Off Topic

Tuesday, March 03, 2009

Cash Only

By Adrian Lane

Off-topic post ...

My wife is constantly reading about the banks and lending institutions, and likes to read to me every gory detail she learns. Occasionally I do listen. About a month ago she made the comment "If the banks do go under, we'll have to go back to cash. That will be strange." I thought about it for a while and I realized just how true that was. I seldom carry cash. I do a lot of my shopping on the Internet. Can't really do that with cash very well. I used the credit card for everything ... even the occasional Starbucks triple-shot-Hoff-inspired-venti-iced-coffee-with-splenda-shaken-not-stirred gets a credit card swipe. Then my wife says "Let's see if we can go for a month without spending on the credit card. Just cash!" Being the contrarian that I am, I decided "What the heck, let's try it."

We failed miserably.

The whole thing about spending cash is you have to go somewhere and get cash before you can spend cash. An important small step. We had a minor medical emergency and we were not about to slow down and get cash first. When you take enough out to cover expenses, the bank tellers get weird and antsy like you are doing something wrong. Trying our best, by the end of the month, we looked at the results, and we were only 60% credit card, 40% cash by dollar amount. But overall, our spending was down quite a bit. While we hear about how much easier psychologically it is to spend money when it's not cash, I see just how true that is. Either you reel yourself in because you are not sure you have enough cash on you, or you feel a little more attached to the money than the concept of money and hold back on some purchases that are not necessary. So we are going to try it again this month, and we think we can reverse this to 60% cash, 40% CC.

I have never been mugged. I have never had my wallet stolen, and I am not really worried about carrying some cash around. I have had fraudulent charges on my credit card, more than a dozen times, and I am constantly worried about my bill having bogus charges. I usually state that the reason I use credit cards so much is that I have reduced risk. Lost or stolen, I am only liable for $50.00. Airline tickets and hotels are a nightmare without a credit card. And I would never buy something online without the ability to shield myself from bogus merchants. But my perspective has changed: given most common situations, cash has a lower risk than credit, and it has changed my behavior in a positive way.

It's been an interesting experiment, and I think we are going to keep doing it for a while.

–Adrian Lane

Tuesday, January 13, 2009

Phil Collins is the Mel Torme of my generation

By Adrian Lane

This post is deeply off topic, has nothing to do with security, and everything to do with my personal realizations about music.

My calendar says that it is 2009. My radio says it is 1978. The radio must be right because I just listened to 'Werewolves of London' each and every day for the last three days.

It's just weird, because I like music, but I am also getting tired of it. I like to have the radio in the background pretty much all the time. I am what is called a 'Stereophile' as well. I love music and I love the intricacies of the technology used to reproduce music, so playing with stereo equipment is nirvana for me. When not writing white papers and blogging, I am reading about and listening to my stereo systems. 3 systems in all, plus a radio in the kitchen, car and garage. My musical tastes vary, but I tend to listen to rock during the day, jazz/ragtime/blues at night. The latter has been great as I am not saturated with it, and I am constantly finding new stuff that I like (while I am on the subject, James Brown was a bad-ass!). But it's the rock and roll on the Radio that's got me really vexed. Why?

On the Radio it is 1987. I know this because I have heard 'Welcome to the Jungle' each and every day for the last 8 days.

Did our brains somehow imprint an image of what music was supposed to be when we were young, and now we cannot move away from that? I never thought as a child that when I became an adult I would be listening to the same music I was listening to at 4, 8, 12, 15, every day, day after day for eternity. Bad when you grow tired of songs you like, awful when you still hear the songs you grew weary of in high school. I always assumed that there would continually be new music that I liked, from the bands that I liked, and the radio stations would progress as the musicians did. Not so! AC/DC and Aerosmith may have the odd hit, but most new music flops horribly. Chinese Democracy can't get half the air time of Appetite for Destruction. Sure, that's a blessing, but one is new and the other is a tired 22 years old. A couple new bands offer the interesting song or two, but the rock & roll stations continue to play the same music, over and over and over. It appears that every major rock band in the world wrote three songs and the remainder of their recordings were burned so that we could focus all our time and energy on a handful of 'important' (re: safe) songs.

Oh, listen, it's Aqualung. Just like yesterday.

