What A Lot Of Things

In this latest episode of the "What A Lot Of Things" podcast, hosts Ian and Ash explore intriguing aspects of technology and its broader implications. They delve into the evolving career paths for testing specialists, discussing how testers can navigate organizational challenges and develop fulfilling careers. The conversation shifts to a significant security furore involving the XZ compression tool, where they unpack the complexities of open-source software maintenance and the vulnerabilities introduced by subtle malicious contributions. Throughout, the hosts' lively banter and insightful anecdotes make for a thought-provoking listen that bridges technical details with broader tech culture reflections.

Links
...and our new email address: technologyeeyores@whatalotofthings.com

Creators & Guests

Host
Ash Winter
Tester and international speaker, loves to talk about testability. Along with a number of other community minded souls, one of the co-organisers of the Leeds Testing Atelier. Also co-author of the Team Guide to Software Testability.
Host
Ian Smith
Happiest when making stuff or making people laugh. Tech, and Design Thinking. Works as a fractional CTO, Innovation leader and occasionally an AI or web developer through my company, craftscale. I'm a FRSA.

What is What A Lot Of Things?

Ash and Ian talk about interesting Things from the tech industry that are on their minds.

Ian:

We've got an email address.

Ash:

What's the email address, Ian?

Ian:

Well, it was the subject of considerable, at least internal external monologue style debate. And I came up with some really rubbish ones. But it was not until we got together and started talking about it, that technologyeeyores@whatalotofthings.com really came into focus.

Ash:

So when did we coin the phrase of technology Eeyore?

Ian:

*We* didn't.

Ash:

Oh.

Ian:

It was our listener.

Ash:

Yes.

Ian:

I... the way I said that makes it sound like there's only one.

Ash:

Well, that's fine.

Ian:

And there is more than one.

Ian:

Our listener, Mary, coined that and described us as technology Eeyores. And I felt at the time that that was a very understandable description of us based on our content up to that point.

Ash:

We should get some stickers done, shouldn't we?

Ian:

We should get some stickers done.

Ash:

Because I believe that the image of Eeyore is in the, public domain as well as the

Ian:

I believe it is. So I think maybe I'll go on to my iPad in the same way that I did for the logo that we have on all our episodes and maybe do a "technology Eeyore's" image.

Ash:

We will wear the badge with pride.

Ian:

And the floppy ears.

Ash:

And the floppy ears. See that?

Ian:

Thank you, Mary.

Ash:

Thank you.

Ian:

You've inspired our email address.

Ash:

Okay. So can I make my announcement now?

Ian:

Alright.

Ash:

Alright.

Ian:

Although I feel like the email address maybe had a few more legs in it, but, you know, that's fine.

Ash:

I'm just quite excited about my announcement.

Ian:

Go for it.

Ash:

This is quite monumental. So I've had an, an iPhone 7 plus.

Ash:

Seven.

Ian:

Plus.

Ash:

Plus.

Ian:

We're up to 15 now.

Ash:

Yeah. So which is now 8 years old, nearly 8 years old.

Ian:

Yeah.

Ash:

Still getting security updates, which is kind of a testament to Apple's commitment, isn't it?

Ian:

It is. Yeah.

Ash:

Yeah. So, you know, they know that the world has changed and people perhaps aren't refreshing their phones quite as much as they used to. So they're keeping the old ones up to date rather than saying, well, it's time you get with the now, isn't it, and get yourself a new phone.

Ian:

Yeah.

Ash:

So...

Ian:

Have you, had any time replaced the battery in it?

Ash:

Yes.

Ian:

See, that helps to keep it going.

Ash:

Yes. But I decided that it was time to make a change.

Ian:

What would be the natural change to make from from this point?

Ash:

Well, I thought, well, I could get, like, an iPhone...

Ian:

15.

Ash:

15... or a 12.

Ian:

Yeah.

Ash:

Yeah. But then I thought, let's have a total change.

Ash:

So I've now got a Samsung Galaxy S22 Plus.

Ian:

Plus? Plus. So you've retained a phone model with plus on the end of the name?

Ash:

Yeah. Yeah. Yeah. So that was so that's enough continuity for me.

Ian:

Is it?

Ash:

Yeah. Yeah. So I found a refurbished one as well. So I bought secondhand. So I'm fully leaning into the

Ian:

Reuse.

Ash:

Reuse rather than, you know

Ian:

Replace.

Ash:

Dig up the ocean floor, insert it, and then, you know, insert it into a battery, and then put it in the latest iPhone. So I've rejected the orthodoxy

Ian:

Have you not

Ash:

and gone with refurbished.

Ian:

Have you not watched Apple's videos about, where where mother Earth comes and tells them off?

Ash:

Tells them off?

Ian:

Yeah. There was this whole thing where they did, an ad where, Mother Earth came to their annual check up

Ash:

Right.

Ian:

Of their environmental credentials and was in a negative mood, presumably having been to a lot of other companies' equivalent things in order to to tell them off. Yeah. And then she's grudgingly happy with Apple at the end of the

Ash:

Mhmm.

Ian:

Meeting.

Ash:

Yeah. I'm not sure about that. Feels like propaganda to me.

Ian:

Well, to be fair to Apple, I think their dedication in that area is good. Although, they're laboring under some difficulties. But, I mean, I've got an Apple Watch now, which is carbon neutral

Ash:

Right.

Ian:

To the point where they've even offset all the possible electricity that could be put in it. Yeah.

Ian:

But yeah. So but this is this is about you, not me.

Ash:

Yeah. I keep winning Apple Watches.

Ian:

Do you?

Ash:

Yeah.

Ian:

How many have you got? I can't see any on your wrists.

Ash:

I don't I don't use an Apple Watch because, they're not good for running really. I don't think... they're not good for sport in general.

Ian:

No. This one is.

Ash:

So

Ian:

This one is for all of my, climbing up sheer cliff faces.

Ash:

Alright. Okay.

Ian:

Going for runs in deserts

Ash:

Yeah.

Ian:

Or the Arctic.

Ash:

Alright. Okay. Or maybe I'm wrong then maybe

Ian:

I saw all of those activities on the marketing video for it.

Ash:

That's what I decided.

Ian:

So I immediately had to buy it.

Ash:

So as soon as you put it on, you were like, right. Okay. I'm in the desert, running shoes on, off we go.

