Skills

Below is a more complete, yet still partial, list of my skills and experience. Because I have been so passionate about, and involved so long in, computing, it is difficult to fully enumerate the depth and breadth of my background. While there is some overlap with my resume, each document contains a significant amount of unique content, and neither should be considered “definitive” (in part because I literally can’t remember everything I’ve done!).

Management/Project Management:

  • Director with over 15 years of management experience.
  • Regularly coordinate with top level IT leadership and senior business management in project delivery.
  • Regularly manage projects and directives of enterprise scope.
  • Crafted/executed numerous business cases for large network, systems, and security projects encompassing millions of dollars.
  • Written numerous RFPs for professional services, auditing engagements, and product purchases.
  • Responsible for forecasting and managing a CAPEX/OPEX budget of over $1 million annually.
  • Experienced running highly successful teams across diverse locations, using tools such as Atlassian Confluence/JIRA, WebEx, Jabber, JoinMe, Meetingplace, conference calls, email, and regular travel.
  • Negotiated numerous RFPs, contracts, and SOWs including coordinating between IT management, legal, procurement, and vendors.
  • Highly experienced in contracts involving the use of sensitive data.
  • Have managed and driven to resolution many enterprise scope outages, whether system, network, or 3rd party, both on and off hours as well as on holidays.
  • Experienced with Change Control requirements, off-hours scheduling, and limiting user visibility with both minor and enterprise scope changes.
  • Directly and indirectly involved in the evaluation and hiring of numerous IT candidates.
  • Oversaw creation of Network and Security teams.
  • Managed a standalone office, coordinating with corporate headquarters, including the ultimate execution of all steps for the final dissolution of the office.
  • Excellent communication skills. Often used as the “go to” resource for crafting written messages to large sets of recipients, messages on sensitive topics, or messages to higher level management.
  • Experienced using Word, Excel, PowerPoint, Visio/OmniGraffle, XMind, and similar tools to create business documents and technical briefs.
  • Experienced with Markdown documentation creation and formatting.
  • Experienced with Atlassian JIRA and Confluence.
  • Experienced with Service-Now.
  • Experienced with fleshing out projects and tasks with Microsoft Project and ProjectLibre.

System Administration:

