Aurélien Francillon

6.4K posts

Aurélien Francillon banner
Aurélien Francillon

Aurélien Francillon

@aurelsec

Professor (full) of computer insecurity @s3eurecom. Can be seen sometimes procrastinating on Twitter. @[email protected] @aurelsec.bsky.social

In your computer already. Katılım Ağustos 2011
1.7K Takip Edilen2.3K Takipçiler
Aurélien Francillon retweetledi
Alexandre Bartel
Alexandre Bartel@software_ses·
Our paper "CFIghter: Automated Control-Flow Integrity Enablement and Evaluation for Legacy C/C++ Systems" will be presented at the 2026 ACM Secure Development Conference (SecDev '26) in July.
Alexandre Bartel tweet media
English
1
2
9
400
Oren T
Oren T@OrenTirosh·
@OwenBrakes Bluetooth uses GFSK, which is a form of frequency modulation. But variations in power consumption can leak onto the carrier as amplitude modulation. The constant envelope actually makes it easier to detect such weak amplitude modulation.
English
1
0
2
255
Aurélien Francillon retweetledi
Owen Brake
Owen Brake@OwenBrakes·
The RF world is insane. Researchers recovered AES-128 keys from a Bluetooth chip by listening to its own antenna from 10 meters away. Crypto-engine switching noise couples into the RF chain, rides the 2.4 GHz carrier, and leaks out as radio.
Owen Brake tweet mediaOwen Brake tweet mediaOwen Brake tweet media
English
109
858
6.4K
346.8K
Aurélien Francillon
Aurélien Francillon@aurelsec·
@pwalshbuilds @OwenBrakes Because the key is used by the processor, a side channel (power consumption) couples to the radio transmitter. And then you can find the key (after a lot of packet collection and statistics) in the noise of the transmission.
English
0
0
2
53
Patrick Walsh
Patrick Walsh@pwalshbuilds·
@OwenBrakes How is this possible if the key isn't even sent across? Did they already have the private key on one of the Bluetooth chips? Or did they do it purely as an observer?
English
5
0
6
5.4K
Aurélien Francillon
Aurélien Francillon@aurelsec·
@the_void_is_nil @OwenBrakes @kmcnam1 All those are related indeed. The difference with screaming channels is we show that these get amplified and transmitted further by a nearby (or integrated) radio transmitter. Rebroadcasting the side channel in a way.
English
0
0
0
12
Aurélien Francillon retweetledi
THConvention
THConvention@ToulouseHacking·
“Backdoors in your smartphones? Why? How? Not?” by @aurelsec This talk examines what backdoors really mean from a systems and protocols perspective, and discusses concrete technical proposals 📅 May 5th & 6th, 2026 🔗 Tickets: thcon.party/tickets/ Details 👇🏻
THConvention tweet media
English
1
8
12
617
Aurélien Francillon retweetledi
Zardus@DEFCON.social
[email protected]@Zardus·
Hello security researchers! Like it or not, agentic AI is here. It’s time to explore its impact on novel, academic research in cybersecurity. To this end, we’re launching the Conference for Synthetic Security Research (synsec.org). Researchers, start your agents!
English
15
68
404
37K
Aurélien Francillon retweetledi
Jonathan Brossard
Jonathan Brossard@endrazine·
Symantec killed Bugtraq in 2020 and let the domain lapse. Now it's squatted for $175k. The NVD has 120,000+ broken links pointing there. The security community's memory is being held hostage. Let's buy it back ! Please donate/spread/tag/RT 🙏 gofund.me/69b07ba83
Jonathan Brossard tweet media
English
10
11
28
7.3K
Aurélien Francillon retweetledi
Patrick Breyer #JoinMastodon
Patrick Breyer #JoinMastodon@echo_pbreyer·
The European Commission is pushing hard to extend #ChatControl 1.0 - allowing mass scanning of private messages without court orders for another two years. Contact your MEPs TODAY via https:// fightchatcontrol.eu to defend your privacy and digital rights!
Patrick Breyer #JoinMastodon tweet media
English
30
464
937
36.5K
Aurélien Francillon retweetledi
Alex Cui
Alex Cui@alexcdot·
Okay so, we just found that over 50 papers published at @Neurips 2025 have AI hallucinations I don't think people realize how bad the slop is right now It's not just that researchers from @GoogleDeepMind, @Meta, @MIT, @Cambridge_Uni are using AI - they allowed LLMs to generate hallucinations in their papers and didn't notice at all. It's insane that these made it through peer review👇
Alex Cui tweet media
English
281
1.4K
6.3K
1M
Aurélien Francillon retweetledi
Proton
Proton@ProtonPrivacy·
The GrapheneOS team has said that “France isn’t a safe country for open source privacy projects,” pointing to what it describes as the expectations of encryption backdoors. Last week, it announced it has removed all servers from France. x.com/GrapheneOS/sta… 1/5
GrapheneOS@GrapheneOS

