Wednesday, February 21, 2018

What a Story! An Agile Story


You've heard of this thing called a User Story right? Perhaps you've even seen the template:

"As a <type of user>,
 I want <some feature>
 So that <some goal>."

But perhaps you've wondered how to put a feature like "read the users name from the database and put the value in txtbxUserName" into that format.

Occasionally, I write about Agile on this blog. In that entry, I wrote about a broader view of Agile from a developer perspective. In this one, I made a case for leaving the work up to the pros. This time I'm focusing on something much narrower — the User Story.

The Wrong Way



Perhaps not "wrong" way, just not something that's going to align very well with the benefits of Agile.

"As the one telling you how to do your job, I need you to write code that reads the username from the Users table and put that value in the txtbxUserName field so that it shows up on the page".


Or perhaps "as the project sponsor, I want a check box there so the users have to check the box before they can submit the page."

It can be a bit awkward to put those kinds of instructions into User Story format...especially when the goal is not for the user but for the project sponsor or manager to tell a developer what to do. You can succeed at writing good user stories if you frame them in more general terms — don't think about implementation details. A good test is — if it's awkward it isn't right.

Maybe Better

"As a user with access to multiple user accounts, I want to know who I'm logged in as so I know which account I'm using at any given time."

"As the company's legal counsel, I want the user to accept responsibility for using our services so that we have a leg to stand on if something goes wrong." That's the "I have read and understand the 30,000 words of legalese" checkbox.

Real Life Example

For another look, let's imagine were doing some work for a burger joint where their customers expect one thing — getting their food quickly. They want to order quickly and they want everyone else to do the same so the whole thing can flow like clockwork and they can be on their way to consuming those cals in under 5 minutes.

What does that story look like? Actually it may be helpful to have multiple User Stories since there are multiple user types or personas. Let's see about defining those now:

Regular Customer - knows what they want and orders the same thing all the time.

Infrequent Customer - didn't visit much and needs a minute.

Bulk-Orderer (team mom) - is ordering for the office or a party and has a bunch of items to order.

A story from each persona might look like this:

"As a regular customer, I want to place my usual order and get on my way so that I don't have to hassle with getting my food."

"As an infrequent customer, I want to take my time browsing the menu so that I can figure out what I want to order."

"As a bulk-orderer, I want to place my order without confusion so everyone gets what they wanted."

We're going to need a lot of cheeseburgers to feed that many Air-Force Cadets!
Who ordered no onions?


Next Steps

Now that we see the user stories in a more "user-need-goal" format, we can start to think through different ways to resolve the issue. That part of the process is a conversation. A conversation between the team and the customer.

That's a Wrap...(for now)

In this entry, we've seen how we van write User Stories from the perspective of the users, through different user personas. I haven't captured all of them and that's inevitable. The magic is that as we start rolling out features to support the users based on their stories, related stories will filter in.

You may have heard a little about different roles such as Team Member and Customer — especially about who plays which roles. We'll take a look at how that works in the next entry — there are some things to think about depending on your organization.

Tuesday, February 6, 2018

Web Basics - TLS/SSL https

We've been looking at the basics of the internet. If you've been wondering about how it all works or are interested in web programming, you need to know the things in this series of posts.

Today's topic is TLS - Transport Layer Security. The transport layer is essentially the connection itself. The web can be divided into a model with 4 layers - two of which we've been talking about: application (HTTP) and transport (TCP and UDP). The other two are "network goo" that we really don't interact with directly. They're important, don't get me wrong, just not important to this series.

As we saw in the last post on TCP, your information is flying around the world at light speed. With the right equipment and wrongful intent, someone looking to make a buck could easily tap into your data in transit (that's what we call it when its on the move) and sell your information (usually a big batch of information) to someone who will exploit it to steal money. That is, unless its scrambled before it's sent, then unscrambled on the receiving side. Enter encryption.


