Max L

Blog

YubiKey SSH Authentication: Stop Trusting Key Files on Disk
I stopped using SSH passwords three years ago. Switched to ed25519 keys, felt pretty good about it. Then my laptop got stolen from a coffee shop — lid open, session unlocked. My private key was sitting right there in ~/.ssh/, passphrase cached in the agent.

That’s when I bought my first YubiKey.

Why a Hardware Key Beats a Private Key File

Your SSH private key lives on disk. Even if it’s passphrase-protected, once the agent unlocks it, it’s in memory. Malware can dump it. A stolen laptop might still have an active agent session. Your key file can be copied without you knowing.

A YubiKey stores the private key on the hardware. It never leaves the device. Every authentication requires a physical touch. No touch, no auth. Someone steals your laptop? They still need the physical key plugged in and your finger on it.

That’s the difference between “my key is encrypted” and “my key literally cannot be extracted.”

Which YubiKey to Get

For SSH, you want a YubiKey that supports FIDO2/resident keys. Here’s what I’d recommend:

YubiKey 5C NFC — my top pick. USB-C fits modern laptops, and the NFC means you can tap it on your phone for GitHub/Google auth too. Around $55, and I genuinely think it’s the best value if you work across multiple devices. (Full disclosure: affiliate link)

If you’re on a tighter budget, the YubiKey 5 NFC (USB-A) does the same thing for about $50, just with the older port. Still a good option if your machines have USB-A.

One important note: buy two. Register both with every service. Keep one on your keychain, one locked in a drawer. If you lose your primary, you’re not locked out of everything. I learned this the hard way with a 2FA lockout that took three days to resolve.

Setting Up SSH with FIDO2 Resident Keys

You need OpenSSH 8.2+ (check with ssh -V). Most modern distros ship with this. If you’re on macOS, the built-in OpenSSH works fine since Ventura.

First, generate a resident key stored directly on the YubiKey:
```
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-primary"
```
Breaking this down:
- -t ed25519-sk — uses the ed25519 algorithm backed by a security key (sk = security key)
- -O resident — stores the key on the YubiKey, not just a reference to it
- -O verify-required — requires PIN + touch every time (not just touch)
- -C "yubikey-primary" — label it so you know which key this is
It’ll ask you to set a PIN if you haven’t already. Pick something decent — this is your second factor alongside the physical touch.

You’ll end up with two files: id_ed25519_sk and id_ed25519_sk.pub. The private file is actually just a handle — the real private key material lives on the YubiKey. Even if someone gets this file, it’s useless without the physical hardware.

Adding the Key to Remote Servers

Same as any SSH key:
```
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@your-server
```
Or manually append the public key to ~/.ssh/authorized_keys on the target machine.

When you SSH in, you’ll see:
```
Confirm user presence for key ED25519-SK SHA256:...
User presence confirmed
```
That “confirm user presence” line means it’s waiting for you to physically tap the YubiKey. No tap within ~15 seconds? Connection refused. I love this — it’s impossible to accidentally leave a session auto-connecting in the background.

The Resident Key Trick: Any Machine, No Key Files

This is the feature that sold me. Because the key is resident (stored on the YubiKey itself), you can pull it onto any machine:
```
ssh-keygen -K
```
That’s it. Plug in your YubiKey, run that command, and it downloads the key handles to your current machine. Now you can SSH from a fresh laptop, a coworker’s machine, or a server — as long as you have the YubiKey plugged in.

No more syncing ~/.ssh folders across machines. No more “I need to get my key from my other laptop.” The YubiKey is the key.

Hardening sshd for Key-Only Auth

Once your YubiKey is working, lock down the server. In /etc/ssh/sshd_config:
```
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
```
Reload sshd (systemctl reload sshd) and test with a new terminal before closing your current session. I’ve locked myself out exactly once by reloading before testing. Don’t be me.

If you want to go further, you can restrict to only FIDO2 keys by requiring the sk key types in your authorized_keys entries. But for most setups, just disabling passwords is the big win.

What About Git and GitHub?

GitHub has supported security keys for SSH since late 2021. Add your id_ed25519_sk.pub in Settings → SSH Keys, same as any other key.

Every git push and git pull now requires a physical touch. It adds maybe half a second to each operation. I was worried this would be annoying — it’s actually reassuring. Every push is a conscious decision.

For your Git config, make sure you’re using the SSH URL format:
```
git remote set-url origin [email protected]:username/repo.git
```
Gotchas I Hit

Agent forwarding doesn’t work with FIDO2 keys. The touch requirement is local — you can’t forward it through an SSH jump host. If you rely on agent forwarding, you’ll need to either set up ProxyJump or keep a regular ed25519 key for jump scenarios.

macOS Sonoma has a quirk where the built-in SSH agent sometimes doesn’t prompt for the touch correctly. Fix: add SecurityKeyProvider internal to your ~/.ssh/config.

WSL2 can’t see USB devices by default. You’ll need usbipd-win to pass the YubiKey through. It works fine once set up, but the initial config is a 10-minute detour.

VMs need USB passthrough configured. In VirtualBox, add a USB filter for “Yubico YubiKey.” In QEMU/libvirt, use hostdev passthrough. This catches people off guard when they SSH from inside a VM and wonder why the key isn’t detected.

My Setup

I carry a YubiKey 5C NFC on my keychain and keep a backup YubiKey 5 Nano in my desk. The Nano stays semi-permanently in my desktop’s USB port — it’s tiny enough that it doesn’t stick out. (Full disclosure: affiliate links)

Both keys are registered on every server, GitHub, and every service that supports FIDO2. If I lose my keychain, I walk to my desk and keep working.

Total cost: about $80 for two keys. For context, that’s less than a month of most password manager premium plans, and it protects against a class of attacks that passwords simply can’t.

Should You Bother?

If you SSH into anything regularly — servers, homelabs, CI runners — yes. The setup takes 15 minutes, and the daily friction is a light tap on a USB device. The protection you get (key material that physically can’t be stolen remotely) is worth way more than the cost.

If you’re already running a homelab with TrueNAS or managing Docker containers, this is a natural next step in locking things down. Hardware keys fill the gap between “I use SSH keys” and “my infrastructure is actually secure.”

Start with one key, test it for a week, then buy the backup. You won’t go back.

Join Alpha Signal for free market intelligence — daily briefings on tech, AI, and the markets that drive them.
April 3, 2026

Browser Fingerprinting: How 12 Lines of JavaScript Identify You Without Cookies

Last month I was debugging a tracking issue for a client and realized something uncomfortable: even after clearing all cookies and using a fresh incognito window, a third-party analytics script was still identifying the same user session. No cookies, no localStorage, no URL parameters. Just JavaScript reading properties that every browser willingly exposes.

Browser fingerprinting isn’t new, but most developers I talk to still underestimate how effective it is. The EFF’s Cover Your Tracks project found that 83.6% of browsers have a unique fingerprint. Not “somewhat unique” — unique. One in a million. And that number climbs to over 94% if you include Flash or Java metadata (though those are mostly dead now).

I spent a weekend building a fingerprinting test page to understand exactly what data points create this uniqueness. Here’s what I found.

The Canvas API: Your GPU’s Signature

This is the technique that surprised me most. The HTML5 Canvas API renders text and shapes slightly differently depending on your GPU, driver version, OS font rendering engine, and anti-aliasing settings. The differences are invisible to the eye but consistent across page loads.

Here’s a minimal Canvas fingerprint in 12 lines:

function getCanvasFingerprint() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('Browser fingerprint', 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.fillText('Browser fingerprint', 4, 17);
  return canvas.toDataURL();
}

That toDataURL() call returns a base64 string representing the rendered pixels. On my M2 MacBook running Chrome 124, this produces a hash that differs from the same code on Chrome 124 on my Intel Linux box. Same browser version, same text, different pixel output.

Why? The font rasterizer (FreeType vs Core Text vs DirectWrite), sub-pixel rendering settings, and GPU shader behavior all introduce tiny variations. A 2016 Princeton study tested this across 1 million browsers and found Canvas fingerprinting alone could identify about 50% of users — no cookies needed.

AudioContext: Your Sound Card Leaks Too

This one is less well-known. The Web Audio API processes audio signals with slight floating-point variations depending on the hardware and driver stack. You don’t even need to play a sound:

async function getAudioFingerprint() {
  const ctx = new (window.OfflineAudioContext ||
    window.webkitOfflineAudioContext)(1, 44100, 44100);
  const oscillator = ctx.createOscillator();
  oscillator.type = 'triangle';
  oscillator.frequency.setValueAtTime(10000, ctx.currentTime);

  const compressor = ctx.createDynamicsCompressor();
  compressor.threshold.setValueAtTime(-50, ctx.currentTime);
  compressor.knee.setValueAtTime(40, ctx.currentTime);
  compressor.ratio.setValueAtTime(12, ctx.currentTime);

  oscillator.connect(compressor);
  compressor.connect(ctx.destination);
  oscillator.start(0);
  
  const buffer = await ctx.startRendering();
  const data = buffer.getChannelData(0);
  // Hash the first 4500 samples
  return data.slice(0, 4500).reduce((a, b) => a + Math.abs(b), 0);
}

The resulting float sum varies by sound card and audio driver. Combined with Canvas, you’re looking at roughly 70-80% unique identification rates. I tested this on three machines in my homelab — all running Debian 12, all with different audio chipsets — and got three distinct values.

