Interactive Brokers for dummies

OK, I see your point. I guess I will consider ditching lastpass for keepass. But that’s what 2FA is for. Password is relatively easy to steal, so for crucial accounts there has to be the second factor.

But if you want to safely use keepass, you need to have the right approach, right? Like, not installing the freshly released version right away? It is open source, which means people can have a look into the source code. But between the release and somebody being able to verify in the thousands of lines of code, if a malicious change hasn’t been made, it will take some time. What’s your approach on this one?

And if you put your encrypted file with passwords on dropbox, is it safe? You can’t have your passwords physically around you at all times, but sometimes you may need to access your account away from home. And if you don’t store your file in the cloud, then you need to take care of backup and synchronisation. One copy on the laptop, another on the pendrive? Then after you change the password, remember to update all backups? Is this the alternative to cloud storage?

And about not trusting a proprietary company: do you run your keepass on an open source OS? Is all the software that you use open source? Do you login to your online banking and broker through an open source browser? If not, what guarantee do you have that Microsoft, Apple, Google, or that torrent app running in the background is not scanning your keyboard input? Don’t get me wrong, I’m not questioning your choices, I’m just getting a bit paranoid and trying to figure out the best approach to online security.

Like I said, I have a permanently-offline android device where all my more sensitive passwords are stored. It has no data connection after initial setup - there’s no sim, it doesn’t remember my wifi password, it’s even permanently in airplane mode, saves battery too. I transfer data to/from it via its SD card when I rarely have to do it, for backups mainly. So I don’t have to worry much about malicious software in it - it has nowhere to leak my data to. It just works, doesn’t need updates, it’ll last until the hardware dies. I also run all various authenticator apps on it (google authenticator, symantic, IB, crontosign, etc) - because they don’t need internet either and it’s an android phone, it can run them. Needless to say, the device itself is encrypted too.

On my phone and desktop I keep separate keepass databases for less sensitive stuff which I manually sync. I could put it on dropbox or something, but really syncing is not much work since I don’t create new password every day

Dropbox might get compromised, but your password database on it is still encrypted, so that’s not enough to gain access to it - the attacker would also need to get ahold of your password to it. With 2-in-1 solutions like lastpass just the lastpass itself needs to get compromised, make a maliciuous code change, push it to users or something like that and you’re owned.

I carry my android security token all the time

Hardly really remember the last time I had to change a password. When you have a unique password per website it’s not such a big concern to change them regularly. Keepass database however has a field with modification time so it can merge the changes properly on a sync, and it can also keep a history of previous passwords.

Android obviously is not exactly open source, there’s enough proprietory patent covered shit in it, even though most parts are open source, but on desktop yes run all open source. Closed source and random downloads strictly in a virtual machine.

Alright, I see. So you rely on this Android device for both passwords and 2FA. I only see a few problems:

• You need to trust the developers of LineageOS, because theoretically the OS could activate WiFi by itself and the connect to some unprotected network
• Keepass is not officially supported on Android, you need to use an unsupported port. Of course, the phone is always offline so I guess there’s not much possible harm
• You can only login to your account when you have this device with you. I assume it never leaves your home
• You need to have a backup of the passwords from the android device. Preferably more than one. How do you do it? Copy the password file to multiple SD cards?
• You need to type in the password by hand.

What’s a security token? You mean your phone or something else? It seems pretty drastic! And what if you get mugged or sth? What if you’re going to the beach or the swimming pool?

Wow you really seem to take security very seriously. I could not really ditch some proprietary software, like MS Office or some games or other apps. I guess in this case you should keep one PC just for the bank stuff, where some linux is running, and then your normal PC where you can do what you want. BTW, which distro of Linux are you running then? Trisquel?

It’s a small potential risk, yes

The Original Keepass was a Windows C# program. It has since been reimplemented numerous times, some versions even themselves got forked - like KeepassX and KeepassXC. It doesn’t really matter which fork you consider official. The important thing between all of them is just the common database format.

Exactly. It’s offline so it ain’t going to leak nothing to noone and as long as it can read/write keepass database in the format that other forks can read I don’t really care that much about the particular fork I’m using.

I carry it with me all the time in my backpack. I do have however backups of everything on it should it get lost or stolen to be able to restore everything on another device.

