> moving here should be a well thought out decision and preferably not based on a single not-entirely-correct HN post. There are trade-offs and there's more to a country and to life than low taxes...
While I definitely agree with that (and in fact my own reasons to move to Bulgaria back in the day were not about taxes at all), could you elaborate on the not-entirely-correct part? What exactly is not correct?
> Is this really how it works? They're taxing people with 0 income? I guess it isn't relevant to the target audience of the article but it must suck for the unemployed.
No no, the social security min base 710 BGN is only relevant if you declared that you're actively working, but in fact getting no income. If one decides to e.g. take a break for a year, they can declare that they're not actively working anymore, and thus they'll be paying a lot less (I don't know exact amounts though).
And also, unemployment is a whole lot different story, but I don't know details about that.
> This seems really high. Why do you need an accountant every month instead of once a year?
As already mentioned by phoronixrly, yes it's because of the VAT registration. Having that registration, accountants have to do some paperwork every month.
Could you elaborate? Of course I do have a local accountant, and if what you're saying is true, I am disappointed she didn't mention that; they just said, paying salary will end up being more expensive than dividends.
By paying yourself with a salary via your company, you'd pay 10% revenue tax + health insurance (ЗО) + social insurance (ДЗПО, ДОО)... except the insurance part is capped on a maximum revenue of 3000 BGN or something like that... so as you make more money, your total tax rate converges to 10%.
Take these numbers with a grain of salt because I'm no accountant, but I know for sure your accountant is wrong, because I know how much tax I pay, and that's close to 11.5% total.
If we take a gross income of 20K BGN (which is not a bad income for a software engineer), then with dividends, net income will be roughly this:
20000*0.9*0.95-710*(0.148+0.05+0.08) = 16902, which means taxes are 15.59%.
And if it all goes as a salary, then net is roughly this:
20000*0.9-3000*(0.148+0.05+0.08) = 17166, which means taxes are 14.17%. It's lower than dividends, but still far from the 11.5% that you mentioned.
To get to 11.5%, the gross income has to be around 50K:
50000*0.9-3000*(0.148+0.05+0.08) = 44166, so the taxes are around 11.67%.
Could you clarify in which range your gross income is, is it closer to 50K BGN than 20K BGN?
I guess there can be some bonuses which aren't taxed, and this way one could reduce the tax, but paying large bonuses to myself smells too much to me since it's clearly done just to pay less taxes.
In the meantime, I clarified in the article that as far as a company is concerned, the article only focuses on the dividends option, and added the link to your comment.
I'm not from Bulgaria but I think what was said is that, depending on the profitability of your company, you can pay out a part of the profit as a dividend (using the lower tax rate until the cutoff) and then the rest as a salary.
It's not one or the other. As a company owner you can use both the dividend and pay yourself a salary.
While I def agree that those are not mutually exclusive, and I considered paying myself a salary, paying a salary still involves a bunch of extra taxes, which end up being more than the dividend's 5%. At least that's what I had from my accountant, but I'd be happy to know details of how to make the combination of salary+dividends require less taxes than just dividends.
It seems weird you are forced to distribute the dividend in BGN. Pay the withholding tax, yes. But the dividend itself? Most accountants can calculate the corresponding currency equivalent for the dividend being declared on the payout day. Worth looking into.
Also, does Bulgaria support interim dividends? The loan set-up, while not an issue, can perhaps be avoided by use of interim dividends.
This was confirmed by at least two reputable accountants, so yeah, I'm 100% sure I didn't have to pay 8% health insurance while being a long term resident (and not an EU citizen).
Actually, I _did_ pay some health insurance, but it had nothing to do with the business and it wasn't 8% or anything like that. It's like the same kind of health insurance that even tourists have to get.
Ah, I see where the confusion comes from. I assumed you meant you don't have to pay any. Though, I'm curious, how much is it? I went to check in the "Ordinance on the General Terms and Conditions, the Minimum Insurance Amount, the Minimum Insurance Premium and the Procedure for the conclusion of the mandatory medical insurance of foreigners who reside shortly or prolonged in the Republic of Bulgaria or transit through the country" (such a title), it says the price of the premium is determined according to article 65 of the insurance code, but that one is referring to something else. Oh, well.
The yet another external dependency is way more than Now() though. Mocking just Now() is trivial, but most of the time it's by far not the only function which I personally use from the time package.
Correct. In my use case, I just need a simple replacement for time.Now(). If I needed more (time.After, for example), there's a point that bringing in an external dependency makes sense.
Ok cool, so whenever you register on a new service, you have to add all 4 of them, which means going to "other safe places", picking tokens, adding them, and placing them back. Also I doubt your safe places are as safe as bricking them into the wall. Apparently it's okay for you, so, keep it up then. I personally hate this.
Also having 4 tokens does feel kinda too much to me. Each additional device does open a new attack vector, and if your token at home or in other places suddenly disappears, you're unlikely to even notice that quickly, while an attacker could use that time having a token.
Also, if the service doesn't support having multiple tokens (as mentioned in comments, Twitter is such an example), then having 4 tokens doesn't help much.
Yes sure, once the primary token is lost, the backup should be used to log in to all of the services we used the primary one for. But it's not worse than if we had a regular U2F token as a backup: we'd have, again, to log in to all services and revoke the primary token manually.
> If the primary is lost or stolen, the key should be invalidated
Exactly.
> and thus the backup device is useless.
The article mentions multiple times that the backup is set up in such a way so that right after we use the backup token on some service, the primary token becomes immediately invalidated for this service. Read the article for the details on how it's implemented.
An attacker in possession of the primary device can increment the counter, making the primary still work, and invalidating the backup. In crypto, keys are secrets, the rest can’t be relied on for security.
> In crypto, keys are secrets, the rest can’t be relied on for security.
First, there's no 100% security in the world: it's all about time and resources, and proper security consists of many layers. The counter is one of them; after all, it does exist in the U2F protocol for a reason (to prevent clones).
And if you've read the article, you'd notice that it mentions: the backup token should only be used to log into accounts, add a new key, and invalidate the old one. Of course it would be a bad idea to keep using the backup token. To avoid waiting for the new pair of tokens to arrive, I keep them together with my backup: my backup consists of the backup token itself, and also a brand new pair of tokens (new primary and new backup), which aren't used anywhere yet. So if something terrible happens and I lose my primary token, I go all the way down to get the backup, use the backup token to log in to each service, add a new primary token, and revoke the old one.
I don't think we understand each other. If a device gets in the hands of the attacker, I won't assume he/she's going to use your code and obey your restrictions. The primary device contains the key, that the attacker can possibly extract and use, setting any arbitrary counter he/she wants.
I see your point on the limited usage of the backup while you buy a new device. This goes back to my initial comment... you basically always need 2 active security devices, so I don't really see any big benefit in having a backup vs a secondary device.
> The primary device contains the key, that the attacker can possibly extract and use, setting any arbitrary counter he/she wants.
Again, not saying it's impossible, but with the existing implementation, it takes a considerable amount of time. I should be able to get the backup token faster.
> I don't really see any big benefit in having a backup vs a secondary device.
A big benefit for me is not having to add my backup token to every single service. It's both more convenient and more reliable (since I can't forget), and also more secure, because I can take my backup token and brick it into the wall. If this benefit is not a benefit for you, then, fine, we're not going to agree.
Got it, this makes sense to me. And sorry, I was rereading the thread, I don't want to think I'm dismissing your whole article, I really appreciate you writing about it.
I think the time is a big advantage. As I mentioned, I'm working with Conor on the FIDO2 security key (actually, update [1]), and we were thinking of an option to create backups, maybe for advanced users. I'll keep you posted if we end up doing something in the space.
Thanks! Yeah Conor mentioned that to me; I think the real benefit (at least personally for me) would be not being able to buy pre-made matching pairs of tokens, but being able to easily write my own key material plus the counter boost value. You know, yubikeys do have this functionality for OTP: their utility allows programming OTP keys. I actually expected the same for u2f, but alas.
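The counter-based invalidation debated in the thread above, seen from the relying party's side, as an added example that is not code from the article or from any commenter. It models only the 32-bit signature counter carried in a U2F authentication response; signature verification is omitted, and `Token`, `RelyingParty`, `BOOST` and the key id are hypothetical names and constructed values.

```python
import struct

BOOST = 1_000_000  # constructed value; the boost the article uses is not given in this thread


class Token:
    """Models only the signature counter of a U2F token (no cryptography)."""

    def __init__(self, key_id: str, start: int = 0):
        self.key_id = key_id   # primary and backup hold the same key, so the service sees one id
        self.counter = start

    def authenticate(self) -> bytes:
        """Head of an authentication response: user-presence byte + big-endian 32-bit counter."""
        self.counter += 1
        return struct.pack(">BI", 0x01, self.counter)


class RelyingParty:
    """Server-side rule: accept a counter only if it is strictly above the last one stored."""

    def __init__(self):
        self.last_seen = {}    # key_id -> highest counter accepted so far
        self.alerts = []       # counter regressions: (key_id, presented, stored)

    def login(self, key_id: str, response: bytes) -> bool:
        _presence, counter = struct.unpack(">BI", response[:5])
        last = self.last_seen.get(key_id, 0)
        if counter <= last:
            # A stale counter means another device with the same key was used since.
            self.alerts.append((key_id, counter, last))
            return False
        self.last_seen[key_id] = counter
        return True


def demo():
    rp = RelyingParty()
    primary = Token("hypothetical-key-1")
    backup = Token("hypothetical-key-1", start=BOOST)
    results = [rp.login(primary.key_id, primary.authenticate()) for _ in range(3)]
    results.append(rp.login(backup.key_id, backup.authenticate()))    # backup taken out of storage
    results.append(rp.login(primary.key_id, primary.authenticate()))  # lost primary tried afterwards
    return results, rp.alerts
```

The rejection applies per service, only after the backup has logged in there, and only while the presented counter stays below the stored one, which is the limit the other commenter raises.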