653 stories
·
49 followers

Asadar ti-ai setat obiectivul: Vrei prima 100.000 in 10 ani

1 Share

Articol realizat de Tiberius Margarit – scrie articole interesante pe stapanidebani.ro şi este autorul cărţii de educaţie financiară “Legile Banilor Tăi”.

Reușitele financiare personale sunt rezervate nouă, tuturor. Celor care nu acceptă riscul agresiv, în egală măsură cu cei care își asumă riscuri. Indiferent ce tip de om ești, există o combinație care ți se potrivește…

Am fost și sunt încă fascinat de Charles Munger. Ca aplicabilitate practică, pornind de la citatul său de referință:

“Prima sută de mii este cea mai mare c..vă” – Charles Munger

(sper să treceți peste aspectul frust al ultimului cuvânt ales de autor ca licență poetică pentru echivalentul “greu”), am fost uluit să înțeleg ce înseamnă să îți setezi ca reper prima sută de mii, cu adevărat.

Apoi, am simțit nevoia să sap puțin mai adânc la ideile din jurul acestei borne și am ajuns la ideea că, funcție de cum ne raportăm la acest obiectiv, noi, investitorii ne împărțim în patru categorii, așa cum apare în acest articol, găzduit cu amabilitate de Laurențiu Mihai pe blogul lui.

Acum am vrut să merg mai departe. Dacă nu ești chiar prima dată pe SdB, probabil că știi că sunt adeptul înverșunat al unui plan financiar. Asta înseamnă că abordările din Finanțele Personale de genul “pun 5.000 de Euro pe BET-TR sau MSCI -World sau Facebook și văd ce iese” sau “Vreau randamentul cel mai mare” nu sunt pentru Stăpânii de Bani.

Așadar, vreau să știu ce trebuie să fac, dacă mi-am setat obiectivul să ating prima 100.000 în 10 ani. Și vreau să-mi schițez un mini plan!

Dacă mergi pe calea clasică, atunci te gândești că ai auzit ca poți să mergi pe  10% medie multi anuală de creștere a burselor, așa că îți calculezi un drum astfel: pun 500 de lei (de exemplu) lunar îi capitalizez anual @ 10% și atunci, conform tabelului, în 10, 29 ani ar trebui să am obiectivul atins, adică într-un cont cu numele meu pe el, după atâția ani s-a strâns prima sută de mii de lei.

Dar în 10 ani se pot întâmpla multe pe piața de capital. Mai sunt și alte opțiuni?

Dacă te uiți cu atenție pe tabelul acela, vei vedea că dacă mergi pe varianta în care economisești 600 de lei în loc de 500 pe lună și cauți să ajungi tot acolo în 10 ani și ceva, atunci poți merge pe instrumente care îți aduc 5% pe an.

Sincer mă așteptam să fie diferențe, dar nu așa de mari. Opțiunea aceasta a doua îmi arată că, dacă pun doar 100 de lei în plus pe lună pot alege instrumente mult mai sigure. Adică pentru 3 lei în plus pe zi, eu pot alege instrumente de investiții din o cu totul altă gamă. Dacă asociezi riscul cu nivelul de 10%, atunci 5% înseamnă un risc de două ori mai mic!!!

Ok, dar să zicem că eu sunt un tip temător, mă cam sperie și ideea de instrumente precum, să spunem – obligațiuni municipale, am altă variantă?

Tot uitându-ne pe tabel, vedem că, dacă mergi pe o sumă economisită de 700 pe lună pot alege instrumente care sunt mult mai aproape  de setarea mea mentală.

Așadar cu 700 de lei pe lună @ 3% anual ajungi tot la același obiectiv: 100.000 în 10 ani!

Cred că ai înțeles ce vreau să fac mai departe. Am de gând să explorez și șansele celor care nu au încredere decât în instrumentele considerate super sigure, dar care nu aduc decât 1 %. Ei bine și aceștia pot intra în posesia aceluiași premiu tot după – aproximativ – 10 ani, dacă economisesc 800 de lei lunar.

Concluzii:

  • Nu există o singură cale între punctul financiar A și punctul financiar B, pentru că, în lumea investițiilor (pe cazul dat):
  • 500 lei@ 10% = 600 lei @ 5% = 700 lei @ 3% = 800 lei @ 1%
  • La același obiectiv poți ajunge și mergând cu viteze muuult micșorate, astfel încât să poți lua curbele în siguranță, dacă vrei.
  • Absolut toate tipologiile de investitori au locul lor rezervat în urmărirea obiectivelor lor. Asta dacă ai un obiectiv! Care obiectiv este o parte a unui plan… Si nu, “Pun 10% din venitul meu lunar deoparte (urăsc acest cuvânt!) sau în (pune tu aici ce instrument de investiție vrei)”, NU ESTE PLAN FINANCIAR. Fie și pentru faptul că nu are obiectiv…
  • De aceea, prin alegerile mele, făcute pe baza profilului meu investițional, majoritatea investițiilor mele sunt atât de plicticoase (nu au pic de fior de adrenalină în ele), încât am rețineri să le expun public!

Articol realizat cu ajutorul lui Tiberius Margarit. Scrie articole interesante pe stapanidebani.ro şi este autorul cărţii de educaţie financiară “Legile Banilor Tăi”.

Read the whole story
afita
266 days ago
reply
Cluj-Napoca, România
Share this story
Delete

Free, Like a Puppy

1 Share

I’ve found that things that are free of charge are often not a good deal. TANSTAAFL, or “There ain’t no such thing as a free lunch.” You’re always paying in some way. Maybe the piece of hardware is marked up more to cover the development cost of the “free” software that comes with it. Perhaps […]

The post Free, Like a Puppy appeared first on The Lone Sysadmin. Head over to the source to read the full post!

Read the whole story
afita
270 days ago
reply
Cluj-Napoca, România
Share this story
Delete

Tidelift Doubles Down On Supporting Open Source Enterprise Application Development

1 Share

EnterpriseAppsToday: As open source software continues to become increasingly important for enterprise application development, there is a need to help fund developer efforts.

Read the whole story
afita
283 days ago
reply
Cluj-Napoca, România
Share this story
Delete

Restricting Processes

1 Share
A summary of means to restrict Unix processes and the different approaches ultimately leading to containers.
Read the whole story
afita
317 days ago
reply
Cluj-Napoca, România
Share this story
Delete

Leaving "gifts" behind on dedicated server hosts

1 Comment and 2 Shares

I used to work in a place that had a bunch of machines that other people would pay to use. You might call it "dedicated" or "managed" or even "enterprise" hosting. A lot of it was just "whitebox" machines sitting on bread racks, but some of it was actually in proper racks (or "cabinets") with machines which were actually built for it.

Regardless of the hardware used, the model was about the same: you'd pay the company some amount of money for the right to do whatever you wanted with the machine, more or less. Obviously, if you screwed it up too badly, or installed some unsupported OS, you might not get much support beyond hardware replacement or reimaging it with a supported system, but it worked for most people.

I also became a customer of this world way back then, and have been ever since. This page is coming to you from the latest incarnation of this kind of server, for instance: just a box hanging in a rack somewhere in Dallas.

Recently, my mind turned to nefarious ideas. It was probably after writing that post about bad hardware getting into loops a couple of weeks back. That post was about hard drives being used by multiple distinct customers, but what about the rest of the machine? Are there parts that don't get "wiped"? Could you leave behind a little "gift" for the next customer?

This is where I put the "evil hat" on. So, I have root on the box, right? I also have out-of-band access to it so I can mess around with the console and/or "BIOS" settings. Basically, I can do all kinds of stuff on here. Reflashing it probably wouldn't be terribly difficult if I really wanted to.

That brings up a whole new bag of hurt: what are the odds that the hardware is going to enforce some kind of signed integrity check on that firmware? Maybe the main board itself will, but what about things like the NIC? Is it all that paranoid? What if it isn't? Could I put my own code on there? How about the BMC? There's a lot of goofiness out there, so I bet there's at least one hole on a lot of popular hardware.

Let's say I do that. Then I "return" the machine. It goes back into the pool, and then some other customer gets a hold of it. Meanwhile, my evil firmware is still on the box, right? Who actually checks that kind of stuff before they reuse hardware for another customer? I'm guessing the number is effectively zero.

Once the machine goes back online with a new customer, then I exploit the hole I left behind, and boom, it's mine again. Maybe I get lucky and find something particularly tasty and interesting. Maybe not.

I don't have an easy solution for this one. Building your own box and doing the co-lo thing is just far too annoying for a lot of people.

Read the whole story
afita
555 days ago
reply
Cluj-Napoca, România
Share this story
Delete
1 public comment
acdha
554 days ago
reply
This is a big problem: the answer is a trusted boot process like iOS uses but that has, not without reason, been resisted for also making things like perfect DRM possible and preventing users from installing open source operating systems. Limited demand means most vendors do a terrible job on the implementation, testing, and documentation and that means fewer people use it.
Washington, DC
chrishiestand
553 days ago
The big cloud providers are also getting pretty good at this: https://cloud.google.com/security/infrastructure/design/

Subprocesses are generally bad news

1 Share

Yesterday, I wrote about a confluence of well-meaning features which can create a serious disaster. It's what happens when you have a flag library, a means to change those flags by way of unauthenticated networks, and programs that run subprocesses. I glossed over a bunch of possible tangents in order to focus on that particular hat trick.

