Here's an interesting paper written by Rachna Dhamija, J.D Tygar, and Marti Hearst on Why Phishing Works.

"This study illustrates that even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users can't distinguish legitimate websites from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants"

The movie Office Space has been made into a fun little online Flash game. In the game you act as Peter Gibbons trying to complete the mission: "It's Friday afternoon and you just know that Lumbergh is gonna ask you to come in on Saturday. Finish all you TPS reports and sneak out the side door before Lambergh catches up with you!".

Play for Milton's honor.

Milton: "And I said, I don't care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I'm, I'm quitting, I'm going to quit. And, and I told Don too, because they've moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn't bind up as much, and I kept the staples for the Swingline stapler and it's not okay because if they take my stapler then I'll set the building on fire..."

Dion Hinchcliffe wrote an interesting article about Ruby on Rails here. Between the article, and the embedded links the following quotes bug the crap out of me:

• Ruby on rails is: "a stack that contains components for most Web applications."

Most. Heh. Wow, that's really gonna suck when a team is fully invested/committed to Ruby on Rails and they come up with a need for something that's not in the "stack". Now, not only does the team need to figure out how to use the new/needed technology but they must also figure out how to integrate the technology into the Ruby on Rails stack. Fun! More work in a project with doesn't have enough hours already.

• Ruby makes: "what most people do most of the time extremely easy"

Most...Heh. Ditto

• "37signals not only built their 5 world-class online applications purely with Ruby on Rails, but they support almost 400,000 users on just 13 servers."

How vague is that? 400,000 what? Concurrent users with sessions? Doing what? Do you mean 400,000 enrolled users in the database? That's a sad, "world-class" hardware hog (13 servers). Let me see here, the development is faster with Ruby on Rails (saving money) but they bought 10 more servers than the typical 400,000 enrolled user database needs.

When I put it all together in my head my summary is this: Ruby on Rails is like Ebonics for developers.

Hey, have you heard about the new language taking Web 2.1 by storm? Oh yeah, by storm! It's called LAZY. What's really cool about LAZY is that you don't have to learn Ruby or JavaScript to use AJAX. The LAZY framework wraps Ruby, which wraps JavaScript which makes your AJAX programming a no-brainer. A wrapper, for a wrapper. Truly LAZY!

Ruby on Rails may be easier for development of most Web applications (a quoted 80% by David Heinemeier Hannson) but seriously, the same thing can be done with existing languages. Yes, Ruby on Rails/Ebonics has come to market faster than the other languages and because of that the other languages will be forced to get Web 2.0 savvy quickly. But Ruby on Rails has a lot of work to do on their "stack". Take .NET for example, let's say it takes Microsoft 2 years to Ebonicize so that you can do things like program AJAX quickly and easily. Once those Ebonics are in place you have access to a deep and extensive set of libraries that are baked. Ruby on Rails will building their "stack" for many years to come.

We have a new QAInsigh.net content contributor today! Friend and fellow QA Engineer Rohit Mathur writes:

I was going through Scott Hanselman’s blog and he mentions (in his Ultimate Tool list) the RegEx tool RegexDesigner.NET by Chris Sells.

I found the tool very useful trying to evaluate the RegEx used in our Corillian online banking implementations. In our implementations the list of regular expressions are contained in a .config file. 

You can extract ‘the Date’ RegEx out of the .config file:

<add key="Date" value="^([0]?[1-9]|[1][0-2])[/-]([0]?[1-9]|[1|2]\d|[3][0|1])[/-](\d{4})$"/>

and then, using the RegexDesigner tool, you can test the Regular Expression to see what format/characters are allowed/disallowed: 

IRS cracks down on phishers:
http://www.fcw.com/article92749-03-27-06-Web

"The Internal Revenue Service has set up an e-mail address for taxpayers to forward suspicious e-mail messages that claim to come from the IRS."

Nice approach, not. This isn't preventative it's reactive. Once the phish email is sent it's already too late. The IRS should think about being preventative with an application like Corillian FDS.

My coworker Milind Pandit sent me the following link the other day:

http://www.giveusallyourmoney.com/

It appears that phishers have resorted to honesty by just simply telling you truth about what they want from you. Pure genius!

I'm not sure if this is real or not because when I put in a Visa card number I get the following error AND success message:

Warning: fopen(/var/guaym/creditcards.txt): failed to open stream: No such file or directory in /var/www/giveusallyourmoney.com/taketheirmoney.php on line 9
error taking your money.

Thank you, Brent Strange ,for giving us all your money!

No, I wasn't stupid enough to put in my Visa card number... I used my wife's instead. Okay, okay, I didn't use hers either. Give me a little credit. You can create test credit card numbers on your own using MOD 10. How do I know this? No, I'm not an evil hacker. I once was part of a payments solution group at Intel (TranSync) and I had to test various card types. Graham King has a great little article on credit card test number generation here.

Our good ol' Mr. Alex Furman continues to add features and fixes to SWEA. SWEA is now up to version 1.7.7.1. Here is a list of his recent changes:

V1.7.7.1 (published 03-26-2006)
Improvement: Added script recording for Multi-select list boxes.
Improvement:  Improved scene identification for pages with script and frames.
Fixed: Various small bug fixes.

V1.7.6.1 (published 03-18-2006)
Improvement: Added Create Control/Record Control sequence. After creation the control will be focused in the project view and the control editor will be activated to allow script recording.
Improvement:  Added IE restart button/menu.
Improvement:  Save of a new script will pre-fill the script file name using the current project file name.
Improvement:  Added Invoke tab for all controls to record  Set/Get/Method/Script calls.
Improvement:  Added support for Multi-Monitor systems.
Improvement:  Added Drag&Drop support to the Script Recorder View.
Fixed: Various small bug fixes.

The password textbox in a Web form is pretty much a joke. Sure the password is masked, but only visually. You can easily view the password with a small amount of JavaScript. For example, if you paste the following JavaScript into the browser URL bar when a password textbox is present you can see the password in clear text:

javascript:var x=document.getElementsByTagName('input'); myVals='';for (var i=0;i<x.length;i++){z=x[i].getAttribute('type'); if(z=='password')myVals=myVals+'The password value is: '+x.item(i).value+('\n\n')};alert(myVals)

Here is the script in action:

Because passwords can be harvested in this manner the AutoComplete feature (the ability to save passwords) is very dangerous. If you were to use a computer in a kiosk environment or if your computer is compromised it would be possible for the attacker to review your browser history, navigate to the logon pages of those sites and extract your credentials through the AutoComplete feature and the above JavaScript.

How can you avoid this issue?

Developers
From a development point of view the AutoComplete attribute should be set to "off". This can be done at the form or input level. This looks something like this at the FORM level:

<FORM autocomplete = "off">

and like this at the INPUT level:

<INPUT type="password" autocomplete="off">

Testers
From a testing perspective it is important to make sure you have AutoComplete enabled in the browser so that you can visually catch the risk if it occurs:

Internet Explorer 6 (Tools > Internet Options > Content tab > AutoComplete button):

FireFox (Tools > Options > Privacy > Passwords):

Don't rely on your browser settings though, somehow they magically change once in a while. Do a manual review of the HTML source to validate the attribute is set. Or use the following JavaScript in the URL bar to extract it out:

Look for AutoComplete in INPUT tags:
javascript:var x=document.getElementsByTagName('input'); myVals='';for (var i=0;i<x.length;i++){z=x[i].getAttribute('type');if(z=='text' || z=='password')myVals=myVals+'ID attribute: '+x.item(i).id+'\n'+'Name attribute: '+x.item(i).name+'\n'+'AutoComplete: '+x[i].getAttribute('autocomplete')+('\n\n')};alert(myVals);

Look for AutoComplete in FORM tags:
javascript: myVals2='';y=document.getElementsByTagName('form'); for (var n=0;n<y.length;n++){if (y.length!=null) myVals2=myVals2+'Form AutoComplete is: '+y[n].getAttribute('autocomplete')+ ('\n\n')};alert(myVals2);

Users
To protect yourself as a user you should UNCHECK the "form" checkbox in IE6 or in FireFox you should UNCHECK the "Remember Passwords" checkbox or use the Master Password feature (which will prompt a master password to be entered before the autocomplete occurs).

Don't forget, as described in previous posts, you can add the above JavaScript as browser shortcuts so you can quickly access/run the scripts. Do this by right clicking the above JavaScript/link and select the "bookmark this link" or "add to favorites".

WET (Watir Extension Toolkit) is an add-on to the Watir Framework to provide some enhanced features and functions. I haven't used WET myself since I've invested in SWEA instead, but the WET extension definitely offers some nice testing additions. Here is the description of WET from the WET site:

WET sits on top of Watir. WET classes inherit from Watir and therefore adds features without removing support for any of the existing feature. The marquee of the enhanced features is the availability of support for the XML Object repository. The XML Object repository, is a way of representing objects on a DOM page in a XML based hierarchy. Besides the Object Repository WET offers many other features like:

• Object identification using multiple parameters
• Improved result logging
• Checkpoints
• Reliable handling of Popup dialogs
• Rudimentary datatable support
• Control of test execution using test definitions

Microsoft's up and coming InfoCard technology seems pretty cool. What is InfoCard? I can't sum it up better than Microsoft:

"InfoCard" is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.

