DML

Today Instagram had this massive exploit where hackers were just stealing rare handles left and right. Hundreds of accounts gone. People losing handles they’ve owned since 2010, some worth hundreds of thousands. I own a few rare ones so I was actually stressed watching this happen in real time, which I haven’t been in years. Obama White House account got hit. These aren’t some random new accounts, these are verified, locked down accounts and they still got compromised. The thing is the exploit is so simple it’s almost funny. Attacker goes to Forgot Password, says their account is hacked, turns on a VPN to match the target’s location (which now you can find on the about section of the page). Instagram’s AI support flow asks them to verify with a selfie. They grab a photo from the target’s profile, run it through an AI video generator to make an animation of the person’s face moving around, upload that to Meta’s AI as proof. And Meta’s AI just accepts it because it can’t tell the difference between a real selfie and an AI-generated video of someone’s face . Once verified they change the email to theirs. Password reset link goes to their email. They own it now. 2FA gets bypassed somehow in the process but honestly I don’t know exactly how, just that it did. Point is even locked down accounts went down. Then you try to recover your account and you’re talking to a chatbot that has zero ability to help. You can’t escalate to a human. You’re just stuck. Your asset is gone and there’s no one to call. The whole thing just highlighted how stupid it is to automate account security without any human in the loop. One AI fooling another AI while there’s literally no person anywhere to catch it. Meta took hours to even acknowledge it while accounts were getting stolen every minute. Now thankfully it’s patched but I don’t think it will be the last one. Stay safe!

Push-based systems come up in 90% of system design interviews. Here's the exercise you should be able to solve: Design a notification system for 100M users. Some have 50 followers. Some have 10M. The instinct is to hold a WebSocket connection open to every active user and push updates as they arrive. Clean mental model. It collapses the moment a celebrity posts. When someone with 10M followers posts, you push to 10M open connections simultaneously. Your message broker saturates. Your WebSocket servers fall over. The system fails at the exact moment it needs to work. That's the fan-out problem. And it kills more interview answers than any other mistake. The production answer: push and pull aren't binary. You pick based on follower count. Users with fewer than 1,000 followers get push fan-out. Each follower gets notified immediately. Users with millions of followers get pull fan-out. Their feed assembles on read. Nobody gets a push. Followers see the post when they open the app. Twitter built exactly this: push-on-write for small accounts, pull-on-read for large ones. But fan-out is only half the problem. Push means stateful connections. Your servers now need to know which connection lives on which machine. You can't route blindly. Most teams reach for Redis pub/sub here; the WebSocket server subscribes, the backend publishes, the message finds the right node. Add a 3-second network drop and you have another layer: what did the client miss? Now you need sequence IDs, a message buffer, and reconnect logic that replays missed events. "Push-based" became push with a pull fallback, a message broker, sticky routing, and a replay buffer. Most engineers stop at the first diagram. The ones who get the offer keep pulling the thread until the system breaks.

"Canvas" is a "learning managment system" used by around 8000 universities around the world but mostly in the United States. A million students and teachers likely saw this ransomware message when they tried to login today. This makes it a newsworthy event. This happened right at the end of term when teachers are trying to grade exams and record grades. It's going to cause pain for a million students who can't get their terms finished on time.

Most people say Doubly Linked List, and honestly it sounds logical because you think the browser needs to store the previous and next pages. Even I used to think the same. But what I learned is that browsers actually use two stacks: a Backward Stack and a Forward Stack. We prefer stacks over a DLL because browser navigation is not a simple linear list. It behaves exactly like an undo/redo system, where: >Back = undo (pop from Back stack, push to Forward stack) >Forward = redo (pop from Forward stack, push to Back stack) >Opening a new page after Back = clear the Forward stack A doubly linked list doesn’t naturally support this behavior. It still requires deleting the forward path manually, and gives no real advantage. Stacks match the exact semantics of navigation: Last In First Out, simple push/pop operations, predictable behavior, and no unnecessary pointer manipulation. So yes, even though a DLL feels intuitive, two stacks are actually the cleaner, more accurate way to model browser history.