![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Tuesday, February 19th, 2019 05:45 am
so this is all mostly theory, which is the entire problem
In honor of only two days of work this week as Holiday!Monday and Escapade Starts Thursday, I've been contemplating the more esoteric parts of my career, or more specifically, my least favorite part.
For those who don't know, I'm a Quality Control/Quality Analyst; my formal title is System Analyst IV, my job description is program testing, primarily, UAT, aka 'User Acceptance Testing' but have done and will do everything from unit testing to testing live in production literally during and after deployment. UAT is the last line of defense before a program is released in production, and our job is to break it with only the tools and general knowledge available to the average user of this program aka Everyman.
And when I say 'the program', that refers not just to 'one single program' but 'an entire program ecosystem that all work together to do shit'. We call the latter Integration Testing, which combines 'so breathtakingly boring even death avoids you when you have to do it' with 'astronomically high stakes'. For System Integration is literally repeating all your tests on those same damn programs (sometimes you're on your fifth repetition and resent key parts of the alphabet) but now while all programs are connected to each other.
In general, if there are problems, they're tiny; earlier testing of the individual parts of a program and then the program itself should have and generally does catch everything with a realistic chance of happening, quite a bit that realistically won't but possibly could, and some that is technically impossible but when you were on repetition three of the same set of ten to twenty goddamn tests, dev was naturally the target best suited to share your suffering. At that point, they were so goddamn tired of seeing your name on defects they didn't care if it was possible this situation would ever occur, they'd code as if it would happen every day just to avoid how rejection at end of business day inevitably meant that the first thing they'd see in their inbox the next morning would be a gratingly cheerful email that included an essay (and references) on why the defect was not only very possible but could cause the apocalypse if not fixed like right now please, sometimes with malice aforethought in thirteen point Comic Sans.
But I digress.
Let me go back a bit: user testing is basically 'use program like a user would', which on the surface seems less 'a job' than 'doing what everyone does on a computer every day' but salaried with health insurance, a generous leave policy, and a pension on retirement along with paid health insurance until I die. Yeah, I'm totally living the dream here, and also, no.
What you don't know is the average user using a program is an idiot savant with an IQ ranging from 'potato' to 'requires the use of exponents to represent accurately' at the exact same time. Keeping people from deliberately fucking with a program is the testing equivalent of taking crayons from toddlers, comparatively speaking; there are some fairly strict limits for a hacker to work with and very little room for error, and that's before security specialists exercise their professional paranoia on it by assuming any attempt to hack is actually literally going to kill them dead in their beds if they don't stop it and that's not entirely hyperbole.
The average user doesn't recognize limits as a thing or if they notice them, think don't really care or, on occasion, are insulted by them for reasons vague. In horrific wtf example, you can set a text box to integers only for phone number and the end user will somehow paste in their email address and crash oracle. How the fuck is that even possible, we tested for pasting. We didn't test for entering your phone number, saving the page, hitting 'back' to reopen the saved page and for reasons very likely not even malicious control-v'ed their email in there and hit save again.
The answer of 'how' is actually not 'witchcraft' (or at least not only) but does involve 'cache', which is not dissimilar, but yeah, that's one example of how users are the nightmare offspring of chaos theory and honey badgers with fingers that may or may not be individually possessed when they touch a keyboard, you cannot predict this shit.
Now, with that context of user ability to crash oracle with back and control-v, Integration Testing.
As stated, this is not testing one program, but it's also not just testing three and how they interact or even sometimes all the programs. This involves bringing up the entire system with all functionality working and extremely accurate mockups of every single possible program/system that it interacts with or gets data from that we do not own, and not a few belonging to the Federal government. As in, these mockups aren't just supergood at pretending to be terrifyingly secure federal systems that have a start value of twenty years in prison for fucking up, some could pass for copies because fear is really motivating and no one wants to wake up to being responsible for accidentally crashing the United States with a random control-v.
And sometimes--much worse--we get access to the live system when data is read only, and now we get to where 'more boring than anything ever' would be a relief.
Specifically, on those thankfully rare days that Data Broker is involved, because as we all know, the one thing all of us lack in our lives, work or not, is active terror. Data Broker, for those playing the home game, is a database (possibly a literal 'base' I really don't know) where something not unlike your entire life history from SSN/DOB/marriages/children/job history to every address you have ever had and every neighbor you have had at every address and that's just to start. It's super secure, access is incredibly limited, and even looking at the button on the screen too hard creates a log. It can only be used to look up info absolutely required and looking up anyone for any reason outside the specific person you're supposed to be looking up is a firing offense plus felony and the attention of possibly multiple Federal agencies and more acronyms that anyone sane should deal with sober or even drunk. And for the most part, because it's possible your blood pressure isn't critical quite yet nad that must be fixed, 'accident' is not something that is recognized as separate from 'deliberate attempt to identity steal/stalk/blackmail', which is equal to 'deliberately breaking into a federal system'.
Now to be fair, they're not entirely wrong; it is, actually, incredibly hard to do anything accidentally and to get any (criminally useful) data, intent is required. The average authorized user just doing their job has nothign to worry about, and I say that as a former authorized user who accessed it several times a day in the course of my job. In an honestly surprising display of logic, they made it super easy to be ethical even before you had coffee and even should you abruptly become catatonic. Doing evil took effort, and for that matter, more effort than any state employee would bother expending without a consummate increase in salary with or without a higher classification and a blood contract stating two days we could work from home into perpetuity.
(Before anyone even thinks anything close to 'totally overpaid' I am for all intents and purposes an expert, I am legitimately good at my job, and I can and do act as lead and quasi supervisor and check the work of private contractors hired by the state whose salaries at start value are twice mine. If the next statement is 'you could work for them, then', that's possible but problem: they will hire me for the same exact job I am doing now--including leading--but my pay will be equal to or less than now, almost no PTO, higher medical premiums, and no pension, because I don't have a four year degree. Yeah no.)
The problem is I am not the average authorized user accessing the system in production and only know it works for reasons that may or may not involve wizards and elves or not, they never even wonder because, much like gravity, it never doesn't work. I am the one testing brand new code for production that is sometimes interacting with other programs for the first time ever and some of those programs possess code that is also brand new, and combining that with database access where accidents are synonymous with felonies. My job is to not just make sure the code works, but to the average authorized user it is mentally classified as gravity; it works, don't care.
In a very real and not at all logical sense, my job is to do my best to get an accidental felony so the end user doesn't. If it is possible to do it accidentally, I am ethically and morally obligated to mkae it happen. You might even say that the day I am convicted of [you have no idea how many felonies this shit falls under] and sent to a minimum security federal prison, I will have reached the epitome of my career and set the bar so high when it comes to the ethical standards of my profession no one will be able to match, much less surpass me, without the addition of lethal injection and/or quite a bit of electricity. The rush for that hypothetical person would be goddamn amazing which hopefully isn't lost under the entire 'impending death' thing and also I'd be pissed because how the fuck do I top that? Asshole.
On the scale of drama from 'paint drying' to 'lady gaga wearing a meat suit to a PETA meeting with a furry paleo bodyguard' how much am I milking this if not outright lying? Not lying but definitely much higher than paint, but having said that, the principle of uncertainty assures it is not actually ever out of the realm of possibility when it comes to legality. The penalties are explained to authorized users in enough detail to assure PTSD is not out of the realm of possibility, but user testing, funnily enough, was not in mind (or technically existed as such or at least in this form) when the legalities were hashed out and as of yet, no one is really feeling this should change. Technically, a user tester could simultaneously be both an authorized user with all privileges and responsibilities inherent and hackers doing evil, who can really say but a Federal judge, which sure, does have the advantage of some legally defined clarity but also, you know, prison. So uncertainty, not all that bad, really.
And to add to this; Data Broker isn't the only program with some grey area, just the most serious. There are many that have very strict legally-binding access rules that lack clear guidelines on the status of testers, and some with read-write access.
