Hasnain says:

Unicode strikes again.

"When I flagged about this rather big omission to GitHub people, I got barely no responses at all and I get the feeling the impact of this flaw is not understood and acknowledged. Or perhaps they are all just too busy implementing the next AI feature we don’t want."

Hasnain says:

“Who has time to read all that? Who has the time for any of this? Technology is making our lives harder, not easier.

So I guess the next question is, "How do I fix this?" Like most people, I've been pulling back. Less time relying on algorithms to predict what I like and more time just making notes and lists in Obsidian. Any time I stumble across something that looks interesting or something I don't want to forget, I make a note of it so I can retrieve it later.”

Hasnain says:

“The GOOD version is good, because it avoids repeatedly re-evaluating condition, removes a branch from the hot loop, and potentially unlocks vectorization. This pattern works on a micro level and on a macro level — the good version is the architecture of TigerBeetle, where in the data plane we operate on batches of objects at the same time, to amortize the cost of decision making in the control plane.”

Hasnain says:

“It’s true that a lot of open source projects really hate AI code. There’s several objections, but the biggest one is that users who don’t understand their own lack of competence spam the projects with time-wasting AI garbage. The Curl project banned AI-generated security reports because they were getting flooded with automated AI-generated “bug bounty” requests. [LinkedIn]

More broadly, the very hardest problem in open source is not code, it’s people — how to work with others. Some AI users just don’t understand the level they simply aren’t working at.

One user of the LLVM compiler complained that his AI-generated pull requests were not being taken seriously — by a compiler project, where correct computer science and knowing precisely what the heck you’re doing is quite important.

The user considered it was the unpaid volunteer coders’ “job” to take his AI submissions seriously. He even filed a code of conduct complaint with the project against the developers. This was not upheld. So he proclaimed the project corrupt. [GitHub; Seylaw, archive]

“

Hasnain says:

This was a pretty motivating read! I’ve been doing this type of work recently for learning purposes and having an MCP for eg pwndbg would make this so much easier for a noob like me

(Now I must ensure I don’t get distracted by yet another rabbit hole on side projects…)

“What Does This Mean In Practice?

Let me walk you through what this enables:

Natural language crash analysis: "Why is this application crashing with an access violation at this address?" (Instead of: "What the $%#@ is this heap corruption!?")

Contextual debugging: "Show me the stack trace for thread 5 and explain what each function is doing based on the symbols." (Instead of staring at call stacks like they're ancient hieroglyphics)

Root cause identification: "What's causing this null pointer dereference and where should I look in the code to fix it?" (Instead of playing detective with memory addresses)

Instead of typing obscure commands like !analyze -v followed by a series of manual investigations, you simply ask questions in plain language, and the AI interprets the crash data for you. It's like having a WinDBG expert whispering in your ear, except it doesn't get annoyed when you ask the same question five times.

“

Hasnain says:

This was a great read - will probably come back to it periodically.

"Competitors don't really matter
You might have noticed I haven't mentioned anything about competitors here, despite operating in a highly competitive market.

The truth is I don't think they change much.

Sure, there are more "table-stakes" features that customers need before they'll even consider using you, but the real competitor is a lack of awareness of your product, more than anything."

Hasnain says:

"Obviously, we should have won on appeal to the Illinois Supremes. If you sit on that court, call me, we can straighten this out.

That said: today, Illinois public bodies can refuse to divulge database schemas.

This is problematic, because more and more data is finding its way out of file cabinets and shared drives and Word documents and into specialized applications, where the only way to get at the underlying data is to FOIA a database query.

Databases shouldn’t be a safe harbor for municipalities to conceal information from the public."

Hasnain says:

This is why we need more cross-pollination of ideas across disciplines and a willingness to learn.

"After implementing the learnings they had been given by Ferrari, the average number of technical errors per handover fell by 42 per cent and “information handover omissions” fell by 49 per cent. After initial resistance, these steps were rolled out at many hospitals across the country and remain to this day.

“It was very interesting talking to Ferrari in Zandvoort. They’ve been approached by lots of hospitals to say, oh, they don’t believe it, but when they’ve redone the work, the same thing happens,” Elliott adds.

Hasnain says:

I wonder what’s finally changing behind the scenes so that major publications are coming out and finally calling a spade a spade. Pleasantly surprised to see this as a full editorial from the guardian.

I hope it results in real change.

“The legal bar for proving genocide is exceptionally high. Washington has declared genocides four times in the last decade – in Iraq and Syria, Myanmar, Xinjiang in China and Sudan – without waiting for judges. International law moves slowly, and signatories to the convention, including the US and UK, are required not only to punish but to prevent genocide. The court of public opinion is reaching its own conclusion. Supporters of Israel often argue that it is held to an unfair standard. But Israel has international protection not only because of the history of the Holocaust, but also as a democracy and a western ally. Its actions are enabled by vast US military aid and political cover. Now it plans a Gaza without Palestinians. What is this, if not genocidal? When will the US and its allies act to stop the horror, if not now?”

Hasnain says:

This was great and now I’m looking forward to the next piece.

“This blog post described my journey into the world of MacOS vulnerability research and fuzzing. I hope I have shown how a knowledge-driven fuzzing approach can allow rapid prototyping and iteration, a deep understanding of the target, and high impact bugs.
In my next post, I will perform a detailed walkthrough of my experience attempting to exploit CVE-2024-54529.”