Adam Goucher

Multiple Secure Virtual Hosts with Apache

adam — Tue, 07 Oct 2008 13:22:29 +0000

We’re breaking our monolithic application into a series of smaller services that a much lighter-weight Rails application will then utilize. These services will be (initially) sitting on the same machine behind an apache load balancer. The front application will be talking SSL to the load balancer. This post is essentially how to wire this all together (so it can be tested in a configuration similar to production)

Before starting, here are the assumptions I am going to be working from:

The front application is currently able to talk directly to each of the services directly (no proxy or clustering)
Rails is being served by mongrel. Sorry Monorail or Passenger kids; you are too bleeding edge for me
This was written on a mac so some of the security conventions (like sudo for lots of stuff) might be OS quirks

Part 1: Generate SSL Certificates

In production, any customer port that is secured should likely be done through a commercial Certificate Authority (CA) as they have their Root Certificates installed in browsers by default (a perk they pay dearly for). But given that this is being done in the context of testing and the services will only only be used by clients of our creation we can use a pretend CA. The one that is in the copy of OpenSSL that is on this machine is called demoCA. Let’s set it up.

Setup your CA
$ mkdir ~/certificates
$ cd ~/certificates
$ mkdir demoCA
$ mkdir demoCA/certs
$ echo 00 > demoCA/serial
$ touch demoCA/index.txt

Now that you have a bit of infrastructure taken care of, you need to make the CA’s key

$ openssl genrsa -des3 -out ca.key 1024

Then create a new request and sign it with the key in one shot

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Now that we have a CA you can make the request for your service. But first it needs a key too.

$ openssl genrsa -out s1.key 1024

(alternatively you could have added a -des3 to password protect the key, but it is a pain. don’t do it)

Here is the actual request. It is very important that when it prompts you for the ‘Common Name’ (CN) that you put in the host name of the machine you are trying to access. For instance, adam.zerofootprint.net. Crypto is all about trust and one of the checks is that the hostname matches the cn.

$ openssl req -new -key s1.key -out s1.csr

And sign it using our CA

$ openssl ca -in s1.csr -out s1.pem -keyfile ca.key -cert ca.crt

If you put a password on your server’s keyfile, you should remove it. It’s not necessarily as secure anymore, but…

$ cp s1.key s1.key.orig
$ openssl rsa -in s1.key.orig -out s1.key

Repeat the creation of certificates for the amount of services you have making sure to change the name of the files things are saved into.

Part 2: Setup Virtual Servers
I really don’t like how Apache is configured on the Mac by default, so this next section will likely be redundant to Ubuntu or other nicely configured servers.

Everything in Apache for the last couple years has been setup as a Virtual Server. Even the default port (80) is setup in that manner. We’re going to pretend that there are 2 services going to be hosted in this setup. Infrastructure again.

$ cd /etc/apache2
$ sudo mkdir sites-available
$ sudo mkdir sites-enabed
$ cd sites-available

In the sites-available directory you put in the actual virtual host definitions. Here is the virtual host definition I started with for one of the services. I also have one for port 7501.

Listen 7500
NameVirtualHost *:7500


DocumentRoot "/Library/WebServer/Documents/s1"
# you need a different ServerName for each host
ServerName s1.your.site
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/s1-ssl-error.log"

In order to have apache pick up these hosts you need to include them in your main config file. On the mac it is httpd.conf.

Include /etc/apache2/sites-enabled/*

This of course won’t work without a bit of magic. I’m only showing the first service, but you have to do this for each one.

$ cd /etc/apache/sites-enabled
$ ln -s ../sites-enabled/s1 s1

Restart apache and make sure that you can get to all your virtual hosts. They are still running in the clear over http.

Part 3: SSL-ize Virtual Servers
The end goal of course is have communications to these virtual servers to be secured so now we actually turn it on. Again, some infrastructure.

$ cd /etc/apache2
$ sudo mkdir certificates
$ sudo cp ~/certificates/s1.key .
$ sudo cp ~/certificates/s1.pem .

Repeat for each of your service keys that you made in Part 1.

