Outsourcing test process

Development market in Poland become more adult during last couple of years and I am happy to see that there appears head hunting for new job titles like Quality Assurance specialists. That is a strong signal that software houses become more responsible for their products and their do understand that you can not leave the client alone with the software testing. The problem is that sometimes, because of different reasons there is no possibility to build such a team in-house. For example executives believe it is too expensive and despite your error cost analysis their refuse to hire quality specialist. The different reason may be that there is just one big project, which has releases once per month or three and there is no sense to hire full-time employee. These situations happen more often in smaller companies, however there are also situations in bigger once where developer or consultants are testing software and not regular quality specialists. The other topic is that there is quite many tools, which may help you during testing and you must be very experienced person to not buy a crap for big sum of money. There is many potential black holes like test automation, where you can waiste plenty of time and money without a significant effect. Where to install this tool? How to establish test environment which is totally separated from development and production systems (e.g. different domain)? Yes... there is plenty of question and things to do and most of developers don't want and should not make their hands dirty in this mud. Besides... lets be honest. Testing is an adventure and there is often that is repetitive, benedictine work. This is why outsouring QA work is quite interesting solution. The question is only how to do it smart, because it is very easy to get pile of wastful papers from the external company, which does not give any add-on values to your development process.

1. Which cash flow model to choose?

There are generally following possibile models:

A. Times and material - where you pay for time, which people from the external company spend on your projects. There may be different hours wage for people who prepare tests and write final tests and people who actually do the tests. That is definitely the best option where you start cooperation with external company as both sides can easily switch the level of cooperation and adjust it to real needs.

B. Fixed price - if you have some bigger project(s) and there is possiblity to define easily the range of cooperation plus you want to transfer some part of responsiblity on external company, you may think about preparing the contract. The problem is that most usually the border between develoment and testing is quite blurred and this type of deal has always the risk of doing 'only what is in contract'. As live brings many surprised you may find yourself easily in unpredicted situation, where you will have to come to A option any way (e.g. testers must explain developers what the problem is about and contract does not predict such option.

2. What is needed to prepare cost estimation?
That is probably the hardest topic, when you start coopeartion. It is smaller problem in option A as both sides realize that the total value is flexible, but it is very hard topic in option B and most probably outsourcing company will add there some reserver/risk budget for unpredictable situations. Anyway... There must appear answers on number of questions...

A. What is the size of work? The best way is a simple presentation of application and discussion which parts of the system will be tested. Then, basing on number of screens/forms or number of functions plus predicting the number of test iterations, external company will have to estimate their engagment.

B. Who maitain and provide externally test environment?

C. Who installs the software in test environment?

D. What type of tests are done? You have wide range of options:

• code review - basing on provided, general or existing rules you provide report about the code purity
• unit tests - writing unit tests for code (usually should be done by development team)
• integration - putting all the modules together (usually should be done by development team and good idea is to link them with building process - smoke test with daily builds is here a good option)
• installation - test of installation package in different environments
• functional - testing all the functions of code (the minimum package is called acceptance tests)
• platform - testin application on different type of machines, OS systems, internet browsers etc.
• performance - checking how the system behaves (eg. what is response time, how much RAM, CPU, disk space is used) during heavy workload (e.g. many users at one time).
• security - checking if the system is secure and nobody from outside or inside can break in, there is also the option of doing the hardening
• destruction - emulating dummy users (eg. monkey test - play on keyboard like the monkey)
• documentation - check if you can use the system without any interaction with software vendor
• legal - verifing if the application follows particular legal regulations

...

E. What is test approach? Generally the tests are done basing on prepared test scenarios (accepted by both sides) plus some number of ad-hoc test. The question is how many of tests are basing on written scenarios and how many on intuition?

F. What is communication model?

INPUT: The best option is if the external company gets the packed product with instructions and they should do all the tests alone. Then they emulate the real users and situation is quite clear.

OUTPUT: By default the external company will provide the summary report and some list of errors. Most important thing is to have full and detail reporduction list in case of any bug. It should contain the number of action from particular, written test scenario if possible plus as many screenshoots as possible.

Roadblocks
It happens quite often, especially an early stage that there happens the road block - the event which stops QA team from testing all application, module or particular, bigger set of functions. It is opened question how both sides deal with this option and there is wide range of option starting from the very formal one where external company closes whole iteration of tests offically as it is to the very informal where developers delivers quickly some patches. Both solutions have though positives and negatives and each case is different.

Bug Tracking System
More adult organization will provide Bug Tracking Systems, which allows to monitor the life cycle of errors. The open question is who maintain the system and what are the rules of coopeartion? Choosing the particular platform is quite easy thing as there is plenty of options - there is number of interesting web-based open source solutions.



Oursourcing testing process is quite challenging task and there is some risk of miscommunication as testers are usually adding the work to developers and developers are writting buggy code ;) If both teams are located in different companies managers must put the real effort in communication improvment and perfecting the process. On the other hand the external company gives a fresh look at the appliaction, bigger independence in testing and kind of the insurance that a final product is usable. Except detecting errors they may also add number of suggestions/change requests, which make the system *turely* more userfriendly and smooth.

Projects scoring system in PMO

Many of Project Management Office (PMO) realize number of projects in parallel and quite often it raises the resources conflict. That is mostly about people, but it includes also hardware, budgets and the others. Companies fix these conflicts (or not) in different way...

Independent project teams

Very good solution is to organize the whole company basing on project or product teams focused fully on realizing dedicated project/product road-map. The organization structure is quite simple and there is no management conflicts like two managers claiming that particular task/person's work is her/his duty. That approach allows also to assign 100% time of particular person to the one and one thing only, what is base assumption for most Agile methodologies. This allows people also to specialize deeply and company may benefit from it in low "introduction cost" when new project starts.

The drawback of this solution is limited possiblity of resources load balancing. You do not have "universal soldiers", which you can use at various projects and you must accept situations, when particular people have "lazy time" in particular project phases - eg. during stabilization phases developers are not allowed to add new functionalities, testers does not have much to do when developers prepare the first prototype, analysts turn on usually at the beginning and at the end of projects etc. These situations causes that number of companies have dedicated managers/leaders positions, which focus on managing resources in parrarel with project managers...

