Notes

Build logs, deep dives, and things I learned the hard way.

I use this section as a technical notebook: experiments, wrong turns, reversals, and occasional wins.

Post templates

Formats I use when writing in public.

Build Log

Week 3 of building X: what broke, what changed, what I am trying next.

Deep Dive

A technical rabbit hole worth mapping end-to-end.

Teardown

I reverse engineered X to understand Y.

Failure Post-mortem

What failed, why it failed, and how I changed the system.

Learning Journal

Things I was wrong about this month.

TIL

Short, fast discoveries worth remembering.

Featured

Representative posts

A few notes across security, systems, and engineering practice.

May 11, 2026 Essay

Why most security platforms collapse under operational complexity

Security platforms rarely fail at the threat model. They fail at telemetry cardinality, retention math, shard debt, and the support load no demo accounts for.

Apr 27, 2026 Essay

Defaults are the only security control that scales

Every checkbox on the paved road taxes traffic off it. The real product of a platform team is the default every team inherits by doing nothing.

Apr 20, 2026 Essay

The unit economics of deception

Deception is a rare defense where each detection burns attacker resources at near-zero defender cost. A week of data from my site, and why few programs use it.

Apr 11, 2026 Essay

WireGuard Crypto, FIPS, and the AES-NI Tax

WireGuard chose modern primitives that are fast in software. FIPS pushes VPNs toward validated AES modules. Can mainline WireGuard ever fit that world?

Apr 9, 2026 Essay

Why prompt injection is architecturally hard to solve

Prompt injection is not a bug you patch with better prompting. It is structural in any system that mixes instructions and untrusted data in one context.

Apr 6, 2026 Deep Dive

FHE and LLM inference: the hardest open problem in private AI

Running LLMs on fully encrypted data is theoretically sound and practically brutal. Here is where the research stands and what actually works today.

Archive

All notes

May 27, 2026

Eleven Ways My OpenWrt Mesh Broke (and What Each One Taught Me)

A field postmortem from a two-router OpenWrt network: circular routes, a silent driver bug, hardware-locked radios, and other production-only failures.

Failure Post-mortem Infrastructure

May 25, 2026

An Encrypted Wi-Fi Mesh Backbone with 802.11s, WireGuard, and VXLAN

Bridge two OpenWrt routers into one Layer 2 network over an untrusted wireless backhaul, stacking 802.11s for transport, WireGuard for encryption, and VXLAN.

May 11, 2026

Why most security platforms collapse under operational complexity

Security platforms rarely fail at the threat model. They fail at telemetry cardinality, retention math, shard debt, and the support load no demo accounts for.

Apr 20, 2026

The unit economics of deception

Deception is a rare defense where each detection burns attacker resources at near-zero defender cost. A week of data from my site, and why few programs use it.

Apr 15, 2026

Block Cipher Modes and Why They Matter

GCM for TLS, XTS for disk encryption, GCM-SIV when nonce management is hard. Block cipher modes are not interchangeable, and the wrong one has consequences.

Deep Dive Cryptography

Apr 9, 2026

Why prompt injection is architecturally hard to solve

Prompt injection is not a bug you patch with better prompting. It is structural in any system that mixes instructions and untrusted data in one context.

Apr 6, 2026

FHE and LLM inference: the hardest open problem in private AI

Running LLMs on fully encrypted data is theoretically sound and practically brutal. Here is where the research stands and what actually works today.

Mar 26, 2026

LiteLLM Got Backdoored. Here Is What I Built Instead.

A supply chain attack on LiteLLM showed the risk of a privileged AI proxy. Butler fills a similar role for Ollama with a smaller footprint and a static binary.

Mar 24, 2026

Why Memory Safety Is a Language Property, Not a Compiler Feature

Why Rust and Go are memory safe and type safe while C is not, and why you cannot simply fix this with a better C compiler.

Mar 23, 2026

Encryption, biometrics, and forced updates: convenience is not security

Why default encryption, biometric authentication, and forced updates are convenience features mistaken for security features, and why the distinction matters.

Mar 20, 2026

The xz backdoor is an argument for open source, not against it

The xz incident is a strong argument for visibility and public scrutiny in supply chain security, not a proof that open source prevents compromise.

Mar 18, 2026

mntctl: A Modular Mount Manager with systemd Integration

Tired of maintaining mount scripts for SSH, NFS, SMB, and rclone, I built mntctl: a systemctl-style CLI with persistent systemd units and pluggable backends.

Build Log Linux

Mar 17, 2026

Why Rust Is the Right Language for eBPF

eBPF has meant writing C and fighting the verifier. Rust and the aya framework change that: type safety, no libbpf, one cargo build for kernel and userspace.

Build Log eBPF Linux

Feb 26, 2026

Wazuh RBAC Regression After Upgrade: Why Your Admins Can't See Anything

After upgrading the Wazuh manager, OpenSearch-authenticated admins silently lose all permissions. Here is why it happens and how to fix it permanently.

Failure Post-mortem Infrastructure Security

Feb 13, 2026

CVE-2014-6271: Shellshock

How a 25-year-old Bash parsing bug allowed remote code execution through environment variables, and why it took multiple patches to fix.

Jan 23, 2026

CVE-2021-44228: Log4Shell

How a message interpolation feature in Log4j turned every Java app into an unauthenticated RCE target, and what the response revealed about supply chains.

Dec 5, 2025

What Linux vs. Hurd Teaches Us About Leadership, Engineering, and Life

A reflection on why Linux won and what it teaches about leadership, engineering, and product momentum. Practical lessons for builders who ship and iterate.

Nov 21, 2025

10 Custom Wazuh Rules Every SOC Should Deploy

A curated set of custom Wazuh decoders and rules for the detections that built-in rules miss, with MITRE mappings and ready-to-deploy XML.

Deep Dive Security

Nov 14, 2025

When Your Kernel Panics but You Don't: Lessons from a Linux Recovery

A kernel panic recovery story and the engineering mindset that makes Linux failures fixable.

Oct 3, 2025

The hidden cost of 'just one more exception'

Exceptions feel harmless in the moment. Over time they become the slow leak that drains security programs.

Nov 1, 2024

Why is it so slow? Troubleshooting DNS, SSH

A practical workflow for isolating slow SSH sessions by separating DNS, TCP, and authentication latency.

Oct 24, 2024

Pre-commit hooks: fast local checks before CI

Pre-commit hooks catch formatting, lint, and secret issues before code leaves a laptop, but only if they stay fast and consistent.

Oct 18, 2024

Debugging Kubernetes Service routing: selectors, endpoints, DNS

A stepwise method to debug broken Kubernetes Services by validating selectors, endpoints, DNS, and kube-proxy routing.

Jul 8, 2024

Fully homomorphic encryption: compute on encrypted data

Fully homomorphic encryption allows computation on encrypted data, but performance and model constraints still define where it is realistic.

Dec 29, 2023

MFA rollout checklist: factors, enrollment, and recovery

MFA is table stakes, but the details matter: phishing resistance, enrollment flow, recovery, and policy enforcement.

Aug 23, 2023

Verifying FIPS 140-2 with OpenSSL 3

FIPS compliance with OpenSSL 3 is about enabling the FIPS provider and proving it is actually in use, not just installed.