Research

As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend. Bad times my friends, bad times. Like many of you, although my current financial situation is pretty solid, I can’t help but wonder what the future holds. We’re not merely entering uncharted territory, we’re headed straight for that big black circle marked “There Be Monsters Here”. That doesn’t mean we won’t make it to the other side, but the journey is fraught with danger and challenge. First, a couple of assumptions: Some sort of bailout package will pass. Times will get tough, but we won’t enter a full depression. If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions. I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world. First, our starting assumptions: We’ll continue to see severe credit restrictions- even tighter than now. With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most. We will see no decline in security threats, but the threats will morph to adapt to changing market conditions. We don’t need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly. These lead directly to some conclusions about the security market: Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can’t afford big acquisitions anymore. We will see continued, massive, consolidation as small companies struggle to survive and larger players can’t create growth. These won’t be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We’ll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn’t dependent on external financing. Best of breed loses to security suites. Users will demand more suites from their vendors, and “good enough” will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they’ll care less in the future. Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you’ll see sales guys tossing in their firstborn essentially for free. A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn’t required by the auditors, doesn’t reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won’t sell very well. Vendors who don’t solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else. We’ll also see some threat evolution: Tighter credit issuing will reduce new account fraud. If it’s harder for the good guys to get credit, it will also be harder for the bad guys. Existing account fraud will increase. It isn’t like the bad guys will go get some non-existent legitimate jobs. They’ll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad. Major attack vectors will be similar to what we see today- clientside and web application. I don’t see anything in an economic downturn that changes the technical nature of the attacks we see today- they’ll continue to get more sophisticated, but that’s happening regardless of any economic issues. And, of course, this will impact security professionals and how we do our jobs: The bad guys will keep us employed, but salaries will be under pressure. “Good enough” applies to us as much as it does to our tools. We’ll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming. We’ll have to do more with less. That’s so obvious I’m embarrassed to write it. We’ll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we’ve been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value. Get used to accepting more risk. We’ll have to take hits on the small stuff to focus our efforts on the biggest risks. Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you’ll be. It’s always been about getting the job done, but let’s be honest and admit that it isn’t always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times. In other words, get used to people trying to nibble at your job, tighter

When was the last time you thought about your email security? Have you reviewed the vendors or the market lately? If not, it may be time. It is no surprise that the market is mature; read the collateral and the discussion has long since moved away from technology nuances- rather it is reputational risk reduction & business function continuity. It is no longer startups but some of the largest firms in security. And while not seeing a lot of growth in the segment, we are starting to see changes in how the services are delivered, and that is leading to some vendor swapping. What’s more, these changes are so transparent that the effect on privacy and security is not always obvious. I have been doing a surprising amount of investigation in the email security segment lately. Rich and I have a couple of projects in and around email security, I have a friend who works in this area and was asking some market related questions, I have been helping another friend analyze a prospective job with an email security company, and at Securosis we have gone through the selection process for a supplementary spam filter (Postini, if you were interested). The focus on this segment showed a subtle change in direction, and raised a couple of issues you may want to consider. Every vendor claims 96-99% efficiency, and on any given week, delivers on that promise. Most offer inbound and outbound anti-virus, content scanning, image scanning, archiving, reporting and policy management. Want an appliance or software? No problem. Want it as a service? It’s a replacement market at this point, as every firm has some type of email security and filtering, either in-house or provided as a service. One company’s new email security customer come at another vendor’s expense. And there is a feeling that these offerings are a commodity. If you don’t like the vendor or product you have today, the cost of a switch is far less than it used to be. The battle in email security today is between the entrenched appliances and “security in the cloud”. And much like the AV market once it had reached this stage, changing providers can be a fluid event. Adding an extra layer of anti-spam at Securosis took a few minutes of work, and the cost is negligible. From a consumer standpoint, the ability to choose what I want and switch as needed shows the maturity of this space. Appliances still rule the day, but with firms like Google (Postini) and Message Labs offering quality services, it appears to be this subsegment of the market that is making inroads. I am talking to a lot of customers who have a hybrid in place today, but many I speak with have not looked at their email security solution in years as it works, and so they just don’t give it a lot of thought. Those who do find it an easy choice to adopt a hybrid model, with inbound spam and AV filtering to reduce the load on internal systems while they review their plans for the future. Once again, while there are few new customers to be won, there is quite a bit of switching between vendors going on, with services gaining share. However the change from in-house appliance and software brings some considerations in the area of data privacy. Outsourcing your inbound spam filtering and adding an extra layer of AV seems like a good idea, and can take the strain off older infrastructure. And the switch can be so seamless and easy that often thought is not put into where the IP is actually going. As many of the email security providers offer outbound content analysis, leak prevention, and compliance assurance, you are by nature sending the data you want to protect offsite. While it is almost invisible to daily operations, there are ramifications and considerations for compliance and privacy. In my next post, I will discuss some of these considerations. Share:

Over at the Washington Post they note that it looks like a “McCain Wins Debate” ad and quote accidently leaked before the… you know… debate actually happens. While I don’t plan on voting for him, criticizing preparing ads and responses ahead of time would be silly. It’s only prudent since there really isn’t time to create this content after the fact in our obsessive 24 hour news cycle driven society. What can be criticized is this could show a little lack of organization and discipline. Or not. If I were the Democratic equivalent of Karl Rove I might drop a few of these things on my own. Through front companies, of course. Sure, it would eventually be repudiated, but the initial damage will be done. Heck, that’s not even all that creative- aside from the ubiquitous YouTube ads and testimonials, there are all sorts of new attack vectors thanks to the Internet age. We already see plenty of this going on through email campaigns, which seem even more effective than the push polling of Bush II vs. McCain eight years ago. One reason this garbage is so effective? Most people have intense confirmation bias. As Adam posted recently, study after study shows we are inclined to believe that which aligns with our existing beliefs. On top of that, functional MRI studies have shown that political discussions trigger the same parts of the brain as religion- in other words, faith, and sections of our mind that are core to our identity. It is far easier to manipulate someone into believing what they want to believe than introducing contradictory information. The net is fracking perfect for this. Share:

As most of you know, Adrian and I have been pretty slammed lately; bouncing all over the inter-tubes (and airports) on our quest to save freedom and not default on our mortgages. One thing we’ve been wanting to do for a while is summarize everything that’s been going on through the week in a bit more of a structured format, a la Rothman’s Daily Incite. But we’re not nearly as motivated as Mike, but we figure we can handle once a week before we attend the official Securosis Weekly Research Offsite (happy hour). It’s a summary of what we’ve been up to, and our top post selections for the week. Webcasts, Podcasts, and Conferences: I put together the DLP Security School for TechTarget a few weeks back, but it was published while I was in the middle of my travel binge. I really like this education format, and believe it or not there are a few tidbits in there that aren’t in all the other stuff I’ve published on DLP. Adrian just finished the SIM Security School. Did I mention we like this format? Unlike the DLP school he put together a full webcast (as opposed to a video segment) with a ton of content. I spoke on a data masking panel at Oracle World. Here’s a post inspired by the session. This week on the Network Security Podcast Episode 121 our guest was T-Rob discussing Palin’s email hack, and MQ middleware security. Yeah, we thought it was a weird combo too. Outside Writing: The big one for me this week was Macworld- I was heavily involved in the security issue that’s sitting on newsstands this month. Except where it’s sold out, like my neighborhood Barnes and Noble. (I swear I didn’t buy them all). I’m really proud of the issue- it addresses the security needs and questions of average users, and is the kind of thing I can send to my mom. Favorite Securosis Posts: Rich: The Breach Reporting Dilemma. We really need to start looking at breach reporting differently, but I don’t expect it to happen anytime soon. Adrian: Behavioral Modeling. Some of the most significant advances we can make in security are in heuristics, but it’s also an extremely difficult problem. Favorite Outside Posts: Adrian: Jeremiah Grossman on YouTube. (description) Rich: Tim Wilson on Premature Chasm Crossing. I love articles/posts on thinking differently about the security market and, oh, I don’t know, focusing on the end users. Top News: The economy. Is there any other news? Blog Comment of the Week: I don’t agree with all of them, but Dre has some of the deepest comments on the blog. Here’s one on our PCI scanning post: [snip]… Most organizations implement firewall/IPS incorrectly. They assume it’s something you plug in. Most firewalls/IPS don’t protect on the outbound, and most policies allow outbound SYN origination from the DMZ on externally facing interfaces. Most firewalls/IPS don’t provide the real protections one would need without excessive CPU and memory usage. A few null routes (or uRPF) at the border is all that is necessary to prevent traffic to the 80 percent of the Internet we know we can”t trust. …[/snip] We hope you all have a great weekend. Share:

Some days I feel the suffocating weight of travel more than others. Typically, those days are near the end of a long travel binge; one lasting about 3 months this time. When I first started traveling I was in my 20’s, effectively single (rotating girlfriends), and relatively unencumbered. At first it was an incredibly exciting adventure, but that quickly wore off as my social ties started to decay (friends call less if you’re never around) and my physical conditioning decayed faster. I dropped from 20 hours or more a week of activity and workouts to nearly 0 when on the road. It killed my progression in martial arts and previously heavy participation in rescues. Not that the travel was all bad; I managed to see the world (and circumnavigate it), hit every continent except Antarctica, and, more importantly, meet my wife. I learned how to hit every tourist spot in a city in about 2 days, pack for a 2-week multi-continental trip using only carry-on, and am completely comfortable being dropped nearly anywhere in the world. Eventually I hit a balance and for the most part keep my trips down to 1 or 2 a month, which isn’t so destructive as to ruin my body and piss off my family. But despite my best scheduling efforts sometimes things get out of control. That’s why I’m excited to finish off my last trip in the latest binge (Oracle World) for about a month and get caught up with blogging and the business. For those of you earlier in your careers I highly recommend a little travel, but don’t let it take over your life. I’ve been on the run for 8 years now and there is definitely a cost if you don’t keep it under control. As we say in martial arts, there is balance in everything, including balance. Now on to Oracle World and a little security. I’m consistently amazed at the scope of Oracle World. I go to a lot of shows at the Moscone Center in San Francisco, from Macworld to RSA, and Oracle World dwarfs them all. For those of you that know the area, they hold sessions in the center and every hotel in walking distance, close of the road between North and South, and effectively take over the entire area. Comparing it to RSA, it’s a strong reminder that we (security) are far from the center of the world. Not that Oracle is the center, but the business applications they, and competitors, produce. This year I was invited to speak on a panel on data masking/test data generation. As usual, it’s something we’ve talked about before, and it’s clearly a warming topic thanks to PCI and HIPAA. I’ve covered data masking for years, and was even involved in a real project long before joining Gartner, but it’s only VERY recently that interest really seems to be accelerating. You can read this post for my Five Laws of Data Masking. Two interesting points came out of the panel. The first was the incredible amount of interest people had in public source and healthcare data masking. Rather than just asking us about best practices (the panel was myself, someone from Visa, PWC, and Oracle), the audience seemed more focused on how organizations are protecting their personal financial and healthcare data. Yes, even DNA databases. The second, and more relevant point, is the problem of inference attacks. Inference attacks are where you use data mining and ancillary sources to compromise your target. For example, if you capture a de-identified healthcare database, you may still be able to reconstruct the record by mining other sources. For example, if you have a database of patient records where patient names and numbers have been scrambled, you might still be able to identify an individual by combining that with scheduling information, doctor lists, zip code, and so on. Another example was a real situation I was involved with. We needed to work with a company to de-identify a customer database that included deployment characteristics, but not allow inference attacks. The problem wasn’t the bulk of the database, but the outliers, which also happened to be the most interesting cases. If there are a limited number of companies of a certain size deploying a certain technology, competitors might be able to identify the source company by looking at the deals they were involved with, which ones they lost, and who won the deal. Match those characteristics, and they then identify the record and could mine deeper information. Bad guys could do the same thing and perhaps determine deployment specifics that aid an attack. If logic flaws are the bane of application security design, inference attacks are the bane of data warehousing and masking. Share:

