Security Engineer
October 2016 - research, security, cryptography, reverse engineering
In December 2015, Juniper Networks announced multiple security vulnerabilities from unauthorized code in ScreenOS. I worked with Stephen Checkoway, Matt Green, Nadia Heninger, and others to reverse engineer the ScreenOS firmware and demonstrate the vulnerabilities. We determined that the passive VPN decryption issue was a result of a series of intentional design choices based around the Dual EC random number generator.
August 2014 - research, security, TLS
I worked with Steve Checkoway, Matt Green, DJB, Hovav Shacham, and others to demonstrate the exploitability of a potential backdoor in NIST’s Dual EC random number generator. Provided that a server uses Dual EC to supply its TLS connections with randomness, my proof of concept program, given a single passive network capture of an HTTPS handshake, is able to retrieve the server’s long-lived ECDSA private key.
August 2014 - research, security, reverse engineering, firmware
I worked with Ben Ellis, James Mouradian, and Hovav Shacham to demonstrate an end-to-end firmware exploitation of a gaming mouse. Although many users are aware of the threats that malware poses, users are unaware that malware can infect peripheral devices. Many embedded devices support firmware update capabilities, yet they do not authenticate such updates; this allows adversaries to infect peripherals with malicious firmware. We present a case study of the Logitech G600 mouse, demonstrating attacks on networked systems which are also feasible against air-gapped systems.
May 2016 - present
application security, product infrastructure, privacy
Facebook’s Secure Application Frameworks team develops and maintains frameworks to make building applications and services at Facebook “secure by default”. I work on our authentication/privacy frameworks, and the developer experience of setting up new applications in our infrastructure (with secure defaults). I also lead our privacy incident management program through the incident management on-call rotation and the incident review process.
authentication, cryptography
The Core Infra Security team maintains Facebook’s cryptographic infrastructure, including our internal certificate authority and cryptography services and libraries. I was the primary maintainer of our application signing service, which manages keys and signing for user-facing applications as well as internal packages and device firmware.
application security, web security, privacy
As part of the Product Security team, I worked on security code/design reviews for many products, including Messenger Secret Conversations (end-to-end encryption). I also built and maintained tooling for our bug bounty program.
June 2015 - September 2015 - security, vulnerability research, mobile
Raytheon SI is a research group at Raytheon focused on software and hardware security research. While there, I worked on mobile vulnerability research with a focus on fuzzing low-level OS functions.
June 2014 - September 2014 - graphics, multiplayer, xbox one, game engines
I worked on the Xbox HEMI team to integrate Xbox Live Compute, the platform running dedicated servers on Azure for games such as Forza 5 and Titanfall, into leading game engines. As part of this integration effort, I worked closely with first party game developers such as Lionhead on their game Fable: Legends, and third party engine developers such as Epic on their Unreal Engine 4. Additionally, I worked on graphics features, such as a depth of field effect using compute shaders, and optimized them for Xbox One.
April 2014 - June 2014 - graphics, networking, game engines
In spring quarter of my third year at UC San Diego, I enrolled in the CSE 125: Software System Design and Implementation course. My 7-student team, 5 Second Rule, spent 10 weeks building Vein: Rivers of Blood, a 3D networked real-time multiplayer video game without the use of any game engines or large libraries. I was responsible for overall engine architecture, graphics, and some gameplay. At the end of the quarter, I presented our game to professors, friends, and family at a large final event.
June 2013 - September 2013 - windows, azure, .net, c#
As part of Windows Azure’s move to a more distributed API management system, I worked with the Core Runtime team to create a data replication consistency checking tool. This tool verifies that internal subscription data was properly replicated across various data centers. This tool was integrated into the code base as both a single-subscription troubleshooting tool and a long-running process that can generate quality of service reports.
June 2012 - September 2012 - ruby, selenium-webdriver, objective-c, iOS, oracle, sql
I worked as an engineering intern for Cisco in the summer of 2012 in the Cloud Collaboration Application Technology Group on the WebEx Meetings Collaboration system. In addition to fixing various Oracle database issues in the on-premise version of the system, I developed a series of black box UI tests using Ruby and the Selenium framework, and then went on to develop the prototype iOS application for our product.
August 2011 - June 2012 - php, mysql, javascript
I was hired in Summer 2011 part time to help develop sites in Variable Action’s content management system, Zesty. My job was to develop brand new Zesty websites, and to convert existing websites to Zesty. I worked with PHP and MySQL on a remote server and focused on page load times and site usability. I also helped maintain the Zesty Front End and its documentation to make sure that new developers could learn the system quickly.
June 2010 - December 2011 - matlab, maximally-informative-dimensions, statistical-analysis
I was selected out of hundreds of applicants to work in the Computational Neurobiology Lab, under Dr. Tatyana Sharpee, as part of the Salk High School Scholars program. I worked in Matlab processing large amounts of visual, auditory, and neural data, and then ran various algorithms on the data. My project was to participate in the UC Berkeley Neural Prediction Challenge, using our lab’s neural analysis algorithm, Maximally Informative Dimensions (MID), to predict neural response to natural stimuli. After completing this project, I worked to prepare various data sets for further analysis by my team’s researchers.
Class of 2015/2016 - Security, Graphics, Operating Systems, Networks, Compilers
I graduated from the five-year BS/MS program in Computer Science in Winter 2016. I completed my undergraduate study as a Computer Science major in Winter 2015. I was a recipient of the Jacobs Engineering Scholarship, which is a full scholarship (tuition, housing, food, books, etc.) awarded to only eleven students in my class.