Monday, April 4, 2011

WTA09 - Bugs in Your Pocket? A Weekend Testing Follow-Up

On Saturday, I had the opportunity to participate in and help facilitate another interesting and fulfilling session of Weekend Testers Americas.

This was our 9th gathering since forming in November of 2010, and the mix of participants was varied and multi-national. It was, however, notable in the absence of a few long term participants by virtue of the fact that it was the same day as the cricket World Cup, and by virtue of the fact that India was one of the finalist teams, we had a much lower percentage of Indian participants, not just from India but from elsewhere around the globe. I mention this because I find it amusing that a Cricket match could have such an impact on an Americas testing event, but it goes to show just how far ranging our participants are and from how many countries they participate.

So this weekend, we focused on an idea from a new cast related to how the newer credit card and passport documents that use RFID chips can open up a whole new range of issues related to the ability to steal information without individuals having any idea that it happened. If we have an RFID credit card, the idea is that we just touch it to a sensor and we can generate a transaction. While I do not have an credit cards with this technology (currently), I do carry a train pass and a parking pass that use this technology, so I'm just as vulnerable. The key point of the newscast was to show that, with some specific pieces of equipment (a touch-point card reader, a cable and a net-book computer), an enterprising thief could walk up to someone, pass the reader hidden in a carrying case next to someone's pocket, and effectively read the card, capturing information that could be used fraudulently.

The group that gathered had varying levels of experience with testing, and with a few exceptions, almost nobody in the group had any real experience with RFID technology. What made this interesting was that it showed that, even if the technology was foreign or unusual, we still as a group could come up with a lot of testing ideas and methods. Additionally, ideas from one tester would spawn thoughts and ideas from another tester, which made for a dynamic discussion.

We posed a number of questions to the group:

  • Who might our testing be considered valuable to?
  • What risks are we looking at with this device?
  • Do the Potential risks outweigh the Actual risks?
  • Where could we find out more details about this?
  • What might the bug(s) be in this instance?
  •  How could we develop tests around this technology, even though we may know little about it?

The group as a whole gamely stepped up to the plate and kept the discussion going, with lots of details and lots of interesting specific approaches we could apply. We focused a good amount of attention to the fact that the potential risks, while significant, had to be measured against the actual risk of such thefts occurring.

Each of these sessions gives us an opportunity to "think differently" or to explore other methods of thinking. In some ways, I consider that to be just as important, if not more important, than developing testing specific skills. Our ability to approach unique problems and find interesting solutions for them, coupled with an ability to go "off script" and examine products and projects that we may have limited familiarity with can be an excellent advantage to a tester. At the same time, it's important to de-focus and realize that an expert's advice is invaluable. Much of the discussion, while interesting, was entirely speculative. If an RFID engineer with deep expertise in the field were to participate, it's likely that many of our ideas, theories and approaches would be found to either be wanting or completely irrelevant.

Each Weekend Testing event is a chance to try something different, and see where those sessions lead us. Very often, our best laid plans can get scuttled by the approach the group(s) choose to attack, and there has to be a certain amount of willingness to deal with that ambiguity. Very often, it seems, charters, missions and strategy can be envisioned as one way, only to turn out a totally different way at the end of the session. In some ways that can be unnerving, but it's also fun in that thinking gets challenged, ideas that were set one way can be considered with new information, and often ideas we were sure of become less sure and obvious with new information. Overall, though, these sessions stretch my perceptions and ideas, and I'll encourage that any time!

No comments: