It seems blog popularity is a double edged sword. Yes, thousands of folks read our stuff every day. But that also means we are a target for many SEO Experts, who want to buy links from us. No, we don’t sell advertising on the site. But that doesn’t stop them from pummeling us with a bunch of requests each week. Most of the time we are pretty cordial, but not always.

Ivan Drago Unicorn, who'd a thunk?

Which brings us to today’s story. It seems Rich was a little uppity yesterday and decided to respond to the link request with a serious dose of snark.

Rich: Our fee is $10M US. Cash. Non-sequential bills which must be hand delivered on a unicorn. And not one of those glued-on horn jobs. Must be the real thing with a documented pedigree.

I guess Rich thought that it was yet another bot sending a blind request and that his list of demands would disappear into the Intertubes, but alas, it wasn’t a bot at all. This SEO fellow and Rich then proceeded to debate the finer issues of unicorn delivery. Interestingly enough, the $10MM fee didn’t seem to be an issue.

SEO Guy: Thanks for getting back. I may have some issues fulfilling your request. The $10M will not be a problem, however I don’t know if you’ve noticed, but unicorns are a heavily-endangered species. Even to rent one would require resources that exceed my nearly limitless budget. Do you know how much a unicorn pilot charges by the hour?

Rich: African or European unicorn?

SEO Guy: How far do you live from Ireland?

Rich: About 7000 miles, but my wife has unknown ancestors still living there and I have red hair. Not sure if that will get a discount.

SEO Guy: Would it be okay if the unicorn itself delivered the (what I am assuming is a golden satchel of) money instead? I know you want it hand-delivered (mind out of the gutter) and that unicorns lack hands.

Rich: Excellent point and I see that will save on the piloting fees. Yes, but only if we can time delivery for my daughter’s birthday and you also include a frosted cupcake with a candle on it for her. I think she’d like that. You can deduct the cost of the cupcake from the $10M, if that helps…but not the cost of the candle.

So yes, as busy as we are with launching our super sekret project, polishing the CCSK training course, and all our client work, we still have time to give a hard time to a poor sap trying to buy a few links for his SEO clients. So every time I’m grumpy because QuickBooks Online is down, the EVDO service in my favorite coffee shop is crap, and I have to restructure a white paper – I can just appreciate the fact that I’m not the SEO guy.

Yes, I do have to deal with asshats every day. But they are asshats of my own choosing. This guy doesn’t get to choose who he solicits and I’m sure a debate about unicorns was the highlight of his day of drudgery. Yes, I’m a lucky guy, and sometimes I need an SEO unicorn to remind me.

Photo credits: “Unicorns!” originally uploaded by heathervescent

Incite 4 U

  1. Testing my own confirmation bias: There are many very big-brained folks in security. Errata’s Rob Graham is one of them. Entering a debate with Rob is kind of like fighting a lion. You know you don’t have much of a chance; you can only hope Rob gets bored with you before he mauls your arguments with well-reasoned responses. So when Rob weighed in on Risk Management and Fukushima, I was excited because Rob put into words many of the points I’ve been trying (unsuccessfully) to make for years about risk management. But to be clear, I want to believe Rob’s arguments, because I am no fan of risk metrics (at least the way we practice them today). His ideas on who is an expert (and how that changes), and what that expert needs to do (have the most comprehensive knowledge of all the uncertainties) really resonated with me. Maybe you can model it out, maybe you can’t. But ultimately we are playing the odds and that’s a hard thing to do, which is why we focus so heavily on response. Now Alex Hutton doesn’t back down and has a well-reasoned response as well. Though it seems (for a change) that both Rob and Alex are talking past each other. Yes, my appreciation of Rob’s arguments could be my own biases (and limited brainpower) talking, which wouldn’t be the first time. – MR
  2. Careful with that poison: Some days the security industry is like cross-breeding NASCAR with one of those crappy fashion/cooking/whatever reality shows. Everyone’s waiting for the crash, and when it happens they are more than happy to tell you how they would have done it better. As analysts we get used to the poison pill marketing briefs. You know, the phishing email or press release designed to knock the competition down. And there is no shortage of them filling my inbox after the RSA breach. At least NASCAR has the yellow caution flag to slow things down until they can get the mangled cars off the track. But I have yet to see one brief that shows any understanding of what happened or customer risk/needs. So I either delete them without reading or send back a scathing response. I have yet to see one of these work with a customer/prospect, so it all comes off as little more than jealous sniping. And besides, I know RSA isn’t the first security company to be breached, just one of the first to disclose, and I doubt any of the folks sending out this poison could survive the same sort of attack. If they aren’t already pwned, that is. (No link for this one since you all are probably getting the same emails). – RM
  3. No poop in the sandbox: Good article in Macworld describing the issues surrounding the use of JavaScript on iOS. It’s so rare that security takes precedence over functionality that it needs to be pointed out when it happens. To be clear, Apple restricting JavaScript is a very good thing! To execute JavaScript, you must convert human-readable script embedded in web pages into executable code segments. The problem is that human-readable text – or any downloaded content – is not normally supposed to be executed, and it’s not allowed to copy itself into executable memory. Why? Because that’s how lots of malware works. The average iPhone user does not know that Apple’s security model prohibits downloaded content from executing to protect the phone from malware and spyware – or that this protection is defeated by jailbreaking – but that does not stop competitors and clowns from insinuating (or just stating flat out) that Apple’s up to no good. Apple’s security model is pretty solid, and being paranoid about executing JavaScript is the right choice, so I applaud them for taking the high road on this issue. Even though their competition will continue to call it the low road. – AL
  4. Cloudifying your response plan: So Greg Hoglund surfaces and is starting to share his lessons learned from having all his company’s dirty laundry posted on BitTorrent. The key lesson, besides not having some idiot dangle fresh meat in front of a lion, is to make sure you can control your data, especially as you embrace cloud architectures. It seems (according to Hoglund, at least) that HBGary’s network (as opposed to HBGary Federal’s networks, which were separate) was never breached, but its Gmail account was compromised via the stolen password. So if you are hosting anything in the cloud, you need to be very familiar with the process to gain/regain control of your information and how to take it down if need be. In the middle of a hack, after you’ve taken your networks down proactively, you don’t want to learn that Google won’t take your mail down unless you can verify your identity by posting something to your website. Anyway, there are a few good pointers in there – learn from these mistakes, so you don’t have to make them yourself and then learn the hard way. This doesn’t mean your mail spool won’t end up on BitTorrent, but hopefully at least not because you didn’t know how to get Google to take it down. – MR
  5. Twitter inference attack?: A while back on the Network Security Podcast my co-host Martin mentioned concerns with services responding to customers over Twitter via @ replies, because that publicly identifies the customers. It turns out that in the UK merely responding to a tweet might violate a 1924 law. This is a great example of how you need to think through your social media policies – not merely to protect yourself against phishing/malware, but to protect your customers who may not realize what they are exposing. For the most part this is likely innocent, but it’s still worth talking to your legal folks and establishing policies around what kind of public contact you can make, what information you will exchange, and how to migrate users to private channels. Even if you aren’t a bank, it’s worth making sure you are both within the law and looking out for your customers. – RM
  6. Mmmmm…Creepy: Saw this TechCrunch article on how RapLeaf extracted the shopping habits of Microsoft and Google employees from its loyalty card database, and compared their buying habits. Yikes! I see the results of data analytics all the time in this job, but I remain shocked to see these results. Any little thing you do might not be much to think about, but the aggregate has the potential for mischief and mayhem. This is one of the principal points Rich was making in his Macworld article: that there is no real damage to individuals yet – it’s just creepy. But there is no reason to believe this information won’t or can’t be used by police or offshore firms or hackers for any purpose. Just be aware that there is very little you do that is not recorded somewhere, and that data can be fully cross-referenced with other data sources. Just a name or address or birthdate may be enough to link millions of data points in thousands of other databases. – AL
  7. Are you full of cert?: I am proud to say I don’t have a CISSP. Not having to renew it each year probably pays for a month of my Starbucks habit. But that is a generalized certification that doesn’t prove much of anything. There are a lot of more focused, more specialized certifications that seem to be interesting. Do certifications help you in any way, shape, or form? Given the investment we’ve made in building the curriculum for the CCSK (Certification for Cloud Security Knowledge), we are betting that a specialized certification is useful, but what kind of cert and for how long? Our pals Lee Kushner and Mike Murray are doing a survey to figure out the value of certifications. Please fill it out, because it would be great to get some numbers to back up (or dispel) our gut feeling. And also to get a feel for when a certification jumps the shark. – MR
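Item 3 above turns on one rule: bytes that arrive as data (downloaded content, or script translated into machine code) must not be in memory that is both writable and executable. The following is an added example, not code from the Incite, from Macworld, or from Apple, showing that rule as a small page manager in C: a region can be writable or executable, never both, so content is written while the pages are read/write, then frozen to read/execute, and any request for read/write/execute at once is refused. Every name here (wx_region, wx_policy_allows, wx_alloc, wx_protect, wx_write, wx_free, wx_demo) is an assumption of this example; it relies only on POSIX mmap/mprotect and was written for Linux.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical W^X page manager (added example, not code from the article or Apple).
 * Invariant: a region is writable or executable, never both at the same time. */
typedef struct {
    uint8_t *base;  /* start of the mapping */
    size_t   len;   /* mapping length, rounded up to whole pages */
    int      prot;  /* current PROT_* flags */
} wx_region;

/* Policy gate: reject any protection that is writable and executable at once. */
int wx_policy_allows(int prot) {
    return !((prot & PROT_WRITE) && (prot & PROT_EXEC));
}

/* Map a fresh region as read+write (not executable). Returns 0 on success, -1 on failure. */
int wx_alloc(wx_region *r, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t rounded = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    r->base = p;
    r->len  = rounded;
    r->prot = PROT_READ | PROT_WRITE;
    return 0;
}

/* Change protections only if the W^X rule holds.
 * Returns 0 on success, -1 if the policy rejects the request, -2 if mprotect fails. */
int wx_protect(wx_region *r, int prot) {
    if (!wx_policy_allows(prot)) return -1;
    if (mprotect(r->base, r->len, prot) != 0) return -2;
    r->prot = prot;
    return 0;
}

/* Copy "downloaded" bytes into the region. Allowed only while the region is
 * writable and not executable; once it has been made executable it is frozen. */
int wx_write(wx_region *r, const void *src, size_t n) {
    if (!(r->prot & PROT_WRITE) || (r->prot & PROT_EXEC) || n > r->len) return -1;
    memcpy(r->base, src, n);
    return 0;
}

/* Release the mapping and reset the descriptor. */
void wx_free(wx_region *r) {
    if (r->base) munmap(r->base, r->len);
    r->base = NULL;
    r->len  = 0;
    r->prot = PROT_NONE;
}

/* Walk the lifecycle once and return how many of the four policy checks behaved
 * as expected: RW write allowed, RWX refused, RX allowed, write into RX refused. */
int wx_demo(void) {
    /* Constructed opaque bytes standing in for content a JIT would emit; never run here. */
    const uint8_t blob[] = { 0x01, 0x02, 0x03, 0x04 };
    wx_region r;
    int ok = 0;
    if (wx_alloc(&r, sizeof blob) != 0) return -1;
    ok += (wx_write(&r, blob, sizeof blob) == 0);                      /* RW: write allowed */
    ok += (wx_protect(&r, PROT_READ | PROT_WRITE | PROT_EXEC) == -1);  /* RWX: refused by policy */
    ok += (wx_protect(&r, PROT_READ | PROT_EXEC) == 0);                /* RX: allowed, region frozen */
    ok += (wx_write(&r, blob, sizeof blob) == -1);                     /* write into RX: refused */
    wx_free(&r);
    return ok;
}

int main(void) {
    printf("policy checks passed: %d of 4\n", wx_demo());
    return 0;
}
```

The point the example makes is that the dangerous state is not "executable memory" but "memory that was writable with untrusted bytes and is now executable without any gate in between"; the gate here is wx_protect. As item 3 describes it, Apple's model for downloaded content goes a step further than this discipline and simply refuses the final transition to executable, which is why JavaScript on iOS was the subject of the Macworld piece. On a host that forbids executable anonymous mappings outright, wx_protect returns -2 for the RX step rather than 0, which is the stricter policy at work.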