Macklemore: Restoring My Faith In Hip Hop

April 2, 2013

Macklemore and Ryan Lewis are quadruple platinum with Thrift Shop and counting – I love to see the success of a local (Seattle) artist who was down and out and is now on the rebound in a big way. Conscious hip hop by this duo is a return to music with a greater purpose for this genre. Can Sasha Frere-Jones over at The New Yorker do a piece on him already?

Who Took A Chance On You?

March 22, 2013

Inspired by a tweet linking to Bijan Sabet’s post, I thought I would reflect on those who took a chance on me.

I still vividly remember the day the big envelope showed up from Stanford. The university and some admissions officer took a chance on me and it has had such a tremendous impact on my life, from the amazing people I met to the opportunities it has created for me.

One of the amazing people I met in school who took a chance on me became my wife. We started off as dorm mates, then friends and she decided to take a chance on this slacker of a CS major that used to make fun of where she grew up. What a ride it’s been, nearly 11 years later. With the arrival of our son, it feels like we’re just getting started on a great journey.

Professionally, the first person to take a chance on me was a senior director at Aplix. When he brought me on to his team, it opened up a lot of new experiences for me. I traveled around the world to work on a standards body, learned and came to deeply understand the nuances of the mobile ecosystem and got an inside track on Android well before it hit the market.

That inside track on Android led me to T-Mobile, where I found a VP that was a fantastic mentor. He took a chance on me and supported broadening my experience by branching out from T-Mobile to working with T-Venture. The US managing director at T-Venture also took a chance on me to provide him with technical due diligence on a number of startup opportunities being reviewed while learning a bit about how venture capital works. This was critical to getting Mobilisafe off the ground.

It was early on at T-Mobile that my co-founder Dirk and I would joke about doing some kind of startup thing. While starting a company with a partner is a two way street, Dirk was taking the bigger risk. He had experience at startups shipping products, but I had never been a startup CEO, never fundraised, never done a lot of the things you need to do to get a company off the ground. And yet, he took a chance on me and we’ve had an amazing ride together.

It would be nice to say that Mobilisafe would have happened with or without investors, but at the time it was important for Dirk and me to have some investor validation. The teams at Madrona and Trilogy took a chance on me. We had something that resembled a prototype and a pitch deck when they committed to invest. With Mobilisafe’s exit, we provided a great return in a relatively short period of time.

I had been thinking about this concept a bit in the back of my mind in light of Sheryl Sandberg’s new book and some of the commentary around it regarding the importance of having sponsors. Bijan’s post really pushed me over the edge to write this post. Sponsors take a chance on you. They invest their time in you with the hope that you will be better for it, likely because someone did the same for them earlier in their career. I’m grateful for my sponsors and I hope to continue taking chances on others as well.

Interview With USA Today

March 22, 2013

I was recently interviewed by USA Today about vulnerabilities recently patched in iOS that allowed for the lock screen to be bypassed:

Apple’s scramble to deal with this underscores how cyber criminals are not entirely ignoring the iPhone, despite the deluge of probing and attacks on Android smartphones and tablets. USA TODAY tapped Giri Sreenivas, Rapid7’s vice president and general manager of mobile, for context.

Q: What is the core problem?

Sreenivas: Security vulnerabilities are being discovered that evade the security policies created for mobile devices. For example, this week Apple updated its iOS software with a security fix for a lockscreen bypass flaw. Apple’s update was aimed at solving two bypass flaws that were discovered, however just a day after the patch was released there was news that yet another bypass flaw had been discovered targeting iPhone 4 devices.

Interview with CSO Magazine

March 21, 2013

I was recently interviewed by CSO Magazine on recent mobile vulnerabilities:

Another big problem for corporations is lost or stolen smartphones, added Giri Sreenivas, vice president and general manager of mobile for Rapid7.

To mitigate those risks, companies require their employees to secure their phones with a PIN. “These vulnerabilities allow those controls to be bypassed,” he said in an interview.

Video Visualizing Wealth Distribution In The US

March 6, 2013

A great contrast between perception, reality and ideals.

Interview with USA Today on Mobile Clickjacking

March 4, 2013

I was interviewed recently by USA Today on the security concerns related to unpatched devices, including risks from clickjacking:

One big security hole cybercriminals are expected to increasingly focus on is the fact that the operating systems of mobile devices are cumbersome to upgrade. A recent survey by security firm Rapid7 revealed that 67% of devices using the revered Apple iOS platform, which powers iPhones and iPads, are running without the latest feature upgrades and security patches.