Renting services from specialized teams

In this approach the project manager (PM), when he starts the projects asks internal team leaders (eg. one for analysts, developers and testers) how much time will cost them to do particular job (eg. analysis, development, testing). PM has also free choice, if he wants to use internal or external resources - it put team leaders in competetive position to the market possibilities. PM has usually a choice, if he wants to supervise personally the resources (smaller projects, times&material) or move part of the responsibilities to subteams leaders (bigger projects, fixed price). That follows Prince2 guidelines and its 3 or 4 level organization.

The drawback of this solution is that PMs compete for resources, what raises number of conflicts. How to define, which projects are more important?

On the surface the answer seems to be simple... Where the purse with possible profits is the biggest!!! :D

Unfortunatelly the devil is details! and it starts from tricky simple questions... What is the probability of gaining money? When we will see them? Are the money the most important? Most of companies have quite high, informal political factor eg. we must do the project X, even when we have small profit from him, but we win in this way very important sector of the market... and similar and so on... Do you know it? If you have PMO, I bet you do ;)

Prioritizing projects

I know that is a horrible thing to write, but... I thought about this, during summer weekend when my skin were becoming brown ;) and then I have reminded myself about Kerzner book "Advanced Project Management", which shows number of real stories like the one above. Quite quickly I have found Drawing 7.8 "Scoring model for one project". The simples solutions are the best, so instead of explaining the whole solution I have prepared the simpler version of the matrix... where each 5 key managers taking a part in steering comitee meetings got 5*[number of projects], which they could spend at any projects as they wanted as far as no more than 10 points are spent for one. When scoring, each person must describe the key factor, which has been used to assign points. Of course the director voice is stronger than managers, so there is also wages system, which is always specific for the company as well as group of people doing the excerise. Generally the whole mechanism is quite simple...

In pratice, you need to do it couple of times until the importance are fitting the company specific and they are satisfactory for the whole commitee. The main target of it is to provide the guidelines for the whole company, when more than one person is engaged in setting the real company's strategy. Of course the whole excercise must be redone once per some time, depending on how often the strategy changes and new projects appear or existing are finished.

And one tip at the end... Take the fat book with yourself, when you introduce the system like the one. When I put the Kerzner (3kg of wisdom) on the table, everybody have been more interested in it, than in the prioritizing concept. It allowed me to go smoothly through the acceptance chain of pain :D

Tips and tricks for start-ups

The internet is lastly like a wild west. We move from the east coast and it seems like we are still far away from the Pacific Ocean. Instead of the run for a ground, we reserve the domain names. The cost of establishing your own business in the internet is nowadays very cheap or even free and there is plenty of people with various specialization, who saw the gold in establishing their own web page. If you have the vision how to put particular process on the web and make the money on it, you just need to give it a name, find doers who code it and partner who will host it. This causes that number of enterprises, which did not have a chance in the past, have the chance to exists now. Very good sample of it, are the survey services and web page like http://webankieta.pl/ - one man can do a change.

The reality is not though so colorful and most of start-ups die quickly. If you think about starting your own business and you do not want to finish it as the silent tomb, consider couple of points below...

1. ALWAYS FOCUS ON CLIENTS OR POTENTIAL CLIENTS – do not loose yourself having a fun watching your desings becoming true; that is a business and business is where the money is. Most of start-ups bankrupt before the first invoice appears – if you cash your first client you WON the first and the most important point.

2. Keep your costs low at the beginning – if you fail you will not loose too much and you will have the strength to start up something new. Pump up the money in the working business - if you cash the first invoice, there will be a time to invest money.

3. Check the competition – you always think you have invented something unique, but there is number of smart people over the world, who do amazing things and you must position your idea among them. Very good way to do it, is to discuss with various people and learn to convince them why your idea is better than the others. If you do it couple of times, it means you truely have something.

4. Find the partner – if you can not convince at least one of your friends to the enterprise, it means that you are probably Don Kichot. No... even he had a partner - Sanczo Pansa. Yes... If plan long journey, you should not do it alone.

5. Leave the solution opened and do not spend too much time on details – the only thing which you can be sure of is THE CHANGE

6. Do the nice graphics – if you do it smart the cost of it is low and this is what clients like.

7. Create the prototype as soon as possible so you can quickly show it to the potential clients and ensure what they truly need. There is a big difference between talking about the solution and showing it. That is also about the agile approach and if it is possible the best way to create the product, is to do it iteratively with your client.

8. Reserve quickly nice domain names – it is quite cheap and you never know who may buy it before you, when you start to discuss it with peoples.

9. The best way to promote you idea over the web is to get the partnership with one of big national portals or worldwide vortals. The other option is to buy the positioning service, which will let your dot-com be found, when people search for certain words in Google, but… you will have a time for it later on. You should find your first client personally at the beginning.

10. When you consider the technical realization of the project ask about proposals couple of companies and verify they offer with some of your technical friend or independent consultant. Set up the key criteria like performance or security and ask straightforward how possible doers plan to realize it. Higher the cost of realization is – more formal the process should be.

Start-ups are exiting and challenging, even when that is a high risk mission. Everybody wants to be a cowboy. If only you will put the attention more on your cows and less on a revolver, everything should be fine ;)

Sucessfull scheduling

I have been asked lastly if I know how to schedule successfully. For novice PM the task seems to be easy in Microsoft Project - simple Gantt chart is all what you need. More experienced fellow, who has realized at least one bigger project will just smile as he knows already how tricky the life is.

PMBoK defines 4 main project dimensions - scope, quality, time and budget. Most of stakeholders likes to track mostly the schedule (time) as it is the easiest thing to track. PM must be a solid man to be able to clarify connections between schedule changes and 3 others things (scope, quality and budget) - this is why the best option is to avoid baseline changes.

There are the following key tips, which should be followed in any schedule - some of them may be for you a cliche, but believe me that they are easy to forget:

1. Ensure that you included any formal holidays (may and december is full of them in Poland) or informal holidays (like the integration camp)
2. Ensure that you included teammembers holiday&training plans within project timeframe (like any other days when they are not at work)
3. Estimate time conservatively, but remember about the Parkison's paradox - somehow even the longest predicted time for a task will be used in 100%
4. You MUST to have some buffer if somebody will be sick, if things will go not as planned - higher the project risk is, bigger the buffer should be. 20% is the default value calculated once by Accenture.
5. Include milestones (0 day long tasks) to mark achieving important moments in the project
6. Prepare for change - make the schedule as simple and as solid as possible so it is easy to maintain. For example if you have the team-mate who will do 4 concurrent tasks, it does not have a sense usually to model it in the schedule as 4 tasks with 25% usage of resource - usually 2 or even 1 task is enough.
7. Make phases as short as possible (1-3 months) and at the end of each has some part of visible and production work finished - yes, it comes from agile world and it works!
8. Share the schedule among all teammates - how you do it, it is up to you, but everybody should have the schedule in their vision range daily.
9. Save the baseline and track the schedule at least weekly - have a quick session with your teammates and review progress.
10. Prepare that the last 10% of task will be the worst and it will consume about 20% of your time.

I know many PMs and each of them schedule slight differently, even when they use the same MS Project - they have they own scheduling style, so to speak. The bullets below are just the guidelines and you may have your reasons to do the things differently:

• Use schedule calendars to realize (1) and personal calendars to realize (2). Tools>Change work time.
• Note who estimates too conservatively and too optimistically and make necessary corrections of their estimations (3).
• The task should not last more than 5 working days (3)
• Use dependencies between projects wherever possible - do not use constant start and end date (this approach causes usuaylly that the schedule is harder to maintain)
• When using dependecies there is quite cool option to delay or make quicker particular task - use it wherever applicable
• Very often if you request the time buffer offically you get the refusal from the stake holder - this is why the best approach is to add AT THE END of each important task group the solid task(s) like integration or unit tests with significant amount of time and ensure it is on critical section as only than it is a real bugger; you as PM are responsible for efficent usage of it during the project (4)
• MS Project gives many different ways to share the schedule among people - tasks via emails, WebAccess, EPM, Project Reader etc. I have tried most of them and I must say that still the best way is to print on paper number of copies of the schedule and pass them to all the teammates and hang it somewhere in visible place (8)
• Printing schedules in MS Project is the art itself, but there is very usuful way to do it nicely - delete all the irellevant task like the next unestimated phase (but do not save the change), go to print preview>page settings and use the option of fitting to 1 page (for small projects) or more (for big projects).
• If the schedule does not go as it is planned and the difference is significant, you must be tough enough to admit it and introduce the repair plan - do not hide the problem under the carpet, do not limit the time for tests or other following actions because any of this solutions will explode at your face later on and it will be just worse. I know it is a painful thing to explain this type of things to the stakeholders, but believe me... Even when they will angry on you, you may always tell that at least your are this type of person who can openly discuss the issue and... do not kill the messanger ;) (9)
• If the project goes better than planned, never ever promise too much... If it will be finished on time - you are the one then (10)
• Use "Resources workload" to ensure that there is no overallocation
• Using "Rosources spreadsheet" you may add cost of work and calculate easily the cost of work for the whole project
• ALWAYS, ALWAYS remember what is the target of the project and ALWAYS have it in front of your face - do not loose yourself in papers as you are not a EU clerk and do not loose yourself playing with toys as you are not a kiddo ;)

Microsoft Solution Framework - tips and tricks

I have refreshed lastly my knowledge about the MSF. I have looked backward and deep into my soul and here there is a short list of my private suggestions if you think about going into the direction...

Choose carefully MSF3 or MSF4
There is quite a big twist in Microsoft approach to the MSF lastly. When MSF3 is the loose set of good practices written on paper, MSF4 is their implementation within VSTS... some people say even that MSF has been monetized. MSF4 defines two main templates and guidance - MSF for Agile and for CMMI. There is an option to define your own process with Template Editor, but that is not an easy process.
In general...

• Option 1 - If you have small team and you want easily customize the process - MSF3 will be a good choice and set of VS Pro licenses will be fine.
• Option 2 - If you work within big corporation, in distributed geographically team, keeping a standard is a problem... you may think about MSF4 and convincing stakeholders to spend a lot of $ for VSTS installation (that is not just about buying licenses - you have servers, administrators, infrastructure - all the heave equipment).

BTW, if you are in second option and you works with open technology, you need to consider RUP and Eclipse from IBM. There funny thing to write but in first option you may do .Net projects with RUP and you may do J2EE projects with MSF, even when MSF+Visual Studio belongs to Microsoft and RUP+Eclipse belongs to IBM.

Do not be religious
You just read what MSF is about, you are very excited... Lets rock, lets put it into play...
No, no... Hold on for a sec... go for vacation... Chill down...
Whatever you do, does not do it because the paper says so. MSF is just the tool to realize the goals. Which goals? What do you want to achieve? Whatever you do, does not forget that you are about improving things.

Introduce Framework step-by-step
Anayze the current status! Do you have some well working processes? Take care about them and protect them. Do not hesitate to customize MSF, so old-well-working things stays where they are.

If something works wrong, indentify 1-3 the biggest problems and solve them using particular mechanisms from MSF. Daily builds, bug triage, zero bug bounce - these are the good candidates at the beginning... Does it work? Do people like it? It is MSF... Lets start the new project with 5 phases, but if there is project manager in Prince2 meaning, do not hestiate to unite Program and Product manager role if that is necessary.

Team model in practise
Team model in MSF is quite unique and white paper says that each role has to work in each phase. That is not totally true. Release Management comes into play rather in the final phases. Keep in touch with the guy, but does not insist on having him at each meeting and 100% engaged into the project at any stage.

The other story is User Experience fellow. The main problem is, that there is so little people with this profile on the market. In practice very often the role is taken by business analist... and that is fine. In similar way the Program Manager role is often classic Project manager and Product Manager is Sponsor of the project. As far as it works... lets leave it ;)

Use trade-offs
Trade off theory has helped me often in practise to leverage new requirements and staying assertive - nothing is for free!

- Of course we can add the functionality! What do I get in return? Extra time or person? When he will be on the board? In 2 months? Ok... When he is on board we will analyze the new functionality ;)

In very taugh times you may mention fourth dimension - quality; triangle story extended to tetrahedron (three sided piramid)...

- I may agree to add new functionality, within the same timeframe and resources, but you must approve to me on paper that you accept lower quality of the final product.

... Yes, that is just the intelectual trip ;)

>Keep the balance between the phases
If envisioning took 1 week, the planning will probably take around 1 month. If during planning you have done all the key Proof of Concepts in code, you may close the developing phase in next 1 month. Stabilizing will the next 1 month and Deployment about 1 week.

For example... It is quite common error, that when things goes wrong the stabilization time is cut off. The effect? The same time doubled or tripled is spent during Deployment. That is a dark side of Project Management that in crasis, the taught situation must be faced and not just postponed.

If you prepare the schedule in planning phase, do not expect that you will be able to close 3 next phases in 2 months and 1 week, if getting to the point since the beginnig of the project took you over 2 months - there are some exceptional situation, but at least look in the mirror and answer yourself where these exceptions truely are.

Use bug triage
I bet my surname domain on the short setence - BUG TRIAGE WORKS!

Things, which are not monitored once per a time, go into the chaos stage. Let's face it - reparing bugs is boring and painful work to do for developers. Everybody knows it. Anyway it must be done though, in the same way how you must clean your flat (at least once per a while). Project Manager must be sometimes a mommy who says: "Sweetheart... Clean your room tommorow, ok?" or "When finally you will put these dirty socks into this damm wardrobe!" :D

Having whichever Bug Tracking System (excel / customized open source project / customized SharePoint poratl with lists / commercial product / VSTS ) is at great help - anybody may quickly see what happens with bug #645.

- Hey Bart! Our CEO has looked today in our BTS and he has asked about this problem with dockable windows. Can you add him some comment about #645 and send him a link?

...and this is it - you definitely will not loos by knowing what MSF is about ;)

Heroes happen here - {in Warsaw}

Mood: Too much paper work, too much organizational stress, but... finally weekend incoming

Yesterday (6.III) I have attended to MS conference Heroes Happen Here in Warsaw, which was sold as countrywide premiership of Windows 2008, VS 2008 & SQL Server 2008. It happened 7 days after the premier in LA (27.II), where quite a big show took a place including Steve Ballmer speech - do you prefer pictures or text from this event?

Comparing Warsaw HaHaHa to LA event or MTS 2007, it was quite modest one, but I liked it as I am not the one who screams seeing fireworks. In fact that was the Microsft&Parnters RoadShow around Poland presenting the bundle of new products. The split on admnistration and programming part was very smart and working well. MS became much better in organization of these events last years and they served quite good, standard package: hotel Gromada; 4 coffee brakes; good food, which you could eat staying in crowdy place (the only constant disadvantage); and nicely looking hostesses. The service was generally decent with one exception, which I have finally figured out - stuffy conference rooms, which made everyone sleppy, but only the technical staff could do it without a shame ;)

Hey man! Who are you? Stop to talk about logistics! The conference is about gaining the knowledge!

Yes, that is true and this is why it was a fruitful day - I had good, quick review of my knowledge about .Net Framework and 2 out 4 speeches were really good.

I must mention new MS ISV Evangelist Barłomiej Zass, who had sold MS religion in eatable way. He did not go with easy way showing just bullets, but he spend visible amount of time to prepare the real examples of "how VS 2008 makes your code shorter". Some of these samples were a little bit marketing like the new face of Unit Tests (descendant ACT was not mentioned), but most of them truely made me thinking about buying the thing, when I saw houndreds lines of code decresaing to dozens with usage of LINQ tricks. At the end there was one thing, which truely surprised me... Version Digresion- he described the versioning strategy, which set up the rules of making the build AFTER EACH check-in. Furthermore, this rigoristic approach is even tougher in some companies (luckily in US), who turns on the red lights and trumpets in open space, if some developer checked-in the wrong code, which does not compile!!! Can you imagine this? How motivating is that, to double check your changes (at least if they compile) before you check-in. Good and scary!

The 1st star of the conference was though Bartosz Pampuch from Comarch. I must admit, he is the one, who makes me beliving in polish MVPs. He taught among others the perfect answer for any architectural question - IT DEPENDS! :D The laugh was iterational :D His nice slides warmed up the audience and his great speech showed plenty of real-code situations including positives and negatives of new MS solutions. He was brave enough to show sincerly the problems when making transactions with WCF, WWF is not easy to understand and acceptable by final users (what is the story with this Properties panel? Why that is so complicated? :D) and some problems with scalability of WWF. This is why his positive feedback about .Net 3.5 was so reliable and at the end of his part, you are willing to play with "his" toys. It was very visible that this fellow has a fun working with these new technologies and he had the ability to share it with others.

And at the end I came back to my workplace... Emails, Words, Excels and other "cool" stuff... Trying so deseprately and unsuccessfully clean up my desk, so I can open for 4 hours straight at least VS 2005 ;)

Mailbox migration, C drive running out of space and other *fun*

Mood: Stabilized
Sound of the day: What if I say I will never surrender!

The regular reality brings you the number of small, administrations problems, which you have to "micromanage" by yourself. As I have been asked couple of time how to manage them - here there is a couple of tricks...

Mailbox migration

Assuming you have regular Exchange server, your Outlook points to OST or PST file, which is stored by default at "C:\Documents and Settings\[login]\Local settings\Application Data\Microsoft\Outlook\Outlook.xxx". Do not be surprised if you notice that this file weight couple of GB. If you have PST file it means that you are a lucky guy and you have fully movable copy of your mailbox; if you copy this file on any medium you will be able easily to restore it on the other PC. That is the best way to import/export your PIM data.

If you have OST file, the situation is more complicated as in this case the data are offically on Exchange server and the OST file can not be opened on the other machine, which has no connection to that server. Offically. Inoffically there is a couple of possible tricks... The best one which worked for me and the mailbox from Outlook 2003 was to pay 15$ to PasswordCrackers, who transformed for me OST file to PST file. In fact I just have followed Matt Goyer .

I am quite sure that they have used that they have used one of possible solutions like Outlook Recovery Toolbox or from Nucleus Technologies, but the trial versions of these will not be enough and paying 60 and more $ for a software, which you probably use just once is pointless.

C drive running out of space

I am in situation where there is no space on C drive and plenty of it on D drive.

Sounds trivial like the problem for dummies? Believe me it is not, if you start running out of ideas.

Having just XP, full Office, MS Project, SQL Server (installing this one od D drive was a horrible experience) and VS 2005 plus couple of the other small items believe me that after a year of use 12GB becomes very tiny space.

After I have uninstalled number of unnecessary things there, cleaning regullary all temp files including waste bin, there was still a problem. If you run out of the ideas I suggest you to follow the checklist:

• Install free OverDisk software which will show you in cool way what eats your hard drive
• Ensure that you do not have any old user profiles, which may weight even 1 GB
• Clean "C:\WINDOWS\Downloaded Installations" directory which may store even couple of GB of patches from MS
• Decrease the size of the virtual space
• Turn off hibernation
• Turn off System Restore
• Turn off File Protection
• Turn off HD indexation

... and then my todays discovery with OverDisk. Check how much weights your archive.pst file, which you may easily move from C to D drive (in my case it was over 1GB!).

After whole process do not forget about disk defragmentation, what truely saves you nerves decreasing the chance of blue screen during system heat-up.

... and at least but not at last

Live well with your local administrator :D

Dual-use items

Mood: Too much work
Music: Cool sounds


Introduction - Background of the story

Taking a part in one of the tenders, I was surprised by the issue called "dual-use items". The thing was put on the table by Jakub Manikowski from IBM, who pointed out that exporting some items from EU country, outside EU borders bring you within the range of these regulations. "Dual-use items" are in general, items which may be used for military or civil purposes and surprsingly it applies also to some advanced technology including even some better IBM servers. Somehow in rings the bells in the head, but... Step-by-step... First the homework ;)

EU regulations

The whole thing is defined by fat, 215 pages long EU regulations No. 1334/2000 (polish short version) and there is couple of surprises like:

• passing the technology via "electronic media" (8)
• software is next to nuclear weapon !!! (Chapter I, Article 2a)
• "oral transmisttion of the technology by phone"! (Chapter I, Article 2b iii)
• "This Regulation does not apply to the supply of services
  or the transmission of technology if that supply or transmission
  involves cross-border movement of natural persons." (Chapter II, Article 3.3)

The key thing is that if your product is on the list you need to manage "individual permission on the export", which is defined in Article 7. The permission must created according to the template in Appendix IIIa (p202) and "in accordance with the indications set out in Annex IIIb (p205) " (Article 10).

The items are listed in Commerce Control List (CCL) categorized by ECCN numbers Export Control Classification Number, which are common for EU and US. The first number of the ECCN identifies the category to which it belongs, for example, 1 = Nuclear Materials Facilities and Equipment, 4 = Computers, 9 = Propulsion Systems, Space Vehicles and Related Equipment. Next the letter specified the product:

A. Systems, Equipment and Components

B. Test, Inspection and Production Equipment

C. Material

D. Software

E. Technology

Among things on the list, the most interesting are (for me obviously ;) ):

• 0D001 Software specially designed or modified for "development", "production" or "use" of goods specified in this Category (p. 42) - Category 0 "Nuclear materials, facilities, and equipment"
• 0E001 similar for "technology", what may means whatever including hardware
• 1D Software for Category 1 "Materials, Chemicals, Microoranisma and Toxins" including software for radars (1D103) (p. 73)
• 1E102 Technology according to the General Technology Note for the "development" of software specified in ... (p.74) and similar in 1E202, 1E203
• 2D Software for Category 2 "Materials processing" (p.94) - among others "capable to coordinate simulatenously more than four axes for counturing control"
• 2E Technology - among others "Technology for development of interactive graphics as an integrated part in numeric control units for preparation or modification of part programmes" and "Technology for development of integration software for incorporation of expert systems of advanced decision support of shop floor operations into numerical controls units"
• 3D and 3E, Software and Technology for Category 3 "Electronics" (p. 124) - among others some kinds of CAD software
• Category 4 "Computers" (p. 126)! - among others "equipment designed for image enhacment and signal processing" (4A003), designed and modified for fault tolerance (including some mirroring mechanisms!), operating systems designed for "multi-data-stream processing" (4D003a)
• Category 5 "Telecomunications and information security" (p. 136) - "fiber cables and accessories for underwater use" (5A001c2), "Equipment employing digital techniques designed to operate exceeding 1,5 GBit/s" (5B001b1), "Equipment employin)g optical switching" (5B001b3), symmetric alogirthms can not exceed 64 bits! (Note3 p.142) and assymetric exceeds 512 bits (5A002a1b), smart cards regulations incl. money transactions (p. 144)
• 6DE for Category 6 "Sensors and Lasers" (p. 169) including software for Air Traffic Control (over 150 simolatenous system tracks)
• 7DE for Category 7 "Navigation and Avionics" (p. 176) inclduing the software which reduces GPS navigational errors, some kinds of CAD software
• 8DE for Category 8 "Marine" (p. 186)
• 9DE for Category 9 "Propulsion systems, space vehicles and related equipment" (p. 195)

The list of countries which does not go into "dual-use items" regulations is provided at p. 200 and it includes countries like US, Canada, New Zeyland, Australia and Japan.

There are three ways how you can define if particular item goes into dual-use items regulations or not:

• Do it your self
• Ask the manufacturer
• Get offical classification from appropriate beurue in EU country or from BIS in US

Other sources

In US you must be aware of Export Administration Regulations

In US law there is a specific difference between the item, where "No Licence Required" (NLR) and the one which is not listed yet in CCN (EAR99).

BIS posses dedicated SNAP-R service to register export licence application

Some news about last changes in EU regulations

FreeBSD ECCN!

ePassport - intro

Mood: Wife does not sleep at home, husband rest in peace ;)

Music: This is how I have learned the word 'remedy' :D

Note: All the materials available and provided below are publically available on the internet.

Introduction

The biometric passport is in general the passport with the RFID computer chip, which stores the data necessary to uniquely identify the person. Once per a while there are organized the Interoperability Test Events, where number of companies presents their passports and test them with various readers discussing and analyzing the results - one of them happened last time in Berlin. The well known deliverers of complex solutions are (among others):

• Giesecke&Devirent
• Oberthur
• Bundes Drukerei
• PWPW
• Österreichische Staatsdruckerei

The chip

The content of the chip is the top secret knowledge of any country and the specficiations for such processors (including the OS) are not publically available. You may split them on two subsets - the one, which have just OS and the one which has additional Java Virtual Machine. Some of the most known brands are (among others):

• Gemplus (which inquired lastly Setec)
• Sharp
• NXP (founded by Philips) offering MOB line of processors used among others in german passports
• Siemens

Of course except the processors, you need plenty of the other items and there is couple of other niches like "passport readers" equipments (Omnikey, 3M, Oce) , but the main trend is established be the ICAO norms - document 9303, which you must pay for.

BAC > EAC

The communication with a chip is specified by ICAO New Technology Working Group within two standards:

• Basic Access Control (BAC) - it is already working in number of countries and it is mandantory in EU already
• Extended Access Control (EAC) - it works just in Germany since Nov 05, but number of countries are preparing for that, as it is planned to be obligatory since 2009. (there is a couple of opened issues yet in specification)

BAC specifies mainly the fundamentals answering the questions, where chip should be wrapped within the passport, what data should be stored in processor (including the picture and digital signature to detect modification - the content of the chip should stay static from verification to verification) and how the data should be passed from the chip, including the encrypting mechanism based on MRZ - machine readable zone, which you can see in the passport as:

P<UTOERIKSSON<<ANNA<<MARIA<<<<<<<<<<

BAC is "criticized as offering too little protection from unauthorized interception" and it happens because the cryptography key are symmetric, they base on passport serial number, date of birth and exipry date (no infrastructure provided).

Lukas Grunwald demonstrated that it is trivial to copy the biometric certificate
from an open e-passport into a standard ISO 14443 smartcard using a standard
contact-less card interface and a simple file transfer tool. This is hardly
surprising, given that the certificate is simply stored as a file, and had been
obvious to those involved in the design of the ICAO e-passport standard
throughout its development. In particular, Grunewald did not change the data
held on the copied chip, which binds biometric data (e.g., photo) to identity
data (e.g., name and date of birth), without invalidating its cryptographic
signature, which means at present the use of this technique does not allow
reprogramming of fake biometric data to match a different user. Grunewald also
did not clone the Active Authentication functionality, an optional feature of
the ICAO e-passport standard that some countries implement such that the
embedded microprocessor is not only a floppy-disk-like data carrier for a
biometric certificate, but also a tamper-resistant authentication token that can
participate in a public-key
cryptography based challenge-response protocol. Nevertheless, Grunewald
created international media headlines with his claim that such copying of the
biometric certificate constitutes the creation of a "false passport" using
equipment costing around USD$200

The source

The EAC is a remedy for it and it includes additionally (among others):

• the necessity of storing the finger prints (standard specifies which fingers but not the format of storing the data)
• assymetric cryptoraphy based on secure communication based on the pair of keys - private in the passport and public one in the passport reader; both provided by the specific PKI infrastructure:

Picture comes from Crypthomatic sites

In fact, n case of passport where a cross-country authentication is required, the PKI is not so simple as it seems...

Original slide 25 comes from Kim Nguyen (Deutsche Drukeirei)

Conclusion

As you can see the ePassport is typical sample of two-tier architecture: the very thin client and huge back end ;)

Resources

• Cool and simpler clarification of BAC and EAC
• Bundes Drukerei guidelines about BAC and EAC
• Bundes Drukerei security issues about BAC and EAC
• EAC about article
• The output from Berlin Interoperability Tests
• JavaCard technology in ePassport
• Australian passport

Interesting

• SIS (Schengen Information System)
• VIS (Visa Information System)

Surely You're Joking, Mr. Feynman! - Book review

Mood: Lack of sleep

There is a question, somewhere deep in my head: Is it possible that Leonardo da Vinci has bored just once per whole civilization? Is there truely no place nowadays for real "renaissance person", who has some achievement in more than two,three disciplines? The book is the answer for the question: definitely there is at least one such a person - Mr. Feynman.

The book describes the incredible life of open-minded person, who can during one life do the following:

• learn to repair radio as a thirtenn years old child
• how to learnd italian quickly :D
• take a part in Manhattan project (atom bomb) - surprisngly he writes the most about how the life in Los Alamos looked like, than about his real work. It seemes like he worked more in nearby factory in Oak Ridge, than in Los Alamos ;)
• open locker, wardrobes and safes (I need to remember 25-0-25 and 50-25-50)
• how to make impression on women in bars (do not pay for them silly)
• how to earn money in Las Vegas
• how to be friend of big fish in Las Vegas
• try to repair Brazilian schollar system
• play on pandeiro and frigideira (whatever it is) and took a part in Carnival celebration as the samba school member. Hotel boy screaming - "O PROFESSOR!"
• learn why you should not earn too much
• paint
• why to be in touch with people from other disciplines and not to go for the interdisciplinar conferences discussing general topics
• get Nobel prize (it sounded like the ceremony was the worest challenge)go through the hell of scroing US school books
• how to play hald-professionaly on the drum for the ballet

So when you read the list there may be the following feelings in your head.

