@lrvick
Created April 10, 2022 23:59
---
basics:
  name: Lance R. Vick
  label: Security Engineer
  picture: 'https://lance.dev/img/profile.jpg'
  email: [email protected]
  phone: 650.686.8819
  irc: [email protected]
  url: 'https://lance.dev'
  matrix: 'lrvick:matrix.org'
  location:
    countryCode: US
    address: 'P.O. Box #51687'
    city: Palo Alto
    region: CA
    postalCode: '94303'
  pgp:
    fingerprint: E90A401336C8AAA9
    url: https://lance.dev/keys/E90A401336C8AAA9.asc
  profiles:
    - network: Mastodon
      username: [email protected]
      url: https://mastodon.social/@lrvick
    - network: Git
      username: [email protected]
      url: https://github.com/lrvick
  summary: |-
    I thrive on shipping best-in-class strategy and implementations for
    securing assets and data from theft or abuse.
    Specialties of mine include general security architecture, vulnerability
    assessment & mitigation, authentication schemes, hardware security modules,
    supply chain attack mitigation, PII protection, web application hardening,
    system architecture, and Linux/*BSD hardening/automation.
    Over the two decades I have been working in this space, I have started
    multiple companies, designed and deployed hundreds of projects, and solved
    problems for many Fortune 500 companies.
    If you have interesting security or scaling challenges, we should talk.
languages:
  - language: en
    fluency: Native Speaker
  - language: es
    fluency: Basic
work:
  - name: Distrust Consulting
    website: https://distrust.consulting
    position: Founder, Lead Security Engineer
    startDate: '2021-02-01'
    summary: |-
      Develop, implement and teach tools and strategies that distribute trust
      away from any single person or component.
    highlights:
      - Linux infrastructure security auditing, design, and hardening
      - Full-stack security audits
      - HSM design and integrations for PII and high value key material
      - Remove human and system SPOFs across every layer of a system
      - Offline cold storage design, training, and tooling
  - name: Polychain Labs
    website: https://polychainlabs.com
    position: Senior Security Engineer
    endDate: '2021-03-01'
    startDate: '2020-06-30'
    summary: |-
      Facilitate the secure asset custody and participation in novel
      decentralized finance systems, and continually reduce risk in
      every area practical as they mature both internally and upstream.
    highlights:
      - Custom firmware, OS, and ceremony development for offline signing
      - Custom multisig software supply chain integrity design and tooling
      - Linux infrastructure security auditing, design, and hardening
  - name: BitGo
    endDate: '2020-04-30'
    position: Lead Security Engineer
    startDate: '2017-08-31'
    summary: |-
      Financial services firm specializing in HSM-backed multi-sig crypto-asset
      custody APIs and key management tooling used, often by white-label, by
      hundreds of financial products.
    highlights:
      - Custom firmware, OS, and ceremony development for offline signing
      - Custom multi-sig software supply chain integrity design and tooling
      - Linux infrastructure security auditing, design, and hardening
      - Multi-user gated bastion design and implementation
      - Deployed HSMs to all employees for signing, auth, and encryption
      - Designed Pub/Sub Linux/OSX workstation management via signed Git repos
      - Designed tamper evident laptops, HSMs, and vaults for secure signing
      - Designed and led implementation of HSM based, e2e encrypted PII system
      - Created and managed bug bounty program
  - name: Fitbit
    endDate: '2017-08-31'
    position: Senior Site Reliability & Security Engineer
    startDate: '2016-12-31'
    website: https://www.linkedin.com/company/fitbit/
    summary: |-
      Surveillance capitalism and marketing firm that collects and studies the
      health and location data of more than 30 million users via custom devices
      they voluntarily purchase and wear. Now owned by Google.
    highlights:
      - Assisted in infrastructure migration from Pebble to Fitbit
      - Linux infrastructure security auditing, design, and hardening
      - Deployed HSMs to prod eng team for signing, auth, and encryption
      - Researched and designed production user and secret management systems
      - Transitioned infrastructure acquired from Pebble
      - Upgraded and maintained container orchestration systems
  - name: Pebble
    endDate: '2016-12-31'
    position: Security & Web Operations Lead
    startDate: '2014-06-30'
    website: https://www.linkedin.com/company/allerta-incorporated/
    summary: |-
      A wrist-worn computing platform with an e-paper display known for long
      battery life, hackability, compatibility, and a strong independent
      developer ecosystem producing thousands of apps and watchfaces.
    highlights:
      - Started and ran bug bounty program
      - Linux infrastructure security auditing, design, and hardening
      - Rebuilt Pebble App Store from the ground up, decreasing load times 90%
      - Migrated company to custom git based CI/CD and infra-as-code system
      - Developed real-time data streaming API backend and sample apps
      - Managed and enforced company security policy and technical controls
  - name: Accesso
    endDate: '2014-05-31'
    position: Senior Software Engineer
    startDate: '2013-02-28'
    website: https://accesso.com
    summary: |-
      White label retail ticket sales and shipping platform embedded in the
      websites and kiosks of hundreds of major tourist attractions worldwide.
    highlights:
      - Led rewrite of all products from Flash to HTML5/JS and Web Sockets
      - Wrote and rolled out company's first CI/CD system
      - Wrote first end-to-end testing suite and tests for company products
      - Wrote ticket platform embedding SDK
      - Frequently helped with architecture and security on IT and Infra teams
  - name: Tawlk
    endDate: '2013-02-28'
    position: Founder, CTO
    startDate: '2011-02-28'
    website: https://www.linkedin.com/company/tawlk/
    summary: |-
      A free social search and analytics engine providing real-time social
      media postings and their aggregate reach, volume, and sentiment for any
      topic across over a dozen social media services.
    highlights:
      - Deployed near real-time social data stats and search engine
      - Wrote novel (and published) distributed social data aggregation system
      - Designed and implemented ~80% accurate sentiment classification system
      - Co-developed real-time "social credit score" system for any topic
      - Implemented SDK and support for over a dozen social data APIs
      - Wrote custom spec and database schema for all social data formats
  - name: GoConvergence Film & Television
    endDate: '2013-02-28'
    position: Technology Director, Lead Engineer
    startDate: '2009-05-31'
    website: https://thegoco.com
    summary: |-
      Film and technology firm supporting a wide range of industries in
      film production, studio buildouts, and production of custom interactive
      media for theme parks, hotels, and museums worldwide.
    highlights:
      - Provided security reports and recommendations to advise clients on risk
      - Led development of a 360 projection military combat simulator
      - Led implementation of access card based health training facility
      - Built websites for major finance, aircraft, hotel, and retail brands
      - Developed control systems for all displays in sales showrooms
      - On-site consulting and training for all clients I built for
  - name: Cross-Technical, LLC
    endDate: '2009-05-31'
    position: Founder, Lead Engineer
    startDate: '2008-04-30'
    website: https://www.linkedin.com/company/cross-technical-llc/
    summary: |-
      Full-stack technology consulting and engineering firm.
    highlights:
      - Web development for local brands
      - Wireless mesh networking for hotels and consenting neighbors
      - PC and server repair, networking, installation, and training
      - Linux and open source software deployment and training
      - Security advice and planning for offices and homes
      - Recycled hundreds of PCs to sell as affordable Linux workstations
  - name: Tractor Factory Inc.
    endDate: '2007-03-31'
    position: IT Manager
    startDate: '2006-09-30'
    website: ''
    summary: |-
      Tractor manufacturing, sales, repair, delivery, and training serving most
      of the continental US.
    highlights:
      - Obtained, maintained, and trained employees on all technology used
      - Research and competitive analysis on customers and competitors
      - Developed and maintained online sales showroom
      - Tractor sales, marketing, delivery, and on-site training
      - Mailroom and email marketing automation
  - name: Budget PC
    endDate: '2004-05-31'
    position: PC Repair Technician
    startDate: '2002-01-31'
    website: ''
    summary: |-
      PC repair and technology consulting retail establishment serving central
      Indiana.
    highlights:
      - First tech job, worked during high school
      - Started as intern and left as a senior repair technician
      - Assisted with sales, deployment, and training
volunteer:
  - organization: 'Hashbang Community'
    position: Founder, Mentor, Lead Engineer
    website: 'https://hashbang.sh'
    startDate: '2002-01-01'
    summary: |-
      Nomadic collective of curious people promoting security, privacy, and
      digital sovereignty through community, mentorship, documentation,
      open source software, public access unix systems, and open network
      services.
    highlights:
      - Provides IRC, mail, and unix shell services for over 10,000 users
      - Developed PostgreSQL based Unix user and SSH key management system
      - Maintain public security hardening practices for Debian
      - Developed signed git based CI/CD for rootless community administration
      - Engages in live "security unboxing" group pentesting for fun
      - Promotes higher security standards in critical software supply chains
  - organization: Faces Of The Homeless - National Coalition for the Homeless
    position: Speaker
    website: ''
    startDate: '2009-11-30'
    endDate: '2011-07-31'
    summary: |-
      Program started by Americorps VISTA to educate the public on poverty
      issues through speaking engagements led by currently or formerly homeless
      people.
