructive random bits of information can be in the wrong hands, the book mentions some tools such as BasKet and Dradis to organize the data, and points to common sources of information - from social media and search engines to job adverts, whois registry, personal blogs and even simple physical reconnaissance and dumpster-diving (which, the book says, you should do with dark clothes and a good pair of boots). The chapter then goes on to the seemingly irrelevant topic of communication models. It's quite interesting, at least from the theoretical viewpoint, and it provides a nice way to break down any single social engineering "scene" (e.g. - sending a phishing email, having a conversation with a target), but it is not really a part of information gathering - a communication model can be used when planning an information gathering strategy, but at the same time, it requires the information already gathered to succeed. Based on the Shannon-Weaver model of communication a social engineer can ask more specific questions: what is the type of feedback I want from the receiver? what sort of message would work best? what channel is the most effective way to communicate my message?

Next on the menu is the mysterious skill called "elicitation" and apparently that's a real word. Its meaning, in case you are not familiar with it, is "drawing out". In our context, it's about drawing information out of our target. I assume that it can also be used to invoke an action (such as keeping one door open for a person, creating the expectation they'll hold the next door for you, which just happens to be the one you need a key card for) but the book does not dwell much on that aspect after mentioning that the goal of elicitation is to make the target take an action to the attacker's advantage - as small as answering a question or as big as providing access to a restricted area. The book lists some elicitation techniques, from simple ones that range between simply asking a direct question and getting people tipsy and talkative to more elaborate schemes that may involve pretexting (see below) and preloading the target with information and emotions that will make them more susceptible to your suggestion.

I mentioned pretexting, right? Because that's the topic of chapter 4.
A pretext, in layman's terms, is the image one projects about themselves. For instance, I go to work every day, carrying the pretext of a professional software tester. A social engineer might display pretexts that will mislead people - posing as an IT expert, as a worried father or as a pissed off customer. An important point this chapter makes: A pretext doesn't have to be a lie. In fact, it is much easier to pull off a pretext if you are using your own interests and knowledge as part of it. In fact, one of the dangers in pretexting is trying to pull off something completely foreign to you. For instance, I couldn't build, even in a month of intense research, the casual recall of events a soccer fan has experienced and talked about dozens of times, so keep it simple and within your expertise. If you have to pretext as something you have no knowledge about - distance yourself. Communicate via e-mail, or on a short, carefully planned, phone call. It is also important to look the part - if you pose as the garbage disposal company representative, a company logo and a notebook will do wonders to your credibility. If you pretend to be a salesperson, wearing a T-shirt is probably going to get you some unwanted attention.
No matter what you do, your pretext has to be carefully chosen and tailored to your needs and to the situation you're in.

The 5th chapter is all about magic.
Yes, yes, magic. Or at least as much magic as that possessed by a stage magician. If the skills up to this point were a calculated use of common human communication skills, now we are about to discuss some uncommon skills. Micro-expressions, for instance, are a very powerful way to detect how a person is feeling and quickly adapt your strategy if you aren't getting the reaction you were trying to get, but it is also a way to signal to the other person's subconsciousness without the filtering of the thinking faculties - a slight wrinkling of the nose will go unnoticed by many people, but they will still get an uneasy feeling.
Even more controversial than micro-expressions is the use of NLP, which, basically, is all about using side-channels. Regardless of whether you think NLP is a complete fraud or actual magic, there's no denying that NLP does provide an extensive record of efforts to understand how human communication works, and that at least some of its methods are having some results. Sure, changing your tone of voice isn't going to magically make someone do your bidding, but it can divert attention and plant ideas. One "tool" I liked is labeled with the terrible title "The Human Buffer Overflow". Basically, it is directing the SE to rely on the automatic responses of people, and take advantage of social norms and expectations. If I helped someone with something, even if it's trivial, they will feel obligated to help me back. I'm unsure as to what exactly here is the so-called "buffer overflow", but I imagine that in order to be more effective, the SE can make sure to occupy the mind of the target with other things - a constant stream of talking, a difficult question, and so on. This way the mind will leave other tasks to the automatic part more easily.

The final chapter presenting the SE framework is about influence. After all, once we've gathered information and learned to control some neat tricks to elicit a response, it is time to cash in on our efforts and make people do what we want them to. Generally, the message is "know your goal, and improvise towards it". This, naturally, is a gross oversimplification - one does not "improvise", but rather builds a flexible plan, with options derived from the information gathered and constantly monitoring the target's response using the skills acquired and practiced ahead of time. The chapter discusses some important tools and principles, such as building rapport, constant monitoring, influence tactics and framing. Like most chapters, this one has a part that made me cringe a bit in discomfort. This one has a part about "manipulation". Unlike other types of influence, this is a direct attack against a person. It involves tips like "gain control over the target's environment" or "creating doubt", and it does not shy away from "heavy intimidation", which is about making the target fear for physical harm or other "dire circumstances". In essence, this is the part people dislike the most about SE. The part which not only makes people behave the way the attacker wants, but may actually harm the target as a side-effect or even as a tactic. Being the pinnacle of the framework and cashing in on the previous ones, this chapter is quite long and full of interesting (and scary) techniques and stories.

The 7th chapter is about tools - everything from a lock-pick and business card to hidden cameras and software tools found in BackTrack (the previous version of the Linux distribution now known as "Kali"). It is very educational, and provides a lot of entry points to the different topics.

Of course, a book such as this won't be complete without an impressive list of case studies, demonstrating the wide range of possibilities - from the highly technical story of Kevin Mitnick's hack of the DMV, which involved breaking into the phone system and routing genuine calls of police officers calling the DMV to his own phone (thus collecting the necessary details to impersonate them later), which required deep knowledge of the phone routing system and of the identification process used by the DMV, and then some very convincing pretexting, to the simple case of a security tester who found a genuine hacker roaming through an unprotected server and then chatted using notepad until he got enough details to find the hacker offline. The stories are interesting by themselves, and each shows a different perspective, demonstrates different skills and shows how they are applied in real world situations.

Scary, right? It seems that the smallest detail could be used to leverage more details and create an opening to an even wider attack, and most attacks simply rely on people acting as human beings. This is why the final chapter of the book is so important - how to prevent and mitigate attacks.
Like all defenses, it isn't perfect, but if used properly, the techniques in this chapter could frustrate and exhaust someone trying to social engineer their way into your organization (or your private life, for that matter).
The easiest tip here is "keep your software updated". It might not be easy to implement, but it is a generally good rule to follow - updated software tends to have fewer known vulnerabilities, and thus prevents many software based attacks, so it won't matter if the SE managed to get you to open that PDF file.
The second is to teach yourself and your surroundings how to identify an attack - know what is generally possible (for instance, by reading this book) and how to identify the stupid kind of attacks of each vector. You might not be able to defend against someone calling and asking "can I have your email address? I want to send you details about the event I wish you would attend", but you'll be able to delete the obviously false "This file includes a debt you have not cleared, if you won't pay by next week, legal action shall be taken".
Another tool I find important enough to mention is developing scripts that allow you to stay kind without giving someone what they want: "I'm sorry, but our IT people don't allow external USBs, if you want to print a replacement to the paper ruined by your coffee, there's a printing service around the corner". Practicing situations and such scripts can help when facing a real SE attempt.

All in all, I highly recommend reading this book, in any format convenient for you.

Sunday, June 2, 2019

Starting in a new place



I blinked for a moment, and two months went by.
Two months ago (exactly) I started working at a new place, and now, sitting idle at the airport, is a good time to examine those two months and try to understand what I've learned, what I've noticed and what I need to do.
Since this is the first time I join a new place while thinking I know a thing or two about the job, I tried to be aware of my onboarding process and to notice the goals I set for myself: the long-term ones as well as the more immediate ones. The most important thing I've noticed so far is that the gap between where we are right now and where we need to be is huge. To break it down: we have capability gaps in system testing, a significant lack of unit tests, short circuits in communication between teams, a shortage of supporting processes and a cultural change we need to go through. But apart from that, Marquise, everything is fine.

