[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023-29357 & CVE-2023-24955)
Brief I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and r...
Hasnain says:
alg=none strikes again.
“Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server. 😁.”
Posted on 2023-09-25T19:47:54+0000
Ex-workers allege TikTok’s owner retaliated after racism complaints
Two Black ex-employees allege in a new Equal Employment Opportunity Commission charge that their managers retaliated against them after they complained about racism.
Hasnain says:
No words
“Later, Matima alleges she learned from a colleague that she was commonly referred to by managers as a “black snake” and that her direct supervisor said that “black snake” was the “spirit animal” that he associated with her.
“I can’t stress enough how dehumanizing it was to learn of that,” she said in an interview.
After Matima formally complained again about discrimination from her manager, ByteDance earlier this year let both Matima and her supervisor go, according to the complaint. The company told her she was being fired for poor performance, according to the complaint.”
Posted on 2023-09-24T17:22:04+0000
My solopreneur story: zero to $45K/mo in 2 years
Today is exactly 2 years since I quit my job and became a full-time indie hacker.
Hasnain says:
“In the first few months after quitting my job, I worked a lot. Probably 12 hours a day, or even 16 hours/day if you also count Twitter as “work”.
So when I reached $4K MRR, a decent amount considering my living cost in Vietnam, I started to slow down.
I still want to get more revenue, but I realized that this is a moving goalpost, and it will never stop. $10K, then $20K, then $50K. I knew I would never be satisfied.
It’s much better to work and play at the same time.
So I traveled. I went for a trip around Vietnam.”
Posted on 2023-09-23T22:11:55+0000
It's okay to Make Something Nobody Wants
Products seem to be made for users, but I think this might be an illusion; they are more like a medium for self-expression. Different expressions, conceived by various minds, undergo a form of natural selection, with the surviving expression being the one that resonates most with users. I mean, the....
Hasnain says:
“Later, when talking with my girlfriend about this, I suddenly understood Steve Jobs, and others like him, much more deeply.
People often complained about Jobs: when his team showed him their work, he would say “It doesn’t feel right,” and when they asked how to fix it, he said “I don’t know, make it better and show me again, and then I’ll know.”
This confused a lot of people. He found problems but didn’t know how to fix them or why they were problems.
Now, I totally get where Jobs was coming from.”
Posted on 2023-09-23T22:04:23+0000
Definitely Do Not Put Plastic in the Microwave
Experts say, even if it claims to be “microwave-safe.”
Hasnain says:
“All of the experts I spoke with suggest people avoid storing and heating food in plastics altogether. “Without testing the entire landscape of these products, it is hard to really know” if any of them are truly safe, says Rogers.”
Posted on 2023-09-23T22:01:54+0000
The Frustration Loop
Dealing with spam the fun way.
Hasnain says:
“"Now hold up there Herman! Won't this be triggered by valid users?" you say.
Perhaps, but it's fairly unlikely. In my tests I haven't managed to trigger it without explicitly performing a dodgy action. On top of that, it's been running in production for the past 3 months and I've only had one user report this as an issue. He was advertising online casinos.
Did it stop the spammers?
Yes!”
Posted on 2023-09-23T21:54:11+0000
The WebP 0day
Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning att...
Hasnain says:
“The lack of available technical information from the vendors here made verification challenging, and it's questionable who this really benefits. Attackers are clearly highly motivated to track and exploit N-day vulnerabilities, and the lack of technical details being released won't significantly slow them down. On the other hand, very few defenders are resourced to be able to perform the type of technical analysis I've shared today. It's counter-intuitive, but withholding basic technical details about how these attacks are working is an asymmetry that mostly benefits attackers -- you quickly end up in a situation where attackers have access to insights about the vulnerability/exploit that defenders don't have.
This bug also shows that we have an over-reliance on fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed.”
Posted on 2023-09-23T21:47:43+0000
How do databases execute expressions? | notes.eatonphil.com
How do databases execute expressions?
Hasnain says:
At some point I need to sit down and write a database. This was an exciting read.
“As the DuckDB team points out, vectorized interpretation or JIT compilation seem like the future for database expression execution. These strategies seem particularly important for analytics or time-series workloads. But vectorized interpretation seems to make the most sense for column-wise storage engines. And column-wise storage normally only makes sense for analytics workloads. Still, TiDB and Cockroach are transactional databases that also vectorize execution.
And while SQLite and PostgreSQL use the virtual machine model, it's possible databases with tree-walking interpreters like Scylla and MySQL/MariaDB have decided there are not significant enough gains to be had (for transactional workloads) to justify the complexity of moving to a compiler + virtual machine architecture.”
Posted on 2023-09-22T06:57:47+0000
Confused Automakers Braced for Strike at the Wrong Plants
The Big Three automakers stalled production and moved parts out of plants across the country ahead of the strike, according to rank-and-file UAW members.
Hasnain says:
The moves this guy has been orchestrating are amazing.
“The strategy the UAW is currently employing is led by the union’s new militant president, Shawn Fain. He was elected in March after the UAW changed its election process from a delegate system to one member, one vote in the most recent leadership election. He has assumed a new posture for the union’s leadership: for example, refusing to endorse Joe Biden for president until he supports the UAW’s efforts to unionize electric vehicle facilities, and rejecting a ceremonial handshake with auto manufacturer bosses before the start of contract negotiations.”
Posted on 2023-09-20T03:08:09+0000
Microsoft completely misjudged Baldur’s Gate 3
Not a great look for Microsoft
Hasnain says:
I’ve started playing it and liking it so far. Wish I had more time/energy to sink into it.
“In hindsight, Microsoft made a big oopsie; Baldur’s Gate 3 has no exclusivity tied to it, so its exclusion from the Xbox console was noticeable. In February, Larian Studios explained why Baldur’s Gate 3 didn’t have a planned Xbox release at the time. Vincke said on X — then Twitter — that Baldur’s Gate 3’s split-screen co-op didn’t work on Xbox Series S, Microsoft’s lower-priced console. Microsoft requires games to have feature parity across Xbox Series X and Series S, which held up the launch. By Aug. 24, after Baldur’s Gate 3’s major successes, Microsoft made a concession to let Baldur’s Gate 3 launch without split-screen co-op on Xbox Series S.
Baldur’s Gate 3 is now expected to arrive on Xbox later this year.”
Posted on 2023-09-19T20:04:25+0000