Right now!

Innit neat?!

As you can see at the footer, it’s made with Hugo and uses a theme Hermit-V2. I’m not much of a front-end web developer, so I gravitate toward tools that let me focus on writing content in Markdown and generate static HTML/CSS as output. Because of that, this page isn’t really about front-end design—it’s about how the site is hosted and the principles behind it.

Since the website is self-hosted, my primary objectives are:

1. Minimizing attack area
2. Isolating the web-server should it get compromised

I’m trepid about giving away too many details about my security posture, but I feel confident enough in my stack that I can disclose the following:

Minimizing attack area

The website is intentionally simple. It’s a statically served HTML/CSS/JavaScript site with no server-side application logic or database. This significantly reduces the complexity and attack surface compared to a dynamic website.

Public traffic is managed by a reverse proxy that

• Hides my IP address
• provides some protection against denial-of-service and other network attacks
• minimizes the traffic I have to allow from the internet into my network

As such, the public facing part of my server does as little as possible and only as much as necessary.

Isolating and containing the server

The entire stack uses the principal of least privilege:

• The web server runs in a rootless container of an unprivileged user.
• It has only read-only access to only the files it needs.
• It also runs with OS-level mandatory access controls.

Further, the server itself is isolated from the rest of my network using VLAN-segregation and a firewall enforces minimal access to the WAN using egress filtering, and zero access to the LAN.

My design philosophy is to assume a breach will happen and minimize its impact when it does.

I tailor my resumé to the jobs I apply to, but this is broadly what I would write for a network-engineering job

Education

University of Nebraska - Lincoln, BS in Computer Science, Mathematics
Sept 2019 – May 2023 · Lincoln, NE, USA

Experience

Mutual Of Omaha
Information Services Service Desk Analyst
Oct 2025-present · Remote

• Provided first-line technical support in a large enterprise IT environment
• Troubleshooting Windows, Mac, and Linux desktops and server issues
• Created, resolved, and escalated incidents and service requests using ServiceNow
• Followed established workflows, documentation, and escalation procedures
• Collaborated with network, systems, and application teams to resolve user issues

NCR Voyix
Field Service Technician (AKA Customer Engineer)
Aug 2024–Aug 2025 · Remote in Indianapolis, IN & Minneapolis, MN

• Troubleshot and installed Windows and Linux based retail software
• Tested and terminated network twisted-pair cabling
• Maintained and repaired server, networking, and electromechanical equipment
• Communicated with stakeholders and developed relationships

Teachers’ Treasures
Warehouse associate & group leader
Sept 2023–Aug 2024 · Indianapolis, IN

• Lead groups of up to 15 volunteers in logistical tasks
• Working with diverse groups, and identifying how to tailor my communication style

University of Nebraska - Lincoln
Teaching assistant & undergraduate researcher
Jan 2021–May 2023 · Lincoln, NE

• Taught a systems engineering class and an introductory C programming class
• Communicated technical concepts to an audience ranging in technical ability
• Read, comprehended, and relayed technical documentation

Projects

OPNSense firewall
Deployed and administered an OPNSense firewall for a segmented network environment

• Configured VLAN-based network segmentation using a VLAN-aware switch
• Implemented least-privilege firewall rules to host a web service in a DMZ
• Deployed a WireGuard hub/relay server to securely tunnel between trusted devices
• Administered DNS/DHCP services for hostname-based device addressing

Network service hosting
Designed, deployed, and maintained self-hosted network services

• Configured encrypted network services, including mTLS authentication and secure NFS
• Deployed and managed web services, a website and containerized applications
• Implemented DNS configuration and service exposure for publicly accessible services
• Applied encryption, authentication, and access control to ensure secure network

C# application for USDA

• Emphasized code maintainability as development manager on a team of six
• Collaborated with a cross-functional team of stakeholders to design the application
• Developed documentation for end users and maintainers
• Database administration, automated development tasks, generating code files, and testing and deployment

Skills

• Operating Systems: Windows 10, Windows 11, Ubuntu & Fedora Linux
• Network infrastructure: Routing, switching, VLANs, DHCP, DNS resolution, firewalls, VPNs
• Cybersecurity: Data classification, authentication, secure communications
• Troubleshooting: Following procedures for routine issues, or methodically troubleshooting complex issues
• Communication: Actively listening to stakeholders, asking questions and illiciting requirements

I grew up in a town outside of Chicago, IL. In high-school, I was in cross-country, and track-and-field as a runner. I was a mathlete, going to the Illinois state math competition one year. I also played the French horn.

I knew early that I was good at and enjoyed mathematics and science. Some of my favorite classes were my biology, chemistry, physics, and calculus classes because of the content. I also greatly enjoyed my European and American history classes as the teachers were excellently engaging.

I graduated second in my class of about 350 having received and accepted a Chancellor’s Scholarship at the University of Nebraska - Lincoln.

Undergraduate studies at the University of Nebraska - Lincoln

I choose the University of Nebraska - Lincoln (UNL) for their highly accredited actuarial science program. I did one year of business school, got a 97% in accounting, but thought that it was dreadfully boring. That, combined with anxiety about taking the actuarial exams motivated me to consider jobs outside of finance.

I attended a presentation by a group of actuaries who made actuarial software instead and thought that that would be a sensible pivot for me. I took an intro to C programming class and was quickly hooked on computing. I switched to the School of Computing track with a second major in mathematics.

I was a teaching assistant for the same intro to C programming class and later a systems engineering class TA for Dr. Bohn. I was also a math resource center counselor and private tutor for a data structures and algorithms class. I greatly enjoyed all of those roles; it was fun working with the other students and sharing my passion for computers. I enjoyed low-level programming most, with the nitty-gritty of C being my favorite followed by C# for its simplicity in designing program architectures and Python as a good scratch-pad language for drafting ideas.

My second major at UNL was mathematics. The two favorite classes I took were elementary analysis and group theory. I really enjoyed my analysis class, but broadly I like discrete math better than analytical, perhaps because of the closer overlap with computer science. I also took a great deal of statistics classes in combination of my actuarial studies.

Outside of classes, I enjoyed climbing at the gym, where I was in the university climbing club before the pandemic paused the club. I also was and still am an avid board gamer. I was a regular attendee at the board game club’s weekly meetings where I enjoyed overly complex strategy games.

Senior design capstone with the USDA

My capstone project in the UNL school of computing was implementing an ArcGIS Online add-in for the United States Department of Agriculture, Natural Resource Conservation Service (USDA NRCS). One of the functions of the Nebraska NRCS is protecting wetlands. My five colleagues and I made an ArcGIS add-in for the USDA to assist in collating water, soil, and plant samples to generate wetland surveying, determination, and delineation documentation.

On the team I was the project’s development manager and was tasked with assuring the team’s product was technically sound. I architected the program with an emphasis on code extensibility and maintainability. We had to change the database backing the tool and a future database change was anticipated, so the allowing future developers to easily adapt the application to organization needs was critical.

(See the project’s year-end review document on page 29)

Research with Dr. Variyam

My last year of university I received a National Science Foundation grant to do undergraduate with Dr. Variyam and his research on Weak Derandomizations in Time and Space Complexity. Our research was expanding on the work of Jakub Pawlewicz and Mihai Pătraᶊcu’s “Order Statistics in the Farey Sequences in Sublinear Time and Counting Primitive Lattice Points in Polygons” Algorithmica 55 (2009): 271-282.

Pawlewicz and Pătraᶊcu’s work developed an algorithm to compute order statistics in the Farey sequence using the Merten’s function. This connection reveals the Farey order-statistic function’s close connection with a host of other fundamental number-theory functions including the Möbius, Merten’s, Euler’s totient, prime-count, square-free, and Riemann’s Zeta functions. Dr. Variyam and I worked on developing a reduction complexity hierarchy between these functions.

I was also exploring a novel algorithm for approximating and computing the Farey sequence’s rank and order using it’s discrepancy—that is, the measure of the deviation of the Farey-sequence from being uniformly distributed. To this day, I am convinced the discrepancy function can be modeled as a fractal, eluding to a recursive algorithm to compute or approximate it. Much of my work was exploratory, using a Python to generate and plot Farey sequence and transformations of them. However, I was blocked from developing any concrete proofs about the Farey sequence by not knowing complex analysis, which is needed to understand and expand on much of the existing work on the subject.

After undergraduate

I graduated in 2023 with a bachelors in science from the University of Nebraska - Lincoln, with majors in mathematics and computer science. For a time, I considered pursuing a PhD at UNL under the guidance of Dr. Variyam. I applied to the PhD program, was accepted and received a research assistantship for funding. Ultimately, however, I decided that it was neither the right time or opportunity for me. My work with Dr. Variyam was about as theoretical as one can get on the continuum of applied to theoretical computer science research. From my experience as systems engineering class teaching assistant and as development manager on my team with the USDA, I felt myself drawn more to applied computer science. While I still feel drawn to pursue a graduate degree in the future, I would prefer to do so after some time working in industry. I instead moved to Indianapolis seeking working as a software developer.

Working at non-profit Teachers’ Treasures

After a few months of unemployment in 2023 after graduation while seeking work, one day I decided “I’d rather work for free than not at all!” and looked around for volunteering opportunities in Indianapolis. I felt drawn to one in particular Teachers’ Treasures, an organization that collects and distributes school supplies to teachers of low-income schools in Marion county. After volunteering for a short time, I was offered paid, full-time work at Teachers’ Treasures as a warehouse associate. In addition to warehouse work, I also lead out volunteer groups in logistical tasks, ranging from stocking the store, and sorting donations, and operation during our shopping hours. During my time at Teachers’ Treasures from 2023-2024, we helped distribute approximately $13 million in school supplies free of charge to teachers in the Indianapolis metropolitan area.

Working at NCR Voyix

Seeking a career more closely aligned with my goal of working in IT, I started work at NCR Voyix in 2024 as a customer engineer—essentially a retail technology field service technician. There, I installed and repaired a variety of hardware, including networking equipment (switches, routers, access points, and cabling), self-checkout kiosks (coin and bill recyclers, computer head units, and peripherals), and general use computers. I also worked closely with our customers to deliver exceptional service, prioritizing timely response times, one-call resolution, and availability during business critical emergencies. At NCR, my passion for computer networking started to emerge. In Minnesota, I was one of a subset of technicians able to work on networking equipment. As such, a significant portion of my work was on diagnosing, fixing, or replacing cabling, routers, switches, and access points in our customers’ retail locations.

What’s OPNSense?

OPNSense is an open-source, Free BSD-based, firewall OS.

You might’ve picked up that this is similar to my OpenWRT/T35 project. In fact, the original intention was to use the T35 as a firewall as is it originally was using OPNSense. I was discouraged by the fact that OPNSense uses FreeBSD, and although it is Unix-like, I am less familiar with BSD compared to Linux. On hitting a roadblock getting the internal network-switch to work on my T35 using OpenWRT, I decided to bite the bullet and buy a OPNSense-suitable appliance. I bought a Dell Wyse with two NICs and installed OPNSense onto it.

OPNSense has richer firewall rules than OpenWRT, and a larger computational footprint. In summary, OpenWRT is for embedded routers whereas OPNSense is a full-fledged firewall.

Before I had my OPNSense firewall, I had a Raspberry Pi 4 running IPFire. I was underwhelmed by the features and limitations of IPFire, but principally, the RPi 4 has only one network port and an SD card for storage. I was bottlenecking my network by using a USB-Ethernet adapter for one of the interfaces. Also, IPFire has a limitation that it can only have one VLAN assigned per interface, which disrupted my plans to segregate my LAN, WLAN, DMZ, and work VLANS on the same interface.

What I am doing with OPNSense

I host a server (including this website) and I wanted to segregate traffic to and from my server from the rest of my network. This is accomplishable with VLAN segregation and the NetGear VLAN-aware switch I have. It also lets me segregate and monitor my work VLAN and WLAN’s traffic.

