Editorial note

Two big themes today: hardware-level choices are becoming the threat surface, and the fixes are equally physical — unplug, patch, or rethink where you trust computation. Below are quick takes on three stories, then deeper reads on a privacy DIY that literally rips radios out of a car and a newly public NGINX RCE you should treat as urgent.

In Brief

RTX 5090 and M4 MacBook Air: Can It Game?

Why this matters now: High-end desktop GPUs like an NVIDIA RTX 5090 can unlock orders-of-magnitude faster local LLM inference and playable gaming on an M4 MacBook Air — but only with serious engineering and cost overhead.

ScottJG wired an RTX 5090 over Thunderbolt to an M4 MacBook Air, passed the card through to an ARM Linux VM, and fought drivers, DMA/IOMMU quirks, and emulation to get games and local LLM inference working. According to the write-up, prefill time for a 4k-token LLM prompt dropped from ~17 seconds on the M4 to ~150 ms on the RTX, roughly a 100x speedup. The project is an engineering showcase, not a consumer product: it costs a lot in complexity and runs ~2–4x slower than a native PC with the same GPU, but the real takeaway is the clear win for local AI inference if you’re willing to tinker.

"So: can it game? Yes, with enough elbow grease."

Mullvad exit IPs are surprisingly identifying

Why this matters now: Mullvad users relying on WireGuard for unlinkability can be correlated across servers if they reuse keys; a simple key rotation breaks the mapping.

Researcher tmctmt showed that Mullvad’s WireGuard exits choose exit IPs deterministically from your key, producing a limited set of cross-server IP combinations rather than a huge random space. The mapping comes from a seeded RNG percentile derived from your WireGuard key; that makes correlations possible across servers if an operator has logs. Mullvad says some aspects were intended and some were not, and a patch is being tested, but practical mitigation today is obvious: rotate keys (log out of the app) when you need fresh unlinkability or use multi‑hop/Tor for stronger anonymity. See the full analysis here.

DS4 and the quasi-frontier local model moment

Why this matters now: DS4 makes near-frontier local inference practical on beefy, well-equipped machines, moving serious work off the cloud for those who can afford the hardware.

Antirez reports that DwarfStar 4 (DS4) plus an aggressive 2/8-bit quantization recipe made high-quality local inference usable on machines with 96–128GB of RAM. For people with that hardware, the feeling is notable: a local model that handles production-style prompts without constant cloud fallbacks. The project is still early — tooling, CI, and cross-platform ports are next — but DS4 is another sign that "good enough" local models are eroding the exclusive advantage of paid frontier services. Read the update here.

Deep Dive

Removing the modem and GPS from my 2024 RAV4 hybrid

Why this matters now: Privacy-focused drivers can stop a 2024 RAV4 Hybrid from sending telemetry by physically removing the car’s DCM and disconnecting GPS, but doing so sacrifices cloud services, SOS, OTA updates, and may affect warranty coverage.

The author walked through a do-it-yourself teardown to remove the Toyota DCM (data communication module) and disable the built-in GPS. The post includes a parts list, step-by-step photos, and a DCM bypass kit that keeps the in-car microphone connected so voice features and the stereo wiring keep working once the module is gone. The project is precise and pragmatic: remove the radio trim, unbolt the DCM, and use simple wiring to leave the car functional while killing its cellular link.

This is effective "stop the data at the source" thinking, but the tradeoffs are substantial. You’ll lose cloud features and automatic updates, emergency SOS, and likely remote diagnostics — and Bluetooth tethering or wired CarPlay/Android Auto behavior can still leak vehicle context if you aren’t careful. Hacker News pushed this further: one commenter reported mileage still uploaded despite disabled services, and others warned that phones and platform vendors (Apple/Google) can act as alternate telemetry bridges unless you change those device settings.

There are two broader policy angles here. First, this kind of guide is a reminder that market fixes for in-vehicle telemetry are patchwork at best; not everyone will be comfortable literally opening plastic trim to regain digital privacy. Second, manufacturers could make opt-out meaningful, with hardware kill switches or legally enforceable data minimization, which would be a far simpler fix than hobbyist surgery.

"Modern cars are computers on wheels," the author writes, framing the project as a practical privacy provocation.

If you try this: document what you do, expect to lose remote safety features, and check warranty and local laws. If you want to confirm the car has actually gone quiet, the community discussion suggests spectrum analysis to verify nothing is transmitting, or removing the RF modules themselves as a more thorough (and more invasive) option. Full how-to and photos are available in the original post: removing the modem and GPS from my RAV4.

New Nginx Exploit (CVE‑2026‑42945)

Why this matters now: Servers running NGINX with certain rewrite/set combinations are exposed to a remote heap overflow and potential RCE; upstream patches exist and should be applied immediately.

Researchers published a proof-of-concept for an 18‑year‑old heap overflow in NGINX’s ngx_http_rewrite_module that can lead to unauthenticated remote code execution or DoS when specific rewrite patterns are present. The bug stems from a two-pass script engine mismatch: the first pass zeroes a sub-engine for length calculation, but the second pass expands escapable bytes (like '?') and overflows an undersized heap buffer. The PoC chains heap layout manipulation into a corrupted ngx_pool_t cleanup pointer that can be steered to call system().

Mitigation and risk need calm precision. The published PoC disables ASLR (address space layout randomization) to make exploitation reproducible, which limits immediate mass exploitation risk. But ASLR is not a panacea — exploit developers frequently chain primitives or find bypasses — so you should assume an exploitable path could be found. The practical steps for operators are straightforward: upgrade to the patched NGINX releases (the upstream fixes are in 1.30.1/1.31.0 and respective vendor branches), or apply the cited workaround of using named capture variables instead of numeric $1/$2 references in rewrites.

"use named captures instead of unnamed captures"

If you run any public-facing NGINX instances, treat this as urgent: patch, apply config workarounds, and audit rewrite/set usage in your configs. The full disclosure and PoC are on GitHub; tracking vendor patches and backports is important because many environments run vendor-tied builds like OpenResty or NGINX Plus. See the research and PoC at the DepthFirst disclosure: Nginx‑Rift.
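As an added audit aid (not from the disclosure, the NGINX project, or the Nginx-Rift PoC), this Python script flags rewrite/set directives that reference numeric captures and converts rewrite lines to the named-capture form the cited workaround calls for. The config is constructed, and the conversion is a heuristic that assumes only unnamed top-level groups and no parentheses inside character classes.

```python
import re
# Constructed sample config (not from the page) using the numeric captures the workaround replaces.
SAMPLE_CONF = """
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1 permanent;
    }
    location ~ ^/api/(v[0-9]+)/(.*)$ {
        set $ver $1;
        rewrite ^/api/(v[0-9]+)/(.*)$ /backend/$2?version=$1 last;
    }
    location /safe/ {
        rewrite ^/safe/(?<tail>.*)$ /new/$tail permanent;
    }
}
"""

NUMERIC_REF = re.compile(r'\$([1-9])(?![0-9A-Za-z_])')  # $1..$9, not $10 or $1x
REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(\s+\S+)?\s*;')

def find_numeric_captures(conf):
    """Return (line_no, directive) for rewrite/set lines that use $1..$9."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        d = line.strip()
        if d.startswith(('rewrite ', 'set ')) and NUMERIC_REF.search(d):
            hits.append((n, d))
    return hits

def to_named_captures(rewrite_line, prefix='c'):
    """Convert 'rewrite REGEX REPL [flag];' so the N-th unnamed group becomes
    (?<cN>...) and $N in REPL becomes $cN. Heuristic: assumes no existing
    named groups and no '(' inside a [...] character class."""
    m = REWRITE.match(rewrite_line)
    if not m:
        return None
    regex, repl, flag = m.group(1), m.group(2), m.group(3) or ''
    out, idx, i = [], 0, 0
    while i < len(regex):
        if regex[i] == '\\':                      # keep escapes such as \( verbatim
            out.append(regex[i:i + 2]); i += 2; continue
        if regex[i] == '(' and not regex.startswith('(?', i):
            idx += 1
            out.append(f'(?<{prefix}{idx}>')      # PCRE named group, read back as $cN
        else:
            out.append(regex[i])
        i += 1
    new_repl = NUMERIC_REF.sub(lambda mm: f'${prefix}{mm.group(1)}', repl)
    return f'rewrite {"".join(out)} {new_repl}{flag};'
```

Run the converted lines through nginx -t before deploying; the workaround complements the upstream patch rather than replacing it.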

Closing Thought

Hardware and software are converging into attack surfaces that demand physical thinking. Whether you unplug a car radio, rotate a WireGuard key, or patch an 18‑year‑old NGINX bug, the urgent theme is the same: small, local actions now prevent big, cross-system problems later.

Sources