Ian:

Well, no. No. As soon as I put it on, I thought, well, that's the hard bit done. But, yes, I recognize that the received wisdom on Apple Watches is they still don't last as long as Garmins.

Ash:

Yeah.

Ian:

Even when they've got Ultra in the name and they last 2 days instead of 1.

Ash:

As long as you put Ultra or Plus in the name, then that totally changes the product, doesn't it?

Ian:

And then Ultra Plus pushes it right over the edge.

Ash:

So the other thing, small thing, that caught my eye was in the Guardian's Techscape newsletter, and it was about ChatGPT's favorite words.

Ian:

Oh.

Ash:

What it's saying is that they don't appear that much in the Internet at large, but ChatGPT uses them quite often. So words like delve, explore, tapestry, testament, and leverage.

Ian:

Well, I think that's a testament to its significant vocabulary

Ian:

Yeah.

Ian:

That gives it the leverage that, enables it to compete so effectively in the, the large language models marketplace.

Ash:

It does kind of explain that when you read the output of a large language model. It seems immediately obvious that it's been written by a large language model.

Ian:

Yeah. But doesn't it make you want to delve more deeply and explore the topics that it raises?

Ash:

Of course. It's all part of the rich tapestry of AI, isn't it?

Ian:

Bingo.

Ash:

There you go. Got them all.

Ian:

Yeah. We can, we can... this is our new copyrighted game.

Ash:

Yeah.

Ian:

You heard it here first.

Ash:

So large...

Ian:

ChatGPT Favorite Word Bingo.

Ash:

So large language model output reminds me of how I used to write until I learnt to do it more simply.

Ian:

Do you do you think it... do you think it makes it not sound human?

Ash:

Yeah. I think so.

Ian:

Because I think it's quite good at sounding human. What lets it down is this kind of slightly flowery language that it indulges in. I, independently of you reading this in The Guardian, found a GitHub...

Ash:

Yeah.

Ian:

...Gist entitled "Chat GPT Cliches". Although, I'm always curious when people write ChatGPT as 2 separate words.

Ian:

I wonder if that's because they're making some kind of point that GPT stands for something and is a separate thing. But I'm pretty sure OpenAI run the 2 things together into one word. But "testament" features at the top of that, in its cliches, "a testament to".

Ash:

A testament to.

Ian:

"Important to note", "Important to understand", it says "fear not" apparently.

Ash:

See.

Ian:

And "multifaceted".

Ian:

I feel like that's a nice word. We should say multifaceted more often.

Ash:

Yeah. It's got "treasure trove" in there. I quite like that.

Ian:

Yes. Which can be "transformative", which it also has in there.

Ash:

It's almost similar to a a business language bingo, isn't it?

Ian:

This, though, is a much bigger bingo card than we were given by the Guardian.

Ash:

Yeah. True.

Ian:

We could be using this to to shed light on that. I can't do it. I can't do it. I'm gonna have to get rid of it, so I can't see it anymore.

Ash:

Okay. Let let let's stop that.

Ian:

Yeah. "And and that was when they all they could say in their podcast was ChatGPT cliches". I I do think that is an interesting one. It's funny that it surfaced for both of us independently. I wonder if it's a...

Ash:

Yeah.

Ian:

...it's a thing that people have just started really noticing.

Ash:

Yeah. I'm not sure that they're cliches either, are they?

Ian:

Strictly, possibly not.

Ash:

Yeah. But I don't wanna get too, like, militant on what is a cliche and what isn't.

Ian:

It might be a metaphor.

Ash:

Yeah. Yeah.

Ian:

Or a simile.

Ash:

Or onomatopoeia.

Ian:

Yes. It might be that. "Oh, dear. And that was when they went over the edge into the into the abyss".

Ash:

Into nonsense.

Ian:

Into nonsense. Oh, dear. Oh, dear. So yes. But I do think it is very it's interesting to see that kind of stuff.

Ian:

And I wonder... what if we did that with Claude or, indeed with, Gemini or Gemma. These are... Gemma is the open source

Ash:

Right.

Ian:

...model from Google. Now I guess it's small Gemini. All of which is just a stupid detail.

Ian:

So going... going back to the point, it's interest it will be interesting to compare, LLMs to find out if they're using the same common words.

Ash:

Uh-huh. Yeah.

Ian:

Although you'd expect Microsoft Copilot to use the same words as ChatGPT because they're the same model.

Ash:

Yeah.

Ian:

But Claude and, Gemini from Google might be, might be different, so it'd be interesting.

Ash:

Maybe we need a "straight talking LLM that tells it how it is".

Ian:

Oh, you mean like Grok?

Ash:

Grok. Yeah. Yeah. Whenever someone says I'm a straight talking person who tells it how it is, I'm like, oh, god. You could have some horrendous views, couldn't you?

Ian:

Well, maybe you'd have to correct them to you maybe you're telling it as you see it. And, you should get some glasses.

Ash:

Are you ready for any Things?

Ian:

Well, it would be unusually soon to start talking about Things. Normally, normally, we make at least an hour and a half of recording before we get to any frivolous topics such as Things.

Ash:

Frivolous such as Things. Yes. Who went first last time in the interest of fairness?

Ian:

Oh, my goodness. That is a an a very good question. Well, last time, we covered see, I'm doing this, trying to do it quickly to make it seem

Ash:

seamless to you. Seamless. Seamless.

Ian:

We covered managing IT service providers and voice cloning. So which one did we do first?

Ash:

I think we did IT service providers, didn't we?

Ian:

I think we did. So that sounds like it must be mine. So therefore, in the interest of fairness, which obviously is very important

Ash:

Is the chief interest.

Ian:

And we've simplified the meaning of fairness to just mean which order we do the things in. So that makes it a lot easier to be fair when you only have to consider that one dimension.

Ian:

Mhmm. Yeah. That simple version of fairness

Ash:

Yes. To to keep...

Ian:

Much more comprehensible for the regular person.

Ash:

Okay. So

Ian:

what do

Ash:

you think?

Ian:

Yes. Ash, what is your thing?

Ash:

So I get to talk about something really vague this time.

Ian:

Alright. Of course.

Ash:

I thought I'll pick something vague, because Ian always picks vague things.

