Professional Experience
- 2009 - current: Independent Consultant
- Ported a million line C++ codebase from Windows to Linux.
- Wrote tools to analyze and canonicalize survey data.
- Designed, built and deployed a website for a local farmers market.
- 2007 - 2008, Volant Trading (New York, NY): Developer
- Designed and implemented price feeds for NASDAQ (ITCH3),
ARCA, and NYSE Quotes. The feeds process real-time market
traffic and provide price quotes via TCP or multicast to
the rest of the trading system. I used Python to automate
generation of message parsing routines.
- Designed and implemented a real time profit and loss
reporting service in C++ which marks all trades and
positions against market and model prices. Traders view
the report in a Qt GUI, and Python scripts are used to
generate hourly reports for import into spreadsheets.
- Wrote tools in C++ and Python to automate import and
export of data from an in-house distributed message
passing and persistence system. This allowed traders to
write spreadsheets that directly manipulated system
parameters.
- 2006 - 2007, Independent (Washington, DC): Consultant
- Wrote the first version of OWASP SWAAT (Securitycompass Web
Application Analysis Tool), a C# tool
which scans PHP code for common security flaws. The user
interacts with a GUI written in Windows Forms, while
reports are written out in XML and then processed with XSLT
to generate a variety of output formats.
- Reviewed the design and implementation of the Microsoft
Vista firewall for security flaws. This project included
writing exploit code in C, x86 assembler, and Python, as
well as decompiling and modifying binary-only modules to
facilitate further analysis.
- Reviewed the design and implementation of the cryptographic
protocol underlying a commercial instant messaging system.
After working with the developers to identify their needs
and threat model, I identified several flaws in the existing
design and assisted the developers in building a protocol
more resistant to attack. I also helped the developers
optimize the implementation, significantly reducing the
latency of user sign-on.
- 2005 - 2006, Atlan Laboratories (McLean, VA): Security Engineer
- Performed FIPS-140 reviews of a number of hardware and
software cryptographic implementations. These projects
involved reviewing and analyzing large amounts of
security-critical code written in C, C++, Java, and
assembler, finding potential flaws, writing proof of concept
exploits, and guiding the developers in remediating any
problems found during review.
- Redesigned and reimplemented Atlan's suite of proprietary
test tools (written in C++), which are used to analyze
implementations of cryptographic algorithms. The new version
reads tests from the source files (instead of requiring a new
binary for each test), and uses abstraction features to make
it simpler to plug in a particular unit for evaluation.
- 2004 - 2005, Cybertrust (Herndon, VA): Security Engineer
- Performed source code review and functional testing on a
variety of servers, clients, and web applications, including
a check scanning machine, an in-game advertising service, a
loan management system, and a distributed job control system.
- Performed penetration tests on a variety of customer
networks. In each case I then wrote up a detailed report
describing the flaws found, the anticipated risk and impact,
and the steps necessary for remediation.
- Built out and administered a 22 machine Linux/OpenBSD
cluster that ran a network security scanning service, as well
as numerous other Linux and OpenBSD scan machines and
departmental servers.
- Gave half-day training sessions to developers on the proper
use of cryptographic algorithms and protocols to ensure
system security, and wrote a secure coding guide for C++
programmers.
- 2002 - 2003, JHU Information Security Institute (Systems Research Lab) (Baltimore, MD): Programmer
- I ported OpenCM to a
number of new platforms including OpenBSD/Alpha and
Solaris/SPARC, and assisted in redesigning and reimplementing
its internal storage architecture after the earlier design
hit scaling problems.
- 2000 - 2001, Johns Hopkins University Computer Science Department (Baltimore, MD): System Administrator/Programmer
- In the Computer Integrations with Physical Systems group, I administered
the lab's Linux and Windows 2000 workstations and servers.
- 1999 - 2002, JHU Association for Computing Machinery (Baltimore, MD): System Administrator
- For three years I was elected system admin by the body of
the JHU student chapter of the ACM. I was responsible
for building and maintaining the chapter's network and
systems (Linux, OpenBSD, and NetBSD, running on a variety of
x86, SPARC, PowerPC, HP-PA, and m68k systems), which were
used by a number of researchers and campus groups as well
as the ACM membership.
Open Source Projects
I have written a number of libraries and tools which I have
open sourced, including:
- Botan is a C++ library providing cryptographic services including a
variety of cipher, hash, and MAC algorithms, X.509
certificates, and a pipeline/filter message processor.
- CapOver is a Linux Security Module that allows giving extra capabilities
(a shard of root's power) to particular combinations of users,
groups, and programs.
- VNCcrack is a fast password cracker for cleartext VNC challenge/response pairs.
Open source projects I have contributed to include:
- opencm is a configuration management system built to support the distributed
development of an EAL7-rated secure operating system.
- cutlass was a secure P2P network for file transfer, chat, and VoIP.
Languages
C++ (9 years),
C (7 years),
Python (3 years),
Perl (7 years),
SQL (3 years),
x86/x86-64 assembler (3 years),
Bourne Shell (4 years),
Java (1 year),
Scala (6 months),
Common Lisp (1 year),
C# (6 months),
IA-64, Alpha, MIPS, and SPARC assembler (6 months each)
Papers and Presentations
"CUTLASS - Encrypted, Peer-to-Peer Communications for Everyone",
Todd MacDermid, Jack Lloyd, Kathy Wang, and Nash Foster; ShmooCon 2005
"Cutlass - Cryptographic Protection for Everyone's Voice and Data",
Todd MacDermid, Jack Lloyd, Kathy Wang; ToorCon 2004
"OpenCM: Early Experiences and Lessons Learned",
Jonathan S. Shapiro, John Vanderburgh, Jack Lloyd;
2003 USENIX Annual Technical Conference, FreeNIX Track
"An Analysis of RMAC", Jack Lloyd;
IACR ePrint 2002/170
Education
2003, B.Sc. Computer Science, Johns Hopkins University, Baltimore, MD