Loading...
 

No Food for Thought

Food is something you should provide to your brain long before coming to this blog. You will find no food recipes here, only raw, serious, non-fake news for mature minds.

FOSS Security, and Transparency at the Linux Foundation

admin Saturday March 13, 2021

In December, the Linux Foundation released a report on its 2020 FOSS Contributor Survey. The most important and discussed takeaway was weakness in security (Need to Increase Security). At the core of that finding is that section's very first paragraph, which starts as follows.

Linux Foundation wrote:
One of the survey goals was to understand the state of security in FOSS, and indeed it found that respondents report spending very little of their time on responding to security issues (an average of 2.27% of their total time spent). Moreover, the respondents do not report a desire to increase this significantly; in fact, the average of percent of time reported they would like to spend on security was only 0.06% higher.


These figures are obviously eyebrow-raising. The flagrant error in the figure number right after in that same paragraph surely doesn't help trusting, so I checked. Unfortunately, the report gives no explanation at all about how these figures were computed. And I couldn't reproduce these figures interpreting survey data.

But my third surprise would be even greater. I checked what others were saying about the topic - and found nothing. Not because no one questioned or challenged, but because the Linux Foundation provides no means at all to report an issue in that report.

That is right. The report indicates it was updated to fix errors, but suggests no way to report remaining errors. And that's
just the tip of the iceberg; the Linux Foundation, in general, does not offer any system to track its issues. Nor does it even offer any forum to discuss such matters. Its tens of mailing lists are all project-specific. That, from an organization which suggests greater transparency, no further than in that very report… if FOSS is short on security, it sure isn't on irony!

The ultimate surprise would take a little longer. Having no other option, I questioned the foundation in the only possible way, via its contact form:

Regarding the Report on the 2020 FOSS Contributor Survey, how do you translate survey data into the figures in the first paragraph of section 2. Need to Increase Security (High-Level Takeaways & Suggested Actions, page 31)?

The form didn't even send me a copy of my message. But it said I would get a reply within 2 business days.

I have been waiting for 3 business weeks.

I will of course update this as soon as the Linux Foundation replies. But until the foundation is built on stronger foundations, none of its publications should be taken at face value.

The Hacktivist's ABCD

admin Saturday February 27, 2021

This week I witnessed an exchange on KDE's community mailing list. Someone made a reasonable request, quite decently formulated. Someone else, who visibly didn't appreciate that request, sent a reply which could easily have sparked a heated debate.

Thankfully, one respected elder intervened before the discussion degenerated.

Eike Hein wrote:
Come on everyone, we can do this much better.


So far, this may seem boringly familiar to those into online social production projects. In fact, the problematic reply wasn't even particularly inflammatory.

What I found striking is that the diskussion didn't involve random people. All of the 3 previously mentioned participants master the discussion's language (English) and are recipients of Akademy Awards. In fact, as recipient of a 2013 Akademy Award, Eike Hein was one of the judges who awarded the problematic participant with his own award the following year. The problematic participant is neither particularly young, nor new to social production or even KDE, with over a decade of involvement in KDE. The most striking was to see that this fairly experienced kontributor, who was rhetorically but clearly complaining about excessive load, had−ironically−replied not even a ½-hour after the request.

But a small research showed that my surprise could be partially rooted in a cultural difference. French-speaking kids are taught to "turn their tongue 7 times" before speaking. But the Anglosphere having apparently no equivalent proverb, perhaps it is less surprising to see an adult New Zealander without such a notion. So I thought Hein's reaction could be specified.

The Art of Boringly Calm Discussion

While the following initially felt too childish to share, I remembered I developed my current habits through years of experience. So I thought sharing the more elaborate−although still obvious−following approach, applied to the context of online collaboration (on free software), could speed up that development for some readers.