Now modify your virtual hosts

Listen 7500
NameVirtualHost *:7500


DocumentRoot "/Library/WebServer/Documents/s1"
# you need a different ServerName for each host
ServerName s1.your.site
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/s1-ssl-error.log"

# these were all the defaults from the stock mac install; tune as necessary/desired
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/private/etc/apache2/certificates/s1.pem"
SSLCertificateKeyFile "/private/etc/apache2/certificates/s1.key"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "/private/var/log/apache2/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Again, restart apache and see that going to your ports over https works and you have the correct certificate being served (view the certificate and check the CN)

Part 4: Contacting the Nodes
I’m going to skip how you setup a mongrel cluster as there are a tonne of sites that deal with that already. In this example I’m going to have a 2 node cluster.

We’re going to use the same convention for the cluster nodes as we used for the virtual hosts.

$ cd /etc/apache2
$ sudo mkdir nodes-available
$ sudo mkdir nodes-enabled
$ cd nodes-available

In the nodes-available you want to define the members of each node. Each of our services is going to have only 1 node in this example. And each member is going to listen on localhost.

BalancerMember http://127.0.0.1:8000
BalancerMember http://127.0.0.1:8001

Now you might be a bit alarmed that it is using http which is somewhat ironic given the whole point of this is to be more secure, but if someone has the ability to sniff localhost then you are screwed already. Naturally, each member needs to have its own ports and that the ports are correct.

In order to redirect clients around to the various nodes we need to do a bit of modification to our virtual hosts file we created in step 2 and added ssl stuff to in 3. Specifically the Proxy section and the rewrite rules.

Listen 7500
NameVirtualHost *:7500


  Include "/etc/apache2/nodes-enabled/s1*"



  # various SSL settings including certificates for this port go here

  RewriteEngine On
  RewriteRule ^/(.*)$ balancer://s1_cluster%{REQUEST_URI} [P,QSA,L]

That’s all there is to it. Now you will be able to run multiple services on the same host with proper ssl certificates. Once a service has outgrown its ability to share space with the other services you can just move the certificate to a separate machine and tweak the dns to point to the new location (since the CN is the machine name). No service reconfiguration necessary.

Hope this saves someone some thinking.

Types of Exploratory Testing

adam — Fri, 03 Oct 2008 12:41:18 +0000

At CAST 2008, part of my talk was on using skill progression charts to help testers grow just as how (lacrosse) coaches do. At the same time I was saying that I don’t think people new to testing should be given free hand to do exploratory testing as they do not have the library of tricks and problems to draw from.

James Whittaker ends his Prevention v. Cure series (Part 1, Part 3, Part 3, Part 4, Part 5) shares how Microsoft categorizes Exploratory testing which both confirms and makes me question the second point.

Freestyle Exploratory Testing - This is where new testers start at, and as James points out “it’s far more ‘exploratory’ than it is ‘testing’ so expectations should be set accordingly.” Yes, there is value from learning the system, but there is no reason why the learning and testing cannot be done accordingly. I suspect most experienced testers are incapable of doing Freestyle testing. They might claim they are, but they are applying a series of internal heuristics to the activity.
Scenario-based Exploratory Testing - If you are smart, this is where you try to start new testers at. This is a hybrid of the classical scripted testing and SBTM or as James says “involves a starting point of user stories or documented end-to-end scenarios that we expect our ultimate end user to perform.” The person doing the tester doesn’t need to have all the ‘l33t testing skillz’ to design the scenarios, but are encouraged to be brain-engaged with their testing.
Strategy-based Exploratory Testing - Strategy-based testing is the holy grail of exploratory testing where “the better the repertoire of testing knowledge, the more effective the testing.” Notice the better the repertoire aspect of this. It was this point that I was trying to make at CAST as new testers are not going to have the repertoire built-up. Testers with a couple years experience have started build up their own internal metrics and heuristics to apply to a testing problem that new testers just plain cannot have. The kicker is of course that these are continually involving.
Feedback-based Exploratory Testing - This feels like a sub category of Scenario-based Exploratory Testing. You are doing exploratory testing, but rather than executing against a user strategy you execute against some form of feedback. James’ example is code coverage.

Of these 4 buckets, I think the middle 2 are the most valuable. Stategy-based is where you will want to end up if you are going to continue having fun testing software. In the meantime, Scenario-based will help hone you instincts to get there.

5 more 5 questions with…

adam — Mon, 29 Sep 2008 22:28:35 +0000

I’ve been neglecting my 5 questions with… folder recently. Here is the catch-up; with commentary. Of course.

Amol Kher

Models are what developers will hate to love or love to hate - Or both?

Ethan John

I had no idea that [testing] was something I could do for a living. - This is such an important problem for the testing community. One which I have no idea how to fix.

Michael Corning

The first thing a tester needs to know about testing is that you cannot test what you do not understand - Oh I so don’t agree. Maybe if you tacked on a ‘or does not want to understand’ I could go along with the statement. As it is now it is equivalent to saying that all programmers need to know Assembly. Heck, a lot of programmers nowadays don’t even know C and the ‘joy’ that is pointers and manual memory management.
In my mind, the tester is an auditor. The function of the auditor is to attest. In financial auditing, the auditor attests with his or her signature that the financial results fairly represent the financial results of business operations. From this attestation, other decision makers make their decisions. Both the auditor and the tester provide information to the eco-system. - Attestation implies a certain level of guarantee. Again, to cite the diagram in the BBST Foundations material, there are so many factors that attesting to the quality is a trap — at best. An opinion, sure. But attestation? Nope.
I do my best to use the machine to generate test cases for me. - All hail the machine. This to me is the point you want to evolve your automation towards

Keith Braithwaite

Write tests to capture requirements. Count tests written to measure scope. Count tests passing to measure delivery. Use tests to drive design. Use tests to communicate between teams, with customers. Use tests to meet regulatory loads and show compliance without mountains of paper. Oh, and to find defects too. But that last one is just the cherry on the cake. - Count tests to get a useless number; I can write a million tests that provide useless information but still shows 7 figures in the count. Use tests to confuse the customer; maybe he deals with different people in different organizations, but the people on conference calls I have been on would go glassy-eyed in under a minute if presented with tests. Which isn’t bad as they don’t need to know how to read the tests. This applies too to requirements. I’m in this situation now, and it is not enjoyable in the least. Capture the requirements in a document, or series of documents and make sure they evolve with the application. Or better still, put them in a wiki.

Gil Broza
- Think-once-then-automate

The Identifiable Victim

adam — Mon, 29 Sep 2008 01:02:42 +0000

Once again thanks to Dan Ariely’ blog we have the concept of ‘the identifiable victim effect’ (which amazingly doesn’t seem to have a wikipedia entry). He describes this as the effect of one individual, identifiable, victim who is known in full detail can evoke a much deeper feelings, emotions and sympathy than a large group of anonymous individuals.

This has potentially huge ramifications for when we write bug reports. I’ve been saying for awhile that a large part of what we do is marketing (and thus the increase of marketing-esque posts). And I’m not alone on this. The slides for the BBST Bug Advocacy section includes a section on ‘motivating the bug fix’. Here is a line from slide 21 of the course notes:

You may or may not have found the best example of a failure that can be caused by the underlying fault.

I’m pretty sure in this case they mean example to be ‘a reproducible thing you could call a bug’, but example could also be read as ‘a story which conveys the nature or intent of the bug report’. In other words, have you started writing a report which is written in very fuzzy, vague ways or one that is specific to a person (or an identifiable group of persons)?

More on the identifiable victim effect can be found in:

Running Head: Learning about the Identifiable Victim Effect by Deborah A. Small, George Loewenstein and Paul Slovic
Crisis Mentality - Why sudden emergencies attract more funds than do chronic conditions, and how nonprofits can change that by Keith Epstein

(both are big articles and I didn’t actually read them, but they were referenced a couple times when looking up the topic)

There is a lot to think about doing execution replays

adam — Sat, 27 Sep 2008 14:01:27 +0000

I first became aware of the guys behind Power of 2 Games from a post one of them made comparing the speed of various c++ compilers; speed being important in the feedback loop that CI provides you. Their blog is pretty low volume and is generally aimed at the c++ and game worlds but is generally pretty high quality when they get around to making a post.

