Josh

The short version

From 2016 to 2021 I ran HeheStreams, a subscription operation against MLB, NBA, NFL, NHL, and a dozen other platforms. It wasn't a piracy site in the traditional sense—no encoding farms, no re-streams. It operated on top of the official infrastructure of the platforms it exploited, by defeating their authentication and session controls and reverse-engineering their APIs. It survived five years of active countermeasures against ~33,000 customers. The Southern District of New York called it "sophisticated, calculated, and brazen" and asked for 72 months. I was released in 2025 after 18. That's its own story.

I now advise platforms on the other half of the problem: what abuse looks like from inside the operation, where controls work, where they don't, and what the threat-actor frame misses. I write and speak about how cybercriminal reputations get constructed through the threat-intelligence pipeline, why takedowns don't accomplish what law enforcement wants them to, and what platforms can do that actually moves the needle. Some of this work is with collaborators in academia and former federal law enforcement.

I still do offensive security research and disclose critical-severity CVEs. The skills don't change much; the targets do.

The day job

I write Ruby. I've been building software since 2004, professionally since 2008, kind-of-good-ish since 2014. Mostly Rails-based web applications. I care about code that's easy to read, easier to delete, and doesn't make the next person's life miserable—only mine.

These days I'm deep in the internals of Postgres: query planners, storage engines, strategies for multi-zillion-row tables. Most of what's going on under the hood isn't documented anywhere useful, which is half the appeal.

I maintain a handful of open-source libraries—Caffeinate for scheduled sequences, Ahoy Captain for analytics dashboards. More recently I've been building Luster, a drop-in telemetry toolkit (with dashboards) for Ruby applications, which I hope to release. I make things that solve problems I have; others may just have them too.

Writing

When I was in trouble as a child—often—my mother would have me write about it. She's not around anymore to see that I'm still writing.

I write here when I have something worth saying, or think I might. Most of it splits between the two halves: platform abuse and threat intelligence on one side, software patterns and Rails architecture on the other. Occasionally something else—the criminal justice system, late-diagnosed autism, whatever else is rattling around.

Origin story

One of my earliest memories is fixing the sound output in Commander Keen when I was four. At six I went to Chili's for my birthday and became fascinated by the point-of-sale system (Micros, if you're wondering). The manager showed me how it printed tickets to the kitchen and tracked items, and let me add my own menu item. I was in heaven and I'm still there.

If not for the internet I'd probably be working in branding or architecture. Branding because I like distilling something complex into something immediate—a name, a mark, a feeling. Architecture because I like systems that have to work in the real world, where constraints are physical and consequences are literal. Software sits between both.

Otherwise

When I'm not at a keyboard: canoeing, cooking, adventuring. I co-own a horse ranch in Mexico that does ecotours, which is exactly the kind of sentence that sounds made up but isn't. I was born in Minnesota, bounced around, ended up coming back. Hard to leave an abusive relationship with weather.

I'm bad at being bored. Not in a hustle-culture way—my brain doesn't idle well. If I'm not making something, I'm thinking about making something. Downtime means I'm in the kitchen wondering why there aren't more hours in a day. Diagnosed autistic in 2022, which explained a lot but isn't the whole story.

Contact

If you want to reach me, you'll figure it out. I'm not hard to find.