Reminder: President Obama Didn’t Give Himself the Prize

I find it funny that so many people have been upset by President Obama having been given the Nobel Peace Prize. Somehow, everyone (myself included) seem to miss one vital point: he didn’t ask for it. There he was, simply sleeping the night away (probably with nightmares because of all the trials he’s undergoing) and it was handed to him. Regardless of whether or not we think he deserved it (as I have talked about before), we have to remember that he wasn’t campaigning for it and has simply been doing his job.

Michael Moore (yes that one), wrote an excellent article on the subject on why he deserves it.: Get Off Obama’s Back: Second Thoughts From Michael Moore. An important paragraph (if you don’t want to read the whole thing):

The simple fact that he was elected was reason enough for him to be the recipient of this year’s Nobel Peace Prize.

Because on that day the murderous actions of the Bush/Cheney years were totally and thoroughly rebuked. One man — a man who opposed the War in Iraq from the beginning — offered to end the insanity. The world has stood by in utter horror for the past eight years as they watched the descendants of Washington, Lincoln and Jefferson light the fuse of our own self-destruction. We flipped off the nations on this planet by abandoning Kyoto and then proceeded to melt eight more years worth of the polar ice caps. We invaded two nations that didn’t attack us, failed to find the real terrorists and, in effect, ignited our own wave of terror. People all over the world wondered if we had gone mad.

And if all that wasn’t enough, the outgoing Joker presided over the worst global financial collapse since the Great Depression.

And my favorite single sentence from it:

Never before had the election of one man made every other nation feel like they had won, too.

That’s exactly what I was trying to refer to in my previous post. Imagine how difficult it would be to turn the world’s general attitude from a very negative and pessimistic one to a positive attitude full of hope and nearly-world-wide belief that a common good might just be achievable Now imagine trying to do that in the time span of an election. I’m not sure this has EVER happened so quickly before.

Don’t get me wrong, his work is far from over. It’s certainly not time to start slacking. But he’s already achieved a task you couldn’t possibly wish on anyone. Somehow I don’t think he’s the type of person to start just kicking back and enjoying the ride.

Leave a Comment

Should Have President Obama Been Given The Peace Prize?

I’ve been up for an hour, pondering the first bit of news I read for the day: President Obama has been given the 2009 Nobel Peace Prize. I’m now sitting and waiting for his speech on the subject and pondering my opinion on the subject.

The oddity of the prize comes from the fact that he’s not even a full year into his first term. In fact, he had to be nominated by February at which point he had only been in his post for a little over a month. He has certainly worked very hard during that 9 months and has a huge amount on his plate, both internally and externally to the U.S. Has he done enough to warrant an award yet? I’m left with many questions and few answers. I’m really only going to be documenting my questions here, since I’m neither a politics nor a Nobel prize expert.

The one thing I realized as the election was coming to a head in November 2008 was that Mr. Obama had the attention of the world in the way that hasn’t happened in a long time. Probably since the time frame of Mikhail Gorbachev’s work. He has a huge level of world-wide attention. Not just any-old attention, but positive attention.

I’ll pause now, because he’s started speaking and I’m going to listen…
(It was a good speech, but not one of his best. That being said, it was far better than I could have done after only being awake for a few hours after being told he won the prize!)

Before the election, as I was saying, I was watching TV one day and whatever I was watching was showing clips of people around the world saying how excited they were at the prospect of Mr. Obama being the next President of the United States. Coming from a point in history where there was practically world-wide disdain for recent United States actions, this was a huge change in viewpoint.

Think about it. Think about what the U.S. popularity was in October of last year compared to October of this year. Now, of course, the Peace Prize isn’t given because of how the world looks at the U.S. But it is given to people that can have a profound effect toward world harmony. I do think he has achieved that by just “being him” and winning the election.

But is that enough? Is it enough to just “be someone” with such extreme charisma that he should win a prize? Why this year? Certainly, he would have a longer track record to consider and judge. Or is now the right time in order to help him achieve even greater good by attracting even more world-wide attention. Should the peace prize be awarded as a flag to rally under?

I don’t have answers, but as the day goes on and I’ve had more time to think about it, I at least understand the reasons behind the decision more. And if I was going to award someone a prize for achieving world wide recognition as a positive person to rally, it would certainly be to him. he’s long since did that even before taking to office.