One of them from this month was a reprint from a game industry magazine in which they talk about using a playback system to aid in their testing. The second part of the article deals mainly with the problems that can trip up your playback system and I think apply even to those who are not using playback techniques for games. Here are the choice bits (with my commentary):

Middleware libraries will often have slightly different behaviors in debug and release mode - Lower environments almost always run with debug symbols, etc. installed. Production rarely does. Think about how, where and why your scripts will be run before trying to get value from them.
As a general rule, treat debug and release builds as if they were different versions
Cranking up the compiler warning level to the maximum will allow it to catch some of the most obvious cases of reading uninitialized variables. For extra checks, I recommend a static code analysis program such as PC Lint. That’s almost guaranteed to catch every use of uninitialized variables (along with ten thousand other things, some of them extremely useful, though most of them you probably won’t care about at all). - Be sure to spend the time to tune what the tool checks for to get rid of the ten thousand things fast or people will ignore the list quickly
… it’s considered a good practice to avoid using pointer values for anything other than dereferencing them and accessing the data they’re pointing to
Data received from the network most definitely influences the game itself, so it’s another input to the game. - I am reminded of a graphic in the BBST course (slide 17) which can be attributed back to Doug Hoffman.
ReplayDIRECTOR - appears to be a record/playback tool on some serious steroids

Ideology vs. Facts

adam — Fri, 26 Sep 2008 12:18:46 +0000

Here are a bunch of quotes from articles originally found via slashdot claiming ‘Studies Say Ideology Trumps Facts’. I think they go a long way in explaining the various political battles that go on in the testing world and how people seem to argue themselves into a corner in the face of (what appears to be) overwhelming facts to the contrary. Likely also explains the eternal optimism of product management in the face of a major bug backlog, etc..

ars technica

Cognitive dissonance won’t help people make rational decisions, but it also suggests that there’s little point in arguing with someone who holds an opposing belief.
The research might also apply beyond the political to other attitudes—I’m thinking of the constant flame wars between fans of the PS3 and Xbox 360, or Mac and PC users.
It seems to suggest that this effect might lead to problems when it comes to efforts to educate people about controversial or politically charged topics

Washington Post

… misinformation can exercise a ghostly influence on people’s minds after it has been debunked — even among people who recognize it as misinformation. In some cases, correcting misinformation serves to increase the power of bad information.
“backfire effect”
Upon hearing a refutation, … might “argue back” against the refutation in their minds, thereby strengthening their belief in the misinformation.

On The Media

… when people are predisposed to buy a piece of bad information, the refutation ends up essentially not correcting the misinformation entirely. It corrects it only part way, leaving residual feelings of negativity toward whoever the target of the misinformation was.

Stickiness

adam — Thu, 25 Sep 2008 12:40:30 +0000

I get a copy of Business Week from my father-in-law after he is done with it. The back page of each issue is by Jack and Suzy Welch where they answer a reader’s question. This week’s was what big business imperative doesn’t get enough attention. Their answer was stickiness.

Quality doesn’t get talk about as much as it used to, but that’s because it is a given.
What is surprising, however, is how exceptional and inventive customer service needs to be to stand out these days
… but another approach to stickiness can pack an even bigger wallop. It requires moving … to a product-and-long-term-service-business by guaranteeing productivity gains to customers
Almost all companies can create stickiness by sharing knowhow.
… unbridled sharing of expertise creates a real affinity …
… many businesses can create stickiness by building user communities. Every year … hosts conferences. These aren’t sales events per se, but you can be sure that attendees leave with a feeling of partnership …
Organizers must come to see the world through customers’ eyes

The first point is a biggie. Now they were talking about manufacturing (I think) but it applies to software as well. Especially when there are viable competitors in the space. Quality should be a given.

The other points are also interesting from a larger, more strategic perspective. How can you share expertise and knowhow? Open up your bug tracker. Or have someone from the QA or test groups contribute to the corporate blog about how they work to protect the customer’s interests.

Which leads to the last point. Running out of ideas to test with? Stop looking at the application with all your insider knowledge. Look at it instead as a user would, without all the tricks and secret switches you have picked up along the way.

Here is a link to the full article to read it in the proper context.

Controlling Apache nodes

adam — Wed, 24 Sep 2008 15:25:46 +0000

We have the pretty standard server configuration of a load balancer (apache) in front of two machines which serve the actual content. Through the process of trying to upgrade a machine I realized they were not configured to easily bring up or down on their own. In commercial production (Websphere and WebLogic for instance) you just go to the admin console and take a node out of the pool. Not so with our rig. Here is the solution I came up with. I think it is pretty elegant (though I am sure it is just reinventing the wheel).

