<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>LinnemanLabs</title><link>https://linnemanlabs.com/</link><description>Recent content on LinnemanLabs</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 01 Jun 2026 06:17:20 -0400</lastBuildDate><atom:link href="https://linnemanlabs.com/index.xml" rel="self" type="application/rss+xml"/><item><title>Hello, my name is Orca</title><link>https://linnemanlabs.com/posts/hello-my-name-is-orca/</link><pubDate>Fri, 15 May 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/hello-my-name-is-orca/</guid><description>Any unprivileged app can claim Orca&amp;rsquo;s D-Bus name and read raw Wayland keystrokes - passwords included.</description></item><item><title>Two Hops and a Shell on Ubuntu</title><link>https://linnemanlabs.com/posts/two-hops-and-a-shell/</link><pubDate>Wed, 13 May 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/two-hops-and-a-shell/</guid><description>Ubuntu&amp;rsquo;s userns AppArmor patch checks a pointer, not a property. Two profile hops chain a confined process to host root.</description></item><item><title>Porting Dirty Frag to arm64</title><link>https://linnemanlabs.com/posts/porting-dirtyfrag-arm64/</link><pubDate>Mon, 11 May 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/porting-dirtyfrag-arm64/</guid><description>On aarch64 the rxrpc path oopses and AppArmor blocks the exploit over SSH. 
A complain-mode profile transition slips it through.</description></item><item><title>Detection Below the Socket Layer</title><link>https://linnemanlabs.com/posts/purple-team-engineering-tetragon-ebpf-detection-raw-sockets-af-packet/</link><pubDate>Fri, 24 Apr 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/purple-team-engineering-tetragon-ebpf-detection-raw-sockets-af-packet/</guid><description>Malware that hand-builds its own packets slips past socket-level monitoring so the detection drops below the socket too.</description></item><item><title>The DNF Numbers Station</title><link>https://linnemanlabs.com/posts/purple-team-engineering-covert-channels-dnf-numbers-station/</link><pubDate>Mon, 13 Apr 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/purple-team-engineering-covert-channels-dnf-numbers-station/</guid><description>C2 traffic indistinguishable from DNF update checks, with tasking hidden in the microseconds of Apache ETags.</description></item><item><title>Building and Detecting a Rust C2 Beacon</title><link>https://linnemanlabs.com/posts/purple-team-engineering-building-detecting-rust-c2-beacon/</link><pubDate>Thu, 09 Apr 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/purple-team-engineering-building-detecting-rust-c2-beacon/</guid><description>Dual-layer encryption and a hardening pass from 1.4MB to 388K and the YARA rules that catch the beacon anyway.</description></item><item><title>Modeling hackerbot-claw Against My Own CI/CD</title><link>https://linnemanlabs.com/posts/modeling-hackerbot-claw-attack-against-my-cicd-pipeline/</link><pubDate>Fri, 20 Mar 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/modeling-hackerbot-claw-attack-against-my-cicd-pipeline/</guid><description>A single pull_request_target misstep turns a trusted GitHub workflow into a supply-chain backdoor.</description></item><item><title>Running Your Own Transparency 
Infrastructure</title><link>https://linnemanlabs.com/posts/self-hosted-sigstore-transparency-infrastructure/</link><pubDate>Wed, 18 Mar 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/self-hosted-sigstore-transparency-infrastructure/</guid><description>The full Sigstore trust stack, self-hosted from a YubiKey CA up. No public good instance required.</description></item><item><title>A Self-Hosted Observability Platform</title><link>https://linnemanlabs.com/posts/building-self-hosted-observability-platform/</link><pubDate>Tue, 10 Mar 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/building-self-hosted-observability-platform/</guid><description>No Helm charts, no managed services. A 118-node observability platform configured by hand from the official docs.</description></item><item><title>An AI-Powered Alert Triage Engine</title><link>https://linnemanlabs.com/posts/building-ai-alert-triage-engine/</link><pubDate>Mon, 02 Mar 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/building-ai-alert-triage-engine/</guid><description>Claude investigates each alert by querying Mimir and Loki through tool-calling, then triages it before it pages a human.</description></item><item><title>hello, world</title><link>https://linnemanlabs.com/posts/hello-world/</link><pubDate>Mon, 09 Feb 2026 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/posts/hello-world/</guid><description>introducing LinnemanLabs - 20+ years of breaking and building systems, now writing it down.</description></item><item><title>About Me</title><link>https://linnemanlabs.com/about/me/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/about/me/</guid><description>&lt;pre class="term"&gt;
░▒▓██████████████████████████████████████████████████████████████████████████▓▒░

 ██▓ ██▓ ███▄ █ ███▄ █ ▓█████ ███▄ ▄███▓ ▄▄▄ ███▄ █
 ▓██▒ ▓██▒ ██ ▀█ █ ██ ▀█ █ ▓█ ▀ ▓██▒▀█▀ ██▒▒████▄ ██ ▀█ █
 ▒██░ ▒██▒▓██ ▀█ ██▒▓██ ▀█ ██▒▒███ ▓██ ▓██░▒██ ▀█▄ ▓██ ▀█ ██▒
 ▒██░ ░██░▓██▒ ▐▌██▒▓██▒ ▐▌██▒▒▓█ ▄ ▒██ ▒██ ░██▄▄▄▄██ ▓██▒ ▐▌██▒
 ░██████▒░██░▒██░ ▓██░▒██░ ▓██░░▒████▒▒██▒ ░██▒ ▓█ ▓██▒▒██░ ▓██░
 ░ ▒░▓ ░░▓ ░ ▒░ ▒ ▒ ░ ▒░ ▒ ▒ ░░ ▒░ ░░ ▒░ ░ ░ ▒▒ ▓▒█░░ ▒░ ▒ ▒
 ░ ░ ▒ ░ ▒ ░░ ░░ ░ ▒░░ ░░ ░ ▒░ ░ ░ ░░ ░ ░ ▒ ▒▒ ░░ ░░ ░ ▒░
 ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░
 ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░

 ██▓ ▄▄▄ ▄▄▄▄ ██████
 ▓██▒ ▒████▄ ▓█████▄ ▒██ ▒
 ▒██░ ▒██ ▀█▄ ▒██▒ ▄██░ ▓██▄
 ▒██░ ░██▄▄▄▄██ ▒██░█▀ ▒ ██▒
 ░██████▒▓█ ▓██▒░▓█ ▀█▓▒██████▒▒
 ░ ▒░▓ ░▒▒ ▓▒█░░▒▓███▀▒▒ ▒▓▒ ▒ ░
 ░ ░ ▒ ░ ▒ ▒▒ ░▒░▒ ░ ░ ░▒ ░ ░
 ░ ░ ░ ▒ ░ ░ ░ ░ ░
 ░ ░ ░ ░ ░ ░
 ░

░▒▓██████████████████████████████████████████████████████████████████████████▓▒░
┌───────────────────────────────────────────────────────────────────────────────
│
│ ::: presents ::: about · the · operator [release 2026]
│
└──[ keith@linnemanlabs:~/about$ ]──────────────────────────────────────────────┐
 │
 $ whoami │
 keith linneman │
 │
 $ uptime │
 09:08:59 up 20+ years, load average: build, operate, attack │
 │
 $ file /etc/localtime │
 /etc/localtime: symbolic link to ../usr/share/zoneinfo/America/Los_Angeles │
 │
 $ id │
 uid=1001(k) gid=1005(ops) groups=1006(research),1007(blue-team),1008(red-team)│
 │
 $ history | tail -21 | head -20 │
 980 ./build infrastructure --aws --accounts_total=12 --node_count=200+ │
 981 ./build ansible --roles=20+ --zero-lint-failures --handwritten │
 982 ./deploy observability --prometheus --loki --mimir --pyroscope --tempo │
 983 ./build go-libraries --observability --instrumentation --http │
 984 ./build ebpf-exporters --kernel-telemetry --prometheus │
 985 ./build pki --yubikey-root --intermediates=3 --p384 --tuf --cosign │
 986 ./perform key-ceremony --air-gapped --tails --offline-root │
 987 ./build kms-csr-tool --go --hardware-backed-signing │
 988 ./deploy sigstore --rekor --tesseract --tsa --fulcio │
 989 ./deploy spiffe-spire --workload-identity --every-service │
 990 ./build trust.linnemanlabs.com │
 991 ./build app-build-system --github --sigstore --keyless-signing --oidc │
 992 ./deploy wazuh --agents=164 --ossec --osquery --yara --suricata │
 993 ./build linnemanlabs.com │
 994 ./build vigil --alerts --llm-triage --notify=slack │
 995 ./build glimmer --c2 --beacon --raw-sockets --af_packet --dbus │
 996 ./run purple-team-exercises --emulate=adversary --verify=detection │
 997 ./migrate cloudformation --to=terraform --start=trust-account │
 998 ./build switchboard --v1 --grpc --spiffe --runbook-proposal │
 999 ./build hardened-workstation --ebpf --lsm --selinux --secure-boot │
 │
 $ ps -u k │
 PID STAT COMMAND │
 0001 R switchboard --version=1 │
 0002 S vigil --version=1 --deployed │
 0003 R terraform-migration --account=trust │
 0004 R improve-workstation --research --attack --harden --document │
 R = Running(building), S = Sleeping(deployed), Z = Zombie(dormant) │
 │
 $ goodbye │
 goodbye: Command not found. │
 │
 ^] │
 telnet&gt; q │
 Connection closed. │
 │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└─[ methodology ]───────────────────────────────────────────────────────────────┐
 │
 &gt; detect ........... see what is actually happening │
 &gt; instrument ....... make it visible to anyone │
 &gt; correlate ........ connect signals across layers │
 &gt; verify ........... prove the conclusion, end to end │
 &gt; document ......... leave the trail for next time │
 │
 "every bit, every packet, every syscall." │
 │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└─[ now playing ]───────────────────────────────────────────────────────────────┐
 │
 · vigil ........... AI alert triage engine (go) .......... shipped │
 · switchboard ..... AI orchestration platform ............ in progress │
 · trust ........... sigstore + spire chain ............... phase 4 of 6 │
 · clauditor ....... eBPF audit daemon (AI agents) ........ planned │
 · leash ........... eBPF LSM-based AI containment ........ planned │
 · glimmer.......... adversary emulation, C2 framework..... in progress │
 · prism............ detection engineering verifier........ planned │
 │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└─[ stack ]─────────────────────────────────────────────────────────────────────┐
 │
 cloud ............. aws (us-east-2) · 200+ nodes · 12 accounts │
 config ............ cloudformation → terraform · ansible · zero modules │
 observability ..... prometheus · mimir · loki · tempo · pyroscope │
 identity .......... custom pki · spire · sigstore · yubikey root │
 defense ........... wazuh · ossec · suricata · yara · tetragon · ebpf │
 languages ......... go · rust · shell · sql │
 │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└─[ greetz ]────────────────────────────────────────────────────────────────────┐
 │
 to: the people still reading source 3 layers below the abstractions │
 │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└─[ contact ]───────────────────────────────────────────────────────────────────┐
 │
 www ..........: linnemanlabs.com │
 trust ........: trust.linnemanlabs.com │
 github .......: github.com/linnemanlabs │
 github .......: github.com/keithlinneman │
 email ........: hello@linnemanlabs.com │
┌───────────────────────────────────────────────────────────────────────────────┘
│
└───────────────────────────────────────────────────────────────────────────────
░▒▓██████████████████████████████████████████████████████████████████████████▓▒░
 · LinnemanLabs · est. 199x · 
░▒▓██████████████████████████████████████████████████████████████████████████▓▒░&lt;/pre&gt;
&lt;h2 id="keith-linneman"&gt;Keith Linneman&lt;/h2&gt;
&lt;p&gt;I&amp;rsquo;ve been doing this since the mid-90s - over 25 years of building, breaking, and operating systems. I started by breaking into them as a kid, living on IRC, learning how networks and operating systems actually worked by taking them apart. That offensive background shaped everything that came after. I moved into infrastructure and operations, bringing an attacker&amp;rsquo;s perspective to how I design, harden, and monitor production systems. Now I&amp;rsquo;m circling back to offensive security with deep infrastructure and operations experience behind it.&lt;/p&gt;</description></item><item><title>Application Provenance</title><link>https://linnemanlabs.com/about/provenance/app/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/about/provenance/app/</guid><description>&lt;p&gt;Provenance for the currently running server binary - source information, build attestations, vulnerability scans, SBOMs, licensing, and container metadata. The application is a custom Go binary built with security and observability as primary concerns.&lt;/p&gt;
&lt;p&gt;Source: &lt;a href="https://github.com/keithlinneman/linnemanlabs-web"&gt;linnemanlabs-web on GitHub&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Source: &lt;a href="https://github.com/keithlinneman/build-system"&gt;build-system on GitHub&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This page currently covers application-level provenance. I&amp;rsquo;m working toward extending attestations down through the full trust hierarchy - OS-level integrity (IMA/EVM), dm-verity verified filesystems, kernel lockdown, UEFI Secure Boot, and TPM-based hardware attestation - so that every layer is cryptographically anchored to the one below it.&lt;/p&gt;</description></item><item><title>Content Provenance</title><link>https://linnemanlabs.com/about/provenance/content/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/about/provenance/content/</guid><description>&lt;p&gt;Provenance for the content bundle currently being served - source information, build tooling with checksums, and file inventory. The content bundle is a signed artifact containing all static HTML, CSS, JavaScript, and assets generated by Hugo. The server verifies bundle integrity at load time before serving any content.&lt;/p&gt;
&lt;p&gt;Source: &lt;a href="https://github.com/keithlinneman/linnemanlabs-site"&gt;linnemanlabs-site on GitHub&lt;/a&gt;&lt;/p&gt;</description></item><item><title>LinnemanLabs Infrastructure</title><link>https://linnemanlabs.com/about/infrastructure/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://linnemanlabs.com/about/infrastructure/</guid><description>&lt;p&gt;This site runs on the full LinnemanLabs platform - the same multi-account AWS organization, observability stack, supply chain security, and hardened images behind every project. Everything described here applies to what&amp;rsquo;s serving this page.&lt;/p&gt;
&lt;p&gt;I build and manage all of this myself. No Terraform modules, no managed platforms, no abstraction layers I don&amp;rsquo;t own. Every CloudFormation template, every Ansible role, every pipeline is hand-written because I want to understand exactly what&amp;rsquo;s running and why.&lt;/p&gt;</description></item></channel></rss>