Comments (2)

Coining a New Parental Phrase: Stubborn Block

We all get mind-blocks from time to time. Sometimes it’s just from sleep deprivation where we can’t think any longer. Sometimes it’s from a lack of creativity (e.g. “writers block”). Sometimes it’s from simple lack of will to do something tedious (“procrastinator’s block”).

But with children (and admittedly some adults) there is also the “Stubborn Block”. This block occurs frequently with homework and house-hold chores. This one takes hours out of your child’s life because they simply because they’d rather be doing something else. The problem, though, is that with a child who is rebelling against the very notion of doing something you want “simply because” there is no logic that will prevail. Statements like “if you would just buckle down and do it it would only take 10 minutes” has no effect and the stubborn block will instead result in a 70 minute ordeal to get the 10 minute task done.

I have no solution to this one. I surely wish I did. I simply don’t know how to function when logic stops having any effect at all. When a “stubbon block” appears within the confines of my house, I end up in a “frustration block”.

Leave a Comment

A Different Type Of STAR Test

My children teach me things on a regular basis.  They don’t realize it most of the time, as most of life’s little lessons you can only learn by being caught in the moment.  Sometimes I learn things because I have to relearn things, like tonight when I had to recall the statistical definitions of median and mode. Every time I learn something from them it’s always a treat and frequently a surprise.

The other night, as I was tucking our daughter in bed, the two of us came upon a discovery.  Above her bed (which is a lofted bed and close to the ceiling) she has glow-in-the-dark stars.  When you turn out the light they glow, of course (hence the name).  Their effect is amplified, though, by the fact that you’re left amazingly blind right after the light is turned out and they’re the only things that you can see (assuming the room is dark enough of course).  In this environment is where we made our scientific discovery. (And no, that picture on the right is not of a glow in the dark star that we’re talking about. It’s a glow in the dark ball but it just looks cooler than a little dot on a wall would have looked and I just like the picture).

Right after the light was turned off, my daughter and I decided to reach out and touch the stars.  What we found was we couldn’t.  Or at least we couldn’t without multiple attempts.  When you can’t see your fingers (because your eyes adjust so slowly to darkness) and the only thing you can see in the star you’re trying to touch, it turns out that your brain just isn’t sure exactly where in space your finger is.  The end result is that you’ll likely miss the star and your finger won’t land right on it.  In fact, you’re sense of where-is-my-finger is so bad you’ll likely get it wrong multiple times in a row (at least until your finger passes between the star and your eyes and gives you a clue). It’s an amazingly frustrating and simultaneously fascinating experiment to try.

Somewhere there is a research paper, or better yet, a school science project waiting to be written on this subject.  Probably involving a large number of study participants randomly poking stars in a dark room and seeing how many times it takes them to really touch the stars.  And somewhere, of course, in the results will be an interesting bunch of statistical data.  Probably involving median and modes.

I expect a mad rush on glow in the dark stars because of this article. It’s an experiment you should definitely try. Preferably with kids, as they’ll make it much more entertaining.

Leave a Comment

The Future of Communication

Imagine it. You have a cell phone but get no bill.

Imagine it. You’re in the middle of nowhere Nevada and you get notified of incoming email from your sister three miles ahead, further into nowhere. (She wants to stop for a picnic).

The day is coming

Your mobile phone (or whatever we’ll call it then) will communicate through any local network it can find from the many in range. And it’ll be able to pick the best one without you even realizing it. (Just like cell phones now pick the best cell tower to communicate through).

In the nearish future bandwidth will be so pervasive it’ll be free or close to it. The number of network access spots is already exploding to the point you can find a connection today just about anywhere but the middle of nowhere.

There is, however, a bandwidth crunch coming. Many are concerned about it. There will be a point where you will watch all your “TV” (or whatever we call it) only over internet based sources, because it’ll be cheaper and easier to produce shows and infinitely more flexible to you. This, however, worries the network current carriers because of bandwidth concerns. But that too will pass as technology for delivering data continues to improve. And since video is the most bandwidth intensive service that’ll we’ll likely need for awhile, once the bandwidth problems of delivering lots of video are past there is little else on the horizon to worry about (until we get to the point of needing to ship around 3-D holograms).

Combine bandwidth with access

Eventually we will reach a point where access and bandwidth are everywhere and free or virtually free. there won’t be a reason to leave the fate of our communication in the hands of the few companies that are providing such poor service today.

The upcoming bandwidth availability will be a significant change in the way we live with information, as it will always be nearby.

Imagine getting into the car and it asking you “where are you heading to today?”. We already have cars that respond with a map when you say “longs”. But what we don’t have (and isn’t that far away) is a car that responds “please remember that Longs was bought out by CVS and its name has changed. Also, although the store is open, you should be aware that the pharmacy is closed. Do you still wish to go?” I wish I had that feature the other day…

Combine online inventory and pricing with instantly updating maps and when you ask your car to take you to buy a good quality socket wrench set, it’ll tell you which streets to turn on, what brand choices are “good quality” these days, what the prices will be when you get there and what isles they’re in for the store it has selected for you that carries them.

Or imagine chatting with your friend over a half-double-decaffeinated-half-calf with a twist about an old friend and wondering what they’re up to and suddenly having your phone pipe up with “Charlie is currently living in L.A. And is working as the senior manager of “Tomorrow Land” in Disneyland. How cool and creepy would that be?

Like any revolution, it’s hard to predict what “the other side” will look like. The shift to the internet meant suddenly having access at home to a wealth of information. But soon, with spreading access ability, we’ll get to the point where it will feel odd not to have access.

Imagine never not having information at your instant beck and call.

Comments (1)

Continued Conversations With AT&T

So, previously I got depressed about SMS conversations with AT&T. I was then consoled and warned at the same time by my friend that I was not alone. And after his advice, and some other random advice from google results I decided to try the magic “stop” word. It is supposed to work when “no” doesn’t. So, when the next message came around:

AT&T from #4436:
AT&T Free Tip: Get weather, movie or restaurant tips from Google
on your phnoe. Text HELP to 466453 to get started.
To end Tips send no to 4436

Ah ha! I got you now silly AT&T. I now know your magic key word!!!

me:
Stop

And then I waited. I’ve never waited so long for a text message. I felt like I was in high school again. Ok, not really.

AT&T from #4436:
You have Opted out of AT&T Tips messages.
Please do not REPLY to this message.

Victory! I stood up, danced around my office and laughed at the ceiling while beating my chest with my fists. Ok, not really either.

But I was happy. Finally an end!

And then…

And then…

5 days later:

AT&T from #1111301000:
AT&T Free Tip: You can check your
voice plan minutes used & sms
messages sent with My Account.
Click Go to try.  To end Tips no
to 4436

NOOOOOOOOOO!!!

Now, I don’t know if you caught it. Go back, look at that last message and catch the difference. Go ahead, I’ll wait.

Done?

You didn’t cheat did you?

Good. You spotted it (I’m giving you the credit here): it’s from a different number. It’s no longer from 4436, it’s now from 1111301000. Now, lets do some quick math. 10 digit number, with 10 possible digits (1-9) in each spot. I actually think that first number is a 1 meaning country code one (+1 is how they write it in the rest of the world; that same “rest of the world” that uses metric and other standardized conventions). So, lets assume that there are only 9 numbers they can vary. That’s 10^9th possible combinations.

Or: 1,000,000,000 (1 billion to save you from counting zeros)

Now, assuming I can send 200 free text messages in a month under my plan (they say their messages are free. They never once say that sending back “no” or “stop” is free), then it would take me….

1000000000/200 = 5,000,000 months to cancel them all with “stop”
which is:
5,000,000/12 = 416,666 years!

Yes! I can actually calculate the days until freedom! (152,187,500 days)

And yes, I included leap years. Because I’m just that much of a geek.

Comments (3)

Limitations of SNMPv3/USM When Combined With EngineID Discovery

SNMPv3/USM, unfortunately, does suffer from some elements of man-in-the-middle attacks. But these are poorly understood and certainly not well documented (if at all). This document attempts to describe the weakness inherent in the SNMPv3/USM protocol.

Background and Conventions

Although this document coves some of the necessary background, it’s still expected that the reader already understands how SNMPv3 with its User Based Security Model (USM) works. The details of the SNMPv3 protocol and the USM-subprotocol aren’t discussed in this write-up.