Beyond all these gaps, I also have personal knowledge gaps: after working on a web-based product until now, the current product requires me to know the operating system better (right now I'm focusing on Windows, later I'll get to other operating systems as well), and the very convenient assumption of a SaaS system - that I fully control the environment in which my software runs - is no longer an assumption I can make. In short, a whole set of tools I need to start getting to know and a no less new set of variables whose existence I need to start taking into account. In addition, the business world of a start-up is foreign to me, and business decisions carry a different price that I still know next to nothing about. I also don't know the customers and what matters to them, so that I'd know where to focus my efforts. I don't know the development teams I work with, and I need to build up credit working with them in order to have the influence I want. Besides that, we write code in Python, which is a language I have no experience with, and I don't know the supporting tools that enable truly effective work.
So much for the initial difficulties.
Now, where do I want to be in an eternity and a half? What is the goal I'm aiming for in the long run?
Unlike the previous place, where it seemed right to me to eliminate the testing team completely and embed it within the development team (and to the best of my knowledge, they are still working on that there), the existence of several teams working on different parts of the system makes me think that the right state in the long run is one of development teams that are responsible for testing their own component, and in addition to them a team responsible for the integrity of the whole system, which will help locate integration failures and handle the more complex scenarios. I'm not entirely sure what this team should look like, what skills it should have or what its exact responsibilities are, but in the meantime there are quite a few other preparatory steps to take.
However, the situation right now is that there is one testing team providing a service to several development teams and, in practice, neglecting quite a few of them, because there's a limit to what three people can do. If I try to draw a rough roadmap, our order of operations should be roughly this:
  1. Building safety nets and tools that will allow the teams to gain a certain degree of confidence in the product they are building.
  2. While doing 1, accumulating reputation and improving communication.
  3. Building processes that will help the testing team communicate with the development teams and help them in real time with the features, as opposed to the current situation in which we only manage to get to a feature when it is in its final stages. This will probably require using some of the reputation we accumulated earlier.
  4. Creating a testing community or, alternatively, annexing all the testers into one team in order to align everything related to the testers' skills and the testing strategy, as well as creating an additional communication channel between the teams.
  5. After things start to stabilise - dismantling the central team and embedding the testers within the development teams, where the goal is also to broadcast information outwards, but mainly to bring the testing processes into the teams through internal mentoring of the developers and assistance in transferring responsibility for maintaining the system tests from an external team to the development teams.
  6. Probably together with 5, redefining the testing team under a different title. At least at the start, this team will be responsible for continued coordination between the different teams and for helping the various testers not get lost within their new teams. From the current distance, the idea of Engineering productivity sounds intriguing to us, as does drifting toward the side of monitoring the system and bringing conclusions back in, perhaps under the operations department. I think we have a year or two (or more) before we need to deal with that.
Right now, while I'm getting to know the people and the environment, my focus is on item 1, which is also the easiest part - building tools. Technical problems are almost always easier than influencing people or organisational culture. In the meantime, I'm handling a relatively simple problem - we need to rewrite all of our system tests without throwing everything in the bin and starting over, because after one or two times in which someone looked at what exists and said "It's impossible to work with this, I'll write you something new and good", we don't have the credit required to say exactly that. So we're taking the existing project and giving it a thorough facelift. This gives me a chance to be effective with very little knowledge and to start expanding my influence from there.

I need to make sure I don't get sucked too far into the easy technical task and to devote some time to building bridges to the other teams. I've discovered that it's very hard for me to do that when I don't even know what each team is working on at any given moment. One of the advantages of Scrum is the daily meeting, or the "daily standup", which makes it relatively easy to connect with people without dropping in on them in the middle of the day and asking "What are you doing? May I interrupt? Can I help?" Other people are currently working on introducing processes of one kind or another, so I hope to take advantage of them to improve my efforts on this front, but even if not, I need to find other ways to pull information toward me and get to know the people a bit better.

That's it, more or less.

Oh, one last thing that isn't entirely related to this post, but I want to take this opportunity to warn all readers - Python is a language suited to writing short scripts and projects that get thrown in the bin after brief use. The moment you go beyond that size, you need to start fighting the language in order to do things that should be trivial, and too many things are based on conventions for it to be possible to rely on them. If you're debating what to work with and you don't have really good reasons - avoid Python. I could elaborate, but this isn't the place, so here are a few articles that have already done the work for me.

Starting in a new place


I blinked, and two months (to the day) have passed since I joined my new workplace. And now, sitting at the airport with not much to do, is a great time to reflect on those two months and try to figure out what I have learned, what I've noticed and what I should be doing.
Since this is the first time that I join a new workplace with some confidence about knowing my way around and holding some firm beliefs about the way things should be, I tried to be conscious about my ramp-up and notice the goals I set for myself - the long and short term ones. The most important thing I've noticed is that there is a big gap between where we currently are and where we should be. Or, to be more specific - We have a large debt around testing in the system and unit levels, communication channels that need to become more robust, lack of supporting processes and a cultural shift that we need to undergo. Mais à part ça, tout va très bien.
Besides all of these gaps, I have my own personal gaps to fill in: Having worked on a web based product until now, I never needed to dive into the workings of the OS (right now I focus on catching up on Windows, other operating systems shall follow) and the really convenient assumption of a SaaS solution - I can control the environment in which my product is running - is no longer true, which means that I need to think about different variables than those I'm used to. In addition, the business world of a start up is foreign to me and business decisions have an impact I don't fully understand yet, I am not yet familiar with our clients or what is important for them to help me focus my efforts, and I still don't know the development teams I work with enough, certainly not enough to have the stack of credit I'm used to relying on to influence things. Oh, and we write code in Python, a language I don't have a lot of experience in and I'm not familiar with the tools and libraries that enable working with it effectively.
So, those are the starting challenges.
Now there's also the question of where I want to get to, you know, once I had all the time in the world to set things the way I believe they should be. Unlike the previous place, where I believe it was right to completely remove the tester role and just stay with engineering teams (They are still working on it, to the best of my knowledge. I think that me leaving was a good step in that direction), I believe that in this place, since there are many teams working on different parts of the system, it is still the right thing to have a team that will be responsible for the larger picture. I'm unsure about how to brand this team or what exactly should fall under its responsibilities, but there's enough to do until then. One thing I am sure about is that this team should rely on strong testing capabilities that should exist within each team, so we still have a lot to do until we need to figure this out.
At the moment, though, the current situation is that there is a dedicated testing team that should provide service to three other developer teams (some of which have a dedicated tester, but from what I've gathered, they are being swallowed into doing feature development and are not able to contribute enough to educating the team or even just taking care of the testing gap), so if I try to sketch a way forward, I imagine a growth and a shrink.

  1. Build safety nets and tools that will enable teams some level of confidence in the product they are building. 
  2. While doing 1, increase our reputation stack to better influence what is happening. 
  3. Set in place the processes required to connect with feature work while it is being defined and executed instead of getting something vague at the end. This will require using some of the reputation tokens we've accumulated. 
  4. Create a testing community, or, failing that, a testing team comprised of all people in testing positions - the idea behind this is to boost and align the testing skills of everyone, as well as a unified testing strategy and also to create another communication channel. 
  5. Once things are working, roughly, split the team and distribute most of the working force to be embedded in the development teams, with the goal of having them educate the rest of their new team, helping them take responsibility of testing and pushing out relevant information.
  6. Probably at the same time as 5, redefine the smaller team left after most team members have been embedded in the teams. Initially, it will have the responsibility of maintaining the testing community and keeping the communication channels open, as well as helping the testers not to get lost in their new teams, but after this is covered, I'm unsure. For the time being, the concept of having an "Engineering productivity" team sounds quite appealing, but we won't know until we get closer if this is the correct usage of that team. Maybe, since keeping tabs on the bigger picture is part of that team's role, it will be a good idea to have that team as part of the operations group and push towards having a real DevOps culture. I believe we have at least a year or two before we'll have to deal with those specifics.
At the moment, while I'm still learning my environment, my focus is on the first bullet, which also happens to be the easiest one - build tools. Technical problems tend to be almost always easier than influencing people or culture. In the meantime, I'm dealing with a simple problem - we have to re-write the existing testing framework without actually saying we're doing that - after at least one time when someone said "We can't work with that, here, let me show you how to do that" we don't have the credit to do the same, so instead we refactor. Heavily. It gives me a chance to be effective quickly, even if only in limited capacity, and start building up from there.
I need to notice that I'm not being carried away too much into the easy technical task and invest some time in building bridges to the other teams. I have also noticed how much I relied on the scrum daily standups - I feel a lot more comfortable hearing "I'm doing X" and then asking that person a bunch of questions, or offering my help, than I am comfortable interrupting someone and asking "Hey, what are you doing now? Oh, I have zero relevant input? Thanks for your time". People other than me are working on instituting such procedures, so I think I'll wait a bit and try to leverage those efforts.

That's it, I think. 

Oh, one last thing, not completely related to this post, but I would like to use this opportunity and warn all readers: Python is a scripting language. It is not suitable for anything long-term or bigger than a couple of files. Once you are over that size, you have to fight the language to write maintainable code or do things that should be trivial, and there are too many convention-based practices out there to actually be able to rely on them. If you ever find yourself in a position where you can choose and you don't have some compelling reasons to do otherwise - avoid Python. I can go into details, but this is not the place, so here are some articles that do this for me.

Saturday, June 1, 2019

Nordic Testing Days - day 2



The second day of NTD had started just great with Alex's keynote about exploratory testing, microheuristics, and the general recommendation "notice what is it that you do" as a way to both improve (your own techniques as well as teaching others) and help others notice the expertise you've gained. You are doing everything besides "just clicking around". This keynote had everything a keynote talk should, dinosaurs included.

After the keynote I missed (again) Bailey Hanna's workshop on feedback and communication in the workplace, and instead, evacuated myself to the ER.
To cut a long story short - I fell from my bike a bit over a week ago, and until then I thought recovery was going fine, so I didn't bother checking it up. After all, it was only a bruise, and it is normal to have a bulge where a hit has landed. However, once the coloration was mostly gone and the swelling was not, I did the obvious thing and googled my symptoms the night before. The results - scary. I woke up that morning at 5:30 AM and couldn't go back to sleep, so I did the responsible thing and called a doctor from my travel insurance. I described the fall and the symptoms, and strictly avoided voicing my guesses or fears to the doctor (which, in case you wondered, is the correct thing to do if you did google your symptoms - don't interfere with the professionals with your uneducated guesses). I wasn't very happy to hear that the doctor was worried about the same thing as I was, and he recommended getting it checked quickly. So I did exactly that. I asked the organisers for the correct place and took a cab there.
The Estonian medical system seemed to me as efficient as I could hope for - I was taken within 10 minutes to have my vitals checked and soon after saw a doctor. Upon seeing my injury, the doctor made one of the sounds you don't want your doctor to be making, and sent me to do an ultrasound. Then I waited, and as I did, I checked my options of returning home sooner, hoping that the doctor will say it's safe enough to postpone a surgery until I'm home. Just one thing - finding out that you might be in a life-threatening situation is no fun, and doing that far away from your home & family is even less so, please avoid that if you can.
A couple of hours later, the ultrasound results were in, and at least as far as it seems from the scan, the real situation is not dangerous at all (though it might get complicated a bit). The treatment: rest, and take an off-the-shelf medication for the pain.
Cool, that left me feeling a lot better (it's amazing what fear can do to your general feeling), suffering only the effects of not enough sleep and no real food since morning, where for the same reasons (lack of sleep, fear) I didn't have that much of an appetite. Anyways, I got back to the conference just in time to catch the closing keynote, where Erik Kaju told us about the engineering practices in TransferWise. It was nice, even if I've heard such talks before. It is always nice to see that some companies are doing things a bit better than what we do back at home and we can improve.

After the conference I went to sleep for an hour, and then I joined Lisi and we went to eat dinner with Joep and Elizabeth. We tried some sort of an Indian restaurant, which was quite nice. Not as nice as the company, but still :) We broke off around 22:30 and walked back to the hotel (except for Elizabeth, who was staying elsewhere). Somehow, we ended up talking in the lobby until almost 2AM, but then it was (well past) time to go to sleep.

Quite a good day after all.

