vinoth

@vinoth@infosec.exchange

I am Vinoth, from San Diego. I lead the silicon security architecture and silicon security operations teams at #Google. Before this, I worked on mobile silicon security at #Qualcomm.

Much of my work is about improving the security of #Pixel and other #Android devices. I will mostly talk about #mobilesecurity, #androidsecurity and #infosec.

I sometimes invest in seed stage start-ups, primarily technology companies. My portfolio includes Modumate, Akido Labs, kia.ai, Zendoc and Zeoauto. If you are building something cool, hit me up.


vinoth, to random

Not the onion: Justice department indicts the Nigerian prince on cybercrime charges.

"Prince Onyeoziri Odinakachi, 31, of Nigeria, was indicted by a federal grand jury in the District of Massachusetts on Jan. 30 for conspiracy to commit multiple computer intrusion offenses,"

https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales

againsthimself, to random
@againsthimself@ioc.exchange

"In response to the watchdog’s report, the Office of the National Cyber Director said that performance measures don't really exist in the cybersecurity field."
https://cyberscoop.com/gao-national-cybersecurity-strategy/

vinoth,

@againsthimself I am curious how a lack of KPIs is handled in the field of national defense or corporate physical security. Perhaps those fields are intuitive enough for decision makers (or they believe it is).

vinoth, to random

AI deepfakes used to scam a company out of $26M.

"Hong Kong police did not reveal the name or details of the company or the worker."

I'm guessing this is not a company listed in the US. At least, we would've seen an SEC filing disclosing the attack while reassuring that it is not a material impact to the company.

https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html

vinoth, to random

Salton Sea boom and bust is a sad story. The community on the beach is a shadow of its former self. I hope this finding will revitalize the region.

U.S. Department of Energy Analysis Confirms California’s Salton Sea Region to Be a Rich Domestic Lithium Resource | Department of Energy
https://www.energy.gov/eere/articles/us-department-energy-analysis-confirms-californias-salton-sea-region-be-rich-domestic

vinoth, to random

Canadian Paediatric Association now recommends 'risky play' for kids, with citations.

I (unironically) call for a study on societal harms caused by abandoning intuitive good practices, just because the benefits haven't been formally studied and published.

https://cps.ca/en/documents/position/outdoor-risky-play

vinoth,

I'm surprised no one has yet challenged the ongoing practice of letting kids drink one of the most potent solvents on the planet, and breathe one of the most corrosive gases in the universe.

vinoth, to random

Ingenuity, the Mars Helicopter, has taken its last flight on the Red Planet. Its mission ends with an impressive record of 72 flights, exceeding the original expectation of just 5.

BTW, it was powered by a Qualcomm Snapdragon 801 mobile SoC. This is the same SoC as in Samsung Galaxy S5. What a testament to the versatility of modern SoC technology!

https://www.nasa.gov/news-release/after-three-years-on-mars-nasas-ingenuity-helicopter-mission-ends/

carnage4life, to random
@carnage4life@mas.to

The FTC plans to investigate whether Microsoft’s investment and exclusive deal with OpenAI and Google & Amazon’s with Anthropic are anticompetitive.

Limiting funding options for startups that have high costs like training AI seems counterproductive.

The funding crunch facing startups will only get worse as it becomes clear that regulators will prevent profitable big tech companies from buying startups.

You can’t show a path to being a standalone profitable business?👋🏾

https://www.nytimes.com/2024/01/25/technology/ftc-ai-microsoft-amazon-google.html

vinoth,

@carnage4life To be fair, it's a 6(b) inquiry - a tool intended to gain understanding of business practices, rather than an intent to investigate. Given the unusual Microsoft/OpenAI drama, it seems like a reasonable thing for a regulator to do.

https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-launches-inquiry-generative-ai-investments-partnerships

vinoth, to random

HPE is hacked by APT29/"Midnight Blizzard". The only reason we know about it is that in the US "Everything is security fraud", including not reporting a cyberattack to the SEC.

https://techcrunch.com/2024/01/25/hpe-says-it-was-hacked-by-russian-group-behind-microsoft-email-breach/

vinoth,

On the one hand, I'm glad we are at least getting this disclosure. On the other hand, such disclosures often stop at disclosing impact to business operations and shareholder value (SEC's remit). We need real cybersecurity disclosure laws that focus on disclosing impact to society at large, rather than just the shareholders.

vinoth, to random

HP CEO says

"We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network."

Sounds like he is making a case for not buying HP printers.

HP CEO evokes James Bond-style hack via ink cartridges | Ars Technica
https://arstechnica.com/gadgets/2024/01/hp-ceo-blocking-third-party-ink-from-printers-fights-viruses/

gborn, to random
@gborn@social.tchncs.de

Classic case of What the Fuck (WTF): HP claims to protect customers from "viruses" by blocking third-party ink cartridges ...

https://borncity.com/win/2024/01/23/wtf-hp-claims-to-protect-users-from-viruses-by-blocking-third-party-ink-cartridges/

vinoth,

@gborn Only first party viruses are allowed.

vinoth, to random

The framing that a "very small percentage of Microsoft corporate email accounts" were compromised doesn't scream transparency, when the company has 220k+ employees, and the affected include "members of our senior leadership team and employees in our cybersecurity...functions".

That part of the post reads like a compromise between the PR person and the incident response person who were asked to collaborate on the post. And they agreed it is only fair to forgo both trust as well as PR mitigation, instead of choosing one over the other.

https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

vinoth,

"The attack was not the result of a vulnerability in Microsoft products or services."

Another common framing of security incidents that grates on me. "Users may have been compromised by deficiencies within our scope of work, but the product is secure." That's a distinction without a difference.

vinoth,

This framing happens both in internal discussions and external discussions. It is often a result of a conflict between these two aspects, and a lack of awareness of this conflict:

  • Organizations/teams enforce accountability based on tangible deliverables like code, service, etc. whose scope is static, bounded and can be agreed upon a priori

  • 'Product security' is an outcome oriented term, whose scope is dynamic and unbounded. Threat actors, threat motivations, attack techniques that you don't even know exist could impact product security.

vinoth,

You cannot define and agree on the scope of 'Product security' a priori, at least not in the sense that fits within the corporate accountability framework which assumes a static and bounded scope.

How can security leads navigate this:

  • Acknowledge the existence of this challenge
  • Guard against teams/organizations/companies defining the scope of product security narrowly to fit within the corporate accountability framework
  • Champion for leadership support on tailoring the accountability framework to suit product security needs

Easier said than done. I know. But that's the job.

ELLIOTTCABLE, to random

Welp, that's a first.

Xfinity won't let me pay them for Internet service, because my … last name is “not valid.”

vinoth,

@ELLIOTTCABLE Time for an RFC to standardize last names.

vinoth, to random

It was previously thought that only authors have standing to enforce free software licenses such as GPL. This sucks because which individual contributor to open source has the resources or inclination to sue violators.

Recent US/CA court ruling changes that and allows any third party beneficiary (aka "almost anyone", in the context of free software) to sue under contract law. That opens the floodgates.

The nuance is that the court has agreed that at least some aspects of the license are a contract rather than a copyright, which means different rules apply on who can sue.

@luis_in_brief has an excellent blog post about the ruling, which came in a case between VIZIO and Software Freedom Conservancy:
https://blog.tidelift.com/will-the-new-judicial-ruling-in-the-vizio-lawsuit-strengthen-the-gpl

maldr0id, to random

Pro tip: use hashes of passwords as actual passwords so that even if the password is stored in plaintext it will still be hashed

vinoth,

@maldr0id Sprinkle some salt while you're hashing it. Don't worry about the keyboard getting dirty. One minute of cleaning the keyboard beats losing your password to an attacker.

maldr0id, to random

I’ve set the padlock on my gym locker to the same four-digit code as the PIN to my debit card.

Discuss.

vinoth, (edited)

@maldr0id There is a side channel information leakage when a security researcher discloses this. Assets are probably of similar value. Either he is hiding a fortune in the gym locker, or he is broke :-)

vinoth, to random

A less acknowledged risk of using ML models for security enforcement: Risk of quickly devolving into a security-by-obscurity situation where the knowledge of and access to the model helps adversaries craft effective bypasses.

Not a show stopper for many situations, if the risk is managed by proper system level/protocol level magic. But got to be careful.

vinoth, to random

My 9 year old asked me what a politician is. I found it surprisingly difficult to give an answer that is not oversimplified (a person running for political office). I settled for something around people who are elected to make rules for all of us, which I am still not totally satisfied with.

Which got me thinking what a succinct adult answer would look like. I think I would go with someone who works with other politicians to collectively allocate scarce resources in the community/country/company to optimize for the common good of that community/country/company. Thoughts?

lcamtuf, (edited) to random

deleted_by_author

vinoth,

@lcamtuf I think I disagree with the premise that there is a globally optimal rank order of problems to attack in all of security. In reality, the rank order is different in different systems that handle different assets where compromise has different impacts. The answer is contextual.

In my neck of the woods (Mobile security), the vast majority of the exploits do involve memory safety. So fixing them all by flipping a switch changes everything.

I can imagine more complex systems with a lot more opportunities for mitigating impact of low level issues like memory safety, where solving memory safety doesn't move the needle as much as other things we could do (Eg: increase observability, decrease reaction times etc.)

Isn't it a classic case of 'It depends'?

vinoth, to random

Nothing says 'Car is a computer' more than getting a promo for changing to a bad UI, and then getting another promo for changing it back by calling it a 'new approach based on customer feedback'.

https://www.engadget.com/volkswagen-drivers-want-more-physical-buttons-instead-of-touch-controls-044931087.html?s=09

grammargirl, to random
@grammargirl@zirk.us

I love clever uses of incentives and tech: Cities are using traffic lights near schools that start red and turn green if an approaching car isn't speeding.

If you're good, you get to keep driving. If you're bad, you have to stop and wait for the light to turn green.

The average speed on the road almost immediately dropped to the speed limit as people learned the rules.

Instead of punishing people with tickets after the fact, it creates the behavior the city wants.

https://mass.streetsblog.org/2023/05/05/steal-this-idea-in-quebec-a-new-traffic-light-only-turns-green-for-safe-drivers/

vinoth,

@grammargirl I hope they aren't training people to skip the red lights, as there isn't any cross traffic that this is trying to manage.
