Hasnain says:

This is nuts.

““They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.”

Hasnain says:

I don’t even know where to begin with this one. Not against the article, mind you, it’s very well sourced and I learnt a lot about SF crime stats and policing

““In San Francisco, VC lives matter. We’re the ones employing people, bringing business, buying properties, you know, paying property taxes,” says Ellie Cachette, one of the tech investors who wants to oust Boudin, Newsom, and other San Francisco officials, and who donated $1,000 to Calacanis’ fund. “And what are we getting in return? Nothing.””

Hasnain says:

“But with this tweet, that entire sentiment changes from “they haven’t lied” to “they haven’t lied about something germane to cloud in a way in which I’ve caught them doing so” because we’ve just seen them lie to the world when they’re facing something that they perceive to be an existential threat to one of their lines of business (i.e., unionization).

This teaches us that—when it’s a big enough deal—Amazon will lie to us. And coming from the company that runs the production infrastructure for our companies, stores our data, and has been granted an outsized position of trust based upon having earned it over 15 years, this is a nightmare.”

Hasnain says:

“A mysterious fog plunged Europe, the Middle East, and parts of Asia into darkness, day and night—for 18 months. "For the sun gave forth its light without brightness, like the moon, during the whole year," wrote Byzantine historian Procopius. Temperatures in the summer of 536 fell 1.5°C to 2.5°C, initiating the coldest decade in the past 2300 years. Snow fell that summer in China; crops failed; people starved. The Irish chronicles record "a failure of bread from the years 536–539." Then, in 541, bubonic plague struck the Roman port of Pelusium, in Egypt. What came to be called the Plague of Justinian spread rapidly, wiping out one-third to one-half of the population of the eastern Roman Empire and hastening its collapse, McCormick says.”

Hasnain says:

“I have a real love/hate relationship with SQL databases. They are incredibly powerful tools, and when used well can drastically simplify architectures and help solve entire classes of consistency and durability problems. At the same time, every time I interact with one, I feel like the experience is one of a thousand avoidable papercuts, and that the experience could be so much better without losing almost any of their strengths. SQL as an API is in many ways a relic from another era, and while it’s held up remarkably well, it also feels like it shows its age. The operational problems also terrify and enrage me. Databases are always going to be challenging and sources of complexity and danger, but it feels like SQL engines barely even try to offer predictability performance or to build reliable guard rails against accidentally taking the entire site down.

“

Hasnain says:

This is horrifying.

“We have these various women coming forward and telling very credible stories about how they've been abused," he said. "And the response shows a complete tone deafness and misunderstanding of how sexual assault and sexual trauma is now being understood and treated now. Besides being horrifying, it's also completely counterproductive for the Chinese state."

The Chinese embassy in London told the BBC that China stood by its assertions that the women's accounts of rape and sexual abuse were lies, and said it was reasonable to publicise private medical records as evidence.”

Hasnain says:

I still don’t get why the post ever thought it was a good idea to do this in the first place.

“The Newspaper Guild, which represents Post employees, hailed The Post’s change of heart in a statement. “We’re glad to see The Post reverse its harmful stance and allow our colleague Felicia Sonmez to do her job,” it said. “But this decision came only after much public criticism and at the expense of Felicia’s mental health. The Post must do better. The company still has much work to do to rebuild trust — internally and externally — and cultivate an inclusive workplace for all.””

Hasnain says:

Interesting read on profiling, benchmarking, and Rust vs Go.

“I’m here today first to say what’s new, and then to think out loud about concurrent data processing, Go vs Rust, and Amdahl’s Law, of which I have a really nice graphical representation. Apologies because this is kind of long, but I suspect that most people who are interested in either are interested in both.”

Hasnain says:

Very interesting report and data; echoes some of my personal feelings and highlights some more that I hadn’t thought about.

Might need to go and read the whole additional full report and not just this post.

“2. Leaders are out of touch with employees and need a wake-up call

Many business leaders are faring better than their employees. Sixty-one percent of leaders say they are “thriving” right now — 23 percentage points higher than those without decision-making authority. They also report building stronger relationships with colleagues (+11 percentage points) and leadership (+19 percentage points), earning higher incomes (+17 percentage points), and taking all or more of their allotted vacation days (+12 percentage points).”

“3. High productivity is masking an exhausted workforce

Self-assessed productivity has remained the same or higher for many employees over the past year, but at a human cost. One in five global survey respondents say their employer doesn’t care about their work-life balance. Fifty-four percent feel overworked. Thirty-nine percent feel exhausted.”

Hasnain says:

This was eye opening.

“What makes this story worth telling is not the drama of an editorial shakeup at one of the world’s top medical journals. Rather, it’s the content of the podcast itself. Now, don’t get me wrong. If your goal is to understand what structural racism is and how it harms health, look elsewhere. The podcast’s errors are so naive or absurd—No physician is racist? No Black or Hispanic people experience discrimination because that would be illegal?—that it doesn’t merit a rebuttal. And if you know from experience the toll that racism takes, you may have decided early on not to listen. At best, it is a distraction, a theft of energy and time; at worst, a form of gaslighting.

Yet the podcast does serve a purpose—just not the one JAMA intended: it illustrates rather than illuminates the problem of structural racism in medicine. And not just in medicine: The conversation between Livingston and Katz succinctly presents some of the most common ways well-meaning white people (an oxymoron, if we understand whiteness properly) uphold white supremacy when talking about race. Moreover, because the podcast carried the imprimatur of the American Medical Association, it shows how white supremacy remains embedded in powerful institutions—even ones that profess liberal values of equal opportunity and health for all.”

Hasnain says:

This helps explain the ruckus this weekend.

“Recode has learned that Amazon CEO Jeff Bezos expressed dissatisfaction in recent weeks that company officials weren’t more aggressive in how they pushed back against criticisms of the company that he and other leaders deem inaccurate or misleading. What followed was a series of snarky and aggressive tweets that ended up fueling their own media cycles.”

Hasnain says:

Really well written and engaging story of an ongoing effort to reverse engineer and identify a pretty complex security breach.

“We found a bunch of malware sitting in the network collecting PII information from incoming HTTPS connection after they are decoded in a GOlang app. The data is exfiltrated through the malware network and eventually is sent to the bad guys. We have more info but I am still working on it, expect another blog post in the future with more details, samples, etc’.”

Hasnain says:

This is a pretty good - and scary! recap of this whole fiasco.

“Neither Netgate's responses, FreeBSD Core's, nor the off-record responses we heard from independent FreeBSD community members lead us to believe that there was in fact any process in place that could reasonably have been expected to catch this issue prior to it going out into the world in 13.0-RELEASE.

We take some heart in the fact that FreeBSD Core team's expressed a commitment to improving processes, refining tooling, and making code reviews more effective—but it's impossible to ignore the fact that this commitment comes as an afterthought to attacking "public discourse" that highlighted the need for those improved processes, refined tools, and more effective reviews in the first place.”

Hasnain says:

I don’t get why this is super controversial. Operations are operations, you want to stop them before they can get out of hand in case it’s a “bad” “person” doing it right? It’s not like these bugs can stay hidden forever.

“Security companies regularly shut down exploits that are being used by friendly governments, but such actions are rarely made public. In response to this incident, some Google employees have argued that counterterrorism missions ought to be out of bounds of public disclosure; others believe the company was entirely within its rights, and that the announcement serves to protect users and make the internet more secure.”

Hasnain says:

This does not sound like a good sign.

“When employees tagged the Phonetool problem as "SEV1" and logged it on an internal message board, a senior human resources manager responded by saying that employees could use workarounds other than Phonetool to do their work, and then marked the issue as resolved.”

Hasnain says:

But the memes coming out of this situation have been so glorious I don’t know where to begin.

“But Peter Berdowski, CEO of Dutch company Boskalis, which is trying to free the ship, compared it to "an enormous beached whale" and said "it might take weeks" to get the vessel off, possibly necessitating "a combination of reducing the weight by removing containers, oil and water from the ship, tugboats and dredging of sand."”

Hasnain says:

““The woman got the blame as usual,” says Ozoma. “They should all be held accountable. But you know what? They can never run away from this even when their kids look their names up online. This will always be tied to them. For that, I will forever be grateful to the Internet.””

Hasnain says:

“User stories are a great way of designing features, but when you are designing community features on the web it is also useful to have user stories that start “I am an absolute arsehole and I want to…”, which in this case would be “troll a particular user every single time they posted a comment”.”

Hasnain says:

The headline says it all, really.

So disappointed - and yet, not surprised, given they have a harassment problem and blocking functionality still does not exist.

Hasnain says:

“Over the last few decades, every improvement in matrix multiplication has come from improvements in the laser method, as researchers have found increasingly efficient ways to translate between the two problems. In their new proof, Alman and Vassilevska Williams reduce the friction between the two problems and show that it’s possible to “buy” more matrix multiplication than previously realized for solving a tensor problem of a given size.”

Hasnain says:

I am glad this has so many (and growing!) signatories.

There was a time when I used to respect RMS; but that went out the window a while back and I really really do not get why the foundation brought him back. The FSF has slowly been becoming more and more irrelevant, and this decision just shows how bad the board is.

“We are calling for the removal of the entire Board of the Free Software Foundation. These are people who have enabled and empowered RMS for years. They demonstrate this again by permitting him to rejoin the FSF Board. It is time for RMS to step back from the free software, tech ethics, digital rights, and tech communities, for he cannot provide the leadership we need. We are also calling for Richard M. Stallman to be removed from all leadership positions, including the GNU Project.

“

Hasnain says:

This was a really good read. I didn’t know that the origin for many of the DEI programs today lied in an act from Kennedy’s time.

“DEI efforts should answer not to those in glass-walled corner offices, but those most impacted by the policies it creates. Administrators, rank and file staff members, and service providers should dictate what it means to be represented, how it feels to belong, and what change means. Such a shift would radically alter who qualifies to work in DEI. Instead of people like scientists and business administrators, whose allegiances are to executives, the field would depend on union organizers, coalition builders, and activists. These are not easy—perhaps not even feasible tasks—but DEI is at a crossroads.”

Hasnain says:

This study had a really interesting methodology - they used police department data to first identify which officers are likely not biased and then used that baseline to look into indicators of bias. And the numbers are both higher and lower than I'd expect.

"A key strength of our setting is that the average officer writes hundreds of tickets over a several-year period. The high frequency of recorded activity allows us to adapt our empirical approach to estimate the degree of discrimination for each individual officer. Doing so, we find that 40 percent of officers practice discrimination. While this figure is not the majority of officers, it is hardly a few bad apples."

Hasnain says:

This goes far beyond COVID and is an indictment of the American healthcare system. Combine overworked doctors, a lack of trust in patients, and systemic biases against funding research into diseases that don’t commonly affect certain people and, well, this is the mess that you get.

“How could top scientists and medical professionals suffer collective amnesia about this crucial piece of information? Why weren’t we being warned about two types of potential COVID complications, acute and chronic?

The answer is simple: Our medical system is radically unequipped, practically and conceptually, to serve patients whose tests come back normal and whose chronic symptoms cannot be explained with a biological diagnosis or outsourced to a specialist.

Long COVID patients are far from the only ones in this situation. Millions of people suffer from similar chronic symptoms, many of them too debilitated to work a job or even leave their bed. They, too, have been told their symptoms are psychogenic. Those I spoke with recounted how they watched in horror as the first reports of post-COVID began to surface. They saw what was coming, even if the doctors and scientists didn’t.”

Hasnain says:

This is some pretty cool work.

“Honeybee takes only 3.5 seconds to do what Intel’s reference decoder does in two-and-a-half minutes, which is a 44x improvement! This is the difference between stepping away while the trace decodes and being able to take a sip of water while you wait.”

Hasnain says:

This whole piece is so heartbreaking and moving.

“Yesterday, after the prolonged delay, I finally did talk to my mother, and I asked her to please take extra care when leaving the house. I was trying not to cry, and of course I failed, and of course my mother immediately tried to reassure me. She listed all the reasons she felt okay going to the store—she had this list ready, she’d been thinking it through—and then she started trying to convince me, the one in less danger, not to leave my apartment. If I did leave, she proposed I talk more loudly than usual in English, the hope being that racist white people would know I belonged.”

Hasnain says:

Definitely worth reading in full, it goes into labor issues, tech, and gender discrimination.

I also don’t really understand Scalia’s statement on one case covered in the article - he tries to say that multiple individual instances of discrimination do not show bias in the aggregate, but... that does not make sense to me.

“But the Supreme Court ultimately found it didn’t matter if there was evidence that women were being paid less across the company. Writing the majority opinion, Justice Antonin Scalia denied that systematic sexism could be assumed to be the motive force behind a pay gap. “Left to their own devices most managers in any corporation,” Scalia wrote, “would select sex-neutral performance-based criteria for hiring and promotion that produce no actionable disparity at all. Others may choose to reward various attributes that produce disparate impact… still others may be guilty of intentional discrimination.” But crucially, “demonstrating the invalidity of one manager’s discretion will do nothing to demonstrate the invalidity of another’s.” As long as each manager was inflicting independent harms, there was no basis for class action status.”

Hasnain says:

So this explains why everyone was logged out of GitHub the other day. Interesting technical analysis of a bug and a reminder of how hard it is to get complex code right.

“Taking a step back, a bug such as this is not only challenging from a technical perspective in how to identify complex interactions between multiple threads, deferred callbacks, and object sharing, but it is also a test of an organization’s ability to respond to a problem with an ambiguous cause and risk.”

Hasnain says:

This is a pretty cool profile of a team within the security org at Facebook. The lede sums it up well:

"IN 2019, HACKERS stuffed portable network equipment into a backpack and roamed a Facebook corporate campus to trick people into joining a fake guest Wi-Fi network. That same year, they installed more than 30,000 cryptominers on real Facebook production servers in an attempt to hide even more sinister hacking in all the noise. All of this would have been incredibly alarming had the perpetrators not been Facebook employees themselves, members of the so-called red team charged with spotting vulnerabilities before the bad guys do. "

Hasnain says:

While I’m still processing the terrible, racist shootings in Atlanta yesterday, I found this useful - not just for journalists, but for us everyday folk learning more about this so we can empathize. I’d known a bit superficially about the history of anti-Asian racism in the US but the more I learn the more horrified I get.

“Understand anti-Asian racism and invisibility. Racism against AAPIs is highly nuanced, complex, and has remained historically invisible, and includes a long history of hypersexualization of Asian women that is rooted in Westernized and colonial perceptions of Asia.

This is inextricably linked to harassment and sexualized violence against Asian women. Women of Asian descent have reported 2.3 times more incidents of violence than AAPI men, according to a new Stop AAPI Hate report of nearly 3,800 hate incidents reported since March 2020. “

Hasnain says:

I just learnt today that this is the guy that contributed a lot of the wireguard code to pfsense and is still going strong.

Also who the hell saws their tenant’s floor?!

“Eventually he and Nicole Macy were arrested at Kip Macy's parents' house in 2008 and released on $500,000 bond, for which Kip Macy's parents drained much of their retirement savings to pay. His mother Marie even sold her jewelry to help finance their release. Once free, Kip and Nicole Macy jumped bail, fleeing to Italy, leaving Kip Macy's father and mother, potentially at a loss of half a million dollars.”

Hasnain says:

“In our view, developers don’t care about the distinction between monoliths and services, and simply want the lowest-overhead way to deliver end value to customers. So we have very little doubt that a managed platform which removes operational busywork like capacity planning, while providing maximum flexibility like fast releases, is the way forward. We’re excited to see the industry move toward such platforms.”

Hasnain says:

What the actual.. This quote is not even the worst bit, it keeps getting worse

“Konikowski quit, but her managers — both white men — were eventually promoted to senior management. Van Aalten said the promotions troubled them because one of those managers had called them a Nazi, despite knowing they are Jewish. Multiple former Mailchimp employees also said that the manager questioned whether people with Down's Syndrome were "real people" because they inherit an extra chromosome.”

Hasnain says:

This attack is quite scary.

“"While text message forwarding might have legitimate applications for businesses, the particular implementation underpinning this attack is appallingly weak in security and data privacy. Telcos have different ways of authenticating their customers, obviously including text messaging. The fact that none of these authentication methods are used in this case to get consent from the owner of a forwarded phone number is shocking," Nohl added.”

Hasnain says:

“How did you spend the grant that we provided you? The grant you gave us went into our bank account, which is used to pay for everything. Disaggregating what you paid for versus what others paid for is one of those meaningless time-wasting activities you force on us that harm our work. Here’s a detailed financial report of every expense we made this year. Look through it, and if it makes you feel better to think that you paid for books for low-income children and not staff salaries or whatever, please use your own time to craft that delusion.”

Hasnain says:

“Then I started thinking about it, and realized there’s no way this happened in a vacuum. It’s unlikely that Ryan Parr saw my tweet and immediately escalated it to, “We’re sending this to our legal team.” I think it speaks a lot to their company culture that things went this far. I wonder how many people they’ve threatened with legal action like this. How many people didn’t have the time or the energy to stand up for themselves in the face of a three billion dollar company’s legal team coming after them? It honestly makes me a little sick.”

Hasnain says:

Interesting take on this whole story from an HR perspective

“The core of Google’s culture is to thrust ahead and discover operational flaws as the result of execution. This “move quickly and break things” approach is at the heart of many Silicon Valley firms. The paper urges restraint, research discipline, preplanning, consideration of all stakeholders and investigation of alternative approaches.

It’s hard to imagine a more sensible approach. It’s also hard to imagine a more substantive critique of the culture at Google. It is easy to understand why the company’s leadership responded as they did.”

Hasnain says:

Today I learnt CA does this very differently from other states. I’m annoyed they left CA out of the dataset but it makes sense since the inequality here is quite different; though equally bad (damn you prop 13!)

““This is an example of structural racism,” Berry said. “African Americans and other minorities are more likely to own low-priced homes. This means that minorities are more likely to be overtaxed because they are more likely to own low-priced homes.””

Hasnain says:

Interesting historical take. It’s not 100% clear how they went from that data to this conclusion though.

“Serving richly spiced stews was no longer a status symbol for Europe's wealthiest families — even the middle classes could afford to spice up their grub. "So the elite recoiled from the increasing popularity of spices," Ray says. "They moved on to an aesthetic theory of taste. Rather than infusing food with spice, they said things should taste like themselves. Meat should taste like meat, and anything you add only serves to intensify the existing flavors."”

Hasnain says:

6.3 PeV packed into one small antineutrino is amazing

“Sheldon Glashow first proposed this resonance in 1960 when he was a postdoctoral researcher at what is today the Niels Bohr Institute in Copenhagen, Denmark. There, he wrote a paper in which he predicted that an antineutrino (a neutrino’s antimatter twin) could interact with an electron to produce an as-yet undiscovered particle—if the antineutrino had just the right energy—through a process known as resonance.”

Hasnain says:

Very long and interesting read; mix of a human interest story, tech company origin stories, and the issues behind ethical AI and misinformation.

“Near the end of our hour-long interview, he began to emphasize that AI was often unfairly painted as “the culprit.” Regardless of whether Facebook used AI or not, he said, people would still spew lies and hate speech, and that content would still spread across the platform.

I pressed him one more time. Certainly he couldn’t believe that algorithms had done absolutely nothing to change the nature of these issues, I said.

“I don’t know,” he said with a halting stutter. Then he repeated, with more conviction: “That’s my honest answer. Honest to God. I don’t know.””

Hasnain says:

This was a pretty good read on how tailscale designed a new type to represent IPs in Go and various trade offs considered.

This was quite well written - it’s hard to write things that are both technically accurate and engaging at the same time, and this did both.

“Being written almost entirely in Go, the obvious choice would be for Tailscale to use the Go standard library’s net.IP address type for individual IPs and net.IPNet type for networks. Unfortunately, the standard library’s types have a number of problems, so we wrote a new package, inet.af/netaddr (github) containing a new IP type and more.”

Hasnain says:

:| this study says 96% of women polled in the age range 18-24 had experienced some form of sexual harassment at work.

“Bates pointed to TUC/Everyday Sexism research that found 52% of women had experienced sexual harassment at work, and of the one in five who had reported it, three-quarters said nothing had changed, while 16% said they were treated worse as a result.”

Hasnain says:

Ouch.

“In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.””

Hasnain says:

This was an interesting little anecdote. I’m also surprised the SEC went after so many companies for an issue like this. Trying to leave a quote without spoilers:

“In retrospect, the only thing that kept me out of jail was some good luck and an outstanding General Counsel, and the right organizational design.”

Hasnain says:

If only more engineers were this ethical.

“The focus of the commission's investigation shifted to the booster rocket O-rings, the efforts of McDonald and his colleagues to stop the launch, and the failure of NASA officials to listen.

Morton Thiokol executives were not happy that McDonald spoke up and demoted him.”

Hasnain says:

“Workplace diversity and inclusion experts say it is common for human resource officials to use mental health and well-being as a tactic to ignore discrimination — and even participate in it.

“The broader pattern of HR not being supportive, continuing to make the person who was discriminated against the problem in some way rather than the discrimination and the perpetrator of the discrimination as the problem — those are patterns that we have seen in our research,””

Hasnain says:

“There’s a very simple moral to this story, which Americans won’t want to hear. Capitalism destroyed their lives. It has destroyed their kids in so, so many ways. Making them suffer the trauma of “active shooter drills,” Making little seven year old girls set up lemonade stands to pay for brain cancer operations. Making little kids pay “lunch debt” — or go hungry. But perhaps the worst way of all that capitalism has hurt America’s kids is by making it impossible to have kids. Yesterday’s kids, who are today’s millennials, are on the cusp of an adulthood they can never reach. Their jobs don’t pay enough, they can’t afford homes of their own, where is there decent to work anyways — so who can have kids? Capitalism exploited yesterday’s kids so badly that today’s can’t have them, should they want them.”

Hasnain says:

Pretty good read on systems research and one person’s journey through their PhD.

“Although eRPC builds on top of many research results, I could have in theory built eRPC in my first year. For several years, I mistakenly—but for good reason—believed that RDMA and/or lossless networks were necessary for good performance. I and other researchers did not consider end-to-end designs that do not rely on in-network support because we believed that such designs would not perform well, in part because we had not found all the required optimizations. In the end, we re-discovered an essential lesson from the end-to-end arguments paper: “Using performance to justify placing functions in a low-level subsystem must be done carefully. Sometimes, by examining the problem thoroughly, the same or better performance can be achieved at the high level.” “

Hasnain says:

This is short and depressing - but worth reading; and please try to avoid going “WTF” at the end (you have been warned)

“The good news: after a year of planning and writing, I got the grant.

The bad news: both faculty co-chairs of the Climate Action Group are now among those losing their jobs as a consequence of Academic Program Prioritization, which, as far as I can see, is disaster capitalism for higher education.”

Hasnain says:

This attack is amazing - need to read the paper more in depth later. The tool recognizes an apple properly, but if you write “iPod” on it the model suddenly thinks it’s an iPod.

“We refer to these attacks as typographic attacks. We believe attacks such as those described above are far from simply an academic concern. By exploiting the model’s ability to read text robustly, we find that even photographs of hand-written text can often fool the model. Like the Adversarial Patch,22 this attack works in the wild; but unlike such attacks, it requires no more technology than pen and paper.”

Hasnain says:

This is horrible - I hope the fight for employees rights succeeds here.

“The success of the Model S project was the top priority at Tesla in April 2014, when Balan was walked into that security office. According to Balan’s recollection, the HR manager strongly suggested she drop her complaints about the supplier contracts. Balan said no. “OK, this is your exit interview,” Balan recalls being told. She was handed resignation papers and asked to sign them. When she protested, she said, a Tesla official threatened to have her led outside in handcuffs and told her, “This is what happens if you don’t know how to keep your mouth shut.””

Hasnain says:

This whole thing has been blowing up on Twitter, and I agree with this take here. This seems like a fairly straightforward way to provide evidence of an extraordinary claim.

“Show Me the Factors

According to the claims in Schnorr’s paper, it should be practical to set significant new factoring records. There is a convenient 862-bit RSA challenge that has not been factored yet. Posting its factors, as done for the CADO-NFS team’s records, would lend credence to Schnorr’s paper and encourage more review of the methodology.”

Hasnain says:

This was a pretty engaging read (/ podcast, but I read the transcript), from folks who are doing industry leading work in this space.

“You know, if you're not coming to a small team, working on a small project, most of the time you're looking at this huge code base with so many different components and you don't necessarily have a great big picture understanding of what actually it does, plus how it behaves.”

Hasnain says:

Very insightful, I learnt a bunch from this perspective.

“When someone is telling me they are or have been poor and I’m trying to determine how poor exactly they were, there’s one evergreen question I ask that has never failed to give me a good idea of what kind of situation I’m dealing with. That question is: “How many times have they turned off your water?”.”

Hasnain says:

This paper will be fun to read when it’s out...

“We follow a line of research that perform website fingerprinting attacks. We develop a sequence of attacks with progressively decreasing dependency on JavaScript features, culminating in the first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS), and therefore works even when script execution is completely blocked.”

Hasnain says:

This is really cool! I also learnt something new today about why vaccinating against malaria has been so tough before.

Hasnain says:

Very good take on open source ecosystems; support; and the whole Rust fiasco going on with python’s cryptography package.

“I put this one last because it’s flippant, but it’s maybe the most important one: outside of hobbyists playing with weird architectures for fun (and accepting the overwhelming likelihood that most projects won’t immediately work for them), open source groups should not be unconditionally supporting the ecosystem for a large corporation’s hardware and/or platforms.”