For every human in a modern enterprise there are somewhere between forty and a hundred non-human identities. Service accounts, API keys, OAuth tokens, certificates, and now AI agents. The industry has spent twenty years hardening the human identity perimeter and almost no time on the larger half. The breaches of the last year are the bill arriving.
tag: #security
After writing about Sally O'Malley's tank-os in June, the question that kept bothering me was the practical one. How do I actually run Claude Code and Gemini CLI on my own laptop without giving the agent access to the corporate VPN, the company Git server, the cloud metadata endpoint, or anything else on RFC 1918 space? The answer I built is a small Docker Compose configuration that wraps tank-os, installs both agents, and enforces a default-deny network perimeter through iptables. This post is the writeup of what I built and why each piece earns its place.
Sally O'Malley at Red Hat Emerging Tech published tank-os in April 2026, a Fedora bootc image that runs AI agents as rootless Podman workloads. The architecture is small, the disciplines it composes are obvious in retrospect, and it is the cleanest available demonstration of what an agent host should look like in 2026.
Between late April and late May 2026, a single threat actor compromised more than four hundred package versions across npm and PyPI, leaked source code from two AI labs and one widely-used SDK vendor, exfiltrated thousands of internal repositories from a major code-hosting platform, and open-sourced their worm under an MIT license on the same platform they attacked. The interesting question is not how. The interesting question is why the blast radius keeps reaching this size, and the answer points at a structural feature of how engineering organizations grant access to source code.
Modern pull request review is built on a clean trust boundary. Code in the PR is untrusted until reviewers approve it. Configuration in the PR is treated as ambient context, more or less along for the ride. The Gemini CLI hook CVE that landed in May 2026 made it
Copy Fail, Dirty Frag, Fragnesia, ssh-keysign-pwn - four Linux kernel root exploits in three weeks. The kernel is fine. The admins are not.
When CVE-2026-31431 dropped on April 29 with a public proof-of-concept and no vendor patches available, every Linux machine in the homelab was affected. Two weeks later the OpenSSH GSSAPIKeyExchange flaw shipped as DSA-6204-1 and the question arose again. This post is the short writeup of how Ansible turned both incidents into routine work.
The FortiGate 100F arrived this week and slots into the homelab between the Fritz!Box modem and the MikroTik core router, adding real next-generation firewall capability to a routing-strong but inspection-light architecture.
Running endlessh-go as a Docker container on Strato VPS, deployed via Ansible
Exploring base and bound memory protection