
No Food for Thought

Food is something you should provide to your brain long before coming to this blog. You will find no food recipes here, only raw, serious, non-fake news for mature minds.

Unprotocolary protocolist

admin Tuesday January 4, 2022

As a progressive and free (not to say atypical) spirit, I am nonconformist. I have always had difficulty with Protocol.
But as a computer scientist, as a champion of open standards and interoperability and as a world citizen, I love protocols. From HTTP to Kyoto's, protocols are at the center of sustainable software and sustainable development. Uncapitalized protocols are clearly capital.

So, as a green Quebecer, although I was still a baby when it was adopted, I can't refrain from feeling a little pride about the Montreal Protocol. It is remarkable that the world managed to set its course towards recovery without even fully realizing how catastrophic the situation would have become.

Hopefully, that realization and satisfaction will provide enough will to comply with the recent and future protocols or other mechanisms needed to mitigate the climate crisis (without taking the ozone's recovery for granted, in particular since some chickens may have been counted before they hatched).

Happy 20th anniversary, €? Oh, and mea culpa

admin Sunday January 2, 2022

2022 marks the twentieth anniversary of the Euro becoming tangible. 20 years ago, we could have hoped a lot from that experiment. Greater European unity, more countries adopting the Euro, and perhaps even an enlargement of the Union.

While a few small countries did adopt the Euro during that time, the United Kingdom did not. Instead, it recently left the Union. Those who were hoping for an unprecedented simplification in the global economy may be disappointed.

Rather than that, the currency landscape has arguably gotten even more complex, with the appearance of "cryptocurrency". Or rather - since that wasn't enough - of tens of "cryptocurrencies". Which brings me to the apologies.


In the second half of 2018, I publicly declared, on this very blog, that Peak Crhypeto was over. For once, I allowed myself a bit of optimism. The world had come to its senses before losing any contact with reality.

Although statistics are highly vulnerable to manipulation, I was visibly mistaken (crhypeto trading was already full of washing in 2018).
How could I get things that wrong?

Obviously, the pandemic. With travel bans and inventory shortages, individual savings skyrocketed, boosting the stock market to unprecedented levels. With increased prices for all investment assets, investors looked elsewhere, to all investment opportunities, either real or imaginary. Crhypeto's value reached new highs.

Second, so-called stablecoins. By bridging crhypetocurrencies with actual currencies, "stablecoins" created truly valuable cryptocurrencies.

But that's only a small part of the explanation. The other impact of the pandemic was to disrupt everything. It disrupted offices, causing remote work to explode. It disrupted IT teams and law enforcement, as well as politics, causing a rise of rogue states and criminality. The damages caused by ransomware attacks reached incredible levels.

But I am not writing this to apologize for failing to predict the pandemic and the breadth of scammer imagination. I am apologizing for missing a phenomenon which was already visible in 2018. In 2018, I thought greater fool theory was the only explanation for crhypeto's value, since these "currencies" didn't store value. I knew criminals used crhypeto. What I didn't realize is that money laundering has been solving the one essential property crhypeto lacked to become an actual currency: storing value. With billions of USDs at play, laundering gives crhypetocurrencies huge value.

Crhypeto is basically Switzerland. But it's even better than that. Crhypeto is Switzerland-on-demand: a way to create a credible tax haven, without any territory or any cost. The recipe couldn't be simpler. Basically:

  1. Create a new currency. No need to coin, just coin it with a credible, apparently legitimate name.
  2. Create a website that justifies why Dogecoin is unlike all the others.
  3. Try asking your fellow crooks to trade some Dogecoin with their variant so it looks a little better.
  4. Attack organizations and demand a ransom paid in Dogecoin.
  5. Sell some Dogecoin to your victims, in exchange for real currency.
  6. In case you failed the last steps, offer Dogecoin at a discounted price to foolish investors.


...and if you're more technological than charismatic, you can avoid the first 3 steps and do without any marketing by hijacking another Dogecoin instead.

Do the black market and "stablecoins" alone justify a valuation of trillions of USDs? Unlikely, but what matters is that money laundering and stablecoins give crhypeto some actual value, which somewhat stabilizes its market value and brings the much-needed bridge with the real economy, attracting non-foolish investors. And that important value fuels fools. The increasing number of participants in turn brings greater credibility to the concept. So both sides build upon each other: dreamers enjoy the criminal side's laundering capacity, while criminals profit from the credibility brought by fools and backed crhypeto, multiplying the hype. The system is complete.

Peak Crhypeto may only come at Peak Ransomware, or even Peak Crime. I can only hope that time will come soon.


