Collin Mulliner

16.7K posts

@collinrm

security engineering

NYC metro area · Joined November 2007
705 Following · 8.5K Followers
Collin Mulliner retweeted
Daniel Cuthbert (@dcuthbert):
Everyone today is a hacker in a sense, but there are very few OG hackers on whose shoulders we stand. Oh dude, Felix “FX” Lindner, you were so much a hacker's hacker and you will be missed. RIP my friend, and thank you.
Collin Mulliner retweeted
joernchen (@joernchen):
Today I have a more serious topic than usual, please consider reposting for reach: My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/3]
Brendan Dolan-Gavitt (@moyix):
So, I’m not sure there is any good time to announce this, but as of August 31st I will be leaving NYU for good, to seek my fortune in industry with XBOW!
Collin Mulliner (@collinrm):
SummerC0n 2025 good to be back!
Collin Mulliner retweeted
Summercon (@SummerC0n):
Gazing across the throngs at this month’s NYSEC, all we can think is: can’t wait to see you all again in July.
Summercon 2025 July 11–12 @ Littlefield, Brooklyn
Tickets: eventbrite.com/e/summercon-20…
Collin Mulliner retweeted
Summercon (@SummerC0n):
Summercon 2025 Call for Papers
Since 1987, Summercon has been where serious security research meets irreverent hacker culture. We're looking for original, technically rigorous presentations that challenge assumptions and advance the state of the art.
CFP: summercon.org/cfp/
Collin Mulliner retweeted
sergey bratus (@sergeybratus):
The submission deadline for the 11th LangSec IEEE Security & Privacy workshop langsec.org/spw25/ is extended to January 31, 2025. Please send us your papers, research reports, posters or panel proposals! #langsec
Collin Mulliner retweeted
Natalie Silvanovich (@natashenka):
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities in audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click. project-zero.issues.chromium.org/issues/3686956…
Collin Mulliner (@collinrm):
If you are a guy in your 20s, buy a Lenovo X1 even if you have to go into debt.
Collin Mulliner retweeted
Dino A. Dai Zovi (@dinodaizovi):
The highest level of security engineering is proactively building systems that make insecure states unrepresentable, attack classes rendered extinct, vulnerabilities not exploitable, and attack paths not viable for attacker gain.
Collin Mulliner retweeted
Julian Cohen (@HockeyInJune):
Over the past few weeks, I’ve been reinvigorating a SIM swap detection platform we originally designed and built at @tagomisystems. The underlying concept was to safeguard customer accounts—especially those reliant on SMS-based MFA—by identifying whether a phone number had undergone a SIM swapping attack. This system was designed to be an early indicator of compromised accounts, even if users were using phishing-resistant MFA on our platform.
We worked closely with well-known mobile network security researchers, mobile virtual network operators, and other industry intelligence sharing groups. Our goal was to ensure the solution propagated rapidly and comprehensively across the industry, given the seriousness of SIM swapping attacks.
SIM swapping remains a relatively cheap yet highly effective way to circumvent MFA, especially for high-value targets. While SMS-based MFA continues to be common for banks, investment accounts, and other critical financial platforms, it is also one of the most vulnerable methods of second-factor authentication.
What is a SIM swap? A SIM swap occurs when a mobile network operator (MNO) reassigns a phone number to a new IMSI (International Mobile Subscriber Identity), whether for legitimate reasons (changing carriers, upgrading devices) or malicious purposes (intercepting SMS messages).
Detection mechanism: By comparing the IMSI used during previous account activity with the current IMSI, we can identify a SIM swap event. At that point, service providers can apply stricter controls, such as restricting high-risk transactions or forcing more secure authentication flows.
Implementation Challenges: TMSIs (Temporary Mobile Subscriber Identities) are insufficient for detection due to their short-lived nature. Accessing IMSI information directly has become more difficult over time, largely due to expanded "privacy" concerns that limit how carriers share network-level data.
Industry Solutions: Twilio integrated this idea into a commercial API, partnering with carriers that support "SIM swap status checks". Other commercial providers like Vonage have launched similar services. These solutions are valuable, but not foolproof: If a phone number is transferred to a carrier that does not support these "SIM swap status checks", commercial API providers and service providers lose visibility. Additionally, carriers strictly control historical IMSI change logs for "privacy" reasons, preventing service providers from conducting deeper investigations or retrospective analysis.
While HLR (Home Location Register) and VLR (Visitor Location Register) lookups can still yield some actionable data, true SIM swap prevention/detection will require architecture improvements at the carrier level and SS7 routing attacks will require network level architecture improvements.
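The IMSI comparison described in the post above, sketched as an added example; it is not code from the post, from Tagomi, or from any carrier or vendor API. The policy tiers, the names `NumberState`, `evaluate` and `confirm_swap`, and the constructed test-network IMSIs (MCC 001 / MNC 01) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_stronger_auth"
    BLOCK = "block_high_risk"


@dataclass
class NumberState:
    baseline_imsi: Optional[str] = None  # IMSI seen during previous account activity
    pending_imsi: Optional[str] = None   # changed IMSI awaiting re-verification


def normalize(imsi: Optional[str]) -> Optional[str]:
    """Return the IMSI if plausible (ASCII digits, at most 15), else None."""
    if imsi and imsi.isascii() and imsi.isdigit() and len(imsi) <= 15:
        return imsi
    return None


def evaluate(state: NumberState, looked_up: Optional[str], high_risk: bool) -> Decision:
    current = normalize(looked_up)
    if current is None:
        # No visibility (e.g. carrier without status checks): a swap cannot be ruled out.
        return Decision.STEP_UP if high_risk else Decision.ALLOW
    if state.baseline_imsi is None:
        state.baseline_imsi = current  # first observation becomes the baseline
        return Decision.ALLOW
    if current == state.baseline_imsi:
        state.pending_imsi = None
        return Decision.ALLOW
    # The number now maps to a different IMSI: a SIM swap, legitimate or not.
    state.pending_imsi = current
    return Decision.BLOCK if high_risk else Decision.STEP_UP


def confirm_swap(state: NumberState) -> None:
    """Call only after the user has passed a non-SMS authentication flow."""
    if state.pending_imsi:
        state.baseline_imsi, state.pending_imsi = state.pending_imsi, None


if __name__ == "__main__":
    s = NumberState()
    evaluate(s, "001010123456789", high_risk=False)        # constructed IMSI
    print(evaluate(s, "001010987654321", high_risk=True))  # constructed IMSI
```

The baseline only moves in `confirm_swap`, so a changed IMSI keeps triggering stricter controls until the account holder re-verifies through a channel that does not depend on the phone number.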
Collin Mulliner retweeted
sergey bratus (@sergeybratus):
The 11th Language-theoretic IEEE Security & Privacy Workshop will take place on May 15, 2025. Please submit your work by January 20, 2025 and join us in San Francisco! langsec.org/spw25/ #LangSec
Collin Mulliner retweeted
Bill Pollock -- nostarch@infosec.exchange
Our Black Friday sale is on now. Unfortunately, you won't see that on mobile just yet so here it is. Follow the bouncing robot. Please share! @nostarch
Collin Mulliner retweeted
NYSEC (@nysecsec):
NYSEC is tomorrow! Tuesday, November 19th @ 6PM. d.b.a. 41 1st Ave. New York, NY 10003
Collin Mulliner retweeted
KF (@d0tslash):
lolooololo