> This article covers some ways I’ve gotten security bugs fixed inside a company.

> Finding bugs is a technical problem, fixing them is a human problem.

> Cupcakes. All else fails try cupcakes. Upon the 1 year birthday of bugs we delivered cupcakes to the desks of 30 or so engineers who had not fixed longstanding bugs assigned to them. About a third of them had their issues fixed within the next two weeks. SUCCESS.

> I work at Red Hat on GCC, the GNU Compiler Collection, and I spent most of the past year making GCC easier to use. Let’s look at C and C++ improvements that will be in the next major release of GCC, GCC 9.

C++ error messages that are slowly approaching useful...

source: L

> Chestnut, a Northern Californian with a placid demeanor, also stars in “The Good, the Bad, the Hungry,” a new ESPN documentary about his surprisingly complex relationship with longtime rival Takeru Kobayashi. And the ESPN marketing machine had gone into overdrive to burnish the hot-dog champion’s image. They arranged to have Chestnut arrive at Citi Field with his sausage posse to throw out the first pitch and later hand out hot dogs — presumably the nonhuman kind.

> Adding Office support to Bromium was significantly cheaper than it would be for Microsoft to fix all the vulnerabilities in the existing code base.

> This work shows that more plaintext information can be extracted from ORE ciphertexts than was previously thought.

Never used ORE, and I think I won’t.

> Writing interactive SSH applications is actually pretty easy, but it does require some knowledge of the pieces involved and a little bit of general Unix literacy

source: HN

> But the danger is that safeguards put in place to exclude this small minority of pool-pissers will wind up - to extend the metaphor - over-chlorinating the pool.

Pretty complete undergraduate course. Much more like a textbook than just “notes”.

With a special heart for union find.

> High dynamic range. First experienced by most consumers in late 2005, with Valve’s Half Life 2: Lost Coast demo. Largely faked at the time due to technical limitations, but it laid the groundwork for something we take for granted in nearly every blockbuster title. The contemporaneous reviews were nothing short of gushing. We’ve been busy making a complete god awful mess of it ever since.

source: L

> But as evidence accumulated that Facebook’s power could also be exploited to disrupt elections, broadcast viral propaganda and inspire deadly campaigns of hate around the globe, Mr. Zuckerberg and Ms. Sandberg stumbled. Bent on growth, the pair ignored warning signs and then sought to conceal them from public view. At critical moments over the last three years, they were distracted by personal projects, and passed off security and policy decisions to subordinates, according to current and former executives.

Also: https://www.washingtonpost.com/opinions/yes-facebook-made-mistakes-in-2016-but-we-werent-the-only-ones/2018/11/17/3b62b422-ea9d-11e8-a939-9469f1166f9d_story.html

source: K

> In a fundamental way, bitcoin futures manipulation would resemble those old-time squeezes: Unscrupulous traders would engage in chicanery in the underlying “physical” market for bitcoin in order to reap profits from the futures.

> I’m a person who’s only satisfied if I feel I’m being productive. I like figuring things out. I like making things. And I want to do as much of that as I can. And part of being able to do that is to have the best personal infrastructure I can. Over the years I’ve been steadily accumulating and implementing “personal infrastructure hacks” for myself. Some of them are, yes, quite nerdy. But they certainly help me be productive. And maybe in time more and more of them will become mainstream, as a few already have.

> But email, of course, has the nice feature that it’s “born digital”. What about things that were, for example, originally on paper? Well, I have been something of an “informational packrat” for most of my life. And in fact I’ve been pretty consistently keeping documents back to when I started elementary school in 1968. They’ve been re-boxed three times since then, and now the main ones are stored like this:

Meanwhile, I have trouble finding an email from last week.

source: HN

Lots of good talks.

via @solardiz

> Am I reading that right? Did someone actually argue that they were reasonable in presenting something they found on 4Chan as fact? Indeed, the court is not persuaded by reliance on 4Chan. In the context of dealing with the “wire service” privilege, the court says it is “not convinced that 4Chan is a reputable news-gathering agency.” Not surprisingly, plaintiffs are able to present a plethora of evidence on the freewheeling nature of 4Chan.

Fixed one year ago, somewhat quietly.

Good commentary: https://www.agwa.name/blog/post/thoughts_on_the_systemd_root_exploit

> Fridge-sized machines gave way to hard drives the size of your finger; complex spinning disks kept getting faster and more sophisticated; and we learned how to say the word “defrag.”

source: Dfly

> If I tell you that the central cast contains Alice, Bob, and Eve, you can probably already guess that we’re going to be talking about cryptography (that or reading the paper title 😉 ). But this isn’t cryptography as you know it, and nor is it cryptography intended to actually be used to protect any information – to criticise the paper on that front would be to miss the point in my view. Instead what we get is a really interesting twist on adversarial network training and a further demonstration of the kinds of things that such networks are able to learn.

> “We’re just baffled by why somebody would want to inflict themselves on Newport in such a way as this.”

> Noise is a framework for building crypto protocols. Noise protocols support mutual and optional authentication, identity hiding, forward secrecy, zero round-trip encryption, and other advanced features.

I thought development of Noise was paused, but there have been some recent updates.

> Suppose, for example, I wrote tool to generate a random hash function definition, then JIT compile it to a native function in memory, then execute that function across various inputs to evaluate its properties. My tool could rapidly repeat this process in a loop until it stumbled upon an incredible hash function the world had never seen. That’s what I actually did. I call it the Hash Prospector: