November 23, 2013

Foray into the Cryptocurrencies (BitCoins)

I was at DefCon 21 and a guy was there with a homemade Bitcoin vending machine/suitcase.  It had a coin slot in the side, and it cashed in your USD for some Bitcoin at the current MtGox exchange rate minus an (it turns out exorbitant) fee.  No matter, I was only curious to the tune of 5 quarters and I received a piece of paper with both the public and private key for a wallet that had been sent the .00810374 Bitcoins.  This week, I loaded up the key and peeked into what my piece of a Bitcoin was worth.  $5.70!  That's right, I had made 570% on my $1 investment in just two short months.  That piece of paper got smoothed out, touched up (it had begun to smear) and put somewhere a little bit safer.

Some of you reading this posting may not know what a Bitcoin is.  It's an alternate currency - an experiment in basing value of currency off of a share of work toward solving cryptographic algorithms.  Is it nerdy - yes, on the face of it, it's very nerdy and at the same time, interesting.  You see, Bitcoins are not created by a government, their value is set entirely through free market, and it is possible to trade Bitcoins anonymously.  A Bitcoin is an experiment in the ultimate barter system, out of reach of 'the man' - and the only value is dependent upon what someone else will decide to give you for it.

There are a lot of things that make Bitcoins cool.

  • The complete lack of a centralized authority.  This makes Bitcoin automatically useful on a global scale as soon as there is an acceptable market for the currency in other countries.  And now, the country with the largest population is on the Bitcoin ride.  
  • The ability to create a Bitcoin 'wallet' anonymously and exchange coins between wallets without involving third parties in performing the actual transactions.
    • This takes some care, since all transactions are essentially traceable through the blockchain from creation to current wallet.  It is important that one does not just register with a website, buy some coin and then promptly spend those on something that will get you into trouble.  To be truly anonymous, one needs to put some space between your name and the spending of the bitcoin.  Logically, sending the bitcoin to a vendor of some sort that handles a large number of clientele, without care for their identity, that will be willing to send the bitcoins back to a new address will be enough to break the link.  But I am not a lawyer, a policeman or an expert in money laundering.....
  • The free market value of the bitcoin is linked to important economic indicators - such as how expensive it is to create/mine a bitcoin, how many vendors will actually take a bitcoin in payment and how liquid a bitcoin is (until EVERYONE will take bitcoin, you'll still need to be able to cash it out in your native currency).  A list of bitcoin vendors comes in handy and is growing quickly.  I was frankly amazed at the number of physical product vendors that are on the list - and now a University in Cyprus will let you pay tuition in bitcoin.
  • There are numerous ways to store your bitcoin - with an online wallet service or exchange like coinbase or  Probably the most famous exchange is Mt.Gox although they've had some problems in the past like the DHS freezing their funds at Dwolla. If you run the Bitcoin client (effectively becoming part of the bitcoin network), you can create a wallet on your own and will only need to get someone to send bitcoins to the created wallet address.  You can also back up your wallets to paper copies of the public and private key associated with it.  This is normally done via QR code to make them easier to input.
  • Since bitcoin spending can't be controlled by anyone - spending them on things that would normally be against a government's desire is a very simple process. (although still traceable if not done properly to protect your anonymity!!)  This means there are a lot of casinos popping up online that take bitcoins.  Of course, I can't leave out the fact that some markets exist for the drug trade and that the creator of said marketplace is alleged to have arranged at least one hitman on that marketplace.
Of the many bitcoin sites I've seen today when poking around, most remind me of the early days of the web.  Horribly designed sites aimed at enticing the user with garish images and offers of FREE BTC!! If you've got a bitcoin wallet and would like some free bitcoin (less than a penny's worth on average) to start you off, go ahead and click there and give it your wallet address.

October 20, 2013

Download from B-Sides DC 2013

I went to my first DC-area security con, B-Sides DC, held yesterday and today, after attending Blackhat and Defcon earlier this year.  There's definitely a difference, going to a conference where you go home at night vs. one where you stay at the conference hotel and focus entirely on the con.  For one thing, you can't really give 100% of your attention to the conference contests and socializing. At the end of the day, you still have to commute back home, spend time with the family and deal with your normal responsibilities.  So, right off, attending Defcon was the better experience solely for this reason. On the other hand, B-Sides DC was $10 for two days of learning, and my travel costs were $12 for parking and $6-$9 for gas. Defcon still wins, because, hey - Vegas - but other than that, this was well worth my weekend.

After attending Defcon, I was asked to give some talks on what I've learned out in Vegas and I had prepared a slide deck that had several advantages.  One, I got to spread the knowledge to other people.  The talks I gave went from the very broad to the very technical in sharing the Blackhat/Defcon experience, and giving the talks helped to cement some of the knowledge from the whirlwind that is the con experience.  So I figured I should do a brain dump of sorts of my experience at B-Sides to cement some of the stuff I learned there, and organize some of the notes I've taken, links I picked up and Twitter accounts to add.  These notes are going to be rambling, and have referential information throughout that I needed to capture.  I'm only making a mild effort to make complete thoughts and sentences for the reader, and may not have even come to an assessment of what was important about each talk for me to take note of.

Day 1. Opening Talk - Bruce Potter - @gdead - Shmoo Group

I have in my notes that Bruce is an author - I remember him discussing that the first book he authored was with O'Reilly - I recall that SOMEONE (not necessarily Bruce) at B-Sides said that the entry point into signing up to write a book on technical subjects seemed to have a fairly low barrier and that writing a book on a subject you barely knew was not only possible, but something he had done.  Now that I think on it, I believe that was @grecs instead of Bruce (whoever it was, they had written a book on 802.11 and learned the subject while writing the book).

Bruce's talk was about education, skills, how IT Security differs from hard sciences, refocusing of the collective to the end goals of IT Security, and in the end, getting back to the roots of InfoSec by fucking shit up.  He had a lot of personal stories, but I think they were mainly to demonstrate that the path to becoming an InfoSec ninja is not a cookie-cutter career path.  In my notes I have written 'R U A WIZRD'? which refers to the Rock Star Syndrome he was discussing (not by name) of our over-inflated egos of thinking we're better than we really are just because we have the special skill of understanding how the magic smoke works.  He went on to rail against Certifications not necessarily being the answer to the irrelevant and outdated curriculum of university degrees in the fast paced industry of InfoSec.

Bruce also brought a three-year old to B-Sides (and told him he was about to learn some new words) - although I'm pretty sure he was being himself, and the kid had probably heard those words before (forgive me Bruce if I'm wrong). The talk was very humanizing and I think it really led to the audience being able to identify with the college-dropout, successful level 42 Wizard, author, industry leader.

In the end, though, Bruce had a point - he wanted us to try to figure out how to fix the education problem (where Youtube videos are better InfoSec teachers than instructors), how to fix the qualifications problem (where who-you-know frequently passes for what-you-know and security certs are still testing whether you know outdated security models from the 1970s) and get to the business of ACTUALLY FIXING THE CUSTOMER'S PROBLEM - which is broken security.  And he had another point - Bruce asked for people to get back to the roots of InfoSec and maybe stop being so damned gentlemanly.  The bad guys aren't playing nice, and I think that he's a bit upset that everyone is being so damned nice to each other and respecting each other's boundaries at cons and other hacker battlegrounds.  Probably because it's dulling our senses and our abilities as a group.

Day 1 - Official Talk 1 - The Homunculus Problem - Why You Will Loose(sic) the Battle of BYOD - Michele Chubirka - Mrs. Y - @MrsYisWhy

B-Sides has two talk tracks (and one education track) - and it was this talk or a talk on why your corporate password policy is weak.  Since I'm already a soap-box candidate for preaching about password policies as a failed solution and I didn't want to learn what SANS 20 Security Controls were, I sat in on Michele's talk about why we'll fail the BYOD battle.  Of course, I was expecting a technical talk, not a psychology talk - which is what she ended up giving.  She explained the drug-like addiction properties of social media and the devices that we use, and encouraged empathy and embracing the user's wishes when it comes to BYOD [Sorry: that's Bring Your Own Device (to work) for the uninitiated].  She spoke about how Security [industry and policy] is seen as just a roadblock to users getting what they want.

My notes have three takeaways: 'Stoptional' - the optional stopping of a vehicle at a stop sign, presumably in Louisiana - a cute term someone behind me and to my right explained when comparing corporate security policy and the likelihood that your users will obey it to STOP signs and road laws. Empathy/working together - which summed up MrsYisWhy's point she wanted us to consider - key slide being 'Don't say No - say Yes, and....' (I personally prefer Yes, but... but I can see how that might make me out to be the bad guy) and which appears to take me to the Packet Pushers Podcast page - a podcast I had previously been unaware of.

She then handed out T-Shirts to some random trivia questions and was upset that no one remembered that Solaris 2.6 marked the beginning of their shift to a 64-bit OS.  Her personality overall, by the way, seems to match very readily to the picture she's chosen as an avatar on Twitter - a bit on the spiritual/kooky side.

Day 1 - Official Talk 2 -  Malware Analysis: N00b to Ninja in 60 Minutes* - @grecs

@grecs' talk was full of useful information and links on Malware Analysis - a weak point for me since I haven't done much of it.  Not only did I take notes, but I actually used my phone to take some [screen]shots of his talk on the projection screen that I need to transcribe later.

I think @grecs is a recovering stutterer, or is developing one - but he pushed through it fairly well and only had a few seconds of touch and go fighting it off during his speech.  Talking in public is HARD, HARD, HARD for anyone - I can't imagine how much more difficult it must be when your brain just decides to lock up on you like that - not only do you feel some embarrassment, but that just adds to the problem and it can go into a death good job pushing that stick forward and pulling out of the death spiral!

Grecs is actually a Twitter account I already follow, and I like some of the articles that recur on NOVA Infosec, his website.  It appears the Malware Analysis BSides DC slide deck has already been posted there from his talk (Thanks, Dude!!!!) Also, I should thank his sponsors @BulbSecurity and @PenTestTraining for bringing him to B-Sides DC and supporting his work.  It is people like @grecs who help the security industry's world go 'round and it can be hard to get paid to do work that benefits a community.

I also have a note that he takes in trade or pays cash for blog posts on NOVA InfoSec - the submission link was given at the talk.

Ok - for this talk I have THREE written pages of notes that are mostly a list of tools for the various aspects of setting up a Malware Analysis Lab, the step-by-step processes and alignment of the tools to those processes and relevant training websites.  Once he got going - this talk was probably the most STRUCTURED and INFORMATION DENSE talk of the conference.  The slides are up on SlideShare - use the link above on his website to essentially see what I've put down in my notes.  Knowing they're there - I'm not going to attempt to replicate the information here.

----Tired for now - will take a break and resume discussions of other talks later on ---------

September 28, 2013

BlackHat Report

I'm just finishing up my last (second) day of BlackHat briefings.  I was lucky enough to be able to be sent to attend BlackHat this year by my company (Dynamics Research Corp).  A few tips for attendees - water, deodorant, more water, and black T-shirts.  The uniform of the day for conference attendees seems to be the ubiquitous black T-shirt with some form of hacking slogan on it.  I'd say it's at least 50% if not more.

You'll need to drink plenty of water to stay hydrated.  So far, I think I'm winning this battle, but as soon as you step outside in the Vegas heat, your mouth dries up within seconds, and you can feel the water get wicked up your esophagus only to be lost to the desert.  While you won't spend much time outside, the dryness persists in the air-conditioned casinos, and while it's a slower process, it continues unabated the whole time you're here.

Also, don't forget to eat.  I think I ate dinner at 11:45PM last night.  There is so much going on, and it's so interesting that skipping a meal as you focus on something else is an easy thing to do.

With all that said, Oh My God! - I need to come to this every year, whether the company is picking up the tab or not.  I may not be able to afford BlackHat, but I can probably pick up BSides-LV and Defcon myself.  The people here are smart as hell - everyone is extremely congenial and open and the whole experience so far has been phenomenal.  It's going to take me all year just to DIGEST the amount of information I've picked up here - and my head is SWIMMING with new ideas spurred by some of this research.  I'm thinking in new ways about timing attacks, secondary communication channels, encryption, browser security, organizational's incredible!

Note: This post sat in draft mode because I never got back to finish writing it - Defcon was so engaging I forgot about it entirely.

July 16, 2013

What if we paid for risk with time?

Cryptography offers us many things - not just the ability to lock up secrets that can only be decoded if we know some secret password.  Using the processes of hashing, encoding and decoding, we've been brought capabilities such as digital signatures, network secrecy and non-shared key authentication.  I was thinking about one particular capability offered by our cryptography geniuses - the use of hashing algorithms to derive secret keys over a given number of cycles without an easy way to determine the solution without actually performing the calculations over that number of cycles.  Wow - that sounds like it's going to get complicated...Let's back up and take a look at just what a key derivation function is.

In essence, what these protocols do is come up with a deterministic sequence of pseudo-random numbers by performing a set of specific calculations over and over (you set the number of repetitions).  When you feed the function a pass-phrase, it blends that pass-phrase into a messy sequence of numbers that supposedly cannot be reverse-engineered by any means other than running the same blending process with the exact same pass-phrase over the same number of cycles. There are different versions of this: bcrypt, PBKDF2 and scrypt, with scrypt being the most modern of the three - designed to take into account not only repetition but also arbitrary memory usage, which helps keep the cost of the function high by imposing additional hardware costs on parallel attacks.

What struck me today is that this function can essentially be used as a time-lock.  To the analogies!!! You walk into a bank and go to hold up the teller - you might get out of the bank with $1,000 - $2,000...hardly worth the risk. Why don't you rob the safe in the back that holds all of the money? Because it has a time-lock on it. It can probably only be unlocked by the bank manager after putting in the combination and waiting for an hour for the safe to open. If you're robbing a bank, your time frame is a lot shorter than an hour. It raises the risk of being caught and the bank knows this - which is why they use time locks. The longer it takes you, the heavier the risk side of your risk/reward see-saw.

What if people implemented time-locks for high-risk transactions in the automation of business transactions?  The risk of a transaction could determine how long the transaction would need to take.  Time locks would be implemented in such a way that the verification of a transaction would require key derivation functions to complete, with half of the compute time being taken by the sender, and half of the compute time being taken by the receiver.


Transferring $10 to your wife's account?  No problem, sir, take but a second..

Oh, you want to transfer $200,000 to a random account number in the Grand Cayman Islands?  Yes, sir - we can do that for you - the transaction will begin now, and the transfer will complete in 12 hours.  No, sir, the receiving party will not credit the amount until both sides reach the agreed upon key for the transaction. The transaction will show as 'pending' until it completes or is aborted.

As computing time/resources get cheaper, validation time can be kept in line with the risk, requiring specific amounts of resources (cycles, processes, memory) to perform the transaction. Resource costs would have to be passed on to customers as part of transfer fees - time increases would be enforceable at the interface level, since communication of the transaction verification could not be done without the derived key, enforced by a protocol standard.
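A sketch of the split time-lock described above, added here as an example and not code from the original post. It chains two PBKDF2 calls so that sender and receiver each perform half of the iterations; the risk tiers, field names, per-transaction shared secret and the clearing-side check are all assumptions made for illustration.

```python
"""Risk-scaled KDF time-lock: sender and receiver each do half of the work."""
import hashlib
import hmac
import time

# Hypothetical risk tiers (constructed): upper bound in USD -> total PBKDF2 iterations.
# A real deployment would calibrate these to wall-clock time on reference hardware.
RISK_TIERS = [(100, 2_000), (10_000, 100_000), (float("inf"), 400_000)]


def total_iterations(amount_usd):
    """Pick the work factor from the transaction amount."""
    for limit, iterations in RISK_TIERS:
        if amount_usd <= limit:
            return iterations
    raise ValueError("unreachable: the last tier is unbounded")


def canonical(tx):
    """Serialize every field the time-lock must be bound to, amount included."""
    return "{sender}|{receiver}|{amount_usd}|{nonce}".format(**tx).encode()


def sender_half(shared_secret, tx):
    """First half of the chain, run by the sending side."""
    n = total_iterations(tx["amount_usd"])
    return hashlib.pbkdf2_hmac("sha256", shared_secret, b"send|" + canonical(tx), n // 2)


def receiver_half(intermediate, tx):
    """Second half, run by the receiving side on the sender's output."""
    n = total_iterations(tx["amount_usd"])
    return hashlib.pbkdf2_hmac("sha256", intermediate, b"recv|" + canonical(tx), n - n // 2)


def release_tag(key, tx):
    """Proof that the full chain was completed for exactly this transaction."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify_release(shared_secret, tx, tag):
    """Clearing side: redo the chain for the amount stated in tx and compare tags."""
    key = receiver_half(sender_half(shared_secret, tx), tx)
    return hmac.compare_digest(release_tag(key, tx), tag)


def demo():
    """Run a small and a large transfer; return (tag_valid, seconds) per transfer."""
    secret = b"constructed-per-transaction-secret"  # assumed to be agreed at initiation
    small = {"sender": "A-001", "receiver": "B-002", "amount_usd": 10, "nonce": "n1"}
    large = dict(small, amount_usd=200_000, nonce="n2")
    results = {}
    for name, tx in (("small", small), ("large", large)):
        start = time.perf_counter()
        key = receiver_half(sender_half(secret, tx), tx)
        elapsed = time.perf_counter() - start
        results[name] = (verify_release(secret, tx, release_tag(key, tx)), elapsed)
    return results


if __name__ == "__main__":
    for name, (valid, seconds) in demo().items():
        print(f"{name}: tag valid={valid}, derivation took {seconds:.3f}s")
```

Because the amount is part of the salt for both halves, a key derived cheaply for a small transfer does not validate a tag for a larger one; the work cannot be downgraded by editing the amount afterwards.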

Now for the devil's advocacy - This would have a negative impact on customers performing high-risk transactions.  It would probably never make it past lobbying organizations, and people who regularly pass around large sums of money would find some other way of performing wire transfers to get around the limitations.  Also, time-locks could be implemented without even using these processes if banks REALLY cared about the risks of risky automated transactions, through simple business rules and agreed upon timelines and risk limits.  So- just another random rambling....

July 08, 2013

Agile Development and Documentation

Some wisdom to write an article on in the future:

Agile Development doesn't mean excluding the need for documentation – however, processes and tools can be used to create documentation FROM the process of development.  Rather than putting the cart before the horse to lead him, you allow the horse to pull the cart, and, when you GET there, look back and follow the cart tracks to inform and document the path you've taken (upon which you can decide to pave a road, perhaps).  This is why Agile CAN BE an effective software development practice - because you don’t have to pay for someone to pull the cart ALL THE WAY from Start to Finish and pull the kicking and screaming horse behind…you instead get smart drivers on the cart to lead the horse only to the next step toward the destination and a horse  who is smart enough to walk around the trees.

July 06, 2013

Don't forget the Auditing

Yet another unfinished thought on auditing and system design - I cleaned up a little, but again - publishing from draft:

When it comes to performing information security, it's easy to get lost in technical solutions and overtly technical discussions regarding what you need to lock down your business.  With the complexities of password policy, application and network design, encryption algorithms, VPNs and firewalls all spinning around in your head, there is something very easy to understand that is at the core of providing risk awareness.

Auditing - and not just logging of security events, either - I mean good old-fashioned auditing of your books and business transactions.  Keeping an eye on what's going on in your business may help you to identify when there's someone with their hand in the cookie jar - and it won't make any difference how they got in to your network when you catch them in the act of siphoning off your accounts.

Supervisory function: I can't imagine that a bank teller would be permitted to leave the premises at the end of his or her shift if their drawer was short of cash.  Managers count them up and monitor whether or not their transactions line up and everything checks out.  In so doing, anything out of the ordinary would be reviewed and questioned.  The bank manager performs the supervisory function and is aware of the business rules that are applied to ensure proper operation of the business.  Even with automated teller machines in banks, this supervisory function is not forgotten - review of transactions and matching them up to the cash in the machine during cash outs help the banks ensure that everything is performing at least to some modest business constraints.

Constraints and Limitations: In the same instance, tellers are not given access to the entire bank balance.  Those who rob banks will likely tell you that robbing a teller these days is hardly worth the risk since the take will be very low.  It's probably more rewarding to hold up a cash business like a fast food restaurant, where the controls are not as involved and there's more chance of obtaining large cash drawer balances.  Even ATMs, which are entrusted with large cash drawers (since they're not likely to turn over their cash to a gunman), still have a limit to their losses based on how much they're loaded with.  When we design computer systems that access things like bank balances and accounts, we need to be reminded that business rules that impart these constraints and limits on transactions still need to be in place.  Even more so, hair triggers on constraints should lock down transactions from a source (such as a web front-end) that shows signs of being erratic.

There's a Difference

Something I had drafted - wasn't sure of whether I agreed with myself or had switched analogies where I'd meant things in an opposite manner, so I originally didn't publish - but I'm going to publish it now with the caveat that this is not completely thought out, and is indeed, just a rambling.

In discussing atheism on the Internet, some people are making an assumption that atheists and agnostics and the nonreligious are one and the same.  There is a difference, and an analogy came to me that I thought I would mention.  In computer science, there are three concepts that are similar but distinctly different.  The concepts are NULL, ZERO and EMPTY.  Some databases do not recognize the difference between null, zero and empty - after all, they are all void of any value, so why should I treat them differently?  Some recognize a difference between zero and empty, but not null and empty.

To store an EMPTY value, I must allocate memory appropriately sized to the type of value I intended to store in that location, and then not store any value there.  In many computer languages, this EMPTY value will default to a particular value.  In other languages, this particular action leaves an UNDEFINED value in the memory location that I have assigned.  No matter, I have actually allocated memory space to hold some value - I merely have not made any effort to store something there.  In our analogy, these are the nonreligious.  The way that English defines this state is, upon recall, the response to 'What do you believe to be the supreme being?' is 'I don't know'.  In some computer languages, this answer will be random gibberish.  This means that when asked who is the supreme being, their answer MAY be 'a flying spaghetti monster'.  The questioner has no way of knowing whether this value has been placed there intentionally or is a random response.  It is obvious, however, that this is a garbage response and not an actual value [with the assumption that no one TRULY believes that a flying spaghetti monster exists and created the world].  It is also true that this person may, on random chance, answer 'Jehovah'.  However, because this dimension is a known EMPTY value - the respondent will know that the answer holds no conviction, even though the questioner does not know this.  To test the EMPTY value response against an actual belief, it is necessary to ask many more questions about the nature of the stored value and attempt to determine how that value got into that memory location. (This is beyond the scope of this discussion).

Code sample for EMPTY value:
String supreme_being;

print supreme_being;

Sample output:
The Flying Spaghetti Monster
Mahatma Gandhi
Error: pointer exception!

A ZERO value is when I have made the effort to allocate memory to store information, and have made a conscious effort to store the placeholder which means OF NO VALUE, invented by the Babylonians in the 4th century BC.  So, I have set aside a location and stored a marker that is consistent with my data type that means this location is dedicated to the fact that the value of the dimension I am storing is void of any significant value.  In our analogy, this memory location is pointed to by the dimension 'supreme being' and the value we are storing is ZERO (non-existent, no-value added).  This is the atheist.  When asked 'Who is the supreme being', their response is 'There is none.' and this is a definitive answer.

Code sample for ZERO value:
String supreme_being;
supreme_being = "";

print("The supreme being is %s.",supreme_being);

Sample output:
The supreme being is .

The remaining concept is a little more difficult to comprehend at first - but it is best defined as the ignorance-is-bliss option.  Failing to set aside any location in memory, and failing to set aside any pointer to the value dimension, when attempts to reference a NULL value are made, computer languages will normally throw an error, which means that the question will have to be handled as an exception to the logic tree.  There simply is no dimension defined that meets the criteria of the question.  In our analogy, this is the agnostic.  The way that English defines this state is, upon recall, the response to 'What do you believe to be the supreme being?' is 'I don't care.'  Another potential answer may be 'I have never given that any thought' - but this answer may allude to the person beginning to provide some thought energy to the subject - which may immediately put them in the EMPTY category as they begin to think about it.

Code sample for NULL value:
print("The supreme being is %s.",supreme_being);

Sample output:
Error: Undefined variable.

One could argue that there are few people in modern western society who have truly given no thought or significance to the question 'Who/what is the supreme being' and will continue to do so.  Because of our society giving great weight to the discussion of this question, you could argue that it is difficult to find people who are truly agnostic and that people are either religious, nonreligious or atheists.  In fact, Richard Dawkins argued that one should not and can not logically define oneself as an agnostic.  And this holds true with these analogies.  The only agnostics are those that can not or will not self-identify because either they do not care, or have not heard of religion.  However, I disagree with Dawkins that all agnostics are atheists.  By my analogy, people who have identified themselves as agnostic are actually nonreligious.  If they TRULY are agnostic, they wouldn't identify themselves as anything - they would simply respond to religious queries with 'I do not care.' or 'You're not making sense - please leave me alone'.

Because of the nature of the true agnostic, it is impossible to include them in the debate field.  Rather than all four opinions, all religious debate automatically excludes them (because they don't care to get involved).  All debate, therefore, exists between three populations: religious/nonreligious/atheists.  It is also impossible for an outsider to know the difference between someone who is religious and nonreligious because of the possibility that a non-committal answer to religious questioning may come from a nonreligious population.  This discussion is important, but outside of the scope of this article.

Bleagh - Hot Today

Probably to my neighbors' dismay, I woke up early and cut the lawn this morning at 7:30.  I was trying to beat the heat in this wonderful DC area July.  Unfortunately, that means I don't get to beat the dew.  The lawn was wet, it's still hot as hell and between the moisture on the grass and the buckets of water streaming down from my head, I only got the front lawn done in the hour I was out there.  That's right, I packed it in early once I'd finished the front.  My rear lawn is definitely looking pretty long comparatively, but it takes every bit as long as the front to finish, and I'll be damned if I'm going to spend another hour plus out there.

So, Microsoft is getting rid of TechNet.  They sent out an ad to people on their mailing lists last week, and in it, they mentioned two alternatives for people who still need to test and use their technology to learn.  One of them is TechNet Virtual Labs and the other is TechNet Evaluation Center.  I tried out one of their Virtual Labs to play with AppBlocker technology in Windows 8, and then decided to download Windows 8 evaluation edition for my virtual lab that I run at home.  I downloaded the 64-bit Windows 8, which means I had to turn on Intel Virtualization Technology in my BIOS - simple enough to do while running patches last night.  I'm going to try out Windows 8 this weekend and see how I feel about it.  I don't like the tightly squared windows of the design, but then I didn't like Windows XP look and feel at first, either.  It may grow on me.

I've been playing Texas Hold'em recently.  If you know me on Facebook, I play on Zynga Poker and I'm happy to hook up with folks.  I actually managed to zero out at Zynga Poker - fake chips are fake chips after all.  When I did, their mini-game slot machine that gives you 1 free spin a day started spitting out 10x rewards when I pulled it.  They make sure their players don't completely run out of chips.  I had a chance to play 1/2NL at Casino Niaga while I was on a trip 2 weeks ago.  It was a lot of fun to sit down with 10 total strangers and to see the wide range of abilities.  There were definitely some guys that showed up that probably shouldn't be playing for real money yet.  One of them folded from checked-around in the big blind, three times, no less.  Either he was nervous, or he's only barely learned to play.

March 04, 2013

Skype Service and Customer Service Fails Big Time

My wife has family in South Korea.  She likes to talk with them, and online phone services have become the norm for doing so.  However, the people that she talks to are not always available online.  For this, she used to use Yahoo Voice to call the landline/mobile number of those family members.  Occasionally, she'd load up a few dollars on the Voice service and use it to make first contact.  

Unfortunately, Yahoo ended their Yahoo Voice calling service.  I suggested to her that Skype offers these same services, and I put $10 in Skype credit on her account.  She loaded in the phone numbers of her family members, and tried to make contact.  Well, it connected to someone in South Korea - the language was right (so the country code was correct), but the phone number she was connected to was different than the one she called.

I attempted to connect to Skype's customer service via online chat.  I probably should have known better.  Here's all the things that went wrong on this call:
  1. The first CSR I was connected to immediately hung up.
  2. I was reconnected to that same CSR, and it took them 3 minutes to acknowledge my presence.
  3. The CSR did not understand my problem.
  4. The CSR continually used cut and paste 'feel good' customer service speak to communicate.  While attempting to make me feel cared for and understood - they only lent to the feeling that I was talking to a brick wall.
  5. The CSR could not help me and transferred me to another CSR
  6. This first half of the call took 12 minutes.
  7. The second half of the call with a different CSR had problem number 4 as well.
  8. The second CSR told me that since I had initiated the calls that I would not get a credit.  (Thus #3 again).
  9. After 22 minutes, I hung up the call with the CSR.  35 cents was not worth my time and frustration with the idiots on the other end of the call.

This is customer service done WRONG!  I hope that I save you from making the mistake of trying to use Skype to landline/mobile for overseas numbers.  I hope I save you from even making a deposit with their service.  Their website says they will not refund deposited funds after any of the funds have been used.  I have lost $10.  I hope you do not.

January 16, 2013

Science Writers, Please Evolve

Just today I saw two articles that stated claims that 'something' evolved to be able to do 'something else'. It's been bothering me for some time, but I don't think I've ever written about it. In the first story, the claim was that bats evolved to be able to repair DNA radiation damage from flight. In the second, that human fists had evolved to allow humans to make fists for punching other people. This makes it sound as if a group of homo erectus got together and agreed to only mate with people with a good right hook. This is hardly an accurate concept.

Both of these are fundamentally wrong statements. In fact, I find the statements downright misleading. It mixes the mindset of intelligent design with that of evolution. We, and our counterpart life forms, do not evolve toward a purpose. Instead, it is right to think that we evolve BECAUSE of specific environmental changes. E.g. Bats have evolved to the point where they repair DNA radiation damage experienced in flight. Humans have evolved fist-making hands most likely due to the survival advantage offered by being able to punch someone in the face.

It may be a nit picking argument, but I think it would serve the greater good if evolution were properly characterized by statements that indicate its actual mechanism rather than set in the minds of the reader that we, or anyone else, evolve toward a specific purpose. The only purpose evident in the function of evolution is survival. Thus, it is really only right to say that 'something' evolved to be able to survive its environment.

No one knows why my branch of the evolutionary tree has evolved to be so pedantic.

- Recovered from a missing draft using BlogPress from my iPad