Brew like a poor man, not like a hipster

Picture this: when times are hard, you've got the fat cats who want to make money off the backs of the destitute by calling our common habits vices. Except that, being filthy rich, they pay for their indulgences in the form of taxes, but you're broke, and you find that posh. So you want your booze at 10 cents/litre/%. In short, cheaper and better than La Villageoise or Bavaria 8.6.

Then you remember it's an old problem, and that your great-grandfather, who emigrated from Belgium to France, had it too. And your grandfather, he went for cider.

Actually, not really: according to customs, he went for apple beer.

Psst, technical point: according to customs, cider and beer are distinguished by the yeast used, which changes the taxes. But if, like me, you don't have 2000€/3000$ to throw away on taxes to do business, you don't give a damn about customs, the chambers of crooks and the rest.

Cider is Saccharomyces uvarum, a yeast that is at its optimum at low temperature but a pain to obtain,
Beer is Saccharomyces cerevisiae, which is easier to work with ... at high temperature.

My baker likes me: I bake bread, and I get hyperactive baker's yeast (Saccharomyces cerevisiae) as long as I hand him some of my bread. So I only pay for the juice.

OK, I'm nice, here's the recipe

Preparing

Right, okay, my carboy isn't kosher, but it's stainless steel. A bit of silicone, some aquarium tubing and a few pinches of inventiveness, and you've made yourself a carboy on the cheap.

You've got 7 litres going in, one 7 l reactor, 7 g of super-active baker's yeast and 7 bottles coming out: you're so ready.

Well, every job starts with cleaning, so, believe me, you clean your bottles. I'm not talking about buying the 3€ hipster stuff to clean 20 bottles; I'm talking about not using any fucking soap unless you like having the shits, and about making sure your bottle has no deposit. Water, eye, elbow grease and nostril. Me, I recycle spring-water bottles because I know they hold 140 PSI.

Take me for an idiot, but knowing what is clean is 80% of the know-how. Making alcohol is the wimp's part. Not killing (yourself) is rather more important. You don't like cleaning? Then just forget the rest; whatever your trade, coder, mechanic, mason, brewer, you know what cleaning is.

So if you're a slob, give up on making alcohol.

So, while you're bottling...



You reactivate your yeast: hot water + yeast + sugar + 10 min.



For me it's warm, but not too warm, with sugar.

You mix it in your tank with juice, sugar and the yeast.

You check that your fucking reactor is fucking airtight, because you don't like having the shits.

You adjust at a rate of 17 g/l of sugar per 1% of alcohol, because Chaptal is your friend. Yeah, it's cheating, but I don't keep my costs down by being cute. My juice is at 100 g/l, so 5-6% to start with; to get hammered, according to Chaptal, I therefore have to add 100 g/l. Bear in mind that the more sugar you put in, the longer your yeast takes.

PS: don't go putting in 10 kg/l; if you reach 20% you're happy, but it takes you time. Believe me, aim for 12%.

If you're a fucking hipster, you suck your own dick so hard in self-love (don't bug me about genders, adapt) that you own a hydrometer; me, I judge the alcohol using guinea pigs in my family: brother, wife, parents, children, nieces and nephews (children are good at detecting anything that is <5%).

When my carboys/demijohns stop bubbling, I bottle.

Then, to get a kind of champagne/beer/cider effect, I add a liqueur at 3 g/l to make bubbles before sticking the cap on.

You don't want to die?


Alcoholic fermentation happens without oxygen (anaerobic). Me, I dip my aquarium tube into a bottle of water after checking that my carboy is airtight.

Friendly advice: do the same.

Results

It's been going for 500 l for me, and Chaptal and Lavoisier seem to be right.

I don't pasteurise, because it's cool (except for my pregnant wife, who can't taste it), notably because of how the taste changes with ageing. Getting a 6% alcohol takes 1 month, 12% takes 3 months; the returns are diminishing. According to the literature, the maximum obtainable is 23%, and depending on the alcohol it takes up to 5 years (mead with barely diluted honey) for ~20% with nothing added from outside. In short, if you want to make your own alcohol, you've got quite a lot to discover, because even though everyone has been doing this for ~3000 years in Europe, you've got ~0% sharing.

Professionalisation vs Craftsmanship

While studying my next topic, the cathedral builders, something struck me.

How masons were structured in order to ensure they were well paid.

Basically masons were the first unionized jobs, and were making sure to keep the knowledge and practices in the realm of the corporation.

It may seem weird to speak of a single entity when the masters were actually in competition for chantiers, and deadly fights were common between masons.

The masons put great stress on the fact that a good worker was acknowledged by his tools, and mostly by his «oeuvre».

Being a mason as defined by my great father is «the art of building a straight wall». No more no less.

As if coding was the art of making «code that works», or being a musician «music that gathers the crowd».

Being a mason in the Middle Ages required, first, an apprenticeship, sometimes in multiple workshops, which was then validated by a «chef d'oeuvre» (masterpiece): making something innovative that proved you had both mastered the practice and understood how to make your job evolve.

Karl Marx calls these two aspects the doxa (knowledge) and the praxein (practice). His theory is that the capture of the knowledge by the capitalists made it possible for them to also get most of the added value.

A fully fledged worker had mastery both in doing and in making the best practice evolve, in a peer-to-peer relationship without centralization.

Then on a «chantier», among the other «corps de métier», masonry being the limiting factor for the others, masons would often lead the coordination of the «chantier», being the first de facto architects.

Compared to our modern era, you see a «craftsman» so strong he does manage the project of building a cathedral.

If being a rockstar ninja mason has to be measured by the results, these cooperating lads were ninja masons.

So here is my scheme:
Masons were learning both how to learn and how to have a consistent future of executing, mastering, and managing teams...

Actually, the working and learning look a lot like what ISO 9001 formalizes as Implementing Quality Assurance.

Quality Assurance of his own work used to be the charge of the worker and the origin of better pay for the workers. Acting being Doxein, Doing being Praxein.

Then, the industrial revolution came, and Napoleon and his successors introduced the modern school system.

Manufacturers were complaining, especially in 1848, that craftsmen were hard to manage: they had the knowledge and were skilled but, knowing how the value was made from the clothing, they disagreed with the sharing of value, saying bad words such as that they were being robbed.

Worry not, the soldiers fired on them, their skills were studied and then taught at school. And, to prevent the craftsmen from coming back on the market, the only way to have the right to do your job was through the validation of a diploma.

Can a job, a work, a craft be taught at school? Maybe, but bear in mind that the first thing schools teach is a lot of knowledge in their one best way, which cannot be reformed unless you choose to be a teacher without going to the workbench. Know-how -doxein- has been de facto stolen from the ones who know.

Innovation comes from making the practice evolve. Nowadays, it is not the workers who are valued; it is the company that captures the knowledge, thanks to PhDs, universities and funding.



The workers have all been literally emptied of the core value of their job: being able to craft, being recognized for their work and making their practice evolve. They don't have a know-how that belongs to them; they basically just learn to follow orders.

Management has also removed the autonomy of the workers, while job advertisements all search for these autonomous, flexible workers able to make decisions.

That's what the debate of professionalization vs craftsmanship is all about: who is valuable, the worker as a member of a company or as a craftsman?

In my opinion, doing work of quality means learning the whole process; Doxa and Praxein cannot be separated.

I am not a professional coder, I am a craftsman coder.



Of treason and costs: security companies are threat 0

Before making a security policy, one is always told to make a threat model.

Basically it is a cost analysis: as if you were building a measurement system, you put the losses and benefits on both sides, securing and not securing.

For instance, protecting .25$ non-cumulative coupons with a 50$ protection per coupon is stupid if it applies to items costing 15$.

But the problem with a threat model analysis is that it is centered on the one who pays, who may have an interest in betraying the other stakeholders.

Take the case of Carlos Ghosn, the head of Renault. Since he is French, most people think his loyalty is to his country, thus to Renault. However, his pride is Nissan's recovery. And he led the merger of equals in disguise called the Renault Nissan Alliance. In M&A (fusacq) culture, mergers of equals often result either in a split after a culture clash or in one company absorbing the other through strategic leverage.

If I was asked to secure the Renault infrastructure by Carlos Ghosn, I would take great care to firewall him. Because there is the man and the function. He can sign as a person, but he is the head of Nissan and Renault and of the Renault Nissan Alliance, and according to the success of any of the 3 distinct entities he may have different financial incentives.

And which one of the 3 positions will be paying you?

He has an obvious win to make in an N-turn betrayal game (Nash).

It seems kind of crazy, but your biggest threat might be the one asking for the audit. We are all incentivized and given ease of access to certain analyses according to who pays. And the one who pays can also turn down your analysis.

I know that, when conforming to auditing best practices, if another audit company can ever argue your plan is biased, then you may lose your certification.


The problem in France is that Renault has proven to be above the law, with great lobbying power (Usine Nouvelle, fr). Making an enemy of Renault's boss is a sure way to have a lot of trouble, and eventually lose your precious audit certification.

However, what itches me is that he is mandated; as such, he should be seen as a less than permanent stakeholder. Less permanent than all the workers, who have an incentive to trust the company and need the company to work.

In fact the case can be made for every CTO mandated by a shareholder. And also for shareholders, when we live in a time of high turnover of shares.

A temporary major shareholder can totally have interests in other companies, because diversification within a sector you understand is a common financial strategy, or a way of making costly expertise bear fruit.

So you may also want to firewall shareholders. But then you have a big headache: shareholders, who by ownership have a legal liability for the actions of the company, must also be guaranteed their droit de regard (right of oversight). Well, in fact, when I look at Volkswagen's Dieselgate, I notice it is not the shareholders that are being sued but the company itself. And even though computer security is supposed to enforce responsibility, it has turned into a vast joke of deniability.

As you see, my point is that computer security, in my opinion, always has a caricature of a vision of the organisation as its model. Hence the threat model does too.

In my opinion, a good threat model should always put the one who pays at the top of the threats.

The one who will have the most control (defined by the number of actions he can make others do but others won't be able to) is a systematic threat.

Asymmetric power systematically lowers the cost of treason; hence someone wishing for a secure system should always be safeguarded from violating the system.

Most -if not all- of the security models I have experienced in my life are hierarchical. The centralized hierarchical system mimicking the Catholic Church (the word itself comes from this organization: hieros = holy, archein = ruling) is an obvious cultural bias in security corporations. And so is the idea that one stakeholder has the True right to dictate the direction of an organization.

Some idiots think the peer-to-peer decentralized model is better. The decentralized anarcho-libertarian model is prone to net splits, aka balkanisation, with local decentralized networks spinning off.

Is there an alternative?

Well, of course there is: it is called Pokemon.

Pokemon's creators used the complex overlapping symmetries of particle physics to ensure a shifumi (rock-paper-scissors) with strong types, without guaranteeing any creature a total advantage, just like a complex shi-fu-mi Mexican standoff.

You could totally give balanced power to every stakeholder, with partial access to information, so that a total view requires the cooperation of the actors under reciprocal scrutiny, and even the watchers are being watched.

The problem, I guess, is cultural: I don't see a security company considering giving an underpaid worker, who can be easily corrupted, the power to fire a boss. But if the worker were paid close to his boss's wages, it would ensure more loyalty and less risk of treason.

But given that most security consultants are paid far more than underpaid workers, by those with an interest in being overpaid, they have an incentive not to propose a Pokemon kind of Mexican standoff. And so does the industry as a whole, subject to regulations influenced by lobbies.


And finally we identify the priority 0 threat absent from any threat model: the whole incentivization of the security business that is biasing the security model towards a systemic positive bias given to the one who pays... whereas he may be the one with the most incentive to betray.


Security vulnerability #1 is hubris

Once upon a time there was an amoeba, and zap, millions of years later we have human beings.

Not the greatest living beings, but very good at adapting and making tools.

And funnily enough we are not perfect; since our brain has limited capacity for memory and analysis, most of our reasoning is done by simplifying, abstracting, forgetting details to focus on the big picture, and sometimes doing the opposite.

In doing so we get very proud of our creations, and maybe too proud. Human logic is strongly biased by emotions, with the biased person strongly ignoring them.

Humans are imperfect, and so are our tools and abstractions.

We are easily confused, but due to Moore's law we are required to remember increasingly long and numerous credentials.

We are so proud of our tools, which we think are better than us, that we entrust mechanical turks with our secrets, bank account numbers, IDs. But remember that there are humans with physical access to the computers, the RAM, the hard drives, the screen. Yes, a screen can be photographed and leaked without triggering a single alarm in software. A cam can be used to watch you type your PIN code...

And also, at some point trading requires a physical delivery. What is the use of a globalized economy if your expensive electronic gadget made in a sweatshop does not get delivered to your house?
Delivered by someone so poor that he/she has an incentive to steal it, because it is worth more than days of his/her own wages. This is also part of the vulnerability surface.

Still, we are bad at seeing the world. Most security threats are about software, but the most efficient attacks come from humans.

When passwords are too long to remember, people will write them down, and physical attacks will be worthwhile.

When software is too complex, the dev/integrator may discard some complex part, because their project manager also did so under the pressure of time to market. Solving a problem by ignoring its complexity is not incompetence; it is just that we have imperfect knowledge on which we base binding business decisions. Or the person in charge may be overconfident and trust the project manager's obviously wrong claim that an NP problem can be solved easily.

Compared to the rest of the population, coders are living in a bubble of insane work conditions (don't get me started on this one), lack of diversity and economic security. Having a correct mental picture of who your users are is important: they can be blind, deaf, colour blind, poor, old, not sharing the exact same understanding of your culture...
Users can misuse software not out of malice but by being like every one of us: different from what the coder imagined. Exposing themselves to threats, and indirectly the environment in which your software runs.
Coders can be interrupted all the time, overloaded with noise (like meetings, bike shedding), with technological religious wars distracting them from the problem at hand. They might be experiencing a crunch and a lack of sleep.
The manic and busy industry standard of workplaces does not help; it is toxic.


Our complex software often requires workarounds. Degraded behavior of software is the norm. Imagine if planes were like software: it would be as if we casually expected engines to catch fire while on board. Our concerns in terms of quality are slipping because we have always experienced poorly working software as the norm.

