Seeking Alpha

keu4bike's  Instablog

Send Message
Individual investor starting over on retirement saving way too late in life and trying not to buy any more bubbles. I write and comment to give back to the community which has helped me so much. While I don't have the stock market and trading experience of so many on this site, I do think about... More
View keu4bike's Instablogs on:
  • Risk In The Mortgage Market -- One Man's Experience Shopping For A Loan.

    Based on personal experience in one small market, I have a perception that mortgage risk is being tempered more by borrowers than by lenders and a substantial quantity of risky loans are being made.

    The Story

    One day, recently, my wife and I went into the local credit union to talk about a home loan. The credit union has a reputation as a good place to do business, but every builder and real estate agent in the area as their favorite "preferred lender" who can get you a better interest rate and loan you more money for lower closing costs. We like dealing with our credit union, and the value always having somebody local we can talk to about the loan is very useful -- the credit union does sell some mortgages, but they don't sell servicing rights, so you always deal with the credit union. We've been through enough "adventures" in life with other banks that having somebody local to talk to face to face is probably worth 1/8 of a percent.

    We spoke to the bank's agent. I think her official title is has something to do with "originator". She looked at our information. Discussion ensued about how much house we wanted, etc. Upshot is the credit union will loan us a lot more money than we're willing to borrow. My wife and I both found the maximum number rather scary -- no way we would be comfortable owing that much. Yes, we'd like a house like that, but retirement is a much higher priority.

    The originator noted that she talks to two types of potential borrowers in recent months. The first group is much like us -- rather shocked at how much the credit union is willing to lend and not interested in anything near the maximum amount. The second group wants to borrow every penny and then stretch. She described it as a barbell. Apparently there is nothing she would consider a middle right now.

    We walked out of the credit union and I said to my wife something to the effect, "If that's what the conservative Credit Union is willing to loan us, I understand why the big,aggressive, banks are in trouble." My wife agreed.

    Since that time, we have spoken with some of these other local "preferred lenders". The rates are indeed 1/8 to 1/4 of a percent lower than the credit union. The maximum amounts available are greater even adjusting for the difference in payments.


    We live in North Alabama. A lot of the economy is based on Redstone Arsenal -- military logistics, military space and rocket programs, and Marshall Space Flight Center (NASA). The housing market here was overbuilt in anticipation of base relocation in 2007. However, because of that base relocation, and military employment, the housing market here probably didn't get as bad as in much of the country. At the same time, recovery here may be slower in anticipation of military budget cutting.

    Huntsville is a relatively inexpensive market. Prices here area half to a third those on the coasts. You can buy a nice -- not fancy -- 2100 sq ft home for $150-200K and 3000 sq ft homes with the works can be had under $300K.

    Production builders are building again -- slowly. We hear many stories of finally selling a previous home, often in another state, and getting out from under the double mortgage situation. This is allowing people to move out of apartments into homes, and from lower priced homes into upscale homes.

    Opinions and Conclusions

    In my opinion, the supply of newly constructed homes in the area is and will remain sufficient to prevent price appreciation of existing homes for the foreseeable future. The new homes are being built with all the bells and whistles. The resale value of an existing home is limited by the cost of building a new home and the supply of land, subdivisions, and builders is endless. Just as cars depreciate the moment you drive off the lot, homes here depreciate the moment the moving truck arrives.

    I know I'm only one person looking at a rather small sample in a small and potentially atypical market. However, I find it rather scary. My perception is there are a lot of stretch loans being made in an unstable economy. Originators are captive to the builders who want to sell as much house as possible. Many of these stretch borrowers will be fine if nothing goes wrong -- they stay employed, don't get sick, don't get divorced, etc. I've been around long enough to know things do go wrong. I also see employment in this economy as unstable -- continuous employment is not guaranteed even for those who are very employable.

    This is a cautionary tale about my experience shopping for a loan. I believe lenders are not requiring borrowers to have a margin of safety and I suspect risk is being limited by borrowers more than by lenders.

    Disclosure: The author has no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

    Additional disclosure: One man's experience in one small market.

    Jul 27 12:33 PM | Link | 2 Comments
  • Does The Recent Data Breach Reflect Cracks In TGT's Infrastructure?

    They say that in investing, you should invest what you know. On Seeking Alpha, that translates to writing about what you know. I am not an investment professional. I understand compound interest. I understand inflation. I fear not having enough money at retirement.

