Monday, February 17, 2020

Book review - The Surveillance state

So, I'm cheating a bit. This is not a proper book, but rather a series of lectures wrapped in an audio-book (the course material just happens to be a 198 pages PDF, so one might use that excuse too to call it a book) . At any rate, the surveillance state, big data freedom and you is a rather interesting listen. It's an introductory course to software security and privacy, but unlike many others, this book approaches the topic with the goal of covering the legal concerns, as well help the audience to understand why the subject is a complex one and how every choice made by a legislator is a choice of a specific balance between civil rights (that might conflict within themselves), safety & security, and technical soundness.
The "book" is comprised of 24 lectures, so I'll skip my usual chapter-by-chapter summary, and just go over some of the points that got my attention.
The first one is the claim that there's a trade-off between the government ability to protect its citizens, and its ability to track everyone, everywhere. This dichotomy sounds simple at first - of course we want our government to know where the terrorists are planning to plant a massive bomb, but even without going the length that Bruce Schneier does and claiming that this is a false trade-off, this book does raise the problems in this approach: Would we be as comfortable to allow complete surveillance in order to catch a drug deal? and tax evasion? Currently, we are willing to allow our government to invade our privacy only for certain reasons, and the fact that much of reality is moving to the cyber-space is changing what privacy means and how difficult it is to separate between "legitimate" invasions (such as espionage, counter terrorism and general anti-crime operations) and liberty limiting surveillance is becoming more difficult (there isn't a separate communication network for terrorists - they are using the internet, same as everyone else).

Another point I have not considered before was the necessity of some measure of transparency in order to have a meaningful policy discussion. The most obvious reason being that without it, the policy does not matter. However, transparency should also be limited in this game of balance - some actions are becoming ineffective when they are known to the target (wiretapping, for instance) and in other cases, just exposing that a nation has a certain capability is enough to thwart it (Today it is common practice to leave cell-phones out of top secret bases since the ability to track them is well known). A nice way to compromise for that sort of problems is to appoint an overseeing body of a sort, but one thing I gleaned between the lines was that protecting insiders who expose malpractice, since this observation mechanism is, in itself, something that needs to be checked.

I mentioned the word "privacy"  once or twice already in this post, and this leads me to a question - what is privacy? In the 8th chapter (or lecture), the professor, Dr. Paul Rosenzweig, is mentioning that there's a need for a new concept of privacy. While he's not using those words himself, he's saying that the big data revolution has killed privacy. Since there is truth to that, he suggests a different was of looking at privacy - Since preventing collection and retention of data is not an option when it is the same data that also enables services we actually want, redefining privacy is what we can do to adjust to this new world we live in. He uses a definition I'm uneasy to accept, and for a reason I simply reject. He suggests that the limitations we set to protect this new type of privacy would be there to prevent use of data in a way that would cause some "actual harm to an individual". I reject this, because showing "actual harm" is difficult, and it's easy to brush aside non-bodily harm as "negligible". The chilling effect caused by the eye in the sky? "Oh, that's not actual harm, is it? everyone else agrees... ".
Privacy, for prof. Rosenzweig is "a desire for the independence of  personal activity. a form of autonomy". This sort of  'autonomy' can then be protected in many ways - secrecy (for instance, no one knows who you voted for), direct protection on action (you are allowed to practice any religion you'd like) and anonymity - where our actions are not hidden, but they are, generally, stripped of consequence because the action is not linked to us in the relevant circles where this sort of link would cause us harm. For instance - a teenager buying condoms would very much like hiding it from their family and classmates, but might not mind the clerk or the other strangers in line having the same information. Or, in his words - "Even though one's conduct is examined routinely and regularly, nothing adverse should happen to us without good cause".
Personally, I prefer seeing privacy in simpler terms - privacy for me means that I can limit the knowledge about myself or my opinions and activities and to some extent, control who it will be visible to. I do not expect nor have complete privacy, and many bits of "my" data have different levels of privacy, but I believe we need to create a vocabulary that would help us identify the level of privacy I have for each such detail, and debate what it the appropriate level. For me, privacy is meant first and foremost to allow a person to save face. Avoiding additional harm is also desirable, but can be achieved by rules prohibiting some behaviors. In that sense, I think I agree more with the sentiment behind the GDPR principles, and why I really like the "right to be forgotten".

There's a lot more going in this course, and the more tech-oriented people might notice some inaccuracies or broad generalizations when the professor is explaining technology, but that's ok - it's a course about policy making.
The last section is a call for action - to participate in the public debate around privacy and help define boundaries and set up the grounding for the legislation to come. After starting with a claim that technological advancement always will be ahead of laws and policies, I completely agree - public discussion is probably the one way we can catch up on some of that gap, and even set the direction technology will be moving forward.

Sunday, February 16, 2020

ETC 2020 - conference days

It's official now. ETC 2020 is now over, and there's no more stretching it for me. It's been a wonderful conference, where I got to meet new people and some I've met before as well as learn about new ideas, skills and tools. All in all, those have been a packed couple of days, in the best way possible.
The conference has started with a talk by Mirjam Bäuerlein on TDD, and dogs.  The talk, as it is, was presented in a skillful manner and was a good overview on what TDD is and covered the "why" on top of the "how". Personally, I didn't connect with the dog theme and didn't really see a new insight on the topic emerging from this unique perspective. I think that as a keynote I expected a bit more out of this talk: I like keynotes to be inspiring or perspective changing, which wasn't the case for this one. Judged as a track talk, however, it was a very good talk with a subject that is quite important, even if it might be more familiar to regular conference attendees (And frankly, we had roughly 1/2 of the people at the conference there for their first time).
After a short coffee break it was time for a regular track talk - I started with Jeremias Rößler's talk - Test Automation without Assertions. The talk, as far as I could tell, was a presentation of a specific tool called Recheck-Web which he has created. As far as I could understand it's a combination of a stability-enhancer and a approval tool integrated into selenium. It was a decent presentation, but I could see that there's no real value for me in it, as I'm already familiar with the concept of approval testing (and visual validation), and I don't really like talk focused around code, since they are difficult to execute. Also, I have a request for all future speakers discussing coding related issues - There are a lot of bad examples in the coding space, especially around test-code. Please don't contribute to this pool without clearly marking "here's some bad code". If you want to suggest why your solution is a good thing, compare it to the best code possible without it.
So I left and went to check out another talk. As I was planning to attend the PACT workshop, I thought I might go and check out the talk about the same topic. Have I mentioned that coding talks are hard to pull off? Well, the part I entered was where a speaker stood with an open IDE and mumbled "here's how you can do this" for several times. It might have been a great talk for those who were there from the start, but I stayed 5 minutes to see if the talk would get to more interesting things than code, and left this one as well. The next event was speed meet. Those who read my ETC posts in previous years know that it can get a bit too crowded for my liking, yet this year felt slightly less so - I was able to both talk with some people and not end up so exhausted  I needed to take some time-off at a corner to recharge. I even managed to remember a name or two by the end of it. After the speed meet there was time for lunch, and I spoke a bit with Kaye and hear about their story of moving to the Netherlands.
Shortly after lunch it was time for the workshops. Due to a last minute change in the rooms I found myself in Fiona Charles' workshop titled "Boost Your Leadership Capability with Heuristics". It wasn't what I planned to go to initially, but despite having about five minutes before the actual start of the workshops, I decided to stay and learn. The workshop itself was meant to break down the vague concept of leadership down to more useful components and notice that most leadership qualities and practices are heuristics, which makes them fallible and means we should be noticing when it is suitable to use certain of them and when it wasn't. For instance, providing feedback  is generally seen as a good thing, but it is not suitable for cases where one does not have the credibility to provide feedback, or when the other side does not have the attention span to process it. Sadly, the time constraints were a bit too harsh on this workshop - we managed to complete a single exercise, and we were missing a bit of direction and maybe a summary from Fiona that would help participants notice what was it we did and how to carry this forward. I believe my explanation above is where the workshop was aimed, but I might be missing it completely.
Next on the menu - Hilary Weaver-Robb's talk on static analysis. It was a well rounded introduction to the concept of the topic, and really left me confident about starting such a thing back at home (next task - find some time to do that). In addition, Hilary divided the different types of outcomes we can expect to get from a static analysis tool - probably bugs, security vulnerabilities, code smells and even some performance enhancements. Each of those categories have a slightly different urgency to it, but the general thing to do about each of them is "understand, prioritize, fix". In most cases, one can skip just to "fix" since the tools are pointing quite clearly to a well defined issue. In some cases it exposes problems that are more complex to fix and one might not want to do right away.  We also mentioned the difference between linters that show up issues as one is coding, and analyzers running on the entire code base. All in all, I liked this talk very much.
Finally, it was time for lean coffee and the closing keynote. Lean coffee was, as usual, very interesting. It was a bit off that I was the only one with more than one topic suggested, but fortunately the topics presented by others were so good that only one of my topics actually made it to the discussion. Co-facilitated by Mirjam & Gem, everything went smoothly enough, with the one usual caveat of not having enough time for this activity.
The closing keynote for the day was given by Maaike Brinkhof and was confusingly titled "Using DevOps to Grow". Why confusing? Because in fact, this talk is not very much about DevOps, which exists in the background, but was in fact about growing professionally, and learning to expand beyond the narrow definitions of one's role. Sure, DevOps helps, as there are many collaboration opportunities, and as the role of a dedicated tester becomes even more narrow and other needs such as good monitoring, simply presents themselves, but one does not need to wait for DevOps to achieve such progress. At the end, it all comes down to working together as a team and focusing on value rather than on roles. This message, while it's not the first time I hear it, is extremely important, and is new enough to actually change the way people might think. As keynotes go - it was definitely a good one, and it was important to hear it during the conference, to encourage people to step outside of their familiar comfort zone.
End of day one, more or less - there was still some socializing with some drinks and refreshments happening for a couple of more hours, and then I went out for dinner with a bunch of cool people as well.
I managed to get to my room by the early hour of 23:30, and even thought I might end up going to sleep early. We;ll ignore my optimism for a moment and skip ahead directly to the next day, starting with the opening keynote of the day which was an overview of application security. More specifically, Patricia Aas presented her take on how DevOps culture changes the way application security is taken care for, with 6 ground rules to actually make it work: Live off the land (use the tools already in place, don't add your own tools and ask the developers to work with them), Have Dev build it (because you don't have time to do that yourself, also they will be more committed to it if it's theirs), Trunk based development (This one is just a tip taken out of "Accelerate", I don't think it has anything to do with security, but the jist of it is to have small chunks of code review so  that reviewing them for security is feasible), Use existing crisis process (and train for it, since people revert to their instincts when crisis hits), Automate as much as possible (and I would add - as much as sensible) and treat your infrastructure as code (since, you know, it is a part of your code, and needs to go through the same system of checks and deployment process). All in all, it was interesting to get the perspective of a security person on a development process. One particular point I connected to was her story of origin - starting as a developer on a company that was constantly hit by attacks, everyone in that team learned about application security, and from there she continues to the security path. Having worked on a regulated product for ~7 years, it felt very natural to me.

After the keynote it was time for the workshops again. Having the workshops run twice is a really nice thing, as one can gather impressions from the attendees of the previous day and the inevitable dilemma of "Out of these 5 amazing activities I really want to attend 3, and they're all at the same time". This way we can choose 2 of those sessions. I went to the workshop on Pact given by Bernardo Guerreiro. To be frank, it wasn't very much of a workshop as it was a live demo on the tool. Despite being a difficult feat, Bernardo managed to produce a good code intensive talk. Moreover, given the limited timeframe of the workshop, I believe it was the best possible choice. Bernardo walked us through an overview of the entire process of deploying Pact in your pipelines, so that we could get a good grip on what capabilities the tool had and what problems might occur as a result of mistakes made at the beginning so that we can learn from them. One thing that would have made the workshop perfect for me would have been a sign of "what are we aiming to achieve" and perhaps a handout of the different phases in the journey to help people remember the different insights, as they all played out very naturally during the workshop. I stayed a bit after the workshop to chat with Bernardo and we ran a bit late to lunch, which for me is an indication something is going right in this conference.
After lunch I attended Gem Hill's talk about "Value and Visibility; How to figure out both when you don't do any hands on testing", short version:  As you move to a more senior tester role, your job looks a lot different than what it was before and you might feel as if you're not doing anything and wonder where your time is slipping away. With the relevant differences, that's a pretty good description of feelings I had during my last couple of years in my previous workplace, and then again once I joined my current place and found myself in a completely different setting - working outside of multiple teams instead of embedded in one. Gem shared some strategies that worked for her - noting on paper what she has achieved instead of only what she planned is one that I remember.  Another thing was just the realization that work looks differently.
The final track talk I attended was Crystal Onyeari Mbanefo's talk: "Exploring different ways of Giving and Receiving feedback". The topic itself is quite important, but on a more personal level, I did not connect with the way it was presented. It felt a bit too dry and rule driven, with no real story to hold everything together, and the division between feedback to a peer, to a manager (or someone more senior) and to someone down the food chain wasn't very useful to me. Probably, what I missed the most was a sense of purpose. We ditched a goal oriented definition of feedback and used instead one with no obvious purpose (it can be seen  in this slide). For me, feedback with no intended goal is less valuable - I give feedback because I want to change a specific situation, or because I want to help someone learn, or because I want to encourage them for something they did. If I have no goal in mind, I can't really know if my feedback was effective, and it is not very different than any sore of observation or rant.
From that talk I went on to the open space, where I skipped raising a discussion around "quality is a toxic term", which quite frankly, is more suitable for a lightning talk. Instead I got to attend two awesome activities: The first one was a sketchnoting session by Marianne who has sketchnoted the keynotes for this conference as well. now I have a strategy on how to create my own sketchnote.
The second discussion I attended was a game of value. The idea of the game is to do some "work" (passing on some poker chips) and getting "paid" by the customer. The goal of this game is to practice learning about the customer value while still producing something. Short version - we failed miserably. I still managed to learn quite a bit from it - first thing is that without getting some feedback from the customer we waste effort (someone paying us, by the way, is one sort of feedback). Another thing I've learned was that we don't know the parameters we can tweak, nor what are the variables that have an impact on the value - is it time of delivery? predictability? new functionality? snazzy UI? Can the value of those parameters change over time? Maaret wrote about it in more details right here. the final slot in the open space was one I added to the board, with a call for help - We have at work a lot of changes that needs doing, and I've never actively persued a culture change in an organisation, let alone do that in a bottom up fashion. So I asked for help in order to see if anyone has some ideas about how to plan for such a thing, and how to track our progress. It was an interesting discussion, and I had some tips on things I might do, but with the short time we had, and my deficient facilitation skills, it wasn't wrapped up to something whole that I can take and say "now I know where I'm headed". I did gain some insights that I still need to process.
Open space was done, time for the closing keynote: "The one with the compiler always wins" by Ulrika Malmgren. I still think it could be a title for a talk in a python conference (and for all you pythonistas out there, I know python is technically compiled, just not in any way that is helpful for me), but in fact it was a reminder of how, at the end of all ends, the person doing the coding has a lot of power in their hands - they may deviate from pre-agreed design, add small features they like in between their tasks, and raise the price of tasks they dislike. This power means there are consequences to how we act (or, if you are not part of building your product, on how your devs work). Inspired by Marianne's mini-workshop, I made a small sketchnote. It is still a lot more practice hours before it can be compared to a proper one, and I'm unsure if the experience is something I enjoyed enough to repeat. Note taking, in any format, tends to distract me from listening (now, combine that with poor memory, and let the fun begin), but it was interesting to see what I could do with a small set of tricks and a piece of paper.
And that's it for the conference - lights out, people going home, and all of those. I stayed a bit to see if I could help tidying after us and after dropping several things to Marianne's car, I went to join a lot of people for dinner (I'll skip names, but you can see some of us here). A really nice surprise was when a small delegation from DDDEU came to say hi from the other side of town, so I got to say hi to Lisi Hocke as well. After dinner was done, we moved the conversation to the hotel's lobby and then just talking about a variety of things (From concrete feedback on a talk, to différance and speech act) and at some moment there were only 4 of us left - Jokin, MarkusMaaret and myself. As it usually happens in such conversations, I learned a lot. For instance, I learned that creating a safe space for attendees involves also caring for the content and presentation of the talks, and we had an intersting discussion around connecting people online (I'm still not a fan, but I can see now how it can work for some people), about CV filtering (We all agreed that it can cause a lot of missing out on great people, we differ in the question of whether we are willing to pay the price of using a more accurate but more time-costly predictor) and much of my insights from the game in the open-space came in this conversation where I learned about the various factors we should have considered, and about the options we had hiding in plain sight. Suddenly, it was 2:30 AM, so sleep time it is.

I still managed to extend the conference feeling for one extra day by meeting people for breakfast, then walking around in Amsterdam a bit, both alone and with Mira and by the evening we had dinner and were joined by Julia and her family, but that's ETC 2020 for me. It was a great mix of learning, meeting people and fun.

Thursday, February 6, 2020

ETC 2020 - day 0

So, after landing yesterday in Amsterdam, I used most of the day before ETC is starting to tour in some of the fishing villages around. That, at least, was the plan. At the hotel I was told that there's a hop-on hop-off bus I could take from central station, and so I went there, looked for the relevant booth and found out that this is true only during summer. Ah, well, I'll take a regular bus, the helpful man at the counter told me I could find tickets at the EBS office just on the other side of the central station.  So I went looking for it. about an hour later, I realized I have no idea where's that and went back to the info booth to ask for more specific directions (as no-one was familiar with the name I was given). It appears that the EBS is inside the train office, and so I managed to purchase a bus ticket - which in turn led to me looking for the bus. It took me a while to figure out that they were hiding hte buses on the 2nd floor, up the stairs. And finally, I was out to Volendam (which, as one can guess from the massive wooden stakes in the picture, is suffering from a grave problem of giant vampires). The village itself is a nice place to walk about, and the scenery is lovely and very calming. I took a ferry to Marken, and from there back to Amsterdam.
Then, after a quick shower (and time to recharge my phone's battery, that was depleting quite rapidly), down to the lobby and out to the pre-conference meetup, I met Marianne on my way down, and we met with more people in the Lobby (Joep, Elizabeth  and Marit) and most of us set out to the meetup venue at one of the ING buildings. At the meetup itself I met a lot of people I've met before, and some new people as well, but listing their names would be testing my memory a bit too much, so I'll just say that I got to meet Gem Hill, for the first time, and talk again shortly with Thomas, and that there was a nice talk given by Lisa Crispin and Janet Gregory, and that Maaret facilitated a very interesting discussion, and that I heard some horror stories from Fiona Charles with regards to disfunctional workplaces, as well as an interesting tip for the daily stand-up: come prepared. I wonder whether my team will buy into this one for an experiment, as we are having trouble just in keeping the stand-ups in time (Hi team! how are things back at home?), it feels like something worth trying.

All in all, I had  a really nice day, can't wait for the conference to start tomorrow.

Tuesday, January 7, 2020

Why don't I like python?

Some of you might have noticed that over the past 9 months I've been tweeting a bit under the hashtag #PythonSucks. As part of my pains with this language I asked the twitterverse to help me with finding sources that can confirm (or debuff) the claim I've been hearing a lot about python contributing to developers' productivity (for an example of this boast check this almost 5 y.o. podcast episode, around minute 11:30). During the conversation that sprung up from this question, Maaret mentioned it will be nice to see what am I missing when working with python.

As I went on to start answer, I figured out I have a bit more than a tweet's content to say about it - and so, this post is on. Some of the things I dislike about python are probably due to its nature as a dynamically typed language (I don't have a lot of experience in other languages that share this property, so I'm comparing it mainly against java and c# which are the closest statically typed languages (unlike c++ or c which are a bit more low-level)

So, what is it I don't like about python?

  • It's chaos prone.
    While it's definitely possible to write bad code in just about any language, my feeling is that in python writing well structured code is an extra chore. There are "type hints" that allow me to state "this variable should be of this type", but it is only optional, so we need to remind people to do this. It is possible to put multiple classes inside a "module", so we have to take care and ensure that the files are not growing out of proportion. The lack of the "private" concept is pushing people to abuse python features (check "name mangling") and instead a coding convention was invented to indicate "this should be private"  I also want to smear the variable scoping, but I'm not sure I understand it enough to do that.
    Under the mantle of "consenting adults" the language is allowing too much freedom and entrusting the programmer with the quite heavy task of keeping everything tidy with no purpose other than tidiness. Another example is the stupid decision in holy PEP8 (python coding style) with regards to string quotes (use single or double quote?): "Pick a rule and stick to it." Really? 
  • Tooling support sucks.
    Don't get me wrong here. I am rooting for my favorite python IDE (I use PyCharm) which saves me a lot of effort and is making everything less painful. Still, even with my limited use of the language, I found some stuff I was missing comparing with my favorite java IDE by the same vendor (IntelliJ) - since stuff is dynamically typed, auto-complete is weaker (type hinting helps, where it exists), the same property is probably why I spent several hours looking for a "generate equals and hashcode" functionality that was built-in in IntelliJ but missing from PyCharm - it is simply more difficult to do if there isn't a defined set of fields. Another thing that works less well is finding usage of a function, and I'm sure there's more. The tool vendors just have less metadata to work with
  • It's difficult to read.
    No, I'm not speaking only on the lack of curly brackets and reliance on indentation (there's a reason why whitespaces are ignored in most other languages - they are invisible!) I'm speaking on what seems to me like favoring writing code over reading it. It starts with the odd ternary operator ("a=c if bool else d" is done in  most other languages I could find as "a= bool? c:d" where we first inform the reader that this is a question) goes on with convenient to use but meaningless constructs such as for\while: ... else: (what does it mean to have an "else" statement on a loop? ) and goes on with removing the most useful metadata - types being send and returned. Sure, one can put type hints, or have this information in the docstring, but as we all know - documentation gets out of sync with the code very fast). So sure - I might have less lines to read per function, but I'll be forced to hop into all of the functions I'm calling just to see what am I getting from them.  Personally, I also don't like the convention of using less braces (my IDE yells at me if I write "if (a>b):" and would rather have me write "if a>b")
  • Libraries are difficult to use.
    Sure, another of pythonistas boasts that I've encountered is that python libraries have great documentation. While this might be true, I prefer not needing to read the documentation except for finding about corner cases or difficult to explain stuff. It's those missing types again. The only way know that the parameter "X" is supposed to be duck-typed as a string is to read something outside of the code (I have not encountered a library that used type-hinting, I assume they are some). There's a very popular way of sending parameters as "args, kwargs", which means that just to find the names of the possible parameters I'll have to step outside of the code.  
  • Importing a file executes it.
    I don't think I need to add here anything. 
  • Dependency management?
    This one is probably just something I need to learn, but I haven't found out yet a too to help me with dependency management (such as maven or Gradle in Java).
  • It's a special bloody snowflake.
    It might just be my feeling, but sometimes I can just stare at the code and wonder what have the designers of a specific language quirk been thinking (oh, who am I kidding, I'm always blaming that Guido chap). We've discussed above the ternary operator, there's the odd choice of not including a "switch\case" support in the language, having "join" as a method of String instead of a method of the collection, and a plethora of tiny things I encounter but cannot recall at the moment). It seems that python just wants to be different than other languages just because, and I prefer things that stick to the convention unless there's a reason not to. 
  • Say "pythonic" one more time...
    Seriously, are we professional coders or a part of a religious cult? While this can be used to improve code aesthetics  I've seen this argument used to justify ugly code ("It's more 'pythonic' that way ").  
Those are the pain points I think are most visible to me at the moment, and from the technical point of view, I  don't think adding more would help. 
There is, however, one other property I really don't like - It's too easy to learn. 
Normally, you could think that being easy to learn is a good thing, but what actually happens in python is that the learning curve is longer. Yes, it is less steep, but on java or c#, once you are able to write a small scale exercise you have already faced some OOP principles (in fact, since every variable has an explicit type, the new coder must have faced this concept), in python, stuff just work without trying. In some manner, python is suffering from the same problem as the testing profession - it is really easy to get started with limited professional capacity, so people just assume it's easy and don't invest the further effort required to be good at what they do. 
Another part of that is that you could write some bad code and it will work and will be enough for quite a while. It makes python a great tool for non-programmers (such as data scientists who just need their script to work while they focus on honing their data science skills. a lightweight scripting language with extensive libraries is exactly what they need), but for me it only means that once you'll find that you are missing those extra bits of information to manage your project properly, you'll have a lot more to rewrite. 

