DEV Community: Kostas P.

How to ace your PSM I assessment

Kostas P. — Thu, 26 May 2022 17:35:39 +0000

The Professional Scrum Master level I (PSM I) certification from Scrum.org

Mastering Scrum is a continuous process that requires a lot of on-hand practice. Acquiring a certification is not the end, but merely the beginning of this learning path.

A Scrum certification, such as the PSM I, can be a great opportunity for beginners to get acquainted with the Scrum framework or for more advanced individuals to solidify and prove their knowledge.

People who have passed PSM I, achieving certification, demonstrate a fundamental level of Scrum mastery. PSM I certificate holders prove that they understand Scrum as described in the Scrum Guide and how to apply Scrum in Scrum Teams. PSM I holders have a consistent terminology and approach to Scrum. (from Scrum.org)

In this article, I will share some of the resources and methodologies I gathered when studying for the PSM I exam. This is not an exhaustive list (I would like to add more items after feedback from readers), it is a proposal of how one can start getting set for their exams.

How to prepare 📖

The order in which the following points are written is indicative of the ones to start with.

Learn more about the PSM I certification
Before getting your hands dirty and going into the deep with PSM I study material, read about the general overview of the PSM I certification at https://www.scrum.org/professional-scrum-master-i-certification.
Read the Scrum Guide
Scrum Guide: https://scrumguides.org/index.html
The Scrum Guide has more than one version, so make sure to be reading from the latest one available. At the time of writing, this is the “Scrum Guide 2020".
The Scrum Guide should be your go-to place for any Scrum-theory dilemma.
I would suggest studying from the digital version, since it’s easily searchable (Ctrl+F), highlighting, taking notes on the PDF file, etc. You can also copy-paste specific parts from the guide into a personal note-space, with items that you find are really important or that you easily forget. This way, everything you want to review is centrally and quickly accessible.
Practice with Open Assessments
Open Assessments: https://www.scrum.org/open-assessments
These assessments provide a free way to practice for your Professional Scrum certification assessments.
Do note that the questions on the Open Assessments do not have the same level of difficulty as the certification assessments.
In order of relevance for your PSM I preparation, try: Scrum Open, Product Owner Open, Scrum Developer Open
I suggest taking the Open Assessment multiple times and, once again, keeping into a personal note-space the questions you get wrong frequently or want to review (plus after you finish each assessment there is a very helpful Feedback section for every question).
Try to get a streak of 3–4 assessments with a score of 100%, this will increase your speed and knowledge of the Scrum fundamentals.

Up to this point, the study material is free and comes from sources that we can consider credible regarding what is deemed correct for the PSM I assessment since it all originates from Scrum.org.
In my opinion, this is the minimum one should study to assemble the necessary knowledge and succeed in the assessment.

Other tips 📌

Don’t cargo-cult
While studying, it is important to understand the why and not just memorize terms. This will help you both in the assessment, and also when you, later on, have to apply Scrum to real-life problems.
Read the Scrum Glossary
An overview of Scrum-related terms
More advanced reads
‣ Scrum Master Learning Path
‣ The Professional Scrum Competencies
‣ Changes between 2017 and 2020 Scrum Guides
Free 3rd party practice tests
A note of caution here:
The answers on these assessments may not always be considered correct (they do not necessarily derive from Scrum.org).
Make sure that these tests consist of questions/answers based on the latest version of the Scrum Guide.
List:
‣ https://mplaza.training/exam-simulators/psm/
‣ https://mlapshin.com/index.php/scrum-quizzes/sm-real-mode/ (based on the Scrum Guide v2017, update for v2020 is in progress)
‣ https://www.thescrummaster.co.uk/assessments/scrum-guide-2020-update-practice-assessment/

The exam 📝

You can find the specific instructions on how to register for the exam at https://www.scrum.org.

At the time of writing, some PSM I details are:

Passing score: 85%
Time limit: 60 minutes
Number of Questions: 80

meaning an average of 45 seconds per question.

Format: Multiple Choice, Multiple Answer and True/False
Language: English only
Required course: None

Scrum.org certification requires a minimum score on an online assessment. Attending a course is neither required nor sufficient for certification.

List of Professional Scrum Certificate Holders

References & Other study material 📚

Disclaimer: None of the above material constitutes an endorsement.

Originally published at https://medium.com on May 7, 2022.

Hacking my IP camera

Kostas P. — Mon, 04 Jan 2021 17:00:26 +0000

Deauthentication Attack + Physical Security

DISCLAIMER: All data and information provided in this article are for informational purposes only. The main goal is to increase security awareness, teach about information security, countermeasures and give readers information on how to implement a safe and functional system. If you plan to use the information for illegal purposes, please leave this website now.

A few days ago a friend of mine purchased and installed a new Wi-Fi IP camera at his house. Wanting to know how safe the system really was he asked me to take a look and try to “hack” it if possible.

The truth is that the Internet of Things (IoT) is a really hot trend at the moment and a lot of devices are being distributed into the market, many of which are not that reliable or safe.

IP cameras are a nice example of such devices that have invaded many households (or even small businesses in some cases) as a smart solution for surveillance and security.

Getting to the point now, I tried to hack the cameras using two generic techniques, not focusing on finding a specific software vulnerability. The two methods I used were a Deauthentication Attack and a Physical Security Attack. So let’s take a closer look at them:

Deauthentication Attack

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

With this attack, one can disconnect a client from the access point that it is connected to. For more details check out the following links: https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack and https://www.aircrack-ng.org/~~V:/doku.php?id=deauthentication

The Deauthentication Attack falls under the category of pre-connection attacks, meaning you can disconnect any device from any network before connecting to any of these networks and therefore without the need to know the password for the network.

Having said that, it was possible to disconnect the IP camera from the access point it was connected to (without having the AP password, as I mentioned earlier, since there wasn’t even the need to connect to the network), making it useless.

The camera would on normal occasions detect movement and/or noise and notify the user with an email if something was detected. Instead, during the attack the video feedback of the IP camera app was frozen and no notifications were sent when we triggered the sensors with motion and sound.

Below is the code I used for this simple attack (for a more detailed analysis on how to perform a deauthentication attack there is a great article on Hacker Noon):

Deauthenticating specifically the IP camera (only one client)

aireplay-ng --deauth [number of deauth packets] -a [AP MAC address] -c [IP camera MAC address] [interface]

Ex: aireplay-ng --deauth 1000 -a 11:22:33:44:55:66 -c 00:AA:11:22:33:44 mon0

You can possibly find the MAC address of the IP camera if you know the device’s brand since the first 6-digits of a MAC address identify the manufacturer (https://macvendors.com). You can also try to speculate which is the AP’s MAC address by the name of the SSID. Otherwise, you can use a more wide attack with the code below.

Deauthenticating all clients in a specific network

aireplay-ng --deauth [number of packets] -a [AP MAC address] [interface]

Ex: aireplay-ng --deauth 1000 -a 11:22:33:44:55:66 mon0

That wouldn't be the case of course if the camera app was programmed to periodically check the connection with the router/device and report a lost connection by sending an email to the user for example.

It is also important to point out, that if the IP camera had a wired connection and not a wireless one, this attack would not be possible. When using wireless communication we should always keep in mind that the medium is air and air is accessible to all (thus more “hackable”).

Physical Security Attack

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks).

It doesn’t do much if you have top quality security “software-wise”, but the physical devices you are trying to secure are not themselves placed somewhere safe. In our case, the local distribution frame box, where the internet-telephone cables terminate, was in front of my friend's house and unlocked. It would be very easy for someone to intervene in the cabinet, cut the cables and remove internet connection thus disabling the IP camera.

