The website you are on currently. In the past I have written short and then eventually longer blog posts - a good number of things I consider 'projects' ultimately just culminated in a blog post. These days I tend to blog very infrequently.
I started with Mozilla in Jan 2017, working on Firefox. These days I help lead security strategy, mostly focusing on anti-exploitation. Lots of things fall under that banner including securing dependencies, making code memory-safe (or safer), static analysis, mitigations, and lots of other stuff. I also help run the Bug Bounty program, write Security Advisories, and manage security bug uplift and release. I also work or volunteer at the intersection of Tor Browser and Firefox, usually on Resist Fingerprinting or First Party Isolation. If you're really, really curious, you can stalk me on Bugzilla.
emails & standards
While I do this less than I did, I still try to keep track of what's going on in various standards bodies (mostly IETF and W3C) and crypto and privacy-related project mailing lists. I'm an author on the dormant Certificate Transparency Gossip draft, and have participated in Certificate Transparency, TLS 1.3 (and other TLS drafts), HSTS, HPKP, and several other standards. I proposed (and experimentally implemented) a 'Require-CT' mechanism for HTTP that inspired the current draft and have advocated for a Must-Staple header (to complement the x509 extension).
I've been a volunteer for Tor for a long time, and a relay operator for a while befoe that. Now that I work at Mozilla, some of this time is now work time! I do various things, mostly on Tor Browser and consensus-health. I run one of the four Bandwidth Authorities, and ran some experiments on that system. Thankfully the bwauth code is now someone else's problem =)
Occasionally I do small-hours consulting for projects, mostly review cryptographic protocols and helping them get their initial plans solid before they move on to more typical consulting firms with a larger minimum job size.
Other Stuff
I'm on the Advisory Boards/Councils of CII, OTF, MOSS (now dormant), IFF (also dormant) and the Black Hat Guest Board. I also work closely with a number of other projects in the LibTech/anonymity/circumvention space (like Guardian Project).
completed & retired
old-work (2012-2017)
I started (with Sean Devlin and Alex Balducci) and managed NCC Group's Cryptography Services for a couple years - we did (NCC group still does) cryptographic consulting. While at NCC Group (nee iSEC Partners), I was one of the pioneers of public audit reports by third parties, something I'm very proud of and is now a regular and often expected thing. When we published public reports (e.g. CryptoCat, Wikipedia, SecureDrop), before 2017 - I almost always had a finger in the assessment.
TrueCrypt Phase 2 Crypto Audit (2015)
I was one of the primary authors on this report.
Tor Browser Hardening Study (2014)
A report about the state of Tor Browser Bundle with regards to firefox exploitation. I was one of the primary authors on the document, and it helped guide the security slider, among other things.
De-Anonymizing Alt.Anonymous.Messages (youtube) - Defcon 2013
For about four years I downloaded archives of the anonymous usenet group, then I did some analysis, correlated some messages, and presented some findings at Defcon.
Verizon's Femtocell (youtube) - Black Hat Vegas & Defcon 2013
A team of folks that included me, Doug, Andrew, and some more hacked a Verizon Femtocell and then weaponized it, recording voice and SMS traffic, and MitMing and sslstripping data connections from the phone. And we did it live, on stage, at Black Hat and Defcon. We wound up being picked up by Reuters, CNN, and NPR.
Cryptopocalypse! (youtube) - Black Hat Vegas 2013
Myself, Alex Stamos, Javed Samuel, and Tom Ptacek gave a talk at Black Hat about some interesting possibilities from the recent advantages of discrete logs in small characteristic fields. It's not immediately applicable to RSA, but the research reminded us that advances in factoring can make RSA weak the way we use it, and if that happens, well, cryptopocalypse. This got quite a bit of press, some accurate, some not, from Schneier, Matt Green, Ars, Colin Percival, and lots more.
crypto.is (2011-2013
Basically, a loose collection of folk who want to promote anonymity and privacy software, develop better versions, and run services. I was one of the founding members (if there can be such a thing). The project has since falled into disrepair, but I keep the website running (which has, I think, a number of good blog articles). I hope some day crypto.is revives itself actually. You can find us in #cryptodotis on OFTC.
Code Peer Review
The goal was to aggregate relevant open source projects, watch their commits, and deliver personalized information via RSS, email, and a web interface to people to perform distributed peer review on individuals subject-matter-expertise - all to encourage poeple to get involved with projects and audit and improve the code. While the implementation there doesn't scale, I still think this project was a good concept that could be re-implemented and produce a community and good results.
Open Technology Fund Audit Report (2013)
Not very technical, but dear to my heart - this project was an engagement where I worked with OTF to figure out how they can more effectively engage security auditors, get better results, use their money more wisely, and so on. A 'process' type document.
LibTech Auditing Cheatsheet (2013)
A laundry list of things to look for and consider when auditing or designing an application with high security or privacy requirements. It was eventually used as the basis of a number of organizations auditing plans
Dendritic arborization in dauer IL2 neurons (2013)
A neat data analysis project I did with some genetists that look at potential candidate genes that can affect branching in dendrites during a hibernation stage of the C. elegans lifecycle.
The Myth of Twelve More Bytes - Black Hat Vegas 2012
A presentation I did at Black Hat on IPv6, DNSSEC, and new Top Level TLDs with one of my bosses, Alex Stamos.
Separator Oracle (2012)
An adaptive ciphertext attack I developed with a friend.
Cloud & Control - RSA 2012; Ekoparty 2011
A presentation I gave about distributing any task to hundreds or thousands of computers to do stuff quickly. The canonical example I use is factoring RSA512, which I could do (back then) in about 30 hours.
On-Board Full-Disk Encryption in HDDs (2011)
I aimed to verify the claims of full disk encryption in Seagates FIPS-compliant hard drives. This was pre-OPAL standard, which AIUI has improved things a bit. I still think there's a lot of bugs to be found in this area though, and a lot of 'secure' encryption to be broken.
My First RFC (2011)
I actually spent 3 years developing this Internet Draft, but it was finally published in April 2011.
ClickOnce MITM (2010)
I started trying to man-in-the-middle ClickOnce applications, and eventually did a write-up on it. This was the very first 'security' thing I did, before I had started in the security field and was just trying to build up my resume and experience.
sprocket (2010)
A simple WPF App that helps you regression test stored procedures. I got it into a working state, and kind of back burner-ed it in lieu of other projects. But I think the concept is solid, even if the implementation isn't.
vconf (2009)
Vconf is an Online Virtual Tech Talks website. I aimed for a live presentation every week, Tuesday nights. I ran it, and we had several good presentations on WinDBG, CouchDB, and more topics but it eventually fizzled out.
teaching (2007-2009)
I used to teach a couple graduate courses, and a Intro to Programming course at the engineering school I graduated from. I eventually stopped once I planned to spend an extended period of time away from home, and then never got back into it.
Add a comment...
required, hidden, gravatared

required, markdown enabled (help)
you type:you see:
[stolen from reddit!](http://reddit.com)stolen from reddit!
* item 1
* item 2
* item 3
  • item 1
  • item 2
  • item 3
> quoted text
quoted text
Lines starting with four spaces
are treated like code:

    if 1 * 2 < 3:
        print "hello, world!"
Lines starting with four spaces
are treated like code:
if 1 * 2 < 3:
    print "hello, world!"