No Food for Thought

Food is something you should provide to your brain long before coming to this blog. You will find no food recipes here, only raw, serious, non-fake news for mature minds.

FLOSS Fall? Security reality catching up with free software

admin Sunday October 2, 2022

A couple of decades ago, free software was the target of much FUD, notably regarding its security. But free software evangelists could easily reply to Microsoft and other vendors that Mozilla's browser had far fewer flaws than Internet Explorer.

In fact, the reality was that many more flaws were being discovered in MSIE than in Firefox, mostly because people had much less interest in finding flaws in Firefox than in MSIE. Firefox's rise would prove within just a few years that Mozilla was far from immune to security flaws.

The continued flood of free software has meant that free software vulnerabilities now have an impact similar to those in proprietary software. Catastrophic flaws of the last decade in OpenSSL and Log4j have started to show that some of the FUD was quite accurate.

KNP has been decrying software mediocrity for years, but things don't change overnight. I was involved in projects for which quality, including security, was - at best - an afterthought. Even (internally) known security flaws can remain for years, while fresh ones are being added.

There are lots of free software components, which vary a lot in quality and in many other aspects, but most have something in common: either their quality is mediocre, or they don't exist. And while many users may be willing to put up with mediocre quality in many ways, organizations may have difficulty ignoring bad security track records.

Research suggesting that some 40% of professionals have already scaled back their use of OSS may be worrying, but the timing matters, and the extent of that decline was not measured.
Better late than never. There is still time to react, and OpenSSF's promises are good reason for hope, but many open source projects need to perform a fundamental reprioritization.

Pavel Filatyev and the courage to oppose and die

admin Friday September 16, 2022

When you hear about the invasion of Ukraine, you can't help but wonder why some Russian soldiers won't quit and denounce it. Pavel Filatyev may be the first one to quit completely, and to have the courage and fortune to denounce it successfully. And by doing so, he helps us understand why so few will manage to do the same.

Pavel Filatyev had the fortune to get sick during the invasion and to be evacuated. He then managed to contact dissident organizations for help fleeing, and only succeeded in reaching France after going through Tunisia. Western countries demonize suicide, but everything is relative. Filatyev's account makes me admire those of his comrades who—perhaps unable to leave the battleground—had the courage to shoot themselves instead.

Man can choose to become a monster, and Man can be raised as a monster. But even those made into monsters can turn into heroes. For following that path, Pavel Filatyev is my Hero of the month.

Filatyev's life may not resist the long-reaching arms of Russia's powerful secret services. But the reconciliation facilitated by his memoir Zov, and the inspiration of his bravery will always remain.

Atypical commuting

admin Sunday September 11, 2022

There are several ways to commute. By foot, by subway, by car, by bicycle, by bus, or by a mix of these. By tramway or boat, by skateboard, by motorcycle or scooter too.

As a resident of Quebec City who usually commutes by bicycle, I am often called courageous for sticking to the bicycle even in our cold and icy winters. And I have to admit that, in a sense, winter cycling here does unfortunately require serious determination.

Commuting by bicycle during winter used to be rare here back when I started, 20 years ago. Still, I don't feel so original when I compare myself with Brent Hobbs. Swimming wouldn't speed up my current commute, but even if it did, I highly doubt I would be courageous enough for that.

Congratulations M. Hobbs!

Celsius: a cold shower for the CDPQ. Better get used to it

admin Sunday September 11, 2022

I have no problem with some people running SETI@home on their PC. Nor with some more self-centred ones using all the electricity they want to mine crhypeto coins. As long as they pay for it. Everyone is entitled to their illusions, and we all know that one learns much better by making mistakes.

The problem becomes real when people we would presume to be informed, such as bankers, choose to invest in the crhypeto sector. That is when the illusions start spreading to the real economy. And when a public institution invests millions of dollars in the sector, it gets serious. I am being forced to sacrifice my capital.

Unfortunately, Quebec has clearly reached that stage. In August, the Caisse de dépôt et placement du Québec announced losses of about 200 M CAD following the bankruptcy of Celsius Network. Yes indeed, the CDPQ directly put millions of dollars into a company built on crhypeto.

While the news may be hard to digest, the reaction of president Charles Emond seems reassuring:

Charles Emond wrote:
the teams at the Caisse who carried out the analyses and the due diligence required for such an investment will be accountable for their decisions

At first glance, the mistake is acknowledged and steps are taken to avoid repeating it. But things go downhill from there:

Charles Emond wrote:
We arrived too early in a sector that was in transition, with a company that had to manage extremely rapid growth, even growing pains, that was still developing, that became financially fragile just before the crisis, and all of that went too fast for the new management to execute the [recovery] plan.

Mr. Emond, one never arrives too early in a Ponzi scheme. One simply arrives. "Arriving late" is even worse than getting in early.
They even try to play the saviours:

Charles Emond wrote:
What interested us was seizing the potential of blockchain technology and also contributing to regulating this sector.

In light of these comments, one can genuinely doubt the CDPQ. Is this mere pride? Have we learned from our mistake? What other sums has the CDPQ already sunk into crhypeto? What will the cost of waking up be?

Violent video games: significant distractions

admin Friday June 24, 2022

I played several violent video games during my childhood and early adulthood, and wasted several more person-weeks playing them. Despite playing America's Army, I was never recruited by any army, and besides sometimes wishing violent tyrants would taste their own medicine, I do not consider myself particularly violent.

If violent video games were a costly distraction for me, it seems they may have been a very different kind of distraction at the political level, for an even longer time and at a much higher cost: human lives, as politicians blame games instead of focusing on effective ways to reduce gun violence.

Thankfully, it seems that, NRA-funded groups aside, this side of the distraction may be coming to an end.

Complicating complications: TFSA contribution limit

admin Saturday June 18, 2022
In the early 21st century, some Canadian politicians were worried that the federal government's debt was only a few hundred billion CAD. The conservatives—perhaps also worried about unemployment among accountants—had the great idea of creating tax-free savings accounts, incidentally succeeding in making an excessively complicated personal income tax system even more complicated.[1]

A few years later, the conservatives—probably worried that the federal debt would fall under a trillion dollars—increased the yearly contribution limit from 5500$ to 10 000$. When they finally lost power, the liberals brought it back to 5500$. Unfortunately, no other government with enough courage to do the right thing has come since, so the TFSA has persisted to this day. If you don't want to be the one financing stupid governments, you still need to understand TFSA rules and continuously know your contribution limit.

[1]: Unless, of course, they were simply trying to leave their mark, by reminding us forever of how good the PPC CPC is at taking populist measures.


Some may track their limit manually, but after a while this usually gets quite complicated. Thankfully, WOWA's page on the topic helps in 2 ways. It first provides a calculator, which will unfortunately be inconvenient for many. But as the page then explains, you can also get that information (more or less) directly from the CRA!

That is, of course, if you've already used the CRA's My Account... or if you're willing to go through an insane (and half-broken) process involving some 15 minutes of wondering how a national G7 government can make such a simple thing so complicated in 2022. I, for one, have been lucky enough to survive the resulting head-banging and get access to the precious amount.

I suppose simplifying a complicated complication will always be somewhat complicated.

Update: Once you receive your CRA security code (by paper mail, of course), you can go back to the website. Once you manage to remember how you connected, and once that authentication method starts working again, you will be able to enter your security code. But not before entering again all of the same strange information the CRA asked you, hoping to authenticate you, before you signed up. For the last time, hopefully... until your security code expires, not even 1½ years after you signed up!

Open Source Security Foundation gains recognition... and funding?

admin Saturday May 28, 2022

8 years ago, Heartbleed was estimated to have cost at least 500 million USD. Since then, many more vulnerabilities have been granted infamous names, including a few whose damages are estimated at the same magnitude. And yet, despite everything that was written about EU-FOSSA and the Core Infrastructure "Initiative", only roughly 10 million € were spent on all these projects.

For some time, hope in OpenSSF has been growing, thanks to its approach and reasonable orientations. When Log4Shell erupted, OpenSSF's future was quite questionable. But this year, while some big challenges remain, it is acquiring unprecedented credibility, with involvement from the White House and a plan whose ambition would have been unthinkable prior to Heartbleed.

The main question now is whether it can find enough funding for these ambitions. Tens of millions of USD would have been miraculous before the advent of crhypetocurrencies, but we remain far from the short-term target.

148 M USD may be little in comparison to the costs of the ongoing software chaos, yet the tragedy of the commons will most likely prevent even reaching that, once again. Unless - perhaps - the EU and the USA can join forces and demonstrate what collaboration can make possible?

2024-04-02 Update

How far have we come toward that, almost 2 years later? OpenSSF's website doesn't even prominently list its contributors. Wikipedia's article only mentions the initial 30M $ in pledges. OpenSSF's 2023 annual report merely mentions that Alpha-Omega was "awarded over $4.9M in grants toward securing open source in 2023".

As OpenSSF's efforts remain mostly a plan, reality has started hitting, with professionals scaling back on FLOSS.