The approach I used to advocate towards crhypeto was laissez-faire. At some point, the bubble would burst, providing a learning opportunity to all those involved.

I assume most of the market value of unbacked crhypetocurrencies still comes from hype, so I still think valuing economic education should be our first protection. But in light of these evolving dynamics, the proper response needs to be reevaluated. Each unbacked crhypetocurrency should probably be treated like a country which facilitates money laundering.


Wishing the next decades will see more Euro and less crhypeto,
Mea culpa, and happy 2022

Free Speech, Freedom to Exploit the Poor

admin Friday December 31, 2021

Democratic societies value free speech. But how much free speech is valued varies in each society.

The USA is probably the greatest champion of free speech, to the point where it no longer has a value, but rather a holy status, which may only envy the right to self-defence. It may then not be a great surprise to notice that the public in the USA has become so misinformed. The right to speak freely cannot come without the condemnation to be misinformed by unimputable actors.

One famous source of profitable misinformation is advertisement. But advertisement promoting the health benefits of cocaine drinks and - cough - cigarettes - cough - is long gone, so can the advertisement industry remain such a problem today?

The poorest half of the world's population may only possess 2% of global wealth, but it still earns more than 8% of income. That may not be much, but the advertisement industry cannot neglect that revenue source... in particular when its low education is taken into account. If the public is easy to disinform in the USA, imagine the situation in the Third World. With a much higher informational vulnerability, the Third World can offer a more interesting benefit-to-cost ratio for disinformation than the First World, in particular if these countries struggle to control misinformation.

Flagship corporations of the First World like Facebook and Alphabet could not be blind to such opportunities, and have been exploiting these flaws for years. Oh, not directly. The burden of creating (or even just plagiarizing) disinformation is left to clickbait operators and other disposable publishers. Tech giants do nothing more than fund them and feign ignorance, until they sometimes open an eye when the resulting chaos threatens their own country and shareholders.


The first defence against disinformation should be to create and promote quality information. But given that nuance and complexity will never be as inflammatory and evocative as disinformation can be, regulation of the information market is also necessary at some point. When an entity uses a business model allowing it to profit from disinformation, the state must ensure that minors are protected. And unless that's enough, adult victims - just like cigarette smokers - need to be warned about the threat disinformation consumption poses to their health. Properly disincentivizing disinformation won't be easy, but there's no way around such a market failure.

Découverte

admin Wednesday December 29, 2021

Découverte has been one of my favourite shows for a few decades already. But in terms of pure entertainment, the works that have fascinated and marked me the most are probably the Civilization game series and the television series Les Mystérieuses Cités d'or. Maybe it is because I have always had an explorer's mind.

Or maybe it's just that the recipe for making a title sequence that impresses me was simple!
Intro of Les Mystérieuses Cités d'or
Intro of Civilization II

Log4Shell and OpenSSF

admin Monday December 27, 2021

Heartbleed was more than 7 years ago. This year, the new Heartbleed is Log4Shell, which is in no way less severe than Heartbleed. I lost several hours of work due to Log4Shell, and it cost way more for many of my colleagues. Will such ridiculous flaws keep being revealed ad vitam æternam?

Following Heartbleed, others and I started a reflection which would result in the CII, which is being replaced by the OpenSSF. Last time I blogged about OpenSSF, it wasn't even one year old, and was still incubating. After a year and a half, how close was OpenSSF to avoiding Log4Shell?

The short answer is far. The practical part of OpenSSF, Project Alpha-Omega, has secured 5M USD which can partially be invested in identifying vulnerabilities. While this amount is significant, it is obviously far from being enough to secure even the critical open source components in a reactionary mode. The project's current scope is to get involved in the approximately 100 most critical open source components. Is Log4j part of these?

With the high number of components, that's a hard question to answer. And the OpenSSF's answer to these questions is based on the Open Source Project Criticality Score, which estimates Log4j as the 2543rd most critical open source project, with a criticality score of 0.6231. Are there really 2542 projects more critical than Log4j? That might still not be a trivial question, but what is clear is that OpenSSF's ordering makes no sense. According to the list, the 355th most important is Zcash. If you don't know Zcash, you're excused; it is ‘an implementation of the "Zerocash" protocol’. An exception? Way above that, we find at #43 the Bitcoin Core project, which is dedicated to an alternative "currency". Zcash and Bitcoin Core respectively have a criticality score of 0.75 and 0.87.
2024 Update: I removed the link to the list, since it is a moving target and now points to a whopping 100 MB file. The scores have changed widely since this was posted, but remain unusably unreliable.

In short, OpenSSF is mostly at the same point as it was last year: incubating. There are positive aspects:

  • OpenSSF recognizes its scoring is immature (it's qualified as beta)
  • the Foundation has managed to raise significant funding.