Today, however, is about the specific case of running subprocesses. In short, if you can make your system work without them, then do so! "Shelling out" to something else is a fantastic way to open incredibly bad holes in your system and potentially give the entire game away to whoever happens to find it first.

There are too many ways this can go wrong. I will attempt to describe a few of them.

First off, system(). This is a C library call which looks mighty tempting. It lets you run processes just by constructing a string. They run by way of a shell, and so respect PATH. This means you don't even need to worry about exactly where the binary lives. You can just system("git commit -m update") and it'll work well enough to make you think it's safe and good to leave like that forever.

The biggest problem here is that yes, it runs via a shell. Shells love to take all kinds of flexible input and do marvelous things with them. With that in mind, what if I can get you to put certain magic characters into the command? Going based on our git example from above, maybe instead of saying "update" as the commit reason, I can get you to say something I define. What if I tell you the commit reason is this?

foo ; touch /tmp/0wned;

What's going to happen? It's going to call out to this, isn't it?

/bin/sh -c git commit -m foo ; touch /tmp/0wned;

Congratulations, you just ran my payload.

"I'll just escape it" is a typical and yet unacceptable response to this. Odds are good that this will get screwed up, and someone will find yet another clever way to inject some command that would benefit them.

Maybe you use popen() instead. Assuming we're talking about the C library version here, guess what? You are also going through a shell, and are just as vulnerable. If you build up a command line and allow me to send you arguments, I can probably make you run my payload.

Python has variants on this. The usual popen-alike you find on Python doesn't usually run through a shell, but it can totally be done if you explicitly enable it. This means it might be vulnerable to this kind of injection if someone switched that feature on.

This is the point where you start grepping through your code base for calls to system() and popen() and whatever flag(s) Python uses to send it through a shell. Maybe you'll find something and can close the holes before someone else drives a truck through it. Maybe they already have.

Something like execve() is somewhat better, since you get to specify the target executable separate from all of the arguments, and there's no shell involved. It actually replaces your process with the new thing, so you have to figure out all of the stdin/out/err business, potentially closing outstanding fds, not running afoul of "things to not run after fork and before exec", and all of that fun stuff. It also means you control the environment of the new process, and can exclude a bunch of nasty stuff that might otherwise be provided by an attacker.

Still, if you can swing it, the only way to win this game might be to not play at all. If a program is just calling into a library, maybe you can do that yourself. Besides avoiding the possibility for command injection, and having to deal with forking and execing and doing that correctly, you can just call into it and call it done.

Obviously, this isn't always an option. It's not like you can call into some magic library that'll do what a call to gcc or g++ would otherwise do. There are many more examples of programs which don't exist in terms of user-facing libraries and will only deal with you through their human-facing CLI tools. In those realms, all you can do is wrap the programs and hope for the best.

One thing to consider is the possibility of explicit separation of responsibilities. Maybe you're stuck having to run some other program for some reason. You have no choice in the matter. Well, nothing says you necessarily have to do it inside the same process, right?

To abuse the earlier mention of gcc, one really bizarre approach would be to have something sitting there waiting for the call over loopback (or a Unix domain socket), which would then accept a few well-specified parameterized requests and would then run gcc in a really sparse environment (chroot, "container", that sort of thing) and kick back the results. It could run as a totally different account, too, so if something truly bad happened, it wouldn't have access to much else.

A cheeky name for it might be "RCE as a service".

Of course, now you have a dispatch problem, and a bunch of lurking processes waiting to be discovered and mistreated, and the matter of authenticating/authorizing requests to those dispatchers, and so on. You might wind up trading one set of problems for another.

In any case, take a few things away from this.

First, subprocesses are a code smell. Avoid them whenever possible.

Second, popen() and system() are really hard to use safely.

Third, if you don't need to allow modifying the environment and/or arguments handed to a subprocess, don't let it anywhere near user-supplied data! Make those things run from hard-coded constant strings or something to that effect. Don't substitute, concatenate or otherwise "taint" the future program's argv[] with data from a potential attacker.

Finally, if you can, wall this stuff off in some sort of jail.

Read the whole story
afita
556 days ago
reply
Cluj-Napoca, România
Share this story
Delete
Next Page of Stories