Monthly Archives: October 2015

Book Review: ‘Money Master the Game’

I just finished reading ‘Money Master the Game: 7 Simple Steps to Financial Freedom’ by Tony Robbins.  I am not a fast reader.  At over 600 pages, this book took me over two months to get through.  I stuck with the book because I want to be financially free and I’m trying to figure out how to get there.  While I was a bit disappointed in the main premise of the book – that investing in the Stock Market (bonds, stocks, treasuries, REITs, etc.) is the main way to achieve financial freedom (which I hope I have stated correctly) – I loved Mr. Robbins’ positive admonishments throughout the book, as well as his interviews with billionaire investors and his polite insistence that they share their secrets to investing success with everyone who has ears to listen.

I started this book from the fundamental belief that the U.S. Stock Market is corrupt and rigged.  I have cooled on the value of participating in the US Stock Market as an ‘average Joe’ investor – from too much manipulation by the Federal Government through Corporate bail-outs and Quantitative Easing (QE1-3) policies, to the Federal Reserve Bank and its possible involvement in equity purchases, to High Frequency Traders (HFT) manipulating stock prices, etc.  Mr. Robbins’ book, however, is mostly about portfolio balance and diversification in equities.  While reading this book, I realized that the Stock Market cannot be ignored as at least part of an overall financial freedom strategy.

All in all, I thought this book was extremely well researched and very good – well worth the investment of time to study and money to purchase.  It seems to be a heartfelt attempt on Mr. Robbins’ part to help the average investor prepare for retirement in the face of a growing retirement crisis (most Americans are not saving nearly enough money for their retirement – myself included).  While many of his recommendations for getting started toward some hope of retirement are mostly common sense steps you’d no doubt hear from any personal finance guru (i.e., save more than you spend, get out of debt and invest your savings), Mr. Robbins goes into great depth on how successful institutional investors, like Ray Dalio, Jack Bogle (Vanguard) and Charles Schwab, invest and make money (and rarely ever lose it).  I found great value in the interviews Mr. Robbins shares near the end of the book with several billionaire investors, and that, I believe, is the true genius of this book: that we should study and emulate the behaviours, mentalities and money management practices of the truly wealthy in order to increase our chances of realizing financial freedom.

To that end, I realize the Stock Market cannot be ignored; however, I intend to tread cautiously in regard to these types of digital investments.  I choose to remain largely in cash right now (perhaps even in nickels, a la Kyle Bass (mostly joking)), with limited monthly investments in my 401k, and some small physical real estate investments (sorry James Altucher).

Tony Robbins, thank you for your hard work in writing this book, sharing interviews with such highly successful people, and for encouraging all people to improve their (financial) lives!  Here’s to a better (financial) future!


‘Out of the Box’: Your COTS Products Are Not Secure

Somewhere, a CIO has just spent millions of dollars on new software licenses for new JEE Application Servers.  The DevOps Team hurriedly installs the software, probably feeling crunched by a time deadline.  The Software Development Teams hurriedly deploy custom software on top of the newly acquired JEE Container, also pressured by similar time deadlines.  All the while, no one has considered the default configuration settings for the new JEE Application Server; many don’t think they even matter.  On the contrary, Default Application Server Configurations are rarely what your organization wants or needs, especially when it comes to Performance Tuning and Security.  Here is one anecdote to help highlight why relying on Commercial Off The Shelf (COTS) Software, ‘Out of the Box’ and with default settings, is usually a bad idea.

Take IBM’s WebSphere 7, for example.  With a few simple mouse clicks after installing the software in your Enterprise Environment, the DevOps Team can greatly improve the security profile of your JEE Application Server’s SSL/TLS handling.

As the SSL protocols age (SSLv2 and SSLv3 are both deprecated), it has become best practice to allow only TLS.  For example, many organizations will want to avoid exposure to the SSLv3 POODLE attack (CVE-2014-3566), in which an attacker who can force a client and server to fall back to SSLv3 can recover plaintext from the session.

The default configuration for WebSphere 7 is to allow both SSL and TLS, in-bound and out-bound, when negotiating HTTPS secure channels.

Websphere 7 SSL and TLS allowed by default.

You could use the configuration screen above to select either all TLS protocols or only the specific TLS protocol you want to allow.  But this may provide a false sense of security.  The protocol list on that screen only governs in-bound secure channel negotiations from external clients connecting to your server.  What if some of the Software Engineers in your organization have written Java HTTPS Client Code that establishes HTTPS connections to external SOAP or REST Web Services?  Will that code be similarly prevented from using SSL in out-bound HTTPS requests?  The answer is no.  Which SSL settings (if any) a given piece of out-bound code picks up depends on how it obtains its socket factory, so the only reliable check is to run the code and observe the protocol it actually negotiates.

Given the WebSphere 7 configuration above, custom Java code running in your container will still be allowed to negotiate out-bound HTTPS connections using SSL.  If the external Web Service allows SSL, the connection will be established successfully, even if SSLv3 is being used under the covers, from the custom Java code running in your Application Server.
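The out-bound problem has a code-level fix as well as the container-level one: client code can pin its own protocol list so that it refuses SSLv2/SSLv3 regardless of what the container’s default SSLContext enables.  The following is an added example written for this post, not code from the original article or from IBM; it wraps whatever SSLSocketFactory the JVM hands out (in WebSphere that may be IBM’s own factory) and restricts every socket to TLS before the handshake starts.  It sticks to Java 6 APIs so it can run inside a WebSphere 7 JVM.  The class and method names are hypothetical, and the optional command-line URL is whatever endpoint you want to test against.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the original post): an out-bound HTTPS client that
 * refuses SSLv2/SSLv3 no matter what the container's default SSLContext enables.
 */
public class TlsOnlyClient {

    /** Protocols we are willing to negotiate, in order of preference. */
    private static final String[] ALLOWED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Keep only the allowed protocols that this JSSE provider actually supports. */
    static String[] tlsOnly(String[] supported) {
        List<String> have = Arrays.asList(supported);
        List<String> keep = new ArrayList<String>();
        for (String p : ALLOWED) {
            if (have.contains(p)) keep.add(p);
        }
        if (keep.isEmpty()) {
            // Fail closed: better no connection than an SSLv3 one.
            throw new IllegalStateException("provider supports no TLS protocol: " + have);
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Wraps any SSLSocketFactory so every socket it hands out is TLS-only. */
    static final class TlsOnlySocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;

        TlsOnlySocketFactory(SSLSocketFactory delegate) {
            this.delegate = delegate;
        }

        /** Restrict the enabled protocol list before any handshake happens. */
        private Socket harden(Socket s) {
            if (s instanceof SSLSocket) {
                SSLSocket ssl = (SSLSocket) s;
                ssl.setEnabledProtocols(tlsOnly(ssl.getSupportedProtocols()));
            }
            return s;
        }

        public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return harden(delegate.createSocket(s, host, port, autoClose));
        }
        public Socket createSocket(String host, int port) throws IOException {
            return harden(delegate.createSocket(host, port));
        }
        public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
            return harden(delegate.createSocket(host, port, local, localPort));
        }
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return harden(delegate.createSocket(host, port));
        }
        public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
            return harden(delegate.createSocket(host, port, local, localPort));
        }
    }

    /** Weak form: negotiates whatever the default context enables, SSLv3 included. */
    static HttpsURLConnection openDefault(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /** Hardened form: same call, but the socket factory pins the protocol list. */
    static HttpsURLConnection openTlsOnly(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(new TlsOnlySocketFactory(
                (SSLSocketFactory) SSLSocketFactory.getDefault()));
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Offline check: compare what an unmodified client would offer with the pinned list.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("default enabled: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("after hardening: "
                + Arrays.toString(tlsOnly(ctx.getSupportedSSLParameters().getProtocols())));

        // Online check (optional): pass an https URL to see the negotiated cipher suite.
        if (args.length == 1) {
            HttpsURLConnection conn = openTlsOnly(new URL(args[0]));
            System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
        }
    }
}
```

Run it once inside the container (for example from a small servlet, or with the server JVM’s `java` and security settings) to see the “default enabled” line; if it lists SSLv3, any out-bound code using the default factory is exposed.  Two caveats: JDKs released after POODLE disable SSLv3 on their own through `jdk.tls.disabledAlgorithms`, so on a recent JVM the default list may already be clean, and pinning protocols in code only protects the code that uses the wrapper, which is why the container-wide setting below is still worth making.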

One easy way to lock down both in-bound and out-bound HTTPS secure channel negotiations to TLS is to enable FIPS 140-2 in the WebSphere 7 Administrative Console.

Enable FIPS 140-2 in Websphere 7.  The default setting is ‘Disable FIPS’.

By enabling FIPS 140-2 in WebSphere 7, you effectively limit all in-bound and out-bound HTTPS secure channel negotiations to TLS: FIPS 140-2 does not approve SSL 2.0 or 3.0, so a FIPS-mode JSSE provider will not negotiate them, and attempts by custom Java Client Code to use SSL will fail when run inside an Application Server with FIPS 140-2 enabled.  This also helps ensure that only approved cipher suites are enabled (choosing the proper cipher suites is another aspect of correctly configuring an out-of-the-box Application Server installation).  Two cautions: FIPS mode swaps in a FIPS-certified cryptographic provider, so anything in your applications that depends on non-approved algorithms or key formats will break, and the setting should be proven in a test environment first; and, as with any security configuration change, verify the result from the outside with an independent SSL/TLS scanner rather than trusting the console checkbox.

When it comes to the Security of your JEE Application Server, paying attention to default configuration settings (and changing them as necessary) can yield significant dividends in protecting the data flowing through your systems.  Common sense should make it clear why this matters: the vendor’s defaults are chosen to make the product work everywhere, not to make it secure in your environment.