Thanks to Slashdot, here’s a story on Adobe PDF vulnerabilities: The Portable Document Format (PDF) is one of the file formats of choice commonly used in today”s enterprises, since it’s widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. I normally ignore stories coming out of vendor labs on new exploits that are coincidentally blocked by said vendor’s products, but on occasion they highlight something of interest. Back in February I mentioned three applications that are a real pain in our security behinds- IE/ActiveX, QuickTime, and Adobe Acrobat (the entire pdf format, to be honest). It’s nice to see a little validation. Each of these, in their own way, allows expansion of their formats. In the Adobe case they keep shoveling all sorts of media types and scripting into the format. This creates intense complexity that, more often than not, leads to security vulnerabilities. When you manage an open format, content validation/sanitization is an extremely nasty problem. Unless you design your code for it from the ground up, it’s nearly impossible to keep up and lock down a secure format. I suspect Adobe’s only real option at this point is to start failing with grace and focus on anti-exploitation and sandboxing (if that’s even possible, I’ll leave it up to smarter people than me). Truth is I should have also put Flash on the list. My bad. Share:

Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they’ve already matched the 2007 breach numbers this year. Personally, I think it’s a bit of both, and we’re many years away from any accurate statistics for a few reasons: Breaches are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I know of a case where a payment processor was compromised, records lost for some financial services firms that ran through them, and only 1 of 3-4 of the companies involved performed their breach notification. Let’s be clear, they absolutely knew they had a legal requirement to report and that their customer information was breached, and they didn’t. Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it’s reasonable that at least some of them never knew they were breached. I’d say less than 10% of companies with PII even have the means to detect a breach. Breaches do not correlate with fraud. Something else we’ve discussed here before. In short, there isn’t necessary any correlation between a “breach” notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don’t have a singe case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting. There’s no national standard for a breach, never mind an international standard. Every jurisdiction has their own definition. While many follow the California standard, many others do not. Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse. With all that said I need to go call Bank of America since we just got a breach notification letter from them, but it doesn’t reveal which third party lost our information. This is our third letter in the past few years, and we haven’t suffered any losses yet. Share:

I’ll be honest- it’s been a bit tough to stay up to date on current events in the security world over the past month or so. There’s something about nonstop travel and tight project deadlines that isn’t very conducive to keeping up with the good old RSS feed, even when said browsing is a major part of your job. Not that I’m complaining about being able to pay the bills. Thus I missed Google Chrome, and I didn’t even comment on McAfee’s acquisition of Reconnex (the DLP guys). But the acquisition gods are smiling upon me, and with McAfee’s additional acquisition of Secure Computing I have a second shot to impress you with my wit and market acumen. To start, I mostly agree with Rothman and Shimel. Rather than repeating their coverage, I’ll give you my concise take, and why it matters to you. McAfee clearly wants to move into network security again. SC didn’t have the best of everything, but there’s enough there they can build on. I do think SC has been a bit rudderless for a while, so keep a close eye on what starts coming out in about 6 months to see if they are able to pull together a product vision. McAfee’s been doing a reasonable job on the endpoint, but to hit the growth they want the network is essential. Expect Symantec to make some sort of network move. Let’s be honest: Cisco will mostly cream both these guys in pure network security, but that won’t stop them from trying. They (Symantec and McAfee) actually have some good opportunities here- Cisco still can’t figure out DLP or other non-pure network plays, and with virtualization and re-perimeterization the endpoint boys have some opportunities. Netsec is far from dead, but many of the new directions involve more than a straight network box. I expect we’ll see a passable UTM come out of this, but the real growth (if it’s to be had) will be in other areas. The combination of Reconnex, CipherTrust, and Webwasher will be interesting, but likely take 12-18 months to happen (assuming they decide to move in that direction, which they should). This positions them more directly against Websense, and Symantec will again likely respond with combining DLP with a web gateway since that’s the only bit they are missing. Maybe they’ll snag Palo Alto