This week’s reading was short. It includes a technical deep dive into some zero-day Safari exploits, FiveThirtyEight on why it’s hard to build a good COVID-19 model, and reflections on the lockdown.
I also spent a fair amount of time reading the book Everybody Lies by Seth Stephens-Davidowitz. See my initial thoughts, followed by more abstract posts where I reflected on what data science means and the dangers of big data.
Authors: Maggie Koerth, Laura Bronner and Jasmine Mithani (at FiveThirtyEight)
This is a fantastic post about the difficulties in modeling the spread of COVID-19 (and also a reason for why FiveThirtyEight isn’t even going to try, which I agree is the right decision).
The post starts simple: the number of people who will die is a function of how many people the virus is capable of infecting, how many people it does infect, and how many people it kills. Well, none of those numbers are none, and it turns out you have to model each of them, too.
The number of people the virus will infect is a function of how much it spreads by cough and fluids, how long it lives on surfaces, what the incubation period is, how long people can spread the virus to others, whether or not people can get reinfected, how many people act as “superspreaders,” how much various social distancing measures work (which itself varies by country, state, and city), how dense cities are, how good people’s immune systems are, which people we test, how many people we test, how accurate the tests are, what happens when people receive a positive result, how long they isolate for, and several dozen other things that I didn’t account for.
All of those go into estimating R0 (the reproduction number). The other parts of any model are equally complicated. Modeling any of these without deep epidemiological experience is asking for disaster, and it’s why I think data scientists need to sit this one out and let the actual experts handle this.
Author: Ryan Pickren
Apple recently paid out $75,000 to a white-hat hacker who uncovered 7 zero-day exploits in Safari, three of which could be used to gain control of a user’s webcam. The author details the exploits and the discovery process in this blog post.
The final process is pasted here. It’s incredibly specific, and that’s why I appreciate this article. It showcased a combination of methodical, reasoned debugging with strong intuition to create surprising results.
Open evil HTTP website
HTTP website becomes a data: URI
data: URI becomes a blob: URI (with magic blank origin)
Manipulate window.history (in 2 parts!)
Create an about:blank iframe and document.write to it
Dynamically give this iframe the sandbox attribute
Attempt an impossible frame navigation using X-Frame-Options
From within the iframe, window.open a new popup and document.write to it
This was a great read; there were a few things that went over my head, but on the whole the author explained the process of discovering these vulnerabilities quite clearly. Honestly, while reading this, I was simply amazed at the level of detective work going on. Pickren was digging through specs trying to find inconsistencies and ambiguities, then seeing how Safari implemented them. There’s a screen-recorded demo at the bottom, and it’s pretty wild.
Author: Abby Ohlheiser (from MIT Technology Review)
On Thursday night, I had a Google Hangouts game night with my friends. We played some Jackbox party games (Push the Button was pretty difficult online, but Split the Room was very fun!) and chatted for a while. But I noticed that joining the video call and taking part in this was oddly tiring, and I’ve thought about this for a little while.
Ohlheiser puts into words this feeling that I’ve become increasingly aware of: that lockdown is making social activities feel more draining, not less. For me, this is the result of the lack of separation between “work space” and “life space” (both my bedroom—yes, my desk vs. my bed, but that’s not that different). There’s also a feeling that anything “scheduled” is work now, because communication has (had to) become so planned and intentional.
Turning down invitations to talk to people during a global pandemic can simultaneously be needed self-care and something that makes you feel like a bad friend. After all, how do you tell your group chat of college friends that you just need a night alone at home when you’re alone at home all the time?
Everything, when happening on Google Hangouts or Zoom, feels like a meeting. In normal happy hours, here are typically a few conversations happening at a time. I can move between them at will or talk to a small group on the side. Virtual happy hours do not have this affordance: everyone is part of the same conversation, which is precisely the dynamic that makes them feel so meeting-like.
There are other issues I’ve noticed, too: there’s no natural end to conversations because no one has any plans. Virtual hangouts, which in my experience are rarely timeboxed, can feel like I’m staring down an indefinite tunnel of forced large-group interaction.