My permanently offline android phone

You don’t really have to do this. It’s amazing what virtualization software can do these days. You can passthrough your whole GPU to the guest OS and you’ll have like 99% native performance. You just need a decent enough CPU with vt-d support, that’s all, modern high end cpu should all have it. But if you’re not gaming and don’t need 4k, even without the relatively complicated GPU passthrough, the stuff just works amazingly fast, it’s totally possible to work all from within virtual machines these days. I have one VM for porn, one for banking, one for cryptocurrencies, a couple for web surfing, I can pop a new one by cloning a template to test out a random software download or build whenever I want, takes a just a few moments…

Debian.

You have to trust someone in the end who packages and builds your software for you and I choose to trust the biggest player there is out there. It’s also got much more polished than it used to be in recent years, for me it’s even better than Ubuntu - recent Ubuntu releases crash way too much on my machine. It also works perfectly as a rolling release with Debian Testing unlike Ubuntu which you have to reinstall every f’ing time

OK, that makes sense to me. But why do you carry that android device all the time with you? You don’t think it’s safer at home or you want to have the possibility to use it whenever you want?

I’m wondering if your strategy is not a bit of an overkill. When you type in the password, the software on your PC could log your keyboard input. Even if everything is open source, they also have security holes that some malware could exploit. And even if everything fully safe on your side, the bank/broker could do a shit job and not protect your password well enough. The whole chain is only as strong as the weakest link. You keep your password very safe, but it could get stolen by typing or directly from the server.

To have a possibility to log in from wherever I want. Also all my second factor authenticators are on it instead of my main phone and I need them regularly.

To protect against the risk of theft, I’m relying on android’s full disk encryption, lock screen and keepass manager itself asking for a password/pin on access, and I also have backups of everything from the device.

Yes, that’s why I also enable second factor everywhere it’s possible

Well that’s been an interesting discussion. Thanks. Now I will try to fall asleep without getting paranoid

As a conclusion and food for thought, I have this comic:

The only advice I can make with regards to that is to keep a low profile. If noone knows you had any wealth to begin with, it’s hard to get wrenched for it

I also don’t plan on declaring my bitcoin holdings, partly for this reason too - noone needs to know about them, even the tax people

Oh, so you also hold bitcoin? Can you share your reasons behind investing in bitcoin? Do you hold other cryptocurrencies? Do you invest a large portion your portfolio in crypto? How to buy and store bitcoin that it’s safe? How would you interpret the current $4000 price, do you think it is still undervalued in the long term? And finally, any other significant investments than the stock market and crypto? Sorry for the series of questions, I’ve been battling with the idea of bitcoin for some time and still don’t know what to think about it.

Please keep this topic on topic, and shift to another thread when needed.

Thank you,
D

I guess this is more useful if you usually set market orders? I usually set limit orders a bit below the current price.

It looks kind of like a hybrid solution to me (internally it pretty much seems to be doing what you do but readjusting to market conditions).

I am not sure if it is better or worse.

In the test account you can buy shares only in minimal amounts of 100, which could make rebalancing difficult. Is there also this minimum purchase limit with the real IB account?

yes, it is 1 share, so no half shares or such

Yes, usually there is no minimum imposed by IB on the integer quantity of shares you buy.
For some markets however (ex : Japan), the market imposes a minimum amount of shares, on a per company basis.
Ex : On the Tokyo Stock Exchange, company A will be bought/sold by packs of 100, Company B by packs of 200, and I even cam across a company where the mnimum package size is 1000 shares.

You make research and ask a lot of questions, which is smart, but why don’t you just buy VT and you will have no need to rebalance? Also it would be funny if you made a month-long research, tens of posts, and then you finally write, that you invested 1’000 CHF

You can’t fault him/her for doing their homework!

Yes, that’s exactly my situation. I am not yet clear about many things (just started learning about stocks and ETFs a month ago), that’s why I ask so many questions, but I read a lot and it’s getting better. I hope to join the passive investors club soon

yes it takes some effort and time until you get to the point where you con make well balanced and concious decisions. It took me half a year until I finally bought some shares. you can take the shortcut - but it’s going to be more expensive and you’ll have less peace with it

feel encouraged to go on asking. maybe you can even write a blog or a story of your journey from “what is stocks?” to “I am inveted in XYZ becasue of ABC”

VT is now worth about 80 USD, with the minimal quantity of 100 on ARCA that makes 8000 CHF. An expensive experiment… I’ll keep learning till I’ll know what I’m doing.

Good idea about a blog, I’ll start one in the Share your story section.