a compendium of half-finished projects by thomas strömberg – @thomrstrom

The birthrights of humankind are that of unexplored limits and undiscovered territories. The aim of my trip last weekend was to find a bit of both.


Before allowing my kids to ride on the back of my BMW CE 04, I wanted to drastically improve its visibility. It turns out that there is a company that specializes in doing just that: skenelights.com

The lights they sell have a unique conspicuity filter, which uses the motion-detecting characteristics of human vision to enhance visibility. It's difficult to accurately capture the appearance with a cell phone camera due to the rolling shutter, but this is what it looks like before sunset and at night:


A reposting from my Google Doc at https://tinyurl.com/readable-dd

Why bother?

Circulating a design document is like putting your idea up for code review.

Submitting ideas to the scrutiny of peer review is your team's best defense against engineering incompatible with its principles.

All humans have blind spots. Your goal as an author is to gather enough input to reveal them before execution. Issues found during design are 6X cheaper to fix than during implementation:

The questions that reviewers should have in their mind while reading the document are:

  • Does this fit with my organization's principles?
  • Could the proposed implementation be made simpler?
  • Are there alternative approaches to consider?
  • What additional concerns should be addressed?

I was recently provided a sample of the recently announced stealthier variant of bpfdoor, malware targeting Linux that is almost certainly a state-funded Chinese threat actor (Red Menshen). The sample analyzed was a8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7, detectable by 11 of 62 detectors on VirusTotal.

I was particularly curious what the bpfdoor surface area looked like, and if it was easy it was to detect using existing open-source tools and common Linux command-line utilities.

To experiment, I used my favorite VM manager on macOS or Linux for this analysis: Lima, with the default Ubuntu 22.10 image.


In the 1930s, Vinzenz Grünvogel designed the Wehrmacht-Einheitskanister: an ingenious container that was stackable, carried liquid without spilling and was easy to carry. The design was so popular that nations around the world copied it, and in the United States, it became known as a “Jerry Can” (Jerry being slang for “German”).

This project shares none of those attributes.


A few Saturdays ago, I ventured to central North Carolina to join the local ADVrider crew for lunch as part of the confusingly named “Eastern Nc Advrider Dinner” thread. I took my trusty BMW CE-04 along – a quirky urban electric scooter (and the most fun I’ve had on two wheels).

While the trip was only 138 miles of backroads (an absurd amount for any GS owner), that's a fair journey on a scoot that only averages 62 miles of range in this environment. This trip includes:

  • 4 hours of riding
  • 2 hours of charging ($0.86)



Today I will teach you how to roll your own detection of a classic Linux kernel rootkit using shell scripting (for explanation) and osquery (for production).

Your chance of encountering a Linux kernel rootkit in the wild is slim due to compatibility and distribution challenges, so this explanation is geared toward the most paranoid folks in the audience. For this demonstration, we'll use reveng_rtkit – one of the more modern examples of a Linux rootkit.

As of February 2023, this reveng_rtkit runs well on Debian, so I used lima with limactl start template://debian to create my test environment.


A couple of weeks ago, I had the misfortune of breaking the indicator light off my BMW CE 04 scooter. It was through no fault of its own, I just underestimated the amount of suspension travel when mounting a bicycle on the back of it using the 2x2Cycles Moto Bicycle Carrier.

Give yourself 3-4 hours to perform these steps as it can require the removal and reinstallation of up to 25 bolts. Even if you are generally bad at mechanical things, this is an entirely doable procedure with the correct tools.

Credit to Guru Shudamundi, who posted a summarized version in a BMW CE 04 Facebook Forum thread, which gave me the courage to fix my own bike.


As part of my duties at Chainguard, I maintain an osquery based detection pipeline. As an open-source first company, we naturally open-sourced our production queries as part of the osquery-defense-kit. When new Malware reports are released, I'll typically consume them to gather ideas for improving the effectiveness of our queries.

With the new year upon us, Objective See recently published a retrospective report on the most interesting Mac Malware of 2022. This was an excellent opportunity to review the evidence to see which queries are the most effective. I am additionally thankful that Objective See publishes Malware binaries for additional review, as some of the evidence this report relies on had to be extracted from the original binaries.


For years I’ve had New Year’s resolutions to commit to blogging. This year isn’t any different!

So, what is different? For one, I feel I have more to share with the world now. I recently moved back to North Carolina, took up motorcycling again, and have professionally refocused on computer security.

In a surprising turn of events, Twitter recently torched its community goodwill and has suffered a massive brain drain. While this has been felt most acutely in the computer security industry, other groups, such as journalists, have also moved to Mastodon. I’ve tried my hand at Mastodon too, and while it’s been a good way to connect with more local personalities, it still feels a bit empty and hollow.

The post-Twitter shift has made room for a nascent renaissance in distributed social media and even blogging. There's been a clamor for folks to Start a Fucking Blog. Feeds are back en vogue, even if they have taken on a new flavor: ActivityPub.

Now blogs such as this one have ActivityPub feeds, which means they can be followed on Mastodon (this one is @thomrstrom@unfinished.bike). Even a decade after it was declared dead, RSS is still around and Feedly is as good as ever.

It remains to be seen what will be done with this next-to-new-found-land.

Enter your email to subscribe to updates.