Testing Lessons From a Glass Factory

A number of years ago, I took a tour of a plate glass factory. Plate glass manufacturing is pretty simple: dirt pours in one end of a factory where it’s melted in a huge furnace. The melted dirt is then poured out as a thin sheet which then cools into glass as it rolls along a mile-long conveyor belt. The process is continuous – dirt constantly pours in and glass constantly flows out in a never ending ribbon. At the very end of the factory, away from the furnace, a lonely robot slices the ribbon into panes of glass for things like windows and doors.

Periodically, a technician will take one of those glass panes back to a lab where it is broken up, melted, dissolved with chemicals, and analyzed in fine detail under a microscope. That technician is a tester – one who is testing the production of the glass to make sure it matches quality requirements. His job is very different from that of a software tester, but surprisingly there are many things a software tester can learn from him.

That may sound bizarre because software isn’t manufactured. There is no real “production” in software – every copy of an application should be exactly the same. But production testing is about more than manufacturing. It’s about managing variability – and understanding variability should be incredibly important to software testers.


Click Fraud Climbing – Up 18.6 Percent

According to tech analyst firm IDC, U.S. companies paid a record $14.2 billion for paid keyword-driven contextual ads in 2009, with Google dominating 55% of that revenue, Yahoo 9% and Microsoft 6%.

More dollars = More fraudsters. Period.

The company Click Forensics just released a report on the overall click fraud rates for the paid search industry. According to SearchEngineLand, the report said click fraud was up from 17.4% last quarter to 18.6% in Q2 of 2010. Traffic across 300+ ad networks is reflected in the data.

In addition, it was found that the countries outside North America with the greatest volume of click fraud were Singapore, Pakistan, Japan, Ukraine and China respectively.

Recent research by marketing intelligence company Visual IQ came out with similar numbers earlier this month. The company estimates marketers lose an average of 16.7 percent of their pay-per-click budgets to fraud.

So why is click fraud slowly trending higher and higher? The CEO of Click Forensics, Paul Pellman, says that “the main reasons appear to be the continued sophistication of botnets and malware prevalent in the fast-growing search marketing space.”

According to Inc. Magazine, click scams use the following techniques:

  • Manual clicking. Workers might be paid to click to run up totals.
  • Software clicks. Automated clicks.
  • Bot networks. Using malware to harness unsuspecting users’ computers, criminals can create large networks of computers employing programs that imitate clicks.

Despite detection innovations, click fraud rates show no signs of slowing. Attacks are becoming more sophisticated. Criminals are making more money. So what can we do? Any advice out there on how to mitigate it?



Best Seller or Best Set Up? 400 iTunes Accounts Hacked

This past weekend, Vietnamese developer Thuat Nguyen hacked into 400 iTunes accounts to catapult his apps to best seller status. Nguyen accomplished this by buying his own Books apps — using the hacked iTunes accounts — which boosted his app ratings and launched his apps to the top of the list. The result? 42 of Nguyen’s apps were among the ‘Top 50 Books’ and up to $500 was deducted from each iTunes account.

After tracking down Alex Brie, a developer who first discovered the issues, PC World reported:

“After Brie’s calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store…[and] Brie speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple’s iTunes servers and skip the normal security steps, or run an automated scripted program.”

According to Engadget, Apple responded last night:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns…

I was under the impression that the App Store approval process was brutal. So, how did this rogue developer get through? What additional security measures and tests need to be put into place to prevent account fraud?

Security Bugs – Blame the Hackers?

News has been all over the web the past few days about the AT&T and iPad security breach. If you haven’t heard the details, in short, a group of hackers discovered a vulnerability in AT&T’s private web APIs where one could send the ICC-ID from an iPad SIM card and AT&T’s servers would send back the corresponding owner’s email address – no authentication required. Since the ICC-IDs for the iPad are somewhat predictable, it was trivial for the hackers to send in thousands of semi-random guesses and collect any email addresses that came back. Some of those addresses were for people with addresses from domains like faa.gov and us.army.mil.

The hackers claim they reported the flaw to AT&T before sending their discovery to the fine folks at Gawker. AT&T, on the other hand, was not pleased to see their security problems appear in a popular tech blog at all, and had this to say in an email to their iPad customers:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.

So who’s to blame for a problem like this? Is it AT&T, or do the hackers themselves deserve some of the blame for the public way they handled their disclosure? Give us your thoughts below.
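The flaw described in this post, next to one way to close it, as an added example that is not part of the original post and is not AT&T's code. The subscriber records, session tokens, function names and the per-client budget are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: ICC-ID -> registered email (all values are made up).
SUBSCRIBERS = {
    "89014100000000000017": "alice@example.com",
    "89014100000000000025": "bob@example.com",
}
# Constructed session store: token -> the ICC-ID that session authenticated for.
SESSIONS = {"tok-alice": "89014100000000000017"}

MAX_DISTINCT_IDS = 3  # assumed budget of distinct ICC-IDs one client may ask about


def lookup_unauthenticated(icc_id):
    """The behaviour the post describes: whoever sends an ICC-ID gets the email."""
    return SUBSCRIBERS.get(icc_id)


class HardenedLookup:
    """Same lookup, but bound to an authenticated session and throttled."""

    def __init__(self):
        # client address -> set of distinct ICC-IDs that client has requested
        self.seen = defaultdict(set)

    def lookup(self, client, session_token, icc_id):
        self.seen[client].add(icc_id)
        # One client asking about many different IDs is the guessing pattern
        # from the post; a real subscriber only ever asks about their own.
        if len(self.seen[client]) > MAX_DISTINCT_IDS:
            return 429, None
        # Release the email only to a session already authenticated for this
        # exact ICC-ID. A missing token or another subscriber's ID fails here.
        if SESSIONS.get(session_token) != icc_id:
            # Identical answer for valid and invalid ICC-IDs, so the response
            # does not confirm which guesses belong to real customers.
            return 403, None
        return 200, SUBSCRIBERS.get(icc_id)
```

The 403 branch is the actual fix; the distinct-ID counter is a detection and rate-limiting layer on top of it, not a substitute for the authorization check.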

Non-Latin URLs – Are You Ready for Testing?

Up until last week, Internet domain names were a pretty mature business.  Then the folks at ICANN decided to shake things up by enabling non-Latin character ccTLDs (country code Top Level Domains – like .co.il and .co.uk ).  What does that mean for you?  Well, here’s a quick test.  Try visiting this URL: http://موقع.وزارة-الأتصالات.مصر/.

What you’re looking at is an Internationalized Domain Name, or IDN for short.  It doesn’t contain western or “Latin” letters, and chances are everything you know about URLs is about to get turned backwards (in this case, literally).  What’s worse is that different browsers handle this kind of domain name differently, and there’s no one right answer.

Are you a software tester?  Then your ship has come in because IDNs open up a whole new category of software bugs.  Let’s take a look at a few big trouble areas, but hang on tight because this gets goofy fast.


Innovation Factory: Testing, Culture, & Infrastructure

Our good friend Patrick Copeland of Google (who we interviewed a few months back) has just posted his keynote presentation from the recent ICST 2010 conference. If you’ve ever been interested to learn how testing is done at Google – and why it’s done that way – this presentation is exactly what you’ve been looking for. Enjoy!

5 Reasons Flash Is Here to Stay

Apple’s recent changes to their developer agreement have unleashed a torrent of anger, hate, and divisiveness on the Internet (which, to my knowledge, has never happened before). To summarize, Apple announced that the only languages that can be used to develop applications for the iPhone are JavaScript, C, C++, and Objective-C. This change was seen as a slap in the face to Adobe, which was developing a Flash-to-iPhone app converter that would have made it easy to migrate a Flash application to the iPhone.

Through all of this bitterness, many have argued that Flash is ready for the deadpool – some even cheering its demise.  I disagree.  Actually, I believe just the opposite is true.  Here are 5 reasons why Flash won’t be going away anytime soon.

1. HTML5 is still very immature.
HTML5 is everyone’s favorite choice as a Flash replacement. Read the comments sections on just about any blog or article about this topic, and HTML5 is often hailed as the greatest thing to happen to computing since Apple “invented” the mouse (with Xerox’s help).  The problem with HTML5 is that it’s still an immature and unfinished platform.  While it’s supported by the very latest versions of Firefox, Safari, and Chrome, it’s not yet fully supported in Internet Explorer (although IE9 will bring support eventually). If most of the browsers on the web don’t yet support HTML5, it’s not a fully supported standard.


IE6 — The Zombie Browser That Can’t Be Killed

Developers have long awaited the death of Internet Explorer 6; web heavyweights like Google, Facebook, Reddit, Justin.tv and Digg have all announced the expiration date for their support of IE6; Microsoft has been steering users away from IE6 for more than a year. And last week, a funeral was held for the outdated browser, which was two parts wake and one part wish. Even Microsoft joined in the fun, sending a card to the festivities.

So what will it take to kill the undead browser once and for all?  Well, it’s worth noting — and shocking — that IE6 still drives nearly 20 percent of all web access from beyond the grave.

How is this possible? What outdated luddite segment of web users is still stuck in 2001? Well, the prime culprit is large enterprises like Intel who bemoan the cost and complexity of upgrading thousands of employees and legacy apps that were built specifically for IE6. So while the web citizenry, developers (and testers) have moved on and are ready to pull the plug, IE6 will continue to be part of the web app testing matrix for much longer than any of us would like to believe.

Just to further illustrate the insanity of IE6’s continued survival, here are a few other things that were going on in 2001:


Lady Gaga And The Death Of The Login

These days, it’s hard not to know about Lady Gaga (and if you don’t know her, here’s her latest music video to get you started).  She’s become one of the hottest pop acts in the world, all by combining music, fashion, and a little bit of “Andy” (either Warhol or Kaufman – take your pick).  So what does this have to do with software?  Well get this: an astonishing 89% of the people who create an account on LadyGaga.com choose to do so using third party authentication from Facebook, Twitter, or Myspace.

Just think about that for a second.  That means that nearly 9 out of 10 people creating special purpose web accounts are doing so using their social networking platforms (skipping all those annoying new account questions like password, age, location, and favorite pet in the process).

This is huge, and it represents a big shift in the way people are going to interact with your website in the future.  If 89% of users are doing this on a mass market website like LadyGaga.com, then I guarantee they’re going to be doing it on other sites as well.  So what does this mean?


Post to Twitter, Get Robbed

Sometimes new technologies can inflame old problems.  For example, consider location based social networks.  Many sites like Twitter and Foursquare make it easy to post both what you’re doing and your current location.  This is a great concept, and as technologies go there are huge possibilities for combining location information with social networking.  But there’s just one catch: if you’re out and Tweeting about it, then you’re probably not at home.  And that makes your home a perfect target for robbery.

To help people become more aware of the ramifications of announcing that their plasma TV is unguarded, a new site has appeared called Please Rob Me. Using the magic of social search, they track various networks and then list the posts from people who are clearly not at home. Of course, this has caused quite a stir online, as many have wondered whether something like this is legal, ethical, or even right.
