David E. Thiel
San Francisco, CA
lx-jobs2012@redundancy.redundancy.org

Experience

Principal Security Consultant → VP, iSEC Partners, Inc.
July 2006 - Present
• White box and black box penetration testing of a wide variety of high-profile web applications, desktop software, server software, embedded devices and network environments.
• Security architecture review of production infrastructure and software, as well as embedded device architecture, communication and encryption schemes.
• Extensive writing and typesetting of technical documentation.
• Research in the areas of media technologies, rich web content, and mobile devices.
• Management of security consultants.
• Source review of applications in C, C++, Java, C# and Objective-C.
• Development work in Python on public and private internal tools.
• Debugging and exploit development for software in C/C++.

Security Architect, Shopping.com → eBay
December 2004 - July 2006
• Designed, implemented, and wrote tools to support a Kerberos/LDAP-based centralized authentication and authorization system, for both UNIX systems and in-house applications.
• Implemented host-based intrusion detection and centralized logging for 2000+ UNIX and Windows machines, creating custom tools for HIDS event reporting and host management.
• Deployed and performed daily maintenance and monitoring of a Sourcefire-based Network Intrusion Detection System for corporate offices and multiple production hosting facilities.
• Conducted application penetration testing against in-house applications, reporting security weaknesses and risk analyses to engineering groups for correction. Used both automated and manual means for vulnerability detection.
• Defined access control policies for role-based authorization and privilege escalation in production and development environments, using sudo, cfengine, and LDAP-based access control.
• Instrumental in Sarbanes-Oxley compliance efforts, owner of the majority of systems, network and information security controls. Wrote internal security policies and standards, worked to identify potential areas of deficiency, and led efforts to correct them.
• Managed vendor selection, security product evaluation, and dedicated security budget.

IT Manager (Part-time Contract), Jigsaw Data Corporation
October 2004 - June 2005
• Conducted penetration testing on in-house developed applications, production networks, and production systems and devices. Assisted in resolution of exposed security weaknesses.
• Responsible for purchase, configuration, testing and administration of production x86 Linux systems, Cisco PIX clusters, switches, Cisco LocalDirectors, RAID arrays, and corporate development/QA labs.
• Managed equipment selection and purchasing to expand datacenter environment, adding in full network and system redundancy, load balancing, and network segmentation.
• Worked with engineering team to identify and eliminate performance bottlenecks and plan for future capacity requirements.

Systems/Security Architect, NetEnrich, Inc.
November 2004 - May 2005
• Designed and built prototype KVM/Datacenter management appliance in an early-stage startup environment.
• Designed secure architecture for encrypted communications between client, management appliance, and KVM controllers.
• Performed OS customization/hardening/minimization, webserver configuration, and application reliability testing.
• Worked with hardware vendors to design x86-based appliance prototypes meeting cost and performance requirements.
• Wrote user interface and back-end for OS and application configuration.

Security Administrator, WagerWorks, Inc.
August 2002 - July 2004
• Designed and applied security policies to production OSes and applications, including the hardening of Solaris, Linux, Apache, WebLogic, remote access, DMZ design, proxy architecture, firewall security, and DNS and mail services in an online gaming ASP environment serving several high-profile casinos.
• Designed mechanisms and network devices to mitigate DDoS attacks on customer sites; worked with backbone providers and law enforcement to combat organized attacks.
• Conducted comprehensive penetration testing program, exposing and correcting weak points in both public and corporate network security.
• Implemented centralized intrusion detection with Snort, MySQL and Samhain, collecting data over secure channels from local and remote locations to a central database and display system for analysis.

Sr. Hosting Operations Engineer, NexPrise, Inc.
June 2000 - June 2002
• Design, administration and maintenance of Solaris, FreeBSD, and Linux server environment in a 3-tier ASP architecture, with a focus on redundancy, reliability, and security. Clients primarily Fortune 100 companies.
• Security auditing and enhancement of the product and hosting offerings, including active and passive intrusion detection, cryptographic authentication, penetration testing, and DoS resistance. Developed and implemented policies to improve production site security.
• Configuration, hardening, and maintenance of Oracle, Apache-SSL/Jserv/Tomcat, IPF-based firewalls, qmail, POP3, IMAP/SSL, and sendmail.

Computer Specialist, US Department of the Interior, USGS
July 1999 - May 2000
• Administered Solaris, FreeBSD, Linux, DG/UX, Windows NT, and WinNT Terminal Server Edition servers in a datacenter environment.
• Implemented server and network security best practices, including extensive use of encryption, BSD login classes, chrooted server applications, host and router-based packet filtering, TCP wrappers, intrusion detection, and proactive security auditing.
• Assisted and instructed other districts nationwide in implementing similar security procedures as part of the national WRD Security Team.

Systems Administrator/HW Technician, DCWI, Inc.
June 1995 - May 1999
• Assisted in configuration and maintenance of FreeBSD servers, Cisco routers, and modem banks for a local ISP of approximately 1000 customers.
• Performed troubleshooting, repair, and upgrading of third-party manufactured systems, peripherals, and software. Installation and maintenance of corporate LANs.

Publications and Software

• Ports committer, FreeBSD (http://www.freebsd.org)
• Author/Presenter, Secure Development on iOS (Mobicase 2010, SOURCE Boston 2011, PacSec 2011): https://www.isecpartners.com/storage/docs/presentations/iOS_Secure_Development_SOURCE_Boston_2011.pdf
• Co-author/Presenter, Living in the RIA World (Black Hat Vegas 2008, DEFCON 16, PacSec 2008, SyScan HK 2009): https://www.isecpartners.com/files/RIA_World_BH_2008.pdf
• Author/Presenter, Exposing Vulnerabilities in Media Software (Black Hat Vegas 2007, Black Hat EU 2008): https://www.isecpartners.com/files/iSEC_Thiel_Exposing_Vulnerabilities_Media_Software_Presentation.pdf
• Author, Fuzzbox: https://www.isecpartners.com/fuzzbox.html
• Author, Nihongobot: http://redundancy.redundancy.org/nihongobot.html
• Author, Mobile Application Security, 2010, McGraw Hill

Skills

Security: Application and network penetration testing, protocol analysis, fuzzing, architecture review, source code review, anti-DDoS, IDS
Languages: Python, LaTeX, Objective-C/C/C++, Bourne and Java. Mildly conversational in Japanese.
Operating Systems: FreeBSD 2.x-8.x, Solaris 2.6-10, MacOS X, Linux (RedHat, Fedora, Ubuntu), OpenBSD, Windows XP/Vista/7, Citrix Metaframe, Cisco IOS, DG/UX

PGP: http://redundancy.redundancy.org/lx.gpg
Fingerprint: 482A 8C46 C844 7E7C 8CBC 2313 96EE BEE5 1F4B CA13

This resume is also available at:
http://redundancy.redundancy.org/resume.pdf
http://redundancy.redundancy.org/resume.html
http://redundancy.redundancy.org/resume.txt