Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Imagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Saturday, December 27, 2008

Financial websites - why not read-only access?

I've been thinking about switching from Quicken on my PC, to a web-based financial tracking site.

Something like
  • Quicken Online - lousy features compared to Quicken PC, mainly for beginners
  • Yodlee MoneyCenter
  • Mint - apparently professional, but a bit fascist, doesn't make it easy to have user defined categories
  • Wesabe - emphasizing social networking

There are many, many, others.

Motivation:

  • I have too many computers. I want to be able to access it from work, and from home, and from my phone, and...
  • I'm tired of having to re-set things up when I switch PCs. And, no, the migration tool seldom works, usually because I can't power up the dead machine to migrate from.
  • I want my wife and me to be able to access it simultaneously.
  • Basically, I have just about given up on having a personal computer. Or is that "a single personal computer"? If my company IT allowed me to use my personal machine at work, then maybe; but they don't, so I am being pushed away from the PC-centric model to the web-centric model.

The security implications are scary: one website, with access to all of your passwords and accounts for other financial websites.

Wesabe makes a point of its security model: apparently they store the passwords, etc., on your PC, and never put the passwords onto their server. I imagine they run some client side code that accesses your other financial sites, and then filters it to upload to Wesabe.

  • But, then Wesabe may not allow the sort of ubiquitous access I desire. Does it?

Mint emphasizes that their access to your financial data is read-only. They also emphasize that the actual passwords, etc., are stored not at the Mint site, but at Yodlee - which apparently provides such services to many banks already.

  • One poster points out that this is all well and good, but if the hacker is inside Mint or Yodlee, then... Well, this poster says that they should at least be bonded to indemnify the user against that risk.
  • Wesabe says they developed their own screen-scraping approach to accessing financial websites, in part to allow them to be free as long as possible, and not to have to pay fees to Yodlee.

OK, okay, so security is an issue.

So, the thought occurs to me: why can't I give these "aggregating" sites like Mint and Wesabe read-only access to my other financial websites? Read-only access to my bank, my 401K, etc.?

Most of the things that I want to do on such a site are read-only - track my investments, look at my asset allocation and ensure that it is balanced across all of my investment accounts at different sites, etc.

I'm reasonably happy NOT to be allowed to make changes to my investments from the central site - to have to log in to my stockbroker or 401K site separately.

Sure, even read-only access to my various financial account websites would be a treasure trove for the ID thief. Account numbers, maybe even SSNs (although one might hope those could be filtered out). Things that a social engineering attacker could use on the customer support phone line. Nevertheless, such read-only access would be a lot less risky than allowing read-write access, with the ability to change mailing addresses, etc.

Trouble is, all of my financial services web accounts give me one account login, and one password, that provides full access to the entire account.

It seems that this could be changed... Let's start writing letters...

---

This is just yet another example of the Principle of Least Privilege. Of how it should be possible to split a particular security role into smaller pieces.

I switched the site that I keep my resume and CV on to Google Docs: http://docs.google.com/View?docid=dcxddbtr_6dvpxg2cj

Hitherto it was on geocities. I have left the geocities site around, with forwarding: http://www.geocities.com/andrew_f_glew, but I will no longer update it. Actually, I haven't updated it in years, since it was too painful.

It's a little bit sad. The Geocities/Yahoo site gives me reasonable URLs, while the Google site gives me ugly, gobbledygook, URLs. But the Google site is much easier to use for me, the content creator.

Also, the annoyance: I retargeted links from my LinkedIn pages, but there will probably be other stale links around that I will not retarget.

---

More annoyance: as I say above, I had not updated the Geocities site in years. And, apparently, I had not read any email at the corresponding yahoo account in years. I had completely forgotten about it.

Yahoo won't let me forward email as it comes in, or use POP, or even bulk forward a mass of email - so the email accumulated there will moulder. Pity - I saw some email from friends I had fallen out of touch with.

But at least Yahoo allowed me to put a vacation message on it. Although I will have to remember to extend the vacation once every few years.

Moral: don't use a web based service, such as a webhost or webmail, unless you can automate getting your data off.

Hmm... how hard is it to download all of my Google data? Mail? Blogs? Docs?

Friday, December 26, 2008

Apple Store account management - NOT

As mentioned in the iPod blog, I ended up signing my wife up for an Apple Store account, when she already had a different iTunes Apple ID.

Since only the latter is required, to ensure authorization of iTunes music files to a limited number of PCs, I would like to delete the other account.

Worse, while thrashing to try to get my wife's iTunes purchases authorized, I entered a credit card number into the second, bogus, account. So now I have a bogus account with a valid credit card number.

I would like to delete the bogus account, or at least the credit card number.

Apple, apparently, has no way of doing so.

Apple Store support chat says that the account should time out if unused. But they cannot answer how long that will take. And they warn me that checking the account status will reset the timeout clock.

Q: will Apple indemnify me if the account is broken into?

Apparently, once you have entered credit card info, there is no way to remove it, except by replacing it with another valid credit card number.

Hmm... perhaps I need to use a one-time credit card number that will immediately expire.

---

No need. I can garbage the login and password, and Apple seems to allow me to enter blanks for the credit card number. Not quite as confidence inspiring as a "Delete my CC info" button, but, I hope, good enough (although I have this nagging feeling...)

---

But more: there is no way to log out of the Apple store.

Sure, Apple pages are uncluttered. By omitting necessary, although perhaps rarely used, functionality.

Disabling Verisign / FingerPrint

Oh, I forgot to mention: one of the biggest timewasters while moving my wife's iPod and iTunes to her new PC was that, somehow, the process of signing her up with iTunes resulted in Internet Explorer going into a frenzy, forking new windows, whenever I (actually, she) signed into Google mail.

I suspect because I put Apple and Gmail into IE's "Trusted Sites" list to make Apple's iTunes password recovery email click through.

Anyway... by the time I worked through that, not only had I undone the Trusted Site settings, but I had also uninstalled the Verisign Identity software that managed the fingerprint reader, preinstalled on the PC.

I'm a little bit sad, because I really liked the fingerprint reader. It makes Vista's constant "authenticate as an administrator" tolerable.

But, the Verisign software went beyond fingerprint. It wanted to be single signon for all websites, and was quite obnoxious. Worse, while I figured out how to disable this behavior for an administrator account, it would not let my wife's non-admin account disable it.

Moving an iPod between PCs

Before Christmas, as late as December 23, my wife told me that she didn't want anything for Christmas, except my help in moving iTunes from her old PC to her new PC.

Now, I didn't believe the "not wanting anything else for Christmas" bit - we weren't married yesterday - but I did take this as a clue.

The complication: Her old PC is hardly functional. She got her new tablet PC last Christmas. Apparently she has been using her old PC for iTunes, tolerating, barely, its slowness. 6 years old, and slow even when new. Network no longer working: wired Ethernet connector broken, wireless PCMCIA card non-functional. I would not be surprised if its slowness was due to malware, although McAfee's scans found nothing.

How hard can it be to move an iPod from one PC to another? It holds all of my wife's songs, not a subset. Surely I can install iTunes on the new machine, synch up, and be done?

Not so easy. Apple has not made it easy to migrate. Of course, things are not helped by Apple's iTunes user interface, which I find idiosyncratic, differing from standard PC applications' UIs in ways that make it hard to figure out how to do things. For example, I went looking for the UI options to put the iPod into "disk" mode, but it was not until I googled that I found it.

I'll make a long story short, by NOT going through every wrong step I made. But I'll list a few.

Googling "moving ipod between PCs" found several pages, the most useful being:

(1) Apple support, http://support.apple.com/kb/HT1329. Useful as far as it went, although it was impossible to follow the instructions (a) because some were wrong, or at least did not apply to my wife's old iPod, and (b) some could not work, because, for example, they suggested consolidating the library on the old PC's disk under the iTunes' Music folder - but my wife's old PC disk was full, and did not have the space required for such consolidation.

(2) The DIY article http://www.makeuseof.com/tag/how-to-move-music-from-your-ipod-to-your-pc-in-5-easy-steps, which gave the most important clues, although it omitted how to transfer playlists. Again, I suspect that some of its instructions applied to newer iPods than my wife's.

Early on, I tried iTunes ... Export, but on my wife's old iTunes this exported only an XML playlist file. Importing that onto the new PC gave me empty playlists. Apparently the new iTunes has "Export Library" versus "Export Playlist".

Early on, I tried just plugging the iPod in to the new PC. But there was no option to synch FROM the iPod TO the PC, only from the PC to the iPod. I started being careful, not to lose the only easy to access copy of my wife's music.

When I plugged the iPod into the new machine, iTunes warned me that an iPod could only be hosted by one Library at a time. At first it also warned me about songs on the iPod that had been purchased from iTunes, which the new PC was not allowed to play until authorized.

My wife, of course, did not know what her Apple account was. Googling her gmail, I saw that Apple was sending email to my 9-year-old daughter, and my wife. Neither seemed to have Apple store accounts, although my wife's email did seem to have a MobileMe account. What the heck is a MobileMe account? I eventually signed my wife's email up for an Apple store account. But the warnings about unauthorized songs persisted.

Eventually, I got the old PC up enough to see that it was signing into iTunes with yet another email account. That fixed the "purchased songs" problem. But now the new PC iTunes just wanted to delete all of my wife's iPod.

I tried making a disk backup on my wife's old PC iTunes... 6 disks later, it hung. Unsure how complete the backup was, I resorted to the DIY technique.

I opened the iPod as a disk. I set folder options to view the hidden iPod files. I copied all of the iPod files, *.*, into a single flat directory on the new PC. (Actually, I searched *.m*; at first I searched *.mpg, but there were a lot of *.m4a, as well as a few MPEG-3 *.mpg downloads from NPR. *.* caught everything.) I made sure to tell the copy NOT to discard files with the same name, but to create extra versions.

I then imported these files into iTunes, using File ... Add Folder to Library. Having learned my lesson from the old PC, I had already set, per the DIY article, Edit / Preferences / Advanced / Copy files to iTunes folder and Keep iTunes Music Folder Organized.

This left me with the music files, but the playlists were messed up.

The smart playlists, e.g. "All songs by Jimmy Buffet", worked, but the manual playlists failed. I must confess that I had hoped that the playlists would have some sort of content-ID, and would magically detect when the song was installed. Not so.

I reimported the XML playlist from very early on. This time, they found the songs, and the playlists were populated.

This resulted in duplicate playlists. The smart playlists were almost identical - except for the versions that selected 100 random songs from a genre. The manual playlists had one empty playlist, and one full. Deleting the duplicates was straightforward.

Annoyingly, the "Purchased" (from iTunes) playlist was empty, and there was a manual "Purchased" playlist. But I could move the files back and forth.

Annoyingly, the "Recently Added" playlist was messed up, since all of the songs were recently added.

Wrapping up by authorizing the new computer, and de-authorizing the old PC. As you may recall, the old PC's network was dead, so that last involved minor hackery. Q: what does somebody do if their old PC is dead, dead, dead? Waste an authorization out of the limit of 5 PCs allowed to play a song from iTunes?

Summing up:

1) I copied the music files as described in the DIY article

2) I transferred the playlists via iTunes' export XML format

3) Authorize the new PC using the iTunes account, de-authorize the old.

Fairly straightforward. And yet it took an embarrassingly long amount of time to accomplish - many hours. I had pooh-pooh-ed my wife's request for help, but I can avow: this wasn't as straightforward as it should have been. Apple's support was incomplete and inaccurate.

Things would have been much better if there was a way to extract the playlists from the iPod itself. The data is undoubtedly there.

Things would have been even worse if my wife had used any of the iPod's other features - contacts or calendars or ...

Sunday, December 21, 2008

Concurrent programming bug in X/VNC/sysadmin distributed config files

Below is a bug report, relating to the timing of a windowing system and window manager.

It is caused by the way the UNIX shell runs a list of commands one after another, falling through to the next when the previous one exits,
and the fact that X and VNC do not really bind programs to a particular instance of a display.

It amuses me that, after all this time, even such a simplistic concurrent programming example can have a bug. What does this say about the brave new world of multicore?

There is a timing bug in eclogin - specifically in one of the files it installs via eclogin -i -f, $HOME/.vnc/xstartup.
The file ends

( PATH-TO-WHEREVER-FVWM-IS-INSTALLED/bin/fvwm2
  # each of the following runs only after the previous one has exited
  twm
  mwm
  olwm
  xmessage -geometry -10-10 "FATAL ERROR - NO WINDOW MANAGER FOUND in vnc/xstartup" )

This looks innocuous.

But, if the user types in something like the following
vncserver -kill :2; vncserver
then the fvwm2 of the OLD vncserver will fail, leading to the invocation of, say, twm.
But the NEW vncserver may start up before the twm of the old vncserver starts up; indeed, it may start up before the old fvwm2 fails.
In any case, the mwm from the old vncserver may start up, and be connected to the new vncserver session,
resulting in very odd, hard to debug, behavior - like "Why am I getting mwm, or twm, or whatever, when I am trying to use the EC standard fvwm2 window manager?"


I conjecture that this behavior was not seen on old machines, that were slower and/or did not have multiple processors.
I conjecture that it is almost impossible to reproduce this behavior unless you type vncserver -kill :2; vncserver; it can happen anyway if the machine is slow, but that command sequence makes it much more likely.
I conjecture that only an anal retentive computer user like me would have found this bug - particularly one who is an old sysadmin, who has seen bugs like this.


---



The fix:
A partial fix is to do:

if [ -x PATH-TO-WHEREVER-FVWM-IS-INSTALLED/fvwm2 ] ; then
    PATH-TO-WHEREVER-FVWM-IS-INSTALLED/fvwm2
elif [ -x $PATH_TO_TWM/twm ] ; then
    $PATH_TO_TWM/twm
# ... and so on for mwm, olwm, and the xmessage fallback
fi

i.e. this prevents the script from falling through if the fvwm2 command was found, and executed for a while.
A better fix would be to see if fvwm2 executed. Checking for exit code 0 is not sufficient, since it is usual and normal for fvwm2 to return non-zero when vncserver -kill :2 is called.
A stopgap would be to just document this in ~/.vnc/xstartup - noting something like "You either have to wait a while, or shut down your window manager before starting a new vncserver".
A better long term fix would be for vncserver to create a nonce, or some other identity cookie.

---



By the way: it is possible that this could be a security hole - I have not checked. E.g. an attacker could be constantly trying to attach a window manager to a vncserver he does not own.

===



In case you do not believe this is real, here is a shell session showing me killing such window managers one after the other.
I had been thrashing, killing and creating new vncservers in a fairly tight loop, debugging a problem, when I noticed it:

/users/glew/ 86 : vncserver -kill :2
.../vnc/E4.2.5/vncserver -kill :2
Killing Xvnc process ID 3471

/users/glew/ 87 : ps x | grep wm
5869 ? S 0:00 twm
1593 pts/16 S 0:00 PATH-TO-WHEREVER-FVWM-IS-INSTALLED/fvwm2
3953 pts/16 S 0:00 mwm
3955 pts/16 S+ 0:00 grep wm

/users/glew/ 88 : kill -9 3953
3953: No such process

/users/glew/ 89 : ps x | grep wm
5869 ? S 0:00 twm
1593 pts/16 S 0:00 PATH-TO-WHEREVER-FVWM-IS-INSTALLED/fvwm2
3988 pts/16 S+ 0:00 grep wm

/users/glew/ 90 : kill -9 1593

/users/glew/ 91 : ps x | grep wm
5869 ? S 0:00 twm
3992 pts/16 S 0:00 twm
3996 pts/16 S+ 0:00 grep wm

/users/glew/ 92 : kill -9 3992

/users/glew/ 93 : ps x | grep wm
5869 ? S 0:00 twm
4024 pts/16 S 0:00 mwm
4028 pts/16 S+ 0:00 grep wm

/users/glew/ 94 : kill -9 4024

/users/glew/ 95 : ps x | grep wm
5869 ? S 0:00 twm
4036 pts/16 S+ 0:00 grep wm



Code inspection reveals the problem. Of course, anyone at all familiar with concurrent programming should recognize the problem.

Wednesday, December 17, 2008

Automatically Deducing Build Dependencies => Cross-Tool Recursive Builds Work

Recursive make sucks. As presented in Peter's classic paper "Recursive Make Considered Harmful", http://aegis.sourceforge.net/auug97.pdf

Tools such as Peter's Aegis and Cons and SCons "automatically" deduce dependencies for an entire project - but only semi-automatically, since they rely on knowledge of the tools you are using. E.g. they know about C++ #include files, but not about languages that are not on their list. Not about things in your shell scripts, unless you tell them, e.g. in the SConstruct file or by writing a special scanner for your language.

I have long been a fan of truly automatically deducing dependencies: run a build, and use a tool like strace to observe the files that get read and written.

Moreover, their whole project dependency analysis only works if all of the project uses the same build tool.

Unfortunately, that is not true for large projects that have subprojects. I am working on a simulator that was originally built using Make. Later it started using Cons, but kept some make around - i.e. the project starts off as a hybrid of Make and Cons.

But now I want to import tools, libraries, I have written. Reuse, eh? But I used SCons.

Having to rewrite all of my SCons into the project-wide Cons is a barrier to reuse.
Similarly, getting the whole project to use SCons is a barrier to reuse.

Basically, any statement of the form
"All of our problems would be solved if everybody did things the same way"
(a) might be true,
but (b) is bigoted, stupid, intolerant of diversity, etc.
Such statements are the root of all evil, and the cause of much ethnic cleansing.
But, ahem, we are talking about programming, aren't we?

I just realized that true automatic generation of build dependencies
would allow projects to be built up out of different build tools.

Best if all of the build tools used "true observation of dependencies". Then tool #1 would just have to know that it should call tool #2 to do the build.

But I think that it can also be used to build a true, project wide, dependency system out of
not-fully-automatic build tools. E.g. this meta-builder could call less intelligent tools such as make, or cons, or scons.

It might also be possible for such a meta-build to call another build tool, in a guaranteed-build-from-scratch situation,
and then observe the commands invoked and rerun those.

I.e. such a meta-build might make recursive make correct.
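As an added example of the observation approach described above (run the build, watch what it reads, writes and executes, then replay the commands) and not code from Aegis, Cons, SCons or Electric Cloud, this POSIX sh fragment runs a build step under strace and extracts from the log its inputs, its outputs, the files it probed for and did not find, and the commands it actually executed. The function names, the scratch-path list and the sample log are constructed assumptions; strace_build needs Linux strace installed, the parsing functions do not.

```shell
#!/bin/sh
# Added example of "truly automatic" dependency deduction: observe a build step
# with strace and derive its inputs, outputs and the commands it ran. This is
# not Aegis, Cons, SCons or Electric Cloud code; it assumes Linux strace and
# a log in the format of `strace -f -e trace=openat,open,execve`.

# strace_build LOG CMD...: run CMD (and its children) under strace, logging to LOG.
strace_build() {
    log=$1; shift
    strace -f -e trace=openat,open,execve -o "$log" "$@"
}

# classify_opens LOG: print "read PATH", "write PATH" or "missing PATH" per open.
# Scratch and pseudo-filesystem paths are dropped. A failed open is still a
# dependency: if that file shows up later (say, earlier in an include search
# path) the output changes, so it is reported as "missing" rather than ignored.
classify_opens() {
    sed -n -E 's/^([0-9]+ +)?open(at\(AT_FDCWD, |\()"([^"]+)", ([A-Z_|]+)[^=]*= (-?[0-9]+).*$/\3 \4 \5/p' "$1" |
    while read -r path flags ret; do
        case $path in /tmp/*|/dev/*|/proc/*|/sys/*) continue ;; esac
        if [ "$ret" -lt 0 ]; then
            echo "missing $path"
        else
            case $flags in
                *O_WRONLY*|*O_RDWR*|*O_CREAT*|*O_TRUNC*) echo "write $path" ;;
                *) echo "read $path" ;;
            esac
        fi
    done
}

# commands_run LOG: argv of every execve that succeeded, one command per line
# (what a meta-builder could replay; quoting of args with spaces is lost here).
commands_run() {
    sed -n -E 's/^([0-9]+ +)?execve\("[^"]+", \[(.*)\], .*\) = 0$/\2/p' "$1" |
    sed -E 's/", "/ /g; s/^"//; s/"$//'
}

# make_rule LOG: a Makefile rule "outputs: inputs" from the observed opens.
# Anything the step wrote is a product even if it read it back afterwards.
make_rule() {
    classify_opens "$1" | awk '
        $1 == "write" { w[$2] = 1 }
        $1 == "read"  { r[$2] = 1 }
        END { for (p in w) print "o", p; for (p in r) if (!(p in w)) print "i", p }' |
    LC_ALL=C sort | awk '
        $1 == "o" { o = (o == "") ? $2 : o " " $2 }
        $1 == "i" { i = (i == "") ? $2 : i " " $2 }
        END { print o ": " i }'
}

# write_sample_log FILE: a constructed strace log of `gcc -c foo.c -o foo.o`
# (made up for this example, not captured from a real build).
write_sample_log() {
    cat > "$1" <<'EOF'
1234 execve("/usr/local/bin/gcc", ["gcc", "-c", "foo.c", "-o", "foo.o"], 0x7ffd00000000 /* 30 vars */) = -1 ENOENT (No such file or directory)
1234 execve("/usr/bin/gcc", ["gcc", "-c", "foo.c", "-o", "foo.o"], 0x7ffd00000000 /* 30 vars */) = 0
1234 openat(AT_FDCWD, "/tmp/ccAbC123.s", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
1235 openat(AT_FDCWD, "foo.c", O_RDONLY) = 3
1235 openat(AT_FDCWD, "foo.h", O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
1235 openat(AT_FDCWD, "include/foo.h", O_RDONLY|O_NOCTTY) = 4
1235 openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_NOCTTY) = 5
1236 openat(AT_FDCWD, "/tmp/ccAbC123.s", O_RDONLY) = 3
1236 openat(AT_FDCWD, "foo.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
1234 +++ exited with 0 +++
EOF
}
```

Note that the compiler's probe for foo.h in the current directory comes out as "missing": a meta-builder that ignored it would fail to rebuild when someone later adds a foo.h that shadows include/foo.h.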


---

John Ousterhout may have created an automatic build dependency tool,
in his company Electric Cloud.
At least the whitepaper
Solving the Dependency Problem in Software Builds
implies that it has been solved.

Unfortunately, I can't click through to the paper,
so I can't really tell.

Past conversations, either with Ousterhout or with EC sales folk,
leave me
(1) unsure as to whether they have done the truly automatic thing for dependencies
but
(2) sure that they are not "diversity tolerant"
- they are yet another tool that requires everyone, the whole project, to use their build tool.

I.e. they may have invented the automatic dependency idea - although I doubt it.

They do not seem to have realized that it can be used to allow diversity of build tools.

---

My friend Mark Charney grew frustrated with Cons and SCons, because they could not handle truly dynamic systems that create objects. Mark, therefore, wrote his own build tool that was not limited by the phase ordering restrictions of Cons and SCons.

I wonder if the automatic, diversity tolerant, approach I describe above handles such truly dynamic builds. I suspect that it does.

(With the usual caveat of there being no time dependent behaviour. It is okay to log a timestamp, but it is not okay to create different numbers of files on different days, just because the day is different. Tools must have the property: same inputs, different day => same outputs, at least same output names - although times may be embedded in the output.)