No Food for Thought

Food is something you should provide to your brain long before coming to this blog. You will find no food recipes here, only raw, serious, non-fake news for mature minds.

Information security: an example of cumulative negligence

admin Friday September 29, 2023

In computer science, we're often taught that security is only as strong as the weakest link in the chain. This weakest link principle is true, but looking for that weakest link is not always the best way to harden a system.

Microsoft's analysis of how China (Storm-0558) breached the email accounts of senior USA officials earlier this year is an interesting case of cumulative mistakes, where a series of limited issues results in catastrophic damage. Even though the analysis is not confirmed and some details are missing, it's interesting to have a high-quality analysis of a real-world example of an attack exploiting multiple weaknesses:

  1. an unstable software component crashing
  2. a race condition causing sensitive data to be included in the crash dump
  3. that crash dump being moved to a wider organizational network (the debugging environment) following a failure to identify its sensitivity
  4. compromise of the corporate account of an engineer with access to the debugging environment
  5. an authorization bug allowing a consumer key to access "enterprise" email, apparently as a result of unclear APIs


As a senior developer having served numerous organizations for various projects, it's easy to relate to most of these weaknesses. And yet, it's easy to imagine how reports of most of these issues could have been brushed off by management as unlikely/alarmist, failing to see the risk from cumulative negligence.

Security is about strengthening each link, but it's also about keeping security in mind at all times.

Power surges and whole-house surge protectors

admin Wednesday September 13, 2023

Following a recent storm, my boss explained his Playstation was broken and said there was a power surge when power was restored. I was quite surprised since I always thought it was lightning itself which caused power surges.

This prompted me to read about power surges, which showed that while lightning is one source of surges, it is indeed far from the only one. But thankfully, I discovered not only these new risks, but a protection against surges I had never heard of: whole-house surge protectors (or surge arresters). I read a few interesting articles about surge and surge protectors. The one I'd recommend the most is the first:


Unfortunately, none of these gives convincing advice that one should use whole-house surge protectors. If you are aware of a cost-benefit analysis on the topic which compares the average cost of such devices to the losses they prevent on average, please comment.

Cryptomedy: a cryptic but somewhat distributed comedy

admin Friday September 8, 2023

When people notice their bank account has been compromised, most call the bank. But even among software developers, few would ask the bank to change their code as a remedy. Yet, that's what Tulip Trading has asked their pseudo-bank (Bitcoin "developers") to do. At least, optimistically.

Those who believe "cryptocurrencies" are "decentralized" will struggle to make sense of such a request. But those of us who do see beyond the first level will appreciate that cryptomedy is well-distributed. It seems each one of its actors contributes its small share of humor.
If only the capacity to appreciate the resulting farce would be abundant and equally distributed among all adults… 🙄

The great story of La petite vie

admin Thursday September 7, 2023

Having been born in 1985, I was too young when La Petite Vie began to realize how much this series made history. And even more so to try to explain how a series of barely sixty episodes could have left such a mark.

It was reading the excellent article "La grande histoire de La petite vie", published in L'actualité, that made me understand it all. Indeed, judging by the author, who seems to trace this success back to 1976, it was a long history that led to this achievement.

Claude Meunier wrote:

I was happy that people were getting on board. But at the same time, I was very afraid it would stop. I had never been pampered by the critics. They had said of Paul et Paul1 that it was a bunch of morons; of Ding et Dong that they were simpletons; of my play Les voisins, co-written with Louis Saia, that it was a bad soap opera… I had been slammed so often that I remained very nervous with each episode. I had the impression that the columnists were waiting for me around the bend.


1 Trio of comedians to which Claude Meunier belonged, with Serge Thériault and Jacques Grisé, from 1976 to 1981.


But in the end, the main ingredients are not all that surprising: experience, prior failures, effort, self-questioning, sufficient resources, and the wisdom to stop in time.
👏🏼

From Climatic Disruption to Ashes to Further Climatic Disruption

admin Wednesday September 6, 2023

The ongoing wildfire season in Canada has been unprecedented. Even though the worst has been in the West for a while, this week, we're seeing smoke in Quebec City again, and there's a new smog warning today. But how much carbon do we emit by fighting fires, bringing firefighters from other countries, evacuating towns and letting some buildings burn?

The answer is not that much―but only relatively. Unfortunately, it's trees themselves which emit the most. By far.

CBC wrote on 2023-09-06:

“The effectiveness of our greenhouse gas emission reduction targets is going up in smoke, literally.”

