I am spending a lot of time now hacking eBPF.

Zero trust says verify everything. Ken Thompson says trust nothing. SBOMs say trust us. Something has to give.

We demand zero trust across our infrastructure, yet accept SBOMs on faith alone. Our software supply chain deserves better. How can I verify what was built was what was provided as SBOM?

Fun time! Building GrapheneOS from scratch and pushing the CPU.

Friday paper reading. Over the past 6 months, I've explored eBPF, which has been humbling and mind-blowing. Read an interesting, well-written, clear paper on eBPF about dentry path walking: github.com/mevasude/ebpf-…

This book is one I’d reread often to navigate the world.

Zero to One. I reread this every six months to grasp its deeper meaning.

Intense workouts and healthy eating.

Running MCP clients is a security nightmare. They should be pinned to SHA (containerize them). Run them behind a proxy like Envoy to allow and deny traffic. Running in containers makes it harder for them to siphon env variables and RSA keys.

Code is leverage. Review is refinement. Use both minds and machines.

Watching eBPF track how a process inherits permissions from its parent while adding its own is surprisingly similar to genetic inheritance. Except we use OR operations instead of Punnett squares.

One thing to teach an LLM is which Mermaid diagrams work. They're terrible! Lofty goals like replacing engineers are great.

This was my coding streak before the bot coding craze. Many late nights. github.com/naveensrinivas… github.com/naveensrinivas…

If you struggle to understand what you read and want to take notes or action items, I use ChatGPT's voice mode for research and comprehension. Then, I use Notion's record mode to summarize my understanding and create action items.

The best code is no code. The best review comment makes you delete everything you wrote. Shipping is the only truth that matters.

I printed Paul Graham's essays as a book for reading.

If you're using eBPF LSM, a newer, safer method for handling d_path is available.

Read this book often. Balaji

Protect the agent first no attach, no `/proc/*/mem`, no peeks. Starve the attacker’s feedback loop.

TIL - Blocked LD_PRELOAD in eBPF and found `k3d` stopped working. LD_LIBRARY_PATH=/var/lib/rancher/k3s/agent/containerd/lib: When containerd-shim runs infrastructure binaries, they inherit: - /bin/runc (container runtime) - /bin/cni (network plugins)