mina86.com

Stop using pickle already. Seriously, stop it!

    Perusing glossy magazines,1 I was made aware of CVE-2024-2912, which describes how a POST request can lead to Remote Code Execution (RCE) in BentoML servers. A feature most users would rather live without. Bugs happen and I don’t want to criticise the developers unjustly, but knowing the root of the issue was Python’s pickle module, I can only wonder: How the fuck is this still happening?

    pickle is insecure by design

    import pickle
    # Protocol-0 stream: GLOBAL os.system, MARK, STRING "echo evil", TUPLE,
    # REDUCE. The REDUCE opcode calls os.system("echo evil") during loads().
    pickle.loads(b'cos\nsystem\n'
                 b'(S"echo evil"\ntR.')
    Example of how unpickling untrusted data leads to execution of a shell command.

    pickle serialisation uses a stack-based virtual machine with a ‘reduce’ operation which allows calling arbitrary Python functions (as shown in the example above). It’s no surprise it keeps popping up in security vulnerabilities. It has been known for years that using pickle invites trouble.2 The documentation highlights the dangers quite clearly, but that’s apparently not enough.

    Call to action

    I call upon you to stop this madness. There are easy steps you can take to make everyone safer:

    • If you see a junior developer type import pickle, mentor them and explain that the module must never be used because of its security holes.
    • If you see a +import pickle line during a code review, reject the patch.
    • If you write code yourself, use an alternative serialisation method, e.g. one listed below.
    • And finally, if you’re a Python project member, deprecate pickle. Many features have been deprecated already, so backwards compatibility is not a valid excuse. C managed to get rid of gets; I believe it’s possible to heal Python as well.
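    Until a codebase is rid of pickle, a reviewer can at least insist that nothing is loaded which could invoke code. The following is an added example, not code from the article or from BentoML: it statically scans a pickle stream with pickletools for opcodes that resolve or call Python callables, and as defence in depth loads only through an Unpickler whose find_class refuses every global. The names code_opcodes, DataOnlyUnpickler, safe_loads and the opcode set are this example’s own choices.

```python
import io
import pickle
import pickletools

# Opcodes through which the pickle VM can resolve or call Python callables
# rather than build plain data (set chosen for this example).
CODE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})

# Constructed inputs: the payload from the article and an ordinary data pickle.
EVIL_PICKLE = b'cos\nsystem\n(S"echo evil"\ntR.'
BENIGN_PICKLE = pickle.dumps({"a": [1, 2]})


class UnsafePickleError(ValueError):
    """Raised when a pickle stream could execute code on load."""


def code_opcodes(data: bytes) -> list:
    """List code-invoking opcodes in a stream without executing any of it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in CODE_OPCODES:
                found.append(opcode.name)
    except ValueError:
        found.append("MALFORMED")  # truncated or corrupt stream: reject too
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that resolves no global, so REDUCE has nothing to call."""

    def find_class(self, module, name):
        raise UnsafePickleError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Load only pickles that contain no code-invoking opcodes."""
    bad = code_opcodes(data)
    if bad:
        raise UnsafePickleError(f"rejected pickle containing {bad}")
    # Defence in depth: even if the scan missed something, no global resolves.
    return DataOnlyUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(code_opcodes(EVIL_PICKLE))   # ['GLOBAL', 'REDUCE']
    print(safe_loads(BENIGN_PICKLE))   # {'a': [1, 2]}
```

    The scan rejects the article’s payload before os.system is ever resolved, while a plain dict round-trips unchanged; a data-only format such as JSON remains the better fix.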

    Are GMT and UTC the same thing?

    No. But yes. But no. It’s complicated, let me explain.


    Greenwich Mean Time (GMT) is the local mean time in Greenwich, London. ‘Local’ indicates that it tracks the position of the Sun in the sky.1 However, because Earth’s rotation speed varies, a second according to GMT has a different length on different days.

    Meanwhile, Coordinated Universal Time (UTC2) is based on atomic clocks, which guarantee a constant length of a second. Unfortunately, Earth refuses to conform to human standards. To account for that, leap seconds are occasionally applied to UTC. As necessary, one second can be added (resulting in a time of 23:59:60) or removed (resulting in the day ending at 23:59:58) at the end of June or December.3

    While GMT and UTC use different methods for tracking time and adjusting to the Earth’s irregular rotation, they are synchronised to within 0.9 s and for everyday purposes they are the same.

    Unfortunately, things can get more convoluted. Someone may incorrectly use GMT to refer to the time zone in London, which is UTC+1 during daylight saving time. Furthermore, throughout history there were additional conflicting definitions of GMT.

    Conclusion

    All in all, it’s best to use UTC to avoid ambiguity.

    No Nick, 7-bit colour depth is not enough

    In ‘Your Screen is Secretly 30 Years Old’ video on The Science Asylum channel, Nick Lucid argues that 7-bit colour depth is sufficient for screens, claiming that 2 million colours (vs 16 million at 8-bit colour depth) ‘would be more than enough for most people’:

    Can screens make fewer [than 16 million] colours without us noticing? The answer is absolutely yes. 16 million is an overkill. 2 million would be more than enough for most people. It’s just that controlling a screen with 16 million colours costs the same as the screen with 2 million because they use the same number of bytes.

    This article interrogates that statement. To provide a visual baseline, Fig. 1 compares two grey gradients: one uses 8 bits per component (bpc) while the other uses 7 bpc. Fewer discrete colour levels cause the 7 bpc gradient to exhibit clearly visible banding (rather than a smooth transition between colours, the places where the colour changes can be identified), immediately undermining the premise that 7-bit colour depth is perceptually indistinguishable from higher bit depths.

    Fig. 1 Grey gradients using different colour depths. Each goes from colour #10 10 10 to #7f 7f 7f but uses different quantisation. The top gradient uses 112 distinct grey levels while the bottom one uses only 54.