The website you are on currently. I try to write fairly meaty Blog Posts - a good number of things I consider 'projects' ultimately just culminate in a blog post.
I just (2017) started with Mozilla, working on Firefox. Specifically: Tor Uplift, Anti-Exploitation, and security features like HPKP.
An awful lot of my time goes to keeping track of what's happening on a number of mailing lists, including a bunch of IETF and W3C lists, the various crypto ones, and a myriad of ones that deal with LibTech.
IETF Standards
I'm an author on Certificate Transparency Gossip, and I keep close tabs on OpenPGP and TLS 1.3, as well as various WebSec/PKIX/DANE-related discussions.
Now that I work at Mozilla, the time I previously begged, borrowed, or stole is actually work time! I do some Tor-related things, mostly on Tor Browser and Directory Authority work (consensus-health, Bandwidth Authorities).
CII, OTF, LibTech
I'm on the Advisory Council for CII and OTF, and work closely with a number of other projects in the LibTech/anonymity/circumvention space (like Guardian Project). When NCC Group (nee iSEC Partners) published public reports (e.g. CryptoCat, Wikipedia, SecureDrop), I usually had a finger in the assessment.
on hold
LibTech Auditing Cheatsheet
A laundry list of things to look for and consider when auditing or designing an application with high security or privacy requirements.
Basically, we're a loose collection of folk who want to promote anonymity and privacy software, develop better versions, and run services. I'm one of the founding members (if there can be such a thing), and these days my main participation is authoring what I hope will be a ton of Blog Articles on the theory of remailers, plus answering questions on IRC.
Code Peer Review
I used to teach a graduate course or two, or an Intro to Programming course, at the engineering school I graduated from. I'd like to go back to it, but I want to free up some time first, and I hate teaching with anything less than a full commitment to my students.
completed & retired
I started (with Sean Devlin and Alex Balducci) and managed NCC Group's Cryptography Services for a couple years - we did (they still do) cryptographic consulting.
TrueCrypt Phase 2 Crypto Audit
I was one of the primary authors on this report.
Tor Browser Hardening Study
A report about the state of Tor Browser Bundle with regard to Firefox exploitation. I was one of the primary authors on the document, and it helped guide the security slider, among other things.
De-Anonymizing Alt.Anonymous.Messages (youtube) - Defcon 2013
For about four years I downloaded archives of the anonymous usenet group, then I did some analysis, correlated some messages, and presented some findings at Defcon.
Verizon's Femtocell (youtube) - Black Hat Vegas & Defcon 2013
A team of folks that included me, Doug, Andrew, and some more hacked a Verizon Femtocell and then weaponized it, recording voice and SMS traffic, and MitMing and sslstripping the phone's data connections. And we did it live, on stage, at Black Hat and Defcon. We wound up being picked up by Reuters, CNN, and NPR.
Cryptopocalypse! (youtube) - Black Hat Vegas 2013
Alex Stamos, Javed Samuel, Tom Ptacek, and I gave a talk at Black Hat about some interesting possibilities arising from the recent advances in computing discrete logs in small characteristic fields. It's not immediately applicable to RSA, but the research reminded us that advances in factoring can make RSA weak the way we use it, and if that happens, well, cryptopocalypse. This got quite a bit of press, some accurate, some not, from Schneier, Matt Green, Ars, Colin Percival, and lots more.
Open Technology Fund Audit Report
Not very technical, but dear to my heart - this project was an engagement where I worked with OTF to figure out how they can more effectively engage security auditors, get better results, use their money more wisely, and so on. A 'process' type document.
Dendritic arborization in dauer IL2 neurons
A neat data analysis project I did with some geneticists, looking at potential candidate genes that can affect branching in dendrites during a hibernation stage (dauer) of the C. elegans lifecycle.
The Myth of Twelve More Bytes - Black Hat Vegas 2012
A presentation I did at Black Hat on IPv6, DNSSEC, and the new Top Level Domains (TLDs) with one of my bosses, Alex Stamos.
Separator Oracle
An adaptive ciphertext attack I developed with a friend.
Cloud & Control - RSA 2012; Ekoparty 2011
A presentation I gave about distributing any task to hundreds or thousands of computers to get it done quickly. The canonical example I use is factoring RSA-512, which I could do (back then) in about 30 hours.
My First RFC
I actually spent 3 years developing this Internet Draft, but it was finally published in April 2011.
ClickOnce MITM
I started trying to man-in-the-middle ClickOnce applications, and eventually did a write-up on it.
Just a joke site I built in a night. The only interesting thing about it is that it's ASP.NET MVC running on Mono.
On-Board Full-Disk Encryption in HDDs
This one's kind of tricky, because it may require a clean room - but I aim to verify the full-disk encryption claims of Seagate's FIPS-compliant hard drives.
A simple WPF app that helps you regression test stored procedures. I got it into a working state, then back-burnered it in favor of other projects. But I think the concept is solid, even if the implementation isn't.
Vconf is an Online Virtual Tech Talks website. I aimed for a live presentation every week, Tuesday nights. I ran it, and we had several good presentations on WinDBG, CouchDB, and other topics, but it has fizzled. The presentations are still available at vconf.ritter.vg.
gentoo configs
I maintain a bunch of Gentoo servers, and used to publish the scripts, config files, and patches I've made to keep them running, logging, and such.
