activescott's Notes
Public notes from activescott
Sunday, June 7, 2026
Corsi–Rosenthal Box - Wikipedia
The Corsi–Rosenthal Box is a design for a do-it-yourself air purifier that can be built comparatively inexpensively. It consists of four[1] or five[2][3] HVAC particulate air filters that form a cube and a box fan to draw air through the filters. The seams of the cube are sealed with duct tape.
Saturday, June 6, 2026
Uncrewed Aerospace | Drone Training & Consultancy
Trump: U.S. stake in AI giants "could be a beautiful thing"
How about you give me my share and let me invest it myself?
Friday, June 5, 2026
Visa Card Vulnerability Continues to Put iPhones at Risk - Vamers
Mastercard, in comparison, performs this validation correctly and the contrast reveals exactly where Visa fails. The over-the-limit attack succeeds against Visa for one central reason: when the attacker flips the bit in the Card Transaction Qualifiers (CTQ) telling the terminal “on-device authentication has been performed”, Visa does not cryptographically authenticate that field – nor does it cross-check it against the Issuer Application Data (IAD), which contains an independent record (in the Card Verification Results field) of whether Consumer Device Cardholder Verification Method (CDCVM) actually occurred. During the original disclosure process, Visa confirmed to the researchers the relevant data is present in the Application Cryptogram; the company simply does not validate it – whereas Mastercard does. The researchers proved this formally using the Tamarin verification tool: a Mastercard transaction cannot be approved at high value without genuine on-device authentication.
On the touch point of this exploit being one only affecting Apple’s iPhone, it is worth noting how Samsung Pay takes a different approach at the device level – authorising only zero-value transactions in transit mode, with the actual fare settled later through the transit system. This is effective, though it comes with trade-offs; like how fixed-fare transit systems requiring upfront charges are not supported. Apple could theoretically implement a similar restriction, yet doing so would break Express Transit for several transit networks worldwide. The more appropriate long-term solution requiring no compromise on device-level functionality, is simply for Visa to implement the same backend verification Mastercard already uses.
Visa’s official position, reiterated to Veritasium in 2026, is straightforward: the company does not believe the exploit is likely in a real-world setting. The attack requires physical proximity to (or possession of) the victim’s iPhone, specialised hardware, a rooted Android phone, and technical knowledge of EMV protocol manipulation. Visa further notes cardholders are covered by its ‘Zero Liability Policy’, allowing for any fraudulent transaction to be disputed and refunded. Anyone who has ever tried getting a refund from a bank for fraudulent activity will know how tedious and time consuming this process can be, and it is rather telling how Visa would rather put users through inconvenience than simply fixing the known security gap.
With that said, the company’s position is worth examining over outright dismissing. For a start, the hardware requirements are not trivial. Nefarious parties would require a Proxmark device, rooted Android phone, and laptop running custom relay software – all of which represent a higher barrier to entry than most opportunistic theft. Scaled deployment across hundreds of victims simultaneously is, indeed, impractical with current methods.
Even so, this defence has clear structural weaknesses. The existence of a known and, in this case, reproducible vulnerability in a payment network processing billions of transactions annually; cannot simply be mitigated by the argument of it being ‘difficult to exploit at scale’. Mastercard clearly agrees given how they have implemented protections against exactly this class of attack. Moreover, the equipment required is commercially available (the Proxmark, for instance, is an open-source RFID research tool), and the researchers’ methodology was published in full at a major academic conference. It also stands to reason how the barrier to replication lowers every year. Arguing a vulnerability is tolerable because exploitation is currently inconvenient is not a security posture… it is more akin to som
For anyone who regards the security of their financial data as a priority, the recommended course of action is clear and immediate: do not use a Visa card for Express Transit on an iPhone until either Apple or Visa deploys a fix.
To disable Express Transit for Visa on an iPhone, navigate to Settings, then Wallet and Apple Pay, then Express Transit Card, and select None; or assign either a Mastercard or American Express card to the feature instead. Both alternatives are, as of the publication of this article, immune to this specific Visa card vulnerability.
AI, Crypto, and AIPAC’s New Strategies to Obscure Campaign Spending
AIPAC used a complicated web of political committees to influence the Illinois primary elections in March. Whether or not it is using the same tactics in Michigan — the group did not respond to a request for comment — observers expect it to continue to hide its campaign spending in the months to come, as primary candidates battle over AIPAC’s influence.
New York Comptroller’s Trip to Israel Raised Ethical Concerns, State Commission Said
A NEW YORK state oversight board raised ethics concerns about a trip by state Comptroller Tom DiNapoli to Israel that a local pro-Israel Jewish group sponsored.
The revelation comes amid renewed scrutiny of DiNapoli’s spending spree on Israel Bonds, a financial instrument that directly funds the state of Israel.
The trip was paid for by the Jewish Community Relations Council of New York, which has a financial relationship to Israel Bonds, the organization that issues Israeli government debt securities in the U.S.
On Sunday, DiNapoli and other state and local electeds marched in the parade again, joined by an array of extremist Israeli political figures including Bezalel Smotrich, the current finance minister and a far-right champion of illegal settlements.
In his 18 years as comptroller — and particularly in the months and years following October 7 and the launch of Israel’s genocide in Gaza — DiNapoli has turned the state’s pension fund into one of the largest holders of Israel Bonds nationwide. Since the February 2024 trip, Dinapoli has invested $120 million of the state’s common retirement fund in the instruments, bringing the total investment of state pension funds in Israel Bonds to $332.5 million.
Critics of the investments also point to a fiscally responsible argument against the bonds. Unlike traditional foreign-debt assets, Israel Bonds cannot be sold on a secondary market and instead must be held until they mature. That makes them a potentially unsound bet, especially considering the rapid decline of Israel’s credit rating in recent years.
Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer
Allow for network traffic audits Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com
New to Pi Hole why is mask.icloud.com blocked as standard? - General - Pi-hole Userspace
iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS), the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. Would be nice, if the relays would not be managed by Apple, thus not being able to collect the info anyway.
Be aware, by enabling iCloud Private Relay with the above setting, the devices will no longer be using pihole, thus everything will be allowed, regardless of the blocklists you have.
Also read this pihole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of pihole, from a privacy point of view.
Thursday, June 4, 2026
Gemma 4 12B : Run Locally, Fine-Tune, Benchmark Performance
Because vision, audio, and text inputs share the exact same weights, you no longer need to co-tune separate frozen encoders. Downstream adapter fine-tuning (such as LoRA) or full fine-tuning naturally updates the entire multimodal token loop in a single pass.
Google's new open source Gemma 4 12B analyzes audio, video — and runs entirely locally on a typical 16GB enterprise laptop | VentureBeat
While many AI open source model providers are pursuing larger and more powerful models, Google is still giving attention to the smaller, more local side of the market. Today, the tech giant released Gemma 4 12B, an 11.95-billion-parameter open-weights model with permissive Apache 2.0 license optimized to execute locally on a standard enterprise laptop using just 16GB of VRAM or unified memory.
Traditional multimodal systems typically utilize discrete, separate encoders to translate audio waveforms and visual data into representations that the core language model can process.
This conventional approach inherently increases both inference latency and total memory consumption.
Gemma 4 12B radically alters this pipeline by functioning entirely without these secondary encoders. Instead, visual patches and raw audio waveforms are projected directly into the core large language model's embedding space through lightweight linear layers.
The vision encoder is replaced by a 35-million-parameter module utilizing a single matrix multiplication, while the audio encoder is eliminated entirely.
For enterprise engineering teams, this unified architecture delivers distinct operational advantages: lower latency for multimodal tasks, reduced VRAM requirements (down to 16GB — typical for laptops), and the ability to fine-tune the entire multimodal system in a single, cohesive pass.
Google has ensured that Gemma 4 12B is not an isolated experiment; it is ready for production. Weights are available on Hugging Face and Kaggle, and the model integrates seamlessly with industry-standard deployment frameworks such as vLLM, SGLang, MLX, and llama.cpp.
Tuesday, June 2, 2026
docs: add Phase-A porting guide · oven-sh/bun@46d3bc2
Interesting prompt for porting zig to rust in bun.
Bun’s Zig to Rust Rewrite: Anthropic’s AI Code Experiment | byteiota
Meanwhile, Bun’s relationship with the Zig community has soured. Zig Software Foundation maintains a strict “no AI code” policy and previously rejected Bun’s attempts to upstream performance improvements as “technically unsound.” WinBuzzer reported on May 1 that “Anthropic-owned Bun is already paying the cost” of Zig’s LLM ban. The friction is accelerating the Rust exploration.
Bun Rewrites from Zig to Rust — Why a Fast Runtime Is Starting Over | StartupXO
Zig was a deliberate choice in 2022. Its comptime evaluation and zero-runtime design minimized overhead when calling JavaScriptCore’s C++ interfaces. But Zig’s ecosystem remains narrow: no central package registry comparable to crates.io, a small hiring pool, and slow open-source contributor growth.
Rust is now the practical standard for systems programming. AWS Firecracker, Cloudflare’s Workers runtime (workerd), and Linux kernel drivers are built in Rust. The White House ONCD and NSA have formally recommended Rust for memory safety. As of 2026, choosing Rust means choosing a contributor pool orders of magnitude larger than Zig’s.
Bun’s Rust move is about ecosystem integration, not raw performance gains. More contributors, better security tooling, and more hireable engineers.
OAK-D Lite
Docs for the OAK-D Lite.
oak-hardware/DM9095_OAK-D-LITE_DepthAI_USB3C/Datasheet/OAK-D-Lite_Datasheet.pdf at master · luxonis/oak-hardware
Luxonis OAK-D Lite datasheet.
Luxonis Documentation
Telnyx—Voice AI Agents with Built-In Global Telco Infrastructure
Kinda like twilio.
Monday, June 1, 2026
E.164 - Wikipedia
E.164 defines a general format for international telephone numbers. Plan-conforming telephone numbers are limited to only digits and to a maximum of fifteen digits. The specification divides the digit string into a country code of one to three digits, and the subscriber telephone number of a maximum of twelve digits.