I’m a hacker, security analyst, sysadmin, and engineer.
I’m a hacker, security analyst, and sysadmin. Most importantly, I am an engineer — that means that I see problems and find solutions. My areas of interest include network, systems, and embedded security, as well as network and systems administration/engineering. The bulk of my professional and hobby security work is done in an offensive context, with occasional software development, usually to create tools that support or enable my other skills. My hobbies are playing video and tabletop games, reading sci-fi and fantasy books, and dabbling in electrical engineering.
I currently work at Apple as a Senior Security Engineer focusing on Application Security.
This is my personal site, where you can find some information about me, my blog, a list of my projects, and my contact info.
I’ve given a number of talks at various security and tech conferences. Here are some examples (newest first):
I am also a regular participant at an internal lightning talks program. While many of those talks aren’t publishable due to NDAs, here are a few that are:
/dev/urandom— The State of Randomness in Linux (2020-08)
While on an assessment for a client I needed a way to intercept certain HTTP API calls and dynamically generate a response while allowing other calls to go through to the real application’s servers. I came across an extension for BurpSuite that allowed the user to select specific API calls to intercept and reply with static content, but I needed the ability to dynamically generate responses, so I added that functionality to the extension and published my changes. The extension now supports redirecting any HTTP request to any other URL, or replying to the call based on the contents of a file, or generating a response either by piping the content of the call to a program or by calling the program as a CGI script.
Much of my job consists of working with BurpSuite, so I find myself regularly needing to write small custom tools for working with it. I publish the ones that I can in the hopes that someone else might find them useful. Here are the ones I’ve published so far:
My full résumé is available by request. Highlights:
Feel free to contact me with any questions about any of my projects. You can find the source code, and in some cases binaries, on my GitHub page.
For sensitive communications, I have published keys on this site using the Web Key Directory standard, and on the MIT PGP Key Server. This means that for most implementations of PGP my key will be automatically discovered and used, but you can also find a local mirror of my public key here if you wish to download it manually. You can also import the key using my Keybase profile, or use Keybase Chat.
My current local time is .