    highlights:
      - Shared my own story of homelessness at dozens of locations in Florida
      - Led lectures at local colleges on helping the homeless re-integrate
education:
  - institution: '#! Community'
    area: Decentralized Tech Mentorship
    courses:
      - "Information Security & Privacy"
      - "Engineering Ethics"
      - "Linux Systems Internals"
      - "Computational Demonology"
    startDate: '2003-01-01'
  - institution: Ivy Tech
    area: Information Technology
    studyType: ''
    startDate: '2001-12-31'
    endDate: '2002-12-31'
    courses:
      - A+ Certification
awards: []
publications:
  - name: 'CVE-2018-9234 - GnuPG: Able to certify public keys without a certify key
      present when using smartcard.'
    publisher: Mitre
    releaseDate: '2018-04-03'
    website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9234
    summary: GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification
      requires an offline master Certify key, which results in apparently valid certifications
      that occurred only with access to a signing subkey.
  - name: 'CVE-2018-9057 - Terraform: Weak password generator for AWS IAM roles'
    publisher: Mitre
    releaseDate: '2018-03-27'
    website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9057
    summary: aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon
      Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm
      and seeding, which makes it easier for remote attackers to obtain access by leveraging
      an IAM account that was provisioned with a weak password.
  - name: Hybrid Browser / Server Collection of Streaming Social Media Data for Scalable
      Real-Time Analysis
    publisher: Association for the Advancement of Artificial Intelligence
    releaseDate: '2012-06-02'
    website: http://www.aaai.org/ocs/index.php/ICWSM/ICWSM12/paper/view/4787
    summary: Inexpensive method for acquiring social media data by distributing workload
      between browsers and servers as appropriate to drastically reduce infrastructure
      needs.
skills:
  - name: Digital Security
    level: 'Proficient'
    keywords: [Linux Hardening, Firewalls, HSMs, Code Review, Reverse Engineering, Software Supply Chain Integrity]
  - name: Physical Security
    level: 'Moderate'
    keywords: [Covert Entry, Lock Picking, Rekeying, Alarm Systems, Tamper Evidence, NSA TEMPEST, NATO SIDP-27, FF-L-2740]
  - name: Applied Cryptography
    level: 'Proficient'
    keywords: [E2E Encryption, Threshold Signing, Multi Party Computation, Ceremony Design, Measured Boot, Notary, GnuPG, Gemalto, Yubico, PKCS#11]
  - name: Software Engineering
    level: 'Proficient'
    keywords: [Unit Testing, End-to-End Testing, Architecture, Access Controls, Documentation]
  - name: Web Development
    level: 'Proficient'
    keywords: [Angular, Django, Rails, Flask, Express, Koa]
  - name: Embedded Development
    level: 'Proficient'
    keywords: [Arm, RISC-V, Arduino, ESP32, Platform.IO, Buildroot, Android]
  - name: System Administration
    level: 'Proficient'
    keywords: [Linux, Arch, Alpine, NixOS, CoreOS, Flatcar, Debian, RedHat, Gentoo, QubesOS, FreeBSD, OpenBSD, pfSense, TrueNAS, Nginx, RabbitMQ, haproxy, SystemD, OpenLDAP]
  - name: Databases
    level: 'Proficient'
    keywords: [PostgreSQL, MySQL, Sqlite, Redis, Memcache, Etcd, Zookeeper]
  - name: Codified Infrastructure
    level: 'Proficient'
    keywords: [Docker, Ansible, Chef, Puppet, Kubernetes, Helm, Kustomize, Aurora, Terraform, AWS Cloud Formation]
  - name: Continuous Integration
    level: 'Proficient'
    keywords: [Gitlab CI, GitHub CI, Lambci, Jenkins, Git Hooks]
  - name: Cloud Computing
    level: 'Proficient'
    keywords: [AWS, Digital Ocean, Google Cloud Platform, OVH, Hetzner, Softlayer, Atlantic.net, DreamHost, Rackspace, Media Temple, Heroku]
  - name: Shell Scripting
    level: 'Proficient'
    keywords: [Bash, Zsh, Make, Awk, Sed, Curl, Jq]
  - name: Programming
    level: 'Proficient'
    keywords: [Bash, Python, JavaScript, CSS, HTML]
  - name: Programming
    level: 'Moderate'
    keywords: [Go, PHP, Ruby, Tcl, Perl, Lua]
  - name: Programming
    level: 'Functional'
    keywords: [Rust, C, C++]
  - name: Compliance
    level: 'Moderate'
    keywords: [SOC2, PCI]
interests:
  - name: Digital Sovereignty
    keywords: [Self Hosting, Supply Chain Integrity, Decentralization, Federation, Crypto Assets, Data Rights, Web Of Trust]
  - name: Teaching
    keywords: [Hackerspaces, Workshops, Mentoring, Documentation]
  - name: Homesteading
    keywords: [Egg Farming, Gardening]
  - name: Engineering
    keywords: [Audio, Robotics, Multirotors, Mechanical, Puzzles, Ham Radio, Machine Learning, Home Automation]
  - name: Making
    keywords: [CAD, Robotics, Multirotors, 3D Printing, Laser Cutting, Woodworking, CNC, PCB Fabrication]
  - name: Research
    keywords: [Security Anthropology, History, Law, AI]
  - name: Entertainment
    keywords: [Locksport, Ranting, Cardistry, Yo-Yoing, Magic, Bad Humor]
  - name: Biohacking
    keywords: [Tech Implants, Wearable Electronics, CRISPR]
  - name: Pets
    keywords: [Birds, Amphibians, Fish, Reptiles]
  - name: Music
    keywords: [Punk, Screamo, Electronic, Folk]
  - name: Transport
    keywords: [Electric Skateboards, Motorcycles]
references:
  - name: Jansen McQuivey
    reference: I've worked with Lance extensively during our overlapping tenure at BitGo.