Friday, May 31, 2019

Nordic Testing Days - day 1


Tutorial day is over, and it's time for the first day of the conference. I did the responsible thing and got enough sleep, despite some people (whose names shall remain undisclosed) who were dragging speakers to try out this "traditional" alcoholic beverage (and by "traditional", I mean "is probably going to kill you horribly"), so a fresh start for a new day.
I got into the venue just in time for the keynote about machine learning and testing. It was interesting, and would have made a good track talk, but I was expecting more out of a keynote.
Then, I went to give a workshop and teach people about unit testing. It's a bit long, and setup always takes longer than planned, but all in all, I think it went well; I hope the participants agree.
After lunch I went to participate in Alex Schladebeck's workshop on testopsies and micro-heuristics, in which we spent some time learning about how to think about what it is that we do while testing. Narrating a testing session can be quite challenging, but very insightful. Being forced to communicate reason ("I'm surprised by x, so I'm going to investigate that by doing y") is a great way to both learn what we do and teach others how we think.
Apparently, one opening keynote and two workshops leave time only for the closing keynote of the day, in which Raimond Sinivee told us about his journey and how, relying on his existing testing skills, he was able to become a well rounded software engineer (for the purpose of this talk, an engineer is someone who has both testing and development skills and is functioning in those two roles). It was a very good keynote, inspiring people in what I think to be a good direction.
Naturally, things do not simply end after the last lecture - we had a conference party, along with two activities I really like: lightning talks and Powerpoint karaoke. I could probably tell you about it, but it will not do it any justice. I guess you really should have been there.

Thursday, May 30, 2019

Nordic testing days 2019 - tutorial day


Tutorial day is over, and the conference is starting on a very positive note. After arriving late to Tallinn (and enjoying the beautiful weather here - rain and everything, while at home it's 35 degrees centigrade), I woke up, had some breakfast, and headed to the conference venue.
I didn't remember which workshop I chose (there were two options that I could have selected for different reasons), and was very happy that the one I preferred now was the one I chose on registration as well. I attended the tutorial on Android security, hoping to have some insight into what's going on there and collect some pointers for future reference in case of need. Marko Belzetski did a fine job as an instructor and took us on a sightseeing trip that covered a lot of topics - from reverse engineering to repackaging and exploiting internal procedure calls, as well as using a proxy to inspect the outgoing data and avoid certificate pinning.
After a packed learning day, I went to the hotel to rest for half an hour, and then - off to speakers' dinner. We got up on a boat where good food and better conversation awaited. All in all, a great way to finish a day, especially when the sun is still up at 22:30.

Tuesday, May 28, 2019

End of an era

Hebrew version

Almost two months ago was my last day at RSA, and I wrote a bit about it in Hebrew. I intended to publish the English version on the same day, but barely managed to get the Hebrew version out, and as it turned out, I was a bit occupied in the past couple of months, part of it was preparing my workshop for Nordic Testing Days. Now, when I'm at the airport, waiting for a long connection, I have some time to catch up on this gap.

After seven years and a bit, following an opportunity that jumped into my hands, I decided to move on. What can I say? It's not an easy decision to make after so much time, especially since RSA was my first "grown-up" job where I've learned a lot and where my entire professional persona has evolved. Such turning points are a good opportunity to look back and reflect, so here I am, reflecting.
The easiest thing is to drown thoughts with numbers, and thus I'll start with it:

