and home-buying — January 15, 2015

and home-buying

Do any of my belovèd readers a) use *and* b) own a home? I’m in the process of buying a home, so now there are these enormous checks flying around that I think Mint will just have no idea how to handle. The purchase-and-sale check was just cashed, for instance; if Mint treats this like an ordinary expense, then my net worth just dropped by tens of thousands of dollars. But in fact my net worth is the same as it ever was; I’ve just transferred that money from one pocket (checking account) into another pocket (equity).

If I’m correctly reading the official Mint answer on how to handle downpayments, the suggestion is just to ignore them. By ignoring them, the funds don’t disappear from (in this case) my checking account, so it’s like my net worth didn’t change at all. But this is obviously not right. The correct thing to do is to treat this as a subtraction from the checking account and an addition to the equity account. No disappearing transactions, no change in net worth.

If Mint suggests hiding downpayments, then it’s going to get even harder with mortgage payments. Let’s say I write a $2,000 mortgage check every month. In the beginning, maybe $500 of that will be equity and $1500 will be interest. So the mortgage check would be correctly treated as a $500 transfer from checking to equity, and a $1500 expense. Seems to me that my net worth would shrink by $1500 after every such check. But if Mint doesn’t have the capacity to treat a downpayment as a transfer to equity, then I suspect it also won’t know what to do with the equity piece of the mortgage payment.

My mortgage lender isn’t one of Mint’s partner financial institutions, and I can’t figure out how to properly register my mortgage. I can add a generic ‘loan’, but … man, is that feature undercooked. It asks me how large the loan is. I enter the amount. Then … that’s it. It doesn’t ask me for the interest rate. If it asked the interest rate, then it could compute the change in principal every month; the change in principal on a mortgage is the amount that goes to equity. But it doesn’t ask me that. So the ‘loan’ feature is, oddly, not suitable for use with mortgages.

There’s a way to add real estate, but a couple things seem wrong with that feature. First, it seems largely focused on tracking changing property values as a way to monitor the ups and downs of my net worth. And, second, it doesn’t seem to create an account of the sort that you can transfer value (e.g., a downpayment) into.

If my mortgage company were one of Mint’s recognized lenders, then I assume it would have smart backend logic to realize that when $2,000 disappears from checking and appears in the mortgage account, a fraction of that (depending upon where we are in the amortization schedule) should count as reducing my net worth, and the remainder should just be a transfer into equity.

Without the integration between Mint and my lender, I can see why it would be hard to add mortgage transactions. If I have a credit card in Mint, for instance, and I make a credit-card payment, then I assume Mint sees that $1,000 disappears from this account and appears in an account whose name looks like ‘AmEx’. But what if I have a payment to an unrecognized lender? I could put it in the ‘mortgage’ category, but Mint doesn’t know whether this is the mortgage on my first or (at this point fictional) second home. So then it can’t know the interest rate on that payment, can’t know the principal, etc.

So without integration between my lender and Mint, am I SOL? Any amount of Googling does not turn up a satisfactory solution to this.

Tiny Mac suggestion of the evening — November 30, 2014
It’s quite amazing to me — November 19, 2014

It’s quite amazing to me

…that we’re replaying the crypto wars. Terrorism and child pornography are evergreen weapons for scare mongering, it seems. If you’d like to know when I first got politicized about technology, Google for [Clipper chip].

> Mr. Cole offered the Apple team a gruesome prediction: At some future date, a child will die, and police will say they would have been able to rescue the child, or capture the killer, if only they could have looked inside a certain phone.
> His statements reflected concern within the FBI that a careful criminal can shield much activity from police surveillance by minimizing use of cellphone towers and not backing up data.
> The Apple representatives viewed Mr. Cole’s suggestion as inflammatory and inaccurate. Police have other ways to get information, they said, including call logs and location information from cellphone carriers. In addition, many users store copies of a phone’s data elsewhere.
> During the hourlong meeting, Mr. Sewell said Apple wasn’t marketing to criminals, but to ordinary consumers who store growing amounts of data about themselves on smartphones and are increasingly suspicious of tech companies. Many of those customers are outside the U.S., the Apple representatives said, where phone users want to shield information from governments that are less respectful of individual rights.
> If the government wants more information from Apple, the company representatives said, it should change the law to require all companies that handle communications to provide a means for law enforcement to access the communications.
> Mr. Cole predicted that would happen, after the death of a child or similar event.
> More than once, Mr. Cole suggested there had to be a technical solution, a way to design a phone so that police, with a court order, can access information, without compromising security.
> “We can’t create a key that only the good guys can use,” Mr. Sewell responded.

(Cached copy. Or, at least for the next few days, you can get it by going to and searching for ‘Apple and Others Encrypt Phones, Fueling Government Standoff’.)

I’m confused about what sin Amazon is supposed to have committed — October 10, 2014

I’m confused about what sin Amazon is supposed to have committed

I don’t have time to write about it right now, but Matt Yglesias’s post today on why calls to fight Amazon’s ‘monopoly’ are misguided did hit the mark. I wanted to write something the other day when John Gruber predictably snarked in favor of the Justice Department fighting Amazon’s ‘monopoly’.

There’s no there there, seriously. I’ve been waiting patiently for someone to make a good case that Amazon has done anything wrong. Seems to me that their worst sin is … negotiating very hard against publishers? And using their market power to demand lower prices? This is good for readers, isn’t it? It makes books cheaper. Maybe you could argue that something which is good for readers is bad for authors, but *that requires argument*; it can’t just be asserted. I had this same problem with George Packer’s argument against Amazon a few months back.

To put it in perhaps a few words: whatever Amazon is guilty of, Wal-Mart is guilty of too. And I don’t see anyone pushing to break up Wal-Mart. They’re both just large retailers pursuing high volume and low profit margins, perhaps at the expense of their suppliers. That’s all. What am I missing?

My paranoid backup scheme — June 11, 2014

My paranoid backup scheme

Inspired, I think, by Marco Arment, I trebly back up my computers:

1. To a Time Capsule at home.
2. Via SuperDuper to an external hard drive that sits at work. (I couldn’t really tell you how this differs from just using dd(1), other than that it has a nice UI, only copies the diffs, and seemingly makes the external disk bootable. In any case, it’s great.)
3. In the cloud to Backblaze.

I have my laptop set to automatically back up to the cloud at all times, and my girlfriend’s laptop set to do the same. Then I use the Backblaze iPhone app to periodically ensure that all my backups are up to date. It’s awesome. The best backup is the one you never have to think about, and I definitely don’t have to think about this one.

…and if you decide to use Backblaze, too, I can get a cut. It’s great. I would never recommend a product I didn’t use enthusiastically, and I wholeheartedly recommend Backblaze.

(As it happens, I also wholeheartedly recommend my Time Capsule and SuperDuper, but they offer me no way to get filthy rich, like Backblaze does.)

Of all the stupid modern tribes to belong to, the tribe of the corporation is probably the silliest — April 23, 2014

Of all the stupid modern tribes to belong to, the tribe of the corporation is probably the silliest

On the occasion of Apple’s releasing their revenue numbers, it’s fair to point out that lashing yourself to a particular company is really stupid. Daring Fireball, for instance, exists to defend Apple and lash its detractors. Which is fine as far as it goes: I read DF every day, and I like his style very much. John Gruber is very much a part of the corporate-tribalism nonsense, and he makes a good living from it: people invite him to give talks to defend and explain Apple, and there are rumors (unclear how accurate) that he makes half a million dollars a year from it. And good for him.

Of course there’s a tribe on the other side, namely the tribe of Android. Inasmuch as I use Apple products, I guess I’m not a member of the Android tribe. I like Apple products.

But here’s the thing: this has nothing to do with me as a person. Yet the weird stupid modern tribalism requires that your choice of technology have something to do with you as a person. If you use Android, you probably have a neck beard, for instance. If you use Apple, you’re probably effete and eat kale. Or whatever. (Turns out I eat a lot of kale, you guys.)

Starting from this base of letting the technology determine your personality, the next step is to care very much about the companies that make them. I am supposed to be personally invested in the success or failure of Apple Inc. Turns out I’m not, though. I like their products. I will keep buying their products because I like them. If they go out of business, I will be sad, because then I will have to use products that I wouldn’t otherwise have chosen. Only, it seems really hard to imagine Apple’s going out of business, so … I guess I have no reason to be sad. Problem solved!

Apple doesn’t need your support. Neither does Google. Apple and Google will do just fine even without bands of true believers furtively tossing grenades at the other side. Use their products if you like them; don’t use them if you don’t like them; lobby the company to change things (in its dealings with Chinese manufacturers, for instance) if that’s what you want. But defining yourself as an “Apple person” or an “Android person” is just pathetically demeaning to your stature as a human being.

Does Heartbleed mean that C should die? — April 12, 2014

Does Heartbleed mean that C should die?

The “Does that pretty much wrap it up for C?” piece (via my man Jamie Forrest) is interesting, but I think he needs to talk it out a bit more. I mean, at *some* level, *someone* is going to have to do memory allocation on bare metal. And what do we do then? And there are always going to be functions that need high performance, because they’re in the middle of some tight inner loop. Or in the SSL case, *someone* is going to need to do very specific things with memory, like making sure it’s not holding any sensitive data.

My understanding of modern malloc implementations is that they include all kinds of sophisticated ways to prevent buffer-overflow attacks. When you request a block of memory, they set it up such that requests past the end of your block cause a segfault. Or they randomize the blocks they give you, so that you can’t just grab the next few bytes and expect there to be anything there.
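
A minimal sketch of the guard-page behaviour described above ("requests past the end of your block cause a segfault"), added here as an illustration; it is not code from this post, from OpenSSL, or from any malloc implementation. `guarded_alloc` and `read_faults` are hypothetical names, and the code assumes a POSIX system with `mmap`, `mprotect` and `fork`.

```c
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS on glibc */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: n-byte block that ends right where a guard page begins. */
static void *guarded_alloc(size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (n + page - 1) / page * page;   /* round up to whole pages */
    uint8_t *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {   /* guard page */
        munmap(base, data + page);
        return NULL;
    }
    return base + data - n;   /* unaligned, which is fine for byte buffers */
}

/* 1 if reading len bytes from a cap-byte block faults, 0 if not, -1 on error. */
static int read_faults(size_t cap, size_t len)
{
    pid_t pid = fork();          /* child takes the fault, parent observes */
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile uint8_t *buf = guarded_alloc(cap);
        if (buf == NULL)
            _exit(2);
        for (size_t i = 0; i < len; i++)
            (void)buf[i];        /* over-read once i >= cap */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("in bounds: %d, one past end: %d\n", read_faults(64, 64), read_faults(64, 65));
}
```

Only reads past the end of the block are caught here; the slack between the start of the mapping and the start of the block stays readable.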

I’m not a C programmer (I really need to know it, I think, to be a complete programmer), but all of this says a couple things to me:

1. If you use the right libraries, you should be protected against a lot of stupid behavior. Makes you wonder, for instance, why the OpenSSL team wasn’t using tcmalloc or ptmalloc. I’m sure there’s a reason; I just don’t know the problem space well enough to say.
2. Any serious software system, whether down at the bare metal like C or higher up like Python, is going to require lots of testing, regardless of whether it’s got compile-time type safety. There should be lots of unit tests. Ideally, the unit tests would also be able to simulate other components, using mock objects and whatnot. And then you need integration tests to see how well your component integrates with others. And then, in the case of a secure system, you probably need to bombard it with very focused buffer-overflow attacks, written by dudes who know the code inside and out. (Sort of like penetration testing within a company, on the assumption that you’re most vulnerable to your own employees.) And for performance reasons, you should also test it by bombarding it with millions of requests per second and seeing where it breaks. Testing is hard. QA is hard, and is very often not respected as a peer of engineering. Engineering is sexier. If you’re really good at QA, you’re spending your time writing systems to test many thousands of cases rather than just grinding out the same manual test over and over, and you’d probably rather be off building something new. Engineers also feel this way: they’d rather be writing new versions of the code than maintaining the old stuff.
3. An ideal team will learn from its mistakes and build systems that prevent the same bug — or similar bugs — from reappearing.
4. Building good software requires a good organization and good management (whether by “management” we mean someone who’s controlling the work product of his direct reports, or something broader like “group structure”). This is a variant of Conway’s Law: “Organizations which design systems are constrained to produce systems which are copies of the communications structures of these organizations.”

Let me be clear that I say all of this with absolutely no understanding of the OpenSSL code base, much less an understanding of the OpenSSL team’s structure. But it just strikes me that blaming an OpenSSL bug on the C language doesn’t really get at the problem. A successful software system will fix this mistake and ensure that it never happens again. A successful *open-source* software system will take community direction to build such a resilient system, and will do it all with a fully open process. That goes beyond narrow issues of language choice.