Patrick’s Rants



12/31/2009

Stock Market Thoughts 2009

Filed under: Money, Stocks — site admin @ 5:59 pm

As the last hours of 2009 fade into memory, the pundits are talking about the stock market recovery from the Great Recession. And to hear them tell it 2009 was remarkable in the 64% bounce from the market bottom in early March. As I look over what I’ve done in my own retirement account I see that I managed to do better than the markets as a whole. And that’s the way it should be; managed accounts should do better than unmanaged accounts or the index. If you didn’t do at least better than the market overall (or your portfolio didn’t double in value like mine if you want to get really daring) it might be time to take over management of your account. I’m considering a newsletter of sorts for investors who might be interested in what I’m looking at or investing in. Actually it’s far more like trading but it’s not day trading – I’ve only had one trade that took place in one day. I know. Everybody and his brother has a newsletter or a financial blog. I’m not really trying to compete with that. I suppose that I can just get feedback here to see how many of my regular readers think I might have something valuable to add. Anyone can write they had a great idea and made a bunch of money. Just look at Madoff or Enron. And to write that I bought several stocks and sold them for an average of 10% return per trade – some of them more than once – is easy. I could very well fake a great hindsight history so that’s no proof either. An email newsletter, another blog perhaps, text message updates?

Let me know and see you in 2010.

12/11/2009

Fending Off The Bots

Filed under: Geek News and Stuff — site admin @ 8:44 pm

Anyone who runs anything online has had to deal with bots. WordPress has plugins to fight spam of all kinds, bulletin boards and mailing lists have to remain vigilant, and firewalls have to be erected on personal computing and company networks. This last week the district closed up shop for two days to get the place cleaned up after a heavy snowfall on Monday. I took the opportunity to do a little reading and to try to fortify my web server. I started out trying to get my Apache logs cleaned up and found perishablepress.com to have a nice beginning. I don’t have everything working the way Jeff writes about over there, but let me tell you what I have been able to do. First, I’m using a simple add-on to httpd.conf that looks like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|/|\\\.\.\\).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}|\~).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
RewriteRule ^(.*)$ - [F,L]

RedirectMatch 403 \/\/(.*)


To be honest I think the biggest workhorse is the double slash redirecting to 403 “Forbidden”. I’m not sure that the rewrite stuff is even working (I’m going to spend some time in the future cranking up the logging on it to see if it truly is working). Now all the danged bots looking for vulnerabilities on my web server hit those 403s. I set up a simple script to look for 403 and 404 failures. It takes those failures and adds a rule to iptables to drop the host if it happens to hit too many times. I screen out the requests for the favicon.ico file, robots.txt and even other image types, and I’m left with a small list of hosts that try to pound away at my server. I currently have it configured to look at the current Apache server logs for the 403 and 404 errors. It then (hourly) inserts a simple drop rule for that host into iptables, which then logs additional attempts to connect. And by additional attempts I mean on any port. So if somebody’s Windows computer is compromised and they have a bot that tries to compromise my server, I block any future attempts to connect to my server via email, IRC, etc. And those attempts are logged while my server looks like it dropped off the face of the earth to the infected machine. So I won’t be getting spam from those infected hosts either.

Now if infected (or mis-configured – msn search is hitting a lot of 404s – stupid bot) machines try connecting after getting the firewall treatment they will stay blocked for a month. Otherwise hosts that are cleaned up will only be in the block list for a couple of weeks the way it’s all configured. Then they can be back reading my rants. I also added a twist. I have a script that dumps the addresses of the stupid bots where my home firewall can grab the list nightly and add those IPs to a squidGuard blacklist. So if those hosts happen to be running rogue web servers, at least no one here will try to connect to them.

I’m sure there are much better solutions – and I might add hosts that run ssh connection sweeps to a block list – but I’m having fun thinking about all the ways I can make something like this work and cut down on the break-in attempts on the web server.
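The log-scanning step described above could look like the following. This is an added example, not the script from the original post: the threshold of 5, the allowlisted range, the LOG-then-DROP rule pair and the sample log lines are all assumptions, and the commands are only built, not executed. Expiring blocks after a few weeks is left out.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
# Misses that ordinary browsers and crawlers cause; they do not count.
BENIGN_RE = re.compile(r'(?:^/favicon\.ico|^/robots\.txt|\.(?:png|gif|jpe?g|ico))$', re.I)
THRESHOLD = 5  # assumed; the post only says "too many times"
ALLOWLIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/28")]  # assumed admin range

def offenders(lines, threshold=THRESHOLD):
    """Return IPv4 hosts with at least `threshold` non-benign 403/404 hits."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) not in ("403", "404"):
            continue
        parts = m.group(2).split()
        path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
        if BENIGN_RE.search(path):
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # hostname or junk in the host field never reaches iptables
        if not any(addr in net for net in ALLOWLIST):
            hits[str(addr)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def iptables_rules(ips, chain="INPUT"):
    """Build commands (not run here). -I inserts at the top, so DROP goes in
    first and LOG second, leaving LOG above DROP for each host."""
    rules = []
    for ip in ips:
        rules.append(f"iptables -I {chain} -s {ip} -j DROP")
        rules.append(f"iptables -I {chain} -s {ip} -j LOG --log-prefix 'botblock: '")
    return rules

def _line(host, path, status):  # constructed sample entry, not real traffic
    return f'{host} - - [11/Dec/2009:20:44:00 -0700] "GET {path} HTTP/1.1" {status} 210'

SAMPLE_LOG = (
    [_line("203.0.113.7", f"//admin{i}/setup.php", 403) for i in range(6)]
    + [_line("198.51.100.20", "/favicon.ico", 404)] * 8
    + [_line("198.51.100.20", "/old-post", 404)]
    + [_line("192.0.2.5", "/typo", 404)] * 9               # allowlisted
    + [_line("crawler.example.net", "/missing", 404)] * 9  # not an IP
)

if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```

Validating the host field as an IPv4 address before it goes anywhere near a firewall command matters because that field can hold a hostname when HostnameLookups is on, and the allowlist keeps a run of your own typos from locking you out.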

12/4/2009

Rein In CEO Pay

Filed under: General, Money — site admin @ 7:53 am

I guess I’m not the only person who thinks that CEOs are overpaid and that compensation needs to be fixed. Will Ashworth writes Executive Bonuses Must Go over on Investopedia.com and his arguments are compelling. Pay CEOs a decent rate of pay, say $4 million/yr and let them buy shares of the company with their own damn money if they want stock.

12/3/2009

Double Review

Filed under: General, Money, Retirement — site admin @ 9:18 am

Over on Yahoo, Robert Kiyosaki writes The Biggest Scam Ever, an article about 401(k)s. This is in response to the Time article Why It’s Time to Retire The 401(k). He cites statistics on balances and averages.

I completely disagree with both arguments. Here’s the simple truth: the 401(k), Keogh, 403(b) and the multitude of IRAs are probably not going anywhere. When most people set up these plans at work, they meet for a few minutes with their HR person who doesn’t know anything about investing and just wants to get all the check marks done for the new hire. Retirement accounts are not a Ronco product – you cannot, cannot just “set it and forget it”. If that’s the way you plan your retirement, fugetaboutit. You won’t retire, you’ll be like Robert Shivley in the Time article working on the golf course or greeting people at Walmart. The biggest problem with defined contribution plans like a 401(k) is there is no one to hold your hand, walk you through it and keep you on track. Sure there’s the HR weasel but their job is just to get you to fill out the paperwork. They don’t care if you should be more heavily allocated to stocks or bonds and by law they really can’t give you investment advice. And the investment firm that handles your 401(k) usually is not all that interested in sitting down with you to determine the right balance for your personal account. They usually get paid for the dollars contributed; after that it’s a tiny commission amount on the total invested dollars.

It’s not the 401(k) or the IRA that need to be tossed, it’s the idea that you can Popeil your retirement. Wherever your money goes, if you have the opportunity and can allocate your own funds, sit down with a planner of some type. If your 401(k) is sitting at a local firm, have a one hour review with your broker. If not and it’s one of those “follow the line” firms, call them up. The people answering the phone at those firms want to keep your money and are paid salary to talk to you. There’s nothing in it for them (except keeping the account), it’s all about you. If it’s a local broker, remember any decent broker will sit down with you, and if they won’t, fire them and move your money – assuming you can.

If you can’t move your money and your broker doesn’t have time for you – after complaining to your HR department about the lack of service – sit down with a fee based planner (as opposed to commission based planners). You can take all of your options to a fee based planner who charges you by the hour and has no vested interest in which investments you actually hold. The only vested interest an hourly planner has is to give you decent advice that makes you want to come by next year to pay them for another hour of their time – oh and the referrals of your co-workers who can’t get advice any other way helps.

While the statistics cited by Time are pretty scary, not knowing what the statistics are based upon is even scarier. An average is just that, an average. More new accounts with lower balances, more older (presumably larger balance) accounts that have been rolled from 401(k)s out to IRAs, more people regularly withdrawing from their accounts all contribute to the average, just as much as a stock market downturn. Without the underlying numbers averages are just statistics. As has oft been quoted, “there are three types of lies: lies, damn lies and statistics”.

I don’t think the 401(k) needs to go away. I think people need to start planning more for their 20+ years in retirement than next summer’s vacation. They need to start looking at what they are invested in. Ron Popeil isn’t your retirement plan. He might be able to get a chicken done just right, but you have to set it and then reset when it comes to retirement planning. And just because Warren Buffett knows that a stock is a great value and will be worthwhile 40 years down the road doesn’t mean you can buy and hold forever. Even Warren sells once in a while. You still have to periodically look at your retirement plan. You have to take a vested interest in how much you have to retire on, no one else cares about your retirement – really.

Lessons in Economics

Filed under: It's a dad thing, Money — site admin @ 7:25 am

The other night my wife received a text message from Verizon that told her that one of our phones had gone over its allotted minutes for the month. If I recall it was the day before Thanksgiving. Of course it was my daughter’s phone (the phone we allow her to use, not that she purchased it). My first reaction was to snatch the phone away from her, which I did. Of course I overreacted and the correct thing to do is to lock the phone down during the peak hours – which one can do with Verizon. So the phone is locked down until the first day of the next billing cycle, December 7.

A few weeks ago, S asked if I would help her with her Economics class coming up next semester and I told her I would. And now she has learned the first lesson, scarcity of resources.

12/1/2009

Windows 7 Was My Idea

Filed under: Goofy Commercials, Stupid Ideas — site admin @ 8:26 pm

The commercial introduces us to “Sophie” who wants a touch screen computer. She flies to Tokyo and states that Windows 7 is her idea. Really? The touch screen is over 30 years old according to James Walker on ehow.com. And guess what? The touch screen has been around longer than Microsoft. She didn’t need to fly to Japan or wherever, she could have just gone to Starbucks and seen that flat screens are in use.
Windows 7 was my idea, heh. Your “idea” has been around longer than you (“Sophie” looks to be in her 20s) and it’s more likely that IBM – the absolute king of retail touch screens – had its patent slide into the public domain.

As for the guy who says, a computer that doesn’t crash, that was my idea. Haha. Really. A computer that doesn’t crash? Anyone who has booted a Microsoft operating system has that idea. Windows 7 might be better, but it’s still a crap shoot. I have a Windows 2008 (based on Vista/Windows 7) server that has failed updates and I have to work around critical vulnerabilities. How about updates that don’t fail to install, no reboots required (oh yeah, you better believe they are still required), a company that doesn’t treat its paying customers like thieves and a secure by default operating system. That’s my idea. And it’s not Windows 7.


