Randomblings from Rich - Random talk about technology, science, chess, news, hobbies, stupidity and myself.<br />
Rich Gautier (http://www.blogger.com/profile/06254416673946498275), feed updated 2024-03-24<br />
<h3>Retirement? Again?</h3>
Posted 2023-03-07 (updated 2023-07-02)<br />
<p> Retirement - what does that even mean? I'm in my 50s, and that means my parents are over 70 years old. My mother still works part-time jobs. Not because she needs the money, but because, in her words, "after 6 months at home watching TV, I got up and opened the refrigerator, thought 'what am I even doing?' and decided to go back to work". She's been 'retired' for 20 years and still tells me about her 3 or 4 different jobs.</p><p>I worked for the same company from mid 1992 to early 2016. That was 23 and a half years with a company that changed hands twice while I worked there. I am now taking an early retirement from my Federal position, which I started in 2016. I have been in the position for 7 years, and along with my military service, this provides me a small pension. There's a number of different reasons for me to leave this position - and one of them is that I've driven myself quite hard in those years. I have so much vacation that my cash-out will end up providing me 6 weeks of salary. Honestly, I just don't know how to 'not work'. I've already lined up teaching jobs to supplement my pension and avoid collapsing my 401k before Social Security kicks in [if it kicks in! - allow me some small hyperbole]. </p><p>After 40 years in tech - I want to relax. I want to be able to let go and do a job without stressing about everything that can (and usually does) go wrong. I want to make a difference, and at the same time, also sit on the couch and finish my The Muppet Show DVD collection. 
I want to play golf, work out at the gym, have long lunches and dinners with my wife, but also learn linear algebra all over and write the next great video game. I want a boat, a beautiful piano, piano lessons and about 20 different hobbies. I can't have all of those things unless I continue to push myself. </p><p>We all want work-life balance - but none of us know where that balance lies. I could wile away a week without 'working' or I could spend a week solving some insane esoteric problem at the office - and enjoy either one. Now that I've retired again - I can do anything. But apart from a month's vacation I spent doing nothing...I'm not sure what it'll be. Here's to retirement - and to never retiring.</p>
<h3>Tales from going Keto</h3>
Posted 2019-07-02<br />
About a year and a half ago, I went in for my annual physical, and I had a list of complaints ready for the doctor. As I got up from the waiting room and went in to see the nurse, we stopped at the scale. I stepped upon it and it weighed 225. I was upset. My bathroom scale only said something like 218, that's 7 pounds too heavy. No way am I 225!! I'm wearing my winter coat - I should have taken it off...excuse, blame, denial...<br />
<br />
I met with the doctor and told him several things that were bothering me, including the fact that I was fat. By BMI standards, close to obese. After taking my blood-work, the doctor also told me that I was getting close to diabetic. He prescribed me a low-carb diet. Not no-carb diet, but a low-carb diet.<br />
<br />
But the problem, friends, is not the 7 pounds. The problem is that it read more than 188 at all. Why should I have been satisfied that I was ONLY 218 when the top range of my normal weight is 188?<br />
<br />
Last week I got on a scale and it said 187.2 (after a hefty work-out, so that was a low). How did I lose 31-38 pounds in a year?<br />
<br />
I followed a keto diet regimen - less than 20g carbs (except for fiber) per day. Enough protein to keep my muscles from atrophy and fat to tide me over when I got hungry. It worked, and I lost a lot of weight. You'll be able to google this regimen, and find tons of information.<br />
-----<br />
And I'm finally finishing this post a year and a half after. I'm back up to 205, and I need to get back on the bandwagon. I've been cheating - chocolate and candies at work when I'm stressed. A donut here, a brownie there...thinking I could control myself. But I don't, I end up over-eating and stress-eating. <br />
<br />
What led to my success was tracking my calories in an app and being accountable. When I stopped being accountable (when I reached normal weight), I started to put the pounds back on. So, as of today, I'll be tracking my food again.<br />
<br />
I'll update this post again next year, I hope with better news.<br />
<h3>Is this Page Dead?</h3>
Posted 2018-03-26<br />
No, only resting. Blogging requires time, time that it turns out that I don't have because I've been keeping myself very busy. Unfortunately, it's been replaced with 'rapid updates' on my Facebook page or Twitter account, and I haven't taken the time to sit down and write out any considered opinions. It's ironic, because this loss of intellectual depth is exactly the type of thing that I may have railed against in the past.<br />
<h4>
To the Cloud</h4>
I've finally let my web host account that I've had for years lapse. It's been replaced with cloud services from Google. They've already consumed Blogger long ago, but the images on my site were still hosted by a web server provider, LunarPages, up until February. I failed to renew my account, and that broke all of the links. Instead of just paying for the account, I decided to use this opportunity to learn more about cloud services. This weekend, I created a bucket and claimed/verified my domain name on Google Cloud, and moved over those images still being linked to by img tags on my blog. The next step may be to do some deep-link analysis. There are definitely dead links throughout the site as I'd linked to services that have long gone defunct. I may try to come up with some automated way of going through and fixing those as a project.
<h3>Next Steps</h3>
Posted 2015-11-15 (updated 2017-04-06)<br />
I've reached a sort of capstone with my career.<br />
<br />
I currently manage about 20 people on a contract with a division of the Department of Justice. While not necessarily the perfect man for the job, I do fairly well and I still get to involve myself in technical decisions on a day to day basis. I get to preach from my pulpit about the way that things 'should be done' and complain about the lack of resources we have to do things properly. In all, I like my job. I've also applied for the job of Chief Information Security Officer [CISO] at the same agency, and have completed the interviews, awaiting a decision and negotiation to see whether or not they wish to have me join the federal work force, and whether I can accept the job for their offer. Let's assume, for the moment, that they give me the job.<br />
<br />
What next? What comes of my career, my hopes and dreams and everything else when I've met my life's goals? To become an executive IT officer, to have a stable job, to be able to afford a reasonable middle-class lifestyle without amassing debt, to have opportunities to continue to learn about interesting things, to have a grown child of whom I'm proud. It seems that I have accomplished all of these things and the question is going to require some thought about the nature of life, lifestyles and goal-driven life.<br />
<br />
<div style="background-color: #fcfae7; color: #333333; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 18.2px; margin-bottom: 0.3em; padding: 0px;">
<a href="http://www.imdb.com/name/nm0000698/?ref_=tt_trv_qu" style="color: #70579d; text-decoration: none;"><span class="character" style="font-weight: bold;">Willy Wonka</span></a>: But Charlie, don't forget what happened to the man who suddenly got everything he always wanted.</div>
<div style="background-color: #fcfae7; color: #333333; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 18.2px; margin-bottom: 0.3em; padding: 0px;">
<a href="http://www.imdb.com/name/nm0652578/?ref_=tt_trv_qu" style="color: #70579d; text-decoration: none;"><span class="character" style="font-weight: bold;">Charlie Bucket</span></a>: What happened?</div>
<div style="background-color: #fcfae7; color: #333333; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 18.2px; margin-bottom: 0.3em; padding: 0px;">
<a href="http://www.imdb.com/name/nm0000698/?ref_=tt_trv_qu" style="color: #70579d; text-decoration: none;"><span class="character" style="font-weight: bold;">Willy Wonka</span></a>: He lived happily ever after.</div>
<div>
<br /></div>
Um, great...but I'm not done...and I know I'm not going to live 'ever after'. I still have at least another 30 years to go on this Earth, 40 or more if I start taking care of myself a little bit better. Now that I'm approaching the pinnacles of Maslow's pyramid, I find myself wondering what my contribution will be to the world.<br />
<div>
<br /></div>
<div>
Well --- I have a few ideas.....</div>
<div>
<br /></div>
<div>
1. Information Security - The world needs an easier way. The more that Infosec has solidified itself as a discipline, the more I've noticed a struggle in the educational realm for thought above and beyond the mechanics of the field. There is need for thinking above and beyond the vulnerability of the day and the wow factor of discovering yet another amplification attack buried in the hidden recesses of a long-forgotten protocol. I have been thinking that what is needed is a visual model for applying information security to systems. It has to be simple enough for systems analysts to actually use and understand, but flexible enough to delve deep into the multiple layers and facets of system design. We need something formal, but something that can be taught in one semester. </div>
<div>
<br /></div>
<div>
2. Self-sufficiency - The world has undergone a creeping change since the Industrial Revolution. The change is pointing us away from mechanical life support and back to finding self-sufficient means, such as unplugging from 'the grid', growing our own food, taking care of ourselves instead of allowing the machined existence to dictate our flavorless lives. I'm just getting started in this field, but I have always been fascinated by how you can plant a seed and from it grows fruit and vegetables within a matter of a month or two. Aquaponics is definitely something that I want to explore and may be able to eventually contribute to, and has the potential to ensure that we can continue to feed the human race even as our current farming methods become unsustainable. They're doing amazing things in Japan with indoor hydroponic farming. I'd like to replicate their successes on a smaller scale and in a 'community' atmosphere.</div>
<div>
<br /></div>
<div>
3. Information Technology Education - IT is a large field and has many practice areas. We used to think of Computer Science as one simple thing, but the field has exploded. Of course, that means that the education that we provide to newcomers in the field is more spread out amongst the disciplines, and that we haven't had time to teach and focus on the importance of the basics. I would love to contribute to a solution to this, and to find the time to develop and market these solutions to train the neophytes. Making it interesting enough to keep their attention when the blinking lights and fun sounds of the web are grabbing their attention will likely be one of the greater challenges.</div>
<div>
<br /></div>
<div>
So, there's three things I've set for myself, and they're goals I couldn't have thought of spending time on until now. I hope that everything turns out well with this potential change in my life and that I have the opportunity to change the world.</div>
<h3>Reminded of my Blog</h3>
Posted 2015-11-13<br />
My life is extremely busy. Not only do I find myself working a great deal, but I also have plenty of hobbies, some of which I have discussed on here. <br />
<br />
I actually went for an interview today and when I mentioned how multi-faceted I was [thanks for the word, interviewer!], one of the interviewers asked if I had a blog. I sheepishly turned and said that indeed I did, but that I hadn't updated it in a while.<br />
<br />
Part of the reason that I haven't is that I consider the work that I do day to day to be sensitive in nature. Not that it's hush-hush, but I certainly don't have my employer's permission to be posting the details of their network design or security implementations all over the web. Because work has been consuming the better part of my life since Feb 2014, there is very little posted since then. However, I have certainly had a lot of personal triumphs, changes, etc. I mostly share these with my friends on Facebook, though, and have really stopped writing opinion pieces for random strangers to stop by and read.<br />
<br />
Perhaps I can change that. I haven't written in a while, and I'm kind of rusty. I'm going to try to pick up the personal pen and pick my pitiful brain to put it down on this page probably twice a month. In two days' time I will pick a topic, draft an opinion or a rant and type it out for you to read, if you're still there. And I'll try to continue at that pace - twice a month, while sitting at the TV, instead of falling asleep. See you then.
<h3>Developing for Android</h3>
Posted 2014-02-16<br />
If you're going to develop Android applications, and you've run into a problem with the Android Virtual Device Manager - as in, the emulator is just TOO DAMNED SLOW - I've got two tips for you I found elsewhere on the web:<br />
<br />
0. If you're on Windows, even the program recommends setting the RAM to 768 - so do this first - I wasn't even able to get an AVD to run with more than that.<br />
<br />
1. <a href="http://stackoverflow.com/questions/7430039/android-virtual-device-super-slow-pc-too-slow">http://stackoverflow.com/questions/7430039/android-virtual-device-super-slow-pc-too-slow</a> - Up the VM Heap Size available to apps - the default is just too damned small (I think mine was set to 48). Edit that Virtual Device and give that VM Heap size 512 - Just this alone sped up the emulator to the point where it could boot for me. It made a WORLD of difference.<br />
<br />
2. <a href="http://software.intel.com/en-us/android/articles/speeding-up-the-android-emulator-on-intel-architecture">http://software.intel.com/en-us/android/articles/speeding-up-the-android-emulator-on-intel-architecture</a> - Install the Intel x86 Emulator Accelerator. And not just install it from the Android SDK Manager. This only downloads the tool to your PC. You will need to go into the SDK's folder and find intelhaxm.exe and run it to actually install the Accelerator.<br />
<br />
3. From that same Intel reference: Use the Intel Atom CPU/ABI and choose 'Use Host GPU' for the Emulation Options.<br />
<br />
With those things, my emulator was up and running in less than a minute and ran smoothly.
<h3>Story Time - How Teachers Can Crush the Spirit of Young Learners</h3>
Posted 2014-01-19 (updated 2015-11-13)<br />
Art is a skill that has limited to no association with what I currently do for a living, but has been a quiet passion of mine for many, many years. Most people that know me have no realization that within me burns a passion for artistic expression, because I have learned to quell this from coming to the fore. <br />
<br />
There were two teachers in my middle and high schools that heavily influenced my artistic development, and neither of them for the good. This is just a story that needs to be told, so I thought I'd share it here on my blog.<br />
<br />
In sixth grade, I attended a single-grade annex school of I.S. 24 in New York. One of the classes we took was an art class that covered a large variety of materials and artistic methods. We did painting, mosaics using food-colored rice, papier-mâché, and drawing with watercolors and inks. One drawing firmly in my mind is a project that we were doing in class where we had copied some artwork from a book using pencils and tracing methods, but were tasked with coloring it with watercolors. We had to work at a table with other students, and I was stuck at a table where there was this one asshole kid who didn't give a shit about the class or the assignment. During the class, he decided it would be fun to take his wet brush with watercolors and flick it at other people's artwork, spraying it and destroying the painting. Of course, I had no choice but to tell the teacher he was destroying the artwork, and I would have expected that she would punish the little jerk-face and at least isolate me from him so that I could finish working on my piece. However, I was shocked and amazed when she came over and expressed to both of us that his 'flicks' made my piece look more INTERESTING. What the fuck!?! And then she turned off and went over to other tables!! No punishment, only encouragement for the asshole's behavior! Of course, the cackling little fucker took this to mean he could do whatever the hell he wanted. He and I began a battle of flicks that destroyed both works of art, but of course he could care less about his. And me, my spirit lay crushed; the painting that I was proud of was now ruined by a little shit.<br />
<br />
In ninth grade, I took a drafting class [mechanical drawing] at South Brunswick High School in New Jersey, led by an older black gentleman with a gruff demeanor and the scowl of Scrooge himself. I didn't mind his demeanor and thought of him as a talented and experienced drafter who had given up his career to begin teaching and mentoring new students into THE WAY. The class was glorious! I loved going to the class and developing highly precise drawings of objects in all three dimensions, using the T-Square and Triangles, precisely copying the fonts and measuring to ensure the diagrams were accurate blueprints. It was fantastic up until the part where we had to ink the drawings. Now, this was back in 1980/81, so inking drawings was done using ink-well pens. I don't know if you've ever had to use one of these stupid things, but essentially the first thing you're going to do is blot your work. Then, you're going to blot some more. The solution to this is to ink a drawing over a thin see-through film, rather than right on the original. If you blot, you start the inking process over. I learned for the most part how to control the pen, but it was a difficult task, and even toward the end of the class, I would occasionally blot my inking and have to restart it. I was still doing fine, and I certainly had the patience to restart when needed - it was part of the requirement, after all. <br />
<br />
It all ended with the final exam. You see, the final exam counted for half of our grade, and it had an inking in it. That would have been fine except for two things:<br />
<br />
<ul>
<li>There was a time limit of the one hour class, so restarting or redoing the work would not be possible.</li>
<li>Just as he handed out the final exam, he made the statement, "If you blot your final work, you will receive an F"</li>
</ul>
But, hey, no pressure, right?!?! SHIT, when I got to the final ink, I was nervous as hell. I got 90% of the way through the final inking before you can guess what happened. The ink in a freshly welled tip spilled over the final draft, ruining the fine and precise lines I had spent 50 minutes making.<br />
<br />
I cried like a little girl. Yes, that's right, I cried, folks - I was ruined. I turned in what work I had finished (the pencil drawing), and sure enough - that [<b><i>Edit: there was a REALLY bad word here. When I wrote this, I passionately considered it and decided to write it anyway. However, some people may find it very offensive, and they may end up judging me by that one word. I do not have a career as a writer. Were I Norman Mailer, I would have left it in. I am not, it comes out.</i></b>] failed me just like he said. The emotional toll of failing a class that I absolutely LOVED and even had the majority of the skill-set for (apart from inking, apparently) was so devastating that I didn't touch a T-Square for 30 years.<br />
<br />
I now own a drafting table. I bought it when I moved into this house and saw a mechanical table on Craigslist. Some guy had been using it as a mechanical lift in his garage and it was covered in grease and oils. I cleaned it up and put a new surface on it from a local art store. When I find time, I go downstairs and I draw using the drafting table for a surface. I even have a T and triangle. Of course, the actual art of mechanical drawing is now very computerized. I like to play with Blender every now and again, but find very little time for those pursuits among all of the other things that grab my interest and require my time, but if I ever had lots of free time on my hands, it would be one of the things I love to do.<br />
<h3>Foray into the Cryptocurrencies (BitCoins)</h3>
Posted 2013-11-23<br />
I was at DefCon 21 and a guy was there with a <a href="http://www.theverge.com/2013/8/3/4585220/bitcoin-suitcase-eats-your-pocket-change-spits-out-digital-currency" target="_blank">homemade Bitcoin vending machine/suitcase</a>. It had a coin slot in the side, and it cashed in your USD for some Bitcoin at the current MtGox exchange rate minus an (it turns out exorbitant) fee. No matter, I was only curious to the tune of 5 quarters and I received a piece of paper with both the public and private key for a wallet that had been sent the .00810374 Bitcoins. This week, I loaded up the key and peeked into what my piece of a Bitcoin was worth. $5.70! That's right, I had made 570% on my $1 investment in just two short months. That piece of paper got smoothed out, touched up (it had begun to smear) and put somewhere a little bit safer.<br />
<br />
Some of you reading this posting may not know what a <a href="http://en.wikipedia.org/wiki/Bitcoin" target="_blank">Bitcoin is</a>. It's an alternate currency - an experiment in basing value of currency off of a share of work toward solving cryptographic algorithms. Is it nerdy - yes, on the face of it, it's very nerdy and at the same time, interesting. You see, Bitcoins are not created by a government, their value is set entirely through free market, and it is possible to trade Bitcoins anonymously. A Bitcoin is an experiment in the ultimate barter system, out of reach of 'the man' - and the only value is dependent upon what someone else will decide to give you for it.<br />
<br />
There are a lot of things that make Bitcoins cool.<br />
<br />
<ul>
<li>The complete lack of a centralized authority. This makes Bitcoin automatically useful on a global scale as soon as there is an acceptable market for the currency in other countries. And now, the <a href="http://www.ft.com/cms/s/0/0a5fae82-5341-11e3-9250-00144feabdc0.html#axzz2lVdLJKOC" target="_blank">country with the largest population is on the Bitcoin ride</a>. </li>
<li>The ability to create a Bitcoin 'wallet' anonymously and exchange coins between wallets without involving third parties in performing the actual transactions.</li>
<ul>
<li>This takes some care, since all transactions are essentially traceable through the blockchain from creation to current wallet. It is important that one does not just register with a website, buy some coin and then promptly spend those on something that will get you into trouble. To be truly anonymous, one needs to put some space between your name and the spending of the bitcoin. Logically, sending the bitcoin to a vendor of some sort that handles a large number of clientele, without care for their identity, that will be willing to send the bitcoins back to a new address will be enough to break the link. But I am not a lawyer, a policeman or an expert in money laundering.....</li>
</ul>
<li>The free market value of the bitcoin is linked to important economic indicators - such as how expensive it is to create/mine a bitcoin, how many vendors will actually take a bitcoin in payment and how liquid a bitcoin is (until EVERYONE will take bitcoin, you'll still need to be able to cash it out in your native currency). <a href="https://www.spendbitcoins.com/places/" target="_blank">A list of bitcoin vendors</a> comes in handy and is growing quickly. I was frankly amazed at the number of physical product vendors that are on the list - and now a <a href="http://www.digitaltrends.com/cool-tech/university-will-let-pay-tuition-bitcoin/" target="_blank">University in Cyprus will let you pay tuition in bitcoin</a>.</li>
<li>There are numerous ways to store your bitcoin - with an online wallet service or exchange like <a href="https://coinbase.com/" target="_blank">coinbase</a> or <a href="http://blockchain.info/">blockchain.info</a>. Probably the most famous exchange is <a href="https://www.mtgox.com/" target="_blank">Mt.Gox</a> although they've had <a href="https://www.mtgox.com/press_release_20110630.html" target="_blank">some problems in the past</a> like the <a href="http://www.theverge.com/2013/5/15/4332698/dwolla-payments-mtgox-halted-by-homeland-security-seizure-warrant" target="_blank">DHS freezing their funds at Dwolla</a>. If you run <a href="http://bitcoin.org/en/download" target="_blank">the Bitcoin client</a> (effectively becoming part of the bitcoin network), you can create a wallet on your own and will only need to get someone to send bitcoins to the created wallet address. You can also back up your wallets to paper copies of the public and private key associated with it. This is normally done via QR code to make them easier to input.</li>
<li>Since bitcoin spending can't be controlled by anyone - spending them on things that would normally be against a government's desire is a very simple process. (although still traceable if not done properly to protect your anonymity!!) This means there are a lot of casinos popping up online that take bitcoins. Of course, I can't leave out the fact that some markets exist for the drug trade and that the creator of said marketplace is alleged to have arranged at least one hitman on that marketplace.</li>
</ul>
<div>
Of the many bitcoin sites I've seen today when poking around, most remind me of the early days of the web. Horribly designed sites aimed at enticing the user with garish images and offers of <a href="http://freebitco.in/?r=42742" target="_blank">FREE BTC</a>!! If you've got a bitcoin wallet and would like some free bitcoin (less than a penny's worth on average) to start you off, go ahead and click there and give it your wallet address.</div>
<h3>Download from B-Sides DC 2013</h3>
Posted 2013-10-20<br />
I went to my first DC-area security con, <a href="http://www.bsidesdc.org/">B-Sides DC</a>, held yesterday and today, after attending <a href="http://www.blackhat.com/">Blackhat</a> and <a href="http://www.defcon.org/">Defcon</a> earlier this year. There's definitely a difference, going to a conference where you go home at night vs. one where you stay at the conference hotel and focus entirely on the con. For one thing, you can't really give 100% of your attention to the conference contests and socializing. At the end of the day, you still have to commute back home, spend time with the family and deal with your normal responsibilities. So, right off, attending Defcon was the better experience solely for this reason. On the other hand, B-Sides DC was $10 for two days of learning, and my travel costs were $12 for parking and $6-$9 for gas. Defcon still wins, because, hey - <b><i>Vegas</i></b> - but other than that, this was well worth my weekend.<br />
<br />
After attending Defcon, I was asked to give some talks on what I've learned out in Vegas and I had prepared a slide deck that had several advantages. One, I got to spread the knowledge to other people. The talks I gave went from the very broad to the very technical in sharing the Blackhat/Defcon experience, and giving the talks helped to cement some of the knowledge from the whirlwind that is the con experience. So I figured I should do a brain dump of sorts of my experience at B-Sides to cement some of the stuff I learned there, and organize some of the notes I've taken, links I picked up and Twitter accounts to add. These notes are going to be rambling, and have referential information throughout that I needed to capture. I'm only making a mild effort to make complete thoughts and sentences for the reader, and may not have even come to an assessment of what was important about each talk for me to take note of.<br />
<br />
<h4>
Day 1. Opening Talk - Bruce Potter - <a href="https://twitter.com/gdead" target="_blank">@gdead</a> - Shmoo Group</h4>
I have in my notes that Bruce is an author - I remember him discussing that the first book he authored was with O'Reilly - I recall that SOMEONE (not necessarily Bruce) at B-Sides said that the entry point into signing up to write a book on technical subjects seemed to have a fairly low barrier and that writing a book on a subject you barely knew was not only possible, but something he had done. Now that I think on it, I believe that was <a href="https://twitter.com/grecs" target="_blank">@grecs</a> instead of Bruce (whomever it was, they had written a book on 802.11 and learned the subject while writing the book).<br />
<br />
Bruce's talk was about education, skills, how IT Security differs from the hard sciences, refocusing the collective on the end goals of IT Security, and in the end, getting back to the roots of InfoSec by fucking shit up. He had a lot of personal stories, but I think they were mainly to demonstrate that the path to becoming an InfoSec ninja is not a cookie-cutter career path. In my notes I have written 'R U A WIZRD'? which refers to the Rock Star Syndrome he was discussing (not by name) of our over-inflated egos of thinking we're better than we really are just because we have the special skill of understanding how the <a href="http://www.urbandictionary.com/define.php?term=magic%20smoke" target="_blank">magic smoke</a> works. He went on to rail against Certifications not necessarily being the answer to the irrelevant and outdated curriculum of university degrees in the fast paced industry of InfoSec.<br />
<br />
Bruce also brought a three-year old to B-Sides (and told him he was about to learn some new words) - although I'm pretty sure he was being himself, and the kid had probably heard those words before (forgive me Bruce if I'm wrong). The talk was very humanizing and I think it really led to the audience being able to identify with the college-dropout, successful level 42 Wizard, author, industry leader.<br />
<br />
In the end, though, Bruce had a point - he wanted us to try to figure out how to fix the education problem (where Youtube videos are better InfoSec teachers than instructors), how to fix the qualifications problem (where who-you-know frequently passes for what-you-know and security certs are still testing whether you know outdated security models from the 1970s) and get to the business of ACTUALLY FIXING THE CUSTOMER'S PROBLEM - which is broken security. And he had another point - Bruce asked for people to get back to the roots of InfoSec and maybe stop being so damned gentlemanly. The bad guys aren't playing nice, and I think that he's a bit upset that everyone is being so damned nice to each other and respecting each other's boundaries at cons and other hacker battlegrounds. Probably because it's dulling our senses and our abilities as a group.<br />
<br />
<h4>
<b>Day 1 - Official Talk 1 - The Homunculus Problem - Why You Will Loose(sic) the Battle of BYOD - Michele Chubirka - Mrs. Y - <a href="http://twitter.com/MrsYisWhy" target="_blank">@MrsYisWhy</a></b></h4>
B-Sides has two talk tracks (and one education track) - and it was this talk or a talk on why your corporate password policy is weak. Since I'm already a soap-box candidate for preaching about password policies as a failed solution and I didn't want to learn what SANS 20 Security Controls were, I sat in on Michele's talk about why we'll fail the BYOD battle. Of course, I was expecting a technical talk, not a psychology talk - which is what she ended up giving. She explained the drug-like addiction properties of social media and the devices that we use, and encouraged empathy and embracing the user's wishes when it comes to BYOD [Sorry: that's Bring Your Own Device (to work) for the uninitiated]. She spoke about how Security [industry and policy] is seen as just a roadblock to users getting what they want. <br />
<br />
My notes have three takeaways: 'Stoptional' - the optional stopping of a vehicle at a stop sign, presumably in Louisiana - a cute term someone behind me and to my right explained when comparing corporate security policy and the likelihood that your users will obey it to STOP signs and road laws. Empathy/working together - which summed up MrsYisWhy's point she wanted us to consider - key slide being 'Don't say No - say Yes, and....' (I personally prefer Yes, but... but I can see how that might make me out to be the bad guy) and <a href="http://www.healthyparanoia.net/">www.healthyparanoia.net</a> which appears to take me to the Packet Pushers Podcast page - a podcast I had previously been unaware of.<br />
<br />
She then handed out T-Shirts to some random trivia questions and was upset that no one remembered that Solaris 2.6 marked the beginning of their shift to a 64-bit OS. Her personality overall, by the way, seems to match very readily to the picture she's chosen as an avatar on Twitter - a bit on the spiritual/kooky side.<br />
<br />
<h4>
Day 1 - Official Talk 2 - Malware Analysis: N00b to Ninja in 60 Minutes* - @grecs</h4>
@grecs' talk was full of useful information and links on Malware Analysis - a weak point for me since I haven't done much of it. Not only did I take notes, but I actually used my phone to take some [screen]shots of his talk on the projection screen that I need to transcribe later. <br />
<br />
I think @grecs is a recovering stutterer, or is developing one - but he pushed through it fairly well and only had a few seconds of touch and go fighting it off during his speech. Talking in public is HARD, HARD, HARD for anyone - I can't imagine how much more difficult it must be when your brain just decides to lock up on you like that - not only do you feel some embarrassment, but that just adds to the problem and it can go into a death spiral...so good job pushing that stick forward and pulling out of the death spiral!<br />
<br />
Grecs is actually a Twitter account I already follow, and I like some of the articles that recur on <a href="https://www.novainfosec.com/" target="_blank">NOVA Infosec</a>, his website. It appears the <a href="https://www.novainfosec.com/2013/10/19/malware-analysis-slides-from-bsidesdc/" target="_blank">Malware Analysis BSides DC slide deck</a> has already been posted there from his talk (Thanks, Dude!!!!) Also, I should thank his sponsors <a href="http://twitter.com/@BulbSecurity" target="_blank">@BulbSecurity</a> and <a href="http://twitter.com/PenTestTraining" target="_blank">@PenTestTraining</a> for bringing him to B-Sides DC and supporting his work. It is people like @grecs who help the security industry's world go 'round and it can be hard to get paid to do work that benefits a community. <br />
<br />
I also have a note that he takes in trade or pays cash for blog posts on <a href="http://bit.ly/nispsubarticle" target="_blank">NOVA InfoSec - the submission link</a> was given at the talk.<br />
<br />
Ok - for this talk I have THREE written pages of notes that are mostly a list of tools for the various aspects of setting up a Malware Analysis Lab, the step-by-step processes and alignment of the tools to those processes and relevant training websites. Once he got going - this talk was probably the most STRUCTURED and INFORMATION DENSE talk of the conference. The slides are up on SlideShare - use the link above on his website to essentially see what I've put down in my notes. Knowing they're there - I'm not going to attempt to replicate the information here.<br />
<br />
----Tired for now - will take a break and resume discussions of other talks later on ---------<br />
<br />
<br />
<br />
<br />
<h4>
BlackHat Report</h4>
Posted 2013-09-28<br />
I'm just finishing up my last (second) day of <a href="http://blackhat.com/">BlackHat</a> briefings. I was lucky enough to be able to be sent to attend BlackHat this year by my company (<a href="http://www.drc.com/">Dynamics Research Corp</a>). A few tips for attendees - water, deodorant, more water, and black T-shirts. The uniform of the day for conference attendees seems to be the ubiquitous black T-shirt with some form of hacking slogan on it. I'd say it's at least 50% if not more.<br />
<br />
You'll need to drink plenty of water to stay hydrated. So far, I think I'm winning this battle, but as soon as you step outside in the Vegas heat, your mouth dries up within seconds, and you can feel the water get wicked up your esophagus only to be lost to the desert. While you won't spend much time outside, the dryness persists in the air-conditioned casinos, and while it's a slower process, it continues unabated the whole time you're here.<br />
<br />
Also, don't forget to eat. I think I ate dinner at 11:45PM last night. There is so much going on, and it's so interesting that skipping a meal as you focus on something else is an easy thing to do.<br />
<br />
With all that said, Oh My God! - I need to come to this every year, whether the company is picking up the tab or not. I may not be able to afford BlackHat, but I can probably pick up BSides-LV and Defcon myself. The people here are smart as hell - everyone is extremely congenial and open and the whole experience so far has been phenomenal. It's going to take me all year just to DIGEST the amount of information I've picked up here - and my head is SWIMMING with new ideas spurred by some of this research. I'm thinking in new ways about timing attacks, secondary communication channels, encryption, browser security, organizational defenses.....it's incredible!<br />
<br />
Note: This post sat in draft mode because I never got back to finish writing it - Defcon was so engaging I forgot about it entirely.<br />
<br />
<h4>
What if we paid for risk with time?</h4>
Posted 2013-07-16<br />
Cryptography offers us many things - not just the ability to lock up secrets that can only be decoded if we know some secret password. Using the processes of hashing, encoding and decoding, we've been brought capabilities such as digital signatures, network secrecy and non-shared key authentication. I was thinking about one particular capability offered by our cryptography geniuses - the use of hashing algorithms to derive secret keys over a given number of cycles without an easy way to determine the solution without actually performing the calculations over that number of cycles. Wow - that sounds like it's going to get complicated...Let's back up and take a look at just what a key derivation function is.<br />
<br />
In essence, what these functions do is come up with a deterministic sequence of pseudo-random numbers by performing a set of specific calculations over and over (you set the number of repetitions). By feeding the function a pass-phrase, it will blend that pass-phrase into a messy sequence of numbers that supposedly cannot be reverse-engineered by any means other than using the same blending process with the exact same pass-phrase over the same number of cycles. There are different versions of this: bcrypt, PBKDF2 and scrypt, with scrypt being the most modern of the three - designed to take into account not only repetition but also arbitrary memory usage, which helps keep the cost of the function high by requiring additional hardware for parallel attacks.<br />
<br />
What struck me today is that this function can essentially be used as a time-lock. To the analogies!!! You walk into a bank and go to hold up the teller - you might get out of the bank with $1,000 - $2,000...hardly worth the risk. Why don't you rob the safe in the back that holds all of the money? Because it has a time-lock on it. It can probably only be unlocked by the bank manager after putting in the combination and waiting for an hour for the safe to open. If you're robbing a bank, your time frame is a lot shorter than an hour. It raises the risk of being caught and the bank knows this - which is why they use time locks. The longer it takes you, the heavier the risk side of your risk/reward see-saw.<br />
<br />
What if people implemented time-locks for high-risk transactions in the automation of business transactions? The risk of a transaction could determine how long the transaction would need to take. Time locks would be implemented in such a way that verifying a transaction requires completing a key derivation function, with half of the compute time being taken by the sender, and half of the compute time being taken by the receiver.<br />
<br />
Scenario:<br />
<br />
Transferring $10 to your wife's account? No problem, sir, take but a second..<br />
<br />
Oh, you want to transfer $200,000 to a random account number in the Grand Cayman Islands? Yes, sir - we can do that for you - the transaction will begin now, and the transfer will complete in 12 hours. No, sir, the receiving party will not credit the amount until both sides reach the agreed upon key for the transaction. The transaction will show as 'pending' until it completes or is aborted.<br />
<br />
As computing time/resources get cheaper, validation time can be kept in line with the risk, requiring specific amounts of resources (cycles, processes, memory) to perform the transaction. Resource costs would have to be passed on to customers as part of transfer fees - time increases would be enforceable at the interface level, since communication of the transaction verification could not be done without the derived key, enforced by a protocol standard.<br />
<br />
Now for the devil's advocacy - This would have a negative impact on customers performing high-risk transactions. It would probably never make it past lobbying organizations, and people who regularly pass around large sums of money would find some other way of performing wire transfers to get around the limitations. Also, time-locks could be implemented without even using these processes if banks REALLY cared about the risks of risky automated transactions, through simple business rules and agreed upon timelines and risk limits. So- just another random rambling....<br />
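The risk-scaled time-lock described in this post, as an added example (not code from the original post): the transfer amount selects a total PBKDF2 iteration count, the sender performs the first half, the receiver continues from the sender's intermediate value, and the transfer stays pending until a tag under the final key is presented. The tier table, the function names and the chaining of two PBKDF2 calls are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed risk tiers: (amount ceiling in dollars, total PBKDF2 iterations).
# The numbers are illustrative assumptions, kept small so the demo runs quickly.
RISK_TIERS = [(100, 2_000), (10_000, 20_000), (float("inf"), 200_000)]


def total_iterations(amount):
    """Map a transfer amount to the total work both parties must perform."""
    for ceiling, iterations in RISK_TIERS:
        if amount <= ceiling:
            return iterations
    raise ValueError("unreachable: the last tier has no ceiling")


def canonical(txn):
    """Stable byte encoding so both sides bind exactly the same transaction."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sender_stage(txn, shared_secret, salt):
    """First half of the work: the sender stretches the shared secret."""
    n = total_iterations(txn["amount"]) // 2
    return hashlib.pbkdf2_hmac("sha256", shared_secret, salt + b"|sender", n, dklen=32)


def receiver_stage(txn, intermediate, salt):
    """Second half: the receiver continues from the sender's intermediate value."""
    total = total_iterations(txn["amount"])
    n = total - total // 2
    return hashlib.pbkdf2_hmac("sha256", intermediate, salt + b"|receiver", n, dklen=32)


def release_tag(final_key, txn):
    """MAC over the transaction under the derived key; only the full chain yields it."""
    return hmac.new(final_key, canonical(txn), hashlib.sha256).hexdigest()


def settle(txn, shared_secret, salt, presented_tag):
    """Clearing check: recompute the whole chain and compare in constant time.
    Anything short of the full, correctly bound derivation leaves it pending."""
    key = receiver_stage(txn, sender_stage(txn, shared_secret, salt), salt)
    ok = hmac.compare_digest(release_tag(key, txn), presented_tag)
    return "completed" if ok else "pending"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # sample value, not a real credential
    salt = b"txn-0001"                     # per-transaction salt (constructed)
    txn = {"from": "acct-A", "to": "acct-B", "amount": 200_000}
    mid = sender_stage(txn, secret, salt)
    tag = release_tag(receiver_stage(txn, mid, salt), txn)
    print(total_iterations(10), total_iterations(200_000), settle(txn, secret, salt, tag))
```

The delay here is counted in hash iterations, so faster hardware shortens it, and the clearing side pays the same cost to verify that the two parties paid to derive.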
<br />
<h4>
Agile Development and Documentation</h4>
Posted 2013-07-08<br />
Some wisdom to write an article on in the future:<br />
<br />
Agile Development doesn't mean excluding the need for documentation – however, processes and tools can be used to create documentation FROM the process of development. Rather than putting the cart before the horse to lead him, you allow the horse to pull the cart, and, when you GET there, look back and follow the cart tracks to inform and document the path you've taken (upon which you can decide to pave a road, perhaps). This is why Agile CAN BE an effective software development practice - because you don’t have to pay for someone to pull the cart ALL THE WAY from Start to Finish and pull the kicking and screaming horse behind…you instead get smart drivers on the cart to lead the horse only to the next step toward the destination and a horse who is smart enough to walk around the trees.<br />
<br />
<h4>
Don't forget the Auditing</h4>
Posted 2013-07-06<br />
Yet another unfinished thought on auditing and system design - I cleaned up a little, but again - publishing from draft:<br />
<br />
When it comes to performing information security, it's easy to get lost in technical solutions and overtly technical discussions regarding what you need to lock down your business. With the complexities of password policy, application and network design, encryption algorithms, VPNs and firewalls all spinning around in your head, there is something very easy to understand that is at the core of providing risk awareness.<br />
<br />
Auditing - and not just logging of security events, either; I mean good old fashioned auditing of your books and business transactions. Keeping an eye on what's going on in your business may help you to identify when there's someone with their hand in the cookie jar - and it won't make any difference how they got into your network when you catch them in the act of siphoning off your accounts.<br />
<br />
Supervisory function: I can't imagine that a bank teller would be permitted to leave the premises at the end of his or her shift if their drawer was short of cash. Managers count them up and monitor whether or not their transactions line up and everything checks out. In so doing, anything out of the ordinary would be reviewed and questioned. The bank manager performs the supervisory function and is aware of the business rules that are applied to ensure proper operation of the business. Even with automated teller machines in banks, this supervisory function is not forgotten - review of transactions and matching them up to the cash in the machine during cash outs help the banks ensure that everything is performing at least to some modest business constraints.<br />
<br />
Constraints and Limitations: In the same instance, tellers are not given access to the entire bank balance. Those who rob banks will likely tell you that robbing a teller these days is hardly worth the risk since the take will be very low. It's probably more rewarding to hold up a cash business like a fast food restaurant, where the controls are not as involved and there's more chance of obtaining large cash drawer balances. Even ATMs, which are entrusted with large cash drawers (since they're not likely to turn over their cash to a gunman), still have a limit to their losses based on how much they're loaded with. When we design computer systems that access things like bank balances and accounts, we need to be reminded that business rules that impart these constraints and limits on transactions still need to be in place. Even more so, hair triggers on constraints should lock down transactions from a source (such as a web front-end) that shows signs of being erratic.<br />
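The three controls described in this post (a cap on what any one source can lose, a hair trigger that locks a source behaving erratically, and a supervisory reconciliation at cash-out), as an added example that is not from the original post. The class name, thresholds and the "more than N requests in a window" definition of erratic are assumptions.

```python
from collections import defaultdict, deque


class SourceGuard:
    """Business-rule limits applied per transaction source (teller, ATM, web front-end).
    Amounts are integer cents; every threshold here is constructed for illustration."""

    def __init__(self, per_txn_cap, drawer_cap, window_s, max_requests):
        self.per_txn_cap = per_txn_cap    # largest single payout a source may make
        self.drawer_cap = drawer_cap      # most a source can pay out between cash-outs
        self.window_s = window_s          # sliding window for the hair trigger (seconds)
        self.max_requests = max_requests  # requests tolerated inside that window
        self.paid_out = defaultdict(int)  # running payout per source
        self.recent = defaultdict(deque)  # request timestamps per source
        self.locked = set()               # sources shut off pending review

    def authorize(self, source, amount, now):
        """Return 'ok', 'denied' (a rule was violated) or 'locked' (source shut off)."""
        if source in self.locked:
            return "locked"
        window = self.recent[source]
        while window and now - window[0] > self.window_s:
            window.popleft()
        window.append(now)  # denied attempts count as activity too
        if len(window) > self.max_requests:
            self.locked.add(source)  # hair trigger: an erratic source is cut off
            return "locked"
        if amount <= 0 or amount > self.per_txn_cap:
            return "denied"
        if self.paid_out[source] + amount > self.drawer_cap:
            return "denied"
        self.paid_out[source] += amount
        return "ok"

    def reconcile(self, source, opening_cash, counted_cash):
        """Supervisory cash-out: compare counted cash with what the records imply.
        Returns the discrepancy; a mismatch locks the source, a clean count
        resets its drawer for the next period."""
        expected = opening_cash - self.paid_out[source]
        discrepancy = counted_cash - expected
        if discrepancy != 0:
            self.locked.add(source)
        else:
            self.paid_out[source] = 0
        return discrepancy
```

A locked source stays locked until someone reviews it; the class deliberately has no automatic unlock.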
<br />
<br />
<br />
<br />
<h4>
There's a Difference</h4>
Posted 2013-07-06<br />
Something I had drafted - wasn't sure of whether I agreed with myself or had switched analogies where I'd meant things in an opposite manner, so I originally didn't publish - but I'm going to publish it now with the caveat that this is not completely thought out, and is indeed, just a rambling.<br />
<br />
In discussing atheism on the Internet, some people are making an assumption that atheists and agnostics and the nonreligious are one and the same. There is a difference, and an analogy came to me that I thought I would mention. In computer science, there are three concepts that are similar but distinctly different. The concepts are NULL, ZERO and EMPTY. Some databases do not recognize the difference between null, zero and empty - after all, they are all void of any value, so why should I treat them differently? Some recognize a difference between zero and empty, but not null and empty.<br />
<br />
To store an EMPTY value, I must allocate memory appropriately sized to the type of value I intended to store in that location, and then not store any value there. In many computer languages, this EMPTY value will default to a particular value. In other languages, this particular action leaves an UNDEFINED value in the memory location that I have assigned. No matter, I have actually allocated memory space to hold some value - I merely have not made any effort to store something there. In our analogy, these are the nonreligious. The way that English defines this state is, upon recall, the response to 'What do you believe to be the supreme being?' is 'I don't know'. In some computer languages, this answer will be random gibberish. This means that when asked who is the supreme being, their answer MAY be 'a flying spaghetti monster'. The questioner has no way of knowing whether this value has been placed there intentionally or is a random response. It is obvious, however, that this is a garbage response and not an actual value [with the assumption that no one TRULY believes that a flying spaghetti monster exists and created the world]. It is also true that this person may, on random chance, answer 'Jehovah'. However, because this dimension is a known EMPTY value - the respondent will know that the answer holds no conviction, even though the questioner does not know this. To test the EMPTY value response against an actual belief, it is necessary to ask many more questions about the nature of the stored value and attempt to determine how that value got into that memory location. (This is beyond the scope of this discussion).<br />
<br />
<br />
Code sample for EMPTY value:<br />
<b>String supreme_being;</b><br />
<br />
<b>print supreme_being;</b><br />
<b><br /></b>
Sample output:<br />
@^&*#%^@&*%#<br />
Jehovah<br />
The Flying Spaghetti Monster<br />
Mahatma Ghandi<br />
Error: pointer exception!<br />
<br />
<br />
A ZERO value is when I have made the effort to allocate memory to store information, and have made a conscious effort to store the placeholder which means OF NO VALUE, invented by the Babylonians in the 4th century BC. So, I have set aside a location and stored a marker that is consistent with my data type that means this location is dedicated to the fact that the value of the dimension I am storing is void of any significant value. In our analogy, this memory location is pointed to by the dimension 'supreme being' and the value we are storing is ZERO (non-existent, no-value added). This is the atheist. When asked 'Who is the supreme being', their response is 'There is none.' and this is a definitive answer.<br />
<br />
<br />
<br />
<br />
Code sample for ZERO value:<br />
<b>String supreme_being;</b><br />
<b>supreme_being = "";</b><br />
<b><br /></b>
<b>print("The supreme being is %s.",supreme_being);</b><br />
<br />
<br />
Sample output:<br />
The supreme being is .<br />
<br />
<br />
<br />
The remaining concept is a little more difficult to comprehend at first - but it is best defined as the ignorance-is-bliss option. Failing to set aside any location in memory, and failing to set aside any pointer to the value dimension, when attempts to reference a NULL value are made, computer languages will normally throw an error, which means that the question will have to be handled as an exception to the logic tree. There simply is no dimension defined that meets the criteria of the question. In our analogy, this is the agnostic. The way that English defines this state is, upon recall, the response to 'What do you believe to be the supreme being?' is 'I don't care.' Another potential answer may be 'I have never given that any thought' - but this answer may allude to the person beginning to provide some thought energy to the subject - which may immediately put them in the EMPTY category as they begin to think about it.<br />
<br />
<br />
<br />
Code sample for NULL value:<br />
<b>print("The supreme being is %s.",supreme_being);</b><br />
<br />
<br />
Sample output:<br />
Error: Undefined variable.<br />
<br />
<br />
<br />
One could argue that there are few people in modern western society who have truly given no thought or significance to the question 'Who/what is the supreme being' and will continue to do so. Because of our society giving great weight to the discussion of this question, you could argue that it is difficult to find people who are truly agnostic and that people are either religious, nonreligious or atheists. In fact, Richard Dawkins argued that one should not and can not logically define oneself as an agnostic. And this holds true with these analogies. The only agnostics are those that can not or will not self-identify because either they do not care, or have not heard of religion. However, I disagree with Dawkins that all agnostics are atheists. By my analogy, people who have identified themselves as agnostic are actually nonreligious. If they TRULY are agnostic, they wouldn't identify themselves as anything - they would simply respond to religious queries with 'I do not care.' or 'You're not making sense - please leave me alone'.<br />
<br />
Because of the nature of the true agnostic, it is impossible to include them in the debate field. Rather than all four opinions, all religious debate automatically excludes them (because they don't care to get involved). All debate, therefore, exists between three populations: religious/nonreligious/atheists. It is also impossible for an outsider to know the difference between someone who is religious and nonreligious because of the possibility that a non-committal answer to religious questioning may come from a nonreligious population. This discussion is important, but outside of the scope of this article.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<h4>
Bleagh - Hot Today</h4>
Posted 2013-07-06<br />
Probably to my neighbors' dismay, I woke up early and cut the lawn this morning at 7:30. I was trying to beat the heat in this wonderful DC area July. Unfortunately, that means I don't get to beat the dew. The lawn was wet, it's still hot as hell and between the moisture on the grass and the buckets of water streaming down from my head, I only got the front lawn done in the hour I was out there. That's right, I packed it in early once I'd finished the front. My rear lawn is definitely looking pretty long comparatively, but it takes every bit as long as the front to finish, and I'll be damned if I'm going to spend another hour plus out there.<br />
<br />
So, Microsoft is getting rid of TechNet. They sent out an ad to people on their mailing lists last week, and in it, they mentioned two alternatives for people who still need to test and use their technology to learn. One of them is <a href="http://technet.microsoft.com/en-us/virtuallabs">TechNet Virtual Labs</a> and the other is <a href="http://technet.microsoft.com/en-us/evalcenter">TechNet Evaluation Center</a>. I tried out one of their Virtual Labs to play with AppBlocker technology in Windows 8, and then decided to download Windows 8 evaluation edition for my virtual lab that I run at home. I downloaded the 64-bit Windows 8, which means I had to turn on <a href="http://www.intel.com/content/www/us/en/virtualization/virtualization-technology/hardware-assist-virtualization-technology.html">Intel Virtualization Technology</a> in my BIOS - simple enough to do while running patches last night. I'm going to try out Windows 8 this weekend and see how I feel about it. I don't like the tightly squared windows of the design, but then I didn't like Windows XP look and feel at first, either. It may grow on me.<br />
<br />
I've been playing Texas Hold'em recently. If you know me on <a href="https://www.facebook.com/rich.gautier">Facebook</a>, I play on Zynga Poker and I'm happy to hook up with folks. I actually managed to zero out at Zynga Poker - fake chips are fake chips after all. When I did, their mini-game slot machine that gives you 1 free spin a day started spitting out 10x rewards when I pulled it. They make sure their players don't completely run out of chips. I had a chance to play 1/2NL at <a href="http://casinoniagara.com/">Casino Niagara</a> while I was on a trip 2 weeks ago. It was a lot of fun to sit down with 10 total strangers and to see the wide range of abilities. There were definitely some guys that showed up that probably shouldn't be playing for real money yet. One of them folded from checked-around in the big blind, three times, no less. Either he was nervous, or he's only barely learned to play.<br />
<br />
<br />
<h4>
Skype Service and Customer Service Fails Big Time</h4>
Posted 2013-03-04<br />
My wife has family in South Korea. She likes to talk with them, and online phone services have become the norm for doing so. However, the people that she talks to are not always available online. For this, she used to use Yahoo Voice to call the landline/mobile number of those family members. Occasionally, she'd load up a few dollars on the Voice service and use it to make first contact. <div>
<br /></div>
<div>
Unfortunately, Yahoo ended their Yahoo Voice calling service. I suggested to her that Skype offers these same services, and I put $10 in Skype credit on her account. She loaded in the phone numbers of her family members, and tried to make contact. Well, it connected to someone in South Korea - the language was right (so the country code was correct), but the phone number she was connected to was different than the one she called.</div>
<div>
<br /></div>
<div>
I attempted to connect to Skype's customer service via online chat. I probably should have known better. Here's all the things that went wrong on this call:</div>
<div>
1. The first CSR I was connected to immediately hung up.</div>
<div>
2. I was reconnected to that same CSR, and it took them 3 minutes to acknowledge my presence.</div>
<div>
3. The CSR did not understand my problem.</div>
<div>
4. The CSR continually used cut and paste 'feel good' customer service speak to communicate. While attempting to make me feel cared for and understood - they only lent to the feeling that I was talking to a brick wall.</div>
<div>
5. The CSR could not help me and transferred me to another CSR</div>
<div>
6. This first half of the call took 12 minutes.</div>
<div>
7. The second half of the call with a different CSR had problem number 4 as well.</div>
<div>
8. The second CSR told me that since I had initiated the calls that I would not get a credit. (Thus #3 again).</div>
<div>
9. After 22 minutes, I hung up the call with the CSR. 35 cents was not worth my time and frustration with the idiots on the other end of the call.</div>
<div>
<br /></div>
<div>
This is customer service done WRONG! I hope that I save you from making the mistake of trying to use Skype to landline/mobile for overseas numbers. I hope I save you from even making a deposit with their service. Their website says they will not refund deposited funds after any of the funds have been used. I have lost $10. I hope you do not.</div>
<div>
<br /></div>
<div>
<br /></div>
<h4>
Science Writers, Please Evolve</h4>
Posted 2013-01-16<br />
Just today I saw two articles that stated claims that 'something' evolved to be able to do 'something else'. It's been bothering me for some time, but I don't think I've ever written about it. In the first story, the claim was that bats evolved to be able to repair DNA radiation damage from flight. In the <a target="_blank" href="http://rss.slashdot.org/~r/Slashdot/slashdot/~3/qjs85ycgfT8/story01.htm">second</a>, that human fists had evolved to allow humans to make fists for punching other people. This makes it sound as if a group of homo erectus got together and agreed to only mate with people with a good right hook. This is hardly an accurate concept.<br />
<br />
Both of these are fundamentally wrong statements. In fact, I find the statements downright misleading. It mixes the mindset of intelligent design with that of evolution. We, and our counterpart life forms, do not evolve toward a purpose. Instead, it is right to think that we evolve BECAUSE of specific environmental changes. E.g. Bats have evolved to the point where they repair DNA radiation damage experienced in flight. Humans have evolved fist-making hands most likely due to the survival advantage offered by being able to punch someone in the face.<br />
<br />
It may be a nit picking argument, but I think it would serve the greater good if evolution were properly characterized by statements that indicate its actual mechanism rather than set in the minds of the reader that we, or anyone else, evolve toward a specific purpose. The only purpose evident in the function of evolution is survival. Thus, it is really only right to say that 'something' evolved to be able to survive its environment.<br />
<br />
No one knows why my branch of the evolutionary tree has evolved to be so pedantic. 
<br />
<br />
- Recovered from a missing draft using BlogPress from my iPad<br />
<br />
- Posted using BlogPress from my iPad<br />
<br />
<h4>
Copyright Alert System to turn everyone into copyright cops?</h4>
Posted 2012-10-19<br />
The forthcoming Copyright Alert System ( <a target="_blank" href="http://www.cnn.com/2012/10/18/tech/web/copyright-alert-system/index.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_tech+%28RSS%3A+Technology%29">Verge article on Copyright Alert System</a> ) has a few kinks in it from the get-go, as well as some basic misunderstandings of technical constraints of the majority of end-users.<br />
I'm not familiar with the technology that CAS will utilize to identify targets for ISP warnings, but the first potential problems will come at the identification stage. Unless the most egregious users are identified prior to warning letters going out, the ISPs should expect a large backlash from their installed base. <br />
The system expects ISP customers to become copyright cops as part of their responsibility for having an Internet connection. This is an unreasonable expectation for unqualified, nontechnical, users of their service. Relying on the general populace to become learned about Internet technology as well as legal experts on identifying potential infringing content is a giant leap in expectations beyond just asking someone to pay their bill on time. Explain this all to my mother who still thinks her Operating System is Internet Explorer and who just learned last month about right-click menus.<br />
That's just part of the problem with the system. Next up is the access control problem. When Verizon installed FiOS in my house, they put in a WiFi router with WEP security. 
Even with WPA (of the pass-key variety), cracking into my WiFi will take my neighbors less than an hour, and there are tons of tutorials on how to do it. While I may have secured my network further, others won't have been as fortunate. After just one CAS letter, my next door neighbor will likely be piggybacking on my less savvy neighbors. This can't be controlled, not with today's technology, and not without significant expenditure. Maybe it's time for me to hang out a 'will secure your wifi for food' shingle.<br />The one thing that really irritates me is the $35 charge they intend to foist on people who ask for account reviews - putting the onus on the accused to pay for their own defense. Maybe it's the legal eagle in my blood that says this flies in the face of what Americans consider fair and due process. I can see this being the first part of this agreement to make it fall all to hell.<br />Good luck, ISPs, I don't think you know what kind of failure you're setting yourself up for.<br />- Posted using BlogPress from my iPad<br /><br /><p class='blogpress_location'>Location:<a href='http://maps.google.com/maps?q=-%200628%20Massachusetts%20Av%20Nw,Washington%20D.C.,United%20States%4038.901272%2C-77.021364&z=10'>- 0628 Massachusetts Av Nw,Washington D.C.,United States</a></p>Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-83828037313073599242012-10-18T07:29:00.001-04:002012-10-18T07:29:16.527-04:00Fear of Failure?Fear drives a lot of things in life, but there is especially one fear that is ironic in its nature - the fear of failure. Being afraid of failing at something puts me in the 'frozen' mode. I am so afraid of doing something wrong that I don't take those first steps necessary to succeed, action itself. Like that last sentence, for example. It's terrible in its structure, and normally I would have erased it and started over. 
(I didn't only because I am self conscious about it due to the subject at hand). My Randomblings have become less rambling over the years, and turned into the Infrequent writings of Rich instead. Part of that is due to fear. Fear of saying the wrong thing, afraid of saying it the wrong way, or just being wrong in general. <br /><br />This post has been sitting on my iPad for months waiting for me to finish my thoughts on this subject. Point more than proven......<br /><br />- Posted using BlogPress from my iPad<br />Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-72325084717537533702012-05-19T14:47:00.005-04:002012-05-19T14:47:53.693-04:00Facebook's Real ValueThis week, many people in the IT Industry have been asking "Where is FaceBook's value", trying to figure out why the company might have such a huge valuation on the stock market (where its IPO valued the company at over 100 Billion Dollars(!)).<br />
<br />
There's two ways to look at Facebook, with regards to its customers. The first is the adage: "You're not the customer, you're the product". That is, everyone signed on to Facebook is actually part of the social media empire's product line - that it turns around and sells to advertisers. Arguably, it is the largest collection of personal taste and demographics information in the world. I'm not one with the advertising industry, and I have no idea how long it might take to collect the amount of demo data that they have, or how much it can be sold for - but as a data set - it is of reasonable quality. With that said, advertisers should be aware that people game the system. That is, more than one account, relationships between people that aren't based on real relationships, but are instead people who are gaming the Facebook friend system for points in some Zynga game, and that people have a tendency to click on buttons on the web JUST to get free stuff.<br />
<br />
Personally, my 'like' of Tide laundry soap was more likely based on a coupon giveaway than any real desire or care for the actual product. About half of my 'friends' are actually just friends because I needed more Cityville neighbors, and I probably have 3 Facebook profiles. Maybe I'm not indicative of the whole data set, or perhaps I am - but it certainly plays into the quality of the data, even if it doesn't eventually lead to wrong conclusions on the part of advertisers. Oh yeah - just so you know, I've never clicked on a Facebook ad. I don't even look to the right side of the screen.<br />
<br />
So, what's the benefit of Facebook from the other side? Well - Facebook has slowly and stealthily become something of an Internet authentication authority. Signing up for membership on some new website? It's likely made easier by a button that says 'Sign on with Facebook' on that site. Why re-enter all of your demographic data when you can just authorize the site to go and get it? The user convenience of a central authentication portal is pretty powerful, and Facebook has made it oh-so-easy for developers to integrate their 3rd party authentication into their websites. <br />
<br />
There may even be a business model in it for Facebook eventually - perhaps charge people for strongly authenticated Facebook identities (ones that use OTP token devices) and extend the service to places like banks, utilities or bill-pay services. Or, start charging web developers for Facebook integration - frankly, I'm surprised they haven't started doing that already - although free is the fastest way to build your userbase.<br />
<br />
Eventually, Facebook is going to have to figure out how to turn a profit that's big enough to hold its stock price afloat. What are your thoughts on how they will monetize their application platform?Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-28006385254345001862012-04-27T18:48:00.001-04:002012-04-27T18:48:04.573-04:00Politics is uglyThe Republican primary isn't even over yet - but Republican allies (womensrights@obamasaliar.com) are sending cell phone text message SPAM to anyone they can get their hands on (phone number-wise). I hope and pray that this won't catch on - but I'm afraid that it will. Will my cellphone now be bombarded with pointless text message spam about who said what? (Today's message is: Subject: Dems on Women Obama ally Hillary Rosen criticizes stay at home mom's like Ann Romney. Listen 312-569-0397).<br />
<br />
Who cares what Hillary Rosen said about a billionaire's wife? I mean, really!?! Seriously?! and you need to send this to my cell phone, interrupt my day with political posturing?<br />
<br />
Text messages on my cell phone are normally limited to two things - my son needs something and can't get a-hold of me, or someone at work needs something and wants to tell me something important. The stupid phone beeps at me, and demands my attention - so I have to drag it out of my pocket to see what it says - because it's usually important. It was the last communication medium I had left that I could rely on being something important rather than be more junk about politics or someone wanting to sell me a car warranty. I suppose those messages will be next, though.<br />
<br />
I would go so far as to say this is 'dirty politics' - smear campaigns are insulting and stupid - and my GOD, man, it isn't even MAY, much less voting season.Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-30657313961539854462012-03-01T18:13:00.002-05:002012-03-01T18:24:08.832-05:00Life MovementsMarch 1st, 2012 - Refinanced the house yesterday - Got a very good deal from an awesome lender. If you're ever in the need for a good lender, talk to Mike Lyons @ <a href="http://www.embracehomeloans.com/Apply-Today">Embrace Home Loans</a>. He hooked me up with 3 loans over the past year as we bought and refinanced property. He's a good worker, and is always there to answer questions - and he'll go out of his way to find answers when he doesn't know them. I emailed him at 11:30 one evening, and he answered within a minute. Other times, he'd reply "I'm at dinner, but I'll get back to you later this evening.." - hardest working man in the home mortgage industry. Seriously - no jokes here.<div><br /></div><div>Shaved off the beard last night for spring. Baby face me has a double chin again - time to hit the exer-bikes and the Zumba routines on the Wii. </div><div><br /></div><div>Turned the water on at the house and the back deck water attachment at the house came loose. I had to turn the spigot off again. We crawled under the back deck and got spider webs all over ourselves trying to figure out what happened. Looks like it's attached to an extension of the water line in a rubber hose attachment, and the connection came loose - maybe expansion/contraction from the winter. I'll have to climb under there with my gardening clothes this weekend.</div><div><br /></div><div>I've got to cut out 2 6'x6' areas for the garden this weekend - it's going to be a lot of digging, but the neighbor has a roto-tiller he said I could use to get it started. 
We planted seedlings for lettuce and cabbage and they're already sprouting like mad 5 days later. The race is ON!<br /><div><br /></div><div><br /></div></div>Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-13448335810481383192012-02-05T12:05:00.000-05:002012-02-05T12:05:03.492-05:00Might and Magic - The Encrypted FilesBack in 1986/1987, I owned a Commodore 64 computer. I love to play the video games of the day, especially the dungeons/adventure based games of the era. One of these games was Might and Magic. The game came in 4 disks, which you loaded in depending on where you were in the world. The game was loaded from Disk 1, and once the game got going, you might switch to another disk when asked. As you might imagine, that meant there was a relatively large amount of content for the day. <div>
<br /></div>
<div>
After playing the game for a while I bored of following the game - as it was a very long adventure and became sort of repetitive. However, I wanted to see later aspects of the game, and get the feeling of power that larger and better weapons and armor might give me over the challenges within the game. It was at this point that the aspect of the game changed for me. No longer was it a role-playing game based in the middle ages; now it was a computer-based game - me against the original programmers. I wanted to edit my character files on the disk to see if I could change the items in my inventory to something a bit more favorable.</div>
<div>
<br /></div>
<div>
I started up a disk editor. On the Commodore 64, diskettes were broken into track and sector, and the file system was serial in nature. Starting at track 18 (from what I recall) and sector 00, the first two bytes of the track and sector pointed to the next track and sector in the sequence. Starting up and looking at this first track, everything seemed normal, and I began analyzing the disk contents. When I followed the link to the next sector, however, I got a bit of a surprise. There was a word that had begun on the last few bytes of the sector I had just left, but the word did not continue on in this sector.</div>
<div>
<br /></div>
<div>
I started looking around the disk for plain text content, and I couldn't find any except on that first sector! The whole disk was encrypted! I checked the other three disks and they too were encrypted. Well, this was a new challenge for me - I'd never seen a program that encrypted the disk contents as a method of protection. I had wanted to edit my game characters, but I wasn't going to be able to do that if I couldn't read the contents in the first place. Luckily for me, I had done many cryptograms when I was younger, so I was familiar with both the Caesar shift cipher as well as replacement alphabets. </div>
<div>
<br /></div>
<div>
I made the assumption that the computer would have to use some type of formula to easily translate the disk contents, and I had some known plaintext to work with due to the string content that bled from one sector to the next. One of my character names had ended mid-word at the first sector, so I made the assumption that it must continue into the second sector. Having some math background and being obsessed with the new challenge, I quickly got to work, figuring out what the shift would need to be for my name to continue uninterrupted. I came up with a value fairly quickly, and went about testing it on the new sector's contents. </div>
<div>
<br /></div>
<div>
Plaintext quickly became apparent throughout the sector's encrypted bytes! I had done it - I'd figured out the proper byte shift with just one incomplete word of known plaintext. Pleased with myself, I continued on to the third sector....but alas, it wasn't going to be so simple. The shift value was no longer presenting me with any known text. While most of the file contents were gobbledy-gook, on sector 2 of the file, I had at least been able to make out some plain words (names of my party characters). Lucky for me, I had another plaintext that had only partially translated at the end of sector 2, so I figured out the shift value that would get me the plaintext continuation into sector 3. It worked!</div>
<div>
<br /></div>
<div>
So, now I had two different shift values for two different sectors. I continued on to the fourth sector and accomplished the same, but I ran out of luck when it came to the fifth (IIRC). No more known plain text bordered the two sectors. I'd either have to guess at 255 values for shift and try them all, or come up with another way. At this point, I figured that the shift values had to follow some kind of pattern for the computer to be able to figure out what the next shift value would be. </div>
<div>
<br /></div>
<div>
I got out some more graph paper. It occurred to me that the value would have to have some constraints, to be able to have values between 1 and 255 - and I had just finished a trigonometry class, so the sin() wave was looking like a good bet to me. I plotted the 3 shift values I had, and plotted 0 for the first track and sector. I used the sector value itself for the x variable and set about plotting a formula that would give me the known values. I tested the formula on subsequent sectors and sat up for hours working on it.</div>
<div>
<br /></div>
<div>
Into the next day (after little sleep) I had cracked at least part of the puzzle. I don't recall what happened that led me to use more than sin() waves. I do know that in the end, there were three parts to the formula, and that the equation used track, sector and disk number to determine the shift offset. I had decrypted the disk and determined the encryption algorithm, based on sin(), tan() and a constant based on one of those values. </div>
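<div>
The boundary trick described above, as an added example that is not code from the original post or from the game: a word cut off at the end of one sector is known plaintext for the start of the next, and a sector with no such word falls back to trying every shift. It assumes an additive byte shift modulo 256 and ASCII text; the 32-byte sectors, party names and shift values are constructed sample data, and the game's track/sector/disk formula is not reproduced.</div>

```python
# Constructed demo: per-sector additive byte shift (mod 256) is an assumed
# cipher model; the names, shifts and 32-byte sectors are sample data only.
SECTOR = 32
PARTY = ["ZENOBIA", "THORVALD", "MERLINUS"]   # names the player already knows
SHIFTS = [0x00, 0x5D, 0xA3, 0x17]             # constructed, one per sector


def shift_bytes(data, shift):
    """Add `shift` to every byte modulo 256."""
    return bytes((b + shift) % 256 for b in data)


def make_disk():
    """Build four encrypted sectors; two names straddle a sector boundary."""
    plain = (b"PARTY ROSTER" + bytes(4) + b"ZENOBIA" + bytes(3) + b"THORVA"
             + b"LD" + bytes(6) + b"GOLD 0950" + bytes(10) + b"MERLI"
             + b"NUS" + bytes(5) + b"GEMS 0012" + bytes(15)
             + b"INVENTORY 03 07 11" + bytes(14))
    sectors = [plain[i:i + SECTOR] for i in range(0, len(plain), SECTOR)]
    return [shift_bytes(s, k) for s, k in zip(sectors, SHIFTS)]


def crib_for_next_sector(prev_plain):
    """If a known name is cut off at the end of a sector, return the rest."""
    for name in PARTY:
        for cut in range(len(name) - 1, 0, -1):
            if prev_plain.endswith(name[:cut].encode()):
                return name[cut:].encode()
    return None


def recover_shift(cipher, crib):
    """Shift implied by the crib at offset 0, or None if its bytes disagree."""
    diffs = {(c - p) % 256 for c, p in zip(cipher, crib)}
    return diffs.pop() if len(diffs) == 1 else None


def text_score(data):
    """Fraction of bytes that are NUL padding, space, digits or A-Z."""
    ok = sum(b in (0x00, 0x20) or 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A
             for b in data)
    return ok / len(data)


def brute_force_shift(cipher):
    """No crib: try every shift and keep the most text-like decryption."""
    return max(range(256), key=lambda s: text_score(shift_bytes(cipher, -s)))


def crack(disk):
    """Walk the sectors in order; return [(shift, method)] and the plaintext."""
    plain, keys = [disk[0]], [(0, "plaintext")]   # first sector is readable
    for cipher in disk[1:]:
        crib = crib_for_next_sector(plain[-1])
        shift = recover_shift(cipher, crib) if crib else None
        method = "crib" if shift is not None else "brute-force"
        if shift is None:
            shift = brute_force_shift(cipher)
        keys.append((shift, method))
        plain.append(shift_bytes(cipher, -shift))
    return keys, b"".join(plain)


if __name__ == "__main__":
    keys, text = crack(make_disk())
    for n, (shift, method) in enumerate(keys):
        print(f"sector {n}: shift 0x{shift:02X} via {method}")
    print(text.replace(b"\x00", b".").decode("ascii"))
```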
<div>
<br /></div>
<div>
I modified a disk editor program to decrypt the disk as it edited it, and re-encrypt when writing the modified values back to the disk. I manually edited my character's inventory to have item numbers that I did not already possess, and started up the game. Success!!!!</div>
<div>
<br /></div>
<div>
I never played Might and Magic again after that weekend. The game had become boring - especially compared to the game I had just played - battling not the trolls and wizards of lore, but battling the developers who relied upon in-house encryption to protect their secrets. I will never forget that weekend and the dozens of pieces of graph paper that littered my floor amongst the empty bags of chips and soda cans.</div>Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-1803225132362456042012-01-30T05:47:00.000-05:002012-01-30T05:49:24.002-05:00Weekend Messing Around with CityVille/FaceBookLoad-Divs bookmarklet 1 - javascript: {divs=document.getElementsByClassName("UIActionLinks_bottom"); i =-1; punder=0; }<br />
Open Next Div - bookmarklet 2 - javascript: {i=i+1;if(divs[i].parentElement.children[1].children[1].text == "CityVille") {button_me=divs[i].getElementsByTagName("button")[0]; if(button_me.name == "like") {button_me.click(); elem_me=divs[i].getElementsByTagName("a"); if(punder) punder.close(); punder=window.open(elem_me[0],'myscript','width=400,height=500',left='-400'); punder.blur();} }}<br />
<br />
<br />
The left=-400 doesn't work like I wanted it to - it can be left out...it's a fragment of 'try this' that is left over from playing.Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0tag:blogger.com,1999:blog-449653.post-86019583571562883452012-01-24T08:56:00.003-05:002012-01-26T07:00:16.617-05:00Natural Rights vs Granted RightsIn Colorado, a woman being charged with fraud has been <a href="http://www.wired.com/threatlevel/2012/01/judge-orders-laptop-decryption/">compelled by a judge to decrypt her hard drive</a>. The woman, in arguing against this action claimed that the Fifth Amendment protected her from self-incrimination. The judge found against the woman, stating that since she had already admitted to the existence of the electronic documents, she could be forced to produce them.<br /><br /><br /><br />As expected, I believe that there's some room for improvement on both sides of this case. I believe the judge is incorrect in his judgement that a person can be compelled to produce any evidence, even though I understand why he could come to this conclusion based on current case law (which I believe to be flawed). I also believe the defendant is wrong on several counts. One obvious count being that she has even openly discussed the case at all [she admitted to the existence of the documents!].<br /><br /><br /><br />The Bill of Rights are not meant to be a list of rights that are given by men to men. The Declaration of Independence and the Bill of Rights are linked by a core concept - a concept that we are 'endowed by [our] creator with certain unalienable rights'. The Bill of Rights embody into law that those natural rights, which we possess by our very existence, shall not be infringed by government. 
<br /><br /><br /><br />In declaring independence from England, the United States of America stated that they had the right to abolish government which deprived them of these natural rights and form a new government to protect them from that deprivation. We would do well to remember this during the execution of our own government over ourselves, as we protect individual rights, we protect the rights of ourselves.<br /><br /><br /><br />Take the First Amendment (as this lady should have). It states that we have freedom of speech (and as has been held up many times - freedom of something also can mean freedom FROM something - thus the right to remain silent). This is not a right that was handed from the government to the individual. It is an ability, a natural extension of the person-hood, that the government may not take away. A person can not or should not be compelled to speak. I personally would go so far as to say that the government has no right to compel a person to act in any way, shape or form - which leads to a discussion about the right to sit-in on public by-ways. <br /><br /><br /><br />This ability to remain silent is a very simple right to utilize - just shut your mouth. The government has certain guidelines whereby they can hold you against your will for the purpose of investigation and non-interference, but they have guidelines - and you can sit in a holding cell while they rummage through your belongings. This is definitely the tactic to take in any criminal investigation. Note that the fifth amendment also applies here, in that the government may not deprive you of 'liberty' without due process of law.<br /><br /><br /><br />The right against self-incrimination was and is an extension of the right of freedom of speech. 
Reading through history, it seems to me that the point was to ensure the spoilage of evidence obtained through coercive measures.<br /><br /><br /><br />In this particular case, where the government knows that there is evidence against the defendant, and they are attempting to 'force' her to produce access to that evidence, I think they're mistaken in what they claim can be done. To compel her to produce the necessary information, they would have to lock her up forever. At some point in that time, she will likely forcefully or absentmindedly forget the information she's been asked to produce, and there would be no route to obtain the information. She could claim immediately that she no longer remembers what the key to the information is. Depending upon password complexity and the amount of time between when she's used it last, it may even be a believable claim. How can locking someone up forever to compel them to provide detailed evidence be proper due process?<br /><br /><br /><br />The government should utilize the woman's previous statements as evidence of the documents. A jury should be directed what assumptions they should make regarding the fact that she does not wish to produce them -- allowing negative connotations toward what they think the documents might contain. There is already case law that allows for these assumptions.<br /><br /><br /><br />To go further than this? I think we've begun a slippery slope..<br />Rich Gautierhttp://www.blogger.com/profile/06254416673946498275noreply@blogger.com0