This is what prompted me to try and diversify from Rock a bit, but with very little success. Old school Hip Hop gets my occasional attention when I run across something like 'You Be Illin', but I have never been able to really enjoy Rap. Tried real hard with classical; even accepted the 1200 classical albums to see if my musical tastes somehow 'matured' enough to listen to these composers. Boredom forced me to give the collection away to someone who would appreciate it. Country and Western makes me feel like life is not worth living and I want to slash my wrists. There are plenty of popular Mexican music stations that are somewhat entertaining, but after a while, especially when you do not understand the words, the same 'da da da dat dat dah' accordion bridge grows very fatiguing.

So I tune back to one of the 6 rock stations I get here in Phoenix, where it's 1985, and I am listening to this fresh cut of Sussudio.

In my teens I would never have dreamt that Phil Collins would be on the radio, every day, as if he was a first run artist that everyone listened to - with a new top 10 hit every week. But just listen a few minutes and there he is, as if we just loved his stuff. He gets more air time than Kanye West. A competent singer, songwriter & drummer, I really have no problem with Phil Collins. OK to listen to, say, once a month. 4 times a day on the radio makes me want to hurl. And now I know why Phil Collins is the Mel Torme of my generation. Good enough to make the favored radio station play list, but if you were a non-fan of the art, you would think this guy is a Louis Armstrong or Mozart-esque musical genius.

What can you do? Keep singing along I guess ... "Aaahoo, Werewolves of London".

At least I LIKE that song.

–Adrian Lane

Wednesday, January 07, 2009

Contingency Planning

By Adrian Lane

I was a bit shocked to read about Adolf Merckle's suicide yesterday. You just don't see this sort of thing coming and I cannot even fathom the reasoning behind it. This has sent tremors through the market and certainly sent his holding company into disarray for a while. It also reminded me of other similar events surrounding the last economic downturn, and that was kind of the 'final straw' that prompted this post. With many of the same signs and issues occurring as they did in the tech collapse of 2000-2002, few are eager to look at the downside, but it is time to spend a few minutes and verify contingency plans within your organization. It is a New Year, and what's more a bright sunny day in Phoenix, so while it feels a bit incongruous to be talking about disaster recovery and such, it is a good time for you to give it a little thought. I am not really going into the issues of natural disaster, rather economic disaster. Nor am I focused on executives who need to consider change in management, but on the general well-being of the people who work in your company whose livelihood and personal information may be dependent upon some degree of continuity.

Files: Budget in advance for the storage of sensitive information. I am not just talking about electronic data, but all of the legal, contract, HR and other files that contain sensitive information. Pre-pay for files to be housed off site and stored safely. This is typically not that expensive, and in the event that the company changes hands or goes out of business, could become essential, but when the need is clear, it might already be too late. What you don't want is contracts, accounting information, and employee files getting chucked in a dumpster. It happens, and it happened a lot in 2001, only this time there are regulatory fines if you get caught. If you are not doing this today, look into it. Many of the services provide destruction services at the end of term so the data is safely disposed of.

Executive transition: Executives leave, and sometimes in unexpected ways. I am not trying to make fun here but point out that in stressful times, people look to change their situation. In tough economic climates, executives leave for what is perceived to be a safer place to work. As a board, HR department or executive team, think about the risks and have a basic plan of action in the event that any of the key staff leaves the company. Executive departure can stall incoming revenue, business partnerships, financing and even sale. There may not be a lot you can do, but better to be prepared.

On-site and off-site backups: You are probably already doing this, so I will focus on an equally important issue: Verify your backups. In the tech collapse of 2001-2002, many firms went out of business without access to the data that formed the core business value. Backups could not be found or were unreadable. In many cases, their servers were 'in hock', locked up at the Colo facility with unpaid fees. This stalled the sale of assets and cost jobs that would have otherwise been offered had the data been available. So verify that the backups are complete and readable. If the backups are encrypted, make sure the key and decryption infrastructure are also available.

Employees on Visas: I have seen some very uncomfortable moments for those employees on a Visa that are in a much more vulnerable situation. If this applies to you, go through a couple 'what-if' scenarios and have a plan to deal with the company shutting down, downsizing or being acquired. Press your HR team for assistance in this area.

General Security: As a company begins to reduce staff, items walk out the door, from office supplies to computers. You really don't want a laptop with customer data being sold on eBay, so you will want to tighten up on security. Physical security: make sure major assets are accounted for. Have your IT staff take inventory. Electronic security: make sure your procedures are in place for shutting down accounts and snap-shotting the end point so there is no loss of data or correspondence. You may want to consider adding email filters to forward business related email, or re-routing telephone numbers.

Startups: If you work for a startup, you want to take this advice a little more to heart. Startups by their very nature tend to have less cash reserves, their margin for error is smaller, and their tolerance for both is higher. That means when things go bad, they do so very quickly. Most entrepreneurial CEOs always figure the next deal is around the corner and are out of business the next day when it does not come. This leaves for some ugly exits where the employees do not get paid, benefits are not covered and investors are wondering where all of the remaining assets are. If your revenues are not on the rise, then look for ways to cut costs at a company and individual level. Look to eliminate things you deem wasteful. Demand that management be forthright with you on what they are doing to cut costs and what a realistic run rate is. Set expectations with supervisors that you will be more tightly focused on priorities, but doing less with less. Without these steps, life devolves into a Dilbert cartoon.

Personal Development: On a positive note, downturns offer opportunity, and are a great time to expand your horizons. As companies try to perform the same functions with fewer resources, it is an opportunity to offer your assistance in areas you are interested in and broaden your skill set and increase your value. Education and training is also great for this, providing a distraction from the daily grind and a good motivator as well. Try to contain your exposure to bad economic news if possible; I used to watch people in the tech collapse go to F**ckedCompany.com a dozen times a day and become more and more depressed. Being informed is one thing, but wallowing in bad news is unhealthy. Stress is a major factor so continued exercise and out of work diversions are necessary, because if you are forced to look for a new job, positive attitude and confidence are your best friends.

–Adrian Lane

Tuesday, December 16, 2008

I Do Not Have A Relationship With GDS International Or Business Management Magazine (Updated With GD

By Rich

It came to my attention today that Business Management Magazine (www.busmanagement.com- not linked on purpose), part of GDS International, is using my name to sell sponsorship of their publication and some roundtable event at the RSA conference.

Not only do I have NOTHING to do with them, they were advised over a year ago to stop using my name or the Gartner brand to sell their reports.

I participated in an interview nearly 2 years ago, mistakenly thinking they were a valid publication. Reports started coming in that they were using my name to sell themselves, implying endorsement, and I retracted the interview before publication. The editor I worked with quickly left the company afterwards based on seeing the deceptive practices himself. He warned me that his computer was seized and the interview used without permission. It's over a year later and they are still using my name without permission.

They are also implying that they are timing the release of their publication with a major report I'm releasing. This is completely false- I have not revealed my publishing schedule. I don't even know exactly when the report is coming out.

I'm pissed. The only people who can use my name to sell anything are Gartner. If you ever hear anyone else implying my sponsorship, endorsement, or participation, please let me know.

Update on 16 December, 2008:

For some reason, this post started receiving a large amount of comments about 2 months ago, many of which were inflammatory and inconsistent with this site. GDS then contacted us to discuss the incident. They provided a statement/apology that we agreed to add to this post, and we also offered to just remove all the comments and lock future comments. The incidents occurred years ago, and we see no reason to let this drag on.

Here is a response from Spencer Green, Chairman of GDS:

Dear Mr Mogull — while it is not my practice to respond to each and every comment on my company, I feel that this thread warrants particular attention. I too have the strange compulsion to defend. GDS International employed a member of staff two years ago who misrepresented our relationship with yourself and Gartner. He was caught before we received your letter and dealt with accordingly — fired for gross misconduct. The editor you mention did not leave the company based on seeing our "deceptive practices": they too were sacked (for a number of reasons, yours included). No computers were "seized". We made a full and frank apology to Gartner at the time, which was accepted, and our two companies moved forward. Misrepresentation is completely against GDS policies. It is antithetical to our business model — a short-term act that benefits the individual over long-term thinking that benefits the organisation. GDS is proud of the work we do, of the many long- and short-term business relationships that we maintain, and of our employees, who — this example excluded — consistently perform to our high standards. GDS has been trading for 15 years and currently employs over 450 people. In these last two years, we have grown 50% year-on-year. We are a robust, ambitious company with a solid, proven and scaleable business model — not a house of cards. It is a real shame that the actions of one GDS employee affected you. Hundreds more are working to produce the best business magazines, events and websites. I hope you will take the time to check us out. Thank you for the opportunity to draw a line under this incident. Regards, Spencer Green Chairman, GDS International

