Infisical Machine Identities: Non-Interactive Secrets for CLI Auth

Every secret has to live somewhere. The only real questions are where, and for how long. I recently wired up automated pushes to this blog’s repo — a coding agent that commits and pushes on my behalf (more on why I trust an agent with that another time). That meant a GitHub Personal Access Token had to be available to a git push command running on my machine. What it did not mean was scattering that PAT across .env files and shell profiles. I wanted it managed: stored once, fetched at runtime, scoped, and revocable on demand. ...

June 8, 2026 · 7 min · hicke

Zero Trust: IDP, OAuth2, and JWTs Explained

Zero Trust gets thrown around as a marketing term so often that it’s easy to lose sight of what it actually changes architecturally. At its core, it’s a shift in where you place trust: instead of the network edge (is this traffic coming from inside the VPN?), you trust identity (who is making this request, and can they prove it?). That shift puts three things at the center of your architecture: an Identity Provider (IDP), OAuth2, and JWTs. They are distinct tools that get conflated constantly. Here’s how they actually fit together. ...

May 24, 2026 · 7 min · hicke

Understanding Secrets Manager Architecture

The Backstory and Where We All Come From

Passwords, private keys, and API keys are spread across systems and easy to compromise — that’s the normal situation in many environments. Most have rogue credentials scattered across servers, and the workforce still relies on passwords rather than moving toward Zero Trust IAM. This must change, and fast. We all know this problem exists somewhere in our environment. It’s easier in cloud or PaaS; even OpenShift or Kubernetes make it more manageable. But a broad, system-wide architecture with support for a wide selection of runtimes, operating systems, and cloud or on-prem server farms makes it hard. So hard, in fact, that I regularly stumble upon servers with plaintext files containing passwords, API keys, and certificates. ...

May 15, 2026 · 5 min · hicke

Passkeys: The End of Passwords (Finally)

77% of breaches involve stolen credentials. Passwords are the problem, and we’ve known it for decades. Passkeys are the fix — and unlike previous attempts, they’re actually taking hold.

What a Passkey Is

A passkey is a cryptographic key pair that replaces your password. When you register with a service, your device generates two keys:

Public key — sent to and stored on the service’s server. Not sensitive. Useless on its own.
Private key — stays on your device, inside dedicated secure hardware. Never leaves. Ever.

No shared secret. No password in a database to steal. No breach list to check your credentials against. ...

May 7, 2026 · 5 min · hicke

Understanding Anthropic Mythos: Threats and solutions

Anthropic announced Claude Mythos Preview on April 7, 2026. They described it as “a step change” and “the most capable model we’ve built to date.” That’s standard launch language. What isn’t standard is everything that came after. Here’s what the model actually does, why governments are paying attention, and what defenders can do now.

What Mythos is

Mythos is a general-purpose language model — 1M token context window, 128K max output, knowledge cutoff December 2025. On most benchmarks it performs as you’d expect from a frontier model at this scale. ...

May 2, 2026 · 4 min · hicke

SASE for Home Labs and Private Services: Zero Trust Without the Enterprise Price Tag

SASE — Secure Access Service Edge — pronounced as “sassy” (/ˈsæsi/), is a word invented by a Gartner analyst to sell enterprise contracts. It worked. But the underlying ideas are genuinely useful, and the tools to implement them are now free. If you run a home lab, self-host services, or have workloads scattered across Cloudflare Workers, Railway, or Fly.io, this is for you.

What SASE Actually Means

SASE combines two things that traditionally lived in separate products: ...

May 2, 2026 · 5 min · hicke