Category Archives: Work

New Job for Dad

Dad has accepted a new job, at a larger salary than he is currently making.  But, he’s not likely to get any bonuses like he does for his current company.  We’ll be losing 5% of company match in our retirement accounts and 3% of his salary, but the savings of benefits/health care almost makes up for it.  Instead of the $260/mth HSA plan we’re on now, we’ll be on the $75/mth HSA plan (unfortunately, new (higher) deductibles 🙁 ).  We’re continuing the HSA plan this year to not have tax headaches next March, but the following year, we’ll have $130/mth PPO coverage – for all three of us.

We’re holding off on any budgeting decisions until I see what his first paycheck is (end of May), but we’ll likely be putting more aside into a Roth or our taxable account (with less tax advantaged money to reduce our AGI, we might be over the limit on Roths rather than just under it), and maxing out our HSA again this year.  Not sure we’ll be putting aside as much as we initially planned this year, but we might be!

His company is based in Europe, and the benefits show it.  Other than the retirement being “normal”, the remaining benefits are amazing – if it were just Dad, he wouldn’t be paying anything at all.  We’ll also remain “healthcare agnostic”, which is important in Pittsburgh thanks to the big fight between UPMC and Highmark/Allegheny Health Network (AGH).  We’ve been seeing mostly AGH doctors (because an AGH hospital is closest to us), but the option to see UPMC doctors is nice, and if we went with my healthcare, we’d be going UPMC (it’s 1/4 the cost of Highmark plans), and having to change doctors – every year as the price war rages on…

He’s going to be traveling a lot at first, but then that will settle down, and he’ll just be commuting.  I expect our gas spending will increase (he’ll be driving more), but that’s it.  We’re hoping to have plans in place to not eat out, and to have ready-made food available to avoid that.  We’re also expecting a general increase in income to more than offset that.   We just won’t have as much tax-advantaged space to work with.

PCI Nightmares

I have now seen PCI from the merchant side. I’m on the PCI team on campus, and I help get everyone ready for our normal reporting date of June 30.  Except, this year, we’re a level 2 merchant, and we’ve chosen to have a Qualified Security Assessor (QSA) come in and basically audit us.  And all the data collection starts a *lot* earlier.  I’ve spent the last 4 months working with our various departments and getting all the paperwork ready for our initial submission to our QSA – mostly involving nagging people to get things done and produce evidence, and learning that things people said were in place last year weren’t really in place, and pushing folks to get them in place for our deadline.

Now, we wait for our QSA to do their side of the work, and tell us what we’re missing.  It’s been an interesting process, and I highly suggest that any merchant go through with a QSA, even if they’re not required to.  1) The QSA acts as an advice authority.  They’ve probably seen it all, and have suggestions on efficient ways of doing things that you wouldn’t have thought of.  2) They make sure you’ve got all your ducks in a row as it relates to PCI and that you have all of the documentation to prove it.

It has been a lot of work, and I’m looking forward to a bit more relaxing at work.  I have 300+ e-mail messages in my inbox right now because I’ve been working on this pretty much to the exclusion of everything else I also have to do.  This next week is going to be clearing out the junk – both e-mail and mental fog that’s been surrounding me the last month or so of this final push.  You should see more regular posts from me now that this is over and I have time to actually think instead of just do.

Filing Taxes Online this Year? Consider Some of these Security Safety Tips

Disclaimer: I do not (nor will I ever) file my taxes 100% online, à la TurboTax Online

Some of you may know that my day job is in information security.  As we all look at filing our taxes this year, I wanted to give you some tips if you choose to use one of the online services.  I don’t mean using the desktop version of the software and then e-filing, but using a web browser only to complete and file your taxes.  Although some of these rules apply in many situations, your social security number(s) and tax information in combination make it very easy for opportunistic thieves to steal your identity.

Luckily, to my knowledge, Intuit – at least – has never had a breach of their e-filing systems – and they are a clearinghouse for e-filing, so they’ve got that information already.  (Although, I am a bit surprised, because that’s a *lot* of sensitive information just waiting to be attacked…)  Not that it can’t happen, but it hasn’t happened yet.

TL;DR Version (also the I don’t want to know what can happen, so I’ll stop here version)

  1. Don’t use a “public” computer (public library) to file your taxes
  2. Don’t use a “public” wireless connection (airport, hotel, coffee shop) to file your taxes
  3. Update your system and use anti-virus before starting on your taxes

What To Do

So, if you’ve been getting all your Internet access from the public library computers, what do you do?  If you have a good friend you trust, ask if you can use their computer and Internet access.  If you don’t have that good of a friend, ask your library (or other access point) what they are doing to make sure you are safe when using their computers.

Determining whether a wireless access point is secure is more difficult, and requires some technical knowledge, but it can be done.  First, make sure that you are connecting to an “Access Point (AP)”, not an ad hoc network.  When you look at the list of networks, the icons indicate whether it’s an AP or an ad hoc network.  Ask the provider what the network name is supposed to be.  Attackers sometimes set up “fake” APs to lure you into connecting to them instead of the “real” access point.  Consider using your cell phone connection (tethering) if you’re in a public location.
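The checks in the paragraph above, written out as an added Python example (not part of the original post): it walks a constructed list of visible networks and compares each one against the network name the provider gave you. The listing format, the sample networks, and the assumption that the provider also tells you the security type are made up for the illustration.

```python
import csv
import io
import unicodedata

# Constructed scan listing (ssid,bssid,mode,security).
# This is sample data for the example, not the output format of any real tool.
SAMPLE_SCAN = """\
ssid,bssid,mode,security
CityLibrary-Guest,02:00:00:aa:00:01,infrastructure,WPA2
CityLibrary-Guest,02:00:00:bb:00:02,infrastructure,open
CityLibrary_Guest,02:00:00:cc:00:03,infrastructure,WPA2
Free Public WiFi,02:00:00:dd:00:04,adhoc,open
CoffeeShop,02:00:00:ee:00:05,infrastructure,WPA2
"""


def _fold(name):
    """Reduce an SSID to lowercase letters and digits so look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def assess_network(row, expected_ssid, expected_security):
    """Return (verdict, reason) for one scan row.

    expected_ssid and expected_security are what the provider told you
    (the security type is an assumption of this example).
    """
    # Check 1: only connect to an access point, never an ad hoc network.
    if row["mode"] != "infrastructure":
        return "reject", "ad hoc network, not an access point"
    # Check 2: the name must be exactly what the provider gave you.
    if row["ssid"] == expected_ssid:
        if row["security"] != expected_security:
            return "suspicious", "right name, but security differs from what the provider stated"
        return "ok", "name and security match what the provider stated"
    # Check 3: a near-identical name is a typical sign of a fake AP.
    if _fold(row["ssid"]) == _fold(expected_ssid):
        return "suspicious", "look-alike of the provider's network name"
    return "ignore", "unrelated network"


def assess_scan(scan_text, expected_ssid, expected_security):
    """Assess every row of a scan listing; returns (ssid, bssid, verdict, reason) tuples."""
    rows = csv.DictReader(io.StringIO(scan_text))
    return [
        (r["ssid"], r["bssid"], *assess_network(r, expected_ssid, expected_security))
        for r in rows
    ]


if __name__ == "__main__":
    for ssid, bssid, verdict, reason in assess_scan(SAMPLE_SCAN, "CityLibrary-Guest", "WPA2"):
        print(f"{verdict:10} {ssid:20} {bssid}  {reason}")
```

An "ok" verdict only means nothing in the listing contradicts what the provider said; a fake AP can copy both the name and the security type, which is why tethering or a VPN remains the safer choice.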

If you have a VPN available to you through your job, consider using it to further protect yourself (check company policies first!).

The Reasoning

Now, for the longer version.  This gets a little technical, but I’ve tried to link to “layman’s” articles describing the possible attacks in detail.

Background

“Identity Thieves” steal credit card numbers left and right – it’s really not that big of a deal, just an annoyance.  When’s the last time you were able to open an account or take out a loan based only on one of your credit card numbers?  Generally, you need your social security number, address and phone number to open such accounts – you may or may not need your actual mother’s maiden name – that’s just setting up a (poor) shared secret.  What’s on your tax return?  Your full social security number and address – and if you’re married or have dependents, your family’s information as well.  When’s the last time you pulled a credit report on your kids to make sure no one’s opened an account in their name – without you knowing?  I thought so.  Go do it now – they get free reports every year just like adults do.

When you do your taxes 100% online, you are sending that information to the provider over a secured (SSL) connection.  But, you are using a web browser to do so.

Don’t use a “public” computer

Public computers are “dirty” (not just in a physical sense), and you don’t know where they’ve been or who has been using them.  Most places that offer computers for public use have IT staff on hand to watch for suspicious activity or hardware, but not always.  Almost all use some kind of “kiosk” software to wipe the machine back to a known state between uses – if you see other people’s documents on the desktop or downloads folder, it’s likely not running kiosk software.

An attacker can install a keylogger (physical or software) on the machine and log every keystroke you make – including usernames, passwords, and social security numbers.

An attacker can install a proxy which forces all of your web traffic through a machine they control.  Yes, you can proxy SSL traffic – very easily when you have control of the users’ endpoint/desktop.

Don’t use a “public” wireless connection

Like public computers, public wifi is “dirty”.  You are sharing all of that bandwidth with every other person using that AP.  So, anything unencrypted can be seen by anyone who can connect.  And just because there’s a password on it, doesn’t mean much – those passwords can be cracked with about 4GB of data – under 10 minutes on a very busy network.

Your machine is also available to be attacked by anyone else on the network.  Have file sharing turned on?  It’s available without much effort to anyone else on the network.  Make sure you’ve got your firewall turned on and blocking everything possible!

The general recommendation is to make sure that you are using SSL when connecting to any web site, but recent vulnerabilities make an SSL Man-in-the-Middle (MITM) attack possible – sometimes without your knowledge.  SSL depends on a trusted infrastructure of a bunch of people doing the right thing, a bunch of policies, and a bunch of technology (read more about Public Key Infrastructure).  In the last few months, attacks have weakened SSL (Heartbleed and POODLE).  There’s quite a bit of discussion in the security community on whether SSL is still “good enough” to continue using or if we should consider another protocol (TLS is one, but very similar to SSL).

Update your system and use anti-virus

These are basic tenets of computer security.  Some of the attacks described above depend on “broken” software.  For the particular ones described above, they’ve all been patched by the respective vendors.  Keeping your system up-to-date helps reduce the chances of an attack succeeding.  Keeping anti-virus software installed (and running!) can also detect things like keyloggers.

If your public computer provider is doing these two things, they’ve gone a long way towards making you safer online.

Settling In – Part 1

After one week at my new position, we’re starting to settle into a pattern living at my mom’s.  Although, when they say you can never go back, we’re living that at the moment.  We’re all trying to keep our distance from each other, but the house is small, so we bump into each other a lot.

I’ve been driving to a park and ride and then taking the bus into the city.  The first day, I didn’t get home until 7pm, I left campus at 5:45.  Now, I’m getting there earlier and leaving by 4:30 and getting home by 5:30, even with stopping at the local wine store 🙂   If I was driving, I’d only save about 5-10 minutes, because I’d take the same route the bus would.  But, I’d have to pay for parking whereas the bus is free for me as university staff.

Daughter Person is really liking her new daycare – she actually wants to go to school every morning.  The center is really small, but the teacher enjoys what she’s doing and it shows.  We haven’t had any potty accidents except the first day she was there (yay!), so my biggest fear hasn’t materialized.

Our house in VA had 6 showings this weekend, but we haven’t heard any feedback yet.  *Fingers crossed* that we hear something shortly.

Money is flowing out a little more quickly than it’s flowing in due to all the moving and the registration fees and license fees, and not being able to rely on our systems for saving money (like our large freezer).  We’re limping along as best we can, and hopefully we’ll get some new systems in place to help us save money.

How have you adjusted to your new life when you’ve moved?

Temporarily Unemployed

Today was my last day at the office.  I have enough extra hours and vacation to cover until the end of July.  I’m owed about $650 in expense reimbursement, but my former boss knows how to get a hold of me, and the company has my forwarding address.  I don’t have to be at my new job until August 11, almost two weeks.

We’re “moving” to Pittsburgh on the 6th, when Daughter Person, the cats and I will begin living with my mom.  Dad will be going with us and we’ll be establishing residency on the 7th (to avoid Dad having to show up for jury duty on the 11th!) – getting our new licenses and getting the cars registered, inspected, etc.  I’m not likely to be returning to the DC area until our house here is under contract.  Dad will be going back and forth until we close.

Until then, I’m going to be doing a combination of relaxing, getting rid of things on craigslist/freecycle/facebook and packing.  I’ve had good luck getting rid of things on the local Facebook “yard sale” group.  It’s nice to not have to worry about work for a while.  I don’t have to respond to e-mails and I don’t have to go to an office – although I do have to wake up to take Daughter Person to daycare.

And the best part – I don’t have to worry about money while I’m not working!

Last Trip for Work

The rest of this week will be a little bittersweet for me – I’ll be taking my last trip for this job.  I’m going to Peru, so it’s not a “boring” trip by any means – just long flights.  I’ve been traveling for this job since 2005, and as a friend commented to me the other day, I have “more stamps in my passport than a post office has”.  I’ve flown all over the world – literally – over the last 9 years, and I’ve enjoyed it.  I’ve been to 6 continents, about 20 countries (and will be adding two this trip!), and according to TripIt, 288,157 miles since April 2008 when I started using it.

When Daughter Person was born, I started collecting dolls from each of the countries I visit – something preferably in the native dress of that area.  My father had created a similar collection for my aunt when he was in the Navy that ended up being mine, and I passed it on to a cousin – and it was damaged in a flood 🙁  Hopefully, I can take Daughter Person to see the world when she’s old enough to appreciate it and she can pick out her own dolls.

I’m not going to be making airline status in the future – not via actually flying anyway. I should have Silver status at least for next year, but after that, I’ll be on my own.  I’ll have to collect my points the “new” way of churning credit cards – after we’ve gotten our new mortgage!

Federal Security Clearances – No Thanks!

I’ve (luckily) never had one – and after this week, never plan to either.  I was asked to complete the SF86 form to get a secret clearance for a company that liked my resume, but didn’t have any active work – and anything they had would require at least a secret clearance.  So, without being employed by them, they started the process of getting me a clearance.

I have now met the SF86 form, and I will not have a federal clearance for at least 7 years.  Why?  There’s one annoying question on it that makes my life practically impossible: “Have you provided support to a foreign group or organization in the last 7 years that was not listed as a previous employer?” (Or something along those lines).  Of course, I have – I am a consultant.  I have provided a *lot* of support and time to foreign companies – it’s kinda what I do for a living.  But trying to remember each contract and each contact at the company that I helped?  Not so much.

Almost all of our direct clients are US-based companies, but they do business with foreign companies that I’ve assessed, and some of them have offices in other countries (or have acquired a foreign company).  According to the security officer I was working with, I’d have to list all of those – over the last 7 years.  My best guess is that over the last 7 years, I have visited and advised at least 200 foreign contacts at foreign (and US-based) companies.  I could probably name the companies, but not the individuals at each company.

While it severely limits me in the job search (especially in the DC area), I will not be taking any position that requires a clearance.  There are some things that are just not worth it.

We’re Moving!

I got a job offer in Pittsburgh yesterday.  It’s conditional on me passing a background check, which I don’t see as an issue, so really, I have an offer. I’ve verbally agreed to it this morning to start the background check process.

It’s a *very* good offer too – $2k less/year than I make here in DC, but with *much* better benefits and a lower cost of living area.  I’m basically getting a 20-30% raise given the cost of living difference.  There’s only a small stipend available for moving expenses ($1,500) – not near enough to cover what it’ll cost, but it’s something – and I can deduct the rest on my taxes.

There is a tax-deferred plan with an 8% contribution and it vests in 3 years.  I don’t have to contribute a dime (although I plan to). Health insurance will cost us about $200 less per month than it is under Dad’s plan, which we’re currently under.

Dad has already talked to his boss and his boss’ boss about it, and he may continue to work at his current job, just remotely – coming down to DC once every few months or so.  They are OK with it (they like him – and there is some precedent), but they have to check with higher-ups to confirm that it’s OK within the company. That’d continue to get us his DC-level salary and he’d be able to vest in his 403(b).

I’d start mid-August, so there’s time to get everything ready, and maybe even sell the house before I start.  I haven’t told my boss yet – but he’s on vacation for the next two weeks.  If I tell him when he returns, that will be two weeks’ notice.  “Hi, how was vacation? – here’s my resignation”. More notice than the 24 hours he gave us on the company sale/acquisition.

Now to turn my efforts to getting the house ready and put together for sale!

Job Hunting and Financial Independence

These past few weeks have been a reminder to both Dad and me about how much we would like to not have to work for someone else any longer.  We’ve both been applying for jobs and interviewing (at multiple places for me).  Trying to do so while working full time has been interesting – I’ve had a lot of slightly longer than usual lunches, or picking up Daughter Person early a few times.  I’ve only applied for 5 positions – and I’ve gotten responses on all of them – phone interviews for 4 already and in person interviews for 2 after tomorrow – but no offers yet.

I’m only applying for positions that are interesting to me, which is why I’ve applied to so few.  I’ve got a well-paying job, that theoretically I like (still not bad after a month, except the whole lacking a 401k thing), so getting me to jump ship is more difficult than it would be if I didn’t have a job.  I have the “luxury” of picking and choosing which offer (if any) I take.

We don’t *have* to work, but that’s only sustainable for one month at most, then at least one of us would need to find something, so we continue to work and make excuses when we need to get away for an interview.  If we had a fully funded emergency fund, we could take off for a bit longer, and not have to work while searching.  That’s one of the primary reasons it’s our first goal now that we’re done putting all of our extra money towards debt (we’re not debt free though). We’re shooting for 3 months of expenses at first (same rate as paying off debt), then 6 months of expenses while contributing more to investments at a 50/50 rate.

Next time something like this happens (because it’s likely), we’ll be ready to walk if we need to.

Opportunities

I’ve made mention of this a few times in comments, but our lives are a bit upside down at the moment.  While I accepted the position at the company that bought out mine, I have been looking.  And I found a position that sounds perfect for me.  It’s in Pittsburgh, at my alma mater of Carnegie Mellon University.

I’ve applied, and based on conversations, it’s practically mine.  I have a formal in-person interview on Monday with the other departments I’d be working with to make sure personalities mesh.  I gave them a salary number and they didn’t blink, and they’re putting together a relocation package for me to look over.  And they offered to send Dad’s resume to the campus HR group to help him find a position in Pittsburgh as well (at the university or nearby).

There’s a lot to think about.

It’s one thing to uproot yourself and move when you’re single.  There’s a lot more to consider when you’d be uprooting your entire family.

I wouldn’t start work until mid-August, so there’s time to consider it and get our house ready to sell, and do all the other stuff that’s needed to move – like find a house/rental in Pittsburgh.  We’d also have to work around a few (local DC) concerts we already have tickets for, and our trip to New York to see The Last Ship.  And our big 2-week vacation in October – we’ll just have to take leave without pay for both of us in new positions.  But all those things are down here in DC or start from here.  It’s a 4 hour drive to get here and we’ll have a place to stay (with Dad’s Dad), so it’s not unreasonable to come back.

This job sounds almost exactly what I was looking for – of course, I’ll find out more at the interview, but you never really know until you’re there.  I’m guessing that the environment is casual (it is a university!), and they have great benefits (8% into Vanguard – I don’t need to contribute to get it, it’s just there with a vesting schedule). 17 days vacation plus holidays – to start with.  Sounds great!

Dad would have to find another job – we’d lose about $17,000 in our retirement accounts as we lose Dad’s unvested balance.  Not the end of the world, and we can make it up with contributions, but still a “cost”.  The cost-of-living isn’t as high in Pittsburgh (it’s about 80% of DC), so we don’t expect the salaries to be as high either – I asked for under my current salary, which is “more” relatively.

Until we make a decision, we’re not paying off the mortgage any earlier, or spending a lot of money on anything.  I don’t particularly like being so unsettled.  The other option is to remain where I am and hope for the best…