On May 22, June 3, and June 8, 2026 , Anthropic published three cyber research posts that looked like different stories. One was about exploit benchmarks. One mapped malicious AI use to the MITRE…

This may sound far-fetched, but I already found that iCloud remotely triggers iMessage sign-in and sync (as well as FaceTime sign-in). I have circumstantial evidence that iCloud also remotely enabled…

Escape the silo with hot, warm & cold backups for your privacy tools. Learn redundancy, data portability, and resilient strategies to stay in control.

It’s audit season. And if you’re a SaaS startup, you know exactly what that means.The dreaded “Change Management” evidence request. Some auditor sends you a list of 15 random commit SHAs…

virsh list --all; # show all available vms (if the list is empty check this article) virsh start vmname; # start the vm virsh dominfo vmname; # get info on vm Id: 2 Name: vmname UUID:…

Oracle quietly halved its Always Free Ampere A1 tier to 2 OCPU and 12GB RAM. What changed, whether you'll be billed, and how to resize your instance.

hostnamectl; # tested on Operating System: Debian GNU/Linux 13 (trixie) Kernel: Linux 6.12.74+deb13+1-amd64 Architecture: x86-64 # as non root user virsh uri qemu:///session # as root user su - root…

Generate 100GbE line-rate traffic (142 Mpps) with TRex 3.06 on a Mellanox ConnectX-5: hardware, the frame-size math, config, streams, and tuning. Continue reading →

This site runs on WordPress on a cheap hosting plan, with W3TotalCache and Cloudflare in front of it to hopefully make it a bit faster. It turns out my quick setup of bundling this all together…

One of my favorite visuals for known vulnerabilities in curl is the mountain. It shows how many currently known vulnerabilities were present in the code through-out curl’s history. In the end…

Daytona went closed source yesterday, and the reasoning was security. Look at these moves through the lens of business instead, and a different and more honest story shows up.

You might have read recently on this blog that my procurement preferences for hank.parts are basically EU,(self hosted) open source, UK/CH,Rest of the world,in this order. This article is a…

In the first part – LiteLLM: AI Gateway for LLMs – features overview we got familiar with what LiteLLM can do in general – now we can run it in Kubernetes and connect clients. At…

WireGuard quickly became a popular VPN protocol: simple, fast, cleanly designed, and free of heavy legacy baggage. It stood out against monsters like IPsec and OpenVPN. But, as often happens, its…

beorg supports a number of ways of syncing your files. One of these is WebDAV. WebDAV isn’t owned by a company, but is an open standard that anyone can build services around. Many of the…

A user calls GET /invoices/4471 and gets back an invoice. The gateway in front of the service did its job: it checked that the request carried a valid token, that the user was authenticated, and that…

I am a core maintainer of testcontainers-go and a Docker employee. That overlap is what makes this post possible. As the maintainer I know exactly how the library identifies itself when it talks to a…

I think there’s only really A: Do not trust anybody who cold contacts you. However, I guess there’s a B, meaning a refinement of the first rule: Do not trust anybody who cold contacts you…

Connected to WiFi but no login page? It's almost always DNS, in one of two moods. Here's how to force the captive portal and stay secure on public WiFi.

A series of unfortunate agents.

Today I am taking a look at the weird world of multicast, where packets get delivered more than once, and we route using a backwards routing table. But, once you understand how it works, a whole…

﷽

Oops, I didn’t do my due diligence, and the new place I’ve moved into has a terrible Internet connection with no port forwarding allowed. Guess it’s time to dig through memory lane to figure out my…

How Drydock uses npm staged publishing and GitHub release gates to review the package artifact before it can ship.

Most people gamble on success — they assume the thing will work, and they're genuinely surprised when it doesn't. A tiny, birdlike kung fu master taught me to gamble on failure instead. Expect every…

A focused review for teams shipping LLM, RAG, and agent systems: trace coverage, evaluation gaps, token cost visibility, failure modes, and OpenTelemetry instrumentation plan.

After one year working around AI security and governance, I trust flashy AI demos less and pay more attention to data, permissions, discovery, and the boring systems around AI.

Traditional page caches reference-count every page access — two atomic operations per page, per transaction, on counters that bounce between cores. Typhon replaces counting with epoch-based…

A migration retro: forking Langfuse to swap its analytics store from ClickHouse to GreptimeDB, run mostly by two AI agents. Most of the work was paying down the debt of one decision — make a single…

Two months ago I wrote down my baseline for hardening a fresh Linux install. Non-root user, SSH lockdown, UFW, fail2ban, unattended-upgrades, the Docker firewall hole. It was fine as far as it went.…

On Linux what does networking? What parts are implemented in the kernel and what parts require userspace tools or daemons? How much of networking is inherent to the kernel and how much is up to…

This is a demo of how I use Lima for Docker and NixOS virtual machines on MacOS and Linux:

I use Linux, specifically NixOS, for the majority of my gaming, so I wanted to compile a list of references for anyone interested in replicating my setup.

Nobody in Canberra has stood up and said “we’re banning VPNs.” They don’t have to. If you’ve watched how this government operates, you already know where this is…

I tried to spin up a vanilla mailcow-dockerized setup but couldn’t get it to come up. Logs said that the DNS checks for unbound were failing I tried all sorts of things to no avail. Querying…

Tyler Hoffman returns to the show to discuss diagnostics and observability data in embedded systems. We catch up on his life after startup acquisition, explore the hows and whys of keeping product…

Serious Ubiquiti Vulnerabilities, My Advice for Hosting Public Services, Reversing Binaries with Ghidra MCP, My Meta-Prompt Recommendation, New Dario and Sam Websites, and more...

On June 19 we released systemd v261 into the wild . In the weeks leading up to that release (and since then) I have posted a series of serieses of posts to Mastodon about key new features in this…

A Chrome DevTools Protocol toolkit for browser-based post-exploitation and surveillance.

A modular engine that runs real vendor detection logic from reverse-engineered EDR components against live or replayed Windows telemetry.

Polymarket customers have lost around $2.97 million to an attacker who then swapped stolen Polymarket USD (pUSD) to ETH. Polymarket, a crypto-based prediction markets platform, quickly made an…

Aggregarr did three jobs on Plex for me: collections, artwork, and home screen rows. Here's how that splits across Posterizarr, Maintainerr, and what Moonfin already does natively, plus where Seerr…

I had to sign and notarize the Posh TUI Mac app. The problem is that our household moved away from Apple. My last MacBook (Intel-based) was converted into an Omarchy machine for my son. But all the…

Optimizing code starts with measuring it, and a measurement is only useful if it is repeatable: a 2% improvement is invisible under 5% of noise. Yet on an untuned machine the same binary can easily…

There are two natural ways to lock an agent’s MCP tool calls down to least privilege. The agent can carry a narrow token scoped to the action, or the server can decide each call as it happens.…

Two AI assistants went dark in forty-eight hours last week. In neither case did the model break. The thing that broke was the wire in front of it, and we built that fragility back on purpose.

The same adaptive loop, two fates: with one knob negative each failure makes the system stronger; flip its sign and failures spiral to certain breakdown.