Security

A cryptographic signature is one of the few things online that means exactly what it says. If the key is yours and the signature verifies, the content came from you. No vendor issued this identity, no CA can revoke it, no platform can suspend it. It exists because you generated the key, and it stays yours as long as you control the private half. Most of what we call “online identity” is on loan from someone else: a handle that can be banned, a checkmark that can be removed, an email address that a domain owner can reclaim. A GPG signature sits outside all of that. Either the key that signed this paragraph is yours, or it is not, and no one else gets to decide. ...

Compliance audits are painful. Anyone who’s been through ISO 27001 certification knows the drill: weeks of documentation gathering, screenshots of configurations, evidence of change management processes, proof that what you say you do is what you actually do. But here’s something I’ve realized after running declarative infrastructure for years: systems like Talos and NixOS don’t just make infrastructure better — they make compliance dramatically easier. The same properties that make these systems reliable (immutability, reproducibility, auditability) are exactly what auditors want to see. ...

I spend my evenings doing Hack The Box challenges and CTF competitions. Not because I want to become a pentester — I’m happy in platform engineering. But because the skills I learn there make me significantly better at my day job. This isn’t obvious at first. What does pwning a vulnerable web app have to do with running Kubernetes clusters? More than you’d think. Forensics and offensive security train you to think about systems differently. You learn to investigate, to trace, to understand what’s actually happening rather than what should be happening. And that mindset — plus the tooling — is exactly what you need when debugging production issues at 3 AM. ...

“So what exactly is this zero trust thing everyone keeps talking about?” I get this question a lot. Usually from managers, executives, or anyone who has to approve security budgets without a technical background. And honestly, most explanations I’ve seen are terrible. They’re either drowning in jargon or so oversimplified they’re useless. So here’s my attempt at a metaphor that actually works. One that I’ve used successfully to explain zero trust to my parents, to executives, and to that one colleague who still thinks the firewall is “the internet box.” ...

There’s a moment when everything clicks. You plug in your YubiKey, type your PIN once, and then everything just works. SSH to servers? No password. Sign git commits? Automatic. Get a password from pass? Touch the key and done. That moment took me about three evenings of frustration to reach. But now that it works, I never want to go back. Why This Setup? I had a problem: too many authentication methods. ...