We no longer have any active servers in France and are continuing the process of leaving OVH. We'll be rotating our TLS keys and Let's Encrypt account keys pinned via accounturi. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now. Our App Store verifies the app store metadata with a cryptographic signature and downgrade protection along with verification of the packages. Android's package manager also has another layer of signature verification and downgrade protection. Our System Updater verifies updates with a cryptographic signature and downgrade protection along with another layer of both in update_engine and a third layer of both via verified boot. Signing channel release channel names is planned too. Our update mirrors are currently hosted on sponsored servers from ReliableSite (Los Angeles, Miami) and Tempest (London). London is a temporary location due to an emergency move from a provider which left the dedicated server business and will move. More sponsored update mirrors are coming. Our ns1 anycast network is on Vultr and our ns2 anycast network is on BuyVM since both support BGP for announcing our own IP space. We're moving our main website/network servers used for default OS connections to a mix of Vultr+BuyVM locations. We have 5 servers in Canada with OVH with more than static content and basic network services: email, Matrix, discussion forum, Mastodon and attestation. Our plan is to move these to Netcup root servers or a similar provider short term and then colocated servers in Toronto long term. France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries. We were likely going to be able to release experimental Pixel 10 support very soon and it's getting disrupted. The attacks on our team with ongoing libel and harassment have escalated, raids on our chat rooms have escalated and more. It's rough right now and support is appreciated.

English
46
632
4.2K
235K
Aurélien Francillon retweetledi
GrapheneOS
GrapheneOS@GrapheneOS·
France is one of the strongest supporters of Chat Control and law enforcement is acting as if that's already law. We're protecting our users in France and elsewhere against GrapheneOS being treated similarly to SkyECC or Encrochat. We have many users in France and will continue to provide GrapheneOS and our services to people there from servers in Germany, Switzerland, Luxembourg, etc. not at a French hosting provider. Read what law enforcement has said about it. Here are 2 articles heavily quoting law enforcement: archive.is/AhMsj contains many inaccurate claims about GrapheneOS features, marketing, distribution and usage directly quoted from law enforcement. Le Parisien cannot be blamed for what French law enforcement says, only the fact that they presented it as factual information and did not give us the opportunity to review the specific claims and respond to them. archive.is/UrlvK also contains comparisons to SkyECC and Encrochat by law enforcement with a clear threat of similar action if we don't cooperate with providing device access. franceinfo.fr/faits-divers/n… is French state media with more inaccurate claims about it from law enforcement presented as fact. There's much more than this and we haven't read all of the other coverage ourselves. None of this is the fault of OVH but we cannot trust France-based providers anymore. OVH was forced to cooperate in actions against SkyECC and Encrochat, both brought up in comparisons by French law enforcement. Call it fearmongering if you want but that is actually what French police and the national government are doing about encryption and secure devices. It has negative consequences for French businesses like OVH who are subject to their demands.
English
2
20
104
9.4K
Aurélien Francillon retweetledi
GrapheneOS
GrapheneOS@GrapheneOS·
We no longer have any active servers in France and are continuing the process of leaving OVH. We'll be rotating our TLS keys and Let's Encrypt account keys pinned via accounturi. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now. Our App Store verifies the app store metadata with a cryptographic signature and downgrade protection along with verification of the packages. Android's package manager also has another layer of signature verification and downgrade protection. Our System Updater verifies updates with a cryptographic signature and downgrade protection along with another layer of both in update_engine and a third layer of both via verified boot. Signing channel release channel names is planned too. Our update mirrors are currently hosted on sponsored servers from ReliableSite (Los Angeles, Miami) and Tempest (London). London is a temporary location due to an emergency move from a provider which left the dedicated server business and will move. More sponsored update mirrors are coming. Our ns1 anycast network is on Vultr and our ns2 anycast network is on BuyVM since both support BGP for announcing our own IP space. We're moving our main website/network servers used for default OS connections to a mix of Vultr+BuyVM locations. We have 5 servers in Canada with OVH with more than static content and basic network services: email, Matrix, discussion forum, Mastodon and attestation. Our plan is to move these to Netcup root servers or a similar provider short term and then colocated servers in Toronto long term. France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries. We were likely going to be able to release experimental Pixel 10 support very soon and it's getting disrupted. The attacks on our team with ongoing libel and harassment have escalated, raids on our chat rooms have escalated and more. It's rough right now and support is appreciated.
English
200
1.4K
9.2K
1.9M
Aurélien Francillon retweetledi
FuzzingLabs
FuzzingLabs@FuzzingLabs·
@Cloudflare just learned the hard way that .unwrap() in Rust can be dangerous, especially in security-critical code. At @FuzzingLabs, we’ve been teaching this for years in our Rust Security: Audit & Fuzzing training. If you want your engineers to avoid these bugs before they hit production, here’s your chance: 🎓 Rust Security Training - Special CLOUDFLARE Discount 👉 academy.fuzzinglabs.com/rust-security-…
English
0
12
66
3.7K

Keşfet

@OrenTirosh @OwenBrakes @nSinusR @GioCamurati @poeplau @pwalshbuilds @the_void_is_nil @kmcnam1