This is the fully buzzword compliant version suitable for
resume bots and initial screeners. One-page version here.
What I Do:
I worry about protecting user data and privacy, about
infrastructure security and integrity. In so doing, I wear many hats:
Information Security Engineer, Systems Architect, System Administrator,
Actual Human. I'm particularly interested in the social aspects of
Information Security engineering and try my best to solve people problems
with a focus on quantitative analysis, metrics, and an accurate threat
With 20 years of experience in both small scale deployments and academia as well as in enormous high-availability infrastructures serving millions of users, I offer an extensive background in all things Unix, enthusiasm to learn new technologies, a thorough Computer Science background, as well as high quality standards.
I implement scalable and reliable tools, design architectures and APIs, create proof-of-concept prototypes, and intuitively and quickly analyze existing architectures both for what works and what doesn't; I analyze threat landscapes and develop threat models, determine and dissect applicable metrics to derive realistic, impactful solutions focused on reducing the attack surface and eliminating attack vectors. I enjoy teaching/mentoring, offer strong interpersonal and communications skills, a curious and open mind, and very strong work ethics.
Above all, I'm driven by developing solutions that have a long-term impact and solve real issues for all users. I don't shy away from hard problems.
Current interests and ambitions
I'm currently primarily interested in Secure and Scalable Infrastructure
Systems Architecture on an Internet scale
with special areas of interest in
Internet Architecture, Anonymity & Privacy,
practical application of cryptographic protocols, threat modeling
with human behavioral traits and patterns. Having a
long term impact and building something that lasts are as
important to me as my own professional growth, academic
development, and community outreach.
I'm specifically looking to take my career beyond contributing to any single company, and towards improving the industry in general.
If you are a recruiter, please read this before contacting me.
I'm also working (on-again/off-again) on a textbook for my class on System Administration. Working title: "Principles of System Administration".
Specialties: Large scale System Administration and Infrastructure Architecture; conceptual integrity; infrastructure security; threat modeling; scalable infrastructure tools; zero trust; all things unix; automation of any thinkable task; DevOps, SRE, and hybrid cloud environments
Technical Expertise: NetBSD, FreeBSD, Linux, RHEL/CentOS... any unix-based OS; AWS/EC2; C, Go, Perl, Python, PHP, Shell... ready to pick up any new language; REST, intuitive grasp of API requirements
Upcoming and recent talks
(A few) Ops Lessons We All Learn The Hard Way - broadly shared on the internet since 2020-01-24
The Razor's Edge - Cutting Your TLS Baggage - given at O'Reilly Security 2017 on 2017-11-01 [slideshare link]
OpSec 101 - A Choose Your Own Adventure for Devs, Ops, and other Humans - given at ConFoo Vancouver 2016 on 2016-12-07 [slideshare link]
Know Your Enemy - An Introduction to Threat Modeling - given at ConFoo Vancouver 2016 on 2016-12-05 [slideshare link]
Crazy Like A Fox - given at O'Reilly Security on 2016-10-31 [slideshare link]
It's the people, stupid - given at Velocity NY 2016 on 2016-09-22 [slideshare link]
Things They Don't Teach You In School - given at the Stevens Institute of Technology Computer Science Club on 2016-03-14 [slideshare link]
Everything is Awful (And You're Not Helping) - given at BSidesSF 2016 on 2016-02-28 [slideshare link] [video]
Defense at Scale - given at BSidesNYC 2016 on 2016-01-16 [slideshare link]
Primum non nocere - Ethical Obligations in Internet Operations - given at Velocity NY 2015 on 2015-10-14 [slideshare link]
Protecting Data in Untrusted Locations - given at RealWorldCrypto 2015 on 2015-01-09 [slideshare link]
All Is Not Lost (But We Need Your Help) - given at OpenITP's Techno Activism 3rd Monday on 2014-01-20 [video | slideshare link]
Online Privacy Tools - given at San Francisco's One City, One Book on 2013-09-04 [slideshare link]
We're Doing It Wrong - What DevOps Needs To Learn In Order To Scale Up - given at DevOpsDays NYC in January 2013
New York, NY
Distinguished Paranoid Architect
Principal member and Infrastructure Security Architect of the Yahoo!/Oath/Verizon Media Paranoids, our industry-wide recognized team of information security experts. I focus primarily on infrastructure architectural design and decisions that impact all of the company's internal systems across all layers of the OSI stack and all data centers and edge locations.
I work at the intersection of an over 20-year old infrastructure spanning dozens of datacenters across the globe with massive cloud-native environments and products, covering countless edge cases not usually encountered in other environments; I'm involved in cleaning up after and working to make repeats impossible of some of the internet's biggest compromises, including lessons and continuously gaining insights that cannot be learned elsewhere, yet are invaluable to be applied everywhere.
Recent projects included:
New York, NY
January 2013 - March 2015
Staff Infrastructure Security Engineer
Senior member of the Information Security team, team lead for security operations and infrastructure security. We coordinate incident response for company-wide security issues such as Heartbleed, Shellshock, POODLE etc.; we maintain all of Twitter's SSL/TLS certificates; we perform internal and external security reviews, and consult on internal- and external-facing feature development and infrastructure changes or planning.
Rolled out Kerberos at Twitter and drove migration of Subversion, SSH, sudo(8), Git, and misc. services to use Kerberos; maintained monitoring and auditing around TLS certificates and supported cipher suites; wrote and maintained a tool to allow for user-friendly asymmetric encryption of secrets; helped design a key distribution system; wrote system software for and designed an end-to-end solution around bootstrapping trust using TPMs in untrusted locations; regular end-user training to reduce the risk of phishing and general education of all engineers on security-related issues.
New York, NY
April 2012 - December 2012
Senior Network Security Engineer
New York, NY
January 2012 - April 2012
Senior Infrastructure Architect
May 2011 - December 2011
Member of Yahoo!'s small central security team in charge of all aspects of product-, infrastructure-, network- and all other security related issues. My main focus there is currently on secure system architecture, conceptual integrity, vulnerability assessment and analysis, intrusion detection, as well as review of existing or new projects with particular focus on scalability and (data and service) integrity.
I routinely (try not to) break things, fix them and implement and design long term solutions. And I worry.
May 2007 - April 2011
I create secure and scalable infrastructure solutions, ranging from configuration management over centralized and decentralized syslog deployments to massive host scanning, IPv6 implementation and strategy, and everything in between, focusing on quality, correctness and long-term impact. The results are used to service over half a billion people every month.
September 2006 - May 2007
Senior System Administrator
Extended and maintained configuration management system deployed on nearly 100K hosts; wrote rapid deployment system to reduce inventory-to-ready-to-serve turnaround time; wrote miscellaneous tools to automate regular workflow and processes; instituted best software engineering practices.
Summer 2003 - May 2006, September 2008 - present
Adjunct Professor of Computer Science
Teaching graduate-level class "Advanced Programming in the UNIX Environment", based on the well-known book by W. Richard Stevens, covering such topics as the user/kernel interface, fundamental concepts of UNIX, user authentication, basic and advanced I/O, filesystems, signals, process relationships, and interprocess communication.
This class has now been added as a requirement to the Master's degree in Computer Science.
Developed from scratch and am currently teaching graduate-level class "Aspects of System Administration", covering topics such as hardware configuration, operating system installation, shell programming, security policies, backup deployment and disaster recovery, network design, software installation and maintenance, and operating system tuning. (This class played an important role in the certification of Stevens's Computer Science Department as an NSA Center of Academic Excellence in Information Assurance Education; it is now part of the Master's degree requirements.)
In this class, I pioneered the use of Amazon EC2/AWS cloud services for teaching system administration.
September 2001 - July 2006
Administration of the Imperatore School of Sciences and Arts Scientific Computing resources (infrastructure and desktops), supporting some 3000 users (students, professors, staff alike) and their varying software needs.
Technical Skills:
I'm always willing and able to quickly understand and learn other programming languages, software skills, protocols etc., based on a solid Computer Science background, years of work experience, and general enthusiasm and personal interest in the area.
NetBSD, FreeBSD, Linux (RHEL and various other distributions), IRIX, MacOS X, Solaris; x86, sparc, mips, PowerPC, amd64
Xen, Amazon Web Services (AWS), Amazon Elastic Compute Cloud
Completely fluent in all common unix userland tools including shell-scripting (sh, csh, ksh, sed, awk, regular expressions etc.), cvs, ssh, etc.;
C, Perl, shell, Go, Java, PHP, Python, C++, SQL, some Tcl/Tk
TCP/IP, UDP, SNMP, HTTP, SMTP, NIS/YP, NFS, FTP, CVS, SVN, Git
Solid understanding of SUSv3
Familiarity with routing and switching (Cisco, Extreme hardware).
SSH, SSL, TLS, Certificate Management, asymmetric and symmetric key cryptography, PGP, authN/authZ, Kerberos (krb5), HSM, TPM
LaTeX, HTML, some XML, some *roff
English (fluent), German (native), bits and pieces of Spanish and French
Cisco Certified Network Associate / CCNA (2005)
Master of Science in Computer Science (2004)
B.S. in Computer Science (2001)
M.A. studies in Contemporary German Literature and American Studies (1996-1998)
Presentations / Talks
NetBSD developer since 2002: