I am a software developer based near Melbourne, Australia. Most of my days are spent coding in Python and JavaScript, commercially as an engineer at Mozilla as well as for a variety of open-source projects. I also maintain a strong interest in logic programming, mainly as a result of my doctoral thesis. Read more about me and check out my curriculum vitae if you want to know more.


Tue, 09 Oct 2018

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences.

One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one: Bug 1447452, in which some mishandling of Unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store.



Sat, 24 Feb 2018

Archiving my open-source projects

It's well past time that I admitted something to myself: I am no longer actively maintaining any of my personal open-source projects.

As I was staring at my inbox this morning, noticing that it was full of GitHub issue reports and thinking "I should really make time to respond to those" and then feeling ashamed that some are now several months old, I came to a surprising realisation – it's not that I can't make time to maintain those projects these days, it's that I no longer want to. I'm not "busy with family stuff" like I've been in the habit of telling myself, and I won't "get to that sometime soon". I'm getting my software fix on the job and I'm spending my personal time on other things, and I'm surprised to find myself OK with that.
