supervision just hit 40,000 GitHub stars!
it now powers over 6.5k open-source computer vision projects, including all my demos like basketball AI
link: https://t.co/xXMRaS4ejS
‼️🚨 Yet another Meta fuck-up: its account recovery function allows unauthenticated access to full account PII, including emails and phone numbers, from just a username. We verified the claim and found social media and wine-app accounts belonging to several public figures. We'll start with footballer Kylian Mbappé, who has a hidden TikTok account.
Introducing D4RT: A unified AI model for 4D scene reconstruction and tracking across space and time. 🎯 Catch the demo with Skanda Koppula at 12 pm at our #CVPR2026 Google booth kiosk! https://t.co/p6SclNe1zi @GoogleDeepMind
Here's a teaser of our Mac-1 model.
> 6.6B model
> runs locally (on any Mac)
> requires 7GB RAM (12GB ideal)
> can use 487 macOS native tools
> perform multi-tool chained tasks
> reasoning: ON
> output: ~65 tok/s
We built a robust application layer around the model to make UI/UX macOS native. The "model-focused" SaaS era is here.
Stay tuned for more.
Recent UK crypto sanctions seem to be a bit of an overreach.
Wonder if it will ever get to the point where it’s ignored because HTX address tainting onchain has been catastrophic.
In the past sanctions were done and those crypto businesses typically had a high % of illicit activity (Huione, Blender, Hydra, etc).
While Justin Sun may be a controversial name, HTX has a decent number of Asia retail users.
Basically now I’ve had to ignore the sanctions category when tracing cases by exposure since “risk” itself has become meaningless.
Also compliance tools are a bit flawed and do not differentiate pre & post sanctions activity well.
Meanwhile I have a legit $1.25B laundering case by an illicit actor the UK completely failed to detect.
Given UK incompetence historically in crypto cases, it’s not surprising to see them sanction HTX and miss the actual violations...
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys.
Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.
ANTHROPIC'S 31 SMALL BUSINESS SKILLS GOT 382,000 DOWNLOADS ON DAY ONE AND SOMEONE JUST MAPPED EVERY SINGLE ONE INTO A 10 MINUTE SETUP.
It covers financial operations, sales, HR, marketing, and reporting with a full connector guide and real output examples.
Today we're open-sourcing Bumblebee, a read-only scanner for macOS and Linux.
It checks developer machines for risky packages, extensions, and AI tool configs.
Connected to Computer, it can trigger deeper scans whenever a new supply-chain risk emerges.
https://t.co/FOaWnF1yQy
Push-based systems come up in 90% of system design interviews.
Here's the exercise you should be able to solve:
Design a notification system for 100M users. Some have 50 followers. Some have 10M.
The instinct is to hold a WebSocket connection open to every active user and push updates as they arrive. Clean mental model. It collapses the moment a celebrity posts.
When someone with 10M followers posts, you push to 10M open connections simultaneously. Your message broker saturates. Your WebSocket servers fall over. The system fails at the exact moment it needs to work.
That's the fan-out problem. And it kills more interview answers than any other mistake.
The production answer: push and pull aren't binary. You pick based on follower count. Users with fewer than 1,000 followers get push fan-out. Each follower gets notified immediately.
Users with millions of followers get pull fan-out. Their feed assembles on read. Nobody gets a push. Followers see the post when they open the app.
Twitter built exactly this: push-on-write for small accounts, pull-on-read for large ones.
But fan-out is only half the problem.
Push means stateful connections. Your servers now need to know which connection lives on which machine. You can't route blindly. Most teams reach for Redis pub/sub here; the WebSocket server subscribes, the backend publishes, the message finds the right node.
Add a 3-second network drop and you have another layer: what did the client miss? Now you need sequence IDs, a message buffer, and reconnect logic that replays missed events.
"Push-based" became push with a pull fallback, a message broker, sticky routing, and a replay buffer.
Most engineers stop at the first diagram.
The ones who get the offer keep pulling the thread until the system breaks.
Largest Trading day of my career.
- Midweek Reversal confirmed by 2-Stage SSMT
- Thursday Continuation; Ideal profile from H4 gap
- New York Reversal
- Universal Sequence
+3R
We are entering a new era of on-device automation. ✨
Watch Gemma 4 E4B navigate and drive an iOS simulator directly using Argent. Local models can handle complex interactions and software navigation autonomously.
CapCut is partnering with @GeminiApp .
Soon, users will be able to edit images and videos directly within the Gemini app using CapCut’s advanced creative and editing capabilities.
As creative workflows become more connected and seamless, we believe the future of creation will be more conversational, intuitive, and intelligently integrated across tools and experiences.
This is just the beginning.