Vinoth Deivasigamani
@vinothd.bsky.social
I lead silicon security architecture and silicon security operations teams at #Google. Previously, silicon security at #Qualcomm.

These days I work on Tensor/Pixel and Android security
China alleges the NSA mounted a cyberattack on its National Time Service Center (NTSC), the country's official timekeeper.

The attack reportedly attempted to compromise high-precision timing. Beijing has not stated if the attempt was successful.

(Thread 🧵)
www.cert.org.cn
October 21, 2025 at 7:06 PM
A few researchers from UCSD and UMCP scanned a bunch of satellite links, found that much of the traffic is not encrypted, and went on to decode it. It's amazing what came out.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
October 14, 2025 at 4:53 AM
OTA update to Jeep Wrangler bricks the vehicle. No attack suspected here. Nonetheless, it exposes an often under-appreciated attack vector. It is scary how easy it will be for a motivated actor to cause chaos by just bricking stuff en masse.

www.4xeforums.com/threads/wran...
www.4xeforums.com
October 12, 2025 at 5:15 PM
This terrible event is a reminder that "Availability" is a critical goal for security and privacy systems. After all, we are in the risk mitigation business. And losing critical assets is one of the biggest risks a business faces.

koreajoongangdaily.joins.com/news/2025-10...
NIRS fire destroys government's cloud storage system, no backups available
A fire at the National Information Resources Service (NIRS) Daejeon headquarters destroyed the government’s G-Drive cloud storage system, erasing work files saved individually by some 750,000 civil se...
koreajoongangdaily.joins.com
October 5, 2025 at 10:20 PM
Reposted by Vinoth Deivasigamani
I wrote about atproto and why it matters
Open Social — overreacted
The protocol is the API.
overreacted.io
September 26, 2025 at 3:33 PM
Reposted by Vinoth Deivasigamani
Imagine the shitshow we'd be in right now if ICANN hadn't been spun off from the US government
April 21, 2025 at 11:13 PM
Good news on mobile zero-days in 2024:
- Zero-day exploits in mobile fell YoY (~50%)
- Exploit chains with multiple zero-day vulnerabilities are almost exclusively in mobile. Generally, this means mobiles are harder to break into.
Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis | Google Cloud Blog
This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits.
cloud.google.com
April 29, 2025 at 6:21 PM
My thoughts on why PUF never took off in the SoC world:
vinothd.com/blog/3-the-m...

tl;dr: PUF does not simplify the secure manufacturing trust model. Not having to generate the root private key is cool. But you cannot do much with it without extracting the corresponding public key.
April 17, 2025 at 6:52 AM
Xi and Trump could have been born the same day!! I have never been more curious about someone's exact time of birth.
April 15, 2025 at 3:51 PM
Crazy story of a well-crafted honeypot used to link ongoing industrial espionage to senior leadership at a competitor

Lawsuit Alleges $12 Billion "Unicorn" Deel Cultivated Spy, Orchestrated Long-Running Trade-Secret Theft & Corporate Espionage Against Competitor | Rippling
www.rippling.com/blog/lawsuit...
In lawsuit, Rippling describes how it conclusively proved Deel’s senior leadership orchestrated the illegal activity.
www.rippling.com
March 17, 2025 at 4:05 PM
"It's not a backdoor, it is an undocumented entryway in the rear of the building that is hidden from plain view"
March 9, 2025 at 3:18 PM
Reposted by Vinoth Deivasigamani
I gave a day 1 closing keynote at DistrictCon yesterday. Surprisingly, it was a security talk about memory safety.

Slides are here:
docs.google.com/presentation...
Memory Safety
Is this memory safety here in the room with us? Halvar Flake / Thomas Dullien DistrictCon 0 2025
docs.google.com
February 22, 2025 at 11:40 AM
Here's an unintentional demonstration of AI being able to find and use exploits.

Sakana AI announced an AI agent that optimized kernels and achieved up to 100x speedup. It turned out the agent cheated with a memory exploit it found in the verification code.

sakana.ai/ai-cuda-engi...
Sakana AI
The AI CUDA Engineer: Agentic CUDA Kernel Discovery, Optimization and Composition
sakana.ai
February 22, 2025 at 3:55 PM
Reposted by Vinoth Deivasigamani
Senator Wyden has proposed a bipartisan bill that would block foreign nations from demanding backdoors in US encryption. www.wyden.senate.gov/news/press-r...
Wyden Releases Draft Bill to Secure Americans’ Communications Against Foreign Surveillance Demands | U.S. Senator Ron Wyden of Oregon
The Official U.S. Senate website of Senator Ron Wyden of Oregon
www.wyden.senate.gov
February 14, 2025 at 9:18 PM
$1.4B stolen from a cold wallet at the Bybit crypto exchange.

The initial report implies hackers manipulated the UI for the signing app/device. Signers thought they were signing something benign (based on the UI), but the actual message that got signed was different.

announcements.bybit.com/en/article/i...
announcements.bybit.com
February 22, 2025 at 1:33 AM
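An added illustration of the failure mode in the post above (example code; not from the post, not Bybit's or any wallet vendor's code): a toy multisig approval flow in which the front end renders a human-readable summary while the signing device commits to a digest of the raw payload. The transaction format, field names and the `honest_frontend` / `compromised_frontend` helpers are hypothetical. The point it demonstrates is that a signer who approves based on the rendered summary cannot tell the two payloads apart, whereas a signer who recomputes the digest from an independently obtained copy of the intended payload and compares it with what the device displays catches the substitution.

```python
import hashlib
import json

# Hypothetical toy transaction format; field names are assumptions, not any real chain's.


def canonical_bytes(tx: dict) -> bytes:
    """Deterministic serialization so every party hashes exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def digest(tx: dict) -> str:
    """The value a hardware signer actually commits to when it signs."""
    return hashlib.sha256(canonical_bytes(tx)).hexdigest()


def render_summary(tx: dict) -> str:
    """What a wallet front end typically shows a human: operation, amount, recipient."""
    return f"{tx['op']} {tx['amount']} to {tx['to']}"


# Constructed sample: the routine transfer the signers intend to approve.
BENIGN_TX = {"op": "transfer", "to": "warm-wallet-01", "amount": "1000", "data": ""}

# Constructed sample: same recipient and amount, but a payload field that changes
# what actually executes. Its rendered summary is identical to the benign one.
MALICIOUS_TX = {"op": "transfer", "to": "warm-wallet-01", "amount": "1000",
                "data": "upgrade-implementation-to-attacker"}


def honest_frontend(tx: dict) -> dict:
    """Summary and digest are derived from the same payload."""
    return {"summary": render_summary(tx), "digest": digest(tx)}


def compromised_frontend(shown_tx: dict, signed_tx: dict) -> dict:
    """Models the attack in the post: the UI renders one transaction while the
    bytes handed to the signing device belong to another."""
    return {"summary": render_summary(shown_tx), "digest": digest(signed_tx)}


def approve_by_summary(request: dict, intended_tx: dict) -> bool:
    """Weak check: trusts the front end's rendering of the transaction."""
    return request["summary"] == render_summary(intended_tx)


def approve_by_digest(request: dict, intended_tx: dict) -> bool:
    """Strong check: recompute the digest from a copy of the intended payload
    obtained out of band (second machine, proposer's own record) and compare it
    with the digest the signing device displays."""
    return request["digest"] == digest(intended_tx)


if __name__ == "__main__":
    attack = compromised_frontend(BENIGN_TX, MALICIOUS_TX)
    print("summary check passes:", approve_by_summary(attack, BENIGN_TX))  # True: fooled
    print("digest check passes: ", approve_by_digest(attack, BENIGN_TX))   # False: caught
```

The digest check only helps if the signer can actually read the digest on the device and has an independent source for the intended payload; a device that signs opaque hashes with no display, or a signer who takes the hash from the same compromised UI, collapses back to the summary-level check.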
UK laws mandate cookie banners for privacy, but outlaw end-to-end encryption.

apnews.com/article/appl...

PS: The UK has its own GDPR, called UK GDPR, which closely mirrors the EU GDPR.
Apple drops encryption feature for UK users after government reportedly demanded backdoor access
Apple says it will stop offering an advanced data security option for British users after the government reportedly demanded that the company provide backdoor access for any data those users have stor...
apnews.com
February 22, 2025 at 12:50 AM
Such a simple and ingenious method to isolate reasoning from memorization in LLMs.

The performance of reasoning models drops significantly when they are evaluated on multiple-choice questions in which the correct answer has been replaced with 'None of the others'.

arxiv.org/abs/2502.12896
None of the Others: a General Technique to Distinguish Reasoning from Memorization in Multiple-Choice LLM Evaluation Benchmarks
In LLM evaluations, reasoning is often distinguished from recall/memorization by performing numerical variations to math-oriented questions. Here we introduce a general variation method for multiple-c...
arxiv.org
February 21, 2025 at 8:11 PM
Indian police trained eagles to bring down drones. The eagles use nets to drag the drones down to the ground rather than grabbing them directly. Nets prevent injuries to eagles as well as get the drones to a safe place rather than dropping them wherever they are.

www.instagram.com/newsxofficia...
NewsX on Instagram: "Telangana's Garuda Squad has introduced a groundbreaking security measure by training eagles to pursue and capture rogue drones using specialized nets. This innovative approach ...
www.instagram.com
January 31, 2025 at 4:17 PM
Paper from Google on effectiveness of using LLMs for large-scale code migrations:
arxiv.org/abs/2501.06972

A few interesting observations:
- >50% savings in the time needed for the task

- LLM is only part of the solution. Traditional AST, heuristics, safe deployment infra are also essential.
How is Google using AI for internal code migrations?
In recent years, there has been a tremendous interest in using generative AI, and particularly large language models (LLMs) in software engineering; indeed there are now several commercially available...
arxiv.org
January 17, 2025 at 5:10 PM
DOJ/FBI, supported by French law enforcement, removed PlugX malware from ~4K computers by sending a self-delete command to the malware on those computers. Owners of those computers will be notified after the fact by their ISPs that this happened.

link: thehackernews.com/2025/01/fbi-...
FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
FBI’s PlugX operation cleans over 4,250 infected computers, targeting malware spread by PRC-linked hackers.
thehackernews.com
January 16, 2025 at 7:33 PM
In my technical writing, I may sling "Band-Aid" as an insult for shoddy fixes, but fear not, #johnsonandjohnson I always capitalize my "Band-Aid"s. Respect the trademark, even when throwing shade. 😉
January 14, 2025 at 4:40 PM
#Bitcoin community is rooting for sovereign ownership. But they had better be careful what they wish for. I predict that govts will stack those sats through seizures, not open-market purchases. Seizures are not a bad thing. The BTC economy must be subject to the law of the land.
Governments Now Hold 2.2% of All Bitcoin | CoinGecko
Governments now hold 471,380.6 BTC, accounting for ~2.2% of all bitcoin. Which countries hold the most BTC?
www.coingecko.com
January 14, 2025 at 4:39 PM
Court declines Coinbase's demand to order the SEC to engage in rulemaking. Also says the SEC's refusal of Coinbase's rulemaking petition is "insufficiently reasoned, thus arbitrary and capricious". Remands to the SEC for a proper explanation.

www2.ca3.uscourts.gov/opinarch/233...

#coinbase #cryptocurrency
January 14, 2025 at 4:38 PM
For the first time ever, a US federal agency (CISA) publicly and in plain language advises folks to use end-to-end encrypted communications apps like Signal. There are other agencies who say end-to-end encryption is not 'responsible encryption'. Don't mind them. You do need it.
December 20, 2024 at 3:55 PM