Below, I've compiled my talks, experience, and a few other useful bits of information. If you'd like this as a full-length CV, just hit print; if you'd like a formal resume, click here for HTML or click here for a PDF.
Juris Doctor, Cum Laude
September 2011 - May 2014
The University of Wisconsin - Madison
- Concentration in International Law, With Honors
- Concentration in Criminal Law
- Dean's List: Spring 2012, Spring 2013, Fall 2013
- Pro Bono Society Member
Master of Science in Engineering in Computer Science
September 2005 - May 2009
The Johns Hopkins University
- Thesis: 'Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities'
- President, Upsilon Pi Epsilon (Computer Science Honor Society)
Bachelor of Science in Computer Science
September 2004 - May 2008
The Johns Hopkins University
- Departmental Honors
Chief Technical Officer / DSS
2010 -
Malice Afterthought, Inc.
Malice Afterthought provides information security consulting services. Some highlights of past work: I led an international nonprofit's security efforts, including both building a multi-regulated compliance program (FERPA, HIPAA, and FedRAMP) and implementing technical defensive tools; I taught at a Department of Defense information and network warfare (CNO) school; and I won and completed two DARPA Cyber Fast Track (CFT) contracts. Languages and tech stacks have included Ruby, Python, Perl, D3JS, UnityScript, Hadoop, Spark, and AWS, among many others.
Software Engineer, Security [Staff-Level]
2023 - 2024
Render
I guided major efforts to uplift Render's security posture, including identifying and beginning remediation on a whole-of-company legal/technical compliance issue (requiring cross-functional work between legal, technical, sales, and executive staff), and rebuilding several different engineering systems to enable least-privilege access across the corporation.
Staff Security Engineer
2022 - 2023
Cedar
As a Staff Security Engineer, I was responsible for engaging in high-leverage work to improve security across Cedar to protect patients, medical providers, and our employees; I also helped educate our engineers on secure programming practices, performed code reviews, and guided technical implementations of key client-required security features. Large-scale work included rebuilding the corporate IAM and secrets management systems, compiling the first complete set of technical client contract requirements, and creating a trusted baseline and deployment tracker for our container build systems.
Senior Security Advisor
2014 - 2016, 2019 - 2022
Leviathan Security Group
I worked as a Senior Security Advisor in Leviathan's Risk and Advisory Services group, where I built security programs, advised teams on how best to meet compliance goals, and conducted large-scale architecture and security ecosystem assessments on codebases with more than ten years' engineering effort, more than 20 million end users, or both. I built SOC 2 Type II-compliant security programs and defended them during audits, and advised management at dozens of companies on HIPAA, FERPA, HITRUST, CMS ARS, ISO 27001/2/18, and PCI compliance. I also co-wrote four whitepapers on forced data localization as it affects security, and more recently, one on Kubernetes and container security.
Policy Engineer
2019 - 2019
GitHub
I was the primary technical resource for GitHub's public policy team, which advocates for laws, regulations, and judicial actions that protect the rights of software developers and promote open collaboration. As the team's first Policy Engineer, my role was to bridge the policy, security, and software development worlds to help ensure that GitHub could represent their concerns accurately in global policy discussions. I was primarily responsible for GitHub's policy efforts related to information security, supply chain protection, and international trade, and I represented GitHub Policy in broader Microsoft activities related to trade compliance.
Enterprise Security Platform Lead
2018 - 2019
RealSelf
As the head of the information security program at RealSelf, I directed the company's overall security, risk and compliance efforts. This involved close coordination with the RealSelf executive and engineering teams to align security priorities with our business goals and overall risk posture; I reported to the CTO and General Counsel. My work included developing and delivering security training, working with developers and SREs to design and implement security at all levels of our systems, building our ISO 27000-aligned information security management program, communicating with customers regarding security issues, leading security incident response efforts, working with our legal and privacy teams on vendor management, and managing our bug bounty program. I also worked on HIPAA, PCI, GDPR, and other regulatory issues to ensure that we were able to meet evolving obligations, and ultimately, that the trust our users placed in us was well-earned.
Security Engineering Lead
2017 - 2017
Nuna Inc.
Nuna provides healthcare data analytics and warehousing to Medicare/Medicaid, insurance networks, and self-insured employers. I led the Security Engineering team, which was responsible for broadly-defined security throughout Nuna (from code, to architecture, to cross-cutting initiatives). I joined Nuna as a Senior Security Engineer, and became Security Engineering Lead in March 2017. Languages and tech stacks included AWS, R, Python, Bash, and Java; compliance stacks included SOC 2, HIPAA, and CMS ARS.
Legal Intern (With Practice Certificate)
2013 - 2013
Wisconsin State Public Defender
I was supervised under Wisconsin SCR 50 by Anthony Rios, Forensic Practice Coordinator, working primarily on serious crimes with significant scientific evidence across the state. Under SCR 50, I represented clients in court and during trials, cross-examined expert witnesses, and wrote briefs under the supervision of Mr. Rios and other SPD attorneys.
Judicial Intern
2012 - 2012
Wisconsin Supreme Court
I served as a legal intern for Justice N. Patrick Crooks. My duties included examining cases requesting review by the Court, writing legal analyses of the issues raised by cases before the Court, and assisting the Justice's clerks.
Legal Intern
2012 - 2012
The Rutherford Institute
The Rutherford Institute is a public interest firm whose primary topics of interest are the First and Fourth Amendments as well as school 'zero-tolerance' policies. I was responsible for legal research on current cases, drafting memos and briefs, and researching and writing legislation and policy statements for TRI on electronic privacy and UAV issues.
Senior Research Associate
2009 - 2010
SET Corporation
I worked as a technical lead on software projects in a variety of areas, including natural language processing and user modeling, and a project to create an augmented reality application to add real-time data and intelligence analysis to a multi-viewpoint 3D holographic display, using the iPhone 3GS as a controller. SET worked primarily for the defense and intelligence communities. Languages included Objective C, Java, Ruby, Python, and others.
Open Platforms Group Graduate Intern
2008 - 2008
Six Apart
I worked as an engineer on the Open Platforms team, dealing with furthering the goals of data portability across technologies and corporate boundaries while maintaining a focus on user control of data. I worked as an intern full-time during the summer of 2008, and then part-time through the remainder of the year.
Solaris Security Technologies Group Graduate Intern
2007 - 2007
Sun Microsystems
I ported and integrated software to SunOS (Solaris) allowing users to authenticate using true PKCS#11 interfaces, then worked with a variety of teams and people across Sun (despite my status as an intern) to move these smartcard services into Solaris. I also had the opportunity to work with DTrace on Solaris Kerberos.
VeriSign Security Services Undergraduate Intern
2006 - 2006
VeriSign
I worked primarily with the Unified Authentication group, specifically with One-Time Passwords. I also did some work for VeriSign Labs (the Advanced Projects Research Group) on VeriSign's OpenID implementation, the Personal Identity Provider. Over the course of 12 weeks, I was responsible for major projects in C#, Ruby, and Java, as well as JSP/Struts/Spring web applications, JNI, C/C++, and various related technologies. I won the VeriSign Labs 'PIP Challenge' for integrating one-time password technology with the VeriSign Personal Identity Provider (later Apache Heraldry).
Stuffing your Cloud into your SOCs
June 15, 2020
DevSecCon 24 - The Cloud
How to use DevSecOps to do a SOC 2 audit easily---and how to use a SOC 2 to get more time to focus on infrastructure investment.
Your company is trying to sell to large enterprises and wants a SOC 2 audit. You're running a DevOps team that's 'also responsible for security' and have no time, no budget, no headcount, and no interest in redoing all your infrastructure just to please an auditor. This isn't an impasse---it's an opportunity for you to promote DevOps best practices throughout your company, using the extremely effective carrot of 'this is how we can sell more!' We'll cover what a SOC 2 audit is, what you get to decide when getting one, and the happy path for cloudy companies to pass audits using modern DevOps practices. The tools you already use provide a robust compliance framework; it just requires you to tell the story to the auditors. You'll also get a useful list of things to start asking other teams (like IT and HR) to handle, and a cheat sheet for translating DevOps to Auditor. In 25 minutes, you'll have the knowledge you need to prepare for a SOC (or many other kinds of compliance) audit, and be ready to sell your team's hard work to an auditor (even if they ask you where your tape library is).
Security, Politics, Neutrality, and Protecting Users
February 24, 2020
Security BSides San Francisco - San Francisco, CA
Tech's alleged 'neutrality' causes security problems for our users--ranging from misinformation and propaganda to harassment and worse. Is neutrality required, or desirable? Should tech itself (as Microsoft once suggested) be sovereign? What happens to our users' security if we stop being neutral?
Statements of the alleged neutrality of tech are a recurring refrain: 'we're politically neutral' means any or all of 'we can't ban bad behavior,' 'we have to comply with foreign court orders suppressing dissent,' and 'well, the government was elected; shouldn't we help them, even when we disagree?' This neutrality leads inevitably to security and privacy problems for our users---whether it's handing their data to people who want to harm them, banning users who might be 'controversial' from sites, or preventing the use of key technology by people organizing for a better life. After all, shouldn't tech be neutral---because aren't we above politics? Should (as Microsoft's Brad Smith and the EFF's John Perry Barlow proposed, in different decades) tech be sovereign and able to ignore governments' requests? Are bad outcomes just an inevitable result of tech's place in society? Join us for a discussion of sovereignty, policy, neutrality, and how we can become ardent defenders of our users' lives and livelihoods.
CAIQ and Cookies
August 2, 2019
DEF CON SkyTalks - Las Vegas, NV
With Wendy Knox Everette and Jennifer Chermoshnyuk. Panel on vendor security management from three perspectives (vendor, principal, and consultant), covering how and why to care about vendor security, how to deal with an infinite amount of security questionnaires as a vendor, and what works and doesn't work in the security management space.
This panel brings together three master chefs with a smorgasbord of vendor security assessment experience, from working with sales teams and designing questionnaires to be sent out to potential partners, to helping startups answer them and vetting the answers. Our chefs will fill your plate with answers to questions like: Is the questionnaire a painful experience to be dreaded, or an opportunity to make a sale by showcasing your security and privacy practices? How do different organizations answer or vet these forms? Is there such a thing as too much vendor transparency? What best practices can we share, and are there any improvements and scaling hints we can offer? And yes, there are questions you should be asking to better judge security posture and figure out whether security is truly baked in or just a pretty top layer of sugary, flowery icing.
Probably: an Irreverent History of the GDPR
August 10, 2018
DEF CON Crypto and Privacy Village - Las Vegas, NV
A humorous overview of the creation of the GDPR, what came before it, what it does, and why to embrace it.
If you work in privacy, technology, marketing, or the law, or if you have an email account, you've heard of the GDPR. But what is it really? Why is your in-house lawyer grumpy all the time? Why is your marketing team walking around with stickers that say 'legitimate business use of data' and trying to slap them on random objects to see if they stick? Why, legally, can't you remember anyone's names anymore? This presentation will attempt to take a look at the GDPR from the perspective of a confused outsider who can't quite believe what's going on (as opposed to a burned-out practitioner), without getting too worked up about it. We'll cover why the GDPR exists, what it does, why some people are freaked out about it, why to be concerned and/or unconcerned, and whether kittens or puppies make the better reference animal for GDPR compliance memes. Relax! It's all going to be fine! Probably.
They May Agree Like Brothers...
June 23, 2018
ToorCamp - Olga, WA
Lightning talk. The thought pattern of 'we don't need lawyers,' common recently in employment contracts and blockchains, is an attempt to further disenfranchise the powerless. Examples from the US Supreme Court and ICOs.
Jack Cade and Dick were right: if you want to gain unlimited power, the first thing you do is kill all the lawyers. 'We don't need lawyers interfering in our business' is an Overton Window-expanding refrain that helps the powerful to strip rights from employees, contractors, and even sexual partners. Using examples from 'machine-compiled contracts,' blockchain apps, and Supreme Court decisions both old and new, this talk will attempt to show that Shakespeare's 'ha ha only serious' joke is a modern shibboleth for ensuring that those with power keep it.
Meet the Hackers!
December 7, 2017
The 21st Century Lawyer CLE (Seattle Legal Tech) - Seattle, WA
Continuing Legal Education course (1 credit, Law and Legal). Panel with Wendy Knox Everette and Aaron Alva on some of the technology and security issues facing attorneys. My portion included the ongoing 'going dark' debate and the meaning of security research.
We're Seriously All Gonna Die (Lawyer Panel)
November 3, 2017
Hackers (THINK) - Santa Cruz, CA
Panel with Whitney Merrill on some of the legal issues facing the technology community. My portion included the US v. Microsoft MLAT case (now given certiorari), the EU GDPR, and the continued destruction of the attorney-client privilege.
You Can Do The Thing!
January 13, 2017
ShmooCon FireTalks - Washington, DC
Given tiny starchy vegetables, a call to action for the information security community: if you don't like where the world is going, change the world.
Legal Roundup 2016
November 4, 2016
Hackers (THINK) - Santa Cruz, CA
Panel with Whitney Merrill and Marcia Hofmann on some of the legal issues facing the technology community. My portion included the US v. Microsoft MLAT case, EU-US Privacy Shield and the EU GDPR, and the trend of countries using forced localization to require companies to comply with surveillance orders.
Security by Consent; or, Peel's Principles of Security Operations
October 18, 2016
SecTor - Toronto, ON, Canada
November 2, 2016
O'Reilly Security New York - New York, NY
November 10, 2016
O'Reilly Security Amsterdam - Amsterdam, Netherlands
How to create and maintain a security operation within a larger organization that focuses on cooperation and consent, rather than coercion, based upon the 'policing by consent' model created in 1820s England.
Are you tired of knowing everything, having people ignore 'the security person' because 'reasons,' and then having 'I told you so' as your only comfort? Sick of the hostile relationship between security and development, security and operations, security and HR, and/or security and everyone not wearing a black t-shirt? There’s a better way. Faced with the challenge of building a security function into a society that wasn’t sure it wanted one (but which nonetheless needed it), Charles Rowan and Richard Mayne set out what became known as the Peelian Principles of Policing, or Policing by Consent. They provide an effective model for running a security group that stands with its organization, rather than against it. We are, after all, 'only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare.' Join us to become a security Bobby—where a commitment to service is non-optional, but the silly hat’s only needed if you like it.
Don't Be a Hero
October 31, 2016
Ignite O'Reilly Security - New York, NY
October 29, 2016
PumpCon - Philadelphia, PA
Ignite format; presentation on the value of compliance for small and mid-sized businesses. The talk was designed to lay out the motivational case, rather than the step-by-step implementation of compliance in an organization.
Swinging swords, slaying beasts, drinking Red Bull, and coding through a weekend: the life of a startup is exciting and free from rules. When you get your first security audit and have to establish policies and compliance, you may find your sword hand itchy; are the good times over? No--something even better comes next. Stop being a hero-based organization, and build things that will outlive you.
The Other Way to Get a Hairy Hand; or, Contracts for Hackers
August 7, 2016
DEF CON SkyTalks - Las Vegas, NV
Overview of contract law for non-lawyers. This talk took the approach that large chunks of 'legalese' represent 'scar tissue' from old wounds to the legal profession--cases that have gone in unexpected directions. On that basis, the talk went through standard contract clauses (using the iTunes agreement as an example) that security professionals commonly encounter, why those exist, and when it's worth trying to push back against overbroad contracts.
What do an excessively hairy hand, a car-eating loch, a mechanical bull, and a house of ill repute in northern Montana mean for the iTunes EULA that nobody reads? 'Legalese' is the go-to term to explain (or pretend to justify) overly-complex sentences that involve weirdly-specific phrases followed by names that don't always relate (hereinafter referred to as 'duck wrangling'). While you might cringe at pages of boilerplate, the stories that gave rise to all those words are hilarious and terrifying in turns. Come join us for a discussion of why contracts got screwed up, what the words actually mean (and what they don't), what you actually need to know (without being legal advice, insert your favorite disclaimer here), and how to push back against 'the lawyers said it has to be in there' next time you're signing something. Get another beer; you're going to want it to toast the memories of all the poor suckers who gave us the law (or their leg), such as it is.
Lawyers are Killing the Internet
July 14, 2016
Lockdown - Madison, WI
An overview of six major areas in which well-intentioned politicians and lawyers, representing their nation or supranational entity's interests, are undermining some of the fundamental assumptions on what the Internet 'is.' This presentation covered the Wassenaar Arrangement, the Tallinn Manual, cross-border data restrictions (including the EU Data Protection Regulation), the Right to Be Forgotten, international legal assistance (MLAT), and forced data localization laws.
Are China, North Korea, and Ireland teaming up to hate our freedoms and our democratic way of life? What are Russia, the EU, and Canada in complete agreement on? What does the layout of undersea cables have to do with NATO, and why are people looking for cyberblood? What on earth is cyberblood? Are lawyers, inevitably, screwing up everything? (Yes.) Join us for a discussion of the current state of forced data localization, EU-US Safe Harbo[u]r, the Law of (inevitably) Cyber Conflict, and what they all mean to you. If you want to be able to create products, secure systems, live peaceably on the Internet free from military malware, or simply communicate with people who don't have the same passport as you, this is the talk you need to be at.
New Developments in Consumer Privacy: From Spokeo, Inc. to Apple
March 18, 2016
American Bar Association Section of Civil Rights and Social Justice - Teleconference
ABA Teleconference, with Alan Butler (Electronic Privacy Information Center). Overview of the issues (both technical and legal) involved in Spokeo v. Robins (currently pending before the US Supreme Court) and the Apple encryption case currently pending before the US Magistrate for the Central District of California.
This program will provide an overview of two significant developments related to consumer privacy in the United States. The discussion will be helpful to lawyers across the spectrum who deal with both compliance (reviewing policies and procedures) and litigation. First, we will discuss the much-anticipated decision of the U.S. Supreme Court in Spokeo, Inc. v. Robins, concerning Article III standing requirements and consumer privacy claims. Next, we will discuss the ongoing fight between Apple and the FBI over the use of strong encryption. One case, currently pending before a federal magistrate judge in California, will be heard later this month. Please join us to learn more.
It Only Matters If (You Use Computers)
March 12, 2016
New Leaders Council - Montana - Helena, MT
Invited talk. Overview for policymakers and activists across different fields of the specific policy challenges facing the Internet. This talk covered five major areas: the Wassenaar Arrangement, the Tallinn Manual, data localization and the end of EU-US Safe Harbor, Apple and the encryption debate, and expansive Computer Fraud and Abuse Act interpretations and the US v. Auernheimer case.
Security in Practice
March 11, 2016
Montana State Bar CLE - Anaconda, MT
Continuing Legal Education course (3.5 credits, ethics). An overview of the field of information security, including an introduction to cloud computing, the encryption debate, legal ethics opinions on technology issues (in Montana, from other state bars, and from the ABA), software selections for secure attorney-client interactions, litigation-related problems in technology, and risk-based decision-making.
Prisoners in Cybertown (It's a Dirty Little War)
November 7, 2015
Hackers (THINK) - Santa Cruz, CA
As part of the panel on legal issues at Hackers (THINK), I gave a twenty minute presentation on data localization laws, the Data Protection Directive (and its associated international agreements) and the collapse of EU-US Safe Harbo[u]r due to the Schrems case and the forthcoming US Second Circuit Microsoft Ireland case.
Xenophobia is Hard on Data
October 21, 2015
SecTor - Toronto, ON, Canada
With James Arlen. Examination of forced data localization laws, their nature, their origins, and their effects on confidentiality, availability, and integrity of data, as well as the cost of doing business in a global marketplace.
'Our data is only safe within our borders!' '(The US|China|New Zealand|Vanuatu) is spying on our citizens!' 'Don't ship our citizens' data overseas!' These rallying cries are calling for the same solution: forced data localization laws, where a country requires that all its citizens' and corporations' data be kept within the territory of that country. What's so bad about data localization? Is it good for security? Is it good for business? Is it good for protecting your data from Three- or Four-Letter Agencies? We'll answer these questions and more as we discuss forced localization, international education policy, unlikely anchor placement, catastrophic dripping, and how it affects your business' goals in the short and long term.
Buyer Beware! Cyber-Security’s Impact on M&A Due Diligence & Valuations
June 25, 2015
Merrill DataSite Panel Series - Seattle, WA
Panel presentation. Presentation by attorneys, dealmakers, and executives on security as a high-priority part of due diligence activity. I was the sole technologist on this panel, which was offered for CLE and CPE credit.
High profile security breaches at Sony, Target and Visa have shined the spotlight squarely on the fact that no company is immune from cyber-attacks; not even the White House is secure against hackers. For deal professionals, security concerns are not isolated to the sharing of information during the due diligence process; it is paramount to understand the underlying strength of a company’s technology platform, potential exposure to security threats, and ultimately, how it plays an important role in determining valuations.
All That Cybers (Is^Is Not) War
May 28, 2015
SOURCE Boston - Boston, MA
With Dr. John Linwood Griffin. Conference debate on the proper role of the military on the Internet, given the following resolution: 'This Conference Stands Resolved that there are (de facto) wars taking place on the Internet, and that it is the role of governments to prosecute such wars.'
Join John and Brendan, two doctors both improbable and ineffable, as they debate the following resolution: 'This Conference Stands Resolved that there are (de facto) wars taking place on the Internet, and that it is the role of governments to prosecute such wars.' We'll touch on the proper role of the military on the Internet, whether individuals and companies harassing foreign entities online can be treated as acting on their country's behalf, and cyberwar versus rampaging squirrels in this freewheeling debate. Each speaker will be asked to stake out a vision for what the future of the Internet will look like, and then to defend it both from the other speaker and the audience. By the end, we may not have cleared up your confusion as to what cyberwar is, but you'll have a great time: audience participation is strongly encouraged, and you'll be able to decide who won this combination of talk and argument.