  • Seven years
  • 41 team members
  • 8 managers (two of which were team members before)
  • One product, two versions (of a sort)
  • ~25 major releases
  • 13 conferences in which I've participated, in 4 of which I attended as a speaker
  • Two certification diplomas, one is completely useless, and the other one is not much more so.
Naturally, those numbers are not telling any significant story, and tell nothing about how my professional approach has changed alongside my role.
Officially, my role in the team has not changed. I was hired as a (junior) tester, promoted to a (senior) tester and even to a (principal) tester. Each promotion came with the expectation "please continue to do what you are doing". In practice, what I did changed drastically.
I started my way in RSA fresh out of the university after a friend who worked there referred me, and since all I knew about testing was what I've learned in one introductory course to software testing, I thought that the job of a software tester is to test software (spoiler - it is not). I started with almost decent programming skills, and with knowledge about testing that was just a bit over the required knowledge to pass the ISTQB CTFL test (The professor teaching this course was a member of ITCB - the Israeli chapter of ISTQB, but we had some extra material to fill a semester-worth of course for CS students that don't need to waste time on "what's a loop"). This meant I came prepared to write mountains of documents and to deeply analyze the software I was about to work on. Frankly, my initial experience was pretty close to that: I came to what soon became six regression cycles running back to back due to some major changes that incorporated a lot of risk - we upgraded the OS and then upgraded some central components in our system, so we had to go over most of the system just to see that nothing was very broken. We worked with tests that were written some time ago in Quality-Center, and with rudimentary automation that wasn't that great, and in most cases - simply wasn't there. In fact, one of the test scripts was so poor that I asked for, and got, some time to re-write it using the framework we've started building so that it will be easy to understand what's going on and in case of failure, understand what were the symptoms of the failure. All in all, my focus was on learning the product and while doing so, learn also how to test software. Oh, and bugs, what fun it was to find bugs.
After about a year I got to a point of unease - I was a bit more familiar with the product, and I thought I did a decent job, but I felt that my theoretical knowledge on testing wasn't improving and I looked into it with my then manager (The third one, after maternity leave and a wave of layoffs) and we came to a conclusion that a course could be a good thing. But what courses are available on testing? We didn't find anything we thought was relevant or useful, but there was a CTFL certification course, so what the heck - company's paying and we're out of ideas. Now's probably the time to say: Despite what I have against this lousy certification, the preparation course can be used to learn a thing or two about testing if the instructor is experienced, you have some knowledge about what real software projects look like and you are prepared to ask a lot of "why" questions each time you hear a recommendation that does not align with reality (which is about 90% of the material). I got out of the course with some ideas for improving our process, which, unsurprisingly, included more paperwork. I think this was a point where I can mark a changing point - about the same time I decided to act upon a rumour I heard back at the university that said professional hi-tech workers should read to always stay current. I probably started doing some reading a bit before the course, but it takes some time for knowledge and impact to accumulate. That second phase came when I've encountered James Bach & Co.'s ideas, out of which the most representative example is probably this video. Another idea that I found very helpful was the concept of the "testing schools" which I found convenient, as it connected well with what I learned at the university about different literary schools and, more importantly, different paradigms 1.
The concept of different testing paradigms seemed very sensible to me, and the division into five schools was convenient. The factory school, which is represented very clearly in the ISTQB syllabi (mostly in the CTFL, but it was in the others I skimmed through), is focused on managing the testing process, and treats software creation like an assembly line - where consistency and predictability are the main focus, as well as cost saving. The analytical school focuses on scientific and formal methods of measuring and improving testing, and it provides tools to practitioners of the other schools that are busy with the real world of software delivery. The agile school is focused on the developer's perspective - unit testing, TDD, fast feedback and freeing bottlenecks are the bread and butter of the agile tester, and this school provides language to engage non-testers in testing, which is mission-critical in most software projects. The control school (or, in Pettichord's terminology - "quality assurance school") tries to understand how to prevent mistakes from getting to production, focusing on setting standards and regulations and deploying measurements to deal with bug escapes. The line between this one and the factory school is a bit blurry, but I think that having two focal points is important enough to have those two schools separate. The final school has assumed the title "Context Driven school" (To be honest, only people within the CDT communities are using the notion of testing schools. Others, such as Rex Black, are opposed to it) and is focused on the skills of the individual tester and treats testing as performance - In the balance between personal skills and methodology, the former has much more influence on how effective the testing process will be.
The message carried by the CDT community appealed to me very much - It said that *my* skills are the most important to do a good job, and I found there encouragement to think on how I test software and to notice the language I was using. My focus shifted gradually from processes and bug finding to improving as a software tester.
Roughly at the same time, by the end of 2013, I connected, almost by mistake, to the local testing community. A colleague of mine told me of a testing meetup in Jerusalem and I thought it could be a good way to connect with people working in the city and maybe find my next position (I don't know if I mentioned it before, but when I first started in RSA I had full intentions of staying there for a year or two and then return to Jerusalem. A blink of an eye later and seven years have passed, me still living in a self-imposed exile). I got there, met some people, and someone managed to convince me to participate in an online forum (Facebook wasn't as dominant as it is today in the testing community in Israel, or rather - the forum wasn't yet as dormant as it is today). This is how I began chatting with other testers and going to meetups.
In the meantime, things progressed at a slow and comfy pace at work - my coding skills improved, I learned the product, people and processes and there even were parts of the product I was the expert on, having been the one working on them. In addition, my team was maturing as a scrum team: We've learned to work closer and minimize gaps between functions in the team and the pace was speeding up nicely. As time passed, I noticed that most of my contribution was not while I was "working" with the software but rather when I chatted around with other team members, offering some advice, passing on rumors and asking questions, and then Brendan Connolly wrote this post, which connected well with what I was experiencing and it helped me define my role as a nexus of information and not as "someone who comes to check that everything's ok".
Time passed, and some of the faces around me changed, when I started noticing that not enough testers at work are showing interest in professional development, and unsurprisingly, things had some room for improvement. It wasn't only that information didn't really pass between teams working on similar products, but the standards were different as well: People who worked for years in one team didn't have the skills to even pass a basic interview for a junior position in another, let alone function in that team. Once I noticed this phenomenon, it was impossible to un-notice it, so I looked for ways to help resolve this (I was sadly unsuccessful in that). Completely unrelated to this but about the same time I saw a post in Maaret's blog I was (and still am) following that published an experiment - half price tickets for a testing conference, based solely on the reputation of the organisers. Well, cool. I was wondering about professional conferences, but they were quite expensive to try out and pay for myself, and this one was not that expensive, and being in Romania it was a cheap enough flight and the extra expenses were also cheap enough for me to decide on taking a vacation and attend the conference. What can I say? The European Testing Conference was a great conference to start with - I met awesome people, learned a bunch, and came back home with some ideas I wanted to try out. It was also the point where I met the European testing community 2 and started disconnecting from the American CDT ideas (mainly because I connected more to an inclusive discussion instead of the debate oriented one).

