I'm currently a (computer) security analyst for Riscure, which basically means I break systems. (This is my personal website, and does not reflect any views or opinions of my employer.)

I sometimes also break things in my free time; occasionally I write about that.


You can e-mail me at (my first name) at zall.org. (key)


I'm narcoleptic. Please let me stand when possible; sitting down makes me sleepy.

My native tongue is English; I also speak Dutch. (In fact, I am Dutch.)


SafeInit: Comprehensive and Practical Mitigation of Uninitialized Read Vulnerabilities (to appear) (PDF)
Alyssa Milburn, Cristiano Giuffrida and Herbert Bos
In Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS '17),
San Diego, CA, USA, February 2017

stuff I like

I enjoy low-level computing, particularly compilers (including working with LLVM/gcc), kernel-level work and embedded platforms.

Did I mention breaking stuff? As well as boring ol' web security stuff (please don't use WordPress), I've reported vulnerabilities in open source projects ranging from low-level memory overflow/disclosures (CVE-2013-1861 in MySQL) through simple TOCTOU problems (CVE-2015-8239 in sudo). I occasionally do writeups about interesting vulnerabilities.

I'm fascinated by old computer games. I'm involved in various open source projects in this vein, in particular ScummVM, GemRB and openc2e.

I love explaining stuff. I like giving talks! In 2015/2016, I helped teach a few CS bachelor program courses, and helped TA others.

Reverse engineering is great fun too; as well as taking apart old computer games, I've also applied my skills to analyzing embedded firmware, and to security work.

You, if you read all of that without closing your browser tab. Have a stroopwafel!