One of the biggest issues right now is that we have a community (doctors, scientists, researchers) who need to back up their claims with actual proof or risk losing their license/reputation vs a community of "gurus"/"self-healers" who don't have to back up any of their claims at all. Thus the "gurus" can make HUGE claims, that to someone sick sound much better than the conservative claims made by doctors.
Give both groups the same voice & reach, and guess who wins.
That's the point of the scientific method, you undeniably prove your theories, or you are a fraud. Hypotheses must be challenged, especially for the prices hospitals charge.
Because these people know how to spin their "treatment". They convince the patient to choose their "treatment" themselves. They rarely give the ridiculous advice directly in front of witnesses. Instead the family will learn about the treatment from some third party, potentially the victim themselves.
I'm at a hotel that coincidentally has 500 people from an MLM finale/training for Essential Oils and this is what it's all about. Have the people tell their friends and family that the oils can even cure ebola to get your 4 to become 8, 8 to become 16, etc. My SO the oncologist-in-training is pissed that they can just say whatever and aggressively advertise their wares and she can't even get pens from pharma companies.
Spot on. We have, all across the west (the situation in the UK is similar to the US) regulated medical professionals but not medical claims. This needs to be addressed, with a presumption in favour of malice where claims are clearly not approached properly.
We had a committee of parliamentarians conduct an inquiry into homeopathy back in 2010, and predictably they found (after consulting with experts, taking testimony from all quarters etc) it was bunk. To the best of my knowledge we have not altered either policy or legislation in response to that.
For security, the commit command will use one-time passwords. This way, even if someone gets the ordinary password of a user, they can't modify the catalog that actually appears at the site.
Yet, it was another era....:
Secure server software ($5000). This does not seem to be an absolute necessity; there are a lot of sites on the web where you can send your credit card number unencrypted, and to date there have been no reports of the numbers being stolen.
To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.
That's funny and I agree that _some_ people are bad at using passwords, but I have a feeling whatever replaces them will be worse for everyone. It's like some people cut their fingers with knives so let's all use plastic knives instead.
I don't know anyone personally that is good at using passwords, myself included.
Often I get shocked to find highly tech savvy people taking crazy risks.
But even the most careful people I know occasionally reuse passwords or pick easy to guess ones out of convenience. Most of the time it is a calculated risk, but the problem is it is hard to tell when you accidentally create a chain of weaknesses that can be leveraged into something more substantial.
As a standalone method of authentication, insecure in more ways than I can list.
I didn't think this was controversial or obscure. Authentication on my work laptop is fingerprint + 2FA, then password and 2FA for VPN. Access to most other resources at that point is certificate driven.
I wish my bank would use certificates, for instance. I absolutely get the human (ultimately cost) factors involved, but my bank is one of the few entities with which I would go through the hassle of in-person key setup/renewal.
There was an old post by Bruce Schneier where he suggested people write down passwords on a piece of paper and keep them securely. This is something people have been already doing for centuries with wallets, keys, etc.
I'll explain. Most people who criticize contemporary art usually use a combination of "it's just a bunch of random lines" or "a 5 year old could have painted that" - as if the complexity or difficulty of an art piece is what makes it valuable. But nothing is further from the truth: a simple piece with a strong composition, such as Number 17a, could look simple but it's quite powerful and complex.
Let me use an analogy you can better understand. I am sure you can appreciate music. Most people who listen to the Marriage of Figaro by Mozart can understand it's a masterpiece. Yet, it isn't the most difficult ballad Mozart composed and many other musicians have created far more complex ballads. Also a gifted 5 year old could probably learn to play it and reproduce it quite accurately. Does that diminish its value because a 5 year old can play it? It's even possible for an average 5 year old to invent a similar ballad after listening to it. But could an average 5 year old create something like the Marriage of Figaro from scratch without ever hearing it? It takes a pretty special 5 year old, like Mozart, to produce something like that. And it's the whole composition that matters, not just a few notes - anyone can play a few notes.
The same happens with Pollock. He was the first drip painter. And while an average 5 year old could drip some paint on a canvas (play a few notes), they won't be able to create a powerful composition of colors that mirrors a full Pollock composition. Sure, there are amazing reproductions of Pollock made by very trained art forgers - yet that doesn't diminish the value of Pollock just because someone else after analyzing his technique is able to reproduce it.
The value is another story. It's worth $200M because of its size and scarcity. Pollock wasn't a big art producer and thus there aren't many paintings around. Yet there are many people who love his work and want to buy it. Supply and demand dictates the price. Sure you can buy something similar from an art forger, but it's not the same, the same way that listening to an album on a set of speakers is not the same as having the artist play live for you.
Realistic drawings are not considered difficult, not by artists. It is called fundamentals and you learn it in school. It takes effort to learn, but effectively it is just that.
Which is why more abstract drawings rose to prominence. And they are not so easy either - as much as five-year-olds scribble, they don't create the same effect nor pleasing composition of colors or structures.
Complexity is not exclusively visual. The complexity of modern art largely comes in the form of the effect it has on the observer and the meaning they derive from it.
> Sure you can buy something similar from an art forger, but it's not the same, the same way that listening to an album on a set of speakers is not the same as having the artist play live for you.
That's not a double-blind standard - you are comparing pipes to chairs. Although I can understand that one may care for the homeopathy or placebo effect of having the "real" item.
But I believe that there are artists that could make a better Pollock than Pollock himself.
It doesn't take much to forge Pollock. It's like an author taking the output of monkeys pounding on typewriters and publishing it. Not hard to forge compared to JRRT.
Modern art is a sham. I only appreciate art that I recognize takes skill above my own to create. Anyone can come up with random novel "art". For example, I could buy a SpaceX rocket and launch a piece of feces into low earth orbit. "Poop in Orbit" would be an extremely novel and random piece of modern "art".
Michelangelo blows my mind. Pollock makes me roll my eyes.
I can draw stick figures and call them forgeries of Michelangelo. That doesn't make them good forgeries. Read the original article for some sense of the technical difficulty of forging Pollock in a way that couldn't be easily spotted by a Pollock expert.
Yes, and I could hire a team of "umvi experts" that study 1000 samples of my written signature. Then it would be really hard for people to forge my signature because I have a team of experts that have studied me to the point they know my subconscious nuances. That doesn't mean I have any skill whatsoever, it just means people wasted time training their neural nets to recognize my idiosyncrasies in order to prevent forgeries.
So basically, you're saying that Pollock is easy to forge, as long as no one understands what makes his paintings distinctive?
I mean, I could probably spot an amateurish Pollock forgery, and I'm no expert. And while forging his general style would be difficult, forging specific works would be nearly impossible - the layers are very specific. It would be even harder to forge drip technique paintings, where his direct control of the "brush" was limited.
> So basically, you're saying that Pollock is easy to forge, as long as no one understands what makes his paintings distinctive?
I'm saying it's easy to make Pollock-esque paintings. I bet you could study Pollock for a few hours and then make a Pollock-esque painting that would fool 99.9% of the population. You can't do that with Michelangelo.
> forging specific works would be nearly impossible - the layers are very specific.
Obviously. That's like me throwing a fistful of sand on the floor and taking a picture of it and saying it would be very hard for someone to forge the picture because the sand grain positioning is very specific - which is technically true.
Why don't you provide some evidence for your claim, since you believe all the evidence in the OP is invalid?
I could claim that whatever it is you do (including your HN comment) is no more complex or interesting than monkeys banging on typewriters.
Saying that carelessly sprinkling sand is as good as a Pollock is very nearly the same as saying picking numbers off the top of your head is as good as a secure RNG for crypto. It's not, in ways only an ignorant person fails to understand.
>I only appreciate art that I recognize takes skill above my own to create
Even if you had the skill to create a passable forgery of a Pollock, which you probably do not, you're attributing no value to the importance of concept and initial creation. A kid performing a Beethoven piece at a recital is not Beethoven.
I let you study Michelangelo's sculptures for 24 hours using any resources you want. I then hand you a block of marble and a chisel and ask you to create a Michelangelo-style sculpture.
We then present your sculpture alongside an authentic Michelangelo sculpture and ask 50 random people on the street to identify which one was made by you and which was made by Michelangelo. I would wager 100% would reject your sculpture as inauthentic (based on an obvious lack of skill).
Now we repeat the same experiment but with Pollock. I would wager 50% would reject your painting as inauthentic and 50% would reject the Pollock painting as inauthentic (people would randomly choose).
Pollock paintings require no skill, just a large canvas and a few contrasting colors to splatter and drip. There is no dexterity or experience required to make a painting in the style of Pollock, unlike Michelangelo sculptures.
1) You’re responding to a point about you attributing no value to concept by doubling down on the importance of realist technique and ignoring everything else. Even pieces that truly don’t require technical skill can still have value, which you don’t seem to grasp. A realistic portrait is far less interesting to many than something abstract that makes you reflect.
2) Please try to replicate a Pollock. I think you’ll be surprised.
> Even pieces that truly don’t require technical skill can still have value, which you don’t seem to grasp.
No, I understand. The Japanese flag is a red circle on a white rectangle. Takes no skill to design or draw. But I still think it has value as a symbol. But I wouldn't pay $200M for it and I certainly wouldn't prop up the person who made it as some sort of highly skilled artistic juggernaut. I would think "neat concept, but I could've done that" and that would be it.
> Please try to replicate a Pollock. I think you’ll be surprised.
Please try and replicate my signature. I think you'll be surprised at how difficult it is (I've been perfecting it for 20+ years signing documents) and that should cause you to respect me much more, right? If not, please explain why not and in doing so you'll understand why I don't care for Pollock or his work.
Anyone can just make up a new form of art and "perfect" it by just doing it over and over (like your signature). I could invent a new form of music by randomly mashing keys on a piano in a way unique to me. So what? There is no negative feedback loop so therefore the "perfection" process is completely nebulous and arbitrary and takes no real effort because there is no defined destination.
Can we at least acknowledge the massive skill gap between learning to play a Chopin piano piece and pioneering a Pollock-esque field of art where there are no rules or negative feedback loops to correct you?
I don’t think Pollock’s drips are art either. But I do think Picasso’s cubist paintings are art. And yet some of Picasso’s paintings are easy to re-create so would fail your test.
Although most people will read this and think, oh more shenanigans from UBER, the reality is (and as a Colombian I know), that the government has failed for years to regulate this industry, which is regarded by all consumers as incredibly positive, and continuously has fought against these platforms in an effort to keep the taxi mafia content.
Yet, taxis in Colombia are incredibly dangerous. As a passenger you are exposed to express kidnappings, drivers that are aggressive, adulterated fare systems and drive unsafely in cars that don't meet any security guidelines (a large number of passengers have died on rear-collisions given that the most common Bogota taxi has no rear-reinforcement). For decades the taxi mafias have provided an unsafe & horrible service; when Uber & other platforms arrived, users flocked, yet by means of aggressive protests where they pretty much block the city, the taxis have forced some parts of the government to try to curb Uber.
Uber however has fought to continue providing the service that the consumers demand, and has otherwise tried to comply with every law. This fine comes from the industry of commerce regulators, who have tried to convince the technology ministry to shut Uber down, with them refusing. I hope Uber continues to operate in Colombia and use their legal means to fight these regulators who are not operating from a consumer benefit standpoint, but rather a political fight to protect a mafia that needs to be dismantled.
It's anecdotal however, this doesn't correlate to my experience(s) there at all. I lived in Colombia from 2013-2015, and return various times per year. For what it's worth, I am not Hispanic, and very much look like someone from the US.
I've taken yellow taxis in Colombia (in all the major cities) more times than I can count (both by myself and with others) and have never once felt in any danger, nor been ripped off (which has happened to me in other countries I have visited).
Of course there are news reports about taxi rides gone wrong, but in my experience 99.9% of yellow taxi drivers in Colombia are honest people just trying to do their job.
More than happy to answer questions about living in Colombia if anyone's interested.
Did you live in the well-off area too? I live in a country with the same problem but tourists are highly unlikely to see it. The abuse from taxis is usually in popular/poor neighborhoods.
I never use Uber in my country of residence but it was a boon in Colombia (and other countries where taxis have a questionable reputation).
One correction though: Based on what I’ve read, express kidnappings might have happened more often in the past but hardly anymore today. It’s more likely to be robbed at gunpoint from guys on a motorbike, and they like to target taxis (although other cars as well).
The one thing that I found positive about Colombian taxis is that they are very cheap. In this regard, I don't see how Uber could compete.
On the other hand, the cars are falling to bits and the drivers are rather aggressive (although it seemed to me that drivers were careless in general).
I would pay a premium for the feeling of increased safety. If Uber had better cars and drivers it would be worth it for some people to pay the higher price as the stress of a bad driver at the wheel is horrible. The constant feeling of "will this next corner be my death?" No thank you.
Can you back your second paragraph up with recent numbers?
I have taken a lot of yellow taxis all across the country, but mostly in Bogotá, Medellin and Cali over the last couple of years (about 2-3 rides per week) and have yet to have a single bad experience. The handful of Uber rides I had in the time weren't better or worse, besides being in better cars.
>Yet, taxis in Colombia are incredibly dangerous...drive unsafely in cars that don't meet any security guidelines (a large number of passengers have died on rear-collisions given that the most common Bogota taxi has no rear-reinforcement).
This doesn't follow for me. Most Uber drivers drive their own cars, no? That means the cars are the same as are sold in the country, which given the regulated taxi companies are using supposedly less safe version of fleet vehicles sounds a lot to me like a country specific problem with lax regulations on fleet vehicle specifications.
Unless Uber is also making available U.S. market/road legal cars available to drivers in Colombia too.
I don't know squat about the regulatory framework in Colombia though. So I could be totally wrong based on the flawed assumption on how extensive this "taxi mafia's" regulatory capture purportedly is.
The thing with Uber is the reputation system. It makes it much more profitable for the driver to behave well. The traditional taxi system doesn't have that. In a big city, you can scam customers all day long and be pretty sure that you won't meet those people again.
No. To be an Uber driver you are required to have a better car than what is (practically) required to drive a taxi: newer, clean, etc. Plus the reputation system makes it more difficult to not comply.
Founder of Authy here. I've been thinking a lot about this lately and came to the conclusion that the only sensible way to do 2FA is U2F hardware keys. Here's why:
First, SMS 2FA. People think SIM port is uncommon, it's not (I saw thousands of cases). Your cellphone number is public information - pretty much - and it's not a technically difficult attack, you just need to convince a carrier to do it. Once your SIM is migrated to the hacker's possession he will hack into all your accounts before you even realize what happened.
Second, TOTP. I founded Authy with the idea that TOTP was strong enough and it is, technically, but in the wild deployments have lots of issues. Biggest one is people constantly change/lose their phones. So you end up with an update issue. At Authy we solved it by encrypting the seeds and storing them on the cloud. But today most users just copy the QR-Code, or store their TOTP key along with their passwords in the password manager. Storing your TOTP in your password manager completely defeats the point of TOTP, it just provides you with a false sense of security. Lastly, because it generates a lot of support issues when people lose their phones, services have added ways to bypass 2FA in their account recovery flows. You'll see backup codes or simply SMS as a recovery mechanism. This means your TOTP is as safe as SMS if your recovery allows it. TOTP today is so misused it's just providing a false sense of security.
Third, U2F Hardware tokens. It's finally possible to do U2F to the iPhone via Bluetooth and Feitian now has a key that supports it (Google sells one for project Titan). You can buy 2 keys for $50 dollars. It's impossible to misuse U2F tokens - you can't unsafely back them up, you can't "screenshot them", etc, hardware enforces their security. They are 100% un-phishable, it's impossible to trick a user into signing a login on a fake site - the key will simply not sign it, and there is no way for the user to make an "exception" (like you can if the SSL cert is invalid). Also given the price and form factor it's easy to buy 2 or 3 and have a few stored as backups. In my case I have 4 keys, 2 that I use on a daily basis, and 2 I stored as safe backups. If I were to lose 2, there is no way of knowing they belong to me and tie them back to my account and I would just use the backup keys to log on, remove the lost keys and buy 2 more. No unsafe recovery keys, no unsafe backups. All my 4 keys are the exact same level of security.
Lastly, now Android allows you to use your Android as 1 U2F key (new Androids have a secure hardware enclave specifically for this), so essentially all that users would need to do is buy 1 hardware key as backup.
If you are a service provider, I hope you consider offering the ability to use U2F keys as a secure login mechanism and enforce that a minimum of 2 keys need to be registered - then you disable any other recovery mechanisms. THIS IS THE RIGHT WAY TO DO 2FA in 2019.
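Why a U2F key will not sign for a fake site while a TOTP code can be typed into one, as an added example (not part of the comment above and not Authy's or any vendor's code). It is a simulation: HMAC-SHA256 stands in for the token's ECDSA P-256 signature, the browser's appId check is reduced to hashing the page origin, and the origins, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed origins for the demonstration.
REAL_ORIGIN = "https://login.example.com"
FAKE_ORIGIN = "https://login.example-com.test"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. No site identity enters the computation."""
    mac = hmac.new(seed, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SimulatedToken:
    """Toy U2F token. HMAC-SHA256 stands in for ECDSA P-256 (assumption)."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)  # device secret, never exported
        self._counter = 0

    def _mac(self, label: bytes, app_param: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, label + app_param + nonce, hashlib.sha256).digest()

    def register(self, app_param: bytes):
        # The key handle carries a MAC over the application parameter,
        # so it is only usable for the origin it was registered with.
        nonce = os.urandom(16)
        key_handle = nonce + self._mac(b"handle", app_param, nonce)
        verify_key = self._mac(b"key", app_param, nonce)  # stand-in for the public key
        return key_handle, verify_key

    def sign(self, app_param: bytes, challenge_param: bytes, key_handle: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._mac(b"handle", app_param, nonce)):
            return None  # handle was not issued for this origin: refuse to sign
        self._counter += 1
        # U2F signs: application parameter | user presence | counter | challenge parameter
        msg = app_param + b"\x01" + struct.pack(">I", self._counter) + challenge_param
        key = self._mac(b"key", app_param, nonce)
        return self._counter, hmac.new(key, msg, hashlib.sha256).digest()


def browser_get_assertion(token, page_origin: str, challenge: str, key_handle: bytes):
    """The browser, not the page, supplies the origin that was actually loaded."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    signed = token.sign(sha256(page_origin.encode()), sha256(client_data), key_handle)
    return None if signed is None else (client_data, signed[0], signed[1])


def rp_verify(expected_origin: str, challenge: str, verify_key: bytes,
              last_counter: int, assertion) -> bool:
    """Relying-party checks: origin, challenge, counter, then the signature."""
    if assertion is None:
        return False
    client_data, counter, signature = assertion
    fields = json.loads(client_data)
    if fields["origin"] != expected_origin or fields["challenge"] != challenge:
        return False
    if counter <= last_counter:  # replayed or cloned assertion
        return False
    msg = (sha256(expected_origin.encode()) + b"\x01"
           + struct.pack(">I", counter) + sha256(client_data))
    expected = hmac.new(verify_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def demo() -> dict:
    token = SimulatedToken()
    key_handle, verify_key = token.register(sha256(REAL_ORIGIN.encode()))
    challenge = os.urandom(16).hex()
    genuine = browser_get_assertion(token, REAL_ORIGIN, challenge, key_handle)
    lookalike = browser_get_assertion(token, FAKE_ORIGIN, challenge, key_handle)
    return {
        # RFC 6238 test seed: the code is the same whichever page asks for it.
        "totp_code": totp(b"12345678901234567890", 59),
        "genuine_accepted": rp_verify(REAL_ORIGIN, challenge, verify_key, 0, genuine),
        "lookalike_signed": lookalike is not None,
        "replay_accepted": rp_verify(REAL_ORIGIN, challenge, verify_key,
                                     genuine[1], genuine),
    }


if __name__ == "__main__":
    print(demo())
```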
I came to a similar conclusion: U2F hardware is the way to go. For some people, smartphones are becoming the only device they use. However, I am not fully convinced of using the device itself as a U2F key. Then it's no longer a two-factor solution. Thus, I envision the use of U2F hardware with mobile devices as the future of authentication.
Unfortunately, it is still difficult to find the NFC "sweetspot" at the back of your phone. At Cotech, we work on a Hardware Security SDK that solves this and works independent of Google Play Services. It brings support for U2F Hardware over NFC and USB to Android phones: https://hwsecurity.dev/fido/
Thanks for your input, and for Authy. I was a long-time user until I recently switched to an open-source alternative.
> Third, U2F Hardware tokens. It's finally possible to do U2F to the iPhone via Bluetooth and Feitian now has a key that supports it (Google sells one for project Titan).
Would you still recommend a Bluetooth key given the recently found vulnerability[0] in the Feitian/Titan? The initial criticism from Yubico[1] seems to suggest it's an inherent limitation of the BLE protocol.
This is the most insightful post in the entire thread. Thank you for that.
Most of the discussion here is about TOTP, which at this point is like arguing about the beautiful plumage of the dead parrot. TOTP for professional 2FA is a walking corpse, pushing up the daisies, wouldn't squawk if you put 10K volts through it [1]. If you're a company seeking to secure your infrastructure all your employees and contractors should be using U2F hardware keys to access your network. Period, end of discussion. Same for admin access to any external SaaS dependencies - and you should be loudly complaining if your SaaS does not yet support hardware keys.
And if you're a startup and even a solo developer, start looking at supporting WebAuthn so you're not caught with your pants down later, especially if you want to sell to other businesses.
Business to consumer TOTP is a more complicated issue. The future is clearly hardware keys, tied to devices like phones, but the support is not yet all there. So you're going to have to support TOTP for a while yet, since it's better than bare passwords. But you should be making plans to move to hardware U2F ASAP, and the earlier you do it the easier the transition will be later when you will have to mandate it for all your users for liability and CYA reasons.
The looming shadow over all this is account recovery, which is not a solved problem in Business to Consumer space (IT/HR can sort you out to get back on your corp network if you lose your keys). There are too many implementations and all of them have flaws. There's little consensus on how to do it and all of the recovery methods can be misused or abused. If you lose your house keys you go to a locksmith who's usually bonded (in the US) and generally not a crook. Who do you go to if you lose all your hardware keys?
And of course there's a cost to users to having multiple hardware keys, which at $25 a pop will not fly with consumers. These things need to be basically free (your phone) or comparable to the cost of your house keys (for backups) for mass consumer uptake.
Bottom line, U2F hardware keys are the future of authentication. Learn to love and support them.
This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swapped to log on to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.
Once you've configured a security key on a Google account, it's entirely possible to remove phone-number based account recovery -- and strongly recommended for at-risk users. See step 21 et seq. in the Tech Solidarity security guide for people working on political campaigns:
For no particular reason, Google does require you to temporarily configure phone-number based recovery while configuring other 2FA options -- but once they're set up, you don't need the phone number anymore.
Another shocker. The smell of "Chlorine" in the pools is not caused by "chlorine" but by the urine. Chlorine has no smell when mixed with water. Add urine, and you get the "Chlorine" smell that's typical of pools.
Kind of a deceptive video, which might make you think that if no one peed in the pool, there would be no pool smell. Urea is what reacts to create trichloramine, which gives off the smell. But urea, as the video acknowledges, also comes from sweat. Yet they go on to talk about chlorine reacting with urine as being the sole cause of the smell.
They should have gone into what percent of the urea comes from sweat vs. urine.
You chose the wrong one. No matter what the article says, the $1M is more valuable. First, the safe withdrawal method of 4% is actually not safe - the safest method of withdrawal is called variable percentage withdrawal and not only takes into account the principal, but also the results year after year.
But more importantly, $1M lump vs $5,000 monthly annuity, always take $1M. Why? Because you are taking an asset class that can be converted into shares/bonds which has a higher expected returns than an annuity because it can compound.
What I mean is while the $5,000 annuity is guaranteed, it will remain $5,000 year-over-year, which means it's actually decreasing in purchasing power year-over-year (unless there is deflation, which is very unlikely). Whereas the $1M cash, if moved to bonds and shares, even if it performed at 5% annually, it will mean on the first year break even, but on the second year it will compound (unless you spend all the money). You could say you invest the monthly savings from the $5,000 but simply put it, $1M in shares has a much higher expected return than $5,000 monthly in perpetuity.
There are a ton of flaws in this comment, and I don't understand why it's at the top of this chain.
"First, the safe withdrawal method of 4% is actually not safe - the safest method of withdrawal is called variable percentage withdrawal and not only takes into account the principal, but also the results year after year."
This is an argument for taking the annuity. When two options have the same expected value, volatility is a bad thing.
"Because you are taking an asset class that can be converted into shares/bonds which has a higher expected returns than an annuity because it can compound."
The author writes under the pretense that the $5K figure is EQUAL to the risk-adjusted rate of return on a $1M principal. Sure, there are asset classes that have higher expected returns than a guaranteed annuity, but that is because they are RISKIER. Obviously, people value risk differently, which is why in general, you can't say "always take $1M"
"Whereas the $1M cash, if moved to bonds and shares, even if it performed at 5% annually, it will mean on the first year break even, but on the second year it will compound (unless you spend all the money)."
The whole point of the $5K figure is that it is the same amount as the risk-adjusted return on a $1M investment. How the user chooses to spend that $5K monthly sum is up to them and they have the freedom to spend or invest that sum in the same manner regardless of which option he/she takes.
"You could say you invest the monthly savings from the $5,000 but simply put it, $1M in shares has a much higher expected return than $5,000 monthly in perpetuity."
Incorrect for the above reasons.
Assuming that $5K/month annuity is the expected rate of return on a $1M invested in a risk-free asset class (which is the assumption this article is written on) and you have the option to cancel the annuity and retrieve your principal at any time, it's pretty clear that the annuity is the better option because it has NO volatility.
The reality is that an annuity comes with lower volatility and risk.
When you look at the risks for a retirement payout, you need to think carefully. How long will you live? How long will you retain your faculties to manage investments? What protections do you have against dishonest or incompetent advisors?
Unless you're unlikely to live long, or have trustworthy children or other advisors, the annuity is probably the best scenario.
No assumption here. The expected return of an asset class like shares and bonds is higher than the annuity, which is always $60,000 and nothing more - this is a fact.
But as you said, just because the expected is higher doesn't mean the actual will be. But you still should always pick whatever has higher expected.
You're missing the problem of sequencing of returns. If you made that decision at 65 years old in December of 2007, you would quickly regret it unless you were one of the small percentage of people who can take the massive volatility that followed over the next 15 months.
You ABSOLUTELY MUST take into account the risk. Not doing so would get you sued as a financial planner. Frankly, this is where people lose so much of their savings: listening to hogwash like this.
Go spend some time and get your CFP or CIMA certification and then come back, and your answer will have changed.
And if I sound ticked off, it's because I am. You are totally ignoring Behavioral Finance, which is much, much more important than simple math.
We don't usually think about absolute return as much as we do return conditioned on an acceptable level of risk.
You can almost think of risk as currency, i.e. each additional unit of risk opens you to strategies with higher expected return. But you can also access strategies for which you're able to "pay" the risk (basically fits into your tolerances).
> Because you are taking an asset class that can be converted into shares/bonds which has a higher expected returns than an annuity because it can compound.
The annuity can compound too, if you treat it like you would any other 6% dividend and reinvest it.
Once you see that, the two become almost functionally equivalent. It comes down to a liquid million dollars with market returns or an illiquid million dollars with a guaranteed 6% return.
Which is better comes down to luck. If it's 2006 and stocks are at all-time highs, then the 5% guaranteed will definitely return more over 10 years, and maybe over 20 and 30 years. If it's 2009 and stocks have cratered, the liquid million in the market wins handily.
The liquid million has a slight edge in expected value, as 7% > 6%. But when you consider the 6% is a lower bound and the 7% is an average, it becomes clear that there are situations where the guaranteed income stream could win.
In Europe you can get above 10% before tax with "peer to peer" lending at https://www.twino.eu. The company guarantees it and their financials look healthy, but there is a risk of them being a scam or defaulting.
Personally, I would take your money for a guaranteed 5% and invest it in more risky funds, covering the losses or taking the excess gains.