placeholder

Detecting malicious Unicode

In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts. In a later presentation, he could show us how not a single human reviewer in the team nor any CI job had spotted or remarked on one of … ...

Click to view the original at daniel.haxx.se

Hasnain says:

Unicode strikes again.

"When I flagged about this rather big omission to GitHub people, I got barely no responses at all and I get the feeling the impact of this flaw is not understood and acknowledged. Or perhaps they are all just too busy implementing the next AI feature we don’t want."

Posted on 2025-05-17T22:54:16+0000

placeholder

If nothing is curated, how do we find things?

Bjork is currently promoting a new concert film being released called . She's been releasing new photoshoots and interviews almost every day for the past two...

Click to view the original at tadaima.bearblog.dev

Hasnain says:

“Who has time to read all that? Who has the time for any of this? Technology is making our lives harder, not easier.

So I guess the next question is, "How do I fix this?" Like most people, I've been pulling back. Less time relying on algorithms to predict what I like and more time just making notes and lists in Obsidian. Any time I stumble across something that looks interesting or something I don't want to forget, I make a note of it so I can retrieve it later.”

Posted on 2025-05-17T21:22:06+0000

placeholder

Hasnain says:

“The GOOD version is good, because it avoids repeatedly re-evaluating condition, removes a branch from the hot loop, and potentially unlocks vectorization. This pattern works on a micro level and on a macro level — the good version is the architecture of TigerBeetle, where in the data plane we operate on batches of objects at the same time, to amortize the cost of decision making in the control plane.”

Posted on 2025-05-17T21:18:19+0000

placeholder

If AI is so good at coding … where are the open source contributions?

You can hardly get online these days without hearing some AI booster talk about how AI coding is going to replace human programmers. AI code is absolutely up to production quality! Also, you’re all…

Click to view the original at pivot-to-ai.com

Hasnain says:

“It’s true that a lot of open source projects really hate AI code. There’s several objections, but the biggest one is that users who don’t understand their own lack of competence spam the projects with time-wasting AI garbage. The Curl project banned AI-generated security reports because they were getting flooded with automated AI-generated “bug bounty” requests. [LinkedIn]

More broadly, the very hardest problem in open source is not code, it’s people — how to work with others. Some AI users just don’t understand the level they simply aren’t working at.

One user of the LLVM compiler complained that his AI-generated pull requests were not being taken seriously — by a compiler project, where correct computer science and knowing precisely what the heck you’re doing is quite important.

The user considered it was the unpaid volunteer coders’ “job” to take his AI submissions seriously. He even filed a code of conduct complaint with the project against the developers. This was not upheld. So he proclaimed the project corrupt. [GitHub; Seylaw, archive]

Posted on 2025-05-16T08:01:57+0000

placeholder

The Future of Crash Analysis: AI Meets WinDBG

Because manually squinting at hex dumps is so last century. Let me show you how AI-assisted debugging is leaving WinDBG's command line in the dust.

Click to view the original at svnscha.de

Hasnain says:

This was a pretty motivating read! I’ve been doing this type of work recently for learning purposes and having an MCP for eg pwndbg would make this so much easier for a noob like me

(Now I must ensure I don’t get distracted by yet another rabbit hole on side projects…)

“What Does This Mean In Practice?

Let me walk you through what this enables:

Natural language crash analysis: "Why is this application crashing with an access violation at this address?" (Instead of: "What the $%#@ is this heap corruption!?")

Contextual debugging: "Show me the stack trace for thread 5 and explain what each function is doing based on the symbols." (Instead of staring at call stacks like they're ancient hieroglyphics)

Root cause identification: "What's causing this null pointer dereference and where should I look in the code to fix it?" (Instead of playing detective with memory addresses)

Instead of typing obscure commands like !analyze -v followed by a series of manual investigations, you simply ask questions in plain language, and the AI interprets the crash data for you. It's like having a WinDBG expert whispering in your ear, except it doesn't get annoyed when you ask the same question five times.

Posted on 2025-05-13T03:49:46+0000

placeholder

Hasnain says:

This was a great read - will probably come back to it periodically.

"Competitors don't really matter
You might have noticed I haven't mentioned anything about competitors here, despite operating in a highly competitive market.

The truth is I don't think they change much.

Sure, there are more "table-stakes" features that customers need before they'll even consider using you, but the real competitor is a lack of awareness of your product, more than anything."

Posted on 2025-05-12T04:45:10+0000

placeholder

Closing A Back Door In Illinois FOIA

I Went To SQL Injection Court 9 February 2025 Should public bodies in Illinois, like cities and school districts and sheriff’s departments, be allowed to hide information from Freedom of Information requests by keeping them in databases? That question is before the 104th Illinois General Assembly,...

Click to view the original at sockpuppet.org

Hasnain says:

"Obviously, we should have won on appeal to the Illinois Supremes. If you sit on that court, call me, we can straighten this out.

That said: today, Illinois public bodies can refuse to divulge database schemas.

This is problematic, because more and more data is finding its way out of file cabinets and shared drives and Word documents and into specialized applications, where the only way to get at the underlying data is to FOIA a database query.

Databases shouldn’t be a safe harbor for municipalities to conceal information from the public."

Posted on 2025-05-11T22:39:22+0000

placeholder

The surgeon who used F1 pitstop techniques to save lives of babies

Professor Martin Elliott reflects on how watching a Formula 1 race two decades ago led to an unlikely partnership with Ferrari that transformed practices at Great Ormond Street and other hospitals

Click to view the original at thetimes.com

Hasnain says:

This is why we need more cross-pollination of ideas across disciplines and a willingness to learn.

"After implementing the learnings they had been given by Ferrari, the average number of technical errors per handover fell by 42 per cent and “information handover omissions” fell by 49 per cent. After initial resistance, these steps were rolled out at many hospitals across the country and remain to this day.

“It was very interesting talking to Ferrari in Zandvoort. They’ve been approached by lots of hospitals to say, oh, they don’t believe it, but when they’ve redone the work, the same thing happens,” Elliott adds.

Posted on 2025-05-11T22:26:19+0000

placeholder

The Guardian view on Israel and Gaza: Trump can stop this horror. The alternative is unthinkable | Editorial

Editorial: The US president has the leverage to force through a ceasefire. If he does not, he will implicitly signal approval of what looks like a plan of total destruction

Click to view the original at theguardian.com

Hasnain says:

I wonder what’s finally changing behind the scenes so that major publications are coming out and finally calling a spade a spade. Pleasantly surprised to see this as a full editorial from the guardian.

I hope it results in real change.

“The legal bar for proving genocide is exceptionally high. Washington has declared genocides four times in the last decade – in Iraq and Syria, Myanmar, Xinjiang in China and Sudan – without waiting for judges. International law moves slowly, and signatories to the convention, including the US and UK, are required not only to punish but to prevent genocide. The court of public opinion is reaching its own conclusion. Supporters of Israel often argue that it is held to an unfair standard. But Israel has international protection not only because of the history of the Holocaust, but also as a democracy and a western ally. Its actions are enabled by vast US military aid and political cover. Now it plans a Gaza without Palestinians. What is this, if not genocidal? When will the US and its allies act to stop the horror, if not now?”

Posted on 2025-05-11T22:00:03+0000

placeholder

Hasnain says:

This was great and now I’m looking forward to the next piece.

“This blog post described my journey into the world of MacOS vulnerability research and fuzzing. I hope I have shown how a knowledge-driven fuzzing approach can allow rapid prototyping and iteration, a deep understanding of the target, and high impact bugs.
In my next post, I will perform a detailed walkthrough of my experience attempting to exploit CVE-2024-54529.”

Posted on 2025-05-11T19:20:20+0000