Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.

— Antoine de Saint Exupry

#complexity

Unrestrict the restricted mode for USB on iPhone. A first analysis @citizenlab #CVE-2025-24200 👉 https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html

Happy #nakeddiefriday folks!

Today's specimen is p/n SC13890P23A by Motorola/Freescale. This came from an embedded cellular modem I tore out of [redacted]. The die is marked ATLAS-UL.

It is the most colourful die I have ever imaged.

SiPron page: https://siliconpr0n.org/archive/doku.php?id=infosecdj:motorola:sc13890p23a

Preparing a talk on #programming an #AnalogComputer - using the wonderful #THAT from anabrid and my #Vectrex that has been modified to provide an additional #oscilloscope mode.

Really cool blog post about permissions in browsers and how they work. https://albertofdr.github.io/web-security-class/browser/browser.permissions

[RSS] Bent // Broken 2025 Worldwide Virtual Circuit Bending Festival

https://blog.adafruit.com/2025/02/13/bent-broken-2025-worldwide-virtual-circuit-bending-festival/

Today's @kagihq changelog is honestly kind of a massive deal for privacy stuff:
- Human readable privacy policy page
- Privacy pass (an open source, cryptographic verifiable way of doing searches through Kagi without them being able to see who you are)
- Official tor service

https://kagi.com/changelog#6172 #kagi

[RSS] On the Original Punched Cards

https://hackaday.com/2025/02/12/on-the-original-punched-cards/

[RSS] [Vulnerability] Unauthenticated Remote Code Execution via Known View State Secret in FieldPie

https://code-white.com/public-vulnerability-list/#unauthenticated-remote-code-execution-via-known-view-state-secret-in-fieldpie

This may be one of those leaked secrets MS warned about? No details unfortunately...

[RSS] Patch-Gapping the Google Container-Optimized OS for $0

https://h0mbre.github.io/Patch_Gapping_Google_COS/

Scoop: The databases powering doge. gov are insecure, and people outside the government have already pushed their own updates to the site to prove it:

https://www.404media.co/anyone-can-push-updates-to-the-doge-gov-website-2/

Not sure why Google's kCTF isn't more widely known (other than by all the researchers making money from it). 44 unique successful exploits in a year against Linux kernels even running Google's out-of-tree "hardening" is a big story I'd say...

Last year I gave a keynote at Vanguard VSC about the last 10 years of mainframe hacking, check it out:

https://youtu.be/IqO97oasfSI

#mainframe #hacking #mainframes #keynote

CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv()

https://seclists.org/oss-sec/2025/q1/127

POV: kernel-level anti-cheat /s

https://infosec.exchange/@lorenzofb/113997653014436378

Accelerating The Adoption of Post-Quantum Cryptography with PHP

https://paragonie.com/blog/2025/02/accelerating-adoption-post-quantum-cryptography

#PHP #crypto #cryptography #HPKE #KEMs #MLKEM #MLDSA #SLHDSA #postquantum #programming #webdev #MLS #rfc9180 #rfc9420

New court documents shed light on what a 25-year-old DOGE worker named Marko Elez did inside Treasury payment systems, including which systems he accessed, security measures Treasury IT staff took to limit his access and activity, and whether he really did have the ability to change source code on production systems as previously reported. The new documents, signed affidavits filed in court by career executives at the Treasury department not political appointees, suggest that the situation inside the Treasury department is more nuanced than previously reported. Here's my story. If you find the piece valuable, please consider becoming a paid subscriber to my Zero Day publication, which is reader supported. https://www.zetter-zeroday.com/court-documents-shed-new-light-on-doge-access-and-activity-at-treasury-department/

New #Rapid7 vuln disclosure c/o
@stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

We just opened our YouTube channel! 📹

First video is out: An introduction to LLVM IR 🐲
Check it out: https://www.youtube.com/watch?v=CDKuH7SIgdM
Let us know what you think 🙃

bring back forums

you aren't supposed to have a single identity online

communities shouldn't demand you let a vc-funded company have your mobile phone number

you don't have to pay $100/yr [or whatever it is] for features that every forum had for years, or if it didn't it's for a reason

your group of friends or multiple-thousand-people community won't disappear because of the failure of the aforementioned vc-funded company

even if the group dissolves you will still be able to find the useful tips you used to share