InfoCard will be supported from the browser which leads me to the question: How am I going to automate InfoCard when my site uses it for authentication?

If you haven't seen InfoCard work then you probably are wondering what the big deal is. Well, what appears to be the big deal to me is that InfoCard exists in a different "space" than the Window's desktop. What I mean by "space" is that InfoCard loads and then the desktop along with all Windows applications are grayed out (like when you shut down Windows XP). I'm pretty sure your current browser automation tool is not going to know what to do with this when the browser calls InfoCard for Website authentication (e.g. click a button on the Web page that says something like "Logon using InfoCard").

I'm sure we'll find a way to automate this little gem but it may require a little work and re-factoring of your automation tool. I'm kind of concerned with the statement of "It is specifically hardened against tampering and spoofing". I'm worried that this really means: "Impossible to automate". You might want to ask your automation tool vendor what their plan is for support of InfoCard.

Ahh, the power of Microsoft BETA software! As a QA Engineer you should not only be test driving, you should also be thinking about compatibility and integration with the software you are currently testing to avoid possible issues in the future.

When testing dynamic pages using SWEA the IsOptional property must be used. If the property is set to true it allows the Scene to be validated without that control being part of it.

The other day I automated a page that had 3 dynamic levels to it. In other words, when control 1 was present, control 2 and 3 were not; when 2 was present, 1 and 3 were not; when 3 was present, 1 and 2 were not. In order to successfully automate the page I had to toggle the IsOptional property on the fly. In the past I've used IsOptional as it was defined during my recording and present in my SWEA htp file, but I never had to modify the property in the middle of a test so that the Scene could successfully load. This is how I did it:

I'm adding another category to the site: "Identity and Fraud". I like reminding you of how out of control the management of your account information and identity is. Here's two more great examples of failure on the business side:

Citibank card fraud - magnetic strip to blame

Laptop with Fidelity data stolen

After a year of himming and hawing I finally broke down and purchased myself a video card to go with my P4-3.4Ghz PC that I purchased around XMAS 2004. This is how cheap I am: Since I purchased my top of the line PC in 2004 I've been running a 16MB PCI video card on it. A brand new system with a piece of crap video card. Kind of defeats the purpose eh?Yeah...I'm cheap. I was holding out for something that would do video-in (for video editing) as well as have a top of the line chipset that could handle the latest game, all for under $200....Rrrrrrright.

I gave up on the video-in, since there are so many external solutions that you can purchase for under $100, and decided to go shopping for the best that money can buy with $200. Co-worker Mr. Alex Scoble pointed me to the massive selections out at NewEgg.com and we filtered our way down to what I considered the best for my needs, the SAPPHIRE Radeon X850XT. The best thing about the 850XT is that I satisfied my cheap "habit" with the low, low price of $164.00. Check out these specifications:

Chipset Manufacturer: ATI
GPU Radeon: X850XT
Core clock: 520MHz
PixelPipelines: 16
Memory Clock:1080MHz
Memory Size: 256MB
Memory Interface: 256-bit
Memory Type: GDDR3

The specs are really impressive for less than $200! We couldn't find any NVidia cards that could compete in the price range that had 256MB memory, 16 pipelines, and have an interface of 256-bit. Sure the clock speed is not the fastest, but for my gaming needs I choose shading over speed which resulted in this card.

I received the card today and proceeded to install it as soon as I got home. Installation was quick and painless. In little to no time I had my long awaited dual monitors set up and was playing Call of Duty 2. With the game defaults I didn't see one pause on the first level. For the 2nd level I turned the dial from default to maximum EVERYTHING at 1024x768 which only caused occasional, very tiny pauses.

I'm happy. The SAPPHIRE Radeon X850XT from NewEgg.com has so far proven to be a good decision.

I somehow find this Super Mario Brothers race more fun and exciting than the 2006 Winter Olympics. What's wrong with me? I think I find it more interesting because I can relate to it. Think about it, the typical IT guy competes to survive using mouse clicks, response times and wit. I just can't get into figure skating. For the 2012 IT Olympics I'd like to see the following events:

• Double click: "athletes" compete to double click the fastest (left, middle, and right click). Athletes are judged on speed and technique.
• Inbox filing: "athletes" compete to file the contents of an inbox into junk, delete, postpone, and act now. Judges score on filing decisions and the possible impact of those decisions on the virtual business.
• Windows Installation: "athletes" compete to install Window Vista the fastest (no install scripts allowed). Athletes are judged on install time and ability to multitask during long waits.

