Tatís signed a contract with Big League Advance, an unusual investment fund that pays minor-league players money up front in exchange for a share of their future MLB earnings.

The Big League Advance payouts aren’t loans. If the player never reaches the majors, he doesn’t have to reimburse the money, and Big League Advance loses its stake. When a player turns into a MLB star like Tatís, Big League Advance receives a huge payout. In effect, Tatís is now funding a bunch of minor-leaguers who will never make it. It’s similar to a venture capital fund that backs lots of startups that fail, in return for a gigantic payday from getting in early on a company like Facebook or Uber.

Venture capital for all the things.

Last August, Citigroup Inc. wired $900 million to some hedge funds by accident. Then it sent a note to the hedge funds saying, oops, sorry about that, please send us the money back. Some did. Others preferred to keep the money. Citi sued them. Yesterday Citi lost, and they got to keep the money. I read the opinion, by U.S. District Judge Jesse Furman, expecting to learn about the New York legal doctrine of finders keepers—more technically, the “discharge-for-value defense”—and I was not disappointed. But I was also treated to a gothic horror story about software design. I had nightmares all night about checking the wrong boxes on the computer.

source: ML

In response to Australia’s proposed new Media Bargaining law, Facebook will restrict publishers and people in Australia from sharing or viewing Australian and international news content.

This blog post is an in-depth dive into the security features of the Intel/Windows platform boot process. In this post I’ll explain the startup process through security focused lenses, next post we’ll dive into several known attacks and how there were handled by Intel and Microsoft. My wish is to explain to technology professionals not deep into platform security why Microsoft’s SecureCore is so important and necessary.

Not exclusive to Windows systems, lots of PC platform details.

source: grugq

When one side’s receive buffer (Recv-Q) fills up (in this case because the rsync process is doing disk I/O at a speed slower than the network’s), it will send out a zero window advertisement, which will put that direction of the connection on hold. When buffer space eventually frees up, the kernel will send an unsolicited window update with a non-zero window size, and the data transfer continues. To be safe, just in case this unsolicited window update is lost, the other end will regularly poll the connection state using the so-called Zero Window Probes (the persist mode we are seeing here).

Apparently, the bug was in the bulk receiver fast-path, a code path that skips most of the expensive, strict TCP processing to optimize for the common case of bulk data reception. This is a significant optimization, outlined 28 years ago² by Van Jacobson in his “TCP receive in 30 instructions” email. Apparently the Linux implementation did not update snd_wl1 while in the receiver fast path. If a connection uses the fast path for too long, snd_wl1 will fall so far behind that ack_seq will wrap around with respect to it. And if this happens while the receive window is zero, there is no way to re-open the window, as demonstrated above. What’s more, this bug had been present in Linux since v2.1.8, dating back to 1996!

source: trivium

When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?

Interesting variation on typo squatting.

https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack

source: HN

This week’s interview features Dr. Steven Gass, the inventor of the SawStop—considered one of the best table saws (we love the one in our office!). SawStop has a unique safety feature that automatically brakes the blade if a finger touches it.

source: K

The block profile in Go lets you analyze how much time your program spends waiting on the blocking operations listed below:

source: HN

I tested how the 1000 most popular Chrome extensions affect browser performance. The main metrics I’ll consider are CPU consumption, memory consumption, and whether the extension makes pages render more slowly.

Some results are terrible. Some are worse.

source: HN

Two of the tiny lizards were discovered by a German-Madagascan expedition team in Madagascar. The male Brookesia nana, or nano-chameleon, has a body of just 13.5mm.

source: HN

Why does this matter? Okay, let’s say you have a JSON message where you pass around the unique ID of some object in your system. Let’s further say that your system “mints” IDs out of a 64 bit number space, and it spreads them around, so large numbers can turn up every now and then. What happens when you finally get an object ID with a value of 1152921504606846976 and put it into a message?

Okay let’s do payment for order flow again, because people are talking about it and that always stresses me out. Here’s an intuitive description of how it works.

source: ML

They had $19 million, a deal with Disney, and dreams of becoming the next Ben & Jerry’s. Then everything fell apart.

source: ML

This is a longer version of the piece I published in the mozilla gfx team blog where I focus on the atlas allocation algorithms. In this one I’ll go into more details about the process and methodology behind these improvements. The first part is about the making of guillotiere, a crate that I first released in March 2019. In the second part we’ll have a look at more recent work building upon what I did with guillotiere, to improve texture memory usage in WebRender/Firefox.

https://mozillagfx.wordpress.com/2021/02/04/improving-texture-atlas-allocation-in-webrender/

source: HN

Uniwidth typefaces, on the other hand, are proportionally-spaced typefaces, but every character occupies the same space across different cuts or weights. What this means in practice is that no matter which weight you set your text in, it will never change its length or cause text to reflow.

source: HN

In this post I’ll explain how I configured my AMD ThreadRipper Pro workstation with 10 PCIe 4.0 SSDs to achieve 11M IOPS with 4kB random reads and 66 GiB/s throughput with larger IOs - and what bottlenecks & issues I fixed to get there. We’ll look into Linux block I/O internals and their interaction with modern hardware. We’ll use tools & techniques, old and new, for measuring bottlenecks - and other adventures in the kernel I/O stack.

source: HN

The blog post will start with an overview of the major changes Apple implemented in iOS 14 which affect the security of iMessage. Afterwards, and mostly for the readers interested in the technical details, each of the major improvements is described in more detail while also providing a walkthrough of how it was reverse engineered. At least for the technical details, it is recommended to briefly review the blog post series from last year for a basic introduction to iMessage and the exploitation techniques used to attack it.

This approach could apply to any system.

Apple’s latest line of Macs includes their in-house “M1” system-on-chip, featuring a custom GPU. This poses a problem for those of us in the Asahi Linux project who wish to run Linux on our devices, as this custom Apple GPU has neither public documentation nor open source drivers. Some speculate it might descend from PowerVR GPUs, as used in older iPhones, while others believe the GPU to be completely custom. But rumours and speculations are no fun when we can peek under the hood ourselves!

And part II where it really takes off: https://rosenzweig.io/blog/asahi-gpu-part-2.html

source: HN

Some time ago, we noticed at Realmode Labs that Amazon Kindle has an interesting feature called “Send to Kindle”. This feature allows Kindle users to send e-books to their device as email attachments. We immediately thought of the potential security concerns of this feature: what if we can send malicious e-books to unsuspecting users?

source: R

Even with all the pieces in place, quite a bit of work to do.

The release of Apple Silicon-based Macs at the end of last year generated a flurry of news coverage and some surprises at the machine’s performance. This post details some background information on the experience of porting Firefox to run natively on these CPUs.

We’ll start with some background on the Mac transition and give an overview of Firefox internals that needed to know about the new architecture, before moving on to the concept of Universal Binaries.

We’ll then explain how DRM/EME works on the new platform, talk about our experience with macOS Big Sur, and discuss various updater problems we had to deal with. We’ll conclude with the release and an overview of various other improvements that are in the pipeline.

source: HN