|
Post by solicitorious on Jan 4, 2017 11:54:37 GMT
|
|
|
Post by solicitorious on Jan 4, 2017 10:23:16 GMT
As a 30 odd year IT veteran, I'd like to temper that a bit. Of course, if you are not familiar with these things, have any doubt whatsoever, do not use them. It is not worth the risk. However, the contributions of a few on the forum, one in particular on this board are completely open. They include a notice of the risks, but anyone with an understanding of code can _very_ easily read what the code is doing, what might be possible and what it actually does. If in doubt, don't touch it, but I would not like a statement such as you posted to tarnish the work of a few genuine and welcome efforts here. My advice, if using code such as the one posted here for SS is to read it. If you do not understand what it is doing, do not use it. TURN OFF AUTO UPDATE. Vigilance and a healthy dose of scepticism should keep you on the safe side.
The "notice of the risks" was he didn't know, despite his optimistic username, what they were... Hardly encouraging, but it didn't seem to stop a lemming-like rush to install his widget. Take note also that the author is located in a far-off continent. You can dress it up however you like, but most people here are not "30 odd year IT veterans" and sometimes may need a little protection from themselves. In any case, you don't refute any of my basic contentions regarding the advisability and risk of using these "gifts".
|
|
|
Post by solicitorious on Jan 4, 2017 9:56:42 GMT
I have become aware of and very concerned about the propagation of browser extensions/helpers on the wider forum. While I have no evidence to impugn the motives of any individual who has "offered" such tools so far, it remains a fact that the mechanism of these add-ons is identical to what are known as "Man-in-the-Browser" attacks, which can bypass all security of banks and financial institutions.
p2pindependentforum.com/post/160347/thread
The mods have taken note and are trying to formulate a policy. My view is NO, NOT EVER should this forum encourage the use of ANYTHING which purports to modify a platform while the user is logged in to his/her own account. The risks are too obvious, and well-documented. As P2P matures and grows it is inevitable that security threats will multiply. We should always be vigilant to such threats, which of course may include attempts to "social engineer" the acceptability of such threats, by peer pressure, adopting the guise of experts, etc. by elements on the forum. I expect representatives of the platforms would also wish to add their input, as a matter of urgency.
|
|
|
Post by solicitorious on Jan 4, 2017 9:06:44 GMT
I tried but didn't find a good article about the safety of Tampermonkey/Greasemonkey scripts.
You couldn't have tried too hard, "0risk", and "twoheads" may not always be better than one....
"We describe the architecture of Greasemonkey and perform a large-scale analysis of the most popular, community-driven, script market for Greasemonkey. Through our analysis, we discover not only dozens of malicious scripts waiting to be installed by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases, the vulnerabilities are so severe, that they can be used to bypass the Same-Origin Policy of the user’s browser and steal sensitive user-data from all sites. We verify the practicality of our attacks, by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a “Man-in-the-browser” attack." [p1]
www.securitee.org/files/monkey_asiaccs2014.pdf
[This article goes into great detail - I've removed any direct posting per the copyright instructions]
uk.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks-35687
"Man-in-the-browser attack uses Trojan horse to manipulate the communication between the user and the browser. It is unlike the common type of web application attack in which an attacker manipulates the communication between the user and the web server. The Trojan horse takes advantage of a browser vulnerability to launch the attack against the two factor authentication. In this case of attack, the two factor authentication wouldn’t be able to protect the information of the user."
"The man-in-the-browser attack depends on the Trojan horse; so, the first step in launching the man-in-the-browser is to target the victim’s computer. An attacker may use several ways, including social engineering techniques, to target the victim’s computer. There is a difference between targeting the specific victim and creating a plan that can target a massive amount of computers (like creating a Trojan horse and spreading it via extension)"
"The bank server has received the transaction from a legitimate and authenticated user so it performs the desired task; and at the end of the transaction, the web server releases a receipt. The Trojan horse can modify the receipt, too; and then it displays the receipt of the original transaction to the user. From the user and the bank server’s point of view, everything is good; but the man-in-the-browser attack has been completed and the money successfully stolen."
"So the man-in-the-browser attack is a very dangerous attack because neither the bank server nor the user can detect it. This is the point where the powerful authentication (two factor authentication) has failed."
"The man-in-the-browser attack is a very dangerous attack because the Trojan horse that has been designed to perform the attack has a very low detection ratio."
"Your anti-virus and firewalls are not enough to protect your computer from the latest challenges, and hackers are always trying different and new techniques to hack into your computer. Security awareness and user education are important steps that really help to prevent most of the online attacks. Do not trust third party software and extensions."
resources.infosecinstitute.com/two-factor-authentication/#gref
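An added example, not part of the original posts and not any script offered on the forum: a pre-install check that reads a userscript's metadata header and lists the declarations relevant to the concerns raised in the posts above (site scope, cross-origin requests, remotely loaded code, auto-update). The sample header, the `.invalid` URLs and the finding labels are constructed for illustration.

```javascript
// Constructed sample header for illustration; not a script from the forum.
const SAMPLE = `// ==UserScript==
// @name        Loan list helper (constructed sample)
// @match       *://*/*
// @grant       GM_xmlhttpRequest
// @connect     *
// @require     http://cdn.example.invalid/lib.js
// @updateURL   https://scripts.example.invalid/helper.meta.js
// ==/UserScript==
console.log("script body is not inspected by this check");`;

// Parse "// @key value" lines between the header markers into {key: [values]}.
function parseHeader(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@([\w:-]+)\s*(.*?)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Return findings (hypothetical labels) to resolve before trusting the script.
function auditUserscript(source) {
  const meta = parseHeader(source);
  if (!meta) return ["no-metadata-block"];
  const findings = [];
  // Scope: a wildcard host means the script also runs on banking/lending sites.
  const scopes = [...(meta.match || []), ...(meta.include || [])];
  const broad = (p) => p === "*" || /^(\*|https?):\/\/\*\//.test(p);
  if (scopes.some(broad)) findings.push("runs-on-all-sites");
  // Privileged APIs: GM_xmlhttpRequest is not bound by the Same-Origin Policy.
  const grants = meta.grant || [];
  if (grants.includes("GM_xmlhttpRequest") || grants.includes("GM.xmlHttpRequest"))
    findings.push("cross-origin-requests");
  if (grants.includes("unsafeWindow")) findings.push("page-context-access");
  if ((meta.connect || []).includes("*")) findings.push("connect-any-host");
  // Remote code: what you read today is not necessarily what runs tomorrow.
  const requires = meta.require || [];
  if (requires.length > 0) findings.push("loads-remote-code");
  if (requires.some((u) => !u.startsWith("https://"))) findings.push("insecure-require-url");
  if (meta.updateURL || meta.downloadURL) findings.push("auto-update-source-declared");
  return findings;
}

console.log(auditUserscript(SAMPLE));
```

An empty result only means the header declares nothing unusual; the script body still has to be read.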
|
|
|
Post by solicitorious on Jan 3, 2017 23:18:11 GMT
There are risks, and then... there are RISKS.
Why try to accumulate them?
"Faites vos jeux, messieurs, dames!"
|
|
|
Post by solicitorious on Jan 3, 2017 18:26:52 GMT
Thanks for the effort, but accessing a large part of my life savings through something called TamperMonkey?
I think I'll pass...
[@mods, do you have a policy on these things? I'd get one, pronto...]
|
|
|
Post by solicitorious on Dec 31, 2016 1:08:35 GMT
The more time I spend in P2P, I think it's really down to 4 things, in roughly descending order of importance.
a) Diversification, across loans (and platforms, to a lesser extent). Spread your investment thinly. Of course, sometimes I take a chance in getting a (somewhat) larger sum invested, rather than have dead funds sitting about, but always with a view to selling down as soon as practicable to a more trivial level for any particular loan. After being burnt a little in the early days, my own rule of thumb now is:- not much more than £100 in any unsecured loan, and not much more than £500 in any secured loan. For reference, these would equate to around a 20th of 1% and a 5th of 1% respectively of my total P2P investments. [SS is a special case, where I am happy to go many times this, at least during the initial life of (some of) the secured, interest paid up-front, provision-fund-backed loans]
b) LTV. Understand it, particularly for 2nd charges and tranches. Figure out your comfort level and try to stick to it. If you must break your own rule, only do it with a trivial amount of investment. There will always be a more attractive loan along soon, and a couple of days lost interest is negligible compared to a loss in an over-invested loan that subsequently goes south... I'm happy to share my LTV calculator
docs.google.com/spreadsheets/d/1poGF5j1MLNd-QV9zB4rhNuOuisZI5RVYjjqBFRjHkt0/edit?usp=sharing
c) If possible, try to sell-out completely, say 30 days, before the end of term. Some platforms actively encourage this with a tax break!
d) I don't get too hung up on doing my own DD. Life's too short, time is money, and the initial proffered info is usually rosy/vague enough for most secured loans to pass muster in any case. But, keep an eagle-eye on the forum for subsequent nasties that others may discover down the line... If in doubt, sell out early.
General advice. Stay disciplined, get organised with spreadsheets. Never get "emotionally attached" to a loan, and... Focus on minimising your losses, and the profits will look after themselves.
|
|
|
Post by solicitorious on Dec 30, 2016 13:29:00 GMT
great minds, etc (see my edit, which crossed with your post!)
|
|
|
Post by solicitorious on Dec 30, 2016 13:18:12 GMT
I suspect it's the use of "gain" and "loss" (especially just below the "Capital loss" line) that's causing some confusion. Most lenders wouldn't regard the purchase of rights to accrued interest as a "loss" (until / unless an actual loss crystallises at completion). How about changing the description to "Secondary Market trading (net)" or similar? ps. I think the addition of the "Earnings to date" summary is excellent.
I would eschew the word "trading", lest Hector thinks we are actually trading, which (we are led to believe) we are not! Maybe "SM net transactions"...
|
|
|
Ablrate (ABL) in Administration
Tax 2015/2016
Post by solicitorious on Dec 5, 2016 18:18:56 GMT
No, I hadn't... Thanks. Although I've just lost the will to live, reading it. Can anyone simplify it?
|
|
|
Ablrate (ABL) in Administration
Tax 2015/2016
Post by solicitorious on Dec 5, 2016 17:53:56 GMT
as the January deadline looms, can anyone summarise which bits of our transactions are taxable?
|
|
|
Post by solicitorious on Nov 23, 2016 9:22:43 GMT
OK, a slight fly in the ointment I had overlooked. If you could list the loans that are affected by GDV calculations, with their "true" LTVs, I will run it again. Someone might like to create a sticky list of the GDV-based loans, so lenders are always aware of the difference...
|
|
|
Post by solicitorious on Nov 22, 2016 18:25:41 GMT
Bi-annual update, for the current loan book for D=50%, L=50% (uniform), T=0.10% (1 in a 1000 chance of a total loss)
Model says:
Chance of any loss 100.00%, no loss 0.00%
loss <0.5% 0.00%
loss >0.5% 100.00%
loss >1% 100.00%
loss >2% 99.92%
loss >3% 98.91%
loss >5% 76.95%
loss >10% 0.66%
loss >15% 0.01%
loss >20% 0.00%
loss >30% 0.00%
loss >40% 0.00%
loss >50% 0.00%
overall loss 6.04%, including times when there's no loss
average loss 6.04%, if there is a loss
Comparison with when there's no PF
Chance of any loss 100.00%, no loss 0.00%
loss <0.5% 0.00%
loss >0.5% 100.00%
loss >1% 100.00%
loss >2% 100.00%
loss >3% 100.00%
loss >5% 98.91%
loss >10% 7.96%
loss >15% 0.04%
loss >20% 0.00%
loss >30% 0.00%
loss >40% 0.00%
loss >50% 0.00%
overall loss 8.04%, including times when there's no loss
average loss 8.04%, if there is a loss
A significant positive change since 7 months ago. I would put this down to the repayment of some 2nd charge loans, so now only three remain, a general lowering of LTVs (weighted average down from about 61% to 56%) and the ballooning of the PF to a shade below £3 million. The risk of a significant capital loss on a fully-diversified portfolio has all-but been eliminated (according to this model, its assumptions and parameters...) Congratulations savingstream!
|
|
|
Post by solicitorious on Jun 19, 2016 13:02:17 GMT
Around 40% of my wealth, a moderately large six figure sum.
4 'active' platforms, comprising around 285 loans in total. I also have some frozen/in recovery funds in 3 other sub-optimal platforms, comprising together about 9% of my total.
Projected gross annual returns comfortably in excess of £20k.
|
|
|
Post by solicitorious on Jun 18, 2016 9:24:28 GMT
I notice we're getting newbie questions. Time for a dedicated thread. Mods perhaps you can merge the two recent questions here, and someone can start compiling a FAQ?
|
|