Hasnain says:

More reporting on AirTag privacy concerns. This one stood out to me because this anecdote is just tossed in without calling this out as - IMO - a privacy violation:

“Mary Ford, a 17-year-old high school student from Cary, N.C., received a notification in late October that she was being tracked by an unknown AirTag after driving to an appointment. She panicked as she searched her car.

Ms. Ford only realized it wasn’t a threat when her mother revealed she had put the tracker in the vehicle about two weeks earlier to follow her daughter’s whereabouts.”

Hasnain says:

Great read. The fact that this was an AV vendor is really scary. I also appreciated the bit about not making bad code easily accessible even as an example.

"This code is such a bad idea, I’ve intentionally introduced errors so it won’t even compile.

...

I pointed out to the customer liaison that what the customer is trying to do is very suspicious and looks like a virus. The customer liaison explained that it’s quite the opposite: The customer is a major anti-virus software vendor! The customer has important functionality in their product that that they have built based on this technique of remote code injection, and they cannot afford to give it up at this point.

Okay, now I’m scared."

Hasnain says:

Feel good story of the day: I hope this one works out. No patent burden is huge.

“Hotez said because the Corbevax vaccine is cheap, has no patents and uses traditional protein-based vaccine technology it will be easier for other countries to mass-produce and distribute it.
"It's a similar technology used to make the Hepatitis B vaccine that's been made locally and all over the world for three or four decades," he said. "It really does check all of the boxes you would want for a global health vaccine."”

Hasnain says:

I continue to be a huge fan of SQLite and use it for all my side projects. Beyond what's discussed in this article, you can also easily implement custom functions in your app directly to implement efficient queries that would be really hard to do otherwise.

"On the whole, I think using SQLite is a good tradeoff for a lot of projects, including webapps that expect to have a potentially large number of users. As long as you don't expect to need tens of thousands of small writes per second, thousands of large writes, or long-lived write transactions, it's highly likely that SQLite will support your usecase. It significantly reduces complexity and operational burden and eases testing, with the primary downside that it's somewhat harder to get levels of availability and uptime that almost no one needs in the first place."

Hasnain says:

Great read - I learnt a bunch of history from this one.

“What stunned Manning, an Egyptologist, was that the paper recalibrated earlier chronologies by seven to eight years, so that dates of the eruptions neatly coincided with the timing of well-documented political, social, and military upheavals over three centuries of ancient Egyptian history. The paper also correlated volcanic eruptions with major 6th century A.D. pandemics, famines, and socioeconomic turmoil in Europe, Asia, and Central America. The inescapable conclusion, the paper argued, was that volcanic soot — which cools the earth by shielding its surface from sunlight, adversely affecting growing seasons and causing crop failures — helped drive those crises.

Since then, other scholarly papers relying on paleoclimatic data— most of it drawing on state-of-the-art technologies originally designed to understand climate change — have found innumerable instances when shifts in climate helped trigger social and political tumult and, often, collapses.”

Hasnain says:

This was such a good movie.

“But more importantly, they get the message of the film backwards. One reason that these reviewers think that message is an obvious one is that they miss all the parts that are not necessarily obvious. Indeed, the film does depict a media that is more concerned with celebrity relationships than with climate (or rather, comet) science. But it does not have a nihilistic view of Americans. Not in the least, and this is critically important to understand. In fact, the film depicts an idealistic, diverse group of Americans who try their best to protect the planet. Their lives are destroyed not because we are idiots but because those with power choose to delay, deny, and mislead, more interested in their own short-term gain than the future of humanity—in part because these people know that the catastrophe they have wrought will not have the same consequences for them personally. “

Hasnain says:

“That scenario needs to be confronted immediately, Snyder says: "It's right in front of our eyes. The most interesting and the most distressing thing about American news coverage right now is that we don't treat the end of democracy in America as the story. That is the story."”

Hasnain says:

Insightful read on COVID testing and vaccination programs and how it all played out behind the scenes

“The fury with which public-health experts greeted Psaki’s comments reflected their longstanding frustration with an administration that, in their view, has put almost all its focus on vaccinating the American public, at the expense of other critical aspects of the response, from getting shots into arms overseas to making high-quality masks widely available. The rapid-test push, in particular, seems to have bumped up against the peculiar challenges of fighting COVID-19 in the 21st-century United States. Difficulties include a regulatory gauntlet intent on vetting devices for exquisite sensitivity, rather than public-health utility; a medical fiefdom in which doctors tend to view patient test results as theirs alone to convey; and a policy suspicion, however inchoate, that too many rapid tests might somehow signal to wary Americans that they could test their way through the pandemic and skip vaccinations altogether. “It’s undeniable that [the administration] took a vaccine-only approach,” said Dr. Michael Mina, a vocal advocate for rapid testing who attended the October White House meeting. The U.S. government “didn’t support the notion of testing as a proper mitigation tool.””