–Rich

Monday, December 08, 2008

Focus & Priorities

By Adrian Lane

This scene I ran across last week captured the essence of one of the points I want to make regarding security programs. This is a picture from a foreclosed home that I walked into Friday. The view is from the throne room master bedroom door, and you can see the shower stall off to the left, the bed to the right. It appears that the owners spent a great deal of time buying tile at Home Depot and making 'improvements', what with pretty much the entire house being self expression in fired clay and strategically placed mood lights. Rather than focusing on the basics, like say, paying the mortgage, they spent hundreds of hours and thousands of dollars in materials building a shrine to some toilet deity I am unfamiliar with.

In data security and home improvement alike, focus on any specific function or appliance will leave you exposed.

–Adrian Lane

Monday, December 01, 2008

Holiday Bargain Shopping

By Adrian Lane

Did you buy one of the deeply discounted Plasma Televisions this weekend? How about a new digital camera? How about eBay? No, not something being sold there, but the company itself. Chris O'Brien over at the San Jose Merc speculates on what it would take to buy the auction site as there have been some rumors floating around on this subject, and indirectly points out why cash is king. Meanwhile the London Times claims Microsoft was doing a little Black Friday shopping of its own, another rumor that probably will not die until it is no longer a rumor. What the heck, take half off and let the Holiday rush begin!

–Adrian Lane

Thursday, November 20, 2008

Sensitive Data Dumped

By Adrian Lane

I swore that I was not going to cover data 'breach' events unless there was something that was really interesting or unique about it. There are too many and the general public has grown desensitized as the number of records and the overall number of breaches is, well, mind numbing. But this caught my eye as I think I may have taken photos of this house when it went back to the bank:

Boxes containing loan applications, Social Security numbers and bank account information for residents of a Gilbert neighborhood have been discovered in a ransacked model home abandoned by a bankrupt developer. Several Higley Park model homes have been broken into since builder Randall Martin ceased operations. One home even had its garage door stolen, residents say. Julio Gonzalez, member of an ad hoc committee of Higley Park residents, found the boxes of paperwork when he was surveying the damage to the model homes.

This sort of thing is going to be a lot more common in the coming months: bankrupt businesses throwing their files in the trash, or in this case, just leaving them behind in the building and walking away. Weird that the police wanted nothing to do with the files as I would think this is evidence of a crime.

–Adrian Lane

Tuesday, November 18, 2008

Pumping Out Noise

By Adrian Lane

I kind of get a chuckle from articles like this recent series at Dark Reading on phishing, spam and malware. First came the contradictory posts, both posting that Phishing Attacks are reaching record highs, while simultaneously trumpeting that the king of spam and botnets had been shut down. I don't suppose it dawned on the editors that if the channel that conveys the phishing attacks is "shut down", then we are not likely to see "Record Highs."

Then there is the headline that November 24th, the biggest shopping day of the year, could be a "Black Monday" in terms of malware threats ...

"PC Tools predicted Nov. 24 would be the most active day for malware threats after analyzing worldwide virus data on more 500,000 machines and data from last year's holiday season".

Then again, maybe not:

"And while spam and malware typically surge during the holiday season, this year may actually be a little less active than in years past, says Roger Thompson, chief research officer at AVG Technologies. No one should be especially worried about Nov. 24 ...".

Um, yeah. I am all for articles with interesting & topical information, and I understand the need to balance both sides of an issue, but if you are going to use attention grabbing headlines about some huge threat, you should at least provide some links or direction on what to do about it. Missing from all of this was a singularly relevant piece of useful information that most end users could easily use to help themselves in the battle against phishing and malware attacks, namely: DON'T CLICK EMBEDDED EMAIL LINKS.

–Adrian Lane

Tuesday, November 04, 2008

“Felon” Database

By Adrian Lane

Most of you probably have a friend like mine, someone who forwards every joke, video and picture they find amusing to their friends list. Sometimes humorous, I still look through all of the emails. Buried in the daily offering was the following link for a site called FelonSpy that I found somewhat fascinating. It was kind of like a reality TV show; insipid, but just different enough I had to check it out.