  • Executed hundreds of hands on bare-metal OS installs of Linux and Unix systems, including configuration of disk, OS parameters, authentication parameters, and local customizations.
  • Designed and built RPM build infrastructure used to create all internal RPMs including for stores and corporate systems. The RPM build structure provides a generic infrastructure to build repeatable installs for our cookie cutter environments.
  • Designed and built Solaris SVR4 package infrastructure used to create all packages for maintenance of Sun and Solaris systems.
  • Numerous LAMP stack based installs both for business projects and personal installs. Installations have included performance optimization and secure configuration.
  • Experience creating and managing ESXi hosts both directly and through vCenter including sizing, OS installation, VLAN assignment, disk assignment, etc.
  • Built Xen hypervisor based virtualization server to evaluate Xen vs. VMware. Installed a number of hosts and OSes to compare complexity and manageability.
  • Co-designed and implemented highly available Linux retail store install where any Linux system could take the identity of another Linux system on failure simply by a DNS renaming. As all systems were synchronized and personalization was automated, a store could restore its back office server in minutes, rather than potentially requiring days for a ship. Installs spanned tens of thousands of systems.
  • Co-built scripted “one button” upgrade for mass conversion of store RedHat Linux systems to SuSE SLES Linux. Script executed all phases of the conversion, including required DNS updates.
  • Built script that allows secure execution of any command or script on some or all store systems based on passed parameters. This allows expedited store-wide data collection and application of patches/fixes.
  • Designed, managed, and executed multiple large scale filesystem migrations from legacy NFS and CIFS systems to newer hardware including Hitachi BlueArc HNAS devices as well as multiple Linux and Solaris servers. These migrations comprised thousands of clients and were executed using least-intrusive methods.
  • Management of multiple NFS servers including the design of an architecture independent automount infrastructure that allows transparent moves of data from filesystem to filesystem, but also allows concurrent shared and OS/release/CPU specific objects transparently interwoven.
  • Multiple distributed “cron” solutions allowing job scheduling automation and data collection across all corporate Linux systems. Automated single occurrence or repeating jobs can be added on the fly at any time to facilitate the management of all corporate Linux systems.
  • “go to” resource for “quick and dirty” script solutions for time sensitive requirements. Extensive experience with Python, Perl, “bourne” shell (sh, bash), csh, sed, awk, grep, regular expressions, and many, many, other Unix utilities.
  • Many Windows based installations including Windows 2012 Server, Windows 10, and Windows 7.
  • Built shared portable “skeleton” environment to support a large heterogeneous host installation. The “skeleton” setup ensured a consistent login environment both for business and developers while allowing role based customization.
  • Created shared X11, X windowing system, environment that ensured consistent X Windows login environment for all users.
  • Created/modified DHCP scripts to manage DHCP both under ISC DHCP and Cisco IOS based DHCP.
  • Experience solving low level boot issues, such as “initrd” repair, custom module insertion, module customization (including code updates/compilation), handling firmware loads, etc.
  • Experience with custom kernel configuration and tuning.
  • Built numerous “rsync” based synchronization setups to keep systems in sync across both LANs and WANs.
  • Co-developed RedHat Kickstart installation for stores and corporate for repeatable cookie-cutter installs.
  • Co-developed Sun/Solaris Jumpstart installation for repeatable corporate cookie-cutter installs.
  • Implemented Google Docs for enterprise in a small auditor office environment.
  • Experience installing, configuring, managing, and backing up MySQL databases.
  • Experience with volume management including LVM, RAID, SCSI, and disk arrays.
  • Crafted and implemented enterprise timezone configuration solution for legacy systems when new Congressional DST time changes were mandated.
  • Critical resource in Y2K initiative including identifying risk areas and remediating programs, scripts, and OS concerns.
  • Expertise in printer configuration and support including CUPS, SVR4 lp, Berkeley lpr, SAMBA interaction, and Windows printer setup.
  • Physically designed and built x86 PCs from the ground up (CPU, motherboard, RAID controllers, disk, networking, peripherals, etc.).
  • Experienced in maintenance of network and system devices (e.g., upgrading memory, hard drives, replacing failed components, etc.).
  • Implemented iSCSI initiator/target setup with FreeNAS and VMware to supply additional VMware datastore space.
  • Created script to auto-generate Cisco ASA “object-groups” IP location blocks based on MaxMind geoip location data.

Networking:

