Internet of Things, Black Magic and Humans

In recent times I have read a lot about IoT (Internet of Things) and the way it is going to improve our lives in so many ways. For example, the story goes like this:

  • By the time you reach home the thermostat will start the AC or the heater and set up a pleasant temperature
  • The new age LED lights are connected to the internet and switch on/off based on your location pattern
  • The fridge finds out there is no milk and adds a to-do entry to your to-do list to get the milk
  • There will be sensors everywhere. Based on the data they will decide and act intelligently

Yes. All of this is well and good. But among all this intelligent set of things there is a dumb thing mixed in. It is none other than the HUMAN. At times I feel scared about how these billion IoT things are going to handle the human. I will quote one of my own examples here.

  • At our home we have 2 iPods: a nano (8 GB) and a touch (32 GB)
  • My father used the nano while I used the touch

I load the songs into the iPod using the following routine (because of the difference in the iPod memory size):

  • Remove all the songs from iTunes
  • Connect the iPod to the PC
  • Add the songs based on the need into iTunes
  • Run the iTunes sync
  • Disconnect the iPod

Some time back I was travelling to the USA for a long term. As a part of the travel preparation I made sure I loaded my entire music library into my iPod touch. One checklist item done and ticked. My father requested me to load some of his personal favorites into his iPod nano. I did my regular routine and gave the iPod back to him. He thanked me and verified all his songs were loaded. I felt happy that in between the travel preparation, I could get this small job done.

I packed my bags and reached the USA. After a week I thought of listening to some of my favorite music. I took my iPod touch, charged it and connected my headphones to it.

I heard some old song that was my father’s favorite. I thought maybe I had added that by mistake. I shook the iPod for a shuffle. Again another old song. After a lot of shaking I found that my entire music was missing and the iPod was filled with my father’s collection. I wondered what had happened. I hadn’t touched my iPod after the last sync. I had clearly loaded all the songs myself. That was the first step in the travel preparation. I was wondering what sort of black magic had happened.

Then I found out that I had turned on iTunes Wi-Fi sync by mistake some time back. So when I was loading the songs to my father’s iPod, my iPod touch found that out, intelligently wiped all the songs from its library and loaded all my father’s songs into it over Wi-Fi automatically. From the iPod touch’s point of view this is perfectly fine and intelligent, doing all this in the background. But the outcome was a disaster from my point of view.

The problem is that humans have a tendency to forget things. Until now it was my PC, the internet and the so-called smartphone that had to deal with this situation. Now I am not sure how these billion IoT things are going to handle this situation.



Subtle things in SCRUM – 2 Burnout

In continuation of my last post, here is another subtle thing that I learned by practicing scrum.

The success of a SCRUM team depends on effective sprint execution. Our typical sprint execution is like this:

  • We have a sprint backlog. This is prepared as a result of sprint planning
  • Each team member takes a task and starts working on it
  • Each day in the daily stand up meeting the team member reports the amount of time needed to complete the task (it is like estimating the task daily based on the latest knowledge)
  • Once completed, pick up the next task based on priority

But during the retrospective meetings the team members complained about burnout. The following were the comments:

  • This methodology is too taxing
  • I have no time for any other work other than the project
  • In case of waterfall we had pressure at the end but here in scrum we have constant pressure all the time

Over time the team’s productivity also came down a bit. After some analysis we found the problem. It was “Allocating all our time for the project during sprint planning (8 hrs/day)”. In addition to that, during the planning phase we tried putting in as many hours as possible. And during the sprint we tried to meet those numbers.

The problem was solved in 2 parts. One was from the project management side. The other was from our own.

  • From the project management side they too felt this burnout and made a small change. Instead of planning for 8 hours a day, we were asked to plan only for 6 hours a day. The remaining 2 hours went to all the non-project activities.
  • From our side we made sure that the team brings all time burners to the table (training, vacation, holidays, supporting other teams, reading, learning etc.).

Now the team had a constant load and we started to make predictable deliveries. In addition to this we never got the feeling of being under constant pressure and burnout. Again it’s a small correction but we learned it only during the practice.


Subtle things in SCRUM – 1 Sprint Planning

In the past I was leading a team of 8 developers and a tester. We followed the Scrum method for close to 4 years. In this series of posts, I am planning to write things about Scrum method that I learned by practicing it. It is mostly out of my personal experience.

One of the major tasks in Scrum is sprint planning. Our regular sprint planning happened like the following

  • The product owner comes up with a list of features, bug fixes and refactorings that can be taken up in the sprint
  • I find out the team’s availability. (Actually taking all the planned vacations, trainings & holidays into account)
  • Next we break down the features into smaller work packages
  • We all sit together and estimate the work packages (using planning poker)
  • Then we pick up work packages that are equal to the availability
  • And finally we assign the work packages to the team members

This was working fine. But then over time I found that we missed our team goal even though the majority of the work was done. After some analysis and retrospective I found the problem was the last step.

  • And finally we assign the work packages to the team members

This step of allocating the work packages to the individual team members divided the team into individual members. So if someone completed a work package the next one was chosen from the team member’s pre-allocated subset. Sometimes this created situations where a work package of high importance to the team’s success was stagnant because of an overloaded team member, while another team member was busy burning some less important work package.

So we learned our lesson and stopped allocating the work to individuals upfront. We planned the work packages without assigning a name to it. Now once someone completed a work package the next one was chosen based on the team’s priority. It also made the sprint planning a lighter exercise.

This is a subtle thing which no one taught me in the scrum master training. And I learned it after failing a couple of sprints.



Using an Elephant for Begging

This is a short post that I wanted to write for a long time. It is based on an example that I mention in the majority of my training sessions. Let me get to the point quickly. In India there is a common practice. If you roam around in the small towns, villages and in some cities too, you can see elephants on the road accompanied by the mahout. On seeing the huge animal everyone gets excited. Especially the children get excited and frightened at the same time. And the routine is the same everywhere. The mahout will bring the elephant near each of them and it will bless the person by putting its trunk on top of the head. Then it will beg for money using the same trunk. We pay the elephant some money which it hands over to the mahout.

In India the elephant is seen as a representation of the Hindu GOD Ganesh. So people taking blessing from it is fine. But one thing that I always wonder about is the effort the mahout puts into training the elephant to beg, and using that huge animal only for that purpose. You may be wondering why I am suddenly writing about elephants in India. No, I did not quit my software job and start learning about elephants. In the software development industry I have often seen a team asking for a costly tool (Visual Studio 2XXX, Enterprise Architect, Rational Suite etc.). The company looks at the cost and benefit. Finally it decides to buy the costly tool.

Now once the tool is bought and handed over to the teams, I have seen a lot of teams using hardly 5% of the features provided by the tool. For example:

  • Use Visual Studio only as a text editor with syntax highlighting.
  • Use Enterprise Architect only to draw UML diagrams

This is synonymous with using an elephant for begging. One of my major endeavors is to use the elephant for doing things that it is meant for.

Always spend time for learning the tool and use it to its full potential.

Target of vishing and credit card fraud

On Saturday evening, 31 Jan 2015, I was the target of a vishing attack. Some smart set of people tried to steal my credit card details. The following things saved me from the fraudsters:

  • Knowing some basics of credit cards (card#, dates, CVV, 3D secure PIN etc.)
  • Knowing the basics of telephone SMS
  • All those articles regarding fraud in
  • Social engineering training from Siemens

Here is how the whole thing went through. I am going to list the phone conversation here between myself and the fraudster. I have reduced the transcript here for the sake of brevity. The call went close to 20 mins. All of them were very polite and had nice fluency in English. The accent was north Indian.

(lady 1) Fraud: Hello. Am I speaking to Ferose Khan saab. (in hindi)

Me: Yes

(lady 1) Fraud: We are calling from icici bank credit card section. It seems one of your credit card’s 8000 reward points are expiring.

(This is a coincidence that made me trust her. I have 2 ICICI cards and one expired recently. May be that card’s points are expiring with it. Also I had close to 8000 points.)

Me: Yes. I have an icici platinum credit card. Is it related to that card?

(lady 1) Fraud: Yes. We will redeem the points for you and send the coupons to your address and credit 5000 reward points since you are our platinum customer.

Me: Okay. But I have changed my address recently. So I am not sure whether that request went through?

(lady 1) Fraud: I will have to transfer you to another agent who deals with address change also.

Me: Okay.

(lady 2) Fraud: Hello sir. It seems you have requested an address change.

Me: Yes.

(lady 2) Fraud: To check that I need to verify your credentials. Can you tell your card number.

Me: 1234 5678 1234 5678

(lady 2) Fraud: Can you tell me the date of expiry?

Me: 11/11

(lady 2) Fraud: To verify your phone number I am going to send an OTP to your mobile and email. Tell me the OTP.

Me: I get an SMS from VM-ICICB “One time password (OTP) for IVR transaction for your card ending with xxxx xxxx xxxx 1234 is 123456.”

(lady 2) Fraud: Can you tell me the OTP.

Me: Yes, it’s 123456. I am a bit confused. Why are you redeeming the points for me? I will be back tomorrow. I can do this on my own.

(lady 2) Fraud: No sir this has to be done now.

Me: Okay. What are the coupons that you are going to send me?

(lady 2) Fraud: Some travel coupons, gift coupons, a free wrist watch, Belt and a branded shoes.

Me: Don’t send those travel coupons. I am not interested in them. There will be a coupon from shopper stop. Can you look it up. That’s what I order normally.

(lady 2) Fraud: (she fumbles a bit and could not answer). Sir actually I am from the verification department. The other department will handle the gift details.

Me: Okay

(lady 2) Fraud: At the back of your card there will be a 7 digit number starting with 1234. Can you tell that number?

Me: But that is my cvv number. Why do you need that?

(lady 2) Fraud: I need that for verification.

Me: No I am not going to give that over phone.

(lady 2) Fraud: So I will transfer the call to my superior.

Me: Okay

(guy 1) Fraud: Hello sir.

Me: I am really irritated now. If my points are expiring why didn’t you call me last month?

(guy 1) Fraud: I am sorry for the inconvenience caused. We tried calling but couldn’t reach you sir.

Me: Okay

(guy 1) Fraud: Are you interested in this automatic redemption service.

Me: Yes. Do it.

(guy 1) Fraud: Can you verify the card valid from date

Me: 01/01

(guy 1) Fraud: Can you turn your card back and tell me the 7 digit number.

Me: Yes. There is a 7 digit number. But that is the cvv number. I am not going to give that.

(guy 1) Fraud: Sir I am not asking any confidential details here. As per icici your date of birth, mother’s maiden name and 3D secure pin are the confidential details. Kindly tell me that number.

Me: If I give that number then you can go and make a purchase. It’s as good as giving my card to you.

(guy 1) Fraud: But that will require your 3D secure pin sir.

Me: But if the store is from out of india for eg You can make a purchase without that PIN.

(guy 1) Fraud: Sir you received an OTP from VM-ICICB just now right. Are you doubting us?

Me: Anyone can send such a message with “from number” being VM-ICICB

(guy 1) Fraud: No sir, it’s not possible.

Me: It is possible. Give me a number, I can send a similar message.

(guy 1) Fraud: Sir are you interested in this service from us?

Me: Yes I am interested.

(guy 1) Fraud: Then kindly provide that number. Without that I cannot update the system. I will increase your credit limit to X amount sir.

Me: But my credit limit is already more than X.

(guy 1) Fraud: In that case it’s okay. To send the free gift kindly tell me the number sir.

Me: No I am not going to give that number to you.

(guy 1) Fraud: Sir you are not listening to me sir. That number is cvv “customer verification value”. It is used to verify the customer. Also when you give the card at any merchant location it is visible to all. You need not worry.

Me: No, it is secure information. In my card I have even scraped that number. I am not going to give that number over phone. If my points will be lost because of that, then let the reward points go to bin. I will cancel the card this Monday.

(guy 1) Fraud: Sir. No sir. Please don’t do like this. You are an esteemed customer based on your transaction. Kindly allow us to provide this service. Are you interested in this service?

Me: yes

(guy 1) Fraud: Then let me know the cvv number.

Me: No.

(guy 1) Fraud: Thank you sir. Nice talking to you.

(call disconnected.)

There are a couple of things that triggered my doubts.

  • When I was telling the card number, she was repeating the number orally. Typically icici would already have this, so they don’t repeat it. I felt something was wrong.
  • Sending an sms from VM-ICICB can be done very easily with the internet based sms clients. I have done it myself. It doesn’t prove that they are from icici.
  • Typically, if I don’t provide some information, icici customer care will cut the call. But here the guys were persistent.
  • When I asked for the shopper stop coupon, she fumbled. This too made me think about the genuineness of the call.
  • They said that the cvv is not confidential information.
  • They transferred the call suddenly without any need.
  • The credit limit stated was less than my current limit.

Mistakes that I made

  • I gave the card number to one agent. (they used the last four numbers in formatting an OTP)
  • To different agents I gave different information. (credit card #, From, To)
  • I should have told them to send an email and cut the call.
  • I took the call at a wrong time (when we were packing our stuff to return and there were a lot of guests returning back). So I was not prepared for it.
  • Whenever I asked them some tough question they transferred the call and started over altogether. This irritated me and also made me lose focus.

Some basics

  • The information that is printed on the back of the card is secure information. Once you get the card, memorize the cvv and scrape it off.
  • If someone demands crucial information over the phone, ask them to send a mail.
  • Ask them some questions like your name, address etc. and verify them.
  • Don’t be in answering mode. This is not a quiz rapid fire round. And if someone calls you, you need not validate your identity. It is they who have to validate their identity.
  • You won’t know when you will get such a call. Be prepared for it.
  • A bank will never take responsibility for such mistakes from your side.
  • 3D secure PIN is only for India. So any foreign currency purchase can be done without that.
  • cvv is card verification value. This is used to make “card not present” transactions. In places where you cannot enter the PIN, this number will be asked for. And the merchant is not supposed to store the cvv number as a part of the transaction. That way the card will not be compromised if this data is stolen.
  • Some purchases don’t show up in the statement immediately. Also be cautious and check the alert SMS sent by banks.

Wish you all safe banking.


Design for People

As a software engineer one has to make design decisions. I always ask my fellow engineers to keep the people factor in mind. The decision should follow the principle of least astonishment (POLA). To explain the POLA I am going to take a real world example. It is easier to remember real world examples.

In recent times I have accumulated a lot of mobile devices. Out of them I am going to take only the following 3 devices:

  • Nexus 7
  • Samsung Galaxy S3
  • Apple iPad

My family members and I use them interchangeably. One of the major use cases is to adjust the volume. After using these devices I know that the volume button is somewhere on the side. I try to use the muscle memory, search for it and adjust the volume. But the experience differs between the devices. I will list them in the order of worst to best.

  • Nexus 7 – This is the worst one among all the three. The volume and power buttons are placed on the right hand side. I tend to push the power button instead of the volume button and then press the power button again and get back to volume control. For a human being it’s hard to remember the exact location of the button unless one has been using the same device for a long time.
  • Samsung Galaxy S3 – In the GS3 the volume buttons are on the left hand side and the power button is on the right hand side. Even though this looks better, again correctly remembering the type of button and left/right side is hard. I tend to do the same thing here too. I press the volume button and course correct later.
  • Apple iPad – Here the volume buttons are placed on the right hand side. The power button is placed on the top. There are a couple of advantages here.
    • In the above 2 cases I actually cross checked the devices for correctness of my post. In case of the iPad it was not needed. I can remember top & sides. But it’s not easy to remember what’s on left & right.
    • I always end up pressing the volume button and never enter an alternate operation by mistake.
    • This provides the best experience for me.

Now the third case, the iPad, satisfies the principle of least astonishment. In the other 2 cases I intend to do something, but end up doing something else and then after a moment of surprise I course correct. Now if you are an engineer, make sure the design decisions follow the principle of least astonishment. It definitely saves a lot of time for your fellow engineer/human being.

To give an example from the software side, guess what the following object represents:

var d = new Date(2011,1,23);

Anyone would guess that it represents 23 January 2011. But if you are programming in JavaScript then it represents 23 February 2011. While the date and year start from 1, the month starts from 0. When I was programming in JavaScript the question I had was: hours, minutes and seconds all start from 0. That is natural. But why does the month start from 0? That was my moment of surprise.
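
The same surprise in runnable form, together with a wrapper that behaves the way a reader would guess. This is an added example, not code from the original post; strictDate and formatLocal are hypothetical helper names. It goes a little beyond the single case above by also covering day, month and two-digit-year rollover.

```javascript
// Added example (not from the original post). strictDate and formatLocal are
// hypothetical helpers; only the built-in Date API is real.

const MONTH_NAMES = [
  'January', 'February', 'March', 'April', 'May', 'June',
  'July', 'August', 'September', 'October', 'November', 'December',
];

// Render a Date from its local-time fields, the same fields that the
// (year, monthIndex, day) constructor fills in.
function formatLocal(d) {
  return `${d.getDate()} ${MONTH_NAMES[d.getMonth()]} ${d.getFullYear()}`;
}

// What the raw constructor does with inputs that look reasonable.
function surprises() {
  return {
    zeroBasedMonth: formatLocal(new Date(2011, 1, 23)), // month 1 is February
    dayRollover: formatLocal(new Date(2011, 1, 31)),    // "31 February" is accepted
    monthRollover: formatLocal(new Date(2011, 12, 1)),  // month 12 is next January
    twoDigitYear: formatLocal(new Date(11, 0, 23)),     // years 0..99 mean 1900..1999
  };
}

// Least-astonishment wrapper: months are 1..12, and any input the
// constructor would silently "repair" is rejected instead.
function strictDate(year, month, day) {
  for (const [name, value] of [['year', year], ['month', month], ['day', day]]) {
    if (!Number.isInteger(value)) {
      throw new TypeError(`${name} must be an integer, got ${value}`);
    }
  }
  if (month < 1 || month > 12) {
    throw new RangeError(`month must be 1..12, got ${month}`);
  }
  const d = new Date(year, month - 1, day);
  // Round-trip check: catches day overflow (31 February, day 0) and the
  // remapping of years 0..99 to 1900..1999.
  if (d.getFullYear() !== year || d.getMonth() !== month - 1 || d.getDate() !== day) {
    throw new RangeError(`${year}-${month}-${day} is not a calendar date`);
  }
  return d;
}

console.log(surprises());
console.log(formatLocal(strictDate(2011, 1, 23)));
```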

Hope you consider the people first when making the design decisions.

Learning Microsoft Azure


Cloud computing is growing day by day. More and more businesses are adopting it. Being a software engineer, one has to learn the recent technologies and be relevant in the days to come. So I decided to spend some time and learn Microsoft’s Azure cloud computing. In this post I am going to list the roadblocks and how to cross them without violating the corporate security regulations.

Pay per use

Learning cloud computing involves money. A valid credit card is needed. Once a credit card is registered, Azure makes a test transaction of $1. Then the subscription is set up.

Azure provides a one month free trial with $150 credit. But this is too short a time to try and learn the Azure offerings. For the initial set of months I paid from my own pocket and learned the Azure services. The bill was not huge but it is a pain.

MSDN Subscription

As a part of our regular software upgrade I received a Visual Studio 2012 with MSDN subscription. An MSDN subscription is a programmer’s treasure box. There are so many things that are available as a part of the subscription. One among them is the $50 Azure credit every month. If one is careful, a lot can be learned with this small credit each month. Now I don’t spend my hard earned money but use this credit. Thanks to those folks at Microsoft and our procurement 🙂

Access Azure from Powershell

Azure has 2 management portals. They provide a nice UI for every management task.

And if, like me, you hate UI and like the command line, then there are 2 offerings from Azure:

  • Powershell cmdlets
  • Node.js based cross platform command line tools

Being a Windows user and having PowerShell readily available, I installed the PowerShell cmdlets. But because of our proxy authentication I couldn’t access the Azure service from these cmdlets. After some search I found a solution. Including the following line in the PowerShell profile makes PowerShell talk to the Azure REST API through our proxy.

[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

Programming for Azure

Azure SDK provides 2 emulators. So before deploying the program to Azure one can locally build and test with these emulators.

  • Azure compute emulator
  • Azure storage emulator

And at times when I had to access the Azure service from a local program through our proxy authentication, a trick similar to the PowerShell one works. Add the following block to the app.config:

    <system.net><defaultProxy useDefaultCredentials="true" /></system.net>

SSH is blocked

To feel the power of Windows Azure, finally I reached the point when I had to create and use the virtual machines. Here again our proxy blocks both RDP & SSH for security reasons. Without these protocols I cannot do anything with the virtual machines. I thought of solving this problem using the cloud itself and found a nice solution. After some searching around I found the awesome “shell in a box” from Google Code. This exposes a shell through a web interface. It also supports https. Now this is how I have made my setup.

  • I have one small VM (Basic/A0) with shell in a box running at 443 (it is speaking https for security reasons). This has to be set up one time from outside the office.
  • I start this machine using PowerShell and ssh into it using a browser.
  • From that VM I ssh into any other machine if needed. (yes the whole world is just an ssh away)
  • Once I am done I shut down this machine using PowerShell.

Keep an eye on the $$$

The last and important point is the money that is involved in learning cloud computing. Always do the following without fail, or else all the free credit will be burnt soon and one has to wait for a month to continue the exciting journey.

  • Always keep a tab on the Azure credit.
  • Based on the utilization it will be green or red.
  • Green means no need to worry. But if it’s red then the money in the subscription will not last for the entire month.
  • Always shut down the VM/service instances that are not needed immediately (not at the end of the day).
  • If there is a need to preserve the IP, keep the cloud service running and shut down only the VM.
  • For some services like websites, database etc. there is a free tier available. Use them instead of the paid tier.
  • Some services like Redis cache are way too costly. Be careful with them.
  • And my rule of thumb is compute is always costlier than the storage.

I am still exploring the technologies. I hope this helps someone who wants to learn cloud computing…