Thursday, December 2, 2010

Worlds Colliding (running nerd v. infosec geek)

So, about a month ago, I went to the race expo for the Marine Corps Marathon.  I had already decided not to run the 10K, since I was still getting over a cold/flu thing, but I wanted to grab my goody bag anyway.

[For non-runners: a goody bag is a bag that you get at many races that contains free samples, coupons, race advertisements, and similar.  Stuff like cliff bars, lipbalm, etc.  A few things find a second life as cat toys.]

[And, for those of you keeping score at home, this was the same expo where General Electric tested my foot with a fancy machine and declared my bone density to be excellent.  This was also 4 days before my foot went pop.  And now I've made this post tangentially relevant to the subject matter of my blog.  So there.]

In my MCM goody bag, a gift card caught my eye -- it was for $500 in sunglasses from Red Star Eyewear -- a sunglasses manufacturer I'd never heard of.  I typed the website address into Google in Firefox, and the search results confirmed that the site was likely safe, so I visited it.  Digging through it, it looked like the terms of the deal were that you might get a free pair or two of sunglasses (of dubious quality), but that you paid a decent amount in shipping and handling.  So not a full out scam, but definitely a bad deal -- on a par with those old Columbia House Record memberships (apparently Red Star tries to trick you into committing to some sort of "sunglasses club" too).

Brian and I laughed, and I tossed it.   But it got me thinking.  Race participants are really a huge, untapped market for scammers.

[I do realize that there's an opportunity here to take a shot at the Competitor Group, or Devine Racing.  I leave that to y'all]

Just think about it -- we get our goody bags, and act under the assumption that everything in there is somehow vetted and approved by the race management.  And it's very easy to get access to those goody bags -- at most of the bigger races, my understanding is that those bags are stuffed by volunteers.   Paid race staff are limited to the harder, more specialized tasks -- pretty much anyone can stuff and hand out a bag, and so anyone does.

So here's how you do it:

A) set up a website for some product, including a way to take credit card info;
B) go to a printer, and print a set of fancy fliers promoting your site/product;
C) volunteer for a major marathon or other race, and get yourself a slot filling/distributing goody bags, or even better, manage to get a box of your fliers mixed in with all the other stuff to be stuffed by volunteers;
D) ????
E) Profit!!!!!!

A bit concerning, don't you think?  I can't believe this hasn't happened yet, now that I think about it.


  1. Well, now I know what I'm doing this weekend.

  2. Runners already pay tons of money for stuff of no value. We can get someone we know in Colorado to send cases and cases of "Rocky Mountain Air: How to get altitude training in the comfort of your own home." I would feel less guilty, and we'd probably make a lot more, though, if we marketed it to triathletes instead.

  3. Joe - I imagine the triathletes pay for top end security guards to watch over every aspect of their race prep/expo -- must be what those entry fees go to.

  4. Greg and I found those in our Memphis bags but I remembered your blog and told Greg not to get excited. Thanks for doing the research!