Malice Afterthought provides software and security consulting services to a range of clients, from small businesses to large corporations, in addition to creating and releasing its own commercial and open source software. From January to July 2011, I taught at a Department of Defense information and network warfare (CNO) school. In January 2012, I won a DARPA Cyber Fast Track research proposal to fund research entitled 'Reticle: Leaderless Command and Control,' and in November 2012 an additional CFT proposal entitled 'NOM: Novel Object Mapping.' That research, culminating in the CreepyDOL platform, continued through 2014. In 2016, I began a new R&D effort for a flexible IoT platform. Languages and tech stacks have included Ruby, Python, Perl, D3JS, UnityScript, Hadoop, Spark, and AWS.
Security Engineering Lead
2017 - 2017
Nuna provides healthcare data analytics and warehousing to Medicare/Medicaid, insurance networks, and self-insured employers. I led the Security Engineering team, which was responsible for broadly-defined security throughout Nuna (from code, to architecture, to cross-cutting initiatives). I joined Nuna as a Senior Security Engineer, and became Security Engineering Lead in March 2017. Languages and tech stacks included AWS, R, Python, Bash, and Java; compliance stacks included SOC 2, HIPAA, and CMS ARS.
Senior Security Advisor
2014 - 2016
Leviathan Security Group
I worked as a Senior Security Advisor in Leviathan's Risk and Advisory Services group, where I advised enterprise clients on risk and compliance (GRC), security strategy, technical security, and policy, including responding to their clients' and vendors' security assessments and audits, and assisting with security questions for client engineering teams. I also took one client through a first-time SOC 2 Type II audit process, including designing internal controls, identifying necessary remediation activities before the audit period, and eventually working with the on-site audit team. In addition, I co-wrote four whitepapers on forced data localization as it affects security, available at http://www.valueofcloudsecurity.com. From 2014 until mid-2015, I worked as a Senior Security Consultant on Leviathan's Technical Services team. Languages spanned a wide array; compliance stacks included SOC 2, ISO 27001/2, HIPAA, CMS ARS, and PCI.
Senior Research Associate
2009 - 2010
I worked as a technical lead on software projects in a variety of areas, including natural language processing and user modeling, and a project to create an augmented reality application to add real-time data and intelligence analysis to a multi-viewpoint 3D holographic display, using the iPhone 3GS as a controller. SET worked primarily for the defense and intelligence communities. Languages included Objective C, Java, Ruby, Python, and others.
Security by Consent; or, Peel's Principles of Security Operations
How to create and maintain a security operation within a larger organization that focuses on cooperation and consent, rather than coercion, based upon the 'policing by consent' model created in 1820s England.
Are you tired of knowing everything, having people ignore 'the security person' because 'reasons,' and then having 'I told you so' as your only comfort? Sick of the hostile relationship between security and development, security and operations, security and HR, and/or security and everyone not wearing a black t-shirt? There’s a better way. Faced with the challenge of building a security function into a society that wasn’t sure it wanted one (but which nonetheless needed it), Charles Rowan and Richard Mayne set out what became known as the Peelian Principles of Policing, or Policing by Consent. They provide an effective model for running a security group that stands with its organization, rather than against it. We are, after all, 'only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare.' Join us to become a security Bobby—where a commitment to service is non-optional, but the silly hat’s only needed if you like it.
Xenophobia is Hard on Data
October 21, 2015
SecTor - Toronto, ON, Canada
With James Arlen. Examination of forced data localization laws, their nature, their origins, and their effects on confidentiality, availability, and integrity of data, as well as the cost of doing business in a global marketplace.
'Our data is only safe within our borders!' '(The US|China|New Zealand|Vanuatu) is spying on our citizens!' 'Don't ship our citizens' data overseas!' These rallying cries are calling for the same solution: forced data localization laws, where a country requires that all its citizens' and corporations' data be kept within the territory of that country. What's so bad about data localization? Is it good for security? Is it good for business? Is it good for protecting your data from Three- or Four-Letter Agencies? We'll answer these questions and more as we discuss forced localization, international education policy, unlikely anchor placement, catastrophic dripping, and how it affects your business' goals in the short and long term.
Endrun—Secure Digital Communications For Our Modern Dystopia
October 17, 2014
Black Hat Europe - Amsterdam, Netherlands
With Grant Dobbe. Censorship-resistant communications based on the Delay-Tolerant Networking concept.
The Internet is no longer trustworthy, having been compromised by bad actors across the globe. Current proposals to work around a compromised Internet rely upon encrypted transport links, mesh networks, or harassing users for being unable to use GPG safely. Each of these strategies fails in different ways that inevitably lead to information leakage or -- in the extreme case -- death. Endrun, by contrast, takes NASA's Disruption-Tolerant Networking project from a laboratory experiment to a functional system that supports user-friendly encryption in hostile environments. Endrun embraces the nearly-unlimited throughput of a disk-laden station wagon and creates a reliable, eventually-consistent communications system ideal for activists, refugees, and trolls.
Stalking a City for Fun and Frivolity
August 3, 2013
DEF CON - Las Vegas, NV
October 24, 2013
LASCON - Austin, TX
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system, as well as the implications for global surveillance states and engineering as a profession.
Tired of the government being the only entity around that can keep tabs on a whole city at once? Frustrated by dictators du jour knowing more about you than you know about them? Fed up with agents provocateur slipping into your protests, rallies, or golf outings? Suffer no more, because CreepyDOL is here to help! With open-source software, off-the-shelf sensors, several layers of encryption, and a deployment methodology of 'pull pin, point toward privacy insurance claimant,' it allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa. For just four easy hardware purchases of $131.95, you, too, can move up from small-time weirding out to the big leagues of total information awareness: deploy CreepyDOL today!
CreepyDOL: Cheap, Distributed Stalking
August 1, 2013
Black Hat USA - Las Vegas, NV
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system.
Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.
Juris Doctor, Cum Laude
September 2011 - May 2014
The University of Wisconsin - Madison
Master of Science in Engineering in Computer Science