linneman
labs
building
breaking
observing
content
···
verified
home
/ posts
Posts
2026.05.15
Hello, my name is Orca
Any unprivileged app can claim Orca’s D-Bus name and read raw Wayland keystrokes - passwords included.
2026.05.13
Two Hops and a Shell on Ubuntu
Ubuntu’s userns AppArmor patch checks a pointer, not a property. Two profile hops chain a confined process to host root.
2026.05.11
Porting Dirty Frag to arm64
On aarch64 the rxrpc path oopses and AppArmor blocks the exploit over SSH. A complain-mode profile transition slips it through.
2026.04.24
Detection Below the Socket Layer
Malware that hand-builds its own packets slips past socket-level monitoring so the detection drops below the socket too.
2026.04.13
The DNF Numbers Station
C2 traffic indistinguishable from DNF update checks, with tasking hidden in the microseconds of Apache ETags.
2026.04.09
Building and Detecting a Rust C2 Beacon
Dual-layer encryption and a hardening pass from 1.4MB to 388K and the YARA rules that catch the beacon anyway.
2026.03.20
Modeling hackerbot-claw Against My Own CI/CD
A single pull_request_target misstep turns a trusted GitHub workflow into a supply-chain backdoor.
2026.03.18
Running Your Own Transparency Infrastructure
The full Sigstore trust stack, self-hosted from a YubiKey CA up. No public good instance required.
2026.03.10
A Self-Hosted Observability Platform
No Helm charts, no managed services. A 118-node observability platform configured by hand from the official docs.
2026.03.02
An AI-Powered Alert Triage Engine
Claude investigates each alert by querying Mimir and Loki through tool-calling, then triages it before it pages a human.
2026.02.09
hello, world
introducing LinnemanLabs - 20+ years of breaking and building systems, now writing it down.'