Early Lessons Learned from Capital One Data Breach

Capital One, one of the nation’s largest financial institutions announced that one of its employees has gone rogue and was responsible for stealing information from consumers, and small businesses.

This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. 1 million Canadian Social Insurance Numbers were compromised as well.

Capital One stored consumer and small business information on S3, a cloud storage offered by Amazon.com.The court complaints detail the investigation conducted by the FBI that enabled an attacker to access download data from Amazon S3 from up to 700 different S3 Buckets.

There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.

Something as simple as a misconfiguration can have huge consequences to an organization’s reputation. With a growing number of data breaches from medical records to how one purchases, it is starting to paint a comprehensive picture on the average individual. With any technology implementation, due diligence must be performed to reduce the likelihood of a cyber breach.


Cloud Computing does not outsource risk and security

Cloud computing is simply borrowing someone’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change of ownership of computers, and where data lives on a day to day basis. At the end of the day, it is on executive management and senior management to understand and accept that risks and security burdens are still on the organization but appears differently operationally. Cloud is not the silver bullet to your security challenges.

Regular Reviews

We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. Achieving a passing score is an important metric but achieving it by any means possible sets an entire organization back because it does not allow the necessary resources to be allocated to address gaps identified during these reviews. When sick, we do not get better unless we disclose all the symptoms to a doctor can assess and prescribe the correct medicine.

Soft Skills

Technologists, practitioners, subject matter expects, and management need better soft skills. The days of assume that management understands everything is long gone. The days in which technologists and practitioners staying in their cubicles or digital walled gardens is no longer possible. Technical experts need to improve their abilities in communicating risks of adopting technology. Management needs to press upon their technical experts to due proper due diligence to identify risks.

Audit, Logging, Monitoring, and Acting Upon Them

A huge saving grace for Capital One was the level of detail the logs enabled them to reconstruct the series of unfortunate events. Organizations should have robust logging and controls in place to protect those logs. However, despite Capital One having these logs, the data breach went undetected for close to four months. Consistent active monitoring and knowing what to look for is essential to identifying anomalies quickly and rapidly. Your threat hunters are looking for needles in ever growing haystacks.

This data breach joins the long line of many. We can not accept that data breaches are the new norm. As we learn more from this insider attack, more lessons we should learn to minimize the likelihood of another data breach of this magnitude. We must be vigilant to protect our stakeholders who entrust us to protect our data, our identity, and our livelihood at all times.

Repost of: “No, You Really Can’t” by Mary Ann Davidson

This is a copy of a recently deleted blog entry by Oracle Chief Security Officer (CSO) Mary Ann Davidson. It was some of the best writing we have seen in quite sometime that we felt it was worthwhile to post a copy on this blog for posterity. A more formal reply will be composed after we stop laughing hysterically.

No, You Really Can’t – by Mary Ann Davidson

I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we’ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool – there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,” even though:

  • A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
  • A customer can’t produce a patch for the problem – only the vendor can do that
  • A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don’t just accept scan reports as “proof that there is a there, there,” in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.

For this reason, I want to explain what Oracle’s purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain “where the line is you can’t cross or you will get a strongly-worded letter from us.” Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Question: What is reverse engineering?
Answer: Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code “as written.” That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”

If you are trying to get the code in a different form from the way we shipped it to you – as in, the way we wrote it before we did something to it to get it in the form you are executing, you are probably reverse engineering. Don’t. Just – don’t.

Question: What is Oracle’s policy in regards to the submission of security vulnerabilities (found by tools or not)?
Answer: We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Question: Why are you going after consultants the customer hired? The consultant didn’t sign the license agreement!
Answer: The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer’s signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) “Nanny, nanny boo boo, big bad consultant can do X even if the customer can’t!”

Question: What does Oracle do if there is an actual security vulnerability?
Answer: I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Question: But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
Answer: Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *

Question: “But I hired a really cool code consultant/third party code scanner/whatever. Why won’t mean old Oracle accept my scan results and analyze all 400 pages of the scan report?”
Answer: Hoo-boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing – nothing** – when we could be spending those resources, say, fixing actual security vulnerabilities.

