Professional Experience
I have worked in software security since 2003. In the last two decades I've worked at the US DoD, led teams large and small, and built and sold a company. I am currently a Security Engineer at a big tech company, and a non-resident research fellow at the Georgetown Center for Security and Emerging Technology (CSET).

My technical background spans software engineering (C/C++, Ruby, Java, x86, ARM), vulnerability research, and exploit mitigation development on targets ranging from web browsers and messaging apps to embedded game consoles and mobile devices. I have a strong interest in the intersection of cyber security policy, emerging technology, and US national security. I've given guest lectures at US federal agencies, universities and companies. I sat on the Black Hat review board from 2012 to 2021.
The Archives
Council On Foreign Relations - AI Code Generation and Cyber Security
Modern Memory Safety in C/C++ - Open Source Training Slides
Effective Memory Safety Mitigations - Qualcomm Mobile Security Summit May 2018
Offense at Scale - BSides NOLA Keynote 2015, Empire Hacking
Google Native Client - Analysis Of A Secure Browser Plugin Sandbox Black Hat USA 2012
Attacking Client Side JIT Compilers Black Hat USA 2011
Ruby For Pentesters Black Hat USA 2009
Bro IDS Multiple BinPac Out Of Bounds Read CVE-2014-9586
Suricata DCERPC Out Of Bounds Read/Write (2.0.7)
Firefox 3.6/4.0.1 Array.reduceRight Info Leak / Remote Code Execution (mfsa2011-22)
Firefox 3.6.9 Frameset Parsing Heap Overflow (mfsa2010-50)
Internet Explorer 8 HTML Element Memory Corruption (MS10-035)
Internet Explorer 8 Uninitialized Memory Corruption (MS10-035)
Chrome 8, Safari 5 Webkit CSS Font Face Parsing Type Confusion Info Leak (CVE-2010-4577)
Google Native Client Security Contest 2nd Place
Opera 9.5 FTP URI Parsing Heap Overflow (Opera Bug #901)
Council On Foreign Relations Podcast with Micah Zenko
BankInfoSecurity Podcast with Mathew Schwartz
Risky Business Podcast with Patrick Gray