Sunday, November 3, 2019

Book review - Social Engineering: The Art of Human Hacking

"Sir, you can't board this train with your bicycle"
I faced this statement (or something that conveyed its message in different wording, the translation from Hebrew isn't exact) from a train employee a while ago. As luck would have it, I was just listening to Christopher Hadnagy's "Social Engineering: The Art of Human Hacking", and thus went on to try and board the outcome - I burdened the employee with a barrage of accusations, making him responsible for my situation ("You're stranding me here at the airport after I bought a ticket and used it to get here to my connecting train", "what do you expect me to do now?"), claimed for precedence ("I've been boarding the train with my bike yesterday, and the day before", "why do you change the rules?") and applied time pressure ("Look, you are causing me to miss my train"). After a couple of minutes of arguing, he came to the conclusion that "If I can't see it, I can't stop you, if you would wrap it in your bike-case it's not my fault I didn't see it".
Ordinarily, I would have just thought it was me arguing and getting my way with it, but as you can see - I was employing several tactics to get what I wanted - I counted on the employee's empathy and the fact that he didn't want to be the bad person, added time pressure and offered an escape route that allowed him to save face in the form of "what if the bike had been covered?". I believe being aware of what I was doing helped me "win" this argument, and it sure did make me feel  uneasy a about how "evil" I was acting - consciously putting pressure on someone who was simply doing his job.

Since I neglected my blog for too long due to a multitude of things taking up my time and energy, I thought a good way to start writing again is with a task that have been waiting for quite a while now - a review of "Social Engineering: The Art of Human Hacking" by Christopher Hadnagy which is the first audiobook I listened to twice.

The first thing one should know about this book is that listening to it is a bit scary, as the book shows time and again how reasonable human behaviour can be (and is)  exploited to cause harm and then goes on to say "and were I a real malicious attacker, I would have take this to the next level by...". Apart from that, this book is a great first step in becoming a professional security engineer, and provides the next steps of practice in each step.
After listening to this book, there are two takeaways I continue with:
First - Regular, day-to-day human behaviour can be exploited in way most people don't imagine and leveraged in ways far more serious than one might expect.
Second - Despite the first point, defending against social engineering does not require behaving like a heartless automaton. Most of the times, it is enough to pause for thinking and double checking before acting.

In a nutshell - that's it. However, there's much more to this book, which is very well organised to topics.
First we start by trying to define social engineering, or SE, for short. This, perhaps, is the only place in the book where I think the author is not doing the reader justice. The book dwells on the rather blurry line between influencing a person for their own benefit (e.g. - convincing someone to quit smoking) and persuading them to act in favor of our own interest and against their own. The book claims a simple truth - the same skills and techniques used by malicious social engineers can be used in a variety of other, benevolent actors. A doctor will try to persuade their patients to take on healthier habits, a teacher will "educate" students and a friend might put some pressure on you to take that vacation you've been yammering on for ages. Still, in my eyes, the book is trying to paint a nice picture over a term that is used almost exclusively for actions that are, at least, unauthorized and most of the times - straight out malicious. The examples in the book in later chapters also fall in line with this approach and are portraying examples of misleading, putting pressure on people and in all ways get the upper hand of the victims.
Following on, the book goes on presenting the SE framework (more details can be found here) and the different skills and activities that comprise it.
First thing's first, the 2nd chapter is all about information gathering, showing how some trivial details can be used as a stepping stone to further attacks. For instance,knowing that someone is a stamp collection enthusiast is a good way to lure them to a malicious website claiming that you've inherited a stamp collection from your late grandfather and made a website with the stamps to be sold. Besides some examples on how destructive random bits of information can be in the wrong hands, the book mentions some tools such as BasKet and Dradis to organize the data, and points out to common sources of information - from social media and search engines to job adverts, whois registry, personal blogs and even simple physical reconnaissance and dumpster-diving (which, the book says, you should do with dark cloths and a good pair of boots). The chapter then goes on to the seemingly irrelevant topic of communication models, It's quite interesting, at least from the theoretical viewpoint, and it provides a nice way to break down any single social engineering "scene" (e.g. - sending a phishing email, having a conversation with a target), but it is not really a part of information gathering - a communication model can be used wen planning an information gathering strategy, but at the same time, it requires the information already gathered to succeed. Based on the Shannon-Weaver model of communication a social engineer can ask more specific questions: what is the type of feedback I want from the receiver? what sort of message would work best? what channel is the most effective way to communicate my message?

Next on the menu is the mysterious skill called "elicitation" and apparently that's a real word. Its meaning, in case that you are not familiar with it, is "drawing out". In our context, it's about drawing information out of our target. I assume that it can be used also to invoke an action (such as keeping one door open for a person, creating the expectation they'll hold the next door for you, which just happens to be the one you need a key card for) but the book does not dwell much on that aspect after mentioning that the goal of elicitation is to make the target take an action to the attacker's advantage - as small as answering a question or as big as providing access to a restricted area. The book lists some elicitation techniques, from simple ones that range between simply asking a direct question  and getting people tipsy and talkative to more elaborate schemes that may involve pretexting (see below) and preloading the target with information and emotions that will make them more susceptible to your suggestion.

I mentioned pretexting, right? because that's the topic of chapter 4.
A pretext, in laymen terms, is the image one projects about themselves. For instance, I go to work every day, carrying the pretext of a professional software tester. A social engineer might display pretexts that will mislead people - posing as an IT expert, as a worried father or as a pissed off customer. An important point this chapter makes: A pretext doesn't have to be a lie. In fact, it is much easier to pull of a pretext if you are using your own interests and knowledge as part of it. In fact, one of the dangers in pretexting is trying to pull off something completely foreign to you. For instance, I couldn't build, even in a month of intense research, the casual recall of events a soccer fan has experienced talked about dozens of times, so keep it simple and within your expertise. If you have to pretext as something you have no knowledge about - distance yourself. Communicate via e-mail, or on a short, carefully planned, phone call. It is also important to look the part - if you pose as the garbage disposal company representative, a company logo and a notebook will do wonders to your credibility. If you pretend to be a salesperson,  wearing a T-shirt is probably going to get you some unwanted attention.
No matter what you do, your pretext has to be carefully chosen and tailored to your needs and to the situation you're in.

The 5th chapter is all about magic.
Yes, yes, magic. Or at least as much magic as that possessed by a stage magician. If the skills up to this point were a calculated use of common human communication skills, now we are about to discuss some uncommon skills. Micro-expressions, for instance, are a very powerful way to detect how is a person feeling and quickly adapt your strategy if you aren't getting the reaction you were trying to get, but it is also a way to signal to the other person's subconsciousness without the filtering of the thinking facilities - a slight wrinkling of the nose will go unnoticed by many people, but they will still get an uneasy feeling.
Even more controversial than micro-expressions is the use of NLP, which, basically, is all about using side-channels. Regardless of whether you think NLP is a complete fraud or actual magic, There's no denying that NLP does provide extensive record of efforts to understand how human communication works, and that at least some of its methods are having some results. Sure, changing your tone of voice isn't going to magically make someone do your bidding, but it can divert attention and plant ideas. One "tool" I liked is labeled with the terrible title "The Human Buffer Overflow". Basically, it is directing the SE to rely on the automatic responses of people, and take advantage on social norms and expectations. If I helped someone with something, even if it's trivial, they will feel obligated to help me back. I'm unsure as to what exactly here is the so-called "buffer overflow", but I imagine that in order to be more effective, the SE can make sure to occupy the mind of the target with other things - a constant stream of talking, a difficult question, and so on. This way the mind will leave other tasks to the automatic part more easily.

The final chapter presenting the SE framework is about influence. After all, once we've gathered information and learned to control some neat tricks to elicit a response, it is time to cash in on our efforts and make people do what we want them to. Generally, the message is "know your goal, and improvise towards it". This, naturally, is a gross oversimplification - One does not "improvise", but rather builds a flexible plan, with options derived from the information gathered and constantly monitoring the target's response using the skills acquired and practiced ahead of time. The chapter discusses some important tools and principles, such as building rapport, constant monitoring, influence tactics and framing. Like most chapters, this one has a part that made me cringe a bit in discomfort. This one has a part about "manipulation". Unlike other types of influence, this is a direct attack against a person. It involves tips like "gain control over the target's environment" or "creating doubt", it does not shy away from "heavy intimidation", which is about making the target fear for physical harm or other "dire circumstances". In essence, this is the part people dislike the most about SE. The part which not only makes people behave the way the attacker wants, but may actually harm the target as a side-effect or even as a tactic. Being the pinnacle of the framework and cashing in on the previous ones, this chapters is quite long and full of interesting (and scary) techniques and stories.

The 7th chapter is about tools - everything from a lock-pick and business card to hidden cameras and software tools found in Trackback (The previous version of the Linux distribution now known as "Kali") very educational, and provides a lot of entry points to the different topics.

Of course, a book such as this won't be complete without an impressive list of case studies, demonstrating the wide range of possibilities - from the highly technical story of Kevin Mitnick hack of the DMV which involved breaking into the phone system and routing genuine calls of police officers calling the DMV to his own phone (thus collecting the necessary details to impersonate them later) which required deep knowledge of the phone routing system and of the identification process used by the DMV, and then some very convincing pretexting, to the simple case of a security tester who found a genuine hacker roaming through an unprotected server and then chatted using notepad until he got enough details to find the hacker offline. The stories are interesting by themselves, and each shows a different perspective demonstrates different skills and shows how they are applied in real world situations.

Scary, right? It seems that the smallest detail could be used to leverage more details and create an opening to an even wider attack, and most attacks simply rely on people acting as human beings. This is why the final chapter of the book is so important - how to prevent and mitigate attacks.
Like all defenses, it isn't perfect, but if being used properly, the techniques in this chapter could frustrate and exhaust someone trying to social engineer their way into your organization (or your private life, for that matter).
The easiest tip here is "keep your software updated". It might not be easy to implement, but it is a generally good rule to follow - updated software tends to have less known vulnerabilities, and thus prevent many software based attacks, so it won't matter if the SE managed to get you to open that PDF file.
The second is to teach yourself and your surrounding how to identify an attack - know what is generally possible (for instance, by reading this book) and how to identify the stupid kind of attacks of each vector. You might not be able to defend against someone calling and asking "can I have your email address? I want to send you details about the event I wish you would attend", but you'll be able to delete the obviously false "This file includes a debt you have not cleared, if you won't pay by next week, legal action shall be taken"
Another tool I find important enough to mention is developing scripts that allow you to stay kind without letting someone what they want: "I'm sorry, but our IT people don't allow external USBs, if you want to print a replacement to the paper ruined by your coffee, there's a printing service around the corner". Practicing situations and such scripts can help when facing a real SE attempt.

All in all, I highly recommend reading this book, in any format convenient for you .

Sunday, June 2, 2019

להתחיל במקום חדש

מצמצתי לרגע, ועברו חודשיים. 
לפני חודשיים (בדיוק) התחלתי לעבוד במקום חדש, ועכשיו, בעודי יושב חסר מעש בשדה התעופה, זה זמן טוב לבחון את החודשיים האלה  ולנסות להבין מה למדתי. למה שמתי לב ומה אני צריך לעשות. 
כיוון שזו הפעם הראשונה בה אני מצטרף למקום חדש כשאני חושב שאני יודע דבר או שניים על העבודה, ניסיתי להיות מודע לתהליך הכניסה שלי ולשים לב למטרות שאני מציב לעצמי: אלה לטווח הארוך וגם המידיות יותר. הדבר החשוב ביותר ששמתי לב אליו עד כה הוא שהפער בין המקום בו אנחנו נמצאים כרגע לבין המקום בו אנחנו צריכים להיות הוא עצום. אם לפרוט את זה לפרוטות: יש לנו פערי יכולת בבדיקות המערכת, חסר משמעותי בבדיקות היחידה, קצרים בתקשורת בין צוותים, מחסור בתהליכים תומכים ושינוי תרבותי שאנחנו צריכים לעבור. אבל חוץ מזה, מרקיז, הכל בסדר. 

