Exterminate! Shoot to kill
Is it just me or does this:
www.theregister.co.uk/2008/10/07/new_mars_rover_snags/
sound like a Dalek with raygun roaming across the Martian landscape looking for Little Green Men to shoot seeing as it comes with a "laser able to "vapourise material" up to 10 meters off..."
*lol* -C
My bank loses (security) plot
Well folks, it has finally happened...
The bank I bank with has decided that only requiring 2 digits to be typed in online when logging into online banking makes their site somehow more "secure". They quote on their site that this will help protect against key loggers - which shows their Test/QA department can't use any test automation ;) If they did they'd instantly know that capturing data from drop-down lists is easy as a-b-c (hey we do it all the time), and replaying the data as easy as c-b-a. What is more, it is EASY to capture such data without the user ever knowing (which makes for a great April 1st joke... apparently).
I phoned them and spoke to a member of their Technical Department and asked him about this today and his response was (paraphrasing as I wasn't able to record the call):
1) "It DOES protect against key loggers as it means that a key logger won't get the data in one go" (to which I replied: "big deal - presumably the Average Joe will log into their bank account a few times a day when your system times out giving the logger all the ammo it needs?");
2) "And anyway even if someone gets the PIN they still need the second piece of information" (to which I replied: "do you mean that publicly available 'place of birth' information?")
Oh and if it is truly the case that a fraudster getting a PIN does not matter (I sure hope they recorded the phone call!) then why ask me for ANY PIN?
This is a brilliantly bad example of a company putting its toes into the security soup without asking the number one fundamental question:
DOES THIS PROPOSAL ACTUALLY MAKE IT ANY SECURER... REALLY... DOES IT...?
My take.. the answer is a resounding "No". I'm sure they would argue otherwise - but just in case a member of their Test/QA is reading this... stick your hand up, question this decision, ask and refuse to budge until taken seriously.
The oddest thing is that after stating the above I ought to say that in principle I am in favour of asking for "x" digits out of "y", but just not 2 out of 4 (as this represents just a 1 in 100 chance of getting the right combination) - and certainly not on the pretence that this provides some measure of protection against a key logger. As a starter for 10, how about 3 digits out of 6 as per some other companies? Better still, how about revisiting the whole premiss by which this decision was made.
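The numbers behind this argument, worked through as an added example (not part of the original post or anything the bank published). It assumes the requested digit positions are picked uniformly at random at each login, and that whoever records a login learns both the positions asked for and the digits entered.

```python
from fractions import Fraction
from math import comb


def blind_guess_probability(k):
    """Chance of guessing the k requested digits with no prior knowledge."""
    return Fraction(1, 10 ** k)


def new_positions_dist(n, k, known):
    """P(a random k-of-n challenge asks for j positions not yet captured)."""
    total = comb(n, k)
    return {j: Fraction(comb(n - known, j) * comb(known, k - j), total)
            for j in range(min(k, n - known) + 1)}


def expected_logins_to_full_pin(n, k):
    """Expected number of recorded logins until every position is captured."""
    expected = {n: Fraction(0)}
    for known in range(n - 1, -1, -1):
        dist = new_positions_dist(n, k, known)
        later = sum(p * expected[known + j] for j, p in dist.items() if j)
        # Logins that reveal nothing new (j == 0) leave the state unchanged.
        expected[known] = (1 + later) / (1 - dist[0])
    return expected[0]


def replay_success_probability(n, k, observed):
    """Chance that a fresh challenge asks only for positions already
    captured, after `observed` logins have been recorded."""
    state = {0: Fraction(1)}  # captured positions -> probability
    for _ in range(observed):
        nxt = {}
        for known, p in state.items():
            for j, q in new_positions_dist(n, k, known).items():
                nxt[known + j] = nxt.get(known + j, Fraction(0)) + p * q
        state = nxt
    return sum(p * Fraction(comb(known, k), comb(n, k))
               for known, p in state.items())


if __name__ == "__main__":
    for n, k in ((4, 2), (6, 3)):
        print(f"{k} of {n}: blind guess {blind_guess_probability(k)}, "
              f"full PIN after {float(expected_logins_to_full_pin(n, k)):.2f} "
              f"recorded logins on average, replay after one recorded login "
              f"{replay_success_probability(n, k, 1)}")
```

Under these assumptions 2 of 4 gives up the whole PIN after 3.8 recorded logins on average, and 3 of 6 only stretches that to about 4.3, so the longer scheme mainly helps against blind guessing (1 in 1000 rather than 1 in 100) and not against a logger.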
-C
Something for the lab: heavily discounted Mac OS X Software
I've just purchased a bundle of 10 Apple Mac apps from: www.givegoodfood2yourmac.com
The interesting thing is that if you pick carefully you can actually get 10 apps for less than the price of 3 because purchasing 3 apps gives a 30% discount, and 10 gives a 70% :)
If you want to take the opportunity to load up the Macs in your test lab with a large number of apps for minimum cost this could be the time to do it. Offer appears to expire in about 8 days. -C
Windows updates Windows Update to update Windows Update
Yes you read that correctly. Today, a new Windows 2003 installation for our Test Lab needed some updates. In summary:
Windows had to update Windows Update to allow an update to be applied to Windows Update.
Well, after Windows had updated blah blah.. Windows Update then checks for any new updates - and top on its list of suggestions is an "upgrade" from Windows Update to Microsoft Update, which to my mind makes it:
Windows had to update Windows Update to allow an update to be applied to Windows Update, which when applied then checked for further updates and determined that Windows Update could be further updated.
Try saying that backwards!
Far too much for me to take in after only half my morning coffee... -C
It's all Tesco to me
This amused me today, thought I'd share. I went into Sainsbury (for those "not in the know" this is a supermarket a-la small-Walmart in the UK) today to buy some things for lunch and an announcement came out loud and clear:
"We apologise for the length of the queues as some of our checkouts have broken down. Thank you for shopping at Tesco."
(Tesco is a direct competitor to Sainsbury)
Someone clearly wasn't paying enough attention during the induction training... -C
Compuware Support - an example of how it should be done
If you are considering purchasing an automated testing tool as well as the obvious questions like "does the feature set it provide match the objectives I have set?", one of the questions I feel you should ask is "will the company selling me the tool provide good quality support?"
I've written about this before elsewhere but I'm going to say it again here - Compuware Support has yet again exceeded my expectations.
We came across a problem with our QADirector database yesterday... something about a missing table in the schema. I assigned this problem to one of my Test Engineers, asking them to contact Compuware to resolve the problem. Compuware took his details and a Support Engineer phoned him back promptly.
The Engineer spent an hour or two on the phone diagnosing and rectifying the problem (without seeming rushed or in a hurry to close the call), and also demonstrated to my Engineer some of the advantages of the latest version of QADirector.
End result:
Problem - Fixed
Customer (me) - Happy
-C
15 Common Mistakes... um make that 16
Clearswift are offering a free White Paper entitled "15 Common Mistakes in Web Security":
http://www.clearswift.com/adsystem/edm/15mistakes_web/default.aspx
only perhaps they should have added number 16:
"16 - Always test your web site thoroughly to ensure you do not expose the internal structure of your network or database to the outside world"
Try it yourself at the above URL - click on "Submit" without completing any fields and sigh when you see:
Server Error in '/' Application.
Cannot insert the value NULL into column 'Name', table 'Web.dbo.tblLeads'; column does not allow nulls. INSERT fails. The statement has been terminated.
[snip]
Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300
This tells a would-be hacker a fair bit about the structure of their database, and kindly gives up the .NET framework information (and therefore can be easily cross-referenced with any exploits for such).
So that'll be 16 Common Mistakes then...
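A check a tester could add to a form-submission regression suite so that this kind of response is caught before release, as an added example (not from the original post or from Clearswift). The pattern set and function names are illustrative assumptions; the leaky sample is the error text quoted above, and the safe sample is constructed.

```python
import re

# Error text as quoted in the post ("[snip]" is the post's own elision).
LEAKY_RESPONSE = """Server Error in '/' Application.
Cannot insert the value NULL into column 'Name', table 'Web.dbo.tblLeads'; column does not allow nulls. INSERT fails.
The statement has been terminated.
[snip]
Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300"""

# Constructed sample of what a validated form could answer instead.
SAFE_RESPONSE = "Please complete all required fields and submit the form again."

# Details that should never reach an anonymous visitor (illustrative set).
LEAK_PATTERNS = {
    "aspnet_error_page": re.compile(r"Server Error in '[^']*' Application"),
    "sql_column": re.compile(r"column '([^']+)'"),
    "sql_table": re.compile(r"table '([^']+)'"),
    "framework_version": re.compile(
        r"(?:\.NET Framework|ASP\.NET) Version:\s*([\d.]+)"),
}


def find_leaks(body):
    """Return {leak_name: sorted matched values} for one response body."""
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = {m.group(1) if pattern.groups else m.group(0)
                for m in pattern.finditer(body)}
        if hits:
            findings[name] = sorted(hits)
    return findings


def split_table_name(qualified):
    """Label the parts of a database.schema.table name exposed in an error."""
    parts = qualified.split(".")[-3:]
    labels = ("database", "schema", "table")[-len(parts):]
    return dict(zip(labels, parts))


def response_is_clean(body):
    """True when the body exposes none of the details listed above."""
    return not find_leaks(body)


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        leaks = find_leaks(body)
        print(label, "clean" if not leaks else leaks)
        for table in leaks.get("sql_table", []):
            print("  exposed:", split_table_name(table))
```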
-Colin
Never (never never) ever trust Windows system messages...
Today we ran out of disk space on a server in the Test Lab. It's running Windows 2000 Server so I dutifully (as one does) went into Disk Cleanup and let it do its thang. After pondering the universe for 30 minutes Windows reported a message along the lines of (paraphrasing as I forgot to write it down): "the following files have not been used recently and may safely be compacted or deleted".
Oh goody thinks me - Windows has for once done something helpful...
...then everything goes a bit Pete Tong. After allowing Windows to compact and delete the files that IT says are NO longer needed I get a System pop-up message from Windows File Protection:
"Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows 2000 Server CD now."
This made me laugh, then cry, then laugh some more, and finally shrug with indifference - I guess I should have expected Windows to mess up like this.
Moral of the story (and one I should have learned already ;) - never ever trust anything that Windows tells you. -C
Very descriptive non-descriptive error messages
A quick lesson I just re-learned... "just because it says it will do what it says it does on the tin, doesn't mean it's the only thing that the contents of the tin can be used for" or some such...
...this had me confused for a couple of hours: there I was about to install Solaris 10 on to an Ultra 5, when up comes the following error at the OBP:
"fast data access mmu miss"
Ahah! - "that sounds like a nice descriptive error message, something a quick search on Google will help me resolve" thought I. How wrong I was. Apparently this error can be because:
- the CPU is blown;
- the RAM is corrupt;
- something's amiss with the IDE bus;
- something's amiss with the SCSI bus;
- something's amiss with the PCI bus;
- something else is amiss..;
- the installed OS or some other software is somehow corrupt;
- the CD media can not correctly be read.
Now I can understand that the last two are essentially the same thing (corrupt media = corrupt software), but why have the same message for all of these options? I spent a good couple of hours testing the CPU, RAM and searching around to see if I could swap in replacements.
In the end all I had to do was re-burn the .iso images with a different burner (an external LaCie - bootiful bit 'o kit). Maybe I should have tried this first, but hey you live and learn;)
Cheap, v. reliable Strongbolt (Linux) servers
For my test lab at home (do you have one too?) I took delivery of a "new" server yesterday. It's a refurb Sun Cobalt RAQ 4r running CentOS (community version of RHEL) and an updated BlueQuartz under the brand name of Strongbolt from the nice ppl at osoffice.co.uk.
IMHO a very good deal - for £130 UKP (inc. P&P) it came fully configured, ready to run out of the box. Setting up virtual site hosting via the included BlueQuartz interface was relatively easy - and where I did get stuck, the forum: www.osoffice.co.uk/forum came to my aid (ahhhh that's how you get phpMySQLAdmin working..!) Oh and as a plus it looks well cool as well ;)
If you want to test web sites in a "production" environment without having to actually upload to your production server then the Cobalt / Strongbolt servers are definitely worth considering. I got mine from osoffice.co.uk's eBay member rollistag, there's one up for sale at the mo: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=330047425777 or you could try osoffice.co.uk direct.
ID Cards - testing not required (apparently)
To-date not a single one of the UK Government's IT projects has delivered the desired functionality to a high quality standard on time and to budget. Not one, nadda, nothing... In the UK this is becoming something of a joke with endless "we have learned from our mistakes and will try harder next time" speeches from this politician or that civil servant. So why the following: http://www.silicon.com/publicsector/0,3800010403,39163450,00.htm?? To quote the usually very reliable Silicon.com: "The government won't test all of the technology underpinning its ID cards plans before the project goes live, it has revealed..." I'm suffering a real sense of Deja Vu here (was it the same black cat?)
Windows RC 1 is "ready" (or maybe not as Mr Blue Screen is telling me...)
Well, a week after downloading Build 5600 of Windows Vista RC1 I finally got the obligatory "it's ready" email from Microsoft... only it appears just a bit more testing may have been useful because, you see, it just seems far too easy to crash...
Thing is I really wanted to test our company's software against the new logged-into-a-domain-capable Fast User Switching, but I can't. That thing which is more of a fact of life than the fact that one day we will all die, namely Mr Blue Screen of Death reared its ugly head - and yes my computer floundered on its back, wiggled its toes in the air and collapsed in a puddle of odd looking core dump messages.
Is it too much to ask that I should be able to log in with just two users, and swap between them just four times without losing all my open and currently unsaved data in Vista because Mr Blue Screen has decided to intervene?
I know this is "only" RC 1, but I thought such to be a statement of quality - "we believe that this product is spiffingly tippity-top and we're going for a build that /may/ be suitable for release" or some such.
I look forward to RC 2 - may it last more than 30 minutes before it Blue Screens (will that be a record?) Only thing is according to the email RC 1 is "The final pre-release of Windows Vista..."
*flurble*
What version of Solaris am I?
Ok so you're given a Sun Solaris box to test with. You find a bug, you want to raise it - but how do you know what version of Solaris, and what revision exactly is installed?
At the most basic level booting the machine will reveal if you are running Solaris 8, 9 or 10 via a splash screen. However here are some useful commands:
uname -a <-- shows a summary of the system, its name and hardware type, eg:
SunOS Naylor 5.10 Generic_118833-03 sun4u sparc SUNW,Sun-Blade-1000
cat /etc/release <-- shows the exact release of the system, eg:
Solaris 10 1/06 s10s_u1wos_19a SPARC
showrev <-- shows the revision of the hardware and software installed, eg:
Hostname: Naylor
Hostid: 831263df
Release: 5.10 <-- this is the SunOS release which these days corresponds to the Solaris release (.10 = Solaris 10)
Kernel architecture: sun4u
Application architecture: sparc <-- this could also say x86 if not using a SPARC-based box
Hardware provider: Sun_Microsystems
Domain:
Kernel version: SunOS 5.10 Generic_118833-03
showrev -p <-- echoes the list of patches applied to a system, which will be quite long.
Therefore:
showrev -p > system.txt
will output the system revision and patchlist to a file you can attach to bug reports if necessary.
Also try:
prtconf -v <-- Displays platform-dependent PROM or booting system version information.
prtconf -p <-- I like to think of this as a summary of the above (it's not quite that but it is easier to digest in a hurry)
If you've used Stop-A you can also:
show-devs <-- outputs the device tree.
From Hong Kong to the UK...
I am impressed with the Hong Kong postal service, and the no-doubt numerous companies in between "there" and "here". Three times in a row now an item bought from HK on eBay has arrived at my door in the UK faster than posting a "first" class letter from my house to:
- my parent's (who live approx. 20 miles away);
- my "local" tax office (based in the midlands, approx. 100 miles away);
- my brother in law and his wife (who live just-over in Ireland).
You've got to admire the efficiency of a process that can get widgets to me from half way around the globe faster than the UK's Royal Mail can deliver a letter to my relatives!
I'd love to see the documentation for that process - must be some nuggets I can pull out to improve the testing process we use at work.
Anyone have a copy? ;)
PCA - the best patch tool for Solaris
Another quick tip for fellow Testers trying to get to grips with Sun Solaris. Forget the various patch managers available from Sun (smpatch, Sun Update Connection etc) - from experience they are oft prone to failure for the most inexplicable reasons. Instead what I needed (and found) was a simple to install, simple to use patch manager in order that I can keep the Sun Solaris boxes in the Test Lab up and running: www.par.univie.ac.at/solaris/pca/ "Patch Check Advanced"
A simple "./pca.sh -i" once a day keeps the Sun boxes up to date. It really has made managing the Unix workstations and servers a lot easier in the lab.
Oh - the instructions mention you need wget. If it's not on your system you can get it from: www.sunfreeware.com
- Download the version of wget for your Solaris version (make sure you get the package and not the source) to your Sun box;
- then gunzip .gz;
- then su to root (or other user with permissions to add packages);
- then do "pkgadd -d ".
Eh voila!
cardboard... how much do you have?
The test lab at work continues to grow nicely, a sure sign that testing as an activity is being taken ever more seriously. This is good as having the right tools for the job means we can be more proactive and increase our coverage of any software build we are given to test. It also means we are amassing an ever increasing amount of packaging, mostly cardboard from the boxes it all comes in. I'm beginning to think that there is a relationship between the number of cardboard boxes, the number of mugs of coffee I drink during the day (far too many) and our overall testing efficiency;)
I just wanted to share my pain of having to clear up yet another 2 dozen computer boxes last week (complete with enormous quantities of packing tape and SHARP industrial staples) - why can't there be a collect and return policy? Surely Mr Dell or Mr Jobs could collect their old computer boxes when they deliver new computers, and reuse them to package the items we buy on our next spending spree?
The one that really got me was a new hard disk that came in its little Seagate branded box (fair enough) which was inside a cardboard box large enough for a mini tower (even though we only ordered the hard disk), which then was placed in a box almost big enough for a large server by the courier company. Well at least the drive arrived undamaged!
Geekedness, knowledge, experimentation and training
I'm suffering from geekedness. I just realised that I've set out on a mission to learn as much as possible about as many different hardware/OS platforms as possible in as short a time (as possible). At home I have computers running Amiga OS 3, Fedora Core 4, Sun Solaris 10, Win 2k Pro, Win XP Home and Palm OS 5. I just visited eBay and saw an SGI Octane 2 that looks yummy - and yes I'm interested because it has Yet Another (TM) OS (Irix 6.5) installed, on a completely different hardware architecture. But I'll be good;) I'll wait till I've re-acquainted myself with Solaris first.
So what's the point I hear you cry (ie: what's this got to do with QA/Testing)?
Well, it's all about testing with fluency. You see, when I set about designing, writing and executing Test Plans, Schedules and Cases I like the whole thing to flow from A-Z, and this includes configuring the computers to perform such tests on. I find it a real disruption to the art and science of testing if I have to spend hour upon hour configuring something just to perform a single test because of my lack of understanding of a particular platform. Instead, I prefer to put in the leg work first to comprehend the system upon which I'll be testing, and then make use of the knowledge in a practical fashion: "Testing the Ay through Zee as easy as ABC".
My point? Well I've been caught off guard today... I'm here at work, at lunch, thinking "why o why can't I get it to work?" - and "all" I'm trying to do is something simple, a straightforward configuration... something that should just work (but doesn't). Now if only I had time to learn more about it all...
And that's my second point - Test Engineers are far too often expected to just "know" how to do something... "just go over to the server farm and set up a flibbetywhatsit with a whirlywibble and run through the test cases." Far too often, Test Plans and Schedules do not take into account the need for:
- Training Test Engineers;
- Allowing time for the Test Engineers to practice what they have learnt;
- Giving adequate time to gain further knowledge through further experimentation.
I'll stop grumbling now and step down from soap box, and go back to getting it all to work...
Solaris screen resolution
How to change the resolution of your Sun box? How to change it remotely?
/usr/sbin/m64config <-- changes the resolution of the PCX graphics card
/usr/sbin/fbconfig <-- changes the resolution of an Elite m3 (likely m6 as well) graphics card
WARNING: Changing the screen mode to a non-supported setting COULD DAMAGE YOUR MONITOR! These instructions work for me but may not for you - use at your own risk!
Examples
Show me some help:
m64config -help
fbconfig -help
Output the current configuration and supported resolutions:
m64config -prconf
This will immediately change the PCX graphics card to use the described resolution:
m64config -res 1024x768x75 now nocheck noconfirm
This will immediately change the Elite graphics card to use the described resolution and colour bit depth:
fbconfig -depth 24 -res 1152x900x66 now nocheck noconfirm
FAQs
- What do I do if my screen is corrupt after changing the display? - log out and back in or reboot;
- What do I do if I change my resolution to an unsupported value? - always use the -prconf switch to check the valid resolutions for your device, however see below for a neat get out of jail card:
Changing the resolution remotely
Just imagine... you are busy testing version 1.0 of ReallyExcellentApp and need to perform a test on a different screen resolution. You perform:
fbconfig -res 1600x1200x85
and *bzzzt* your monitor is just showing static. What can you do?
Well, assuming you need access to what's on-screen try the following remote recovery method:
- On a second computer open up a shell prompt and: ssh -l
- Once you have established an ssh connection type: su
- Enter your password and now type: /usr/sbin/fbconfig -res 1024x768x75 now nocheck noconfirm
- This will set the resolution back to a displayable value.
- Breathe out *phew!* You can now recover your test data.
Setting the resolution remotely allows you greater control over client computers when configuring for automated tests.
CV Testing
I'd like to introduce you to a term I just made up: "CV Testing".
To me this is a term used when someone applies for a job and hasn't read their CV. Comments such as: "Does my CV say that?", or "I've never heard of it" (but it's on your CV...) are probably not the best way to get a job.
Unfortunately some of the interviews for potential testers that I've been involved in over the years have gone this way, which is a shame, as an otherwise good candidate is let down by what appears to be pure fabrication, given that anything written on their CV is "fair game" in an interview. This includes hobbies and interests... "so Mr X tell me about your experiences in the world of supercharged snail racing?"
Sun box for testers
I decided I needed to up my Sun Solaris knowledge (call me a geek if u will) for "potential testing purposes"...honest.
Anyway, if you are in the UK and are on the look out for a cheap but
fully functional Sun box to learn more about these computers take a
look at ebay and user ID tima441. I managed to pick up a fully
functioning box for a very good price from Tim:
Sun Ultra 10 440mhz SPARC-IIi
1024mb RAM (the faster 50ns variety)
9.1gb HDD
Elite3D m3 gfx
Do go say hi - he seems to be a great chap; very helpful and sourced me just what I needed.
Now can someone explain why Sun keyboards have the Control and Caps Lock buttons swapped around?