OPNSense has intrusion detection and prevention baked into it, which I’ve yet to fully explore, but I utilize it.

I also wanted to host a wireguard peer to serve as a relay and ingress for my private LAN. The WireGuard tunnel lets me stream video, VNC, file-sharing, and ssh from and between my trusted devices and my LAN.

Lastly, OPNSense can host a DNS server, which was the original catalyst for using IPFire. That way I can address my servers, PC, laptop, and phone by domain name instead of IP; very handy!

What’s OpenWRT?

OpenWRT is an open-source, Linux-based, community-developed, router OS for embedded devices.

What’s a Firebox T35?

A Firebox T35 is a hardware firewall developed by WatchGuard. Its a 5-port, gigabyte firebox designed for small business and offices. It was declared end-of-life by WatchGuard in 2025, with support no longer being provided, nor security firmware/software updates. Because of it’s end-of-life, it’s no longer useful as a security appliance for production use.

Why then, install a router OS on a firewall?

One can find a glut of used, T35s on E-Bay for as little as $20 that are physically in perfect working order. A friend of mine gave me her used T35 to tinker with. I was initially interested in installing OPNSense, an open-source firewall OS based on Open-BSD, on the hardware. The T35, uses the NXP/Freescale T1024 SoC which uses a PowerPC64 architecture. While the OpenBSD kernel and OPNSense supports PPC64 architecture, and even the QoriQ family of chips the T35 uses, at the beginning of the project I was mistaken that it was not compatible with PPC64. Neither OpenWRT nor OPNSense support the T35 with readily installed image.

I decided that it was a worthwhile endeavor to contribute support for the T35 to the OpenWRT project. Further, the T35 is part of the T-series, a series of similar tabletop firewalls, and development work on the T35 would likely lead to easier development for support on the other devices in the series. As of the time of writing, the only WatchGuard product with OpenWRT support is the m300.

First steps

Gratefully, the T35 has a number of features that make it easier to reverse-engineer and develop on. Namely, the storage is a removable, writable mSATA SSD. None of the drive is encrypted (that I encountered, at least). The first thing I did was remove the drive and capture an image of the entire SSD and each of the partitions. On booting the WatchGuard, the user is greeted by a U-Boot boot-loader selection menu to boot into standard or recovery mode from the first three partitions. The partitions each contain a kernel u-image and a device tree. As expected, the boot-loader boots the kernel in the selected partition.

There is a u-boot command line available where one could change the boot parameters and command-line, but it is password protected. Ideally, I would reflash the boot-loader so that I could edit it, but a mistake would likely brick the board without a way for me to boot again. Instead, my plan was to write the OpenWRT kernel and file-system to the SSD partitioned and named the same way such that the existing boot-loader would boot it none the wiser that it was actually booting OpenWRT instead.

Getting a Linux command-line on the stock image

There was much information that would be useful the collect at runtime on the stock image of the T35, namely the information in the /proc file-system. The difficulty is, the shell that one gets in a T35, even when logged in as the admin user, is not a standard Linux shell where one could read and edit files; it’s a secure network-appliance shell that deliberately makes it difficult to escape and execute standard Linux commands. My first attempt was the swap out the /sbin/init process so my script would collect the information I needed and dump it to a file on the disk. The two problems were:

1. Without the original init process running, much of the info I needed was uninitialized… whoda guessed that?
2. The file-system was a tempfs so all writes, even to an external USB drive, were ephemeral

Back to the drawing board…

Fortunately, the WatchGuard engineers sensibly named the user the CLI process runs as user cli and the shell it runs is /usr/bin/cli. I swapped the file /usr/bin/cli with a BusyBox shell executable, and after logging in through the normal WatchGuard log-in, it launched me a BusyBox shell where I could read and list the files I needed from the /proc tree. The WatchGuard stock kernel left CONFIG_IKCONFIG_PROC=y in their .config, so I was able to get the original kernel configuration from the running, original stock image.