activescott's Notes

Public notes from activescott

Monday, June 8, 2026

Republican Congressman Thomas Massie has called for a new investigation into Israel’s deadly attack on the USS Liberty, urging recognition for the survivors and those killed in a probe that he says is 59 years overdue.

Israeli jets and torpedo boats attacked the US ship off Egypt on June 8, 1967, killing 34 US service members and wounding more than 170. Twelve survivors watched from the gallery of the US House of Representatives.

Massie said the unarmed ship was flying a clearly visible US flag when it came under sustained attack.

“According to eyewitness accounts, the Israelis machine gunned the lifeboats that they put down,” Massie said. “They machine gunned the firefighters who were on the deck.”

Israeli officials have long claimed the attack was a case of mistaken identity, but Massie said senior officials, including former CIA figures, rejected that explanation.

The USS Liberty anniversary has renewed relevance because Massie has criticised Washington’s long-standing reluctance to hold Israel accountable, even when US citizens are killed. He has also opposed the current war on Iran, which Israel dragged the US into, and which has killed at least 13 US troops and wounded more than 380.

#

The UK Foreign Office and a group of western countries are due to announce a package of sanctions against Israel this week designed to deter companies from becoming involved in a proposed West Bank settlement that would split the territory in two and render the concept of a two-state solution near impossible.

Tenders were opened this month for the development of more than 3,000 homes between Jerusalem and the Ma’ale Adumim. The development would split the West Bank between north and south, and so in effect make a contiguous Palestinian West Bank impossible.

Last week, the UN committee on the exercise of the inalienable rights of the Palestinian people condemned an order signed by the Israeli finance minister, Bezalel Smotrich, to start displacing the Palestinian Bedouin community of Khan al-Ahmar in the occupied West Bank, saying it would “heighten the risk of forced transfer of the civilian population” and calling such a move illegal and a war crime.

The letter states: “The case for ending trade with settlements is clear. The international court of justice has directed third states not to enter into ‘trade dealings with Israel concerning the occupied Palestinian territory’, which is widely interpreted as meaning states must not trade with settlements.”

It argues that the UK would not need primary legislation to enact a ban as there is “a precedent in UK law and policy of not trading with illegally occupied lands”, including Crimea and other illegally occupied parts of Ukraine.

Sunday, June 7, 2026

This is not the first time Israel has been accused of espionage against the US – its closest ally and benefactor – with which it maintains extensive security and intelligence cooperation.

According to NBC News and The New York Times (NYT), citing anonymous current and former US officials, the Pentagon’s Defense Intelligence Agency (DIA) arm recently upgraded Israel’s counterintelligence threat level from “high” to “critical”, the most serious designation in its internal assessment system.

The warning was based on Israeli intelligence agencies intensifying efforts to collect information on US military personnel, government officials and policy discussions.

The news reports said the concern was focused on American officials involved in shaping Washington’s approach towards Iran, as the two foes continue to negotiate an end to the war that has sent global energy prices soaring.

“An intensified Israeli effort to learn about US positions in talks with Iran has crossed a line, according to some American officials,” the NYT said.

The reports also referenced incidents in which US defence personnel working in Israel allegedly discovered software on their phones “to tap their communications had been surreptitiously installed on their phones”, the NYT added.

The newspaper said the DIA reports found Israeli spying on the US, which has occurred before, surged from late 2024 onwards, coinciding with US President Joe Biden’s administration stepping up pressure on Israel over its genocide in Gaza.

Israel has previously been involved in espionage cases targeting the US, although such incidents have not been spoken about much given their close ties.

The most famous example is the Jonathan Pollard affair. The civilian intelligence analyst working for the US Navy was arrested in 1985 after passing large quantities of classified information to Israel. He later pleaded guilty to espionage and served 30 years in prison before being released on parole in 2015.

“Over decades, Israel has sought to penetrate US policymaking circles through both formal and informal networks, including intelligence and lobbying channels, in order to gain insight into American strategic thinking and decision-making,” he added.

Nevertheless, Washington has for years provided billions in military aid and weapons sales to Israel, including throughout the ongoing Israeli genocide in Gaza.

The US Congress is also currently debating a section of a new defence bill, which would integrate the two countries’ research and development for weaponry to an unprecedented degree. The US has also provided diplomatic cover to Israel at the UN and other international bodies.

“What surprises many observers is the extent to which Israel, despite being heavily dependent on American military, diplomatic and financial support, has developed the capacity to penetrate multiple layers of US policymaking and cultivate influence across key institutions involved in American statecraft.”

According to analyst and Iran expert Negar Mortazavi, Israel’s reported espionage in the current context is not new and has past precedent. Israel’s opposition to US-Iran negotiations goes back to the time of US President Barack Obama when he signed a nuclear deal with Iran in 2015, which the US under Trump withdrew from in 2018.

“The Israeli Prime Minister Netanyahu did not want any deals or serious negotiations or normalisation between Tehran and Washington, and he tried to stop it publicly and privately in any way he could,” she told Al Jazeera.

Saturday, June 6, 2026

Friday, June 5, 2026

Mastercard, in comparison, performs this validation correctly and the contrast reveals exactly where Visa fails. The over-the-limit attack succeeds against Visa for one central reason: when the attacker flips the bit in the Card Transaction Qualifiers (CTQ) telling the terminal “on-device authentication has been performed”, Visa does not cryptographically authenticate that field – nor does it cross-check it against the Issuer Application Data (IAD), which contains an independent record (in the Card Verification Results field) of whether Consumer Device Cardholder Verification Method (CDCVM) actually occurred. During the original disclosure process, Visa confirmed to the researchers the relevant data is present in the Application Cryptogram; the company simply does not validate it – whereas Mastercard does. The researchers proved this formally using the Tamarin verification tool: a Mastercard transaction cannot be approved at high value without genuine on-device authentication.

On the touch point of this exploit being one only affecting Apple’s iPhone, it is worth noting how Samsung Pay takes a different approach at the device level – authorising only zero-value transactions in transit mode, with the actual fare settled later through the transit system. This is effective, though it comes with trade-offs; like how fixed-fare transit systems requiring upfront charges are not supported. Apple could theoretically implement a similar restriction, yet doing so would break Express Transit for several transit networks worldwide. The more appropriate long-term solution requiring no compromise on device-level functionality, is simply for Visa to implement the same backend verification Mastercard already uses.

Visa’s official position, reiterated to Veritasium in 2026, is straightforward: the company does not believe the exploit is likely in a real-world setting. The attack requires physical proximity to (or possession of) the victim’s iPhone, specialised hardware, a rooted Android phone, and technical knowledge of EMV protocol manipulation. Visa further notes cardholders are covered by its ‘Zero Liability Policy’, allowing for any fraudulent transaction to be disputed and refunded. Anyone who has ever tried getting a refund from a bank for fraudulent activity will know how tedious and time consuming this process can be, and it is rather telling how Visa would rather put users through inconvenience than simply fixing the known security gap.

With that said, the company’s position is worth examining over outright dismissing. For a start, the hardware requirements are not trivial. Nefarious parties would require a Proxmark device, rooted Android phone, and laptop running custom relay software – all of which represent a higher barrier to entry than most opportunistic theft. Scaled deployment across hundreds of victims simultaneously is, indeed, impractical with current methods.

Even so, this defence has clear structural weaknesses. The existence of a known and, in this case, reproducible vulnerability in a payment network processing billions of transactions annually; cannot simply be mitigated by the argument of it being ‘difficult to exploit at scale’. Mastercard clearly agrees given how they have implemented protections against exactly this class of attack. Moreover, the equipment required is commercially available (the Proxmark, for instance, is an open-source RFID research tool), and the researchers’ methodology was published in full at a major academic conference. It also stands to reason how the barrier to replication lowers every year. Arguing a vulnerability is tolerable because exploitation is currently inconvenient is not a security posture… it is more akin to som

For anyone who regards the security of their financial data as a priority, the recommended course of action is clear and immediate: do not use a Visa card for Express Transit on an iPhone until either Apple or Visa deploys a fix.

To disable Express Transit for Visa on an iPhone, navigate to Settings, then Wallet and Apple Pay, then Express Transit Card, and select None; or assign either a Mastercard or American Express card to the feature instead. Both alternatives are, as of the publication of this article, immune to this specific Visa card vulnerability.

AIPAC used a complicated web of political committees to influence the Illinois primary elections in March. Whether or not it is using the same tactics in Michigan — the group did not respond to a request for comment — observers expect it to continue to hide its campaign spending in the months to come, as primary candidates battle over AIPAC’s influence.

