
Brief items

Security

Security quotes of the week

To help solve these issues the OSS-Fuzz team is launching FuzzBench, a fully automated, open source, free service. FuzzBench provides a framework for painlessly evaluating fuzzers in a reproducible way. To use FuzzBench, researchers can simply integrate a fuzzer and FuzzBench will run an experiment for 24 hours with many trials and real world benchmarks. Based on data from this experiment, FuzzBench will produce a report comparing the performance of the fuzzer to others and give insights into the strengths and weaknesses of each fuzzer. This should allow researchers to focus more of their time on perfecting techniques and less time setting up evaluations and dealing with existing fuzzers.
Jonathan Metzman, Abhishek Arya, Google OSS-Fuzz Team, and László Szekeres, Google Software Analysis Team on the launch of FuzzBench

Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.

Disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable client device or access point can easily send disassociation frames to trigger the vulnerability because these frames aren't authenticated.

Dan Goodin in Ars Technica on a vulnerability in widely used WiFi chips


Kernel development

Kernel release status

The current development kernel is 5.6-rc4, released on March 1. Linus said: "Fairly reasonably sized rc4, and the diffstat looks nice and flat too (which basically means 'lots of small changes') except for a netfilter ipset fix that ended up being somewhat big and involved due to locking changes."

Stable updates: 5.5.7, 5.4.23, 4.19.107, 4.14.172, 4.9.215, and 4.4.215 were all released on March 1.

The 5.5.8, 5.4.24, and 4.19.108 updates are in the review process; they are due on March 3.


Quote of the week

A sysctl is just a way of blaming the sysadmin for us not being very good at programming. [...]

Just look how long stale information stays around about how to tune your Linux system. Here's an article from 2018 suggesting using the 'intr' option for NFS mounts: I made that a no-op in 2007. Any tunable you add to Linux immediately becomes a cargo-cult solution to any problem people are having.

Matthew Wilcox


Distributions

Hartman: Opposite of a Platform for DPL 2020

Sam Hartman has announced that he will not run for a second term as Debian Project Leader at this time. "TL;DR: Overall, being DPL has been incredibly rewarding. I have enjoyed working with you all, and have enjoyed the opportunity to contribute to the Debian Project. I hope to be DPL again some year, but 2020 is the wrong year for me and for the project. So I will not nominate myself this year, but hope to do so some future year."


Distribution quote of the week

I wrote an alternative Debian installer as a toy, called v-i. One of the following two bullet points is correct:

  • v-i can install a very rudimentary Debian onto exactly one computer in the world: my very own spare Thinkpad x220 laptop. It might not work on your x220. v-i almost certainly won't work on any other kind of computer. If you try, it will probably delete all your data. Make sure your backups work.
  • v-i is perfect in every way. There are not even any typos in the manual. There are no bugs, and all features are fully implemented. Every possible use case is supported. Not only is there no danger to your data, v-i will prevent it from ever disappearing. Even your hardware will never break again. Your laptop will have infinite battery life, and your screen resolution will require 64 bit integers to express.
Lars Wirzenius


Development

Development quote of the week

In the world of software, the C programming language clearly stands out as the single most important and influential programming language. Everything forming the critical, foundational parts of your computer is written in it: kernels, drivers, compilers, interpreters, runtimes, hypervisors, databases, libraries, and more are almost all written in C. For this reason, any programming language which wants to get anything useful done is certain to support a C FFI (foreign function interface), which will allow programmers to communicate with C code from the comfort of a high-level language. No other language has the clout or ubiquity to demand this level of deference from everyone else.
Drew DeVault


Page editor: Jake Edge


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds