The CA System is Intractably Broken

Tuesday, July 21, 2015 

I’ve been dealing with the hassle of setting up certs for a new site over the last few days. It means using StartCom’s certs because they’re pretty good (only one security breach) and they have a decently low-hassle free certificate that won’t trigger BS warnings in browsers marketing fake cert mafia placebo security products to unwitting users. (And the CTO answers email within minutes well past midnight.)

And in the middle of this, news of another breach to the CA system was announced on the heels of Lenovo’s SuperFish SSL crack, this time a class break in which a Chinese company was able to generate the equivalent of a lawful intercept cert and provided it to a private company. Official lawful intercept certificates are a globally used tool to silently crack SSL so official governments can monitor SSL encrypted traffic in compliance with national laws like the US’s CALEA.

But this time, it went to a private company and they were using it to intercept and crack Google traffic, and Google found out. The absurdity is to presume that this is an infrequent event. Such breaches (and a “breach” isn’t a lawful intercept tool, which are in constant and widespread use globally, but such a tool in the “wrong” hands) happen regularly. There’s no data on the ratio of discovered breaches to undiscovered breaches, of course. While it is possible that they are always found, seemingly accidental discoveries suggest far wider misuse than generally acknowledged.

The cert mafia should be abolished. Certificate authorities work for authoritarian environments in which a single entity is trusted by fiat as in a dictatorship or a company. The public should trust public opinion and a tool like Perspectives would end these problems as well as significantly lower the barrier to a fully encrypted web as those of us trying to protect our traffic wouldn’t need to choose between forking over cash to the cert mafia for fake security or making our users jump through scary security messages and complex work-arounds.

Power Adventures In Iraq

Friday, December 12, 2014 

Plugging things in here is always an adventure. Most of the outlets are the horrible giant British style so they have interlocked grounds, but most appliances are European style, so plugging things in means either using something to jam open the ground interlock, breaking the interlock tabs with force, or dispensing with the plug entirely and just stuffing bare wires in the holes.

When using the latter method, it turns out the British plugs are actually kind of useful because toggling the ground tab with a screwdriver uses the interlocks to bind the wires in place.  You just hope the ground pin is wired to ground, not hot.  Usually it just isn’t wired to anything.

Most appliances and power strips here come from China and are the sort of manufacture China was famous in the US for about 30 years ago: taking something out of the package usually breaks it.  The wires inside are so thin it is amazing they survive and grounds are never, ever actually connected.  I have cables that on the inside have a ground insulator but no ground conductor inside the insulator.  Awesome!

But we just rewired the new villa and even though the ground isn’t wired (of course), the outlets are new and seem like they’re decent quality.  And we even got British style plugs to dispense with the highly problematic and very melt-prone plug adapters.  All seemed good until….

Uh oh.  Maybe it just needed to create a little vent….

Nope.  Melt down.  Good thing these have a built-in fuse…  (which is still fine, though encrusted in melted plastic).

India to Impose eMail Restrictions

Thursday, October 31, 2013 

The cloud is public and ephemeral. Never trust important data to anyone else’s hardware.

India and Brazil are getting it. Finally.

The USG is still moving data to the cloud. It will be an interesting day when it is realized the US isn’t the only country companies like Google and Amazon do business in that have national security data access requirements.

India to impose email restrictions

Overthrow the Cert Mafia!

Friday, January 4, 2013 

The certificate system is badly broken on a couple of levels, the most recent revelation being that TurkTrust accidentally issued two intermediate SSL CAs, which enabled the recipients to issue presumptively valid arbitrary certificates. This is just the most recent (probably the most recent, this seems to happen a lot) compromise in a disastrously flawed system, including the recent DigiNotar and Comodo attacks. There are 650 root CAs that can issue certs, including some CAs operated by governments with potentially conflicting political interests or poor human rights records, and your browser probably trusts most or all completely by default.

It is useful to think about what we use SSL certs for:

  • Establishing an encrypted link between our network client and a remote server to foil eavesdropping and surveillance.
  • To verify that the remote server is who we believe it to be.

Encryption is by far the most important, so much more important than verification that verification is almost irrelevant, and fundamental flaws with verification in the current CA system make even trying to enforce verification almost pointless. Most users have no idea what any of the cryptic (no pun intended) and increasingly annoying alerts warning of “unvalidated certs” mean or even what SSL is.

Google recently started rejecting self-signed certs when attempting to establish an SSL encrypted POP connection via Gmail, an idiotically counterproductive move that will only make the internet less secure by forcing individual mail servers to connect unencrypted. And this is from the company whose cert management between their round-robin servers is a total nightmare, and there’s no practical way to ever be sure if a connection has been MITMed or not as certs come randomly from any number of registrars and change constantly.

What I find most annoying is that the extraordinary protective value of SSL encrypted communication is systematically undermined by browsers like Firefox in an intrinsically useless effort to convince users to care about verification. I have never, not once, ever not clicked through SSL warnings. And even though I often access web sites from areas that are suspected of occasionally attempting to infiltrate dissident organizations with MITM attacks, I still have yet to see a legit MITM attack in the wild myself. But I do know for sure that without SSL encryption my passwords would be compromised. Encryption really matters and is really important to keeping communication secure; anything that adds friction to encryption should be rejected. Verification would be nice if it worked.

no secure encryption unless you pay the cert mafia

Self-signed certs and community verified certs (like CAcert.org) should be accepted without any warnings that might slow down a user at all so that all websites, even non-commercial or personal ones, have as little disincentive to adding encryption as possible. HTTPSEverywhere, damnit. Routers should be configured to block non-SSL traffic (and HTML email, but that’s another rant. Get off my lawn.)

Verification is unsolvable with SSL certs for a couple of reasons, some due to the current model, some due to reasonable human behavior, some due to relatively legitimate law-enforcement concerns, but mostly because absolute remote verification is probably an intractable problem.

(Image: Akamai certs error)

Even at a well run notary, human error is likely to occur. A simple typo can, because registrar certs are by default trusted globally, compromise anyone in the world. One simple mistake and everybody is at risk. Pinning does not actually reduce this risk as breaks have so far been from generally well regarded notaries, though rapid response to discovered breaches can limit the damage. Tools like Convergence, Perspectives, and CrossBear could mitigate the problem, but only if they have sufficiently few false positives that people pay attention to the warnings and are built in by default.

But even if issuance were somehow fixed with teams of on-the-ground inspectors and biometrics and colonoscopies, it wouldn’t necessarily help. Most people would happily click through to www.bankomerica.com without thinking twice. Indeed, as companies may have purchased almost every spelling variation and point them all toward their “most reasonable” domain name, it isn’t unreasonable to do so. If bankomerica.com asked for a cert in Ubeki-beki-beki-stan-stan, would they (or even should they) be denied? No – valid green bar, invalid site. Even if misdirections were non-SSL encrypted, it isn’t practical to typo-test every legit URL against every possible fake, and the vast majority of users would never notice if their usual bank site came up unencrypted one day with a DNS attack to a site not even pretending to fake a cert (in fact, studies suggest that no users would notice). This user limitation fundamentally obviates the value of certs for identifying sites. But even a typo-misdirection is assuming too much of the user – all of my phishing spam uses brand names in anchortext leading to completely random URLs, rarely even reflective of the cover story, and the volume of such spam suggests this is a perfectly viable attack. Verification attacks don’t even need to go to a vaguely similar domain let alone go to all the trouble of attacking SSL.

One would hope that dissidents or political activists in democracy challenged environments that may be subject to MITM attacks might actually pay attention to cert errors or use Perspectives, Convergence, or CrossBear. User education should help, but in the end you can’t really solve the stupid user problem with technology. If people will send bank details to Nigeria so that a nationality abandoned astronaut can expatriate his back pay, there is no way to educate them on the difference between https://www.bankofamerica.com and http://www.bankomerica.com. The only useful path is to SSL encrypt all sites and try to verify them via a distributed trust mechanism as implemented by GPG (explicit chain of trust), Perspectives (wisdom of the masses), or Convergence (consensus of representatives); all of these seem infinitely more reliable than trusting any certificate registry, whether national or commercial, and as a bonus they escape the cert mafia by obviating the need for a central authority and the overhead entailed; but this only works if these tools have more valid positives than false positives, which is currently far from the case.

Further, law enforcement makes plausible arguments for requiring invisible access to communication. Ignoring the problematic but understandable preference for push-button access without review and presuming that sufficient legal barriers are in place to ensure such capabilities protect the innocent and are only used for good, it is not rational to believe that law enforcement will elect to give up on demanding lawful intercept capabilities wherever possible. Such intercept is currently enabled by law enforcement certificates which permit authorized MITM attacks to capture encrypted data without tipping off the target of the investigation. Of course, if the US has the tool, every other country wants it too. Sooner or later, even with the best vetting, there is a regime change and control of such tools falls into nefarious hands (much like any data you entrust to a cloud service will sooner or later be sold off in an asset auction to whoever can scrape some residual value out of your data under whatever terms suit them, but that too is a different rant). Thus it is not reasonable for activists in democracy challenged environments to assume that SSL certs are a secure way to ensure their data is not being surveilled. Changing the model from intrinsic, automatic trust of authority to a web-of-trust model would substantially mitigate the risk of lawful intercept certs falling into the wrong hands, though also making such certs useless or far harder to implement.

There is no perfect answer to verification because remote authentication is Really Hard. You have to trust someone as a proxy and the current model is to trust all or most of the random, faceless, profit or nefarious motive driven certificate authorities. Where verification cannot be quickly made and is essential to security, out of band verification is the only effective mechanism such as transmitting a hash or fingerprint of the target’s cryptographic certificate via voice or postal mail or perhaps via public key cryptography.
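To make the notary idea behind Perspectives and Convergence concrete, and the fingerprint comparison that out-of-band verification relies on, here is an added illustration (my own sketch, not code from the Perspectives, Convergence or CrossBear projects). It assumes hypothetical notaries that record the SHA-256 fingerprint of the certificate they see for a host on each probe, and applies a quorum plus a quorum duration so that a legitimate certificate rotation is reported as a change rather than as an attack, which is the false-positive problem the post raises.

```python
from dataclasses import dataclass
import hashlib

DAY = 86400


@dataclass(frozen=True)
class Observation:
    notary: str       # hypothetical notary server that reported this record
    fingerprint: str  # hex SHA-256 over the DER certificate it saw
    first_seen: int   # unix time of the first probe that returned this cert
    last_seen: int    # unix time of the most recent probe that returned it


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, as hex. This is the value a notary
    records and the value you would read over the phone or mail on paper
    for an out-of-band check."""
    return hashlib.sha256(der_cert).hexdigest()


def current_view(observations):
    """Collapse each notary's history to the certificate it is seeing now
    (its record with the latest last_seen)."""
    latest = {}
    for ob in observations:
        cur = latest.get(ob.notary)
        if cur is None or ob.last_seen > cur.last_seen:
            latest[ob.notary] = ob
    return latest


def evaluate(client_fp, observations, now, quorum=0.75,
             quorum_duration=7 * DAY, min_notaries=3):
    """Decide whether the certificate the client just received (client_fp)
    matches what the notaries have been seeing.

    Returns (verdict, detail) with verdict one of:
      'accept'        a quorum of notaries has seen this cert for long enough
      'recent-change' a quorum sees it, but only since recently (rotation?)
      'reject'        the notaries see something else (possible MITM)
      'insufficient'  too few notaries answered to say anything
    """
    view = current_view(observations)
    if len(view) < min_notaries:
        return "insufficient", f"only {len(view)} notaries reachable"
    agreeing = [ob for ob in view.values() if ob.fingerprint == client_fp]
    if len(agreeing) / len(view) < quorum:
        others = sorted({ob.fingerprint[:12] for ob in view.values()
                         if ob.fingerprint != client_fp})
        return "reject", (f"{len(agreeing)}/{len(view)} notaries see this "
                          f"cert; the rest see {others}")
    # Quorum duration: every agreeing notary must have seen it for a while,
    # so a fresh cert that all notaries have seen only since today is still
    # flagged, but as a change rather than as an attack.
    seen_for = min(now - ob.first_seen for ob in agreeing)
    if seen_for < quorum_duration:
        return "recent-change", (f"quorum agrees, but the cert has only "
                                 f"been seen for {seen_for // DAY} day(s)")
    return "accept", (f"{len(agreeing)}/{len(view)} notaries agree, "
                      f"seen for {seen_for // DAY}+ days")


def demo():
    """Constructed sample data: three fake 'DER' blobs stand in for real
    certificates, and four hypothetical notaries probe the same host."""
    now = 1_700_000_000
    old_cert = cert_fingerprint(b"constructed DER: long-lived site cert")
    new_cert = cert_fingerprint(b"constructed DER: cert rotated yesterday")
    mitm_cert = cert_fingerprint(b"constructed DER: cert nobody else sees")
    notaries = ["notary-us", "notary-eu", "notary-jp", "notary-br"]

    steady = [Observation(n, old_cert, now - 30 * DAY, now - DAY)
              for n in notaries]
    rotated = steady + [Observation(n, new_cert, now - DAY, now - 3600)
                        for n in notaries]
    return {
        # Normal case: the cert the client got is the one everyone sees.
        "steady": evaluate(old_cert, steady, now)[0],
        # Interception: the client got a cert no notary has ever observed.
        "mitm": evaluate(mitm_cert, steady, now)[0],
        # Legitimate rotation: all notaries see the new cert, but only since
        # yesterday, so the tool warns without crying wolf about an attack.
        "rotated": evaluate(new_cert, rotated, now)[0],
        # Only two notaries answered: no basis for a verdict either way.
        "sparse": evaluate(old_cert, steady[:2], now)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

The quorum, duration and notary-count thresholds are the knobs that trade false positives against missed interceptions; the post's complaint about constantly rotating Google certs is exactly the case the 'recent-change' verdict exists for.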

Sadly, the effort to prop up SSL as a verification mechanism has been made at the compromise of widespread, low friction encryption. False security is being promoted at the expense of real security.

That’s just stupid.

Wednesday, May 9, 2012 

What happened to 1920×1200 laptop displays? Why are all new laptops regressing to 1920×1080? That’s the most asinine, disappointing regression since the end of commercial supersonic transport. It is so sad to be living in a world that is moving backwards at an ever accelerating pace.

My first transportable computer was a Mac Portable with a 640×480 screen and I lived with that through a couple of generations. Eventually I got a Dell with 1440×900 pixels and could actually do some real work on it. About 10 years ago I got a Dell M70 with 1900×1200 pixels on a 15.4″ screen and found an acceptable resolution for portable work. Little did I know that the era from about 2000-2010 would be the apex of laptop technology. It is all downhill from here.

Once I looked forward to a bright future with 17″ displays sporting about the same generally usable pixel pitch (about 147 pixels per inch). If the world had continued to advance technically, if the now retired SR71 wasn’t still the fastest, highest flying plane ever built, if the now retired Concorde wasn’t the only commercial supersonic aircraft, if the retirement of the space shuttle didn’t herald the end of US’s manned space flight capability, if we weren’t living on the burnt out ruins of our former capabilities watching our technical competency spiral down the toilet, we’d have WQXGA (2560×1600) 17.4″ laptops right now. Maybe even QXGA 15.4″ options for those of us with good eyes.

But we don’t. We have bizarre stupid Vaio VGN-AW11M/H with kid friendly 104 PPI displays sporting useless 1680×945 pixels on an 18.4″ screen. That’s a pixel pitch straight out of 1990. Thanks for nothing.

Nobody even makes a reasonably sized laptop with a 15.4″ screen with more than 1920×1080 pixels any more (the only WUXGA laptop I can find at any size is the oversized kidz pitch 17″ macbook pro). I’m going to have to stick with my W500, or buy used ones for the rest of my life. Laptop makers – there’s no way I’m going to regress to a less productive smaller pixel count. That’s just stupid. Pull your heads out and give us pixels. The only thing that really matters for productivity is pixels. More pixels=better. Less pixels=worse. Don’t bother releasing a new laptop if it is worse. If you’ve lost the competency, just pack it up.

Apple: the 264 PPI pitch of the 3rd gen ipad is pretty good. If you build a 15.4″ macbook pro with that pitch in QFHD (3840×2160) pixels instead of the bizarrely large type kid’s book useless 1440×900 pixel resolution the current 15″ macbook pro is crippled by, I would actually buy one to run Ubuntu on. And maybe even have a bit of hope for the future.

(I’d suggest refraining from buying a laptop until 2013: ivy bridge will make 1920×1080 laptops as quaint as those 640×480 displays from 1990: the era from 2010-2013 may be known as the dark ages of laptops.)

Keep the Pitchforks Sharp

Tuesday, January 24, 2012 

While David Pogue’s opinion piece “Put Down the Pitchforks” makes a valid point about the alliance of varied views on the utility and validity of copyright that have come together to oppose SOPA/PIPA, the differences are more subtle than his language indicates.

Everyone, even those characterized (somewhat fairly) as the “we want our illegal movies” crowd, is horrified that the United States would contemplate outright censorship of the web à la North Korea or Iran, something we actively fight quite vigorously, and with USAID and State Department support, to ensure that dissidents can circumvent similar blocking schemes.

There is no way to fix the language of the bills to rule out those abuses. Universal filing a flagrantly illegal DMCA takedown request with YouTube to censor the MegaUploads advertisement video, the pernicious use of malicious prosecution by the RIAA, and the recent MPAA/Chris Dodd bribery flap all demonstrate incontrovertibly how the entertainment industry has been utterly shameless to date and there is no basis for the belief that they would voluntarily refrain from an aggressive and likely illegal extension of whatever new powers they are offered. If anything, we need stronger legislation to discourage the current abuse of litigation and take-down powers.

Thus everyone, including those that believe that copyright needs to be extended (again, further), recognizes that the premise of SOPA/PIPA—that parts of the international internet have to be blocked in the US—is fundamentally flawed and cannot be repaired.

The differentiation between the “ignorant mechanism” and “ignorant goal” camps is, however, unfairly characterized by Pogue when he draws an analogy to shoplifting. Copyright is not a property right—it is a privilege that is granted by we the people, an exchange where we the people voluntarily relinquish our right to copy, and we gift the inventor with a temporary monopoly as an incentive to promote the progress of science and the useful arts.

It is not “stealing” to copy a movie; it may be illegal, but it is not stealing. There is no legal basis to consider such an act theft—not in natural law, not in “denial of utility.”

“If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it.”

– Thomas Jefferson, 1813

(A letter that should be read in its entirety by anyone electing to weigh in on copyright.)

The basis and purpose of copyright is codified in the constitution: it is an agreement between we the people and inventors to promote the progress of science and the useful arts; it is neither a property right nor a human right. If any copyright legislation fails to advance the cause of promoting the progress of science and the useful arts it is simply prima facie unconstitutional. And not a single extension of copyright law, back to and including the Sonny Bono Copyright Extension Act, has even bothered to pay lip service to the obligation to promote the progress of science and the useful arts.

The problem is that these bills retard progress by hampering important and economically relevant industries for economically irrelevant ones (regardless of how nostalgic they might be). It is fair, still, to frame copyright protections and copyright modifications with respect to the expected actual net contribution to the progress of science and the useful arts, as the constitution requires. It is unlikely that such an analysis would favor complete abolition of copyright but it is clear that only a mechanism closer to the patent model makes sense: a very limited and carefully regulated temporary monopoly granted to inventors and creators in return for fully contributing their efforts to the public domain promptly thereafter.

(Edited and enhanced by Carolyn Anhalt)

The SOPA/PIPA Fight is Not Over

Friday, January 20, 2012 

Megaupload, the company that enables easy file transfer used by 50,000,000 people every day, was seized by the DOJ. Check www.megaupload.com

This is an illegal, unconstitutional seizure. It is an example of the scum who run entertainment companies like Universal (who illegally got MegaUpload’s video yanked from youtube by filing a false DMCA takedown) turning US law enforcement and the US judicial system into criminal enforcers to create a business model around theft and intimidation to replace their obsolete and irrelevant role as gate keepers and toll collectors between artists and their audiences.

If SOPA/PIPA pass, links to the seized domain would have to be expunged from any site even talking about them. This is intolerable. It is a subversion of democracy and outright theft of the public domain by those who would retard or even reverse progress to protect their profits and wealth.

The constitution grants the privilege of a temporary copyright to artists and inventors as a mechanism to promote the progress of science and the useful arts. Laws that extend this privilege in a manner that fails to promote the progress of science and the useful arts are plainly unconstitutional. Record companies have no natural right to stop you from using your hardware, your devices, to rearrange the bits on your systems in any way you like. They have turned the discussion to claim they have a property right to your data through manipulation and outright lies. The only fair response to their illegal and heinous acts is to revoke their privilege and drive them swiftly into bankruptcy so they no longer have the resources to bribe our representatives into ignoring the constitution.

The DOJ should be using RICO to shut down entertainment companies that use intimidation to protect profits, not innovative companies acting to expand the public domain in a manner clearly consistent with the goals of the framers of the constitution.

USAir, not my favorite airline…

Monday, November 7, 2011 

Carolyn and I were flying from LGA to DCA early this morning. I booked an award ticket through UAL on USAIR, but mine was a connecting flight through PHL as there wasn’t any availability on the direct for award tickets. On UAL this means you have a confirmed flight on the less optimal route but if there are seats at the gate the agent will get you to your destination the most efficient route available, which is also the lowest CO2 emission route and the lowest cost route for the airline: everybody wins.

I called US air the night before to verify that I could fly standby (no problem, I was told) and that there were seats (looks like plenty, I was told). No problemmo.

But not with US-Air. Not that they weren’t friendly enough, but as my booking class was “X” and they didn’t have any “X” seats left, they couldn’t book me even though there were plenty of open seats. I tried with the gate agent, the supervisor, all to no avail. I called UAL but they don’t have any visible inventory because US-Air doesn’t share it with them. US-Air tells me UAL has to get me into one of their open seats. UAL shows no open seats.

So I figure I’ll just go to the gate. Gate agents have special powers over last minute seating. I show them my ticket and they immediately hand it back “no, we already called United, they won’t put you on this flight.” I’m thinking there must be a note on my ticket – but no, apparently the counter had called the gate and specifically told them not to let me on the flight. I get on the phone with UAL and they tell me “I don’t understand why they won’t just accept your coupon.” No budging.

I thought maybe I’d take the shuttle over to JFK and fly direct to IAD, but Carolyn pointed out there was a UAL express flight from LGA-IAD. As I have to get back to IAD later in the day anyway, it is a better option (pick up a rental car and drive myself into DC and back out). UAL got me on it no problem. I bus myself over to the UAL counter, and a very cool and very knowledgeable agent at the counter tells me about his family in Italy and his recording business in Rome while he gets me a very good seat on the LGA-IAD shuttle and clears my upgrade and tickets me for tonight’s flight back to SFO. Friendly agents, premium seating, no hassle, expedited security line.

UAL win: USAir Fail.

Glad I’m not causing a transfer payment after all. Lesson: it is worth flying a less convenient route on UAL than a more convenient one on USAir.

FB vs. G+

Tuesday, July 12, 2011 

An interesting artifact of the FB vs. G+ debate is the justification by a lot of tech-savvy people in moving to G+ from FB because they believe Google to be less evil.  It is an odd comparison to make, both companies are in essentially the same business: putting out honey pots of desirable web properties, attracting users, harvesting them, and selling their data.

Distinguishing between grades of evil in companies that harvest and sell user data seems a little arbitrary.  I’d think it would make more sense to use each resource for what it does well rather than arbitrarily announce that you’re one or the other.

However, if one is making the choice as to what service to call home on the basis of least “evil” and assuming that metric is derived in some way from the degree to which the company in question harvests your data and sells it, then it is somewhat illuminating to look at real numbers.  One can assume that the more deeply one probes each user captured by the honey pot, the more data extracted, the more aggressively sold, the more money one makes. The company that makes the most money per user is probing the deepest and selling the hardest.

From Technology Review May/June 2011, annual revenue per monthly unique US visitor:

Facebook: $ 12.10
Google:     $163.60

Google squeezes out and sells more than 13.5x the data per user. Google wins. But Facebook is gathering $12.10 worth of user data, why should Google allow Facebook to have it? If Google wins that last morsel of data to take to market and takes out Facebook, Google can increase their gross revenue by 7%.

I’ve also heard people argue that Zuckerberg seems more personally avaricious, mean, or evil than Google’s founders, comparing Google’s marketing spin to “The Social Network”.

Zuckerberg’s only newsworthy purchase was a $7m house in Palo Alto. Google co-founders were in the news over a lawsuit between them over whether their 767 “party plane” (Eric Schmidt) could house Brin’s California king bed. This is in addition to their 757 and two Gulfstream Vs they talked NASA into letting them park at Moffett under the pretense that the planes would be retrofit with instruments for NASA. When they couldn’t do that (FAA regs, who knew?), they bought a Dornier Alpha, but still get to park their jumbo jets and gulfstreams inside NASA hangars for some reason. Suck on that, Ellison!

Singapore Air: Nice planes, Crappy customer service

Saturday, July 2, 2011 

Singapore Airlines sucks… OMG.   Not only do they seem to have real trouble handling bags, they have absolutely no customer service at all.  None.  Zilch.

I flew SFO-JFK on a UAL PS flight first class on the 1st; JFK-FRA on Singapore Air, first class on the 1st-2nd; FRA-FLR on Lufthansa business the 2nd.  When I arrived in FLR, no luggage.  I waited for the next FRA-FLR flight to arrive, no luggage.  There had been 3 FRA-FLR flights before mine my luggage could have taken, no luggage.

I had a 3 hour layover in JFK, somehow Singapore did not get my luggage on my flight, despite flying first class and having one of those “priority” tags on my bag (as if). United’s scan showed they delivered the luggage to singapore on time, but that Singapore just hadn’t boarded it, and rather than find the fastest way to get it to me at my destination, put it on the same flight (SQ25) 24 hours later.  They hadn’t bothered to try to contact me.  At all.

Now that’s lame, lame for coach, pretty much intolerable for first, but to make matters worse:

Their online luggage check tool at http://www.worldtracer.aero/cgi-bin/fileframe.exe?tran=XXXsqXXXXXl1=enCB=Y does not have current information, but United has more recent information – FOR SINGAPORE. If they could give me some information, any information about the luggage, I’d be more confident, but that the only useful information I could get at all came from United, and from them only as a courtesy, is just astonishing.

I was given this number by united to call: 800 742 3333, it is a call center that could do nothing at all to help but sound vaguely apologetic and give me the Local airport number.

I called that number, 718 751 3832, and got voice mail. Of course I left a message, of course nobody called back.

I called their lost and found number at 1 800-2244243 and got fast busy every time (during daylight hours Singapore time, daylight hours EST, daylight Europe time… the number seems disconnected: WIN SQ!).

I wrote them at sqbaggage_enquiry@sats.com.sg, no answer so far.  (update, 12 72 hours later, no response at all).

I found the JFK office number on the Singapore site, which is actually their “traffic number” at +1 (718) 751-3830 and called and got voice mail, no answer, no response. (update, no call back 12 hours later UPDATE again – still no contact at all from Singapore – 3 days).

I found the JFK baggage office email at JFK_LostNFound@singaporeair.com.sg and sent a note there, of course no response.

I filled out the form at https://www.singaporeair.com/baggageFeedBack.form and at https://www.singaporeair.com/customerServiceFeedBack.form, but of course got nothing back – so far not even an automated response (update: got an automated response, but no real response 12 72 hours later).

I called the 24 hour call center in singapore at +65 6223 8888 and their phone tree system had real trouble recognizing DTMF signals and they had no default to human operator. It’s a reservations system and has endless hold problems, but at least I eventually got hold music. No help, but hold music. Update – I did eventually get someone but they were as useless as the first number. I had serious trouble explaining that I needed to speak to a human being and that it wasn’t useful to give me a number to call where nobody answered.

I demanded that the operator connect me, and she finally connected me to someone who said “hello.” I said “hello.” He said “hello.” I said “hello.” Excuse me, who are you? No “can I help you?” No “I’m sorry we screwed up and didn’t get your luggage on the flight?” But finally, finally, someone at Singapore who could, if not entirely politely, at least look up the status. I had to correct him when he said “you lost your bag” to me: “No YOU lost my bag, you failed to board it on my flight. Where is it?”

People rave about Singapore Air and while the flight was comfortable enough and the food excellent… and the FAs the nicest and most attending I’ve experienced, their baggage handling and customer support is horrible. Unbelievably worse than even a discount airline in the US. And the thing that pisses me off most (and this is the same with UAL): they KNEW my luggage didn’t get on the plane before my flight took off – certainly long before I landed. Why wait until I get to my final destination to file a claim before fixing it? Flying first class on a transcon flight they should have had someone waiting for me at FRA with a toiletries kit and an apology and an update as to where my luggage was so I didn’t have to waste 90 minutes at the airport filing a claim and another hour or two following up to find out the status of their screw up (Update: 4 days later and Singapore has yet to take a single step to rectify their mistakes or apologize).

UPDATE 1: 12 hours after arrival, UAL is still the only airline that is willing to answer their phone or check on updates.  I haven’t tried to track down Lufthansa, though they haven’t yet answered their email.  UAL is at least polite and responsive on the phone and can track the bag for me, even though they didn’t lose it, Singapore did.  Note that Singapore has known my bag wasn’t on my flight for almost 36 hours already and has not bothered to contact me (update: 4 days later and not a word from Singapore).

UPDATE 2: 24 hours after arrival, Singapore’s web site still says “Bag 1 Status TRACING CONTINUES. PLEASE CHECK BACK LATER.” But FINALLY got through to Singapore Air and spent some time teaching the bag guy there how luggage scanning works at different airports and why it is reasonable for him to be able to answer whether my bag had made it to FLR yet or not (shaming him a bit by explaining that if he couldn’t answer, I can call UAL and they DO know because their computer WORKS).

He kept telling me he was the one who “rushed” my bag to FLR.  I’m sorry, using the word “rushed” for putting my bag on my same itinerary 24 hours late isn’t “rushing.”  Just like making me call HIM to find out the status when he knew my bag was misplaced isn’t “customer service.”  In a moment of honesty he said “I don’t know why your bag didn’t get on your flight.”  SQ simply screwed up, but hasn’t done anything to fix it at all.

He finally managed to look it up after I basically explained how to do it over the phone and confirmed it was in Florence, but had made no arrangements for final delivery.  At least he knows how to check on the status of a missing bag now, so if anyone else loses their bag out of JFK on Singapore and wants to find the status, call +1 (718) 751-3830 during regular daytime hours and if you’re lucky the same guy will be there and know how to look it up for you.  You’re welcome.  I forgot to ask him to add a local cell number to the record, but that was too painful, I’ll call UAL and ask them to do it, even though this is all SQ’s fault.

UPDATE 3: 36 hours after arrival, Singapore’s web site now says “Bag 1 Status ITEM LOCATED, PENDING CONFIRMATION”  According to Singapore Air the bag was actually delivered to FLR last night. I called the airport and they were very polite but couldn’t give me any information other than to take my number and offer to call tonight.  As it might be out for delivery, I won’t drive back to the airport yet.   Singapore still has yet to call me, message me, or respond to any email. UPDATE – they were wrong, the bag had not made it to FLR.  They were either lying or incompetent.

UPDATE 4: 48 hours after arrival, still can’t reach anyone at Singapore at any number.  I’ve taken to calling sequentially all of their listed numbers in the entire world trying to reach someone, anyone, with 1/2 a clue… or who will even answer the phone.  As that was complete FAIL I called UAL again.  Of course they knew exactly what was going on.  My luggage seems to have gone on SQ 25 from JFK a day late, and flown to FRA… but…  it seems they FORGOT TO UNLOAD IT.  WTF?  OMFG.

So UAL tells me it is now actually on SQ 326 from SINGAPORE to FRA.  It is supposed to connect tomorrow on LH308 arriving on the 5th.  They lost it on the 1st.  That’s 4 full days Singapore has known they screwed up, and two MAJOR screw ups, and not a single contact from them, not an email, not a phone call, not an SMS, not anything.  I’ve written them maybe 6-8 emails and called every number I could find and actually talked to two people, including the guy in NY who insisted that he RUSHED to get my bag on the same flight 24 hours later (but didn’t bother to contact me or assist me in any way to either locate my luggage or offer to assist with the absence of luggage) and still not one single proactive step from them at all.

I finally got some poor guy at the LA office and gave him a bit of a chewing out for their corporate incompetence.  He promised to tell his manager and try to get back to me.  We’ll see, but what can they say?  “Um, sorry we forgot to load your luggage.  Sorry we didn’t bother to say anything at all about it.  Sorry we forgot to unload it in Frankfurt and took it on a world tour instead… I guess we’re just incompetent morons?”

UPDATE 5: 60 hours after arrival.  Still not a word by any means from Singapore Air. They have yet to even apologize for losing my luggage, not once, but twice on the same trip.  That’s just inexcusable.  I called FLR’s automated luggage line and they told me the luggage has been found and will go out for delivery as I arranged with them.  No call yet to arrange delivery, but at least it is no longer in Singapore Air’s incompetent hands.

UPDATE 6: 72 hours after arrival.  I got through to someone at FLR.  Their automated line in English and Italian is at +39 055 3061 302.   The information they provide has so far proven correct, so it is a fairly reliable system (unlike Singapore Air).  They also have a direct line, though the people there are quite hassled and busy, but if you need to update your record, you can reach them at +39 055 3061 680.  Still not a word, not an email, not an SMS, not a call from anyone at Singapore.

UPDATE 7: 84 hours after arrival.  I finally got an email from Singapore Air – first contact from the company.  It reads:
Dear Mr Gessel,

thank you for your e-mail sent to our baggage enquiry department in SIN.

According to your Missing Report FLRLH82547 raised in Florenz with LH, the bag was received in Florenz yesterday, on the 05th of July.
Unfortunately, I cannot tell you the status of the delivery as I’m at Frankfurt. But I’m confident that our colleagues from LH will arrange a fast delivery to your mentioned address in Italy.

We apologize for any inconveniences caused to you because of this unfortunate incident.

Best regards,

Silke Ruthotto
Senior Customer Services Agent

Gebäude 201 HBK 277
60549 Frankfurt/Main

Tel.: 069-690-32881
Fax.: 069-690-54681

I appreciate the apology, but it has been 5 days since Singapore first discovered they lost my luggage and this is the first they’ve bothered to say anything, and that thing is “OK, we’re done screwing it up, Lufthansa can sort it out.” Still no delivery advice. Perhaps he could have taken the time to find out what the delivery timing will be and let me know.

UPDATE 7: My luggage was just delivered, at 0710 ET July 6. Singapore Air first became aware they had failed to board it on SQ 25, presumably shortly after takeoff at 2125 ET July 1. It took them 100 hours to contact me at all, and then only after I sent them dozens of messages and called every number they had to try to track down my luggage, and my luggage finally got to me 92 hours late.

It has been all over the world since I checked it in at SFO 5 days ago.  The Singapore reroute tags tell the tale: they start on the 2nd, and are crossed out and updated with 4th and then 5th.  Nice work!  Once it got to LH, it was delivered quickly.

My Luggage travels more than I do

Conclusion: Singapore Air gives a great front office experience, but their back office needs some serious work.  With the amount I’ve flown, I’ve had my luggage misdirected plenty of times, but never twice on the same flight – never misdirected in the effort to get it to me.  That is a special category of fail.  I’m particularly annoyed by Singapore’s astonishing lack of responsiveness: they provide no functional way to track down luggage they’ve lost.  None at all.

If you’re lucky and you’ve connected with another carrier, a responsible one, you can get updates and keep track of what is taking so long, but not through Singapore.

Singapore’s in-cabin reputation is well deserved, definitely one of the best in the business, but their back office is one of the worst.  Discount airlines do a better job.  I would not trust them with my luggage again.