It’s also expected that the reader is familiar with the USM concept of “discovery”, which can be summarized at a high level as this: a manager is allowed to send a “probe” message to an agent and the agent should return a “report” message that says “I’m using securityEngineID 1234″. An important element of this discovery request and response process is that it’s fundamentally unauthenticated. There is no proof that the agent responding actually is the right agent. The belief is that because future requests and responses are authenticated and use a key only known to the agent the manager wants to communicate with that the unauthenticated discovery request isn’t a big deal. But, in fact, it is and it does open the door for certain types of man-in-the-middle attacks.

USM contains a key-localization process provides the ability for the administrator to provide only a master password or a master key and the management software can transform that key through a series of one-way hashes into a key which is unique to each agent that the packets are destined for. Though this does prevent keys stolen from one agent from being used to break into another, it doesn’t help in the problem described below as will be shown. It won’t matter if the key localization process is used or not; they could have been randomly generated for each remote agent.

For documentation simplicity I’m only showing the use of one key in this document. But in SNMPv3/USM there are actually two: one for authentication and one for encryption. For purposes of the discussion, however, we can treat the keys as a “pair” and any time one is affected then so is the other.

SNMPv3 also has the notion of a contextEngineID, which is not discussed in this document as it is not relevant. Only USM’s specific securityEngineID is relevant to this discussion.

Typical Real-World SNMPv3/USM Start-Up Sequence

Pictures are always easier to understand, so let’s pretend we have the following network setup. Agent B will be colored red in these pictures since in the examples below we’ll consider it to be a machine which has been taken over by an attacker.

Typically a management station starts talking to an agent for the first time over SNMPv3/USM it will send an an securityEngineID request. And, of course, the agent sends back a response with its own securityEngineID:

At this point, the management station can start sending authenticated and encrypted traffic to the agent by using the authentication and encryption key assigned to the given securityName for the remote agent. Each agent has its own unique key pair that the manager uses to communicate with it and internally the manager has a table (the usmUserTable) of all the users and keys for the agent it wants to talk to.

The Attack

The problem with this situation is that the manager uses two values in order to look up the key for a given communication.

  1. It uses the securityName value it was given by some dialog box or command line option. In these diagrams this value is “userJoe”.
  2. The securityEngineID that it potentially learned from the discovery process.

But Discovery Results Aren’t Authenticated

Assume in the diagrams that Agent B has been compromised and it’s keys are now known to the attacker. Normally traffic sent from the manager to Agent A should be authenticated and encrypted with Agent A’s keys. This means that Agent B shouldn’t be able to see or respond to requests sent to Agent A because it doesn’t know the right keys.

But, if an attacker has compromised a device that is able to see traffic destined for more than just itself (e.g. when connect to a hub or truly in the middle of the path) then there is a problem if it can also spoof traffic. All it has to do is spoof responses to other addresses with its own securityEngineID for any securityEngineID probe that comes it can see. It will have to do this faster, of course, than the real agent can respond (but that can frequently be easily helped by launching DOS attacks). The end result is that the manager will get back a packet in response to it’s securityEngineID probe with a packet that looks like it was from Agent A but internally has a securityEngineID for Agent B.

Now, the manager thinks it has the right securityEngineID for Agent A, but in fact has the wrong securityEngineID for it (i.e. it has “engineIDB”). It uses this securityEngineID (“engineIDB”) in combination with the operator-provided securityName (“userJoe”) as indexes into it’s user/key table to figure out which key to use for protecting traffic. This look-up succeeds in finding a key, but has in fact found the wrong key for the agent it wants to talk to (Agent A). Instead, it finds Agent B’s key and starts its communications using KeyB.

Agent A will actually drop any requests that fail authentication (possibly sending a notification; but more on that later). But Agent B no longer even has to beat Agent A’s response back to the manager so there won’t be a race any longer and Agent B has successfully captured the entire communication stream until the manager looses its knowledge of Agent A’s securityEngineID again.

What Power Does This Leave Agent B With?

