Random thoughts

  • Rory's visit to MS

    Rory's account of his visit to the MS campus: "Immediately upon my arrival, I was stripped naked, cavity-searched, and interrogated. My blood was replaced with a synthetic compound that would blow me sky-high if I attempted to leave the premises without permission, my bags were checked for penguin feathers, and one side of my skull was removed for placement of my temporary borg headgear." He should see what they do to you when you start full time. I didn't know Rory's birthday was the same day as mine or that he was coming to the campus. Otherwise, I would've bought him (and installed myself) a B0rg Pro unit for home use... Continue reading...

  • Visualizing blogs

    Ever wondered what a blog looks like? Steve Makofsky has implemented a small tool to visualize blogs. It would be interesting to add a feature to show a map of the links between the posts in the various blogs. Let's see if I can find the time and play with this in the next week... Continue reading...

  • Authentication and authorization

    [Disclaimer: I am not a security expert. 'Nuf said...] Ivan Medvedev (test lead on the CLR security team) has a great article about security and psychology. Its main topic: people as the weakest link in any security system. In the article Ivan says the following: "What can you do to make the system you are architecting more secure? The rule of thumb would be – require as much as possible information for a person to be able to access the data." Ivan's words above mean to me “require as much information proving the right to access the resources”. Unfortunately, a lot of people confuse this with “always know everything about people that access your resources”. It's a confusion between authentication and authorization. While the two features are tied to a degree, they are not the same. Authorization requires proof of one's right to access particular resources. Authentication requires proof of one's identity (she is who she claims to be). It is possible to have authorization without knowing the identities of the persons trying to access the resources. This is relatively easily achieved and demonstrated in software systems. In fact, most computer software relies on one basic identity verification system: username/password. Based on this pair, it assigns an identity and performs access authorization. There is nothing preventing a user from having two or more usernames/passwords to access the same resource, or multiple users from sharing the same username/password. In other words, the software does not know the true identity of the user. This is even more obvious in distributed systems such as web services. Let's say Google provides a paid web service for their services and Microsoft pays for its employees' rights to access these services. Let's say I write a small application to use these services. Should Google care about my identity? Of course, Google wants to know my identity for a lot of other reasons - targeted marketing for … Continue reading...

  • When did the software grow up so much?

    [Disclaimer: If your kids are smarter than the average installer, I didn't know that, so no offense, huh?] The latest software strongly reminds me of kids. It's cunning, intelligent and will use every possible trick to make you do what it wants you to, not what you want to. Why do I think so? Here's the conversation I had with one installer: Installer: “I can't install this update” Joe Dumb [me]: “Why?!” I: “Invalid drive S:” JD: “Well, duh, I know it's invalid. In fact, it's not even there, as I deleted the partition. Here's the original CD, play with it.” I [crying]: “I don't want it! I want my cache! Give me my S:!” JD: “I am sorry, but I don't have S: anymore.” I: “It's your fault - why did you mess with my cache?” Now, I don't have any experience with kids. But seeing this I recalled my friend's baby. This Christmas she saw Stanley's new keyboard. She grabbed it and tried to start smashing things around. When the keyboard was pulled out of her hands, she started crying. Stanley had to give her his old keyboard to make her stop. Well, I tried a similar trick with the Office installer - connected a network share as S:. You can't blame me for trying - things like that used to work with the installers a couple of years ago. Little did I know... I: “Umh, I can't install the update.” JD [still me]: “Why?” I: “'Cause I won't and you can't make me! You are a bad user!” At this point I had to resort to the worst crime a parent can commit - reading the child's diary. With trembling hands I opened the log file and read there the following: “JD tried again to make me install the update. He gave me a fake S:; a network share! What was he thinking? I am not a baby anymore! I want a real S:. I mean, L's user gave him one for last Christmas, why can't I have one as well?” Apparently, the software these days has grown up and has … Continue reading...

  • Florin Lazar in the house

    Hm, it looks like Florin Lazar, one of the guys responsible for transactions testing on our team, is in the blogging house... I have to subscribe once I am back from LA. Continue reading...

  • Three reasons to keep pushing a bug...

    Often when filing a new bug based on a convoluted scenario, I get the same answers again and again from the PM and devs. Here are the reasons I have to keep pushing: 1. If you can think of it, your customers will think of it. The usual first answer I get from PM/devs when I come up with such a bug is “nobody would think about it”. I am far from the notion that I am the only “genius” that can think of something and nobody else would have the same idea. I just hope that I can think of enough things to cover 90% of the scenarios people can come up with. 2. Even if you can't think of a reason to do it, your customers will find one. The second answer I get is usually “why would you want to do it?”. Well, I do it because I want to break the product and find bugs. :-) But people can find a way to use anything. In fact, there is a whole area in Microsoft, called Application Compatibility, that deals with applications that do exactly what the PM/devs don't want them to do in a way they never expected them to do it. 3. Your customers will do things you never expect them to. The third answer I get is “this is an Einstein scenario”. An Einstein scenario is a scenario that the PM expects no more than 2000 people (guesstimate number) in the world to understand and use, thus it is somewhat lower priority. In fact, in the Now and Here a single "Einstein" blog can have a huge impact on what people do with your product and how they use it. A lot of the modern Einsteins in the IT industry have great visibility and the ability to explain advanced things in simple terms, and they post a lot of source code samples. Morts and Elvises of the world read and learn and adopt Einstein techniques in their everyday work. So today's Einstein scenario might as well turn out to be tomorrow's Elvis and next month's Mort scenario. Continue reading...

  • The future of the software testing

    Harry Robinson's predictions about the future of software testing - http://www.stickyminds.com/sitewide.asp?Function=WEEKLYCOLUMN&ObjectId=6887 Model-based testing is picking up speed here at Microsoft. There is increased participation of the test teams early in the design phase of the products. There are a lot of other “smart” test writing techniques being adopted. We have great internal tools in development that help us immensely with the automation of the product testing. However, although I do share some of Harry's expectations, I am not that optimistic about the testing future in the short term. One big problem (and a big reason for my pessimism) is that a lot of people don't look at software testing as an engineering discipline. Most of the bright young people that come out of colleges use it as a step towards the “ultimate” goal of becoming “true” developers. In two or three years they move on to the other side of the fence, taking with them all the experience and knowledge they gathered during the development of the automated tests, leaving all the code base to somebody as bright and enthusiastic and as inexperienced as they were when they started this job. And since that code base was also used as a platform for learning tips, tricks, useful techniques and experimenting with various ideas, it usually is a typical example of “spaghetti” code. (Good luck maintaining a 10 year old test owned by 5 different people and without good documentation.) So, what are your predictions for the future of software testing? Continue reading...

  • Introduction

    I have been trying to start a new blog for a few months now. Unfortunately, my website host offers a very limited environment, so no blog engine works. Thus, I finally gave up and joined the hordes of other Microsoft employees on ASP.Net weblogs. Here's a short introduction of me: My name is Franci Penov. I work as SDE/T or test developer at Microsoft's Indigo team. I will be blogging about various technical and non-technical stuff. Occasionally I will be posting controversial opinions and if somebody feels offended by anything I write, please remember that anything here is my personal opinion. Even though I work for Microsoft and this blog is hosted on a Microsoft site, the content here reflects only my thoughts at a particular moment of my life. Continue reading...