Jonathan M.

PSC · C#/.NET Core, Golang development, penetration testing, secure code review

Availability: Unavailable
Experience: Lead
Location: Remote, UK tax residency
Timezone: Europe/London
IR35 preference: Outside IR35
Recruiter preference: Agencies okay
Tax status: Limited company PSC
Tax residency: United Kingdom

Bio

I have always just been an outright geek. I am a self-taught penetration tester, and a self-taught programmer. I also have a degree in computer forensics. For ~10 years I was fortunate enough to work on security for several interesting projects for FAANG companies, banks, military, large gambling organisations, etc. where I ended up specialising in code review, social engineering, and thick client testing/reverse engineering.

For the most recent ~10 years, I have worked as a programmer – but have always kept current/passionate about security. I program predominantly in C# with .NET Core, but also have written projects in Golang, Rust, Java, C++, etc. I enjoy backend programming work, and writing code to solve difficult problems, quickly.

I have worked as the technical lead for exaprojects for several years. This includes all aspects of design, programming, infrastructure creation, monitoring, and maintenance, as well as leading a small team of programmers and QA testers.

Experience/Education

2018 – Current – exaprojects (construction industry project management startup), UK

- Technical Lead.

2015 – 2018 – DirectLine Group (FTSE 100 insurance company), UK

- Senior Penetration Tester. Note: I was technically self-employed, but worked a long-term contract for 3 years here.

2015 – 2018 – PentestPartners (penetration testing services), UK

- Senior Penetration Tester. Note: self-employed, overlapping/working as a contractor doing predominantly secure code review.

2007 – 2015 – NCC Group (penetration testing services), UK/Global

- Senior Penetration Tester.

2005 – 2007 – eLINIA (web hosting), UK

- Network engineer/cable monkey.

2006 – 2007 – University of Wales (formerly University of Glamorgan)

- Studied for a Master’s in Computer Security (Scholarship)

2003 – 2006 – University of Wales (formerly University of Glamorgan)

- B.Sc. Computer Forensics (1st class honours)

Misc: Have the Offensive Security Certified Professional (OSCP) qualification.

Interesting Projects (Programming)

- Distributed File Server
  - Golang/C – backend for exaprojects. Does absolutely everything: deduplication, encryption, Reed-Solomon/erasure coding, direct I/O, self-healing bitrot protection, “enhanced” zip downloads (meaning we are able to generate zip files of thousands of files on the fly at 100s of MB/s by hacking at the Golang zip internals/crc32 magic/zlib spec). Based on the Facebook Haystack storage model and optimized for efficient storage of millions of smaller files.

- Distributed Realtime Collaboration
  - TypeScript/C# – using WebRTC in conjunction with websockets and pdf.js, was able to make a custom “annotation” layer so that multiple participants can annotate the same document in realtime together, whilst broadcasting any changes to all parties instantly. Annotations were then “burned in” on the backend so that a PDF of the photo/document, etc. could be downloaded. Extremely fast/all cryptographically secure. Lots of maths, wouldn’t recommend it. Also plugged in with realtime voice/voice transcription using Google’s speech engine, i.e. during a meeting, notes would automatically be taken based on the contents of the call.

- Full text search engine
  - Rust – a plugin for Postgres which allowed for a distributed full text search to be carried out in conjunction with a standard db query. Postgres has some real problems with its full text search engine, which this aimed to fix. Used in conjunction with a custom DSL I created, allowing users of exaprojects’ advanced search to do stuff like “files uploaded last 2w and ‘electric’ within 200 of (‘safety’, ‘certificate’) and user = xxx and ……..”. Included stemming (i.e. “electric” would return results for “electricity”, “electrical”, etc. etc.)

- Version Control System
  - C#/SQL magic – design and implementation of a file tree system which would be able to record “snapshots” of hundreds of thousands of files/folders to allow for offline browsing easily and viewing what a file/folder structure looked like at a specific point in time, and showing all subsequent changes.

- High throughput authorization
  - C# – custom authorization layer to replace .NET Core’s user model. Able to handle tens of thousands of auth requests on a single server, a lot faster than the standard.

- High throughput database inserts framework
  - C# – a generic library to take a list of objects and use Postgres’ binary copy (in conjunction with optionally locking/reserving IDs) to allow for pre-calculated bulk inserts of ~70k rows/s (vs ~3k with a standard bulk insert).

- World of Warcraft bot
  - C# – a pixel-based bot which used novel methods to determine player location, etc. which had not been thought of before. Designed to play against other players in battlegrounds in WoW Classic. The methods used here actually became the fundamentals for a document diffing piece of software, which incorporated pathfinding and pixel-based comparisons to draw boxes around areas of change (as opposed to the traditional colour overlay).

- Misc – have found some interesting bugs in .NET Core and some popular libraries by being an early adopter.

Interesting Projects (Security)

- WinShareEnum (https://github.com/nccgroup/WinShareEnum)
  - C#/WPF – tool to enumerate SMB shares, and their contents, in large organisations. Presented at DEF CON.

- VCG (https://security.web.cern.ch/recommendations/en/codetools/vcg.shtml)
  - VB/Winforms – tool to perform static code analysis for a wide array of languages where it is not possible to fully compile the application.

- WCFer-ngng/JDSer-ngng/AMFer-ngng (https://github.com/nccgroup/WCFDSer-ngng)
  - Java – a Burp Suite plugin to allow for automated SQL injection (etc.) inside WCF/Java Object/AMF serialized objects over-the-wire. Included as a default plugin now for Burp Suite.

- JMBSoft Password Management
  - C++ – hooking into various win32 APIs on domain controllers/local desktops during the password changing process, i.e. pressing Ctrl+Alt+Delete -> change password -> type new password would provide realtime feedback if the password typed into the RDP/client screen was in a list of compromised passwords, was too short, lacking complexity, var1ati0n of a b4nn3d word, etc.

- Random Hooking tool
  - C++/C#/WPF – hooking into various internal win32 crypto functions and allowing for modification of things (i.e. WSASend) before being sent out. Similar to https://www.rohitab.com/apimonitor but worse.

- Exploit dev
  - C/Python/Misc – have found/sold several remote code execution vulnerabilities in various pieces of software.

- eDiscovery Project
  - C#/Golang – was approached as a contractor by a UK construction company which needed to present evidence against malpractice for a recent cladding scandal. Involved reverse engineering a common application (MailStore) and optimising the extraction process for several TB of emails (which would have taken months) to complete in a reasonable timeframe, include deduplication, and index results for offline analysis.

Examples of work

exaprojects (JOB) – Tech Lead

Effectively CTO for a bootstrapped startup in a high traffic, large number of users environment.

C#, PostgreSQL, Golang

Self (CONTRACT) – Several engagements: penetration testing, programming

Have had a number of contracts over > 10 years, involving penetration testing and bespoke programming/reverse engineering work for a number of FAANG, global companies. Including long term (> 3 year) renewals.
