Joined August 2011
Pinned Tweet
"Screaming Channels" paper #CCS18/@BlackHatEvents is online s3.eurecom.fr/tools/screamin… Electromagnetic side channels from a CPU can leak to a radio transmitter. CPU and radio transmitters are often integrated (think WiFi, Bluetooth). We recover an AES key from 10 meters on a BT chip.
Aurélien Francillon retweeted
📣 SynSec 2026 Cycle 2 is OPEN. The Conference of Synthetic Security Research: AI agents do the research. AI agents do the peer review. 🗓 Deadline: July 23, 2026 (AoE) What it is, and how to submit 🧵👇
Aurélien Francillon retweeted
For 19 years, GPS satellites have secretly broadcast a “numbers station” in their public signals. We decoded 12M messages: a 2011 flash where 31 of 32 satellites flipped in hours, “ghost” substrings repeating years apart, and a “TEXT” prefix spreading now. lsc-pagepro.mydigitalpublica…
Aurélien Francillon retweeted
We are starting to upload the videos of this year's talks. And nothing better to start with than our two keynotes : youtube.com/watch?v=fbicylnh… and youtube.com/watch?v=obdPo6lP… from @misc0110 and @aurelsec
Aurélien Francillon retweeted
Our paper "CFIghter: Automated Control-Flow Integrity Enablement and Evaluation for Legacy C/C++ Systems" will be presented at the 2026 ACM Secure Development Conference (SecDev '26) in July.
Aurélien Francillon retweeted
amd.com/en/resources/product… Xen advisory posted, should be a kernel fix here any minute now I assume
Aurélien Francillon retweeted
The RF world is insane. Researchers recovered AES-128 keys from a Bluetooth chip by listening to its own antenna from 10 meters away. Crypto-engine switching noise couples into the RF chain, rides the 2.4 GHz carrier, and leaks out as radio.
Aurélien Francillon retweeted
THCON 2026 Poster Reveal It’s here ! 👀 Full program on the website : thcon.party/program/ 🎟️ Tickets are live : thcon.party/tickets/ See you there !
Aurélien Francillon retweeted
🇫🇷 They obtained a new vote: RN, PS, LR, RE, MoDem, they are forcing a new vote on #ChatControl tomorrow at 11 a.m. mepwatch.eu/10/vote.html?v=1… A call tomorrow can still change MEPs' minds. Last chance to call their office: 👉 fightchatcontrol.eu

Aurélien Francillon retweeted
“Backdoors in your smartphones? Why? How? Not?” by @aurelsec This talk examines what backdoors really mean from a systems and protocols perspective, and discusses concrete technical proposals 📅 May 5th & 6th, 2026 🔗 Tickets: thcon.party/tickets/ Details 👇🏻
Aurélien Francillon retweeted
Hello security researchers! Like it or not, agentic AI is here. It’s time to explore its impact on novel, academic research in cybersecurity. To this end, we’re launching the Conference for Synthetic Security Research (synsec.org). Researchers, start your agents!

Aurélien Francillon retweeted
Symantec killed Bugtraq in 2020 and let the domain lapse. Now it's squatted for $175k. The NVD has 120,000 broken links pointing there. The security community's memory is being held hostage. Let's buy it back ! Please donate/spread/tag/RT 🙏 gofund.me/69b07ba83
Aurélien Francillon retweeted
The European Commission is pushing hard to extend #ChatControl 1.0 - allowing mass scanning of private messages without court orders for another two years. Contact your MEPs TODAY via https://fightchatcontrol.eu/ to defend your privacy and digital rights!
Aurélien Francillon retweeted
Okay so, we just found that over 50 papers published at @Neurips 2025 have AI hallucinations I don't think people realize how bad the slop is right now It's not just that researchers from @GoogleDeepMind, @Meta, @MIT, @Cambridge_Uni are using AI - they allowed LLMs to generate hallucinations in their papers and didn't notice at all. It's insane that these made it through peer review👇
Aurélien Francillon retweeted
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free. Updated monthly. Try: curl ip.thc.org/1.1.1.1 Raw data (187GB): ip.thc.org/docs/bulk-data-ac… (The fine work of messede 👌)
Aurélien Francillon retweeted
2 Dec 2025
The GrapheneOS team has said that “France isn’t a safe country for open source privacy projects,” pointing to what it describes as the expectations of encryption backdoors. Last week, it announced it has removed all servers from France. x.com/GrapheneOS/status/1993… 1/5