Thus we overpromise and underdeliver in a virtuous circle of something we call progress. Making a huge industry of patching broken software on the fly. The security business being one of this kind. Imagine you'd buy a non-functioning car, and you'd find it normal to pay an external company to add extra soldering and a firewall for it to be safe.

In the computer industry, this is the normal state!

Our excessive pride is reinforced by our commercial successes, due to network effects and natural lock-in, which we see as proof of our natural genius.


Being used to anticipating catastrophes -I left Linux 3 years ago because of systemd and I am glad of it- I also notice that the IT crowd is the weakest link in security: their intuition is wrong, they are so proud of their work that they over-trust other people's work. They are patting themselves on the back so much, and shutting down all the pessimists, that they are making poor decisions on complex infrastructural choices, trusting themselves and everything new. They think they are over-informed. They are over-exposed to noise, they live far away from the population.

The «it's new, thus it must be good» has become a mantra since web 2.0. Valid approaches are being discarded as too old. A rush forward on immature technology, thinking that unknown risks are equivalent to no risks, trusting the process of growing and patching endlessly.

This is hubris.

The IT industry is the biggest security threat to our world, since physical locks, physical security, economic transactions, medical devices and cars depend increasingly on people who deny any legal and financial liability for the result of their actions and rush forward like headless chickens.

This is insane. We should finally begin to make laws requiring the software industry to be liable for its work, and ease class actions by software users to let the market get rid of the bad apples. Let the market be a free market, and in a free market we get rid of the bad apples by making them financially liable for the losses they induced.

That is the only way we will not head for a second internet bubble explosion.

How to systemize corruption in practice?

I used to live in proximity to Syrian emigrants who were bright persons. A decade ago they were telling us about the process of slowly growing corruption that was happening in Syria.

Syria in their eyes was slowly rotting because of it, and for them it was problematic that no one could stop the rot from growing before it could no longer be reversed. So, as opponents of the regime, they told us, the unbelieving French that we were, the story of their country, which used to be a place of good living, a story that could happen to anyone.

It begins, they said, by underpaying the public servants so that they have to either do a second job during their days or accept bribes. Hence, there cannot be any whistleblowers. Because otherwise they would be jailed ... for corruption. Putting people in the tu quoque mi fili position...

Then, with a dysfunctional public service, citizens rely on either bribing or calling on the political authority to solve problems. The citizens helped by the authority owe them a favor in return, like voting for the right persons, and become corrupted themselves, hence part of the corruption system. And now that they are relying on a corrupted system to solve their problems, they cannot be whistleblowers anymore.

And newspapers/governments were cheerleading the institutions and saying that any criticism was an attack against the country and its deserving workers/institutions.

Step by step, a slow, silent growth of corruption will rot the State, they said.

That's the moment you make fun of Syrians and say it will never happen in your country, won't it? We are the glorious râleur immortalized by Asterix.

Except today for me.

I have been back in France from Canada, as an expatriate, for almost one year. For one year I have been trying to get a social security number for my wife.

For one year I have been rising early in the morning to meet underpaid, overworked public servants in dire conditions.

In one year I have submitted her birth certificate 5 times, the official one and once the unified European one.

Every time it was refused because ... Poland uses coloured stamps, and they do not archive or examine the original papers they receive (and never send back); they check according to a poorly made scan that systematically erases the stamps. And they demand that the stamp be visible after the scan.

So I went to other administrative entities, which are helpless in the face of what they call a Kafkaesque situation. But where does this psychorigidity, which every Pole complains about in the public forums, come from?

Well, the administration in my local area gets its orders from the politicians. My own MP, who is very silent, has also made a report on «white weddings» (sham marriages) to the assembly and has been very adamant that the administrations should be held responsible for them, and should maniacally scrutinize the documents.

On the other hand, they have shitty tools to enforce the rules. Their network is often failing, their scanners are shit, and the overwork has induced the hiring of more managers to measure efforts instead of actual workforce for the task.

They are held in a condition where they cannot do their work correctly. I am also told that some persons whose political opinions lean towards xenophobic formations have seen these new measures as an encouragement to do more zealous work, resulting in slowly congesting the administration. A classical snowball effect.

So now, I have to indirectly beg the favor of a bypass to this situation from the same person who is the origin of my very own problem.

Needless to say, it pisses me off like hell. And it is not the only place where I have this kind of situation appearing. But I think a single well-exposed point is worth more than a hundred petty claims.

So, I am now living in a country turning into Syria. I will have to be indebted for a favor to a politician turning the country into a corrupted regime, and in order to have my situation resolved I will not be able to open my mouth, or else my situation will become worse. It sucks to be a Syrian from 10 years ago.

Happily, the French are bad at speaking English, so I use a foreign language hoping it will not be noticed.