Hot Topics in Information Security Law 2015
April 21, 2015
RSA - San Francisco, CA
Panel. The officers of the American Bar Association's Information Security Committee gather to discuss interesting developments in information security law. Offered for CLE credit.
A panel of technology-savvy lawyers discuss recent developments in technology law with Q&A to follow.
Information Governance: Security, Not Fear
March 13, 2015
Montana State Bar CLE - Anaconda, MT
Continuing Legal Education course (1 credit, ethics). An introduction to computer security concepts as they relate to the Rules of Professional Conduct, including small, meaningful steps to improve a law firm's communications strategies.
Endrun—Secure Digital Communications For Our Modern Dystopia
October 17, 2014
Black Hat Europe - Amsterdam, Netherlands
With Grant Dobbe. Censorship-resistant communications based on the Delay-Tolerant Networking concept.
The Internet is no longer trustworthy, having been compromised by bad actors across the globe. Current proposals to work around a compromised Internet rely upon encrypted transport links, mesh networks, or harassing users for being unable to use GPG safely. Each of these strategies fails in different ways that inevitably lead to information leakage or -- in the extreme case -- death. Endrun, by contrast, takes NASA's Disruption-Tolerant Networking project from a laboratory experiment to a functional system that supports user-friendly encryption in hostile environments. Endrun embraces the nearly-unlimited throughput of a disk-laden station wagon and creates a reliable, eventually-consistent communications system ideal for activists, refugees, and trolls.
This is Not a War. You Are Not a Soldier.
August 8, 2014
DEF CON SkyTalks - Las Vegas, NV
The application of international law to digital warfare, and a detailed refutation of the idea that 'The Geneva Conventions don't apply to the Internet.'
Are you concerned by all the FUD about a 'war in cyberspace?' Are you anxious because the heads of major security firms are saying hackers might be a legal military target for the 'other guys' to drop bombs on? Fear no more! We'll talk about the cool bits of the law of war---from Deuteronomy to Tallinn, and from Counter-Strike to actual counterstrikes---while we discuss how a 120-year-old prohibition on the use of hot-air balloons in warfare should reassure you about a military making a 'kinetic response' to your DDOS. International war law is neither international nor law in a traditional sense, but it's full of literal war stories, as well as an occasional bit of helpful advice even for those who aren't planning on killing two or three million people.
The Perfectly Legitimate Project
April 25, 2014
ThotCon - Chicago, IL
With Grant Dobbe. Cryptographically-sound user-friendly darknet designs.
When we can't use the Internet anymore---either because it's gone, or because we can't trust it---how can we share our cat GIFs, tear gas remedies, or recipes for Roasted Rodent Ratatouille? The Perfectly Legitimate Project creates a decentralized, Internet-optional system of sharing data among a group of nodes without relying on easy-to-locate mesh networks. PLP uses whatever’s available to move heavily-encrypted payloads around, including short-range wireless communications (on license-free VHF, UHF, ZigBee, or WiFi), sneakernet, or tasty (and nutritious!) carrier pigeons. PLP has four components: NATASHA and MOOSE provide user-friendly services (such as email, wikis, and blogs) to any end-user without a need for specialized hardware or customized software, while BORIS and SQUIRREL let couriers use any means necessary to ship data with a derivative of the interplanetary Disruption-Tolerant Networking protocol. The end result is a system that's OPSEC-capable, easy to use, and can be deployed when zombies attack---or when you're just tired of having your adversaries listen through the fillings in your teeth.
Tyvlytting På Lufta (Voyeurism in the Air)
March 27, 2014
Paranoia - Oslo, Norway
July 10, 2014
Lockdown - Madison, WI
New updates to the CreepyDOL system, including a large-scale deployment in Montezuma, NM with 755 devices.
War Crimes as a Service
October 26, 2013
PumpCon - Philadelphia, PA
With Dr. John Linwood Griffin. Introduction for non-lawyers to the Tallinn Manual, why security experts should care, and a modest proposal for how to stop unlawful digital warfare.
Three years of international negotiations and deliberations by eleven lawyers, two academics, a bunch of editors, and an Estonian dog named Terry gave us the 'Tallinn Manual'---a.k.a., cover for the world’s militaries to blow up the Internet. This talk will explain why international law matters, why it’s important that a bunch of non-hackers defined 'attack' to only mean dead bodies, and how we can prevent certain nations from clogging the tubes with the blood of the innocent. The international law of war isn’t dead---it’s just sleeping. Come help wake it up.