Question: But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
Answer: Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don’t claim to find everything. That fact still doesn’t justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which – frankly – hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Question: Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
Answer: <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Question: If you don’t let customers reverse engineer code, they won’t buy anything else from you.
Answer: I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they’d have to sign – a license agreement! With the same terms that the customer had already admitted violating. “Honey, if you won’t let me cheat on you again, our marriage is through.” “Ah, er, you already violated the ‘forsaking all others’ part of the marriage vow so I think the marriage is already over.”

The better discussion to have with a customer —and I always offer this — is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Question: Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?
Answer: Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is – my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):


    1. Thunder Below! (“whoo boy, must be hot stuff!”)
    2. Naked Economics (“nude Keynesians!”)***
    3. Inferno (“even hotter stuff!”)
    4. At Dawn We Slept (“you must be exhausted from your, ah, nighttime activities…”)

My response is that I don’t have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN 2) a book on economics 3) a book about the European theater in WWII and 4) the definitive work concerning the attack on Pearl Harbor. )

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although “dodos” and “true believers in Keynesian multipliers” are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

#1YearToGo and Brazil Launches Corruption Probe in Olympics Scandal

Members of a local rowing club practice among floating dead fish at the Rodrigo de Freitas Lagoon that will host rowing and canoeing events during Rio 2016 Olympic Games. (Yasuyishi Chiba/AFP/Getty Images)
Members of a local rowing club practice among floating dead fish at the Rodrigo de Freitas Lagoon that will host rowing and canoeing events during Rio 2016 Olympic Games. (Yasuyishi Chiba/AFP/Getty Images)

One of our readers sent in a couple of news tip about how the Brazilian Government is launching a massive investigation into the corruption associated with the 2016 Olympic Games.

Here are a couple of highlights from the main article that caught my attention

  • Rio’s city government is at times being forced to act like a bank, lending companies money to prevent a slowdown in construction
  • OAS, one of Brazil’s biggest construction firms, filed for bankruptcy protection in March after its credit lines dried up. OAS is part of the group that is behind the very much delayed Deodoro Sports Complex.
  • Mendes Junior SA backed out of a contract to fix the drainage around the Maracana soccer stadium set to host Olympic matches.
  • Rio has admitted it will fail to make good on promises it made in its Olympics bid to improve the sewage system and reduce water pollution in the Guanabara bay by 80 percent.

Forgive me, but the fact that the Rio government is bailing out construction companies is quite concerning. Moreover, it appears the Government too itself is at fault for not paying these construction companies in time so they can complete payroll and pay operational costs. Combine that with the recent discovery that Glanders disease was discovered at Rio Olympic Sites, we have a disaster beyond our imagination waiting to happen. Even Ganders is recognized by the Center for Disease Control as something that could potentially infect humans, despite it normally affecting animals.


What we have here ladies and gentlemen, is a diseased ridden country, with corruption that’s touched all corners of the Rio government that it can’t even pay its own vendors on time. Moreover its these same vendors who are caught in a massive investigation on accusations of bribery and corruption.

We are ONE YEAR AWAY from RIO and we’re just barely dealing with this? I walk away in disbelief in this article that two construction firms are in massive trouble, with one of Brazil’s largest firms about to go under because of the sheer crushing volume of debt and another one who’s broken contractual agreements (likely because of the lack of payments from the Brazilian government). That’s two construction companies who are likely not operating or assisting in construction.

We also have two means of infectious diseases impacting guests and athletes of the 2016 Olympic Games: From contaminated water and sewage impacting the Guanabara Bay AND now Glanders impacting horses, trainers, vets, and countless others.

The 2016 Olympic Games is becoming a death trap. There are no backup plans for ANY of the venues, and right now, both animal and humans lives are at risk.