I am not sharing my exact program, which−having to run on a ridiculously old host−required highly dirty micro-optimizations, but the pseudo-Java code for my generator of boring replies, hereby released in the public domain. Sometimes, the generator saves time by saving from having to write at all, but its main benefit is to improve communication quality.

import HumanEmulation.Feeling;
import HumanEmulation.Judgment;
import Life.*;
import Internet.Message;

// FIXME: Unlikely to build without --leniency=max

public class FingerSaver {
    public static void main(String args[] ) throws Exception {
        Message incoming = Message.getLatest();
        incoming.read();
        if (! incoming.replyWarranted()) {
            System.exit(Feeling.HAPPY);
        }
        if (incoming.isUrgent()) {
            incoming.processRegular();
            System.exit(0);
        }

        Thread thought = new DeepThinker(incoming);
        thought.start();

        // If we use Thunderbird with XNote++, we could store quick ideas about what to reply as a note.
        String skeleton = thought.getFirstReplyIdeas();

        Message initialVersion = null, previousVersion = null, latestVersion = null; // Reply versions
        do {
            if (latestVersion != null) {
                previousVersion = latestVersion;
                if (initialVersion == null) {
                    initialVersion = latestVersion;
                }
            }

            Integer tongueTurns = 7;

            feeling = Feeling.getCurrent();
            tongueTurns = tongueTurns + feeling.getAnger();

            /* Increase quality proportionally to the number of readers
            Also reduce collision risk
            TODO: Make logarithmic rather than linear */
            tongueTurns *= Message.getPeopleInDiscussion();

            if (Message.isEmail()) {
                // We won't be able to delete or modify our message if we send it too fast, so better play safe.
                tongueTurns *= 2;
            }

            // Let our deep thinking thread do its magic while we're eating, showering, training, commuting, etc.
            thought.ponderForHours(tongueTurns);

            wait(); // It may take some more time before HumanEmulation wakes us up if we're busy or not feeling good.

            Array<Message> repliesFromOthers = incoming.getReplies();
            if (! skeleton.worthWriting(repliesFromOthers)) {
                throw new Exception("We're exceptionally smart; we managed to let someone else do the job!");
                Life.enjoy();
                if (Life.getFreeTime()) {
                    /* If we saved so much time that we're now feeling guilty about having some free time,
                    use it to attract new recruits in our team.
                    This should be easier now that our team has quality communication
                    and looks like a growth opportunity for prospects,
                    rather than an immature and overwork-frustrated crew. */
                    recruitNewColleagues();
                }
                Feeling.stress--;
                System.exit(Feeling.HAPPY);
            }

            incoming.read(); // WARNING: moving this out of the loop will NOT optimize!

            /* To be truly evil, if others already made some of our points, remember to thank them,
            to encourage them to keep doing our job in the future! */
            // We usually store a reply as a draft in an MUA.
            if (latestVersion == null) {
                latestVersion = incoming.generateReplyFromIdeas(skeleton, repliesFromOthers);
            } else {
                latestVersion.readCarefully();

                /* If the sender discussed a valid problem and it's necessary to discuss timeframes,
                we can use this opportunity to try enticing them to help
                mentioning that more *skilled* manpower would speed up. */
                latestVersion = incoming.reviewReply(latestVersion, repliesFromOthers);
            }
        } while (previousVersion == null || ! Judgment.areSimilar(previousVersion, latestVersion));
        Message reply = latestVersion;

        if (reply.getValueToReaders() < reply.getCostToRead()) {
            System.out.println("Aborting due to negative net value");
            System.exit(1);
        }

        /* We ended up having to reply anyway, but at least, if others replied first,
         we have less to write, and we let them do some research and practice their writing skills,
         so we get left with even less on our plate next time.

         And the best part is that with all these tongue turns, we're more likely replying during the weekend,
         which means it's more likely recipients will read us on a weekend and will have a cooler reaction,
         even if they're lacking FingerSaver! */
        reply.send();

        /* If we're lucky, our reply was exhaustive and boring.
         We won't need to answer follow-up questions or clarify/justify what we wrote.
         So we shouldn't be back here for a while, but play safe. */
        sleep(A_BIT);

        /* Wow, we managed to write an incredibly insightful reply,
         which makes us look much more brilliant than the stupid program we're using!
         With all the time we saved, we can integrate the people who will volunteer to help us.
         And in case these take some time to show up, while they're digesting the full extent of our genius,
         we can validate that our issue tracker properly reflects our load level,
         and if it's really urgent, call for help. */

        Feeling.stress--; // We won't have to defend having said something stupid.


