Professional Experience
- 2006 - current: Consultant
- Ported a distributed object platform, roughly a million lines
of C++, from Windows to Linux.
- Wrote the first version of OWASP SWAAT (Security Compass Web
Application Analysis Tool), a C# tool
which scans PHP code for common security flaws. The user
interacts with a GUI written in Windows Forms, while
reports are written out in XML and then processed with XSLT
to generate a variety of output formats.
- Reviewed the design and implementation of the Microsoft
Vista firewall for security flaws. This project included
writing exploit code in C, x86 assembler, and Python, as
well as decompiling and modifying binary-only modules to
facilitate further analysis.
- Reviewed the design and implementation of the cryptographic
protocol underlying a commercial instant messaging system.
After working with the developers to identify their needs
and threat model, I identified several flaws in the existing
design and assisted the developers in building a protocol
more resistant to attack. I also helped the developers
optimize the implementation, significantly reducing the
latency of user sign-on.
- 2007 - 2008, Volant Trading (New York, NY): Developer
- Designed and implemented price feeds for NASDAQ (ITCH3),
ARCA, and NYSE Quotes. The feeds process real-time market
traffic and provide price quotes via TCP or multicast to
the rest of the trading system. I used Python to automate
generation of message parsing routines.
- Designed and implemented a real-time profit and loss
reporting service in C++ which marks all trades and
positions against market and model prices. Traders view
the report in a Qt GUI, and Python scripts are used to
generate hourly reports for import into spreadsheets.
- Wrote tools in C++ and Python to automate import and
export of data from an in-house distributed message
passing and persistence system. This allowed traders to
write spreadsheets that directly manipulated system
parameters.
- 2005 - 2006, Atlan Laboratories (McLean, VA): Security Engineer
- Performed FIPS-140 reviews of a number of hardware and
software cryptographic implementations. These projects
involved reviewing and analyzing large amounts of
security-critical code written in C, C++, Java, and
assembler, finding potential flaws, writing proof of concept
exploits, and guiding the developers in remediating any
problems found during review.
- Redesigned and reimplemented Atlan's suite of proprietary
test tools (written in C++), which are used to analyze
implementations of cryptographic algorithms. The new version
reads tests from the source files (instead of requiring a new
binary for each test), and uses abstraction features to make
it simpler to plug in a particular unit for evaluation.
- 2004 - 2005, Cybertrust (Herndon, VA): Security Engineer
- Performed source code review and functional testing on a
variety of servers, clients, and web applications, including
a check scanning machine, an in-game advertising service, a
loan management system, and a distributed job control system.
- Performed penetration tests on a variety of customer
networks. In each case I then wrote up a detailed report
describing the flaws found, the anticipated risk and impact,
and the steps necessary for remediation.
- Built out and administered a 22-machine Linux/OpenBSD
cluster that ran a network security scanning service, as well
as numerous other Linux and OpenBSD scan machines and
departmental servers.
- Gave half-day training sessions to developers on the proper
use of cryptographic algorithms and protocols to ensure
system security, and wrote a secure coding guide for C++
programmers.
Open Source Projects
I have written a number of libraries and tools which I have
open sourced, including:
- Botan is a C++ library providing cryptographic services
including a variety of cipher, hash, and MAC algorithms, X.509
certificates, SSL/TLS, and a pipeline/filter message processor.
- CapOver is a Linux Security Module that allows giving extra
capabilities (a shard of root's power) to particular
combinations of users, groups, and programs.
- VNCcrack is a fast password cracker for the VNC
authentication protocol.
Papers and Presentations
"CUTLASS - Encrypted, Peer-to-Peer Communications for Everyone",
Todd MacDermid, Jack Lloyd, Kathy Wang, and Nash Foster; ShmooCon 2005
"Cutlass - Cryptographic Protection for Everyone's Voice and Data",
Todd MacDermid, Jack Lloyd, Kathy Wang; ToorCon 2004
"OpenCM: Early Experiences and Lessons Learned",
Jonathan S. Shapiro, John Vanderburgh, Jack Lloyd;
2003 USENIX Annual Technical Conference, FreeNIX Track
"An Analysis of RMAC", Jack Lloyd;
IACR ePrint 2002/170
Education
2003, B.Sc. Computer Science, Johns Hopkins University, Baltimore, MD