security engineering

Joined November 2007
Pinned Tweet
FluxN0de: a platform to prototype and explore LoRa and #LoRaWAN applications on #ESP32 based boards. The platform provides a JavaScript runtime with easy access to the LoRa radio. This was my side project in the last year. mulliner.org/blog/blosxom.cg… GH: github.com/crmulliner/fluxno…
Constant time programming is the primary defense against timing attacks, but the meaning of the term actually varies. On a key loading case study, Brumley finds BoringSSL's leak orders of magnitude stronger than OpenSSL's, despite, surprisingly, a stricter threat model.@riteslgci
If you have a better poster, we'd like to hear from you! Submit your poster by June 25th at usenix.org/conference/woot26…
Collin Mulliner retweeted
Everyone today is a hacker in a sense, but there are very few OG hackers on whose shoulders we stand. Oh dude, Felix “FX” Lindner, you were so much a hacker's hacker and you will be missed. RIP my friend and thank you.
Collin Mulliner retweeted
19 Aug 2025
Today I have a more serious topic than usual, please consider reposting for reach: My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/3]
Collin Mulliner retweeted
7 Aug 2025
Don't miss the culmination of AIxCC at @defcon. Some of the best in the world have spent two years to leverage AI for next generation cybersecurity wins.
4 Aug 2025
We’ll announce the results and winners of the DARPA AI Cyber Challenge (AIxCC) on Friday at DEF CON 33. For more on the challenge, the teams, and the AIxCC Experience at the event, visit: aicyberchallenge.com.
Thanks @SummerC0n staff for a great con!!
SummerC0n 2025 good to be back!
Collin Mulliner retweeted
15 Apr 2025
Gazing across the throngs at this month’s NYSEC, all we can think is: can’t wait to see you all again in July. Summercon 2025 July 11–12 @ Littlefield, Brooklyn Tickets: eventbrite.com/e/summercon-2…
Collin Mulliner retweeted
26 Mar 2025
Summercon 2025 Call for Papers Since 1987, Summercon has been where serious security research meets irreverent hacker culture. We're looking for original, technically rigorous presentations that challenge assumptions and advance the state of the art. CFP: summercon.org/cfp/
Collin Mulliner retweeted
The submission deadline for the 11th LangSec IEEE Security & Privacy workshop langsec.org/spw25/ is extended to January 31, 2025. Please send us your papers, research reports, posters or panel proposals! #langsec
Collin Mulliner retweeted
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities in audio codecs now fully remote. This bug in an obscure Samsung S24 codec is 0-click: project-zero.issues.chromium…
If you are a guy in your 20s, buy a Lenovo X1 even if you have to go into debt.
Collin Mulliner retweeted
The highest level of security engineering is proactively building systems that make insecure states unrepresentable, attack classes rendered extinct, vulnerabilities not exploitable, and attack paths not viable for attacker gain.
Collin Mulliner retweeted
Over the past few weeks, I’ve been reinvigorating a SIM swap detection platform we originally designed and built at @tagomisystems. The underlying concept was to safeguard customer accounts—especially those reliant on SMS-based MFA—by identifying whether a phone number had undergone a SIM swapping attack. This system was designed to be an early indicator of compromised accounts, even if users were using phishing-resistant MFA on our platform.

We worked closely with well known mobile network security researchers, mobile virtual network operators, and other industry intelligence sharing groups. Our goal was to ensure the solution propagated rapidly and comprehensively across the industry, given the seriousness of SIM swapping attacks. SIM swapping remains a relatively cheap yet highly effective way to circumvent MFA, especially for high-value targets. While SMS-based MFA continues to be common for banks, investment accounts, and other critical financial platforms, it is also one of the most vulnerable methods of second-factor authentication.

What is a SIM swap? A SIM swap occurs when a mobile network operator (MNO) reassigns a phone number to a new IMSI (International Mobile Subscriber Identity), whether for legitimate reasons (changing carriers, upgrading devices) or malicious purposes (intercepting SMS messages).

Detection mechanism: By comparing the IMSI used during previous account activity with the current IMSI, we can identify a SIM swap event. At that point, service providers can apply stricter controls, such as restricting high-risk transactions or forcing more secure authentication flows.

Implementation Challenges: TMSIs (Temporary Mobile Subscriber Identities) are insufficient for detection due to their short-lived nature. Accessing IMSI information directly has become more difficult over time, largely due to expanded "privacy" concerns that limit how carriers share network-level data.

Industry Solutions: Twilio integrated this idea into a commercial API, partnering with carriers that support "SIM swap status checks". Other commercial providers like Vonage have launched similar services. These solutions are valuable, but not foolproof: If a phone number is transferred to a carrier that does not support these "SIM swap status checks", commercial API providers and service providers lose visibility. Additionally, carriers strictly control historical IMSI change logs for "privacy" reasons, preventing service providers from conducting deeper investigations or retrospective analysis. While HLR (Home Location Register) and VLR (Visitor Location Register) lookups can still yield some actionable data, true SIM swap prevention/detection will require architecture improvements at the carrier level and SS7 routing attacks will require network level architecture improvements.
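The detection mechanism described in the thread above (compare the IMSI seen at the last verified activity with the current one, then step up controls), as an added example that is not the author's or @tagomisystems' code. The carrier lookup, the account records and the IMSI values are constructed stand-ins, not any vendor's API; the example also handles the loss-of-visibility case the thread raises, where the carrier answers nothing.

```python
from datetime import datetime
from typing import Optional

# Constructed sample state: the IMSI observed for each account at its last fully verified
# login, kept on the service-provider side because carriers do not share change history.
LAST_VERIFIED_IMSI: dict[str, tuple[str, datetime]] = {
    "acct-1001": ("310150123456789", datetime(2025, 1, 10, 9, 0)),
    "acct-1002": ("310150987654321", datetime(2025, 1, 10, 9, 0)),
    "acct-1003": ("310410555000111", datetime(2025, 1, 10, 9, 0)),
}

# Constructed stand-in for a carrier "SIM swap status check" (hypothetical lookup, not any
# vendor's API). None models a number ported to a carrier that offers no such check.
CARRIER_CURRENT_IMSI: dict[str, Optional[str]] = {
    "acct-1001": "310150123456789",   # same SIM as at the last verified login
    "acct-1002": "310150000000042",   # number reassigned to a new IMSI
    "acct-1003": None,                # no visibility from this carrier
}


def lookup_current_imsi(account_id: str) -> Optional[str]:
    """Hypothetical carrier query; returns None when the carrier gives no answer."""
    return CARRIER_CURRENT_IMSI.get(account_id)


def evaluate_activity(account_id: str, high_risk: bool) -> tuple[str, str]:
    """Decide how to treat account activity. Returns (action, reason).

    Actions: 'allow', 'step_up' (require a phishing-resistant second factor instead
    of SMS) or 'deny' (refuse the high-risk transaction until re-verification).
    """
    last_imsi, _last_seen = LAST_VERIFIED_IMSI[account_id]
    current = lookup_current_imsi(account_id)
    if current is None:
        # Loss of visibility is not evidence of safety: SMS codes cannot be trusted here.
        return ("step_up", "no_visibility")
    if current != last_imsi:
        # IMSI changed since the last verified activity: treat it as a SIM swap event.
        return ("deny", "imsi_changed") if high_risk else ("step_up", "imsi_changed")
    return ("allow", "imsi_unchanged")


def record_verified(account_id: str, imsi: str, when: Optional[datetime] = None) -> None:
    """After a successful non-SMS step-up, accept the new IMSI as the account baseline."""
    LAST_VERIFIED_IMSI[account_id] = (imsi, when or datetime.now())
```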
Collin Mulliner retweeted
The 11th Language-theoretic IEEE Security & Privacy Workshop will take place on May 15, 2025. Please submit your work by January 20, 2025 and join us in San Francisco! langsec.org/spw25/ #LangSec
Collin Mulliner retweeted
Our Black Friday sale is on now. Unfortunately, you won't see that on mobile just yet so here it is. Follow the bouncing robot. Please share! @nostarch
Collin Mulliner retweeted
18 Nov 2024
NYSEC is tomorrow! Tuesday, November 19th @ 6PM. d.b.a. 41 1st Ave. New York, NY 10003
Collin Mulliner retweeted
16 Nov 2024
lolooololo
This!
We used this exact phrase at @Square in 2014 when I first started. We took on as much of the complexity around PCI compliance as possible for Square sellers so that they didn't have to buy security products for their business. We were the secure product for their business.
Collin Mulliner retweeted
Apple released a hearing aids feature for the AirPods Pro a while ago. I bought a pair for grandma, but then realized that the feature was geoblocked in India. So we at @_lagrangepoint decided to unblock it. It ended up involving a leaky microwave and building a Faraday cage: