I gave my first DEF CON talk at fourteen. Most of my life since has been spent on one side or the other of the systems built to keep people out — first breaking them, then keeping automation running against them at scale.

For the better part of a decade I built and maintained large-scale scraping and automation infrastructure — collection layers serving thousands of clients across millions of accounts, run across Google Cloud, AWS, Hetzner, DigitalOcean, Linode, a few other providers, and bare metal. Most of the work was unglamorous: reverse-engineering Akamai, PerimeterX, and Datadome, then fixing the drop in success rate whenever a vendor shipped a new challenge, and keeping the platform up as traffic grew.

I’m independent and between roles right now. These days I study those same systems more to understand how they’re built than to get around them. The full history, including a recent stint on reproducible build pipelines for regulated medical-device software, is on the work page.

What I’m digging into

Lately I’ve been going deeper into ECMAScript itself — the spec, the engines, the parts of the language most people never need to touch. I got there through reverse-engineering anti-bot scripts, which turns out to be a fast way to learn how malware hides itself and moves data around. Defenders and attackers use a lot of the same techniques; reading one side teaches you the other.

How I work

I work mostly in JavaScript, TypeScript, and shell. Somewhere in the Automatiq years I learned to read Elixir and ended up genuinely fond of functional programming — it keeps state easy to follow and makes failures predictable. I like systems built to survive: fault tolerance, backpressure, and the assumption that anything upstream can fail or send bad data at any time.

Beyond the keyboard

I love literature, history, and the liberal arts. I think a public with no grounding in them is worse off for it, and that no amount of technology is going to solve the basic problems of being human. I write about where that meets security and software on the blog — and on mindwise when the subject is purely infosec.

Selected recognition

  • Featured by Krebs on Security for identifying the point of compromise in the Jason’s Deli breach — card-fraud clustering, later cited in their reporting (2017).
  • DEF CON 20 — “Not-so-Limited Warranty: Target Attacks on Warranties for Fun and Profit,” presented at fourteen (2012).
  • 1st place, Instructables Explore Science Contest, for a high-altitude research balloon that reached 100,000 feet (2015).
  • MIT Promise of the Future Award (2012).

Certifications

Google Cloud Professional Cloud Architect · CompTIA Security+ · Burp Suite Certified Practitioner.

Reaching me

Preferred contact is Signal. Email works too, or any of the links below.

sourcehut · LinkedIn · X · Mastodon · nicomee@riseup.net