Donald T. Davis
148 School St., Somerville, MA 02143
(617) 629-3010 H    (857) 259-7101 C
don@mit.edu    http://world.std.com/~dtd

objective

Hard problems in network security and cryptography.

skills

Large-scale network security, secure protocol design, cryptography, P2P,
Unix kernel internals, compiler design.
C, C++, Perl, Python, R, S+; Windows, Linux, BSD, Lisp, assemblers, DBMS apps.
Clear design, performance-tuning, thorough debugging; good written & oral
communication. Strong mathematical skills, including Statistics, Fourier
Analysis and Queuing Theory.

experience

2013-2014  Yottaa  Boston, MA
Software Engineer: Security & performance improvements for a
web-optimization network.

2010-2013  IBM  Atlanta, GA
Advisory Software Engineer: Designed and implemented a high-speed
packet-filter algorithm for a new firewall product. This filter extended a
research result, so as to match 12 packet fields. My packet-filter is also
faster than expected, and exceeds future performance requirements.

2009  Red Hat  Westford, MA
Tech Lead for integrating MIT's Kerberos with Samba4, a Unix-based
Open-Source replacement for Win2003 Server Active Directory. Extended the
python-KrbV module.

2006-2008  Cisco Systems  Boxborough, MA
Senior technical lead (one of four) for Cisco Security Agent, an
intrusion-prevention product. Designed & built (in C++) a new Data Leakage
content-scanner for the CSA product, with a 1-ppm false-positive rate for
SSNs & credit-card numbers, that is very fast (avg. 30 msec per file).

2004-2006  Intrusic  Burlington, MA
Security Programmer: Conceived, designed, and built (in C) a real-time
data-mining system for network-security forensics. My system analyzed
packet-captured network sessions in real-time, identifying each session's
network protocol with 99% accuracy, so as to detect tunneled protocols in
malicious network sessions. Designed cryptographic sys-admin protocols.

2002-2004  Network Security Consultant / Cryptographer  Cambridge, MA
Various Startups: Security reviews, designs, and advice for product
features, security protocols, and system implementations. Clients included
a file-encryption vendor, two wireless-networking vendors, an
email-filtering vendor, and a European cryptography vendor.

2000-2002  Curl Corp.  Cambridge, MA
Corporate Architect
Technical lead for all security decisions about a new applet language.
Developed a new applet-security system for the language and runtime system
(see patents, below). Designed Curl's cryptographic protocol for
micropayments and license-enforcement.

'99-2000  Shym Technology  Needham, MA
Security Architect
Responsible for security decisions, for Shym's PKI middleware products.
Designed Shym's cryptographic protocols. Wrote low-level cryptographic code
in C++. Found and repaired a cryptographic flaw in several secure-email
standards specifications (pub. [01a,01b], next page). Prepared and taught an
in-house crypto course for junior programmers.

'94-2000  Network Security Consultant / Cryptographer  Boston, NYC, Chicago
Perfectway: Lead developer for a large-scale intrusion-detection system,
written in Perl.
System Experts: Memory-leak cleanup in MIT's Kerberos distribution. Repaired
the Kerberos protocol's reliance on synchronized clocks [95a]. Prepared
network security analyses & designs for large corporate & financial clients,
including: very-large-scale security systems for ISPs, single-sign-on for PC
networks, TCP/IP security, & WWW security [95b]. Designed a scalable &
secure ACL-mgt system for a 1M-user national network. Analyzed
electronic-trading protocols.
Open Market: Designed and implemented a high-performance, cryptographic RNG
as a kernel-level pseudo-device driver [94] (Linux's /dev/random RNG uses my
approach). Analyzed key-management flaws in the public-key infrastructure
[96a].
Prepared security analyses for e-commerce products, including
access-control, transaction-handling, and key-management services. Designed
a smartcard-mediated transaction protocol [96b].

'91-'94  Geer Zolot Associates / OpenVision Technologies  Cambridge, MA
Network Security Architect
Prepared network security analyses for large financial firms. Designed a
Kerberos-compatible access-control system. Designed an integration of the
Kerberos and SecurID authentication systems. Analyzed encryption algorithms
for weaknesses.

'87-'91  MIT / Project Athena  Cambridge, MA
Systems Programmer III
Large-scale distributed systems design: Designed a novel key-distribution
protocol [90b]. Designed the peer-to-peer and rkinit protocol for the
Kerberos authentication system [90a] (the P2P protocol is part of Globus, a
distributed computing system used by various U.S. National Labs, and is used
by the Xbox gaming system). Designed and built a cryptographically secure
RNG, also for Kerberos [94]. Designed & built an early system for networked
software update [89]. Built network tools. Fixed kernel bugs. Managed
software releases for two Unix source-trees [89].

'82-'86  Intermetrics, Inc.: Compiler Programmer  Cambridge, MA
'81-'82  Iotron Corp.: System Mother/Toolsmith  Bedford, MA
'80-'81  MITROL: DBMS QA Toolsmith  Burlington, MA
'78-'80  Prime Computer: Compiler Maintenance  Framingham, MA

education

'73-76, '84-86  Massachusetts Institute of Technology '86  Cambridge, MA
B.Sc. in Mathematics, Linguistics minor. Most of my Math coursework was
graduate-level.

publications

My research articles are cited in Schneier's Applied Cryptography, the CRC
Handbook of Applied Cryptography, Internet RFCs, Internet Drafts, and other
well-known articles and books about computer security. Further, various of
my papers have been taught in computer-security courses in the U.S. and
around the world, including: CMU, Stanford, Yale, UIUC, NYU, U.Penn,
Syracuse, the U.S.
Naval Postgraduate School, and in Germany, at the Universities of Mainz,
Paderborn, and Eindhoven. Abstracts, PDF, and PostScript for my papers are
available at: http://world.std.com/~dtd .

[03]  "Privacy and Security Issues in E-Commerce" Chapter 39 in: Derek C.
      Jones (ed.), New Economy Handbook, San Diego: Academic Press/
      Elsevier, 2003, pp. 911-930. (With Mark S. Ackerman.)

[01b] "Defective Sign-and-Encrypt," Dr. Dobb's Journal, Nov. 2001.

[01a] "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML,"
      Proc. USENIX Tech. Conf. 2001 (Boston, MA, 2001), pp. 65-78.

[96b] "Token-Mediated Certification and Electronic Commerce" (with Daniel
      Geer.) USENIX Workshop on Elec. Comm. (Oakland, CA, 1996), pp. 13-22.

[96a] "Compliance Defects in Public-Key Cryptography" USENIX Security Symp.
      (San Jose, CA, 1996), pp. 171-178.

[95b] "Kerberos Plus RSA for World Wide Web Security," USENIX Workshop on
      Elec. Comm. (NYC, 1995), pp. 185-188.

[95a] "Kerberos With Clocks Adrift: History, Protocols, and Implementation,"
      USENIX Comp. Sys. 9:1 (Jan. 1996), (with D. Geer and T.Y. Ts'o.) Also
      in USENIX UNIX Security Symp. (Salt Lake City, 1995), pp. 35-40.

[94]  "Cryptographic Randomness from Air Turbulence in Disk Drives," In
      Advances in Cryptology CRYPTO '94 Conf. Proc., ed. by Yvo Desmedt,
      pp. 114-120. Springer-Verlag Lecture Notes in Computer Science 1994.
      (with R. Ihaka and P.R. Fenstermacher.)

[90b] "Network Security via Private-Key Certificates" ACM Op. Sys. Rev.,
      (Oct. '90), pp. 64-67, (with Ralph Swick). Also in Proc 3rd USENIX
      Sec. Symp., (Baltimore, 1992) pp. 239-242.

[90a] "Workstation Services and Kerberos Authentication at Project Athena,"
      MIT Lab. for Comp. Sci. Tech. Memorandum (Feb. 1990), (with R. Swick.)
      Presented as LCS Seminar, 5/15/89.

[89]  "Project Athena's Release Engineering Tricks," Proc. USENIX Software
      Mgt. Workshop, (New Orleans, 1989), pp. 101-106.

patents

2014  U.S. Patent Application 20140282830 A1 "Firewall Packet Filtering"
      (with Michael Evans).
2008  U.S. Patent 7,424,550 "System and method for specifying access to
      resources in a mobile code system" (with David Kranz, Elizabeth
      Martin, and Matthew Hostetter).
2006  U.S. Patent 6,993,588 "System and methods for securely permitting
      mobile code to access resources over a network" (with David Kranz and
      Elizabeth Martin).
2003  U.S. Patent Appl. 20030167350 "Safe I/O through use of opaque I/O
      objects" (with D. Kranz).