Stuff I read last week

2017-11-05

• Splitting Strings How and why splitting and empty string is different across programming languages.
• How I hacked Google’s bug tracking system

  Creating a bogus @google.com address using one bug, and then getting rights to access the details of all (most?) bugs in the system.

  There's a funny thing where for most software vulnerabilities a writeup like this can explain exactly what happened why. But then for web-based services all you see is a bug that looks totally braindead. It's user accounts! how hard can that possibly be?

  I work on stuff related to security of account systems at the moment; turns out that just like in every other area of modern computing, it's incredibly complicated.

• ‘I forgot my PIN’: An epic tale of losing $30,000 in bitcoin

  You've forgot the PIN and passphrase of your hardware bitcoin wallet. Must be out of luck, those things can't possibly have trivial vulnerabilities. I mean, surely those sophisticated cryptocurrency enthusiasts would be able to spot the snakeoil a mile away. Oh... No?

• Hotswapping Haskell Live code reloading in Haskell for a counter-abuse system at Facebook. The HN comments are predictable in a sad way: why would anyone want to do that? Surely there must be better ways, and all the engineers working on this were total morons.
• My VM is Lighter (and Safer) than your Container

  Rewriting the Xen control plane to optimize the boot time of thousands of tiny VMs. Benchmarked against Docker, which seems just absurdly bad at this one.

  (Not impressed by the numbers outside of booting with regard to "lightness". E.g. the throughput and scaling numbers for the personal firewall application are just miserable.)

• More Taste: Less Greed? > I decided to discover why the system was so much larger and (apparently) complicated than previous UNIX systems. I thought that a good way to do this was gradually to replace parts of it, and compare the size and complexity of the old and new versions.