A journey into the shaken baby syndrome/abusive head trauma controversy - Fifteen Eighty Four | Cambridge University Press
Cambridge University Press is publishing a textbook I have co-edited with five colleagues, Shaken Baby Syndrome, Investigating the Abusive Head Trauma Controversy, by Findley et al. With contributions by 32 authors, this book provides a thorough analysis of an interdisciplinary subject lying at the....
Hasnain says:
Did not know this. This is super scary and eye opening.
“As underlined by Innocence Project cofounder Barry Scheck in the book’s foreword, it is essential that the public and all professionals involved in these cases comprehend the forensic unreliability of determinations of SBS/AHT. That does not mean that suspicions of child abuse shouldn’t be reported, that cases of children with unexplained traumatic injuries shouldn’t be investigated, that intentional head trauma does not occur or does not cause severe injuries. However, healthcare professionals should recognize that child abuse is a legal determination, not a medical one. While physicians have a duty to report suspicions of child abuse, asserting the “certainty” of a hypothesis without disclosing to the courts the unreliability of its scientific foundations is unethical and unacceptable.”
Posted on 2023-09-27T20:17:57+0000
SQLite insert speed
A little-discussed method enables inserting rows with bound data into SQLite faster than any existing technique. This novel method is then discovered to have a drawback that makes it generally unusable. The rest of this article explores how to get the best insert performance out of SQLite generally;...
Hasnain says:
Some great benchmarking and database insights here.
“Insert speed games are revealing of database performance characteristics, but are themselves impractical. The fastest tests all involve insertion into unindexed tables. As soon as indexes are applied, their costs dominate.
Rapidly inserting millions of unindexed rows is only useful when later read sequentially, perhaps as part of a data pipeline. A SQLite format does add some conveniences for this role, but if you are trying to emit rows as fast as possible, consider the database only sinks integer rows at a rate of about 40 MiB/s; in comparison the same computer's unremarkable SSD has a sustained write rate of 454 MiB/s for regular files.”
[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023-29357 & CVE-2023-24955)
Brief: I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and r...
Hasnain says:
alg=none strikes again.
“Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server. 😁.”
Posted on 2023-09-25T19:47:54+0000
Ex-workers allege TikTok’s owner retaliated after racism complaints
Two Black ex-employees allege in a new Equal Employment Opportunity Commission charge that their managers retaliated against them after they complained about racism.
Hasnain says:
No words
“Later, Matima alleges she learned from a colleague that she was commonly referred to by managers as a “black snake” and that her direct supervisor said that “black snake” was the “spirit animal” that he associated with her.
“I can’t stress enough how dehumanizing it was to learn of that,” she said in an interview.
After Matima formally complained again about discrimination from her manager, ByteDance earlier this year let both Matima and her supervisor go, according to the complaint. The company told her she was being fired for poor performance, according to the complaint.”
Posted on 2023-09-24T17:22:04+0000
My solopreneur story: zero to $45K/mo in 2 years
Today is exactly 2 years since I quit my job and became a full-time indie hacker.
Hasnain says:
“In the first few months after quitting my job, I worked a lot. Probably 12 hours a day, or even 16 hours/day if you also count Twitter as “work”.
So when I reached $4K MRR, a decent amount considering my living cost in Vietnam, I started to slow down.
I still want to get more revenue, but I realized that this is a moving goalpost, and it will never stop. $10K, then $20K, then $50K. I knew I would never be satisfied.
It’s much better to work and play at the same time.
So I traveled. I went for a trip around Vietnam.”
Posted on 2023-09-23T22:11:55+0000
It's okay to Make Something Nobody Wants
Products seem to be made for users, but I think this might be an illusion; they are more like a medium for self-expression. Different expressions, conceived by various minds, undergo a form of natural selection, with the surviving expression being the one that resonates most with users. I mean, the....
Hasnain says:
“Later, when talking with my girlfriend about this, I suddenly understood Steve Jobs, and others like him, much more deeply.
People often complained about Jobs: when his team showed him their work, he would say “It doesn’t feel right,” and when they asked how to fix it, he said “I don’t know, make it better and show me again, and then I’ll know.”
This confused a lot of people. He found problems but didn’t know how to fix them or why they were problems.
Now, I totally get where Jobs was coming from.”
Posted on 2023-09-23T22:04:23+0000
Definitely Do Not Put Plastic in the Microwave
Experts say, even if it claims to be “microwave-safe.”
Hasnain says:
“All of the experts I spoke with suggest people avoid storing and heating food in plastics altogether. “Without testing the entire landscape of these products, it is hard to really know” if any of them are truly safe, says Rogers.”
Posted on 2023-09-23T22:01:54+0000
The Frustration Loop
Dealing with spam the fun way.
Hasnain says:
“"Now hold up there Herman! Won't this be triggered by valid users?" you say.
Perhaps, but it's fairly unlikely. In my tests I haven't managed to trigger it without explicitly performing a dodgy action. On top of that, it's been running in production for the past 3 months and I've only had one user report this as an issue. He was advertising online casinos.
Did it stop the spammers?
Yes!”
Posted on 2023-09-23T21:54:11+0000
The WebP 0day
Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning att...
Hasnain says:
“The lack of available technical information from the vendors here made verification challenging, and it's questionable who this really benefits. Attackers are clearly highly motivated to track and exploit N-day vulnerabilities, and the lack of technical details being released won't significantly slow them down. On the other hand, very few defenders are resourced to be able to perform the type of technical analysis I've shared today. It's counter-intuitive, but withholding basic technical details about how these attacks are working is an asymmetry that mostly benefits attackers -- you quickly end up in a situation where attackers have access to insights about the vulnerability/exploit that defenders don't have.
This bug also shows that we have an over-reliance on fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed.”
Posted on 2023-09-23T21:47:43+0000
How do databases execute expressions? | notes.eatonphil.com
How do databases execute expressions?
Hasnain says:
At some point I need to sit down and write a database. This was an exciting read.
“As the DuckDB team points out, vectorized interpretation or JIT compilation seem like the future for database expression execution. These strategies seem particularly important for analytics or time-series workloads. But vectorized interpretation seems to make the most sense for column-wise storage engines. And column-wise storage normally only makes sense for analytics workloads. Still, TiDB and Cockroach are transactional databases that also vectorize execution.
And while SQLite and PostgreSQL use the virtual machine model, it's possible databases with tree-walking interpreters like Scylla and MySQL/MariaDB have decided there is not significant enough gains to be had (for transactional workloads) to justify the complexity of moving to a compiler + virtual machine architecture.”
Posted on 2023-09-22T06:57:47+0000