"I'm interested in all kinds of astronomy."

We're programmers. Programmers are, in their hearts, architects, and the first thing they want to do when they get to a site is to bulldoze the place flat and build something grand. We're not excited by incremental renovation: tinkering, improving, planting flower beds.

— Joel Spolsky


Hello and welcome to this week's installment of !

The guest of today is the TIBPAL16R4 by TI, a programmable array logic chip made with bipolar logic. The die has 2 metal layers, its maskwork produced in 1985. A short thread follows.

More info and hi-res pano at: https://siliconpr0n.org/archive/doku.php?id=infosecdj:ti:tibpal16r4


It’s disheartening to see AI reactionism lead my community to a 180° on copyright.

Everyone is merrily attacking LibGen now. If it didn’t exist, big tech companies would still find training data, it just wouldn’t be accessible to regular people.

[RSS] Discourse Backup Disclosure: Rails/nginx send_file Quirk

https://projectdiscovery.io/blog/discourse-backup-disclosure-rails-send_file-quirk

This is CVE-2024-53991

[RSS] Last barrier destroyed, or compromise of Fuse Encryption Key for Intel Security Fuses

https://swarm.ptsecurity.com/last-barrier-destroyed-or-compromise-of-fuse-encryption-key-for-intel-security-fuses/

TIL of the bad.horse traceroute


Rejoice! 🎉

My idalib-based vulnerability research tools are now fully compatible with Windows 🪟

Please test them and report any bugs 🪲

https://security.humanativaspa.it/streamlining-vulnerability-research-with-ida-pro-and-rust/

(PS. Ya like my GPT writing style? 🚀)


she is all of us


Ryan Castellucci (they/them) nonbinary_flag

"But Ryan, the C preprocessor isn't a programming language!"

Skill issue.


Lorenzo Franceschi-Bicchierai

The official website of zero-day broker Zerodium has been updated in December of last year. There are no price lists nor any information anymore, just an email and a PGP public key.

🤔

If you know what's happening there...let me know.

https://zerodium.com

@cR0w something something Steven Seagal?

Project Zero Bot

New Project Zero issue:

msm_npu: Race between npu_host_unload_network and npu_host_exec_network_v2 leads to memory corruption

https://project-zero.issues.chromium.org/issues/380081941

CVE-2025-21424

[oss-security] [kubernetes] CVE-2024-7598: Network restriction bypass via race condition during namespace termination

https://seclists.org/oss-sec/2025/q1/234

"The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect." whoops :)

@nbourdais @cR0w @greynoise It'd be actually interesting to see the distribution of HTTP response codes if that data is collected, because it is a straightforward signal for one of the requirements (read-only=false).

@mcc @oblomov This sounds fun, you should get some VC funding!

@cR0w @greynoise "GreyNoise observed exploitation attempts as early as March 11" -> Please note that PoC was publicly available since that day:

https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html

Also note that even with HTTP response data it's not straightforward to conclude that:
- file based session management was configured
- there were useful gadget chains available

@oblomov @mcc VibeLang? As in execution order depends on how the interpreter feels and all errors are handled somehow just to keep the thing going :)

Up-to-date fork of Sourcetrail:

https://github.com/petermost/Sourcetrail

h/t @brk