The amount of greenhouse gases burned in this year’s wildfires is estimated to be more than two and a half times that of all sectors in the Canadian economy combined, said Kurz, citing federal government data.


For several months now, the newscast I follow (Canada's daily 45-minute The National) has been covering climate-related catastrophes/issues for 5 to 10 minutes on average. If we haven't already passed a tipping point, it's never felt so suffocatingly close.🥵

From Ashes to Ashes to Pharce

admin Tuesday September 5, 2023

No Food for Thought wouldn't be complete without a rant against Canada's Phoenix pay system. This week I worked with an unfortunate former government employee who's been compensated incorrectly ever since Phoenix was deployed, in 2016.1 She is still affected by Phoenix's mess, even though she retired 5 years ago! While this post doesn't pretend to be complete―which will have to wait until this fiasco's end―as the government reveals it's already paid over 4 million compensation hours to its employees, and with costs already in the order of a billion CAD, it's high time to start that rant.

Ah, if only "conservatives" could actually be conservative. Here's hoping Phoenix will die soon, but most importantly, that we Canadians at last start valuing governance and never allow such a phoenix to regenerate.


1 To tell the whole story, Phoenix only worsened her problems, which go back to 2014, when her pay's management was moved to the Miramichi centre. Her situation has reached the point where she sent a letter accusing the government of attempted fraud.😣

Servadrenaline

admin Saturday September 2, 2023

Some people are bored enough to break the law in order to find distraction. Why not get a wild cat like a serval (even if they're illegal in Nova Scotia)? Maybe because wild animals are themselves bored, when kept in captivity, and reputed to be great at recovering their freedom.

For anyone who's owned a cat and tried to keep it inside, feline escaping skills should be little surprise. What I find slightly surprising is the transformation of courage into fear visible in this encounter between very different cats. It seems the legal cat got its daily dose of adrenaline...
Angle matters!😂

Exit or Voice: the powerful anti-Putin voices of Arkady Volozh and Oleg Tinkov

admin Saturday August 26, 2023

Half a decade after the famous treatise on the matter, quitting or speaking remains a constant dilemma. In particular in rogue autocratic regimes like Vladimir Putin's Russia... and about a topic as political as the Russo-Ukrainian War.

👏🏼Russian businessmen Arkady Volozh and Oleg Tinkov👏🏼 have managed to make the right decision, clearly voicing their opposition, despite a forced, very costly exit.

Arkady Volozh wrote:
I am totally against Russia’s barbaric invasion of Ukraine, where I, like many, have friends and relatives. I am horrified by the fact that every day bombs fly into the homes of Ukrainians

Oleg Tinkov wrote:
Of course there are morons who draw Z, but 10% of any country are morons. 90% of Russians are AGAINST this war!

Google Maps driving you nuts? Welcome to the anonymous road club

admin Friday August 18, 2023

Fast Company has written a 5-point rant against Google Maps. The first 4 points honestly don't bother me much... but as for the last one, it was quite a relief to read, about a year after realizing it and wondering if I'm going crazy for being the only one getting this behavior and going mad about it:

Michael Grothaus wrote:
Many times I just want to see the name of the street I’m standing on. So, I open Google Maps and zoom in on my current location. Yet no matter how far in I zoom in, Google Maps doesn’t always apply a label to the street I’m standing on. It just remains blank. Of course, business pins I have no interest in are still prominently displayed.


Slashdot's coverage of the article has lots of comments about that problem, some of which suggest the persistence of such a flaw does not result from incompetence, but rather an intentional business decision:

ThumpBzztZoom wrote:
It's simple, Google does not want you to know where you are. The less you know where you are, the more you have to rely on Google Maps.


Unfortunately, the issue is not just limited to your surroundings. Maps fail to show road and waterway names even when exploring different regions. And no matter the explanation, I have to admit that at this time, I'm still using Google Maps.😒

Volunteer organizations, moral licensing and dysfunction

admin Sunday July 9, 2023

Having contributed to countless projects via volunteer organizations, I know that organizational dysfunction is―if not a rule―almost a norm, in particular in organizations with little funding, no staff and no management.

There are some obvious explanations for that, including volunteer burnout, but what is more surprising is the frequency and persistence of harassment. Jeroen Camps highlights an interesting scientifically studied phenomenon called moral licensing which may help explain that.

I am skeptical about the existence and importance of moral licensing, but if it affected everyone, very few of Kohlberg's stages of moral development would remain plausible.