If I was an athlete, I would say no to Rio. If I was a coach, I would be demanding the IOC move the 2016 Summer Olympic Games right now.

It’s clear that no amount of money thrown at these problems will correct these problems in a manner that would be safe for both spectators and athletes. The most valuable currency the Rio and Brazilian Government needs is time, and it is something they do not have enough of.

It is after all one year until the 2016 Summer Olympic Games.

AP Investigation: Rio’s 2016 Olympic Waters Highly Contaminated

Last week, the Associated Press (AP) published the results of an independent investigation for both viruses and bacteria in the waters surrounding the boating and swimming areas.

The results: According to the AP, “the water is so contaminated with human feces that they risk becoming violently ill and unable to compete in the games”

In some instances, some tests show that there is “1.7 million times the level of what would be considered hazardous in a Southern California beach”. It is essentially “raw sewage”.

In fact, not one water venue was found safe for any water sports, swimming, or boating.


Forgive me, but President Bach, members of the International Olympic Committee (IOC) – We are one year away from the 2016 Olympic Games. Where is your concern for the welfare of athletes? Do athletes need to suffer from massive illness, or even death before the IOC will act and intervene?

These latest results are screaming “move the Olympics”. Brazilian officials are not planning any alternative venues should these venues not be ready. Experts are weighing in that 99% of all athletes who swim in those waters will likely contract something if they ingest just three teaspoons of water.

We are asking for a HUGE black eye for the Olympics where politics and money trump common sense. It will be a massive, huge distraction from the Olympic games should athletes fall ill, or even, die from something that is preventable.

Even Rio Gov. Luiz Fernando Pezao has acknowledged “there’s not going to be time” to finish the cleanup of the bay ahead of the games.

Members of the IOC, it is time to make the judgement call. It is time to put the welfare, and health of athletes ahead of all else. Brazil and Rio has had their chance to be on the global stage. They’ve had more than sufficient chance to prepare for the Olympics.

Now it is time for Rio bow out.

2016 Rio Olympic Games Construction Update

Thanks to one of our readers, they sent us a link for a construction update on the 2016 Olympic Games in Rio as of June 15, 2015. The Daily Mail, granted, while not the most popular piece of journalism out there, did take quite a few photos and videos.


0 (14)

Ideally the Olympic Village should start resembling as proposed above, however, the reality is that after looking at several of the photos and aerial footage taken by the Daily Mail, I’m astounded at how far behind they are.

Alex Riberio for Mail Online. Photo Courtesy of The Daily Mail
Alex Riberio for Mail Online. Photo Courtesy of The Daily Mail.

There are additional photos, videos and details available at The Daily Mail. Construction is in complete disarray. Several buildings are really just concrete foundation. There is a complete lack of urgency that the games are 400 days away, and nothing is completed. This is clearly becoming classic case of “over-promising and under-delivering”. It appears only three of the venues on the map are remotely complete, and that’s just externally.

Even though they have the exteriors of a few facilities complete, they still have to build out each of the stadiums internally. That means plumbing, electrical, heating, ventilation, air and cooling! We are not even factoring in other things such as seating, signage, concessions, and other arena amenities.

According to Wikipedia, there are 34 proposed sporting venues. Of which, 10 of them do not require any permanent work. 8 requires some permanent work. 9 more venues require brand new construction and there are still 7 temporary venues that need to be worked on.

The writing is on the wall, and it is clear as day that Rio is completely far behind. The situation is grave, and the 2016 Olympic Games are at risk. The budget risks are swelling to astronomical proportions, and no doubt the International Olympic Committee is wearing Rose Colored Glasses thinking and believing everything will still be delivered on time. Construction, project, and budget risks are not being managed.

If what the Daily Mail witnessed is true, the Brazilian Government is in complete disarray and disharmony, not able to work together to bring the 2016 Olympic Games to fruition in Rio.

Rio is so far behind it makes the Athens Games look competent. Can they pull off a Hail Mary like Athens? Doubtful in my opinion as Greece has full access to existing infrastructure and technical resources in the European Union that enables them to recover. Remember they barely delivered all venues on time in the July/August 2004 time frame! Literally down to a few days before the Olympic Games. The situation is completely different in Rio and they may not have the resources or existing infrastructure to accomplish what Greece did.

It is time to select and enact Plan B, International Olympic Committee. It is time to rescind the games from Rio and award it to another city.


A Case for Moving the 2016 Olympic Games to Los Angeles

2016 Rio Olympic Games LogoThe 2016 Olympic Games are scheduled to begin in a little over 400 days. That is 400 days to complete venues. 400 days to build infrastructure. 400 to prepare to invite the world to the 2016 Olympic Games. The sad reality is that Rio is not ready.

In May, Reuters ran a piece on the readiness of Rio:

  • Rio has only 10% of 56 Olympic Construction, overlay and energy projects are finished. This is in contrast with 80% for the 2012 London Olympic games
  • State-run Oil Company Petrobras is embroiled in a corruption scandal, which has implicated several construction firms delivering Olympic Projects, is adding to the possibility of delays.
  • Deodoro – The second largest cluster of Olympic Venues located west of Rio where 11 sports including equestrian, BMX Biking, and kayaking will take place is completely unfinished
  • Deodoro has limited construction going on – mostly scaffolding about two stories high but nothing else.
  • Contracts have yet to be tendered to build the beach volleyball stadium on the sands of Copacabana
  • Guanabara bay – where sailing is suppose to be held – is a complete health hazard. The promises to clean the bay will not be cleaned in time.
  • Temporary venues for rugby and mountain biking have not been selected.
  • Power contracts have not been awarded yet. London awarded them in 20 months before the London games began. There are less than 14 months left before the Rio games begin.

Even Senior International Olympic Committee official John Coates commented that Rio’s readiness for the Olympics are the “worst I have experienced”

It is safe to say Rio is no where near ready, and we’re getting to a point where we’re nearing a level of incompleteness similar to Sochi.


The Case for Los Angeles

2024 Los Angeles Olympic Bid
2024 Los Angeles Olympic Bid

Los Angeles last held the Olympics in 1984. Despite the passage of time between 1984 and 2015, much of the venues have since has been refurbished, modernized, maintained, or replaced. Unlike the venues of the 2004, 2008, and 2012 Olympic games, they still exist and are actively being used in one capacity or another.

In fact, Los Angeles may be one of the very few cities that can adequately be ready in the compressed timeframe of a little over a year. With its recent 2024 bid, arguably, 95% of the plans of where sports should be held are complete. There are a few exceptions as some venues proposed in the 2024 plan are not remotely ready (example: Farmer’s Field)

Proposed 2016 Venues (Adapted from the 2024 Plans)

  1. LA Memorial Coliseum – (Opening Ceremonies, Closing Ceremonies, Track and Field)
  2. LA Convention Center – (Badminton, Gym – Rhythmics, Gym – Trampoline, Table Tennis)
  3. Staples Center – (Volleyball Finals – Indoor, Gymnastic Artistic)
  4. Galen Center – (Basketball)
  5. LA River – (Canoe/Kayak Slaom
  6. Uytengsu Swim Stadium – (Diving)
  7. Microsoft Theatre aka Nokia Theatre – (Fencing – Finals)
  8. Aquatics Center – (Swimming, Sync, Swimming)
  9. LA 84 Foundation Swim Stadium – (Water Polo)
  10. Walt Disney Concert Hall – (Taekwondo Finals)
  11. Shrine Auditorium – (Weightlifting)
  12. Drake Stadium – (Archery, Cycling – BMX)
  13. Pauley Pavilion – (Basketball Prelims 2)
  14. Rivieria Golf Club – (Golf)
  15. Corsair Stadium – (Field Hockey)
  16. Santa Monica Beach – (Triathlon, Volleyball – Beach)
  17. Velo Sports Center – (Cycling – Track)
  18. StubHub Track Stadium – (Field Hockey)
  19. StubHub Soccer Stadium – (Rugby, Football)
  20. StubHub Tennis Stadium – (Tennis)
  21. Long Beach Marine Stadium – (Canoe/Kayak Spring, Rowing)
  22. Walter Pyramid – (Handball)
  23. Long Beach Marina/Queen Mary – (Sailing)
  24. Long Beach Arena – (Handball)
  25. Long Beach Convention Center – (Judo, Taekwondo, Wrestling)
  26. Griffith Park – (Cycling – Mountain Bike)
  27. Hollywood Sign – (Cycling – Road)
  28. Santa Anita Park – (Equestrian)
  29. Hollywood Blvd – (Fencing)
  30. Rose Bowl Stadium – (Football Finals and Prelims)
  31. Qualcomm, AT&T, Sam Boyd Stadiums – Football Prelims 3, 4,& 5)
  32. The Forum – (Volleyball – Indoor)
  33. Fairplex Fairgrounds – (Modern Pentathlon, Shooting)
  34. Rodeo Drive – (Triathlon)

Possible other venues that could be used that was not proposed for 2024:

  • Dodgers Stadium
  • Angels Stadium of Anaheim
  • Honda Center for Basketball or Boxing
  • Anaheim Convention Center (Used in 1984 Olympics)
  • Ontario Convention Center
  • Mount San Antonio College
  • California State Polytechnic University Pomona
  • California State Dominguez Hills (Used in 1984 Olympics)
  • California State Fullerton (Used in 1984 Olympics)
  • East Los Angeles College (Used in 1984 Olympics)

Despite not having Farmer’s Field to host basketball, Los Angeles has a huge amount of additional venues capable of hosting any number of additional sporting events. All these facilities are actively being maintained and used.

If anything, the possibilities of being ready in a short amount of time is realistic. The money being invested into Rio could be invested into Los Angeles in building out mass transit for the residents of Los Angeles as a thank you for saving the games.


Let’s face it. Los Angeles is more ready than Rio, and it isn’t even trying. International Olympic Committee, it is time to face the reality that Rio isn’t ready. No amount of money we throw at it will have it ready in time. Let’s save face for the Olympic Games. Let’s move the games to Los Angeles.

Athlete’s health and safety are in jeopardy. The reputation of the Olympic Games are at risk. It is time to accept the fact that we need to execute Plan B, and Los Angeles may be the only real city that wants the Olympics and is ready for the 2016 Olympics.

What’s Next for Rio and us

2016 Rio Olympic Games LogoChronos and I have been spending a lot of time, talking offline enjoying the wonders and taking in life. Since 2009, we have been authoring the disasters of Internet Brands and vBulletin. Here we are six years later, and it is safe to say things have gone from bad to worse. Needless to say, our voices fell on deaf ears at Internet Brands, and the outcome was less that spectactular (unless you count the spectactular blunder that is called vBulletin 5).

We both have been talking as of late what to do with this blog. We both agreed that walking away from it is not in the best interest as we have a unique opportunity to share our thoughts and some very blunt truths.

We are still intending to blog about vBulletin and how Internet Brands is more like “imitation brands” but we’re taking the unique opportunity to occasionally talk about other upcoming disasters.

We will be blogging in the coming weeks about multiple upcoming disasters, and one of them comes to mind: the Journey to Rio – as in the 2016 Summer Games.

Both Chronos and I are avid sports enthusiasts and we have been appalled at the fact the International Olympic Committee and the host country has been mismanaging the project. In fact, both of us are once again in a similar spot to where we were six years ago: Frustrated at a management team who is completely disconnected from what is happening at the front lines. Both Chronos and I felt it’s time to voice our opinion as there is something more at stake.


The issues and problems facing the Rio games are so bleak, my heart becomes heavy thinking about all the friends and families of athletes to have to endure and suffer through the 2016 Games due to potentially inadequate or shoddyly, and hasily constructed facilities.