• Did he really do these things? Yes.
• Is he a megaloman? A little.
• Why I hear the surname for the first time? I was surprised as well :)

As you can see making the extract from the book, which is the extract from such a rich life, like the Feymann's one, gives the odd results. Nevertheless what was the most inspring in this all - Feynman has always very pratical approach and even when he speaks about VERY complicated things (including philosophy), everything is served in straightforward way (without a single formula).

• You can not be the professor Mr. Feynman.
• Why?
• Because I understand everything what you are saying.

On the other hand the book is simply SMART. It contains plenty of tips&tricks including not only "uncommon integration" (how you can gain from possesing the other toolkit), but also "how to cut massive number of string beans" or "how to deal wit a women". What is truely inspring it desribes the things AS-THEY-ARE and not with rounded words, so you can find even once a crossword on f, when he speaks about the government :D

He was also the one, who reminded me that if you want to achieve something in long term, you need to be honest in front of yourself and when you present the results of your work you must present ups and downs.

And at least, but not at last - the book is hilarious, so you enjoy reading it. It will be definitely well spent 11$.

Score: 6/6 (very good)

Google Trends

Mood: The weekend with XBox 360 and Call of Duty 3 is truely the cure

Link: I would love to fix projects problems as he dances :D, but at the end there is usually blood :D :D

Intro

Google Trends is the set of services, which allows you to analyze through ALL the search requests send to Google and news appearing on the web by geographical region and by date (since 2004). There are the following services:

• Google Trends
• Google Hot Trends
• Google Music Trends

It is produced by Google Labs and it is still in Beta phase since may 2006. At the beginning, Google had some problems with data updates, but since 17 July, they started to provide the data on the regular basis - Google Trends daily and Hot Trends hourly.

Juice

The service is truely cool and you open mind has a play ground... staying focused on rather professional things:

Project management methodologies

• South Africa turns on the PMBoK?
• Prince2 is the winner in EU
• RUP is very popular in Poland (polish language also)

Web languages

• Polish language is the most popular generally and in HTML/PHP!!!??
• There is HTML renaissance, when we speak about publications
• Ajax gets the ground slowly
• The other interesting analysis in the area

eCard

• the e-cards become less and less popular year-after-year
• they are the most popular in Viet Nam, Thailand and Honk-Kong (Viet Nam and Thai language), than in Belgium- Netherlands (Dutch language); is truely english 3rd the most popular language?! Probably not in greetings :D
• they are the most popular in Christmas time and New Year (seasonal trends metioned by wikipedia)

Issues

I truely spend a lot of time just to produce these three, looks-like-quick analyzes as that is truely hard to find good set of keywords for search. Just as and example I have tried to compare the top three most popular business social network using the wikipedia list as primary resourse and I felt into XING trap, which is also the big Chinese teleco. There is plenty of similar cases - Java means also the island and Eclipse is mainly the astrology term.

Google Trends does not show the popularity, but just the number of searches and publications (whatever it means).

System bases on IP addresses wherever from the query was issued and it happens that pools of IPs are transferred from one country to the other by "smart" internet providers (I know about such pools hijacked from Finland to Poland) ;)

You may request up to five key words at once.

Conclusion

The service is defintely cool, but you need to use it VERY carefully and you probably need also some other resources, which proofs your hypothesis. Incoming popularity of Facebook (comparing to MySpace) is possible,

but XING comparing to LinkedIn or Plaxo? ;)

Anyway the incoming API for the service, will be definitly the cool thing to play with! What else will come up from these Labs? It seems like there is a lot of rocket science going on! ;)

UML, RUP, MSF and the others versus reality

Mood: Monday was not as horrible as expected
Link: I am not the fan of the serie, but the sounds keep pinging my mind ;)

"We need simply to use UML and it will fix all the problems" - I was quite surprised to see the idea in MY mind and luckily not in my mouth yet ;) I am quite sure you know also the people, who believes that particular approach like Prince2 or RUP will be the remedy for any diseas. The problem is that effectiveness of these solutions always depend on particular situation. That is always the most important to diagnose the problem first and then to find the medicine in various books ;) Sounds like the cliché, but there is still so many werewolf hunters fully equipped with silver bullets. I have made conscience-searching and here we are...

General
· None of these specify necessity of designing GUI, but usually when you start drawing how particular screens will look like you may gain a lot of information (unless you plan the prototype first or strictly agile, iterative approach)
· None of these (but Prince2 books mention it unofficially) specify necessity of hard-numbered profit versus cost estimation. Business analysis should include some predictions of key indicators like Net Present Value or Internal Rate of Return
· QA is different topic, which you need to have in back of your head regardless from everything else (RUP and Prince2 mention it just)

· No one below will remind you about the law issues and regulations (legal acts, being compliant with standards, corporate regulations)

UML
· UML diagrams are really cool, but THAT IS NOT THE METHODOLOGY – that is simply some set of boxes, which you may use in drawings. Nothing more, nothing less.
· Very many companies uses UML to attach some images to documentation (good), but unfortunately not too many generates even the classes skeleton from it; even less keep synchronization between the physical and logical model. Surprisingly I have never heard or read about any CMMI-like model, which would suggest it or score it!
· When we speak about Use Case diagram remember about drawing the border of the system and if necessary about the version of the system (quite often technical spec says about the subset of functionalities enlisted in business spec)
· Use Cases are also about identifying the type of users

· Apply packages to simplify Use Cases

· Always look for reuse of diagrams and avoid copy&pasting (eg. <>, <> in use cases)

· Think about Deployment Diagram and general plan on early stage; it is also a good moment to think which OSes and browsers might be used by final users (it is often forgotten and it blows out when the deployment truely starts)

· Sometimes it is quicker to scetch, scan and paste even sligthly against the rules, that draw the diagram with 100k EUR worth software beign strict; pretty-good is usually enough ;)

· UML is one of the best for desiging software, but it is not the only one - have a look here.

RUP
· That is quite cool approach, which nicely show 4 important stages of the project – preparation, analysis, realization and deployment, but there is no point where all the analysis is finished. It means that even when you start the 3rd Construction phase you do not have all use cases finished (just 80% is required)!

· Against RUP I prefer rather to start coding when I have complete set of uses cases and the range of first release fully established - I found too often one, nasty case, which caused total redesign

· Surprisingly RUP does not go deep within technical aspects - it mentions mostly use cases, business aspects and risk management.

· Martin Fowler in his book The New methodology says something like: “My experiences with RUP are, that you can customize it without the boundaries and it causes problems. I have met couple of RUP usages, starting from the cascade model with analytical iterations, finishing at the full Agile process. I was surprised that this promoting RUP as one process caused that people may do everything and call it RUP – it makes RUP the word without meaning” - I guess this happens because IBM strategy is to allow in the same time the marriage of it with SCRUM and Prince2
· You can quicker find interesting documentation about RUP outside IBM (like Wikipedia) than inside, where you must go through tons of commercial crap to get kilo of knowledge. The kilo is probably somwhere within 270 pages long red book.

· Some sample documents templates

· RUP defines couples of disciplines - among others Business Modelling, Requirements, Analysis & design. In situation, when you need to make the interview with clients (in order to specify the contract), it means that each specialty must be represented at each meeting.

MSF
· Unfortunately since the new version (at least the document is ONLY 47 pages long ;) ), the split between logical and physical design is not bolded so strongly. You need to spend significant time to find the sentence like “There are three levels in the design process: conceptual design, logical design, and physical design”. I guess that is caused by the necessity of generalization caused by MSF for Agile.
· Good trade-off mechanism, which finally learned how to be agile, when customer wants something more :D
· User experience role, which you will not find in RUP.
· Practical bottom-up approach for estimation and no word about it in RUP

I was thinking for a sec to weight both RUP and MSF and put the score, but the truth is that the covarage which both companies for their development environment (IBM with Eclipse and Microsoft with VS.Net). There is couple of interesting places, where you can find deeper comparsion of both like even some Master Tesis prefering slightly RUP. At the end of the road, it does not matter what label you wear, but how you feel with it. Is it flexible? Can you show in the suite on the business meeting? Can you run to catch the cab? Do you buy clothes in regular market or you can afford the tailor? Do not you think you need to have couple of clothes? :D

Sources of knowledge

Mood: Just after straight-11 free days without ANY business phone call (can you imagine that?)
Link: Odd Christmas wishes

I have got some time ago the very good question: "Where from do I know, what I know?". I am the type of the guy, who asked about non expected thing, usually can not come up quickly with a clever answer, so I answer something not-clever-enough. The problem is that, this type of things keep staying in the darkness of my mind for some clever-enough story. The worst of all, the dark side of the soul wakes up usually 5' after I should be already sleeping and once per a while instead of behaving like the 31 years old man should behave I get to the laptop and write something like right now (tommorow morning will be truely a horrible intiation of the new year ;) ).

Anyway... lets do the home work.

I am the type of the guy who does not like to go to the courses, which I usually very expensive, time-consuming, borning and not-engouh related with the real life. This is way I usually prefer some self-pace paths, where books and web materials are the best, primary friends. In case of Microsoft certificates (MCSD.Net) I also convinced my boss to buy the examination training kit from Transcender (wow! they have a new web page) and I was very satisfied from it. I always focus myself and my subordinates to focus on some certificate. It is not to be some type of a label whore, who needs to have a jeans from Wrangler in order to feel better, but having a material goal is always a good motivator and the one, which you can set in time - usually the certain date and hour of the exam, when you shake like the leaves on a tree in autumn. Anyway I am crossing my fingers for you ;) and I give you one hint...

If you fails, there is always a possiblity to have a next shoot. I remember until today one exam at my university, when I had three make-ups; the most horrible was that each time I have spend doubled amount of time over the books and the result was doubled misrable :D The professor Jan Węglarz finally gave me the lowest possible note to pass, just to get my out of the range of his sight. Staying in front of him I truely considered to refuse the offer despite my desprate situation, but as usually my opprotunistic side has won ;) EVERYBODY has at least one story of this type - you must to set up and take a challenge.

The second and more interesting source of knowledge are people. There are two main figures who have been the sources and spiritus movens (surprsingly I could not find yet the english explanation of these latin words). One of them is positive and second one is rather negative.

The first one, was Clem Predergast who rather acts than publish and this why there is nothing about him on the web. He was though the one, true manager whom I met and whom I could watch managing and leading the people in software projects. It was more about the soft skills and possibility to motivate people in right direction, but there was also about the "know-how" import from Irish island and Performix company. How the support mechanisms works, how QA labs should look like, what road show is about, where there is a sense to pump the money and how to gain the support from executives. He had tones of his phresals, which I am sure, most of people who have worked with him, will remember for a long time like "all hands on pump". I keep catching myself on repeating them or doing some small things in the same why how he did it like learning first how "cool" and "shit" sound in foreign language, when I am in one these countries where german and english is not the mother tongue. Learning by the example is definitely the best possible method.

The second person is much more interesting and I have been growing up with this feeling for years. This person had probably better hard skills than I had on each, technical level - starting from code, through the architecture and finshing at methodologies knowledge (especially the agile once). I am quite sure that he still has these skills better, but he had some problems with soft skills. Unfortunatelly it has appeared after some time that we do not work together but against. Why I come up the situation? Because he was a perfect challenge, which (or rather who), I admit publically in this new 2008 year, still sits in my mind and keep challenge me in the ares, which about we had this short, usually intense discussions. Of course that is not my main or even secondary motivator, but for example it forces me to review once per a while all the existing methodologies and only the ones, which I prefer or can be useful.

Where books can be treated as hardware, people would be the software - you need both and you need to have some balance. You need to have hardware to load software, you should not have too much software on the weak machine and the most important... do you really need Vista? :D