I’m Spencer. This is my site where I post things about stuff. You probably came to this site either looking for an answer to a question or looking for me. If you are looking for an answer I hope you find one. If you are looking for me I’m not here right now, leave a message.
Meanderings About Me
Personally
I’m Spencer Shimko and this is my server & site. Most of the time I’m off doing other things. I enjoy music, power tools, golf, disc golf, gadgets, games, Android development, craft brewed beer, wine, cooking, destroying and re-creating things (e.g. walls in my house), reading, and hanging out with family and friends. I enjoy debating about pretty much anything. I’m not always right. I’m color blind (deuteranopia or strong deuteranomaly). I love being challenged intellectually. What really surprises me is how little I know about the things I know the most about. I’m interested in pretty much all aspects of computer security and that spills over into my job.
I was pretty much raised in Catonsville, Maryland, outside of Baltimore City. I went to high school at Mount Saint Joe in Baltimore. I spent five years in North Carolina. I now live and work in Columbia, Maryland. My job has taken me all over the place. Internationally I’ve been to Australia three times, the UK four times, and Canada. For pure pleasure I’ve been to Spain, Morocco, and the Bahamas. I’ve been all over the US visiting every major region, but I haven’t been everywhere. Last count I was up to around 30 states or something.
Professionally
I started learning DOS when I was old enough to type back in the early 80s. When I was four I knew all of the cool stuff ended in .exe, .com, or .bat. I spent hours tweaking config.sys and autoexec.bat to squeeze out every bit of memory so I could play games.
I got my first UNIX shell account on one of JHU’s Solaris servers in the early 1990s. I quickly learned the details of shadow files, wiping login and log artifacts, and other basics. Back in 1994 or 1995 I downloaded and installed Slackware (remember when Slack disk sets were actually floppy disks?!) and I’ve been using Linux in one way or another ever since. Got into the normal script kiddie stuff, security scanning, IRC bots, etc. Took my first programming classes in high school; BASIC and Pascal were taught back then. My C experience was self-taught at that point. Went to college. Continued building on security experience. Graduated college. Got a job in the computer security field.
I worked in the IT field for a while at CCBC. I learned a good bit there regarding the “real world” from admins’ and users’ perspectives. This knowledge continues to be valuable today. Then came Tresys.
I’ve had the pleasure of working with Tresys Technology for over seven years. We contribute to the open source security community, do some (light) research and (heavy) development, are deeply involved in the development of SELinux, and have a few products we’ve developed along the way.
Working in a small company offers great role flexibility and has exposed me to an amazing variety of tasks. On any given day I could be working on security architecture development, research, coding, technical writing, security consulting and assessments, and I even get out of the office and do a decent bit of technical sales since I’m rather sociable. I was one of the managers of our internship program for about two years and I’m the technical lead (systems engineer) on a few projects.
With the great folks at Tresys I’ve done a good bit of security architecture design. In my role as a systems engineer I contribute to the development of requirements and the design of security architectures. Then I also get to lead the technical team implementing the design and I work with the QA team ensuring the requirements are met. This is also true of the other non-security-architecture projects I’ve worked on, such as compilers and tool sets.
I’ve discovered one of my passions, in addition to security, is the build and integration process. There are numerous reasons for this. I like seeing everything come together. I think well thought out build and integration systems reduce the burden on developers, testers, and all involved. And I think designing and creating an elegant build and integration system that works for many contributing developers is incredibly challenging.
My knowledge is often leveraged for other security issues such as basic best practices and tips-n-tricks I’ve learned along the way.
While not everything I’ve worked on has been or will be made public, here are some things I’ve been participating in at Tresys that have been put in a public forum:
2005
- CDS Framework – I developed a compiler for a domain-specific language focused on cross-domain solutions and SELinux security policies.
- Cross-Domain Collaborative Information Environment (CDCIE) – I contributed to the security architecture design and development of supporting SELinux security policies.
2006-2007
- Certifiable Linux Integration Platform – At one point this was my baby. I wanted an SELinux policy baseline for cross-domain solutions. But it blew up into an open source project much larger and more successful than I could have imagined (thanks to Brandon Whalen et al.). It now handles STIGs/SRRs, SCAP, etc.
- Razor for DB2 and WebSphere – A project focused on generating cooperative SELinux security policies for enterprise applications. E.g., you want your WebSphere app servers to communicate with each other and with your database servers and vice versa. Once again, a security-architecture-focused project.
- Secure Inter-Process Communication Library – A bit of research into the Linux IPC mechanisms and the associated side-channels and back-channels yielded a simple library for minimizing back channels.
2008
- VM Fortress – Virtualization Security – I shifted focus from enterprise applications to desktop virtualization. This solution generates complete desktop environments using SELinux to separate VMware Workstation virtual machines. It has been utilized to ease deployment and ease the development of security architectures of several products at Tresys.
2009
- File Sanitization Tool – A USB thumbdrive filtering solution. This one holds a lot of personal pride among my friends and me (Brandon Whalen, Joshua Brindle, David Sugar). We worked tirelessly (read: multiple 40-hour “work days” over a period of several weeks) to get the prototype implemented in response to a customer’s pressing need. It has taken off and now lives a life of its own.
2010
- SETools – Led the development and release of an incremental update to this existing tool suite used to analyze SELinux security policies.
- SCC – SCC is a compiler for a domain specific language for generating OVAL content. I contributed to and led the development team in the initial release of this tool.
- Several non-public projects in the cross-domain space.
- Security architecture development for a set of embedded network routing devices for the commercial sector. Can’t say much more than that though.
- Led a project to replace the crypto stack for the userspace IPSec tools component “racoon” in Android devices.
2011
- Mobile device security analysis and penetration testing. Can’t be more specific.
- Certifiable Linux Integration Platform (again)
- Led development of a fiber diode-based cross-domain solution called XD Bridge. In addition to the usual technical lead tasks I got to write a new build system and this project was the first time I had a chance to lock down a system that has no interactive user logins.
- Security architecture development for a set of embedded network routing devices for the commercial sector. Can’t say much more than that though (continuing…)
2012
- Developed the requirements and design, and led the implementation, of a secure analysis environment. Can’t be more specific.
- Certifiable Linux Integration Platform (continuing…)
- Security architecture development for a set of embedded network routing devices for the commercial sector. Can’t say much more than that though (continuing…)
Disclaimer
- Keep in mind that it is my personal site. It is not endorsed, sanctioned, reviewed, or enjoyed by my employer.
- These thoughts are mine and mine alone.
- I will post about things I am interested in here.
- Some of this may be on the subject of computer security in which I have both a personal and professional interest.
- I enjoy the color that four letter words add to a post.
- If you don’t appreciate four letter words feel free to fuck off and write your own blog post but leave my employer out of it.
- If you’re going to respond to a post or rant that appears here, remember that this is my site and my content.
- For fuck’s sake don’t run home and cry to your employer about my postings.
Whatever you choose to do is of course up to you. For example, an employee of Sun/Oracle complained about my blog entries to his employer and a mutual customer. The choice was his to make, and he chose to act like a child. I digress; the choice remains yours: act like an adult, or go his route and act like a 3-year-old.