note I’m seeing a bunch of search traffic come in on this one. Solution: Mouse over the video and click the Video title to watch the video on Youtube.

I wonder what the point was for making sure that video player is of a certain size to play the video in this case?

Also, how do you expect your video to get views if you can’t share it?

My guess is that they didn’t want the video to be able to play at a size where ads would be too small to display so they forced a minimum size. Update From the links at the bottom, this is exactly what’s causing it. Turning off advertising for a video will allow it to be played.

I had to figure out what the difference was so I made a quick page to compare them as you can see in this screenshot:

Let’s take a less restrictive channel and see if these work. I give you John Green of the Vlog Brothers

This works just fine. So now the question remains… why can’t you play music videos on Facebook?

Here’s the Vlog Brothers video

Update At least I’m not the only one having these issues. Found a Yahoo Answers question regarding this. The solution was to up the video player size. And here’s a Youtube group posting

We’re 9 hours 57 minutes away from the end of the overnight website challenge. I woke up at 5:30 this morning and was here by 6:45. We’ve got a great client and this has been a lot of work by me and Team Pegacorn (That’s Pegasus + Unicorn).

Lots of activities going on today, but since I’ve never had a caricature done of me… ever… and they had comic artists out there I got myself all done up robot style. It was drawn by Kevin Kosmo

I’m able to write this now that the issue I found is fixed. The Minnesota Department of Revenue used to put your social security number in plain text within a non-http-only cookie and it wasn’t a session cookie.

While this is bad enough that wasn’t the limit of the issue. You could also guess SSN’s and be returned legal names attached to them; within the cookie. This was kind of scary.

I should put a disclaimer out there about this. I wasn’t doing testing in any official capacity, I was paying my tax bill. I had logged into the site from work and hadn’t finished up the task of paying before closing the tab and putting  my laptop into hibernate to go home. Once I got home I opened my laptop again and revisited the site. It auto-logged me in. This scared me since the only login credentials was my social security number.

Being a tester, I went straight to the cookies. I found a govdata cookie that was pipe delineated with my Social Security Number and my full legal name (which I hadn’t yet put into the site). I cleared my cookies immediately. I tried the steps again: Log into the site with my SSN, view govdata cookie. Again my name was shown. So I tried my wife’s SSN. Her full legal name showed up as well.

I stopped there. I didn’t want to type in any other random SSN’s and be returned legal names (power scares me at the right times). I knew how to make a script that would just start from 000-00-0001 and count up until the end and store all that data. I’m assuming that the state is using the social security administration’s API for checking the validity of an SSN. Also, I’m assuming that the same service provides the full legal name attached to that number.

It wouldn’t have been hard. If you entered an invalid SSN you were shown an error. Enter a valid one and you were shown the next step. The poor sap with the example SSN displayed on the page had his number out there for years.

But why am I publishing this now? First off, it’s fixed. I had contacted a number of officials to make sure they knew about this issue and that it should be corrected ASAP (including a tip to take down the site until it was fixed). The MNDoR communications person replied to my email saying that a new system was due to be in place soon and gave me exact dates.

Her response was a bit alarming and totally incorrect, however, it’s likely because she either received a blown-off reply from the development team or didn’t understand the reply from the development team (emphasis is mine)

Thank you for your e-mail.  The Department of Revenue is in the process of transitioning the e-file program you are referencing to a new system.  On January 16, 2012, all business taxpayers will be transitioned to the new system and on January 29, 2012, individuals making estimated payments will transition to our new system.  The new system will never create a cookie.

To which I replied:

Thank you for the prompt reply. That is great news to hear about the move. However your statement about the “new system will never create a cookie” is impossible on a browser. There’s always a cookie involved when handling transactional processes. If the statement should be amended to say that the new system won’t store a cookie with private information in plain text then that is a better solution.

Keep in mind. Cookies aren’t the bad thing, what is stored in cookies can be.

Yes, I should have combined the 2nd and 3rd sentences (realizing that while proofing this post) but she got back to me pretty quickly with a better answer:

Thank you for the follow-up question.  To clarify, we do use a cookie that is a temporary session key.  It is unique and temporary and is used to guarantee that the user logged in is the same user for that session.  It is set to expire at the end of the session and has a time out feature on it as well.

YAY! A session cookie!