WebGL: GPU Model Exposed

WebGL goes further than Canvas. It exposes your GPU vendor, renderer string, and supported extensions. Most browsers serve this up without hesitation:

function getWebGLInfo() {
  const canvas = document.createElement('canvas');
  const gl = canvas.getContext('webgl');
  const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
  return {
    vendor: gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL),
    renderer: gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL),
    extensions: gl.getSupportedExtensions().length
  };
}

On my machine this returns Apple / Apple M2 / 47 extensions. That renderer string alone narrows the pool considerably. Combine it with the exact list of supported extensions (which varies by driver version) and you’ve got another high-entropy signal.

The Full Fingerprint Stack

A real fingerprinting library like FingerprintJS (now Fingerprint.com) combines 30+ signals. Here are the ones that contribute the most entropy, based on my testing:

Signal	Entropy (bits)	How It Works
User-Agent string	~10	OS + browser + version
Canvas hash	~8-10	GPU + font rendering
WebGL renderer	~7	GPU model + driver
Installed fonts	~6-8	Font enumeration via CSS
Screen resolution + DPR	~5	Monitor + scaling
AudioContext	~5-6	Audio processing differences
Timezone + locale	~4	Intl API
WebGL extensions	~4	Supported GL features
Navigator properties	~3	hardwareConcurrency, deviceMemory
Color depth + touch support	~2	display.colorDepth, maxTouchPoints

Add those up and you’re at roughly 54-63 bits of entropy. You need about 33 bits to uniquely identify someone in a pool of 8 billion. We’re at nearly double that.

What Actually Defends Against This

I tested four approaches on my fingerprinting test page. Here’s my honest assessment:

Brave Browser — Best out-of-the-box protection. Brave randomizes Canvas and WebGL output on every session (adds noise to the rendered pixels). AudioContext gets similar treatment. In my tests, Brave generated a different fingerprint hash on every page load. The tradeoff: some sites that rely on Canvas for legitimate purposes (online editors, games) may behave slightly differently. I haven’t hit real issues with this in daily use.

Firefox with privacy.resistFingerprinting — Setting privacy.resistFingerprinting = true in about:config spoofs many signals: timezone reports UTC, screen resolution reports the CSS viewport size, user-agent becomes generic. It’s effective but aggressive — it broke two web apps I use daily (a video editor and a mapping tool) because they relied on accurate screen dimensions.

Tor Browser — The gold standard. Every Tor user presents an identical fingerprint by design. Canvas, WebGL, fonts, screen size — all normalized. But you’re trading performance (Tor routing adds 2-5x latency) and compatibility (many sites block Tor exit nodes).

Browser extensions (Canvas Blocker, etc.) — Ironically, these can make you more unique. If 0.1% of users run Canvas Blocker, and it alters your fingerprint in a detectable way (which it does — the blocking itself is a signal), you’ve just moved from “one in a million” to “one in a thousand who runs this specific extension.” I stopped recommending these after seeing the data.

A Practical Test You Can Run Right Now

Visit Cover Your Tracks (EFF) — it runs a fingerprinting test and shows exactly how unique your browser is. Then visit BrowserLeaks.com for a more detailed breakdown of each signal.

When I ran both tests in Chrome, my fingerprint was unique among their entire dataset. In Brave, it was shared with “a large number of users.” That difference matters.

What Developers Should Do

If you’re building analytics or auth systems, understand that fingerprinting exists in a gray area. The GDPR considers device fingerprints personal data (Article 29 Working Party Opinion 9/2014 explicitly says so). California’s CCPA covers “unique identifiers” which includes fingerprints.

My recommendation for developers:

Don’t roll your own fingerprinting for tracking. If you need fraud detection, use a service like Fingerprint.com that handles consent and compliance.
Test your own sites with the Canvas fingerprint code above. If you’re embedding third-party scripts, check what data they’re collecting. I found three tracking scripts on a client’s site that were fingerprinting users without disclosure.
For your own browsing, switch to Brave. It’s Chromium-based so everything works, and the fingerprint randomization is on by default. I moved my daily driver six months ago and haven’t looked back.

If you’re working from a home office or homelab and want to take your privacy setup further, a dedicated mini PC running a DNS-level blocker like Pi-hole or AdGuard Home catches a lot of the fingerprinting scripts at the network level before they even reach your browser. I run one on my TrueNAS box and it blocks about 30% of tracking domains across my whole network. Full disclosure: affiliate link.

If you want to test what your browser reveals, I built a set of privacy-focused browser tools that run entirely client-side — no data ever leaves your machine. The PixelStrip tool handles EXIF/metadata stripping, and the diff checker compares text without uploading to a server.

The uncomfortable truth is that cookies were the easy privacy problem. The browser itself — its GPU, its fonts, its audio stack — is the harder one. And most people don’t even know they’re being identified.

📡 Join Alpha Signal for free market intelligence — I share daily analysis on tech sector moves and trading signals.

April 3, 2026

Privacy-Focused Diff Checker: No Text Upload Required
I spent last weekend comparing two config files — a 400-line nginx setup where I’d made changes across multiple servers. I opened Diffchecker.com, pasted both files, and immediately ran into the same frustrations I’ve had for years: the page uploaded my text to their server (privacy issue for config files), there were no keyboard shortcuts to jump between changes, and the character-level highlighting was either nonexistent or buried behind a Pro paywall.

So I built my own.

The Problem with Every Online Diff Tool

Here’s what bugs me about existing text comparison tools. I tested the top three before writing a single line of code:

Diffchecker.com — The default recommendation on every “best tools” list. It works, but your text gets sent to their servers. For comparing code, configs, or anything with credentials nearby, that’s a non-starter. They also paywall basic features like “find next difference” behind a $10/month subscription.

TextDiffViewer.com — Claims client-side processing, which is good. But the UI feels like it was built in 2012. No character-level highlighting within changed lines, no unified diff view, no keyboard shortcuts. If I’m comparing 2,000 lines, I need to jump between changes, not scroll manually.

DevToolLab’s Diff Checker — Clean UI, but limited. Only side-by-side view, no way to ignore whitespace or case differences, and no file drag-and-drop. Fine for small comparisons, frustrating for real work.

The pattern is clear: either the tool uploads your data (privacy problem) or it’s missing features that developers actually need (navigation, views, options). It’s the same reason I built RegexLab — Regex101 sends your patterns to their server, which is a deal-breaker when you’re testing patterns against production data.

What I Built: DiffLab

DiffLab is a single HTML file — no server, no dependencies, no uploads. Everything runs in your browser. Close the tab and your data is gone. Here’s what makes it different:

Three View Modes

Most diff tools give you side-by-side and call it a day. DiffLab has three views you can switch between with keyboard shortcuts:
- Side-by-side (press 1) — The classic two-column layout. Changed lines are paired, and character-level differences are highlighted within each line so you can see exactly what changed.
- Unified (press 2) — Like git diff output. Removed lines appear with a - prefix, added lines with +. Compact and scannable.
- Inline (press 3) — Shows old → new on the same line with character highlighting. Best for reviewing small edits across many lines.
Keyboard Navigation Between Changes

This is the feature I wanted most. In a long file with changes scattered throughout, scrolling to find each difference is painful. DiffLab tracks every change “hunk” and lets you:
- Press J or ↓ to jump to the next change
- Press K or ↑ to jump to the previous change
- A floating indicator shows “Change 3 of 12” so you always know where you are
The current change gets a visible highlight so your eye can find it instantly after scrolling.

Character-Level Highlighting

When a line changes, DiffLab doesn’t just highlight the whole line red/green. It finds the common prefix and suffix of the old and new line, then highlights only the characters that actually changed. If you renamed getUserById to getUserByName, only Id and Name get highlighted — not the entire function call.

Comparison Options

Two toggles that matter for real-world comparisons:
- Ignore whitespace (W) — Treats a b and a b as identical. Essential for comparing code with different formatting.
- Ignore case (C) — Treats Hello and hello as identical. Useful for config files where case doesn’t matter.
Both options re-run the diff instantly when toggled.

How It Works Under the Hood

The Diff Algorithm

DiffLab uses a Myers diff algorithm — the same algorithm behind git diff. It finds the shortest edit script (minimum number of insertions and deletions) to transform the original text into the modified text.

For inputs under 8,000 total lines, it runs the full Myers algorithm. For larger inputs, it switches to a faster LCS-based approach with lookahead that trades perfect minimality for speed. In practice, both produce identical results for typical comparisons.

The algorithm runs in your browser’s main thread. On my laptop, comparing two 5,000-line files takes about 40ms. The rendering is the bottleneck, not the diff calculation.

Character Diffing

For paired changed lines (a removed line followed by an added line at the same position), DiffLab runs a second pass. It finds the longest common prefix and suffix of the two strings, then wraps the changed middle section in highlight spans. This is simpler than running a full diff on individual characters, but it’s fast and catches the common case (a word or variable name changed in the middle of a line) perfectly.

Rendering Strategy

The diff output renders as an HTML table. Each row is a line, with cells for line numbers and content. I chose tables over divs because:
1. Line numbers stay aligned with content automatically
2. Column widths distribute properly in side-by-side mode
3. Screen readers can navigate the structure
Changed lines get CSS classes (diff-added, diff-removed) that map to CSS custom properties. Dark mode support comes free through prefers-color-scheme media queries — the custom properties switch automatically.

Real Use Cases

I’ve been using DiffLab daily since building it. Here are the situations where it’s genuinely useful:
1. Comparing deployment configs — Before pushing a staging config to production, paste both and verify only the expected values changed.
2. Code review diffs — When a PR is too large for GitHub’s diff view, copy-paste specific files for focused comparison.
3. Database migration scripts — Compare the current schema dump with the new one to make sure nothing got dropped accidentally.
4. Documentation updates — Writers comparing draft versions to see what an editor changed.
5. API response debugging — Compare expected vs actual JSON responses. The character-level highlighting catches subtle differences in values. For formatting those JSON responses first, JSON Forge does the same client-side-only trick.
Privacy and Offline Use

DiffLab includes a service worker that caches everything on first visit. After that, it works completely offline — airplane mode, no internet, whatever. Your text never leaves the browser tab, and there’s no analytics tracking what you compare.

It also passes Chrome’s PWA install requirements. Click “Install” in your browser’s address bar and it becomes a standalone app on your desktop or phone.

Try It

DiffLab is live at difflab.orthogonal.info. Single HTML file, zero dependencies, works offline.

The keyboard shortcuts are the selling point: Ctrl+Enter to compare, J/K to navigate changes, 1/2/3 to switch views, W for whitespace, C for case, S to swap sides, Escape to clear.

If you compare text files regularly, give it a try. DiffLab is part of a growing set of free browser tools that replace desktop apps — all client-side, all offline-capable. If you build developer tools, I’d love to hear what’s missing — reach out at [email protected].

If you spend hours comparing code and config files, a good ergonomic keyboard makes the typing between comparisons much more comfortable. I switched to a split keyboard last year and my wrists thank me daily.

For monitor setups that make side-by-side diffs actually readable, check out these ultrawide monitors for programming — the extra horizontal space is worth it.

And if you’re doing serious code reviews, a monitor arm to position your screen at the right height reduces neck strain during long sessions.
April 2, 2026
Citrix NetScaler CVE-2026-3055 Exploited: What to Do Now
Last Wednesday I woke up to three Slack messages from different clients, all asking the same thing: “Is our NetScaler safe?” A new Citrix vulnerability had dropped — CVE-2026-3055 — and by Saturday, CISA had already added it to the Known Exploited Vulnerabilities catalog. That’s a 7-day turnaround from disclosure to confirmed in-the-wild exploitation. If you’re running NetScaler ADC or NetScaler Gateway with SAML configured, stop what you’re doing and patch.

What CVE-2026-3055 Actually Does

CVE-2026-3055 is an out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway. CVSS 9.3. An unauthenticated attacker sends a crafted request to your SAML endpoint, and your appliance responds by dumping chunks of its memory — including admin session tokens.

If that sounds familiar, it should. This is the same class of bug that plagued CitrixBleed (CVE-2023-4966) — one of the most exploited vulnerabilities of 2023. The security community is already calling this one “CitrixBleed 3.0,” and I think that’s fair.

The researchers at watchTowr Labs found that CVE-2026-3055 actually covers two separate memory overread bugs, not one:
- /saml/login — Attackers send a SAMLRequest payload that omits the AssertionConsumerServiceURL field. The appliance leaks memory contents via the NSC_TASS cookie.
- /wsfed/passive — A request with a wctx query parameter present but without a value (no = sign) causes the appliance to read from dead memory. The data comes back Base64-encoded in the same NSC_TASS cookie, but without the size limits of the SAML variant.
In both cases, the leaked memory can contain authenticated session IDs. Grab one of those, and you’ve got full admin access to the appliance. No credentials needed.

The Timeline Is Ugly
- March 23, 2026 — Citrix publishes security bulletin CTX696300 disclosing the flaw. They describe it as an internal security review finding.
- March 27 — watchTowr’s honeypot network detects active exploitation from known threat actor IPs. Defused Cyber observes attackers probing /cgi/GetAuthMethods to fingerprint which appliances have SAML enabled.
- March 29 — watchTowr publishes a full technical analysis and releases a Python detection script.
- March 30 — CISA adds CVE-2026-3055 to the KEV catalog. Rapid7 releases a Metasploit module.
- April 2 — CISA’s deadline for federal agencies to patch or discontinue use. That’s today.
Four days from disclosure to active exploitation. Six days to a public Metasploit module. This is about as bad as the timeline gets.

Are You Vulnerable?

You’re affected if you run on-premise NetScaler ADC or NetScaler Gateway with SAML Identity Provider configured. Cloud-managed instances (Citrix-hosted) are not affected.

Check your NetScaler config for this string:
```
add authentication samlIdPProfile
```
If that line exists in your config, you need to patch. If you use SAML SSO through your NetScaler — and plenty of enterprises do — assume you’re in scope.

Affected versions:
- NetScaler ADC and Gateway 14.1 before 14.1-66.59
- NetScaler ADC and Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
The Exposure Numbers

The Shadowserver Foundation counted roughly 29,000 NetScaler ADC instances and 2,250 Gateway instances visible on the internet as of March 28. Not all of those are necessarily running SAML, but the attackers already have an automated way to check — that /cgi/GetAuthMethods fingerprinting technique Defused Cyber spotted.

A quick Shodan check shows the US, Germany, and the UK have the highest exposure counts. If you’re running NetScaler in any of those regions, you’re likely already being probed.

What watchTowr Calls “Disingenuous”

This is the part that bothers me. Citrix’s original security bulletin didn’t mention that the flaw was being actively exploited. It described CVE-2026-3055 as a single vulnerability found through “ongoing security reviews.” watchTowr’s analysis showed it was actually two distinct bugs bundled under one CVE, and the disclosure was incomplete about the attack surface.

watchTowr explicitly called the disclosure “disingenuous.” I tend to agree. When your customers are running edge appliances that handle authentication for their entire organization, underplaying the severity of a memory leak bug — especially one with clear echoes of CitrixBleed — isn’t great.

Patch Now — Here Are the Fixed Versions

Upgrade to these versions or later:

Product Fixed Version

NetScaler ADC & Gateway 14.1 14.1-66.59

NetScaler ADC & Gateway 13.1 13.1-62.23

NetScaler ADC 13.1-FIPS 13.1-37.262

NetScaler ADC 13.1-NDcPP 13.1-37.262

If you can’t patch immediately, at minimum disable the SAML IDP profile until you can. But really — patch. Disabling SAML probably breaks your SSO, and your users will notice. Patching and rebooting during a maintenance window is the better path.

Post-Patch: Check for Compromise

Patching alone isn’t enough if attackers already hit your appliance. Here’s what I’d check:
1. Review session logs — Look for unusual admin sessions, especially from IP ranges that don’t match your admin team.
2. Rotate admin credentials — If session tokens leaked, changing passwords invalidates stolen sessions.
3. Check for persistence — Past CitrixBleed campaigns dropped web shells and created backdoor accounts. Run a full config diff against a known-good backup.
4. Inspect NSC_TASS cookies in access logs — Unusually large Base64 values in this cookie are a red flag.
5. Use watchTowr’s detection script — They published a Python tool specifically for identifying vulnerable instances. Run it against your fleet.
Why This Pattern Keeps Repeating

This is the third major Citrix memory leak vulnerability in three years (CitrixBleed in 2023, CitrixBleed2 in 2025, now CVE-2026-3055 in 2026). Each time, the exploitation timeline gets shorter. CitrixBleed took weeks before widespread exploitation. This one took four days.

The problem is structural: NetScaler sits at the network edge, handles authentication, and touches sensitive data by design. A memory leak in an edge appliance is categorically worse than one in an internal service because the attack surface is the public internet. If you’re running edge appliances from any vendor, you need a patching process that can turn around critical updates in under 48 hours. Not weeks. Not “the next maintenance window.”

Resources

Here are the reference books I keep on my desk for situations exactly like this:
- Network Security Assessment by Chris McNab — the go-to for understanding how attackers probe network appliances. The chapter on SAML/SSO attack surfaces is worth reading right now. (Full disclosure: affiliate link)
- Hacking Exposed 7 by McClure, Scambray, Kurtz — if you want to understand the attacker’s perspective on edge infrastructure exploitation, this is the classic. (Affiliate link)
- Practical Cloud Security by Chris Dotson — good coverage of identity federation and why SAML misconfigurations create exploitable gaps. (Affiliate link)
For hardware-level defense, I’m a fan of YubiKey 5C NFC for hardening admin access. Even if an attacker steals a session token, hardware-backed MFA on your admin accounts adds a second layer they can’t bypass remotely. (Affiliate link)

What I’d Do This Week
1. Patch every NetScaler instance. Today, not Friday.
2. Rotate all admin credentials on patched appliances.
3. Run the watchTowr detection script against your fleet.
4. Review your edge appliance patching SLA — if it’s longer than 48 hours for CVSS 9+ flaws, that’s your real vulnerability.
5. Check whether your SIEM is alerting on anomalous NSC_TASS cookie sizes. If not, add that rule.
The CISA deadline for federal agencies is today (April 2, 2026). Even if you’re not a federal agency, treat that deadline as yours. The attackers certainly aren’t waiting.

Related posts:
Join https://t.me/alphasignal822 for free market intelligence.
April 2, 2026
Git Worktrees: The Feature That Killed My Stash Habit
Last Tuesday I was deep in a refactor — 40 files touched, tests half-green — when Slack lit up: “Production’s returning 500s, can you look at main?” My old workflow: git stash, switch branches, forget what I stashed, lose 20 minutes reconstructing state. My current workflow: git worktree add ../hotfix main, fix the bug in a separate directory, push, delete the worktree, and I never left my refactor. Total context-switch cost: zero.

Git worktrees have been around since Git 2.5 (July 2015), but I’ve met maybe three developers who actually use them. Everyone else is still juggling git stash or cloning the repo twice. That’s a shame, because worktrees solve a real, daily problem — and they’re already on your machine.

What Git Worktrees Actually Are

A worktree is a linked checkout of your repository at a different branch or commit, in a separate directory, sharing the same .git data. One repo, multiple working directories, each on its own branch. No duplicate clones, no extra disk space for the object database.
```
# You're on feature/auth-refactor in ~/code/myapp
git worktree add ../myapp-hotfix main
# Now ~/code/myapp-hotfix has a full checkout of main
# Both share the same .git/objects — no duplicate data
```
The key constraint: each worktree must be on a different branch. Git won’t let two worktrees check out the same branch simultaneously (that would be a recipe for corruption). This is actually a feature — it forces clean separation.

Three Workflows Where Worktrees Save Real Time

1. Code Reviews Without Context Switching

I review 3-5 PRs a day. Before worktrees, reviewing meant either reading diffs in the GitHub UI (fine for small changes, terrible for architectural PRs) or stashing my work to check out the PR branch locally.

Now I keep a persistent review worktree:
```
# One-time setup
git worktree add ../review main

# When a PR comes in
cd ../review
git fetch origin
git checkout origin/feature/new-payment-flow

# Run tests, inspect code, check behavior
npm test
npm run dev  # boot the app on a different port

# Done reviewing? Back to my branch
cd ../myapp
# My work is exactly where I left it
```
The time savings are measurable. I tracked it for two weeks: stash-and-switch averaged 4 minutes per review (stash, checkout, install deps, run, switch back, pop stash). Worktrees averaged 40 seconds. With 4 reviews a day, that’s ~13 minutes saved daily. Not life-changing alone, but it compounds — and the cognitive cost of interrupted focus is way higher than the clock time.

2. Hotfixes While Mid-Feature

This is the classic case. You’re mid-feature, things are broken in your working tree (intentionally — you’re refactoring), and production needs a patch. With worktrees:
```
git worktree add ../hotfix main
cd ../hotfix
# fix the bug
git commit -am "fix: null check on user.profile (#1234)"
git push origin main
cd ../myapp
git worktree remove ../hotfix
```
No stash. No “was I on the right commit?” No dependency reinstall because your lockfile changed between branches. Clean in, clean out.

3. Running Two Versions Side-by-Side

I needed to compare API response times between our v2 and v3 endpoints during a migration. With worktrees, I had both versions running simultaneously on different ports:
```
git worktree add ../api-v2 release/v2
cd ../api-v2 && PORT=3001 npm start &
cd ../myapp && PORT=3002 npm start &

# Now hit both with curl or your HTTP client
curl -w "%{time_total}\n" http://localhost:3001/api/users
curl -w "%{time_total}\n" http://localhost:3002/api/users
```
Try doing that with stash. You can’t.

The Commands You Actually Need

The full git worktree subcommand has plenty of options, but in practice I use four:
```
# Create a worktree for an existing branch
git worktree add ../path branch-name

# Create a worktree with a new branch (like checkout -b)
git worktree add -b new-branch ../path starting-point

# List all worktrees
git worktree list

# Remove a worktree (cleans up the directory and git references)
git worktree remove ../path
```
That’s it. Four commands cover 95% of usage. There’s also git worktree prune for cleaning up stale references if you manually delete a worktree directory instead of using remove, but you shouldn’t need it often.

Gotchas I Hit (So You Don’t Have To)

Node modules and build artifacts. Each worktree is a separate directory, so you need a separate node_modules in each. For a big project, that first npm install in a new worktree takes time. I mitigate this by keeping one long-lived review worktree rather than creating/destroying them constantly.

IDE confusion. VS Code handles worktrees well — just open the worktree directory as a separate window. JetBrains IDEs can get confused if you open the same project root with different worktrees. The fix: open the specific worktree directory, not the parent.

Submodules. If your repo uses submodules, you need to run git submodule update --init in each new worktree. Worktrees don’t automatically initialize submodules. Annoying, but a one-liner fix.

Branch locking. Remember: one branch per worktree. If you try to check out a branch that’s already active in another worktree, Git blocks you with:
```
fatal: 'main' is already checked out at '/home/user/code/myapp-hotfix'
```
This is intentional and correct. If you need to work on the same branch from two directories, you have a workflow problem, not a Git problem.

My Worktree Setup

I keep my projects structured like this:
```
~/code/
├── myapp/          # main development (feature branches)
├── myapp-review/   # persistent review worktree (long-lived)
└── myapp-hotfix/   # created on-demand, deleted after use
```
I added a shell alias to speed up the common case:
```
# ~/.zshrc or ~/.bashrc
hotfix() {
  local branch="${1:-main}"
  local dir="../$(basename $(pwd))-hotfix"
  git worktree add "$dir" "$branch" && cd "$dir"
}

# Usage: just type 'hotfix' or 'hotfix release/v3'
```
And a cleanup alias:
```
worktree-clean() {
  git worktree list --porcelain | grep "^worktree" | awk '{print $2}' | while read wt; do
    if [ "$wt" != "$(git rev-parse --show-toplevel)" ]; then
      echo "Remove $wt? (y/n)"
      read answer
      [ "$answer" = "y" ] && git worktree remove "$wt"
    fi
  done
}
```
When Worktrees Aren’t the Answer

I’m not going to pretend worktrees solve everything. They don’t make sense when:
- You’re working solo on a single branch. No context switching means no need for worktrees.
- Your project has a 10-minute build step. Each worktree needs its own build, so the overhead might not be worth it for infrequent switches.
- You need the same branch in two places. Worktrees explicitly prevent this. Clone the repo instead.
For everything else — code reviews, hotfixes, comparing versions, running multiple branches in parallel — worktrees are the right tool. I’ve been using them daily for about a year now, and git stash usage in my shell history dropped from ~15 times/week to maybe once.

Level Up Your Git Setup

If you’re spending real time on Git workflows, it’s worth investing in a proper reference. Pro Git by Scott Chacon covers worktrees alongside the internals that make them possible — understanding Git’s object model makes everything click. (Full disclosure: affiliate link.)

For the terminal setup that makes all this fast, a solid mechanical keyboard actually matters when you’re typing Git commands dozens of times a day. I’ve been using a Keychron Q1 — the tactile feedback on those Brown switches makes a difference over an 8-hour session. (Affiliate link.)

And if you want more developer workflow content, I write about tools and techniques regularly here on orthogonal.info. Check out my regex tester build or the EXIF parser deep dive for more hands-on dev tool content.

Join Alpha Signal on Telegram for free market intelligence and developer insights.
April 2, 2026
TrueNAS Setup Guide: Enterprise Security for Your Homelab
Last month I rebuilt my TrueNAS server from scratch after a drive failure. What started as a simple disk replacement turned into a full security audit — and I realized my homelab storage had been running with basically no access controls, no encryption, and SSH root login enabled. Not great.

Here’s how I set up TrueNAS SCALE with actual security practices borrowed from enterprise environments — without the enterprise complexity.

Why TrueNAS for Homelab Storage

TrueNAS runs on ZFS, which handles data integrity better than anything else I’ve used at home. The killer features for me:
- ZFS snapshots — I accidentally deleted an entire media folder last year. Restored it in 30 seconds from a snapshot. That alone justified the setup.
- Built-in checksumming — ZFS detects and repairs silent data corruption (bit rot). Your photos from 2015 will still be intact in 2035.
- Replication — automated offsite backups over encrypted channels.
I went with TrueNAS SCALE over Core because I wanted Linux underneath — it lets me run Docker containers (Plex, Home Assistant, Nextcloud) alongside the storage. If you don’t need containers, Core on FreeBSD works fine too.

Hardware: What Actually Matters

You don’t need server-grade hardware, but a few things are non-negotiable:
- ECC RAM — ZFS benefits enormously from error-correcting memory. I run 32GB of ECC. If your board supports it, use it. 16GB is the minimum for ZFS caching to work well.
- CPU with AES-NI — any modern AMD Ryzen or Intel chip has this. You need it for dataset encryption without tanking performance.
- NAS-rated drives — I run WD Red Plus 8TB drives in RAID-Z1. Consumer drives aren’t designed for 24/7 operation and will fail faster. CMR (not SMR) matters here.
- A UPS — ZFS hates unexpected power loss. An APC 1500VA UPS with NUT integration gives you automatic clean shutdowns. I wrote about setting up NUT on TrueNAS separately.
My current build: AMD Ryzen 5 5600G, 32GB Crucial ECC SODIMM, three 8TB WD Reds in RAID-Z1, and a 500GB NVMe as SLOG cache. Total cost around $800 — not cheap, but cheaper than losing irreplaceable data.

