Troy Hunt: The Responsibility of Disclosure

Troy Hunt is a cyber security expert and creator of the popular website Have I Been Pwned. I do read his blog and listen to his podcast in which he mainly discusses cyber security (obviously) but also discusses some life events and hobbies.

YouTube recommended a presentation he gave at AusCERT2017 about responsible disclosure. It’s actually an interesting topic: some companies welcome people reporting security vulnerabilities, whereas others are very distrustful and may threaten to sue.

You can watch the presentation in full:

AusCERT2017 Day 1 Troy Hunt: The Responsibility of Disclosure

Otherwise, here is a summary of the presentation.

He begins by telling a story of how someone found a security vulnerability on a website, extracted loads of data and used some of the login credentials to get in. He filmed it all and put it on YouTube. He got arrested.

Even though someone like that could claim not to be malicious, he would clearly be violating laws like the Computer Misuse Act.

  • So how can you investigate a security flaw?
  • How can you disclose it?
  • Where is the line between being responsible and irresponsible?

Troy has a “Sinéad O’Connor” test. Enter her name in a data entry field of the website. If the apostrophe in the name gives you an SQL error, then you know there is a vulnerability: the site is prone to SQL injection. You don’t need to go any further and actually carry out the attack by illegally accessing data to prove it.

If you grab 1 record, the company is obligated to disclose this to the user who lost their data. If someone takes 10,000 records, it’s a bigger problem and more inconvenient to the company. Just 1 unauthorised access to a record sufficiently illustrates the point. Accessing more than you need is more likely to be met with a negative response and possible legal action.
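The test boils down to whether the apostrophe is treated as data or as part of the SQL. As an added illustration (not from the talk or this post), here is the weak query pattern that fails the Sinéad O’Connor test beside the parameterised one that passes it, run against a constructed in-memory SQLite table; the schema, rows and function names are assumptions for this example.

```python
"""Added example: the "Sinéad O'Connor" test against a throwaway SQLite
database, with the parameterised query that fixes the problem. The schema
and sample rows are constructed for this example."""
import sqlite3

NAME = "Sinéad O'Connor"  # the apostrophe is the whole test


def make_db():
    """Constructed in-memory database with a couple of sample members."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO member (name, email) VALUES (?, ?)",
        [("Alice Example", "alice@example.invalid"),
         ("Sinéad O'Connor", "sinead@example.invalid")],
    )
    return conn


def lookup_concatenated(conn, name):
    """The weak pattern: the name is pasted straight into the SQL text, so
    the apostrophe in O'Connor terminates the string literal and the
    statement no longer parses. A database error surfacing to the user is
    exactly the signal the talk describes; entering the name is enough."""
    sql = "SELECT id, name, email FROM member WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """The fix: the value is bound as a parameter and never interpreted as
    SQL, so any character in the name is just data."""
    sql = "SELECT id, name, email FROM member WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def sinead_test(lookup):
    """Run the test against one lookup function. Returns 'error' when the
    apostrophe breaks the query (the smell to fix), otherwise the number of
    rows the lookup returned."""
    conn = make_db()
    try:
        return len(lookup(conn, NAME))
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    print("concatenated :", sinead_test(lookup_concatenated))   # error
    print("parameterised:", sinead_test(lookup_parameterised))  # 1
```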

He then goes through some more notable examples and attitudes to the disclosure:

PayAsUGym got breached and ignored the hacker. Although the hacker was trying to extort money, by ignoring them completely, PayAsUGym had no idea how bad the breach was. Initiating the dialogue could have at least given them more information to attempt to limit the damage.

Cloud Pets had a security flaw in their toy, but also had a publicly exposed MongoDB database which attackers wiped and ransomed. Later on, when journalists contacted the owner, he responded:

“you don’t respond to some random person about a data breach”.

Spiral Toys CEO

As Troy says, random people are exactly the people that will tell you about a problem.

Australian Red Cross Blood Service disclosed their breach very quickly, put out communication through multiple channels, and apologised. Troy was impressed with this response. The problem was caused by a third party who placed backups on a public-facing server, so they could easily have downplayed it or passed the blame.

For more info, Troy also has a blog about disclosures, including the example of Cloud Pets.

Ukraine Cyber Attacks

Our security expert in the IT department made a security announcement last week:

“Due to the growing tensions in Ukraine, it is not surprising that the UK may be subjected to increased cyber-attacks”

Security Expert

When I started reading this, I’m thinking “why is it not surprising that we would have increased cyber-attacks?”; it is written like it is stating the obvious, but why are we under threat? My immediate thought is that Russians aren’t able to tell the difference between the UK and Ukraine. I mean, they do sound kinda similar.😁

So I read on, and I was a bit confused when the following paragraph goes on to say “whilst there is no specific current threat to UK organisations…”. I guess the keyword is “specific”, because much later in the post, he finally clarifies what he means. He was referring to the usual phishing attacks and donation scams. For example, emails asking for donations to help Ukraine: you might well click the links and hand over cash for a worthy cause, but you would actually be handing money to criminals.

So it will be true that there are more “cyber-attacks” across the world, but then I have no idea why he mentioned the UK and then had to clarify that it wasn’t specifically the UK in the very next paragraph.

He also wrote

“instructions have been issued to all areas of the business to bolster their cyber security measures”.

Security Expert

I find this a bit of a nonsense statement really; shouldn’t we already have max security? After all, just like he also states: “We take data security very seriously and it requires all of us to play our part.”

So are we at our most secure or not? It makes me think that we aren’t. Anyway, after instructing everyone to be suspicious of clicking links, he then provides some links for us to click to find out more.

Excuse: Performing “Analysis”

I think I have discovered a new excuse to use in order to buy time; “Performing Analysis”.

Example 1

There was a Major Incident on Friday which I debugged and suggested a simple fix for. However, instead of me going ahead with this fix, the managers wanted the team responsible for introducing it to take accountability for it.

After the manager sent the email and Cc’d me in, the team responded with “The Team is analysing this issue; will update you shortly”. Then, after the entire day had passed, they sent a follow-up email: “this will be ready by close of play Tuesday.”

It was currently Friday, and we wanted it released for Monday (since it was a Major Incident) – not released on Wednesday. So I had to sort it out.

Example 2

Dave commented on a Code Review that he thought the Developer had changed too many files, and that there was a simpler way of introducing their fix. They responded: “we need to perform some analysis” and took a day or so before coming up with new changes. It would have just taken 10 minutes to rewrite it; I didn’t see any scope for this so-called “analysis”.

I’ll keep an eye out for more examples of this.

Pointless Project Update Meeting

A couple of years ago, I was working on some new software but the management of it was an absolute disaster. Even though it was an absolutely massive project, I was often sat there not knowing what to do. Additionally, there were teams that were doing exactly the same work as each other. It was a mess, so eventually I moved back to work on our existing software.

This week, there was a project update demo by a team still working on this new software. I thought all the speakers were working on this feature, but it seems Jennifer might have been on annual leave or something because she didn’t understand what work was done.

After a few slides of their presentations, Jennifer interjects.

Jennifer: “How is this different from what Igor is doing?”

(Igor is part of another team)

Luke: “I’ve had the conversation and I still don’t understand why this was brought in twice.”

Jennifer: “I don’t know what the use case is for the two versions.”

Mark: “We never got to the bottom of it, so we just cracked on and built what we got asked to do.”

Brilliant. So there are multiple members of the team that were aware that another team was also making this functionality. Despite having conversations with managers, they were still none the wiser, so they just made it anyway, despite knowing that one team’s work is going to be binned off.

I can’t believe a couple of years have gone by and they are still doing stuff like this.

Guess The Employee

Last year, we hired someone as a Communications and Engagement Coordinator and she came up with a “Guess The Employee” game. You are given a few clues, and if you guess who it is, you can win a £25 Amazon voucher. The thing is, we are quite a big company, and I only know people in Development, Support, and maybe know a few names of Directors.

I don’t even think I know most people well enough to know facts about their personal life either. For a few of my closest work friends I would – but then I don’t imagine they would be selected as a candidate. So even if there’s some really easy clues, how am I meant to know Becky from Marketing, or Mark from Finance? 

I imagine they only choose senior managers from each department as possible answers, since theoretically they would be more well-known. However, the people that know them the best will be their managers – so you are then awarding high-ranking managers and directors.

Recently we had this clue:

I display good performance for our customers, but I have been known for handing out red cards for others’ poor performance.

Obviously it is the “Customer Support Director”! He was a qualified Football Association referee, assigned to the North West Counties league.

£25 was awarded to a Director for knowing this.

Surely the Employee Engagement officer should come up with ideas that can engage lower-ranking staff rather than games that Directors can play.

Word To Your Mother

Recently, we had a bug with the Microsoft Word integration, specifically for MS Word 2010.

There was a meeting about it, and someone stated that we had removed it from the list of versions we supported, so we don’t have to fix it. We can just tell users to upgrade to a version of Word that we do support.

However, after other people looked into confirming this claim, it turns out we never sent out any communications to notify users of this change. Since we didn’t give them adequate notice, we have to fix the bug and keep supporting this version for at least another 6 months.

Additionally, we don’t have Office 2019 listed in the software we support, yet we support o365. Or we say we do, but no one in Development had a licence for it; not even Testers. So we just hoped everything worked fine up to this point.

“Human Resources”

Managers often talk about “allocating resources” when discussing project teams. I don’t understand why we are dehumanizing people. Why can’t we just say people/staff/developers? If we are talking about money or hardware, then it’s fine to use the term “resources”. However, the term seems to be embedded in the business culture since the department that deals with people is often known as “Human Resources (HR)”.

I was watching all the Bourne films recently, and in the scenes where you see staff in the agency office who are monitoring security monitors – they say lines like “Asset is on the move”. It probably makes sense here to dehumanise people; because your end goal is to kill them, so calling them “assets” and using terms like “dispose”/”eliminate” probably removes you from the fact that this is a person who has feelings and a family, and you’re about to end them. Maybe managers talk about people in this way so it’s easier when it comes to redundancies. “Cut 10% of the resources, and move on”.

I think it isn’t even that effective to talk about people using their job roles. When managers only look at the Job Titles and not the individual skills, they end up creating imbalanced teams. For example, you might need to spread a certain skill, such as SQL databases, across teams, but a manager who only looks at Job Titles could end up putting all the people with SQL skills together.

Additionally, some Seniors aren’t that great, and therefore some lower-ranking Developers are better than them. I’ve definitely seen it happen where managers create a team consisting of 3 underperforming seniors, then wonder why it isn’t working. This was a source of my frustration a few years back and was some major motivation to start this blog.

Creating a team based on 3 underperforming developers is a rarity, but a recent trend for us is to have only 1 Senior leading a few Developers and a Junior. If the Senior isn’t very good, then the team has no guidance at all.

In conclusion, I think managers should show respect to staff and refer to them as people (not “resources”). They should also try to understand where individual people’s skills are, rather than simply making assumptions based on a Job Title. This should lead to better balanced teams. Balanced teams should lead to high performance and morale.

Database Patching – Everything Is Fine

When it comes to changes to the Database, we have a tool (which I will call DBPatcher) which runs your changes, runs the Unit Tests and runs Code Analysis (finds bad formatting, violations of coding standards, common mistakes etc). So it is vital that this passes successfully before you send your code to review.

I was doing a Code Review aka Pull Request (PR) and I saw evidence that they hadn’t run it through this DBPatcher tool.

Ronald was eager to get his code checked in, so wanted me to approve. However, I wanted them to run the tool and fix any issues first. The conversation went like this:

[Thursday 8:21 AM] Ronald
    Can we complete the PR? do you have any doubts on it
[Thursday 8:23 AM] Me
    I'm convinced DBPatcher will flag those select statements because there is a mix of tabs and spaces
<yes it is trivial to flag, but DBPatcher will flag this, so this is evidence they haven’t run it. There could be other errors too, but I will let DBPatcher find them>
[Thursday 8:23 AM] Ronald
    OK, thank you. I will complete the PR
[Thursday 8:25 AM] Me
    what? I am saying the DB patcher will give you errors
[Thursday 8:26 AM] Ronald
    sorry for misunderstanding
    I ran it in the morning. We didn't get any error for our DB changes and unit testing also didn't throw any error for our code
<he attempts to send me a screenshot of the final result but it didn’t seem to transfer>
[Thursday 8:44 AM] Me
    The image isn't showing for me. But since I started running DBPatcher when you messaged me, and mine has just finished, I can only assume you disabled the "Run Code Analysis" to speed it up
[Thursday 8:45 AM] Me
    In fact, there's some failing unit tests too
<this is contrary to what Ronald claimed. He said there were no Code Analysis errors and no Unit Test failures, and I see both>
[Thursday 8:45 AM] Ronald
    I have enabled those and haven't unchecked it before running the patch
[Thursday 8:45 AM] Me
    What is in the output window?
[Thursday 8:46 AM] Ronald
    yes there are some errors, but not related to our code and our schema
[Thursday 8:48 AM] Me
    DataWarehouse
    Error on line: 12
    ColumnListFormatting: Select column list incorrectly formatted
<clearly his code>
[Thursday 8:50 AM] Ronald
    oh ok
[Thursday 1:19 PM] Ronald
    we resolved formatting in our SQL commands
    we couldn't find which unit testing is failing and we are not sure if this unit test is part of our project. Can you help us with this one?
[Thursday 1:21 PM] Me
    |20|[DataWarehouseTest].[Test1] |Error |
    |21|[DataWarehouseTest].[Test2] |Error |
    |22|[DataWarehouseTest].[Test3] |Error |
    |23|[DataWarehouseTest].[Test4] |Error |
    |24|[DataWarehouseTest].[Test5] |Error |
[Thursday 1:26 PM] Ronald
    I ran the DB patcher 20mins ago with the code analysis checked and we checked the output results also, we couldn't find anything related to DataWarehouseTest
    Attached the DB patcher output result we got
    [DBPatcher OutputResult.txt]
<I look at the file. It has hundreds of errors, so it is hard to make sense of. His database is clearly screwed. No wonder it was running quick and he couldn’t see any Unit Test errors; they simply weren’t running>
[Thursday 1:31 PM] Me
    your database looks absolutely messed up. You shouldn't have those errors. The unit tests are failing to run

    C:\DatabasePatcher\tSQLt\RunAllUnitTests.sql
    Could not find stored procedure 'tSQLt.RunAll'.

    you need a new database.
[Thursday 5:50 PM] Ronald
    Thanks for notifying us of these issues.
    Now we have fixed these issues and ran the patch, and there were no issues with our project.
[Thursday 5:51 PM] Ronald
    please review it from your side

I then look through their changes which fixed the unit test. With Unit Tests, you usually create a variable called “Expected” then set that manually. Then you create an “Actual” variable and this is set based on the actual code. They had those statements as normal, but then they had added this:

update #ActualResult set SessionGuid = '38090f0d-3496-48c3-a991-a0220fe3b58f', SlotGuid = '0b817794-7ffb-4ae3-8013-a7847a1b2139';

So this means their code isn’t returning the correct result, but they are then manipulating the result (#ActualResult) to force it to match – so the test passes. They could have just changed the Expected result, but that would be sabotage anyway. Why would they knowingly break a feature like this?

Anyone who is serious about software development shouldn’t be doing this. They have “Senior” in their job title, and this change was approved by two of their team members. It was up to me to be the gatekeeper and reject this change.

[3:51 PM] Ronald
Sorry for the unit test update statement, I have removed those and all the unit tests are passing correctly.
Sorry, that was some typo.

A typo!? How can you possibly claim that was a typo? “Sorry, I accidentally bashed on the keyboard and somehow produced a sequence of characters that was valid: not only to be executed without error, but for the unit tests to pass too.”

I also don’t understand how you can have hundreds of errors and just continue working like everything is fine. Then when someone is telling you something is wrong, you still pretend everything is fine. When I tell him he hasn’t run DBPatcher, why didn’t he respond with “I did, but there were loads of errors. Can you help me fix this?” Proceeding like he did just wasted my time, created unnecessary friction and made himself look like a complete idiot.
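That update statement is mechanical enough to catch in a code-analysis pass rather than relying on a reviewer spotting it. Below is an added example, not the blog’s DBPatcher (whose checks are not shown), of a check that reports any statement editing an actual-result table in a tSQLt test script; the two scripts are constructed, `DataWarehouse.GetSessionSlot` is a hypothetical procedure under test, and the GUIDs are the ones quoted in the post.

```python
"""Added example: flag tSQLt test scripts that rewrite the actual result
between producing it and asserting on it. Not the blog's DBPatcher; the
sample scripts below are constructed, and DataWarehouse.GetSessionSlot is
a hypothetical procedure under test."""
import re

# Statements that edit a table whose name contains "actual" (e.g. #ActualResult).
# The actual should only ever be produced by the code under test.
MUTATION = re.compile(
    r"^\s*(?P<kind>update|delete\s+from|delete|merge\s+into|truncate\s+table)\s+"
    r"(?P<table>#?\w*actual\w*)\b",
    re.IGNORECASE,
)
# An INSERT of literal VALUES into the actual table is equally suspicious:
# a legitimate population comes from EXEC/SELECT of the code under test.
LITERAL_INSERT = re.compile(
    r"^\s*insert\s+into\s+(?P<table>#?\w*actual\w*)\b.*\bvalues\s*\(",
    re.IGNORECASE,
)
COMMENT = re.compile(r"--.*$")


def find_actual_mutations(script):
    """Return (line_no, kind, table) for each statement that edits an
    actual-result table in a test script. Line comments are ignored."""
    findings = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        line = COMMENT.sub("", raw)
        m = MUTATION.match(line)
        if m:
            kind = m.group("kind").split()[0].lower()
            findings.append((line_no, kind, m.group("table")))
            continue
        m = LITERAL_INSERT.match(line)
        if m:
            findings.append((line_no, "insert-values", m.group("table")))
    return findings


# Constructed honest test: expected is set by hand, actual comes from the proc.
HONEST_TEST = """\
CREATE PROCEDURE DataWarehouseTest.[Test1]
AS
BEGIN
    CREATE TABLE #Expected (SessionGuid uniqueidentifier, SlotGuid uniqueidentifier);
    CREATE TABLE #ActualResult (SessionGuid uniqueidentifier, SlotGuid uniqueidentifier);
    INSERT INTO #Expected VALUES ('38090f0d-3496-48c3-a991-a0220fe3b58f', '0b817794-7ffb-4ae3-8013-a7847a1b2139');
    INSERT INTO #ActualResult EXEC DataWarehouse.GetSessionSlot @SessionId = 1;  -- hypothetical proc
    EXEC tSQLt.AssertEqualsTable '#Expected', '#ActualResult';
END;
"""

# Same test with the line quoted in the post: the actual is overwritten to match.
SABOTAGED_TEST = """\
CREATE PROCEDURE DataWarehouseTest.[Test1]
AS
BEGIN
    CREATE TABLE #Expected (SessionGuid uniqueidentifier, SlotGuid uniqueidentifier);
    CREATE TABLE #ActualResult (SessionGuid uniqueidentifier, SlotGuid uniqueidentifier);
    INSERT INTO #Expected VALUES ('38090f0d-3496-48c3-a991-a0220fe3b58f', '0b817794-7ffb-4ae3-8013-a7847a1b2139');
    INSERT INTO #ActualResult EXEC DataWarehouse.GetSessionSlot @SessionId = 1;  -- hypothetical proc
    -- the "typo": forcing the actual to equal the expected
    update #ActualResult set SessionGuid = '38090f0d-3496-48c3-a991-a0220fe3b58f', SlotGuid = '0b817794-7ffb-4ae3-8013-a7847a1b2139';
    EXEC tSQLt.AssertEqualsTable '#Expected', '#ActualResult';
END;
"""


if __name__ == "__main__":
    print("honest   :", find_actual_mutations(HONEST_TEST))     # []
    print("sabotaged:", find_actual_mutations(SABOTAGED_TEST))  # [(9, 'update', '#ActualResult')]
```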

Office Tales

Introduction

Going to the office 5 days a week for my Software Engineering role was such a standard thing until the whole Coronavirus and lockdown became the new world. It’s crazy that my employer doesn’t have any interest in us returning to the office other than for optional collaboration. I mean, it does make sense, but it’s a complete u-turn on their previous ideals. We used to have a few offices nearby, but I think we only have 1 now. They redecorated the remaining office, cutting down the number of desks, and we are allowed to book time in the office if we wish, either individually or as an entire team. I have never been in though, and have only seen a handful of colleagues on a recent night out.

Things I miss about the Office

I think I miss the conversations you overhear from nearby desks, and communication is much more efficient when you can just walk over to someone’s desk. There will be people that you don’t need to interact with for your current work, but you will acknowledge them as you walk about the office (often going to or returning from lunch breaks). So it’s much more social when working in the office. I think there is a general awareness of what things are happening across the business, because you see people moving about and hear them talking about work. Now I only get that information if people post on communication software such as Slack/Yammer.

It seems I have quite a few draft blog posts that aren’t that exciting on their own, but I’ve put together a collection of ideas to reminisce about office life.

I’ve just discussed some things I miss about the office in this introduction, but the rest of the blog is basically “Things I don’t miss about the office” and “Other tales”.

Things I don’t miss about the office

Moving Desks

Every so often, managers decide to reassign loads of people between projects. Then, if the team sizes aren’t the same, they have no choice but to rearrange the desks, or simply relocate teams. This meant the entire department would move, even if the new desk was just 1 desk away. It was a major disruption and was basically a waste of half a day. People tended to unplug their PC a bit too early, but you did have your PC, 2 monitors, keyboard, mouse, drawer unit, then loads of cables and other items. It’s a big chain of moves though, because you can only move if your new desk is free, but it is only free if the current occupant’s new desk is free, and so on.

There was supposed to be a big move shortly before the lockdown happened. We were told that it was coming, but then it seemed to get delayed with no announcement (so no one knew what the holdup even was).

I was told I was moving desks by my manager. An entire month went by with no update. I asked my manager what was going on. He said “I’ve been asking many times and I don’t get a concrete response. If you hear anything before I do, then tell me”.

A few days later, I heard another team talking about the new seating plan. I told my manager as requested.

He says he has the seating plan “but I need to spend some time to digest it”.

What are you on about? Just send it to me.

It’s a seating plan that has been released, and many developers were already reading it. Why is he making out it’s something he has to analyse then explain to me?

Anyway, the conclusion is that desk moves are very disruptive, managers find it a really hard task and they change their minds about it, then this makes it seem like a bigger event than it needs to be.

Sounds Of The Office

When I need to concentrate on programming, I often put my headphones in and listen to music. Drowning out all the random talking really helps you focus on your work. If people are talking, I’d often want to listen just in case it is something interesting and work-related, or maybe some funny casual chat that I want to hear.

Periodically, I’d take my headphones out, or maybe I would have to because I want to speak to someone or have a meeting.

Although the general sounds of the office were fine, there were some sounds that would do my head in.

Many people also used headphones to listen to their music, but there was one woman that often had her music on really loud. One time I looked over and saw that she had hair covering her ears, a beanie hat over that, then the headphones were placed over that. So the speakers have to go through a hat and her hair to reach her ears. No wonder she has it that loud. Also, I found it more distracting if I recognised the song. When Tool’s highly anticipated Fear Inoculum came out, she was listening to classic Tool every day and it went on for well over a month.

There were a few people with really exaggerated laughs. In previous blogs, I have mentioned one guy whom I nicknamed Beavis for his style of laugh, but there were plenty of others that often did a fake laugh. One person sounded more like they were in pain rather than having a good time. It stressed me out.

There was one person that coughed a lot but it was more like a “ah mmm” like a stereotypical teacher would do to get a student’s attention. It wasn’t aggressive enough to actually clear her throat so it just seemed pointless to me, and extremely annoying.

Maybe the worst thing is this next subject, because I wouldn’t ever consider doing this whilst at work. I didn’t realise until I heard these sounds in the office, but I think it is a sound that is very satisfying to hear when it involves you, but vile when you hear someone else do it. There were 2 managers sitting a couple of desks behind me; the woman was filing her nails and the scraping sound was very distracting. The worst thing that had me cringing though – the male was clipping his nails. Like I said, really satisfying if I am clipping my nails, but hearing that “click” sound on someone else’s had me cringing. I had to put my headphones on and crank up the volume, and try not to imagine those fingernails flying across his desk.

Kicked out of large meeting room

Meeting rooms were a really in-demand thing. Managers do love meetings, especially pointless ones. Then when you really do want a meeting, you just can’t get a room.

There were two meeting rooms next to each other, located near my desk.

  • Meeting Room A holds about 8 seated people, but you can get more people in if standing
  • Meeting Room B holds 3 people but you can get more people in if standing

I was called for an ad-hoc meeting with 3 other developers. Both rooms were free at the time. We take the larger room (Room A), since there’s 4 of us.

5 minutes in, someone knocks on the door:

Sorry, I have a one-to-one and have booked this room

My fellow developers didn’t seem interested in arguing, so I followed suit and kept quiet. It’s a one-to-one so it’s a meeting for 2 people. Room B is perfect for them.

So after moving to Room B, we were trying to crowd around a laptop – crammed awkwardly in our seats. Meanwhile 2 people were sitting comfortably around a large desk in the opposite room. It looked ridiculous.

Empathy Lab

As I just explained, meeting rooms were in high demand, so we needed more of them. Of course, we like cutting down the number of meeting rooms for some cool initiative instead. One of them was the “Empathy Lab”.

“We were inspired in part by Facebook’s empathy lab which shows how people with impairments may interact with Facebook using assistive technology.

However, when building our accessibility empathy lab, it was important to us that it had a dual purpose: To raise awareness about accessibility, but also be an assistive technology testing space.”

I never saw it get used, but I did see many people get frustrated that they couldn’t find a meeting room.

The Recruitment Letter

Beavis gets a hand-written letter, written in green pen, delivered to work. I don’t think I’ve seen anyone get anything delivered with their name on it that wasn’t a package, mainly from Amazon.

He opens this suspicious letter, and it is from a recruiter apparently from LinkedIn.

She explains that the unconventional approach to contacting him is due to the fact that his profile lacks detail and therefore that signals he doesn’t want to be contacted by recruiters.

<Sure, that makes sense.>

She likes the lack of detail in his profile though; it’s the kind of person she is looking for, so she wants to meet in person and talk at a Café.

I’ve never heard of this before. Is it a weird scam?

AWKS

Years ago, I wrote about how I was working in a team that was making the framework for a new application. One of our developers, Timothy, got moved to a team known as the “Solutions Team”, who were also making a framework for the new application. I had asked him how his team differed from mine; surely we were doing exactly the same work? He said he was just doing what the managers told him.

A new developer, Nina joined the Solutions Team.

She comes over and asks Timothy to send her some documentation so she can understand what they have done over the last few months. (The correct answer is “nothing really, just messed about and partially duplicated another team’s work”.)

You could see the absolute terror in Timothy’s face. I think at that point, he was probably realising that I was right all along and their team was pointless.

Nina detects the panic and says in a concerned tone “are you okay?”

Timothy says “yeah” dejectedly, and then mumbles about “maybe he should update the documentation.”

Nina says she will come back later.

It was the most awkward situation in a long time.

Just Paste It In

William has been working closely with a Junior developer. The Junior had a list of objects and needed a simple sort.

William is new to JavaScript, but the syntax is exactly the same as C#. He looked at the method signature and didn’t understand it, so he told the Junior to google it.

The first answer they stumbled upon on Stack Overflow was overly complex, but the original poster had asked for a single method that could handle sorting various kinds of items, so it required an elaborate solution.

In the Junior’s case, he just wanted to simply sort a list, so this code wasn’t appropriate.

William told him to paste the complex method in and “it will work”. The Junior challenged him on it, asking if the algorithm sorted the items in ascending/descending order, and asking him to explain how the code worked.

William then just reads the name of the method and the parameters, trying to say some words in a confident way to blag that it was the correct thing to do: “It’s a dynamic sort, you just pass in the list, along with the name of the property you want to sort by”.

The Junior asks again if it sorts in ascending or descending order.

He then says “yeah you are right, this might not work”.

He had no idea what that code did, he was just hoping it worked – so was just confidently telling him it would work if he just pasted it in.

I ended up telling him how to do it. It’s a one line solution; not a 30 line method.

Can I have o365?

We recently had a bug in our software that only occurred with users that were using Microsoft Office – o365. I couldn’t recreate it with my Office 2016, so I logged a ticket with IT to acquire a licence so I could test it out. As a software developer, once recreated, I can fix the issue or pass it on to Microsoft if it is their fault.

Some users are having problems with the Email functionality. It sounds like these users are using the o365 desktop apps. In order to attempt to recreate this issue, is it possible to get a temporary licence for the o365 desktop app for Outlook?

Me

Not understanding this request.

You currently have an E1 licence and Office Standard 2016 should have been installed on your machine as standard during the configuration process.

Are you able to test with that?

IT

It works fine for my Office 2016. These users have the desktop apps for o365, and we don’t have this version to investigate if this version is problematic.

Me

Would you be able to provide a list of users that are currently having this issue?

IT

No, these are our customers.

Me

(I knew he wouldn’t care about people’s details because obviously IT only deals with our staff. I could sense this response coming…)

We only support and manage the software for internal users.

If customers of the business are having issues, it would be up to Support to identify the issue and then find out what version of the software the customer is using.

We have the installers for versions from 2010 to 2016, so if Support or yourself find out which version is required, we can probably work out a way to install and activate this if the situation required it.

IT

DOES THIS GUY EVEN READ. I WANT o365

Users have complained to Support. Support have logged the bug and it’s come to Development for investigation. I’ve picked it up. I’m logging a ticket for myself because I need it to recreate the issue. Then I can fix the issue for our users. I don’t get why it’s so difficult for IT to understand. I think he was just trolling.

I eventually asked my line manager to get involved, and suddenly, IT fully understood the situation. The licence was promptly assigned. It’s strange how fast work gets done when people with authority get involved.