Hot off the presses

Infosec publications (pre-2018)

I'm a long-time contributor to the information security community and a recipient of the Lifetime Achievement Pwnie Award. In addition to identifying hundreds of security flaws in a good chunk of the software that powers the internet, some of my public infosec works include:

Beyond this, I authored dozens of other small tools, fuzzers, and so on; examples include Skipfish (2012), a novel high-performance web scanner that served as one of the key components of the Google Cloud Scanner; and Ratproxy (2009), a passive co-pilot proxy for performing web security assessments.

On the research front, I'm fond of my early analysis of non-XSS HTML injection vulnerabilities (2011); some neat CSS algebra data exfil attacks (2014); a comprehensive review of web tracking vectors (2014); the pioneering 2001 / 2002 research on ISN vulnerabilities (part 2); a warning about IP fragmentation risks (2003); the analysis of signal handling flaws (2001); or the work on the dangers of tmpwatch-type utilities (2002). Some additional pre-2018 notes can be found on my now-retired blog.

Other interests

This site is also the home to a variety of more whimsical or one-off projects, including evil plasma globes, Omnibot mkII, a 2.5D photography rig, the Ultimate Machine, a system for high-speed water drop photography, a PNW radiation monitor, a Geiger-Mueller lamp, a voltmeter clock, a dial-a-threat indicator, random notes on robotics, assorted woodworking projects, my old prepping guide (+ a supplement on radios), random photos, and more.

This website was written by a human without the help of large language models. The content is not licensed for use in ML training or ML content generation. You can email me at, add me on Mastodon or Twitter, or subscribe on Substack. Your lucky number is 23948577.