מעבר לכל הפערים האלה, יש לי גם פערי ידע אישיים: אחרי שעבדתי על מוצר מבוסס WEB עד היום, המוצר הנוכחי דורש ממני היכרות טובה יותר עם מערכת ההפעלה (כרגע אני מתמקד בחלונות, בהמשך אתפנה גם למערכות הפעלה נוספות), וההנחה המאוד נוחה של מערכת SaaS - אני שולט בצורה מלאה בסביבה בה התוכנה שלי רצה, היא כבר לא הנחה שאני יכול להניח. בקיצור, סט שלם של כלים שאני צריך להתחיל להכיר וסט חדש לא פחות של משתנים שאני צריך להתחיל להתייחס לקיומם. בנוסף, העולם העסקי של סטארט-אפ זר לי, ולהחלטות עסקיות יש מחיר אחר שאני עדיין לא יודע עליו דבר וחצי דבר. אני גם לא מכיר את הלקוחות ואת מה שחשוב להם כדי שאדע איפה למקד את המאמצים שלי. אני לא מכיר את צוותי הפיתוח איתם אני עובד ואני צריך לצבור קרדיט בעבודה מולם כדי להשפיע כמו שאני רוצה. חוץ מזה, אנחנו כותבים קוד בפיית'ון, שזו שפה שאין לי ניסיון איתה ואני לא מכיר את הכלים התומכים בה שמאפשרים עבודה אפקטיבית באמת. 
עד כאן, הקשיים ההתחלתיים. 
עכשיו, איפה אני רוצה להיות בעוד נצח וחצי? מה המטרה אליה אני מכוון בטווח הארוך? 
בניגוד למקום הקודם, בו היה נראה לי נכון למחוק את צוות הבדיקות לחלוטין ולהטמיע אותו בתוך צוות הפיתוח (ולמיטב ידיעתי, עדיין עובדים על זה שם), קיומם של כמה צוותים שעובדים על חלקים שונים של המערכת גורם לי לחשוב שהמצב הנכון בטווח הארוך הוא של צוותי פיתוח שאחראים לבדוק את הרכיב שלהם, ונוסף להם צוות שאחראי לשלמות כל המערכת שיעזור לאתר כשלי אינטגרציה ולטפל בתרחישים המורכבים יותר. אני לא לגמרי בטוח איך צריך להיראות הצוות הזה, מה הכישורים שצריכים להיות בו או מה תחומי האחריות המדוייקים, אבל בינתיים יש לא מעט צעדי הכנה אחרים שצריך לעשות. 
אבל, המצב כרגע הוא שיש צוות בדיקות אחד שמספק שירות לכמה צוותי פיתוח, ולמעשה, מזניח לא מעט מהם כי יש גבול למה שיכולים לעשות שלושה אנשים. אם אני מנסה לצייר מפת דרכים גסה, סדר הפעולות שלנו צריך להיות בערך כזה: 
  1. בניית רשתות בטיחות וכלים שיאפשרו לצוותים לקבל מידה מסויימת של ביטחון במוצר שהם בונים. 
  2. תוך כדי 1, צבירת מוניטין ושיפור התקשורת. 
  3. בניית תהליכים שיעזרו לצוות הבדיקות לתקשר עם צוותי הפיתוח ולעזור להם בזמן אמת עם הפיצ'רים בניגוד למצב הנוכחי בו אנחנו מספיקים להגיע לפיצ'ר כשהוא בשלבי סיום. זה כנראה יצריך שימוש בחלק מהמוניטין שצברנו קודם. 
  4. יצירת קהילת בדיקות, או לחילופין, סיפוח של כל הבודקים לצוות אחד לטובת יישור קו בכל מה שקשור לכישורי הבודקים ולאסטרטגיית הבדיקות, כמו גם יצירת ערוץ תקשורת נוסף בין הצוותים. 
  5. אחרי שדברים מתחילים להתייצב - פירוק הצוות המרכזי והטמעת אנשי הבדיקות בתוך צוותי הפיתוח, כשהמטרה היא גם לשדר מידע החוצה, אבל בעיקר להכניס את תהליכי הבדיקות לתוך הצוותים על ידי חניכה פנימית של המפתחים וסיוע בהעברת האחריות על תחזוקת בדיקות המערכת מצוות חיצוני לצוותי הפיתוח. 
  6. כנראה שיחד עם 5, הגדרה מחדש של צוות הבדיקות תחת כותרת אחרת. לפחות בתחילת הדרך, הצוות הזה יהיה אחראי על המשך תיאום בין הצוותים השונים וסיוע לבודקים השונים לא ללכת לאיבוד בתוך הצוותים החדשים שלהם. מהמרחק הנוכחי, הרעיון של Engineering productivity נשמע לנו מסקרן, כמו גם גלישה לצד של ניטור המערכת וייבוא מסקנות פנימה, אולי תחת מחלקת operations. אני חושב שיש לנו שנה-שנתיים (או יותר) לפני שנצטרך להתעסק בזה. 
כרגע, בעודי לומד להכיר את האנשים ואת הסביבה, המיקוד שלי נמצא בסעיף 1, שהוא גם החלק הכי קל - לבנות כלים. בעיות טכניות הן כמעט תמיד קלות יותר מאשר השפעה על אנשים או על תרבות ארגונית. בינתיים, אני מטפל בבעיה פשוטה יחסית - אנחנו צריכים לכתוב מחדש את כל  בדיקות המערכת שלנו בלי לזרוק הכל לפח ולהתחיל מחדש, כי אחרי פעם או פעמיים בהן מישהו ראה מה יש ואמר "אי אפשר לעבוד עם זה, אני אכתוב לכם משהו חדש וטוב", אין לנו את הקרדיט הנדרש כדי לומר בדיוק את זה. אז אנחנו לוקחים את הפרוייקט הקיים ומעבירים אותו מתיחת פנים יסודית. זה נותן לי הזדמנות להיות יעיל עם מעט מאוד ידע ולהתחיל להרחיב את ההשפעה שלי משם.

אני צריך לשים לב שאני לא נשאב יותר מדי לתוך המשימה הטכנית הקלה ולהקדיש קצת זמן בבניית גשרים לצוותים האחרים. גיליתי שקשה לי מאוד לעשות את זה כשאני אפילו לא יודע על מה עובד כל צוות בכל רגע נתון. אחד היתרונות של סקראם היא הפגישה היומית, או ה"daily standup", שמאפשרת יחסית בקלות להתחבר לאנשים בלי ליפול עליהם באמצע היום ולשאול "מה אתה עושה? אפשר להפריע? אפשר לעזור?" אנשים אחרים עובדים כרגע על הכנסת תהליכים כאלה או אחרים, אז אני מקווה לנצל אותם כדי לשפר את המאמצים שלי במישור הזה, אבל גם אם לא, אני צריך למצוא דרכים אחרות למשוך אלי מידע ולהכיר קצת יותר את האנשים.

זהו, פחות או יותר.

אה, דבר אחרון שלא לגמרי קשור לפוסט הזה, אבל אני רוצה לנצל את ההזדמנות הזו ולהזהיר את כל הקוראים - פיית'ון היא שפה שמתאימה לכתיבת סקריפטים קצרים ופרוייקטים שנזרקים לפח אחרי שימוש קצר. ברגע בו עוברים את הגודל הזה, צריך להתחיל להילחם בשפה כדי לעשות דברים שאמורים להיות טריוויאליים ויותר מדי דברים מבוססים על קונבנציות מכדי שיהיה אפשר לסמוך עליהם. אם אתם מתלבטים עם מה לעבוד ואין לכם סיבות ממש טובות - הימנעו מפיית'ון. אפשר לפרט, אבל זה לא המקום, אז הנה כמה מאמרים שכבר עשו את העבודה במקומי.

Starting in a new place

I blinked, and two months(to the day) have passed since I joined my new workplace. and now, siting at the airport with not much to do, is a great time to reflect on those two months and try to figure out what I have learned, what I've noticed and what I should be doing.
Since this is the first time that I join a new workplace  with some confidence about knowing my way around and holding some firm beliefs about the way things should be, I tried to be conscious about my ramp-up and notice the goals I set for myself - the long and short term ones. The most important thing I've noticed is that there is a big gap between where we currently are and where we should be. Or, to be more specific - We have a large debt around testing in the system and unit levels, communication channels that need to become more robust, lack of supporting processes and a cultural shift that we need to undergo. Mais à part ça, tout va très bien. Besides,
Besides all of these gaps, I have my own personal gaps to fill in: Having worked on a web based product until now, I never needed to dive into the workings of the OS (right now I focus on catching up on Windows, other operating systems shall follow) and the really convenient assumption of a SaaS solution - I can control the environment in which my product is running - is no longer true, which means that I need to think different variables than those I'm used to. In addition, the business world of a start up is foreign to me and business decisions have an impact I don't fully understand yet, I am not yet familiar with out clients or what is important for them to help me focus my efforts, and I still don't know the development teams I work with enough, certainly not enough to have the stack of credit I'm used to rely on to influence things. Oh, and we write code in Python, a language I don't have a lot of experience in and I'm not familiar with the tools and libraries that enable working with it effectively.
So, those are the starting challenges.
Now there's also the question of where I want to get to,  you know, once I had all the time in the world to set things the way I believe they should be. Unlike the previous place, where I believe it was right to completely remove the tester role and just stay with engineering teams (They are still working on it, to the best of my knowledge. I think that me leaving was a good step in that direction), I believe that in this place, since there are many teams working on different parts of the system, it is still the right thing to have a team that will be responsible for the larger picture. I'm unsure about how to brand this team or what exactly should fall under its responsibilities, but there's enough to do until then. One thing I am sure about is that this team should rely on strong testing capabilities that should exist within each team, so we still have a lot to do until we need to figure this out.
At the moment, though, the current situation is that there is a dedicated testing team that should provide service to three other developer teams (some of which have a dedicated tester, but from what I've gathered, they are being swallowed into doing feature development and are not able to contribute enough to educating the team or even just taking care of the testing gap), so  if I try to sketch a way forward, I imagine a growth and a shrink.

  1. Build safety nets and tools that will enable teams some level of confidence in the product they are building. 
  2. While doing 1, increase our reputation stack to better influence what is happening. 
  3. Set in place the processes required to connect with feature work while it is being defined and executed instead of getting something vague at the end. This will require using some of the reputation tokens we've accumulated. 
  4. Create a testing community, or, failing that, a testing team comprised of all people in testing positions - the idea behind this is to boost and align the testing skills of everyone, as well as a unified testing strategy and also to create another communication channel. 
  5. Once things are working, roughly, split the team and distribute most of the working force to be embedded in the development teams. With the goal of having them educating the rest of their new team, helping them take responsibility of testing and pushing out relevant information.  
  6. Probably at the same time as 5, redefine the smaller team left after most team members have been embedded in the teams. Initially, it will have the responsibility of maintaining the testing community and keeping the communication channels open, as well as help the testers not to get lost in their new teams,  but after this is covered, I'm unsure. For the time being, the concept of having an "Engineering productivity" team sounds quite appealing, but we won't know until we get closer if this is the correct usage of that team. Maybe, since keeping tabs on the bigger picture is part of that team's role, it will be a good idea to have that team as part of the operations group and push towards having a real DevOps culture. I believe we have at least a year or two before we'll have to deal with those specifics.
At the moment, while I'm still learning my environment, my focus is on the first bullet, which also happens to be the easiest one - build tools. Technical problems tend to be almost always easier than influencing people or culture. In the meanwhile, I'm dealing with a simple problem - we have to re-write the existing testing framework without actually saying we're doing that - after at least one time when someone said "We can't work with that, here, let me show you how to do that" we don't have the credit to do the same, so instead we refactor. Heavily. It gives me a chance to be effective quickly, even if only in limited capacity, and start building up from there. 
I need to notice that I'm not being carried away too much into the easy technical task and invest some time in building bridges to the other teams. I have also noticed how much I relied on the scrum daily standups - I feel a lot more comfortable hearing "I'm doing X" and then asking that person a bunch of questions, or suggest my help than I am comfortable interrupting someone and asking "Hey, what are you doing now? Oh, I have zero relevant input? Thanks for your time". People other than me are working on instituting such procedures, so I think I'll wait a bit and try to leverage those efforts. 

That's it, I think. 

Oh, one last thing, not completely related to this post, but I would like to use this opportunity and warn all readers: Python is a scripting language. It is not suitable for anything long-term or bigger than a couple of files. Once you are over that size, you have to fight the language to write maintainable code or do things that should be trivial, and there are too many convention-based practices out there to actually be able to rely on them. If you ever find yourself in a position where you can choose and you don't have some compelling reasons to do otherwise - avoid Python. I can go into details, but this is not the place, so here are some articles that do this for me.