Readit News logoReadit News
emidln commented on Using Python for Scripting   hypirion.com/musings/use-... · Posted by u/birdculture
simonw · 5 days ago
This works really well in my experience, but it does mean you need to have a working internet connection the first time you run the script.

  # /// script
  # dependencies = [
  #     "cowsay",
  # ]
  # ///
  import cowsay
  cowsay.cow("Hello World")
Then:

  uv run cowscript.py
It manages a disposable hidden virtual environment automatically, via a very fast symlink-based caching mechanism.

You can also add a shebang line so you can execute it directly:

  #!/usr/bin/env -S uv run --script
  #
  # /// script
  # dependencies = ["cowsay"]
  # ///
  import cowsay
  cowsay.cow("Hello World")
Then:

  chmod 755 cowscript
  ./cowscript

emidln · 5 days ago
I wish env -S was more portable. It's a newer feature of the coreutils env implementation and isn't supported elsewhere afaik.
emidln commented on Amazon EC2 M9g Instances   aws.amazon.com/ec2/instan... · Posted by u/AlexClickHouse
Kwpolska · 6 days ago
Why is that needed, and how would you know if it’s out of spec?
emidln · 6 days ago
How: You've ran the test on a bunch of hosts and create a spec from ranges.

Why: you might be concerned with network connectivity (you don't get to choose which data center you launch in and it might not be exactly equal), noisy neighbors on shared hosts, etc. if you're measuring for networking, you probably are spinning ups separate accounts/using a bank of accounts and something in every az until you find what you're looking for.

emidln commented on Stop Hacklore – An Open Letter   hacklore.org/letter... · Posted by u/zdw
emidln · 16 days ago
I'm not a CISO just a random dog on the internet, but this open letter seems to assume that privacy is not a part of your security posture and that spear phishing isn't common these days. (Is 'spear phishing' still the term for targeted electronic scams to steal credentials/access?)

I realize not everyone is using a physically stripped burner, a graphene os install, etc and not everyone works at a high value financial, govt, or infra target but for those of us who need to deal with opsec or are commonly targeted by spear phishing this advice seems abysmal.

In the current political climate of the US, if you are living or traveling here and the current party isn't cheering for you personally, you really should be considering both state-sponsored attacks and no longer have the luxury of assuming good faith by the state. Telling people to enable cheap drive by attacks that are in active use by certain government agencies is irresponsible malpractice at best and actively evil at worst.

Source: I've worked at analytics companies that actively deanonymized users using cookies when available. We used wifi and Bluetooth details when available. We built "multi channel marketing" which was just taking any information we could scrape from the user to fingerprint them and cross reference and deanonymize them so we could sell interactions to businesses like geofenced price discrimination, value of users, and could offer cross website information on shopping habits/financial profile. The shit I did 15 years ago didn't go away and no matter how much I wish I didn't write that, it was the tip of the iceberg and relatively benign.

emidln commented on Modern cars are spying on you. Here's what you can do about it   apnews.com/article/auto-c... · Posted by u/MilnerRoute
hdgvhicv · 16 days ago
“Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)

Forward collision warning has misfired on 2 occasions on me in the last 3 years

The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.

This automation shit should stop, but it won’t.

parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.

emidln · 16 days ago
> Forward collision warning has misfired on 2 occasions on me in the last 3 years

My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.

emidln commented on Modern cars are spying on you. Here's what you can do about it   apnews.com/article/auto-c... · Posted by u/MilnerRoute
mindslight · 17 days ago
It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.

I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.

(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))

emidln · 17 days ago
If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.
emidln commented on Modern cars are spying on you. Here's what you can do about it   apnews.com/article/auto-c... · Posted by u/MilnerRoute
M95D · 17 days ago
> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board

And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)

emidln · 17 days ago
I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.
emidln commented on Modern cars are spying on you. Here's what you can do about it   apnews.com/article/auto-c... · Posted by u/MilnerRoute
emidln · 17 days ago
My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.

The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.

I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.

emidln commented on The Journey Before main()   amit.prasad.me/blog/befor... · Posted by u/amitprasad
liqilin1567 · 2 months ago
I'm sick of glibc compatibility problems. Are there any recommended replacements?
emidln · 2 months ago
.interp to a glibc/libc you ship or static linking. These days it’s probably faster (in dev time) to just run a container than setting up a bespoke interp and a parallel set of libraries (and the associated toolchain changes or binary patching needed to support it).
emidln commented on Bzip2 crate switches from C to 100% Rust   trifectatech.org/blog/bzi... · Posted by u/Bogdanp
eru · 6 months ago
Static linking also produces smaller binaries and lets you do link-time-optimisation.
emidln · 6 months ago
Static linking doesn't produce smaller binaries. You are literally adding the symbols from a library into your executable rather than simply mentioning them and letting the dynamic linker figure out how to map those symbols at runtime.

The sum size of a dynamic binary plus the dynamic libraries may be larger than one static linked binary, but whether that holds for more static binaries (2, 3, or 100s) depends on the surface area your application uses of those libraries. It's relatively common to see certain large libraries only dynamically linked, with the build going to great lengths to build certain libraries as shared objects with the executables linking them using a location-relative RPATH (using the $ORIGIN feature) to avoid the extra binary size bloat over large sets of binaries.

emidln commented on Root shell on a credit card terminal   stefan-gloor.ch/yomani-ha... · Posted by u/stgl
stgl · 6 months ago
The binary that decides whether to boot or go into tamper mode is the "loadercode", which is integrity-protected (I think by a Boot ROM or similar).

The secure firmware can be updated, but it is signed as well.

emidln · 6 months ago
If the integrity protection is like any of the TPM implementations I've seen, it often doesn't apply once the thing is already in memory, just that when it first loads that it (and everything before it) was attested. This matters a lot once you get into the userland, esp with an older system, since any random off the shelf exploit can be chained into modifying kernel memory with the intention of modifying the binfmt loader for loadercode (or anything else). Of course, if the loadercode is just a thin shim to prod the secure firmware and that's what has the tamper mode rather than being two separate firmwares for controlling the display, you probably can't progress very far.

I'm essentially skeptical that if you have the ability to control the linux root filesystem for a very old linux distro that any other security measures for the linux binaries themselves matter.

e

u/emidln

KarmaCake day3001November 7, 2011
About
I mostly use eBPF/C/C++ these days but I used to write lots of Clojure, Python, Java, and SQL, with smatterings of Lisp, Ruby, and Javascript where need be.

I'm attached to a tmux session. gdb is probably running in a split with vim.

My views are not necessarily those of my employer.

I live in the Chicago burbs, but I work in the loop. I'd love to buy you a tea, coffee, or a beer to talk about start ups, Clojure, C++, Lisp, Python, toolchains, Bazel or other tech.

github: https://github.com/emidln

bsky: https://bsky.app/profile/emidln.com

email: emidln@gmail.com

View Original