What IT events would you like to see in 2012?

Oh, I almost forgot... When I was a kid my cousin was so good at Super Mario Brothers that he could complete the first level with his eyes shut. It was pretty cool to watch. Now that's what I call skill.

Recently a corrupt SilkPerformer uninstall kept me from re-installing due to the Segue Launcher Service still being present. I've never had to uninstall a Windows Service before, but there is a first time for everything. Perusing through the options that the MMC provided me, I saw no clear-cut way to uninstall the problematic service. I had to resort to Googling for it which yielded the following article from WinGuides. Their suggested fix worked well for me, on Server 2003; I was able to successfully uninstall the service. The magic is this:

1. Stop the service
2. Open the registry and navigate to:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
3. Delete the appropriate subkey

A little birdie sent me the cross site scripting attack today. I love it.

Note: no harm was actually done to the site with this attack, it only defaced the attacker's view.

Scott Hanselman recently posted a great Podcast titled "Functional Testing Tools Roundup" which focuses on practical tools for functional Web testing. In the Podcast he talks about the technical aspects, benefits, and downfalls of the following tools:

• WebRecorder
• PesterCat
• AutomatedQA TestComplete
• Watir WebRecorder
• Orb
• Selenium
• SW Explorer Automation
• IEUnit
• FireWatir
• BadBoy
• FireWatir Secret
• Segue SilkTest

If you are looking for a tool to test Web applications (UI not SOA) this Podcast is for you.

Take a second and look at the list above. Notice that the list is pretty much composed of open source, free, and/or ultra cheap tools. The demand for cheap and smart Web application UI testing tools is high and organizations are starting to push away from the big dogs like Segue and Mercury (i.e. Corillian pretty much uses Ruby/Watir and SWEA/C# for automating UI testing now). This is an awesome, awesome movement if you ask me. There are a lot of different types of solutions out there now and most are cleaner, smaller, less complex and targeted toward a specific crowd. If you spend the time reviewing the different tools you are most likely going to come up with a solution that will fit your need and will save you a lot of money in the long run with things such as tool cost, learning curves and training (take SWEA and me for example).

In the spirit of beatin' down the big dog, a great paper was recently submitted by Babu M. Narayanan to StickyMinds that outlines the benefits of Open-Source Test Automation (OSTA) in the industry. This is must read if you are skeptical about going with an open-source tool.

Man, I love this stuff! It's exciting to see so many people and great apps out there making testing easier and faster. 

Google Earth and Google Maps have given us a whole new way to express ourselves using their satellite imagery. People are going crazy showing us their art, graffiti, and advertising from the bird's eye view. I wonder how long it will take before somebody figures out the photographic path and schedule of the satellites. Just think how much graffiti some young, punk, geek could do if he knew when and where the next picture was being taken. Want to make a bet on when the first wedding proposal happens? How can she say "no" to such geekiness?

See Target's new form of advertising here. See modern day tagging with profanity here. Recently I got in on the craze and put a little advertisement for QAInsight.net on the roof of my house (see blog post picture).

Google has an awesome technology here, but let's kick it up one more notch. Here's my challenge to you Google:

• Allow registration of land coordinates to the land owner. Require meta-data input such as address, URL, rent or own. Lease city and utility meta-data to corporations: cable, phone, public sewer, FIOS, etc...
• Allow people to click on registered coordinates. Clicking directs the user to URL specified by land owner.
• Allow the meta-data to be searched and graphed. Imagine the power for house buying, rental search, track the creeping FIOS installation across town...

I love playing around with the DOM and DHTML. I'm old school like that... Don't make fun of me, you recently started poking around with AJAX which makes you no better than me! :)

I find it REALLY cool to be able to manipulate Web pages from the browser URL bar using JavaScript and the DOM. In the past I posted about displaying the site's cookies by simply clicking a Internet Explorer Favorites link that contained JavaScript to display the cookies. Now days, we have cool tools such as the IE Developer Tool Bar, FireFox Web Developer extension, and Site Inspector which all report the same data to you via the same method (DOM and DHTML).

