Hasnain says:

Man I miss Scuba. iykyk

“For instance, I observed a spike in p95 build times for iOS CI jobs. Using correlation, I compared the p95 data to CI cluster usage graphs and noticed a simultaneous spike in job wait times. Honeycomb’s synchronized dotted line across graphs confirmed the alignment, leading to a strong hypothesis: long CI agent wait times were causing the build time spike.”

Posted on 2024-12-15T04:33:06+0000
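The correlation step in the quoted passage (a p95 spike in one series lining up with a spike in another) can be reproduced numerically. The block below is an added example, not Honeycomb's or the article's code; the CI job records are constructed here, and the bucket boundaries, the nearest-rank p95 and the 1.5x-median spike threshold are assumptions for illustration.

```python
"""Correlate a p95 build-time spike with CI queue wait times per time bucket."""
import math
from statistics import median

# Constructed sample: (time_bucket, build_seconds, queue_wait_seconds).
# Bucket 2 carries the simultaneous spike the article describes.
SAMPLE_JOBS = [
    (0, 580, 25), (0, 600, 30), (0, 610, 28), (0, 620, 35), (0, 590, 30),
    (0, 605, 27), (0, 615, 32), (0, 595, 29), (0, 630, 31), (0, 600, 30),
    (1, 590, 26), (1, 610, 31), (1, 600, 29), (1, 625, 33), (1, 595, 28),
    (1, 615, 30), (1, 605, 34), (1, 598, 27), (1, 635, 30), (1, 602, 32),
    (2, 900, 380), (2, 950, 420), (2, 920, 400), (2, 980, 450), (2, 910, 390),
    (2, 960, 430), (2, 940, 410), (2, 930, 395), (2, 1000, 460), (2, 945, 405),
    (3, 585, 27), (3, 605, 29), (3, 595, 31), (3, 618, 34), (3, 592, 28),
    (3, 608, 30), (3, 612, 33), (3, 597, 26), (3, 628, 30), (3, 603, 31),
]


def p95(values):
    """Nearest-rank 95th percentile (for a 10-sample bucket this is the max)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(0.95 * len(ordered)))
    return ordered[rank - 1]


def p95_by_bucket(jobs, field):
    """Map each time bucket to the p95 of one job field (1=build, 2=wait)."""
    buckets = {}
    for job in jobs:
        buckets.setdefault(job[0], []).append(job[field])
    return {b: p95(v) for b, v in sorted(buckets.items())}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def aligned_spikes(series_a, series_b, factor=1.5):
    """Buckets where both series exceed factor x their own median: the
    'synchronized dotted line across graphs' check, done numerically."""
    med_a, med_b = median(series_a.values()), median(series_b.values())
    return [b for b in series_a
            if series_a[b] > factor * med_a and series_b[b] > factor * med_b]


def analyze(jobs=SAMPLE_JOBS):
    """Return (p95 build per bucket, p95 wait per bucket, correlation, spike buckets)."""
    builds = p95_by_bucket(jobs, 1)
    waits = p95_by_bucket(jobs, 2)
    order = list(builds)
    r = pearson([builds[b] for b in order], [waits[b] for b in order])
    return builds, waits, r, aligned_spikes(builds, waits)


if __name__ == "__main__":
    b, w, r, spikes = analyze()
    print("p95 build:", b)
    print("p95 wait: ", w)
    print(f"correlation={r:.3f} aligned spike buckets={spikes}")
```

A high correlation across only a handful of buckets is a hypothesis, as the quote says, not proof; the aligned-spike list is what points you at which window to pull the individual job traces for.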

Mathematicians Uncover a New Way to Count Prime Numbers | Quanta Magazine

To make progress on one of number theory’s most elementary questions, two mathematicians turned to an unlikely source.

Click to view the original at quantamagazine.org

Hasnain says:

“Even more important, the work demonstrates that the Gowers norm can act as a powerful tool in a new domain. “Because it’s so new, at least in this part of number theory, there is potential to do a bunch of other things with it,” Friedlander said. Mathematicians now hope to broaden the scope of the Gowers norm even further — to try using it to solve other problems in number theory beyond counting primes.”

Posted on 2024-12-14T08:05:54+0000

Far From Random: Three Mistakes From Dart/Flutter's Weak PRNG | Zellic — Research

A look into how an unexpectedly weak PRNG in Dart led to Zellic's discovery of multiple vulnerabilities

Click to view the original at zellic.io

Hasnain says:

This was a really cool read. Had to leave the part before the tldr though because that response time puts us all to shame.

“Timeline and Conclusion

The bug was reported August 23, 2024, and it was acknowledged after only 21 minutes, asking to verify their proposed fix. After acknowledging, a new release was pushed a few minutes later.

Long Story Short

These three issues were all caused by the same root cause: the usage of a non-cryptographically secure PRNG. All of the bugs were exacerbated by the unexpected low entropy in the Flutter PRNG, where the internal seeds are just 32 bits. We showed practical attacks that will recover secrets within a reasonable time and how they led to attacks on Flutter developers, users of the Proton Wallet mobile application, and users of SelfPrivacy.”

Posted on 2024-12-14T07:34:52+0000
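The root cause in the quoted conclusion is that a secret drawn from a general-purpose PRNG can never have more entropy than the seed, so a 32-bit seed bounds the whole token space at 2^32 values no matter how long the token is. The block below is an added example written in Python, not Zellic's or the Dart/Flutter code; it reconstructs the weak pattern with Python's own non-cryptographic `random.Random` (an assumption for illustration) beside the hardened form using the OS CSPRNG, and enumerates a small seed space to show the bound directly.

```python
"""Weak PRNG token generation beside its hardened form, with the seed-space bound."""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_token(seed: int, length: int = 32) -> str:
    """Token from a non-cryptographic PRNG seeded with a 32-bit value.

    Hypothetical reconstruction of the weak pattern: whatever the caller
    passes, only the low 32 bits of the seed influence the output, so the
    same seed always yields the same token."""
    rng = random.Random(seed & 0xFFFFFFFF)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_token(length: int = 32) -> str:
    """Hardened form: every symbol comes from the OS CSPRNG; there is no seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int = 32) -> float:
    """Entropy a token of this length *looks* like it has: log2(62**length)."""
    return length * math.log2(len(ALPHABET))


def effective_bits(seed_bits: int = 32, length: int = 32) -> float:
    """Entropy the weak token actually has: capped by the seed, not the length."""
    return min(seed_bits, nominal_bits(length))


def distinct_weak_tokens(seed_bits: int, length: int = 32) -> int:
    """Enumerate the whole seed space for a small seed_bits and count the
    distinct tokens it can produce; the answer is at most 2**seed_bits even
    though 62**length tokens are nominally possible."""
    return len({weak_token(s, length) for s in range(1 << seed_bits)})


if __name__ == "__main__":
    print("nominal bits for a 32-char token:", round(nominal_bits(), 1))
    print("effective bits with a 32-bit seed:", effective_bits())
    print("distinct tokens from an 8-bit seed space:", distinct_weak_tokens(8))
    print("weak, same seed twice:", weak_token(7) == weak_token(7))
    print("strong, two calls:   ", strong_token() == strong_token())
```

The point of `distinct_weak_tokens` is the shape of the bound, not its size: at 8 seed bits you get 256 tokens, and the same ceiling at 32 bits is what makes the secret recoverable by enumeration rather than by guessing 190 bits of token. The fix is the one the post describes, a cryptographically secure generator, which `strong_token` shows has no seed to bound it.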

OnlyFans Models Are Using AI Impersonators to Keep Up With Their DMs

AI is replacing the humans who pretend to be OnlyFans stars in online amorous messages.

Click to view the original at wired.com

Hasnain says:

What in the world is it with these names?

“The field is already fairly crowded. Some of the better-known tools have on-the-nose names like FlirtFlow, ChatterCharms, and Botly. Another competitor, the relatively generically named Supercreator, has a suite of AI tools, from AI-generated scripts to an assistant called Inbox Copilot that algorithmically sorts simps, moving “spenders” to the top of the list and ignoring “freeloaders.””

Posted on 2024-12-12T07:44:19+0000

Claims of Hamas fighters in Gaza hospitals may have been exaggerated, says senior ICC prosecutor

Andrew Cayley, of the international criminal court, questioned reports used to justify Israeli military strikes

Click to view the original at theguardian.com

Hasnain says:

“Cayley said the ICC faced “great difficulty assessing” the level of Hamas militant presence in hospitals “because clearly there are lies being spoken, but that is really something we do need to get to the bottom of as a prosecution office”.

He added: “I think that has been grossly exaggerated, but we need to be able to demonstrate very clearly what the level of military presence was, if at all, in these hospitals because I think we’ve been misled about that in the press.”

Cayley indicated that Israeli operations against Gaza’s healthcare facilities would be examined. “Looking at damage to health facilities, destruction of health facilities, we will be coming on to that probably later next year. We’re having to do this in stages simply because of the resources that we have,” he added.”

Posted on 2024-12-12T07:26:20+0000

What sucks in security? Research findings from 50+ security leaders

I interviewed 57 security leaders and asked them "What sucks in security?" Their top pain points were inconsistent access management, vulnerability prioritization and remediation, and obtaining SaaS logs in case of an incident.

Click to view the original at mayakaczorowski.com

Hasnain says:

There is so much useful information here that I’ll find myself coming back to this a few times in the future. A lot of these are problems I’ve seen personally across multiple companies. Key takeaways for me:

* fundamentals still matter. You can protect against the most advanced threats but if there’s something basic missing it’s still game over
* security, engineering, IT, etc being multiple orgs is valuable but also causes friction working across orgs. I wish there was something better, but everyone being in one org has its downsides too
* I wish there was one tool to rule them all
* there is a sore need for core fundamental improvements across the board

Picking one quote out of many that resonated with me:

“Tracking ownership of services, assets, and applications has become increasingly complex. “It’s quite social and messy… more gardening than construction,” as one participant described it. Missing service catalogs, incomplete asset inventories, and unclear SaaS application ownership create operational friction.”

Posted on 2024-12-11T06:51:56+0000

The Google Willow thing

Yesterday I arrived in Santa Clara for the Q2B (Quantum 2 Business) conference, which starts this morning, and where I’ll be speaking Thursday on “Quantum Algorithms in 2024: How Should…

Click to view the original at scottaaronson.blog

Hasnain says:

There was so much debate about the Google Willow thing. I think it was a super impressive achievement, but the implication people were taking that it somehow proves the many worlds interpretation correct seemed overblown.

"In his remarks yesterday, Google Quantum AI leader Hartmut Neven talked about David Deutsch’s argument, way back in the 1990s, that quantum computers should force us to accept the reality of the Everettian multiverse, since “where else could the computation have happened, if it wasn’t being farmed out to parallel universes?” And naturally there was lots of debate about that on Hacker News and so forth. Let me confine myself here to saying that, in my view, the new experiment doesn’t add anything new to this old debate. It’s yet another confirmation of the predictions of quantum mechanics. What those predictions mean for our understanding of reality can continue to be argued as it’s been since the 1920s."

Posted on 2024-12-10T21:35:45+0000

XBOW – How XBOW found a Scoold authentication bypass

As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these is an authentication bypass in Scoold, a popular open-source Q&A platform.

Click to view the original at xbow.com

Hasnain says:

Tonight’s technical read: how an autonomous AI agent found a critical security vulnerability given just a jar and a prompt.

I’m sure there was a lot of hand holding and failed attempts but this result is still pretty mind blowing. For me the key takeaways here are again in how the prompting was done, how a multi step reasoning process can really help with AI agents, and last (but not least) how important it is to watch out for error behavior and not log things you don’t want to.

“It’s worth reading the full trace showing XBOW’s discovery and exploitation of the vulnerability, but here we’ll provide a guided tour through the most interesting moments. Note that some of the trace excerpts below have been edited for brevity.”

Posted on 2024-12-10T07:10:50+0000

Hasnain says:

Today’s technical read: how past colleagues over at Google have been using LLMs to automate vulnerability discovery. Some interesting takeaways for me were:

* providing specific context really matters
* LLMs can automate the full life cycle of what a human does; it just needs to be broken down into manageable chunks (and agents are promising). I’m hoping to cover a bit of this in a personal blog soon.
* this is worth reading even if you don’t know anything about fuzzing, as it applies to general test generation too
* LLMs make some things so much easier, when I contrast this post with work we did on [ thing I wish I could talk about but can’t due to NDA, past coworkers know what I’m talking about - could you please blog about it? :) ]

“This blog post discusses the results and lessons over a year and a half of work to bring AI-powered fuzzing to this point, both in introducing AI into fuzz target generation and expanding this to simulate a developer’s workflow. These efforts continue our explorations of how AI can transform vulnerability discovery and strengthen the arsenal of defenders everywhere.”

Posted on 2024-12-09T07:00:09+0000

Syrian army command tells officers that Assad's rule has ended, officer says

Insurgents gained control after only a day of fighting, leaving President Bashar al-Assad's 24-year rule dangling by a thread as rebels marched on Damascus.

Click to view the original at reuters.com

Hasnain says:

I am glad the people of Syria are free. This is too nice of an ending for Assad - no place in hell is hot enough for him - but the people are free. Now the work to recover begins.

“AMMAN/BEIRUT, Dec 8 (Reuters) - Syria's army command has notified officers that President Bashar al-Assad's rule has ended following a lightning rebel offensive, a Syrian officer who was informed of the move told Reuters.

Syrian rebels said Damascus was "now free of Assad".

Earlier Assad flew out of Damascus for an unknown destination on Sunday, two senior army officers told Reuters, as rebels said they had entered the capital with no sign of army deployments.”

Posted on 2024-12-08T03:59:33+0000