Running The Gauntlet

I've been wanting to do a cover of this for ages. This lovely little track is from Les Claypool and the Holy Mackerel's 1996 album "Highball with The Devil", and I first heard it not long after the release when Alun Vaughan lent me a tape including superb bass tracks by Les Claypool and Victor Wooten. That tape properly switched my brain on to what bass could do when freed from the constraints of merely being in the rhythm section.

So anyway, I felt like doing an ukulele cover to try and break my mindset up a bit, and this popped to mind. I've been au fait with the bassline for ages, but only just decided that ukulele would work with it. And I think it really does. The bassline is the version played on Live Frogs, and the chords are pretty basic. I've done the verses as

D7, C, G

and then

D, E#, C, Eb, D, G

The drums were built in Hydrogen for Windows, imported into Audacity and a buffer added at the beginning. I then put down a scratch ukulele track to go with the drums, then put down a vocal, which I duplicated, adding reverb to one track and leaving the other dry, then splitting them slightly left and right. Muting the vocals, I then played in the bass track, trying a few different takes until I got a technique and an amp sound that seemed to fit. After that it was a matter of adding some extra ukulele tracks - two for the main body of the song, then an extra two overlaid on the last verse, including one on the banjulele - again splitting them side-to-side.

Everything went straight in via my big condenser mic, including the bass amp (a Roland Cube). I also put in some distorted electric ukulele but decided to leave it out for the final mix. The last thing I did was drive the drums really hard, to distort them a little and to lift them up above the main body of the track.

Et voila.

A new script for @BankWest

BankWest occasionally call me to discuss "a personal banking matter". Generally, it'll be one of

  • You're overdrawn. Again. Give us some money.
  • Your card has been used overseas. Again. Was it you?
  • You're a few days late on your payment. Again. Give us some money.

The first is a business necessity - I do occasionally overstretch my card and Bankwest are right to chase me for it. The second is a nice courtesy and important for security. The third is slightly needless but understandable.

HOWEVER, the way BankWest goes about making these calls is extraordinarily bad practice. And you'll see why in a moment. Here's how it goes


Me: "Oh, who's this? An unlisted number? It shows up as 'blocked' on my iPhone. I'd best ignore it. Probably a telemarketer or a recruiter"

(repeat several times through the day, eventually cave-in and answer)

Me: "Hello?"

Stranger: "Hello, can I speak to [legal first name*] please?"

Me: (suspiciously) "Yes, this is he"

Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. Can I first get your Date of Birth?"

Me: "No. You can't".

Stranger: "Oh. Well, you see, I need to identify you before I can tell you anything"

Me: "Likewise"

Stranger: "Huh?"

At this point, a stalemate ensues, during which I'll usually berate the person on the other end of the line for lacking even a basic working knowledge of information security and mutual authentication schemes. I'll also, often, take them to task for repeatedly calling me through the day, interrupting my podcast listening and generally making me quite pissed off. I might tell them that I'm relatively sure that they actually are from BankWest, but that this is a simple matter of infosec principles. Sometimes I feel bad about giving them such a hard time, but then I remember that these people are representing a business that should know better.

Eventually, I'll agree that at some point I'll call BankWest back on their published customer service number, at which point we will be able to mutually authenticate. I'll know it's them, so I'll be comfortable providing my PII (Personally Identifying Information), and then they'll know it's me. Then we can talk. It's a quite simple handshake protocol.

Without such a handshake, I have no way to distinguish "[name] at BankWest" from "Fraudster at random blocked number". No way at all.

In fact, since BankWest seem to do this to all their customers, they're actually providing "Fraudster at random blocked number" with a pre-rolled gateway into identity theft. After all, It's not too hard to find out my first name, phone number and the fact that I have an account with BankWest. This, apparently, is all our friend the Fraudster would need to get my DoB, Mother's maiden name and possibly other PII from me, all from the anonymity of a phone call.

A particularly convincing caller might be able to use such a position to ask for internet banking details, credit card numbers, bank account details and all manner of different things. He could even finish up the phone call by asking the customer to set up a new secret question, thereby getting PII that even BankWest doesn't have. Very simple indeed, when you know a little about infosec. Next thing you know, your bank account is empty, your house has been used as security on an overseas loan and your mother has been sold to the Russian Mafia.

So, BankWest, here's your new script for when you call me


Me: "Oh, look, an 08 number. Someone is calling me from WA. Who could this be?"

(hits "answer")

Me: "Hello?"

Stranger: "Hello, can I speak to [legal first name*] please?"

Me: "Yes, this is he"

Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. So that we can both be sure we're talking to the right person, could I ask you to call us back on the freecall number as listed on our website or the back of your card? As you know, we encourage our customers to practice secure phone banking."

Me: "Certainly. I'd love to call back. I think I know what it's about. Is it OK if I call you back in, say, two or three hours?"

Stranger: "Yes, it is. Would you like us to give you a reminder tomorrow if you don't call us back by then?"

Me: "Yes, that might be quite useful, I am rather busy today. Thank you"

Stranger: "Thank you. And have a nice day"

Me: "You too"

Isn't that better? Happy Banking for the win. It's much more secure, and it requires little change to how things currently work, but it WILL train your customers into being a little more sensible with their PII, which after all is the lifeblood of any competently-executed identity theft scam.

Oh, there are other ways we could do it. We could do a two-way handshake on the initial phone call, but that would require me to pre-arrange a passphrase of some sort for the purpose, which you'd have to securely store. Or you could provide me with some sort of physical token such as RSA, but that's rather expensive and logistically difficult.

Or (and I like this one merely for its technical aspects) you could have a simple smartphone app or web applet which acts as a trusted key provider for mutual authentication keys. You read me a one-off code, I tap it into my app (or the Bankwest website), which verifies it and returns me two codes. One code I can read back to you, which you can then verify at your end, reading a final code back to me which should match my second code from the app, thereby completing the transaction. Yes, we could do a form of syncronous telephone Kerberos.

These are all workable, but admittedly slightly complex options.

Or you could just have an identifiable caller ID on your initial contact, but I think the callback model requires the least re-engineering.

Feel free to implement this at your earliest convenience. I shall not, at this time, be charging a consultancy fee for information contained in this blog post, but I reserve the right to yell down the phone continually if nothing changes. And since I have whinged about this before, consider this a second strike. The third one may be less polite. Do not ask me for my date of birth over an unsecured channel again.

And finally, just a little excerpt from the January 2005 Financial Services Technology Consortium (now BITSReport:

"Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."


* Jason Brown is not my full legal name

Vaccination Saves Lives: Stop The Australian Vaccination Network
Say NO to the National School Chaplaincy Program