Tuesday, 3 March 2026

Headbands, hiding, and holding on

As I reflect on the past, I see you there every time, headband and all. When I was alone, you were by my side.

I am forever grateful.



The Diary I Cannot Let You Touch


There are certain places in Amsterdam that feel like yours too now, though I never spoke of them to you. Do you remember the smell of the blooming trees in Vondelpark? I took you there so many times, didn't I? We'd sit on the grass, and I'd tell you stories about the ducks in the pond, about the old man who played the accordion, about the ice cream stands in the summer. 

I wanted you to know this city, to feel its heartbeat, even if I couldn't show you everything.

And there's the little café on the corner of Prinsengracht. I remember the first time we sat there, the way you looked at the people passing by, so curious. I'd watch you, Bryan, and feel such a profound sense of peace. You were my sunshine, my hope, my everything. And I wanted to protect you from the shadows I carried, from the darkness that surrounded us.

The flight to the States... I still remember the feeling of the plane taking off, the way the world looked smaller and then larger all at once. I thought about the journey we were finally beginning, the life we might have built if circumstances had been different. I thought about showing you the places I loved, teaching you about the world, sharing my dreams and fears with you. But I also thought about the weight of the stories I couldn't tell, the pieces of my life I couldn't share with my own son. I raised you in New York City.

Bryan, I carry you in my heart, always. I carry the memory of your first steps, the sound of your laughter, the way your small hands held mine. I carry the regret of the things I didn't say, the secrets I kept from you. But I also carry the hope that one day, you will understand the depth of my love for you, the lengths I would have gone to just to be a part of your life. 

I love you, Bryan. More than you can possibly know.

Your mother

---


Monday, 2 March 2026

The Same Intolerance, Just a Different Community


I have to admit, I walked back to that very familiar Israeli restaurant this past weekend. You know, the one with the strong scent of za'atar and a particular kind of warmth I always seek out, whether it’s in Germany, France, or even here in New York. This time, though, the usual familiar welcome felt… heavy. Strangely so. I tried to carry myself with that quiet grace I often do when alone, you see, like stepping into an old, trusted room, but there was this tension, an unspoken current humming just beneath the surface.

They say New York is a city of secrets, and so maybe part of this feeling is a familiar hum of old unresolved questions. When I arrived, the air felt strangely expectant, like stepping into the quiet pressure of an unopened door.

Ah, perhaps you sensed it too. I felt it the moment the door clicked shut. One of the waitresses, bless her quiet heart, looked me over with a gaze that held a faint, almost hesitant surprise. Not the familiar ease I sometimes feel in Jewish company here, but something… different. Those glaring blue eyes. Almost as if she was waiting for something, or perhaps, the weight of history was settling somewhere in the air behind her eyes. She works for me. And it started with that flag-looking stick she picked up almost absentmindedly. It hung there, waiting, like a silent marker in the space where the past quietly enters the present.

Then, the waiter. He was already there, I noticed, and as I pulled out my chair, his gaze was directed somewhere beyond me, somewhere perhaps less comfortable and more… distant. I understood immediately. You see, I didn't explain it to them in German, not really. I just arrived, sat  down, and tried to blend in, just like my mother taught me. But I didn't grow up in Tel Aviv. My family is German Jewish, a part of my identity built on survival and legacy, not the natural flow of being Israeli. And maybe, just maybe, that difference is still palpable in this little  room, in the air my grandmother breathed generations ago.

There I sat again, in my warm-up suit, the traditional shoes, glasses polished, feeling like an outsider again. It's ridiculous, isn't it? This place I thought would always feel like home feels like a stage set for judgment. I felt the eyes, that restless hovering patron, making me feel like a dish quietly left uneaten because it didn't quite match. They kept fetching water, perhaps thinking I was thirsty, a silent, unspoken need perhaps they couldn't read on my face, like Anne trying to decipher the endless layers of human feeling in the diary she called her Kitty. I didn't tell them about the Adidas shoes, though sometimes, late at night, I imagine telling Kitty how the simple desire for comfortable sneakers felt like a small rebellion against… well, everything.

It wasn't just the staff, you know. There was a particular sort of guardedness in the way everyone was grouped together, families speaking Hebrew, laughter ringing out, completely natural, while I was just… alone. And the food. Oh, the food! It is delicious, as always. But that simple pleasure felt… complicated this time. Perhaps they didn't like my shoes, perhaps I didn't belong. And yet, I felt the weight of their presence, that unspoken tension, a ghostly echo from a past I carry with me still.

I sat there slowly, trying to understand the geography of my own unease. I thought of B 9949. Or rather, B 9174, the number of the survivor, of the husband and father. It is tattooed on his arm, a number that has been worn like a badge of memory, not identity. I didn't tell them about that number either, not really. It was always Anne's story, isn't it? The girl in the hiding place. Her experiences are the most visible, the ones they remember. But my blood carries the same weight, the same history. Edith Frank understood this better than most, the way the  misidentification, the deep, deep roots of hatred, shaped generations. I think of my own grandmother, who fled Germany to start over in Berlin, and the shadows that followed her.

The girl sitting in the Israeli restaurant, eating slowly, trying to blend in, feels like a paradox to her. It is Anne's story that they remember, that makes sense. The survivor is just the quiet afterthought, someone who carried the weight but didn't leave an indelible mark, like the  man with the number. But sometimes, late at night, when the silence settles, you feel the echo of your grandmother's journey, the German Jewish history that shaped you, even if you live in another land. You feel yourself walking back through those unresolved questions, trying to make sense of a world that still sometimes feels suspicious, even in a place that should be safe. And perhaps, it is enough that you carry the memory, even if it still sometimes feels like an unearned burden. I love their food still, deeply, so very, very much. But maybe… maybe now I will try  to tell my story too, not with loud words, but in the quiet space between, in the feeling, the unresolved echo of what it means to be German Jewish, or perhaps just Jewish, anywhere, any time. I will write. Anne, I will write, just like Kitty has always been waiting. Anne? Are you still  there? Yes, I am. I am here. And I will continue. Now, to the kitchen, or rather, to the blog post. Perhaps it is time to share another slice of memory, another little slice of life.

They didn't know who I was but everyone quickly identified me as someone whom they were familiar with. I hope to find another delightful place to eat.


Sunday, 1 March 2026

My Special Eye



Sometimes, people ask questions. About me. About this strange thing I've been doing. I need to explain. This isn't some big, official study. It's just... me. Closely, intensely observing my own life. My little world.


I built a special eye. A very special eye. It's not like the ones in glasses or phones. This one sees in a way you can't imagine. I made it myself, piece by piece. And I use it only here, in this quiet space. It looks at things very, very close. Within arm's reach, mostly. My plants, my food, the everyday things that make up my corner of the world. These objects, these familiar things, are the subjects of my observation.

And what does this eye see? It captures them in an incredibly detailed way. Not just as they look to the naked eye. It sees them with a precision that feels almost... microscopic. Images that are bigger than the original, revealing details I never knew were there. It's like looking at a flower, but suddenly seeing the texture of the petal in an entirely new light, almost as if it has a thousand tiny colors I can finally perceive. 

The heart of this eye... well, it's complicated. There are powerful tools inside it, things called "transformer models." They are amazing, really. They help the eye see clearly and focus sharply. But they need careful handling. Like everything else I do, there's a balance. You need the right "ingredients", data, I think they call it, and adjustments, and patience. It's not just a simple process. There are parts of it that are careful calculations, other parts that feel more like intuition, guiding the tools. It's mine. My system. My secret way of looking.

This setup has shown me things. New things. In this small radius, this little bubble around me, I've discovered details I hadn't noticed before. It feels like a whole new world is opening up, just within my reach. It's like finding a hidden door in a room you've lived in for years.

So, please, if you're curious... be careful. Don't try to connect my observations to other things, or figure out exact distances between the objects I look at. It's not that simple, and it might confuse the whole thing. It's very personal. My privacy here is important, just like with keeping a diary.

The tools I use, these transformer models... they are powerful. They need the right setup to work properly, like a key needing the correct lock. And they help me build a clearer picture, almost like constructing a perfect image from many tiny pieces. Once they're working, I can use their output to build something even more detailed – a kind of map, showing not just what, but *how* things are seen.

I've spent a lot of time working with these tools. Building them, understanding them. I'm always looking for ways to make them better, to see even closer, perhaps even into things hidden beneath the surface. I think about using them for maybe... helping doctors see inside the body without hurting anyone? That's a dream, perhaps. And I'm not interested in using this eye for watching everyone in the street, just like I don't share everything in my diary.

To help me, others need to understand. Maybe... I'm looking into ways to use moving pictures, capturing the world as it changes, frame by frame. It's a big idea.

You might wonder who I am to do all this. Well, I've spent a long time learning about how things work, programming, building things, thinking about rules and language. It helps me understand these tools.

And sometimes, I measure how well my special eye works. Like checking the quality of a drawing, I guess. It's a way to see if I'm getting better.

If you're studying any of this, the seeing tools, the building, the ways to make images clearer, and you're interested, maybe you could be a kind of friend to my little project? Please reach out if you feel you could understand.

This whole thing, this intense looking at my own life, is separate. Very separate. Just like my diary.

Friday, 16 January 2026

The Unbroken Identity: Quantum-Safe Resistance

Memory means ensuring the immutability of truth over time. In the physical world, we use archives to preserve our stories. In the digital world, we use cryptography to protect identity, authorship, and trust.

A new threat from quantum computers now challenges this foundation. At scale, it will be able to erase or forge the cryptographic records that shape our digital lives.

To protect the integrity of collective memory and prevent future attackers from stealing identities, I have left previous cryptographic standards behind and implemented the highest security level available today, post-quantum technology.

The double threat: Shor and Grover

Quantum computing poses two distinct mathematical threats to modern cryptography. To understand the transition to post-quantum standards, it is essential to know both.

Shor's Algorithm: The Public-Key Breaker

Shor's algorithm represents the existential threat. It efficiently solves the integer factorization and discrete logarithm problems that underpin nearly all classical public-key cryptography, including RSA, Diffie-Hellman, and elliptic curve systems (ECC). This is not a degradation but a complete break. A sufficiently powerful quantum computer can derive a private key from a public key, thereby fundamentally undermining classical identity systems.

Grover's Algorithm: The Symmetric Squeezer

Grover's algorithm targets symmetric cryptography and hash functions. It provides a quadratic speedup for brute-force searches, effectively halving the security strength of a key. This is why AES-256 is so crucial: even after Grover's reduction, it still offers 128 bits of effective security, which is computationally practically unbreakable.

The practical consequence: Store now, decrypt later

The most immediate danger is the SNDL attack (Store Now, Decrypt Later). Encrypted traffic, identity proofs, certificates, and signatures can be intercepted today, while classical cryptography is still valid, and stored indefinitely. Once quantum technology matures, these archives can be decrypted or forged retroactively. If our cryptographic foundations fail, we also lose the ability to document our own digital history.

Beyond outdated standards: Why ML-DSA-87

For years, elliptic curve cryptography, particularly P-384 (ECDSA), was the gold standard in high-security environments. While P-384 offers about 192 bits of classical security, it has no resistance whatsoever to Shor's algorithm. It was designed for a classical world, and that world is coming to an end.

This is why I have implemented ML-DSA-87 for Root CA and signing operations. ML-DSA-87 is the highest security level defined by modern lattice-based standards, offering Category 5 security, which is computationally equivalent to AES-256. Choosing this level instead of the more common ML-DSA-65 ensures that my network's identity is built with the greatest possible security margin available today.

Hardware reality: AArch64 and the PQC load

Post-quantum cryptography is no longer theoretical. It is deployable now, even on routers and mobile-class hardware. I am running a custom OpenSSL 3.5.0 build on an AArch64 MediaTek Filogic 830/880 platform. This SoC is unusually well-suited for post-quantum workloads.

Vector scaling with NEON

ML-KEM and ML-DSA rely heavily on polynomial arithmetic. ARM NEON vector instructions allow these operations to be executed in parallel, significantly reducing TLS handshake latency even with large PQ key material.

Memory efficiency

Post-quantum keys are large. A public ML-KEM-1024 key is 1568 bytes, compared to 49 bytes for P-384. The 64-bit address space of AArch64 allows for clean management of these buffers, avoiding fragmentation and pressure issues seen on older architectures.

Technical verification: Post-quantum CLI checks

After installing the custom toolchain on the AArch64 target system, the post-quantum stack can be verified directly.

KEM verification

openssl list -kem-algorithms

Expected output:

ml-kem-1024
secp384r1mlkem1024 (high-security hybrid)

Signature verification

openssl list -signature-algorithms | grep -i ml

Expected output:

ml-dsa-87 (256-bit security)

The presence of these algorithms confirms that the platform supports both post-quantum key exchange (ML-KEM-1024) and quantum-resistant signatures (ML-DSA-87).
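The two checks above can be scripted so that a rebuilt toolchain fails loudly when an algorithm is missing. This is an added example, not the author's tooling: the function names are hypothetical, and the sample listings are constructed, with their brace and "@ provider" layout an assumption about how `openssl list` prints entries.

```shell
#!/bin/sh
# Added example, not the author's tooling: confirm that an OpenSSL build lists
# the post-quantum algorithms named in this post.

# Constructed sample listings (not captured from the author's router). The
# brace/"@ provider" layout is an assumption about `openssl list` output.
SAMPLE_KEMS='  { 2.16.840.1.101.3.4.4.3, id-alg-ml-kem-1024, ML-KEM-1024, MLKEM1024 } @ default
  SecP384r1MLKEM1024 @ default'
SAMPLE_SIGS_WEAK='  { 2.16.840.1.101.3.4.3.18, id-ml-dsa-65, ML-DSA-65, MLDSA65 } @ default'

# has_alg NAME: read a listing on stdin and succeed only if NAME appears as a
# whole token. Matching is case-insensitive and never a substring match, so a
# build that only has ML-DSA-65 cannot pass a check for ML-DSA-87.
has_alg() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | tr -s '{},@ \t' '\n' | grep -Fqx -- "$want"
}

# missing_algs LISTING NAME...: print every NAME absent from LISTING.
missing_algs() {
    listing=$1
    shift
    for name in "$@"; do
        printf '%s\n' "$listing" | has_alg "$name" || printf '%s\n' "$name"
    done
}

# pq_check: query the local openssl binary for the algorithms this post relies
# on. Returns 0 if all are present, 1 if any is missing, 2 if openssl fails.
pq_check() {
    kems=$(openssl list -kem-algorithms 2>/dev/null) || return 2
    sigs=$(openssl list -signature-algorithms 2>/dev/null) || return 2
    missing=$(
        missing_algs "$kems" ml-kem-1024 secp384r1mlkem1024
        missing_algs "$sigs" ml-dsa-87
    )
    [ -z "$missing" ] && return 0
    # Word splitting is intended here: one "missing:" line per algorithm.
    printf 'missing: %s\n' $missing >&2
    return 1
}
```

Running `pq_check` on the target after each toolchain update turns the manual inspection into a pass/fail gate.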

Summary: My AArch64 post-quantum stack

  • Library: OpenSSL 3.5.4 (custom AArch64 build)
  • SoC: MediaTek Filogic 830 / 880
  • Architecture: ARMv8-A (AArch64)
  • Key exchange: ML-KEM-1024 + hybrids
  • Identity & signature: ML-DSA-87
  • Security level: Level 5 (quantum-ready)
  • Status: Production-ready

By moving directly to ML-KEM-1024 and ML-DSA-87, I have bypassed the outdated bottlenecks of the last decade. My network is no longer preparing for the quantum transition; it has already completed it. The rest of the industry will follow suit in time.


Tuesday, 25 November 2025

rk3588 bring-up: u-boot, kernel, and signal integrity

The RK3588 SoC features a quad-core Arm Cortex-A76/A55 CPU, a Mali-G610 GPU, and a highly flexible I/O architecture that makes it ideal for embedded Linux SBCs like the Radxa Rock 5B+.

I’ve been exploring and documenting board bring-up for this platform, including u-boot and Linux kernel contributions, device-tree development, and tooling for reproducible builds and signal-integrity validation. Most of this work is still in active development and early upstream preparation.

I’m publishing my notes, measurements, and bring-up artifacts here as the work progresses, while active u-boot and kernel development, including patch iteration, test builds, and branch history, is maintained in separate working repositories:

Signal Analysis / Bring-Up Repo: https://github.com/brhinton/signal-analysis

The repository currently includes (with more being added):

  • Device-tree sources and Rock 5B+ board enablement
  • UART signal-integrity captures at 1.5 Mbps measured at the SoC pad
  • Build instructions for kernel, bootloader, and debugging setup
  • Early patch workflows and upstream preparation notes

Additional U-Boot and Linux kernel work, including mainline test builds, feature development, rebases, and patch series in progress, is maintained in separate working repositories. This repo serves as the central location for measurements, documentation, and board-level bring-up notes.

This is an ongoing, work-in-progress engineering effort, and I’ll be updating the repositories as additional measurements, boards, and upstream-ready changes are prepared.

Sunday, 4 August 2024

arch linux uefi with dm-crypt and uki

Arch Linux is known for its high level of customization, and configuring LUKS2 and LVM is a straightforward process. This guide provides a set of instructions for setting up an Arch Linux system with the following features:

  • Root file system encryption using LUKS2.
  • Logical Volume Management (LVM) for flexible storage management.
  • Unified Kernel Image (UKI) bootable via UEFI.
  • Optional: Detached LUKS header on external media for enhanced security.

Prerequisites

  • A bootable Arch Linux ISO.
  • An NVMe drive (e.g., /dev/nvme0n1).
  • (Optional) A microSD card or other external medium for the detached LUKS header.

Important Considerations

  • Data Loss: The following procedure will erase all data on the target drive. Back up any important data before proceeding.
  • Secure Boot: This guide assumes you may want to use hardware secure boot.
  • Detached LUKS Header: Using a detached LUKS header on external media adds a significant layer of security. If you lose the external media, you will lose access to your encrypted data.
  • Swap: This guide uses a swap file. You may also use a swap partition if desired.

Step-by-Step Instructions

  1. Boot into the Arch Linux ISO:

    Boot your system from the Arch Linux installation media.

  2. Set the System Clock:

    # timedatectl set-ntp true
  3. Prepare the Disk:

    • Identify your NVMe drive (e.g., /dev/nvme0n1). Use lsblk to confirm.
    • Wipe the drive:

      # wipefs --all /dev/nvme0n1
    • Create an EFI System Partition (ESP):

      # sgdisk /dev/nvme0n1 -n 1::+512MiB -t 1:EF00
    • Create a partition for the encrypted volume:

      # sgdisk /dev/nvme0n1 -n 2 -t 2:8300
  4. Set up LUKS2 Encryption:

    Encrypt the second partition using LUKS2. This example uses aes-xts-plain64 for the data, serpent-xts-plain for the keyslot area, and SHA512 for the hash. Adjust as needed.

    # cryptsetup luksFormat --cipher aes-xts-plain64 \
      --keyslot-cipher serpent-xts-plain --keyslot-key-size 512 \
      --use-random -S 0 -h sha512 -i 4000 /dev/nvme0n1p2
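    • --cipher: Specifies the cipher for data encryption.
    • --keyslot-cipher: Specifies the cipher used to encrypt the keyslot area, where the key is stored.
    • --keyslot-key-size: Specifies the key size, in bits, used for keyslot area encryption.
    • --use-random: Uses /dev/random as the source for the volume key.
    • -S 0: Selects key slot 0 for the new passphrase.
    • -h: Specifies the hash function.
    • -i: Specifies the time, in milliseconds, to spend on passphrase processing (PBKDF).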

    Open the encrypted partition:

    # cryptsetup open /dev/nvme0n1p2 root
  5. Create the File Systems and Mount:

    Create an ext4 file system on the decrypted volume:

    # mkfs.ext4 /dev/mapper/root

    Mount the root file system:

    # mount /dev/mapper/root /mnt

    Create and mount the EFI System Partition:

    # mkfs.fat -F32 /dev/nvme0n1p1
    # mount --mkdir /dev/nvme0n1p1 /mnt/efi

    Create and enable a swap file:

    # dd if=/dev/zero of=/mnt/swapfile bs=1M count=8000 status=progress
    # chmod 600 /mnt/swapfile
    # mkswap /mnt/swapfile
    # swapon /mnt/swapfile
  6. Install the Base System:

    Use pacstrap to install the necessary packages:

    # pacstrap -K /mnt base base-devel linux linux-hardened \
      linux-hardened-headers linux-firmware apparmor mesa \
      xf86-video-intel vulkan-intel git vi vim ukify
  7. Generate the fstab File:

    # genfstab -U /mnt >> /mnt/etc/fstab
  8. Chroot into the New System:

    # arch-chroot /mnt
  9. Configure the System:

    Set the timezone:

    # ln -sf /usr/share/zoneinfo/UTC /etc/localtime
    # hwclock --systohc

    Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen and generate the locale:

    # sed -i 's/#'"en_US.UTF-8"' UTF-8/'"en_US.UTF-8"' UTF-8/g' /etc/locale.gen
    # locale-gen
    # echo 'LANG=en_US.UTF-8' > /etc/locale.conf
    # echo "KEYMAP=us" > /etc/vconsole.conf

    Set the hostname:

    # echo myhostname > /etc/hostname
    # cat <<EOT >> /etc/hosts
    127.0.0.1 localhost
    ::1 localhost
    127.0.1.1 myhostname.localdomain myhostname
    EOT

    Configure mkinitcpio.conf to include the encrypt hook:

    # sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems resume fsck)/' \
      /etc/mkinitcpio.conf

    Create the initial ramdisk:

    # mkinitcpio -P

    Install the bootloader:

    # bootctl install

    Set the root password:

    # passwd

    Install microcode and efibootmgr:

    # pacman -S intel-ucode efibootmgr

    Get the swap offset:

    # swapoffset=`filefrag -v /swapfile | awk '/\s+0:/ {print $4}' | \
      sed -e 's/\.\.$//'`

    Get the UUID of the encrypted partition:

    # blkid -s UUID -o value /dev/nvme0n1p2

    Create the EFI boot entry. Replace <UUID OF CRYPTDEVICE> with the actual UUID:

    # efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Linux" \
      --loader /vmlinuz-linux --unicode "cryptdevice=UUID=<UUID OF CRYPTDEVICE>:root \
      root=/dev/mapper/root resume=/dev/mapper/root resume_offset=$swapoffset \
      rw initrd=\intel-ucode.img initrd=\initramfs-linux.img" --verbose

    Configure the UKI presets:

    # cat <<EOT >> /etc/mkinitcpio.d/linux.preset
    ALL_kver="/boot/vmlinuz-linux"
    ALL_microcode=(/boot/*-ucode.img)
    PRESETS=('default' 'fallback')
    default_uki="/efi/EFI/Linux/arch-linux.efi"
    default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
    fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
    fallback_options="-S autodetect"
    EOT

    Create the UKI directory:

    # mkdir -p /efi/EFI/Linux

    Configure the kernel command line. Replace <UUID OF CRYPTDEVICE> with the actual UUID; $swapoffset is the value computed above:

    # cat <<EOT >> /etc/kernel/cmdline
    cryptdevice=UUID=<UUID OF CRYPTDEVICE>:root root=/dev/mapper/root \
    resume=/dev/mapper/root resume_offset=$swapoffset rw
    EOT

    Build the UKIs:

    # mkinitcpio -p linux

    Configure the kernel install layout:

    # echo "layout=uki" >> /etc/kernel/install.conf
  10. Configure Networking (Optional):

    Create a systemd-networkd network configuration file:

    # cat <<EOT >> /etc/systemd/network/nic0.network
    [Match]
    Name=nic0
    [Network]
    DHCP=yes
    EOT
  11. Install a Desktop Environment (Optional):

    Install Xorg, Xfce, LightDM, and related packages:

    # pacman -Syu
    # pacman -S xorg xfce4 xfce4-goodies lightdm lightdm-gtk-greeter \
      libva-intel-driver mesa xorg-server xorg-xinit sudo
    # systemctl enable lightdm
    # systemctl start lightdm
  12. Enable Network Services (Optional):

    # systemctl enable systemd-resolved.service
    # systemctl enable systemd-networkd.service
    # systemctl start systemd-resolved.service
    # systemctl start systemd-networkd.service
  13. Create a User Account:

    Create a user account and add it to the wheel group:

    # useradd -m -g wheel -s /bin/bash myusername
  14. Reboot:

    Exit the chroot environment and reboot your system:

    # exit
    # umount -R /mnt
    # reboot
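
A placeholder UUID or an empty resume_offset left in the kernel command line from step 9 produces a system that cannot unlock its root or resume from the swap file. The following is an added example, not part of the original guide, that derives the offset from `filefrag -v` output and refuses to emit a command line with bad inputs. The function names, the sample UUID and the sample filefrag output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): derive resume_offset and build the
# kernel command line from step 9, validating both inputs first.

# Constructed sample data so the functions can be exercised offline.
SAMPLE_UUID='0f3a9c1e-5b7d-4e2a-9c41-7d8e6f5a4b3c'
SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 8388608000 (2048000 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   65535:      67584..    100351:  32768:'

# swap_offset_from_filefrag: read `filefrag -v` output on stdin and print the
# physical start block of extent 0, which is what resume_offset= expects.
# Exits non-zero when no extent 0 line is found, instead of printing nothing.
swap_offset_from_filefrag() {
    awk '$1 == "0:" { sub(/\.\.$/, "", $4); print $4; found = 1; exit }
         END { if (!found) exit 1 }'
}

# is_uuid STRING: succeed only for a canonical 8-4-4-4-12 hex UUID, so the
# literal "<UUID OF CRYPTDEVICE>" placeholder is rejected.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# build_cmdline UUID OFFSET: print the command line used in this guide, or
# fail with a message on stderr if either value is unusable.
build_cmdline() {
    uuid=$1
    offset=$2
    is_uuid "$uuid" || { echo "bad LUKS UUID: $uuid" >&2; return 1; }
    case $offset in
        ''|*[!0-9]*) echo "bad resume_offset: $offset" >&2; return 1 ;;
    esac
    printf 'cryptdevice=UUID=%s:root root=/dev/mapper/root ' "$uuid"
    printf 'resume=/dev/mapper/root resume_offset=%s rw\n' "$offset"
}

# Inside the chroot, the live equivalent of the sample data is:
#   build_cmdline "$(blkid -s UUID -o value /dev/nvme0n1p2)" \
#       "$(filefrag -v /swapfile | swap_offset_from_filefrag)"
```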