Saturday, January 31, 2009

Software Testing e-learning

One of the best ways to stretch your training dollars - whether you are paying for training personally or from corporate accounts - is to consider e-learning.

Not only does e-learning cost less than live public or in-house training, it is a great solution for people who don't have the time to devote 7 or 8 hours (or 2 - 5 days) for training.

Studies have shown that e-learning is just as effective in getting the information across as live training. I think it may be even more effective because you can repeat material as needed. You can't do that in a live class.

It's also a great way to make sure everyone gets the same training no matter where they live.

And...for those training managers concerned about any trainer behavior (jokes, comments, etc.), e-learning is safe. No profanity, no inappropriate remarks, etc.

I have found that the key for effective e-learning is to interact with the instructor. That's why I offer teleconference sessions for my e-learning participants. You get the chance to ask questions and interact with me. Of course, I am always reachable by e-mail and try my best to answer questions by phone.

These are just a few of the benefits of e-learning. If you want to learn more about my e-learning courses (I have 13 of them now, including an ISTQB foundation level course), just visit

To experience free demos of any of my courses, just visit and select the demo section. You can login as a guest.

To buy a course, just visit We have a sale on right now! banned from Google

Well, the saga continues. Because of the redirects on my site, then my subsequent removal of the malicious links, I have been banned from Google. I'm not upset at Google - I understand their need for maintaining integrity in the search results.

It is frustrating to go from the #1 listed site for "software testing consulting" and the #4 site for "software testing training" to not even being in the search results at all.

So, if you are looking for me on the web, I hope this post helps you to find me.

I have gone through the steps to request re-inclusion and hope to be back in there soon.

Wednesday, January 28, 2009

Battling the Russian Hackers

I've been having an interesting time the past few days dealing with a bot attack on my web site. Don't worry - if you are a customer for my e-learning or anything else that required credit card payment. Your information is not kept on my server. Several months ago I got out of the shopping cart business and went with Volusion is PCI certified and is as secure as it gets.

Also, my Moodle e-learning environment is on a new secure server as well for several months now.

So, here's what happened. I hope this helps someone else defeat these guys.

In early December I noticed that my home page at was no longer an html page, but rather a php page. Also, my htaccess file had been changed to point to this new php file. I called my web host and they didn't know how it had been changed. So, I changed my ftp password and changed things back.

Last week, this happened again and I changed it back again to index.html. The next day the home page was index.php again.

After doing some research I discovered that my old version of Moodle still on the site had vulnerabilities which allowed the attackers to place the first Mad Shell script. So, I deleted every php application on my site. I also got rid of some old cgi scripts.

Then, they messed up. That's why I think it was just script kiddies.

They added a new file, named after one of my other pages, but appended with .php. By listing the main directory in my ftp client, I found the recent change.

I looked at the page source and found an encoded script on the page, which I was able to identify as Mad Shell. Now, this is a powerful script. It allows an attacker to do anything an ftp program can do. If you want to know more about Mad Shell, visit this blog.

I deleted that page, changed my htaccess file back to normal and started watching the server logs.

Sure enough, about 10 hours later, another change!

So I started studying the server logs again. This attack was using a redirect to bounce traffic from Yahoo Slurp through my site and on to a site selling drugs that enlarge things.

I was able to identify exactly when the redirects started happening again in the log and found two deeply embedded files - both newly created as php files. So, I deleted them. They had tried to hide them deep in my folder structure, but sorting by modification date helped find the folders.

Finally, that stopped the attack.

Here are my lessons learned (you may see others - if, please comment):

1) Whenever you introduce an application to a web site you are very likely to also introduce vulnerabilities. This is especially true for php apps and even more true for open source php apps.

2) Don't leave unused apps laying around on the site. I'm the kind of person that doesn't like to throw things away. In this case, I should have!

3) Take those security updates seriously. However, in the case of open source, you may not be notified of a vulnerability. It helps to keep an eye out on the support boards for the apps you use.

4) Keep an eye on your server logs and visitor stats. I have known for some time that bots kept hitting my site, but that's just the deal with bots. Every web site owner deals with bots. However, the server logs can be very revealing.

5) Don't expect much help from the web host. While a couple of people at my web host were informative and helpful, one guy told me to "do a Google search" to learn how to secure my files. I was looking for some specific ideas and his response was one of the most unhelpful. Back in December when I was asking support for reasons why my htaccess file had changed, they didn't have a clue. I would expect a tech support person with about one week of experience to suggest that an attack might be occurring. I think I'm ready to change hosting service providers.

6) Stay vigilant and fight back. These attacks can be defended and defeated.

Now, hopefully, it's on to more productive work!

Wednesday, January 14, 2009

Calling All Dashboards

In my December newsletter I asked for any of you that have created and/or maintained software testing or software project dashboards to let me know some of the most helpful metrics you track on those dashboards. I have received a few responses, but could use a few more to get a good sense of trends.

The reason I'm asking is because I am working on a keynote presentation for StarEast 2009 on that topic. It would be good to share the most popular dashboard items as described by you, my loyal blog readers, clients, students and friends (hey, some of you may be in all three of those categories!).

In case you are wondering what a testing dashboard is, you can view and listen to my original presentation here: Keeping it Between the Ditches - A Dashboard to Guide Your Testing. It's about 35 minutes long.

By the way, for all those who submit their ideas, I will send a copy of my StarEast presentation.

Also, I hope you can join me and my special guest Fiona Charles on Friday, January 16th at Noon Eastern time as we discuss the new book "The Gift of Time". This book is a tribute to the life of Jerry Weinberg and is a collection of essays by people like James Bach, Michael Bolton, Ester Derby, Johanna Rothman and many others.

I think you will leave this teleconference with wisdom and insights that Jerry Weinberg has imparted to us that can add a new perspective on "why" you do "what" you do in IT.

This Friday (January 16th) at noon Eastern time, you can get in on this call. You can also call in to ask your questions live!

There is no cost for this call, except for the long distance charges if you choose to call in. (You can listen free on the web.) If you can't be there live, it will be recorded for later listening.

Just go to The call in number is (724) 444-7444 Call ID: 26874 The start time is 12:00 EST (Friday) and the call will last no longer than an hour.

Once again, you can listen over the web and ask your questions by text message if you are in another country or just don't want to call in.



Tuesday, January 06, 2009

New Year, New Goals

Happy New Year everyone!

It seems that everyone I've been speaking with over the past week or so is really glad we have 2008 behind us. I am, too, but I'm not very sure 2009 will be better (at least in terms of the economy). I hope it is better, but I like to keep my expectations in line. We have pretty big challenges as a country and world.

I try to avoid making New Year resolutions because they are so easily forgotten. Instead, I try to focus on goals. One year, I made a list "10 things I want to remember" for the coming year. That was interesting to bring to mind throughout the year the important things.

I have some pretty major goals this year:
  • Finish three books I have in progress
  • Get about six more e-learning courses produced and out on the website.
  • Develop some test strategies and content for cloud computing (Thanks, Mike for that suggestion).
  • Contact at least two people in my network each day, just to stay in touch (so don't be surprised if you get a call from me).
  • Complete my advanced level test certification (one part down - two to go!)
  • Actually publish my newsletter every month this year!
  • I'm also working on this major project to document all of the processes used in my office - all the way from accounting to website maintenance.

Then, there are my personal goals: books I want to read, people I want to develop deeper relationships with, a better use of my time, and then the big one: to organize my office!

I also have this car restoration project (a 1949 Plymouth) I would like to finish while my dad is still alive to see it and ride in it.

One more thing - My goal is to journal each day. I have been hit and miss, but at least have been doing it for a few years. Back in November while in London I was able to stop by Harrods and get their 2009 Diary, which I find perfect for journaling. Plus, it's expensive enough to give me the incentive to actually use it.

I learned a great tip on this from my mentor, Jim Rohn. Mr. Rohn says that it's good to have a notebook with loose leaf pages for all my projects. Each project gets a tab. Throughout the year I will make notes about how each project is going. On the journals, the one time I spoke face to face with Mr. Rohn he told me that if I stay consistent, one day I'll have an entire shelf of journals to document for my kids and grandkids my ideas, experiences, pictures and thoughts. Today, I look at my shelf and I have about ten of those books. My goal is one book per year.

I hope this prompts you to make a short list of things you would like to do, be, or experience this year. It's easy to dismiss goals, like resolutions. But they really do propel us forward and give a chance to review at the end of the year the progress we have made. For me, if it's not a goal I probably will get distracted and not do it.

Your goals might be:
  • To learn a new skill
  • To visit a new place
  • To make a new friend
  • To be better at what you do
Just remember, it's not the economy that determines our success or failure - it's your outlook, faith and philosophy. There are always people that do well in bad times as well as good.

I hope you comment on this post and share some of your goals and thoughts about the New Year!