  • Design of large scale networks and their IP addressing across many hundreds of sites, both LAN and WAN, and including Internet connectivity.
  • Designed multiple scripted interfaces for repeatable mass rollout of wireless configuration changes to Cisco APs affecting over 3,000 wireless access points. The latest iteration allows flexible configuration using M4 macros.
  • Core router configuration including VLANs, interface configuration, VTP setup, route protocol conversion, route weighting, EIGRP, IGRP, RIP, BGP, etc.
  • Deep dive customization of wireless configuration to support VLANs, WPA2 enterprise authentication (EAP/802.1x), wireless optimization, and extended authentication methodology.
  • Have a strong knowledge of subnet masking, CIDR, and route aggregation and the pitfalls of getting it wrong.
  • Drove resolution of many high visibility circuit issues including handling escalations required from the inevitable “passing of the buck” between local LEC(s) and the WAN carrier(s).
  • Extensive hands on experience setting up Cisco routers, switches, and firewalls, (IOS, NX-OS, ASA) including base configuration, updating IOS, etc.
  • Experienced with migrations of enterprise Internet connectivity from ISP to ISP.
  • Experience utilizing BGP ASN weighted prefixing to provide load balancing with diverse (multi-homed) Internet connections.
  • Multiple WAN carrier transitions including satellite to frame-relay and frame-relay to MPLS.
  • Manage all DNS domain registrations and interactions with DNS registrars. This includes the handling of “sunrise” pre-registrations within the Trademark Clearinghouse. Work regularly with marketing and legal teams to resolve trademark disputes.
  • Primary resource on all DNS configuration, both in terms of Infoblox and ISC BIND configurations. Handle all domain and subdomain delegations.
  • Critical resource in our conversion from ISC BIND for DNS to Infoblox DNS and DHCP. Defined much of the architecture and wrote many scripts for reconciliation, etc., to ensure the transition was transparent.
  • Wrote multiple scripts (mostly Perl) to manage our DNS space and allow for cookie-cutter management of our complete body of stores. Hosts can be added at any time across the entire chain with no special effort. Originally written for ISC BIND, the latest script uses the Infoblox Perl API and allows large scale templated zone creation and updates without GUI interactions.
  • Researched 3rd party SOA solutions for offsite DNS management and reducing potential eCommerce latency issues.
  • Registered with ARIN all initial IP address space including a class B and 8 class C address blocks.
  • Designed, co-managed, and co-implemented multiple IP renumbering projects spanning many hundreds of stores, moving both from public to private addressing, but also renumbering within the private space. These renumbering projects were critical in removing growth limitations.
  • Wrote Perl Cisco management script using Perl Expect to allow easy automation of data collection tasks and on-the-fly updates of configuration on a mass basis.
  • Implemented VPN, ISDN, and dial backup solutions both client and server side with numerous platforms, particularly Cisco based.
  • Built and implemented a generic NTP infrastructure to simplify time management as required by such standards as PCI, including the use of secure broadcast NTP.
  • Experience with multi-site Apache configurations including virtualization and hardening.
  • Strong understanding of “sendmail” constructs including reading both “sendmail.mc” and “sendmail.cf” file syntax. Able to add custom mail rules as required.
  • Managed the infrastructure wiring and network requirements for multiple satellite sites including a modern large scale warehouse. Involved in much hands on wiring and layout.
  • Extensive experience debugging LAN/WAN issues including use of multiple tools such as WireShark, “tcpdump”, “snoop”, “ethereal”, “ping”, “traceroute”, “netstat”, “ifconfig”, LAN shooters (TDRs), interface statistics, SNMP, Scrutinizer, NetFlow, and custom self-written tools.
  • Experienced in SAMBA configuration.
  • Experienced in configuration of ISC BIND, Cisco “ip helper” setups, and resolving DHCP issues.
  • Hacked RedHat kickstart “initrd” image to support not-yet-supported Cisco Aironet wireless cards. Similarly hacked kickstart, making kernel module changes and adding firmware loading to support new Intel based wireless cards.
  • Co-built one of the first local Internet Service Providers (ISP).
  • Significant experience sizing networks for applications and users.
  • Built tools to do large scale analysis of Access Point (AP) signal strength and identify wireless clients that may be impacted by signal issues.
  • Experienced creating “WPAD” JavaScript Proxy PAC files to allow customization of client browser proxy settings based on client source, target domains, and other parameters.
  • Ordered, installed, and configured Burlington’s first Internet connections, including firewall. Burlington was very early in the adoption of Internet technologies and one of the first retailers connected to the Internet.
  • Wrote Perl script that used SNMP to recursively iterate switch hosts, allowing the Network team to identify the actual switch port of a given IP or MAC – useful for network debugging and security issues.
  • Wrote nightly “cron” Expect (TCL) script that based on a configuration file would automatically dump and archive the running configuration of Cisco routers and switches.
  • Experienced with Xylan/Alcatel switches/routers.
  • Wrote Perl discovery script to scan all address ranges and find all hosts on the network, named or not, and then use network heuristics to discover their likely functionality and OS.
  • Well versed in the SMTP protocol and debugging SMTP delivery issues.
  • Wrote Perl Expect (Perl::Expect) SMTP check script to verify SMTP services still running and responding correctly.
  • Wrote script to integrate post conversion Exchange/AD mail aliasing with Linux/Unix services allowing Unix based applications to query Exchange/AD for user aliases and distribution groups.
  • Evaluated SaltStack, installing from scratch and creating virtualized lab environment and executing multi-host updates.
  • Experienced configuring RS-232 and resolving serial connectivity issues.
  • Selected and implemented video conferencing solutions (Polycom).
  • Wrote Perl DNS (Perl::DNS) script to pull existing DNS, compare to a past state, and send an hourly report of any DNS changes for notification/tracking purposes.