First thing I have to mention is that the data is bogus. Click the 'Search' button a few times in a row with the same address and you will see that the graphs are random. I have felons appearing and then disappearing on raw BLM land down the road from me. And if you change the address often enough, you will see the same names and crimes appear over and over in different states. Whatever the real case is, this explanation is bull$!^#, and makes me believe that the entire site is bogus.

Still, if the data was real, do you think this is a valuable tool? Would it help you with safety and security?

Being someone who had a recent event that has changed my approach to personal safety, this sort of thing is on my mind. Part of me thinks that this type of education helps people plan ahead and react to threats around them. But once it became obvious the data was bogus, I started thinking about people I knew in my area that had criminal backgrounds; the startling discovery that half of the people I know who have criminal backgrounds are some of the nicest and most trustworthy people I know in the area! Some I don't trust, most I do, which is a slightly better percentage than when I meet random strangers in public. It seems to me this type of technology blindly creates a virtual scarlet letter of sorts, and is an unreliable indicator of good or bad. It probably does not help anyone be more secure- instead listing events that feed paranoia and fear, but still inadequate to make any sort of valid assessment.

–Adrian Lane

Sunday, September 21, 2008

Stealth Photography

By Adrian Lane

This is an off topic post.

Most people don't think of me as a photographer, but it's true, I am. Not a good one, mind you, but a photographer. I take a lot of photos. Some days I take hundreds, and they all pretty much look the same. Crappy. Nor am I interested in any of the photos I take, rather I delete them from the camera as soon as possible. I don't even own a camera; rather I borrow my wife's cheap Canon with the broken auto-cover lens cap, and I take that little battery sucking clunker with me every few days, taking photos all over Phoenix. Some days it even puts my personal safety in jeopardy, but I do it, and I have gotten very stealthy at it. I am a Stealth Photographer.

What I photograph is 'distressed' properties. Hundreds of them every month. In good neighborhoods and bad, but mostly bad. I drive through some streets where every third house is vacant or abandoned; foreclosed upon and bank owned in many cases, but often the bank simply has not had the time to process the paperwork. There are so many foreclosures that the banks cannot keep up, and values are dropping fast enough that the banks have trouble understanding what the real market value might be. So in order to assess value, in Phoenix it has become customary for banks to contract with real estate brokers to offer an opinion of value on a property. This is all part of what is called a Broker Price Opinion, or BPO for short. Think of it as "appraisal lite". And as my wife is a real estate broker, she gets a lot of these requests to gauge relative market value.

Wanting to help my wife out as much as possible, I take part in this effort by driving past the homes and taking photos of homes the banks are interested in. And when you are in a place where the neighbors are not so neighborly, you learn some tricks for not attracting attention. Especially in the late afternoon when there are 10-20 people hanging around, drinking beer, waiting for the Sheriff to come and evict them. This is not a real Kodak moment. You will get lots of unwanted attention if you are blatant about it and walk up and start shooting pictures of someone's house. Best case scenario they throw a bottle at you, but it goes downhill from there quickly.

So this is how I became a Stealth Photographer. I am a master with the tiny silver camera, sitting it on the top of the door of the silver car and surreptitiously taking my shots. How to hold the camera by the rear view mirror but pointing out the side window so it looks like I am adjusting the mirror. I have learned how to drive just fast enough not to attract attention, but slow enough so the autofocus works. I have learned how to set the camera on the roof with left hand, shooting across the roof of the car. My favorite maneuver is the 'Look left, shoot right' because it does not look like you are taking a picture if you are not looking at the property. Front, both sides, street, address and anything else the bank wants, so there are usually two passes to be made. There is a lot to be said about body language, when to make eye contact, and confidence in order to avoid confrontation for personal safety and security. I have done this often enough now that it is totally safe and seldom does anyone know what I am doing.

Sometimes I go inside the homes to assess condition and provide interior shots. I count bedrooms, holes in the walls, determine if any appliances or air conditioning units still remain. Usually the appliances are gone, and occasionally the light fixtures, ceiling fans, light switches, garage door opener and everything else of value has disappeared. In one home someone had even taken the granite counters. Whether it is a $30k farmer's shack or a $2M dollar home in Scottsdale, the remains are remarkably consistent with old clothes, broken children's toys, empty 1.75's of vodka and beer bottles being what is left behind.

For months now I have been hearing these ads on the radio about crime in Phoenix escalating. The Sheriff's office attributes much of this to illegal immigration, with Mexican Mafia 'Coyotes' making a lot of money bringing people across the border, then dropping immigrants into abandoned houses. The radio ads say if you suspect a home of being a 'drop house' for illegal immigrants to call the police. I had been ridiculing the ads as propaganda and not paying them much attention as immigration numbers were supposed to be way down in Arizona. Until this last week ... when I walked into a drop house. That got my attention in a hurry! They thankfully left out the back door before I came in the front, leaving nothing save chicken wings, broken glass, beer and toiletry items. This could have been a very bad moment if the 'Coyotes' had still been inside. Believe me, this was a 'threat model' I had not considered, and I blindly ignored some of the warnings right in front of my ears. So let's just say I am now taking this very seriously and making some adjustments to my routine.

–Adrian Lane

Friday, August 22, 2008

Uniform Time

By Rich

As many of you know, I'm more a washed-up paramedic than a security analyst. My youthful indiscretions tended to involve ambulances and fire trucks (you'd be amazed at all the fun things you can do with them when no one is looking).

Although I'm just an EMT these days, I'm still on a federal response team for disasters and other large incidents. In a couple hours I'll be heading out to wear uniforms for a week and sleep with 60 other people in an undisclosed location (don't worry, I'm not breaking opsec by revealing that). I'm just a low level grunt on the team but find that a little manual labor does the soul some good on occasion.

I may still get some writing done since we should have a fair bit of down time, but I won't be very responsive over email.

A day after that, I head off for a real vacation -- my wife and I are cruising Alaska before it all melts. If I try to work on that trip I've been told I better practice my cold water swimming skills. Still, I'll be checking email for emergencies.

The next couple of weeks will definitely be ones of contrasts.

–Rich

Monday, August 11, 2008

What to Buy, Part Two

By Adrian Lane

So we took the plunge at the Lane household and bought an iMac. That is the good news. The bad news: it was my wife, and not me, who made the purchase.

My wife's laptop performed the 25 month post-warranty belly flop while I was at DefCon. A few flickers on the monitor and nothing. A very cold no-boot followed. So off we went to Fry's today and after an hour browsing she wandered by the Macs. She was looking at the iMac and asked, "Where is the box? Doesn't this thing have a disk drive?", to which I replied "The disk and processor are built into the monitor housing, so there is no box". Her eyes opened a little wider and she stared for another minute or two. That was all it took, and she jumped in with both feet. I warned her there would be a learning curve with the new OS and software, but she was not deterred. I made the statement more for my benefit than for hers, as she is a type 'A' personality with a bullet, so patience is not usually a word used in her vicinity.

However there is one consolation prize in this effort, as the phrase "I don't know" is the correct answer. Let me explain what I mean by that. As many of you may have experienced, when you are the Computer Guy in the house, it is expected that for anything that goes wrong with anything that has electricity, YOU will fix it. You know what is wrong with any piece of hardware or software and exactly how to fix it instantly. Otherwise you get the "You call yourself a CTO?" jokes. Not only that, when you're married, friends and family get to ask for IT tech support as well. This is one of my major annoyances in life. But when you know next to nothing about a Mac, the stream of questions directed at me always results in "I don't know, why don't you look it up?" This brings a wonderful, liberating sense of freedom from responsibility. "Why is Safari doing that?" "How do I ______?" and my personal favorite, "I am taking this &;@%"@%/ of *&@(;( back to the store if this does not, oh, wait, now it works." And I have been smiling at the fact it is not my problem all day long.

She has let me use the machine for a bit. All in all this is a seriously nice, well engineered and very cool looking piece of hardware. While the approach is different, everything is conceptually easy once you get used to the difference in perspective. She really likes it and I am very much looking forward to buying a MacBook for myself. In the meantime, I am going to fly off to California for the next couple of days until the swearing stops.