Here at Corillian, we have a test case for every form textbox to check that it has a defined maxlength.. We test for this to help with usability and most importantly to provide the first line of defense in form input. Sometimes something as simple as checking for textbox maxlength is not worth opening a tool and digging through it's data, but on the other hand digging through the HTML can suck too. How often do you find yourself not wanting to do either, but instead count the characters as you type them into the textbox to figure out what that maxlength is? Stop it, stop it, stop it! Stop wasting time! You can do this with JavaScript from the URL bar in the browser. For example, post the Javascript below into the URL bar of your browser and hit the enter key:

javascript:var x=document.getElementsByTagName('input');myVals='';for (var i=0;i<x.length;i++){z=x[i].getAttribute('type');if(z=='text' || z=='password')myVals=myVals+'ID attribute: '+x.item(i).id+'\n'+'Name attribute: '+x.item(i).name+'\n'+'Maxlength: '+x[i].getAttribute('maxlength')+('\n\n')};alert(myVals)

Bam! Nice eh? This script dumps the maxlength for each HTML input tag that has a type attribute equal to text or password to a JavaScript alert. Since some sites use the attribute of name and some use id I dump both to help you figure out what textbox the maxlength applies to.

Add the script above to your Favorites by right clicking this link and selecting "Add to Favorites" in IE or "Bookmark this link" in FireFox. If you add it to your Links toolbar (IE) then it's only a click away on each page where you need to see the maxlength of textboxes. Look at you now, you one click tester! Happy testing.

Perusing through the latest MSDN Magazine today, I saw an article about another HTTP/HTTPS analysis tool called IEWatch. Tonight I've installed the tool and compared the features of IEWatch against my old favorite HTTPWatch (which I previously posted about here). With a brief run through of all the features I found a few cool points and features that HTTPWatch doesn't have:

• Price. IEWatch is $89 (HTTPWatch is $249)
• HTML Analysis
  • Grouping of all the links, images, scripts, and forms on the page. Clicking of the individual items gives details in the Explorer bar as well as highlights the object in the actual Web page.
  • Show HTML object in code. Each object can be right clicked on and the actual HTML code for that HTML object will be shown.
• HTML spotlight: Click on HTML objects in the actual page to view the code for that object.

Although these are pretty cool features I wouldn't switch from HTTPWatch. The reason being is that IEWatch is lacking key QA testing features that HTTPWatch has. These are important features that help with my Web application testing. The biggest items that stick out are the easy viewing of:

• Cookies
• Cache
• Query string
• Post data
• Content stream

If all you care about is viewing the HTTP headers and getting a WSYWIG view of a page then IEWatch is for you. If you want to see more details of the HTTP/HTTPS traffic and find all the defects that I describe in my prior post, then in my humble opinion I feel that HTTPWatch is a better fit. Who am I kidding? I'm not humble. Just pay a little more and get more with HTTPWatch. HTTPWatch simply wins the throw-down.

With new features and bug fixes in the tool WatirNUt, Co-worker Dustin continues to improve the ease of automating Web application using Ruby, Watir, and NUnit. Dustin writes in his latest blog entry:

"This version has several bug fixes but also includes Visual Studio support.  WatirNUt provides Visual Studio support for your NUnit assembly, by generating a project file (.csproj) that contains your watir artifacts, as well as all other compiled resources. This is very useful for debugging, especially if you use the TestDriven.Net Visual Studio add-in to run NUnit tests. The project can also be used as a starting point to integrate your non-web contextual NUnit tests with your watir tests."

Download the new WatirNUt installer here.

A while back I wrote about the Netscape product archive which proves to be helpful when you get an old and odd browser test request. FireFox used to make their browser archive easy to find back in the day when their list of browser versions was small. The other day I needed to revert from 1.5 back to 1.0.7 to do some regression testing on Intelligent Authentication. I couldn't find the archived versions from the menus and links on the FireFox.com site. Google searches eventually unearthed the "magic" link that pointed to the curb that the old versions had been kicked to. Going through the search and discover motions I found a few other valuable links that I bookmarked too. Here are all the links:

FireFox download archive:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

FireFox release list:
http://www.mozilla.com/firefox/releases/

Unofficial change log archive:
http://www.squarefree.com/burningedge/releases/

Also, did you know that you can install multiple versions of FireFox on the same machine without any big issues (much like the old Netscape). You can do this by just installing into separate directories. While testing, keep in mind that the installations share the same cache. The only issue that I encountered was that when I had 1.5 installed and then installed 1.0, 1.0 overwrites all the 1.5 desktop and start menu icons with 1.0 icons even though the options are unselected in the installer. Double checking the version number through the Help menu ensures that you are testing in the version that you intend to (sometimes this can get confusing if you don't manage and separate the installs very well). I've been doing this with Netscape versions for years now and have never been burned; FireFox smells the same way (I found issues in 1.5 that weren't in 1.0, indicating the installs are truly independent). I currently have the following browsers installed on my test machine and do not experience conflicts while doing browser compatibility testing:

• Internet Explorer 6
• FireFox 1.0.7
• FireFox 1.5
• Netscape 4.79
• Netscape 6.0
• Netscape 7.2
• Netscape 8.0
• Opera 8.5