Security/IdM:

  • Primary driver of corporate Information Security program including governance structure, interaction with executive teams, policy development, guidelines and standards development, multiple 3rd party audits, awareness programs, incident response program, retention, and compliance efforts.
  • Expert knowledge on PCI security requirements and how they apply to large-tier PCI “level 1” merchants. Experienced addressing internal compliance requirements, generating policy, enforcing policy, and ensuring PCI compliance extends to 3rd party vendor relationships.
  • Driven PCI audit end-to-end, both brick-and-mortar and eCommerce.
  • Experienced in payment P2PE and E2EE payment transitions for POS (Point of Sale) devices and eCommerce realms along with strong understanding of scope reduction benefits and caveats.
  • Experienced in hardening systems, including eliminating unnecessary services, using Nessus scans to baseline, adding local firewalls, limiting user access, configuring network protocols securely (SSH, FTP, sendmail, Apache, NTP), configuring file monitoring, utilizing centralized logging, patching, following best practice guidelines, etc.
  • High level resource on multiple SOX (Sarbanes-Oxley) audits including having to drive timely reconciliation and/or mediating controls on issue areas.
  • Expert knowledge of MA201 and strong understanding of other state and federal privacy initiatives.
  • Experience with the research and mitigation of large scale DDoS attacks, including understanding the availability of external tools and resources, web server constructs, and application firewall (F5 ASM, FORTINET) mitigation.
  • Evaluation and selection of multiple security products including firewalls, IPS/IDS, DLP, anti-virus/anti-malware, WIDS, VPN servers, disk encryption, database monitoring, file integrity monitoring (FIM), anti-spam, email encryption, web application firewalls (WAF), and log management.
  • Selected and implemented key management platform to replace current in-house home grown key management and encryption infrastructure.
  • Evaluated Dropbox alternatives leading to the purchase and installation of the Accellion MDM secure mobile device storage solution.
  • Co-implemented multiple iterations of Oracle OID LDAP databases, including heavy scripting to reconcile discrepancies and ensure the data was clean. Also drove and implemented the associated networking requirements including firewalling and DMZs.
  • Maintain all SSL certificate authority (CA) contracts, relations, and configuration. Have significant experience with both Verisign (Symantec) and Entrust managed PKI solutions.
  • Built internal certificate authority (CA) utilizing “openssl” and designed to sign any number of internally trusted certificates.
  • Created numerous internal and external DMZs to protect both Internet facing systems and systems holding sensitive information. Extensive experience creating firewall rules using stateful and non-stateful firewall rules, including ASA, PIX, IOS zone, IOS ACL, and Linux “iptables”.
  • Created complex “iptables” firewall rules for protection of production web sites and other services.
  • Well experienced in end-user malware and virus disinfections. Strong understanding of how viruses/malware works and spreads and how to prevent and clear those infections.
  • Multiple Perl LDAP scripts to synchronize records from divergent LDAP stores, including from LDAP to local password files, and from LDAP to NIS.
  • Built Perl based LDAP script that automatically creates new local Linux users based on role when provisioned into the LDAP identity store.
  • In depth work on PAM (Pluggable Authentication Module) for both Linux and Solaris. Built customized PAM configuration to support centralized LDAP logins. Configured and installed PADL LDAP PAM modules on Solaris systems to make them integrate into the new LDAP environment.
  • Wrote Perl LDAP script to detect aging users and notify, and nag them, to change their password in a timely fashion.
  • Executed highly complex reconciliation process using advanced scripting and fuzzy matching to reconcile multiple diverse identity stores into a single monolithic identity store, including HR records, Oracle OID records, OpenLDAP records, Active Directory (AD) records, Unix password stores, Exchange aliases, NIS/YP records, and application user stores. This was used to ultimately build a common Oracle OIM identity store to allow a single point of identity management (IdM).
  • Co-designed, planned, and implemented corporate-wide conversion from NIS/YP authentication to LDAP authentication.
  • Experienced in recovering failed LDAP databases.
  • Evaluated two-factor solutions for PCI compliance.
  • Co-designed Oracle Portal systems infrastructure design and secure firewalling.
  • Co-designed Oracle OIM systems infrastructure design and secure firewalling.
  • Researched, selected, and drove the implementation of a Symantec eVault solution to address retention, FRCP requirements, and Legal/HR research. Experienced in retention requirements and concerns.
  • Experience managing AIDE and Tripwire FIM (File Integrity Monitoring) tools.
  • Configured VPN services including integrating with Radius servers.
  • Wrote login script to add extra layer of protection by denying or allowing users access based on network security level information.
  • Implemented SPAM controls through Spamassassin, DCC, Razor, Pyzor, DNSBL, clamav-milter, and accessdb.
  • Evaluation and selection of a wide variety of networking solutions including routers, switches, firewalls, hubs, cabling products, terminal concentrators, carriers, WAN compression, and satellite connectivity.

