Security

In 2009, a vulnerability was discovered in the Linux kernel that allowed privilege escalation. The code looked perfectly reasonable—a null pointer check designed to prevent crashes. But when compiled with optimization enabled, the check simply vanished. The compiler had every right to delete it. The code contained undefined behavior, and undefined behavior means the compiler can do whatever it wants. This wasn’t a compiler bug. It was the compiler doing exactly what the C standard allows it to do. Understanding this distinction is crucial for anyone writing systems code in C or C++. ...

Place your finger on a glass surface, and within milliseconds, a decision is made: access granted or denied. No passwords to remember, no keys to lose. But behind that split-second unlock lies a sophisticated interplay of physics, electrical engineering, and pattern recognition that most users never consider. The ridges on your fingertips—formally known as dermatoglyphs—began forming during the third month of fetal development and were fully established by month six. These patterns emerge from a fascinating biological process: epithelial cells undergo a truncated version of hair follicle development, creating raised ridges without actually forming hair. The precise positioning of these ridges is influenced by factors including the mechanical forces within the womb, blood vessel patterns beneath the skin, and random developmental variations. Even identical twins, who share nearly identical DNA, have completely different fingerprints. This uniqueness makes fingerprints one of the most reliable biometric identifiers available. ...

Scan a QR code once, and your phone can generate login codes forever—no internet required. The codes change every 30 seconds, yet somehow both your phone and the server always agree on the correct value. There’s no cloud synchronization, no API calls, no real-time communication of any kind. The math just works. This isn’t magic. It’s the TOTP (Time-based One-Time Password) algorithm, defined in RFC 6238, and understanding how it works reveals one of the most elegant applications of cryptographic hash functions in everyday use. ...

In late 2017, a Reddit user with the handle “deepfakes” posted a video that would fundamentally change how we think about visual evidence. The clip showed a celebrity’s face seamlessly mapped onto another person’s body. It wasn’t the first time someone had manipulated video, but the quality was unprecedented—and the software to create it was soon released as open-source code. Within months, the term “deepfake” had entered the lexicon, representing a collision of deep learning and deception that continues to evolve at a startling pace. ...

On December 28, 2011, at the 28th Chaos Communication Congress in Berlin, Alexander Klink and Julian Wälde demonstrated something that sent shockwaves through the software industry. With just 2 megabytes of carefully crafted POST data, they kept a single CPU core busy for over 40 minutes. The attack didn’t exploit buffer overflows or SQL injection—it exploited the fundamental mathematics of hash tables. The technique, dubbed HashDoS, works because hash tables have a worst-case performance that’s dramatically different from their average case. When you understand the mathematics behind this vulnerability, you’ll see why it affected virtually every major programming language and why modern hash table implementations look very different from their predecessors. ...

In 2019, a network engineer at a major financial institution noticed something odd. Their newly deployed VPN, configured with OpenVPN over TCP, was causing a 40% drop in throughput for database replication traffic. The latency between their New York and London data centers had jumped from 75ms to over 200ms. After weeks of troubleshooting, they discovered the culprit wasn’t bandwidth or hardware—it was TCP-over-TCP meltdown, a fundamental interaction between the VPN protocol and the underlying transport layer. ...

The “Sign in with Google” button seems straightforward. Click it, authenticate, and you’re in. But behind that simple interaction lies one of the most widely deployed authorization protocols in computing history—a protocol that was never actually designed for authentication. OAuth 2.0, published as RFC 6749 in October 2012, emerged from a practical problem: how do you let a third-party application access your data without giving it your password? The solution involved a clever dance of redirects, temporary credentials, and cryptographic proofs that billions of users perform daily without understanding what’s happening. ...

On October 4, 2021, at 15:40 UTC, Facebook disappeared from the internet. Not just the social network—Instagram, WhatsApp, and even Facebook’s internal tools went dark. Engineers couldn’t access their own data centers. The outage lasted nearly six hours and affected billions of users worldwide. The cause wasn’t a cyberattack or a data center failure. It was a BGP configuration error. Someone issued a command that withdrew the routes Facebook used to announce its presence to the internet, and within minutes, the company’s entire network became unreachable. ...

The padlock icon in your browser’s address bar suggests something simple: this connection is secure. But in the roughly 100 milliseconds between clicking a link and seeing the page, your browser and the server performed one of the most sophisticated cryptographic dances in computing history. They established a shared secret over a public network, verified each other’s identities, and set up encrypted communication—all while an attacker watching every packet could learn nothing useful. ...