In fact, the official word from the International Olympic Committee is that there is no backup for Rio. In fact, the only solution they have at this point in time is to throw more money at the Rio games in an effort to get things complete by 2016.

The reality is that money can fix many things, but it won’t fix cultural issues and continously gross mismanagement. Sochi was a clear indicator for that, and it was a massive spectacle as athletes that the 2014 Winter Games started trending on social media as #sochifails.

As we head into the 2016 Summer Games, it appears the sheer volume of #riofail are growing, and tensions are rising. The safety and welfare of atheletes, coaches, and guests from around the world are in jeopardy. The reputation of the Olympic Games are at stake.

Hard Decisions need to be made. These are no ordinary times. It is time for extraordinary actions and steps to be taken. Politics be damned, there is more at stake than simply the pride of a country. It is the pride of the entire world.
It is time for the International Olympic Committee to recind the games from Rio and move it to a city that has facilities that can support the summer games. Move the games to Beijing. Move it to Atlanta. Move it to Sydney. Move it to Los Angeles.

Either way, a disaster beyond our imagination is growing in Rio.

vBulletin 5 – Years Later…

Chronos and I have been busy with real life. Sadly, we both gave up on vBulletin. The once iconic forum platform is now a smoldering piece of dung. No one loves being told their baby is ugly. Sadly, ugly is putting it politely.

We cracked open the mailbag curious to see what’s left of the ashes, and we found no phoenix. Only more scathing letters. We’re adding another one from Will this week.


Sharing my Story
By Will D.

So nearly a decade ago I logged into my first vBulletin and helped a friend run a forum.  It was slick, it did it’s job exceptionally well.  Around the time vBulletin 4 came out I purchased and configured my first vBulletin forum and ran it for several years without problems.  Regular updates went smoothly, bugs were few and far between and in general the product was simply excellent. I’ve since moved in from that community and shut it down, but it was an exceptional experience.

When I started seeing vBulletin 5 Connect advertisements hit my mailbox I checked out the Beta and saw what I expected to be a huge leap forward in the CMS/Forum software.  Recently I found myself needing to setup a CMS and Forums for a non profit and wanted something I was relatively familiar with and would be rock solid.  Without a thought I advised we purchase vBulletin 5 Connect assuming it would be vBulletin 4’s feature set improved/expanded…
The product having been released for nearly a year, with the current version of 5.0.5, I assumed most of the early adoption pains would be absent, and that I’d be dealing with a rock solid product that was going to make my life easy.
Imagine my disappointment when I find out that two key features, Calendar and CMS were simply left out of the release.  The CMS was expected for 5.1.0… which had a very loose ETA of ‘End of 2013’.  The Calendar isn’t even planned at this point!  I was stunned.
I took a good look and realized I could limp along with their existing features until 5.1.0 released and went ahead setting up my forums.  What I didn’t know is the number of ‘bugs’ I’d run into that would qualify as ‘major’ in my mind that vBulletin support simply accepts as facts of life.
Images have no configuration options in posts… they are supposed to, but it will be fixed in 5.1.1… maybe…
Insert a table and it ignores settings you configure in the UI… it looks fine in the WYSIWYG editor and when you click post goes to the most basic table without any options.  vBulletin support’s answer to this?  They simply say it’s the way CSS and HTML interact and I need to advise users to use the advanced tab and apply formatting that way… yea, good answer.
At present my forums just went live with a small community of users and I’m frankly looking for an alternative that will give me CMS options with a solid Forum backend… once I find this I’ll be buying it out of my own pocket and migrating away from vBulletin forever.


vBulletin – Not fit for purpose (or use) – By TheDevil666

vbulletin-5-homepageAs a vBulletin user for many many years I just wanted to take the time to say how disappointed and cheated I feel with my recent purchase of vB5.

I run many forums and use vBulletin 4.x, IP Board and Xenforo, for my latest forum which I have invested a lot of time and money into I wanted the latest forum software and decided on vB5. I had not read any reviews which is obviously a mistake on my part and solely went on the fact that up until now vBulletin have been by far the market leader, I was comfortable using it and to be honest vB4 was pretty good, surely vB5 would be an improvement?

So I paid the $399!!! …within a week or so I could see that there were lots of changes and that lots (and I mean lots) of functions literally didn’t work. Now this was a fresh install of vB5 so not an upgrade so the optimal conditions really.

I decided pretty quickly that this software was not fit for purpose and asked for a refund, where I was told that as I had downloaded the software this was not possible and that I could sell the licence to someone else if I wanted, but obviously I wouldn’t get my full money back and who in their right mind would buy it?

As I didn’t have much choice I decided to persevere as I thought the next update would fix a lot of the problems I was having, in all honesty the latest update caused more problems than the initial version and this time when I tried to contact technical support I was literally a few days out of the ‘free month of support’ and told to post on the forum or pay for additional support.

Now to be honest I don’t have much spare time and didn’t want to create multiple threads on the problems I was now having so paid for an extra months support where I could detail all the issues in 1 email, hoping they would be fixed. This was a complete waste of money and time as all they do is direct you to JIRA!!! …and rarely actually fix any of the problems there and then.

My issue with JIRA is I have to spend the time either searching for someone else with the same problem and vote for the issue to be fixed or take the time to explain the problem I am having in multiple new posts hoping someone will also have this issue in order for it to actually be fixed. There is never a quick solution and no guarantee that my problems will ever be fixed.

Wait a minute didn’t I just pay $399 for this software and an additional $40 odd dollars for support? Why the hell am I having to spend time pointing out all these problems in the hope that someday they will be fixed? Wasn’t this software extensively tested before being released or is that now my job after spending a fortune on it? vBulletin know of all these problmes yet the product is still for sale.

One day when all the bugs are ironed out Vbulletin will have a great platform once again and reap the rewards, but it is at our cost as we are the people having to point all these problems out and struggle by with software that doesn’t work at the moment.

In my opinion this software was released waaaaaay before it should have been, it is nowhere near as good as vB4, IP Board or Xenforo which would have been a start and has endless bugs and issues that should have been fixed before release. Some of the issues literally stop users from using my forum so in my opinion it is not fit for purpose.

Just simple things that should just work, MARK CHANNELS READ button not working, seriously how hard can that be to fix? Site Maps not working, not that that’s an important function, it’s not like Google ask for a Site Map or anything. Errors when members post. No RSS feed, lots of forums like to post out to their twitter feed, not with vB5!!!!

vBulletin should be ashamed of the whole situation and the position they have left myself and many many other people in, I literally feel like I have been ripped off!

I am sure if this post is allowed to stay that I will get the obligatory ‘I am sorry you feel this way’ but that doesn’t fix any of the problems I have had and currently have.

vBulletin 5 – The World’s Most Disappointing Forum Software by BUSA

vbulletin-5-homepageI made the biggest mistake ever to trust vBulletin. I was using VB 4 with minor issues but having faith in the company, I upgraded to VB 5. It’s been down the road since then. Been a big fan of VBulletin since 2004, but really disappointed with the latest VB 5. I have upgraded to all latest versions of the software (VB5) and all are having some error or the other. So many issues, it’s baffling. If you can’t make a trouble free software, why launch it in the first place?

Even after using the latest version of VB 5, I have following problems –

  1. In-line image addition does not work.
  2. User gets pop up when posting a reply -“You did not answer the question correctly”.
  3. Upload more than 3 images, they won’t show in the post.
  4. Start a new thread and the title changes to the title of the last picture uploaded.
  5. Open (not start but open in a browser) multiple posts and some posts won’t have the comment box below.
  6. and many more..

So thanks to VB5, I have spent so much time, energy and money on it. Needless to say, my web designer has given up after having spend hours (for which I had to pay). I will make sure others don’t face this issue but telling them not to buy VB 5, at least not till the issues are resolved.