Architecture:

  • Go to resource for Infrastructure design/architecture questions across all subject areas – networking, systems, security.
  • Worked directly under CIO, Mike Prince, one of the earliest adopters and evangelists of Open Source technologies, including being one of the first major customers of Cisco, Oracle, and Sun. I and others worked hand-in-hand with Mike, augmenting and facilitating his vision, with our teams winning numerous industry awards in the process.
  • Extensive experience in the design of enterprise scope networks, systems infrastructure, and applications.
  • Designed, coordinated, and co-executed multiple sensitive large volume payment switch installations, including supervising system installation, hardening, networking, firewalling, processor coordination, and certifications. These include both in-house written authorization switches and third party products such as ACI/ISD switches. All installs were driven under strict PCI adherence requirements.
  • In depth experience in implementing VISA, MasterCard, AMEX, Discover, Stored Value, eFunds, and EBT transaction setups, including a strong understanding of the underlying protocols used in implementation, particularly ISO 8583 and VISA VIP protocol.
  • High level technical and architectural involvement in multiple DR projects including primary lead on initial design implementation and regular subject expert consultation on current Sungard DR development.
  • Core member of the IT Architecture Team.
  • Heavily involved in the design and implementation (and maintenance) of our eCommerce infrastructure.

Programming:

  • Extensive experience writing client and server socket code, including using TLI vs. Berkeley based sockets, socket options, keepalives, network vs. host order, “inet_addr()” functions, “gethostbyX()” functions, and use of “poll()” and “select()” to multiplex sessions.
  • Extensive experience writing low level systems code utilizing system calls such as “fork()”, “exec()”, “wait()”, “pipe()”, “dup()”, “fcntl()”, “signal()”, “stat()”, “lockf()”, “flock()”, “readdir()”, “chmod()”, “umask()”, unbuffered I/O (e.g., “read()”, “write()”, “send()”, “recv()”), asynchronous I/O, etc.
  • Experienced in threaded programming in C, C++, and Java including avoiding traps like deadlocks and livelocks. Well versed in the various IPC structures such as mutexes, semaphores, and conditions.
  • Experienced writing multi-process code handling fork()ing, reaping (wait()), delegation of transaction processing, status collection, multi-directional pipes, shared memory, interrupt handling (signal()), etc.
  • Wrote Python code to do streaming backups and restores to/from Dropbox using the Dropbox API. Code parses configuration and backup lists from flat file, opens a chunked file session to Dropbox, and runs “tar” in a pipe writing its output to the target Dropbox file.
  • Wrote Python script to handle aging out of OpenLDAP-originated VPN password entries. Scans LDAP for matching records, locking records that have either aged out or unlocking records that had previously aged out and have now been changed.
  • Wrote multi-threaded C++ credit card authorization daemon using Sun RPCs and VISA VIP/ISO format messaging to service enterprise-wide authorization requirements. Serviced over 3000 registers with an average response time of less than 2 seconds. Designed to work over unstable networks – gracefully handled timeouts, retries, backoffs, WAN/LAN failures, and transaction reversals. Wrote both client and server code, including Unix and MS-DOS support.
  • Wrote C mail (MBOX) parsing libraries for handling programmatic mail input.
  • Wrote C printcap parsing libraries to enable the management of Unix printer parameters from C programs.
  • Wrote C SunRPC based “rotate number” daemon to support unique network based tokens.
  • Significant ETL experience converting data formats including credit card settlement, printed ticket generation, various identity store formats, etc.
  • Built pipe and PTY based printer daemon that simulates Unix “/dev” devices to allow lpr/CUPS to print to networked printers without needing to understand the underlying network protocols.
  • Wrote blue book based secure encryption routines to be used in transmittal and storage of sensitive data.
  • Extensive experience with “make”, “Makefile”s, and Makefile customizations. Created numerous hierarchical Makefile configurations to support complex projects.
  • Built substitute Unix “shell” using PTYs that surreptitiously and transparently catches keystrokes of unauthorized users.
  • Wrote program used in login scripts to send TTY polling sequences with timeouts to determine the terminal type being used for access (prior to all terminals being VT100 compatible).
  • Wrote Perl based DNS templating parser to generate per store DNS records. DNS RR (resource records) are read from a template file and then converted to DNS forward and reverse files. Templating is hierarchical allowing for per store overrides of generic templates. Later updated code to push to InfoBlox API.
  • Wrote numerous Perl scripts to manage Oracle OID and OpenLDAP LDAP stores, including comparing LDAP directories, syncing directories, sending account aging warnings, global changes of attributes, and reports on non-compliant accounts.
  • Wrote numerous configuration parsers to support various programs, scripts, and servers.
  • Wrote Discover and AMEX settlement tape creation programs.
  • Extensive experience writing portable code (compiled) and scripts to support a large heterogeneous environment. Handled endians, word sizes, unions/structs, compiler differences, link paths, and pre-processor requirements.
  • Co-designed and implemented numerous shell settings and tools to hide the complexity of the heterogeneous environments from users and developers.
  • Created low level C library to properly daemon-ize code, closing descriptors, cleaning up environment, fork()ing properly, etc.
  • Created low level C library to create TCP/IP session by hostname/IP and port to abstract socket creation for developers.
  • Provided C programming consulting for DoD helicopter component status monitoring executing on an embedded RPX using MPC823 based ARM processor running Linux.
  • Wrote bourne shell based tools to manage edits of DNS and NIS edits, handling source code control, automatic notification of changes, checking of file formats (lint-ing), and pushing updates.
  • Strong debugging skills even when access to underlying code base is unavailable. Have successfully identified bugs and their locations on multiple occasions in 3rd party “black box” compiled code using tools like “strace”, “trace”, “truss”, “tcpdump/ethereal”, “lsof”, “fuser”, “strings”, log correlation, etc.
  • Numerous C programs to handle developer issues around real vs. effective user ID, resource limits, and other miscellaneous “gotchas” inherent to running code on Unix systems.
  • Significant experience with SunRPC, NIS/YP, and NFS programming.
  • Wrote SunRPC based PLU (Price LookUp) services that allow real-time querying of SKU/class price data for POS registers and other applications. Interface also allowed a timed based synchronization process to update PLU information as it reached stale data, including remote delivery and insertion.
  • Experience with writing (now defunct) Sun Net Manager agents.
  • Wrote C based authorization server utilizing X.25 and multi-processing to service credit card authorization on a satellite network. Code was designed to be self-limiting due to memory/CPU constraints and extremely robust given instability of satellite network.
  • Wrote C program utilizing “DND” (“Dartmouth Name Daemon”) to allow fuzzy email address matching. Integrated into “sendmail” using “sendmail.cf” language. Designed, coded, and implemented generic “sendmail.cf” rules to be applied to all systems for consistent mail delivery.
  • Wrote C based SMTP based client and server setup that gatewayed from TCP/IP to X.25 to allow automated delivery of data from modern Unix systems to (now defunct) Honeywell DPS8 mainframe.
  • Wrote fully functional graphical Java “CD player” for Solaris using “native methods”.
  • Wrote extensive code in PL/I for Honeywell DPS8 to support standard retail operations including handling SKU management, inventory control, transfers, etc. As code was prior to RDBMSs and lacked widely available reusable code bases, all data structures and algorithms had to be self-implemented, including custom databases, queuing, sorting, etc.
  • Wrote code in PL/I for Honeywell DPS8 to mimic Unix functionality such as “cp”, “mv”, “ls”, argument handling, wildcarding, etc. This provided a consistent environment for our operations teams and simplified many of their efforts.
  • Significant experience optimizing code for small memory and/or limited CPU.
  • Experience with assembly coding.

Miscellaneous:

  • Comfortable with 24×7 “on-call”.
  • Willing to travel both domestically and internationally.
  • “go to” resource for “last resort” debugging for systems, network, and application issues.
  • Have sponsored and run multiple internal training initiatives including:
    • Java classes
    • C classes
    • Perl classes
    • Network fundamentals
    • Security awareness
  • French language (B1 – Independent user)
  • Automatic access to EU and Swiss work permits via marriage to Swiss/Italian national.
  • (Very) advanced amateur photographer, with experience shooting 35mm, medium format, large format, and digital. Experienced both with digital and physical darkroom, lighting, composition, DoF, etc., etc.
