2019-11-24

Unsigned Integers Are Dangerous

Unsigned integers are dangerous for at least two reasons:
  • Danger1: "unsigned integers are highly infectious and possibly lethal to desired arithmetic."  Unsigned integers can transform your nice signed integer math into unexpected and unwanted unsigned integer math.  Ex: the unsignedness of 1u infects the C/C++ expression -1/1u so that it yields a large unsigned integer which may go on to infect more arithmetic.
  • Danger2: "unsigned integers almost always teeter on the cliff-edge of underflow, sometimes falling and killing desired behavior."  Underflow and overflow of integers often lead to unwanted behavior, and unsigned integers often hold small values that could easily underflow after common operations like i-- or i-1.  Signed integers often hold small values that are very far away from both underflow and overflow.
Danger1 depends on how your language treats operations with mixed signedness.  C and C++ (and probably many more languages) do have the dangerous behavior of preferring to generate unsigned integers.  Danger2 is for basically all languages.

Due to the severity and generality of these dangers, I recommend the mindset of "use signed integers unless you must use an unsigned integer for a specific reason".  Some acceptable situations to use unsigned integer variables...
  • If you have some variable/constant that will only by touched by bit-wise operations and not arithmetic.
  • If you really need to be stingy with your variable sizes and need the extra positive range of unsigned integers.

2019-10-05

There Are Surprising Restrictions to Pluses and Dots In Gmail Addresses

The internet has many resources (one, two, three) that mention that for receiving emails to your gmail address...
  • Everything after plus sign (+) is ignored.
  • Dots/periods (.) are ignored
  • Example: e.x.a.m.p.l.e+asdf_1234@gmail.com will deliver to example@gmail.com
Note: many websites do not accept email addresses that include a plus sign (+), and I think basically all websites accept dots before the @.

There seems to be some restrictions on dots that are not discussed very much...
  • Dots can not be consecutive; "e..xample@gmail.com" is not usable.
  • Dot can not be the first character; ".example@gmail.com" is not usable.
  • Dot can not be the last character; "example.@gmail.com" is not usable.
  • The above dot restrictions apply even after a plus sign; "example+a..b@gmail.com" is not usable.

2019-08-16

Dollar Cost Averaging Is Ill Founded And Overrated

Scope And Purpose Of This Post

Visual metaphor for DCA's inconsistency

Dollar cost averaging (DCA) is a strategy deliberately delaying investing money.  I will argue that DCA is an ill-founded and logically inconsistent way to manage risk.  The superior way to manage risk is a well-chosen asset allocation.

I'm going to take some time to define my terms, because people use the term DCA in different ways.  I'm not arguing against all of the different flavors of DCA, just a particular flavor.

I'll point to some existing great work on how DCA has been disappointing historically, but the heart of the post is explaining on a conceptual basis why DCA is disappointing and not a coherent approach to investing.  Proper asset allocation is the superior and coherent way to manage risk.


Terminology

S/B notation: for this post, "75s/25b" is shorthand for "75% stocks, 25% bonds".  It can be shortened to "100s" for "100% stocks" and it can be extended to "70s/20b/10c" to indicate 10% cash as well.

Asset Allocation: the proportions of stocks, bonds, real estate, cash, gold, etc, that you own.  For instance, you might have a desired asset allocation of 75s/25b, or a more aggressive 100s/0b.  Your desired asset allocation should reflect the risk-and-return profile that is appropriate for you.

Cash: in investing/savings contexts, this isn't just physical dollar bills, but also very short-term interest-bearing assets, like money in a savings account, money market fund, or even 1-month treasury bills.  These are very "safe" assets in being very unlikely to lose nominal value.

Lump Sum Investing (LSI): if you receive a sum of money, you immediately invest it in accordance with your desired asset allocation.  For instance, you inherit $100K dollars and you immediately invest it in stocks and bonds in accordance with your desired asset allocation of 75s/25b.  The core goal of LSI is to invest earlier rather than later to get more growth out of your money and to keep your asset allocation in line with your desired risk-and-return profile.