I was also influenced by the changes in my team - when one of our developers left, I found myself in a position where I was the only one in the team who was familiar with the bureaucracy around software security (or rather, the only one who was familiar with it and wasn't already swamped with back-to-back meetings). I had the opportunity to develop my understanding in software security and became the team's expert. On a side note, being an expert does not require any specific knowledge, just declaring "I'm an expert", and whenever anyone comes to you with a question, respond with "I don't know, but let's figure this out together". Another such event was when after 5 years at RSA my manager for 3 years, who was a technical leader in the team when I joined, left to work at another place and I had to help my new manager to figure out what was going on, and in the meantime to shield the rest of the team from external pressures. I was thus exposed to just enough of the process of managing people to know that this is not something I want to do at the moment.

All of those processes, alongside the progress we made in combining the test and dev parts of the team, and listening to the ABTesting podcast helped me grow to the paradigm that currently appeals the most to me, which is phrased quite eloquently under the modern testing principles, which despite the name, is not a testing paradigm but rather a software production (or however you would call the process of defining, developing, testing and deploying an application) one. There is one point on which I disagree with those principles, and this is the exaggerated focus on the "customer". I wrote about this before, so I won't go into it again, I'll just mention that for me - the business comes first. I work for my employer, and in the cases where my employer's interests are not aligned with the customer, I'll choose my employer.

After all this time, when I'm looking back, what I see is mostly people. Those who were there when I arrived and those who stayed there when I moved on. There were good and difficult times, and each person added their own unique something into this cauldron. I think I learned at least a bit from everyone I worked with (even if some people taught me patience by testing it over and over), I've learned that every software out is a matter of compromise, how to work as part of a team and how to write better code and talk about the principles that guide me. I learned a thing or two about software security and bureaucracy and how to both ask and receive help. Most of all, I've learned that the most important thing is the people you work with.
So, thank you for everything, and we'll probably meet again.


1 In short, a school is a group of professionals that share a common paradigm (maybe more than one?), and a paradigm is an angle to look on and define the problem space in a field. It's a set of questions that are interesting and some tools to answer them.
For example, the "reader's response" school is focused on answering the question "how is a text processed by a reader and what are the mechanisms through which a text is having its effect on us" (So, The Iliad would be a very different thing for contemporary readers and ancient Greeks). Questions such as "what were the writer's intentions" are mostly irrelevant and secondary to the perception of the act of reading as a dialog between the reader and the text.

2 I use the term "European testing community" from my own personal perspective. There are multiple testing communities in Europe, with varying amounts of overlapping. I use this term to note the people I met through ETC (not necessarily at ETC, though).