This only buys Agent B two things:

  1. The power to receive and decrypt traffic that was intended for Agent A. Typically GET and GETNEXT requests from a manager shouldn’t have anything but OIDs in them (though from an analysis point of view it might contain information about what functionality Agent A is supposed to have). SET requests, however, might have more interesting information encoded into the values that might be worth “stealing”.
  2. The power to spoof Agent A and return fictitious data from it. Agent B can now adequately pretend to be Agent A and thus can return bogus data as well as pretend to have acted as if SET requests had really been processed. This lets untold number of bad things happen, including convincing a management station that a device is fine when it really isn’t, under-reporting bandwidth usage, etc…

Protecting Yourself From The Attack

There are only a few choices when considering what to do about this attack:

  1. Understand the weakness and be OK with it. Just don’t be ignorant of it.
    • Understand that:
      • Management data sent from the management station can be stolen.
      • An agent can be “spoofed”. A management application may think it’s talking to agent A which has possibly:
        • Accepted and acted upon SET data.
        • Has returned real and true values that you can trust to be from that agent.
    • Protect yourself as best as possible:
      • Leaving your management applications long-running so they memorize securityEngineIDs can be helpful (though if the attacker succeeds at any point, you’ll believe he’s the right agent for a longer period of time so it’s still a trade off).
      • Doing a “leap of faith” type approach and believing the first securityEngineID and expecting it “from then on” (even if the management station is shut down; though I don’t know of software that stores securityEngineIDs in persistent storage.).
  2. Don’t use the securityEngineID discovery process and pre-populate the management database with the real expected securityEngineIDs extracted from their consoles. Unfortunately, this doesn’t scale well. And thus I don’t know of a single person who actually manages their network this way.
  3. Use different securityNames on every agent. Unfortunately, this doesn’t scale well either. I don’t know of a single person that manages their network this way either.
  4. Use another form of SNMPv3 security, such as SNMP/SSH transport or the upcoming SNMP/(D)TLS transport. These forms of SNMPv3 don’t suffer from this weakness but have only recently been defined by the IETF and aren’t widely implemented and deployed.
  5. Only run management commands over a protected physically separate and entirely switched network. Fortunately, this is frequently common practice. Though it doesn’t necessarily eliminate the threat depending on which network components have been broken into, it should help reduce the threat significantly.

Questions and Answers

Does This Attack Work If Not Man-In-The-Middle?

The short answer is “no”.

The longer answer is that if the attacker can’t see the traffic, then they’d have to be able to guess the manager’s messageID and time the securityEngineID response appropriately.

But even if they could do that, it doesn’t help much unless they can see the traffic since they won’t see what they can now decrypt and respond to. The attacker can’t easily respond to what they can’t see (without an unreasonable amount of guessing of packet contents and timing).

The best an attacker can hope to accomplish would be a denial of service attacker because the manager would fail to communicate with Agent A while the securityEngineID mismatched.

What About Authentication Failed Notifications?

If all the agents are configured to send out SNMPv2-MIB::authenticationFailure notifications then in theory the manager would receive a notification every time agent A received a packet that wasn’t authenticated with the proper key (keyA).

This is true and maybe helpful if authentication-failure notifications have been turned on. But the evil Agent B entity may find it possible to spoof securityEngineID query responses from the management’s notification receiver to stop INFORM notifications from being encrypted with the right authentication key thus causing the notification receiver to drop the notifications. TRAP notifications are sent using the local (correct) engineID so this attack won’t work on them.

Comments (4)

My Friend’s Older Conversation With AT&T

I recently posted my both funny and depressing text message conversation with AT&T as a result of their spamming me (which, by the way, I still haven’t managed to turn off mostly because I gave up).

A friend of mine (WY0X) gave me permission to post his recap of his on-the-phone conversations with AT&T about a similar, but even worse, problem:

Be really careful with those. I recently had to deal with a scam on Karen’s phone. Apparently AT&T has made it super-easy for 3rd party “providers” to send you a text message, and if you reply AT ALL, that’s all AT&T can see in their system. The 3rd party company then uses the convenient “upload an XML file full of phone numbers and any arbitrary price we desire to extract from said phone users” file to AT&T for AT&T to handle the billing. When you call to contest this $19.99 monthly “subscription” that shows up on your AT&T cell phone bill, they say, “Well, we see you exchanged text messages with the company in our system. You must have accepted an offer from them.” Only after an hour of explaining that my wife was NOT that stupid and NEVER replied to any message that said “will you sign up?”… did they offer to refund the charges and set up “Parental Controls” (HA!) on both of our accounts so NO 3rd party could ever bill anything on them. I highly recommend to all on AT&T.