A NEW YORK state oversight board raised ethics concerns about a trip by state Comptroller Tom DiNapoli to Israel that a local pro-Israel Jewish group sponsored.

The revelation comes amid renewed scrutiny of DiNapoli’s spending spree on Israel Bonds, a financial instrument that directly funds the state of Israel.

The trip was paid for by the Jewish Community Relations Council of New York, which has a financial relationship to Israel Bonds, the organization that issues Israeli government debt securities in the U.S.

On Sunday, DiNapoli and other state and local electeds marched in the parade again, joined by an array of extremist Israeli political figures including Bezalel Smotrich, the current finance minister and a far-right champion of illegal settlements.

In his 18 years as comptroller — and particularly in the months and years following October 7 and the launch of Israel’s genocide in Gaza — DiNapoli has turned the state’s pension fund into one of the largest holders of Israel Bonds nationwide. Since the February 2024 trip, Dinapoli has invested $120 million of the state’s common retirement fund in the instruments, bringing the total investment of state pension funds in Israel Bonds to $332.5 million.

Critics of the investments also point to a fiscally responsible argument against the bonds. Unlike traditional foreign-debt assets, Israel Bonds cannot be sold on a secondary market and instead must be held until they mature. That makes them a potentially unsound bet, especially considering the rapid decline of Israel’s credit rating in recent years.

Allow for network traffic audits Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com

iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS), the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. Would be nice, if the relays would not be managed by Apple, thus not being able to collect the info anyway.

Be aware, by enabling iCloud Private Relay with the above setting, the devices will no longer be using pihole, thus everything will be allowed, regardless of the blocklists you have.

Also read this pihole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of pihole, from a privacy point of view.

Thursday, June 4, 2026

While many AI open source model providers are pursuing larger and more powerful models, Google is still giving attention to the smaller, more local side of the market. Today, the tech giant released Gemma 4 12B, an 11.95-billion-parameter open-weights model with permissive Apache 2.0 license optimized to execute locally on a standard enterprise laptop using just 16GB of VRAM or unified memory.

Traditional multimodal systems typically utilize discrete, separate encoders to translate audio waveforms and visual data into representations that the core language model can process.

This conventional approach inherently increases both inference latency and total memory consumption.

Gemma 4 12B radically alters this pipeline by functioning entirely without these secondary encoders. Instead, visual patches and raw audio waveforms are projected directly into the core large language model's embedding space through lightweight linear layers.

The vision encoder is replaced by a 35-million-parameter module utilizing a single matrix multiplication, while the audio encoder is eliminated entirely.

For enterprise engineering teams, this unified architecture delivers distinct operational advantages: lower latency for multimodal tasks, reduced VRAM requirements (down to 16GB — typical for laptops), and the ability to fine-tune the entire multimodal system in a single, cohesive pass.

Google has ensured that Gemma 4 12B is not an isolated experiment; it is ready for production. Weights are available on Hugging Face and Kaggle, and the model integrates seamlessly with industry-standard deployment frameworks such as vLLM, SGLang, MLX, and llama.cpp.

Tuesday, June 2, 2026

Meanwhile, Bun’s relationship with the Zig community has soured. Zig Software Foundation maintains a strict “no AI code” policy and previously rejected Bun’s attempts to upstream performance improvements as “technically unsound.” WinBuzzer reported on May 1 that “Anthropic-owned Bun is already paying the cost” of Zig’s LLM ban. The friction is accelerating the Rust exploration.

Zig was a deliberate choice in 2022. Its comptime evaluation and zero-runtime design minimized overhead when calling JavaScriptCore’s C++ interfaces. But Zig’s ecosystem remains narrow: no central package registry comparable to crates.io, a small hiring pool, and slow open-source contributor growth.

Rust is now the practical standard for systems programming. AWS Firecracker, Cloudflare’s Workers runtime (workerd), and Linux kernel drivers are built in Rust. The White House ONCD and NSA have formally recommended Rust for memory safety. As of 2026, choosing Rust means choosing a contributor pool orders of magnitude larger than Zig’s.

Bun’s Rust move is about ecosystem integration, not raw performance gains. More contributors, better security tooling, and more hireable engineers.