Archive for the ‘Customer service’ Category

Quickies – FIPS 186-3 etc., other notes, metro, etc.

Thursday, June 11th, 2009

Just a few quick and mostly old notes accumulated over the last few months…

FIPS 186-3 has been released, as announced here.

This notice announces the Secretary of Commerce’s approval of Federal Information Processing Standard (FIPS) Publication 186–3, Digital Signature Standard (DSS). FIPS 186–3 is a revision of FIPS 186–2. The FIPS specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman (RSA) algorithm. Although all three of these algorithms were approved in FIPS 186–2, FIPS 186–3 increases the key sizes allowed for DSA, provides additional requirements for the use of RSA and ECDSA, and includes requirements for obtaining the assurances necessary for valid digital signatures. FIPS 186–2 contained specifications for random number generators (RNGs); this revision does not include such specifications, but refers to NIST Special Publication (SP) 800–90 for obtaining random numbers.

[...]FIPS 186–3 allows the use of 1024, 2048 and 3072-bit keys. Other requirements have also been added concerning the use of ANS X9.31 and ANS X9.62. In addition, the use of the RSA algorithm as specified in Public Key Cryptography Standard (PKCS) #1 (RSA Cryptography Standard) is allowed.

In the announcement, some of the changes between the last draft and the final document are covered in a “comments received / NIST response” format. I found the most interesting NIST responses to be…

This permits the use of a public key algorithm and key size that is stronger in security than a hash algorithm, so long as both provide sufficient security for the digital signature process. The use of hash algorithms that provide equivalent or stronger security than the public key algorithm and key size is still encouraged as a general practice.

NIST studied the suggestion and decided not to impose further restrictions on the selection of the public exponent e. Such restrictions would negatively impact NIST’s Cryptographic Module Validation Program (CMVP) by precluding the validation of currently accepted implementations without providing a significant increase in security.

NIST reviewed the comments and made the appropriate changes to ensure alignment with respect to the generation and management of ECDSA domain parameters. NIST deleted the statement ‘‘ANSI X9.62 has no restriction on the maximum size of [the cofactor]’’, since the current version of X9.62 imposes limitations on the size of the cofactor. NIST also revised statements regarding elliptic curve domain parameter generation for purposes other than digital signature generation.

I commented on an early draft here and mentioned a later draft here.

Update: Annex A and Annex C of FIPS 140-2 have been updated to reference FIPS 186-3.

The algorithm testing tool has been updated to include testing for FIPS 186-3 algorithms, with some exceptions. As found in the announcements,

New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS8.0). This version of the CAVS tool activates the FIPS 186-3 DSA2 validation testing with the exception of generation and validation of provably prime domain parameters p and q and canonical generation and validation of domain parameter g. It also requires the IUT to specify the assurances necessary for valid digital signatures specified in FIPS 186-3.

The exceptions to the algorithm testing tool are vendor affirmed for now, as per an update to the FIPS 140-2 Implementation Guidance.

Validation testing for FIPS 186-3, Digital Signature Standard (DSS) is separated into the three digital signature algorithms. Validation testing is available for FIPS 186-3 DSA, with the exception of the domain parameter generation and validation method listed above. These methods, along with FIPS 186-3 ECDSA and RSA, will require vendor affirmation until validation testing is available in the CAVS tool.

Update: NIST has released a new version of the algorithm testing tool (8.1) that “addresses several minor modifications and enhancements to CAVS including the Addition of a cover letter template, the addition of more efficient elliptic curve routines for NIST binary (e.g., B-163 and K-571) curves, and the modification of several minor issues.”

-

Speaking of FIPS, the FIPS 140-2 implementation guidance (IG) has been updated over the last few months. There has been much in the way of important and clarifying guidance, translating both “FIPS lore” and forward thinking on algorithms/protocols, as well as revisions to FIPS 140, into the current requirements.

New Guidance
  - 04/01/09: 3.2 Bypass Capability in Routers
  - 04/01/09: 9.5 Module Initialization during Power-Up
  - 03/24/09: 7.9 Procedural CSP Zeroization
  - 03/10/09: 1.14 Key/IV Pair Uniqueness Requirements from NIST SP 800-38D
  - 03/10/09: 5.3 Physical Security Assumptions
  - 03/10/09: 7.8 Key Generation Methods Allowed in FIPS Mode

Modified Guidance
  - 03/10/09: G.1 Request for Guidance from the CMVP – Updated NIST POC.
  - 03/10/09: G.5 Maintaining validation compliance of software or firmware cryptographic modules – Updated references to firmware and hybrid modules.
  - 03/10/09: G.13 Instructions for completing a FIPS 140-2 Validation Certificate – Updated examples.
  - 03/10/09: 1.9 Definition and Requirements of a Hybrid Cryptographic Module – Updated to include hybrid firmware modules.
  - 03/10/09: 7.1 Acceptable Key Establishment Protocols – For Key Agreement; added the KDF specified in the SRTP protocol (IETF RFC 3711) is allowed only for use as part of the SRTP key derivation protocol. For Key Transport; wrapping a key using the GDOI Group Key Management Protocol described in the IETF RFC 3547.

I don’t think any of these are a surprise, but reading through it might be useful. Much has been set down cleanly here, with the possible exception of IG 9.5, which seemed more confusing than clarifying to me, but maybe that was a case of my (unfortunately) “knowing” too much about the FIPS world. Anyway, the changes to or additions of IGs 1.9, 7.1, 7.8, and 1.14 are perhaps of the most interest.

Since I have been coming at things from a more deployment side these days, I think IG 5.3 helps to illustrate how to interpret FIPS 140-2 validation results as applied to the selection and deployment of FIPS modules.

The four physical security levels of FIPS 140-2 are focused on the protection of the module’s CSPs by the module itself, independent of the environment in which the module is deployed. Therefore, selection of a security level is greatly influenced by the environment in which the module is to be deployed. A Level 1 security level, which does not itself provide physical security protection, may, in the right environment, be an acceptable solution because the environment provides the required physical security protection features.

In this same deployment regard, IG 1.14 makes the following note.

2. The standard sets the minimum security requirements. The buyer is free to demand that the module allows for longer names. Users should be smart enough to name their modules in such a way that name collisions become extremely rare.

Also, for the old timers, the following was an area of debate back in the day. Now it is officially documented in IG 7.8.

To be used in FIPS mode, a secret value K can be any value of the form:

K = U XOR V, (1)

where the components U and V are of the same length as K, are “independent” of each other, and U is derived, possibly using a qualified post-processing (see below), from the output of an approved RNG in the module that is generating K. In addition, each component may be a function of other values (e.g., U = F(U’), or V = F(V’)).

The security strength of the generated value K is equal to the larger of the security strengths of U and V. In general, the security strength of K is determined by the security strength of U, and the security strength of U is the minimum of the length of U (and K) and the security strength of the RNG used to generate U. Therefore, the length of U (and K), and the security strength of the RNG used to generate U shall meet or exceed the security strength required for K. However, a vendor can claim that the security strength of the generated value K is determined by the security strength of V if it can be demonstrated that V has a higher security strength than U.
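A small illustration of the IG 7.8 rule quoted above, added here and not code from NIST or from this post: it combines U and V as in equation (1) and computes the strength that can be claimed for K, refusing to generate K when the “shall” on the length of U and the RNG strength is not met. The function names are mine, and `secrets.token_bytes` stands in for the module’s approved RNG.

```python
import secrets


def xor_bytes(u: bytes, v: bytes) -> bytes:
    """K = U XOR V, equation (1) in IG 7.8; U and V must be the same length as K."""
    if len(u) != len(v):
        raise ValueError("U and V must both be the same length as K")
    return bytes(a ^ b for a, b in zip(u, v))


def component_strength(length_bits: int, source_strength_bits: int) -> int:
    """A component is no stronger than its own length or the source that produced it."""
    return min(length_bits, source_strength_bits)


def k_strength(k_len_bits: int, rng_strength_bits: int, v_strength_bits: int = 0) -> int:
    """Security strength of K per the IG: the larger of strength(U) and strength(V).

    strength(U) = min(len(U) = len(K), strength of the approved RNG that produced U).
    V only counts for what the vendor can demonstrate, so by default nothing is claimed.
    """
    return max(component_strength(k_len_bits, rng_strength_bits), v_strength_bits)


def generate_k(required_strength_bits: int, rng_strength_bits: int, v: bytes) -> bytes:
    """Produce K = U XOR V for a given V, or refuse when K cannot reach the required strength."""
    k_len_bits = len(v) * 8
    if k_strength(k_len_bits, rng_strength_bits) < required_strength_bits:
        raise ValueError(
            f"len(K)={k_len_bits} bits from a {rng_strength_bits}-bit RNG cannot give "
            f"the {required_strength_bits}-bit security strength required for K"
        )
    # Assumption: secrets.token_bytes stands in for the module's approved RNG.
    u = secrets.token_bytes(len(v))
    return xor_bytes(u, v)


def worked_cases() -> dict:
    """The situations the IG text describes, keyed by (len K, RNG strength, what V shows)."""
    return {
        "256-bit K, 256-bit RNG": k_strength(256, 256),                    # 256
        "256-bit K, 128-bit RNG": k_strength(256, 128),                    # 128: the RNG is the bottleneck
        "128-bit K, 256-bit RNG": k_strength(128, 256),                    # 128: the length is the bottleneck
        "256-bit K, 128-bit RNG, V shown 256": k_strength(256, 128, 256),  # 256: claimed through V
    }
```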

Update: NIST released revised implementation guidance. Besides “certificate annotation examples” added to a few sections, there was the following modification.

08/04/09: 7.1 Acceptable Key Establishment Protocols – For Key Agreement; removed the KDF specified in the SRTP protocol (IETF RFC 3711). For Key Transport; added reference to EAP-FAST and PEAP-TLS.

-

Since I am on this topic, I guess a quick note that a number of new revs of the CAVS were released in months prior is in order. Most were bugfixes and tweaks, but there were some additions to supported algorithms. E.g.,

[04-15-09] — New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS7.4). This version of the CAVS tool adds the capability to test DRBG (NIST SP 800-90) implementations that do not have the optional reseed function.[...]

[03-12-09] — New release of the CAVS algorithm validation testing tool to the CMT Laboratories (CAVS7.1). In addition to minor modifications to enhance the tool, Version 7.1 of the CAVS tool adds testing for the draft of FIPS 186-3, Digital Signature Standard, Digital Signature Algorithm and file formatting changes to the NIST SP 800-90 (DRBG) files to make them more similar to those used for other algorithms. As of the CAVS 7.1 release date, FIPS 186-3 is still in draft. No validations will be processed for this algorithm.

Update: NIST released the CAVS Management Manual. As per the announcements,

[08-17-09] — Posting of the CAVS Management Manual. The purpose of the CAVP Management Manual is to provide effective guidance for the management of the CAVP and other parties in the validation process.[...]

-

Switching direction, upgrading Gnome from 2.24 to 2.26 on FreeBSD through the ports went mostly smoothly. As always, follow the FAQ. I had been using xulrunner for a while, but I was happy to see this change regarding the removal of FF2.

A FreeBSD port of libxul-1.9 has been added as an alternative Gecko provider to Firefox 2. This can be used by setting WITH_GECKO=libxul in /etc/make.conf.

And, on Ubuntu, this deadlock hit me after upgrading to Ubuntu Jaunty (2.6.28-11.server). I have been manually loading the padlock drivers for quite some time via /etc/modules. To avoid the issue, I added in manual loading of the generic kernel crypto implementations for aes, sha1, and sha256 prior to loading the padlock drivers.

-

Moving along, this gives me deja vu, yet made me laugh. (Please consider avoiding that previous link and the first link in the following blockquote’d text if you mind profanity.)

[...] Listen to his comedy bit about the DC metro system, which he says is “the [...] Tron compared to NYC subways [...]

Having lived both in NYC and DC metro areas and having ridden both the NYC subway and the DC metro quite a bit, I think there are two points to make about the DC Metro system.

  1. The DC Metro is minor in scope compared to the NYC subway. Not only is it a fraction of the size moving a fraction of the people, but it is only part-time.
  2. The DC Metro system is designed like an X, and much of that X only has a single track going in each direction. So, if anything goes wrong in your part of the X or the center of the X, well, let’s just say you are out of luck.

Now, because of point 2, even if DC blows up in size and develops a late-night night-life, it would be quite difficult to do away with point 1 in any significant fashion without some fundamental design changes. Even if you could magically do away with unexpected problems in the system (and, yes, that would have to include rainy and snowy days), you are stuck juggling trains between single tracks best case or shutting down parts of the line and running shuttle buses worst case for basically any line maintenance, significantly impacting service on those parts of the system and on the overall system as you move closer to the center of the X. This becomes even more acute due to the increased wear and tear that lovely, underground center of the X suffers, especially as you ramp up service to handle more people or longer hours.

The NYC subway system, by contrast, looks like a bunch of parallel lines that crisscross here and there, and these multitudes of lines generally have multiple tracks supporting each direction. While there may be sparse coverage at some points (e.g., parts of Queens come to mind) and a large concentration of lines at other points (e.g., Manhattan), you still tend to end up with lots of independent enough ways to route around much of the maintenance work and unexpected problems such that the effect on the overall system tends to be quite limited and interruptions to the particular parts undergoing work or suffering issues can be mitigated/minimized (e.g., the handling of maintenance work on the 7 line happening right now), even in spite of 24/7 operation.

Like so much else that varies between NYC and its neighbors, there is a big difference in the scale/scalability and availability requirements of public transportation for an enormous 24/7 city accustomed to public transit and a large 18/7 city accustomed to the beltway. So, when it comes down to how to spend limited resources, one gets beauty sleep, the other keeps on keeping on. :)

-

Finally, it has been a while since I have pointed out notably pleasant customer service experiences. So, here is some praise for the LIRR cleaning crew in Penn Station left in a comment.

To Whom It May Concern, I would like to praise all the cleaning men and women who work in the station. They all do a fantastic job on keeping the station clean.

Diner, petnames, misc

Tuesday, October 30th, 2007

Ok, as it has been a while since I last posted and will probably be some time until I next post, let’s do two posts in one day. This one is just some miscellaneous items.

-

(That’s “diner” in the title, not “dining cryptographers and their problems”…)

I rarely talk about customer service with regards to places to eat. The main reason for that is I generally eat in my local neighborhood, and I learned a while back that talking about places you can be found reliably on a blog is not always the smartest thing to do.

That said, there is one diner in Manhattan that I make a point of swinging by quite often, namely Cheyenne Diner. Great customer service, including my absolute favorite waitress in Manhattan (I don’t think I have actually had to order for myself in over a year – my food just appears). Quality food and lots of it on the cheap. Open 24 hours, so perfect for a late night person (like me). Just an all around great experience.

Anyway, while I think I may be the only NY resident that absolutely loves this place, at least someone else has noticed it. (Unfortunately, the articles at the referenced site do not have separate links. Perhaps this will end up being the archive page for this month.)

On the block: Top 10 New York Classic Diners, a list of the best New York diners that haven’t changed much at all (including prices, interiors, and staff) in the last 20+ years. What you pay for one drink at some new fancy bar will get you a full meal (with bread, salad, and a side, of course!) at most of these places.

[...]
9. Cheyenne (Midtown West)

It is on the corner of 33rd st and 9th ave, a few blocks from Penn station (for those of us coming from, say Bayside :) ). Being smack dab in the middle of mid-town, you find locals, commuters, and tourists alike pop in.

Needless to say, highly recommended. I always end up there some time well into the nightshift, and I can’t say enough good things about the late night staff.

-

This is a petnames plugin for Firefox. [recently resurfaced in this mailing list post]

It reminded me of an old post. I pointed out using your bookmarks and commented on an SSH style of bookmark where public keys (in certificates) were part of it. I also noted that such a thing might not mean anything to average end users over a regular bookmark, which was the tricky part.

Attacks based on user ignorance of anything to do with PKI or TLS will apply regardless of “high assurance” certificates or not. What really matters here is whether or not browser security indicators matter to users (e.g., do users know about the security indicators provided by a browser, what the indicators mean, and what should be done in response to the indicators?).

    […]verifying that you are in fact establishing an SSL/TLS session with the proper entity.[…]
    […]countering an SSL/TLS MITM attack.[…]
    This is an active research area. Petnames have been proposed, which I like (think PGP web of trust in some form). This has similarities to the SSH-type trust model, which has also been proposed and which I also like. In recent minutes to an IETF-PKIX meeting, the Opera people were looking at “extended validation” certificates. There has been all sorts of talk, pros and cons, about “high-assurance” certificates.

In this regard, while I like the idea of bookmarking a web site and its certificate(s), how exactly to inform a user that a certificate has changed, and establishing what actions a user should take in such a case, is the hard part. Every model I envision reduces to checking the digital certificates when the certificate presented is different from the one that is bookmarked, and then all the same problems come back into play – you might as well have just bookmarked the web site and left out the certificate.

So, I like the petnames plugin for Firefox, and I think most people familiar with the SSH way of doing things would be comfortable here. The plugin adds another layer to the advice provided here, and works well for me at least.

Bookmark web sites that you visit, especially where you conduct transactions like buying stuff, and then return to those sites only through your bookmarks (this is like what we do with server public keys in SSH). Now, when you receive that email, instant message, or embedded link in some rogue web site purporting to be from, or purporting to point you to, Paypal and you really do feel it necessary to log into Paypal in response, don’t follow any of the links provided – instead, use your bookmark for the Paypal web site. It doesn’t solve all these problems, but it helps quite a bit.
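As an added example, not the petnames plugin and not the author’s code: the SSH-style bookmark model described above, with a user-chosen petname pinned to a host and a certificate fingerprint, trust on first use, and an explicit mismatch verdict that is reported rather than silently accepted (the hard case the post points out). The store layout, the verdict names, the hostnames and the certificate byte strings are all constructed stand-ins.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: recorded this host and certificate under the petname"
    MATCH = "presented certificate matches the bookmarked one"
    MISMATCH = "presented certificate differs from the bookmarked one; do not proceed silently"
    WRONG_HOST = "session is with a different host than the bookmark points at"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way to pin a certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameBookmarks:
    """Maps a petname the user chose to the (host, certificate fingerprint) seen on first use."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}

    def visit(self, petname: str, host: str, cert_der: bytes) -> Verdict:
        """Compare what this session presents against what the petname was pinned to."""
        fp = fingerprint(cert_der)
        entry = self._entries.get(petname)
        if entry is None:
            # Trust on first use, like an unknown SSH host key being added to known_hosts.
            self._entries[petname] = (host, fp)
            return Verdict.FIRST_USE
        pinned_host, pinned_fp = entry
        if pinned_host != host:
            return Verdict.WRONG_HOST
        if pinned_fp != fp:
            # A renewed certificate and an impostor look the same here; the only safe
            # automatic answer is to refuse to treat the session as the bookmarked site.
            return Verdict.MISMATCH
        return Verdict.MATCH

    def rebookmark(self, petname: str, host: str, cert_der: bytes) -> None:
        """Explicit user action after checking a changed certificate out of band."""
        self._entries[petname] = (host, fingerprint(cert_der))


# Constructed stand-ins for DER certificates; real ones come from the TLS handshake.
CERT_PAYPAL_A = b"constructed-cert:www.paypal.com:serial-1"
CERT_PAYPAL_B = b"constructed-cert:www.paypal.com:serial-2"  # e.g. after a renewal
CERT_OTHER_HOST = b"constructed-cert:signin-paypal.example.net"  # constructed look-alike host


def demo() -> list:
    """Walk through first use, a normal return visit, a changed certificate, and a wrong host."""
    book = PetnameBookmarks()
    return [
        book.visit("my paypal", "www.paypal.com", CERT_PAYPAL_A),
        book.visit("my paypal", "www.paypal.com", CERT_PAYPAL_A),
        book.visit("my paypal", "www.paypal.com", CERT_PAYPAL_B),
        book.visit("my paypal", "signin-paypal.example.net", CERT_OTHER_HOST),
    ]


def demo_after_rebookmark() -> Verdict:
    """Only an explicit rebookmark makes the renewed certificate acceptable."""
    book = PetnameBookmarks()
    book.visit("my paypal", "www.paypal.com", CERT_PAYPAL_A)
    book.rebookmark("my paypal", "www.paypal.com", CERT_PAYPAL_B)
    return book.visit("my paypal", "www.paypal.com", CERT_PAYPAL_B)
```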

-

But, it looked real… [via the gold-silver-crypto mailing list]

Evidently, no one at Minnesota-based Supervalu bothered to confirm the authenticity of emails sent in late February. Purporting to come from two of the company’s suppliers, the messages instructed Supervalu to wire all future payments to new bank accounts. One email purported to come from representatives of Frito-Lay and the other from American Greetings. Both suppliers have established relationships with the grocery chain.

The emails were phony, but within two days, Supervalu began moving money into the accounts. Over the course of a week, the company transferred $10,128,941.94 in nine separate payments. [...]

These kids have become my standard quote for this.

Teen #1: Hey, man, I think we should get our important stuff laminated. No one ever questions lamination.

-

Short article (behind a paywall) about talking tech to the non-techie.

Technology is very complex and intimidating, and technology folks are constantly getting knocked for poor communication and poor customer-service skills. It’s taking a lot of time, leads to a lot of frustration, and leads to a lot of money being misspent.

This brought to mind one of the core reasons I originally founded D-kriptik and the original point of this blog – bridging tech and non-techies. Customer service is still at our core, but we have wandered a bit off the general IT support course.

-

Perhaps it’s the Trek in me, but this reminded me of transparent aluminum.

By mimicking a brick-and-mortar molecular structure found in seashells, University of Michigan researchers created a composite plastic that’s as strong as steel but lighter and transparent.

Customer service and Pacha, etc.

Wednesday, August 22nd, 2007

It is time to cover customer service again with regards to NYC nightlife – this time up, bar customer service at Pacha. I chose Pacha because I know of more than a few people that berate the bar customer service they have received at Pacha, and I thought it good to point out that there is great service to be found there if you look in the right spots. Knowing my pickiness in this regard, that should say something.

But, before I get into Pacha, I want to mention some feedback I have gotten on places mentioned in this post. It seems a few people read that post and checked out some of the places mentioned, in particular Drop Off Service and Emerald. The feedback was positive, praising the excellent service at Emerald with a nod to the time-consuming, handcrafted Guinness pints (one person recommended ordering the next Guinness when about 2/3 of the way through the current one, if avoiding a pause between pints is a goal), and complimenting both the service and cheapness of drinks (especially before 8PM) at Drop Off Service.

Now, back to Pacha…

I thought I should start out with proper expectation setting, as it seems some people have no experience with superclubs.

First, superclubs are huge. Expecting personalized, small venue-type customer service in a club of that size is, well, silly. Even if the bartenders could remember 10% of the people that run through a superclub on a decent weekend, that has still got to be over 100 people per weekend. That is too much to ask.

Second, worthwhile superclubs generally focus on the dance floor, so the sound system tends to be solid and they often bring in good DJ talent. Expecting a focus on bar customer service in a club not focused on bar customer service is kind of, well, silly. The bars seem to aim to serve as many people as quickly as possible, so the club can make its money and you can get back out on the dance floor without delay.

With that, expectations have been set properly for a superclub; however, if my intention was to lower your bar customer service expectations for Pacha, then I would not be writing this post. In other words, there is reliably good bar customer service to be found in Pacha.

So, where should you look for good service? Well, that is easy, the little nook bars – you know, the tiny bar in the basement, and the makeshift bar off to the side of the main dance floor on bigger nights.

From my experience, these little nook bars in Pacha consistently provide at least a good experience. Now, admittedly, I have a bias here – my preference for smaller bars/lounges/clubs, and, as I often say, these little bars in Pacha provide a small bar/lounge/club feel in the middle of a massive club. But, that bias comes from my experience that smaller venues tend to provide a better customer service experience, which is exactly what these little bars in Pacha provide. And, these little bars receive less traffic than the main bars, which gives their bartenders both an incentive and an opportunity to provide good service, and means less crowds to fight through. (I do note there is a downside to these smaller bars in terms of selection, as they don’t have the full stock of the main bars. So, if you can’t find something in their menu to suit your group, you may have to brave the main bars, or, better yet, send someone else to do so. ;) )

Ok, with you pointed in the right direction for good service, there are two bartenders in particular, both of whom work at these little bars, that, when encountered, virtually guarantee great service. In fact, these two bartenders might make it into my top ten list of NYC bartenders, if I ever make such a list. (No plans on a top 10, but my old top 5 is still out there. That post also outlines some of my criteria for rating bartenders.)

(I have found Pacha bartenders not to be the most static, and any descriptions I could give of these two would be too generic to identify them from the various other bartenders; however, I think my directional pointers provide a very good chance of running into these bartenders in the near term.)

So, the first of these two bartenders works in the little basement bar on almost all Saturday nights. This bartender is always quite pleasant and quick to provide service. They have managed to remember what I get to drink, which is unexpected in this type of environment and makes life much easier as the volume makes it hard enough to order. Better still, the drink always ends up in my hand before I ask for it, even in a crowd. Perfect service.

The second bartender works in that makeshift bar set up for big parties off to the side of the main dance floor on some Saturday nights. Now, this makeshift bar is only there sometimes, and this bartender tends to be there most of the times the makeshift bar is there. This bartender is very friendly and fast with the service. When there are multiple flavors of drinks (i.e., Gatorade), they ask which one, rather than just grabbing any, something I appreciate, because some flavors go down easier than others. Also, this bartender seems to enjoy the music, so they are not sitting there sulking when not running around.

For both bartenders, I give extra credit for maintaining consistently great service throughout the whole night (8+ hours for the little bars). The environment is very fast paced and stressful, especially during peak, and I have also seen some patrons act quite rude and demeaning towards the bartenders.

Finally, I must say that, if it was not for these little bars within Pacha and the good service they provide, I would be a less frequent visitor to Pacha. These little bars fill in the service gap you generally encounter in superclubs (outside of VIP or table service), a gap that can be quite irritating over the course of a long night and many trips to the bar for staples like water and Gatorade.

So, rather than complain about things that superclubs generally don’t provide anyway, why not hit one of these little bars in Pacha and encounter bartenders that know good customer service? (Be sure to tip well.)

-

As I was writing up this post, I noticed the deluge of Ptacek posts over at Matasano. The technical content is valuable (especially the background info for the hypervisor rootkit detection discussion), but the humor is priceless.

Just search for the following in this post.

Wow. That is a cool story. Let me see if I can outdo you. I’m cheating, though: compared to yours, my story is plausible.

Or look for the memory hierarchy visual in this post.

Dedications

Saturday, January 20th, 2007

It has been a long while since my last weekend post. It has also been quite some time since I commented on either NYC or customer service. Plus, I have a cold. So, let’s write a weekend post. You may want to skip this.

-

I am picky about service, and bartenders are no exception. Many people say I am too picky with bartenders because, well, this is NYC and I just have to deal with it. Those people are wrong, which leads to this post of my best bartender picks in NYC.

So, let’s get going with five of my criteria.

  1. Good drinks. This one is obvious, but must be stated anyway. A bartender has to know how to make good drinks. There are three drinks I normally order, and my expectations of good vary across them.
  2. Fast as possible service. By fast as possible, I mean the drinks are brought as quickly as is possible when making the drinks well and taking the crowd into consideration.
  3. Respectful. I don’t want a rude, demeaning, contemptuous, and/or aloof bartender. People seem to think that type of behavior is acceptable in NYC bars, lounges, or clubs. It is not.
  4. Friendly but not flirty. I want a friendly bartender, whether outgoing or not. I want to feel comfortable. And, a comp’d drink every once in a while never hurts. However, I don’t want the bartender flirting with me, as I don’t reciprocate and so this can turn negative after a few visits.
  5. Caring about people. I want to walk into a bar dripping sweat and beet red in the middle of the summer, and have the bartender seem genuinely concerned and offer me water before asking for my drink.

I could keep going, but these five serve as good enough filters for the best. And, who are the best?

(Unfortunately, a portion of my list may be dated. I find that events and places I went to regularly six months ago are often quite different from what I do now. I will note dated information when applicable.)

  1. The two best bartenders I have found in NYC can be found on the mezzanine on Wednesday nights at Marquee. (Note: It has been about 6 months since I have been to Marquee. Hopefully, these two are still working there, but this is NYC.)

    General – These bartenders handle a crowd, make perfect drinks, and always make you feel welcome, even when the Marquee crowd is a little disappointing. Also, they learn your normal drink quite quickly; however, this credit must go beyond these bartenders to the overall mezzanine bar staff on Wednesday nights, as they seem to communicate what drinks particular patrons like amongst each other, so you really only have to ask once and never again.

    Notable – These two bartenders have spoiled me for drinking manhattans almost anywhere else. Once you have had the best, choking down the rest is no longer an option.

    One (long curly black haired woman) mixes a manhattan by stirring it, which usually indicates a terrible manhattan, but not in this case (it must be the 60 seconds of blender like arm action). By far, the best manhattan in Manhattan, let alone anywhere else I have had the chance to drink a manhattan. The other (long straight black haired woman) mixes a manhattan in a traditional way, shaking it. This manhattan is oh so close to the perfection achieved by the former.

    It does not get any better than these two, folks. Anywhere.

  2. There is really only one bar I can think of where all the bartenders rank up there amongst the best, Emerald Pub. I have encountered four distinct bartenders here, all of whom are next in my best of the bartenders list.

    General – Quite friendly, quick with the drinks, and fast to learn your normal drink. Sometimes I find the beer pouring to be a bit too painstaking, as the wait for the Guinness to settle really does not matter much to me (unless the keg is almost kicked). But, they do things the proper way and pour a good Guinness – you can’t fault them for practicing their craft.

    Notable – It is rare you find one good bartender in a place, here you have at least four. This is the least risky place to step foot in for good service anytime, and I make a point of passing through here whenever I am anywhere near Tribeca.

    (As far as bars go, this is where I point acquaintances and more homebody-type friends when they are visiting NYC.)

  3. Rififi on weekday nights. I can think of two distinct bartenders, one (short brown haired man) that works on Wednesdays and one (long straight blonde haired woman) on Thursdays.

    General and Notable – These quirky bartenders make Rififi feel like a second home. There is nothing else to say.

    (As far as bars go, this is where I point the majority of my friends when they are visiting NYC. Be warned that Rififi can get a bit wild certain nights.)

  4. There is a bartender (long curly blonde haired woman) that works Thursday evenings at Drop Off Service. (Note: It has been about 4 months since I last was in Drop Off Service.)

    General – Outgoing, quick to learn your normal drink, and just plain fun.

    Notable – This bartender manages to make a place that I normally don’t feel comfortable in feel totally comfortable.

  5. There are two bartenders at Lotus Cafe, one (geeky woman) works on Wednesday evenings and one (bald man) on Saturday evenings.

    General – Fast to learn your normal drink, friendly enough, quick with the drinks.

    Notable – These bartenders just create a feel that makes me like coming here often. In the middle of the trendy bustle that has taken over the LES, that is saying a lot.

Dedicated to the perfect bartenders scattered about NYC. (Be sure to tip them well.)

Update: I was asked for addresses of some of the places mentioned above. Normally I would say something condescending, such as “google is your friend,” but, in the spirit of good service, here you go. ;)

  1. Marquee is on west side of 10th avenue about halfway (IIRC) between 26th and 27th street.
  2. Emerald is on the south side of Spring street about halfway between Greenwich and Hudson street (at the corner of some tiny street called Renwick).
  3. Rififi is on the south side of 11th street between 1st and 2nd avenue (closer to 1st).
  4. Drop Off Service is on the west side of avenue A between 13th and 14th street (closer to 13th, IIRC).
  5. Lotus Cafe is on the, umm, southwest corner of Stanton and Clinton street.

-

I often hear people say that it is easy to be hidden in a big city such as New York. I have found quite the opposite to be true. I can’t say how often I get recognized from being somewhere or doing something, but sometimes I feel like a pseudo-celebrity, which would probably rank on my top 10 list of worst nightmares, if I had one.

This is a by-product of New York. New Yorkers have this sort of instant familiarity, as opposed to, say, DC, where closed-circle cliques reign supreme. You can say hello to almost anyone, anywhere, and they will respond in kind. And, you end up in conversations with random people that feel just like conversations you have with close friends you see all the time. That is just the way it is around here, and even us loners have trouble being alone. (I have (re)adjusted to strangers saying “Aren’t you Andrew such and such…” or “We danced/spoke/etc. at such and such…”, but it still makes me nervous on occasion, as I always feel at a disadvantage in the conversation.)

An example of this, with what has to be my favorite closing line ever, happened at a restaurant called Kion, roughly a year after I returned to New York. There were these two people working there, the bartender and the host. After verifying the place was open, I sat down at the front bar and the host came over and said, “I have seen you before, no?” This (and being asked the time) are two classic pickup lines I get hit with all the time, so I said dismissively, “Umm, maybe. I tend to go out a bit.” She said, “I am sure I have seen you before.” Then, thinking for a second, she said matter of factly, “Leet. I have seen you at Leet. You used to go there a lot, but you have not been there in a while.”

Refraining from the urge to declare how I am always in the 733t 5k1l75 zone, I said, confused, “Leet? Umm, I don’t even know of a place called Leet, let alone been there. Sorry, you must be thinking of someone else.” Still, she was adamant. She even spoke to the bartender, and the bartender confirmed that they had seen me at “Leet.” “Leet. Leet. Leet.”

Now I was baffled. I suggested maybe they were confusing me with Moby, or Larry Tee, or any other skinny, bald guy that I have been told I look like. So, the host looked at me closely and said she was positive it was me. I continued to deny ever going to a place called “Leet,” and the host started to walk away in defeat when it hit me, “Lit?” She said, “Yes, Leet! It was you. I knew I had seen you before.” Turned out, she was from Peru and, with her accent, Lit sounded like “Leet” to me.

After the host walked off, the bartender leaned in, gave me an evil grin, and said, “Not as hidden as you thought you were.”

Dedicated to all those people that claim the innateness of big city anonymity. (Look ma, no surveillance cameras in here.)

-

This made me laugh.

you sounded dumb. The term “shared secret” is
used all the time in real cryptosystems

Which was a response to this, which also made me laugh.

the “shared secret” (now there is a high-tech sounding secure name)

This is why I sometimes lose people in conversation. I then have to step back for a moment and explain terminology I generally take for granted. We all know different things.

Oh, and I was laughing here too.

HERE’S A BROCHURE FOR MY CULT.

Weakest link, folks.

Dedicated to those that make me laugh.

-

As one of my jobs at a small business a few years back, I was the system administrator. Now, this company employed mainly technical people, which made me extremely impatient when dealing with their computer troubles that required nothing more than basic debugging skills to fix. There are a few engineers out there that have been laughed at and openly mocked by me for stupid moments, such as thinking their machines were dead without noticing the breaker on their surge protector had tripped, or trying to probe me to see if I could tell when they were browsing those “junk in the trunk” web sites ;) .

Which leads me to my inane moment, as described by this short email chain. I quickly fired off the following message after playing with this headset for a couple of minutes, and the following reply appeared a few minutes later.

Andrew,
The Jabra JX10 needs to be on, then push and hold the pairing button for 2 seconds, after that you should see the solid blue light.

Thank you
John
***snip***

Hello,

I just purchased a JX10 headset, and, after the initial charging, I tried to pair the device with my phone. Unfortunately, when I push and hold the pairing button on the JX10, the blue LED never lights to indicate that the device is ready for pairing. Additionally, my phone does not detect the JX10, so I don’t think it is just an LED problem. Are there any other troubleshooting steps?

Thanks
***snip***

You mean it has to be turned on? The connect/disconnect call button doubles as the power button, as clearly indicated in the manual and ignored by me. He should have just written, “RTFM.”

Dedicated to all those engineers that I have ridiculed for moments of utter “technical” stupidity. (Yes, I will still mock you the next time.)

Bank ordeal

Wednesday, March 8th, 2006

So, I went off to the bank (a branch office of a major financial) to open a new account. I noted a few things during the (two and a half hour!) ordeal.

  1. Social security numbers appear to be used as an index for bank accounts (no, not as the actual account numbers), and they knew of an old, deceased account I had with a bank they bought out a number of years ago based on my social security number.
  2. When opening bank accounts, two forms of identification are required, and credit cards are considered a form of identification.
  3. When depositing checks in amounts greater than $5000.00 upon opening new accounts, the timeframes for clearing are a bit longer due to additional processing and reporting requirements.
  4. The workstations were slow, terribly slow, at performing their tasks. One machine even froze up just after entering all the information necessary to create my account, and we sat there chatting while waiting for about fifteen minutes to see if it would start working again. I kindly suggested CTRL-ALT-DEL, which did nothing as the box was totally locked, and then suggested power cycling. Windows XP crawled during boot and login until, after about fifteen minutes, the necessary applications were running again and they were (re-)entering my information. Then one of the printers would not print, so we had to debug that, checking the paper tray, toner, connection, etc. (I was not allowed to get on their workstation at this point) and eventually just switched to a different printer.
  5. During the process of signing up for online banking, a senior bank person let me sit at their desk and access their machine directly to create my online banking account. They then walked away, leaving me alone at this machine for a couple of minutes. Yes, alone at the machine, fully logged on with their credentials, which, based on the transactions already performed for me, included the ability to create bank accounts, modify bank accounts, transfer money, and order debit cards and establish PINs for said cards. I wished they had at least exited/locked some of the applications that were running (and logged into), but no, they didn’t.

As to item five, given the senior bank person and I were clearly growing impatient with the various obstacles and delays created by the infrastructure problems, they tried to multitask by getting me working on creating my online account while they ran around grabbing printouts and getting other tasks done, like depositing checks. When people have to rely on an infrastructure that is clearly not meeting their needs, it frustrates them and can sometimes lead to various workarounds in an attempt to make up for the infrastructure. In this case, those workarounds combined with the common priority of usability over security to create item five.

As to item four, that is the type of situation D-kriptik is in business to avoid. After all, at our core, we are trying to bring people and technology together for the better.

Smile like key logger 1 & 2 or implementation error, software as service, and be the best

Monday, February 27th, 2006

Always approach that person behind the counter with a smile and always ask them how they are doing. Not only is it pleasant, but it will get you better service as well. Most people just take them for granted – if you do not, it will stand out in a good way.

This is key when your seat reservation on that last minute, packed flight you had to book for business is awful. You could use electronic checkin, but you know there are better seats being held open (not available via electronic checkin) and you want one of them.

-

In DIY news,

Here’s how to make a PS/2 keyboard line keylogger

This was of interest because of a generic saying my buddies and I used to have when I was younger. It revolved around attacks, such as social engineering techniques, key loggers, implementation errors, and rubber hoses, that often violated the assumptions of threat models and rendered the security mechanisms of a system moot – we used to say “yeah right, crypto this.” The term derived from our feeling that crypto was often not the weakest link, and that claims that a product/system/whatever was amazingly “secure” because such and such crypto was used were often effectively meaningless. (This previous post comes to mind.)

via Schneier on Security

-

In this same groove… FUD about “crypto for the masses” still exists, as this article about Skype illustrates. But, the interesting item is this.

[...]For the FBI, keyloggers are a popular choice; they obviate the need for backdoors or for sophisticated computer solutions. They simply steal the password. The same (metaphorical) approach may give them access to Skype calls; rather than breaking the encryption, they simply grab the key and decrypt the data.

There we go. “Yeah right, crypto this.”

Also of note,

The FCC ruled last year that VoIP providers need to offer backdoors into their systems for wiretapping reasons, but Skype isn’t based in the US and so is not subject to the rule. It is subject to the EU’s new Data Retention Directive, though, which may require them to retain call logs and decryption keys for a period of time. If so, real-time monitoring of Skype calls would still be out, but after-the-fact review of recorded calls from people of interest might well be possible for the government.

Key escrow. (Even without key escrow, 1024 bit RSA keys are coming within reach – that means a passive adversary could archive the calls, crack the 1024 bit RSA keys used during key transport (thus compromising the 256 bit AES keys used for data encryption), and satisfy those voyeuristic tendencies.)

via cypherpunks

-

A simple crypto implementation error.

The Perl Crypt::CBC module versions through 2.16 produce weak ciphertext when used with block encryption algorithms with blocksize > 8 bytes.

Ciphertext encrypted with Crypt::CBC using the legacy RandomIV header and the Rijndael cipher is not secure. The latter 8 bytes of each block are chained using a constant effective IV of null, meaning that the ciphertext will be prone to differential cryptanalysis, particularly if the same key was used to generate multiple encrypted messages. Other >8-byte cipher algorithms will be similarly affected.

Whoops, that ain’t AES in CBC mode. :)
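As an added illustration of the advisory above (this is not Crypt::CBC’s own code, and it does not reproduce the module’s exact code path), the Go program below models the defect as the advisory describes it, an 8-byte chaining value against a 16-byte block so that the latter 8 bytes of every block are chained against zeros, and sets it next to standard AES-CBC with the IV-length check the legacy RandomIV path lacked. The key, IVs and plaintext are constructed sample values; decrypting the flawed output with a conforming CBC decrypter shows exactly the “latter 8 bytes of each block” going wrong.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var ( // constructed sample values for the demonstration; none come from the advisory
	demoKey       = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key
	demoIV8       = []byte("IVIVIVIV")                         // 8-byte IV, as the legacy header carried
	demoIV16      = []byte("sixteen-byte-iv!")                 // proper 16-byte IV
	demoPlaintext = []byte("block-0 of text!block-1 of text!block-2 of text!")
)

// flawedCBCEncrypt models the advisory's description: only 8 bytes of chaining value
// are carried forward, so each block's latter 8 bytes see a constant null "IV".
func flawedCBCEncrypt(block cipher.Block, iv8, plaintext []byte) []byte {
	chain := make([]byte, 16) // latter 8 bytes stay zero throughout
	copy(chain, iv8[:8])
	out := make([]byte, 0, len(plaintext))
	for i := 0; i < len(plaintext); i += 16 {
		ct := make([]byte, 16)
		for j := range ct {
			ct[j] = plaintext[i+j] ^ chain[j]
		}
		block.Encrypt(ct, ct) // in-place is permitted for cipher.Block
		out = append(out, ct...)
		copy(chain, ct[:8]) // the defect: only half the block is chained
	}
	return out
}

// correctCBCEncrypt is standard CBC plus the guard the legacy path lacked: an IV
// that does not match the cipher's block size is an error, not silently padded.
func correctCBCEncrypt(block cipher.Block, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv is %d bytes, block size is %d", len(iv), block.BlockSize())
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// GarbledHalves decrypts the flawed output with a conforming CBC decrypter (IV = the
// 8 bytes zero-padded) and counts blocks whose first 8 bytes come back right but whose latter 8 do not.
func GarbledHalves() (firstOK, latterBad int) {
	block, _ := aes.NewCipher(demoKey)
	ct := flawedCBCEncrypt(block, demoIV8, demoPlaintext)
	iv := append(append([]byte{}, demoIV8...), make([]byte, 8)...)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	for i := 0; i < len(pt); i += 16 {
		if bytes.Equal(pt[i:i+8], demoPlaintext[i:i+8]) {
			firstOK++
		}
		if !bytes.Equal(pt[i+8:i+16], demoPlaintext[i+8:i+16]) {
			latterBad++
		}
	}
	return firstOK, latterBad
}

// ShortIVRejected shows the guard firing on the 8-byte IV.
func ShortIVRejected() bool {
	block, _ := aes.NewCipher(demoKey)
	_, err := correctCBCEncrypt(block, demoIV8, demoPlaintext)
	return err != nil
}

func main() {
	fmt.Println(GarbledHalves()) // first halves intact: 3, latter halves garbled: 2
	fmt.Println("short IV rejected:", ShortIVRejected())
}
```

Only the first block survives the round trip intact, because there the zero-padded IV and the flawed chaining value coincide; every later block decrypts with its first half right and its second half wrong, since a conforming decrypter XORs in the full previous ciphertext block.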

-

This article discusses IBM’s belief and moves in the “software as service” area.

The growing interest in hosted applications, or software as a service, among corporate customers has prompted IBM to focus its ISV program on hosting, said Buell Duncan, IBM’s general manager of ISV and developer relations.

“Software as service” fits with this old post, in particular as another example for the following paragraph.

Selling software is so last century, much like long distance call fees. New software is distributed for free virtually immediately after its development, regardless of a company’s desire to sell it, and we could chat about ways to control that, but I don’t think there is much point in that. Services are what matter now.[...examples...]

Coming from a small business background, the real-world example of a successful “software as service” that always comes to mind is salesforce.com. They built a great CRM that should be at the top of the list for consideration by any small business looking at deploying such a tool.

Thanks to Potter for the pointer.

-

And, everyone here enjoyed this post by Lindstrom.

Don’t be first. Be best… at something. It doesn’t even have to be a product function – it could just as easily be customer service or price.

Amen.

(Should I start splitting these into separate posts?)

Customer service and Heathers

Sunday, February 19th, 2006

This post varies from recent topics, but customer service is still important here and I wanted to note a relatively new bar, Heathers, built around customer service and reputation.

I ended up in a small bar called Heathers hidden behind a door at 506 E13th street in lower Manhattan for the second time a few days ago. I got there around 5:30PM EST, and pushed open the door to find the owner, Heather, getting the bar ready for opening. It turned out the place did not open until 6PM, but she invited me to sit down and have a drink anyway. A couple of other people wandered in about 15 minutes later, and she did the same for them. Now, that is not a norm in Manhattan, and it definitely signifies a great local bar.

Heather herself was extroverted and ran around talking to everyone that filtered in. She was the owner and filling in for the normal bartender that night. This was the first bar she owned after having experience working in bars, and she just opened it in December 2005. Heather was not big on advertising, favoring word of mouth for spreading information about the bar. In other words, reputation will make or break this place. You know we respect and love that.

With all of this, you could tell that customer service was a core focus here and it showed. Both the bartender the first time I went and the owner this time were friendly, positive, energetic, and quick to please, which translated to attentive service and tasty drinks. They really cared about their customers, and that always stands out. It also translated to a very friendly environment with talkative patrons. (Not to mention, the drink specials were hard to beat.)

In all, from the ultra friendly atmosphere to just plain amazing customer service, Heathers should develop a great reputation and a loyal following. Yet another example for us to look up to, with both an understanding of great customer service and a belief in building a solid reputation.

(While on this topic, upstairs at Marquee on Wednesday nights is still a great experience. Late last Wednesday night when one of the regular DJs, Pete, intervened to throw on some classic tracks and the place just erupted in dancing and smiles from business suits to t-shirts was a typical moment there. These guys know their customers. And, the congenial blending of an upscale lounge and its regular crowd with a downtown rock crowd is just nice to see. I have even squeaked in a bit of business networking there, although it always feels surreal to do so.)

Brief comment on Sony rootkit news

Tuesday, December 6th, 2005

The Sony rootkit news was revealing. While Sony had always been known for its strong support of DRM, now many people have gotten a bad taste for the lengths Sony is willing to go to in the name of copy protection. As a long time Sony customer, I wanted to briefly comment on me and my minidiscs in response to someone I met a few days ago.

Dated as they are, I like minidiscs and I use a Sony minidisc recorder quite frequently. The first Sony minidisc player I bought in a very long time was the Sony MZ-RH10 because it supported the MP3 format for playback natively (not just Sony’s ATRAC format – OMG!), and I could get my new recordings off of it and then use those recordings without difficulties.

Now, I use minidisc recorders solely for playing MP3s from my collection and for recording new audio, which means I transfer newly recorded audio off of the minidiscs, but recordings from my collection are only transferred onto minidisc and never off. (For distribution of media, such as audio, I mainly use darknets (WAN), streaming servers and shares (LAN), external hard drives, CDs/DVDs, and USB tokens.) I often record audio raw (PCM), but, every once in a while, I use lossy compression (Sony’s ATRAC3Plus format). I then transfer the recordings off of the minidisc using variants of SonicStage (official software is only available for Windows, unfortunately), set copy protection as desired (for me, that means no copy protection), and convert the recordings to WAVs. From there, I am free to convert the WAVs to any format, and normally I just convert them to MP3 format. There is no copy protection on the resulting MP3 files per configuration, and they can be freely played on various systems.

Unfortunately for Sony, I am now worried about upgrading any official SonicStage software in use, as goodness knows what Sony will think up, and I do not plan to buy another minidisc recorder or other related technologies from Sony.

Treat your customers like dirt, and they go elsewhere. In its desire to protect itself from its customers, Sony forgot that part. Perhaps a review of this post and this post is in order.

(An even longer time Sony customer, my mother, saved up to purchase a widescreen HD LCD television, and she enlisted my help in selecting such a television. We both have a history of Sony televisions; however, due to this behavior, Sony was immediately taken out of the running. My mother ended up getting a beautiful Samsung television and could not be happier with it.)

Customer service and pride follow-up

Monday, October 17th, 2005

We received an email that had the following paragraph in it, which was in response to the “Customer service and pride” post a couple of weeks ago. Note: The company name was redacted by me, as the following paragraph was contained in a personal message and not an official statement from the company.

I agree with the comments you made regarding customer service. That type of outlook made the difference at xxxxxxxx. Fortunately the philosophy you describe was shared by many people at the company.

Suffice it to say, the company in reference has a worth in the hundreds of millions (USD), is still customer focused, and is continuing to grow rapidly and successfully. They should serve as an example to us all.

Customer service and LIRR

Monday, October 10th, 2005

We always take notice of great service, as it fits with our core values and so serves as a good example for the D-kriptik team (and hopefully others as well). These stories are always relayed within our community, but we used to say this was off-topic for the blog. We now feel that was a naive view and ignored our non-technical values, so these types of posts will become a norm on this blog.

Anyway, here was my experience. I was on the 4:54AM EST Long Island Rail Road (LIRR) train out of Penn station to Babylon one morning last week on my way out to Huntington. I was supposed to transfer at Jamaica to the Huntington train, but, unfortunately, I fell asleep on the Babylon train.

(For those that don’t ride the LIRR to Huntington or other destinations, the LIRR has conductors on the trains that come around and check tickets. Under normal circumstances, a one-way ticket from Penn to Huntington gets checked twice, between Penn station and Jamaica station, and between Jamaica station and Huntington station. Generally, the conductor will punch (a hole in) the ticket once between Penn and Jamaica, and then punch and keep the ticket between Jamaica and Huntington. The reason for this is that the conductors need to keep track of how much of the ticket is used but cannot keep the ticket at that point because the legs of the trip might involve transfers, such as switching trains at Jamaica. Once you are on the final leg of the journey with no more potential for transfers, the ticket is normally kept by the conductors as it is all used up.)

Well, after we had passed Jamaica, the conductor came around for tickets again. When he woke me up, I asked if we had passed Jamaica and said I was going to Huntington. He said that was a problem as we already left Jamaica, so we chatted a bit. He came up with two options for me: check if I could find someone to pick me up at some station other than Huntington, or go back to Jamaica and change trains to Huntington. I chose to go back to Jamaica, so he wrote a note on my ticket stating what happened, providing some identifying information, and giving me the “OK” to ride back to Jamaica without having to buy a new ticket, which was great. He also said to try to stay awake, at least until I was on the Huntington train. Friendly, caring, and helpful.

So, I hopped off the train at Lynbrook and caught a train going back to Jamaica at around 5:30AM EST. The conductor on this train came around, saw my ticket, read it, smiled with sympathy at what happened, and then chatted with me about when the next train to Huntington would be leaving from Jamaica (“6:02AM or 6:12AM”), which was her next train as well. Again, friendly, caring, and helpful.

The wee hours of the morning, and they were friendly, caring, and helpful. I walked away feeling like I got something extra for my money. Now, that is customer service, and, as a core value of D-kriptik, when we see it in others, we feel a need to praise it. Bravo to the LIRR employees.