I originally wrote the following text (or rather an older revision of it) on request from an Openwall client company, such that they could make their prospective client aware of who would be doing the security work on a specific project, and the text was reused in a similar fashion on several occasions. This is why I wrote it in the third person, and this is why I keep it written that way. I generally prefer to write about things I do (with all the technical detail) rather than about myself, which makes me a bit uncomfortable specifically listing my achievements, but doing so is needed for the business side of things. This is a bio, not a résumé. I have intentionally omitted things such as my skills, programming languages I “speak”, and so on. I am not looking for a job (and I have never been - instead, jobs would find me on their own); however, I may be interested in specifically relevant contracts for Openwall, with the ability to get the most appropriate people on our team involved. - solar
Alexander Peslyak, better known as Solar Designer, has been professionally involved in computer and network security since 1997, and he had been professionally developing software long before that. Alexander is an Open Source software author and team leader at Openwall Project and Openwall GNU/*/Linux, a computer security expert, Founder and CTO at Openwall, Inc. - a professional services company with clients primarily in the US - and a member of informal and semi-formal computer security communities.
Alexander has presented on computer security and Open Source software topics at international conferences (HAL2001, NordU, FOSDEM, CanSecWest), served as the technical reviewer for a novel computer security book (Michal Zalewski's Silence on the Wire) and wrote the foreword for it. He is recognized in the “security community” primarily for the security tools (software) released to the public under liberal Open Source licenses, and for many contributions to other popular Open Source software (primarily Linux and related applications).
The vastly incomplete timeline is roughly as follows:
2008 - 2017
Advisory board member at oCERT (Open Source Computer Emergency Response Team).
2008 - present
Co-founder of oss-security (Open Source Software security initiative aimed at bringing cross-vendor coordination for publicly known vulnerabilities and post-disclosure discussions to public view) and (linux-)distros (since 2011, the oss-security counterpart for private coordination and pre-disclosure discussions, with strict terms requiring that the vulnerabilities be made publicly known on oss-security in a timely manner).
2003 - present
Founder & CTO at Openwall, Inc. - a professional services company providing computer security consulting, security audits (systems and software), remote systems/security administration, software development (primarily Open Source with a focus on security), and related services.
2000 - present
Team leader at Openwall GNU/*/Linux - a security-enhanced operating system with Linux and GNU software as its core.
1999 - present
Founder and leader at Openwall Project, the primary focus of which is in development of information security related free software, information security research, publications, and community activities aimed at making existing free software safer to use.
(The development of some of the software released and maintained under Openwall Project started in 1996.)
1997 - present
Information security consultant at DataForce ISP.
1999 - 2001
Information security consultant at OXIR Internet Solutions, Inc.
1996 - 1999
Own Unix/Linux related software development and security projects, prior to “formally” starting the Openwall Project along with others on the team.
In a previous life:
1996 - “software protection” (anti-piracy) development under contract with Fukuoka Soken, Inc.
1994-1996 - software developer at Infort, JSC (developed a generic GUI toolkit capable of running on inexpensive pre-Windows PCs, which was used in the company's economics simulator “business game” sold to educational institutions)
1994-1996 - somewhat active on the demoscene and amateur computer networks
1992-1994 - software developer at NefteIntens, Ltd. (participated in implementing mathematical models of oil recovery processes such as hydraulic fracturing, created commercial-grade menu-driven user interfaces for said implementations, participated in migration and semi-automated translation of legacy software from mainframes/Fortran to PCs and contemporary development environments)
1989-… - assorted computer programming on various platforms (hobbyist)
1977 - Alexander was born
Selected achievements relevant to the “current life”:
1996-present - developed John the Ripper password cracker, which was the 10th most popular security tool overall according to an independent study conducted in 2006, and the most popular of its kind (cross-platform and Unix password crackers); the homepage has exceeded 29 million hits
2007,2008 - the world's most deployed “web applications” (forum, blog, CMS “engines”) - phpBB3, WordPress (bbPress), Drupal - have chosen to adopt password security enhancements developed by Alexander
2000-2007 - many pieces of software originally developed for Openwall GNU/*/Linux got integrated into other major Unix-like operating systems, including major (and minor) Linux distributions, FreeBSD, and OpenBSD
2000,2001 - researched Secure Shell (SSH) vulnerability to timing analysis attacks (with Dug Song)
1999,2000 - came up with the first generic heap-based buffer overflow exploitation technique (disclosed to Netscape/AOL in 1999, won their “Bug Bounty”, public in 2000)
1999,2000 - analyzed and “broke” the cryptographic aspects of Cisco's TACACS+ protocol (disclosed to Cisco in 1999, public in 2000)
1997 - published the very first “return-into-libc” style buffer overflow exploits
1997 - enhanced the Linux kernel (2.0.x at the time) with non-executable memory protections for the first time, inspired by Casper Dik's patch for Solaris/SPARC; others then proceeded to make more elaborate patches for Linux, more elaborate changes were incorporated into OpenBSD, and many years later similar techniques even got into official Windows releases
1997 - published the very first Windows buffer overflow exploit