TECHNICAL

I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

Due to the stresses of travel I am not currently accepting any invitations to do anything outside of New England. I am very flattered every time someone puts me so high on their list, but I cannot make it.

Nothing motivates me as much as spite. Do not send me your privacy product pitch or your patented cryptography. The pink and ✧sparkles✧ are nothing but a protective veil over the spinning power core of my bitter hatred.

Public Research

I presented at DEF CON 21 (2013) with an introduction to unintentional radio emissions produced by electronics and how to get started measuring and observing them with ten dollars of equipment. Video - Slides

My conclusions in broad terms are that we should include auditing the emissions of our devices as part of our protections against sufficiently advanced adversaries of various sorts.

I realize I look like a total dork. The stage crew opined that I was too short for the podium and the block they gave me to stand on induced the opposite problem. It was my first big presentation and I can't bear to watch it.

Commercial Research

I work on/with/in the binary static analysis engine at Veracode. It's basically cheating at the halting problem as a career. I see bad code every day that could kill a bear from twenty paces. Trivial buffer overflows from the network. Executing the contents of $_GET. Currency stored in floats. XSS and SQLi by the millions. My frequent commentary on security engineering is informed by seeing literally thousands of distinct programs written by many different companies and organizations and the bugs therein.

Hating PHP As A Service

I write an entire blog based around my ongoing hate affair with PHP. It's very vitriolic. Surely you don't want any of that.

Articles

Sometimes I write stuff for edutainment.

Do Not Pass QA, Do Not Goto Fail A review of how not to ship this bug.

Executable Archaeology - The Case Of The Stupid Thing Eating All My RAM My all-time second most popular article, exploring how a simple debug feature shipped in production tanked my machine.

Analyzing Binaries With Hopper's Decompiler is starting to age due to Hopper still being under active development.

Is the Vibe messaging app safe for protestors? This is that spite-driven research I warned you about.

Our Enemy The Optimizer an introductory look at the unspeakable horrors visited on your source code by the unfeeling machine.

How Sally Got Owned a hand-illustrated explanation of how techniques used by mobile game pirates open your device to being hacked.

Privacy Is Hard, Let's Go Shopping A beta feature in Ubuntu opens up users to serious privacy breaches.

That time I had to use a VAX

Several years ago as a student I had a shell on a real, actual VAX, and discovered a critical shortage of documentation on the internet. I actually resorted to rescuing the user manual from my university library's back room to find the information I needed. What I learned is distilled in this textfile for assembly programming the machine, which I have left totally unedited from its (embarrassing) original form: VAXHAX

Formal Credentials

I have a bachelor's degree in computer science from a small private university. Far more impressive is my twenty four thousand reddit comment karma, don't you think?

And as an aside

Like everyone in infosec, I have a few haters. Some have gone so far as to forge texts in my name. Please apply common sense in determining whether I would post my real-world mailing address to full-disclosure for no apparent reason. (Also, any further hatemail directed to that address will reach strangers.)

If I ever lose control of my Twitter account, I will authenticate the new one, or prove my having recovered the old one, by decoding the hash 96a21b9d18e011bfc960e55d31f1695411013d83aaadb9b699bb2d845fa2c627 (tweet) which is also now here in the git history.

CREATIVE

Listen. None of that stuff on the left is important. Hacking, radio waves, whatever. I WROTE A NOVEL. It's called Glory in the Thunder and it's actually just the first volume of a story I have been working on for years. It's gaslamp fantasy which is sort of like steampunk. ↬You should buy it.↫ It's really cheap FREE and it's my life's work.

I fancy myself a chiptune composer but in truth I'm only kinda sorta competent at music. As far as chiptunes go, I work in 2A03 (the 6502-based chip inside the original Nintendo) with no expansions using the PP-MCK text-based compiler. I also do more "normal"-sounding music with orchestra soundfonts. It's basically all just theme-music for my own novel characters though. It all goes on my soundcloud. I'm not really involved with the chip scene. Some people there have been encouraging but I encountered hostility towards beginners one too many times and bailed.

That being said, I will totally call you out if you call anything vaguely chip-sounding or pixelated-looking "eight-bit" without reference to a real eight-bit computing platform. There's nothing wrong with these retro-inspired works of art, but oftentimes "eight-bit" is a wildly misapplied label. Since I actually program in assembly on 8 and 16-bit platforms I'm kinda picky about this.

My NES Font

A long time ago I wrote a simple text editor program for Famicom (NES) with the obscure keyboard peripheral. (The typing keyboard, not the piano one - which I actually own!) I couldn't find anyone with an actual keyboard to test it with so I had to rely on some rudimentary support in an emulator and hope it was right. However I ended up doing a complete font for it with ANSI extended characters and some people asked to reuse it. You may use it for whatever with attribution. You can grab the PNG or the NES rom file editable with YY-CHR.

That trivial demo I'm still proud of


An IRC channel called #io had a contest to do a boot sector demo, the only real rule was it had to feature their name. I came up with this really weird/cool infinite melting effect. Binary - Source (with instructions) - Video

My Avatar

The pink girl in my Twitter avatar is called Kasane Teto. She is essentially a parody of Hatsune Miku, the Japanese "pop star" character developed to market voice synthesis. The artwork I use originates here. (It will bring you to the artist's profile rather than directly to the artwork unless you have signed in.) Contrary to widespread rumor, my favorite color is actually orange.

Things I Like

I like Dwarf Fortress, an absurdly complex simulation game for all three major desktop operating systems. I donate once a year to encourage the madman behind it.

I like to shamelessly advocate for action adventure comic Drowtales.

I like human rights. I advocate for feminism (and get really sad at people who think feminism is some sort of kill-all-menism), orientation rights, gender identity rights, freedom of/from religion, etc. I am anti-mass-surveillance and do not draw an ethical distinction between my fellow American citizens and the ~94% of human beings who are not my fellow American citizens.

I like Dutch. I can more or less read it. Just don't ask me to write it!

Last updated Nov 27 2013