@_mxms profile picture
Max @_mxms

rpisec

Joined December 2010
  • Tweets 10,451
  • Following 404
  • Followers 2,370
260 Photos and videos
Max retweeted
Justin Campbell@metr0
13 May 2021
Fortunately this http.sys bug was an internal find by our team. This one thanks to @_mxms, @fzzyhd1 and everyone who contributes to our tooling and automation.
TrendAI Zero Day Initiative
@thezdi
11 May 2021
Happy Patch Tuesday! #Adobe and #Microsoft have released their regularly scheduled updates, and @dustin_childs has all the details of the bugs squashed this month - including a wormable bug in http.sys. bit.ly/33xsfxl
1
17
62
Max retweeted
yrp@yrp604
26 Sep 2020
Do you want to gamble on fat bears for charity? #FatBear2020 is here. Get your brackets in before the 30th! Details here: gist.github.com/yrp604/088bd…
6
5
5
Max retweeted
Winnona 💾@__winn
7 Aug 2020
These, combined with recent @WIRED reporting on Chinese espionage campaign Operation Skeleton Key targeting the Taiwan Semiconductor Industry (wired.com/story/chinese-hack…), suggests possibility of an explosion of new homegrown semiconductor companies in the mainland.

Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry

A campaign called Operation Skeleton Key has stolen source code, software development kits, chip designs, and more.

wired.com
This tweet is unavailable
5
8
Max@_mxms
2 Oct 2019
There’s also a format string bug going the opposite direction (when your phones name is %p%p%p...) x.com/fransrosen/status/1179…
Frans Rosén@fransrosen
2 Oct 2019
If you have an AppleTV named as an XSS-payload it will trigger when AirPlay is used in Safari on iOS. A pretty far-fetched UXSS I would say.
5
71
303
Max retweeted
yrp@yrp604
2 Oct 2019
The second annual infosec fat bear bracket is here. Let’s gamble on some fat bears for charity. Brackets due ASAP. dpaste.de/OZ1U

8
4
11
Max retweeted
Justin Campbell@metr0
13 Aug 2019
It's not obvious from the advisory, but the same code runs in RDP client. The issues have been patched in both. This would have allowed a malicious server to compromise a client without any alerting behavior, or a MitM attack with a warning confirmation.
2
8
19
Max retweeted
Justin Campbell@metr0
13 Aug 2019
August Patch Tuesday includes fixes for our internal finds in RDP, including RCE and remote info disclosure, and affecting Win 10 latest. The team successfully built a full exploit chain using some of these, so it's likely someone else will as well. Patch and enable NLA.
Microsoft Security Response Center
@msftsecresponse
13 Aug 2019
August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly. For more information, see msrc-blog.microsoft.com/2019…
1
52
89
Max@_mxms
12 Aug 2019
Did anyone find / exploit the serialization bugs in TelOoOgram during DEF CON CTF?
2
Max retweeted
Justin Campbell@metr0
14 Feb 2019
We've built tools for fuzzing based on emulation of a process snapshot captured via minidump. We're considering open sourcing the tool, and I'm curious about interest level from the rest of the world. (1/3)
11
30
167
Max retweeted
Real World CTF@RealWorldCTF
1 Dec 2018
#RealWorldCTF2018 RPISEC has successfully pwned the Safari browser and spawned a calculator on the victim host at their first attampt during the demostration!
13
70
Max retweeted
Brandon Falk@gamozolabs
15 Oct 2018
Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second gamozolabs.github.io/fuzzing…

Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second

This is the introduction of a multipart series. It is to give a high level overview without really deeply diving into any individual component.

gamozolabs.github.io
6
138
228
After Trump was elected, I felt unsafe. I thought that electing a man as president who has assaulted women would normalize that behavior, make assault seem inconsequential to a perpetrator. Right now, I feel worse. It’s normalized, all right.
1
2
10
Max@_mxms
17 Sep 2018
So what’re we supposed to be doing about the ongoing calls from numbers in our area code? It’s old...
3
1
2
Max retweeted
RPISEC@RPISEC
16 Sep 2018
Came in 1st in CSAW 2018 Quals! Kudos to all who played, it was a tough competition this year! See y'all at finals!
CSAW Cybersecurity Games and Conference@CSAW_NYUTandon
16 Sep 2018
48-hour Quals is officially done. Nicely done, @osirislab! #CTF scoreboard is frozen. Thank you so much to all the teams who participated this weekend. Check out the scores here: ctf.csaw.io/scoreboard. Official announcement of Finalists will be posted in early October.
1
8
62
Max retweeted
Winnona 💾@__winn
3 Sep 2018
Honored to be speaking at the Forbes 30 under 30 cyber security panel in Boston this October! #under30summit
7
44
Max retweeted
Hawkheart@Hwakheart
31 Aug 2018
Control my living room lightbulb: lights.hawkhe.art

2
4
9
Max retweeted
Winnona 💾@__winn
16 Aug 2018
My first technical analysis piece at @RecordedFuture! TL;DR: 1) Chinese backdoor with a daily 180 second entry-window found in Tibet 2) Qinghua University infrastructure, connected to backdoor, scanning #BeltandRoad partners/ US gov entities denouncing #USChinaTradeWar.
Recorded Future@RecordedFuture
16 Aug 2018
Recorded Future’s Insikt Group uncovers new #cyberespionage operations by Chinese attackers against potential and current trade partners worldwide, emanating from the infrastructure of a top Chinese university: bit.ly/2KXS3Hd #ThreatIntelligence #Analysis
3
3
25
Max retweeted
Giovanni Vigna@giovanni_vigna
13 Aug 2018
Replying to @oooverflow @defcon
I think the scoreboard has been sorted backwards
3
26
Max retweeted
RPISEC@RPISEC
14 Aug 2018
Excited we got 10th at #defconctf. Thanks to @oooverflow for hosting. Congrats to all the other teams, it was a hard fought battle. See you all next year!
17
54
Load more