–Adrian Lane

Wednesday, July 30, 2008

Security Researchers Discover ... 5 Stages of Disclosure Grief

By Adrian Lane

Denial: "Dan may be smart, but Tom Ptacek states the obvious that this isn't a new threat. Maybe a new spin on an old flaw."

Anger: "Dan didn't find shit. He read RFC3383 ..." and "Dan has brought NOTHING new to the table. Simply made a name for himself by regurgitating the same old problems."

Bargaining: "... the sky was already falling before Dan opened his mouth, ...", and "This is just another reason why we need DNSSEC", and "What Should Dan Have Done?"

Depression: "What can we say right now? Dan has the goods."

Acceptance: "Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie" and "This is absolutely one of the most exceptional research projects I've seen. Dan's reputation will emerge more than intact ..."

DNS Vulnerability: Very interesting. Blog Discourse on DNS Vulnerability: Absolutely mesmerizing. Dan Kaminsky finds a DNS flaw, and half the security research community grieves.

–Adrian Lane

Tuesday, July 29, 2008

The Art of Dysfunction

By Adrian Lane

Another off-topic post.

They say when you are frustrated, especially with someone in an email dialog, write-delete-rewrite. That means write the reply that you want to write, chock full of expletives and politically incorrect things you really want to say, and then delete it. Once you are finished with that cleansing process, start from scratch, writing the politically correct version of your reply. This has always been effective for me and kept me out of trouble.

One problem is I never delete anything. Quite the opposite: I save everything. Some of the best stuff I have ever written falls into this write-delete-rewrite category, only with the delete portion omitted. I ran across several examples this evening and some of them are really pretty funny ... and completely inappropriate for public consumption. Still, I found a particularly large set of letters dedicated to one individual who was so profoundly dysfunctional and so exceptionally bad at his core set of responsibilities that I created a small tome in his honor. This particular person was "in sales", despite not really ever having sold anything. And while we expect some degree of friction between sales and development (and I am sure some of you in marketing, product development, & engineering can relate), I have never before or since seen anything this profound. Over 20+ years in this profession, from big companies to small, there is one clear 'winner' in the category of utter failure.

But over time, the more I looked at the body of dysfunction as a whole, the more I realized the practiced magnificence of the art of not-selling that he had mastered. If you view this as a master practicing his craft, you can almost admire his skill in avoiding the basic set of job requirements on the path towards organizational destruction. 

I am starting to wonder if I should turn these into a book on how to not sell because some items are truly special. Sort of an equivalent to Anti-patterns in software development, only as a sales management "do not" list. I have broken down some of the categories into the following chapters:

  • "Early Funnel Cheerleading": how to use a "parade of suspects" as a smokescreen
  • "ABB": always be blaming
  • Layering dysfunction behaviors
  • "It is OK to NOT sell": building a culture of failure
  • The "Gatling gun of blame": the art of proactive pre-failure blame dispersal
  • 5 traits of a bully and how to use them
  • Action phrases, long email, and the illusion of activity
  • Name dropping your way to legitimacy
  • "Delegate everything": responsibility avoidance for the modern sales guy
  • Process? Process is for losers!
  • "Playing it close to the vest": how to share nothing important about your prospects so embarrassing details never come to light
  • "The customer is always right": feature-committing your way to commissions
  • Engaging in prospect politics: how to become a pariah even before the POC
  • Surrounding yourself with losers: elevation through lowering the bar.

Do you think I have enough for a complete book?

–Adrian Lane

Friday, July 11, 2008

Google AdWords

By Adrian Lane

This is not a 'security' post.

Has anyone had a problem with Google AdWords continuing to bill their credit cards after their account is terminated? Within the last two months, four people have complained to me that their credit cards continued to be charged even though they cancelled their accounts. In fact, the charges were slightly higher than normal. In a couple of cases they had to cancel their credit cards in order to get the charges to stop, resulting in letters from "The Google AdWords Team" threatening to pursue with the issuing bank ... and, no, I am not talking about the current spam floating around out there but a legitimate email. All this despite having the email acknowledgement that the AdWords account had been cancelled.

I did a quick web search (without Google) and I only found a few old complaints on line about this, but in my small circle of friends, this is a pretty high number of complaints considering how few use Google for their small businesses.

I was wondering if anyone else out there has experienced this issue?

Okay, maybe it is a security post after all...

–Adrian Lane