But turning that funding and further resources into results will take a long time. OpenSSF's reaction to Log4Shell is interesting, but when we're still at an early stage of prioritization, we should refrain from wearing rose-colored glasses and acknowledge it will take more years to see real results.

So, here's hoping for a 2025 and beyond with fewer fires.


Update

Brian Behlendorf's article has sparked controversy. I agree with Behlendorf in the sense that increasing the general funding of an open source project would be far from an efficient way to specifically help secure it. But the controversy is understandable in the sense that the way Behlendorf describes his stance is exaggerated:

Brian Behlendorf wrote:
None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don’t get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you’d just slipped more money into their pockets they would have written more secure code.


Any senior programmer knows that the only perfect code is the one which doesn't exist. No program can be perfectly functional, performant and secure. Security is one quality, and as for any quality, aiming for (guaranteed) perfection would require infinite resources. All professional senior programmers have at some point been under pressure to deliver, which causes us at times to ship without being entirely convinced by quality, and we know very well that security is one of the first aspects many neglect under too much pressure.

More money/resources definitely helps with all qualities, including security.

Alcohol's long-lasting effects, beyond Asians

admin Saturday December 18, 2021
Technically, the first electrical computer I owned was a Nintendo Entertainment System (NES)... quite a few years ago, while I was still in elementary school. Correspondingly, it might be fitting that the history of the Famicom/NES is not completely serious.
Masayuki Uemura wrote:
It started with a phone call in 1981. President Yamauchi told me to make a video game system, one that could play games on cartridges. He always liked to call me after he’d had a few drinks, so I didn’t think much of it. I just said, “Sure thing, boss,” and hung up. It wasn’t until the next morning when he came up to me, sober, and said, “That thing we talked about—you’re on it?” that it hit me: He was serious.

Germany and Canada: A sharp contrast in what democracy can be

admin Monday October 25, 2021

If your tracking of Canadian politics focuses on the Parliament's composition, you might not have noticed anything particular in September. If you also pay attention to the budget though, you may have realized we're now 600 million CAD deeper in the red. Yes, Canada had a superfluous federal election last month, which concluded with a surreal gem in Trudeau's speech:

I have heard you. You no longer feel like having us talk about politics or elections; you want us to focus on the work we have to do for you.


It may break our hearts to think most votes in this election were cast "for" parties which have no plan to fix Canada's governance. But rather than accepting cynicism, we can choose hope by looking at a very similar election, in a country which simply uses a much less disproportional system.

Understanding Afghanistan

admin Wednesday October 6, 2021

Afghanistan is unquestionably going through a disastrous period. It is not easy to see anything positive in this monumental waste.

Without diminishing the nightmare Afghans are living through, at least a remarkable report by Fabrice de Pierrebourg published in L'Actualité lets francophones put a balm on the wound by giving us the impression of understanding, in just a few pages.

Here's hoping we remember

What happens when an alternative currency becomes legal tender?

admin Sunday September 26, 2021

Some people think of "alternative currencies" as wonderful solutions to economic problems. But obviously, no currency can have any significant impact without becoming legal tender.

So what would happen if a country actually adopted an "alternative currency" as legal tender? Well, unless you're in El Salvador, you're in luck: it's already been tried.


December 2021 Update: There's even better news (that is, unless you still haven't fled El Salvador). If you were waiting for the occasion to test your great idea of building a city next to a volcano, someone else might do the job for you.

TIaspora

admin Sunday September 12, 2021

Number of young women (under 36) I know who do software development and were born...

  • in the Maghreb: At least 4
  • in Canada: Zero

Admittedly, the Maghreb is far more populous than Canada. Admittedly, Quebec has a large Maghrebi diaspora. But some conclusions still seem unavoidable. Either:

  • Canada is aging dangerously
  • or it no longer has that many lessons to give on gender equality!

Update 2022-06-01

  • in the Maghreb: At least 6
  • in Canada: Still zero!

Fully Free

Kune ni povos is seriously free, though not completely humor-free:

  • Free to read,
  • free to copy,
  • free to republish;
  • freely licensed.
  • Free from influence (Original content on Kune ni povos is created independently. KNP is entirely funded by its freethinker-in-chief and author, and does not receive any more funding from any corporation, government or think tank, or any other entity, whether private or public.), advertisement-free
  • Calorie-free (but also recipe-free)
  • Disinformation-free, stupidity-free
  • Bias-free, opinion-free (OK, feel free to disagree on the latter.)
  • Powered by a free CMS...
  • ...running on a free OS...
  • ...hosted on a server shared by a great friend for free