So seriously, some company could send you this message “Hey, what you doing tonight?” from a number you don’t recognize, and you could send back, “Who is this?” and AT&T would see that as “proof” that you had a business relationship with them. When I pointed this out to an AT&T supervisor they said, “I suppose that could happen — we are getting a ot of complaints right now. However I’ve refunded the fees this month.” … Okay lady, how do I stop it FOREVER, and why are you making it easier for unknown third parties to bill me, your customer, than it is for me to opt-out of such shenanigans? Oh by the way, I will be reporting this to our State Attorney General since it’s generally considered bad business to bill for another party whom you can’t prove has a business relationship of any kind with your customer. You yourselves say you can’t see the text messages for privacy reasons… so how do you know EVERY one of the bills you’re sending out isn’t a scam such as I described?

She was like a deer in headlights, and started reading from the script again. After about four attempts I said, “What would you say if this were my 12 year old’s phone?” “Oh, we have Parental Controls for that!” Well, there ya go lady… fire me up some “Parental Controls” on both lines, please… my wife’s and mine. “But you won’t be able to order any other services!” “That’s absolutely correct, and I can’t see us ever NEEDING those other services either, but my wife did enjoy a few of the Trivia questions she received once a month from these idiots.” That was pretty much the end of the conversation at that point. 30-45 minutes of my life wasted, stopping my cell carrier for billing me for other people’s scam businesses.

AT&T *did* do the “right thing” and refund it, but there were clueless about why I was upset about it. I finally got down to asking everyone I talked to there: “Please prove I have a business relationship with XYZ third party company, which allows you to bill me for their services.” They were dumbfounded. There was nothing on their (so called) customer service scripts to handle someone asking such a “tough” question.

I love the fact I have intelligent friends. I hate the fact I have less-than-intelligent companies.

Comments (4)

Stuck In Stockholm

Recently my wife and I went to Stockholm, Sweden. We were there, accidentally, for 2 weeks in total. For the first 2 days we wandered around and tried to battle jet-lag through a healthy regiment of walking in the sunlight with frequent stops to consume cappuccinos. Following that, I had a week long convention while Dawn did whatever suited her at the time.


Our first major outing was to the island of Gamla Stan, which is one of the oldest parts of Stockholm. It’s narrow streets are filled with stores, restaurants and brightly colored walls. It’s an extremely relaxing area of the city to walk around that is devoid of cars and full of things to feed your eyes. There are, especially in the summer, a huge number of tourists so the streets are crowded but it’s worth it. The Stockholm guidebooks we looked at mentioned pick pockets but we felt much safer in Stockholm than many other large European cities.

During my working-week we did get to spend an evening at the wonderful Vasa museum. This museum is dedicated to a huge wooden war ship which sank in 1628 and was recovered in 1961. It’s a wonderfully done museum dedicated to a ship that is stunning to walk around. Though it does feel odd to visit a museum entirely dedicated to a ship that failed so dramatically: it sunk only a few minutes into its maiden voyage. The museum is on the “must see” list if you ever plan to visit Stockholm.

After these first few wonderful days of touring the city we were emailed by our currently preferred credit card company (thank goodness for conference internet access!) that we needed to contact their fraud department ASAP and they had deactivated our card. After calling, we learned that they suspected something was wrong. They asked us if we had purchased plane tickets recently. Certainly, we assured them, we had. Also, did we purchase anything from overstock.com on July 24th. Well it so happens that was the day we were travelling (and travelling and travelling), so we certainly hadn’t. They immediately cancelled our cards and promised to send new ones to our hotel and they “should hopefully get there by Saturday”. This was a good thing as we were set to check out on Sunday.

We had a wonderful last day in Stockholm on Saturday visiting some of the museums that we hadn’t seen yet. The Nordic and historical museums are well worth visiting in Stockholm. The historical museum in particular goes into great depth about the fascinating Viking history in wonderful detail. That evening we returned to the hotel and were told by the front desk that, sorry, but we hadn’t received a package. Oh uh, we thought. Now what. Our only choice was to stay longer and wait for it. So much for our “last day”. Fortunately, they had enough room that we could stay until Monday if we liked while we were waiting “our package” (we of course didn’t admit we were waiting for cards to pay them with). So much for our plans to see the south of Sweden.


So we spent another wonderful “last day” on Sunday visiting Skansen, which is an outdoor museum of Swedish historical architecture and culture. In a large open space on the top of a hill in an island with a beautiful view of the water around Stockholm, they brought in houses and buildings from around Sweden from various time periods and let visitors walk around and through them. It is an absolutely fascinating area that we spent over 10 hours in before giving up and realizing we couldn’t see every possible structure (but we still felt good about getting to 90% of them or so).

