Declarative infrastructure for compliance and certification

Declarative Infrastructure as Compliance Documentation: Talos, NixOS, and Audit-Ready Systems

Compliance audits are painful. Anyone who’s been through ISO 27001 certification knows the drill: weeks of documentation gathering, screenshots of configurations, evidence of change management processes, proof that what you say you do is what you actually do. But here’s something I’ve realized after running declarative infrastructure for years: systems like Talos and NixOS don’t just make infrastructure better — they make compliance dramatically easier. The same properties that make these systems reliable (immutability, reproducibility, auditability) are exactly what auditors want to see. ...

March 23, 2026 · 7 min read · Tom Meurs
CTF and forensics skills for DevOps engineers

CTF and Forensics Skills That Make You a Better DevOps Engineer

I spend my evenings doing Hack The Box challenges and CTF competitions. Not because I want to become a pentester — I’m happy in platform engineering. But because the skills I learn there make me significantly better at my day job. This isn’t obvious at first. What does pwning a vulnerable web app have to do with running Kubernetes clusters? More than you’d think. Forensics and offensive security train you to think about systems differently. You learn to investigate, to trace, to understand what’s actually happening rather than what should be happening. And that mindset — plus the tooling — is exactly what you need when debugging production issues at 3 AM. ...

February 27, 2026 · 9 min read · Tom Meurs
Zero trust security explained with hotel metaphor

Zero Trust Explained: The Hotel Key Card Metaphor

“So what exactly is this zero trust thing everyone keeps talking about?” I get this question a lot. Usually from managers, executives, or anyone who has to approve security budgets without a technical background. And honestly, most explanations I’ve seen are terrible. They’re either drowning in jargon or so oversimplified they’re useless. So here’s my attempt at a metaphor that actually works. One that I’ve used successfully to explain zero trust to my parents, to executives, and to that one colleague who still thinks the firewall is “the internet box.” ...

February 19, 2026 · 6 min read · Tom Meurs
YubiKey with pass, GPG and SSH integration

YubiKey + Pass + GPG + SSH: One Key to Rule Them All

There’s a moment when everything clicks. You plug in your YubiKey, type your PIN once, and then everything just works. SSH to servers? No password. Sign git commits? Automatic. Get a password from pass? Touch the key and done. That moment took me about three evenings of frustration to reach. But now that it works, I never want to go back. Why This Setup? I had a problem: too many authentication methods. ...

January 13, 2026 · 6 min read · Tom Meurs
pass password manager, gpg, unix, cli, password store

Pass: the Unix password manager that just works

I used KeePass for years. Then 1Password. Then Bitwarden. All decent tools, but they always felt… like too much. Too much UI, too many features, too much hassle to integrate properly into my workflow. Then I discovered pass. A password manager that does exactly what the name says: store passwords. Nothing more, nothing less. What is pass? Pass is the “standard unix password manager.” It’s a shell script of ~700 lines that stores passwords as GPG-encrypted files in a directory. That’s it. No database, no proprietary format, no built-in cloud sync. ...

January 10, 2026 · 7 min read · Tom Meurs
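To make "GPG-encrypted files in a directory" concrete, here is an added example (not code from pass itself, and not from the post above) that models the store layout pass uses: one `<name>.gpg` file per entry under a store directory, and a `.gpg-id` file whose recipients apply to everything beneath it until a deeper `.gpg-id` overrides it. The function names (`make_demo_store`, `pass_list`, `pass_gpg_id_for`, `pass_show`) are this example's own, and the store it builds under `mktemp` holds constructed placeholder files, not real ciphertext, so it runs offline without a key.

```shell
#!/bin/sh
# Added example, not part of pass. Models the on-disk layout pass uses:
#   $STORE/<path>.gpg   one encrypted file per entry
#   $STORE/.gpg-id      recipients for the store (one key id per line)
#   $STORE/<dir>/.gpg-id  optional: different recipients for that subtree
# Real pass keeps the store in ~/.password-store (or $PASSWORD_STORE_DIR).
set -eu

# Build a throwaway store with constructed entries. The .gpg files hold a
# placeholder string, not real gpg output, so nothing here needs a key.
make_demo_store() {
    store=$(mktemp -d)
    mkdir -p "$store/email" "$store/work"
    printf 'alice@example.com\n' > "$store/.gpg-id"
    # work/ is shared with a second key: pass would encrypt to both
    printf 'alice@example.com\nwork-key@example.com\n' > "$store/work/.gpg-id"
    for entry in email/gmail work/vpn work/jira; do
        printf 'FAKE-CIPHERTEXT\n' > "$store/$entry.gpg"   # constructed placeholder
    done
    echo "$store"
}

# List entries exactly as `pass ls` would name them: the filename minus .gpg.
# Note that this needs no key at all: entry names are plaintext metadata.
pass_list() {
    store=$1
    find "$store" -type f -name '*.gpg' | sed "s|^$store/||; s|\.gpg\$||" | sort
}

# Resolve which .gpg-id governs an entry. pass starts in the entry's own
# directory and walks up toward the store root, using the first .gpg-id it
# meets; recipients are printed comma-separated.
pass_gpg_id_for() {
    store=$1
    dir=$(dirname "$store/$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            paste -sd, "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && return 1   # reached the root without a .gpg-id
        dir=$(dirname "$dir")
    done
}

# Decrypt one entry. This is the only step that touches a key; it needs a
# real store and gpg with the matching private key, so the demo below does
# not call it.
pass_show() {
    gpg --quiet --decrypt "$1/$2.gpg"
}

# Demo run over the constructed store.
demo=$(make_demo_store)
echo "entries:"
pass_list "$demo"
for e in email/gmail work/vpn; do
    echo "$e is encrypted to: $(pass_gpg_id_for "$demo" "$e")"
done
rm -rf "$demo"
```

Two practical points fall out of the layout. Listing the store needs no key, so the entry names themselves (which sites and accounts you have) are visible to anyone who can read the directory or the git history pass optionally keeps; put nothing secret in the name. And because recipients are resolved per subtree, changing a `.gpg-id` does not re-encrypt existing files by itself; pass provides `pass init -p <subdir> <key-id>` for that, which re-encrypts the affected entries.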