The fear is real, is what I'm saying, and sure, somewhat theoretical, and taken individually, not much. When combined, however, that is a lot of goddamn theory to have just hanging around. Pure chance says one of these totally theoretical concerns will be tested, and while it's unlikely it will be me, 'chance' is now getting a little too big an area as well. Yes, the odds are good I am wasting very valuable worrying time on this which could have been spent on increasing the amount devoted to alien abduction and my rabbits eating me if I fall down in the cage and knock myself out (rabbits? NOT ACTUALLY OBLIGATE VEGAN AND HAVE EATEN MY LASAGNA), but would it be such an imposition to de-grey some areas without duress being involved? Get that out of the way and I could get some serious worry-traction started on the likelihood of Alexa telling me I really want to buy Frye lace-up boots that are on sale to wear for my murder spree while I'm asleep and worse, that I'd wear new leather boots on a murder spree and risk bloodstains on cognac leather. That shit would never come out.
...yes, I am doing integration testing this week. How'd you guess?
For those who don't know, I'm a Quality Control/Quality Analyst; my formal title is System Analyst IV, my job description is program testing, primarily, UAT, aka 'User Acceptance Testing' but have done and will do everything from unit testing to testing live in production literally during and after deployment. UAT is the last line of defense before a program is released in production, and our job is to break it with only the tools and general knowledge available to the average user of this program aka Everyman.
And when I say 'the program', that refers not just to 'one single program' but 'an entire program ecosystem that all work together to do shit'. We call the latter Integration Testing, which combines 'so breathtakingly boring even death avoids you when you have to do it' with 'astronomically high stakes'. For System Integration is literally repeating all your tests on those same damn programs (sometimes you're on your fifth repetition and resent key parts of the alphabet) but now while all programs are connected to each other.
In general, if there are problems, they're tiny; earlier testing of the individual parts of a program and then the program itself should have and generally does catch everything with a realistic chance of happening, quite a bit that realistically won't but possibly could, and some that is technically impossible but when you were on repetition three of the same set of ten to twenty goddamn tests, dev was naturally the target best suited to share your suffering. At that point, they were so goddamn tired of seeing your name on defects they didn't care if it was possible this situation would ever occur, they'd code as if it would happen every day just to avoid how rejection at end of business day inevitably meant that the first thing they'd see in their inbox the next morning would be a gratingly cheerful email that included an essay (and references) on why the defect was not only very possible but could cause the apocalypse if not fixed like right now please, sometimes with malice aforethought in thirteen point Comic Sans.
But I digress.
Let me go back a bit: user testing is basically 'use program like a user would', which on the surface seems less 'a job' than 'doing what everyone does on a computer every day' but salaried with health insurance, a generous leave policy, and a pension on retirement along with paid health insurance until I die. Yeah, I'm totally living the dream here, and also, no.
What you don't know is the average user using a program is an idiot savant with an IQ ranging from 'potato' to 'requires the use of exponents to represent accurately' at the exact same time. Keeping people from deliberately fucking with a program is the testing equivalent of taking crayons from toddlers, comparatively speaking; there are some fairly strict limits for a hacker to work with and very little room for error, and that's before security specialists exercise their professional paranoia on it by assuming any attempt to hack is actually literally going to kill them dead in their beds if they don't stop it and that's not entirely hyperbole.
The average user doesn't recognize limits as a thing or if they notice them, think don't really care or, on occasion, are insulted by them for reasons vague. In horrific wtf example, you can set a text box to integers only for phone number and the end user will somehow paste in their email address and crash oracle. How the fuck is that even possible, we tested for pasting. We didn't test for entering your phone number, saving the page, hitting 'back' to reopen the saved page and for reasons very likely not even malicious control-v'ed their email in there and hit save again.
The answer of 'how' is actually not 'witchcraft' (or at least not only) but does involve 'cache', which is not dissimilar, but yeah, that's one example of how users are the nightmare offspring of chaos theory and honey badgers with fingers that may or may not be individually possessed when they touch a keyboard, you cannot predict this shit.
