Subtle things in SCRUM – 1 Sprint Planning

In the past I led a team of 8 developers and a tester. We followed the Scrum method for close to 4 years. In this series of posts I plan to write about things in the Scrum method that I learned by practising it. It is mostly from my personal experience.

One of the major tasks in Scrum is sprint planning. Our regular sprint planning went like this:

  • The product owner comes up with a list of features, bug fixes and refactorings that can be taken up in the sprint
  • I find out the team’s availability (taking all the planned vacations, trainings and holidays into account)
  • Next we break the features down into smaller work packages
  • We all sit together and estimate the work packages (using planning poker)
  • Then we pick work packages whose total matches the availability
  • And finally we assign the work packages to the team members

This worked fine. But over time I found that we missed our sprint goal even though the majority of the work was done. After some analysis and a retrospective I found that the problem was the last step.

  • And finally we assign the work packages to the team members

This step of allocating the work packages to individual team members split the team into individuals. When someone completed a work package, the next one was chosen from that team member’s pre-allocated subset. Sometimes this created situations where a work package of high importance to the team’s success sat stagnant because its owner was overloaded, while another team member was busy burning down a less important work package.

So we learned our lesson and stopped allocating the work to individuals up front. We planned the work packages without assigning a name to them. Now, once someone completed a work package, the next one was chosen based on the team’s priority. It also made sprint planning a lighter exercise.

This is a subtle thing that no one taught me in scrum master training. I learned it after failing a couple of sprints.

–Ferose



Using an Elephant for Begging

This is a short post that I have wanted to write for a long time. It is based on an example that I mention in the majority of my training sessions. Let me get to the point quickly. In India there is a common practice. If you roam around the small towns and villages, and in some cities too, you can see elephants on the road accompanied by a mahout. On seeing the huge animal everyone gets excited. Children especially get excited and frightened at the same time. And the routine is the same everywhere. The mahout brings the elephant near each of them and it blesses the person by putting its trunk on top of their head. Then it begs for money using the same trunk. We pay the elephant some money, which it hands over to the mahout.

In India the elephant is seen as a representation of the Hindu god Ganesh, so people taking a blessing from it is fine. But one thing I always wonder about is the effort the mahout puts into training the elephant to beg, and the use of that huge animal only for that purpose. You may be wondering why I am suddenly writing about elephants in India. No, I did not quit my software job and start learning about elephants. In the software development industry I have often seen a team ask for a costly tool (Visual Studio 2XXX, Enterprise Architect, Rational Suite, etc.). The company weighs the cost against the benefit and finally decides to buy the costly tool.

Now once the tool is bought and handed over to the teams, I have seen a lot of teams using hardly 5% of the features the tool provides. For example:

  • Using Visual Studio only as a text editor with syntax highlighting.
  • Using Enterprise Architect only to draw UML diagrams.

This is the same as using an elephant for begging. One of my major endeavours is to use the elephant for the things it is meant for.

Always spend time learning the tool and use it to its full potential.

Target of vishing and credit card fraud

On Saturday evening, 31 Jan 2015, I was the target of a vishing attack. A smart set of people tried to steal my credit card details. The following things saved me from the fraudsters:

  • Knowing some basics of credit cards (card number, dates, CVV, 3D Secure PIN, etc.)
  • Knowing the basics of telephone SMS
  • All those articles about fraud on arstechnica.com
  • Social engineering training from Siemens

Here is how the whole thing went. I am going to list the phone conversation between myself and the fraudsters. I have shortened the transcript for the sake of brevity. The call lasted close to 20 minutes. All of them were very polite and fluent in English. The accent was north Indian.

(lady 1) Fraud: Hello. Am I speaking to Ferose Khan saab? (in Hindi)

Me: Yes.

(lady 1) Fraud: We are calling from the ICICI Bank credit card section. It seems one of your credit cards’ 8000 reward points are expiring.

(This is a coincidence that made me trust her. I have 2 ICICI cards and one expired recently. Maybe that card’s points are expiring with it. Also I had close to 8000 points.)

Me: Yes. I have an ICICI Platinum credit card. Is it related to that card?

(lady 1) Fraud: Yes. We will redeem the points for you, send the coupons to your address and credit 5000 reward points since you are our platinum customer.

Me: Okay. But I have changed my address recently. So I am not sure whether that request went through?

(lady 1) Fraud: I will have to transfer you to another agent who deals with address changes also.

Me: Okay.

(lady 2) Fraud: Hello sir. It seems you have requested an address change.

Me: Yes.

(lady 2) Fraud: To check that I need to verify your credentials. Can you tell me your card number?

Me: 1234 5678 1234 5678

(lady 2) Fraud: Can you tell me the date of expiry?

Me: 11/11

(lady 2) Fraud: To verify your phone number I am going to send an OTP to your mobile and email. Tell me the OTP.

Me: (I get an SMS from VM-ICICB: “One time password (OTP) for IVR transaction for your card ending with xxxx xxxx xxxx 1234 is 123456.”)

(lady 2) Fraud: Can you tell me the OTP?

Me: Yes, it’s 123456. I am a bit confused. Why are you redeeming the points for me? I will be back tomorrow. I can do this on my own.

(lady 2) Fraud: No sir, this has to be done now.

Me: Okay. What are the coupons that you are going to send me?

(lady 2) Fraud: Some travel coupons, gift coupons, a free wrist watch, a belt and branded shoes.

Me: Don’t send those travel coupons. I am not interested in them. There will be a coupon from Shoppers Stop. Can you look it up? That’s what I order normally.

(lady 2) Fraud: (she fumbles a bit and could not answer) Sir, actually I am from the verification department. The other department will handle the gift details.

Me: Okay.

(lady 2) Fraud: At the back of your card there will be a 7 digit number starting with 1234. Can you tell me that number?

Me: But that is my CVV number. Why do you need that?

(lady 2) Fraud: I need that for verification.

Me: No, I am not going to give that over the phone.

(lady 2) Fraud: So I will transfer the call to my superior.

Me: Okay.

(guy 1) Fraud: Hello sir.

Me: I am really irritated now. If my points are expiring why didn’t you call me last month?

(guy 1) Fraud: I am sorry for the inconvenience caused. We tried calling but couldn’t reach you, sir.

Me: Okay.

(guy 1) Fraud: Are you interested in this automatic redemption service?

Me: Yes, do it.

(guy 1) Fraud: Can you verify the card’s valid-from date?

Me: 01/01

(guy 1) Fraud: Can you turn your card over and tell me the 7 digit number?

Me: Yes, there is a 7 digit number. But that is the CVV number. I am not going to give that.

(guy 1) Fraud: Sir, I am not asking for any confidential details here. As per ICICI your date of birth, mother’s maiden name and 3D Secure PIN are the confidential details. Kindly tell me that number.

Me: If I give that number then you can go and make a purchase. It’s as good as giving my card to you.

(guy 1) Fraud: But that will require your 3D Secure PIN, sir.

Me: But if the store is from outside India, for example amazon.com, you can make a purchase without that PIN.

(guy 1) Fraud: Sir, you received an OTP from VM-ICICB just now, right? Are you doubting us?

Me: Anyone can send such a message with the “from number” being VM-ICICB.

(guy 1) Fraud: No sir, it’s not possible.

Me: It is possible. Give me a number and I can send a similar message.

(guy 1) Fraud: Sir, are you interested in this service from us?

Me: Yes, I am interested.

(guy 1) Fraud: Then kindly provide that number. Without that I cannot update the system. I will increase your credit limit to X amount, sir.

Me: But my credit limit is already more than X.

(guy 1) Fraud: In that case it’s okay. To send the free gift kindly tell me the number, sir.

Me: No, I am not going to give that number to you.

(guy 1) Fraud: Sir, you are not listening to me, sir. That number is the CVV, “customer verification value”. It is used to verify the customer. Also when you give the card at any merchant location it is visible to all. You need not worry.

Me: No, it is secure information. On my card I have even scratched that number off. I am not going to give that number over the phone. If my points will be lost because of that, then let the reward points go in the bin. I will cancel the card this Monday.

(guy 1) Fraud: Sir. No sir. Please don’t do like this. You are an esteemed customer based on your transactions. Kindly allow us to provide this service. Are you interested in this service?

Me: Yes.

(guy 1) Fraud: Then let me know the CVV number.

Me: No.

(guy 1) Fraud: Thank you sir. Nice talking to you.

(call disconnected.)

There were a couple of things that triggered my doubts.

  • When I was telling her the card number. Typically ICICI already has it, so they don’t repeat it. But in this case she was repeating the number aloud, and I felt something was wrong.
  • Sending an SMS that appears to come from VM-ICICB can be done very easily with internet-based SMS clients. I have done it myself. It doesn’t prove that they are from ICICI.
  • Typically, if I don’t provide a piece of information, ICICI customer care ends the call. But here the callers were persistent.
  • When I asked for the Shoppers Stop coupon, she fumbled. This too made me question the genuineness of the call.
  • Their claim that the CVV is not confidential information.
  • They transferred the call suddenly, without any need.
  • The credit limit stated was less than my current limit.

Mistakes that I made

  • I gave the card number to one agent (they used the last four digits to format a convincing OTP message).
  • I gave different pieces of information to different agents (card number, valid-from date, expiry date).
  • I should have told them to send an email and ended the call.
  • I took the call at a bad time (when we were packing our stuff to return and a lot of guests were leaving), so I was not prepared for it.
  • Whenever I asked them a tough question they transferred the call and started over altogether. This irritated me and also made me lose focus.

Some basics

  • The information printed on the back of the card is sensitive. Once you get the card, memorise the CVV and scratch it off.
  • If someone demands a crucial piece of information over the phone, ask them to send an email, or hang up and call the bank back on the number printed on your card.
  • Ask them some questions, like your name, address etc., and verify the answers.
  • Don’t be in answering mode. This is not a quiz rapid-fire round. If someone calls you, you need not validate your identity. It is they who have to validate their identity.
  • You won’t know when you will get such a call. Be prepared for it.
  • A bank will never take responsibility for such mistakes on your side.
  • The 3D Secure PIN is mandated only for transactions with Indian merchants, so a foreign-currency purchase can go through without it.
  • CVV stands for card verification value. It is used for “card not present” transactions: wherever you cannot enter a PIN, this number is asked for instead. The merchant is not supposed to store the CVV as part of the transaction, so the card is not compromised if the merchant’s data is stolen.
  • Some purchases don’t show up in the statement immediately. Be cautious and check the alert SMSes sent by the bank.
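How the merchant side is supposed to treat the same details, as an added example in JavaScript (Node.js) that is not part of the original post: a Luhn check catches mistyped card numbers, the record that reaches the database keeps only a masked card number and the expiry, and the CVV is used for the authorisation and then dropped. The function names, the record layout and the sample request are this example’s own assumptions; 4111 1111 1111 1111 is a widely used test card number that passes the Luhn check.

```javascript
// Added example (not from the original post): merchant-side handling of a
// "card not present" payment. The Luhn check and the storage rule (masked
// PAN and expiry only, never the CVV) are standard practice; function names,
// record layout and the sample request below are this example's own.

// Luhn checksum: catches typos and obviously fake numbers. It says nothing
// about whether the card is real or funded.
function luhnValid(pan) {
  const digits = String(pan).replace(/\s+/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keep only the first six and the last four digits. Statements and OTP
// messages show the last four anyway, which is all the fraudsters needed to
// format a believable SMS.
function maskPan(pan) {
  const digits = String(pan).replace(/\s+/g, '');
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Build the record that is written to the merchant's database after the
// payment processor has answered. The CVV is validated, used once for the
// authorisation request and deliberately not copied into the record, so a
// stolen copy of the database is not enough to pay with the card.
function recordForStorage(request, authorisationCode) {
  if (!luhnValid(request.pan)) {
    throw new Error('card number fails Luhn check');
  }
  if (!/^\d{3,4}$/.test(String(request.cvv))) {
    throw new Error('CVV must be 3 or 4 digits');
  }
  return {
    maskedPan: maskPan(request.pan),
    expiry: request.expiry,
    amount: request.amount,
    authorisationCode: authorisationCode,
    // no cvv field, on purpose
  };
}

// Constructed sample input: a well-known test card number, made-up CVV,
// expiry and amount.
const sampleRequest = {
  pan: '4111 1111 1111 1111',
  expiry: '11/11',
  cvv: '123',
  amount: 1999,
};

console.log(recordForStorage(sampleRequest, 'AUTH0001'));
// { maskedPan: '411111******1111', expiry: '11/11', amount: 1999, authorisationCode: 'AUTH0001' }
```

The placeholder number in the transcript above, 1234 5678 1234 5678, fails the Luhn check, which is one reason a genuine bank system would never have accepted it as read out.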

Wish you all safe banking.

–Ferose

Design for People

As a software engineer one has to make design decisions. I always ask my fellow engineers to keep the people factor in mind: the decision should follow the principle of least astonishment (POLA). To explain POLA I am going to take a real-world example, because real-world examples are easier to remember.

In recent times I have accumulated a lot of mobile devices. Out of them I am going to take only the following 3:

  • Nexus 7
  • Samsung Galaxy S3
  • Apple iPad

My family members and I use them interchangeably. One of the major use cases is adjusting the volume. After using these devices I know that the volume button is somewhere on the side. I try to use muscle memory, search for it and adjust the volume. But the experience differs between the devices. I will list them in order from worst to best.

  • Nexus 7 – This is the worst of the three. The volume and power buttons are placed on the right-hand side. I tend to push the power button instead of the volume button, then press the power button again to get back to the volume control. For a human being it is hard to remember the exact location of a button unless one has been using the same device for a long time.
  • Samsung Galaxy S3 – On the GS3 the volume buttons are on the left-hand side and the power button is on the right-hand side. Even though this looks better, correctly remembering which type of button is on which side is again hard. I tend to do the same thing here too: press the wrong button and course-correct later.
  • Apple iPad – Here the volume buttons are placed on the right-hand side and the power button is placed on the top. There are a couple of advantages here.
    • For the two cases above I actually had to cross-check the devices for the correctness of this post. For the iPad it was not needed. I can remember top versus side, but it is not easy to remember what is on the left versus the right.
    • I always end up pressing the volume button and never trigger an alternative operation by mistake.
    • This provides the best experience for me.

The third case, the iPad, satisfies the principle of least astonishment. In the other 2 cases I intend to do something, end up doing something else, and after a moment of surprise I course-correct. So if you are an engineer, make sure your design decisions follow the principle of least astonishment. It definitely saves a lot of time for your fellow engineers and fellow human beings.

To give an example from the software side, guess what the following object represents:

var d = new Date(2011,1,23);

Anyone would guess that it represents 23 January 2011. But if you are programming in JavaScript, it represents 23 February 2011. While the day and year start from 1, the month starts from 0. When I was programming in JavaScript the question I had was this: hours, minutes and seconds all start from 0, which is natural, but why does the month start from 0? That was my moment of surprise.
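The same surprise carried a step further, as an added JavaScript example that is not part of the original post: besides the 0-based month, the Date constructor also silently “rolls over” out-of-range values (31 February becomes 3 March) instead of rejecting them. The helper names makeDate and describe are this example’s own; makeDate takes the human 1-based month and turns any value that would roll over into an error rather than a different date.

```javascript
// Added example (not from the original post): the JavaScript Date
// constructor counts months from 0 and normalises out-of-range values
// instead of rejecting them. makeDate and describe are this example's own
// helper names.

// Render a Date as YYYY-MM-DD using the 1-based month a human expects.
function describe(d) {
  const y = d.getFullYear();
  const m = String(d.getMonth() + 1).padStart(2, '0');
  const day = String(d.getDate()).padStart(2, '0');
  return `${y}-${m}-${day}`;
}

// A wrapper that takes the human 1-based month and refuses to astonish:
// anything that would roll over (month 13, 31 February) is a RangeError,
// not a quietly different date.
function makeDate(year, month, day) {
  if (!Number.isInteger(month) || month < 1 || month > 12) {
    throw new RangeError(`month must be 1..12, got ${month}`);
  }
  if (!Number.isInteger(day) || day < 1 || day > 31) {
    throw new RangeError(`day must be 1..31, got ${day}`);
  }
  const d = new Date(year, month - 1, day);
  // Date normalises 31 February to 3 March; detect that by reading the
  // components back and comparing with what was asked for.
  if (d.getFullYear() !== year || d.getMonth() !== month - 1 || d.getDate() !== day) {
    throw new RangeError(`${year}-${month}-${day} is not a calendar date`);
  }
  return d;
}

console.log(describe(new Date(2011, 1, 23)));  // 2011-02-23: month 1 is February
console.log(describe(new Date(2011, 1, 31)));  // 2011-03-03: 31 February rolled over silently
console.log(describe(makeDate(2011, 1, 23)));  // 2011-01-23: what the caller meant
```

The read-back check is the important part: the only reliable way to know whether Date accepted the components as given is to ask it what it ended up with.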

I hope you consider people first when making design decisions.

Learning Microsoft Azure

Introduction

Cloud computing is growing day by day and more and more businesses are adopting it. As a software engineer one has to learn the recent technologies to stay relevant in the days to come. So I decided to spend some time learning Microsoft’s Azure cloud platform. In this post I am going to list the road blocks I hit and how to get past them without violating the corporate security regulations.

Pay per use

Learning cloud computing costs money. A valid credit card is needed. Once a credit card is registered, Azure makes a test transaction of $1 and then the subscription is set up.

Azure provides a one-month free trial with $150 credit. But this is too short a time to try out and learn the Azure offerings. For the initial months I paid from my own pocket and learned the Azure services. The bill was not huge, but it is a pain.

MSDN Subscription

As part of our regular software upgrade I received Visual Studio 2012 with an MSDN subscription. An MSDN subscription is a programmer’s treasure box. There are so many things available as part of the subscription. One of them is a $50 Azure credit every month. If one is careful, a lot can be learned with this small credit each month. Now I don’t spend my hard-earned money but use this credit. Thanks to those folks at Microsoft and to our procurement :-)

Access Azure from Powershell

Azure has 2 management portals. They provide a nice UI for every management task.

If, like me, you hate UIs and prefer the command line, there are 2 offerings from Azure:

  • Powershell cmdlets
  • Node.js based cross platform command line tools

Being a Windows user with PowerShell readily available, I installed the PowerShell cmdlets. But because of our proxy authentication I couldn’t reach the Azure service from these cmdlets. After some searching I found a solution. Including the following line in the PowerShell profile makes PowerShell talk to the Azure REST API through our proxy, authenticating with the logged-on user’s Windows credentials.

# Send the logged-on user's Windows credentials to the default (system) proxy for every WebRequest
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

Programming for Azure

The Azure SDK provides 2 emulators, so before deploying a program to Azure one can build and test it locally with them.

  • Azure compute emulator
  • Azure storage emulator

And when I had to reach the Azure service from a local program through our proxy authentication, a trick similar to the PowerShell one works. Add the following block to the app.config:

  <system.net>
    <!-- authenticate to the system proxy with the logged-on user's Windows credentials -->
    <defaultProxy useDefaultCredentials="true" />
  </system.net>

SSH is blocked

To feel the power of Windows Azure I finally reached the point where I had to create and use virtual machines. Here again our proxy blocks both RDP and SSH for security reasons. Without these protocols I cannot do anything with the virtual machines. I thought of solving this problem using the cloud itself and found a nice solution. After some searching around I found the awesome “shell in a box” project on Google Code. It exposes a shell through a web interface and also supports HTTPS. This is how I have made my setup:

  • I have one small VM (Basic/A0) running shell in a box on port 443 (speaking HTTPS, for security reasons). This has to be set up once from outside the office.
  • I start this machine using PowerShell and open its shell from a browser.
  • From that VM I ssh into any other machine if needed (yes, the whole world is just an ssh away).
  • Once I am done I shut down this machine using PowerShell.

Since this VM puts a login prompt on the public internet, treat it like any other exposed SSH host: give it a strong, unique password, restrict its endpoint to your office’s public IP addresses where you can, keep it switched off when not in use, and check that your security team is fine with a shell reachable over HTTPS before relying on it.

Keep an eye on the $$$

The last and most important point is the money involved in learning cloud computing. Always do the following, without fail, or else all the free credit will be burnt soon and one has to wait a month to continue the exciting journey.

  • Always keep a tab on the Azure credit.
  • Based on the utilisation, the credit indicator will be green or red.
  • Green means no need to worry. But if it is red, then the money in the subscription will not last for the entire month.
  • Always shut down the VM/service instances that are not needed immediately (not at the end of the day).
  • If there is a need to preserve the IP, keep the cloud service running and shut down only the VM.
  • For some services like websites, databases etc. there is a free tier available. Use it instead of the paid tier.
  • Some services like Redis cache are way too costly. Be careful with them.
  • And my rule of thumb is that compute is always costlier than storage.

I am still exploring these technologies. I hope this helps someone who wants to learn cloud computing.

–Ferose

Refactoring software

If you have done professional software development for some years then you know the value of refactoring. As time moves on, more and more features are added to the software. The team learns a lot about the domain, the problem at hand, broken assumptions and design mistakes. It is natural that the team wants to correct the software with this new-found knowledge. But most teams never do it. Sometimes there are valid reasons for not doing it, for example:

  • The software works and meets the users’ needs, and it has already matured enough. There will be no more active development.
  • The software contains a lot of fixes for issues from the field. If a refactoring is done then all this polishing will be lost.
  • There are no unit tests available for the software, so there is no way to check the refactoring for correctness.

But there are times when refactoring is avoided for the wrong set of reasons, like:

  • The product owner wants new features over refactoring.
  • The team is lazy and takes pride in the complexity.
  • There are no resources available to do refactoring.
  • The team wants to do a reengineering instead of a refactoring.
  • The manager believes that refactoring is a waste of time.

From my own experience all these reasons can be overcome and the refactoring done. Let me take them one by one and see how to get around each.

Product owner wants new feature over refactoring

Refactoring provides nothing new to the user. The user still provides the same set of inputs and the software responds in the same manner. So if we ask the product owner to allocate time only for refactoring, we will never get it. The alternative is to take the entire new feature request and, based on priority, trade the lowest-priority items for a refactoring. This way the product owner gets the new feature and the development team gets some part of the software cleaned up.

Team is lazy and considers the complexity as a pride

Most software development teams start with a clear and concise design. Over time, with the advent of new features and new team members, the design accumulates a lot of incidental complexity. Instead of planning some time to identify and fix this situation, some teams tend to enjoy the complexity. The smallest fix takes a lot of time, new developers often find themselves lost in call stacks, and no one can guarantee that something will work by design. If this situation is not handled properly then in the near future the whole software will need reengineering. An expert will always come up with an elegant and simple solution. So teams need to get out of their comfort zone and clean things up then and there.

No resources available for refactoring

Most of the time, finding resources to do refactoring is hard. There are different solutions to this, and I have one that has always worked for me. Whenever I get a new team member as a replacement for attrition, I spend some time training them. As part of that training I ask them to refactor some part of the software. Yes, new developers are raw, they lack the know-how, they may complicate that part, etc. But one important fact is that they have a lot of energy and want to prove themselves. For me the refactoring succeeded most of the time using this technique. Give it a try.

Team wants to do reengineering instead of refactoring

Most of the time, when the topic of refactoring comes up, some teams want to throw the whole thing in the bin and start afresh. This may look fascinating. But old code is not bad. It is not rusting iron. Actually, old code has accumulated a lot of runtime knowledge. It contains a lot of small tweaks here and there based on customer feedback. So a mature team will always prefer to preserve the old code and clean up only those parts that are ugly.

Manager believes refactoring is a waste of time

In any industry the highest paid person’s opinion (HIPPO) carries a lot of weight. So if you really want to do refactoring, the manager has to be convinced of the advantages and benefits. What I have always seen work is to show the benefit as something concrete: for example the number of man-days saved, the amount of money saved, code/design metrics, etc. Managers tend to believe hard facts and numbers over qualitative statements. This too has worked for me in the past.

So take that extra effort and clean up the code.

-Ferose