A LinkedIn recruiter pitched me a remote "Software Engineer at a DEX" project this week. Reasonable comp range, tech stack squarely in my wheelhouse. After a couple of friendly exchanges, she asked me to "review the codebase before the technical interview" and sent me a GitHub repo link plus a Calendly invite for the call. The repo was malware. It didn't get me, but it's something developers shoul
Harbor cities understand accumulated risk. Cargo moves in quietly. Weather shifts by degrees. One bad assumption can sit unnoticed until it reaches critical mass. Halifax has lived with that kind of memory for more than a century. On December 6, 1917, a collision in Halifax Harbor triggered the largest man-made explosion prior to the atomic bomb, a disaster that directly changed the lives of over
On April 7 Anthropic published technical Mythos report,as well as announced Claude Mythos Preview and Project Glasswing. The claim was that their newest model could autonomously identify and exploit real vulnerabilities in major open-source projects at unprecedented scale. One of Anthropic's public showcase examples was the Linux kernel, which is not some toy repo but the operating system underne
In today's digital landscape, website security isn't just a best practice—it's a necessity. From protecting user data to boosting your SEO, an SSL certificate (Secure Sockets Layer) is non-negotiable. Yet, many domain registrars, including Namecheap, often push users towards paid SSL solutions, despite excellent free alternatives existing. This guide will walk you through how to implement free SSL
Hi everyone! I wanted to share a small project I’ve been working on lately. The premise is simple: every time we share a photo or a document, we inadvertently leak a massive amount of personal data — from home GPS coordinates to camera serial numbers and even the edit history of a PDF. Using "online privacy services" to clean your files always felt like a paradox to me (sending private data to a s
The "Ghost" in the Codebase We’ve all been there. You’re running a security audit on an old repository, and your scanner flags 45 "Potential Secrets." You spend the next two hours manually checking them, only to realize 44 are revoked, test strings, or old keys from a defunct project. In the industry, we call these Zombie Keys—credentials that look like a threat but are actually dead. The proble
Introduction Building a mobile application that handles sensitive financial data — crypto transactions, KYC verification, gift cards — means security is not an afterthought. It is a core deliverable. During the development of a cross-platform fintech application, one of the non-negotiables on the security checklist was runtime application self-protection (RASP). After evaluating our options, we
What if your Kubernetes cluster simply refused to run unsigned images? I spent some time experimenting with enforcing image provenance in a small Kubernetes setup using MicroK8s. The idea was simple: Only container images with valid cryptographic signatures are allowed to run in the cluster. For this I used: GitLab CI/CD (build + signing pipeline) Cosign / Sigstore (image signing) Kyverno (admissi