Directory structure - I created 2 directories in the apache config directory (/etc/apache2 in this case): nodes-available and nodes-enabled
Creating the nodes - We had all our load balanced ports in a single file. Those got broken in to separate files depending on which machine they were on. (Lets call them zfp1 and zfp2 for this example.) These files get placed in the nodes-available directory.
```
$ cat nodes-available/zfp1
BalancerMember http://x.y.z.a:8000
...
BalancerMember http://x.y.z.a:8019
```
Enabling the nodes - The nodes are at this point both disabled which is not really an ideal situation. To enable them we create a symlink from the nodes-enabled directory into the nodes-available one for each node. For example, nodes-enabled/zfp1 links to nodes-available/zfp1.
```
$ ls -l nodes-enabled/
total 0
lrwxrwxrwx 1 root root 33 Sep 16 14:12 zfp1 -> /etc/apache2/nodes-available/zfp1
lrwxrwxrwx 1 root root 33 Sep 16 14:36 zfp2 -> /etc/apache2/nodes-available/zfp2
```
Use the new system - Until this point we were just playing with files in a way that was completely transparent to apache. To start using this you need to make use of the Include functionality of apache’s configuration. I changed the reference to the single file (that we split in step 2) to be Include nodes-enabled/zfp*. By using a wildcard we can add more nodes without having to do anything to the actual server configuration. It also means we can use the load balancer for multiple clusters by just having differently named files.
```
  Include nodes-enabled/zfp*
```
Reload the config - Apache will happily run forever without re-reading its config file, so once you are comfortable with your new configuration, so you have to remember to tell it to reload.

All the above is still really only half the solution though. Actually, it is what makes controlling individual nodes possible, but it is a pretty manual process still. For this particular property we are using Vlad the Deployer to manage things, though I suspect you could use Capistrano or Puppet just as easily.

desc 'add a node to the server'
remote_task :add_node, :roles => :load_balancer do
  if ENV['node']
    run %{[ -f #{ apache_root }/nodes-available/#{ ENV['node'] } ] && [ ! -f #{ apache_root }/nodes-enabled/#{ ENV['node'] } ] && sudo ln -s #{ apache_root }/nodes-available/#{ ENV['node'] } #{ apache_root }/nodes-enabled/#{ ENV['node'] } && sudo /etc/init.d/apache2 reload || echo "Node does not exist"}
  else
    p 'You need to specify a node to be able to add it. node=foo'
  end
end

desc 'remove a node from the server'
remote_task :remove_node, :roles => :load_balancer do
  if ENV['node']
    run %{[ -f #{ apache_root }/nodes-enabled/#{ ENV['node'] } ] && sudo rm #{ apache_root }/nodes-enabled/#{ ENV['node'] } && sudo /etc/init.d/apache2 reload || echo "Node does not exist"}
  else
    p 'You need to specify a node to be able to remove it. node=foo'
  end
end

(Yes, I know that the error messages are not very nice, or even accurate in a lot of situations, but it does the job which is all I require of it right now.)

To enable a node you simply do a ‘rake lb:add_node node=zfpN’ where lb is the namespace you created for your load balancer machine and N in this case is the node number. In this example there is only zfp1 and zfp2 but it should scale linearly.

Roodi

adam — Tue, 23 Sep 2008 12:46:02 +0000

I have been looking for a Ruby/Rails equivalent of checkstyle since I started working with it, but have only found a single orphaned project. Until yesterday that is. Yesterday’s Double Shot had a link to the Roodi project. Roodi stands for ‘Ruby Object Oriented Design Inferometer’, but essentially it is checkstyle for Ruby.

The Java community has a rich set of guidelines to build static checks from, but the Ruby community seems to lack that cohesion. That is going to make for an interesting collection of checks over time and no doubt some discussion over what should be and checked and how. Here are the checks it currently does:

AssignmentInConditionalCheck - Check for an assignment inside a conditional. It‘s probably a mistaken equality comparison.
CaseMissingElseCheck - Check that case statements have an else statement so that all cases are covered.
ClassLineCountCheck - Check that the number of lines in a class is below the threshold.
ClassNameCheck - Check that class names match convention.
CyclomaticComplexityBlockCheck - Check that the cyclomatic complexity of all blocks is below the threshold.
CyclomaticComplexityMethodCheck - Check that the cyclomatic complexity of all methods is below the threshold.
EmptyRescueBodyCheck - Check that there are no empty rescue blocks.
ForLoopCheck - Check that for loops aren‘t used (Use Enumerable.each instead)
MethodLineCountCheck - Check that the number of lines in a method is below the threshold.
MethodNameCheck - Check that method names match convention.
ModuleLineCountCheck - Check that the number of lines in a module is below the threshold.
ModuleNameCheck - Check that module names match convention.
ParameterNumberCheck - Check that the number of parameters on a method is below the threshold.

Thats all well and good, but a tool that is not run is just a clever piece of code. And relying on people to remember to run a tool is not a plan I would bet the house on. But that is why we have things like CruiseControl.

Here is a pretty heavily edited version of our Rakefile.

desc "Cruise Control"
namespace :cruise do
  output_dir = ENV["CC_BUILD_ARTIFACTS"]

  task :build do
    ...
    CruiseControl::invoke_rake_task 'cruise:roodi'
  end

  desc "Run the roodi tests"
  task :roodi do
    `roodi -config="#{RAILS_ROOT}/config/roodi.yml" "#{RAILS_ROOT}/app/**/*.rb" > #{output_dir}/roodi.txt`
  end
end

There is not (yet) a roodi_on_rails plugin, though I expect it is only a matter of time, so I just run the tool on the commandline and put the output in the place CruiseControl needs it to display it on the report page. The output is, to say the least, un-pretty but if the community backs this tool I can see it growing nice rspec like reports with links to the actual offending line.

Oh, and here is config/roodi.yml, which is just the default configs for all the rules, but explicit is better than implicit.

AssignmentInConditionalCheck:    { }
CaseMissingElseCheck:            { }
ClassLineCountCheck:             { line_count: 300 }
ClassNameCheck:                  { pattern: !ruby/regexp /^[A-Z][a-zA-Z0-9]*$/ }
CyclomaticComplexityBlockCheck:  { complexity: 4 }
CyclomaticComplexityMethodCheck: { complexity: 8 }
EmptyRescueBodyCheck:            { }
ForLoopCheck:                    { }
MethodLineCountCheck:            { line_count: 20 }
MethodNameCheck:                 { pattern: !ruby/regexp /^[_a-z<>=\[\]|+-\/\*`]+[_a-z0-9_<>=~@\[\]]*[=!\?]?$/ }
ModuleLineCountCheck:            { line_count: 300 }
ModuleNameCheck:                 { pattern: !ruby/regexp /^[A-Z][a-zA-Z0-9]*$/ }
ParameterNumberCheck:            { parameter_count: 5 }

Mirroring People

adam — Mon, 22 Sep 2008 15:18:58 +0000

Michael has explored the usefulness of emotions as oracles when testing. I tend to explain this with a physical component as well; if your eyebrows move, it is a bug. Furrowed in frustration is a sign that we need to explain something better or set their expectations in a different way. Oppositely, when they go up in surprise it can mean the same thing for different reasons.

In this podcast, Dr. Marco Iacoboni discusses ‘mirror neurons’ which allows us to empathize with people. The more neurons, the more empathetic. It so happens that one of the traits of people with autism is that they lack (or disfunction) of these neurons. (The first half of the podcast is the most interesting as it talks about the neurons and how they test for the presence of them. After that, it goes off about the election and a few other things which wasn’t nearly as interesting.)

My first thought when listening was whether we want people in the testing craft to be those with more, or less mirror neurons. On further thought though I think it wouldn’t make much difference as the interaction in a pure testing context is between tester and machine; so no empathy necessary. One place I can think it would be very important is if their role is to debrief testing sessions. In that case you want someone who can pick up the nuances of what people are actually telling you through their voice, body language and inflection.

Walking further out on the limb, I think a lack of empathy might also be valuable when logging bugs. If a developer is having a bad week, a highly empathetic tester might hold back on logging a bug as a result. A person with low empathy would log it anyways. If our primary objective as testers is to identify issues in the code then clearly the low empathy person is the one actually fulfilling the mission.

To link this back to the shaky ground I’m thinking on here.

There are a number of people who are successful in technology who have the minor form of autism called Asperger Syndrome. BitTorrent creator Bram Cohen comes to mind immediately, but I recall reading an article which posited that Bill Gates has a number of the traits of this as well. Does anyone know of someone who has been successful as a tester that has been (clinically) identified as having AS or a more severe case of Autism? Although I have been testing for over 10 years now I have only worked closely enough with about a dozen testers to be able to make any sort of guess about them (rightly or wrongly). In my very limited sample set, I don’t think I have.