Security on Ilya Rusalowski Hubhttps://rivik.dev/tags/security/Recent content in Security on Ilya Rusalowski HubHugoen-usSat, 06 Jun 2026 00:00:00 +0000ykvault: Stop Storing API Tokens as Plaintexthttps://rivik.dev/ykvault-stop-storing-api-tokens-as-plaintext/Sat, 06 Jun 2026 00:00:00 +0000https://rivik.dev/ykvault-stop-storing-api-tokens-as-plaintext/Are you still keeping API tokens in ~/.secrets? Any app you install can read them. ykvault encrypts every secret with a YubiKey challenge-response key — each get/set requires a physical touch, and the encrypted files are useless without your key.Hardware-backed SSH keys end to end: YubiKey, PIV, software alternatives, and where SSH CAs fit inhttps://rivik.dev/hardware-backed-ssh-keys-end-to-end-yubikey-piv-software-alternatives-and-where-ssh-cas-fit-in/Sat, 09 May 2026 00:00:00 +0000https://rivik.dev/hardware-backed-ssh-keys-end-to-end-yubikey-piv-software-alternatives-and-where-ssh-cas-fit-in/A working guide to using a YubiKey for SSH on a real Linux fleet — the four knobs (resident, touch, PIN, agent), a four-mode policy for root and Ansible, software-only alternatives, and where SSH CAs fit in.SSH Tunnel Magic: Your SSH Already Is Tailscalehttps://rivik.dev/ssh-tunnel-magic-your-ssh-already-is-tailscale/Fri, 24 Apr 2026 00:00:00 +0000https://rivik.dev/ssh-tunnel-magic-your-ssh-already-is-tailscale/SSH punching for everyone who only knows <code>ssh user@host</code> — how -D replaces a corporate VPN, -R replaces a mesh VPN for NAT&rsquo;d boxes, and -L forwards Unix sockets. 3 flags, 3 bonuses, 1 man page.180 Breaches a Second: How Software Broke Its Promise, and the Radical Fix Hiding in Plain Sighthttps://rivik.dev/180-breaches-a-second/Fri, 03 Apr 2026 00:00:00 +0000https://rivik.dev/180-breaches-a-second/180 accounts are breached every second — and most of it comes down to reused passwords and missing MFA. A look at the software quality collapse behind the headlines, and why the fix is the same infrastructure-level move HTTPS once made: passkeys, on-device DLP, and capability-scoped AI agents.When TLS 1.3 Silently Dies Inside Your Android Proxyhttps://rivik.dev/when-tls-1.3-silently-dies-inside-your-android-proxy/Fri, 20 Mar 2026 00:00:00 +0000https://rivik.dev/when-tls-1.3-silently-dies-inside-your-android-proxy/A post-mortem of intermittent HTTPS failures across a mobile proxy fleet: TLS 1.3 handshakes silently dying on memory-starved Android devices — large multi-packet handshake messages, inflated by post-quantum key shares, stressing proxy buffers under memory pressure.Another Ubuntu Bug With a Stopgap Fix: apt-get update Hangs for Hourshttps://rivik.dev/another-ubuntu-bug-with-a-stopgap-fix-apt-get-update-hangs-for-hours/Fri, 13 Feb 2026 00:00:00 +0000https://rivik.dev/another-ubuntu-bug-with-a-stopgap-fix-apt-get-update-hangs-for-hours/apt-get update randomly hangs for hours on Ubuntu 24.04 LTS — known since 22.04, still not fixed. Worst part: it silently blocks unattended-upgrades, so your servers stop receiving security updates. The &lsquo;fix&rsquo; is a cron job that kills stuck apt processes.