I’m a hacker, security analyst, sysadmin, and engineer.
I’m a hacker, security analyst, and sysadmin. Most importantly, I am an engineer — that means that I see problems and find solutions. My specialties are in network and systems security, administration, and engineering. I also do application security assessments and general security engineering, as well as software development, usually to create tools that support or enable my other skills. My hobbies are playing video and tabletop games, reading sci-fi and fantasy books, and dabbling in electrical engineering.
I do application, network, and systems security assessments and engineering for Independent Security Evaluators, a security consultancy. As part of my work, I publish blog posts whenever I have interesting findings or useful advice to share. You can find them on my blog. The posts that are directly relevant to my work are also published on ISE’s blog.
This is my personal site, where you can find some information about me, a list of my projects, and my contact info.
I’ve given a number of talks at various security and tech conferences. Here are some examples (newest first):
I am also a regular participant in my employer’s internal lightning talks program. While many of those talks aren’t publishable due to NDAs, here are a few that are:
While on an assessment for a client, I needed a way to intercept certain HTTP API calls and dynamically generate a response while allowing other calls to go through to the real application’s servers. I came across an extension for BurpSuite that allowed the user to select specific API calls to intercept and reply with static content, but I needed the ability to dynamically generate responses, so I added that functionality to the extension and published my changes. The extension now supports redirecting any HTTP request to any other URL, replying to the call based on the contents of a file, or generating a response either by piping the content of the call to a program or by calling the program as a CGI script.
Much of my job consists of working with BurpSuite, so I find myself regularly needing to write small custom tools for working with it. I publish the ones that I can in the hopes that someone else might find them useful. Here are the ones I’ve published so far:
My full résumé is available by request. Highlights:
Feel free to contact me with any questions about any of my projects. You can find the source code, and in some cases binaries, on my GitHub page.
I am available for ongoing and project-based consulting work; I am not currently looking for a new job, but if you think you have a particularly good offer or fit for me, please send me the details.
For sensitive communications, I have published keys on this site using the Web Key Directory standard, and on the MIT PGP Key Server. This means that for most implementations of PGP my key will be automatically discovered and used, but you can also find a local mirror of my public key here if you wish to download it manually. You can also import the key using my Keybase profile, or use Keybase Chat.