Max Zinkus

I am passionate about building secure systems to make technology safer, more reliable, and easier to use. My work has included hacking web platforms, applications, and systems; architecting and developing software with security and privacy from the ground up; leading teams towards compliant, secure designs; and researching applied cryptography and security to advance the state of the art.
I am currently a PhD Candidate in Computer Science at Johns Hopkins University in Baltimore, MD. I work in the ARC and SPAR labs, and my advisor is Dr. Matthew Green.
In 2024, I passed the CISSP exam towards certification as a cybersecurity professional and leader. I earned my Masters of Science in Engineering (MSE) in Computer Science from Johns Hopkins in 2020, after completing my undergraduate studies at the California Polytechnic State University at San Luis Obispo in 2018 with a Bachelors of Science in Computer Science and a minor in Mathematics.
Outside of my work I enjoy tennis, chess, getting outdoors, and needlessly elaborate coffee-making methods.

I can be reached via email at contact [at] mzink [dot] us. If encryption is needed, I am maxzks.77 on Signal.

As I complete my degree I will be joining Anchorage Digital as a Member of Technical Staff in Security Engineering! Anchorage Digital is a crypto platform that enables institutions to participate in digital assets through custody, staking, trading, governance, and settlement, and it is home to the only federally-chartered crypto bank in the US, making it the only unequivocally qualified custodian for digital assets. I'm very excited to be joining a well-established and growing team of dedicated and talented people, and to apply the expertise I've developed throughout my PhD.

On February 15th, 2024, I passed the ISC2 Certified Information Systems Security Professional (CISSP) exam. The CISSP certification is widely considered among the most rigorous and prestigious certifications in the field. It covers the creation, management, and implementation of comprehensive enterprise information security programs for organizations of any size. As of March 14th, I am now officially certified!

I co-invented United States Patent #11837356B1 with a team of software, hardware, and biomedical engineers. Our patent covers secure Over-The-Air (OTA) firmware updates to deployed medical devices maintaining functionality and patient safety.

I was renewed as a J.L. Moore Fellow by the Computer Science department of California Polytechnic State University at San Luis Obispo. The fellowship provided an additional $12,000 award towards the completion of my Doctoral research.

Our paper on using SAT solving techniques to evaluate information leakage in secure functionalities was accepted for publication in USENIX Security! I presented the work in Anaheim, CA in August. We applied and expanded on our prior USENIX work, Delphinium, to create a tool which can evaluate the privacy (or lack thereof) of functions to be computed in secure protocols such as MPC, FHE, and ZK proofs. Given a function description, our tool will estimate leakage and even generate adversarial inputs to the protocol which maximize information leakage. A version of the paper is available here.

The Computer Science department of California Polytechnic State University at San Luis Obispo named me a J.L. Moore Fellow! This fellowship is accompanied by a $10,000 award for my ongoing research and progress through the Doctoral degree.

Our paper on creating One-Time Programs from Commodity Hardware was accepted for publication at TCC 2022. We presented it at the Chicago conference in November. The paper develops cryptographic theory for realizing one-time programs (and therefore powerful cryptographic primitives such as program obfuscation) from commodity hardware -- specifically, implementations including a tamper-resistant hardware counter, which have emerged in commodity systems ranging from iPhones to Intel SGX servers to Apple's iCloud Keychain and Google's Titan HSM-based backup system. A version of the paper is available here.

I was quoted in an article by Lily Hay Newman for WIRED on the use and implications of the App Privacy Report feature of iOS 15. In it, I discuss potential indicators of spyware based on the App Privacy Reports, and the relative value of the various sections of the report. The article can be found here.

Our Systematization of Knowledge paper SoK: Cryptographic Confidentiality of Data on Mobile Devices was accepted for publication in PETS 2022.1. A pre-print of this work can be found here.

Our recent work on the forensic security of mobile devices was featured in WIRED and Forbes! Thank you to Lily Hay Newman and Thomas Brewster for their reporting, and additionally to the DevNews podcast for hosting me and my co-author Tushar to discuss mobile data security and our work.

I released the full version and accompanying website of my report on the security and privacy of data on mobile devices, specifically iOS and Android phones. The work was co-authored by Tushar Jois and my advisor Dr. Green. To read a summary or the full report, visit the project site.

I was interviewed by Ted Bridis, who worked the University of Florida College of Journalism and Communications news service, to publish an article on the recent voter suppression campaign executed in Florida. I had performed forensic network analysis to trace the sender(s) of a bulk email which threatened voters in Florida, which turned out to be part of a larger operation reportedly by Iran to seed chaos in the US election. The article can be found here.

Gabrielle Beck and I had our first project under Dr. Green accepted for publication at the USENIX Security Symposium. In this work we delved into emerging constraint programming techniques to automated the development of padding oracle attacks before generalizing our work to arbitrary novel format oracles. The goal of the tool we created is to enable automatic development of end-to-end exploits for Chosen Ciphertext Attacks in order to strengthen arguments for systems to switch to authenticated encryption. Despite being well-accepted, authenticated encryption is neglected by a startling number of systems in production. A version of this work is available here.

Along with two of my professors at Cal Poly, Dr. Bruce DeBruhl and Foaad Khosmood, I developed an ultra-lightweight probabilistic intrusion detection system designed for IoT use cases, and performed end-to-end evaluation using a testbed of real IoT devices. As part of this work, we explored compressing non-cryptographic hash functions and their application to IDS. This work has been accepted for publication at IEEE GLOBECOM 2019. A version of the paper is available here.

Our paper introducing "Fakesbook" was accepted for publication at ACM SIGCSE 2019. Fakesbook is a platform we designed, implemented, and applied to evaluate and teach computer security and privacy concepts to middle and high school students. A version of the paper is available here.

Our work on developing, executing, and evaluating an experimental course intersecting technical privacy with policy and critical analysis was accepted for publication at JCSC 2018. This work included an exhaustive survey of almost 300 US ABET-accredited universities to demonstrate need for technical privacy education focused toward Computer Science and CS-adjacent students. A version of the paper is available here.