
Cloud “shiny rocks” and your SOC

Posted by Brandie on March 20, 2016 in Information Security |

Original post for HPE Security Research Blog 5/4/2015

I love the cloud. What could be better than access to my data from a beach, my phone in Las Vegas, or just between work and home without the need for a massive laptop hard drive? What’s not to love?

Until someone mentions cloud security and reality crashes the party. Working with security operations centers (SOCs) and SIEM implementations, I get calls from companies saying, “we are moving (some mission-critical corporate asset) to the cloud; do you know a good security provider for that?” Yes — you. Who cares more about your data than you? We know your CISO went to a meeting, and a great cloud-SOC shiny rock distracted him. But you must be strong; you’ve got this.

At RSA last month, Mark Russinovich, the CTO of Microsoft’s Azure cloud offering, gave a presentation on cloud security, citing real examples from internal users of Azure. His first example highlighted both the good and the bad possibilities of cloud implementations. In the incident he described, a company VM was compromised. Once the customer was contacted and reviewed their logs, it was discovered that the A/V had been disabled on the VM, and that the logs were coming into the company but were not being fed into their SIEM. This oversight was why they did not notice the A/V disable event.

My focus here is on the logs and your SIEM. Most major cloud providers have mechanisms to return logs to the customer from their services. You do not need a special cloud version of a SOC; these are logs, the same logs you deal with all day, every day. Bring them into your infrastructure and feed them into your SIEM. The difference may be in your asset tagging, as the IPs may have a different destination; the source IPs, however, should be identical to current threat traffic. Once an event is identified as cloud, you may wish to manually change the event prioritization based on the cloud data type or service criticality.

What I have seen too many times is a situation in which a cloud solution is chosen because it is expected to be faster and easier to implement than the on-premises solution. The danger in these deployments is exactly the miss in the earlier example. In the breakneck pace at which cloud applications are deployed, someone remembered to involve security and get the logs ported back inside. However, no one followed up with the SIEM team or the SOC to ensure someone was actively monitoring the deployment. A good cloud deployment project plan must include security steps all the way through SOC monitoring to avoid these scenarios.
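The two failure points in the Azure story, an A/V disable event nobody prioritized and a log source that was arriving but not monitored, are both ordinary SIEM checks once cloud hosts are in the asset inventory. The script below is an added example, not code from the original post or from any vendor; the hosts, IPs, users, log lines and the one-hour "silent source" window are all constructed.

```python
"""Cloud logs are the same logs: run the existing detection rule over them,
let the asset inventory (not the log format) supply the cloud tag and the
criticality, and check that every source the deployment plan promised is
actually arriving. Added example; every host, IP, user and line is constructed."""
import re
from datetime import datetime, timedelta

# Constructed asset inventory: cloud hosts differ only in tag and criticality.
ASSETS = {
    "10.0.5.20":  {"name": "erp-app-01",    "location": "onprem", "criticality": "medium"},
    "172.16.8.4": {"name": "billing-vm-01", "location": "cloud",  "criticality": "high"},
    "172.16.8.9": {"name": "build-vm-02",   "location": "cloud",  "criticality": "low"},
}
# Log sources the (constructed) cloud deployment plan says must reach the SIEM.
EXPECTED_SOURCES = {"erp-app-01", "billing-vm-01", "build-vm-02"}

# Constructed syslog-style lines; note that build-vm-02 never shows up.
SAMPLE_LOGS = """\
2015-04-20T09:01:12Z 10.0.5.20 av[412]: service status=running
2015-04-20T09:03:44Z 172.16.8.4 av[981]: real-time protection disabled by user=svc_deploy
2015-04-20T09:04:02Z 172.16.8.4 sshd[1201]: Accepted publickey for svc_deploy from 198.51.100.7
2015-04-20T09:10:30Z 10.0.5.20 av[412]: real-time protection disabled by user=jsmith
this line is not syslog and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
AV_DISABLE_RE = re.compile(r"protection disabled", re.IGNORECASE)
PRIORITY = {"low": 1, "medium": 2, "high": 3}
CLOUD_BUMP = 1  # the manual "this is a cloud asset" prioritization adjustment
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Parse one line and enrich it from the asset inventory; None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(ASSETS.get(ev["ip"], {"name": ev["ip"], "location": "unknown", "criticality": "medium"}))
    return ev


def detect_av_disabled(events):
    """One rule for every host; only the priority is adjusted by asset context."""
    alerts = []
    for ev in events:
        if ev["proc"] == "av" and AV_DISABLE_RE.search(ev["msg"]):
            prio = PRIORITY[ev["criticality"]] + (CLOUD_BUMP if ev["location"] == "cloud" else 0)
            alerts.append({"host": ev["name"], "location": ev["location"], "priority": prio, "ts": ev["ts"]})
    return alerts


def silent_sources(events, expected, now, max_age):
    """Expected sources with no event inside max_age: logs promised but not arriving."""
    last_seen = {}
    for ev in events:
        ts = datetime.strptime(ev["ts"], TS_FMT)
        last_seen[ev["name"]] = max(last_seen.get(ev["name"], ts), ts)
    return sorted(n for n in expected if n not in last_seen or now - last_seen[n] > max_age)


def analyze(raw_logs, now_iso, max_age=timedelta(hours=1)):
    """Run both checks over a log batch; now_iso is the SIEM's clock (ISO 8601 UTC)."""
    events = [ev for ev in map(parse, raw_logs.splitlines()) if ev]
    now = datetime.strptime(now_iso, TS_FMT)
    return {"alerts": detect_av_disabled(events),
            "silent": silent_sources(events, EXPECTED_SOURCES, now, max_age)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS, "2015-04-20T09:30:00Z")
    for a in sorted(result["alerts"], key=lambda a: -a["priority"]):
        print(f"P{a['priority']} A/V disabled on {a['host']} ({a['location']}) at {a['ts']}")
    print("expected sources not seen in the last hour:", result["silent"])
```

The silent-source check is the one the SOC in the story needed: it fires on a deployment that was promised to the SIEM and never arrived, independent of any event content.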

A good deployment project plan for any service deployment or sensitive data should include security steps through SOC monitoring — but today is about the cloud. With new cloud directives and obvious public threat vectors, it is vital to get log monitoring buy-in. Use Mark’s example in your next cloud deployment meeting and give the SIEM a chance to right past log gathering and monitoring wrongs. I believe in a SOC/SIEM renaissance with the cloud; this is our time to shine.



Think like a bad guy: Know your environment

Posted by Brandie on March 20, 2016 in Information Security |

Original post for HPE Security Research Blog 7/29/2015

Security teams often lament the lack of support from IT or application owners in identifying critical assets. The logic goes something like this: if we don’t know what is important, we don’t know what to protect. This frustration is what the buzzword “context” is really about. Without context, organizations default to an unwieldy “protect everything” stance. Consider a bad guy: he may be after targeted intellectual property in your environment, but just as often he is fishing, hoping to get lucky. In this respect, the defender and the bad guy are on equal footing. A network exists with valuable information, and neither side knows what or where it is.

Reconnaissance is the first step in all attack models

The bad guy understands it is his job to mine for gold. It may take him months to stealthily scan, identify, and catalog your environment. He knows the SharePoint servers, domain controllers, database servers, and application servers. Unfortunately, many defenders do not do the same.

Sun Tzu said, “If you know neither the enemy nor yourself, you will succumb in every battle.”

Thinking like a bad guy starts with reconnaissance. This is your network, and as a defender, it is your responsibility to learn it. If you have a vulnerability scanner, or simply nmap and a web browser, you have the tools you need. Some examples of reconnaissance you can perform:

Read press releases for services, products, keywords, or technology partnerships.

Search LinkedIn or other social network sites for individuals from your company looking for specialized or common technology skills.

Review the internal company portal for information or initiatives that may not be public.

Scan and document all devices on your network.

Establish the complete list of critical infrastructure such as authentication servers, email and such, and then attempt to categorize what is left based on your research.
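The last two steps, scan the network and then separate the obvious critical infrastructure from what is left to research, can be done with nothing more than nmap's grepable output and a few lines of parsing. The script below is an added example, not code from the original post; the scan output, host names and the port-to-role rules are constructed and meant to be adjusted to your own environment.

```python
"""Turn an nmap sweep into a first-cut asset inventory: parse grepable (-oG)
output, name the critical infrastructure by the services it exposes, and leave
everything else as 'uncategorized' for follow-up research. Added example, not
from the original post; the scan output and role rules are constructed."""
import re
from collections import Counter

# Constructed -oG output, as written by: nmap -sV -oG scan.gnmap 10.0.0.0/24
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated Mon Apr 20 09:00:00 2015 as: nmap -sV -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.5 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.5 (dc01.corp.example)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 10.0.0.12 (mail01.corp.example)\tPorts: 25/open/tcp//smtp///, 143/open/tcp//imap///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.30 (sp01.corp.example)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.5/, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 10.0.0.41 ()\tPorts: 1433/open/tcp//ms-sql-s///\tIgnored State: closed (999)
Host: 10.0.0.77 ()\tPorts: 22/open/tcp//ssh///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
# Nmap done at Mon Apr 20 09:00:41 2015 -- 256 IP addresses (5 hosts up) scanned in 41.20 seconds
"""

# Ordered rules: the first matching role wins, so the most critical come first.
# Constructed for this example; extend with the ports your environment uses.
PORT_ROLES = [
    ("domain controller",      lambda p: {88, 389} <= p),             # Kerberos + LDAP together
    ("mail server",            lambda p: bool(p & {25, 143, 993, 995})),
    ("database server",        lambda p: bool(p & {1433, 3306, 5432, 1521})),
    ("web/application server", lambda p: bool(p & {80, 443, 8080, 8443})),
]


def parse_gnmap(text):
    """Collect open ports per host from grepable output; one dict per IP."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the 'done' footer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, name = re.match(r"(\S+) \(([^)]*)\)", fields["Host"]).groups()
        host = hosts.setdefault(ip, {"ip": ip, "hostname": name, "ports": {}})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            port, state, service = int(parts[0]), parts[1], parts[4]
            if state == "open":
                host["ports"][port] = service
    return hosts


def classify(host):
    """Assign a role from the open-port rules, or flag the host for research."""
    open_ports = set(host["ports"])
    for role, matches in PORT_ROLES:
        if matches(open_ports):
            return role
    return "uncategorized"


def inventory(text):
    """Parsed hosts with a 'role' field added: the start of the critical-asset list."""
    return {ip: dict(h, role=classify(h)) for ip, h in parse_gnmap(text).items()}


def role_counts(inv):
    """How much of the network is still unexplained; a maturity marker over time."""
    return dict(Counter(h["role"] for h in inv.values()))


if __name__ == "__main__":
    inv = inventory(SAMPLE_GNMAP)
    for ip, h in sorted(inv.items()):
        print(f"{ip:<12} {h['hostname'] or '-':<22} {h['role']:<24} {sorted(h['ports'])}")
    print(role_counts(inv))
```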

These activities are maturity markers, changing the security conversation to a business context: from burden of proof (tell me what I should care about) to confirmation of your assessment (these items appear valuable). Network management tools, CMDB systems, and other sources can give defenders a head start, but many settle for piecemeal or incomplete technology solutions to a problem that is simply time-consuming, messy work.

Defenders have the inside advantage; it is time to use it.



If you build it, will it be the Security Operations Center (SOC) you need?

Posted by Brandie on March 20, 2016 in Information Security |

Original post for HPE Security Research Blog 9/1/2015

Growing up, my mom used to tell me, “You get the guy you think you deserve.” Luckily, I found one who is better than I deserve, but the same principle applies to many aspects of life. During a conversation at Black Hat, an insurance organization security manager asked me about extending his SOC on a budget. Thinking back to my mom, I asked him a simple question.

Are you building the SOC you want or the one you can afford?

Needless to say, that stopped him in his tracks. There are many variables and many ways to build your security operations organization. At times, there is the temptation to stretch a budget to try and cover as many functions and security ground as possible. Unfortunately, this often leads to organizations that fail to cover anything effectively. In my experience, I see this far too often.

The SOC is an important function, and as much as security managers “get it”, sometimes those who control the purse strings do not understand the expenditure. High-profile breach headlines help start the security conversation, but many organizations still imagine it won’t happen to them. Alternatively, some organizations see the amount spent on a SOC without a major breach and believe the money was wasted. Having the “security talk” with those who don’t understand security can be challenging, but it is something that must be done every single day to protect the business.

Two methods to increase visibility that have worked for many SOCs are metrics and success stories.

What are you seeing in your environment? If the SOC is new and still working on hygiene issues, then tell that story, and yell it from the mountain top. Across the board, operations has a difficult time communicating its value to an organization. But to consistently ask for and receive the funding necessary to build the SOC you want, you must convince the organization of the value. To paraphrase the bumper sticker: If you think analytics are expensive, try ignorance. There are several security metrics books — a quick search shows the most popular. There are many resources available to help get you started. I have found that those just starting a metrics program and needing to understand theory benefit from Security Metrics: A Beginner’s Guide. In addition to the higher ranked security metrics books available, another work I feel gets overlooked too often is Pragmatic Security Metrics: Applying Metametrics to Information Security. Additional SOC metric recommendations are detailed in previous HP Protect Conference presentations, including this one on SOC maturity available at Protect724. Registration is open to everyone.

I won’t belabor what makes sense for your team to report – there are too many variables between differing organizations. However, don’t focus solely on metrics; another beneficial tool is success stories. Some cases, such as a traveling executive who picked up a data-stealing Trojan, can also be used to show value to the organization. The SOC detected it, helped him get it cleaned, and forensically verified no data was stolen. That’s a compelling story. Detecting the accounts payable group passing around a .gif cartoon that actually contained malware is another example success story. Weave a short narrative around detection and protection that shows how the SOC provides real value to the business. If you have detected something big, it is easy to convey that value, but don’t pass up small opportunities to tell your story. It’s even better if you can use the metrics you’ve collected to add a dollar amount of both real and potential losses. Executives might not be able to tell a rootkit from a router, but they understand dollars, euros, and yen.

Once you receive funding, focus. Prioritize what you believe will add the most value and spend an insane amount making your organization better at it than anyone. Detect bad things, report the results, get more funding, lather, rinse, repeat.

Build the SOC you want, because ultimately, it will be the one the organization needs. They just might not know that.

Yet.



Geeks and Cooking

Posted by Brandie on September 23, 2011 in Technology |

It is kind of funny to see how geeks approach cooking.

I tend to follow the recipe, just like an install: step 1, then 2, etc. If you do the steps out of order, it might work, but why take the chance?

I grabbed yet another cookbook the other day, Cooking for Geeks, which is a technologist’s dream. It explains the whys of cooking, for example, why a recipe calls for baking soda instead of baking powder from a chemical perspective. The author breaks down the chemical reactions that occur in a recipe to explain why you follow the steps of a recipe and the times when you can fudge it.

Of course, armed with this knowledge it is easier to experiment.

He, Jeff Potter, through his confidence-building style, convinced me to make Duck Confit, which, much to our surprise, both Dave and I liked.

On the high end of geeks and cooking, Dave forwarded me a note on the former CTO of Microsoft, Nathan Myhrvold, who has created a 5-volume set titled Modernist Cuisine, which for the low price of $477 you too can own.

In his series, he has cut cooking appliances, pans, etc. in half and analysed the process of cooking with beautiful full-color photos. I am really not sure how else to describe this work; it is that unique.

As interested as I am, I think I will wait until my local library gets a copy…

On another note, I am currently playing with BigOven. They have a Windows 7 phone app as well as, of course, an iPad/iPhone app and a website. You can scan your old recipe cards into it for storage, and they have a built-in recipe box of something like 180,000+ recipes. I haven’t played with all the options yet, but so far I like having my recipes handy via phone or iPad when cooking. More on this to come.

If you haven’t been to ThinkGeek lately, the cooking search will show you many fun cooking related things, a few of my favorites:

The Molecular Cuisine Starter Set – which is a cooking chem lab in a kit. Now you can find out how to make your own Bacon Salt.

The Corn Dog Factory – REALLY?

The Cheat Sheet Kitchen Apron – contains cooking guides, measures and conversions written upside down (so you can read while wearing) – how handy is that?

ThinkGeek has the Cooking for Geeks cookbook as well.

At least I know, as a geek learning and expanding my cooking abilities, that there are others out there blazing a geek trail to follow.




Up-day down-day eating

Posted by Brandie on September 21, 2011 in General Drivel |

Those of you that know me might say I can be a bit fanatical. Focusing on something, getting completely absorbed, etc.

I am on a new diet and I have to say I love it. (Disclaimer one…Obviously I am not advocating everyone try it, and before you start any diet please consult your physician- isn’t that what the standard disclaimers say…)

How I got to this diet starts with SPAM. Yep, you heard me, SPAM (no, not the canned meat product, the junk email).

I am on about 20 email newsletter lists for diet/exercise stuff, which is ironic given my absolute disdain for all things exercise. Regardless, a new SPAM email showed up marketing the One Day Diet. Apparently this is a plan where you buy their wafer things and eat one every half hour for one day, and then you can eat whatever you want the next day. The tagline for the diet is “anyone can be on a diet for one day”.

Yes, I know it sounds absurd…but what if they had a point?

So I started researching it and came across a Dr. Johnson who wrote a book in 2008 called the Alternate Day Diet. Well, I’ll be darned, he starts pointing out research on the health benefits of this type of diet. Yep, the hook is sunk and they are reeling me in.

In his version, you eat a subset of your recommended daily calories one day and, to lose weight, your recommended calories the next; or, for just the health benefits, you can eat whatever you want the next day. The research shows the health benefits are not based on a calorie-restricted diet but rather on the act of limiting the calories every other day. I will leave the details of this eating plan to his book. No, I don’t get a kickback.

Obviously I don’t know if this is hogwash or not, animal studies, asthma studies, yada yada.

Here is what I do know:

1) I feel good

2) My appetite seems to be shrinking

3) I have dropped about 12 pounds in 3 weeks (during which I had a Vegas trip in the middle)

Here is my second disclaimer: I also started back on my thyroid medicine, which will account for some of the incidental weight loss and potentially some of the “feel good” (at least that is what the doctors always tell me).

I do think there is some mental thing to dieting for one day: if I know I can have that Oreo cookie tomorrow, I can avoid it today. It isn’t like I have to give it up forever.

Does it work? I don’t know.

Will I keep doing it? Yep, I think so.

If you would like more information check out the website, http://www.johnsonupdaydowndaydiet.com/html/diet-landing.html.

Really, though, do the reading and the research to see if you feel this is a plan you are comfortable with; everyone is different.



Geek Post Alert: LulzSec aka Hacker group of the month

Posted by Brandie on June 27, 2011 in Information Security |

I have been pretty quiet on the whole LulzSec fiasco. Mostly because I feel like the traffic cop shouting “Nothing to see here, move along…”

This is the hacking group du jour. That’s it, nothing special. They claim they have done some things that should set them apart (did they really hack the CIA?).

Here is the rub: the really good crackers don’t tell anyone what they have cracked. (Crackers are bad guys; hackers are really people who find vulnerabilities and flaws. The media has chosen to use the name hackers for everyone, good and bad.)

I am always suspicious when I see a group publicizing their amazing skills. Think about it: if you broke into a government computer system, would you:

a) brag to everyone about how clever you are

b) see what data you could get on government contracts or pretty much anything you could turn into valuable stock purchases

c) since these folks don’t seem to be American citizens, download whatever intel you could and sell to the highest bidder and try to keep your presence a secret for as long as possible to continually grab more data

Uh, HELLO! That really wasn’t a hard question, was it? It isn’t like you can turn around and add this to a resume, not a legitimate one anyway.

Regardless of what it may look like in movies or on TV, breaking into stuff is hard; it takes patience, a tremendous amount of trial and error, and it takes time. This is not something you wake up one morning to do and have completed by lunch. The larger and more secret the target, the more difficult the task; the CIA piece looks to be just public web nuisance stuff anyway.

Look at China: everyone is pretty sure they have one of the largest cyber warfare divisions out there. They deny it. The truth is, coming out of China are some of the more consistent, invasive attacks across the Internet, and again no one is admitting anything, success or failure.

According to The Washington Post this morning, the LulzSec timeline looks something like this:

Early May: LulzSec arrives on Twitter and claims its first series of attacks, leaking what it says is a database of contestants on the show “X Factor.”

May 30: LulzSec breaks into the Web site of PBS and posts a fake story saying rappers Tupac Shakur and Biggie Smalls are alive (both are dead). The hack is seen as a response to a PBS documentary critical of WikiLeaks founder Julian Assange.

June 2: The hackers attack Sony Pictures Entertainment, posting the usernames, passwords, e-mail addresses and phone numbers of tens of thousands of people. Sony enlists help from the FBI.

June 3: Unperturbed by the FBI’s involvement, LulzSec steals 180 passwords from the Atlanta chapter of an FBI partner organization called InfraGard. LulzSec says the attack is in response to reports that the Pentagon may classify some cyberattacks as tools of war. The hackers also say they have used one of the passwords to steal nearly 1,000 e-mails from Unveillance LLC, an Internet surveillance company in Delaware, including an e-mailed report about how Libya’s oil industry could be compromised by computer viruses.

June 7: LulzSec says it has hit Sony again, this time on the company’s developer network and music entertainment division.

June 10: LulzSec leaks what it says is a database of e-mail addresses and passwords of pornography Web site users, including some belonging to U.S. Army members.

June 13: LulzSec says it has stolen information from 200,000 video game users, but doesn’t release much of it because it says it likes the company. The hackers also attack the U.S. Senate Web site by accessing a public-facing server.

June 16: The CIA’s public Web site faces problems, and LulzSec claims responsibility. The hackers also release a “grab bag” of e-mail addresses and passwords.

June 17: LulzSec insists they are not attacking Anonymous, another hacker group.

June 20: InfraGard is attacked again, with several hundred accounts compromised at a Connecticut branch of the company. The U.K.’s Serious Organized Crime Agency Web site is also brought down and the group claims responsibility. Game company Sega is hit with a cyber attack that breaches 1.3 million users’ personal information.

June 21: A 19-year-old British man is arrested and later charged with attacking the Serious Organized Crime Agency. LulzSec says his involvement with the group was only tangential.

June 24: LulzSec claims credit for an attack on the Arizona Department of Public Safety, posting internal documents, manuals, e-mail correspondence, names, phone numbers, addresses and passwords taken from the department. The group said it released the documents because it opposes Arizona’s immigration enforcement law.

June 25: LulzSec announces it is quitting its attacks and releases one final package of hacked data, including internal documents from AOL and AT&T.

The time has come to say Goodbye to Jed and all his Kin…LulzSec thanks for keeping us entertained through the month of June, I wonder who we’ll talk about in July…


Birthday thoughts

Posted by Brandie on June 15, 2011 in General Drivel |

I would be the first to admit I have been floundering and way behind on posting anything.

To that end, I decided that if you don’t consider a birthday kind of a watershed moment, much like New Year’s Eve, we would only get to right our deficiencies once a year. Now, I don’t know about you, but my bad habits really need to find some monthly occasion to reset. 😉

I am going to buck the trend and tell my age, 43, along with my reflections on the subject.

43, not bad, not great, but livable.

My neck looks double even when I lose weight, lucky for me though Groupon had a neck tightening discount from some “non”invasive muscle tightening procedure in Scottsdale. What did I do before Groupon?

Feeling pretty healthy and blessed for that; actually, blessed enough by that I feel more than a bit guilty for the floundering and, dare I say, the touch of depression that has bounced around my brain lately.

Cailin is doing terrific. She just continues to grow and spread her wings; her personality grows more independent and funny every day. I love this age, the 10/11 age, when they are transitioning from kid to a person all their own BUT before the hormones kick in. That I can certainly wait for.

I am blessed with a good man. A kind man. A VERY, VERY, VERY patient man. Okay, well he may be getting a little less patient so we’ll cut that back to a VERY, VERY patient man.

I am blessed with good friends. I would name them, but a couple of them don’t particularly like their names mentioned. Personally, I think they just want to keep plausible deniability. But it is very difficult to put up with me and my weird idiosyncrasies. You know, only eating white vegetables, maybe green beans on the third Thursday of the month... ok, so I am really not that bad, but they might say close.

My siblings and spouses are doing well as are their kids, another blessing.

I am worried about my son; it is tough being 20 today. He isn’t in trouble, he is just a member of the isolation set, existing virtually. Don’t get me wrong, I am all about my computers, iPad, cell phone, etc. etc. But at the end of the day, we need people. Even introverts. A terrible job market doesn’t help; where else do we tend to make friends after school is over?

I am worried about my country. Probably, really, for the first time in my life. I feel very much like we are rudderless and the absurdity of the press and the lack of sincerity frightens me. Maybe I just miss Ronald Reagan. The country may not be in any worse shape now than it was then, but I certainly felt better about it. I felt like someone was in charge. Oh, and I was 13. Nothing outside of boys and well, boys was particularly worrisome at 13.

All in all, the positive column leads which takes me back to… 43, not bad, not great, certainly livable.


Geek Post Alert: Security Info for Consumers

Posted by Brandie on May 19, 2011 in Information Security |

In the last couple of weeks several things have come out that directly apply to consumers. So I thought I would point out a few of them for your awareness.

1) iPhone iOS Update: A couple of weeks ago Apple released an update for your iPhones. One of the fixes is the location tracking item I wrote about last month. The fix reduces the location information kept to the last 7 days (not indefinitely), it no longer automatically backs up the data to iTunes, and it will delete the cache – all of it – if you turn off location services.

If you haven’t had a chance yet to update your phone, now is as good a time as any.

2) Fake Free Mac AntiVirus: The first fake free A/V for Mac has finally appeared. Mac Defender is fake and works to convince Mac owners to enter their credit card data. As always, please double-check internet purchases; just a simple Google search with epinions or reviews from reputable sources can make a huge difference. Another thing to look for in the Google search results are the dates on comments. If all the reviews or documents are recent, that is a red flag. Buyer beware.

3) Aaron’s Rent to Own Spyware Lawsuit: On the buyer beware front, an interesting story came out on a software product called PCRental Agent. The Byrd family, back East, has filed a lawsuit against Aaron’s after they completed a rent-to-own contract on a Dell laptop. Apparently the final payment was incorrectly applied, and the manager showed up at their home with a photo of the husband using the laptop, taken remotely from the built-in webcam. After the police were called and an investigation launched, Aaron’s confirmed they install the software PCRental Agent, which apparently allows remote webcam monitoring, screenshot capabilities, key logging and traffic interception. There are reports the software has been installed on Aaron’s rental PCs since 2007. WOW.

I am not even sure where to start here. As a company, I can certainly see the desire to ensure you can collect or recover assets should your renters default. Apparently the intent was to allow Aaron’s to lock the system from usage until a payment is made if a customer falls behind.

From a consumer standpoint, it is terrifying. I do have to admit, I am paranoid enough, I won’t even buy a PC that the GeekSquad has nicely setup for me at Best Buy. Do I think they are installing things I don’t want? No, but I want to start from a fresh install screen and build up. I have also been known to delete all the vendor “add-ons” that HP, Dell and everyone else adds to a system. Trust no one.

What do you think the odds are that Aaron’s remotely uninstalls the software once the PC is paid off?

You know as well as I do, it doesn’t happen. If this is all true, they have spying capabilities on customers for the life of the device. Yikes!

Most security researchers thought shutters built onto webcams in laptops would become standard after the Lower Merion Township school district spying incident last year, where school employees were spying on students through loaner laptop webcams. But it hasn’t happened yet.

What can you do?

A post-it note over your camera is a low-tech shutter. If you don’t really use a webcam, don’t buy a laptop with one. If you are not worried about this, at least stick something over your kids’ laptop; they may be more likely to download some remote control/spying software anyway.

If you are concerned about key-logging or tracking software, I would recommend speaking with a professional. The PCRental Agent software, and most of this class, are designed to be invisible to the user and would be difficult for most folks to find and remove. If you don’t have an A/V, or if you are like me and run several, install Microsoft Security Essentials; it is a free anti-virus for Windows with malware detection included. www.microsoft.com/securityessentials

4) PlayStation Network Breach: Without going into the boring details, this was bad. Sony feels they have solved the problem. PSN users must change their passwords to the network, and I would put a monitor on your credit cards/credit file if you are a PSN subscriber. I do believe they have learned a hard lesson here and worked to address the issues. They were certainly quick to pull the system back down a few days ago when they found a flaw in the password reset practices.

I could go on and on, and usually do, but these topics are important and can be serious to you, your privacy and your credit.

Information security doesn’t have to be hard: Google searches, credit monitoring and the post-it notes mentioned above are simple things. You don’t have to be a computer whiz or genius to protect yourself, just be aware.

We all want to feel safe in our home with our computer, but it is a door into our lives. How much and how often we open it is completely within our control.


Entertainment & Netflix

Posted by Brandie on May 17, 2011 in General Drivel, Technology |

My hairdresser is famous.

Ok, well, maybe famous is pushing it. He has done work in Hollywood for many years, including on my favorite TV series as the principal hair stylist. I only tell you this to set the stage (haha, get it?). 😉

He was working on my hair Sunday, yes he works Sundays and is doing so in the large metropolis of Heber, AZ, go figure, but I am not looking a gift horse in the mouth.

Anyway, we got into our typical discussion on TV and movies.

That was the passion of my youth, yes, I went to New York looking to make a career in broadcasting; only to realize at the tender age of 19 that if you weren’t Diane Sawyer or Connie Chung (yep I am really that old) broadcasting was a tough way to earn a living.

But Jeffrey and I share a passion for TV and movie consumption and he commented that he needed to get a DVR to get Netflix.

I said, Jeffrey, you don’t have to get a DVR for that; you can get just about any Blu-ray player, they almost all have Netflix loaded into them.

Really, he said, with the wonder of a child.

Yep, although I want to caution you, if you are running satellite internet, you need to be careful.

I bought a Roku box right before Christmas and in one evening catching up on 9 episodes of House I consumed enough of my monthly bandwidth that the following day I was placed in rate-limit jail.

As if satellite internet isn’t slow enough, it took a month to get out of rate-limit jail.

As we spent some more time discussing Netflix and all the other streaming options, I said, do you remember how we used to watch TV?

We would rush around to make sure that if a favorite show was on Wednesday night at 7 pm, well that was exactly where you were and heaven help you if you missed it. You had to wait until it was on in re-runs to catch it again.

Honestly, I haven’t watched one of my favorite shows on its original broadcast day/time in a couple of years.

Between Netflix, Hulu Plus, Amazon Prime, DVRs and even having TV on my phone playing episodes on demand, I can watch while waiting at the oil change place, the doctor’s office or the parking lot of Mathnasium. Who needs to be tied to a TV guide!

This seems like a paradigm shift but as a bit of a geek, maybe it isn’t really as widespread as I think.

I remember signing up to have Netflix DVD’s delivered with no late fee and thinking that was awesome 7 or 8 years ago.

This technology reminds me of that Carl Sandburg poem a lot of us had to study in high school, The Fog, with the line “The fog came in on little cat’s feet.”

These technologies come creeping in quietly until one day you are fighting with your iPad, trying to get Netflix up to watch the old BBC series you are currently hooked on, while blogging about the entertainment necessity of Netflix, when you really should just go to bed.

Jeffrey, on reconsideration, maybe a Kindle is a better choice for your next technology purchase…

Just a thought.


Have you seen these?

Posted by Brandie on May 12, 2011 in General Drivel |

I live under a rock. Really.

Those Geico people are my neighbors, and if it doesn’t have something to do with technology or infosec (or, recently, cooking), then I haven’t heard of it.

CNN needs a service where they text you stuff going on: new slang words, the latest designers with links to their logos, so if you see them you would know you are supposed to be impressed. I am really THAT BAD.

Anyway, when I was in Texas Marsh’s daughter wanted to go to the store to buy a box of cake to make these things called Cake Pops.

Ewwwwwwwwwww

Ok, as a texture purist, or fanatic, take your pick, the thought of someone mushing my cake around into a ball...

Sooooo very wrong.

Marsh even produced a book showing all the different ways people have desecrated the cake, one of baking’s sacred creations.

Fast forward to today: I grabbed my pizza at lunch, deciding a nice vanilla milkshake would be just the thing to wash down the jalapenos, then realized the closest thing to a vanilla shake would be a vanilla bean creme at the Starbucks next to the pizza place. Imagine my shock when I see these crazy cake pops at Starbucks.

Ok, I give up. If cake pops are at Starbucks then they must be on the verge of world domination and I am gonna have to try one of the things.

Master Chief action shot.

So after grabbing it and reluctantly taking a bite, can I just say…

Ewwwwwwwww

I was right the first time. It was mushy in the middle and hard on the outside. What were “those people” thinking?

This is definitely one trend I am going to let pass me by.

Now I have to find some ice cream to erase this trauma from my mouth. 😉

Copyright © 2011-2024 Busy Making Plans All rights reserved.