His father is a sales consultant and his mother is a historian and a former high school social studies teacher. Hoffman created StripeSnoop, an application which analyzes data on magnetic stripes. He also created tinyDisk, a file system that runs on top of tinyURL.
For several years Hoffman published and presented under the handle Acidus about web and computer security issues. He first became famous when, as a student at Georgia Tech, he discovered a security flaw in the campus magnetic ID card system called "BuzzCard." He gave a talk about the security flaw at the Atlanta hacker conference "Interz0ne" in Fall of 2002.
At Interz0ne2 in April 2003 he attempted to give an updated version of the talk with Virgil Griffith, a student from the University of Alabama, but he and Griffith were served with a cease and desist letter a few hours before giving the presentation, and then within two days of that this was followed up by a lawsuit from Blackboard Inc, alleging that Griffith and Hoffman had violated the DMCA, the Espionage and Sedition Act, and that they had stolen trade secrets. The lawsuit was eventually settled.
In 2005, Hoffman graduated from Georgia Tech, with a degree in computer science. He has given talks on multiple subjects at such conferences as Interz0ne, Interz0ne2, Outerz0ne, SkyDogCon, Toorcon, Black Hat Federal, PhreakNIC, FooCamp, O'Reilly Media, Emerging Technology Conference, and ShmooCon. He was also invited to speak at the FBI. Hoffman is the author of the book Ajax Security, published in December 2007 by Addison Wesley. Hoffman worked as a security researcher for Atlanta start-up SPI Dynamics Inc, and then for Hewlett-Packard, which purchased SPI Dynamics on 1 August 2007. He now works as the Chief Technology Officer at the web performance company Rigor.
- "Deconstructing a Fortres", Fall 2001, 2600 Magazine
- "Campuswide, Wide Open", Spring 2002, 2600 Magazine
- "NCR ATMs: Aurem X Machina", Summer 2002, 2600 Magazine
- "XM, the flawed future of radio", Fall 2002, 2600 Magazine
- "Magstripe interface", Summer 2004, 2600 Magazine
- "Building your own magstripe reader", O'Reilly's Make magazine, Fall 2004
- "Understanding Web Security", Spring 2007, 2600 Magazine
- "Ajax Security", December 2007, Addison Wesley
- Cailloux, Tim (2003-04-18). "BuzzCard maker silences student". The Technique. Archived from the original on 2006-12-05. Retrieved 2007-04-10.
- Foster, Andrea L (2003-04-16). "At Blackboard's Request, Judge Prevents Students From Discussing Security of Debit-Card System". The Chronicle of Higher Education. Archived from the original on 2007-04-07. Retrieved 2007-04-10.
- Modine, Austin L (2007-06-19). "HP buys web security firm SPI". The Register. Retrieved 2010-09-15.
- "Web 2.0 As A Story To Be Destroyed by Hackers", Wired News, February 7, 2007
- "Covert crawler descends on the web", Wired News, January 14, 2006
- "Blackboard Gets Gag Order Against Smart-Card Hackers" Washington Post, April 18, 2003
- "Blackboard Erases Research Presentation with Cease-and-Desist", Case analysis by the Electronic Frontier Foundation