Hasnain says:

“So, what could this rethinking of “The Biggest Loser” story mean for the rest of us, if we hope to keep our weight under control? First and most fundamentally, it suggests that abrupt and colossal weight loss generally will backfire, since that strategy seems to send resting metabolic rates plunging more than would be expected, given people’s smaller body sizes. When people drop pounds gradually in weight-loss experiments, he pointed out, their metabolic changes tend to be less drastic.”

Hasnain says:

“But law enforcement doesn’t always make such a request, and many survivors of crime don’t have the money for a lawyer to investigate separately, said Dodge, the California lawyer. He said for now the best way to counter tracking devices is to be aware they exist and of how they work. “

Hasnain says:

Yikes. And great read. I’m glad they went above and beyond to add more documentation here.

“We are disclosing two bugs that affect Feldman’s verifiable secret sharing within different threshold signature scheme implementations. These bugs are not a result of some novel analysis that could not have been foreseen; on the contrary, these bugs stem from one of the few known weaknesses of secret sharing. We highlight them today not only due to the number of affected vendors but also because they are representative of a whole host of critical bugs that stem from the same recurring problem in non-standard cryptography: a lack of documentation and guidance.”

Hasnain says:

There are times I read HBR articles and really enjoy the content and nod along; and then I read stuff like this which says ML and AI are extremely useful while mathematics and statistics are not. I mean…

“At Filtered, we found that constructing this matrix helped us to make hard decisions about where to focus: at first sight all the skills in our long-list seemed valuable. But realistically, we can only hope to move the needle on a few, at least in the short term. We concluded that the best return on investment in skills for our company was in data visualization, based on its high utility and low time to learn. We’ve already acted on our analysis and have just started to use Tableau to improve the way we present usage analysis to clients.”

Hasnain says:

This is from 2014, but still worth reading.

“A blind cricket match cannot be described as anything else but a vision of incredible human triumph. Bowlers and batsmen have to feel the stumps to orient themselves towards which side to bat or bowl. Yet a batsman, crouched low to the ground to better hear the rattling sound of the ball, hits a ball he cannot see, basing his stroke completely on the noise the ball makes. Fielders dive full-length to stop balls, and then, instead of throwing the ball, run to the bowlers’ end to feel for the bowler’s hand to pass the ball to.”

Hasnain says:

This was a great read on transportation, systems thinking, politics, and policing.

“But the 85th percentile rule contains a fundamental truth: Drivers respond to the road they are given. Engineers use this rule to foster a cycle of wider, clearer roads and higher speeds. But the same logic could be employed in the opposite direction, too, in places where drivers and pedestrians interact.

There are three basic changes we could make to America’s roads, cars, and drivers to address speeding at its root. First, we could design roads to keep drivers at safe speeds. In rural areas, that means replacing intersections with roundabouts—a change associated with cutting crash rates by more than 50 percent. In cities, that means narrowing streets and intersections, building out curbs and speed bumps, and changing pavements to materials like paving stones that slow drivers down.”

Hasnain says:

This was a motivating read and human interest story.

“Now, I am not ashamed to say that a sticky Heineken can holds enormous value. It is what feeds me every day and pays for my clothes. It unites my family and helps me understand the value of hard work. It represents my family’s strong values and their dreams for me of getting the opportunity to go to college and lead a stable life.

Now, when people ask me what my parents do for a living, I tell them not with embarrassment or shame, but with pride. My parents are can collectors. Because my friend is right; my family is hustling to take care of their loved ones. That is something to be admired.”

Hasnain says:

“It’s easy to get attention for sensational claims, however, particularly when they come from official sources. Rachel Michelin, president of the California Retailers Assn., told the San Jose Mercury News that in San Francisco and Oakland alone, businesses lose $3.6 billion to organized retail crime each year.

That would mean retail gangs steal nearly 25% of total sales in San Francisco and Oakland combined, which amounted to around $15.5 billion in 2019, according to the state agency that tracks sales tax.

Can that be right? In a word: no.”

Hasnain says:

Someone at work recommended this article to me as I was thinking through a cross-functional problem and this is quite insightful. There’s a number of helpful case studies, and lots of experiences have been distilled down into useful takeaways.

“Many organizations have unwittingly designed innovation processes that produce inconsistent and disappointing outcomes. They spend time and money compiling data-rich models that make them masters of description but failures at prediction. But firms don’t have to continue down that path. Innovation can be far more predictable—and far more profitable—if you start by identifying jobs that customers are struggling to get done. Without that lens, you’re doomed to hit-or-miss innovation. With it, you can leave relying on luck to your competitors.”

Hasnain says:

This is horrifying and amazing at the same time. Honesty would be quite exciting to work on the quoted part for a coding challenge.

On a more serious note though - glad this was caught and patched before more human rights abuses could happen.

“JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.

The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.”

Hasnain says:

This is a felony, right?

“Supervisors and team leaders told employees that leaving would probably jeopardize their jobs, the employees said.

“If you leave, you’re more than likely to be fired,” Emery said she overheard managers tell four workers standing near her who wanted to leave. “I heard that with my own ears.””

Hasnain says:

From a few of the authors on the recent committee investigating the Supreme Court and providing recommendations to the president.

“Though fellow commissioners and others have voiced concern about the impact that a report implicitly criticizing the Supreme Court might have on judicial independence and thus judicial legitimacy, we do not share that concern. Far worse are the dangers that flow from ignoring the court’s real problems — of pretending conditions have not changed; of insisting improper efforts to manipulate the court’s membership have not taken place; of looking the other way when the court seeks to undo decades of precedent relied on by half the population to shape their lives just because, given the new majority, it has the votes.”

Hasnain says:

The story coming out over the weekend has been so heart breaking. And as more details come out, just infuriating.

““It could just as easily have been us. We would not have been ready,” an employee at the Indiana facility said of the tornado. “They put out an internal memo that says we’re rebuilding, but what are we doing to prevent this in the future? It’s always profit over employees.””

Hasnain says:

#hugops to all the oncalls responsible for patching things this weekend.

“Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.”

Hasnain says:

Learnt a lot about history, politics, and contemporary affairs from this one. This quote though… (Baradar is the Taliban’s deputy PM)

“Two days later, Trump called Baradar. According to an official who listened to the exchange, Trump told him, “You guys are tough fighters.” Then Trump asked, “Do you need something from me?”

“We need to get prisoners released,” Baradar said, adding that he had heard Ghani would not coöperate. Trump said that he would tell Pompeo to press Ghani.”

Hasnain says:

This was an absolute delight to read, I was grinning throughout. So well written and hilarious, even though I feel quite bad for the author.

“I’m not talking about a meal that’s poorly cooked, or a server who might be planning your murder—that sort of thing happens in the fat lump of the bell curve of bad. Instead, I’m talking about the long tail stuff – the sort of meals that make you feel as though the fabric of reality is unraveling. The ones that cause you to reassess the fundamentals of capitalism, and whether or not you’re living in a simulation in which someone failed to properly program this particular restaurant. The ones where you just know somebody’s going to lift a metal dome off a tray and reveal a single blue or red pill.”

Hasnain says:

“With no timetable on the horizon for the end of a pandemic that has upended lives and killed over 788,000 in the United States, the surgeon general’s advisory calls for rapid action, encouraging more resources and urging a greater acknowledgment of mental health as a vital component in overall well-being.

For Prinstein, the “moment to demand change,” as Murthy’s report implores, necessitates the focus to shift from acknowledging mental health problems at their onset to preventing them in the first place.”

Hasnain says:

Very well written human interest story on what it feels like to get famous without your consent and the associated baggage - and avalanche of internet sleuths.

“Certainly, noncelebrities have long unwillingly become public figures, and digital pile-ons have existed in some form since the dawn of the digital age—just ask Monica Lewinsky. But on TikTok, algorithmic feedback loops and the nature of the For You page make it easier than ever for regular people to be thrust against their wishes into the limelight. And the extent of our collective power is less obvious online, where pile-ons are delivered, as journalist Jon Ronson put it, “like remotely administered drone strikes.” On the receiving end of the barrage, however, as one finds their reputation challenged, body language hyperanalyzed, and privacy invaded, the severity of our collective power is made much too clear.”

Hasnain says:

Hash functions are always interesting.

“After all this, my appreciation for FxHasher has grown. It’s like a machete: simple to the point of crudeness, yet unbeatable for certain use cases. Impressive!”

Hasnain says:

Gotta love math. This was an interesting analysis of some number theoretic puzzles

“I hope you enjoyed the heavy dose of transcendence from this most fascinating and fundamental constant. The Quanta Insights award for this month goes jointly to Michel Nizette, for clarity of exposition, and Lazar Ilic for the usual mathematical mastery. Congratulations to both!”

Hasnain says:

Looking at the pay disparities highlighted in the article, the numbers are staggering. $9500 a week for some postings, contrasted against $74,000 annual salaries. Yikes.

“The nation’s largest nurse union maintains that hospitals are suffering the consequences of the just-in-time staffing model they created to cut costs by keeping the number of full-time staff nurses as small as possible.

“This current staffing crisis is one of the hospital industry’s making,” Deborah Burger, president of National Nurses United, said in a written statement. “They need to take a long hard look at how their treatment of permanent staff and exploitation of the nursing ethos has inevitably led to this unsustainable model of staffing hospitals.””

Hasnain says:

Long and scary read.

“Conspicuously missing from Biden’s speech was any mention even of filibuster reform, without which voting-rights legislation is doomed. Nor was there any mention of holding Trump and his minions accountable, legally, for plotting a coup. Patterson, the retired firefighter, was right to say that nobody has been charged with insurrection; the question is, why not? The Justice Department and the FBI are chasing down the foot soldiers of January 6, but there is no public sign that they are building cases against the men and women who sent them. Absent consequences, they will certainly try again. An unpunished plot is practice for the next.”

Hasnain says:

“In October, the reddest tenth of the country saw death rates that were six times higher than the bluest tenth, according to Charles Gaba, an independent health care analyst who's been tracking partisanship trends during the pandemic and helped to review NPR's methodology. Those numbers have dropped slightly in recent weeks, Gaba says: "It's back down to around 5.5 times higher."

The trend was robust, even when controlling for age, which is the primary demographic risk of COVID-19 mortality. The data also reveal a major contributing factor to the death rate difference: The higher the vote share for Trump, the lower the vaccination rate.”

Hasnain says:

This was a great and thought provoking read.

“This maxim holds true for other areas of your life as well. When you get a good night’s sleep, you’re better at basically everything. When you take rest days, you’re a better athlete. The restoration we find in hobbies can make us better partners, better friends, better listeners and collaborators—just overall better people to be around. Hobbies help cultivate essential parts of us that have been suffocated by productivity obsessions and proliferating obligations. The hobby itself ultimately matters far less than what its existence provides: a means of tilting your identity away from “person who is good at doing a lot of work.””

Hasnain says:

I hate self promotion but since I’ve been asked a few times about what I work on - I’m glad to be able to share a bit of it.

I recently got a chance to speak on a podcast about some of my work - in particular, experience building services and rewriting things in Rust. It’s kinda off the cuff and not super polished, but the content comes across fine I’d hope. The other speakers had much better advice / experience in this domain, so it’s worth a listen either way.

Happy to take any questions here!

(excuse the incorrect title, the share scraper seems to be off, the link is right)

Hasnain says:

Great read on societal trends through a systems lens. I don’t agree with everything but I do agree with a majority of the stuff said here.

“Even the fanciest pantsed distributed databases, with all the Rafts and Paxoses and red/greens and active/passives and Byzantine generals and dining philosophers and CAP theorems, are subject to this. You can do a bunch of math to absolutely prove beyond a shadow of a doubt that your database is completely distributed and has no single points of failure. There are papers that do this. You can do it too. Go ahead. I'll wait.

Okay, great. Now skip paying your AWS bill for a few months.

Whoops, there's a hierarchy after all!

You can stay in denial, or you can get serious.”

Hasnain says:

Terrible bug aside, this was a great postmortem and actionable set of follow-ups.

inb4 rust rewrite though.

"The maximum size signature that this structure can handle is whatever the largest union member is, in this case that’s RSA at 2048 bytes. That’s 16384 bits, large enough to accommodate signatures from even the most ridiculously oversized keys.

Okay, but what happens if you just....make a signature that’s bigger than that?

Well, it turns out the answer is memory corruption. Yes, really.

The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data."

Hasnain says:

This is some really cool stuff.

“This is the best of both worlds: it is at once dynamic and general purpose with respect to what the system can run, but also entirely static in terms of the binary payload of a particular application — and broadly static in terms of its execution. Dynamic resource exhaustion is the root of many problems in embedded systems; having the system know a priori all of the tasks that it will ever see liberates it from not just a major source of dynamic allocation, but also from the concomitant failure modes. For example, in Hubris, tasks can always be safely restarted, because we know that the resources associated with a task are available if that task itself has faulted! And this eliminates failure modes in which dynamic task creation in response to load induces resource exhaustion; as Cliff has quipped, it is hard to have a fork bomb when the system lacks fork itself!”

Hasnain says:

Well this is really cool.

“Scientists discovered that the cancer does not always originate in the mature bone marrow cells where it is found and where textbooks say it originates.

…

The results are too new to have led to patient therapies. But they are leading to provocative discoveries that are expected to inspire novel methods for treating diseases.”

Hasnain says:

This was a great technical read.

"We hope hearing how we managed our Kafka-based telemetry ingest pipeline is helpful to you in scaling your own Kafka clusters. We’ve grown 10x in two years while TCO1 for Kafka has only gone up 20%—in other words, an 87%2 cumulative reduction in cost per MB of incoming data. We do not have any engineers dedicated full time to the care and feeding of Kafka, and have preserved about the same number of engineers fluent in Kafka debugging as needed through training with incidents. This means our toil has not significantly increased even as the data scope increased."