Toyota’s Roadside app bug that delayed my tow, or was it a feature?

The running joke between QA professionals and Developers is to sometimes call a bug a feature. The premise behind it is pure sarcasm on all sides (well at least I think). What one person may consider a bug may actually be a feature and what another person considers a feature may actually be a bug. In between that “bug” and that “feature” may even be a usability suggestion.

Well last week I had the week of all weeks. On Sunday evening my cell phone gave up on me. On Tuesday my printer was malfunctioning. On Wednesday I was on my way to a business meeting with a toddler in tow, as I had been given permission to bring her. I packed lunch, snacks, two laptops, and all the materials I needed for the meeting and loaded them into the car. I turned on my car and it started saying all kinds of things to me, “CHECK OIL”, “CONTACT DEALER”, “BRAKE ON”, “ALIENS ARE COMING”. Okay maybe I’m lying about the alien thing.

I decided to call the dealership first. When I called the dealership they advised that I call Toyota roadside assistance so they could tow my car to the dealership. I then called roadside assistance and received the automated system. The automated system guided me through the process smoothly (at first). A text message and a link were sent to my phone and I was advised to put my phone on speaker and follow the steps. The automated system then guided me through the app. I was able to fill out my name, the type of car I had, what I presumed may have happened to the car and more.

The problem occurred when it came to narrowing down my location. I was allowed to “allow” the location and after I allowed it, my address appeared on the screen. However, there was a map dependency where it forces the user to also point the location with the pin on the map. So even though your address has already been allowed you still have to select it on the map with a pin. Between it being an unusually hot November day and a toddler walking around the car saying, “Mommy, it’s time to go”, for some reason I couldn’t get the pin right. Every time I adjusted the pin it gave me the address of 2 houses up or it would go to a completely different street. When I tried to override it and type my address in again it would then tell me to select the pin on the map. If I didn’t adjust the pin but saved my entry it would give me the wrong address. When I tapped to edit, all of the information I entered previously would disappear and I’d have to start completely over by filling out my name, type of car etc. So eventually I decided to leave the wrong address in and type the correct address with a note in the comment section of the app. In the note I informed customer service why I couldn’t enter the correct address initially. After that I got a call from a roadside assistance customer service rep and they confirmed my address and that the tow was on the way.

Before customer service hung up I suggested that maybe the app shouldn’t be so dependent on selecting the pin on the map. If a user enters an address that should override anything else and the map should update. Or allowing the location should be just what it is. Allow the location and let it be. One person may say there were a few bugs here and some additional usability suggestions. Another person may say the app was fine and it was human error. But what I say is that I am very thankful that my daughter and I were in our home garage and not outside on the road somewhere. Whether it’s a bug or a feature people are dependent on technology and in some situations there may be life or death situations. Or maybe a toddler is just ready to go. No matter the issue this is why we improve upon technology and we know that no build is actually “final”.

So needless to say not only did I miss my meeting on Wednesday I also missed the networking event that I was scheduled to go to on Thursday. It was a rough week.

By the end of the week I felt like I lost the battle but won the war. I had a new phone, I resolved my printer issue, the meeting I was going to on Wednesday for assistance I actually conquered on my own and nailed it. I may have missed Thursday’s job fair but on that same day I was contacted about a 2 day contract assignment that I wrapped up by Saturday morning and enjoyed.

I forgot to mention that when I got my car back on Thursday morning the dealership told me that my car battery had died. They said it was a defective cell in the battery that most likely came from the factory.

I now scratch my head and wonder if it was actually a “feature”. A feature to slow me down. I had been so busy that week I missed taking my daughter to the library earlier in the week for story time. We did a few adhoc activities and picked up some new books. I try to do that at least 1-2 times a week. On that Thursday when I got my car back we went straight to the library after and later that evening I started my contract assignment.


Beginners guide to understanding the sticker details on your ISP’s routers

For those of you who don’t know ISP stands for Internet Service Provider. In simple terms, an internet service provider is any company that utilizes their network to allow you access to the internet. Depending on where you are located this could be Comcast, Verizon, CenturyLink, AT&T, Frontier, Spectrum and more. Here’s a link to find the best ISP’s in your area.

Your ISP usually provides you service through a router. There are two types of routers; wired and wireless. Nowadays wireless is more common. Routers allow you to connect multiple devices to your home network. This includes but is not limited to your laptop, phone etc. Here’s a little more detail on routers.

Below is a picture of my wireless router compliments 

 

Photo credit: AQSCORNER

 

What you need to know about your Router Model Number:

Just like many things you purchase, a router has a model number. In this case the most important thing to pay attention to in regards to the model number is the 802.11n. Please note that your letter may be different. 802.11x references the version of Wi-Fi that you have. The higher the letter the more data the wireless router can obtain. So for example 802.11n can obtain more data than 802.11a.

What you should know about your SSID:

The SSID is the router’s name and stands for Service Set Identifier. This name is often created by the ISP before it is sent to you. In my case the first half of my router name is CenturyLink and the second half is a numeric value determined by the company. This helps them identify and keep track of my router. Once your wireless connection is set up this is the name that you look for when trying to connect. I remember when I lived in New York I changed my SSID to say, “FBI VAN”. From time to time you’ll see people set up different names.

What you should know about your Security Type:

To keep things simple, in 2018 your Security Type is most likely WPA2-AES. This is an encryption method for the data being transferred on your network. So this helps to protect the privacy of your network.

What you should know about your KEY/Passphrase:

A Key/Passphrase is actually your “password”. However, it is called a passphrase because it is a bit longer than a regular password for added security. If you know anything about Multi Factor Authentication you’ll know that users are often authenticated on the following: something they are, something they have, and something they know. One of the examples of something they know is a “passphrase”.

What you should know about your Modem GUI Address:

The Modem GUI (Graphical User Interface) Address is essentially the IP address of the modem associated with your router. The IP address should appear as a numeric value similar to the following format: 192.XXX.X.X. You can open a browser and type your Modem GUI Address into the address bar. You may get a login screen similar to below. My ISP is CenturyLink so this is how my GUI appears. Yours may appear different.

 

What you should know about your Admin Username:

In this case the Admin Username is for your Modem GUI Address. So once you are on the above screen you will log in with your Admin Username.

What you should know about your Admin Password:

The Admin Password is for your Modem GUI Address and is not to be confused with the Key/Passphrase. The Admin Password is for logging into your Modem GUI.

Once you use the Admin Username and Password you may see a screen similar to below:

 

All of the items in the above screenshot allow you to access a particular feature depending on how the GUI is set up. For example when I click “Modem Status” below is what appears on the screen:

The above screen may be useful if you are having a problem with your internet connection and can’t find any immediate issues. Once you contact your ISP you can let them know whether your router is showing a “connected” status or not.

So the next time you call your ISP don’t be so afraid when they tell you to look at the back of the Router. Show off your new tech skills. Have fun exploring your modem but be careful on changing any settings you may not be familiar with.

 

Beginners guide for testing your website against the Heartbleed bug

The “Heartbleed bug” surfaced publicly in 2014. However, it debuted in software long before that in 2011. If you are not familiar with the Heartbleed bug here’s what you should know:

  • The Heartbleed Bug was a vulnerability in the popular OpenSSL cryptographic software library.
  • The Heartbleed bug was a memory leak of protected information.
  • The Heartbleed bug affected the SSL/TLS and was said to be an implementation issue with older versions.
  • The Heartbleed bug not only affected the Transport layer, it also affected the Presentation and Application layers, as it affected HTTPS, SMTP, IMAP, POP3, FTP, and SSL, which is a combination of all 3 layers.
  • The OpenSSL 1.0.1g released on 7th of April 2014 fixed the Heartbleed bug.

Fixing a bug does not mean we shouldn’t still keep an eye on it. In fact, the National Institute of Standards and Technology keeps a national vulnerability database and the “Heartbleed bug” is filed under CVE-2014-0160. “CVE” stands for Common Vulnerabilities and Exposures.

It is everyone’s job to be proactive and protect themselves and their end users against vulnerabilities and exploits. Here are 3 options for you to become comfortable with the process as a beginner:

TEST TOOL OPTION 1: SSL-TOOLS NET

  • After clicking “Test web servers” you would see the below result.

TEST TOOL OPTION 2: PENTEST TOOLS

  • After clicking scan now you should see a similar result to the below.

 

TEST TOOL OPTION 3: NMAP Utility

For those of you who want to get really fancy and challenge yourself you can run a command using nmap:

I’m currently using a mac terminal so these instructions are based on a mac terminal. You may Google further for other options if necessary.

  • Navigate to your mac terminal
  • Before running the test you should ensure that you have the latest version of nmap 
  • Once you are at the terminal enter the nmap command with your host’s IP address. You can copy and paste the below and enter your IP address where the X’s are: nmap -sV xxx.xx.xx.xxx --script=ssl-heartbleed

NOTE: with nmap the “-sV” means: Probe open ports to determine service/version info

Below is an example of a healthy system. If you were vulnerable to heartbleed it would be listed in the port scan.
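When the scan covers more than one host, the output can be triaged with a short script instead of being read by eye. The following is an added example, not part of the original post: it parses constructed sample output modelled on nmap's terminal format, and the function names triage and vulnerable_hosts are hypothetical.

```python
import re

# Constructed sample, abbreviated, modelled on nmap's normal terminal output
# for `nmap -sV --script=ssl-heartbleed`. Addresses are documentation-only.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.012s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH
443/tcp open  ssl/http nginx
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|_    Risk factor: High

Nmap scan report for 192.0.2.20
Host is up (0.010s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
993/tcp open  ssl/imap Dovecot imapd
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>.+)$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?:tcp|udp)\s+(?P<state>\S+)\s+\S+")
# A script header is "| name:" or "|_name:"; nested output is indented further.
SCRIPT_RE = re.compile(r"^\|[ _](?P<name>[\w-]+):")
# Matches "State: VULNERABLE" but not "State: NOT VULNERABLE".
VULN_RE = re.compile(r"State:\s+VULNERABLE\b")


def triage(nmap_text):
    """Map each scanned host to its open ports and Heartbleed-flagged ports."""
    results = {}
    host = port = script = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            results[host] = {"open_ports": [], "vulnerable_ports": []}
            port = script = None
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, script = int(m.group("port")), None
            if m.group("state") == "open":
                results[host]["open_ports"].append(port)
            continue
        if not line.startswith("|"):
            script = None  # script output for this port has ended
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group("name")
        if script == "ssl-heartbleed" and VULN_RE.search(line) and port:
            if port not in results[host]["vulnerable_ports"]:
                results[host]["vulnerable_ports"].append(port)
    return results


def vulnerable_hosts(results):
    """Hosts with at least one port that the script reported as vulnerable."""
    return sorted(h for h, r in results.items() if r["vulnerable_ports"])


if __name__ == "__main__":
    for host, r in triage(SAMPLE_NMAP_OUTPUT).items():
        flagged = r["vulnerable_ports"]
        print(host, "VULNERABLE on %s" % flagged if flagged else "no finding")
```

A host with no ssl-heartbleed block under its ports is the healthy case described above; save your own scan to a file and pass its contents to triage to check it the same way.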

There are many tools on the internet that you can use to check your heartbleed vulnerability status. Take some time to dig deeper.

If you’d like to see a full list of known vulnerabilities and exposures you can view them here.

 

Beginners guide to understanding SSL/TLS and your website certificate

For those of you who may not know what SSL is, it is the acronym for Secure Sockets Layer. In the case of your website SSL is a way to establish an encrypted connection between your website and a web browser. Essentially this is any browser that a user loads the URL to your website in.

Another term you should become familiar with is TLS. TLS is the acronym for Transport Layer Security. In some cases you’ll see SSL/TLS. TLS is the predecessor for SSL. If you are familiar with the 7 layers of the OSI model, you’ll know that the transport layer is the fourth layer and that it manages the packetization of data and also checks for errors. This layer also provides services for the applications as well. The Transport Layer controls end to end connections and works closely with the seventh layer, which is the Application layer. 

In simple terms if your website is “http” and not “https” it is likely that you do not have a certificate and your website is not secure.

My business website is hosted by WordPress.com and while studying for my CompTIA Security+ certification, I’ve decided to take a deep dive into what it means to have a verified site.

ACCESSING THE CERTIFICATE:

I loaded my website in a browser and tapped the lock icon in the top right hand corner. Afterwards, the “Connection is secure” pop up appeared.

From the “Connection is secure” pop up I clicked the “Certificate (valid)” option. After clicking the “Certificate (valid)” option the certificate pop up appeared.

 

The pop up immediately displayed 3 valuable things within a hierarchical structure:

  1. DST Root CA X3 – Root Certificate
  2. Let’s Encrypt Authority X3 – Intermediate Certificate
  3. aqscorner.com – Domain Name

DETAILS ABOUT THE CERTIFICATE PROCESS:

Let’s Encrypt is an automated and open certificate authority created by the Internet Security Research Group. These certificates provide users with the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free. Since “Let’s Encrypt” is still fairly new it also requires additional verification from another certificate. This process is referred to as cross signing. In the cross signing process the intermediate certificate Let’s Encrypt Authority X3 is signed by ISRG Root X1. ISRG Root X1 is still not yet trusted by most browsers so it’s signed by the certificate authority IdenTrust, whose root is already trusted in all major browsers. IdenTrust has cross-signed the intermediate certificate using their DST Root CA X3. After that, Let’s Encrypt issues to the domain name aqscorner.com.

 

 

 

GENERAL BREAK DOWN OF THE CERTIFICATE DETAILS:

 

  • Subject Name

Each of the 3 items in the hierarchical structure (DST Root CA X3, Let’s Encrypt Authority X3, and the Domain Name aqscorner.com) has a subject name. The fields associated with the subject name are the organization and the common name. When you view the details you will see that the organization and common name are similar to one another.

  • Issuer Name

Each of the 3 items has a certificate issuer. Digital Signature Trust Co is the issuer for DST Root CA X3 and Let’s Encrypt Authority X3. Let’s Encrypt is the issuer associated with the domain name aqscorner.com.

  • Public Key Info

Each of the 3 items has public key information displayed. You will see the RSA encryption in the algorithm section. RSA is an asymmetric cryptography algorithm. The value in using an asymmetric algorithm is that it works on two different keys (private and public). The Public Key is given to everyone and the Private Key is kept private.

  • Extension

Each of the 3 items has an extension. The extension section verifies the key usage. Key usage includes the common digital signature and key certificate signatures. However, it also includes a Certificate Revocation List (CRL) Sign and Key Encipherment. A “CRL” is a list of digital certificates that have been revoked by the issuing certificate authority and should no longer be trusted. Key encipherment is when the key in the certificate is used to encrypt another cryptographic key.

  • Fingerprints

Each of the 3 items has a fingerprint. A fingerprint is the unique identifier of the certificate. In the case of my website SHA-256 and SHA-1 are being used. SHA stands for Secret Hashing Algorithm. The differences between the numerical value is the encryption bit. SHA-256 is a larger encryption bit than SHA-1, as SHA-1 is a 160 bit encryption.
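A fingerprint is computed by hashing the certificate's binary (DER) encoding, which is why the same certificate shows one SHA-256 value (256 bits) and one SHA-1 value (160 bits). The following is an added example, not part of the original post: it recomputes both values and compares them with a fingerprint copied from the browser dialog. The function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import ssl
import string

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a hash
# over the DER bytes, so any byte string shows the mechanics offline.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

HEX_DIGITS_TO_ALGO = {64: "sha256", 40: "sha1"}  # 256 bits / 160 bits


def fetch_leaf_pem(host, port=443):
    """Fetch the certificate a server presents, as PEM (needs network).

    The certificate is returned without being validated, which is fine for
    inspecting it but is not a trust decision.
    """
    return ssl.get_server_certificate((host, port))


def fingerprints(pem):
    """Return SHA-256 and SHA-1 fingerprints in the AA:BB:... browser style."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    result = {}
    for algo in ("sha256", "sha1"):
        digest = hashlib.new(algo, der).digest()
        result[algo] = ":".join("%02X" % byte for byte in digest)
    return result


def matches(pem, expected):
    """Check a certificate against a fingerprint copied from a dialog."""
    # Accept colons, spaces and either letter case, as different tools print.
    wanted = "".join(c for c in expected if c not in ": \t\r\n").upper()
    if not wanted or any(c not in string.hexdigits for c in wanted):
        raise ValueError("fingerprint must be hexadecimal")
    algo = HEX_DIGITS_TO_ALGO.get(len(wanted))
    if algo is None:
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits")
    actual = fingerprints(pem)[algo].replace(":", "")
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    for algo, value in fingerprints(SAMPLE_PEM).items():
        print(algo, value)
```

With network access, passing the result of fetch_leaf_pem for your own domain to fingerprints should reproduce the values shown in the browser's certificate pop up.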

This article is just a general overview to get you started with understanding the security of your website. Take some time to explore your website certificate to see what you learn.

 

 

Microsoft Office Shortcuts you should know for Windows Environment

My very first Job when I graduated College in 2002, was working for an outplacement firm. This firm helped clients who were laid off gather the tools to re-enter the workforce. So I spent a very large portion of my day editing and formatting resumes. I had to learn a few keyboard shortcuts. In the workplace you will find these shortcuts helpful if you find yourself using MS Word often.

CTRL+U = Underline your text (This shortcut can be used prior to typing the text or once you have typed the text you can highlight and use the shortcut)

CTRL+B = Bold your text (This shortcut can be used prior to typing the text or once you have typed the text you can highlight and use the shortcut)

CTRL+I = Italicize your text (This shortcut can be used prior to typing the text or once you have typed the text you can highlight and use the shortcut)

CTRL + C = Copy your text

CTRL+V = Paste your previously COPIED text

CTRL + A = Select All text

SHIFT+F3 = Turns your selected text into all CAPS

ALT + PrntScr = Take a screenshot of an image, page etc. (The purpose of this shortcut is if you want to send someone a snapshot in another program, you have the ability to do so. After you take the snapshot you can do a CTRL + V to copy and paste)

This article was originally published on my tumblr blog in 2012.

4 things newbies should ask a self hosting service, before signing up

Obviously there are a ton of questions you could ask. However, I wanted to include 4 very important ones that are rarely asked by newbies. Many newbies often go by the consensus. Meaning they go by what everyone else has told them. People will tell you things like, “it’s cheap”, “it’s easy to use”, and the most popular one, “I’ve never had a problem with it”. These are all good things to know.

However, none of these things will help keep you safe. As I stated in my article, nothing is 100% safe. However, you should do everything you can to create a secure environment for both yourself and your visitors. When I self hosted a WordPress.org site during a class with Skillcrush, I used WP Engine, as they were recommended by Skillcrush. For me, they were a role model hosting service. In fact, working with them was part of my inspiration for this article.


Here are your top 4 questions:

Is Secure Socket Layer Certificate included in their package

If you are a newbie you are probably reading this like WTF is that! Here’s the thing, this feature is so important, that I will tell you not to sign up with any hosting company that makes you pay for it separately. As that means their priorities are completely out of order. Check out this article from Google where they talk about why they started to label any site that is not secure as unsafe. To skip right to the good parts of the Google article “HTTP” is not secure. “HTTPS” is.

If you are on an “HTTP” site someone can easily manipulate the data before it gets to you. Having an SSL Certificate encrypts the data, which makes it not so easy to manipulate. I say “not so easy” because again nothing is 100% safe. You just want to make sure you are not making things easy for hackers. As a user, I personally jump right off sites when I see “HTTP”. If you are a site that is selling something, I really don’t care if I can go to your site and get “HTTPS” on checkout. I’m not coming back if the rest of your site is “HTTP”. I want your entire site to say “HTTPS”.

Do they perform any security testing for new plugins or themes

Just because somebody created it and you’re allowed to install it, doesn’t mean it is safe! This should be a common thing for any Self Hosting Service that you utilize. Self Hosting allows for a lot of open source work to be done. When the term open source is used that means that anyone on the internet has access to it and can manipulate it whenever or however they want.

In simple terms that means any hacker can write code and put it in a plugin or a theme. Since you most likely have no way to confirm what is safe and what isn’t, you need to know someone is doing that for you.

How will they protect you if your site has been hacked

This is not just what’s written on the website. You should actually ask questions about this. Ensure that they can tell you about the steps they will take you through if you contact them and say you have been hacked. The conversation should start off with them telling you how they will verify you. This should include but is not limited to; how they verify you every time you sign into the portal, call in with a question, or how they verify you when using their online chat support.

So basically, you need to know if they are going to help you. Or if you are going to have to pay 30k to get your site back like this young lady. I sincerely appreciate her sharing her story. She shed light on so many things. Some things she mentioned about her hosting companies will shock and disturb you.

How great is their customer support

It’s nice that the site says 24/7 support, but you should know exactly what that entails. If your site is self hosted, that means you are always trying out a ton of new things. At least that’s why most people choose self hosting, as they want the flexibility to do whatever they want. You need to sign up with a self hosting company that doesn’t just say they have 24hr support, but actually does. As a newbie you need to know if you will be able to get someone on the phone when you call in. This should be in addition to the online chat support.

Please note that this article is not an advertisement for any particular service. This article is to get newbies to start thinking on their own feet. No matter what service you choose. Do your research. You can also check for local hosting companies in your city or state and possibly support a local small business if they are good.

Check out my article, “Here’s why WordPress.com is more restrictive than WordPress.org”

Here’s why WordPress.com has more restrictions than WordPress.org

People get so offended when they hear “WordPress” and “.com” in the same sentence. When you mention these two things together, you inherently become the dumbest person on earth (to them). If you think I’m being dramatic just go ahead and say WordPress.com in a crowded room. I dare ya!

Here’s the thing, both WordPress.com and WordPress.org are open source platforms. To keep things simple, open source means that anyone can contribute to building it. Even that hacker that probably wants to steal your data. The truth about the internet is that no one thing will keep you 100% safe.

As I type this, there is a hacker somewhere trying to find new ways to do awful things. However, you heighten the chances of being hacked when you don’t practice safe “interneting” (interneting, is not a real word, but it sounds nice).

Please take the time to read the WordPress.com plans page, the FAQ at the bottom is pretty helpful.

To make things easy, I copied and pasted 2 interesting FAQ’s below:

Can I install my own theme?

We don’t currently allow custom themes to be uploaded to WordPress.com. We do this to keep your site secure but all themes in our theme directory have been reviewed by our team and represent the highest quality. The business plan even supports unlimited premium theme access.

Can I upload my own plugins?

While uploading your own plugins is not available on WordPress.com, we include the most popular plugin functionality within our sites automatically. The premium and business plans even include their own set of plugins suites tailored just for them. Check out all included plugins.

AQ’s Corner site is currently being hosted by WordPress.com. I am taking advantage of the Business plan and I enjoy it. It works perfectly for all of my needs. Whenever I need enhancements I can quickly enable them. I also have access to hundreds of different themes. When being hosted by WordPress.com doesn’t suit the needs of my business, I’ll transfer my account to a site that allows for self hosting.

However, I’ll be utilizing WP Engine or some other hosting service that is known for being secure, not just cheap. To be clear, we all want affordable, but if that is the main thing a web host is known for, you should find another one. WP Engine is known for their security. I learned about them while taking a WordPress Developer class with Skillcrush.

Even though WP Engine is a hosting service that allows you to control your own website, they also check plugins to ensure that they are safe. If you upload a plugin that is not allowed, it will not be enabled (I did that once). I contacted them and they advised that it was not an approved plugin. I definitely appreciated the extra layer of security while using WordPress.org.

Truth be told, I was going plugin crazy and just started installing stuff. Which will happen. Every time someone tells you about a plugin to make things easier you’ll opt for the plugin, rather than taking time to learn your theme. Or even taking the time to say, “is this plugin safe”. You need a web host that has your back. The customer service was outstanding as well.

Fun Fact: While researching for this article I learned about VIP WordPress.com. VIP WordPress.com is a web hosting service used by the elite of WordPress.com. Though the VIP service isn’t for the average person, as the plans are beyond expensive. One thing VIP WordPress.com has in common with WordPress.com, is that they are serious about security. So essentially there are clients willing to pay 10k per month, just to use WordPress.com rather than WordPress.org.

This is not a shot at WordPress.org because I’ve used it before. This is so beginners can understand that they shouldn’t overlook something just because another person said it was a dumb idea. It’s critical to do your own research.

VIP WordPress.com clients include New York Times, New York Post, Time, Dow Jones and more. So the next time someone tells you that going with WordPress.com is dumb, you can let them know you’re among the elite of the internet.

Check out my article on what to ask your self hosting service.