Without an Internet connection, the user would be under the illusion that everything is secure since he wouldn’t get an email notification (like he is supposed to if something is detected), and that his IP camera would alert him as soon as someone tried to invade into his house, while the camera would have just stopped working without any warning.

Below is an extract of a previous article I wrote, “IoT without Internet… how does that affect its functionality?”, proposing a solution to this issue:

That is why I am proposing that IoT devices that are connected to the Internet should all include a basic feature. That feature is to notify when internet connectivity is lost from the device. If at the side of the IoT device there is no internet access, of course, there aren’t any means of sending an alert. That is why I am suggesting that at the client side app there should be monitoring (at a rate that will be determined by the severity of the device’s task and need to be online) of the connection between device and controller app.

In our previous IP camera example, the i.e. smartphone app would have detected the loss of internet connectivity of the home router, the user would have been sent a notification, thus taking the appropriate measures to resolve the problem (calling the ISP, sending someone to check, etc).

Thanks for reading, leave a like ❤️🦄🔖 if you found the article interesting and of course your feedback 📝!

Originally published at https://medium.com on May 02, 2019.

Postman Collection to Swagger UI Documentation

Kostas P. — Tue, 29 Dec 2020 16:11:44 +0000

Project Goal 🎯

In this article, we demonstrate how to convert documentation given as a Postman Collection (that is hosted online) to a Swagger formatted documentation (OpenAPI Specification), that is real-time updated according to the Postman Collection given in the beginning.

To visualize and interact with the documentation we use Swagger UI.

The technology the project is based on is Node.js.

Besides the differences in the User Interface and the basic features between Swagger UI and Postman, there is another reason why we might want to use the former tool.

At the time of writing, a Postman link is only a snapshot of your collection and you need to create a new link for the most up to date version (source Postman Docs). At least that is what is true about the free version, while there might be a solution to this limitation using Postman's Pro API (https://support.postman.com/hc/en-us/articles/212510625-How-do-my-team-members-update-a-collection-link-that-I-created-).

With our implementation, if you are provided with a stable URL for accessing the documentation, you can always have the most up-to-date view of the API docs on Swagger UI, using only Node.js.

Specific Application 🎩

The idea for this project was born from studying the API documentation of skroutz.gr, a Comparison Shopping Engine and e-commerce marketplace.

The API was given in JSON as a Postman collection in the following link.

So what we wanted to achieve was:

to be able to visualize the documentation using Swagger UI
our Swagger UI documentation to be updated periodically according to the JSON Postman collection that skroutz.gr initially provided (see here)

Packages 📦

Shortly, the packages we used for this project are:

express - a minimalist web framework for node
nodemon - automatically restarts the node application when files change in the directory
swagger-ui-express - serves swagger-ui generated API docs from express
node-fetch - a module to make HTTP requests
fs - access and interaction with the file system
api-spec-transformer - helps to convert between different API specifications
yamljs - a JavaScript YAML Parser & Encoder
dotenv-safe - ensures that all necessary environment variables are defined

Let's see some code 🐱‍💻

As a beginner in Node.js myself, I advise you, if you are not aware of it, to study first a bit how Async Programming works in this particular programming language (suggested material: https://blog.risingstack.com/node-hero-async-programming-in-node-js/).

As you can see below, in our app.js file, we used the express package for our API framework and the swagger-ui-express package to produce API docs from express, based on a swagger.json or swagger.yaml file type.

const express = require("express");
const swaggerUi = require("swagger-ui-express");
const ymlfile = require("./documentation")

const app = express();

// load env variables and create .env.example file
const dotenv_safe = require("dotenv-safe");
dotenv_safe.config();

// middleware
app.use('/api', swaggerUi.serve, swaggerUi.setup(ymlfile));

// listening on environment port if defined or 8080
const port = process.env.PORT || 8080;
app.listen(port, () => {
    console.log(`Node JS API is listening on port: ${port}`);
});

In our other JS file, documentation.js, is where we create our ymlfile, which we give as an input to swaggerUi in app.js.

