Browsers do all sorts of things to keep https connections secure. Most other clients do not. Why can’t we all just get along?

source: L

> he took me to the local Soviet to listen to Lenin’s speeches

source: grugq

I can imagine any of these things happening through negligence or laziness. The responses after being called out are more worrisome. Simply being defensive or actually misguided?

source: HN

Start a business with just one click! OK, maybe a few more, but Stripe’s trying to streamline the process.

> We have 3 very well-known algorithms (currency arbitrage, Q-learning, path tracing) that independently discovered the principle of relaxation used in shortest-path algorithms such as Dijkstra’s and Bellman-Ford. Remarkably, each of these disparate fields of study discovered notions of hard and soft optimality, which is relevant in the presence of noise or high-dimensional path integrals.

source: HN

> Established, traditional order is under assault from freewheeling, networked disrupters as never before. But society craves centralized leadership, too.

I think the idea is to stop before going full French Revolution. Just a touch of change, please.

> Mr. Ferguson’s new book, “The Square and the Tower: Networks and Power, from the Freemasons to Facebook,” will be published by Penguin Press on Jan. 16.

> Quinto is basically Scrabble, except with numbers instead of letters.

source: trivium

How to autopatch a game without a patching feature?

> Takeaways: Include patching code in your shipped game, and don’t use unbounded strcpy.

Two other tales of low level mayhem included as well.

Writeup of previous Tor/Firefox vuln and exploit from November.

> This blogpost describes a way to exploit a Linux kernel bug (CVE-2018-17182) that exists since kernel version 3.16. While the bug itself is in code that is reachable even from relatively strongly sandboxed contexts, this blogpost only describes a way to exploit it in environments that use Linux kernels that haven’t been configured for increased security (specifically, Ubuntu 18.04 with kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37). This demonstrates how the kernel configuration can have a big impact on the difficulty of exploiting a kernel bug.

> The bug was fixed by changing the sequence numbers to 64 bits, thereby making an overflow infeasible, and removing the overflow handling logic.

The miracle cure for all your overflow ailments, the bigger int.

> The policy of only printing a warning even when the kernel has discovered a memory corruption is problematic for systems that should kernel panic when the kernel notices security-relevant events like kernel memory corruption.

That does seem problematic.

> Not all neural network architectures are created equal, some perform much better than others for certain tasks. But how important are the weight parameters of a neural network compared to its architecture? In this work, we question to what extent neural network architectures alone, without learning any weight parameters, can encode solutions for a given task. We propose a search method for neural network architectures that can already perform a task without any explicit weight training. To evaluate these networks, we populate the connections with a single shared weight parameter sampled from a uniform random distribution, and measure the expected performance. We demonstrate that our method can find minimal neural network architectures that can perform several reinforcement learning tasks without weight training. On supervised learning domain, we find architectures that can achieve much higher than chance accuracy on MNIST using random weights.

Some fun demos.

source: L

One for each linux distro.

source: MR

Good rundown of how paging and CPUs work, too.

source: grugq

> This also means that the compiler is vulnerable to what is colloquially known as the “Trusting Trust” attack, an attack described in Ken Thompson’s acceptance speech for the 1983 Turing Award. This kind of thing fascinates me, so I decided to try writing one myself.

> It’s the end of an era — finally.

There was something pleasantly archaic about using tokens, provided you had one ready and weren’t in a scramble to find it.

Maybe, if you make the sausage yourself. Good luck.

source: green

> Constructions of zk-SNARKs involve a careful combination of several ingredients; fully understanding how these ingredients all work together can take a while.

Ongoing series.

source: green

> Why can’t we mark these scripts and execute them all at the end, after the parsing is done? This is because of an old, ill-thought out Document API function called document.write(). This function is a pain point for many developers who work on browsers, as it is a real headache implementing it well enough, while working around the many idiosyncrasies which surround it.

source: HN

> We reverse-engineered a program written for a completely custom, unknown CPU architecture, without any documentation for the CPU (no emulator, no ISA reference, nothing) in the span of ten hours.

source: HN

> People tend to be visual: we use pictures to understand problems. Mainstream programming languages, on the other hand, operate in an almost completely different kind of abstract space, leaving a big gap between programs and pictures. This piece is about pictures drawn using a text character set and then embedded in source code. I love these! The other day I asked around on Twitter for more examples and the responses far exceeded expectations (thanks everyone!). There are a ton of great examples in the thread; here I’ve categorized a few of them. Click on images go to the repositories.