The next day, Monday, we slept in after our 10+ hour walk. Around 11:00 (an hour before checkout time) we checked with the front desk and they informed us “no package; yes you can stay until tomorrow”. Then we brain stormed. What now? Well, we hadn’t yet taken a boat cruise through the city, so… let’s do that. We opted, after pouring over brochures, to forget the simple cruise around the city and go all out for our “3rd last day”. We signed up for an all day boat cruise for the day after that would take us through some of the neighbouring islands. And yes, we could stay until Wednesday since the all-day Tuesday trip would ruin our chances of checking out on Tuesday. And yes, they could add the boat trip tickets to our hotel room bill. Excellent, I thought while slyly trying to glance through the kitchen doors to see how many dishes we’d be able to wash in order to pay the upcoming larger and larger bill without a credit card.

The boat cruise was fantastic. Just off the coast of Stockholm are 30,000 archipelago (small islands for those of you with a vocabulary similar to mine). The boat cruise took us around and through a gazillion of them and dropped us of for an hour on three of them. Each were different, the final including a cute village with brightly colored houses. All red. My favorite of the three islands, though, was the most remote, desolate, rocky island. I could have spent a full day on that small island walking across the barren terrain through the fog.

Upon arriving back at the hotel that evening we, of course, found no package waiting for us at the front desk. We called the bank again and they apologized profusely and explained that they couldn’t even find a tracking number for the package they had sent. They were deeply concerned about this and would look into it.

Now, I don’t want to say anything particularly negative or positive about the bank in question. It’s probably not even worth naming them. On the plus side, they were extremely courteous (of course) on the phone. But, on the down side they did fail to get us new cards within even 5 days. They’re on par for the typical banks in the U.S. of America.

We learned one important lesson during the trip: always carry two credit cards. Of course we always knew you should do this, but now we really understood why. I think this is the first trip we hadn’t taken two and naturally it was the first one where we needed two. At least we had an ATM card (which is also supposed to work as a visa but never seems to act that way consistently). Next time we’ll certainly take a back up. We’ve learned.

If there is one thing I’ve learned from travelling: you need to roll with the punches. Almost no trip goes perfectly (oh the stories I could tell about just airports!). When travelling, if you spend all your time just fighting the good fight, you’ll have a lousy vacation.

In the end the bank informed us that we could ask the front desk to charge the bill to our old credit card and it would fail. Then we could call the bank and they would authorize the next charge of that amount and it would succeed the second time. Now, when you go to the front desk of a hotel that you’ve just spent two expensive weeks at and tell them to “try this card but it’ll probably fail” you should have a camera ready to capture their expression. It’ll be priceless. But the process did work as expected and I’ll now quote the receptionist after the second charge succeeded: “Yessssss!” (while throwing a fist in the air).

All in all, Stockholm is a wonderful city to visit. There is more to see and do than you can fit into even two weeks, as it turned out. And if you have to get stuck in a city, it’s a good one to pick to be stuck in. My wife summed up Stockholm wonderfully: it isn’t Paris, but it’s definitely right underneath it as good places to visit.

Leave a Comment

Today’s Conversation With AT&T

So, AT&T has gotten in the recent habit of spamming you with “tips”. “tips” are really “spam” when they’re trying to get you to do things that will eventually make them money (ie, by using more of their services).

Here’s the “tip” I got today:

AT&T:
AT&T Free Tip: Get weather, movie or restaurant
tips from Google on your phone.
Text HELP to 466453 to get started.
To end Tips send no to 4436

Easy, enough, I thought.

Me:
No

And a few seconds later, I got the response back:

AT&T:
Sorry, we did not understand
your response.  Reply ONLY the
word "YES" to activate the 4
channel/$6 Mobile TV plan

HUH???

Ok, I thought. Maybe it’s because my phone auto-capitalized the word “No”

Me:
no

And a few seconds later, I got the response back:

AT&T:
Sorry, we did not understand
your response.  Reply ONLY the
word "YES" to activate the 4
channel/$6 Mobile TV plan

NOOOOOOOOOOOOOOOOO

sigh…

[UPDATE 2009/08/20: Read the follow-on story from a friend describing his conversation with AT&T]

Comments (6)