This release fixes a serious under-allocation bug in regexec due to

integer overflow (CVE-2016-8859) and related issues.

Details: http://www.openwall.com/lists/oss-security/2016/10/19/1

source: solar

In trying to figure out the best reactive structure for druid, as well as how to communicate that to the world, I’ve been studying a wide range of reactive UI systems. I’ve found an incredible diversity, even though they have fairly consistent goals. This post is an attempt to find common patterns, to characterize the design space as a whole. It will be rough, at some points almost a stream of consciousness. If I had the time and energy, I think it could be expanded into an academic paper. But, for now, perhaps these rough thoughts are interesting to some people working in the space.

source: L

The Long-run Impact of Transport Infrastructure

What is the causal impact of infrastructure on economic

development?

source: MR

Ruby 2.7 is coming out this December, as with all modern releases, but that doesn’t stop us from looking for and writing about all the fun things we find in the mean time! No no no. For this article, we have something that’s very reminiscent of Bash, Perl, and Scala: Numbered parameters.

source: L

I’ve recently been writing a bit of parsing code in Rust, and I’ve been jumping back and forth between a few different parsing libraries - they all have different advantages and disadvantages, so I wanted to write up some notes here to help folks who are undecided choose what libraries and techniques to consider, and also to offer some suggestions for the future of the Rust parsing ecosystem.

source: L

Lots and lots of small buffers is still a lot of memory.

source: L

In my last post I introduced the Compiler performance roadmap for 2022. Let’s see how things are progressing.

Along the way I had to undo some optimizations I had added to this code a couple of years ago. Those optimizations turned out to be useful for one kind of expensive macro (with many rules but no metavariables) present in the html5ever benchmark. But such macros aren’t common in practice, and these optimizations were unhelpful for more typical expensive macros, which are recursive, have fewer rules, and use metavariables. This shows the value of a good benchmark suite.

source: L

Unexpectedly, about too few gadgets, not too many.

Winter is coming for gadgets. Or maybe winter has already come for gadgets. Everywhere you look, these days, gadgets seem on the rocks.

Related: Silicon Valley Stumbles in World Beyond Software http://www.wsj.com/articles/silicon-valley-stumbles-in-world-beyond-software-1481042474

In this paper I present an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. I received the messages because the spammers, whom I had described previously on my blog, decided to take revenge by putting my email address in the ‘reply-to’ field of a malicious email campaign. Many of the victims were unaware that the message they had received was fake and contained malware. Some even asked me to resend the malware as it had been blocked by their anti-virus product. I have read those 1,976 messages, analysed and classified victims’ answers, and present them here. The key takeaway is that we need to train users, but at the same time we should not count on them to react properly to Internet threats. Despite dealing with cybercrime victims daily for the last seven years I was surprised by most of the reactions and realized how little we, as the security industry, know about the average Internet user’s ability (or rather inability) to identify threats online. We need to build solutions that will protect users, without their knowledge, sometimes against their will, from their ability to harm themselves.

The fifth group is actually the most worrying. I call this group ‘MY ANTI-VIRUS WORKED, PLEASE SEND AGAIN’, as these are recipients who mention that their security product (mostly anti-virus) warned them against an infected file, but they wanted the file to be resent because they could not open it. The group consisted of 44 individuals (2.35%).

source: grugq

Math is hard, let’s shoot protons.

We have been conducting a longitudinal study of the state of cryptocurrency networks, including Bitcoin and Ethereum. We have just made public our results from our study spanning 2015 to 2017, in a peer-reviewed paper about to be presented at the upcoming Financial Cryptography and Data Security conference in February.

Here are some highlights from our findings.

source: green

This article walks through the components of a modern LZ compressor.

LZ compression has been around for a long time, but there are still major improvements being made. The deflate algorithm is perhaps the most widely used, implemented initially in PKZIP, and these days finding broad usage in gzip. Modern incarnations are much more powerful, and use a wide array of new tricks. Two examples of the next generation are zstd and lzma. For a comprehensive overview of open source LZ compressors, check out lzbench.

source: L

I didn’t answer this correctly because I focused my attention on the wrong thing.

source: HN

Writing in the journal Science, the researchers conclude that populations of more than 500 species of amphibians have declined significantly because of the outbreak — including at least 90 species presumed to have gone extinct. The figure is more than twice as large as earlier estimates.

source: HN

One disclaimer: I don’t expect anyone to appreciate all of this, and I expect quite a few will reject all of it. That’s OK.

One for each linux distro.

source: MR

The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.

https://mauronz.github.io/shadowhammer-backdoor/

source: green

Does the ratio of nouns to verbs reveal anything about our thought process?

(Spoiler: measurement error.)

Many of the debates over Chinese language issues that keep coming up on Language Log and elsewhere may be attributed to a small number of basic misunderstandings and disagreements concerning the relationship between speech and writing.

Further, there is quite a bit of nonsense out there, trying to make sweeping generalizations about how Chinese language, culture, and thinking are all interconnected, but usually relying on some weak if not entirely incorrect assumptions about the language.