Ian:

And so that must be okay if Ian does it.

Ash:

So so, yeah, it must be it must be successful. So once this is over after, like, 5 minutes Well,

Ian:

I think the woolier it is, the more, more you can make it last for 5 hours, which is a bit of an editing task.

Ash:

Yeah. Yeah.

Ash:

So my thing is career paths for testers or testing specialists.

Ian:

Is it? Well, that's an interesting one. So say a bit more.

Ash:

Yeah. So I was reading, I get the excellent Agile Testing Fellowship newsletter by Lisa Crispin and Janet Gregory.

Ian:

Two luminaries of testing

Ash:

Indeed.

Ian:

Whose contribution has been massive.

Ash:

I'm sure they're on Mastodon somewhere.

Ian:

They probably I

Ash:

thought I'd, I'd gotten away with that without you asking about Mastodon.

Ian:

But?

Ash:

But then I brought it up. So I'm sure that you won't be able to resist some point in this podcast another attempt to try and guide me towards signing up.

Ian:

I don't need to do that. The hand of inevitability is on you now...

Ash:

Do you think?

Ian:

Yeah. I mean, you're you're you're already referring to things on Mastodon, and soon you'll just realize that you need to be a first class player in this...

Ian:

Yeeeeah...

Ian:

...new and exciting and actually rather nice and sweet space. hachyderm.io.

Ian:

hachyderm.io.

Ian:

It's a pun.

Ian:

It's like pachyderm, which I'm gonna go out on a limb and say means elephant.

Ian:

But what they did was that they changed the p... for an h!

Ian:

Dear lord. I've not cried with laughter in one of these for a while.

Ash:

I don't know if we'll be able to recover from that, to be honest.

Ian:

I'm just very happy to have been able to enlighten you and by proxy our, amazing listening public as to to to why Hachyderm is a rather clever name.

Ash:

Puns are best when they're explained.

Ian:

Yeah.

Ash:

In a step by step manner, aren't they?

Ian:

They so are.

Ash:

So so my thing is about career paths for testing specialists. So why do I why do I find this thing interesting? So obviously, as a tester, it's quite dear to me.

Ash:

So Ian's just wiping the tears from his eyes.

Ian:

I promise I'll listen to you any second

Ash:

because I've gone from developer to tester to scrum master and then back to tester, and stayed in that relatively stayed in that role ever since, but always been dragged into, like, the general machinations of an organization afterwards. Even as a tester, kind of get drawn into, you know, like, the wider debates. And partially, it's me, because I can't help but get involved in such things.

Ian:

But it's not just you, is it? Because I was reading on a social media.

Ash:

Would you like to know?

Ian:

I'll give you a clue. The logo is an elephant.

Ian:

A... now you're gonna have to help me here. A tester called Maaret?

Ash:

Yes. The surname, I can't say, and I wouldn't want to. It begins with...

Ian:

It's gonna be difficult because it's nice to say people's names when you cite them. But she has been talking about how she always ends up having to fix the organisation in order to be able to be a tester.

Ash:

Yep.

Ian:

And she made that point very, very well, actually, on this thing. I was just reading it this morning. Yeah. I mean, is that what you're talking about as well?

Ash:

Yeah. Yeah. Inevitably, when you try and do the role of tester well, you then come up against organizational constraint. Whether it be, like, the reputation of testing in the organization, how the rest of the team perceives testing, whether people see it as valuable, or they think that you're an inconvenience, or they want to outsource you, or just get rid of you completely. So with all this in mind, I often find myself at a bit of a crossroads, and more often than not, advised to get out of the testing game and, you know, go and become an engineering manager or an architect or Yeah.

Ash:

Or something like that. So I'm interested. What is the the the career path for a for a tester to stay, you know, to to remain in that role and and excel and add value for the organization?

Ian:

So when I saw you were bringing this to today's episode as your thing, I tried to search for the most senior tester in an organisation, and it was very fruitless, actually. Yeah. So I found a post from somebody who has just got a job as a software engineer at Facebook, but his previous experience has been as an SDET.

Ash:

Right.

Ian:

A software developer. What's the E stand for?

Ash:

Oh, is it software? I should know this. There's software developer in test, and then there's software development engineer in test.

Ian:

Know the difference between SDET and tester. Software development engineer in test.

Ash:

Right. Okay. So similar

Ian:

Yeah. So, but he he and he was go for a software engineer, but that's not all that senior. And I was searching for distinguished engineers Yeah. In large organisations who come from a test background. And that they they they're bound to exist at least to to some point, but I didn't I couldn't find any, and that kind of bothered me.

Ash:

Yeah. Because I always used to have this argument with previous companies. So you would be offered, like, a technical or a people route. So either, you know, you go into security testing or performance testing or, you know, that kind of way, or you become a manager. But what happens if you're a really great exploratory tester, with, like, a flair for finding interesting bugs?

Ash:

There's nowhere to go. You might become, like, a senior tester, but even if you excel at that and add loads and loads of value, there's very few places for you to go that aren't prescribed in technical or people routes.

Ian:

Let's say you had a career stage called a distinguished software tester.

Ash:

Yeah.

Ian:

What would that look like? So probably be called distinguished quality engineer, which would immediately annoy you. Yeah. But let's say it was distinguished software tester. What would that person have to be able to write in their case to be admitted to that professional level?

Ian:

Yeah. What sort of accomplishments would somebody need to have to have done that?

Ash:

Yeah. That's, that's an interesting one, isn't it? Because a lot of distinguished and sort of staff engineers will often pick up either a project or if a business was having, say, security issues, you might a very senior engineer, developer might pick that up and run with it and then, you know, help the business out, and that would be their staff or distinguished project if you like. Yes. So I think that's like a common path because it's like, okay.

Ash:

You've picked up something of value, and you've, you know, you've you've run with it, and you've, you know, changed the business basically into a into a better player. So probably something from a testing point of view would be would be similar as well. So, you know, we're having, I don't know, performance and load problems, so you would expect I would expect, I guess, probably a a principal or distinguished tester to say, right. Okay. Well, let's pick up let's start to, you know, get an approach together for performance and load testing, and then begin to implement it and make some changes based on those those test results.

Ash:

So that that kind of activity. And then maybe something a bit more like cross cutting as well, because I I have been in the principal role before and trying to spend time with each of the teams. Like, so one of the things that, like, I did was I offer a menu of different services to the teams to say, right. This is where we can help you out, you know, better test automation or, training and exploratory testing or whatever it is to try and, like, raise the general level of testing, like, everywhere. But for that role, you put this is like it requires a certain set of skills, then obviously the ability to communicate well.

Ash:

So it might not be for everybody, but you can have a kinda said, you can have a great tester who hasn't maybe got those skills but will be stuck, you know, where they are. And there's what's the progression for for that tester?

Ian:

Well, how do they get into situations where they can begin to learn those skills? Yeah. And a lot of it also is mentoring. Yeah. And I think you would expect someone who is achieving that kind of level in testing to have done a lot of mentoring.

Ian:

But also part of that mentoring is helping people to grow their careers in these kind of directions. And that mentoring has often got sponsorship in it, so it's kind of, okay. Well, I'm gonna recommend you to this project. Yeah. I'm looking for somebody to do this, and we know you haven't got that experience, but I'll vouch for your general ability and and that you want to grow your career, you know, by doing that.

Ian:

Yeah. And so that kind of sponsorship can be very helpful as well. But managing your career, I mean, it took me years at IBM before I even began to really understand about that, and I had some really good mentors, who just completely transformed my understanding of how to do that.

Ash:

Yeah. Yeah. Because I think, like, in the past, I've done less of that because the the the the way forward was clearer. Mhmm. But then I think it's probably like once you get to a certain level, you then need to, you know, have a bit more of a plan to manage, like, what you're gonna do with yourself.

Ash:

So but that's where the going in different directions comes in. So, like, I know loads of testers who've become, say, scrum masters. I went down that path for a while myself as well. So and then they've kind of stayed in that area and become agile coaches or or or whatever. I have a bit of a mixed relationship because I quite like when testers do migrate to other roles.

Ash:

Yeah. Because if a tester becomes a developer, some testers get a bit upset, and they're like, oh, well, you know Splitter. Yeah. Well, or or well, you you did that because you have to to get paid more. Mhmm.

Ash:

It's like, I want to have a bit more of a yeah. Like a a kind of view of it because it's like, well, if a tester takes what they've learned from being a tester into a developer role, I think that's probably like a net positive for, like, the team. So I I think that's that's a good thing, not a bad thing.

Ian:

So I I think you're right. And I suppose in the end, this this has to work for teams, But it has to work for individuals as well. Yeah. I just great specialization in something is sometimes very, very valuable. Yeah.

Ian:

But there are normally when you become very specialized in something, you've gotta pick your thing. Yeah. Because when you as you narrow your experience and your skills, you're implicitly saying, I don't do these other things. I I do this thing. And if you pick the wrong thing and it suddenly goes out of fashion or something, then that can be a mistake.

Ian:

But I feel as though dive diversity of experience is a good thing.

Ash:

Yeah. Because some some testers in terms of path have picked, like, Adi Stokes. He's now like a accessibility specialist. Yeah. So he's picked that as an explicit specialism because he believes in it, and he he wants and knows that things can and should be better.

Ash:

So he's picked it as a as a as a specialty. So that's I guess that's kind of another path, isn't it? So it's like, well, which is slightly more tangential to the normal organizational path. Because, say, if your organization offers you, like, continue to be a tester or go become a people manager, but then if you say, right. Well, I'm going to, you know, deeply learn and bring accessibility testing principles and practices into my work, then you've taken, like, your own path then, haven't you?

Ash:

So I guess you've got 2 things. You've got what's available to you via your organization, and then what's available to you sort of extra organization wide. Mhmm. So and then you can pick, you know, which way to go from there. So that's kind of interesting as well.

Ash:

But, and also I think we shouldn't assume that, obviously, people will stay with one organization and adhere to their career path, because every organization has slightly different ones. So you're probably gonna move around a little bit. Right? Yeah. And that's gonna, like, affect you affect your path.

Ash:

So, but I don't know. I mean, a tester is just like any other role in that regard. It's like for a developer, can you just go, oh, right, there's like an architect path and, you know, team lead path, and then, you know.

Ian:

But I think these things converge as you raise as you become more senior. Yeah. And your deep specializations often become less sort of what you're doing overall because as you become more senior, as you rise through your career, then leadership and dealing with people becomes a more important Mhmm. Kind of thing on the whole. And, you know, if you cut if you can't communicate with people about your subject matter area, then it really holds you back.

Ian:

Yeah. You can't rise up in that way. And so a part of me is sort of thinking, I wonder if the idea of a distinguished engineer is a sort of executive technical position. Yeah. Maybe maybe these things kind of converge, and, actually, you you you become a distinguished engineer from a test background or from a development background.

Ian:

But actually, it kind of blurs together because what what will happen is that when you get into those kind of roles, you're a troubleshooter or you're you're leading very large things that contain your specialisation, but everything else as well. Yeah. I don't think you can retain a deep specialisation. Maybe you can, but probably in in various areas of a bit if it's a very big business, then having a distinguished engineer who really knows about one very narrow thing or product or something might be a good idea. But it seems to me that that as you rise through the the kind of ranks of a technical role, then first of all, you need a a business that lets you do that.

Ian:

Yeah. So it has the concept of a distinguished engineer or, you know, very senior technical role. But if it does, I feel like testers should be able to rise into that as much as any of the other disciplines. Yeah.

Ash:

But maybe that doesn't in my experience, that doesn't really happen. So if I look at, organizations, I think back to organizations I've worked for, and they've had team leads, technical leads, or or whatever. None of them have been testers. It's always been developers. And there's there's some slight sort of oddity there, isn't there, that you don't see technical team leads, architects very rarely come from a tester background, especially with the architects one.

Ash:

I'm like, well, it's a kind of like a a whole system, you know, a systems thinking sort of role, isn't it? Yeah. Where a tester's skills of thinking about risk and impact, and what could go wrong and, you know, what what situations we need to handle would be quite well suited to that role, but it seems to happen quite rarely.

Ian:

Yeah. And I I suppose there's a cultural angle to that. People don't expect testers perhaps to do that.

Ash:

Yeah. And testers don't expect to want to do that either or don't put themselves forward, leave that to someone else because it's like kind of the accepted accepted role.

