I’m a hacker, sysadmin, software developer, and engineer.
I’m a hacker, sysadmin, and software developer. Most importantly, I am an engineer — that means that I see problems and find solutions. My areas of interest include network, systems, and embedded security, as well as network and systems administration/engineering. The bulk of my professional and hobby security work is done in an offensive context, with occasional software development, usually to create tools that support or enable my other skills. My hobbies are playing video and tabletop games, reading sci-fi and fantasy books, cooking and baking, and dabbling in electrical engineering.
I currently work at Google as a Senior Security Engineer performing Adversary Simulation and Red Team operations. My areas of focus include application, cloud, and hardware security.
This is my personal site, where you can find some information about me, my blog, a list of my projects, and my contact info.
I’ve given a number of talks at various security and tech conferences. Here are some examples (newest first):
I am also a regular participant at an internal lightning talks program. While many of those talks aren’t publishable due to NDAs, here are a few that are:
/dev/urandom
— The State of Randomness in Linux (2020-08)While on an assessment for a client I needed a way to intercept certain HTTP API calls and dynamically generate a response while allowing other calls to go through to the real application’s servers. I came across an extension for BurpSuite that allowed the user to select specific API calls to intercept and reply with static content, but I needed the ability to dynamically generate responses, so I added that functionality to the extension and published my changes. The extension now supports redirecting any HTTP request to any other URL, or replying to the call based on the contents of a file, or generating a response either by piping the content of the call to a program or by calling the program as a CGI script.
I spoke about and demo’d this extension at ToorCon 21. You can find my slides here.
You can find the original repository for the extension here and my updated fork on my work Github.
As a fan of DEF CON’s #badgelife, I was ecstatic to have the opportunity to contribute as part of my employment at ISE. ISE runs the IoT Village at DEF CON and at other conferences, and we wanted to have our own badge… an effort which I unfortunately couldn’t see to completion while I was there.
In the meantime, I worked with the marketing team at ISE to create this, the IoT Village official SAO. It features artwork by ISE’s talented ‘social media guy’ cum salesman Sam Levin. I worked with him to import the artwork into KiCAD, designed the rest of the PCB (it makes an LED glow, very complicated 😉), and oversaw the manufacturing process including cost optimizing the BOM and working with our PCB fabrication house to ensure the quality was up to spec.
The SAO debuted in 2018 and has seen several ‘reprints’, so keep an eye out for one if you’re at a conference with the Village.
Much of my job consists of working with BurpSuite, so I find myself regularly needing to write small custom tools for working with it. I publish the ones that I can in the hopes that someone else might find them useful. Here are the ones I’ve published so far:
My full résumé is available by request. Highlights:
Feel free to contact me with any questions about any of my projects. You can find the source code, and in some cases binaries, on my GitHub page.
For sensitive communications, I have published keys on this site using the Web Key Directory standard, and on the MIT PGP Key Server. This means that for most implementations of PGP my key will be automatically discovered and used, but you can also find a local mirror of my public key here if you wish to download it manually. You can also import the key using my Keybase profile, or use Keybase Chat.
My current local time is .