It all started with an innocent call from my mortgage broker. He started with, “What if I could shave 75 basis points off your note, with no cost to you?” As you might have noticed, I’m a skeptical type of fellow. I asked, “What’s the catch?” He laughed and said, “No catch, I can get you from 4.25% to 3.5% and I’ll pay the costs.” I responded again, “There must be a catch. What am I missing?” He made some wise remark about Groundhog Day and then told me there really is no catch. I can save a couple hundred bucks a month I’m currently paying the bank.

Done. But you see, there was a catch. There is always a catch. The catch this time was having to once again bear witness to the idiocy that is the mortgage process (in the US anyway). So I gather together all the financial information. My broker asks if he needs to send a courier over to pick up the stuff. Nope, an encrypted zip file he can download from Dropbox suffices. That was a lot easier, so maybe it won’t be a total clusterf*** this time.

Yeah, I was being too optimistic. I knew things were off the rails last Tuesday when I got copied on an email to my home insurance broker needing a quick verification of the policy ahead of a Friday closing. Uh, what? What Friday closing? Is there a Friday closing? Shouldn’t they have shared that information with me, since I’m pretty sure I have to be there? So we schedule the closing for Friday.

About midway through Thursday I get a call asking about a credit inquiry from the idiots who do our merchant account for Securosis. Why they inquired about my personal credit is beyond me, but I had to take some time to fill out their stupid form, explaining that the world consists mostly of idiots, and those idiots’ checklists run personal credit reports for business accounts. Did I mention how much I like checklists?

Then I got a call Friday morning. Yes, the day we were supposed to close the note. They need to verify the Boss’s employment. But the Boss works for my company and I’m the managing member and sole officer of my company. They say that’s no good and they need to verify with someone who is not a party to the loan. I respond that there are no officers who aren’t a party to the loan. I figure they understand that and we’re done. Then Rich calls me wondering why he keeps getting calls from a bank trying to verify the Boss’s employment. Argh. I call the bank and explain that the Boss doesn’t work for Securosis and that she works for a separate company (that happens to own a minority share of Securosis). Idiots. At this point, I still haven’t received the settlement statement from the bank. Then I get a call from the closing attorney wondering if I could meet them at a Starbucks for the closing Friday night. Sure, but they’ll have to send a babysitter to my house to watch my kids. They didn’t think that was funny.

So the lawyer agrees to come to my house to close the note. We go through all the paperwork. I verify that I’m neither committing mortgage fraud nor a terrorist. And yes, I really had to sign papers attesting to both. The lawyer (who does about 15-20 closings a week) can’t recall anyone actually admitting to committing mortgage fraud or being a terrorist, but we sign the documents anyway.

And then we are done. Or so we thought. I figured it’s 2012 so I should just wire the money, rather than writing a check to cover the prepaid items like escrow, etc. So I dutifully wake up early Monday morning (in NYC) and log into my bank website to transfer the money. Of course, the web app craps out, I’m locked out of the wire transfer function, and the Boss needs to drop whatever she is doing and head over to the bank to wire the money. Yes, that was a pleasant conversation. If getting kicked in the nuts 10 times is your idea of pleasant.

But all’s well that ends well. We closed the note and we’ll save a crapload of money over the next 10 years. But man, the process is a mess. These folks give a new meaning to just in time. For those of you looking for someone to manage incidents or fill another role that requires an unflappable perspective, maybe check out some of these loan processors. They’d laugh at having to only coordinate legal, forensics, law enforcement, and the ops folks. That would be a day in the park for those folks. Seriously.


Photo credits: “rEEFER mADNESS” originally uploaded by rexdownham

Heavy Research

We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.

Vulnerability Management Evolution

Watching the Watchers (Privileged User Management)

