This is the fully buzzword compliant version suitable for resume bots and initial screeners. One-page version here.


Jan Schaumann
What I Do: I worry about protecting user data and privacy, about infrastructure security and integrity. In so doing, I wear many hats: Information Security Engineer, Systems Architect, System Administrator, Actual Human. I'm particularly interested in the social aspects of Information Security engineering and try my best to solve people problems with a focus on quantitative analysis, metrics, and an accurate threat model.

With 20 years of experience in both small scale deployments and academia as well as in enormous high-availability infrastructures serving millions of users, I offer an extensive background in all things Unix, enthusiasm to learn new technologies, a thorough Computer Science background, as well as high quality standards.

I implement scalable and reliable tools, design architectures and APIs, create proof-of-concept prototypes, and intuitively and quickly analyze existing architectures both for what works and what doesn't; I analyze threat landscapes and develop threat models, determine and dissect applicable metrics to derive realistic, impactful solutions focused on reducing the attack surface and eliminating attack vectors. I enjoy teaching/mentoring, offer strong interpersonal and communications skills, a curious and open mind, and very strong work ethics.

Above all, I'm driven by developing solutions that have a long-term impact and solve real issues for all users. I don't shy away from hard problems.
Current interests and ambitions I'm currently primarily interested in Secure and Scalable Infrastructure Systems Architecture on an Internet scale with special areas of interest in Internet Architecture, Anonymity & Privacy, practical application of cryptographic protocols, threat modeling with human behavioral traits and patterns. Having a long term impact and building something that lasts are as important to me as my own professional growth, academic development, and community outreach.

I'm specifically looking to take my career beyond contributing to any single company, and towards improving the industry in general.

If you are a recruiter, please read this before contacting me.

I'm also working (on-again/off-again) on a textbook for my class on System Administration. Working title: ``Principles of System Administration''

Specialties: Large scale System Administration and Infrastructure Architecture; conceptual integrity; infrastructure security; threat modeling; scalable infrastructure tools; zero trust; all things unix; automation of any thinkable task; DevOps, SRE, and hybrid cloud environments

Technical Expertise: NetBSD, FreeBSD, Linux, RHEL/CentOS... any unix-based OS; AWS/EC2; C, Go, Perl, Python, PHP, Shell... ready to pick up any new language; REST, intuitive grasp of API requirements
  LinkedIn Profile
Selected Publications/Talks: Upcoming and recent talks

(A few) Ops Lessons We All Learn The Hard Way - broadly shared on the internet since 2020-01-24

The Razor's Edge - Cutting Your TLS Baggage - given at O'Reilly Security 2017 on 2017-11-01 [slideshare link]

OpSec 101 - A Choose Your Own Adventure for Devs, Ops, and other Humans - given at ConFoo Vancouver 2016 on 2016-12-07 [slideshare link]

Know Your Enemy - An Introduction to Threat Modeling - given at ConFoo Vancouver 2016 on 2016-12-05 [slideshare link]

Crazy Like A Fox - given at O'Reilly Security on 2016-10-31 [slideshare link]

It's the people, stupid - given at Velocity NY 2016 on 2016-09-22 [slideshare link]

Things They Don't Teach You In School - given at the Stevens Institute of Technology Computer Science Club on 2016-03-14 [slideshare link]

Everything is Awful (And You're Not Helping) - given at BSidesSF 2016 on 2016-02-28 [slideshare link] [video]

Defense at Scale - given at BSidesNYC 2016 on 2016-01-16 [slideshare link]

Primum non nocere - Ethical Obligations in Internet Operations - given at Velocity NY 2015 on 2015-10-14 [slideshare link]

Protecting Data in Untrusted Locations - given at RealWorldCrypto 2015 on 2015-01-09 [slideshare link]

All Is Not Lost (But We Need Your Help) - given at OpenITP's Techno Activism 3rd Monday on 2014-01-20 [video | slideshare link]

Online Privacy Tools - given at San Francisco's One City, One Book on 2013-09-04 [slideshare link]

"We're Doing It Wrong -- What DevOps Needs To Learn In Order To Scale Up, DevOpsDays NYC, January 2013

Experience: Yahoo! Inc. (April 2015 - June 2017); Oath Inc. / Verizon Media (June 2017 - present)
New York, NY
Distinguished Paranoid Architect
Principal member and Infrastructure Security Architect of the Yahoo!/Oath/Verizon Media Paranoids, our industry-wide recognized team of information security experts. I focus primarily on infrastructure architectural design and decisions that impact all of the company's internal systems across all layers of the OSI stack and all data centers and edge locations.

I work at the intersection of an over 20-year old infrastructure spanning dozens of datacenters across the globe with massive cloud-native environments and products, covering countless edge cases not usually encountered in other environments; I'm involved in cleaning up after and working to make repeats impossible of some of the internet's biggest compromises, including lessons and continuously gaining insights that cannot be learned elsewhere, yet are invaluable to be applied everywhere.

Recent projects included:
  • leadership in architecture, design, and strategy for all infrastructure security aspects of merging, combining, and creating anew two of the internet's oldest and most respected brands: as Yahoo is merged with AOL and various other brands, we focus on raising our defenses, increasing security across the board, and reducing our attack surface while expanding our footprint and global impact
  • function as subject matter expert in the company's efforts to drive tech excellence and unification of a modern stack
  • develop, champion, communicate, and guide implementation of the company's Zero Trust strategy for the entire company, including both corporate enterprise environments as well as production networks
  • strategy, initiative, and planning of reproducible builds, trustworthy artifacts, and attestation and assurance of integrity in the continuous integration and continuous deployment cycle
  • setting direction for Edge security, including technical stack, TLS standards, secure boot, and trusted computing
  • moving Yahoo's 22 year old infrastructure forward to disrupt the attacker life cycle at each strategic phase; this includes developing strategy on what to focus on, how to resolve the biggest issues, and working with dozens of teams to fundamentally change how our services are operated, while minimizing business impact
  • in-depth analysis of network layer encryption technologies deployed at Yahoo; recommendations of operational improvements and requirements within a threat model that includes the most advanced, capable, and persistent adversaries
  • analysis of SSL and TLS technologies, stacks, ciphers, and protocols across all of Yahoo and across time, producing trend-lines and other detailed findings leading to company-wide recommendations and improvements
  • threat-modeling of infrastructure deployed in edge locations within and without Yahoo owned and operated data centers and colocations
  • HSTS, HPKP, and similar HTTP security enhancements; addition of HPKP preloaded pins for Yahoo's key domains in Chrome and Firefox to protect end-users from TOFU/MitM vulnerabilities
  • support of the incident response team during major vulnerabilities such as DROWN, ImageTragick etc.
I provide research and meticulous analysis of the threat landscape and develop and report on company-wide metrics that help our team reduce our attack surface by making difficult decisions and prioritizing the most impactful work. At the same time, I enable our developers and engineers to improve productivity and move roadblocks out of their way, making Security their partner.

New York, NY
January 2013 - March 2015
Staff Infrastructure Security Engineer
Senior member of the Information Security team, team lead for security operations and infrastructure security. We coordinate incidence response for company-wide security issues such as Heartbleed, Shellshock, POODLE etc; we maintain all of Twitter's SSL/TLS certificates; we perform internal and external security reviews, consult on internal and external facing feature development and infrastructure changes or planning.

Rolled out Kerberos at Twitter and drove migration of Subversion, SSH, sudo(8), Git, and misc. services to use Kerberos; maintenance of monitoring and auditing around TLS certificates and supported cipher suites; wrote and maintained a tool to allow for user-friendly asymmetric encryption of secrets; helped designed key distribution system; wrote system software for and designed end-to-end solution around bootstrapping trust using TPMs in untrusted locations; regular end-user training to reduce risk of phishing and just general education of all engineers on security related issues.

New York, NY
April 2012 - December 2012
Senior Network Security Engineer

New York, NY
January 2012 - April 2012
Senior Infrastructure Architect

Yahoo! Inc.
Sunnyvale, CA
May 2011 - December 2011
Principal Paranoid
Member of Yahoo!'s small central security team in charge of all aspects of product-, infrastructure-, network- and all other security related issues. My main focus there is currently on secure system architecture, conceptual integrity, vulnerability assessment and analysis, intrusion detection, as well as review of existing or new projects with particular focus on scalability and (data and service) integrity.

I routinely (try not to) break things, fix them and implement and design long term solutions. And I worry.

Yahoo! Inc.
Sunnyvale, CA
May 2007 - April 2011
System Architect
I create secure and scalable infrastructure solutions, ranging from configuration management over centralized and decentralized syslog deployments to massive host scanning, IPv6 implementation and strategy and everything in between, focussing on quality, correctness and the long term impact. The results are used to service over half a billion people every month.
  • Member of the Engineering Standards Group setting direction for all technological aspects of the company
  • Repeatedly nominated for the internal yearly Superstar Award
  • single owner of one of our configuration management systems deployed on nearly 100K hosts
  • intricately involved in setting the company's IPv6 direction and strategy
  • design and architect scalable solutions in the area of syslogging, massively parallel host scanning, industry breakthrough solutions such as L3DSR load balancing etc.

Yahoo! Inc.
Sunnyvale, CA
September 2006 - May 2007
Senior System Administrator
Extended and maintained configuration management system deployed on nearly 100K hosts; wrote rapid deployment system to reduce inventory-to-ready-to-serve turnaround time; wrote miscellaneous tools to automate regular workflow and processes; instituted best software engineering practices.

Hoboken, NJ
Summer 2003 - May 2006, September 2008 - present
Adjunct Professor of Computer Science
Teaching Graduate level class `` Advanced Programming in the UNIX Environment'', based on the well-known book by W. Richard Stevens, covering such topics as the user/kernel interface, fundamental concepts of UNIX, user authentication, basic and advanced I/O, fileystem, signals, process relationships, and interprocess communication.
This class has now been added as a requirement to the Master's degree in Computer Science.

Developed from scratch and am currently teaching graduate level class ``Aspects of System Administration'', covering topics such as hardware configuration, operating system installation, shell programming, security policies, backup deployment and disaster recovery, network design, software installation and maintenance, operating system tuning. (This class played an important role in the certification of Stevens's Computer Science Department as an NSA Center of Academic Excellence in Information Assurance Education; it is now part of the Master's degree requirements.)
In this class, I pioneered the use of Amazon EC2/AWS cloud services for teaching system administration.

Hoboken, NJ
September 2001 - July 2006
System Administrator
Administration of the Imperatore School of Sciences and Arts Scientific Computing resources (infrastructure and desktops), supporting some 3000 users (students, professors, staff alike) and their varying software needs.
Technical Skills: I'm always willing and able to quickly understand and learn other programming languages, software skills, protocols etc. based on solid Computer Science background, years of work experience and general enthusiasm and personal interest in the area.

NetBSD, FreeBSD, Linux (RHEL and various other distributions), IRIX, MacOS X, Solaris; x86, sparc, mips, PowerPC, amd64

Xen, Amazon Web Services (AWS), Amazon Elastic Compute Cloud

Completely fluent in all common unix userland tools including shell-scripting (sh, csh, ksh, sed, awk, regular expressions etc.), cvs, ssh, etc.;

Programming Languages:
C, Perl, shell, Go, Java, PHP, Python, C++, SQL, some Tcl/Tk

Protocols, Services and Standards:
Solid understanding of SUSv3
Familiarity with routing and switching (Cisco, Extreme hardware).

Information Security
SSH, SSL, TLS, Certificate Management, asymmetric and symmetric key cryptography, PGP, authN/authZ, Kerberos (krb5), HSM, TPM

Markup Languages
LaTeX, HTML, some XML, some *roff

Spoken Languages:
English (fluent), German (native), bits and pieces of Spanish and French

Cisco Certified Network Associate / CCNA (2005)

Hoboken, NJ
Master of Science in Computer Science (2004)

Hoboken, NJ
B.S in Computer Science (2001)

Marburg, Germany
M.A. studies in Contemporary German Literature and American Studies (1996-1998)
Other: Blog
Presentations / Talks

NetBSD developer since 2002:
  • type man 1 stat on any OS X system
  • ported NetBSD's pkgsrc tools to IRIX
  • maintain several packages
  • maintenance of the NetBSD website
  • member of Communication Executive Committee
  • management of project's participation in Google's ``Summer of Code'' program