        /* We're bad judges of our own emotivity, but we can at least see how much we improved
         to estimate the minimum emotivity we were under. */
        Float climateChangeReductionFactor =
                Judgment.getFlammability(initialVersion) / Judgment.getFlammability(latestVersion);

        /* In case our initial reaction turned out excessively inflammatory,
        adjust our system's balance between longevity and performance. */
        System.throttleByFactor(climateChangeReductionFactor);
    }
}
// TODO: Expand to help truly healing from burnout. At this point, this only aims to help with overwork.

Crash

admin Wednesday February 17, 2021

4 crashes in 1 year
In this millennium, that's most likely the cost of a somewhat rushed software development. But in 1944, that was apparently the cost one could pay to survive war. And for a pilot to get a lifelong legacy, including a well-deserved nickname.
Thanks to the CBC for the incredible story of Reg "Crash" Harrison, and for relativizing my crashes

New Nova Scotia Law Gives Hope North America Could Heal Itself

admin Wednesday January 20, 2021

5 years ago, I started a dangerous boycott of Quebec's organ donation system. Thankfully, I am still alive, and did not kill anyone yet.

And more importantly, the chances my death won't kill anyone else are increasing, now that a new tissue and organ donation law went into effect in a neighbour province. Since January 18th, donation has been opt-out in Nova Scotia.

Unfortunately, that news taught me that this is a first in North America. This world may have a deadly addiction to egoism, yet according to CBC, there is already talk about following Nova Scotia's lead in another province, no other than Alberta.

Here's hoping Quebec can stop deifying individualism just like it is doing with the SARS crisis and show it has enough hearth not to finish last in this marathon.

New Religion

admin Sunday January 3, 2021

Most religions appeared during history, but not recently. We do have accounts of how that happened, like the Bible, but it's not so clear who wrote what when, nor what exactly was written before time and translations altered the texts.

The birth of a third millennium religion constitutes a great opportunity to study how religions were designed and adopted. The Internet and all of today's technological means make its deities much clearer. Technology also gives many more high-quality records of how it spread. But analyzing these still requires skilled historians.

That's where Jesse Frederik, economics correspondent at De Correspondent, comes in. His mission?

Jesse Frederik wrote:
I want to show how seemingly minor policies have the biggest impacts, while examining overhyped narratives in politics and the news.

And delivering on this promise, Frederik offers Blockchain, the amazing solution for almost nothing. As I couldn't have written it better myself, I am happy to designate it as the third and final episode of No Food for Thought's crhypeto trilogy.

"Pilot Error"

admin Sunday December 20, 2020

The crash of Lion Air Flight 610 and the resulting 189 deaths raised quite a few questions. Understandably, a lot of suspicion went towards the plane's manufacturer. But Boeing had much luck in those circumstances; what better target for deflecting blame than dead pilots? And indeed, this crash was initially blamed on pilot error.

Unfortunately for Boeing, the flight had a few survivors: its flight recorders ("black boxes"). And with hundreds more equally flawed planes, 5 months later, when an equivalent failure caused a second "737 Max" crash, Boeing's cover-up blew up. In March 2019, an article by the New York Times already made the existence of MCAS (the Margins and Casualties Augmentation System?) public, and the technical causes of these catastrophes were already mostly known.

Ultimately, it's clear these catastrophes are attributable to governmental failure, after the FAA outsourced safety verifications... and not to independent parties, but to parties paid by manufacturers. Thankfully, Canada's government hasn't given up on all its responsibilities yet, as a remarkable The Fifth Estate episode shows. Congratulations to Terence McKenna and the CBC for managing to deliver such a remarkably both technical and emotional picture in just 24 minutes.

The episode from The Fifth Estate is a little too short to fully cover the technical issues, but I recommend others who are curious about these causes and who are passionate about software and security to read the IEEE Spectrum's How the Boeing 737 Max Disaster Looks to a Software Developer, a detailed explanation of the surreal design failures which culminated in these catastrophes. It would be sin not to thank Gregory Travis for writing an accessible explanation which is nevertheless comprehensive in all aspects, either technical (mechanics, redundancy, autopilot, user interface and engineering), historical, social, economic or political. Even though The Fifth Estate's episode had brought me to tears, Travis's careful writing and - having seen quite a few times in my own experience the same patterns he describes - his description of the accumulation of mistakes managed to give me a good laugh.

No bugs, but no design

Despite what the Times article and others may suggest, there is no real "error" which contributed to these crashes. Clearly no pilot error. But also, no defective line of code, nor any kind of software bug. The software behaved as it was intended to behave. All there is are a couple predictable sensor failures, and more importantly, systemic negligence. The wrong engineers influenced by the wrong managers, blind to the few who did manage to foresee what would happen. The wrong people managing critical systems, all under the watch of clueless (or partial) supervisors.

To make a parallel with wheeled vehicles, the "737 Max" is a motor vehicle with a single brake. There is nothing broken in cars which have a single brake. In 1900, owning one would surely have been a great privilege. In 2016 though, there were few ambulances relying on a single brake. And if a hospital was forced to rely on one, you'd expect paramedics driving it to be warned and trained to use it as a last resort only.

Lessons

As outrageous and irresponsible as all this may be, I am not an advocate of market intervention. Governments don't necessarily have to inspect and certify planes themselves. It is unavoidable for airlines to cause negative externalities at times. But if they do, those flying need to accept to internalize these risks. Airlines and governments should warn each passenger and crew member about the risk flying represents. And possibly prevent minors from flying on ridiculously unsafe planes.

Something needs to be done quickly to stop such patterns. Lives fly when you're crashBoeing.

2021-01 Update: Boeing Charged with 737 Max Fraud Conspiracy and Agrees to Pay over $2.5 Billion USD

Open Source Security Foundation

admin Sunday December 13, 2020

A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature. Just like I had done a few years ago about the Core Infrastructure "Initiative", EU-FOSSA's private counterpart.

That is why we can feel very grateful once again to the Linux Foundation's Jim Zemlin for setting up OpenSSF, replacing the CII this year. Not only does the Open Source Security Foundation lose the "initiative" in its name, but it really is a lot less reactionary, established as a permanent project:

OpenSSF FAQ wrote:
The CII was funded largely by grants, OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives. The CII’s ongoing work is being transitioned to the OpenSSF, and we expect that the CII will eventually be dissolved as the OpenSSF replaces it.


A lot has changed since Heartbleed. The next challenge would be to see security efforts more integrated into primary software projects, rather than in secondary projects, still somewhat reactionary afterthoughts.

Here's hoping for truly organic security (which doesn't prevent external security assessments)

Update

Wanting to become more universal than the CII, OpenSSF is facing a serious challenge: prioritization. By trying to become neutral, it appears it's so far risking its auditing efforts to be irrelevant, with its current method computing Qt's criticality as way lower than... some Bitcoin software cry And beyond noting that the current metrics are broken, I don't see an easy fix without completely changing the approach.
Here's hoping common sense prevails

Preventing Corporate Success

admin Sunday December 6, 2020

Lack of supply is a problem Western states take very seriously. A lot more than the weight of excessive regulation.

So when a market is lacking suppliers and failing to satisfy consumer expectations, what are governments to do? Increasing supply would of course address the issue, but come with challenges and take time. The better (or at least much more popular) option is attacking existing suppliers. Obviously, doing so, the issue is worsened. But using anti-competition legislation, at least, the "solution" is simple, quick, and puts pressure on suppliers rather than on those who could help. It goes without saying, the best part is giving the impression that the government is doing something about the problem... and the ultimate bonus: stealing funds from the most successful suppliers and moving them to the state!

If you thought excessive regulation would at some point trigger a move towards balance, you must resist wishful thinking. In reality, excessive governmental regulation is causing businesses to create even more regulation in response.

Now let's be clear - it is obvious that Google expected the existence of “Five Rules of Thumb for Written Communications” to become public. But is that reason enough not to take the occasion to pause and reevaluate our direction?

Congratulations, Google, for this unsurpassed valuable move to not only alleviate the impact on you, but also try to kill dominant fallacies enhance the environment for the interest of all markets best

Fully Free

Kune ni povos is seriously freethough not completely humor-free:

  • Free to read,
  • free to copy,
  • free to republish;
  • freely licensed.
  • Free from influenceOriginal content on Kune ni povos is created independently. KNP is entirely funded by its freethinker-in-chief and author, and does not receive any more funding from any corporation, government or think tank, or any other entity, whether private or public., advertisement-free
  • Calorie-free*But also recipe-free
  • Disinformation-free, stupidity-free
  • Bias-free, opinion-free*OK, feel free to disagree on the latter.
  • Powered by a free CMS...
  • ...running on a free OS...
  • ...hosted on a server sharedby a great friend for free