posts @ https://blog.lizzie.io
Hey, I'm Lizzie Dixon. I'm a computer security researcher living in San Francisco and writing about vulnerabilities and software projects.
Like what I write? Interested how I could help with your company or project? I do consulting work, typically for growing startups. Here's what that usually looks like:
- A one- or two-week-long engagement to get you off on the right foot security-wise. I'll explore your codebase for vulnerabilities and help your team understand the kinds of issues that threaten your company and product.
- A periodic engagement, often quarterly or monthly, where I review particular areas of code, read pull requests, and address outstanding concerns.
We'll also schedule longer, one-off engagements as bigger projects come up. Throughout this all I'll work to document my findings and recommendations and help you build a strong, security-aware team and culture.
I'd love to discuss any of this over coffee. You can reach me at _@lizzie.io. ☕
- 2018-07-18 Clickjacking Chrome Extensions: a year-old bug in PrivacyBadger.
- 2018-07-13 Preventing USB Attacks with linux-hardened: an update for a post-Grsecurity world.
- 2017-03-27 Breaking KASLR with perf: sampling addresses with PERF_SAMPLE_IP.
- 2016-12-12 Preventing USB Attacks with Grsecurity: BadUSB, poisontap, et al.
- 2016-11-03 CVE-2016-6321 notes: "pointyfeather", a logic bug in GNU tar.
- 2016-10-22 Using userfaultfd: sample code!
- 2016-10-17 Linux containers in 500 lines of code: …and 3000 lines of text.
- 2016-10-14 Exploiting CVE-2016-8606: a cross-protocol attack from browsers to Guile Scheme repls!
- 2016-10-06 Notes about CVE-2016-7117: a use-after-free in the Linux kernel, in recvmmsg.