Isometric illustration of data streams being corrupted with noise

Data Poisoning: Reclaiming Your Privacy Through Offence

Here is how privacy works today. You read the policy. You dismiss the cookie banner. You hunt through three settings menus for the opt-out toggle that someone deliberately buried. You do this to exercise a right that should have been the default. And while you are still on the first paragraph of the terms of service, every click, scroll, hover, and the exact timing of your keystrokes has already been harvested, packaged, and sold. We have accepted this as normal. ...

June 7, 2026 · 8 min read · Tom Meurs
Tailscale mesh network connecting devices

Tailscale for Homelab: Secure Remote Access Without Port Forwarding

My homelab cluster runs in a closet at home. I do not. I work from coffee shops, from a client office, sometimes from a hotel with WiFi that feels actively hostile. And I still want to reach my own machines while I’m out there. For years the standard answer to that was to poke holes in your own front door. Forward a port on the router, wire up dynamic DNS so the changing home IP doesn’t break everything, write firewall rules, and then sit with the quiet hope that nobody scanning the internet stumbles onto the SSH daemon you just exposed. It works, in the sense that you can reach your stuff. It also means a part of your private network is now answering questions from strangers, all day, forever. ...

May 10, 2026 · 11 min read · Tom Meurs
Isometric illustration of a central key with three identity branches shielded by a quantum barrier

Quantum-safe GPG identity with multiple aliases

A cryptographic signature is one of the few things online that still means exactly what it says. If the key is yours and the signature verifies, the content came from you. Full stop. No vendor handed you this identity, no CA can pull it, no platform can suspend it. It exists because you generated the key, and it stays yours for exactly as long as you hold the private half. Most of what we casually call “online identity” is borrowed: a handle someone can ban, a checkmark someone can strip, an email address a domain owner can take back the day they feel like it. A GPG signature lives outside all of that. The key that signed this paragraph is either yours or it belongs to someone else, and nobody gets a vote. ...

April 18, 2026 · 14 min read · Tom Meurs
cert-manager automatic TLS certificate flow

cert-manager: Automatic TLS Certificates in Kubernetes

For a long time my certificates renewed the way most people’s do: a calendar reminder, a manual certbot run, and a quiet hope that I’d remember before the thing actually expired. It worked. It worked right up until the morning a service threw cert errors at me and I had no idea why, because the renewal cron had been silently failing for weeks. That’s the part nobody tells you about manual TLS. The failure doesn’t announce itself. The cert just expires, usually at the worst possible moment, and you find out because a browser is yelling at someone. Renewal knowledge ends up living in one person’s head. Teams skip HTTPS on internal services because wiring it up by hand is annoying enough to put off. ...

April 12, 2026 · 11 min read · Tom Meurs
Cilium eBPF networking architecture

Cilium: eBPF Networking for Kubernetes

The first time a service stopped resolving in one of my clusters, I spent an evening reading iptables chains. Hundreds of rules, generated by kube-proxy, evaluated top to bottom. I never found the actual problem. I restarted a node and it went away. That bothered me more than the outage did. I was running something I couldn’t read. That feeling is why I moved to Cilium. It uses eBPF to push networking logic down into the Linux kernel and skips iptables entirely. You get better performance, you can actually see what your traffic is doing, and network policies stop being a guessing game. ...

April 8, 2026 · 10 min read · Tom Meurs