Archives For December 2009

The IRS has released the new reimbursement rate for mileage in 2010:

• 50 cents per mile for business miles driven
• 16.5 cents per mile driven for medical or moving purposes
• 14 cents per mile driven in service of charitable organizations

The new mileage rates “reflect generally lower transportation costs compared to a year ago.” (IRS)

For now, all current users will need to change their mileage rate in Settings after they have completed their last 2009 expense report. Update your expense mileage by:

  • After logging in, click on Settings
  • Scroll down to “Customize your units”
  • Click “[change]” next to mile, type in “.5″ and hit “ok.”

For the visual folks, follow along with the video below to change your mileage rate:

Done! Your expense reports will now be created using the reimbursable mileage rate for 2010.

We just launched out of Beta and in to 1.0!

Continue Reading...

Remember when Danger lost all their backups?  At that time I wrote about Expensify’s massively redundant, multi-tiered backup system (to two remote locations in realtime, and to two more remote locations nightly) in a passionate appeal to sanity.  Soon after that I turned off my Sidekick for the last time, and turned on my shiny new Palm Pre.  (And I ain’t going back!)

But now I read that RockYou has compromised the usernames and logins to 32 million social networking accounts because they didn’t encrypt a damn thing?  Come on people!  Encryption is so… I don’t know, 1942?

At Expensify, we take security incredibly seriously.  We spent pretty much the entire first year building a geo-redundant, PCI compliant datacenter that achieves… actually, now that I think about it pretty amazingly high uptime, while simultaneously remaining super secure.  It wasn’t easy.  But that’s our job.  It’s not an optional thing.  Either you do it secure, or you don’t do it at all.

In our case, we use a type of encryption called “split knowledge, dual control”.  It’s more complex than this, but we basically split our master encryption key in half, and store each half in a different safe deposit box (Witold controls one, I control the other) such that nobody ever knows the whole thing.  This means nobody can decrypt our data alone, not even me.

Additionally, this key is assembled in memory on our servers using a type of “turn two keys simultaneously” system (akin to a nuclear launch panel) and never written to disk.  So even if you physically stole the servers out of our hardened datacenters (something you’d be a fool to try), they’d be little more than really expensive paperweights.

Anyway, I understand social networking data isn’t as sensitive as financial data.  And I understand most web developers don’t know how to deploy and maintain realtime distributed transaction layers.

But I don’t find those very satisfying excuses, and I doubt you do either.