I checked on January 29th to see if the new system had gone up, and it hadn’t. I then forgot about this post due to being really busy with my job and checked it today seeing that it was fixed. Now the cookie is a session cookie that is marked as httponly and isn’t storing the ssn hashed within the cookie itself.

While this security issue doesn’t quite hit the OWASP top ten it’s the second time in a few months that I’ve hit an issue that’s only duplicatable within cookie data.

I’m also disappointed that the other people I contacted never got back to me. Minnesota Attorney General’s Office, United States Department of Justice, IRS Security Department, Social Security Administration Security Department. They were all copied on the email I sent to the MNDoR and I never received a response. I did receive canned responses from our two senators though, the canned responses being that they don’t handle state affairs and that I should take it up with the MNDoR and the Attorney General’s Office.

How many of you testers check cookie data obsessively like I do? I use the “Edit This Cookie” Chrome extension to quickly view what cookies are stored for the domain I’m on. I love that extension and suggest it to anyone who wants to know what the website they are on is tracking about them.

Image Credit: Shanta on Flickr

It’s because they didn’t realize that people use the back button.

Megan and I bought a Philips Sonicare set tonight at Target after taking back the camera that we bought the other night.

I went to register the product online so that we could extend our warranty by 6 months and get 15% off and free shipping from their website (like was promised on the insert in the box). First off, they didn’t have this model on the website so I spent a good 10 minutes trying to figure out how to register a product that doesn’t exist as far as the manufacturer is concerned.

Then I stumbled upon a SECOND registration site in the philips domain that not only didn’t need anything more than a “click the picture of your product and enter your personal details” but they kept giving me different codes for 15% off product & free shipping. They must have felt bad for not remembering they made my toothbrushes (they so nice).

So here’s the steps I took (complete with screenshots)

Choose to get 15% off & free shipping

Verify that you don’t want spam

See that you have a code for 15% off product and free shipping

Print the code (because we ALL have printers… i don’t)

Then press back… rinse/wash/repeat. Yeah… i’ve got enough. don’t need that one.

Update: Apparently their mail server is a bit slow… apparently I registered 8 times. Sweet!

Seth Godin put up a good post about the difference between trust and trustiness. He mostly pointed at corporations that showed their trustiness through PR campaigns and made a pretty strong comment about it in the last few paragraphs:

The difference should be obvious. Trust experienced is remarkable, trustiness once discovered leaves a bad taste for even your most valued customers.

The perverse irony is this: the more you work on your trustiness, the harder you fall once people discover that they were tricked.

Combine this with James Bach’s guide to faking a test project (that’s a pdf link) and you can probably guess where I’m going with this.

There’s been a lot of talk recently about how test is dead. Whether it’s being sarcastic about when test can be dead or the definition of testing. Testing is still very much alive, but is still evolving.

Tying this into the Trustiness idea again. As a tester, are you trusted or do you ooze trustiness? Are you submitting bug reports to look busy or as you find them? Taking a note from faking a test project: how detailed are your bug reports? How much do the developers you work with trust your bug reports when they see them?

Companies are always looking for ways to save money. Regardless of how people centric they are, they need to spend the least possible and make the most possible. Too many times testers get the short end of the stick in regards to timelines, resources, and budget. How do you stay relevant in your organization and prove that the money spent on you is worthwhile?

With stories about test being dead and end-users getting used to seeing bugs in their free/beta/trial software out there end up with quotes like this from Testjutsu:

At Google, the majority of the tools they produce are free for the end user. Their model is based on building things that people will use (for free) and building advertising into it. If it doesn’t work perfectly, oh well. It’s not like you’re paying money for it.

However, an increasing amount of times there are large bugs in paid for apps, OSes and Hardware. Which lead to posts titled “Software Bugs are a Regular Part of Smartphone Life for Windows Phone and Android users“.

I’m not trying to say that you should release something only when all bugs are fixed because that would take too long to release. But a bug that’s considered minor or not reported internally can come across as an issue that affects the trust level of the brand. This, in turn, can could come back on you because “Why didn’t you find that during testing”.

So are you trusted or full of trustiness?

 Image Credit: elycefeliz on Flickr

We use TestLink at Clockwork. I have a love/hate relationship with this software. I love the fact that there’s a place to store tests, display tests while executing, and get reports during execution times. I hate using the software. This includes creating test cases and plans. The entry method is a hodgepodge of rich text fields and the tab order isn’t all that intuitive. Making it even worse is that copy/pasting text that you’ve created into the fields is SLOW since the editor on page can’t access the machine’s clipboard directly and has to popup another field so that you can paste it in.