Now, with that context of user ability to crash oracle with back and control-v, Integration Testing.
As stated, this is not testing one program, but it's also not just testing three and how they interact or even sometimes all the programs. This involves bringing up the entire system with all functionality working and extremely accurate mockups of every single possible program/system that it interacts with or gets data from that we do not own, and not a few belonging to the Federal government. As in, these mockups aren't just supergood at pretending to be terrifyingly secure federal systems that have a start value of twenty years in prison for fucking up, some could pass for copies because fear is really motivating and no one wants to wake up to being responsible for accidentally crashing the United States with a random control-v.
And sometimes--much worse--we get access to the live system when data is read only, and now we get to where 'more boring than anything ever' would be a relief.
Specifically, on those thankfully rare days that Data Broker is involved, because as we all know, the one thing all of us lack in our lives, work or not, is active terror. Data Broker, for those playing the home game, is a database (possibly a literal 'base' I really don't know) where something not unlike your entire life history from SSN/DOB/marriages/children/job history to every address you have ever had and every neighbor you have had at every address and that's just to start. It's super secure, access is incredibly limited, and even looking at the button on the screen too hard creates a log. It can only be used to look up info absolutely required and looking up anyone for any reason outside the specific person you're supposed to be looking up is a firing offense plus felony and the attention of possibly multiple Federal agencies and more acronyms that anyone sane should deal with sober or even drunk. And for the most part, because it's possible your blood pressure isn't critical quite yet nad that must be fixed, 'accident' is not something that is recognized as separate from 'deliberate attempt to identity steal/stalk/blackmail', which is equal to 'deliberately breaking into a federal system'.
Now to be fair, they're not entirely wrong; it is, actually, incredibly hard to do anything accidentally and to get any (criminally useful) data, intent is required. The average authorized user just doing their job has nothign to worry about, and I say that as a former authorized user who accessed it several times a day in the course of my job. In an honestly surprising display of logic, they made it super easy to be ethical even before you had coffee and even should you abruptly become catatonic. Doing evil took effort, and for that matter, more effort than any state employee would bother expending without a consummate increase in salary with or without a higher classification and a blood contract stating two days we could work from home into perpetuity.
(Before anyone even thinks anything close to 'totally overpaid' I am for all intents and purposes an expert, I am legitimately good at my job, and I can and do act as lead and quasi supervisor and check the work of private contractors hired by the state whose salaries at start value are twice mine. If the next statement is 'you could work for them, then', that's possible but problem: they will hire me for the same exact job I am doing now--including leading--but my pay will be equal to or less than now, almost no PTO, higher medical premiums, and no pension, because I don't have a four year degree. Yeah no.)
The problem is I am not the average authorized user accessing the system in production and only know it works for reasons that may or may not involve wizards and elves or not, they never even wonder because, much like gravity, it never doesn't work. I am the one testing brand new code for production that is sometimes interacting with other programs for the first time ever and some of those programs possess code that is also brand new, and combining that with database access where accidents are synonymous with felonies. My job is to not just make sure the code works, but to the average authorized user it is mentally classified as gravity; it works, don't care.
In a very real and not at all logical sense, my job is to do my best to get an accidental felony so the end user doesn't. If it is possible to do it accidentally, I am ethically and morally obligated to mkae it happen. You might even say that the day I am convicted of [you have no idea how many felonies this shit falls under] and sent to a minimum security federal prison, I will have reached the epitome of my career and set the bar so high when it comes to the ethical standards of my profession no one will be able to match, much less surpass me, without the addition of lethal injection and/or quite a bit of electricity. The rush for that hypothetical person would be goddamn amazing which hopefully isn't lost under the entire 'impending death' thing and also I'd be pissed because how the fuck do I top that? Asshole.
On the scale of drama from 'paint drying' to 'lady gaga wearing a meat suit to a PETA meeting with a furry paleo bodyguard' how much am I milking this if not outright lying? Not lying but definitely much higher than paint, but having said that, the principle of uncertainty assures it is not actually ever out of the realm of possibility when it comes to legality. The penalties are explained to authorized users in enough detail to assure PTSD is not out of the realm of possibility, but user testing, funnily enough, was not in mind (or technically existed as such or at least in this form) when the legalities were hashed out and as of yet, no one is really feeling this should change. Technically, a user tester could simultaneously be both an authorized user with all privileges and responsibilities inherent and hackers doing evil, who can really say but a Federal judge, which sure, does have the advantage of some legally defined clarity but also, you know, prison. So uncertainty, not all that bad, really.
And to add to this; Data Broker isn't the only program with some grey area, just the most serious. There are many that have very strict legally-binding access rules that lack clear guidelines on the status of testers, and some with read-write access.
The fear is real, is what I'm saying, and sure, somewhat theoretical, and taken individually, not much. When combined, however, that is a lot of goddamn theory to have just hanging around. Pure chance says one of these totally theoretical concerns will be tested, and while it's unlikely it will be me, 'chance' is now getting a little too big an area as well. Yes, the odds are good I am wasting very valuable worrying time on this which could have been spent on increasing the amount devoted to alien abduction and my rabbits eating me if I fall down in the cage and knock myself out (rabbits? NOT ACTUALLY OBLIGATE VEGAN AND HAVE EATEN MY LASAGNA), but would it be such an imposition to de-grey some areas without duress being involved? Get that out of the way and I could get some serious worry-traction started on the likelihood of Alexa telling me I really want to buy Frye lace-up boots that are on sale to wear for my murder spree while I'm asleep and worse, that I'd wear new leather boots on a murder spree and risk bloodstains on cognac leather. That shit would never come out.
...yes, I am doing integration testing this week. How'd you guess?
no subject
From:...I knew nothing and actually still don't, but I do know now enough to realize now there is no acronym in the US Federal government that has as much power as the USDA has, so much they almost never have to use it. At the time, the governor was under a lot of pushback and pressure to fix the problem with the new computer system that ran food stamps, TANF, Medicaid et al, the Texas legislature was upset, there was shit from the Federal level for Medicare/Medicaid about 'this shit is getting critical, people aren't getting their benefits' because the AARP was showing some crankiness--I could list off all the honestly alarming feedback and letters he was getting, but all of it was still effectively toothless. This by hte way had been building for about three to five years, since I was a caseworker, so it was almost background; everything sucks, must be alive. There was a very real possibility we'd have to literally crash the entire system and be in all the lawsuits ever to even start a re-evaluation but Republicans, so yeah.
The USDA does the equivalent of "Hey, I notice you exist", shit didn't just become real, it did an entire reversal on a dime of everything. Why? Food Stamps. It is not an exaggeration to say not even worst case scenario is bankrupting the state by pulling all our Food Stamp funding--which is Federal money, lots of Federal money, so very much Federal money--while we are still Federally mandated to not stop giving food stamps, so we'd keep doing it until we ran out of money, which give or take two months, tops, maybe three, while cutting funding to every possible thing teh state is not required by Federal law (or state law but that would get squiggly) and rouse pretty much every elder god slash lobbying group in existence and the Eldest Gods the AARP and their vast over-sixty voting pool and that does not include the all the farmers in an agricultural state and the political careers of like everyone up to Congress.
And if you're curious: yes, they would have cut us off without blinking and not even bothered to watch the state burn. Why? USDA-->Agriculture-->Food-->Food Stamps, a program that directly benefits food-making activities, and for all people whine about "CANDY AND SODA BUYING" cute but tiny: milk, eggs, beef, chicken, pork, bread, butter are all on the top 10 and billions of dollars. This program has a positive economic benefit across the board; you can even use food stamps at farmer's markets!
One day, I'll go into more detail on the ACA rollout drama and how they tried to play with hte provisions in regard to Medicaid and ended up showing their belly and making me analyze, parse, design and write tests for, and test a massive portion of the online application process as regards to all the Medicaids halfway through a major release code/test period but I should be drinking first. Not USDA (please God no) but kind of funnier.
(- reply to this
- parent
- top thread
- link
)