Things which were not on my 2025 bingo card

The Club

This year I got a Community Star on the Club of Ministry of Testing. “Thank you for creating a helpful community vibe and for supporting your fellow community members with your positive contributions.”

A kind reminder

I also got a friendly reminder that I had been on LinkedIn for 20 years.

Boat magic

For a special project, I made a steamboat from modelling balloons.

A guided tour

In spring I took the first official Keukenhof guided tour for blind and visually impaired people. Most of the facts I remembered afterwards were about the trees in the park. Of course, there were flowers, but somehow the guide had some nice tree stories.

The tour was in Dutch and I bought the tickets using a special email address. Let me put it this way: it is not possible to get a private guided tour in English.

A thing to avoid

Kissing my wife while reading braille has its advantages, until she noticed it. My marriage advice to braille readers is not to move your fingers over braille while kissing your partner.

Showing attention

During a conference, I was offered a program in braille. My first reaction was to leave it on the desk, but I took it anyway.

During the last lecture, I got bored and looked at the rest of the program. I heard every word that was spoken and looked at the speaker.

Blogging along

This year I wrote some blog posts about how to take over an account. The blog posts are based on my experiences. The first blog post starts with the basics.

Thinking along

This year I tried to help my kid with a school assignment to hack a vulnerable website of a teacher. My contributions were not great, despite some experience in finding security issues.

The Club again

The Ministry of Testing also gave me a badge named Glossary Contributor. “Your insights are shaping the language of testing. Welcome to the Glossary Contributors”. I had written about accessing private documents using a browser.

The same dish

This summer I ate fish and chips in Volendam. The previous year I ate it in London.

Another guided tour

The European Juggling Convention provided a special tour for blind and low vision people. There were several workshops, followed by the Gala Show. During this show, there was a commentator who described what happened on stage.

How I stopped worrying about literature

In the summer, Time for stories started in my local library. The facilitators were the first couple. During the sessions small pieces of stories and poems are discussed.

Social media attention

The mayor of Gouda wanted to share a picture with me and other people on LinkedIn. We didn’t have to say cheese. So, I do not need to use a bad pun.

Changing the odds

For the first time in my life, my team won a pub quiz, including a section about braille. This was my second pub quiz. Currently, I have a 50% chance of winning a pub quiz.

Teaching again

In November I became a language coach. It is challenging to teach people to speak Dutch.

The current way of my blogging – Part 1

Over the years, I slowly changed my way of blogging. I could just write about it, but I also want to add some thoughts about it. Welcome to my first State of the Blogging.

The first step was to put the whole blog post in a mind map on a mobile phone. I liked the auto complete typing. Then I copied all the text into a Word document.

Brewing blog posts

In the past I used the mind map intensively for blogging. I edited the first rough version with MindManager on my Android phone and then extracted the information with FreeMind on my PC. Nowadays I use an iPhone and I could not find the right software, so I started blogging in Word right away. Like now.

The basic idea is still the same. I put little pieces of the blog post in a Word document. Then I expand the pieces to readable paragraphs. This is based on the Fieldstone method of Jerry Weinberg.

Most tech related blog posts can be quite boring, with an abundance of dry facts and tips. So, I tend to add jokes to the blog post. If I need to retrieve some information from a blog post, then it is easier for me to consume.

Nowadays, I put a rough overview of a blog post or a series of blog posts with a similar theme into one Word document. In the case of several blog posts, I split the overview into different parts. Yes, you are currently reading the first part.

Making it accessible

In the past I tried to make my blog posts more readable for other people. I added extra headings, so I had to add extra code for CSS or Cascading Style Sheets. I used the following code:

blockquote {
  color: black;
  padding-left: 5%;
  font-weight: 400;
}

h1 {
  font-size: 20px;
  line-height: 1.5;
}

h2 {
  font-size: 18px;
  line-height: 1.25;
}

h3 {
  font-size: 16px;
  line-height: 1.1;
}

Then I limited the size of the paragraphs. My rule of thumb is a maximum of 3 lines in Word, which leads to a reasonable paragraph in WordPress.

During editing, I tried to simplify the language, so a beginning engineer can understand my blog posts. Example: the previous version of the last sentence contained “to reduce the level of my language to a level of a beginning engineer”.

In one blog post I added a warning for people who use screen readers to read the text aloud. Most of the time it is tiring to listen to every period and comma in a sentence. So, a lot of people set the level of the screen reader to skip these characters. But this is not handy if source code is shown.

Bonus tip: I also used warnings for readers to avoid situations that trigger things like anxiety.

Just checking

English is not my native language, so I try to use proper words. I regularly look up the meaning of a word on the web. If I find a reference to urban language, then I need to change the text.

Fact checking on the web is also part of my blogging, especially if laws are involved. Luckily, they are published on the web. They are great link fodder.

Use the Source, Luke.

To be sure, I added a disclaimer that I am not a legal expert.

Word offers spelling and grammar checks. I prefer to use English UK. There are a lot of people who like to speak Oxford English, but use American words or phrases. Yes, I am one of them.

Using open standards

A Word document cannot be copied and pasted on the web as it is. I prefer HTML, the language used to make web pages. So I save the Word document with the option “Web page (filtered)”.

To be continued.

Reverse Engineering an Account Takeover or what I discovered while updating my email address – part 3

In the previous blog posts, I wrote about my observations, which could lead to an account takeover. Under certain conditions this was possible using the laptop of someone else. But if there is no laptop available, then there might be other opportunities.

Observations

During the period of updating my email addresses, I found several ways to find the Account section. I could search for the word Account.

Another way was to scan for an icon. A circle above the upper half of a circle is a Profile menu. The picture resembles a head above a pair of shoulders. Another picture, of three horizontal bars, is a more common way to indicate a menu. For the fast-food lovers, it is also known as the hamburger.

And there is a third way. One day I could not find the word Account or a similar symbol like a profile icon. It cost me several attempts to stop searching on my own.

Who you gonna call? The helpdesk.

The friendly call center agent asked me what help could be offered. I just called to change my email address. In return I got a lot of questions to authenticate that I was the rightful owner of the account. The questions were about personal information like my name and other private information.

The call center agent told me that my email address would be changed. I would get some emails. One of them contained the message that my account was removed. This was not my initial plan.

Not on my call.

But there was something wrong with the security. There were some dangerous things which could go wrong.

Hiders in the storm.

Discoveries

If there is a way to change things, it only takes one call.

Naming the term

Security questions are questions that can only be answered by the owner of the account. It is like two-factor authentication, as mentioned in the previous blog post.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover? In other words, how do I reverse engineer an account takeover?

Sketching a test idea

Here is a rough description of how to take over an account.

Collect personal information about a person.

Call the help desk and say that the email address must be changed.

Answer the security questions using the collected personal information of this person.

After receiving the mail that the email address has been changed, it is time to change the rest of the account.

Later, go to the login page, press the link ‘Password forgotten’, and follow the instructions.

Change the password and then the user name. The account has been taken over.

Mailing a concern

After the incident with the call center, I mailed the security issue to the company.

Recommendations for the system administrators

Configure the system in such a way that calls about changing user settings are recorded. There are systems which can record phone calls. This includes the phone numbers.

Check the login patterns using the log. E.g. if the user used to enter a wrong password once every 3 attempts and now only right passwords are entered, then there is a chance that another user is using the account.

Check patterns of changes to accounts. E.g. if several accounts of team members have been changed within a short period of time, then there might be someone who uses personal information to take over accounts.

Check the use of two-factor authentication.

Check new email addresses on a frequent basis.

Automate checks. Determine new metrics to act upon, write code to check them, and mail the strange patterns to the administrator. E.g. the use of the account during the night.
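The automated checks above, as an added example that is not from the original blog post: a small Python script that runs three of the recommended log checks (a changed login failure pattern after an email change, a burst of email changes across several accounts, and use of an account during the night) over a constructed audit log. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): "timestamp,user,event"
SAMPLE_LOG = """\
2025-03-01T09:00:00,alice,login_failure
2025-03-01T09:00:10,alice,login_success
2025-03-02T10:00:00,alice,login_success
2025-03-10T14:00:00,alice,email_change
2025-03-10T14:05:00,bob,email_change
2025-03-10T14:12:00,carol,email_change
2025-03-10T23:30:00,alice,login_success
2025-03-11T00:15:00,alice,login_success
2025-03-11T02:00:00,alice,login_success
"""

def parse_log(text):
    """CSV lines to (datetime, user, event) tuples; malformed lines are skipped."""
    rows = [line.split(",") for line in text.splitlines()]
    return [(datetime.fromisoformat(r[0]), r[1], r[2]) for r in rows if len(r) == 3]

def login_pattern_alerts(events, min_logins=3):
    """Users who mistyped their password before their email change but never after it."""
    alerts = []
    for user, cutoff in {u: ts for ts, u, ev in events if ev == "email_change"}.items():
        before = [ev == "login_failure" for ts, u, ev in events
                  if u == user and ev.startswith("login_") and ts < cutoff]
        after = [ev == "login_failure" for ts, u, ev in events
                 if u == user and ev.startswith("login_") and ts >= cutoff]
        if min(len(before), len(after)) >= min_logins and any(before) and not any(after):
            alerts.append(user)
    return alerts

def email_change_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Windows in which at least `threshold` different accounts changed their email."""
    changes = sorted((ts, u) for ts, u, ev in events if ev == "email_change")
    bursts = []
    for i, (start, _) in enumerate(changes):
        users = {u for ts, u in changes[i:] if ts - start <= window}
        if len(users) >= threshold:
            bursts.append((start.isoformat(), sorted(users)))
    return bursts

def night_logins(events, night_start=23, night_end=6):
    """Successful logins outside office hours (night), grouped per user."""
    hits = defaultdict(list)
    for ts, user, ev in events:
        if ev == "login_success" and not night_end <= ts.hour < night_start:
            hits[user].append(ts.isoformat())
    return dict(hits)
```

Each function returns the accounts to report, so the results can be mailed to the administrator as the post suggests.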

Looking backward

For better, for security.