Ian:

So what do we say to testers? What would you say to testers about how to to transcend that those perceived or actual Yeah. Limitations, career limitations.

Ash:

I think about... I think you told me this story about... I think it was people at Eton were asked were given a situation and said, you're prime minister, and you need to decide.

Ash:

Yeah.

Ian:

This is their admissions...

Ash:

Yeah.

Ian:

...paper that they used to have on their website for...

Ash:

Yeah. Yeah.

Ian:

Sample admissions paper.

Ash:

So it's like, you

Ian:

For twelve year olds.

Ash:

So you go to a you go to a a comprehensive school as it as it were, and you would never get asked that question. So I see it kinda similarly with with testers, because testers have been relatively late admission to development teams. Previously, there would be a a testing team. And then and then people talk about, like, embedded testers. It's like, I I really don't like that phrase because it's part of the team.

Ash:

It's part of the team's work.

Ian:

We've just fired them into a team with very high velocity.

Ash:

But it makes it such it sounds like they're some kind of, you know, external entity Yeah. You know, that's been, like, plugged into this, into this previously, like, unsullied body.

Ian:

Unsullied body.

Ash:

So it's a very, very strange sort of turn of phrase to me.

Ian:

But what it means is teams need to have testers. They need to have those skills. Yeah. Because in the end, who understands what a good testing configuration, if you like, is for a particular project?

Ash:

Yeah. So it all started off quite basic. So I remembered my first sort of jobs transitioning from being on a testing team where all the testers sat together and waited for the thing to come over the wall, to being actually on the development team. I just don't know if we've got, like, a to a comfortable spot with what we want from testers, I think. Because, like, companies, like, often purge all their testers as well.

Ash:

So I remember I think it was Skyscanner that did it. They just sort of one day were like, right. The testers are gone, and it's time. The developers have to pick up the testing work, and and off we go. And that was it.

Ash:

But and they since returned because turns out that, a lot of the developers didn't like it.

Ian:

Well, there's that whole thing, isn't there, about how developers just think, oh, testing is someone else's job so they don't have to do anything.

Ash:

Yeah. But there's this sort of continuous, like, struggle with with testing and testers getting outsourced, purged, and it's always like some sort of quasi religious sort of argument about, like, whether or not, you know, you should have testers doing the testing or developers doing the testing or, you know, god forbid you just try and have, like, a blend of skills, and everyone contributes to the activity.

Ian:

Of the team?

Ash:

Yeah. Of the team. But then some teams get on fine without testers as well, don't they? And that's a good thing to me. I'm like, well, probably.

Ian:

Well, they probably don't get on that well without testing.

Ash:

Yeah. Exactly. So I think in terms of, like, career paths, testing still gets sort of, like I said, insourced, outsourced, purged, re-added. Some teams have testers, some teams don't. It's all like this, like, inconsistency, and I think that contributes to, like, testers continuously having to, like, justify their role within a development team, which is quite exhausting and doesn't help you, like, get on with your career either.

Ash:

No. So I think there's, like, there's lots of subtle blockers in terms of how organizations sort themselves out. There's general perception of testing in the industry, and then you've got others who just seem to say, oh, well, I'm gonna pick up accessibility testing on performance or security, and I'm gonna go and do that. And then they generally get, you know, some career satisfaction out of that. Yeah.

Ash:

And, you know, some think test testers are doomed with AI, but I guess it's

Ian:

Well, they've been doomed before that are still here.

Ash:

Yeah. Yeah. So that was my thing. I'd I find myself, like, always in the middle of this thing because I I I really enjoy testing, and I enjoy being a specialist in it. But, also, I feel the forces trying to either tell me to get out of the testing game or to continue to kind of plow a path in there while inevitably getting involved in the scrapes of organizational I think organizational therapy is the, is the phrase.

Ian:

Well, I found the quote that I was talking about, and while the person that published the quote was, as I said, the person whose quote it was was somewhat different, and that's the quote.

Ash:

As testers, we're often expected to not only do our work, but to fix the organisation to be able to do our work. And that was Anna Beyke who said that, wasn't it? Yeah. So, yeah, very well put.

Ian:

Very well put.

Ash:

Yeah. Superb. But imagine if you had to fix the organisation in order to have a career path. That's tough.

Ian:

Yes. It's something that's more normally, put in the job descriptions of senior managers.

Ash:

Yeah. Yeah. Absolutely. So that's tough.

Ian:

So that was a great thing, and I think there's there's a hell of a lot we could still

Ash:

More questions

Ian:

than answers.

Ash:

More questions than answers, probably.

Ian:

Well, I think but there is a there is something there where you could start to say what the basics might look like. Yeah. And it's gonna be things like, like good mentoring, things like those those wicked problem kind of projects around how things are tested, how you how you lead something like that. I feel like there's some there's some stuff there. But I think maybe the biggest thing from just thinking, you know, about it is is really how do you give testers the feeling that they can do all this stuff Yeah.

Ian:

And that they they they deserve it. Is that

Ash:

No. That being unfair? No. That makes sense. I think, again, from from previous experience, the majority of testers that I have worked with would not put themselves forward for, you know, opportunities like that.

Ian:

So we're saying, Testers, rise up. Yeah. Yeah. Forward the rebellion.

Ash:

Yeah. Yeah. Absolutely. Always. Always.

Ash:

That's the answer.

Ian:

Right? Yeah. Yeah. Superb. Superb.

Ian:

Well, thank you for for that one.

Ash:

Thanks, Ian.

Ian:

So we have the agile interlude and the pigeon interlude. Mhmm. What we did last time. So maybe this one could be a we can't have a joke interlude. That sounds like the kind of thing that appears to be an interlude, but when you look into it properly, there isn't really.

Ash:

Fake interlude.

Ian:

A fake interlude. We could have a fake interlude, which is, more stressful than the, the things surrounding it.

Ash:

I'm about to have an interlude, a job interlude.

Ian:

A job interlude.

Ash:

So that we could talk about that interlude.

Ian:

Do we call that a holiday?

Ash:

Well, part of it would be holiday, but I might put it on my I was reading the other day. Someone had posted on LinkedIn that, so they'd posted about people taking career breaks, on their what what to do, what to put it on your or what to

Ian:

put it as on

Ash:

your CV.

Ian:

So So as to give the impression of, of a valuable interlude.

