Technical essays on infrastructure, distributed systems, and the pleasure of understanding.
vol. 1 vol. 2A deep dive into the design of Conduit PQ — hybrid SPAKE2 + ML-KEM-768 key exchange, custodian-gated onboarding, peer-to-peer mesh, and a certificate system that requires human approval before any key is generated.
How nine servers across three continents become a self-healing private network using WireGuard tunnels, BIRD2 BGP routing, and an address scheme that encodes geography and purpose into every packet.
A five-layer hand cipher combining frequency-weighted encoding, mod-10 one-time pad, block discipline, and keyword defense. Information-theoretic security with no electronics required.
Ratchet v0.3 adds identity-authenticated key exchange — two peers need only each other's public key to establish a forward-secret session. No shared key file. No passphrase. No meeting. Also: a .deb package, systemd service templates, and a three-node mesh deployment.
Postfix, Dovecot, and mtail configuration changes made to eijo.im to sustain 50 concurrent user pairs at 0.4s p50 latency with zero message loss.
Setting up Grafana with a PostgreSQL backend to monitor a ChatMail relay — mtail mail metrics, node exporter infrastructure, Prometheus scraping, systemd hardening pitfalls, and the full Ansible role for reproducible deployment.
Documentation for the FMS mesh Ansible playbook covering all roles (firewall, fail2ban, WireGuard, PostgreSQL, pg-router, chatmail, SSH certificates), the self-rebuilding command center dashboard, and the complete site.yml deployment pipeline.
Technical write-up covering the installation, DNS, Nginx ALPN multiplexing, monitoring stack (Prometheus, Grafana, mtail, custom textfile collectors), Ansible automation, and systemd service hardening of a Delta Chat chatmail relay. Security scores dropped from 9.6 to 1.3–1.9 across all monitoring services.
A Rust binary that encrypts hand-entered text with ChaCha20-Poly1305, ratchets the key forward after every message, signs each frame with Ed25519, heals from compromise via X25519, connects peers over QUIC, and employs software TEMPEST countermeasures to resist electromagnetic and screen-scraping surveillance. How it works, why it works, and what it has in common with a notebook full of random numbers.
A post-quantum hardened peer-to-peer file transfer tool. Two words and two codes, spoken aloud, become a cryptographic tunnel that even a quantum computer cannot break.
A Rust library that wraps computation in cryptographically-gated concentric rings. Data passes inward only by proving it belongs there. Each ring produces a unique nonce that becomes the credential for the next.
How pg-router and Consort divide the work of running authoritative DNS and distributed object storage across a WireGuard mesh.
Embedding a cryptographically signed command-and-control channel inside an MKV container, synchronized across peers via gossip, with a steganographic fallback that survives platform transcoding.
Basil Stonebreaker, Isadora Hudson, and Bernard converge on a Tuesday morning in a city that doesn't know it needs them — a nine-chapter story of infrastructure, intuition, and the elegant logic of fit.
A survey of current projects spanning Snowflake ID generators, threat intelligence tools, secure messaging, bot-resistant authentication, and infrastructure helpers.
Basil's initiation into the covert world of espionage under the tutelage of veteran operative Marcus.
Three shadowy figures navigate a scorched, near-future landscape warped by environmental collapse and the lure of dark crypto-economies.
A SANS @ Night session on cyber ranges covering NATO war games, SANS NetWars, JYVSECTEC simulations, the DARPA National Cyber Range, MERIT's Michigan Cyber Range, adversary simulation tools like MITRE CALDERA and Uber Metta, and a proof-of-concept portable range built with Raspberry Pi clusters, OPNsense, WireGuard, and BGP routing modeled after dn42.
A SANS @ Night session on IoT security covering legal challenges, the explosive growth of connected devices, IoT attack surfaces from OWASP, passive and active enumeration techniques using Darkstat, Bro, ntopng, nmap, Sysmon, OSSEC, MITRE ATT&CK, and the importance of knowing what you are defending.
An updated SANS @ Night session covering the state of cyber security, the 15 Axioms of Traditional Intelligence, CybOX/STIX/TAXII standards including the new STIX 2.0 draft, YARA signatures, OpenIOC, threat intelligence platforms, and the critical importance of baselining with tools like Bro, PRADS, SGUIL, and LOKI.
An entry-level overview of the role and practice of cyber threat intelligence, covering the state of cyber security, CybOX, STIX and TAXII standards, real-world incident analysis, threat intelligence platforms like ThreatConnect and Critical Stack, and a hands-on homework lab with Bro and Security Onion.
A SANS @ Night session covering the state of cyber security in 2015, what threat intelligence is, the CybOX/STIX/TAXII standards, real-world malware analysis with the Dyreza banking trojan, and hands-on integration of Critical Stack Intel feeds with Bro and Security Onion.
Published in CSO Outlook magazine, this article explains how integrating the first five SANS/CIS 20 Critical Security Controls into organizational operations transforms security from reactive to proactive, reducing maintenance costs and detection time.
Presented at the Minneapolis Chapter Palo Alto Networks Fuel Users Group Meeting, this talk covers the 2014 breach landscape, threat intelligence sharing through ISAOs, and practical tools for operationalizing indicators of compromise.
Keynote at the Saint Paul College ACM Club Cyber Security Workshop covering the threat landscape, the defender's advantage, cybersecurity career paths, the Internet of Things, and critical infrastructure security.
Presented at the (ISC)2 Twin Cities Area Chapter, this talk covers Distributed Denial of Service attacks -- their origins on IRC, modern threat actors, attack techniques across the OSI stack, and four architectural approaches to defense.
Presented at the (ISC)2 Twin Cities Area Chapter 2013 Annual Meeting, this talk covers virtualization basics, cloud computing benefits, and the security and privacy risks of entrusting data to third-party providers.
Presented at the (ISC)2 Twin Cities Chapter, this talk examines Oracle Java vulnerabilities, exploit techniques that bypass the Java sandbox, and both technical and policy-based defensive measures.
Presented at the Nonprofit Technology & Communications Conference, this talk delivers a prioritized 18-step security checklist for resource-constrained organizations, covering everything from password management to vendor oversight.
Presented at the 30th Annual Minnesota Government IT Symposium, this talk provides a structured approach to IT risk assessments using frameworks like NIST 800-30, ISO 27005, FAIR, and OCTAVE, covering threat identification, vulnerability analysis, impact assessment, and risk treatment planning.
A SANS community presentation covering the six-phase incident response process, forensic toolkit overview, evidence handling procedures, data hiding techniques, and the forensic implications of solid state drives.
Published in ISO Focus+ magazine, this article by Matthew J. Harmon and Natascha E. Shawver examines the explosive adoption of RFID technology, its security vulnerabilities, and the international standards being developed to address them.