I appreciate the attempt at irony, and regret that I replied off list; my mistake. Apologies if this thread is confusing people.
On Wed, Oct 6, 2010 at 12:16, Justin Dugger [email protected] wrote:
What I like is OFX, which is basically a network protocol for your screen scraping tools. GNUcash does a good job importing my OFX transactions from Discover, for example. In this manner I don't have to care about how much they like Flash on their website. Supposedly Capitol Federal has an OFX gateway, but I've never seen it work in GNUcash. But neither of these places are one stop banking. But it's better than the wtf-are-you-thinking Mint website.
OFX looks neat. Too bad it's existed 10+ years now and this is the first I've heard of it. It also sounds like most financial institutions only peer with each-other with it, and don't expose it to customer use. And it also sounds like it is massively over-engineered for what I want, which is basically to aggregate a table of transactions that the bank can insert, but never update or remove; and to maintain a local bank-independent cache of every statement document.
I'll read up some more on OFX. I'll even try to use it when I pick my next bank, but I'm not holding my breath that they'll allow it. Man it would be nice to be able to send a check from a cron job, or have each transaction matching X criteria forward to my email.
We need a 'Geek Savings and Loan' that would support regex filters and actions like this.
Here's the deal: you live in America, land of the business deal. OFX has been around for ages, so long as you used Microsoft or Quicken products. You've heard of those, right? To have free and open systems, you'd have to live in communist Europe, where they built a platform known generally as HBCI/FinTS.
Frankly, regex is dramatically underengineered for this stuff. XSLT would be a bit saner, as would having a bayesian importer (such as GNUcash has) to classify transactions.
As far as messages go you'll never find a bank that sends financial documents to you via email, as it's not encrypted and you'd have a hard time convincing the auditors of public key encryption. If you do find one, think twice about it.
I never said I'd withhold my gpg public key from them.
Banking insurance mandates auditors and it's these people you must convince. GPG encrypted statements would probably work, but for ~0.1 percent of the population, half of which would implement it wrongly.
When was the last time you received a document containing sensitive information that was encrypted? Now how many of those documents came through the USPS unencrypted? I have more confidence in the reliability and secrecy of email than USPS mail.
I've received lots of documents via HTTPS that were encrypted. None from email or USPS. Frankly, it's a false equivalence, since USPS documents are a liability; you have to trust both the chain of possession, including postal inspectors, mail carriers, and an unlocked postbox, and the shredder to destroy the junkmail credit card offers people can steal out of your trash if you're not careful. In an ideal world, we wouldn't be trusting USPS.
I would appreciate the right to choose. And I would gladly choose to forfeit the secrecy SSL provides in exchange for the convenience of email. I think I'd prefer RSS over that even since I could easily script an encrypted feed catcher.
They could deliver statements via https rss feed with authentication. Heck, a feed of every individual transaction (debit/credit) on every account I have with them would be DAMN handy. You could do that over SSL, with a client having to provide username and password.
That's a winner. Of course, it relies on browsers and SSL, but it's at least standardized. It's too bad it won't happen, but maybe the Bank of Geek can pull it off.
Fundamentally, they prepare the document. They know first when it is ready. It is their duty to transmit it to me without my involvement. Email fits that profile well. What I want is every midnight of the first day of the month, the statement for the last month gets saved in all of my replicated servers, and pops up in evince on all of my desktops. I should not have to click links or enter passwords or fore-go secrecy.
Their duty is to protect your money and your privacy. If you're following proper security procedures, your PGP key is encrypted on disk, requiring you to decrypt it before passing it to evince (really, your ideal world involves PDF?!?)
Emailing me to tell me that I can come get it pisses me off. To help demonstrate how fucked up that is, you're reading my reply off my webserver.
Thanks. Good thing the privacy of this conversation is not subject to regulation, law or insurance.
Justin
On Wed, Oct 6, 2010 at 1:08 PM, Billy Crook [email protected] wrote:
On Wed, Oct 6, 2010 at 12:16, Justin Dugger [email protected] wrote:
What I like is OFX, which is basically a network protocol for your screen scraping tools. GNUcash does a good job importing my OFX transactions from Discover, for example. In this manner I don't have to care about how much they like Flash on their website. Supposedly Capitol Federal has an OFX gateway, but I've never seen it work in GNUcash. But neither of these places are one stop banking. But it's better than the wtf-are-you-thinking Mint website.
As far as messages go you'll never find a bank that sends financial documents to you via email, as it's not encrypted and you'd have a hard time convincing the auditors of public key encryption. If you do find one, think twice about it.
A reply to your message is now available. For your convenience, securely sign in to retrieve it at http://bcrook.com/.reply.txt
On Thu, Oct 7, 2010 at 14:56, Justin Dugger [email protected] wrote:
Here's the deal: you live in America, land of the business deal. OFX
The world is what you make of it. I live in the Land of the Free.
When was the last time you received a document containing sensitive information that was encrypted? Now how many of those documents came through the USPS unencrypted? I have more confidence in the reliability and secrecy of email than USPS mail.
I've received lots of documents via HTTPS that were encrypted.
No. You have not. You can not receive documents over HTTPS. You may retrieve them over HTTPS, and the difference between retrieve and receive is significant. I tried to illustrate that difference when I made you retrieve my earlier reply from http://bcrook.com/.reply.txt. I guess it wasn't clear enough.
They could deliver statements via https rss feed with authentication.
That's a winner.
The reason it is less than ideal is that the recipient has to poll the sender. Ideal is senders pushing to recipients.
Fundamentally, they prepare the document. They know first when it is ready. It is their duty to transmit it to me without my involvement. Email fits that profile well. What I want is every midnight of the first day of the month, the statement for the last month gets saved in all of my replicated servers, and pops up in evince on all of my desktops. I should not have to click links or enter passwords or fore-go secrecy.
Their duty is to protect your money and your privacy. If you're following proper security procedures, your PGP key is encrypted on disk, requiring you to decrypt it before passing it to evince (really, your ideal world involves PDF?!?)
Their duty is to satisfy me more than their competition can, or I will go somewhere else, like I am doing now. An individual's 'proper security procedures' are whatever they decide is the best balance of security and convenience. Mine do actually include storing keys exclusively on encrypted storage, because using Free Software, the effort required is trivial.
Sorry I used the word 'evince' btw. I didn't mean to distract you from the point. s/evince/viewer/g
However, I'm actually not 100% against PDF. So long as PDFs are generated by parties whom you trust not to have interests averse to your own, they're not that dangerous. Most people probably think of account statements as paged documents that they never edit, and PDF is the most common format with the slimmest viewer software that fits the bill, but I'll consider your suggestion if you have a better alternative document format.
I'll take PDF over paper any day, and it's the best multi-page format, that the best Free Software document scanning program I could find, can use, so it already makes up the majority of my records. When I retain statements from a website I typically do [ctrl]+[s], and save HTML rather than printing to PDF, and if I can get the data from which that statement was generated, I'll do that.
The bank could send you an email with a custom URL that, after you've entered your login credentials, sends you the PDF. That removes the requirement that you poll for new bills, but still retains the security model that the bank has designed, tested, and the bank regulators have signed off on.
Yes, it's still actively retrieve instead of passively receive. But it's probably the closest you'll get an actual bank to do.
--- On Thu, 10/7/10, Billy Crook <billycrook> wrote:
Subject: Re: Bank websites
Cc: "KCLUG" [email protected]
Date: Thursday, October 7, 2010, 1:44 PM
On Thu, Oct 7, 2010 at 14:56, Justin wrote:
When was the last time you received a document containing sensitive information that was encrypted? Now how many of those documents came through the USPS unencrypted? I have more confidence in the reliability and secrecy of email than USPS mail.
I've received lots of documents via HTTPS that were encrypted.
No. You have not. You can not receive documents over HTTPS.
Yes you can! It's called push technology or HTTP push. Just because most documents are pull doesn't mean you can't push documents. I do it all the time, in a document generation web service I wrote for a client. That's also part of what makes Ajax work. Any CGI service can do it.
http://en.wikipedia.org/wiki/Push_technology
I regularly receive documents in email through a secure HTTPS webmail interface. I haven't analyzed the code to say whether it uses push or pull technology. So can't speak to that application. But it is certainly possible. But it probably is using polling to make a pull.
HTML5 has added more features to the push technology.
Jack
My Favorite bank is www.digitalfederalcreditunion.com or simply dcu.org
On Sat, Oct 16, 2010 at 9:44 PM, Jack [email protected] wrote:
--- On Thu, 10/7/10, Billy Crook <billycrook> wrote:
Subject: Re: Bank websites
Cc: "KCLUG" [email protected]
Date: Thursday, October 7, 2010, 1:44 PM
On Thu, Oct 7, 2010 at 14:56, Justin wrote:
When was the last time you received a document containing sensitive information that was encrypted? Now how many of those documents came through the USPS unencrypted? I have more confidence in the reliability and secrecy of email than USPS mail.
I've received lots of documents via HTTPS that were encrypted.
No. You have not. You can not receive documents over HTTPS.
Yes you can! It's called push technology or HTTP push. Just because most documents are pull doesn't mean you can't push documents. I do it all the time, in a document generation web service I wrote for a client. That's also part of what makes Ajax work. Any CGI service can do it.
http://en.wikipedia.org/wiki/Push_technology
I regularly receive documents in email through a secure HTTPS webmail interface. I haven't analyzed the code to say whether it uses push or pull technology. So can't speak to that application. But it is certainly possible. But it probably is using polling to make a pull.
HTML5 has added more features to the push technology.
Jack
_______________________________________________
KCLUG mailing list
[email protected]
http://kclug.org/mailman/listinfo/kclug