Encryption



The newest big business buzz of currency - crypto-currency -  is all possible because of encryption (that's the crypto- part). It's built on the premise of uniquely encoding a "block-chain" and adding that to the existing chain to make it more valuable.

Encryption took off during WWII because radio transmissions were used by all of the militaries participating in that war. As we know, anyone can tune into radio frequencies and listen in (we can also listen to the radio transmissions of the cosmos - all the way back to the beginning of our universe!). Unless you can send a message in a way that only the receiver knows how to understand, you're toast! Every one of your moves will be known. It would be like playing chess while thinking your whole strategy out loud - you just can't win that way!

So they encoded the messages. With the messages encoded only those listeners with the decoding sequence would be able to understand. The U.S. got really good at cracking the code - which was one of the main reasons why the Allies won. Another was the perseverance and sacrifice of millions of lives of Russian soldiers. And the third was massive industrialization in the U.S. - both automated and manual industry.

History lesson aside, encryption has been used to protect privacy long before the internet. In modern times, it is used to protect data both in transit and at rest (in a database or on a hard-drive). TLS represents encryption in transit. SSL (Secure Sockets Layer) is the outdated predecessor to TLS - it's been deprecated by the authorities on internet security (the IETF*) as of June 2015.

TCP establishes a connection to communicate between two servers. TLS secures that connection by ensuring that all information transmitted through it is encrypted. The mechanisms for applying this encryption involve a certificate.

Certificates



Certificates operate on a trust basis. There are companies that issue certificates (issuer). Those companies are called certificate authorities (CA) and your computer has their root certificate pre-installed. If you are securing your server, you would purchase a certificate from one of those companies. Your URL would then be registered to that certificate. You install the certificate on your web server. When https requests are made to your server, the requester gets a copy of your certificate. Your certificate is used to establish your authenticity. It's kind of like a driver's license, passport, or other form of id.



If you are the requestor, your browser will check the certificate's signature against the signature you have on the root certificate of the issuer. The domain in the URL also has to match the domain name on the certificate you receive from the server. If there is a match, the server has been Authenticated. Once the Authenticity of the server has been established, your computer and the server will generate an encryption key for the session. All of the information shared between you and server will be encrypted and decrypted on either end using that key.

Issues

This site is not https, but it's readonly - you don't exchange any sensitive information. Be careful when you have sites that require sending sensitive info and there is no https or it is mis-configured.
This site is configured for https.


This is how most of your information is secured on the internet today - provided you and the server are using https properly. Often we see misconfigurations on servers or servers that still support unencrypted http connections (http without TLS). There are also different versions of TLS which creates more configuration issues. The best you can do is pay attention to what your browser is telling you and think a bit about what kind of information you are willing to compromise - and remember some hackers are fairly sophisticated and can piece information together from multiple sources if you are a specific target (e.g. have a lot of money or power or work for a target organization/industry).

TLS works well to protect us when configured properly, but we should still remain vigilant. It can be easy to think that https solves all of our internet security problems, but there are other ways that hackers will try to pwn you.

Continued Learning



Encryption is a vast subject in and of itself. It comes in many flavors and varieties. There are one-way and two-way hashing algorithms, asymmetric and symmetric keys, private-private and private-public keys. And it all involves some pretty intense mathematics. Crypto-masters are a rare breed but the work they do is vital to our lifeblood - secure data!


IETF - Internet Task Force



OWASP is the go-to for internet security - they have great info about TLS



Some certificate authorities along with more details are listed on WikiPedia here:


Wikipedia has a lot on the subject of TLS in general:



Thursday, February 1, 2018

Web Basics - The Internet - TCP/IP

Yesterday, I posted about the basics of HTTP. Of all the message protocols, it is the most common one used on the web. If you are in IT or use the internet - basically if you have a pulse - and you are curious about how the internet works...or, I don't know...want to learn web programming, then you should also learn about TCP/IP. That's TCP over IP.

But First - UDP


Our journey though the internet begins at your computer. Let's imagine that it's only connected to one other computer through a wire. That's the simplest kind of network. Your computer is networked with another. Both computers have a network interface - which is a card or microchip or something on your computer that knows how to connect to the outside world. Think of this device as a telephone.


The telephone allows you to connect with another person at a distance. You can talk and listen. A network interface card (NIC) can send and receive data (as packets) over a network. Your computer talks into its NIC, and its NIC uses the network to talk to other computers...just like your phone!

With the 2 computer network, the NICs in both computers will need to know how to exchange data. The simplest way is to just send the data to the other side. This is called UDP (User Datagram Protocol). This would work well in a simple network like two computers over a single wire. But lets imagine those computers are very far apart - one in New York and another in Los Angeles. And let's imagine they're connected over a telephone wire. And let's imagine they're sending data over that wire.

TCP


Since those old phone wires weren't designed for data - they were designed for talking - some of the data might get lost along the way. Luckily there's TCP (Transmission Control Protocol). TCP is a network protocol where the receiver tells the sender that it got the message and how much of the message it got. If it didn't get all of it, the sender sends the missing pieces. Sending this way takes longer, but it makes sure the right message was received.

Protocols are there to make sure we get the right message. They exist in everyday life, we call them manners - the pleases and thank you that ensure clear communications. The army has protocols for sending messages over radio. Imagine if a platoon heard the wrong thing over the radio - it could march straight into enemy hands! There are even communications protocols for Presidents of the United States of America! Those protocols keep the people of the world informed without going into a frenzied panic - or marching straight into enemy hands!

IP


The internet is a wide network - it spans the globe. Even into near-earth orbit. The ISS and its occupants tweet from the space station! This web of computers is very complex - it has smaller networks within and it has branched off networks. It exists over wires and radio signals. Each connection has an address. The address schema (a schema is a way to organize something) is called IP. Don't confuse this IP with Intellectual Property - also technology related. This IP is Internet Protocol.

IP is how the systems that run the network know how to find your computer. It's how your computer knows how to find NASA.gov. It's how your computer sometimes knows how to find your printer...and sometimes when it doesn't.

Your computer can use IP to talk to itself. There's a special address for this: 127.0.0.1 there's also a special name for it (called an alias): localhost. Your computer is also configured with an IP address for the internet - the network gateway. That IP address is where your NIC sends all of your requests that are bound for the internet. There could be other devices connected to your network - like your printer, other computers, servers, storage, your home, TV, etc. Those have their own IP address on your network. They can communicate within your internal network using that IP address. They can also communicate on the internet through the same internet gateway as your computer!

Ports


Along with the IP address, computers listen for incoming calls on Ports. Ports allow one computer to have many "conversations" at the same time. Ports can be numbered 0 to 65535 (that's 16-bits unsigned). Some common ports are:
80 - http
443 - https
There are many other common ports for things like ftp, ssh, and mail.
When your NIC sends a message, it opens up a port. It uses that port to send and receive messages to and from the other side.
What the receiver sees is your internet gateway - your router. Actually the last router in your network before your message gets sent into the great beyond of the internet. After that, it gets passed around the internet routers to your destination - if it can be found.

Continued Learning


The internet may be a fascinating and complex web of networks that span the globe, but almost every bit of it operates on a few core technologies. TCP/IP is how connections exchange data over a not-so-reliable network and HTTP is how two computers know how to interpret what's sent over the networks.

There is a glaring issue with all of this - if all this data is flying over the network and it really is possible to tap into those messages, how do we keep others from prying in on our messages? The answer is encryption! TSL to be specific - that's https to you. Well see how that works and how your computer knows the IP addresses of websites in upcoming posts in this series.

More information on UDP, TCP and IP is available in Wikipedia:

https://en.m.wikipedia.org/wiki/User_Datagram_Protocol
https://en.m.wikipedia.org/wiki/Transmission_Control_Protocol