“Mobile devices are typically required to be updated by employees and patches can’t be pushed by organizations,” says Giri Sreenivas, mobile vice president at Rapid7. “Because of this, there is a high percentage of devices running out-of-date firmware.”

Interview with USA Today On Mobile Adware

January 18, 2013

I was interviewed recently by USA Today on the mobile adware (madware) trend that is plaguing mobile users.

Many free apps require consumers to divulge location information and personal data, which app developers and ad networks then use to concoct new ways to hook people and their contacts into a transaction. Another concern is that all of that harvested personal data can be accessed by spammers and identity thieves, says Giri Sreenivas, mobile manager at security firm Rapid7.

Mobile Security Guidelines: NIST vs. TIA

January 14, 2013

Last October, NIST published a draft of security guidelines that outline core security capabilities that mobile devices should have to protect the information they handle. These guidelines will inform how government agencies evaluate the security concerns raised by their employees' use of mobile devices. Recently, the Telecommunications Industry Association (TIA) responded to these guidelines in a somewhat surprising way, which merits investigating this topic a bit deeper.

Overview of NIST Guidelines

The guidelines boil down to the recommendation of including three key security components in every device:

  • Root of Trust – The combination of the BIOS and a trusted platform module (TPM) forms a root of trust.
  • APIs – Interfaces to use the security functions of a root of trust
  • Policy Enforcement Engine – A component to process, maintain and manage policies for a mobile device

The combination of these components can help provide strong security assurances that devices are trustworthy and have not been jailbroken or otherwise compromised.

TIA Position

The Telecommunications Industry Association is a large and powerful industry organization that counts major handset manufacturers and carriers among its members. Just a few weeks ago, they warned that NIST’s guidelines were too detailed and prescriptive and could consequently cause a fracture between products built for consumers and solutions built for government agencies that embrace NIST recommendations. They argue that today’s mobile platforms support equivalent capabilities while not adhering to the specific requirements in NIST’s publication.

While TIA is challenging the specificity of the NIST guidelines to achieve mobile security, there have been a number of implementations of elements of trusted computing that are available in the market today. The most recent example is the Platform Integrity Architecture that is shipping with Windows 8. (We are still determining if this shipped on the Microsoft Surface device and other Windows RT devices.) What is also interesting about the availability of this software implementation is the corresponding widespread availability of hardware that can potentially support it. For several years now, the majority of ARM chipset architectures that are utilized in smartphones and tablets have a trusted execution mode known as ARM TrustZone. TrustZone may be able to help meet the requirements of NIST.

Challenges and Benefits

Earlier in my career, I spent time in the defense industry researching and building solutions for DARPA that laid the groundwork for the NSA’s High Assurance Platform Program. All of our efforts were centered around the trusted computing techniques that are also at the core of the NIST guidelines. Trusted computing techniques offer an extremely high level of security, but there is a corresponding infrastructure investment to make the technology effective. From dedicated hardware shipping in a device (TPMs) to a network attestation service, the end-to-end requirements to support a legitimate trusted computing architecture are not trivial. While the costs of TPMs have come down dramatically, leading to their inclusion in most laptops today, mobile TPMs for smartphones and tablets are not widely available. The specificity of NIST’s guidelines should be weighed against a possible solution with the widely available TrustZone capabilities.

Conclusion

Trusted computing initiatives were ambitious when they first kicked off nearly a decade ago, but today we are starting to see widespread availability of some of the core infrastructure components to make these implementations viable. NIST’s recommendations reflect the critical importance of device trustworthiness, but TIA’s pushback should be a cause for concern. NIST and government agencies will need to be sensitive to buy-in from organizations like TIA to ensure they are not left behind on the ever-accelerating mobile technology curve.

(Cross-posted at Security Street)

Security For Personal Mobile Devices For Work Tightens

January 7, 2013

I was interviewed recently by USA Today about the BYOD trend and mobile devices in the workplace.

The employer can even block access to apps stores, disable phone cameras or use the device’s GPS function to monitor where an employee spends work and personal hours, says Giri Sreenivas, mobile manager at security firm Rapid7.

“Just because you bought your device and bring it into work doesn’t mean you can do everything you want with it,” Sreenivas says.

“Organizations have to fundamentally change the way that they think about security,” says Rapid7’s Sreenivas. “They have to think about what makes up an acceptable use policy, one that employees can believe in and agree to.”

Desirable Internship Experience For Working At A Startup
© Copyright - Observations On Building