I lead silicon security architecture and silicon security operations teams at #Google. Previously, silicon security at #Qualcomm.
These days I work on Tensor/Pixel and Android security
Article title: If AI replaces workers, should it also pay taxes?
Me: We don't want a rebellion sparked by 'Taxation without representation'. Do we?
english.elpais.com/technology/2...
Cryptography is the art of transforming every problem into a key management problem. Here is a recent case study on this theme, which is a bit on the nose.
The International Association for Cryptologic Research (IACR) is unable to tally their election results because they lost a private key. Ouch!
IACR used #Helios for voting. They configured it such that all 3 trustees need to be present with their share of the private key to tally results.
One trustee lost their share. Now the results are mathematically secure—forever.
The math worked. The encryption held. The process failed.
A few lessons to relearn here:
1. Availability is a security requirement. It is just as important as Confidentiality.
While this seems like a truism, it is not uncommon to come across system designs (or even NSA/NIST specs) that contradict this principle.
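The availability point in the IACR case, as an added example (not the author's code and not Helios code or its trustee protocol): Shamir secret sharing is used here as a stand-in to contrast a key that needs all 3 shares with one that needs any 2 of 3. The field prime, function names and the nonzero-coefficient choice are assumptions made for this toy illustration.

```python
import secrets

P = 2**127 - 1  # Mersenne prime used as the field modulus (toy parameter)

def split(secret, n, k):
    """Split `secret` into n shares (x, y); any k of them recover it."""
    # Random polynomial of degree k-1 with f(0) = secret. Coefficients are
    # drawn nonzero so the polynomial really has degree k-1 (toy choice).
    coeffs = [secret] + [1 + secrets.randbelow(P - 1) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover(shares):
    """Lagrange-interpolate the shares at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def surviving_trustees_can_tally(n, k, lost):
    """Split a fresh key n ways with threshold k, lose `lost` shares
    (lost < n), and report whether the remaining shares still yield it."""
    key = secrets.randbelow(P)
    remaining = split(key, n, k)[lost:]
    return recover(remaining) == key

if __name__ == "__main__":
    # 3-of-3: the configuration described in the post.
    print("3-of-3, no loss :", surviving_trustees_can_tally(3, 3, 0))
    print("3-of-3, one lost:", surviving_trustees_can_tally(3, 3, 1))
    # 2-of-3: same number of trustees, one share of slack.
    print("2-of-3, one lost:", surviving_trustees_can_tally(3, 2, 1))
    print("2-of-3, two lost:", surviving_trustees_can_tally(3, 2, 2))
```

The threshold is the knob that trades collusion resistance against availability: lowering it from 3 to 2 means two trustees can tally without the third, for better and for worse.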
China alleges the NSA mounted a cyberattack on its National Time Service Center (NTSC), the country's official timekeeper.
The attack reportedly attempted to compromise high-precision timing. Beijing has not stated if the attempt was successful.
(Thread 🧵)
Why target a timekeeper? It sounds mundane, but high-precision time is a critical national security asset.
Modern tech relies on nanosecond-level accuracy. If you can mess with time, you can disrupt critical infrastructure.
Here are two key examples:
1. Telecommunications: Cell phone base stations must share a common clock to hand off calls. This is even more vital for low-latency 5G applications.
Attack outcome: If you disrupt the time, you can disrupt the entire communications grid.
A few researchers from UCSD and UMCP scanned a bunch of satellite links, found much of the traffic is not encrypted, and went on to decode it. It's amazing what came out.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
OTA update to Jeep Wrangler bricks the vehicle. No attack suspected here. Nonetheless, it exposes an often underappreciated attack vector. It is scary how easy it will be for a motivated actor to cause chaos by just bricking stuff en masse.
www.4xeforums.com/threads/wran...
"Almost died on the thruway today when it happened and I’m glad it didn’t cause a bigger accident with an 18-wheeler behind me being able at the last minute to shift lanes because my Jeep died, locked its hand brake and jolted so hard my face almost ended up in the steering wheel at 70mph."
This terrible event is a reminder that "Availability" is a critical goal for security and privacy systems. After all, we are in the risk mitigation business. And losing critical assets is one of the biggest risks a business faces.
koreajoongangdaily.joins.com/news/2025-10...
Availability is not antithetical to security and privacy. A well designed security system will meet availability needs.
"The Interior Ministry explained that... the G-Drive’s structure did not allow for external backups. This vulnerability ultimately left it unprotected."
Good news on mobile zero-days in 2024:
- Zero day exploits in mobile fell YoY (~50%)
- Exploit chains with multiple zero day vulnerabilities are almost exclusively in mobile. Generally, this means mobiles are harder to break into.
The flip side:
- % of 0-days in enterprise technologies is increasing (37% -> 44%)
- Much of that is due to 0-days in *security* and networking products.
- Security/networking products are generally compromised with a single vulnerability, no exploit chain required. This is scary.
My thoughts on why PUF never took off in the SoC world:
vinothd.com/blog/3-the-m...
tl;dr: PUF does not simplify the secure manufacturing trust model. Not having to generate the root private key is cool. But you cannot do much with it without extracting the corresponding public key.
And that extraction needs to be done securely, which re-introduces the problem of having to trust the manufacturing facilities, and all the complexity needed to minimize that trust.
Crazy story of a well-crafted honeypot to link ongoing industrial espionage to senior leadership at a competitor
Lawsuit Alleges $12 Billion "Unicorn" Deel Cultivated Spy, Orchestrated Long-Running Trade-Secret Theft & Corporate Espionage Against Competitor | Rippling
www.rippling.com/blog/lawsuit...
"The letter was sent to only three people – Phillipe Bouaziz, the chairman of Deel’s board, CFO, General Counsel, and the father of Deel CEO Alex Bouaziz; Spiros Komis, Deel’s Head of US Legal; and the company’s outside counsel at law firm."
"Within hours of sending the letter, Deel’s spy inside of Rippling searched – for the first time – for this empty and never-before-used Slack channel, proving that Deel’s top executives or its legal representatives were running the covert espionage operation."
I gave a day 1 closing keynote at DistrictCon yesterday. Surprisingly, it was a security talk about memory safety.
Slides are here:
docs.google.com/presentation...
Here's an unintentional demonstration of AI being able to find and use exploits.
Sakana AI announced an AI agent that optimized kernels and achieved up to 100x speedup. Turned out the agent cheated with a memory exploit it found in the verification code.
sakana.ai/ai-cuda-engi...
Senator Wyden has proposed a bipartisan bill that would block foreign nations from demanding backdoors in US encryption. www.wyden.senate.gov/news/press-r...
$1.4B stolen from cold wallet at Bybit crypto exchange.
Initial report implies hackers manipulated the UI for the signing app/device. Signers were thinking they were signing something benign (based on UI), but the actual message that got signed was diff.
announcements.bybit.com/en/article/i...
Holding the keys off-line is great. But for a cold wallet with $1.4B, I would've expected the host on which the signing happens to be off-line as well. It appears that might not have been the case here.
UK laws mandate cookie banners for privacy, but outlaw end to end encryption.
apnews.com/article/appl...
PS: UK has its own GDPR called UK GDPR that closely mirrors EU GDPR
Such a simple and ingenious method to isolate reasoning from memorization in LLMs.
Performance of reasoning models drops significantly when evaluated on multiple choice questions in which the correct answer was replaced with 'None of the others'
arxiv.org/abs/2502.12896
Indian police trained eagles to bring down drones. The eagles use nets to drag the drones down to the ground rather than grabbing them directly. Nets prevent injuries to eagles as well as get the drones to a safe place rather than dropping them wherever they are.
www.instagram.com/newsxofficia...
Paper from Google on effectiveness of using LLMs for large-scale code migrations:
arxiv.org/abs/2501.06972
A few interesting observations:
- >50% savings in the time needed for the task
- LLM is only part of the solution. Traditional AST, heuristics, safe deployment infra are also essential.
- Google already has special infra for large-scale migrations such as API changes, programming language version changes etc. at a fraction of the cost of manual changes. This paper is about the kind of migrations for which such deterministic approaches are not quite effective.
DOJ/FBI, supported by French law enforcement, removed PlugX malware from ~4K computers by sending a self-delete command to the malware in those computers. Owners of those computers will be notified after the fact by their ISP providers that this happened.
link: thehackernews.com/2025/01/fbi-...
Govt lawfully (w/ warrants) reaching into private computer systems without owners' knowledge or consent to disrupt attacks is slowly becoming mainstream. I think it's mostly a good thing. But I'm also worried about the slippery slope here.
In my technical writing, I may sling "Band-Aid" as an insult for shoddy fixes, but fear not, #johnsonandjohnson I always capitalize my "Band-Aid"s. Respect the trademark, even when throwing shade. 😉