
Gregory Szorc's Digital Home | Modern CI is Too Complex and Misdirected

The state of CI platforms is much stronger than it was just a few years ago. Overall, this is a good thing: access to powerful CI platforms enables software developers and companies to ship more reliable software more frequently, which benefits its users/customers. Centralized CI platforms like GitH...

Click to view the original at gregoryszorc.com

Hasnain says:

Found myself generally nodding along to this.

"Because build systems are more generic than CI systems (I think a sufficiently advanced build system can do a superset of the things that a sufficiently complex CI system can do), that means that CI systems are redundant with sufficiently advanced build systems. So going beyond the section title: CI systems aren't too complex: they shouldn't need to exist. Your CI functionality should be an extension of the build system."

Posted on 2021-04-08T05:23:08+0000


BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution

This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

Click to view the original at google.github.io

Hasnain says:

Great read on understanding some native attack surface and walking through an exploitation chain.

Also shows how coordinating disclosure is still quite hard.

"The path from starting with zero knowledge to uncovering three vulnerabilities in the Bluetooth HCI protocol was strange and unexpected. When I first found the BadVibes vulnerability, I thought it was only triggerable by vulnerable/malicious Bluetooth chips, as the bug seemed too obvious. Since I did not have two programmable devices with Bluetooth 5, I could not verify if receiving such a large advertisement was even possible. Only after comparing the Linux Bluetooth stack with other implementations and reading the specifications, did I come to the conclusion that I had actually discovered my first RCE vulnerability, and I immediately went out to purchase another laptop (surprisingly, there are no trustworthy BT5 dongles on the market). Analyzing the overflow, it was soon clear that an additional information leak vulnerability was needed. Much faster than I thought it would take, I discovered BadChoice after just two days. While trying to trigger it, I uncovered the BadKarma vulnerability which I first deemed to be an unfortunate bug that would prevent the BadChoice vulnerability. It turned out that it was quite easy to bypass and that the bug was in truth yet another high severity security vulnerability."

Posted on 2021-04-08T05:08:05+0000


Gregory Szorc's Digital Home | Surprisingly Slow

I have an affinity for performance optimization and making software as efficient as possible. Over the years, I've encountered specific instances and common patterns that make software or computers slow. In this post, I'll shine a spotlight on some of them.

Click to view the original at gregoryszorc.com

Hasnain says:

Lots of insightful points here, I learned a lot about things I didn't expect to be slow, and more in-depth lessons for things I knew to be slow.

The compression one in particular was quite enlightening for me.

"I'm titling this post Surprisingly Slow because the slowness was either surprising to me or the sub-optimal practices leading to slowness are prevalent enough that I think many programmers would be surprised by their existence."

Posted on 2021-04-08T05:01:26+0000


Hasnain says:

Infuriating, maddening, but at the same time depressing as I realize that this isn't surprising.

"The few people who’d worked at other companies reminded us that there was nowhere better. I believed them, even when my technical lead — not my manager, but the man in charge of my day-to-day work — addressed me as “beautiful” and “gorgeous,” even after I asked him to stop. (Finally, I agreed that he could call me “my queen.”) He used many of our one-on-one meetings to ask me to set him up with friends, then said he wanted “A blonde. A tall blonde.” Someone who looked like me."

...

"Eventually, the investigators corroborated my claims and found my tech lead violated the Code of Conduct and the policy against harassment. My harasser still sat next to me. My manager told me H.R. wouldn’t even make him change his desk, let alone work from home or go on leave. He also told me that my harasser received a consequence that was severe and that I would feel better if I could know what it was, but it sure seemed like nothing happened."

Posted on 2021-04-08T04:49:06+0000


Mathematicians Settle Erdős Coloring Conjecture

Fifty years ago, Paul Erdős and two other mathematicians came up with a graph theory problem that they thought they might solve on the spot. A team of mathematicians has finally settled it.

Click to view the original at quantamagazine.org

Hasnain says:

“The Erdős-Faber-Lovász conjecture started as a question that seemed as if it could be asked and answered within the span of a single party. In the years that followed, mathematicians realized the conjecture was not as simple as it sounded, which is maybe what the three mathematicians would have wanted anyway. One of the only things better than solving a math problem over tea is coming up with one that ends up inspiring decades of mathematical innovation on the way to its final resolution.”

Posted on 2021-04-07T07:12:44+0000


Hasnain says:

Today I learnt about this triangle of doom, which was pretty cool!

“Most of our memory bugs occur in new or recently modified code, with about 50% being less than a year old.

The comparative rarity of older memory bugs may come as a surprise to some, but we’ve found that old code is not where we most urgently need improvement. Software bugs are found and fixed over time, so we would expect the number of bugs in code that is being maintained but not actively developed to go down over time. Just as reducing the number and density of bugs improves the effectiveness of sandboxing, it also improves the effectiveness of bug detection.”

Posted on 2021-04-07T06:58:26+0000


Alphabet shareholder pushes Google for better whistleblower protections

Trillium Asset Management and Open MIC say the firing of AI ethics researcher Timnit Gebru shows Google’s current policies aren’t enough.

Click to view the original at theverge.com

Hasnain says:

“Trillium and Open MIC organized a similar proposal in 2020 but were shot down. At the time, the board said it believed Google’s current policies were adequate.

“Our argument this year is basically the proof is in the pudding,” says Kron. “A year ago you said everything was hunky dory and in the meantime we’ve seen what happened with Dr. Gebru and ongoing protests by Google employees, which suggests that things aren’t working well, that there are these red flags that indicate something needs to change.””

Posted on 2021-04-07T03:55:55+0000


Hasnain says:

“Now, I could try to find some other site that would accept the patch, but there are some downsides to that. The patch that I made was only good for the current Steam version of CK3, on my operating system, with my cpu architecture. But I can give something more portable than that: knowledge!

So without further ado, let’s go through a step-by-step guide to see how anyone with a bit of technical know-how can reverse engineer a game like Crusader Kings 3.”

Posted on 2021-04-06T07:18:08+0000


He Spent 24 Years Behind Bars Because Queens Prosecutors Broke The Rules. Was This Their Only Wrongful Conviction?

The new Queens DA, Melinda Katz, insists that the prosecutors' errors were "inadvertent."

Click to view the original at gothamist.com

Hasnain says:

I don’t see how this system can be reformed. Even after finding clear signs of terrible abuse, they’re refusing to prosecute the prosecutors who let it happen?

“Unlike Katz, some lawmakers are not buying the line that the trial prosecutors’ misconduct in this case was “inadvertent.” Like the judge who released the men, they believe this was deliberate, and was almost certainly not isolated. Now they want a review of all the cases handled by Leventhal and Testagrossa. But Katz, who kept on numerous veterans including Leventhal, has thus far refused to commit to such a review because her office did not find intentional misconduct took place.

Rachel Barkow, an NYU Law Professor, said this refusal to probe the trial prosecutors’ other cases is a “major red flag,” an indication that some in the DA’s Office are concerned about what else might be found.”

Posted on 2021-04-06T02:25:31+0000