Here’s an interesting paper written by Rachna Dhamija, J.D Tygar, and Marti Hearst on Why Phishing Works.
“This study illustrates that even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users can’t distinguish legitimate websites from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants”
The movie Office Space has been made into a fun little online Flash game. In the game you act as Peter Gibbons trying to complete the mission: “It’s Friday afternoon and you just know that Lumbergh is gonna ask you to come in on Saturday. Finish all you TPS reports and sneak out the side door before Lambergh catches up with you!”.
Play for Milton’s honor.
Milton: “And I said, I don’t care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I’m, I’m quitting, I’m going to quit. And, and I told Don too, because they’ve moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn’t bind up as much, and I kept the staples for the Swingline stapler and it’s not okay because if they take my stapler then I’ll set the building on fire…”
Dion Hinchcliffe wrote an interesting article about Ruby on Railshere. Between the article, and the embedded links the following quotes bug the crap out of me:
Ruby on rails is: “a stack that contains components for most Web applications.”
Most. Heh. Wow, that’s really gonna suck when a team is fully invested/committed to Ruby on Rails and they come up with a need for something that’s not in the “stack”. Now, not only does the team need to figure out how to use the new/needed technology but they must also figure out how to integrate the technology into the Ruby on Rails stack. Fun! More work in a project with doesn’t have enough hours already.
Ruby makes: “what most people do most of the time extremely easy”
“37signals not only built their 5 world-class online applications purely with Ruby on Rails, but they support almost 400,000 users on just 13 servers.”
How vague is that? 400,000 what? Concurrent users with sessions? Doing what? Do you mean 400,000 enrolled users in the database? That’s a sad, “world-class” hardware hog (13 servers). Let me see here, the development is faster with Ruby on Rails (saving money) but they bought 10 more servers than the typical 400,000 enrolled user database needs.
When I put it all together in my head my summary is this: Ruby on Rails is like Ebonics for developers.
Ruby on Rails may be easier for development of most Web applications (a quoted 80% by David Heinemeier Hannson) but seriously, the same thing can be done with existing languages. Yes, Ruby on Rails/Ebonics has come to market faster than the other languages and because of that the other languages will be forced to get Web 2.0 savvy quickly. But Ruby on Rails has a lot of work to do on their “stack”. Take .NET for example, let’s say it takes Microsoft 2 years to Ebonicize so that you can do things like program AJAX quickly and easily. Once those Ebonics are in place you have access to a deep and extensive set of libraries that are baked. Ruby on Rails will building their “stack” for many years to come.
It appears that phishers have resorted to honesty by just simply telling you truth about what they want from you. Pure genius!
I’m not sure if this is real or not because when I put in a Visa card number I get the following error AND success message:
Warning: fopen(/var/guaym/creditcards.txt): failed to open stream: No such file or directory in /var/www/giveusallyourmoney.com/taketheirmoney.php on line 9 error taking your money.
Thank you, Brent Strange ,for giving us all your money!
No, I wasn’t stupid enough to put in my Visa card number… I used my wife’s instead. Okay, okay, I didn’t use hers either. Give me a little credit. You can create test credit card numbers on your own using MOD 10. How do I know this? No, I’m not an evil hacker. I once was part of a payments solution group at Intel (TranSync) and I had to test various card types. Graham King has a great little article on credit card test number generation here.
Our good ol’ Mr. Alex Furman continues to add features and fixes to SWEA. SWEA is now up to version 126.96.36.199. Here is a list of his recent changes:
V188.8.131.52 (published 03-26-2006) Improvement: Added script recording for Multi-select list boxes. Improvement: Improved scene identification for pages with script and frames. Fixed: Various small bug fixes.
V184.108.40.206 (published 03-18-2006) Improvement: Added Create Control/Record Control sequence. After creation the control will be focused in the project view and the control editor will be activated to allow script recording. Improvement: Added IE restart button/menu. Improvement: Save of a new script will pre-fill the script file name using the current project file name. Improvement: Added Invoke tab for all controls to record Set/Get/Method/Script calls. Improvement: Added support for Multi-Monitor systems. Improvement: Added Drag&Drop support to the Script Recorder View. Fixed: Various small bug fixes.
How can you avoid this issue?
Developers From a development point of view the AutoComplete attribute should be set to “off”. This can be done at the form or input level. This looks something like this at the FORM level:
<FORM autocomplete = “off”>
and like this at the INPUT level:
<INPUT type=”password” autocomplete=”off”>
Testers From a testing perspective it is important to make sure you have AutoComplete enabled in the browser so that you can visually catch the risk if it occurs:
Internet Explorer 6 (Tools > Internet Options > Content tab > AutoComplete button):
FireFox (Tools > Options > Privacy > Passwords):
Users To protect yourself as a user you should UNCHECK the “form” checkbox in IE6 or in FireFox you should UNCHECK the “Remember Passwords” checkbox or use the Master Password feature (which will prompt a master password to be entered before the autocomplete occurs).
WET (Watir Extension Toolkit) is an add-on to the Watir Framework to provide some enhanced features and functions. I haven’t used WET myself since I’ve invested in SWEA instead, but the WET extension definitely offers some nice testing additions. Here is the description of WET from the WET site:
WET sits on top of Watir. WET classes inherit from Watir and therefore adds features without removing support for any of the existing feature. The marquee of the enhanced features is the availability of support for the XML Object repository. The XML Object repository, is a way of representing objects on a DOM page in a XML based hierarchy. Besides the Object Repository WET offers many other features like:
Microsoft’s up and coming InfoCard technology seems pretty cool. What is InfoCard? I can’t sum it up better than Microsoft:
“InfoCard” is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user’s digital identities and maintain end-user control.
InfoCard will be supported from the browser which leads me to the question: How am I going to automate InfoCard when my site uses it for authentication?
If you haven’t seen InfoCard work then you probably are wondering what the big deal is. Well, what appears to be the big deal to me is that InfoCard exists in a different “space” than the Window’s desktop. What I mean by “space” is that InfoCard loads and then the desktop along with all Windows applications are grayed out (like when you shut down Windows XP). I’m pretty sure your current browser automation tool is not going to know what to do with this when the browser calls InfoCard for Website authentication (e.g. click a button on the Web page that says something like “Logon using InfoCard”).
I’m sure we’ll find a way to automate this little gem but it may require a little work and re-factoring of your automation tool. I’m kind of concerned with the statement of “It is specifically hardened against tampering and spoofing“. I’m worried that this really means: “Impossible to automate“. You might want to ask your automation tool vendor what their plan is for support of InfoCard.
Ahh, the power of Microsoft BETA software! As a QA Engineer you should not only be test driving, you should also be thinking about compatibility and integration with the software you are currently testing to avoid possible issues in the future.