    My background -- what I know

    I have worked in a lot of IT departments, and I have peeked under the hood of many more. I think I have a reasonable comprehension of what symptoms in the IT department tend to indicate for companies as a whole.

    I'm not an IT security professional. My specialty is data and databases. I have, in the past, done some development where security was a major consideration. Developers need to understand security so they can build that in. I feel like I have a minimally adequate understanding of security for a developer which probably puts me ahead of 90% of the people actually doing development in the U.S. Any true black hat hacker or security professional, however, will laugh at my knowledge and skill set.

    With that said, I thought I would take a look at the question of whether security breaches indicate general infrastructure problems within an organization.

    Security and Breach Vocabulary:

    Script Kiddies: Individuals with little or no true technical skill who run pre-packaged scripts to attack. In general, organizations that pay any attention to security are not at risk from script kiddies -- see penetration testers below.

    Kiddie Scripts: Scripts used by script kiddies. They're generally available on the internet, often for free. Most people in the security community -- black hat and white hat -- have a library of these things.

    Junior Penetration Tester: A white hack hacker who is paid to run kiddie scripts against your system and tell you what gets breached.

    Penetration Tester: A white hat hacker with considerable skill who performs a few tests on your system in addition to running the kiddie scripts.

    Sophisticated Attack: Anything that breached our system. Seriously, has any company that announced a breach ever admitted they were breached by anything less than a "sophisticated" or "advanced" attack? (Even Kiddie Scripts can seem pretty sophisticated to an old school security manager with a physical view of security.)

    Definition of Security:

    Like safety in investments, all security is relative and it involves a lot of trade-offs. If you ask somebody if a system is secure, and they answer "yes", fire them on the spot. They are either incompetent or lying. If you expect to hear "yes", either educate yourself or fire yourself. No system is secure. Any system can be breached. I don't think a true security professional can ever say "yes" about a system that can be turned on and plugged in.

    Is the system secure is the wrong question to ask. The questions to ask are things like "How secure is the system?" or "Is the level of security adequate to the value of the information?". The other question is, are we implementing the usual and standard best practices?

    To the Question

    So, to our question, what can security breaches indicate about an organization? Can they offer clues to infrastructure inadequacies within an organization?

    I'm going to say the answer is it depends on the breach. Because I am of the opinion that all systems are vulnerable, I'm going to say that anybody can be breached. The fact that an organization got breached doesn't mean much to me. The headlines are going to be the fact of the breach. The headlines mean bad press and the company's stock may be down for a couple weeks. In terms of indications about company infrastructure, though, breach headlines mean nothing.

    TGTgot hit recently -- might be a good time to buy Target. Lets do some due diligence on the breach.

    You have to look at the facts of the breach. What do the security professionals say about the sophistication of the attack? How quickly was it identified? How quickly was it stopped? What was the company's response.

    Never trust the company's press release about the sophistication of the attack. The breached entity will always use terms like "sophisticated" or "advanced". Has anybody ever admitted to being cracked by a a Script Kiddie? Go to the security blogs. What do the security professionals say about the attack?

    If the security professionals are using terms like "new", "novel", "advanced", "sophisticated", or "zero-day", then it probably really is sophisticated or advanced. The fact of the breach probably tells you nothing about the organization's IT.

    If the security professionals are saying things like "patch available" or "preventable", then you know that IT security at the organization is not keeping up.

    If you see terms like "well-known", "previously identified", the simple fact of the breach may tell you something about the organization's IT, but you have to dig a little further. Look at how long it has been well known and when it was previously identified. Has the organization had time to respond? Was it identified five years ago, or was it identified last week? In general, if the organization has had a month to patch the system and failed to do so, then the simple fact of the breach tells you something.

    Basic IT security these days includes utilizing automated penetration testing tools and employing penetration testers. Basic and well known attacks simply shouldn't be able to get through. when a basic or well-known attack gets through, that speaks volumes -- negative volumes.

    In the case of the TGT breach, it seems to be a sophisticated new attack taking advantage of some known, but hard to address, vulnerabilities. The fact of the breach at TGT does not alarm me a great deal. Perhaps TGT should have had a more aggressive security stance, but their stance seems pretty standard and I don't think a pretty standard stance is going to stop this breach.

    In terms of what it says about TGT's management or TGT as an investment, I don't think it really says much. The industry standard security profile is a little lax and TGT is not out of line.

    The real key to looking at an attack is the identification of and response to the breach. How long was it going on? How difficult or easy was it to identify that the breach had happened? Did it last past one password change cycle? Were any hints or suggestions ignored?

    Sometimes organization press releases are helpful here, particularly if you have an IT background. Again, the security blogs are the place to look. Since all breaches are different, it's hard to quantify or provide guidelines. A very subtle breach may, reasonably, go undetected for six months, while a more obvious breach should be identified and shut down in minutes or hours. Many should be identified in daily or weekly log monitoring cycles. You will have to depend on the security blogs to get clues as to what the security professionals think about the response.

    In the case of the TGT data, the fact of the breach may have been hard to recognize, but the data being sent out of the organization was not. TGT should have recognized that somebody was sending huge volumes of data outside the firewall to unusual destinations. Yes, it happened on Black Friday when a data spike is expected. However, my opinion is that an organization like TGT probably should have noticed the data flow was above and beyond what was expected for Black Friday within 24 hours and identified that data flow as a threat within an additional 24 hours. From everything I have read, they completely missed the outbound data flow, and I fault them very heavily for that.

    Simply identifying the outbound data flow doesn't identify the vector. TGT would still have had a lot of work to do to figure out where the data was coming from. However, there is a good chance the data can be contained within the TGT firewall and no further information compromised. From what I have read, there is no indication this sort of reaction happened. I'll fault TGT heavily for that.

    There are suggestions -- I don't know if it is fact or speculation -- that TGT had information about an increased frequency of compromised cards somehow associated with TGT. Even if they did know they were likely the source of the breach, knowing where to look is hard. I've been there, "Yes boss, I believe we are the source of the leak. I have no idea where it's coming from." Very frustrating. You simply have to make a plan to check everything you can think of and you have to work the plan systematically. The outbound data volume was there to see. I think it's a lack of attention to detail. However, since this notification may be rumor rather than fact -- hard to say what TGT knew and when -- it's hard to say this indicates an issue with TGT's infrastructure.

    In summation

    If you want to steal credit cards, you go where the credit cards are -- and retailers are the weak link in the chain right now. Retailers are going to get hacked. I don't fault TGT for being a target (no pun intended). I don't know how much you can say about a company for being a (lowercase) target.

    The entry and data collection was sophisticated. I don't fault TGT for the attack getting in. In general, I don't think you can fault organizations for entry of cutting edge attacks, but you can fault them for entry of lower-level and preventable attacks.

    The data exit from TGT was reportedly brute force and obvious. Apparently, this is something TGT should have identified and responded to much faster than they did. This raises questions in my mind about TGT's it. It always raises questions when an organization fails to respond to an attack or doesn't even know they have been attacked.

    TGT's technical response to the breach raises questions in my mind about their infrastructure. These questions may or may not be valid, but they are enough that I wouldn't sleep well at night if I held the stock.

    Not all breaches are a negative indicator for the breached organization, and some, in fact, may create buying opportunities. The recent TGT breach -- at least for me -- is not.

    Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

    Additional disclosure: No direct holdings in TGT or intent to buy any time soon. Probably long some ETF or fund that holds TGT.

    Jan 19 11:47 AM | Link | 5 Comments
  • Seeking Farmland REIT For My 401(K)

    I am looking for a publicly traded REIT or ETF that earns most of it's money through owning and leasing agricultural land. I want something I can put in my 401(k). Are there any such REITs and if so, where do I find them? Either Google hasn't been particularly friendly or I've been using the wrong terms.

    Generally, I get two suggesions when I ask this question. The first is an agricultural commodity fund. The second is MOO. While there is nothing wrong with either of these suggestions, neither one is what I'm looking for. I want to own a diversified portfolio of agricultural land.

    I'm looking for something where a large fraction of the income comes from relatively high-value farmland. I perfer geographic and crop diversification. I have no objection to minority positions in grazing lands and timber lands. I prefer a fund that is largely North American in nature, but I have no objection to a minority international position.

    Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

    Sep 19 1:41 PM | Link | 20 Comments
Full index of posts »
Latest Followers


More »

Latest Comments

Posts by Themes
Instablogs are Seeking Alpha's free blogging platform customized for finance, with instant set up and exposure to millions of readers interested in the financial markets. Publish your own instablog in minutes.