
A direct email from Zero Motorcycles to owners probably as a result of this blog post:

SUBJECT: Firmware Release & Ongoing Security Measures

Dear Zero Owners,

March 25th Firmware Update (BMU V20)

On the morning of March 25th, as part of our ongoing improvements, we released a firmware update for select 2022+ Zero models that improves the accuracy of the battery state-of-charge and range display. This update addresses a condition where, over time, the system could overestimate available charge, which in rare cases could lead to the motorcycle shutting down before the display reaches 0%. Following installation, some riders may notice a lower battery percentage or reduced range estimate. This is expected and reflects corrected, more accurate readings — actual riding range is not affected.

See details at zeromotorcycles.com/firmware.

Ongoing Security Enhancements

Separately, we recently became aware of potential issues in our motorcycles’ firmware and are taking steps to address them with your safety and security in mind. This work is ongoing, and we remain committed to strengthening system protections across our platform.

We understand how important trust and dependability are when you ride. Thank you for your continued support.

Sincerely,

The Zero Motorcycles Team


Hilarious that someone would go to the length of creating 134 anonymized email addresses, but all of them using the same Apple account. Might as well have put in the effort for actual anonymous email addresses.

I know software developers complain about forced compliance due to the security theatre aspects, but I would like to charitably ask someone who has a technical understanding of FIPS-compliant cryptography. Are there any actual security advantages on technical grounds for making WireGuard FIPS-compliant? Assume the goal is not to appease pencil pushers. I really want to know if this kind of effort has technical gains.

Crypto-wise, FIPS is outdated but not horrible.

Actual FIPS compliance (certified) gives you confidence in some basic competence of the solution.

Just being FIPS compatible (i.e., picking algos that could be FIPS compliant) is generally neutral to negative.

I'm not 100% up to date, so that might have changed, but AEAD used to be easier if you don't follow FIPS than if you stay FIPS compatible. Still possible, but more footguns due to regulatory lag in techniques.

Overall, IMO the other top-level comment of "only fips if you have pencil pusher benefit" applies.


FIPS-140 allowed encryption using 3DES up until Jan 1 2024, and allowed certification of modules containing SHA-1 through the end of 2025. There is some transition-timeline nuance involved, but those examples are in general pretty horrible from a security perspective.

There are no security advantages or technical grounds for using FIPS algorithms in a WireGuard clone instead of ChaCha / BLAKE2. It's purely a compliance move. ChaPoly, BLAKE2, etc., are not known to be broken and we have every reason to believe they are strong.

No.

Getting a crypto module validated by FIPS 140-3 simply lets you sell to the US Government (something something FedRAMP). It doesn't give you better assurance in the actual security of your designs or implementations, just verifies that you're using algorithms the US government has blessed for use in validated modules, in a way that an independent lab has said "LGTM".

You generally want to layer your compliance (FIPS, etc.) with actual assurance practices.


My limited understanding is that issues like being vulnerable to side-channel attacks are very difficult to detect. So you have to have shown that the entire development process is safe. From the code to the compiler to the hardware to the microcode, it all needs to be checked. That said, it does seem like compliance is a bigger priority than safety.

If you're considering whether to use a FIPS 140-3 module for your cryptography, consider that FIPS 140-3 is really only for specific compliance verticals. If you don't know whether you need it, you probably don't need it.

So, along those lines, if you wonder whether a package's cryptography should be FIPS 140-3 compliant, then the real question is whether you are a vertical that needs to be compliant. Again, if you aren't sure, the answer is likely NO.


>Again, if you aren't sure, the answer is likely NO.

Likely no, I agree. But I think there are probably a lot of companies selling enterprise software that later attempt to solicit a FedRAMP authorization that would benefit from planning ahead and building a compliant version from the jump. Worth considering and having a conversation internally.


I presume it's a product strategy to provide a box of "compliant" libraries/services, so other companies can quickly tick and sign a checkbox saying "we use a compliant VPN", because someone else is going to look at whether the checkbox is ticked and signed, because someone else is going to...

You failed to answer the question. Why did you reply?

No, there are not.

Have you seen how bad flight booking sites can get? I've had to download airline apps a majority of the time because the website failed to finish payment properly.

I don't think we should call presentations visionless or fault them for wanting to solve this UX nightmare.


And you want to add an unreliable, non-deterministic LLM into the flow too?

And this sounds like something you absolutely wouldn’t want an AI agent trying to figure out.

> Have you seen how bad flight booking sites can get?

Claude is pretty amazing, but it still goes down rabbit holes and makes obvious mistakes. Combining that with "oops I just bought a non-refundable flight to the wrong city" seems... unfun.


That has never happened to me once.

So the solution to bad design and enshittification is to have a horde of agents to throw at tasks now?

I'm with you and feel your anger. So tired of California's useless virtue signaling about housing and homelessness while no progress is made for decades. California, stop messing around and start living up to your virtue signals! It's infuriating to live in California, hear all day about caring about poor people, then do nothing at all for the bottom line and in fact endeavor to make it harder and discriminate against poor people as much as possible.

And then they'll act so surprised when the populists without a plan show up and win the national elections.


Some of the problem in California is that the population of want-to-buyers is all focused on a small number of extremely geographically constrained areas.

Their answer is always "more density" but more density isn't going to solve it - the demand is not fixed and density will not alleviate it, so there is natural pushback on ruining the area and not actually solving the problem.

The real answer here is that the valley needs to extend further south, as in the 1990s plans for companies to start building campuses in Silver Creek or further, which would require the government to incentivize such moves.

Had the dotcom lasted another two years or so, IBM, Cisco, and many others would have done the capital investment in campuses further out, and the viable housing area would have increased dramatically, but it didn't work out that way.


Kagi also supports Gen Z: I hope you log out early fr


Xerxes had a victory at Thermopylae


You say po-ta-to, I say po-tat-o!


I just want to say that despite the AI negativity in other places, this highlights the positive aspect of it. I'm sure this could have been done without it, but I'm glad OP could get it out faster for a low-risk use case, shared it with us, and in the process taught a little bit of refining to others. It's a fun minigame.


Thank you, almost like you read my manifest for this haha. I was concerned the learning would get overshadowed by the LLM use. Hope you learned some interesting facts that help you understand the why of refining a little bit more. I started developing this before the conversation around oil became mainstream media again.


What did the videos originally link to? It just shows "Sorry, this post is no longer available."


That’s your ad blocker. They’re still up.


Sometimes it'll show that while the embed is still loading.


Is it really worth going after a market known for people who buy things? Do companies like money?


I mean they can add Linux developer friendly features. This way they can sell literally dozens of iPads for hardcore developers.


They sell them to hardcore Apple developers.

Developers aren't synonymous with Linux, or UNIX-like for that matter.


I think you missed the implied /s in the parent post.


I guess I have seen UNIX === Developer too much around some social media places.