First, we need to query (fetch) periodically the URL where the JSON formatted API documentation is and store it locally into a JSON file. We do this with our createJSONFile async function:

const fetch = require('node-fetch');
const fs = require('fs').promises;
const transformer = require('api-spec-transformer');
const YAML = require('yamljs');

// set a timeout so that we can periodically query the website where the JSON formatted API documentation is
// currently set at 6 hours
setTimeout(createJSONFile, 21600)

async function createJSONFile() {
  try {
    console.log("ORDER OF EXECUTION: 7")

    const response = await fetch('https://developer.skroutz.gr/assets/misc/skroutz_postman_collection.json')
    const json = await response.json()

    await fs.writeFile("./docs/skroutz_api.json", JSON.stringify(json));
    console.log("The JSON file was saved!");

  } catch (error) {
    console.log(error.response.body);
  }

  console.log("ORDER OF EXECUTION: 8")

};

After that, we convert the JSON/Postman formatted file of the documentation to the YAML/OpenAPI Specification/Swagger format and store it locally, while also creating ymlfile.

(async function createYAMLFile() {
  const autoToSwagger = new transformer.Converter(transformer.Formats.AUTO, transformer.Formats.SWAGGER);

  console.log("ORDER OF EXECUTION: 1")

  autoToSwagger.loadFile("./docs/skroutz_api.json", function(err) {
    if (err) {
      console.log(err.stack);
      return;
    }

    console.log("ORDER OF EXECUTION: 4")

    autoToSwagger.convert('yaml')
      .then(function(convertedData) {
        // convertedData is a swagger YAML string
        // console.log(convertedData);

        console.log("ORDER OF EXECUTION: 6")

        fs.writeFile("./docs/skroutz_api.yaml", convertedData, function(err) {
          if(err) {
              return console.log(err);
          }     
        });
        console.log("The YAML file was saved!");

      })
      .catch(function(err){
        console.log(err);
      });

      console.log("ORDER OF EXECUTION: 5")
  });

  console.log("ORDER OF EXECUTION: 2")

})();

console.log("ORDER OF EXECUTION: 3")
const ymlfile = YAML.load('./docs/skroutz_api.yaml');

module.exports = ymlfile

Finally, in order to avoid using anything else but Node.js we do a little trick to always keep the Swagger UI dynamically up to date. In the scripts in our package.json file, we use the nodemon package to start our application, since every time a file changes locally nodemon restarts the server. Otherwise, even if our JSON and YAML files were updated, their latest version would not be served by our /api route. As another possible solution, check out "Modify swagger file on the fly before load" at https://www.npmjs.com/package/swagger-ui-express.

In package.json:

 "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "build": "npm install",
    "start": "nodemon app.js",
    "dev": "nodemon app.js"
  },

Some useful reads:

Running the project ⚙️

You can find all the above code on the project's GitHub:

KAUTH / Swagger-Skroutz-API

The Skroutz API documented live with Swagger UI

In order to run the project, first, clone the repository from GitHub, e.g.

git clone https://github.com/KAUTH/Swagger-Skroutz-API.git

To run this project locally you need to have npm installed.

When deploying the project for the first time, install all the required packages by running the

npm install

command on a terminal in the root directory.

After that, to run the project, use the

npm start

command.

The Swagger UI API documentation will then be accessible from http://localhost:8080/api/.

Important: There is 1 .env file (with environment variables) that our project uses, which is not on the repository for security reasons (as a best practice). In order for the project to run properly, you have to create your .env file in the same directory (root directory) that the .env.example file (example of how our .env file looks like) is present in this repository.

Enjoy 🎈

The project is deployed with Heroku and can be found online at http://bit.ly/swagger-skroutz.

Thanks for reading, leave a like ❤️🦄🔖 if you found the article interesting and of course your feedback 📝!