Isometric illustration of data streams being corrupted with noise

Data Poisoning: Reclaiming Your Privacy Through Offence

Here is how privacy works today. You read the policy. You dismiss the cookie banner. You hunt through three settings menus for the opt-out toggle that someone deliberately buried. You do this to exercise a right that should have been the default. And while you are still on the first paragraph of the terms of service, every click, scroll, hover, and the exact timing of your keystrokes has already been harvested, packaged, and sold. We have accepted this as normal. ...

June 7, 2026 · 8 min read · Tom Meurs
Isometric illustration of a central key with three identity branches shielded by a quantum barrier

Quantum-safe GPG identity with multiple aliases

A cryptographic signature is one of the few things online that still means exactly what it says. If the key is yours and the signature verifies, the content came from you. Full stop. No vendor handed you this identity, no CA can pull it, no platform can suspend it. It exists because you generated the key, and it stays yours for exactly as long as you hold the private half. Most of what we casually call “online identity” is borrowed: a handle someone can ban, a checkmark someone can strip, an email address a domain owner can take back the day they feel like it. A GPG signature lives outside all of that. The key that signed this paragraph is either yours or it belongs to someone else, and nobody gets a vote. ...

April 18, 2026 · 14 min read · Tom Meurs
Declarative infrastructure for compliance and certification

Declarative Infrastructure as Compliance Documentation: Talos, NixOS, and Audit-Ready Systems

Here’s how an ISO 27001 audit usually goes. Weeks before the auditor shows up, someone starts collecting screenshots. Configuration panels, firewall rules, a dashboard showing patches applied. Then come the Word documents describing what the systems are supposed to do. Then the change tickets, dug out of a ticketing system, each one referencing a vague “server maintenance” that nobody can fully reconstruct six months later. Everyone treats this as the cost of doing business. I did too, for years. ...

March 23, 2026 · 9 min read · Tom Meurs
CTF and forensics skills for DevOps engineers

CTF and Forensics Skills That Make You a Better DevOps Engineer

A production server is misbehaving at 3 AM. You SSH in. Now what? The engineers who stay calm here are the ones who already know the next ten commands by heart, because they have run this exact loop a hundred times before, just with the word “flag” instead of “incident.” I spend my evenings doing Hack The Box challenges and CTF competitions. I have no plans to become a pentester. I like platform engineering. The reason I keep at it is that the skills carry straight into my day job, and the carryover is bigger than it sounds. ...

February 27, 2026 · 10 min read · Tom Meurs
Zero trust security explained with hotel metaphor

Zero Trust Explained: The Hotel Key Card Metaphor

“So what exactly is this zero trust thing everyone keeps talking about?” I get this question a lot. Usually from managers, executives, or anyone who has to approve a security budget without a technical background. And most explanations I have seen are terrible. They either drown you in jargon or sand the concept down so far that nothing useful is left. So here is the metaphor I reach for instead. I have used it to explain zero trust to my parents, to executives, and to that one colleague who still calls the firewall “the internet box.” It works because it starts with something everyone has touched: a hotel key card. We will build up from there, one layer at a time, until you can see how the same idea runs all the way down to mTLS and identity-aware proxies. ...

February 19, 2026 · 8 min read · Tom Meurs