      From the get go, I could tell that Lance knows security. His passion is palpable;
      beyond concerning himself with the well-being of company systems, he preoccupied
      himself with the personal security of each of his coworkers. He is also very aware
      of the vulnerability landscape, and helped steer the company in the right direction
      multiple times when picking technologies. Security threats are constant, but Lance
      is even more tenacious.
  - name: Chase Sillevis
    reference: As Lance's team member for the past year, I've benefited from his creativity
      and aptitude for solving hard technical problems. Lance was directly responsible
      for handling incoming requests and delegating company wishes to the team. Thanks
      to Lance's expertise and commitment, the company was a much safer and more secure
      working environment. He would never pass a chance to see if he could poke security
      holes in any side-project someone would set up. As a colleague, Lance is extraordinarily
      generous with his time and sharing expertise. He will never tell you the answer,
      but rather guide you along the way so you can learn how to get to the answer yourself.
      His humor, colorful past and unique personality make Lance one of the best people
      I have ever had the pleasure of working with. I'd be happy to answer any questions
      you might have about his specific skills and experience.
  - name: Aaron Heckmann
    reference: Lance is a security conscious, production engineer with great communication
      skills. I worked with Lance at Pebble for over two years with him at first as
      a direct report of mine and later as my peer, during which time he tackled
      a wide variety of challenges from an Angular mobile app to developing our deployment
      platform to being our hands-on production engineering lead. Lance was confident
      yet not cocky, had a positive can-do attitude and excelled with Linux, Docker,
      shell scripting and AWS. I would gladly work with Lance again.
  - name: Geoff Scott
    reference: Lance is a very self-motivated developer capable of taking extremely
      hard problems and solving them quickly and efficiently. He has immense logical
      and analytical skills coupled with an amazing creativity which creates the perfect
      combination needed for a successful developer or any position in the technology
      field. I worked with him in a major version milestone of our company's software
      that required a complete gutting of the system, and his knowledge and understanding
      of both development and systems helped immensely in our communications to swiftly
      and successfully complete the project.
  - name: Titus Soporan
    reference: Upon meeting Lance three years ago I've always known him as a fun, spontaneous
      guy who excels at what he does. He is proficient in computer security, multiple
      programming and scripting languages, and is an all around tech guru. He's a great
      motivator and has encouraged me in my programmer's walk multiple times. I'd recommend
      him for any computer-related task and would be confident in doing so; to this
      day I still look up to Lance and seek his advice.
  - name: Henry Timm
    reference: Lance demonstrates a drive few IT professionals possess and has a large
      amount of technical knowledge to back it up. I would trust him to adequately
      handle any project given to him and likely surpass any expectations. He is an
      excellent contact to have and the right guy to put on your most critical job.
  - name: David Pflug
    reference: "Lance is very charismatic, able to work very well with clients and help
      them understand. He's very good at making sure everyone is on the same page, and
      goes out of his way to ensure clients are happy with his work.\r\n\r\nWhen he's
      on a project, he will work with a single-minded focus. He is extremely clever,
      often combining many different techniques to arrive at a better solution.\r\n\r\nIn
      web design, he has an eye for layout, but doesn't sacrifice browser compatibility
      or standards in order to create what he wants. He spends much time with clients,
      helping narrow down what it is they want, and then creates, making sure they are
      satisfied with the end result."