The Pulse #128: Mishandled security vulnerability in Next.js
Cloudflare stepped up to deliver a fix for the vulnerability, following unexpected silence from the Next.js team. Also: OpenAI’s new image generation feature shows how Japan has lax copyright laws
The Pulse is a series covering insights, patterns, and trends within Big Tech and startups. Notice an interesting event or trend? Send me a message.
Today, we cover:
Industry pulse. Meta cuts CPU usage by 20% with one minor change, Google buys Wiz for $32B, Microsoft drops data center expansion, Google could bring back in-person interviews, AI is not helping Salesforce get more sales, and more.
Mishandled security vulnerability in Next.js. A vulnerability allowed authentication to be bypassed at the middleware layer in the popular React framework. Cloudflare stepped in with a security fix after no meaningful communication from Vercel, which led to the respective CEOs butting heads online. It’s fixed now, and we have learnings about how to better handle critical security vulnerabilities.
OpenAI’s image generation and lax Japanese copyright laws. Social media has been flooded with Japanese anime-style images, after ChatGPT added image generation. OpenAI’s executives seem to be encouraging the creation of images in the Studio Ghibli style. Japanese copyright laws make this legal, but is it unethical, given the Studio Ghibli founder calls AI an “insult to life itself?”
1. Industry Pulse
Meta cuts CPU usage by 20% with minor change
The headline: Meta cut CPU utilization across its ads infrastructure by 20% with a one-character change: adding a “&”.
Details from Meta’s eng blog:
“A seasoned performance engineer was looking through Strobelight [Meta’s profiling service] data and discovered that by filtering on a particular std::vector function call (using the symbolized file and line number) he could identify computationally expensive array copies that happen unintentionally with the ‘auto’ keyword in C++.
The engineer turned a few knobs, adjusted his Scuba [Meta’s data store] query, and happened to notice one of these copies in a particularly hot call path in one of Meta’s largest ads services. He then cracked open his code editor to investigate whether this particular vector copy was intentional… it wasn’t.
It was a simple mistake that any engineer working in C++ has made a hundred times.
So, the engineer typed an “&” after the auto keyword to indicate we want a reference instead of a copy. It was a one-character commit, which, after it was shipped to production, equated to an estimated 15,000 servers in capacity savings per year!”
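The mistake and the one-character fix, as an added C++ example (not Meta’s code; `AdService`, `Candidate` and the `copies_triggered` helper are hypothetical stand-ins for the ads service). The copy-counting element type makes the accidental deep copy visible without a profiler:

```cpp
#include <cstddef>
#include <vector>

// Element type that counts how many times it is copied, so the cost of the
// accidental `auto` copy is observable rather than inferred from a profiler.
struct Candidate {
    static inline std::size_t copies = 0;   // C++17 inline static member
    int score;
    explicit Candidate(int s) : score(s) {}
    Candidate(const Candidate& o) : score(o.score) { ++copies; }
    Candidate& operator=(const Candidate& o) { score = o.score; ++copies; return *this; }
};

// Hypothetical ads service object: owns the candidate list and exposes it by
// const reference, as a well-behaved getter should.
struct AdService {
    std::vector<Candidate> candidates;
    const std::vector<Candidate>& all() const { return candidates; }
};

// BEFORE: plain `auto` drops the reference from the getter's return type and
// deduces std::vector<Candidate> by value, so every element is deep-copied per call.
long total_score_copy(const AdService& svc) {
    auto items = svc.all();
    long sum = 0;
    for (const Candidate& c : items) sum += c.score;
    return sum;
}

// AFTER: the one-character fix. `auto&` deduces const std::vector<Candidate>&
// here and binds to the existing vector: no allocation, no element copies.
long total_score_ref(const AdService& svc) {
    auto& items = svc.all();
    long sum = 0;
    for (const Candidate& c : items) sum += c.score;
    return sum;
}

// Runs one variant over a service holding `n` constructed candidates and
// returns how many element copy operations that single call triggered.
std::size_t copies_triggered(std::size_t n, bool use_reference) {
    AdService svc;
    svc.candidates.reserve(n);
    for (std::size_t i = 0; i < n; ++i) svc.candidates.emplace_back(static_cast<int>(i));
    Candidate::copies = 0;                    // ignore copies made while building
    if (use_reference) total_score_ref(svc); else total_score_copy(svc);
    return Candidate::copies;
}
```

With 1,000 candidates the `auto` version performs 1,000 element copies on every call, the `auto&` version none; on a hot path this is the difference the Strobelight data surfaced.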
The bigger story is that all this was possible because Meta invested time, energy, and thought into building Strobelight, its internal profiling orchestrator. Strobelight is several tools combined, so engineers can profile a variety of internal services. Read more in this interesting blog by Meta.
With such wins available, it’s no surprise that larger companies invest so much in internal tooling. And it’s also a good reminder that even mature systems and services might have low-hanging performance optimizations lying around, waiting to be found!