Network Isolation First

Before you even install TrueNAS, get your network right. Your NAS has all your data on it — it shouldn’t sit on the same flat network as your kids’ tablets and smart bulbs.

I use OPNsense with VLANs to isolate my homelab. The NAS lives on VLAN 10, IoT devices on VLAN 30, and my workstation has cross-VLAN access via firewall rules. If an IoT device gets compromised (and they will eventually), it can’t reach my storage.

The firewall rule is simple — only allow specific subnets to hit the TrueNAS web UI on port 443:
```
# OPNsense/pfSense rule example
pass in on vlan10 proto tcp from 192.168.10.0/24 to 192.168.10.100 port 443
```
If you’re running a Protectli Vault or similar appliance for your firewall, this takes maybe 20 minutes to set up. No excuses.

Installation and Initial Lockdown

The install itself is straightforward — download the ISO, flash a USB with Etcher, boot, follow the wizard. Use a separate SSD or USB for the boot device; don’t waste pool drives on the OS.

Once you’re in the web UI, immediately:
1. Change the admin password to something generated by your password manager. Not “admin123”.
2. Enable 2FA — TrueNAS supports TOTP. Set it up before you do anything else.
3. Disable SSH root login:
```
# In /etc/ssh/sshd_config
PermitRootLogin no
```
Create a non-root user for SSH access instead. I use key-based auth only — password SSH is disabled entirely.

Create Your Storage Pool
```
# RAID-Z1 with three drives
zpool create mypool raidz1 /dev/sda /dev/sdb /dev/sdc
```
RAID-Z1 gives you one drive of redundancy. For more critical data, RAID-Z2 (two-drive redundancy) is worth the capacity trade-off. I run Z1 because I replicate offsite daily — the real backup is the replication, not the RAID.

Enterprise Security Practices, Scaled Down

Access Controls That Actually Work

Don’t give everyone admin access. Create separate users with specific dataset permissions:
```
# Create a limited user for media access
adduser --home /mnt/mypool/media --shell /bin/bash mediauser
chmod 750 /mnt/mypool/media
```
My wife has read-only access to the photo datasets. The kids’ Plex account can only read the media dataset. Nobody except my admin account can touch the backup datasets. This takes 10 minutes to set up and prevents the “oops I deleted everything” scenario.

Encrypt Sensitive Datasets

TrueNAS makes encryption easy — you enable it during dataset creation. I encrypt anything with personal documents, financial records, or credentials. The performance hit with AES-NI hardware is negligible (under 5% in my benchmarks).

For offsite backups, I use rsync over SSH with forced encryption:
```
# Encrypted backup to remote server
rsync -avz --progress -e "ssh -i ~/.ssh/backup_key" \
  /mnt/mypool/critical/ backup@remote:/mnt/backup/
```
VPN for Remote Access

Never expose your TrueNAS web UI to the internet. I use WireGuard through OPNsense — when I need to check on things remotely, I VPN in first. The firewall blocks everything else. I covered secure remote access patterns in detail before.

Ongoing Maintenance

Setup is maybe 20% of the work. The rest is keeping it running reliably:
- ZFS scrubs — I run weekly scrubs on Sunday nights. They catch silent corruption before it becomes a problem. Schedule this in the TrueNAS UI under Tasks → Scrub Tasks.
- Updates — check for TrueNAS updates monthly. Don’t auto-update a NAS; read the release notes first.
- Monitoring — I pipe TrueNAS metrics into Grafana via Prometheus. SMART data, pool health, CPU/RAM usage. When a drive starts showing pre-failure indicators, I know before it dies.
- Snapshot rotation — keep hourly snapshots for 48 hours, daily for 30 days, weekly for 6 months. Automate this in the TrueNAS snapshot policies.
Test your backups. Seriously. I do a full restore test every quarter — pull a snapshot, restore it to a test dataset, verify the files are intact. An untested backup is not a backup.

Where to Go From Here

Once your TrueNAS box is running securely, you can start adding services. I run Plex, Nextcloud, Home Assistant, and a Gitea instance all on the same SCALE box using Docker. Each service gets its own dataset with isolated permissions.

If you want to go deeper on the networking side, I’d start with full network segmentation with OPNsense. For monitoring, check out my post on open-source security monitoring.

📋 Disclosure: Some links in this article are affiliate links. If you purchase through them, I earn a small commission at no extra cost to you. I only recommend gear I actually run in my own homelab.

Get daily AI-powered market intelligence. Join Alpha Signal — free market briefs, security alerts, and dev tool recommendations.
April 1, 2026
UPS Battery Backup: Sizing, Setup & NUT on TrueNAS
Last month my TrueNAS server rebooted mid-scrub during a power flicker that lasted maybe half a second. Nothing dramatic — the lights barely dimmed — but the ZFS pool came back with a degraded vdev and I spent two hours rebuilding. That’s when I finally stopped procrastinating and bought a UPS.

If you’re running a homelab with any kind of persistent storage — especially ZFS on TrueNAS — you need battery backup. Not “eventually.” Now. Here’s what I learned picking one out and setting it up with automatic shutdown via NUT.

Why Homelabs Need a UPS More Than Desktops Do

A desktop PC losing power is annoying. You lose your unsaved work and reboot. A server losing power mid-write can corrupt your filesystem, break a RAID rebuild, or — in the worst case with ZFS — leave your pool in an unrecoverable state.

I’ve been running TrueNAS on a custom build (I wrote about picking the right drives for it) and the one thing I kept putting off was power protection. Classic homelab mistake: spend $800 on drives, $0 on keeping them alive during outages.

The math is simple. A decent UPS costs $150-250. A failed ZFS pool can mean rebuilding from backup (hours) or losing data (priceless). The UPS pays for itself the first time your power blips.

Simulated Sine Wave vs. Pure Sine Wave — It Actually Matters

Most cheap UPS units output a “simulated” or “stepped” sine wave. For basic electronics, this is fine. But modern server PSUs with active PFC (Power Factor Correction) can behave badly on simulated sine wave — they may refuse to switch to battery, reboot anyway, or run hot.

The rule: if your server has an active PFC power supply (most ATX PSUs sold after 2020 do), get a pure sine wave UPS. Don’t save $40 on a simulated unit and then wonder why your server still crashes during outages.

Both units I’d recommend output pure sine wave:

APC Back-UPS Pro BR1500MS2 — My Pick

This is what I ended up buying. The APC BR1500MS2 is a 1500VA/900W pure sine wave unit with 10 outlets, USB-A and USB-C charging ports, and — critically — a USB data port for NUT monitoring. (Full disclosure: affiliate link.)

Why I picked it:
- Pure sine wave output — no PFC compatibility issues
- USB HID interface — TrueNAS recognizes it immediately via NUT, no drivers needed
- 900W actual capacity — enough for my TrueNAS box (draws ~180W), plus my network switch and router
- LCD display — shows load %, battery %, estimated runtime in real-time
- User-replaceable battery — when the battery dies in 3-5 years, swap it for ~$40 instead of buying a new UPS
At ~180W load, I get about 25 minutes of runtime. That’s more than enough for NUT to detect the outage and trigger a clean shutdown.

CyberPower CP1500PFCLCD — The Alternative

If APC is out of stock or you prefer CyberPower, the CP1500PFCLCD is the direct competitor. Same 1500VA rating, pure sine wave, 12 outlets, USB HID for NUT. (Affiliate link.)

The CyberPower is usually $10-20 cheaper than the APC. Functionally, they’re nearly identical for homelab use. I went APC because I’ve had good luck with their battery replacements, but either is a solid choice. Pick whichever is cheaper when you’re shopping.

Sizing Your UPS: VA, Watts, and Runtime

UPS capacity is rated in VA (Volt-Amps) and Watts. They’re not the same thing. For homelab purposes, focus on Watts.

Here’s how to size it:
1. Measure your actual draw. A Kill A Watt meter costs ~$25 and tells you exactly how many watts your server pulls from the wall. (Affiliate link.) Don’t guess — PSU wattage ratings are maximums, not actual draw.
2. Add up everything you want on battery. Server + router + switch is typical. Monitors and non-essential stuff go on surge-only outlets.
3. Target 50-70% load. A 900W UPS running 450W of gear gives you reasonable runtime (~8-12 minutes) and doesn’t stress the battery.
My setup: TrueNAS box (~180W) + UniFi switch (~15W) + router (~12W) = ~207W total. On a 900W UPS, that’s 23% load, giving me ~25 minutes of runtime. Overkill? Maybe. But I’d rather have headroom than run at 80% and get 4 minutes of battery.

Setting Up NUT on TrueNAS for Automatic Shutdown

A UPS without automatic shutdown is just a really expensive power strip with a battery. The whole point is graceful shutdown — your server detects the outage, saves everything, and powers down cleanly before the battery dies.

TrueNAS has NUT (Network UPS Tools) built in. Here’s the setup:

1. Connect the USB data cable

Plug the USB cable from the UPS into your TrueNAS machine. Not a charging cable — the data cable that came with the UPS. Go to System → Advanced → Storage and make sure the USB device shows up.

2. Configure the UPS service

In TrueNAS SCALE, go to System Settings → Services → UPS:
```
UPS Mode: Master
Driver: usbhid-ups (auto-detected for APC and CyberPower)
Port: auto
Shutdown Mode: UPS reaches low battery
Shutdown Timer: 30 seconds
Monitor User: upsmon
Monitor Password: (set something, you'll need it for NUT clients)
```
3. Enable and test

Start the UPS service, enable auto-start. Then SSH in and check:
```
upsc ups@localhost
```
You should see battery charge, load, input voltage, and status. If it says OL (online), you’re good. Pull the power cord from the wall briefly — it should switch to OB (on battery) and you’ll see the charge start to drop.

4. NUT clients for other machines

If you’re running Docker containers or other servers (like an Ollama inference box), they can connect as NUT clients to the same UPS. On a Linux box:
```
apt install nut-client
# Edit /etc/nut/upsmon.conf:
MONITOR ups@truenas-ip 1 upsmon yourpassword slave
SHUTDOWNCMD "/sbin/shutdown -h +0"
```
Now when the UPS battery hits critical, TrueNAS shuts down first, then signals clients to do the same.

Monitoring UPS Health Over Time

Batteries degrade. A 3-year-old UPS might only give you 8 minutes instead of 25. NUT tracks battery health, but you need to actually look at it.

I have a cron job that checks upsc ups@localhost battery.charge weekly and logs it. If charge drops below 80% at full load, it’s time for a replacement battery. APC replacement batteries (RBC models) run $30-50 on Amazon and take two minutes to swap.

If you’re running a monitoring stack (Prometheus + Grafana), there’s a NUT exporter that makes this trivial. But honestly, a cron job and a log file works fine for a homelab.

What About Rack-Mount UPS?

If you’ve graduated to a proper server rack, the tower units I mentioned above won’t fit. The APC SMT1500RM2U is the rack-mount equivalent — 2U, 1500VA, pure sine wave, NUT compatible. It’s about 2x the price of the tower version. Only worth it if you actually have a rack.

For most homelabbers running a Docker or K8s setup on a single tower server, the desktop UPS units are plenty. Don’t buy rack-mount gear for a shelf setup — you’re paying for the form factor, not better protection.

The Backup Chain: UPS Is Just One Link

A UPS protects against power loss. It doesn’t protect against drive failure, ransomware, or accidental rm -rf. If you haven’t set up a real backup strategy, I wrote about enterprise-grade backup for homelabs — the 3-2-1 rule still applies, even at home.

The full resilience stack for a homelab: UPS for power → ZFS for disk redundancy → offsite backups for disaster recovery. Skip any layer and you’re gambling.

Go buy a UPS. Your data will thank you the next time the power blinks.

Free market intelligence for traders and builders: Join Alpha Signal on Telegram — daily macro, sector, and signal analysis, free.
April 1, 2026
Insider Trading Detector with Python & Free SEC Data
Last month I noticed something odd. Three directors at a mid-cap biotech quietly bought shares within a five-day window — all open-market purchases, no option exercises. The stock was down 30% from its high. Two weeks later, they announced a partnership with Pfizer and the stock popped 40%.

I didn’t catch it in real time. I found it afterward while manually scrolling through SEC filings. That annoyed me enough to build a tool that would catch the next one automatically.

Here’s the thing about insider buying clusters: they’re one of the few signals with actual academic backing. A 2024 study from the Journal of Financial Economics found that stocks with three or more insider purchases within 30 days outperformed the market by an average of 8.7% over the following six months. Not every cluster leads to a win, but the hit rate is better than most technical indicators I’ve tested.

The data is completely free. Every insider trade gets filed with the SEC as a Form 4, and the SEC makes all of it available through their EDGAR API — no API key, no rate limits worth worrying about (10 requests/second), no paywall. The only catch: the raw data is XML soup. That’s where edgartools comes in.

What Counts as a “Cluster”

Before writing code, I needed to define what I was actually looking for. Not all insider buying is equal.

Strong signals:
- Open market purchases (transaction code P) — the insider spent their own money
- Multiple different insiders buying within a 30-day window
- Purchases by C-suite (CEO, CFO, COO) or directors — not mid-level VPs exercising options
- Purchases larger than $50,000 — skin in the game matters
Weak signals (I filter these out):
- Option exercises (code M) — often automatic, not conviction
- Gifts (code G) — tax planning, not bullish intent
- Small purchases under $10,000 — could be a director fulfilling a minimum ownership requirement
Setting Up the Python Environment

You need exactly two packages:
```
pip install edgartools pandas
```
edgartools is an open-source Python library that wraps the SEC EDGAR API and parses the XML filings into clean Python objects. No API key required. It handles rate limiting, caching, and the various quirks of EDGAR’s data format. I’ve been using it for about six months and it’s saved me from writing a lot of painful XML parsing code.

Here’s the core detection script:
```
from edgar import Company, get_filings
from datetime import datetime, timedelta
from collections import defaultdict
import pandas as pd

def detect_insider_clusters(tickers, lookback_days=60,
                            min_insiders=2, min_value=50000):
    # Scan a list of tickers for insider buying clusters.
    # A cluster = multiple different insiders making open-market
    # purchases within a rolling 30-day window.
    clusters = []

    for ticker in tickers:
        try:
            company = Company(ticker)
            filings = company.get_filings(form="4")

            purchases = []

            for filing in filings.head(50):
                form4 = filing.obj()

                for txn in form4.transactions:
                    if txn.transaction_code != 'P':
                        continue

                    value = (txn.shares or 0) * (txn.price_per_share or 0)
                    if value < min_value:
                        continue

                    purchases.append({
                        'ticker': ticker,
                        'date': txn.transaction_date,
                        'insider': form4.reporting_owner_name,
                        'relationship': form4.reporting_owner_relationship,
                        'shares': txn.shares,
                        'price': txn.price_per_share,
                        'value': value
                    })

            if len(purchases) < min_insiders:
                continue

            df = pd.DataFrame(purchases)
            df['date'] = pd.to_datetime(df['date'])
            df = df.sort_values('date')

            cutoff = datetime.now() - timedelta(days=lookback_days)
            recent = df[df['date'] >= cutoff]

            if len(recent) == 0:
                continue

            unique_insiders = recent['insider'].nunique()

            if unique_insiders >= min_insiders:
                total_value = recent['value'].sum()
                clusters.append({
                    'ticker': ticker,
                    'insiders': unique_insiders,
                    'total_purchases': len(recent),
                    'total_value': total_value,
                    'earliest': recent['date'].min(),
                    'latest': recent['date'].max(),
                    'names': recent['insider'].unique().tolist()
                })

        except Exception as e:
            print(f"Error processing {ticker}: {e}")
            continue

    return sorted(clusters, key=lambda x: x['insiders'], reverse=True)
```
Scanning the S&P 500

Running this against individual tickers is fine, but the real value is scanning broadly. I pull S&P 500 constituents from Wikipedia’s maintained list and run the detector daily:
```
# Get S&P 500 tickers
sp500 = pd.read_html(
    'https://en.wikipedia.org/wiki/List_of_S%26P_500_companies'
)[0]['Symbol'].tolist()

# Takes about 15-20 minutes for 500 tickers
# EDGAR rate limit is 10 req/sec — be respectful
results = detect_insider_clusters(
    sp500,
    lookback_days=30,
    min_insiders=3,
    min_value=25000
)

for cluster in results:
    print(f"\n{cluster['ticker']}: {cluster['insiders']} insiders, "
          f"${cluster['total_value']:,.0f} total")
    for name in cluster['names']:
        print(f"  - {name}")
```
When I first ran this in January, it flagged 4 companies with 3+ insider purchases in a rolling 30-day window. Two of them outperformed the S&P over the next quarter. That’s a small sample, but it matched the academic research I mentioned earlier.

Adding Slack or Telegram Alerts

A detector that only runs when you remember to open a terminal isn’t very useful. I run mine on a cron job (every morning at 7 AM ET) and have it push alerts to a Telegram channel:
```
import requests

def send_telegram_alert(cluster, bot_token, chat_id):
    msg = (
        f"🔔 Insider Cluster: ${cluster['ticker']}\n"
        f"Insiders buying: {cluster['insiders']}\n"
        f"Total value: ${cluster['total_value']:,.0f}\n"
        f"Window: {cluster['earliest'].strftime('%b %d')} - "
        f"{cluster['latest'].strftime('%b %d')}\n"
        f"Names: {', '.join(cluster['names'][:5])}"
    )

    requests.post(
        f"https://api.telegram.org/bot{bot_token}/sendMessage",
        json={"chat_id": chat_id, "text": msg}
    )
```
You can also swap in Slack, Discord, or email. The detection logic stays the same — just change the notification transport.

Performance Reality Check

I want to be honest about what this tool can and can’t do.

What works:
- Catching cluster buys that I’d otherwise miss entirely. Most retail investors don’t read Form 4 filings.
- Filtering out noise. The vast majority of insider transactions are option exercises, RSU vesting, and 10b5-1 plan sales — none of which signal much. This tool isolates the intentional purchases.
- Speed. EDGAR filings appear within 24-48 hours of the transaction. For cluster detection (which builds over days or weeks), that latency doesn’t matter.
What doesn’t work:
- Single insider buys. One director buying $100K of stock might mean something, but the signal-to-noise ratio is low. Clusters are where the edge is.
- Short-term trading. This isn’t a day-trading signal. The academic alpha shows up over 3-6 months.
- Small caps with thin insider data. Some micro-caps only have 2-3 insiders total, so “cluster” detection becomes meaningless.
Comparing Free Alternatives

You don’t have to build your own. Here’s how the DIY approach stacks up:

secform4.com — Free, decent UI, but no cluster detection. You see raw filings, not patterns. No API.

Finnhub insider endpoint — Free tier includes /stock/insider-transactions, but limited to 100 transactions per call and 60 API calls/minute. Good for single-ticker lookups, not for scanning 500 tickers daily. I wrote about Finnhub and other finance APIs in my finance API comparison.

OpenInsider.com — My favorite for manual browsing. Has a “cluster buys” filter built in. But no API, no automation, and the cluster definition isn’t configurable.

The DIY edgartools approach wins if you want customizable filters, automated alerts, and the ability to pipe results into other tools (backtests, portfolio trackers, dashboards). It loses if you just want to glance at insider activity once a week — use OpenInsider for that.

Running It 24/7 on a Raspberry Pi

I run my scanner on a Raspberry Pi 5 that also handles a few other Python monitoring scripts. A Pi 5 with 8GB RAM handles this fine — peak memory usage is under 400MB even when scanning all 500 tickers. Total cost: about $80 for the Pi, a case, and an SD card. It’s been running since November without a restart.

If you’d rather not manage hardware, any $5/month VPS works too. The script runs in about 20 minutes per scan and sleeps the rest of the day.

Next Steps

A few things I’m still experimenting with:
- Combining with technical signals. An insider cluster at a 52-week low with RSI under 30 is more interesting than one at an all-time high. I wrote about RSI and other technical indicators if you want to add that layer.
- Tracking 13F filings alongside Form 4s. If an insider is buying AND a major fund just initiated a position (visible in quarterly 13F filings), that’s a stronger signal. edgartools handles 13F parsing too.
- Sector-level clustering. Sometimes multiple insiders across different companies in the same sector all start buying. That’s a sector-level signal I haven’t automated yet.
If you want to go deeper into the quantitative side, Python for Finance by Yves Hilpisch (O’Reilly) covers the data pipeline and analysis patterns well. Full disclosure: affiliate link.

The full source code for my detector is about 200 lines. Everything above is production-ready — I copy-pasted from my actual codebase. If you build something with it, I’d be curious to hear what you find.

For daily market signals and insider activity alerts, join Alpha Signal on Telegram — free market intelligence, no paywall for the daily brief.
April 1, 2026
I Built a Regex Tester Because Regex101 Sends Your Data
Last week I was debugging a CloudFront log parser and pasted a chunk of raw access logs into Regex101. Mid-keystroke, I realized those logs contained client IPs, user agents, and request paths from production. All of it, shipped off to someone else’s server for “processing.”

That’s the moment I decided to build my own regex tester.

The Problem with Existing Regex Testers

I looked at three tools I’ve used for years:

Regex101 is the gold standard. Pattern explanations, debugger, community library — it’s feature-rich. But it sends every keystroke to their backend. Their privacy policy says they store patterns and test strings. If you’re testing regex against production data, config files, or anything containing tokens and IPs, that’s a problem.

RegExr has a solid educational angle with the animated railroad diagrams. But the interface feels like 2015, and there’s no way to test multiple strings against the same pattern without copy-pasting repeatedly.

Various Chrome extensions promise offline regex testing, but they request permissions to read all your browser data. I’m not trading one privacy concern for a worse one.

What none of them do: let you define a set of test cases (this string SHOULD match, this one SHOULDN’T) and run them all at once. If you write regex for input validation, URL routing, or log parsing, you need exactly that.

What I Built

RegexLab is a single HTML file. No build step, no npm install, no backend. Open it in a browser and it works — including offline, since it registers a service worker.

Three modes:

Match mode highlights every match in real-time as you type. Capture groups show up color-coded below the result. If your pattern has named groups or numbered captures, you see exactly what each group caught.

Replace mode gives you a live preview of string replacement. Type your replacement pattern (with $1, $2 backreferences) and see the output update instantly. I use this constantly for log reformatting and sed-style transforms.

Multi-test mode is the feature I actually wanted. Add as many test cases as you need. Mark each one as “should match” or “should not match.” Run them all against your pattern and get a pass/fail report. Green checkmark or red X, instantly.

This is what makes RegexLab different from Regex101. When I’m writing a URL validation pattern, I want to throw 15 different URLs at it — valid ones, edge cases with ports and fragments, obviously invalid ones — and see them all pass or fail in one view. No scrolling, no re-running.

How It Works Under the Hood

The entire app is ~30KB of HTML, CSS, and JavaScript. No frameworks, no dependencies. Here’s what’s happening technically:

Pattern compilation: Every keystroke triggers a debounced (80ms) recompile. The regex is compiled with new RegExp(pattern, flags) inside a try/catch. Invalid patterns show the error message directly — no cryptic “SyntaxError,” just the relevant part of the browser’s error string.

Match highlighting: I use RegExp.exec() in a loop with the global flag to find every match with its index position. Then I build highlighted HTML by slicing the original string at match boundaries and wrapping matches in <span class="hl"> tags. A safety counter at 10,000 prevents infinite loops from zero-length matches (a real hazard with patterns like .*).
```
// Simplified version of the match loop
const rxCopy = new RegExp(rx.source, rx.flags);
let safety = 0;
while ((m = rxCopy.exec(text)) !== null && safety < 10000) {
  matches.push({ start: m.index, end: m.index + m[0].length });
  if (m[0].length === 0) rxCopy.lastIndex++;
  safety++;
}
```
That lastIndex++ on zero-length matches is important. Without it, a pattern like /a*/g will match the empty string forever at the same position. Every regex tutorial skips this, and then people wonder why their browser tab freezes.

Capture groups: When exec() returns an array with more than one element, elements at index 1+ are capture groups. I color-code them with four rotating colors (amber, pink, cyan, purple) and display them below the match result.

Flag toggles: The flag buttons sync bidirectionally with the text input. Click a button, the text field updates. Type in the text field, the buttons update. I store flags as a simple string ("gim") and reconstruct it from button state on each click.

State persistence: Everything saves to localStorage every 2 seconds — pattern, flags, test string, replacement, and all test cases. Reload the page and you’re right where you left off. The service worker caches the HTML for offline use.

Common patterns library: 25 pre-built patterns for emails, URLs, IPs, dates, UUIDs, credit cards, semantic versions, and more. Click one to load it. Searchable. I pulled these from my own .bashrc aliases and validation functions I’ve written over the years.

Design Decisions

Dark mode by default via prefers-color-scheme. Most developers use dark themes. The light mode is there for the four people who don’t.

Monospace everywhere that matters. Pattern input, test strings, results — all in SF Mono / Cascadia Code / Fira Code. Proportional fonts in regex testing are a war crime.

No syntax highlighting in the pattern input. I considered it, but colored brackets and escaped characters inside an input field add complexity without much benefit. The error message and match highlighting already tell you if your pattern is right.

Touch targets are 44px minimum. The flag toggle buttons, tab buttons, and action buttons all meet Apple’s HIG recommendation. I tested at 320px viewport width on my phone and everything still works.

Real Use Cases

Log parsing: I parse nginx access logs daily. A pattern like (\d+\.\d+\.\d+\.\d+).*?"(GET|POST)\s+([^"]+)"\s+(\d{3}) pulls IP, method, path, and status code. Multi-test mode lets me throw 10 sample log lines at it to make sure edge cases (HTTP/2 requests, URLs with quotes) don’t break it.

Input validation: Building a form? Test your email/phone/date regex against a list of valid and invalid inputs in one shot. Way faster than manually testing each one.

Search and replace: Reformatting dates from MM/DD/YYYY to YYYY-MM-DD? The replace mode with $3-$1-$2 backreferences shows you the result instantly.

Teaching: The pattern library doubles as a learning resource. Click “Email” or “UUID” and see a production-quality regex with its flags and description. Better than Stack Overflow answers from 2012.

Try It

It’s live at regexlab.orthogonal.info. Works offline after the first visit. Install it as a PWA if you want it in your dock.

If you want more tools like this — HashForge for hashing, JSON Forge for formatting JSON, QuickShrink for image compression — they’re all at apps.orthogonal.info. Same principle: single HTML file, zero dependencies, your data stays in your browser.

Full disclosure: Mastering Regular Expressions by Jeffrey Friedl is the book that made regex click for me back in college. If you’re still guessing at lookaheads and backreferences, it’s worth the read. Regular Expressions Cookbook by Goyvaerts and Levithan is also solid if you want recipes rather than theory. And if you’re doing a lot of text processing, a good mechanical keyboard makes the difference when you’re typing backslashes all day.

More Privacy-First Browser Tools
- JSON Forge: Privacy-First JSON Formatter
- HashForge: Privacy-First Hash Generator
- I Benchmarked 5 Image Compressors — which browser tool actually wins
March 31, 2026
Docker Compose vs Kubernetes: Secure Homelab Choices
Last year I moved my homelab from a single Docker Compose stack to a K3s cluster. It took a weekend, broke half my services, and taught me more about container security than any course I’ve taken. Here’s what I learned about when each tool actually makes sense—and the security traps in both.

The real question: how big is your homelab?

I ran Docker Compose for two years. Password manager, Jellyfin, Gitea, a reverse proxy, some monitoring. Maybe 12 containers. It worked fine. The YAML was readable, docker compose up -d got everything running in seconds, and I could debug problems by reading one file.

Then I hit ~25 containers across three machines. Compose started showing cracks—no built-in way to schedule across nodes, no health-based restarts that actually worked reliably, and secrets management was basically “put it in an .env file and hope nobody reads it.”

That’s when I looked at Kubernetes seriously. Not because it’s trendy, but because I needed workload isolation, proper RBAC, and network policies that Docker’s bridge networking couldn’t give me.

Docker Compose security: what most people miss

Compose is great for getting started, but it has security defaults that will bite you. The biggest one: containers run as root by default. Most people never change this.

Here’s the minimum I run on every Compose service now:
```
version: '3.8'
services:
  app:
    image: my-app:latest
    user: "1000:1000"
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
    networks:
      - isolated
    logging:
      driver: json-file
      options:
        max-size: "10m"

networks:
  isolated:
    driver: bridge
```
The key additions most tutorials skip: read_only: true prevents containers from writing to their filesystem (mount specific writable paths if needed), no-new-privileges blocks privilege escalation, and cap_drop: ALL removes Linux capabilities you almost certainly don’t need.

Other things I do with Compose that aren’t optional anymore:
- Network segmentation. Separate Docker networks for databases, frontend services, and monitoring. My Postgres container can’t talk to Traefik directly—it goes through the app layer only.
- Image scanning. I run Trivy on every image before deploying. One trivy image my-app:latest catches CVEs that would otherwise sit there for months.
- TLS everywhere. Even internal services get certificates via Let’s Encrypt and Traefik’s ACME resolver.
Scan your images before they run—it takes 10 seconds and catches the obvious stuff:
```
# Quick scan
trivy image my-app:latest

# Fail CI if HIGH/CRITICAL vulns found
trivy image --exit-code 1 --severity HIGH,CRITICAL my-app:latest
```
Kubernetes: when the complexity pays off

I use K3s specifically because full Kubernetes is absurd for a homelab. K3s strips out the cloud-provider bloat and runs the control plane in a single binary. My cluster runs on a TrueNAS box with 32GB RAM—plenty for ~40 pods.

The security features that actually matter for homelabs:

RBAC — I can give my partner read-only access to monitoring dashboards without exposing cluster admin. Here’s a minimal read-only role:
```
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: monitoring
  name: dashboard-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: viewer-binding
  namespace: monitoring
subjects:
- kind: User
  name: reader
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dashboard-viewer
  apiGroup: rbac.authorization.k8s.io
```
Network policies — This is the killer feature. In Compose, network isolation is coarse (whole networks). In Kubernetes, I can say “this pod can only talk to that pod on port 5432, nothing else.” If a container gets compromised, lateral movement is blocked.

Namespaces — I run separate namespaces for media, security tools, monitoring, and databases. Each namespace has its own resource quotas and network policies. A runaway Jellyfin transcode can’t starve my password manager.

The tradeoff is real though. I spent a full day debugging a network policy that was silently dropping traffic between my app and its database. The YAML looked right. Turned out I had a label mismatch—app: postgres vs app: postgresql. Kubernetes won’t warn you about this. It just drops packets.

Networking: the part everyone gets wrong

Whether you’re on Compose or Kubernetes, your reverse proxy config matters more than most security settings. I use Traefik for both setups. Here’s my Compose config for automatic TLS:
```
version: '3.8'
services:
  traefik:
    image: traefik:v3.0
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    volumes:
      - "./letsencrypt:/letsencrypt"
    ports:
      - "80:80"
      - "443:443"
```
Key detail: that HTTP-to-HTTPS redirect on the web entrypoint. Without it, you’ll have services accessible over plain HTTP and not realize it until someone sniffs your traffic.

For storage, encrypt volumes at rest. If you’re on ZFS (like my TrueNAS setup), native encryption handles this. For Docker volumes specifically:
```
# Create a volume backed by encrypted storage
docker volume create --driver local \
  --opt type=none \
  --opt o=bind \
  --opt device=/mnt/encrypted/app-data \
  my_secure_volume
```
My recommendation: start Compose, graduate to K3s

If you have fewer than 15 containers on one machine, stick with Docker Compose. Apply the security hardening above, scan your images, segment your networks. You’ll be fine.

Once you hit multiple nodes, need proper secrets management (not .env files), or want network-policy-level isolation, move to K3s. Not full Kubernetes—K3s. The learning curve is steep for a week, then it clicks.

I’d also recommend adding Falco for runtime monitoring regardless of which tool you pick. It watches syscalls and alerts on suspicious behavior—like a container suddenly spawning a shell or reading /etc/shadow. Worth the 5 minutes to set up.

The tools I keep coming back to for this:
- Kubernetes in Action, 2nd Edition — best K8s book I’ve read. Goes deep on security chapters. (affiliate link)
- Hacking Kubernetes — threat-focused analysis of K8s attack surfaces. Changed how I think about cluster security. (affiliate link)
- GitOps and Kubernetes — if you want ArgoCD or Flux for your homelab deployments. (affiliate link)
Related posts you might find useful:
Get daily AI-powered market intelligence. Join Alpha Signal — free market briefs, security alerts, and dev tool recommendations.

📦 Disclosure: Some links above are affiliate links. If you buy through them, I earn a small commission at no extra cost to you. I only recommend stuff I actually use. This helps keep orthogonal.info running.
March 31, 2026

Product	Fixed Version
NetScaler ADC & Gateway 14.1	14.1-66.59
NetScaler ADC & Gateway 13.1	13.1-62.23
NetScaler ADC 13.1-FIPS	13.1-37.262
NetScaler ADC 13.1-NDcPP	13.1-37.262

Blog

Why a Hardware Key Beats a Private Key File

Which YubiKey to Get

Setting Up SSH with FIDO2 Resident Keys

Adding the Key to Remote Servers

The Resident Key Trick: Any Machine, No Key Files

Hardening sshd for Key-Only Auth

What About Git and GitHub?

Gotchas I Hit

My Setup

Should You Bother?

The Canvas API: Your GPU’s Signature

AudioContext: Your Sound Card Leaks Too

WebGL: GPU Model Exposed

The Full Fingerprint Stack

What Actually Defends Against This

A Practical Test You Can Run Right Now

What Developers Should Do

The Problem with Every Online Diff Tool

What I Built: DiffLab

Three View Modes

Keyboard Navigation Between Changes

Character-Level Highlighting

Comparison Options

How It Works Under the Hood

The Diff Algorithm

Character Diffing

Rendering Strategy

Real Use Cases

Privacy and Offline Use

Try It

What CVE-2026-3055 Actually Does

The Timeline Is Ugly

Are You Vulnerable?

The Exposure Numbers

What watchTowr Calls “Disingenuous”

Patch Now — Here Are the Fixed Versions

Post-Patch: Check for Compromise

Why This Pattern Keeps Repeating

Resources

What I’d Do This Week

What Git Worktrees Actually Are

Three Workflows Where Worktrees Save Real Time

1. Code Reviews Without Context Switching

2. Hotfixes While Mid-Feature

3. Running Two Versions Side-by-Side

The Commands You Actually Need

Gotchas I Hit (So You Don’t Have To)

My Worktree Setup

When Worktrees Aren’t the Answer

Level Up Your Git Setup

Why TrueNAS for Homelab Storage

Hardware: What Actually Matters

Network Isolation First

Installation and Initial Lockdown

Create Your Storage Pool

Enterprise Security Practices, Scaled Down

Access Controls That Actually Work

Encrypt Sensitive Datasets

VPN for Remote Access

Ongoing Maintenance

Where to Go From Here

Why Homelabs Need a UPS More Than Desktops Do

Simulated Sine Wave vs. Pure Sine Wave — It Actually Matters

APC Back-UPS Pro BR1500MS2 — My Pick

CyberPower CP1500PFCLCD — The Alternative

Sizing Your UPS: VA, Watts, and Runtime

Setting Up NUT on TrueNAS for Automatic Shutdown

1. Connect the USB data cable

2. Configure the UPS service

3. Enable and test

4. NUT clients for other machines

Monitoring UPS Health Over Time

What About Rack-Mount UPS?

The Backup Chain: UPS Is Just One Link

What Counts as a “Cluster”

Setting Up the Python Environment

Scanning the S&P 500

Adding Slack or Telegram Alerts

Performance Reality Check