#ShellShock Bug attacks BASH

I saw this on The Register (original Article HERE), but thought the story was important enough to post –

Patch Bash NOW: ‘Shell Shock’ bug blasts OS X, Linux systems wide open

Updated A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.

It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn’t vulnerable, but busted versions of Bash may well be present on the systems anyway. It’s essential you check the shell interpreters you’re using, and any Bash packages you have installed, and patch if necessary.

“Holy cow. There are a lot of .mil and .gov sites that are going to get owned,” security expert Kenn White said on Wednesday in reaction to the disclosed flaw.

The 22-year-old bug, dating back to version 1.13, lies in Bash’s handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it’s surprisingly easy to do so.

According to the NIST vulnerability database, which rates the flaw 10 out of 10 in terms of severity:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

An advisory from Akamai explains the problem in more depth, as does this OSS-Sec mailing list post.

Proof-of-concept code for exploiting Bash-using CGI scripts to run code with the same privileges as the web server is already floating around the web. A simple Wget fetch can trigger the bug on a vulnerable system.

You can check if you’re vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words “busted”, then you’re at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Jim Reavis, chief exec of the Cloud Security Alliance, claims the hole is comparable in seriousness to the infamous password-leaking Heartbleed bug in the OpenSSL library that was uncovered earlier this year.

“A large number of programs on Linux and other UNIX systems use Bash to setup environmental variables which are then used while executing other programs,” Reavis explained in a blog post.

“Examples of this include web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file.

“In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird MIME types.”
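A log check for the header-borne injection described above, added here as an example (it is not from The Register article or from this blog): it scans access-log lines in the Apache "combined" format for the "() {" function-definition prefix used in the test string earlier. The log lines and addresses are constructed samples, and the names scan, COMBINED and SIGNATURE are chosen for this example.

```python
import re

# Apache/nginx "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)

# Signature: the "() {" prefix that makes an environment value look like a
# function definition (as in the article's test string). Optional whitespace
# is tolerated so that spacing variants are still flagged.
SIGNATURE = re.compile(r'\(\s*\)\s*\{')

# Client-controlled fields that the combined format actually records.
FIELDS = ("request", "referer", "agent")


def scan(lines):
    """Return (findings, unparsed).

    findings: list of (line_number, client_host, field_name) for every
              logged field that contains the function-definition prefix.
    unparsed: number of lines that did not match the combined format and
              therefore could not be checked.
    """
    findings = []
    unparsed = 0
    for line_no, line in enumerate(lines, start=1):
        match = COMBINED.match(line.rstrip("\n"))
        if match is None:
            unparsed += 1
            continue
        for field in FIELDS:
            if SIGNATURE.search(match.group(field)):
                findings.append((line_no, match.group("host"), field))
    return findings, unparsed


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    # 1: ordinary request; parentheses in the User-Agent are not a match
    '192.0.2.10 - - [25/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # 2: the article's test string carried in the User-Agent header
    '198.51.100.7 - - [25/Sep/2014:09:12:44 +0000] "GET /cgi-bin/status HTTP/1.0" '
    '200 312 "-" "() { :;} ; echo busted"',
    # 3: the same string carried in the Referer header
    '203.0.113.5 - - [25/Sep/2014:09:13:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 208 "() { :;} ; echo busted" "Wget/1.15 (linux-gnu)"',
    # 4: "()" in a query string without a following "{" must not be flagged
    '192.0.2.33 - - [25/Sep/2014:09:14:10 +0000] "GET /js/app.js?cb=init() HTTP/1.1" '
    '200 1834 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1)"',
    # 5: malformed line, counted as unparsed rather than silently skipped
    'garbage line without the expected fields',
]


if __name__ == "__main__":
    hits, skipped = scan(SAMPLE_LOG)
    for line_no, host, field in hits:
        print(f"line {line_no}: {host} sent a function-definition prefix in {field}")
    print(f"{skipped} line(s) could not be parsed")
```

The combined format records only the request line, Referer and User-Agent, so a payload sent in any other header will not show up in these logs; a clean scan does not replace patching Bash.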

Robert Graham of Errata Security, who suggested the name Shell Shock for the Bash flaw, also said the programming cock-up is as severe as Heartbleed. But he noted: “There’s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug.

“However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.

“A lot of wireless routers shell out to ping and traceroute – these are all likely vulnerable.”

The vulnerability (CVE-2014-6271) affects Apple’s OS X – and is useful for privilege escalation – as well as major flavors of Linux. Fortunately, patches are already available, and distros are ahead of the game in responding to the flap. BSD distros that do not use Bash are safe, obviously. Apple users will need to get their hands dirty until Cupertino issues a fix.

Red Hat security engineer Huzaifa Sidhpurwala has a rundown of the at-risk software, here. ®

Updated to add

Linux vendor Red Hat has warned the patch to fix Bash is not complete, and there are still ways to inject commands via environment variables. In an update at 0310 GMT, Red Hat said:

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

 


25. September 2014 by edbellmcse
Categories: Uncategorized | Leave a comment

Demon In A Bottle

It’s a great time to be a geek (or NERD).   I have said numerous times that I never (even in MY wildest dreams) thought I would be seeing some of the comic books I love come to life like they are now in theaters.

Some of you may recall my excitement leading up to the first Iron Man, and then there was Nick Fury hinting at the Avengers.  No WAY!  I thought they couldn’t pull that off, because there was no established group yet – and we would never see HellCarriers in a movie…..even Hollywood couldn’t do that.

We then got a pretty good Hulk (sadly losing Ed Norton), a passable Iron Man 2, Thor…and then, it all came together with Captain America.  IMO – a near perfect origins story.

When the Avengers came out – Downey stole the screen again, the team came together….AND there were Hellcarriers!

 

At this point, Marvel could do no wrong – and this was proven out this year with Winter Soldier and Guardians of the Galaxy.  Winter Soldier made a super hero movie that plays out like real life (as one can be in the Marvel Universe) and GotG took a product not many had heard of, and made it a phenomenon. 

Remember when I said it was great to be a Geek (or Nerd)?  This is why – because of arguing about how bad a movie was (Fantastic Four anyone?), we can nitpick on the great things – which leads to  this article.

With the current popularity of GotG – you knew at some point we would hit saturation. Everywhere you turn, you have Groot popping up, and now even Marvel is jumping their own shark.

Over at Comic Alliance, you have the headline Marvel Announces Rocket Raccoon And Groot Homage Covers.  In the article, you learn that Marvel is going forward with some variant art covers, portraying Rocket and Groot in some classic scenes.   Personally, I am underwhelmed – liking only the Thor crossover.  But the one I despise the most is this one – the take on Demon in a Bottle.

 


As cute as baby Groot is, you don’t mess with the inner turmoil of Tony Stark or possibly one of the greatest storylines in Iron Man history.  Especially when Disney is so afraid to do this story line – because of the kids going to see the movies.  Either you respect the brand (and don’t tease us about it in other movies) or you leave it alone by not marketing to kids with your two new cash cow characters.  You can’t have both.

Ugggh – now I want an R-Rated Marvel Universe movie (please do  a Punisher movie right!).

See what I mean – the world is so great in the Marvel Universe, we are debating (we can’t even argue) about variant comic covers.  Life is good!  Am I off base on the Demon in a Bottle debate?  Who is your favorite Marvel character?  Most glaring nit-pick?  Debate it all below.

Cheers – and make mine Marvel.

22. September 2014 by edbellmcse

Sunday Agile Humor–Soooo TRUE

21. September 2014 by edbellmcse

Revisiting an old post and the FLR-9

After reading the article “The Wullenweber Array (CDDA): An Era Of Intelligence Gathering”, I was reminded of an article I wrote over on SmokesAndBooze.Com called – This Day in History Aug 17 1987.  This story linked Rudolf Hess, Gablingen Germany and a bit of my history all into one story.  As an added bonus – we get a picture of a FLR-9 on a beer label. 
So – I thought I would repost here on my personal blog….and I highly encourage you to visit the timeline above about the Wullenweber Array….a marvel in caging elephant.
Enjoy-
 

(On Aug 17 1987) Rudolf Hess was found hanged by an electrical cord at Spandau Prison, aged 93. He was incarcerated there for 40 years, 21 of those years as the solitary inmate. In 1941 Hess flew to Scotland with ideas of peace in his head, making Hitler very very upset.

Why does this make the blog “Smokes and Booze”? – Hang in there, there is a payoff.

Rudolf Hess was a prominent Nazi politician who was Adolf Hitler’s deputy in the Nazi Party during the 1930s and early 1940s, was an SA commander during the failed Beer Hall Putsch (but that doesn’t qualify him here), transcribed Mein Kampf for Hitler and eventually rose to the rank of Deputy Fuhrer.

What brings him up today on S&B happened later in his life. 

During the later parts of WW2, Hess privately hoped that he could convince Britain to join Germany as an ally.  So on the  10th of  May 1941, Hess (a competent flier) took off from Augsburg in a Messerschmitt Bf 110 (radio code VJ+OQ) which he had equipped with drop tanks to increase its range.  He later crashed his plane and demanded to see the Duke of Hamilton.
Hess was tried at Nuremberg and was given a life sentence, that ended on this day in history when he committed suicide.

What links Hess to S&B is not the man himself, but where he chose to steal his Messerschmitt from;  Gablingen Field, Augsburg Germany.

You see, Gablingen Airfield was captured by the Americans at the close of WW2 and later converted to a Military Intelligence Station for monitoring electronic traffic during the Cold War.   The large “Elephant Cage” Antenna (a FLR-9) was the most prominent (and talked about) feature of the base.

When I arrived in 1992 to work on Trojan Classic and Trojan Spirit as a government contractor, we had offices in what was affectionately called “The Back 40” – First in abandoned buildings in a compound within a compound, left over from WW2, and later in the last remaining (of two) hangars left over from that fateful day on 10 May 1941.


Again, even my crazy ties to this story (and I won’t even get into “The Vagabond Series” with Glenn and Jeremy – That is a whole 10-15 different blog posts) are not what brings this to S&B.

Instead, we go to a brewery – Thorbräu, one of the oldest breweries in Germany, founded in 1582 in Augsburg, Bavaria.  You see, beer is such a part of German culture that everyone drank all the time.  In many cases, there were German Contractors/Soldiers on the bases, and once the Military went “Dry” at lunch during the 80’s, the Germans still had a right to drink during the day.  Since Gablingen was a Military Intelligence installation, it had to have items specially vetted prior to bringing on base…..and so Thorbräu had a special beer made for the installation, believed to be the only one of its kind.  The label even depicted the secret base and its trademark antenna.


As Paul Harvey would say – And now….you know the rest of the story.

Jump over to the S&B Facebook Page for some pictures of Gablingen (Then and Now)

21. September 2014 by edbellmcse

Software Development Tip #330

This goes out to some dear friends of mine.  Perhaps they can pass it around and SOMEONE can learn something.

http://image-store.slidesharecdn.com/d7d38cf0-1919-11e4-b60c-123139077642-large.jpeg

19. August 2014 by edbellmcse

Dungeons and Dragons–A Birthday and A Movie

I make it no secret that I am an old school Gaming Geek – and I really feel old when I hear that one of my favorite games, Dungeons and Dragons, turns 40 this year. http://blogs.westword.com/latestword/gygax.jpg

Originally designed by the late great Gary Gygax (RIP Gary), this game literally changed how the fantasy genre was viewed and was the kickstart to the role-playing revolution. 

It exposed fantasy writing to the next level, opened minds and really was a phenomenon unto itself.

If you think about it, without D&D (and Notre Dame Football) – you probably would not have had the Marvel Universe brought to light, nor the current blockbuster – Guardians of the Galaxy in the theaters – as director Jon Favreau credits Dungeons & Dragons with giving him “… a really strong background in imagination, storytelling, understanding how to create tone and a sense of balance.”.  Also…..Groot is a gamer too (via Vin Diesel).

Sadly – D&D also led to Bronies.

 

Anyway – back to the post, I wanted to point out two topics every gamer should be interested in – First we have the release of the latest edition of the game.  I have only perused the rules, you can too for free…HERE, but things look very streamlined and interesting.  I might get a gaming group together and check it out….if just for nostalgia’s sake.

Secondly…there is a movie coming out, and it ties just as directly to the popularity of the RPG industry as the game itself.  Of course, I am talking about DARK DUNGEONS!

Dark Dungeons originated as a small comic book (called a Tract) released by Jack Chick and his Chick Publications in the late 70’s and continues to this day.  Like many of the “Chick Tracts” – it decries the subject matter and details through narrative his twisted Christian theology….and how you must denounce the topic at hand to be saved.

In this case, it is Role Playing Games – and tells the classic tale of Black Leaf, and how RPGs caused a young girl to commit suicide.  You can read the whole tract HERE.

Personally – I am proud to be attacked by multiple Chick Tracts (RPGs, Freemasonry, Catholicism, Halloween & many others) and that is why I wanted to bring everyone’s attention to DARK DUNGEONS – The Movie.

In this, the producers whip out a vorpal weapon and take on (in the best way) the stupidity of Jack Chick’s Tracts.  Don’t believe me?  Then watch the first 8 minutes below:

How could you not love the chants of RPG? 

So – for only $5, you can watch the entire movie….and I will be this weekend, with a review soon to follow. 

Enjoy and viva la Black Leaf!

19. August 2014 by edbellmcse

Windows 7 Update causes BSOD

<Ed Shaking his head> – It’s as if there is not an entire IT Field specializing in Quality Assurance.

Microsoft urges customers to uninstall ‘Blue Screen of Death’ update

Computerworld – Microsoft on Friday quietly recommended that customers uninstall one of last week’s security updates after users reported that it crippled their computers with the infamous “Blue Screen of Death” (BSOD).

The update, identified as MS14-045 in Microsoft’s numbering, was one of nine released on “Patch Tuesday,” Aug. 12, and was designed to fix three separate flaws, including one related to a font vulnerability and another in the Windows kernel, the heart of the operating system.

Within hours of its release, however, users reported that MS14-045 had generated a Stop 0x50 error on some systems, mostly on Windows 7 PCs running the 64-bit version of the OS.

“Installation went smoothly. After rebooting everything worked fine. But when I shut down my notebook and switched it on a little later it came up with a blue screen with a Stop 0x50 in Win32k.sys. I could not even boot into safe mode as Windows failed to start no matter which mode chose,” wrote a user identified as “xformer” to start a now-long thread on Microsoft’s support discussion forum.

As of Sunday, the thread contained nearly 380 messages and had been viewed almost 50,000 times. The latter is a large number even for Microsoft’s support forum, and hints at the scope of the problem.

Others on that same discussion thread pointed to different updates issued the same day that caused identical problems, including one meant to support the Russian ruble symbol.

Woody Leonhard of InfoWorld, like Computerworld an IDG publication, reported the BSODs on Thursday, Aug. 14.

Some customers were able to regain control of their PCs by using System Restore to return the machine to a previous date, but only after they’d booted the computer using original install media.

In the updated MS14-045 and other supporting documents, Microsoft said it had removed the patches from its Download Center. As of Saturday, however, the flawed update was still being pushed by Windows Update, Microsoft’s service for delivering patches to PCs.

“Microsoft is investigating behavior associated with the installation of this update, and will update this bulletin when more information becomes available,” the company said in the revised MS14-045’s Update FAQ. “Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2982791 security update.”

Microsoft’s advice, however, may not be of any help to those already afflicted. It told users, for example, to boot using Safe Mode, which many on the support thread said didn’t work.

Not every PC that installed MS14-045 or the other suspect patches reported problems. Several IT administrators posted messages on Patchmanagement.org, a mailing list dedicated to the subject, that said they had successfully updated hundreds of client systems and servers.

Last week’s patch problem was not Microsoft’s first by any means.

In April 2013, Microsoft urged Windows 7 users to uninstall an update that had generated BSOD screens. And last August and September Microsoft had such a run of problems with updates for its Office suite that experts called it a “worrisome” sign of declining update quality.

In October 2013, Microsoft yanked a Windows 8.1 RT update from the Windows Store after some tablet owners reported their devices had been crippled.

Although Microsoft always publicizes its Patch Tuesday slate, it has not broadcast that MS14-045 should be uninstalled. Neither the blog run by the Microsoft Security Response Center nor the Twitter account the group uses has mentioned the flawed update or the company’s recommendation.

Additional information on how customers should deal with the buggy updates can be found on Microsoft’s support site.

http://www.computerworld.com/s/article/9250446/Microsoft_urges_customers_to_uninstall_Blue_Screen_of_Death_update

18. August 2014 by edbellmcse

Ever Cross a Samurai With Rudolf the Red-Nosed Reindeer?

As a way to change things up, I decided to go over to the “Geek Side” today.

With the success of Guardians of the Galaxy…I thought I would turn to another comic classic that I have been a fan of for years…..Usagi Yojimbo.

http://media.ignimgs.com/media/ign/imgs/minisites/topN/comic-book-heroes/92_UsagiYojimbo.jpg

Usagi Yojimbo (meaning Rabbit Bodyguard) has been around for 30 years, starting in 1984 (also the first year as TMNT and later picked up by the same publisher – Mirage Comics), this was one of the first indie comics I was introduced to back in 1987.  I loved the artistic style and the use of animals as characters (no – I am not a furry)…and when I was at Ft Deven’s, the Comic Shop in ran a TMNT RPG based on this world.

Much like saying – I will never see a Hell Carrier or a Sentinel accurately depicted in movies (WRONG) or a third tier comic series come to life (WRONG again with GotG) – I am now seeing what could be a fun rendition of another great series from my youth.

Done in Stop Motion style (hence the Rudolf reference), the folks at Lintika Films (please like their FB Page) have really done a great job with this short.  I definitely will be picking up the DVD when it is released, and if you have kids getting into the genre – I highly recommend checking this out…

13. August 2014 by edbellmcse

Web Controlled Short-Wave Radios..what’s not to enjoy?

Time for something a little different – this time targeted to the 33s and Analysts out there.

Ever want to go back to the “Exciting” Days of yesteryear, and have access to a short-wave receiver?

Well, I found one you can control online – actually the first ever WebSDR (Web Software Defined Radio) from the University of Twente. http://websdr.ewi.utwente.nl:8901/

Break out your Morse and enjoy.

[picture of the SDR hardware]

21. July 2014 by edbellmcse

Implementing Agile Practices In A Support Oriented World

I was recently introduced to the Accredited Scaled Agile Practitioner (ASAP) by a colleague at work (thanks Justin).

At first glance, this seems similar to other Agile Certifications – with one interesting piece, applicants must write a “Thesis” pertaining to Agile Methodologies.

Just the thought of writing something on the subject would weed out many, and although this would not unseat any of the PMI Certifications, I do think it will help maintain the exclusivity.

So, as I began preparing for the – I put together this piece, and am placing here for peer-review.

Enjoy

Implementing Agile Practices In A Support Oriented World

Introduction

In today’s world, more and more organizations are making the transition to Agile software development, but can some of these same methodologies be applied to Support Structure?

It has been my experience that they can, and that this can make your teams more effective and efficient.

I present below, three Agile Practices that can be implemented into an organization that contains both Software Development and a Support Group.

The Daily Scrum

The first take-away from Agile practices, and the easiest to implement, is the Daily Scrum. In a development world, this is a daily 15-minute meeting where each participant highlights the previous day’s accomplishments, what is on their schedule for that day and whether anything is impeding their progress.

In the Support World, this type of meeting is just as critical.
It allows team members to understand the workloads, problems and achievements of their peers. It brings clarity to the team’s daily objectives and highlights any showstoppers or big picture issues that may arise, and it provides immediate insight to team leaders as to what is actually going on in their teams.

Efficient and Face-to-Face Communication

It is often said (rightly or wrongly) that software developers sit in an ivory tower and have little insight to the real-world applications of their product. Agile methodology strives to correct that by having Product Owners as customer facing advocates. I put forward, that having an additional voice in Planning and/or Scrum of Scrum meetings could be beneficial, and that voice would be from the Support Group.

The development teams will receive valuable feedback from customer-facing teams not only on the external perception of the application, but also on how it is applied in unique environments. That can give a unique perspective that can be re-applied or refactored into the product, especially as it is often the work of the Support Group that turns into User Stories as they escalate defects in the product.

Definition of Done

The Agile process that Support Groups should be included in, is that of Definition of Done.

As mentioned before in INCLUSSION, Support Groups have a unique insight in how Product X is being utilized in a customer/end-user’s environment. By including the Support Group in the Definition of Done, they continue to bring that insight to the table – possibly by validating the current increment against set customer facing scenarios or previously reported incidents.

Conclusion

We utilized all of the examples in my previous position of Director of Technical Services, and this had an immediate and positive impact.

The Daily Scrum removed the ambiguity of workloads and impediments of the day-to-day workflow, and allowed management to better schedule and adjust as needed.

Efficient and Face-to-Face Communication allowed another voice into the collaborative environment of SCRUM, bringing a different and unique perspective as the Support Group’s voice was heard throughout the organization.

By adding the Support Group to the Definition of Done, this helped expedite deliverable increments/releases as they assisted in QA Testing and verified fixes towards reported issues. This verification ensured that customer problems were being addressed in each increment, and increased customer satisfaction with a more reliable application release.

Ultimately, by implementing Agile practices in multi-team environments, you bring cohesion to an organization by unifying methodologies, terminology and practices. Teams can then perform cross-functional tasks when applicable, and overall efficiency dramatically increases.

21. July 2014 by edbellmcse