How to Fight a War Without Actually Starting One
September 28, 2013
DerbyCon - Louisville, KY
International war law, including the Tallinn Manual, as it pertains to computer security and the Internet.
A NATO affiliate spent three years with some of the finest academic lawyers on the planet trying to figure out how to define 'cyberwar' better than the US Senate. It's a shame they never asked any hackers, though, because the only thing the definition includes is 'black ice' straight out of Neuromancer, which we're pretty sure isn't real. Join us for an introduction to international law, war law, the Tallinn Manual, and the reason it matters that twelve academics in Estonia can't define a word.
Stalking a City for Fun and Frivolity
August 3, 2013
DEF CON - Las Vegas, NV
October 24, 2013
LASCON - Austin, TX
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system, as well as the implications for global surveillance states and engineering as a profession.
Tired of the government being the only entity around that can keep tabs on a whole city at once? Frustrated by dictators du jour knowing more about you than you know about them? Fed up with agents provocateur slipping into your protests, rallies, or golf outings? Suffer no more, because CreepyDOL is here to help! With open-source software, off-the-shelf sensors, several layers of encryption, and a deployment methodology of 'pull pin, point toward privacy insurance claimant,' it allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa. For just four easy hardware purchases of $131.95, you, too, can move up from small-time weirding out to the big leagues of total information awareness: deploy CreepyDOL today!
CreepyDOL: Cheap, Distributed Stalking
August 1, 2013
Black Hat USA - Las Vegas, NV
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system.
Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.
The Global 'Gamification' of Online Gaming
October 1, 2012
Annual Conference of the International Bar Association - Dublin, Ireland
Panel on digital security and legal issues that affect the international online gambling industry.
Gamification and online gambling are among the booming global phenomena of the past decade. Given the highly polarised reactions to gambling across different jurisdictions, yet the boost it can provide to governmental coffers in these trying economic times, few are surprised that online gambling has generated both political controversy and a plethora of cross-border regulatory and legal issues. This session initially explores these critical issues through the eyes of major online gambling companies. The second segment will be interactive and include a debate between an online gaming hacker and a representative of a gaming / gambling company.
Reticle: Dropping an Intelligent F-BOMB
July 26, 2012
Security BSides Las Vegas - Las Vegas, NV
Software to control ad-hoc networks of disposable computers.
F-BOMB is a disposable computing project, and Reticle is its software brain: a distributed, leaderless system for transferring data and commands to and from the tiny, distributed, dirt-cheap little boxes. Together, these two systems form a botnet-styled sensor network that can be deployed the same way as a smoke grenade by a field agent, but with intelligent encryption, plausible deniability, and a peer-to-peer command network to ensure that an enemy can't compromise your goals---whether you're providing Internet access to an Occupy group, or playing distributed hide and seek for cell phones. We discuss the design and implementation of Reticle, which was intended to take some of the networking ideas from modern botnets and apply them in a more useful context. Reticle was created with support from DARPA Cyber Fast Track, and the code, utilities, and documentation created under that project will be released with the talk.
Hack the Law
July 15, 2012
Hackers on Planet Earth - New York, NY
Why security researchers should go to law school.
Recent bills such as ACTA, COICA, and SOPA in legislatures worldwide demonstrate that there exists a fundamental disconnect between hackers and politicians. Worse, the people charged with dealing with law on the ground, the lawyers, rarely have any significant technical background obtained within the last few decades. This must change. It's all well and good to write your congressperson or donate to the EFF, but it's not enough; we need hackers to go to law school. Lawyers---whether they work as attorneys, or bring their knowledge of the law back to other fields---are uniquely situated to effect direct change on politics, social issues, and the law on the ground (where they arrest poor hackers), and unlike many fields, it's not enough to be self-taught. This presentation will focus on the utility of the hacking ethos within the law, as well as the 'law school experience,' technical bits about actually getting in, and how to keep yourself from going nuts while spending three years surrounded by those who can't tell their megabytes from their overbites (and are terrified by Wireshark, let alone the more subtle tools in existence). Expect stories, humorous anecdotes, and terrifying lapses in judgment.
Sacrificial Computing for Land and Sky
January 27, 2012
ShmooCon - Washington, DC
Hardware design for very-low-cost sensor nodes.
Projects such as the incredible Wireless Aerial Surveillance Platform give you the ability to monitor or attack networks far from accessible areas, but are limited by their deployment characteristics: $6000+ buys you just 10-30 minutes on target, and you have to do your work while simultaneously defending the physical plane from Bad Men With Projectile Weapons, lest they take exception to your plans. Disposable computing designed for just one use can provide massive reductions in cost and time to deployment without sacrificing flexibility; we show how $50-$75 can give you upwards of 24 hours to work on a task, while using only off-the-shelf hardware, and leaving no data onsite for an adversary to analyze after the operation. These computers can then be planted manually, or even dropped from unspecialized UAVs (such as the Parrot Drone) to allow your expensive plane to return to safety while you do your work.
Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities
November 13, 2009
5th ACM Workshop on Digital Identity Management - Chicago, IL
With Dr. John Linwood Griffin. Stock-market-like construction of computer-readable human-mediated reputation scores. Selected as the best paper at the workshop.
Reputation forms an important part of how we come to trust people in face-to-face interactions, and thus those building systems that depend on trust online have come to recognize that reputation is an important characteristic in the digital age. We propose a new holistic and context-free approach to quantifying reputation on the Internet, based upon a stock exchange where users can trade reputation shares of other users and obtain goodwill dividends, including new algorithms for identifying and creating digital identities not inherently tied to a user’s personally identifiable information. We developed such a system, named Mnikr, and deployed our system on the Internet for a month to demonstrate and evaluate this approach. Our results suggest that existing public data sources can indeed be used to create an overarching social network whose utility is greater than its number of users would indicate, and in which reputation measurements are generated that are actually indicative of each user’s standing in society.
Kubernetes and Containerized Security
2021-08-02
Leviathan Security Group
An overview of what 'securing Kubernetes,' a common client request, really entails: not just security of the control plane, but more critically, of the containerized software, and how to achieve that.
Quantifying the Cost of Forced Localization
2015-06-24
Leviathan Security Group
With James Arlen. Focused on the direct costs to companies of forced localization laws---the actual economic disadvantage inflicted by a country on its businesses when it chooses to require that all data be stored within its borders.
Value of Cloud Security: Vulnerability
2015-02-11
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges around setting up local data storage, for small, medium, and large enterprises, and a comparison of price data between major local and cloud storage vendors.
Analysis of Cloud vs. Local Storage: Capabilities, Opportunities, Challenges
2015-02-11
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges of hiring sufficient cybersecurity expertise given the current talent pool and educational programs available.
Comparison of Availability Between Local and Cloud Storage
2015-02-11
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges of securing the integrity and availability of data stored in datacenters and the cloud in the face of disasters and other large-scale events.
Whoops! Broadcasting Your Secrets for Convenience
2014-05-01
GP Solo (American Bar Association)
Volume 31, Number 3, May/June 2014 of GP Solo. A summary of the article previously published in the SciTech Lawyer.
Whoops! How Your 'Convenience' Broadcasts Your Secrets
2014-01-30
The SciTech Lawyer (American Bar Association)
Volume 10, Issue 2, Winter 2014 of The SciTech Lawyer. Wireless technology v. the duties of confidentiality and privilege.
Brief of Amici Curiae in U.S. v. Auernheimer
2013-07-01
United States Court of Appeals for the Third Circuit
I wrote a Brief of Amici Curiae to the Third Circuit in U.S. v. Auernheimer, on behalf of Meredith Patterson, myself, and eleven other notable security researchers. The brief is available at https://github.com/ussjoin/weevamicus/releases. This brief was not written on behalf of or with the support of any group beyond the individual amici.
Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities
2009-11-13
5th ACM Workshop on Digital Identity Management
With Dr. John Linwood Griffin. Stock-market-like construction of computer-readable human-mediated reputation scores. Selected as the best paper at the workshop.
September 21, 2015
State Bar of Montana, Washington State Bar Association
June 6, 2023
May 10, 2023
January 11, 2016
December 14, 2015
International Association of Privacy Professionals
February 6, 2020
August 12, 2016
Information Systems Audit and Control Association
February 20, 2016
Cloud Security Alliance
International Information Systems Security Certification Consortium (ISC(2))
FEMA Professional Development Certificate, IS-{1, 100, 120, 130, 139, 200, 230, 235, 240, 241, 242, 244, 250, 288, 700, 800, 802}
January 7, 2011
United States Federal Emergency Management Agency
Public Service and Emergency Communications Management for Radio Amateurs
May 1, 2011
American Radio Relay League (ARRL)