Sorry About Computer

They were supposed to make things easier

🔥 CVE-2019-14287

A flaw in Sudo—that comes installed on almost every #Linux OS—could let users run commands as "root" even when they're restricted.

Details ➤

How? Just by specifying user ID "-1" or "4294967295" in the command instead of the root.

— The Hacker News (@TheHackersNews) October 14, 2019

It happened to me because I was plugging the charging cable in on the left. It's a known issue with MacBook Pro built in 2018~2018.
Charging on the right side makes the kernel_task vanish.

— Pierre 🦌 (@pierrerenaudin) October 9, 2019

Holy crap. Huge bug uncovered in computational chemistry software because different operating systems sort files differently and the published scripts don’t handle it well. If you do or rely on calculated NMR chemical shifts, this is a must-read.

— Lucas Moore (@LucasCMoore) October 8, 2019

My previous employer had a piece of software that would uninstall Arial if you removed it.
After reboot, all your computer’s interface would be in Arial Italic since it couldn’t find the main Arial file.
All your menus and windows. Nobody knew why this happened until I was hired.

— SwiftOnSecurity (@SwiftOnSecurity) October 2, 2019

How did MS-DOS decide that two seconds was the amount of time to keep the floppy disk cache valid?

From the "how the fuck did this hardware bug happen" department: Sandy Bridge GPUs cannot access the low 1MB of RAM, plus five pages.

The pages at 0x20050000, 0x20110000, 0x20130000, 0x20138000, 0x40004000.


— Hector Martin (@marcan42) September 16, 2019

That US-EAST-1 outage on AWS caused 0.5% of customers to lose their data, ouch.

— Kevin Beaumont (@GossiTheDog) September 3, 2019

i think every day about how cable internet is IP over MPEG. this is a literal fact. DOCSIS sends downstream data in MPEG frames because that's what the cable networks are optimized for and what all the switching equipment understood when cable broadband took off

— Utterly dispassionate, documentary hog slaughter (@gravislizard) September 3, 2019


— mcc (@mcclure111) March 9, 2019

"If you want a vision of the future, imagine a boot stamping on a human face - forever" so *thats* what he meant 🤔🤔

— ༻ᵏᵘᵐᵃᵛⁱˢ༄༜ (@kumavis_) February 26, 2019

Javascript is weird.

— ShadowCheetah (@shadowcheets) August 12, 2019

If you think the response time on your HTTP calls is bad, I just got a 503 via paper mail... 😂

— Shawna Scott (@shawnacscott) August 6, 2019

Files are fraught with peril

“How many kinds of USB-C™ to USB-C™ cables are there?

tl;dr: There are 6, it's unfortunately very confusing to the end user.”

— Peter Steinberger (@steipete) July 16, 2019

Verilog is a wonderful language because you find things like this in the standard (1364-2005 5.4.2)

How can you write something like this and not go "wait, go back, we fucked up"

— Luke Wren (@wren6991) July 12, 2019

I guess at least they do what all the other finalizer supporting VMs do: Offer finalizers but say "maybe we won't run them".

I can't think of another language feature, in any language, that works like finalizers. A *suggestion* to run some code. Optional. If the language wants.

— mcc (@mcclure111) July 10, 2019


— Ryan C. Gordon (@icculus) July 9, 2019

“I also found that, instead of making a regular AJAX request, this page instead loads an image from the Zoom web server that is locally running. The different dimensions of the image dictate the error/status code of the server.” 🤯

— Peter Steinberger (@steipete) July 9, 2019

Amazing, 7 Eleven launch mobile payment app: a day after launching it attackers stole half a million USD from customers, as the app had no security around password reset (any user could reset anybody else’s password)

— Kevin Beaumont 🌈 (@GossiTheDog) July 4, 2019

I am excited to have written:

“Enumerating Core Undefined Behavior”

— Shafik Yaghmour (@shafikyaghmour) June 22, 2019

Oracle fixes a bypass for a bypass fix of a bypass that was bypassed during fixing a bug that was used to bypass the bypass fix of a serialization issue in weblogic.

— Hamid K (@hkashfi) June 16, 2019

Post by @apenwarr on why we can't have nice things in networking: "The world in which IPv6 was a good design"

— Fabian Giesen (@rygorous) June 12, 2019

"We report a surprising finding that the inclusion of hyphens in paper titles impedes citation counts, and that this is a result of the lack of robustness of the citation database systems in handling hyphenated paper titles."

— John Regehr (@johnregehr) June 10, 2019

LRT, money quote from the web page:

— Fabian Giesen (@rygorous) June 11, 2019

this morning in "computer nightmares" i found the ultimate nightmare inside of Nixpkgs: purposefully crafting SHA-1 collisions to support Google Chrome's update mechanism, due to its non-deterministic download URLs. what the fuck

— Chad Blaze: Endgame (@stdlib) June 6, 2019

Me, knowing most of the house is asleep: "Alexa, set volume to 20%."

Alexa, yelling at the top of her lungs: "Sorry, you can only set the volume between 0 and 10!!!"

— Paul Annett 🇪🇺 (@PaulAnnett) June 2, 2019

This is what poor test coverage looks like

— Jess West 🐚 Vacay in Mexico 🏖️ (@jessicaewest) May 6, 2019

A discontinued insulin pump is in demand *because* it contains a security vuln that can be exploited to provide healthcare

— Ryan Naraine (@ryanaraine) May 6, 2019

From @BernsteinA: "Throwback to my favourite bug report." #gamedev #gamedevelopment #Terrorarium #why

— Terrorarium 🍄🌵 (@TerrorariumGame) April 30, 2019

I did it. I found the all-time dumbest security question answer requirement. Good job @fedex.

— Luke Millar (@ltm) April 28, 2019

last week i got to witness an engineering department lose a full day's work because if you put an emoji in a git commit message, Atlassian Bamboo chokes on it forever and you're forced to rebase master, like you should NEVER DO. this was of course referred to as The Emojiency

— Chaos (@chaosprime) April 21, 2019

Fun JavaScript quirk I ran into: a really large setTimeout() delay makes the delayed function execute (almost) immediately. 🤦‍♂️

Basically, don't setTimeout() for longer than ~25 days.

— David K. 🎹 (@DavidKPiano) April 20, 2019

Feeling down? iOS jailbreak you've been working on for a year got patched? Fuzzer not finding any bugs? Miss the 90s where everything crashed? Change your time format on Windows to 90 characters! Watch everything fall over as they get 90 character formats from Windows APIs!

— Brandon Falk (@gamozolabs) April 20, 2019

She just straight up started naming random people who live in Michigan.

— ashe dryden (@ashedryden) April 19, 2019

this episode has a funny implication: to write a C or C++ compiler that is taken seriously, you must implement a language that is not specified or defined anywhere other than "it must produce the expected results on this small collection of dusty deck codes"

— John Regehr (@johnregehr) April 15, 2019

"...the user agent string for the latest Dev Channel build of Microsoft Edge: "... Edg/" We’ve selected the “Edg” token to avoid compatibility issues that may be caused by using the string “Edge,”..."

We are now deliberately misspelling words in the User-Agent string.

— Nathan Froyd (@froydnj) April 9, 2019


— Peter Steinberger (@steipete) April 3, 2019

the immaculate joy of writing standard libraries

— iximeow (@iximeow) April 6, 2019

CONDUCTOR: we’re stopping the train so we can reboot the engine computer

— bletchley punk (@alicegoldfuss) December 14, 2018

If you told me that setting a sprite’s color in Unity couldn’t happen off the main thread, I would already be angry at you, but nevertheless I was not emotionally prepared to find out the reason why

— Christine Love (@christinelove) January 22, 2019

Valid C, invalid C++:
  for (int i = 0; ;) {
    int i = 1;
    return i;
  }

Valid C and C++:
  for (int i = 0; ;) {{
    int i = 1;
    return i;
  }}

— Stephen Checkoway (@stevecheckoway) January 27, 2019


to increment some counter on the page,

  node.innerText += 1

doesn't work (0 → 01 → 011 → ⋯), but

  node.innerText -= -1

works fine (0 → 1 → 2 → ⋯)

— Lynn (@chordbug) February 5, 2019

"Ⱥ" and "Ⱦ" are Unicode characters, which increase in length (from 2 to 3 bytes) when lowercased. Nasty.

Found them from the "Big List of Naughty Strings" - list of strings which have a high probability of causing issues when used as user-input data.

— @mikko (@mikko) November 5, 2018

This is hell

— BooDoo (@BooDooPerson) November 5, 2018

them: is 10 the highest CVE score you can have?
me: ?
them: a website has unauthenticated, remote access via a single get request
me: seems like a 10.
them: which returns select * on a quarter million unencrypted credit card #'s.
me: okay, maybe 11.

— Kenn White (@kennwhite) September 25, 2018

Stories from Antivirus land: clamav uses libmspack, libmspack had vuln in 2012, libmspack fixed it+adds regression test, clamav detects regression test as malware, libmspack can't be distributed any more because webhost of libmspack uses clamav...

— hanno (@hanno) August 9, 2018

Be careful when reversing #unicode strings. You may be surprised…

>>> s = "Welcome in 🇬🇧"
>>> s[::-1]
'🇧🇬 ni emocleW'

(thanks @piskvor for the inspiration!)

— Daily Python Tip (@python_tip) August 6, 2018
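The two Unicode pitfalls quoted above (the Ⱥ/Ⱦ characters that grow from 2 to 3 UTF-8 bytes when lowercased, and the code-point reversal that turns the UK flag into the Bulgarian one) both matter for input validation: a byte-length check done before case-folding, or a reversal done per code point, silently mismatches what the user typed. The following is an added example, not code from either tweet's author; graphemes() is a deliberately reduced cluster splitter written for this page (it handles combining marks, VS16, ZWJ sequences and regional-indicator pairs, not the full UAX #29 rules), and it goes beyond the tweets by scanning the whole Basic Multilingual Plane for every character whose lowercase form is longer in UTF-8.

```python
from __future__ import annotations
import unicodedata

# Constructed sample input: the string from the tweet, with the flag written
# as its two regional-indicator code points (U+1F1EC U+1F1E7 renders as 🇬🇧).
SAMPLE = "Welcome in \U0001F1EC\U0001F1E7"


def _is_regional_indicator(ch: str) -> bool:
    # Regional Indicator Symbols U+1F1E6..U+1F1FF; a pair renders as one flag.
    return 0x1F1E6 <= ord(ch) <= 0x1F1FF


def graphemes(s: str) -> list[str]:
    """Split s into user-perceived characters (hypothetical reduced segmenter).

    Keeps combining marks, the emoji variation selector and ZWJ-joined code
    points with their base, and pairs regional indicators so a flag survives.
    """
    out = []
    i, n = 0, len(s)
    while i < n:
        j = i + 1
        if _is_regional_indicator(s[i]) and j < n and _is_regional_indicator(s[j]):
            j += 1                      # two indicators form one flag
        while j < n:
            ch = s[j]
            if unicodedata.combining(ch) or ch == "\ufe0f":
                j += 1                  # mark / VS16 belongs to the base
            elif ch == "\u200d" and j + 1 < n:
                j += 2                  # zero-width joiner glues the next code point on
            else:
                break
        out.append(s[i:j])
        i = j
    return out


def reverse_graphemes(s: str) -> str:
    """Reverse by grapheme cluster instead of by code point (s[::-1])."""
    return "".join(reversed(graphemes(s)))


def utf8_len(s: str) -> int:
    return len(s.encode("utf-8"))


def lowercase_growth(s: str) -> int:
    """Bytes gained (negative: lost) when s is lowercased and stored as UTF-8."""
    return utf8_len(s.lower()) - utf8_len(s)


def bmp_chars_that_grow_on_lower() -> set[str]:
    """Every BMP character whose lowercase form needs more UTF-8 bytes."""
    found = set()
    for cp in range(0x10000):
        if 0xD800 <= cp <= 0xDFFF:      # lone surrogates are not encodable
            continue
        ch = chr(cp)
        if lowercase_growth(ch) > 0:
            found.add(ch)
    return found


def fits_after_lower(s: str, max_bytes: int) -> bool:
    """Length check that survives case-folding: measure the form you store."""
    return utf8_len(s.lower()) <= max_bytes


if __name__ == "__main__":
    print(SAMPLE[::-1])                 # code-point reversal: flag becomes 🇧🇬
    print(reverse_graphemes(SAMPLE))    # cluster reversal: flag stays 🇬🇧
    for ch in ("\u023a", "\u023e"):     # Ⱥ and Ⱦ from the tweet
        print(ch, utf8_len(ch), "->", ch.lower(), utf8_len(ch.lower()))
    print(sorted(bmp_chars_that_grow_on_lower()))
```

The practical rule the scan illustrates: if a field is limited by byte length and also normalised or case-folded before storage, apply the limit to the folded form, otherwise a value that passed the check can overflow the column or truncate mid-character afterwards.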

ask me how my day is going

— zach (@ztellman) August 11, 2018

I thought this was a joke.

It wasn't a joke.

— Hector Martin (@marcan42) June 19, 2018

how and why would you even build a system that behaved like this

— 100% clean soup (@vogon) June 19, 2018

Javascript and the blockchain: The gift that keeps on giving

You keep using the word 'fsync', I do not think it means what you think it means... If you manage data on Linux, you don't want to miss this popcorn worthy debugging on the #Postgres hackers list:

— xzilla (@robtreat2) April 2, 2018


Load-bearing optimization, n.

A performance-related change (for example adding a cache) that accidentally becomes required for correctness

— David Smith (@Catfish_Man) May 24, 2016

"Tonight I was using my iPhone to airplay a March Madness game to our Apple TV. When I misplaced my phone, I used my Apple Watch to ping it. The ping noise played through the Apple TV… Thanks a lot 🙄"

"Hey Alex why are you so hard on American railways?"

— Alex "Bloomer" Forrest 🚉🌸 (@380kmh) March 21, 2018

*Halved* render time with @appleseedhq on a particular scene using OSL (Windows, VS 2015, exception handling enabled) by replacing `float4() {}` by C++11's `float4() = default` in OIIO. The former disabled __forceinline, among other things. Details:

— François Beaune (@franzbeaune) March 16, 2018

The long tail of fixing Meltdown and Spectre

It's just a cube, how hard could it be
A texture mapped cube, except the textures are all wrong