Language Experience

C++ (10 years), C (7 years), Python (4 years), Perl (7 years), SQL (3 years), x86/x86-64 assembler (3 years), Common Lisp (1 year), Bourne Shell (4 years), PHP (2 years), Java (1 year), C# (1 year)

Open Source Projects

I have written a number of libraries and tools which I have open sourced, including

• Botan is a C++ library providing cryptographic services including a variety of cipher, hash, and MAC algorithms, X.509 certificates, SSL/TLS, and a pipeline/filter message processor.
• CapOver is a Linux Security Module that allows giving extra capabilities (a shard of roots power) to particular combinations of users, groups, and programs.
• VNCcrack is a fast password cracker for the VNC authentication protocol.

Professional Experience

• 2006 - current: Consultant
  • Ported a million line C++ codebase from Windows to Linux.
  • Wrote the first version of OWASP SWAAT (Securitycompass Web Application Analysis Tool), a C# tool which scans PHP code for common security flaws. The user interacts with a GUI written in Windows Forms, while reports are written out in XML and then processed with XSLT to generate a variety of output formats.
  • Reviewed the design and implementation of the Microsoft Vista firewall for security flaws. This project included writing exploit code in C, x86 assembler, and Python, as well as decompiling and modifying binary-only modules to facilitate further analysis.
  • Reviewed the design and implementation of the cryptographic protocol underlying a commercial instant messaging system. After working with the developers to identify their needs and threat model, I identified several flaws in the existing design and assisted the developers in building a protocol more resistant to attack. I also helped the developers optimize the implementation, significantly reducing the latency of user sign-on.
• 2007 - 2008, Volant Trading (New York, NY): Developer
  • Designed and implemented price feeds for NASDAQ (ITCH3), ARCA, and NYSE Quotes. The feeds process real-time market traffic and provide price quotes via TCP or multicast to the rest of the trading system. I used Python to automate generation of message parsing routines.
  • Designed and implemented a real time profit and loss reporting service in C++ which marks all trades and positions against market and model prices. Traders view the report in a Qt GUI, and Python scripts are used to generate hourly reports for import into spreadsheets.
  • Wrote tools in C++ and Python to automate import and export of data from an in-house distributed message passing and persistence system. This allowed traders to write spreadsheets that directly manipulated system parameters.
• 2005 - 2006, Atlan Laboratories (Mclean, VA): Security Engineer
  • Performed FIPS-140 reviews of a number of hardware and software cryptographic implementations. These projects involved reviewing and analyzing large amounts of security-critical code written in C, C++, Java, and assembler, finding potential flaws, writing proof of concept exploits, and guiding the developers in remediating any problems found during review.
  • Redesigned and reimplemented Atlan's suite of proprietary test tools (written in C++), which are used to analyze implementations of cryptographic algorithms. The new version reads tests from the source files (instead of requiring a new binary for each test), and used abstraction features to make it simpler to plug in a particular unit for evaluation.
• 2004 - 2005, Cybertrust (Herndon, VA): Security Engineer
  • Performed source code review and functional testing on a variety of servers, clients, and web applications, including a check scanning machine, an in-game advertising service, a loan management system, and a distributed job control system.
  • Performed penetration tests on a variety of customer networks. In each case I then wrote up a detailed report describing the flaws found, the anticipated risk and impact, and the steps necessary for remediation.
  • Built out and administered a 22 machine Linux/OpenBSD cluster that ran a network security scanning service, as well as numerous other Linux and OpenBSD scan machines and departmental servers.
  • Gave half-day training sessions to developers on the proper use of cryptographic algorithms and protocols to ensure system security, and wrote a secure coding guide for C++ programmers.
• 2002 - 2003, JHU Information Security Institute (Systems Research Lab) (Baltimore, MD): Programmer
  • I ported OpenCM to a number of new platforms including OpenBSD/Alpha and Solaris/SPARC, and assisted in redesigning and reimplementing its internal storage architecture after the earlier design hit scaling problems.
• 2000 - 2001, Johns Hopkins University Computer Science Department (Baltimore, MD): System Administrator/Programmer
  • In the Computer Integrations with Physical Systems group, I admin'ed the labs Linux and Windows 2000 workstations and servers.
• 1999 - 2002, JHU Association for Computing Machinery (Baltimore, MD): System Administrator
  • For three years I was elected system admin by the body of the the JHU student chapter of the ACM. I was responsible for building and maintaining the chapters network and systems (Linux, OpenBSD, and NetBSD, running on a variety of x86, SPARC, PowerPC, HP-PA, and m68k systems), which were used by a number of researchers and campus groups as well as the ACM membership.

Papers and Presentations

"CUTLASS - Encrypted, Peer-to-Peer Communications for Everyone", Todd MacDermid, Jack Lloyd, Kathy Wang, and Nash Foster; ShmooCon 2005

"Cutlass - Cryptographic Protection for Everyone's Voice and Data", Todd MacDermid, Jack Lloyd, Kathy Wang; ToorCon 2004

"OpenCM: Early Experiences and Lessons Learned", Jonathan S. Shapiro, John Vanderburgh, Jack Lloyd; 2003 USENIX Annual Technical Conference, FreeNIX Track

"An Analysis of RMAC", Jack Lloyd; IACR ePrint 2002/170

Education

2003, B.Sc. Computer Science, Johns Hopkins University, Baltimore, MD