avatar

Lance R. Vick
Security Engineer

About

I thrive on shipping best in class strategy and implementations for securing assets and data from theft or abuse. Specialties of mine include general security architecture, vulnerability assessment & mitigation, authentication schemes, hardware security modules, supply chain attack mitigation, PII protection, web application hardening, system architecture, and Linux/*BSD hardening/automation. Over the past two decades I have been working in this space I have started multiple companies, designed and deployed hundreds of projects, and solved problems for many Fortune 500 companies. If you have interesting security or scaling challenges, we should talk.

Work Experience

Distrust
February 2021 – Present
Founder, Security Engineer
Develop, implement and teach tools and strategies that distribute trust away from any single person or component.
Highlights
  • Linux infrastructure security auditing, design, and hardening
  • Full-stack security audits
  • HSM design and integrations for PII and high value key material
  • Remove human and system SPOFS across every layer of a system
  • Offline cold storage design, training, and tooling
Turnkey
March 2022 – Present
Founding Security Engineer
Provide general purpose APIs for remotely controlled, enclave backed, and quorum managed private keys with configurable usage policies.
Highlights
  • Architected and prototyped first multi-party controlled cloud enclave
  • Implemented deterministic full source bootstrapped builds for enclaves
  • Threat modeling and risk advisory on most major product initiatives
  • Offline cold storage design, and tooling support
  • Bug-fixes and general security improvements across the platform
  • Bug-bounty policy lead, triage, and response
Unit 410
June 2020 – March 2021
Senior Security Engineer
Facilitate the secure asset custody and participation in novel decentralized finance systems, and continually reduce risk in every area practical as they mature both internally and upstream.
Highlights
  • Custom firmware, OS, and ceremony development for offline signing
  • Custom multisig software supply chain integrity design and tooling
  • Linux infrastructure security auditing, design, and hardening
BitGo
August 2017 – April 2020
Lead Security Engineer
Financial services firm specializing in HSM-backed multi-sig crypto-asset custody APIs and key management tooling used, often by white-label, by hundreds of financial products.
Highlights
  • Custom firmware, OS, and ceremony development for offline signing
  • Custom multi-sig software supply chain integrity design and tooling
  • Linux infrastructure security auditing, design, and hardening
  • Multi-user gated bastion design and implementation
  • Deployed HSMs to all employees for signing, auth, and encryption
  • Designed Pub/Sub Linux/OSX workstation management via signed Git repos
  • Designed tamper evident laptops, HSMs, and vaults for secure signing
  • Designed and lead implementation of HSM based, e2e encrypted PII system
  • Created and managed bug bounty program
Fitbit
December 2016 – August 2017
Senior Site Reliability & Security Engineer
Surveillance capitalisim and marketing firm that collects and studies the health and location data of more than 30 million users via custom devices they voluntarily purchase and wear. Now owned by Google.
Highlights
  • Assisted in infrastructure migration from Pebble to Fitbit
  • Linux infrastructure security auditing, design, and hardening
  • Deployed HSMs to prod eng team for signing, auth, and encryption
  • Researched and designed production user and secret management systems
  • Transitioned infrastructure acquired from Pebble
  • Upgraded and maintained container orchestration systems
Pebble
June 2014 – December 2016
Security & Web Operations Lead
A wrist-worn computing platform with an e-paper display known for long battery life, hackability, compatibility, and a strong independent developer ecosystem producing thousands of apps and watchfaces.
Highlights
  • Started and ran bug bounty program
  • Linux infrastructure security auditing, design, and hardening
  • Ground up rebuilt Pebble App Store decreasing load times 90%
  • Migrated company to custom git based CI/CD and infa-as-code system
  • Developed real-time data streaming API backend and sample apps
  • Managed and enforced company security policy and technical controls
Accesso
February 2013 – May 2014
Senior Software Engineer
White label retail ticket sales and shipping platform embedded in the websites and kiosks of hundreds of major tourist attractions worldwide.
Highlights
  • Led rewrite of all products from Flash to HTML5/JS and Web Sockets
  • Wrote and rolled out companies first CI/CD system
  • Wrote first end-to-end testing suite and tests for company products
  • Wrote ticket platform embedding SDK
  • Frequently helped with architecture and security on IT and Infra teams
Tawlk
February 2011 – February 2013
Founder, CTO
A free social search and analytics engine providing real-time social media postings and their aggregate reach volume, and sentiment for any topic across over a dozen social media services.
Highlights
  • Deployed near real-time social data stats and search engine
  • Wrote novel (and published) distributed social data aggregation system
  • Designed and implemented ~80% accurate sentiment classification system
  • Co-developed real-time "social credit score" system for any topic
  • Implemented SDK and support for over a dozen social data APIs
  • Wrote custom sepc and database scheme for all social data formats
GoConvergence Film & Television
May 2009 – February 2013
Technology Director, Lead Engineer
Film and technology firm supporting a wide range of industries in film production, studio buildouts, and production of custom interactive media for theme parks, hotels, and museums worldwide.
Highlights
  • Provided security reports and recommendations to advise clients on risk
  • Led development of a 360 projection military combat simulator
  • Led implementation of access card based health training facility
  • Built websites for major finance, aircraft, hotel, and retail brands
  • Developed control systems for all displays in sales showrooms
  • On-site consulting and training for all clients I built for
Cross-Technical, LLC
April 2008 – May 2009
Founder, Lead Engineer
Full-stack technology consulting and engineering firm.
Highlights
  • Web development for local brands
  • Wireless mesh networking for hotels and consenting neighbors
  • PC and server repair, networking, installation, and training
  • Linux and open source software deployment and training
  • Security advice and planning for offices and homes
  • Recycled hundreds of PCs to sell as affordable Linux workstations
Tractor Factory, Inc.
September 2006 – March 2007
IT Manager
Tractor manufacturing, sales, repair, delivery, and training serving most of the continental US.
Highlights
  • Obtained, maintained, and trained employees on all technology used
  • Research and competitive analysis on customers and competitors
  • Developed and maintained online sales showroom
  • Tractor sales, marketing, delivery, and on-site training
  • Mailroom and email marketing automation
Budget PC
January 2002 – May 2004
PC Repair Technician
PC repair and technology consulting retail establishment serving central Indiana.
Highlights
  • First tech job worked during high school
  • Started as intern and left as a senior repair technicion
  • Assisted with sales, deployment, and training

Volunteer

Hashbang Community
January 2002 – Present
Founder, Mentor, Lead Engineer
Nomadic collective of curious people promoting security, privacy, and digital sovereignty through community, mentorship, documentation, open source software, public access unix systems, and open network services.
Highlights
  • Provides IRC, mail, and unix shell services for over 10,000 users
  • Developed PostgreSQL based Unix user and SSH key management system
  • Maintain public security hardening practices for debian
  • Developed signed git based CI/CD for rootless community administration
  • Engages in live "security unboxing" group pentesting for fun
  • Promotes higher security standards in critical software supply chains
Faces Of The Homeless - National Coalition for the Homeless
November 2009 – July 2011
Speaker
Program started by Americorps VISTA to educate the public on poverty issues through speaking engagements led by currently or formerly homeless people.
Highlights
  • Shared my own story of homelessness at dozens of locations in Florida
  • Led lectures at local colleges on helping the homeless re-integrate

Contact

650.686.8819
lance@vick.house
P.O. Box #51687
Palo Alto CA 94303 US
https://lance.dev
PGP
E90A401336C8AAA9
Matrix
@lrvick:matrix.org
IRC
lrvick@irc.libera.chat
Mastodon
lrvick@mastodon.social
Git
lrvick@codeberg.org

Skills

Digital Security Proficient
Linux Hardening Firewalls HSMs Code Review Reverse Engineering Software Supply Chain Integrity
Physical Security Moderate
Covert Entry Lock Picking Rekeying Alarm Systems Tamper Evidence NSA TEMPEST NATO SIDP-27 FF-L-2740
Applied Cryptography Proficient
E2E Encryption Threshold Signing Multi Party Computation Ceremony Design Measured Boot Notary GnuPG Gemalto Yubico PKCS#11
Software Engineering Proficient
Unit Testing End-to-End Testing Architecture Access Controls Documentation
Web Development Proficient
Angular Django Rails Flask Express Koa
Embedded Development Proficient
Arm RISC-V Arduino ESP32 Platform.IO Buildroot Android
System Administration Proficient
Linux Arch Alpine NixOS CoreOS Flatcar Debian RedHat Gentoo QubesOS FreeBSD OpenBSD pfSense TrueNAS Nginx RabbitMQ haproxy SystemD OpenLDAP
Databases Proficient
PostgreSQL MySQL Sqlite Redis Memcache Etcd Zookeeper
Codified Infrastructure Proficient
Docker Ansible Chef Puppet Kubernetes Helm Kustomize Aurora Terraform AWS Cloud Formation
Continuious Integration Proficient
Gitlab CI GitHub CI Lambci Jenkins Git Hooks
Cloud Computing Proficient
AWS Digital Ocean Google Cloud Platform OVH Hetzner Softlayer Atlantic.net DreamHost Rackspace Media Temple Heroku
Shell Scripting Proficient
Bash Zsh Make Awk Sed Curl Jq
Programming Proficient
Bash Python JavaScript CSS HTML
Programming Moderate
Go PHP Ruby Tcl Perl Lua
Programming Functional
Rust C C++
Compliance Moderate
SOC2 PCI

Press

Cryptoasset Wallet Entropy
CoinDesk - Fredrick Munawa
Bitcoin Magazine - Van Wirdum Sjorsnado
Supply Chain Attack Awareness
The Register - Thomas Claburn
Trend Micro - Trend Micro Research
Japanese Robot Hotel Room Robot Spying
Boing Boing - Cory Doctorow
Gizmodo - Whitney Kimball
The Register - John Oates
Vice News - Lia Savillo
Undermining School Surveillance
Gizmodo - Whitney Kimball
Teen Vouge - Zach Schermele
Schneier - Bruce Schneier
Github Author Spoofing Protest
ZDNet - Catalin Cimpanu
Bleeping Computer - Sergiu Gatlan
The Next Web - Ivan Mehta
Thermoelectric Axolotl Cooling
Hackaday - Bryan Benchoff
Biohacking
Orlando Business Journal - Abraham Aboraya
Orlando Sentinel - Redacted

Publications

CVE-2023-39910 - Libbitcoin: Critically insufficient entropy
Mitre
07 August 2023
https://milksad.info

The widely trusted cryptocurrency library libbitcoin was found to generate keys with only 32 bits of entropy, which enabled real world theft of millions of dollars in value across several major blockchains.

CVE-2018-9234 - GnuPG: Bypass certification key
Mitre
03 April 2018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9234

GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

CVE-2018-9057 - Terraform: Weak AWS password generation
Mitre
27 March 2018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9057

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.

Bypass API rate limiting with client browser distribution
Association for the Advancement of Artifical Intelligence
02 June 2012
http://www.aaai.org/ocs/index.php/ICWSM/ICWSM12/paper/view/4787

Inexpensive method for acquiring social media data by distributing workload between browsers and servers as appropriate to drastically reduce infrastructure needs.

Languages

  • enNative Speaker
  • esBasic

Interests

Digital Soverignity
Self Hosting Supply Chain Integrity Decentralization Federation Crypto Assets Data Rights Web Of Trust
Teaching
Hackerspaces Workshops Mentoring Documentation
Homesteading
Chickens Bees Gardening
Engineering
Audio Robotics Multirotors Mechanical Puzzles Ham Radio Machine Learning Home Automation
Making
CAD Robotics Multirotors 3D Printing Laser Cutting Woodworking CNC PCB Fabrication
Research
Security Anthropology History Law Ai
Entertainment
Mechanical Puzzles Locksport Ranting Cardistry Yo-Yoing Magic Bad Humor
Biohacking
Tech Implants Wearable Electronics CRISPR
Pets
Birds Amphibians Fish Reptiles
Music
Punk Screamo Electronic Folk
Transport
Electric Skateboards Motorcycles

Education

  • 2003 Present

    #! Community

    Decentralized Tech Mentorship

    Courses
    • Information Security & Privacy
    • Engineering Ethics
    • Linux Systems Internals
    • Computational Demonology
  • 2001 2002

    Ivy Tech

    Informational Technology

    Courses
    • A+ Certification

References

I've worked with Lance extensively during our overlapping tenure at BitGo. From the get go, I could tell that Lance knows security. His passion is palpable; beyond concerning himself with the well-being of company systems, he preoccupied himself with the personal security of each of his coworkers. He is also very aware of the vulnerability landscape, and helped steer the company in the right direction multiple times when picking technologies. Security threats are constant, but Lance is even more tenacious.

As Lance's team member for the past year, I've benefited from his creativity and aptitude for solving hard technical problems. Lance was directly responsible for handling incoming requests and delegating company wishes to the team. Thanks to Lance's expertise and commitment, the company was a much more safe and secure working environment. He would never pass a chance to see if he could poke security holes in any side-project someone would set up. As a colleague, Lance is extraordinary generous with his time and sharing expertise. He will never tell you the answer, but rather guide you along the way so you can learn how to get to the answer yourself. His humor, colorful past and unique personality make Lance one of the best people I have ever had the pleasure of working with. I'd be happy to answer any questions you might have about his specific skills and experience.

Lance is a security conscious, production engineer with great communication skills. I worked with Lance at Pebble for over two years with him at first as a direct report of mine and and later as my peer, during which time he tackled a wide variety of challenges from an Angular mobile app to developing our deployment platform to being our hands-on production engineering lead. Lance was confident yet not cocky, had a positive can-do attitude and excelled with Linux, Docker, shell scripting and AWS. I would gladly work with Lance again.

Lance is a very self-motivated developer capable of taking extremely hard problems and solving them quickly and efficiently. He has immense logical and analytical skills coupled with an amazing creativity which creates the perfect combination needed for a successful developer or any position in the technology field. I worked with him in a major version milestone of our company's software that required a complete gutting of the system, and his knowledge and understanding of both development and systems helped immensely in our communications to swiftly and successfully complete the project.

Upon meeting Lance three years ago I've always known him as a fun, spontaneous guy who excels at what he does. He is proficent in computer security, multiple programming and scripting languages, and is an all around tech guru. He's a great motivator and has encouraged me in my programmers-walk multiple times. I'd recommend him for any computer-related task and would be confident in doing so, to this day I still look up to Lance and seek his advice.

Lance demonstrates a drive few IT professionals possess and has a large amount of technical knowledge to back it up. I would trust him to adequately handle any project given to him and likely surpass any expectations. He is an excellent contact to have and the right guy to put on your most critical job.

Lance is very charismatic, able to work very well with clients and help them understand. He's very good at making sure everyone is on the same page, and goes out of his way to ensure clients are happy with his work. When he's on a project, he will work with a single-minded focus. He is extremely clever, often combining many different techniques to arrive at a better solution. In web design, he has an eye for layout, but doesn't sacrifice browser compatibility or standards in order to create what he wants. He spends much time with clients, helping narrow down what it is they want, and then creates, making sure they are satisfied with the end result.