Ash:

No. A valuable interlude.

Ian:

This is a valuable interlude. Yeah. So agile interlude, pigeon interlude Valuable interlude.

Ash:

But rest is valuable as well. Right?

Ian:

Am I am I setting us on the course now that every time we record an episode, we have to think of a new kind of interlude that we're gonna have?

Ash:

So my CV will have an interlude in it, I'm proud to say. But it's got a few interludes in it, to be fair. So but I'm I'm happy to have an interlude. Good. I don't think we should fear No.

Ash:

The interlude. If if one can do it, then don't fear the interlude. Yes. And I've often come back refreshed and ready for the next thing.

Ian:

Following a

Ash:

Following an interlude. When I've not had an interlude, I've been less refreshed and less ready for the next thing.

Ian:

Yes. Yes. But none of them presumably were pigeon interludes. No. Or agile interludes.

Ash:

Well, maybe agile interludes. Yeah.

Ian:

Yeah. I suppose that's that's very possible, isn't it?

Ash:

Are you ready to begin your thing?

Ian:

I'm just trying to remember what it is.

Ash:

Well, you only wrote it about an hour

Ian:

and a half ago. That's true. That's true. Okay. So my thing.

Ian:

So I bagged this at the end of the last run.

Ash:

Yeah. Yeah.

Ian:

And you were obviously going to compete with me, but instantly forgot that that's what you're gonna do. Yeah. Hence, your wooly your wooly thing.

Ash:

Slightly vague. Stop picking on Tester's thing.

Ian:

Yeah. Yeah. Yes. Don't be mean to Testers, kids. So, my thing is the x zed, he said resolution, refusing to say zed.

Ian:

I've just said it now. The x zed security issue. So this was just astonishing to me. I mean, in but also completely unsurprising. Yeah.

Ian:

I guess the 2 those two sides of it for me were partly that it took such a lot of planning by all these bad actors. Mhmm. You know, they it took them a couple of years to do it. But I'm also very conscious because I do a reasonable amount of development as part of just various projects I'm involved with, and I would never particularly say I'm a software developer. No.

Ian:

But I do end up doing a reasonable amount of writing code. And I'm always including libraries. In Python, I do a lot of things with Pandas and Yeah. LangChain and NumPy and all these kind of libraries. And in JavaScript, I make free use of NPM Yep.

Ian:

Libraries to do things. And as always, I've always been aware that there's a certain danger to that, that there's or I've been aware of trusting when I and so I kind of look at when I look at NPM things that I'm considering using Yeah. I look at them to see, is it a lot of developers?

Ash:

Yeah. Is it is it a lot of developers? Is it up to date? Is it, you know, do they do they keep their packages up to date?

Ian:

Exactly. But that's not the same as any kind of code review.

Ash:

No. No. It's more of a general feel, isn't it?

Ian:

Yeah. And I suppose that what's happened here is that somebody's made a kind of has approached the whole somebody's approached the whole thing of compromising a piece of software Yeah. In such a slow and careful way

Ash:

Mhmm.

Ian:

That that kind of gut feel test is is not valid.

Ash:

No. No. No. It's not.

Ian:

And, there's a couple of really great articles, where people have sort of documented what happened during the course of this this compromise. And it's really an amazing coincidence that it was even noticed at all. But going going going back to how it was done, effectively, people made new accounts on GitHub in 20, I think 2020 or something like that. And they made various minor contributions to open source projects. But then they focused on this XZ compression package that was widely used.

Ian:

Yeah. So a lot of things you've heard of kind of use it in the background, including, SSH, which is how everybody logs on to everything. Yep. And they made this this patch, which introduced this security vulnerability. And then people all these accounts started logging on to the to to the GitHub repository and and leaving all these comments, pressurizing the moderator of the open source project and actually the main contributor by far, pressurizing him to accept these these changes, you know, that you you need to appoint more moderators.

Ian:

This isn't moving fast enough. We need this to be maintained. Blah blah blah. Yeah. That pressure that they applied to him meant that he agreed to this change being incorporated

Ash:

Yeah.

Ian:

Without, I guess, the level of review that he would probably have liked to have done. And it was kind of bullying, really. Yeah. And it just and it's shocking how somebody's giving their time for free on top of a day job to maintain something, and yet it's quite commonplace for people to feel like they can Yeah. Give them a load of abuse for not for not doing things fast enough.

Ash:

It fits with the open source discourse, doesn't it, when you go go to any widely subscribed package, which has an issue of some description. You will see comments saying, this essentially means that I have, you know, I've stopped development, or this is giving us giving us a live issue. When will it be fixed? Yeah. And it's like, well, you know, like you say, the maintainers are like, well, I've got a day job, and I might do it at some point this week or that evening or something.

Ash:

Yeah. But I think it's

Ian:

something more fundamental even longer than that.

Ash:

Yeah. But it's become it's like the clashing of worlds, isn't it? So you've got, like, you've got free free software at the point of use that's meant that's, you know, that's maintained by volunteers being included in systems which, you know, generate 1,000,000,000 of dollars of revenue. So there's the the kind of pressure to to to, you know, to to take it on and and to make sure the issues are fixed, but, you know, that's not like the volunteer way, is it? You know?

Ian:

And you see that, and you can see why so many open source projects are sponsored by large organisations like React, for example, comes from Meta. Yeah. And they field a lot of the developers that work on it. IBM does a lot of that as well. Google do it.

Ian:

Yeah. And without that, you know, you see that there must there are vulnerabilities with these individuals whose packages are very wide. I know there's one you like to cite.

Ash:

Oh, left pad.

Ian:

Yes. Yeah. Where where people are downloading a package from the Internet in into their source code base in order to,

Ash:

Yeah. It's like the classic trope, isn't it, to do something, like, really simple, like adding zeros to the left side of a number. But, again, it's like writing the code to do that yourself in the, you know, in a in a way that hasn't been, like, consumed by 100 of other projects, and all the bugs have been, like, squashed out of it over time by use. There's some real value there, isn't there? Yeah.

Ash:

You know? Which is one of the powerful things about open source software, because instead of I often think of this from, like, a testing point of view. So if your company writes a piece of software and you try and test it, then by the nature of testing, you've only got, like, a limited you can only do a limited amount of testing, whereas open source, well subscribed open source projects are extremely well tested because they're tested by the world Yeah. And by real usage and fixing over time, which is like which you can't, you can't replicate that from a testing point of view.

Ian:

So you have to trust? Yeah. And you focus on testing the bits that are internal that were produced as part of the software package rather than the libraries that

Ash:

Yeah. Yeah. Absolutely. Absolutely. So you have to trust because it it became you know, you look at, like, the sort of I I don't know what the average number of packages in a software project now, but I know that my Mac is full of node modules focused, which, you know, gradually sucking the life out of my my Mac.

Ash:

So you can't go and test all those things. You have to trust and rely upon the testing that's been done as part of that package. And like you say, that look and feel that you have, when you say, well, okay. It's got a 99% rating on NPM or pub.dev or whatever it is. And it's got some tests, and there's not been issues open for months months months from no one fixing it, and they've got a few maintainers.

Ash:

It's like, well, okay. That's probably good enough.

Ian:

You've already demonstrated how much deeper you look into it than I do. But

Ash:

Well, I suppose it depends what you're trying to do as well, doesn't it?

Ian:

There's this wonderful, XKCD cartoon. Do you know the one I'm talking about?

Ash:

Right. Okay.

Ian:

It's, got this very, very elaborate building kind of block construction thing on it, labeled all modern digital infrastructure. And then there's some stuff at the bottom, which is all balanced on this one thing, which is labelled as a project a project some random person in Nebraska has been thanklessly maintaining since 2003. Yeah. And that that cartoon was everywhere when this vulnerability was discovered, all over the social media that you probably didn't And

Ash:

I think the of service. Well, yeah. But I think the word there is thanklessly as well, isn't it?

Ian:

Yeah. Exactly.

Ash:

Yeah. Yeah. Because if you compare it to, say, if you volunteered, as a home help or, you know, at the local leisure center Yeah. To, you know, bring cups of tea out to people, then I suppose you might still get some grief if you did that badly. But you're still a volunteer.

Ash:

You can still withdraw your labor at any time.

Ian:

Yeah. And people would thank you and recognize that Yeah. You were doing that. Yeah. But on the Internet

Ash:

On the Internet, no one says thank you. They just say, when when will you make the change? And it's like, well, you know, they might say that probably has a day job and maybe some kids and, you know, can't just drop everything and do that for you. But like like you said about in this example, with the subtle pressure to say, you know, oh, well, you know, we need this merging because we're trying to do this. And, you know, can we make sure this is in the next release, please?

Ash:

Because it's causing me a problem. You know, all those things. Yeah. And there are, maintainers are obviously humans, and they'll just every now and then, they will maybe merge something that they're not quite ready to merge. Yeah.

Ash:

And I think that that definitely does happen.

Ian:

So the other side to this was how unlikely the process was of it being discovered. Yeah. And, actually, it was a Microsoft engineer called Andres Freund who was mentioned, but he he was doing trying to test Postgres, which he works on

Ash:

Yeah.

Ian:

Which is a database package. And he noticed that some other packages, the SSHD, processes were using a lot of CPU. And then he linked that in his mind to some odd test failures from Postgres from, like, 3 weeks before. And it led him into this investigation where he actually discovered all this. But the chances of that happening were sufficient.

Ian:

You kind of think how many other instances of it are there.

Ash:

Yeah. Especially like like you say, the ones where it's been such a long game in order to to get to this point. Yeah. As a as a tester, I loved the the, the malicious code was part of the test. So, well, basically, binaries that were gonna be used to support the testing.

Ash:

So which I found really interesting, because it's often the case that test code will not be scrutinized Yeah. As closely as, as application code, which I found, like, I think that's that's really it's a it's a really interesting point in there that, you know because I remember, like, hooking up a security scanner, and I I did this. I just said, right, well, it was it was a Java project, so it just went to the, you know, the application source code folder, and just ignored the test folder to do the scan. Yeah. It's like, oh, you know.

Ash:

So there's there's, like, an implicit there's something implicit in there, which is you will treat the test code slightly differently to the application code.

Ian:

But if it was the test code, how how did it affect the SSHD execution?

Ash:

So there was a test code in some makefiles. It said in the video that I watched. So when you run the makefiles, it went and looked in this binary, which was checked

Ian:

in probably patched the source code from the test.

Ash:

Yeah. Yeah. So I I don't sort of fully understand the because someone that I watched the video or someone had reverse engineered it all.

Ian:

We'll include a link.

Ash:

Yeah. But, the other thing that I enjoyed was that, the backdoor was actually in an xz file as well, Yes.

Ian:

Which, you

Ash:

know, the hackers do love a bit of irony. I do. You know, you know, they might not be the, the the nicest actors in the world, but, you know, they do have a little bit of style. So I really enjoyed that as well, but it's part of the analysis of the issue. And I guess with the the, with the chap who's doing the performance testing, Andres Freund, I I quite like that when you do when you do performance testing, you find all kinds of things, and it just shows that one type of testing doesn't preclude another.

Ash:

No. So you do some performance testing, and it shows you where a security issue might be. Whether or not you can understand that and do what he did, and say, well, actually, there were some funny test failures a few weeks ago, and now this. I'm sure that they're they're kind of related. Whether or not you make that that link or not is is probably a bit more sort of open to debate.

Ash:

Mhmm. But by looking at things from different angles, with an individual SSH SSH session, you would never see this?

Ian:

No.

Ash:

Whereas trying to do it at some kind of scale.

Ian:

Well, he was trying to the machine, and he couldn't understand why it was Yeah. I mean and there's that curiosity as well. Yeah. That is another great tester quality that's kind of driving him to find out why why is this happening.

Ash:

Yeah. Yeah. So rather than just dismissing the just having a that's weird moment and saying, just moving on, which you could do in this in this situation. He's gone a little bit further, which is really interesting, isn't it? But I just like that by doing one form of testing, it shows you something about the application, which is not necessarily related to, you know, that form of testing.

Ash:

It's not exactly what you're looking for with that test. Yeah. But the information is there to be looked at.

Ian:

Oh, given that the thing he was testing was something completely else.

Ash:

Yeah. Yeah. Yeah. Absolutely.

Ian:

I always remember back in the day that the scary testing was the nonfunctional testing, and the scariest of all the testing was failover testing.

Ash:

Yeah. That's why you never did it. Right? You just had nice thought exercises. Yes.

Ian:

Yes. Yes.

Ash:

So this is probably what will happen if we fail over.

Ian:

So security testing, you'd always do, and that that wasn't too terrifying. Yeah. But, performance testing was the the one above that, and then failover testing was just the testing the the testing too far.

Ash:

Yeah. Yeah. So do you think that open source software will might I don't know if it will suffer from a a a loss of faith, but we talked a bit about, like, you trust the packages or you have to trust the packages that you in install.

Ian:

Well, I feel like the open source or the software world will have to become resilient against this kind of attack.

Ash:

Mhmm.

Ian:

And I'm I'm sure people are thinking about how that might be able to happen, but I'm wondering about whether AI will Yeah. Because, actually, one thing I've seen with LangChain as I've been using it is that their GitHub issues are managed by an AI. Right. When you put in an issue, it gives you a view of what might be the problem and what other things you might try and stuff like that. And I wonder if pull requests could start being automatically code reviewed by AI.

Ian:

Because an AI code review might well have picked up or given the human enough of a clue that there's something going on here Yeah. That they might have then felt as though I'm gonna look into it myself.

Ash:

Yeah. Well, considering that the malicious code was in a binary, then it would be very hard for a human to, to see that, wouldn't it?

Ian:

Yeah. And, in the end, it's a pull request is is really a list of is is a list of changes, isn't it?

Ash:

Yeah. Yeah. Yeah. Yeah. Absolutely.

Ash:

Because it reminded me of with when we were talking about voice cloning, and we did a you we kind of went down a path where we compared it to, like, open source Yes. And the issue of trust.

Ian:

Mhmm.

Ash:

So because I I think I remember you saying, my general my general intent is to say, let everybody have it and then see what

Ian:

What happens.

Ash:

Yeah. But but this is kind of what happens with because you can go onto GitHub with any any old email, set up an account, and begin to contribute to open source projects, and that's part of the beauty of it. So I can go on to any, any repo that I like, raise an issue, or pick up, you know, a good first issue, fix it, put some documentation in, and then submit a pull request. And then, I don't know, you might get some questions from the maintainers. But in general, that's that's how you start, isn't it?

Ash:

Yeah. So anybody can do that. So good people can people with good intent can do that and people with bad intent. But, again, it's, like, in the same spirit as, well, you've got to give it to them rather than holding it back, because in theory, you could say, okay. So what's gonna happen is is that GitHub is gonna go through an extensive vetting process for everyone who registers an account.

Ash:

Yep. But then what happens? Because then then GitHub is suddenly in control of what happens with open source software to a greater degree than it is now.

Ian:

Well, it's interesting because LinkedIn do that, don't they? You can now be verified on LinkedIn using government ID to to show that you're really you. I wonder but I I wonder what that gives LinkedIn and what it would give GitHub. Yeah. I mean, privacy is a a never ending

Ash:

Yeah. Oh, yeah. Absolutely. Trade off. Yeah.

Ash:

Yeah. But in theory, you have open source software being used in, like, society defining products, banks, you know,

Ian:

hospitals. Well, it's ubiquitous.

Ash:

Yeah. Absolutely.

Ian:

Our phones are full of it.

Ash:

Yeah. So, you know, and essentially anyone can come in and contribute to it, which is a beautiful thing, isn't it?

Ian:

Especially your new phone.

Ash:

Well, yeah. But that's a beautiful thing. Right? It

Ian:

is. And the open source has enabled. It it's enabled the technology that we've got now. We we would be so much further back if it did not exist. Yeah.

Ian:

Yeah. I mean, imagine a world with no Linux in it. I mean, there'd be All

Ash:

set.

Ian:

There'd be no Android. There'd be no Yeah. There'd be no everything we'd all be running web servers on Windows NT or something.

Ash:

Sounds like fun.

Ian:

No. No. It doesn't. Sorry. I don't wanna be be too rude to Windows.

Ian:

No.

Ash:

It's okay. I understand.

Ian:

Assuming you're gonna tell me next that you're going to abandon your Mac and No. Run Windows.

Ash:

No more of that.

Ian:

No more. Cool. So I think, like all the things we talk about, there's much more to say about this, but I feel like I feel like we've been going for a long time.

Ash:

Well, yeah, indeed. But, again, it it's a you know, there's obviously a deeply technical part to it. And then there's, like, the wider societal issue with how it, you know, how it how it happened. And an interesting approach from the hacker to play such a long game to know that this might take years in order to come to fruition, which is really which is really interesting, isn't it? Yeah.

Ash:

It's forward planning in a in a serious, serious way.

Ian:

Almost, you wonder if any government Yeah. Were involved in it. Yeah. And then you get into which ones might it be. Yeah.

Ian:

And, it's there's not a very it's not it's not possible to rule out large swathes of the world Yeah. Doing something like that.

Ash:

And lots of these backdoors probably exist and have been merged into open source software, which is deployed regularly on so this this this was generally consumed into, operating systems, wasn't it? Into into Debian, I think it was, and others. So

Ian:

Well, it didn't get very far, fortunately, because, the the chap spotted it. But you do sort of it does kind of beg the question of what else has happened.

Ash:

Yeah. Well, we won't know until it happens. No. I guess is the is the thing.

Ian:

Okay. I think I will abandon thing there

Ash:

Abandon thing.

Ian:

Say that's my thing.

Ash:

Excellent thing. Loads to think

Ian:

about. Yeah. Or more likely to just worry about without really being able to do anything.

Ash:

Yeah. Yeah. And then just continue to do what we already do, but just with slightly more fear.

Ian:

Would you like me to explain about Hachyderm again to you?

Ash:

Yes, please. I don't think I understood the first time around. I'm not

Ian:

sure the world is ready for that, that level of amusement twice in one episode.

Ash:

No. Probably not.

Ian:

It'll just be, an episode of us just giggling.

Ash:

Okay. So that was 2 things?

Ian:

It was 2 things. And they were quite deep, both of them really.

Ian:

So email us on our email address, which is

Ash:

technologyeeyores@whatalotofthings.com.

Ian:

It so is. Thank you, Mary.

Ash:

Thank you, Mary.

Ian:

No. I I can't think how to stop.