The public service is non partisan

As you may know I’ve recently started at CDS. CDS is part of the Treasury Board of Canada Secretariat, making me a civil servant. While I’ve had some fun blogging random, not really useful, thoughts about the current goings-on in politics I’m going to stop. While I don’t think they were partisan in nature (since they were pretty much all over the place), the default go-to for civil servants is to stay quiet publicly about their personal thoughts on politics. I actually think this is a good, and a very important thing. I think Canadians need to know that the folks in the civil service are working for the country (technically the Queen) and not working for a political party.

When joining the public service you take an oath. Part of it reads:

I solemnly affirm that I will faithfully and honestly fulfil the duties that devolve on me by reason of my employment in the public service of Canada

That oath is no matter what the government of the day is. And I intend to uphold that oath, no matter what the government of the day is. That’s why I won’t be posting any more musings on politics for the foreseeable future.

Starting a new job

Starting a new job is always a mix of nervousness and excitement. While you can’t ever extrapolate from one day, meeting the team at CDS and chatting with many of the folks there was very enlightening. My key takeaway is that there’s a lot of work to be done, a lot of processes to be improved, and technical systems to be updated. I think we have our work cut out for us and I’m really excited about being able to help make it happen.

Refunds as Brand Loyalty

When I started working at Automattic I did 3 weeks of support. One thing that struck me was our refund policy. Basically, whatever the reason, if the client wanted a refund and the credit card processor would let us do it, we would refund. No trying to convince them otherwise (we did try to fix any problems they may have had first, if any), no trying to sell them on another plan etc.

I’ve noticed that when a place offers easy refunds, I’m much more likely to buy things I’m not sure about. Two of those places that come to mind are Amazon and Home Depot. Home Depot is so great with refunds that my default is to buy more and return if I have too many. Now of course, sometimes I don’t return them and Home Depot made more money. Also they’ve become my default store for anything home renovations. Same goes with Amazon. It’s so easy and hassle free to return something that I’m much more willing to take a chance on an item I’m not sure of.

All that to say, if you treat customers right when something went wrong, it’ll probably pay off in the end.

Religion as Community

I was talking to someone who was previously what I’d call a militant atheist. They were very disdainful of religion (something I’ve at times been guilty of in the past). I was talking about how I recently viewed religion in a new lens, the “community” aspect. By that I mean that, for some, the critical aspect of religion is not the specific beliefs, but rather the sense of community you get. The benefit is that you have others who share the same general values as you.

And I say “share the same general values as you” but really, those values are often common to everyone. I’ve rarely met folks who didn’t want to treat others like you’d want to be treated, who didn’t care about others, or who didn’t want to make the world a better place. Maybe I’m being idealistic but I’d attribute those values to a large majority of people.

With a religious community, you’re primed to be kind to others in it. I don’t think this is limited to religious communities. Personally I feel it’s similar to meeting other Franco-Manitobans (and even now Franco-Ontarians), and I would suspect this also extends to other minority groups.

Maybe it’s the big city, maybe it’s the atheism, I’m not sure where, but I feel like we’ve lost that sense of community. Or at least, that it’s less prominent in my life personally.

It’s strange because, let’s say 50% of folks share my values, those of being compassionate, of trying to make the world a better place for everyone, etc. Then why am I not starting from a place where I assume that’s the ones they share and treat them as part of my community?

Why is it that we’re not “primed” for doing the neighborly thing in the city? That without some (somewhat arbitrary) common ground we don’t assume the best intentions, or we don’t lead with compassion. Why are we (or maybe it’s just me) not primed for that outside of our niche community?

I don’t want this post to sound like I’m not critical of many aspects of religion. I feel that many of the religious scriptures of all religions can teach us a lot, it’s just that sometimes it seems like the ground crew implements it in ways that are sub-optimal.

But one thing religion has done well, is bring folks together. Whenever someone was going thru tough times back home, everyone would take turns cooking suppers, babysitting, help with construction after an unexpected accident, etc.

That feeling of community is something I want to focus on in the next year. Of building and fostering a community of friends. If you’re interested in joining, let me know :).

Brand Disloyalty

I still remember vividly that day at Scotiabank. I had just started university and wanted a line of credit for my small business. I had my business plan, which was allegedly important, and met the manager. I was looking for $5000 and my father was willing to co-sign. He was not interested and for all intents and purposes told me to stop wasting his time.

The funny thing is now a decade later. Scotiabank really wants me as a client. Mortgage, credit cards, even lines of credit. I suspect that I make banks money now. I have a good job, have a house and some investments. But I’ll never bank with Scotia.

If you have a really big business, I think you need to be careful in not pissing off future clients. Maybe it wasn’t worth that manager’s time then, but if you didn’t care about me then, I won’t care about you now.

Mindful eating

5 years ago I started what’s basically the slow carb diet. Not really a diet, but a lifestyle change since it’s not just a temporary restriction of certain foods, but rather removing most / all processed foods, cutting out sugar as much as possible and if eating carbs, focus on things like legumes or whole grains.

It’s worked great, I’ve lost ~45 lbs since starting it and have been able to stay there.

While that really helped me get to a healthy weight, I still have a few problematic eating habits. Mostly around eating for no reason. By that I mean, overly snacking on food when I’m not really hungry. I was able to shift my snacking from eating large amounts of nuts or fruit to eating large amounts of vegetables (peas, pickles, salsa, etc). Now that’s much healthier but didn’t really deal with the deeper issue.

That’s fine as I’m a big fan of incrementalism and think it’s unrealistic to try to break all your bad habits at once. Now that I’m at a better place I’ve joined Nerd Fitness and my current focus is on mindful eating.

The idea is that now instead of just going for the fridge when bored, I ask myself, “Am I actually hungry? Or is it just that I’m not so full I could stuff more things in my stomach?”. I then also don’t multitask when eating. No listening to a podcast, no watching a YouTube video, no working or reading emails, all I do is focus on eating.

It’s interesting and I still have lots of progress to make. I just ate a bunch of pickles and I’m pretty sure I wasn’t hungry, just looking to procrastinate.

I think I’ve set some good systems in place to help me (and a reward if I stick to this for 3 months). Hopefully in a few months time I’ll be able to understand my hunger better and react better to it.

If you’re interested in nutrition, particularly the psychology of it, I’d strongly recommend reading Xi Zhang’s blog on the matter: https://ithinkthereforeiovereat.blogspot.com/ she actually has qualifications to talk about this, as opposed to me who just rambles about things that have worked for me.

Phone Notifications

I’ve decided to disable all audio notifications on my phone. No more beeps for anything except calendar appointments. Chat, text, email, slack, apps, etc.

All that stuff should really be asynchronous. I don’t need to stop what I’m doing every time someone posts a comment, sends a message etc.

I get distracted way too easily by a beep and it breaks my flow. If something is really time sensitive people can call me (I feel old writing this).

So, if I don’t reply to your message quickly, I’m not ignoring you, I’ve just chosen to shut off all notifications.

If you see suffering, don’t feel sorry

I’ve straight up copy pasted that title from Maria here. I really enjoyed the blog post. I recommend reading all of it, but the tl;dr is this:

If you see someone go through a hard time, don’t feel sorry for them. It deprives them of agency. If you say you’re sorry, you’re saying they’re unable to deal with what is happening.

People are much wiser and stronger than we think. They have the power to use whatever challenge they’re facing as a tool for growth. The best you can do is to be their cheerleader. Say, I know it is hard, but I know you can make it.

WordPress Security (Or why you should code like a paranoid squirrel)

When I was at VIP we always argued for a very tough stance on security. To the point that we’ve been criticized for being over-zealous on escaping, permissions checking and nonce checks.

I understand many of the arguments made against enforcing late escaping. The one I understand and can empathize with the most is the one that goes something like: “If we just enforce rules without understanding the context, folks won’t understand why and when they really need to escape”. That’s a valid point, but I think it doesn’t work in terms of a large scale project. Be it your plugin or theme or even the WordPress project itself.

There’s often talk about two models of security. I’m sure they have better names but I call them the “Fortress” and the “Onion” model. The fortress being, that there is this one “moat” that protects the code. So internal functions for example can rely on the code being passed to them as being safe. The Onion model is kinda like if a paranoid squirrel wrote code. Every function should be suspicious of what it gets passed and doesn’t trust any other functions. I’m not sure where the squirrel fits in with my analogy to be honest, but I liked the thought of picturing a paranoid squirrel.

With that in mind, I would argue that the WordPress code base is currently not resilient enough to attacks as it often makes assumptions about the data passed to its functions. A good example of this is the latest security release (5.1.1) that patches this: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

The offending code is this:

foreach ($atts as $name => $value) {
    // $name and $value are concatenated straight into an HTML attribute,
    // so a value containing a double quote can close the attribute early.
    $text .= $name . '="' . $value . '" ';
}

Anyone who’s done work with the VIP team will quickly see that this code violates the policy of “Always Escape Late”.

We would have had you rewrite that as:

foreach ($atts as $name => $value) {
    // Escape at the point of output, regardless of where $atts came from.
    $text .= esc_attr( $name ) . '="' . esc_attr( $value ) . '" ';
}

So you would think this is an easy fix right? Just replace all the instances where we’re not late escaping to escape late. But I suspect that if I were to go thru the codebase and change all instances flagged by the PHPCS WordPress ruleset (and the VIP ruleset), the patches would be rejected.
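To make the difference between the two loops concrete, here is an added, runnable example (my own illustration, not code from WordPress core or from the RIPS write-up). It rebuilds both versions of the attribute loop as functions, feeds them a constructed attribute value containing a double quote, and parses the resulting markup with DOMDocument to count how many attributes the anchor ends up with. It assumes plain `php` on the command line outside WordPress, so it defines a minimal stand-in for `esc_attr()` (a thin wrapper over `htmlspecialchars`) only when the real function is not loaded.

```php
<?php
// Added example: late escaping of HTML attribute values. Not WordPress core code.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr() so this file runs outside WordPress.
    // It HTML-encodes quotes, <, > and & so a value cannot end the attribute it sits in.
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// The vulnerable pattern: trusts $atts ("Fortress" thinking).
function build_anchor_unescaped(array $atts)
{
    $text = '';
    foreach ($atts as $name => $value) {
        $text .= $name . '="' . $value . '" ';
    }
    return '<a ' . rtrim($text) . '>link</a>';
}

// The late-escaped version: every value is escaped at output, no matter its origin ("Onion" / paranoid squirrel).
function build_anchor_escaped(array $atts)
{
    $text = '';
    foreach ($atts as $name => $value) {
        $text .= esc_attr($name) . '="' . esc_attr($value) . '" ';
    }
    return '<a ' . rtrim($text) . '>link</a>';
}

// Parse the markup the way a browser would and report how many attributes the <a> carries.
function count_anchor_attributes($html)
{
    $doc = new DOMDocument();
    // Suppress libxml warnings for fragments; we only care about the parsed tree.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_use_internal_errors($previous);
    $anchor = $doc->getElementsByTagName('a')->item(0);
    return $anchor ? $anchor->attributes->length : 0;
}

// Constructed sample input: the title value closes the quote and smuggles in an extra attribute.
$atts = [
    'href'  => 'https://example.com/',
    'title' => 'x" data-injected="1',
];

$unsafe = build_anchor_unescaped($atts);
$safe   = build_anchor_escaped($atts);

echo "Unescaped: $unsafe\n";
echo "  attributes parsed: " . count_anchor_attributes($unsafe) . " (expected 3: href, title, data-injected)\n";
echo "Escaped:   $safe\n";
echo "  attributes parsed: " . count_anchor_attributes($safe) . " (expected 2: href, title)\n";
```

Run it with `php escape-late.php`. The unescaped loop lets the constructed `title` value terminate its own attribute and add a third one to the tag, which is exactly the attribute-injection class the 5.1.1 release addressed; the escaped loop keeps the quote inside the `title` value, so the browser sees only the two attributes the caller intended. The point of writing `build_anchor_escaped` this way is that it does not need to know whether `$atts` came from a trusted caller, a database row or a comment form: escaping at the last step makes the function safe in every one of those cases.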

The thinking, from my experience and my assumptions, would be that this could break backwards compatibility. A noble cause indeed. There is something to be said to not touching code that doesn’t “need” to be touched. It’s quite easy to introduce bugs or unintended consequences when adding escaping. It’s also possible that the escaping wouldn’t help or, in a small subset of circumstances, would make things vulnerable.

All this being said, I know from having seen how the sausage is made that it’s much more complicated than what may be interpreted from reading this blog post. I want to make sure it’s clear that what I’m suggesting in regards to WordPress security is not actually as easy a solution as this brief post may make it out to be.

There are many smart people who are working on this and they have a challenging task. I suspect my experience with enterprise clients has coloured my opinion in preferring security over backwards compatibility. Very good arguments could be made that if folks do not have confidence in the automatic updates (because of broken backwards compatibility) it would leave more users at risk than patching code that _may_ be a problem in the future.

But one thing I think is clear. If the code had proactively been written to late escape, no matter where the data is from, we wouldn’t be in this situation. Hence, for all new code that you write, think of being like a paranoid squirrel. It’ll make your job way easier in the long run.