Understanding and Selecting DSP

Incite 4 U

  1. Human context: Great summary by LonerVamp on some of our very own Myrcurial’s thoughts at this year’s Schmoocon. There is a lot of stuff in there and I agree with most of it. But the idea that resonated most was “knowledge of analysts vs. knowledge of tools,” as I had that very conversation with 15 Fortune-class CISOs this week. And there was no contest. These folks have budget for tools, they have budget for people, and they are still losing the battle. They can’t find the right people. The right folks understand how the data applies to their environment. They have context, which tools just can’t provide. No matter what a vendor tells you. – MR
  2. State of fear: Akamai announced their State of the Internet report this week, stating that the overall number of new IP addresses has grown some 13% YoY. And they say the largest percentage of attack traffic from any single nation is coming from China, at just over 13%. In this day and age of APT it’s easy just to accept that number at face value. But botnets and drive-by malware don’t pay any attention to geographic boundaries. And the Akamai report does not really differentiate between opportunistic nations and individuals trying to hack-a-buck from someone – anyone – else. What’s more, it’s likely that any state sponsored hacking has a counter-intelligence component, leveraging other countries’ infrastructure to launch the attacks while casting suspicion elsewhere. Besides, who in their right mind would launch an attack from their own IP address, or even nearby? The true nation of origin for any given attack is likely very different than what’s reported. The question on my mind is: are the US and Chinese proportions lower or higher than Akamai indicates? I’ve got a fiver on both being higher. – AL
  3. Lazy FUD: I really hate the constant onslaught of reports saying things like, “Only x% of organizations follow a security practice that involves buying our product or service. Everyone else is therefore, by definition, irresponsible idiots who need better education and should be paying us a lot of money so we can screw things up for them”. At least that’s how I read articles like this one over at CSO Online, which cites a vendor survey and makes dumbass claims like all data in the cloud needs to be encrypted. Except where firewalls, access controls, and VPNs are better. WTF? IGTFU! (I give the ____ up). Anyway, don’t bother reading the article. I only linked to it because Mike gets antsy if all I do is spew out text. But seriously, this is another example of not even making an effort to put out ‘good’ FUD, and why I prefer to work with tech journalists who are intelligent and inquisitive. – RM
  4. I C U: Most folks would consider their security programs to be in intensive care. But I’m not talking about that ICU – instead about visibility (I see you). We have long believed that you should monitor everything. We are not alone – Rocky D is doing a great series on what visibility means. There is a ton of data that you need, and he lists it all. Or most of it anyway. I love the idea that if you can’t pull logs from anything, get it off your network. Rocky also mentions context and what kinds of data provide it. Again, remember that data does not provide context, but can give a good analyst the data they need, and they certainly can. – MR
  5. That depends on your definition of ‘fixed’: If you have not heard about the ‘TNS-Poison’ issue, it’s really funny in that sad TSA or People of Walmart “I can’t quite believe this is happening” way. It seems Oracle acknowledged Joxean Koret’s contributions in discovering a serious bug in the Oracle listener – that’s the code that establishes connections to the database. And it’s serious: remotely exploitable, no credentials required to view data on any connection – or DDoS the database – for any version of Oracle. CVSS score 10 of 10 serious. Oracle informed Joxean the bug was fixed. The problem, or the first problem, is that this serious flaw was reported in 2008. Clearly they were in no hurry. The second issue is that Oracle has a fix on their test servers, but has not actually produced a patch or delivered one to customers. Technically, Oracle’s statement is valid – it’s been fixed at least somewhere. But the worst problem is the third issue: Joxean, believing Oracle that this serious bug was fixed, released the details and exploit code a couple days later. Really. Insert your own punchline. – AL
  6. No Sleep til Brooklyn: It is so important to understand how incentives drive behavior. Hat tip to Gunnar for pointing me to this WSJ article talking about how fire departments are having trouble gathering data to report on fire response times. Apparently lots of folks have different opinions about when response begins. And the firefighters’ organization suggests what those response times should be, but not necessarily how to measure them. Amazingly enough, some folks show improvement, but they are not necessarily measuring consistently. Any of this sound familiar? Probably not – because security folks can’t even agree on what should be measured, which we need to happen to even discuss the right way to measure those things. And then we would have to establish acceptable and expected levels, before we would be able to question whether someone was gaming them. Yeah, we have a lot of work to do. A. Lot. Of. Work. – MR
  7. The role of AD: The more I talk about cloud and mobility, the more I’ve had to learn about identity management. One of the things that’s always confused me a bit is how we use Active Directory as a systems management tool when it’s really an identity management tool. Having been a Windows admin for many years, I do understand the very legitimate reasons we got here, but AD is about a heck of a lot more than pushing install scripts and GPOs. Especially when users like me strip those GPOs out so we can retake admin control of our machines (not that I would ever have done that when I worked for a large Connecticut-based publishing company). Brian Madden does a great job of showing why AD doesn’t matter for Windows RT (the tablet version of Windows 8), where the lack of AD support has caused much consternation. He says AD is about the user, not the device, and it’s time to let the people control their own experience. Makes sense to me. – RM