And you call that educated? The USA's overestimated education ROI

admin Wednesday May 11, 2022

I grew up strongly rooted in the economy. My father was a merchant, I worked in his store, and I knew his employees earned 6 CAD per hour. For me, this minimum wage was generous.
A few years later, I got a first job. Thanks to some good fortune, I always found my wages generous, and even more when I started working in IT.

It turns out my story may not be the norm. A recent survey confirms an old phenomenon: highly distorted economic expectations among some of the people we could think of as most educated, i.e. college students in the USA. Even students in psychology − yes, psychology − overestimate their starting salary by more than 100%!

I find the amplitude of this distortion puzzling, and am curious about its causes. Is this a case of exceptionalism? Would students better estimate the starting salary of their peers? Is the USA's private education system to blame for this perception? Or are we encouraging education so much that we overvalue it?
Hopefully, research on this can help mitigate student debt.

If you think you have answers, thanks for commenting.

Adolescent crisis or democratic peak?

admin Thursday April 28, 2022

The world is evolving. Well... it is certainly changing, but for some time now, one wonders whether it is for the better. The environmental crisis already began many decades ago. For a few years now, it is democracy itself that has been under threat. And let's not even mention the pandemic...

Is all of this a mere crisis? A crisis we can learn from and come out of stronger? Or will it be too hard to get back up?

While nobody knows, let's admit that our trust is at its lowest. According to the Edelman Trust Barometer, right now, we trust companies much more than government and the media (page 5). Moreover, the gap is widening between the well-off and the less informed (p. 16). Perhaps most worrying: trust is lower in democratic states than in autocracies (p. 21), and the first world has much less confidence in the future than the second and third worlds (page 22).

Ironically, Edelman being a private company, I do not blindly trust these results. But even if they were inaccurate, the scale of the phenomenon remains worrying. On the other hand, optimism is not forbidden. A drop in confidence in the future could be seen as a reassuring indicator of a growing awareness. Developed countries may finally be realizing that we are in a crisis. And perhaps this realization will allow us to react, and thus prevent this crisis from turning into a democratic peak... or even a civilizational one. We must still avoid a hasty reaction.

Let's be wary of our current ways, and opt for a calm reassessment... but let's not lose confidence in our ability to evolve into a conscious humanity, united and ready to regulate itself, before nature has to do all the work. There is still time to make this situation a mere dip, which our descendants will look back on as a phase of history to which we knew how to respond brilliantly. All together, let's pass this test of will.

Vladimir Putin's Undeclared Wars

admin Sunday March 27, 2022

3 weeks ago, shortly after Russia expanded its invasion of Ukraine, I wondered how Russians would react. And I wondered if they could react, given how bad repression is getting. I wondered what would happen if a citizen was to go out with a sign reading "I am not protesting against anything."

It turns out I was quite naive, as others have now proven. While Vladimir Putin never declared war on free speech, his war against it has reached such a terrifying point that Russians can no longer hold a blank, letter-sized sheet of paper in public. The sheet doesn't need to be blue and yellow for them to be arrested.

In 2014, Vladimir Putin did not declare war on Ukraine when he "secretly" invaded it. Nor did he declare war in 2022, when he launched his "special military operation".

It turns out Putin has been skilfully exploiting democracy's worst flaws to weaken his opponents for a long time, with grave effects in the last decade. While our media focus on covering refugees and dead children, Putin has managed to legalize theft without even getting democracy's attention, discreetly adding yet another colossal weapon to his arsenal for future wars. Putin knows better than to trigger a conventional war against NATO. He prefers to target democracy's weakest, corrupting or manipulating them with just enough discretion to avoid full-scale war.

Unfortunately, even if Putin will not declare war on democracy, democracy still has to stop pretending there is no conflict. Putin's undeclared war against Ukraine may be our last occasion to acknowledge his war against democracy. And finally react accordingly.

Fully Free

Kune ni povos is seriously free, though not completely humor-free:

  • Free to read,
  • free to copy,
  • free to republish;
  • freely licensed.
  • Free from influence (original content on Kune ni povos is created independently; KNP is entirely funded by its freethinker-in-chief and author, and does not receive any more funding from any corporation, government or think tank, or any other entity, whether private or public), advertisement-free
  • Calorie-free* (but also recipe-free)
  • Disinformation-free, stupidity-free
  • Bias-free, opinion-free* (OK, feel free to disagree on the latter.)
  • Powered by a free CMS...
  • ...running on a free OS...
  • ...hosted on a server shared by a great friend for free