Principles


Today I was talking with a vegan friend (I’m vegan as well) who mentioned that she had received a casual offer of work at a food truck. She said that she was considering doing it, because it would mean some extra income and she is tired of doing what she is now.

I asked her if the food truck served meat products, and she said that yeah, it does. It struck me as odd. For the non-vegan people reading this, a statement like that from a vegan is kind of disconcerting.

The vegan lifestyle is characterized by non-consumption of all animal products or by-products, up to and including all meat, fish, eggs, milk, cheese… anything that comes from an animal (even honey).

So I was a bit stunned that my vegan friend had so casually mentioned that she was considering working at a food truck which serves meat.

For me personally, as an ethical vegan, I could never support any business which explicitly supported the harm or exploitation of animals for any reason, especially one that requires killing them (obviously meat requires the death of the animal supplying it).

I automatically correlated her vegan-ness with the standard vegan principles. Having strong principles is so important to me, that someone claiming to be something, then nonchalantly considering violating the principles of that something just for a bit of quick cash really confused me.

Maybe she doesn’t have principles, or consider them when making decisions.

It occurred to me then just how important it is to have a defined set of principles, and to stand solidly on them, even be willing to stake your life on them, because if not, then it’s just too easy to be blown in whatever direction the wind takes you at the time.

In Principles, Ray Dalio defines them thusly:

1) What are principles?

Your values are what you consider important, literally what you “value.” Principles are what allow you to live a life consistent with those values. Principles connect your values to your actions; they are beacons that guide your actions, and help you successfully deal with the laws of reality. It is to your principles that you turn when you face hard choices.

His next statement on why they are important is also apropos to the situation:

2) Why are principles important?

All successful people operate by principles that help them be successful. Without principles, you would be forced to react to circumstances that come at you without considering what you value most and how to make choices to get what you want. This would prevent you from making the most of your life. …

It’s possible that my friend hadn’t considered operating by principles at all — that she was just reacting to the circumstance … without considering what she (maybe?) values most. Or it’s possible that I’m just wrong — and she values money, and experience working at a food truck more than animal welfare. I do tend to see things as all-or-nothing, so maybe I should just get used to seeing things along a spectrum instead. Maybe she’s not quite as hardcore along the “vegan hardcority” spectrum. Maybe I just made up that spectrum.

Really I just think it was a good example to write about the importance of having principles and living life by them.



Open Financial eXchange (OFX) is Broken (Online Banking Security is a Joke)

Hacker Rene

Am I the only person in the world who thinks that it’s utterly ludicrous that we have to give our passwords to sites like Mint.com so they can help us keep track of our spending habits? Surely I can’t be the only one. It’s like giving away the keys to the kingdom.

It kind of irks me a little that if I want to use a site like Mint.com to track my spending habits and help me keep my budget in line, I have to give my username and password over to them.

In fact, the way the underlying technology works, Mint.com must keep our passwords stored in their system. Not just a hash, but the passwords themselves, since that’s what they have to use in order to access our bank account info. They are stored encrypted, no doubt, but they have to be decrypted in order to be used (see below).

Mint.com has worker programs, “robots”, if you will, which log in to our bank accounts the same way we do (well, not really, but I’m simplifying for the general public), so they have to be able to authenticate as ‘us’. But the problem is, those username/password combos aren’t read-only. Mint.com may tell you that they have read-only access, but that’s just not true. Anybody who hacks Mint.com’s database, and is able to decrypt those passwords, has full access to the corresponding bank accounts.

The technology that Mint.com and other financial websites use for this log-in is called OFX, which is short for Open Financial Exchange.

The part that requires the username and password for every transaction is described in the OFX ‘security’ page (emphasis mine, and BTW, what a fucking joke):

Authentication enables the recipient of a message to verify the identity of the sender. For example, a financial institution or third party processor authenticates a customer by requiring the use of a password and user ID with each transaction. A customer’s application authenticates a financial institution or third party processor by verifying the institution’s digital certificate.

That technology was developed about 10 years ago. (The website looks about 10 years old too — just take a look.) We’ve evolved since then. Technology has evolved. Why the hell has the banking system not caught up yet? (Hint: it’s not in their best interests to improve the security of your bank account. They would have to pay the cost of securing your account, while not seeing any reward for it.)

This should immediately set off red flags for any information security professional. An obvious way to mitigate this risk is to simply enable customers to generate a read-only API key on the bank end, then give out that read-only API key to any party that they wanted to share their info with, on a read-only basis. This would be true read-only access. But that is something that banks themselves would have to implement, and they’re too busy raping the general public with ridiculous fees for things like debit cards, and simply having a deposit account in the first place.

The Solution

The solution? A successor protocol to OFX which requires banks to implement read-only API key access, and which can be controlled by customers, e.g. by allowing depositors to generate their own unlimited number of API keys, read-only or not (depositor’s choice).

A standard has to first be put in place. It would specify that usernames/passwords are no longer allowed, period. All account access would be via API keys, which would be generated on the bank end, controlled by the clients (depositors), and either read-only, read-write, or other combinations. They could be extensible so as to plan for the future.

Then, make all the banks follow the standard. Fines of $XX,XXX,XXX per day after a X-year grace period which allows all banks ample time to convert from OFX to the new standard, NOFX (New OFX).
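As an added example (not from the original post, from OFX, or from any real bank), here is a minimal bank-side sketch of the depositor-controlled, scoped API keys the standard above calls for: the bank stores only a hash of each key's secret, every call is checked against the key's scopes, and the depositor can revoke one key without touching the login or other keys. The Bank class, the scope names and the sample balances are all assumptions.

```python
import hashlib
import hmac
import secrets

SCOPES = {"read", "write"}  # extensible: new scopes can be added without touching issued keys


class Bank:
    # Hypothetical bank-side key service (assumption: not part of OFX or any real bank API).
    def __init__(self, balances):
        self.balances = dict(balances)  # constructed sample data: depositor -> balance
        self._keys = {}                 # key_id -> record; the bank keeps only a hash of the secret

    def issue_key(self, depositor, scopes):
        # The depositor mints a key carrying exactly the scopes they choose, e.g. {"read"}.
        if not set(scopes) <= SCOPES:
            raise ValueError(f"unknown scope(s): {set(scopes) - SCOPES}")
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._keys[key_id] = {"depositor": depositor, "scopes": frozenset(scopes),
                              "hash": hashlib.sha256(secret.encode()).digest(), "active": True}
        return key_id, secret  # secret is shown once; a third party holds it, the bank only its hash

    def revoke(self, depositor, key_id):
        # One leaked key can be killed without changing the login or any other key.
        rec = self._keys.get(key_id)
        if rec is None or rec["depositor"] != depositor:
            raise PermissionError("not your key")
        rec["active"] = False

    def _authorize(self, key_id, secret, needed):
        rec = self._keys.get(key_id)
        if rec is None or not rec["active"]:
            raise PermissionError("unknown or revoked key")
        if not hmac.compare_digest(rec["hash"], hashlib.sha256(secret.encode()).digest()):
            raise PermissionError("bad secret")
        if needed not in rec["scopes"]:  # the check a shared password can never make
            raise PermissionError(f"key lacks '{needed}' scope")
        return rec["depositor"]

    def statement(self, key_id, secret):
        return self.balances[self._authorize(key_id, secret, "read")]

    def transfer(self, key_id, secret, to, amount):
        src = self._authorize(key_id, secret, "write")
        if amount <= 0 or self.balances[src] < amount:
            raise ValueError("invalid amount")
        self.balances[src] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.balances[src]
```

A third party holding a read-only key can pull statements but cannot move money, which is the property a shared bank password cannot provide.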

Hell, I don’t know. Just something. But please, do something to protect the people, instead of just considering the up-front cost of implementation. (There are hidden costs of not implementing something like what I’ve suggested, but most individuals and businesses won’t see them until it’s too late).

Note: This solution isn’t going to happen. This is just an ideal scenario. The banking system is going to be transformed, but not from the inside, not by anyone who had anything to do with this. Technologies like Bitcoin and other cryptocurrencies and trustless systems are going to render insecure protocols like OFX useless. The funny thing is, it’s because the current system will never change which is the reason why it’s going to be pre-empted and destroyed. The market will find a solution.