Wednesday, 11 January 2017

Development : Scrum needs a Software Life Cycle

I'm trying to avoid sounding like a dinosaur today, but I have an issue with Scrum... I've been a team member and a scrum master, but I've never really been a product owner, until now... I'm currently in the middle of a large background turnaround for my employer, where a project which was largely parked and ignored for nearing three years has been awakened like some mammoth from the permafrost.

For the project in question, though it had been frozen for a long time, the whole team who worked on it had been let go; I am the sole development survivor.  I therefore find myself the team member, scrum master and product owner...

And so I'm being pragmatic as I swap roles and perform different tasks.  I do have a tester with me, so I have to hold a scrum for him, and I've passed on several stories; he in turn has helped, from the requirements, produce stories for us to tackle head on.

The large part of the work however is from a document, handed to me, and I've been left to generate some movement.

The first thing which has struck me, and something which you never really see mentioned when you look at the Scrum training materials or concepts, is that the product owner needs themselves to have a Software Life Cycle.

They need to Analyse their requirements, to Design what the product should be, then hand it over to the team to Implement, before seeing it gets Tested and meets their requirements.... Very much as I was taught the general software life-cycle in the 90's and used it thereafter... Long before Scrum was in vogue.



I asked a peer to review my thoughts on this, that we were driving the development for the requirements at hand with a software development lifecycle, which struck both him and me as "old hat", delving down the chain to the team (still myself, but that will change soon) as a Scrum & Sprint pattern.

Our conclusion is that, indeed, a "Product Owner", when they come to think about "AS A <ROLE>, I WANT <FEATURE>, SO THAT I CAN <DO SOMETHING>" stories, is really unguided; Scrum talks about the team understanding the requirements, but the methodology assumes those above have a good grasp on the requirements.

We went so far as to say that modern development of small, light parts, or pages, within an app or web page might never meet this dichotomy; that you need to guide the whole system and think about the whole thing long before you come to write your stories; only a large system implementation, such as I am undertaking, might fall into this crevasse.

I can see how easy it might be for myself in this temporary triple role to lead myself off course; I can see how hard it might be for the Product Owner to express what they want; and I look at the Software Development Life Cycle and I think... "If only they'd mention that Product Owners should be along that road before they run into Scrum"; some projects might run more smoothly, and the tasks of Scrum Masters might be easier.

Monday, 9 January 2017

Developer : Being the Outsider

As someone controlling projects it's sometimes hard to get into the action with others around me; the best way is to talk to those people, to be involved, to offer anything you can; perhaps not opinion, but fact to start off with.  Over time, working with people this way, I've always found you are invited into the more intimate meetings, the nuptials of the project, if you will.

This is a natural, human, process.  Great, or grand, projects such as NASA's probes to the outer planets in the 1970's had much press attention; indeed some projects such as NASA's Magellan probe of the 1990's had press not only present, but directly interacting with the engineers and scientists (and then writing excellent books - "The Morning Star" by the late Henry S. F. Cooper, anyone?).

However, the mundane and private enterprise contains projects of a lot less public interest; indeed they are private interactions.  And if, as a member of a company, you've not yet had time to foster those friendly interrelations to gain constructive access to the meetings about a project, you do find yourself as the Outsider.

You can hop and jump and try to peer through the murky world of hints and conjecture, but without getting up and digging into the project this can be hard work.  You may just want to help, but those inside the project might perceive you as stepping on toes, or going beyond your bounds of responsibility.

This is where the management have to see something: if you're already in a position to approach the project in a higher grade or manager role and offer yourself into the loop, that's easy and relates back to building bridges.  But if you're not, management have to recognise and apply you to the project.

Beyond team membership, stepped aside from the scrum master, and not overarching the product owner (to use the right buzz words), you have to literally be a fly on the wall and then slide yourself into position to help, rather than hinder.

How you do this is dependent on the people: you can offer code review, document review, hints or tips on hardware or architecture.  You can assist the team members or scrum master; even getting a round of coffee in can be that little bit which helps keep the folks on track.

But without yourself oiling the cogs of development with presence, approachability and an obvious willingness, you will likely remain the Outsider: you won't be on the ground floor for development meetings, you won't be in the loop with e-mail about the project, you won't even know what is going on around you.  If you end up in this situation, you need to address it up the chain, to push for somewhere to help yourself fit.

You always need a good manager above you to help with this, and in return you need to help them in order to help yourself.

Friday, 6 January 2017

Administrator : Fired Employee Stole Software Serials!

Today I've had to deal with a security issue for a friend: a certain department manager had a machine with a set of serial numbers for each of his developers' tool stack, quite expensive stuff; these were stored in a text file on his desktop in a folder called "serials".

The problem?  Before Christmas an individual was asked to leave the company.  His parting gift?... He stole all the software.

They knew this because he got a little drunk with a common friend of the manager's over New Year and boasted he'd be starting his own company with the same software stack... We're talking about £4000 worth of software.

The machine the chap was working on (Windows 7) was pretty locked down: he could not install, nor run a cloner, nor could he add a drive or boot from CD/USB, or even get into the BIOS settings to take the software directly off as it was installed.

My friend, investigating, suspected that the chap had simply taken the serial numbers; the manager frankly denied this.  His machine was checked: no-one had been accessing it other than him, there was no file sharing set up, and it too could not be booted into anything other than the Windows 7 installation on the machine....

There was no way, in management's eyes, that the software could go missing... My friend suspected different... And so co-opted me to help.  Getting a copy of the disk I was not able to log on, but I could see a whole bunch of scripts run at start up: whenever ANY user logged onto the system, they ran a series of scripts, one of which was a batch file (slaps forehead).

This batch file was stored as a regular file in a folder "C:\devscripts" and could be written to... I had a hunch this was where something could go wrong, but couldn't initially see how; the file looked unchanged... But then I noticed a hidden folder... a git repo metadata folder... in the same directory.... It seems the source of both this folder and the file was a git repo, so updates to the devscripts would be stored and committed to the git repo... and pulled to each machine every reboot.

But the git-repo was open for ANYONE to commit to!

The developer had simply, within the massive cloud of commits, committed a new batch file to the repo.  This new script started the Python interpreter with the command line "-m http.server 8080 C:\Users\<manager>".

The development machines used port 8080 for the remote debugger, and let this connection start without warning the user that a new firewall rule was required.

The developer then simply used "wget --spider" to pull all the files from the manager's desktop; this included a bunch of documents about staff performance and of course the serials folder in its entirety.

Once he had all these files, just before the festive break and his departure, he committed the original script again, which removed the starting of Python.  He did this in the midst of the sprints to the break, and no-one noticed that their commit numbering had slipped by a place!

If he had reverted the repo he'd have needed the manager's approval, but as it was the script just went from green to yellow to green against their sign-off system, so no-one paid any attention that the revisions had slipped in date & time.  And that the sign-off system didn't treat the signature of the commit as being different was a bug in the system.

So the lessons to learn...
  • Don't let batch files start with elevated (SYSTEM or administrator) rights on a machine, EVER!
  • Don't update said files from a public, or even an open internal, source
  • Don't just ignore any subtle changes (like the commit number order changing) when you observe them!
And when you fire a developer, fire them!  Don't let them sit there with anything connected to your network, you just fired them!  They'll want revenge!
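The third lesson is the one a script can enforce: a file that changes and then returns to exactly its previous content leaves a trace in the history even when the sign-off dashboard goes green again. The audit below is an added example, not the tool from the story or anything the company used; it parses the output of an assumed "git log --raw --format='commit %h %an <%ae> %ci' -- devscripts/start.bat" (embedded here as a constructed sample, with made-up commit ids, blob ids and e-mail addresses) and reports two things: commits whose content was later undone by a "bounce" back to an earlier blob, and commits from authors outside an allow-list, which is what an open-to-anyone repository needs most.

```python
"""Audit the git history of a start-up script for insert-and-revert pairs.

Added example, not code from the original post.  Input is the output of
    git log --raw --format='commit %h %an <%ae> %ci' -- devscripts/start.bat
(assumed command; the sample below is constructed).  Commits are listed
newest first, each header followed by a raw line per changed path:
    :<oldmode> <newmode> <oldblob> <newblob> <status>\t<path>
"""
import re
from collections import namedtuple

Change = namedtuple("Change", "commit author email date old_blob new_blob")

HEADER = re.compile(r"^commit (\S+) (.*?) <([^>]*)> (.*)$")
RAW = re.compile(r"^:(\d{6}) (\d{6}) ([0-9a-f]+) ([0-9a-f]+) ([A-Z]\d*)\t(.+)$")

# Constructed sample: the manager's two edits, the leaver's insert (c3b2a19)
# and put-back (d4e0f1a), then a later legitimate edit.  Ids are made up.
SAMPLE_LOG = """\
commit e5f6a7b Dept Manager <manager@corp.example> 2017-01-04 09:12:00 +0000

:100644 100644 2b2b2b2 4d4d4d4 M\tdevscripts/start.bat

commit d4e0f1a Leaving Dev <leaver@corp.example> 2016-12-22 17:55:00 +0000

:100644 100644 3c3c3c3 2b2b2b2 M\tdevscripts/start.bat

commit c3b2a19 Leaving Dev <leaver@corp.example> 2016-12-12 08:30:00 +0000

:100644 100644 2b2b2b2 3c3c3c3 M\tdevscripts/start.bat

commit b2c4d5e Dept Manager <manager@corp.example> 2016-11-02 10:00:00 +0000

:100644 100644 1a1a1a1 2b2b2b2 M\tdevscripts/start.bat

commit a10b2c3 Dept Manager <manager@corp.example> 2016-10-01 10:00:00 +0000

:000000 100644 0000000 1a1a1a1 A\tdevscripts/start.bat
"""


def parse_git_raw(text, path):
    """Return the changes to `path`, oldest first."""
    changes = []
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groups()
            continue
        m = RAW.match(line)
        if m and header:
            _, _, old_blob, new_blob, _, paths = m.groups()
            # renames/copies carry "src\tdst"; the last path is the current name
            if paths.split("\t")[-1] == path:
                commit, author, email, date = header
                changes.append(Change(commit, author, email, date, old_blob, new_blob))
    changes.reverse()
    return changes


def find_bounces(changes):
    """Pairs (reverting_change, [undone_changes]): the file's new blob equals
    the blob it had before some earlier change, so everything in between
    existed only temporarily."""
    bounces = []
    for i, ch in enumerate(changes):
        for k in range(i - 1, -1, -1):
            if changes[k].old_blob == ch.new_blob:
                bounces.append((ch, changes[k:i]))
                break
    return bounces


def unexpected_authors(changes, allowed_emails):
    """Changes committed by anyone not on the allow-list."""
    return [c for c in changes if c.email not in allowed_emails]


def audit(text, path, allowed_emails):
    changes = parse_git_raw(text, path)
    return {
        "bounces": [(rev.commit, [c.commit for c in undone])
                    for rev, undone in find_bounces(changes)],
        "unexpected": [c.commit for c in unexpected_authors(changes, allowed_emails)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, "devscripts/start.bat", {"manager@corp.example"})
    for rev, undone in report["bounces"]:
        print(f"{rev} returned the file to an earlier state, undoing {', '.join(undone)}")
    for c in report["unexpected"]:
        print(f"{c} was committed by someone outside the allow-list")
```

Against a real repository the same functions take the captured git output in place of SAMPLE_LOG; the blob comparison is exact, so a put-back that differs by a single byte would not register as a bounce, and the author check is only as strong as the identity git recorded, which is why the story's unsigned commits mattered.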

Monday, 2 January 2017

Administrator : Show Network Abuse...

As a network boffin it's always very difficult to express to every possible audience quite how busy & complex a job you have, not least in today's environment where you have wired and wireless connectivity from every imaginable device, UPnP, SSDP, ARP, NetBIOS, Active Directory, DHCP, DNS, UDP, TCP... It's a plethora of fields you have to take collectively as knocking on the proverbial door to your network adapter.

Recently we've employed the excellent SolarWinds tools as a method of network node and inter-connectivity debugging, and as much as I enjoy presenting the truly informative flow-charts and information, they don't show quite how huge the amount of data and number of packets flying around is.... I therefore set about visualising and displaying just such a situation to an audience...

A Ubuntu VM, with the i3 desktop, and a little time later.....

cd ~
git clone https://github.com/the-tcpdump-group/libpcap.git
cd libpcap
./configure
make -j4
sudo make install

Then...

cd ~
git clone https://github.com/the-tcpdump-group/tcpdump.git
cd tcpdump
./configure
make -j4
sudo make install

And now, I could... "tcpdump"... to just spew everything into a terminal window...

Open another terminal window and I could "tcpdump -l | grep 'facebook'" (the -l makes tcpdump line-buffer its output when it is piped, otherwise grep only sees it in late bursts) and see how much time people were flying off to facebook; the beauty and simplicity of the i3 desktop along with the raw output of tcpdump soon conveyed far more stark a message from a monitor on my desk than any e-mail or diagram could communicate.

Just the TCP packet headers were enough, without prying into what was being sent over a company network, in company time, to facebook... and ebay... and whatever else... 

Using egrep I could dig even further into the headers and get very specific, laying out the desktop with i3 just further emphasising the flow and pattern of usage... Anonymize it and I'd have a decent techy screen-saver too!
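Grepping the raw stream shows the traffic; turning it into a count per destination shows the pattern. The script below is an added example, not part of the original post: it reads tcpdump's default one-line text output (assumed format "HH:MM:SS.ffffff IP src.port > dst.port: Flags [...], ...") and counts new outbound TCP sessions per external host, ignoring the internal domain. Only the SYN that opens a session is counted, so replies and data packets are not double counted, which is still nothing but headers. The capture embedded here is constructed; the host names, the workstation names and the "corp.example" domain are invented.

```python
"""Summarise tcpdump's text output by destination host.

Added example, not from the original post.  Live use (assumed flags):
    sudo tcpdump -l -i eth0 'tcp and (port 80 or port 443)' | python3 tcpdump_summary.py
-l line-buffers tcpdump's stdout when piped; without it the summary lags.
When nothing is piped in, the constructed SAMPLE_CAPTURE below is used.
"""
import re
import sys
from collections import Counter

# A SYN without ACK ("Flags [S]") opens a session; "[S.]" is the reply and
# "[.]"/"[P.]" are data, so only the first is counted.  Matches "IP" and "IP6".
SYN_LINE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[S\],")

# Constructed sample standing in for the tcpdump pipe.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP ws12.corp.example.51000 > edge-star-mini-shv-01.facebook.com.https: Flags [S], seq 1, win 64240, length 0
12:00:01.000100 IP edge-star-mini-shv-01.facebook.com.https > ws12.corp.example.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000200 IP ws12.corp.example.51000 > edge-star-mini-shv-01.facebook.com.https: Flags [.], ack 1, win 502, length 0
12:00:01.500000 IP ws12.corp.example.51001 > edge-star-mini-shv-01.facebook.com.https: Flags [S], seq 3, win 64240, length 0
12:00:01.800000 IP ws12.corp.example.51002 > edge-star-mini-shv-01.facebook.com.https: Flags [S], seq 4, win 64240, length 0
12:00:02.000000 IP ws07.corp.example.40100 > pages.ebay.com.http: Flags [S], seq 5, win 64240, length 0
12:00:02.000100 IP ws07.corp.example.40101 > pages.ebay.com.http: Flags [S], seq 6, win 64240, length 0
12:00:03.000000 IP ws07.corp.example.40102 > intranet.corp.example.http: Flags [S], seq 7, win 64240, length 0
"""


def split_host_port(endpoint):
    """tcpdump joins host and port with a dot: 'host.example.https' -> ('host.example', 'https').
    Works for numeric addresses too (-n): '10.0.0.5.51000' -> ('10.0.0.5', '51000')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def count_sessions(lines, internal_suffix=None):
    """Count session openings per (source host, destination host, destination port).
    Destinations ending in internal_suffix are skipped when it is given."""
    sessions = Counter()
    for line in lines:
        m = SYN_LINE.match(line)
        if not m:
            continue
        src_host, _ = split_host_port(m.group("src"))
        dst_host, dst_port = split_host_port(m.group("dst"))
        if internal_suffix and dst_host.endswith(internal_suffix):
            continue
        sessions[(src_host, dst_host, dst_port)] += 1
    return sessions


def top_destinations(lines, internal_suffix=None):
    """Sessions per destination host, busiest first, as a list of (host, count)."""
    per_dst = Counter()
    for (_, dst, _), n in count_sessions(lines, internal_suffix).items():
        per_dst[dst] += n
    return per_dst.most_common()


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    for dst, n in top_destinations(source, internal_suffix=".corp.example"):
        print(f"{n:5d}  {dst}")
```

The per-(source, destination, port) counter is kept separately so the same data answers "which workstation" as well as "which site"; run it with tcpdump -n and the names become addresses, which is also what you would want for the anonymised screen-saver version.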

Thursday, 29 December 2016

Announcement : My Book On Kindle!

You can pre-order my Kindle e-book today for delivery the 1st of January 2017!



For all those times you wonder about not knowing quite how to approach programming, or if you've lost your confidence with overly technical tomes trying to teach you, try my personal, one to one approach!

The text takes on the same format as the books I learned to program from in the 1980's; it helps you understand the basics, never throwing you into fits of rage or despair, and I am right there with you to guide you.

This is the first book in what I hope to make a series, it takes you through basic variables, numbers, math, text processing, into the basics of lists and then object orientated programming, ending up with error handling and file processing.

I think the Python programming language, despite a few quirks, is an excellent starting point for any beginner today; it lends itself to introducing programming across multiple platforms oh so very quickly, and one can still find jobs out there specifically requiring Python skills!

Pre-Order today!  And I'll see you inside!



Saturday, 24 December 2016

Administrator : Blocking Spammers & Hackers (Basics)

To see who has been trying to connect to your Debian (or Ubuntu) server, search the authentication log (it is readable only by root and the adm group, hence the sudo):

sudo grep "Failed" /var/log/auth.log

This will list out the failed attempts.  Then check the successful logins; for ssh the line to look for is "Accepted" (a "session opened ... by LOGIN" line only matches a login at the local console, not one over ssh):

sudo grep "Accepted" /var/log/auth.log

You can note the IP addresses for the unwanted attempts and block them with iptables, like this:

sudo iptables -I INPUT -s AAA.BBB.CCC.DDD -p tcp --dport ZZZ -j REJECT

Where the IP to block is "AAA.BBB.CCC.DDD" and the port is "ZZZ" as a number, so to block 192.168.0.1 on port 7000 you would do:

sudo iptables -I INPUT -s 192.168.0.1 -p tcp --dport 7000 -j REJECT

Instead of REJECT you can use DROP (the far end then sees a timeout rather than an error), and in place of tcp you can use udp.  The --dport option only exists for tcp and udp; to block icmp from the address leave the port out, e.g. "-p icmp -j DROP".

To block a whole subnet range, give -s a network in CIDR form; iptables takes an address with a prefix length (or a netmask), not a first and last address:

sudo iptables -I INPUT -s AAA.BBB.CCC.0/24 -p tcp --dport ZZZ -j DROP

This makes all addresses in the range not respond.  /24 covers the last section, so 192.168.0.0/24 is 192.168.0.0 to 192.168.0.255; to block higher up the range use /16, so 192.168.0.0/16 covers 192.168.0.0 to 192.168.255.255, the last two sections.  Use -I (insert at the top) rather than -A (append) so the block lands before any ACCEPT rule already in the chain; an earlier matching ACCEPT would otherwise win.

You can view the rules in use with:

sudo iptables -L -n

(-n skips the reverse DNS lookup for every address, which gets slow once the list is long.)  The rules live only in the running kernel and are gone after a reboot; save them with iptables-save and restore them at boot (the iptables-persistent package on Debian/Ubuntu does this for you).



Why Does This Exist?
It's not often I have to actually turn a server towards the outside world; my personal servers usually sit on my LAN and never route to the internet, and likewise the items I provision in the office are for internal use...

Yesterday however, I had the pleasure of being told to make a service available to the outside world...

No big deal, it's Apache2 on a Ubuntu host, set up done... And I only opened port 80 then left it... All was fine...

It has run for six hours... six... On a brand new acquired IP address; no-one but the recipient at the far end knows about the server being there, it has no DNS entry, it has no other services, just port 80 and ssh open...

Yes, I have had hacking, poking, security breach attempts from China, Vietnam, the British Virgin Islands, Canada, the Netherlands and Russia...

The mind boggles at quite how much hacking and infiltration is going on out there...

I've been checking the mainly ssh breach attempts with the command:

sudo grep "Failed" /var/log/auth.log

I run this to a file and then have a python script to log the IP addresses into a table for me, and I can then just block them individually or as a subnet range, through iptables.

I also check for successful logins just in case with:

sudo grep "Accepted" /var/log/auth.log

I wonder however whether a python script to manage all this for me might be in order... Hmmm, project time!
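The table-of-addresses script described above, and the "manage all this for me" version, come down to the same three steps: parse the sshd failure lines, count per source, decide what to block. The script below is an added example, not the author's script; it parses the "Failed password for ... from <ip>" lines sshd writes to /var/log/auth.log (Debian/Ubuntu syslog layout assumed; the sample lines are constructed with documentation addresses), and emits iptables commands as strings rather than running them, so they can be read before they are applied. Past a per-address threshold an address gets its own rule; when several addresses from one /24 are all knocking, the whole /24 is blocked in CIDR form instead. An allow-list keeps your own management network out of the output so the script can never lock you out.

```python
"""Turn sshd failures in auth.log into reviewable iptables block rules.

Added example, not the author's script.  Assumes the Debian/Ubuntu syslog
format; SAMPLE_AUTH_LOG is constructed.  For real use:
    rules = block_rules(failed_attempts(open("/var/log/auth.log")), allow=("192.0.2.0/24",))
then review the output and run it with sudo.
"""
import ipaddress
import re
from collections import Counter

# Matches "Failed password for root from 203.0.113.7 port 51234 ssh2" and
# "Failed password for invalid user admin from 203.0.113.7 port 51301 ssh2".
# "Invalid user ..." lines are deliberately not matched: sshd logs a Failed
# line for the same attempt, and counting both would double it.
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for .*? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE_AUTH_LOG = """\
Dec 24 10:01:12 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 24 10:01:15 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 24 10:01:19 web1 sshd[2203]: Invalid user admin from 203.0.113.7 port 51301
Dec 24 10:01:20 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51301 ssh2
Dec 24 10:02:02 web1 sshd[2210]: Failed password for root from 198.51.100.21 port 40022 ssh2
Dec 24 10:02:05 web1 sshd[2211]: Failed password for root from 198.51.100.22 port 40023 ssh2
Dec 24 10:02:09 web1 sshd[2212]: Failed password for root from 198.51.100.23 port 40024 ssh2
Dec 24 10:02:11 web1 sshd[2213]: Failed password for root from 198.51.100.24 port 40025 ssh2
Dec 24 10:03:00 web1 sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Dec 24 10:03:30 web1 sshd[2221]: Failed password for deploy from 192.0.2.10 port 50001 ssh2
"""


def failed_attempts(lines):
    """Count failed sshd logins per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def block_rules(counts, per_ip_threshold=3, per_net_threshold=3, allow=()):
    """Return iptables commands (strings, not executed), inserted with -I so
    they precede any ACCEPT already in INPUT.  An address with at least
    per_ip_threshold failures is blocked on its own; a /24 containing at least
    per_net_threshold distinct offenders is blocked as a CIDR range instead.
    Addresses inside any network in `allow` are never blocked."""
    allowed = [ipaddress.ip_network(a) for a in allow]

    def is_allowed(ip):
        return any(ipaddress.ip_address(ip) in net for net in allowed)

    by_net = {}
    for ip, n in counts.items():
        if is_allowed(ip):
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, {})[ip] = n

    rules = []
    for net in sorted(by_net, key=lambda n: int(n.network_address)):
        offenders = by_net[net]
        if len(offenders) >= per_net_threshold:
            rules.append(f"iptables -I INPUT -s {net} -p tcp --dport 22 -j DROP")
            continue
        for ip in sorted(offenders, key=lambda a: int(ipaddress.ip_address(a))):
            if offenders[ip] >= per_ip_threshold:
                rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    counts = failed_attempts(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:4d} failures from {ip}")
    for rule in block_rules(counts, allow=("192.0.2.0/24",)):
        print(rule)
```

The same thresholds that catch the single noisy host catch the slow spread across a range (one attempt each from four neighbours) that a per-address count alone would never block. Rules produced this way still need saving with iptables-save, as above, to survive a reboot.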

Friday, 23 December 2016

People: I am Xelous (Someone else has an Identity Crisis)

I bring this to the public attention of these pages as I had what could only be described as an ill-conceived lecture last night about my name.  Now let us be clear, we all know "Xelous" is not my actual name; it is however a name I have used and evolved online since 1996.

If you google "xelous" you will find me... I admit also a young lady on Picorama... but you find me....

If you google my actual name you will find the Gillingham goalkeeper and a well known film franchise; you will not find me.

You will likewise NOT find me vaunting myself on LinkedIn; again I have been challenged about this.  My first reason for not really embracing Social Media in this manner is that I get a lot of spam, an awful lot of spam; the second is that it's simply not mature enough for me yet: Facebook is too much a dictatorship and not professional, and LinkedIn is not mature and insecure.

I noted how that LinkedIn hack disappeared from the radar pretty quickly in the Summer... I however remembered it.

I've had the comment that "Xelous" is a silly name, it's a name... It is actually a name, I thank "Nacel Xelous Elal Ybab" of the Philippines for letting me make this point.

I have worked professionally in the Entertainment Software industry under the pseudonym "Lord Xelous" as well, and it is the name on my YouTube channel.

So to that nay-sayer, you were wrong, and sounded silly.  Indeed I looked you up online, with your buttoned down collar supposedly "correct" name; you were WWAAAAY down the google search listings and even came second on the LinkedIn listing, and your surname is quite unique in and of itself!  FAIL!