For hobbyist use, is this really any better than macOS' "say" command?

Once you've downloaded the Premium voices (e.g. Zoe) it's just a CLI, no API or hidden bells and whistles.

    $ say -v 'Zoe (Premium)' "This is an example of the Zoe voice for my comment on Hacker News."

You'll have to download the voice ahead of time, but Zoe (public) and Maeve (internal) are both excellent voices.

I don't have a mac, do these voices rely on a cloud component to function or do they run locally? (without internet access is the real test I guess)

Neat! Took me a while to work out how to download extra voices so in case I can save anyone else a bit of googling here's a guide: https://support.apple.com/en-gb/guide/mac-help/mchlp2290/mac

I really dig some of the voices here, they are really well done.

Zoe is good, but (to my ear) this is far superior. Zoe is still in the uncanny valley. This feels completely natural.

excellent voice yes but the voices here are superior

This is garbage tamper detection.

Take a Dremel to the phone to scratch it random and custom. Laser etch a QR code if you want, maybe a GPG signature.

Freeze the phone in a 5-gallon bucket.

FedEx overnight early AM international delivery.

Full LTE GPS tracker on the package with minute-by-minute updates.

Ensure customer tests melted water for co2 content (it will fizz) and nitrogen content (will probably also fizz) in case somebody was clever and dropped LNOX or dry ice to re-freeze.

Retrieve phone that was tampered at the factory ahead of time, despite best efforts.

None of this prevents or exposes tampering except possibly a picture of the random air bubbles in the ice, which only provides exactly the same protection as the glitter and by the same mechanism. Everything else is just a lot of silly theater.

I think the idea is that the shipping time will be too short to allow freezing the tampered-with phone into a new block of ice of such size, and the scratches prevent it from being substituted by a pre-frozen replacement.

Might be countered by supercooled water if the crystallization can be made to look natural.

^ This

Supercooled water was something I thought of later, but I didn't think about the presence / lack of bubbles from normal freezing.

That sort of all-or-nothing threat model isn't particularly useful.

You can never hope for perfect unassailable security. The best you can do is make attacks too expensive/complex for the attackers you're concerned about. From that point of view, glitter varnish produces exceedingly good results for minimal costs.

Good security is always about tradeoffs, never pie-in-the-sky solutions.

With all the effort you require it's almost easier to collect your phone personally at the OEM.

This is the dumbest thing they could do.

“Ah yes, all you hackers and crackers, please take this DRM’ed copy of IDA and please obey the licensing agreement and don’t bypass the DRM.”

I'm not in this scene so take with a grain of salt, but I've heard that in many circles cracking your own copy of IDA was considered a rite of passage long before this particular change, and the company honestly may not care if their whole intent is to target the corporate market (a bit like how Adobe benefited greatly from Photoshop being widely pirated). Of course, the dynamic may also be changed by FOSS options becoming real competitors.

Oh really? I remember reading that each customer got a customised build so that if a customer did crack their version they could see who did it based on the cracked binary.

> and the company honestly may not care if their whole intent is to target the corporate market

If their goal is to target the corporate market, then they do care about individual hobbyists cracking their product - they'd be in favor of it.

Oh no, they were sore about this like you wouldn't believe. They'd rather refuse a legitimate customer than risk a leak. I can't even say they were entirely wrong: the sensitive nature of reverse engineering makes it hard to make sure you won't get ripped off. Still, they did take this personally.

They have a reputation of being one of the most aggressively anti-piracy companies that exists.

I've heard that IDA explicitly allows licensed users to decompile IDA itself. What's stopping someone from reverse engineering it transparently and making a competitor?

> What's stopping someone from reverse engineering it transparently and making a competitor?

Mostly that Ghidra is open source and no one would be willing to go through the hassle of reverse engineering IDA when Ghidra is just sitting right there...

Decompilation isn't exactly a rocket science: just about anyone capable of hacking on clang or gcc can write a simple decompiler. The entire point of IDA was that they've done that, and also a lot of tedious, boring work on providing support for lots and lots of different CPUs. There's just no secret sauce recipe for SREs to steal - even their FLIRT tech is documented on their site.

Probably patent law, unless it’s a black-box reverse engineering, in which case you can’t use a disassembler to peek at how it works

Copyright law is what you're after.

Patent law doesn't care about how you get to the same thing - independent invention does not work as a defense.

IANAL, I'm a random on HN, if you take this as legal advice I don't know what to tell you :D

No it doesn't, it also has a level of protection built in to stop decompiling itself

Because reverse engineered code is usually a mess, unmaintainable and takes a lot of effort to make even small improvements. Also, you run the risk of being accused of copyright infringement.

You mean decompiled code? Reverse engineered code is just code that someone wrote to match the existing functionality of something else.

Yeah, right. I mixed up things. Clean-room reverse engineering is, AFAIK, legal.

If I had to guess, they probably don't care about home usage of Hex-rays. Businesses have more to lose when using cracked versions of Hex-rays.

Right click on the dock → Turn hiding on

I also prefer: ... → Position on screen → Left

Yes.

Interesting, I had a very well-done phone attempt against my American Express card two weeks ago.

I have to wonder if all that data came from the TMobile hack.

* The caller ID was spoofed (not just the name, the actual number on my phone bill and phone app logs are a real AMEX number).

* The caller claimed to be reporting a fraudulent attempt on my account

* In order to verify my identity, please read back the six-digit PIN they're sending me (~ALARM BELLS GO OFF~)

* SMS 2FA shows up, "Enter this code to add your card to Apple Pay" (Oddly, this message doesn't carry the "WE WILL NEVER CALL YOU FOR THIS CODE" all previous SMS 2FA carried)

* I ask for a call-back number, for security purposes. I'm told "This is AMEX. This is AMEX." every time I ask.

I hung up, and froze the card. Then I called AMEX with the number listed on the back of the card. They acknowledged they did NOT call me at any point that day, that a transaction WAS attempted AFTER I froze the card, and issued a new card.

The caller was calm, call-centery, had my full name, credit card number, expiration, 4-digit CVV, and phone number.

I also learned that AMEX doesn't actually cancel the old card... my regularly billed transactions and new online purchases went through just fine with the old card info. I called AMEX to ask them to unambiguously reject all attempts for all previous card numbers, they acknowledged. Tried a few days later, the old number still works...

I had a very similar pattern happen a year or so ago on one of my bank debit cards. The difference in my case was that they made one fraudulent charge on the card beforehand to lend authenticity to the "we're the fraud team" claim. They knew the card number, and the details about the charge (presumably because they were the ones who made the charge). Then they tried to reset the password for my online banking login and asked me to read the security code I received via SMS to confirm my identity. Luckily the code sent to me was clearly labeled as a password reset code (though not with the "we won't ask for this code over the phone" line), so I froze the card and went down to my bank to talk about it. Apparently it had happened to a lot of my bank's members, and I was one of the few to not fall for it.

This is the correct answer!

Coffee is for closers^W quoters. ABQ.

Always. Be. Quoting.

Also, you should be checking your Bash scripts with shellcheck, which will tell you when to do this with ~99% accuracy.

(For the uninitiated: https://www.youtube.com/watch?v=GrhSLf0I-HM)

If you're using ZSH, this will give you a Python-style backtrace showing the specific line of each failure, even with nested function calls.

https://gist.github.com/zachriggle/8574964d2e3078cdfae84b574...

e.g.

    An error occurred on ./test:18
    Frame 1 (./test:21)
    18           false
    19       }
    20
    21   >>> a

    Frame 2 (./test:6)
    3        source TRAPERR.zsh
    4
    5        a() {
    6    >>>     b
    7        }
    8
    9        b() {

    Frame 3 (./test:10)
    7        }
    8
    9        b() {
    10   >>>     c
    11       }
    12
    13       c() {

    Frame 4 (./test:14)
    11       }
    12
    13       c() {
    14   >>>     d
    15       }
    16
    17       d() {

    Frame 5 (./test:18)
    15       }
    16
    17       d() {
    18   >>>     false
    19       }
    20
    21       a

I can do this in bash too (partially), with `set -eE` and bash-modules:

  #!/bin/bash
  . import.sh strict log
  a() {
    b
  }
  b() {
    c
  }
  c() {
    d
  }
  d() {
    false
  }
  
  a

Result:

  $ ./test.sh
  [test.sh] PANIC: Uncaught error.
  at d(./test.sh:13)
  at c(./test.sh:10)
  at b(./test.sh:7)
  at a(./test.sh:4)
  at main(./test.sh:16)

However, it stops to work at some point, e.g. in `for` loop, or in a subshell. zsh is better in this regard.

I wonder if they used Monodraw[1] to create their diagrams?

Looks like they did!

[1]: https://monodraw.helftone.com

Can Monodraw produce the animation as well, as seen on the webpage?

YES we did :)