Back in March I mentioned it was about time for a new set of wheels. Of course nothing happens quickly in my world, so it wasn’t until mid-June that I got serious about a new car. You’d figure a guy like me would relish the opportunity to sit across from a car salesperson and beat them into submission to get the best deal. I’m not the kind of guy to blink, and I’d just as soon walk out if I don’t get what I want. Turns out I’ve been there and done that, and despite living to tell the tale, I have learned there is a better way to skin this specific cat.

Of course, not everyone gets this or is willing to listen to a different approach. I remember 8 years ago when my in-laws told me they were going to test drive a new car. I told them not to buy the car that day. Just go in and test drive it. That I’d help them and save them some money. Sure enough they had to drive over to show me their spanking new generic car that they bought right off the lot. From the first dealer they visited. They got a good deal. That was their story and they were sticking to it. But they pretty much got raped. Hard. I just shook my head. But you know, they felt good about it, so I wasn’t about to piss in their oatmeal.

But going into a car dealership and buying a car is a pretty stupid way to do things. Regardless of how good a negotiator you are, if you go into a dealership to negotiate for a car you’re doing it wrong. About 10 years ago I was introduced to a service called Fighting Chance. It’s pretty much a research service for car buyers. I get the power of research and tracking trends and leveraging other folks’ experiences to save time and money. That’s what I do for a living, after all. The fine folks at Fighting Chance teach you how to buy the car based on what’s really happening in the field, give you information about promotions and deals, help you figure out the data you need to compare apples to apples, and provide target values for recent sales for the model you are looking for. The service is awesome. It costs something like $40 and has saved me thousands.

Their idea is that a car is a commodity. If you live in a typical metropolitan area, each car brand has 10-25 dealers within a short drive who will be happy to sell you a car. The exact same car. It’s not like Dealer A has a different Honda than Dealer B. You don’t buy a commodity by dealing with one seller. Not if you’re smart, anyway. You buy a commodity by getting dealers to compete with each other. I won’t give away the exact process (you should buy the service), but it involves getting dealers to bid against each other. I was able to buy a brand new current model Honda CR-V substantially under invoice by getting bids from 5 local dealers. I handled the process via email and a few phone calls, and it took me a couple hours.

By the way, most car dealers hate this approach. They prey on folks who don’t know what they are doing. But it turns out that smart dealers focus on volume and make it up on the back end through incentives and other payments from the manufacturers, with far higher margins on services and trade-ins. These folks love guys like me, since I know exactly what I want and can get the transaction done in an hour.

Notice I said CR-V, not Prius V, my preference back in March. Both the Boss and the dealer pointed out to that driving only about 7,000 miles a year means negligible savings in gas, and for 10% less I could get the fully decked-out CR-V instead of a mid-level Prius V. And they were right. Who said I’m inflexible and rock-headed?

–Mike

Photo credits: USED CAR SALESMAN KITTY originally uploaded by victoriafee

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Pragmatic WAF Management

• Securing the WAF
• Application Lifecycle Integration
• Policy Management

Incite 4 U

1. Showing your true colors: Great post by Conrad Constantine about maintaining your sanity when dealing with a high profile incident. He should know – he was at ground zero for a pretty serious one. He points out that you’ll get to meet some pretty big wheels in your organization, and they will want answers and direction. Even if you don’t have any. He starts by telling you to keep a timeline of exactly what happened. Even if that information never sees the light of day (and likely it won’t) you need it. Conrad provides tips for playing above your pay grade and living to tell about it, and talks about the reality behind the PR spin machine. His point that it always ends at some point, and things go back to the new normal, are exactly right. But the best idea in the post is the reality of how people behave under duress: “Before anything else, no matter what field you work in during times of crisis you will see everyone’s true colors brought forth – not least of which – your own.” What he said. – MR
2. Security Bypass: It’s not that IT users thumb their noses at IT security, as claimed by the author of this analysis of the iPass Mobile Workforce Report. But users sidestep anything that makes work more difficult. If the impediment is security controls on applications or data usage, users find ways around it. Mobile platforms are not just about bringing work along with you wherever you go, but the way we all interact with these devices demands simplicity and ease of use. It’s a totally different user experience than the classic office desktop. If your traditional controls make it hard, users will exercise their creativity to find faster more efficient ways to do things – and leave your protections in the dust. If your identity/encryption/VPN tunnel requires a user to stand on his/her head to make it work, you need to understand where the blame belongs. And it’s not on the users. – AL
3. Disinformation and media lemmings: Krebs got it right in this tweet and it seems Anon has spinmeisters as capable as the US Presidential campaign staffers. There is a lot of he said/she said going on here. Many folks reported about a million Apple device IDs stolen on a compromised FBI laptop. The FBI denied it. And now the media is spinning some more to figure out what’s the truth. Even the guy who dressed up in a tutu to get at the truth. You know the Anon guys are just cracking up at that. But I digress. What these media idiots don’t realize is that the truth is irrelevant. Maybe the FBI is hiding something or playing word games. That has been known to happen, but ultimately the AntiSec folks just want us to talk about them. Whether you are saying they are liars or l33t hackers or whatever, their evil plan’s working – the page view whores will get lots of views, and the myth of AntiSec will continue to grow, as the story continues to play out in public. – MR
4. Data, data, who has the data? Let me make a different point than Mike (above) on the alleged Apple UDID leak. The recent disclosure on Pastebin that alleges some 12 million or so unique device identifiers (UDIDs) raises many serious questions about privacy and possibly security. It’s still not clear whether the FBI really held this data, or if so why. Mostly the news out there is a lot of FUD and speculation, colored by each media outlet’s agenda, on spam and government surveillance. To me, any leak of this data is bad. The problems is, and the reason so many people are more than a bit annoyed by this, is that there is no benefit for Apple or app customers from anyone except Apple keeping the data – just risk. My worry is that some rudimentary forms of two-factor authentication use UDID, which could now be faked. Couple that with other data sources, like leaky wallets, and you begin to see many different avenues for fraud. This will not end well. – AL
5. Network baselines are your friend: Unless you are a new visitor to our little site you know we believe in a monitor everything approach, that baselining your traffic (and everything else) is a good thing, and that looking for obvious anomalies can point you in the right direction to figure out if you have been pwned by bad folks. It turns out not enough folks do any kind of traffic analysis on their networks. As Johannes Ullrich points out, they still focus on signature matching on their IDS and IPS devices, and have a hard enough time with simple blocking and tackling. Johannes goes through a pretty simple process to figure out the traffic on his network and point out some stuff that may not make sense. Does the strange traffic indicate an issue? Likely not, and he systematically goes through packet captures to analyze what’s going on. This traffic analysis gives him a place to investigate protocols and traffic flows and determine whether something is wrong. Much better than waiting for the FBI or your payment processor to tell you something is wrong. Network security monitoring. Learn it. Live it. Love it. (h/t to Bejtlich, who wrote the book. Literally.) – MR