Raphaël Rigo

Security stuff.

Raphaël Rigo boosted:
2026-02-13

Greetings and welcome to today's #nakeddiefriday installment.

Today's guest is a smartcard chip, for which I do not know the actual p/n -- only its die marking: M7690-G1, by Infineon. This came from a SIM card. The chip had polyimide on top which had to be stripped off, hence the damage on some top metal.

Unfortunately, power distribution routing and CMP dummy fill obstruct the majority of the detail. 🧵

#electronics #reverseengineering #icre #smartcard

Die overview shot. Upper half of the die is occupied with a variety of stuff, while lower half is filled with the dummy pattern on top metal.
Raphaël Rigo boosted:
2026-02-13

2026, the year of the AI-driven attacker that could do back flips, they said.

Meanwhile, there's a magic number that allows Auth Bypass against Ivanti EPM (CVE-2026-1603)

something about a pledge 🙄

Raphaël Rigo boosted:
2026-02-11

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things lmao.

Apparently, the "innovation" of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore? 😭

msrc.microsoft.com/update-guid

#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology

screenshot from the CVE page
Raphaël Rigo boosted:
Zack Whittaker @zackwhittaker
2026-02-08

NEW: A few weeks ago, @PogoWasRight and I ran a survey asking security researchers and journalists about the legal and criminal threats they have received for doing their jobs.

Over 100 people responded, and we now have our results.

One of our key findings is that while legal threats and criminal threats are common, most researchers & journalists stood their ground and did not give in to threats.

More: this.weekinsecurity.com/new-su

Results: databreaches.net/2026/02/02/un

PDF: databreaches.net/wp-content/up

Raphaël Rigo boosted:
2026-02-06

Hello! It has been a little while, but #nakeddiefriday is back in town.

Today's exhibit is an old PIC1650A. Yes, one of *the* PIC series of microcontrollers. Note it was designed by General Instrument in 1980. It was fabbed in a single metal layer, metal-gate NMOS process. The image is about 4.3x3.8 mm.

No full-res link as SP is still borked.

#electronics #reverseengineering #icre

Die overview shot
Raphaël Rigo boosted:
2026-02-03

“The uncomfortable truth: every #phone with a SIM card is a tracking device that happens to run apps.”

fumics.in/posts/2026-02-01-pho

2026-02-03

@pinkflawd
Add some nice AT&T syntax over it and

movl    %eax, (%esp)

AAAAaaaaaaaaaaaaaAAAAAAah.

Raphaël Rigo boosted:
2026-02-01
@XC3LL Thanks for posting this, great to see someone has the guts to say the emperor is naked!

My 2c:
- Red Teams should be about the "difficult" things you mention at the end IMO. Spending resources on initial access is mostly pointless (from the client's perspective, finding 0d is always cool ofc) when a new blinky box exploit, leaked code signing cert, etc. is popping up every other week. IME many clients pay for (bad) initial access simulations because organizing assumed breach in-house is hard.
- A way to burst the bubbles you describe is to mandate scenarios based on real-world threat intel. But this works against initial access again, because RTs can't scale their R&D as black hats do (attack surface is clients vs the Internet).
Raphaël Rigo boosted:
Juanma Fernandez @XC3LL
2026-02-01

A small rant:

The State of Art in Red Team is whatever you want to believe

x-c3ll.github.io/posts/Rant-Re

Raphaël Rigo boosted:
Pass the SALT Conference @passthesaltcon@infosec.exchange
2026-01-26

📣 Call for proposals for the 2026 edition.

We are looking for talks and workshops about security and open-source software.

Offensive or defensive security, low level, systems or CI management, tooling: we welcome any security subject as long as it relates to free software or provides an open-source tool!

👉 2026.pass-the-salt.org/

📩 A question or a doubt? Our support team is listening to you: speaker-support@pass-the-salt.org

⏰ The deadline is March 31, 2026!

Raphaël Rigo boosted:
Gabriele Svelto @gabrielesvelto@mas.to
2026-01-25

In the early days of personal computing CPU bugs were so rare as to be newsworthy. The infamous Pentium FDIV bug is remembered by many, and even earlier CPUs had their own issues (the 6502 comes to mind). Nowadays they've become so common that I encounter them routinely while triaging crash reports sent from Firefox users. Given the nature of CPUs you might wonder how these bugs arise, how they manifest and what can and can't be done about them. 🧵 1/31

Raphaël Rigo boosted:

OMG. -froot bug resurfaced. seclists.org/oss-sec/2026/q1/89

I see the headlines, "10 years old bug".

My friends, this bug is older. Much older. Not this particular instance, but it is a classical mistake to make. It's a command line injection when calling the login executable.

Some people point to CVE-2007-0882. Solaris had that, almost 20 years ago.

But it's even older than that. It's so old it predates the CVE system. I don't remember exact dates, but we popped Linux and AIX boxes with that, mid 90s.

But it is *even older* than that. Have a look at System V R4, ©1990, getty calling login with unsanitized input:

github.com/calmsacibis995/svr4

But how deep does the rabbit hole go? When was this bug introduced?

Getty called login with user input since the dawn of time (UNIX V2, 1972):

tuhs.org/cgi-bin/utree.pl?file

But this predates command line arguments in login:

tuhs.org/cgi-bin/utree.pl?file

So, when did this particular command line feature of login appear?

In the BSD universe, -f was introduced with POSIX compatibility in 4.3BSD-Reno:

tuhs.org/cgi-bin/utree.pl?file

But someone paid attention and filtered out user names starting with - in getty:

tuhs.org/cgi-bin/utree.pl?file

RCS timestamp says 6/29/1990, so same age as SysV R4.

The original 4.3BSD (1986) doesn't filter the user name:

tuhs.org/cgi-bin/utree.pl?file

And it does have a -r option in login:

tuhs.org/cgi-bin/utree.pl?file

Exploitable? No idea, argv processing might be a problem. I'll find out another day.

In conclusion: bug existed since 1990, it's so easy to make when implementing POSIX that it keeps resurfacing, and at least one person in Berkeley knew since day 0.
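The getty-to-login argument-injection class described in the thread above, as an added example (not code from any of the projects or sources linked there): a login-style argv built straight from a user-typed name beside a hardened builder that both rejects names starting with `-` (what the 4.3BSD-Reno getty did) and inserts a `--` terminator, which assumes the callee parses options getopt-style. Nothing here executes anything; it only builds and inspects argv.

```c
/* Added example, not from any cited code base: how a getty-style program
 * hands a user-typed name to login(1), and why a name beginning with '-'
 * is read as an option. Only argv construction and inspection, no exec. */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 4

/* The classic shape of the bug: the name is copied straight into argv[1].
 * A name like "-froot" is then seen by login as the -f flag (pre-authenticated)
 * followed by "root", rather than as a plain user name. */
static int build_argv_unsafe(const char *name, const char *argv[MAX_ARGS]) {
    argv[0] = "login";
    argv[1] = name;          /* user-controlled, unfiltered */
    argv[2] = NULL;
    return 2;
}

/* Hardened form with two independent defences:
 *   1. reject names that begin with '-' (the 4.3BSD-Reno getty filter);
 *   2. pass "--" so that whatever follows is never parsed as an option
 *      (assumes a getopt-style parser in the callee).
 * Returns the argument count, or -1 if the name was rejected. */
static int build_argv_safe(const char *name, const char *argv[MAX_ARGS]) {
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return -1;
    argv[0] = "login";
    argv[1] = "--";
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

/* Review helper for an argv about to be exec'd: does any argument at or after
 * first_user_idx (the user-derived part) look like an option? The "--"
 * terminator itself is not counted. Returns 1 if so, else 0. */
static int argv_has_option_like_user_arg(const char *argv[], int first_user_idx) {
    for (int i = first_user_idx; argv[i] != NULL; i++)
        if (argv[i][0] == '-' && strcmp(argv[i], "--") != 0)
            return 1;
    return 0;
}
```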

Raphaël Rigo boosted:
2026-01-20

Giving University Exams in the Age of Chatbots

How I managed to give an exam while giving the students the choice to use a chatbot or not.

And what I learned in the process.

ploum.net/2026-01-19-exam-with

Raphaël Rigo boosted:
Randahl Fink @randahl
2026-01-20

This is absolutely awesome! The @leavex campaign now has their website up and running, so we can see exactly which members of the EU parliament still support Musk's disinformation platform X, and avoid voting for them.

I hope @leavex expands to add every national parliament — the disinformation has to end.

See their excellent overview here:
leavex.eu/politicians/

Please boost this to support the campaign.

Screen shot from the web page you can view when following the link.
2026-01-20

@raptor I initially thought someone made a joke about the infamous Solaris' "-froot" telnetd bug (spinics.net/lists/bugtraq/msg2)
Ooops. no.

Raphaël Rigo boosted:
2026-01-19

The call for submissions for #sstic2026 has been extended until Friday 23 January, 23:59.

sstic.org/2026/news/cfp_2026_p

#sstic #sstic2026

Raphaël Rigo boosted:
Natalie Silvanovich @natashenka@infosec.exchange
2026-01-16

Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.

projectzero.google/2026/01/pix