and some lower-end URL filter. SC is strong in federal. Could be an interesting channel to leverage the SafeBoot encryption product. What does this mean to the average security pro? Not much, to be honest. We’ll see McAfee and Symantec moving more into the network again, likely using email, DLP, and mid-market UTM as entry points. DLP will really continue to heat up once the McAfee acquisitions are complete and they start the real product integration (we’ll see products before then, but we all know real integration happens long after the pretty new product packaging and marketing brochures). I actually have a hard time getting overly excited about the SC deal. It’s good for McAfee, and we’ll see some of those SC products move back into the enterprise market, but there’s nothing truly game changing. The big changes in security will be around data protection/information centric security and virtualization. The Reconnex deal aligns with that, but the SC deal is more product line filler. But you can bet Webwasher, CipherTrust, and Reconnex will combine. If it doesn’t happen within the next year and a half, someone needs to be fired. Share:

A number of months ago when Rich released his paper on Database Activity Monitoring, one of the sections was on Alerting. Basically this is the analysis phase, where the collected data stream is analyzed in context of the policies that are to be enforced, and the generation of an alert when a policy is violated. In that section he mentioned the common types of analysis, and one other that is not typically available but makes a valuable addition: Heuristics. I feel this is an important tool for policy enforcement- not just for DAM, but also for DLP, SIM, and other security platforms- so I wanted to elaborate on this topic. When you look at DAM, the functional components are pretty simple: Collect data from one or more sources, analyze data in relation to a policy set, and alert when a policy has been violated. Sometimes data is collected from the network, sometimes from audit logs, and sometimes directly from the database’s in-memory data structures. But regardless of the source, the key pieces of information about who did what are culled from the source, and mapped to the policies, with alerts via email, log file entries, and/or SNMP traps (alerts). All pretty straightforward. So what are heuristics, or ‘behavioral monitoring’? Many policies are intended to detect abnormal activity. But in order to quantify what is abnormal, you first have to understand what is normal. And for the purposes of alerting, just how abnormal does something have to be before it warrants attention? As a simplified example, think about it this way; you could watch all cars passing down a road and write down the speed of the cars as they pass by. At the end of the day, you could take the average vehicle speed and reset the speed limit to that average; that would be a form of behavioral benchmarking. If we then started issuing tickets to passing motorists 10% over or under that average: a behavior-based policy. This is how behavioral monitoring helps with Database Activity Monitoring. Typical policy enforcement in DAM relies on straight comparisons; for example, if user X is performing Y operation, and location is not Z, then generate an alert. Behavioral monitoring builds a profile of activity first, and then compares events not only to the policy, but also to previous events. It is this historical profile that shows what is going on within the database, or what normal network activity against the database looks like, to set the baseline. This can be something as simple as failed login attempts over a 2-hour time period, so we could keep a tally of failed login attempts and then alert if the number is greater than three. But in a more interesting example, we might record the number of rows selected by a by a specific user on a daily basis for a period of a month, as well as an average number of rows selected by all users over the same of a month. In this case we can create a policy to alert if if a single user account selects more that 40% above the group norm, or 100% more than that user’s average selection. Building this profile comes at some expense in terms of processor overhead and storage, and this grows with the number of different behaviors traits to keep track of. However, behavior polices have an advantage in that they help us learn what is normal and what is not. Another advantage: as building the profile is dynamic and ongoing, thus the policy itself requires less maintenance, as it automatically self-adjusts over time as usage of the database evolves. The triggers adapt to changes without alteration of the policy. As with platforms like IDS, email, and web security, maintenance of policies and review of false positives forms the bulk of the administration time required to keep a product operational and useful. Implemented properly, behavior-based monitoring should both cut down on false positives and ease policy maintenance. This approach makes more sense, and provides greater value, when applied to application-level activity and analysis. Certain transaction types create specific behaviors, both per-transaction and across a day’s activity. For example, to detect call center employee misuse of customer databases, where the users have permission to review and update records, automatically constructed user profiles are quite effective for distinguishing legitimate from aberrant activity- just make sure you don’t baseline misbehavior as legitimate! You may be able to take advantage of behavioral monitoring to augment Who/What/When/Where policies already in place. There are a number of different products which offer this technology, with varying degrees of effectiveness. And for the more technically inclined, there are many good references: public white papers, university theses, patents, and patent submissions. If you are interested send me email, and I will provide specific references. Share:

This is an off topic post. Most people don’t think of me as a photographer, but it’s true, I am. Not a good one, mind you, but a photographer. I take a lot of photos. Some days I take hundreds, and they all pretty much look the same. Crappy. Nor am I interested in any of the photos I take, rather I delete them from the camera as soon as possible. I don’t even own a camera; rather I borrow my wife’s cheap Canon with the broken auto-cover lens cap, and I take that little battery sucking clunker with me every few days, taking photos all over Phoenix. Some days it even puts my personal safety in jeopardy, but I do it, and I have gotten very stealthy at it. I am a Stealth Photographer. What I photograph is ‘distressed’ properties. Hundreds of them every month. In good neighborhoods and bad, but mostly bad. I drive through some streets where every third house is vacant or abandoned; foreclosed upon and bank owned in many cases, but often the bank simply has not had the time to process the paperwork. There are so many foreclosures that the banks cannot keep up, and values are dropping fast enough that the banks have trouble understanding what the real market value might be. So in order to assess value, in Phoenix it has become customary for banks to contract with real estate brokers to offer an opinion of value on a property. This is all part of what is called a Broker Price Opinion, or BPO for short. Think of it as “appraisal lite”. And as my wife is a real estate broker, she gets a lot of these requests to gauge relative market value. Wanting to help my wife out as much as possible, I take part in this effort by driving past the homes and taking photos of homes the banks are interested in. And when you are in a place where the neighbors are not so neighborly, you learn some tricks for not attracting attention. Especially in the late afternoon when there are 10-20 people hanging around, drinking beer, waiting for the Sherriff to come and evict them. This is not a real Kodak moment. You will get lots of unwanted attention if you are blatant about it and walk up and start shooting pictures of someone’s house. Best case scenario they throw a bottle at you, but it goes downhill from there quickly. So this is how I became a Stealth Photographer. I am a master with the tiny silver camera, sitting it on the top of the door of the silver car and surreptitiously taking my shots. How to hold the camera by the rear view mirror but pointing out the side window so it looks like I am adjusting the mirror. I have learned how to drive just fast enough not to attract attention, but slow enough so the autofocus works. I have learned how to set the camera on the roof with left hand, shooting across the roof of the car. My favorite maneuver is the ‘Look left, shoot right’ because it does not look like you are taking a picture if you are not looking at the property. Front, both sides, street, address and anything else the bank wants, so there are usually two passes to be made. There is a lot to be said about body language, when to make eye contact, and confidence in order to avoid confrontation for personal safety and security. I have done this often enough now that it is totally safe and seldom does anyone know what I am doing. Sometimes I go inside the homes to assess condition and provide interior shots. I count bedrooms, holes in the walls, determine if any appliances or air conditioning units still remain. Usually the appliances are gone, and occasionally the light fixtures, ceiling fans, light switches, garage door opener and everything else of value has disappeared. One home someone had even taken the granite counters. Whether it is a $30k farmer’s shack or a $2M dollar home in Scottsdale, the remains are remarkably consistent with old clothes, broken children’s toys, empty 1.75?s of vodka and beer bottles being what is left behind. For months now I have been hearing these ads on the radio about crime in Phoenix escalating. The Sherriff’s office attribute much of this to illegal immigration, with Mexican Mafia ‘Coyotes’ making a lot of money bringing people across the border, then dropping immigrants into abandon houses. The radio ads say if you suspect a home of being a ‘drop house’ for illegal immigrants to call the police. I had been ridiculing the ads as propaganda and not paying them much attention with immigration numbers were supposed to be way down in Arizona. Until this last week … when I walked into a drop house. That got my attention in a hurry! They thankfully left out the back door before I came in the front, leaving nothing save chicken wings, broken glass, beer and toiletries items. This could have been a very bad moment if the ‘Coyotes’ had still been inside. Believe me, this was a ‘threat model’ I had not considered, and blindly ignored some of the warnings right in front of my ears. So let’s just say I am now taking this very seriously and making some adjustments to my routine. Share: