Email: mock at obscurity dot org

I am a developer with a broad background in every level of the software development process and I understand the fundamentals of building secure scalable software applications. I have presented at numerous conferences on my tools and research, and I have released several open source modules which are freely available.

Technical Skills

programming with Perl since 1997
recent experience with: Catalyst, POE, mod_perl 2.0 and Template Toolkit
programming and sysadmin experience on most UNIX variants
experience with: Flex/ActionScript, C, python, php, javascript, x86 assembler
experience with low level network programming (raw sockets, DNS implementations, apache bucket brigades)
good grasp of XML, YAML, Unicode, RDF, SOAP, JSON and web 2.0 technologies
experience with SQL, ORMs and reorganizing database schemas

Employers

2007 to present Enquisite
Senior Developer
Designed and built a scalable web analytics data collector using asynchronous frameworks (STOMP, POE, MogileFS). I also built several RIA products using the Adobe Flex framework that used the collected data to detect fraud and increase customer ROI on pay-per-click ad buys.

2004 to 2005 MailChannels
Founder, CTO, Lead developer
Designed and developed prototype of second generation anti spam software, using apache/mod_perl. You can read what one of my team wrote about it here: http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html
Recruited and managed team of world class developers

2002 to 2004 SimplyMarketing Inc.
CTO, Senior software developer
Designed and developed custom e-commerce engine, search engine optimization software and supply chain management software using mod_perl and mysql on unix servers.
Recruited and managed IT and development team

2001 Strategic Profits Inc.
Developer, Sysadmin, Security Officer
Audited internal code for security and drafted company security policy
Worked on implementation of VISA 3dsecure secure payment system

1998 to 2001 ActiveState Tool Corp.
Sysadmin, Developer
Managed many different flavours of servers, including NT 4.0 cluster, 4 distributions of Linux, Solaris, HP-UX, FreeBSD and OpenBSD. Did essential system administration tasks such as backups, security patches, server deployment, and support of a large group of developers and QA people on those systems as well as a high traffic web server (ASPN).
Wrote first anti-spam/anti-virus filter for PerlMX (which became Sophos PureMessage)
QA and testing of all ActivePerl and ActivePython builds

Conferences

Organizer of CanSecWest (2001 to present), PacSec (2003 to present), EuSecWest (2006 to present), BA-con (2008).
Wrote all registration and management software using Catalyst MVC framework and mod_perl. Registration works in three languages and three currencies.
Wrote perl module for SOAP interface to credit card processor (available on CPAN)
Wrote first perl module to interface with PayPal (available on CPAN)

2007 YAPC::Europe
"Building Scalable Data Collection" revealed some of our techniques for scaling our data collection system, the differences between some of the asynchronous frameworks, and how to re-use common web scaling techniques for purposes they were never intended for.
"How to Find Vulnerabilities in Perl Code" a talk on how to successfully audit perl software for security flaws, and some common anti-patterns which can lead to vulnerabilities.

2006 YAPC::Europe
"MVC: More Vulnerable Code" a talk about security vulnerabilities in Web 2.0 frameworks and technologies. Includes the CGI param injection attack, CSRF and XSS vulnerabilities in Plagger and SQL injection in DBIx::Class.
Slides are available at: http://sketchfactory.com/static/mvc.pdf

2005 YAPC::Europe
"Serving DNS with mod_perl and Apache" further work on extending the mod_perl to serve new protocols. Allowing it to serve UDP and act as a DNS server.

2004 YAPC::Europe
"Building a Mail Server with Apache and mod_perl" how to use the apache bucket brigade features to implement an SMTP server on top of Apache/mod_perl. This code can be found on CPAN and some of it is used in the MailChannels product.
"Multiplexing Business::OnlinePayment" explanation of a module hack which allows multiple credit card processors to be used at the same time (or in fail over) while preserving the standard API. Code can be found on CPAN for this module.

2003 YAPC::Europe
"Network Security Tricks with Perl" a talk about rewriting the low level socket functions in perl so as to be able to manipulate raw socket headers while still using high level network protocol libraries.

2000 O'Reilly Open Source Conference
"Automation of Code Auditing for Security" a lint-like tool for finding common vulnerabilities in perl code, and a spider and bruteforcer for discovering unknown vulnerabilities in web applications.

Other Publication

In October 2006 I released a security advisory on a new class of vulnerability in perl web applications. While the writing style is very tongue in cheek, the vulnerability is quite serious - and widespread in production code, as revealed by a google code search for the relevant pattern. You can read it at: http://sketchfactory.com/static/perl-param-injection.txt

Example Code

My CPAN code can be found here: http://search.cpan.org/~mock/