When people say "dollar cost averaging" (DCA), they usually mean one of two things:
  • DCA1: If you receive a large sum of money, you don't do Lump Sum Investing (LSI) where you invest it all at once.  Instead, you initially keep the money as cash and invest it gradually over time, perhaps over a period of years.  The core goal of DCA1 is to invest across time to buy in at different price levels (thus the name) and to avoid investing all of your money at an unfortunate time (like a stock market peak). This is "DCA as opposed to LSI".
  • DCA2: Continuously saving and investing (like every time you get a paycheck) over the course of years.  Just keep investing, don't try to time the market and pull out of equities before a predicted stock market crash.  The core goal of DCA2 is to invest your money as you earn it and to stick with your plan even when things looks scary.  This is "DCA as opposed to market timing".
As an example of how DCA is used in different ways.  Here's two articles from Nick Maggiulli's Of Dollars And Data site:
  • How To Invest a Lump Sum, where he argues for LSI and against DCA1: "What if the market crashes right after you invest?  Wouldn’t it be better to average-in over time (i.e. dollar-cost averaging/DCA) to smooth out any unlucky timing on your part? Statistically, the answer is no."
  •  Even God Couldn’t Beat Dollar-Cost Averaging, where he argues for DCA2 and against market timing: "You have 2 investment strategies to choose from ... Dollar-cost averaging ... Buy the Dip".
So, same guy, same blog, arguing against DCA1 and for DCA2, using the same term for both.  He's a smart guy that knows what he's talking about, but readers might confuse themselves if they mentally use the same label ("DCA") when thinking about both articles.

DCA1 is what I will argue against.  I approve of DCA2, which is really just the buy-and-hold (BAH) part of the Boglehead passive investing approach.  The next section will spend some more time distinguishing DCA1 vs DCA2 so that we don't think about "dollar cost averaging" in a confused manner.

2019-08-02

Account Recovery: Insecure And Uncertain

Summary

Account recovery procedures (ex: when someone says they lost your password and/or phone) are often the easiest way for attackers to gain access to your account, and unfortunately there is very little advice on how to deal with it, other than "turn your username, email, and security answers into unique, hard-to-guess things", in other words: make everything a password.  But account recovery procedures often make that tactic useless.

Also, I am doubtful that adding extra account recovery options (recovery phone numbers, alternate emails) is a good idea for people who are using a password manager to create and store strong, unique passwords, and have taken steps to make sure they won't lose access to their password database.  Extra account recovery options are extra ways for bad guys to get into your account and are often easier than guessing your password.

Motivation And Background

The computer security field has some things about account security pretty well settled, like use a password manager to generate and store strong, unique passwords for your accounts.  I think one of the big remaining questions is: how should users manage the risk from account recovery procedures (when someone claims to have lost your phone and/or password).

To illustrate how bad account recovery procedures from popular account providers can be, Betfair only required a username and date of birth to change someone's password, and here's the tragic story of Mat Honan from 2012:
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn't get into his Me.com e-mail – which, of course was my Me.com e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover....It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.
It also used to be that to take over an Amazon account, you only had to know was a person's name and their shipping address, and to make three calls to customer service.  You could use the name and address to find out the registered email address, then use those three things to add a phony credit card number, then use those four things to change the associated email and then trigger a password reset using the new email address..

This is extremely scary.  To continue the old Amazon example, for a long time your Amazon password (and probably 2FA if they even offered it at the time) offered no protection against someone who knew your name and physical address.  I don't really know what someone could do to guard against that.

A big part of why account recovery is insecure and will probably continue to be so for a long time is incentives faced by the account providers.  The number of legitimate customers that have lost their phones and passwords outnumber bad guys on any given day.  Businesses want to please their customers and convenience-security trade-offs are being made that are probably close to what most customers want.  The average Amazon/Apple customer does NOT wanted to be locked out of their account just because they forgot their password.

2019-02-09

ETF vs Mutual Fund (ITOT vs FZROX)

Scope And Purpose Of This Post

This post will try to help inform people about the "ETF vs mutual fund" decision, and we're going to go through some examples, most notably ITOT (ETF) vs FZROX (mutual fund).

Terminology notes:
  • Percentage points are abbreviated "pp". Percentage points are for describing absolute amounts, not relative amounts (which we use percentages for).  A tax rate increasing from 5% to 15% is an increase of 200% (relative) and is also an increase of 10pp (absolute).
  • basis points (hundredths of a percentage point) are abbreviated ‘bp’.  So 3 bp is the same as 0.03% and 0.0003



End Result For Jacob

Rule of thumb: assuming my choices are competitive, ETF (or certain Vanguard mutual funds) in taxable accounts and mutual funds in tax-advantaged accounts.

For investing in the US equity asset class, I currently purchase ITOT in my taxable account and FZROX in my Roth IRA.  I think ITOT will probably be notably better than FZROX in taxable accounts and is pretty much the same as FZROX in tax-advantaged accounts.   In tax-advantaged accounts, I go with FZROX mostly for the extra ease/convenience and making sure I don't trigger wash sales (Wiki, Fairmark, tax code).