Solution for entry: My coworker Leaf made a converter using markup so that we could create test plans and tests in a plain text file and then convert it to the xml that TestLink requires for importing. It’s kind of awesome. Here’s his post on the creation of the program and here’s the github link so you can get it for yourself.

I wrote a blog post over at my employer’s blog called “Don’t make it hard for me to do the right thing“. You should read it.

I’m not going to post the full text over here for the sake of not having duplicate content on the web. However, I just want to say that the entire process was not only hugely frustrating, but extremely rewarding. The following assumes that you’ve read the link above.

That post morphed from a detailed one listing how the vulnerability was executed to a story about the ethics of reporting. It was extremely difficult to keep the detail out of the post while still providing good context. It also helped the have a few amazing editors looking at it to make the story flow better and be more smoothly told.

The original XSS bug I found was that you could comment as anyone you wanted to on the first newspaper site, but that quickly turned into posting executable javascript as a username and potentially doing whatever I wanted to.

In the first response from the CRM after reporting the vulnerability not only did they blow me off and treat like I was one of their clients, but they feigned responsibility for any of it and put it back on me (the apparent client) to fix templates. This tells me that they KNEW ABOUT IT but only offered tips on how not to do it.

I almost gave up at that point, but this was after I’d already started communications with the sites that were vulnerable therefore I already had a relationship in place with people that this actually affected and I wasn’t going to cause more work for them by giving up. That, and I’d promised not to go public with anything until they had a chance to fix it.

The final contact to the CRM was just plain out of boredom. I was desperate because a plea to the sales channel, the online chat that no one is ever online with (even during business hours) and calls to the support/sales lines since they’re one-in-the-same.

I’m still glad I waited. I’ve got some decent new contacts.

Google Reader for Android recently made an update the allows you to go the next item in your feed by swiping to the right (previous to the left).

I hate it. It drives me crazy.

I am constantly accidentally flipping to the next or previous item prematurely. The worst part about it all is that when I go back to what I was reading it’s back at the top of the post. This is a horrible experience when reading longer write-ups from anybody.

It’s not only Google Reader that’s the issue. Blogger displays on my phone are also subject to the swiping of my time. Google+ for Android has it now as well.

But why is this such a problem for me? I’m human.

Touchscreens recognize the input of multiple “Swipe Up” patterns in order to move down a page. This is where the problem starts. A swipe up pattern that moves slightly to the left or right can also initiate a left or right command.

Because of the fact that I’m human, the movements my fingers make aren’t perfect. I never make a perfect swipe up or any other direction for that matter.

Of course since blogger mobile has this ‘feature’ as well the issue compounds itself with blogs that don’t post their full feed content to RSS and require me to click through to read the rest of the post. They usually get a few more page views due to this issue.

Of course since one of those sites is Michael Larsen’s Test Head I can’t help myself but to look at the seeming lack of coverage for this feature from a testing perspective. The good news is that it definitely passed with flying colors. When you swipe left you get the previous, when you swipe right you get the next item. Good, done, closing this ticket. The problem is when you move slightly right while moving up, should that initiate the next post to display?

Was this even a testing issue? Should the requirements that the engineer had to go on been more specific? Maybe there should have been a pause to allow for a more deliberate motion.

Whatever the answer is, this wouldn’t have annoyed me nearly as much if there was a simple setting in the application that let me turn it off.

As software testers, we are called on to deliver bad news first, good news second. We sometimes shoot from the hip in an ask questions later type of method just to make sure the bug gets logged before it gets forgotten and comes back to bite the company, and possibly yourself, in the ass. This works well, as long as you have a good set of steps and the backup of documentation for why it’s a bug, you’re good to go. However, we often carry that personality feature beyond our project code which often turns out to be a bug in the new context.

When we go beyond code in our testing we can very easily be seen as arrogant and ignorant. Don’t get stuck in testing mode when you task switch to replying to emails. Make sure you’re reporting in the correct place when you don’t have your tracking system to depend on. An incorrect reply with what could end up being invalid information will come across as disrespectful to the people involved in your reply.

So, keep filing those bugs, and keep looking at the finer detail points to make the software you test the best software that it can be. Just make sure that you turn that blunt part of your brain off when it’s not required.

That’s what I was thinking after I read about the South Carolina Gamecocks being told to change to their normal jerseys during warmups of the game where they were going to wear Under Armor’s “Wounded Warrior” Jerseys.

The link above is a little bit non-obvious to what is really the problem (since they show the regular jersey’s as the first picture). But if you look at the second picture on that article you’ll see the issue. Although this story shows the preview of the jerseys.

I can imagine a conference room filled with Under Armour executives, designers, South Carolina representatives, and miltary representatives. A large conference room for all those people lit with florescent light that brought out the labels on the jerseys.

It’s probably even worse that the jerseys were special so they wouldn’t even be worn on game day. Once they did, the referees had a hard time reading the numbers so they told South Carolina to change to their normal home uniforms

So please, testers, consider the environment that your product is going to be used in or it may be scrubbed altogether.

The good news to this is that Under Armour is auctioning off the jersey’s to support the Wounded Warrior Project. (I couldn’t find the link for that auction and I somewhat doubt it’s a public one)

This question  came in from formspring:

“what is the coolest project you’ve ever worked on professionally?”

This is actually a difficult one. Even though I don’t have to do any research to do a post correctly, I have to be careful because a lot of the projects I’ve worked on since I became a software tester 10 years ago involved NDA’s. Also difficult is the fact that I’ve worked on a LOT of fun projects. I guess I’ll just have to list them.

My first testing job was at Digital River. I had never done software testing prior and this started out as a contractor position. A few months later I started on one of the most exciting projects. It was for a major league sport. Their webstores for each team and the main one. The project took a lot of work and a lot of late nights, but I was never disappointed. I think the major part of the excitement for me was the fact that it was a sport I liked to watch, I got free stuff, and it was fast paced. Each year during their playoff season I’d have to wait around to see which team one and push changes to their store with the winning gear. This project was most exciting due to who the client was, but the project itself was pretty standard since it was the same type of testing I was doing for all the other clients I worked with.

The next project that I was really excited about was testing and managing the process for a web based disc copying application and the associated equipment. This was the first job that I really got to travel for. The company owned a manufacturing facility in northern California. This was my first time testing hardware and hardware integration with the software we were developing. Also, I was building assembly manuals for the products as well as helping with efficiency of the assembly line process. I don’t really enjoy travelling for business any more, but I got to do it, and at least now I know.

Now that I’m at Clockwork we’ve got a lot of awesome stuff that we’re working on. And because each project is unique regarding functionality and scope I’m constantly discovering new and exciting projects that keep trumping previous “most exciting” projects. It’s nice to be at a position that keeps challenging my way of thinking about web applications and how people interact with them.

—————————

I’m taking your advice on what to write about. Give me an idea

As a follow up to my post “Your Mobile Website Blows” I want to do something more productive. I have a decent list of things that mobile websites should have and not have, but I know that I’m probably missing some things.

So here’s your chance to get in on the action. Comment here, on my original post, on Facebook, or on Twitter. Don’t worry about regurgitating ideas that someone else has already said since I’ll take those as more important.

I’ll make sure that each of the ideas are represented in my follow up and respond with my feelings on them.

Just to let you know, I made some changes to my blog before and after that post.

Prior to that post I hadn’t put enough love into the mobile version of my own site, so yes, I was talking to myself with some of those points. Afterwards it was recommended by Bill that I remove the CAPTCHA from commenting and let Akismet deal with the spam so as to give readers from full and mobile browsers an easier way to leave comments. His own words “there is nothing more limiting to comments than those fucking things“, are very true.

I do a decent amount of browsing on my phone. Most of this browsing is done via my Blackberry Bold. However,  I also have been known to browse on my iPod Touch and the myTouch that I have. What have I found since I started browsing your mobile website? Let’s start a list:

• You’ve hard-coded a width for a specific device
• You’re using a specific domain for mobile (m.yoursite)
• Your Mdot urls are different than your wwwdot urls
• Your entire site is in flash
• Your javascript is loading at the top
• You still have two columns
• I still have to zoom in to read your content
• You don’t have full RSS feeds and I have to click through to your non-mobile site because you don’t auto-choose the style sheet presented

Let’s peer into each of these and find out why they’re an issue

You’ve hard-coded a width for a specific device

Let’s assume you made this choice consciously based on the analytics for your site visits. Now, if you’re going to take the time to exclude anyone not using that device then you should take the time to include everyone else. Not everyone uses an iPhone (the majority of sites with this issue hard-code for an iPhone screen).

I’m actually really confused by this one because I’ve seen a few sites that with this hardcoding makes it difficult to look at when you turn your phone sideways for landscape display.

Mdot verses wwwdot

Newsites are the worst for this. “Just go to m.startribune.com to see the news on your phone”.  This is a great solution if everyone you follow on Twitter or are friends with on Facebook ONLY share the Mdot versions.

People consume content from more than just their desktop machine. You should automatically assign a stylesheet for the browser that’s viewing the content.

Your Mdot urls are different than your wwwdot urls

Let’s go out on a limb (a really short limb) and say that I try to circumvent your obvious distaste for my non-desktop browsing habits and I try to manually switch the link I’m at to the Mdot version of your site. A 404 page is not content no matter how fun you try to make it look.

Your entire site is in flash

Fuck off, I didn’t want to visit your restaurant anyways…

Your javascript is loading at the top

This is just bad practice, but I’ve seen a few sites that load the javascript at the bottom of the page on their full-site and then load it at the top on the mobile version. Do you hate me? Why must I wait for your overloaded corporate tracking software to render and execute before the content even shows up. It’s bad enough that I have to look at a damned loading bar at the bottom of my screen while that stuff is executing, but now you just hate me and make me wait for it while the content downloads.

You still have two columns / I still have to zoom in to read your content

When your site STILL has two columns in the mobile version which makes me have to zoom in on your mobile version to read your content you have failed. Worst yet is when you make it two columns and THEN lock out the zoom function which makes me punch the wall pretending it’s your face.

You don’t have full RSS feeds and I have to click through to your non-mobile site because you don’t auto-choose the style sheet presented

I’ve deemed you worthy of my time by subscribing to your feed so that I can get each update on my own time in the browser/reader that I choose so that I don’t have to monkey around with everything that I’ve stated above on your below-par excuse for a website. Then you pull the “We want you to read it on our site and in order to see it you have to go here and wait for 20 hours for our flash ads to load because you HAVE to see them for us to get monies”. Fuck you. Unsubscribed.

Conclusion:

I don’t really punch the wall, but I do get frustrated. And I’m upping my policy. If you have a mobile site and you’ve obviously taken the lazy route to making it work then I’m not going to visit your site in any browser. Those of you that don’t have mobile sites yet, get one, but put a dash of love in it for me… I’ll appreciate it (and no doubt your other adoring fans will as well). For you bloggers out there, just make sure you’ve got a full content RSS feed enabled and I don’t care what your site looks like. Add ads into the content, don’t care, at least you won’t make me angry and I can still read about that thing you did with that guy and girl at a public place… GOING TO A CONCERT WITH YOUR FRIENDS… gosh, your mind went in the gutter fast, didn’t it.

I’m cleaning out the micro-SD card on my phone and I noticed a folder for Foursquare. When I opened it there were 344 .dat files in the folder totally 1.64MBs of space.

I’m not all that concerned with the fact that there were .dat files in the folder, what I am concerned about is the fact that they are most likely used for caching data, but not cleaned up.

I’m all for portability and convenience, but I wonder how much other crap is on here that doesn’t have good cleanup mechanisms around old files. Also, had I left it alone it probably would have approach epic levels of *gasp* 2MBs. After cleaning them up the application continue along, but this time a bit leaner.

Moral of the story: Be kind to your users. Clean up after yourself.

Yesterday I received a few emails from OneForty.com which is a directory of applications to use with Social Media sites.

I signed up for their email list because I wanted to receive updates from them when they added new features to the service, etc. However, I didn’t expect:

It’s not particularly a big deal because I work for a company that manages email lists and mailings through our CMS platform, but one thing that’s very clear is that part of the process got screwed up.

The content of the email was pretty much standard for testing a mailing. The lesson is that you should be only entering in test data to mailings that are either A) on a test server or B) assigned to a mailing list that only contains yourself or your coworkers.

I’m also going to assume that the reason that two emails were sent out was because the first one wasn’t received by the person testing.

While writing this I received a DM from Laura Fitton (CEO of OneForty) apologizing for the test emails but she mentioned that they didn’t send out an apology email because they didn’t want to further annoy with an apology email (good move in my opinion).

The lesson here is to check your setups before testing your platform if you have to work in a production environment.