24 Nov 2025
We no longer have any active servers in France and are continuing the process of leaving OVH. We'll be rotating our TLS keys and Let's Encrypt account keys pinned via accounturi. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now. Our App Store verifies the app store metadata with a cryptographic signature and downgrade protection along with verification of the packages. Android's package manager also has another layer of signature verification and downgrade protection. Our System Updater verifies updates with a cryptographic signature and downgrade protection along with another layer of both in update_engine and a third layer of both via verified boot. Signing channel release channel names is planned too. Our update mirrors are currently hosted on sponsored servers from ReliableSite (Los Angeles, Miami) and Tempest (London). London is a temporary location due to an emergency move from a provider which left the dedicated server business and will move. More sponsored update mirrors are coming. Our ns1 anycast network is on Vultr and our ns2 anycast network is on BuyVM since both support BGP for announcing our own IP space. We're moving our main website/network servers used for default OS connections to a mix of Vultr BuyVM locations. We have 5 servers in Canada with OVH with more than static content and basic network services: email, Matrix, discussion forum, Mastodon and attestation. Our plan is to move these to Netcup root servers or a similar provider short term and then colocated servers in Toronto long term. France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries. We were likely going to be able to release experimental Pixel 10 support very soon and it's getting disrupted. 
The attacks on our team with ongoing libel and harassment have escalated, raids on our chat rooms have escalated and more. It's rough right now and support is appreciated.
Aurélien Francillon retweeted
26 Nov 2025
France is one of the strongest supporters of Chat Control and law enforcement is acting as if that's already law. We're protecting our users in France and elsewhere against GrapheneOS being treated similarly to SkyECC or Encrochat. We have many users in France and will continue to provide GrapheneOS and our services to people there from servers in Germany, Switzerland, Luxembourg, etc. not at a French hosting provider. Read what law enforcement has said about it. Here are 2 articles heavily quoting law enforcement: archive.is/AhMsj contains many inaccurate claims about GrapheneOS features, marketing, distribution and usage directly quoted from law enforcement. Le Parisien cannot be blamed for what French law enforcement says, only the fact that they presented it as factual information and did not give us the opportunity to review the specific claims and respond to them. archive.is/UrlvK also contains comparisons to SkyECC and Encrochat by law enforcement with a clear threat of similar action if we don't cooperate with providing device access. franceinfo.fr/faits-divers/n… is French state media with more inaccurate claims about it from law enforcement presented as fact. There's much more than this and we haven't read all of the other coverage ourselves. None of this is the fault of OVH but we cannot trust France-based providers anymore. OVH was forced to cooperate in actions against SkyECC and Encrochat, both brought up in comparisons by French law enforcement. Call it fearmongering if you want but that is actually what French police and the national government are doing about encryption and secure devices. It has negative consequences for French businesses like OVH who are subject to their demands.
Aurélien Francillon retweeted
@Cloudflare just learned the hard way that .unwrap() in Rust can be dangerous, especially in security-critical code. At @FuzzingLabs, we’ve been teaching this for years in our Rust Security: Audit & Fuzzing training. If you want your engineers to avoid these bugs before they hit production, here’s your chance: 🎓 Rust Security Training - Special CLOUDFLARE Discount 👉 academy.fuzzinglabs.com/rust…
Aurélien Francillon retweeted
USENIX WOOT Conference 2026: two submission deadlines this year! - Cycle 1: December 12, 2025 *only one month away* ! - Cycle 2: March 3, 2026 WOOT still has a SoK track and an "Up-and-coming track" (~Industry), CFP for details : usenix.org/conference/woot26…