
About 0x1RIS

The Short Version

Mahmoud, also known as 0x1RIS

Backend engineer by trade, security obsessive by nature

I build backend systems that happen to be hardened because I physically can't write code that ignores edge cases, doesn't sanitize input, or leaves crypto as "future work". That "future work" is where breaches happen, and I've seen enough of those to know better.

Security isn't my job title - it's a habit that got out of control somewhere around 3AM when I was deep in an RSA-4096 implementation and realized I'd been reading NIST SP 800-56B for fun.

The Long Version

Backend Engineer With a Security Problem

Here's the thing - I don't wake up and think "today I'm gonna be a security researcher". I wake up and think "this API endpoint needs proper rate limiting, the DB pool is misconfigured, and who the fuck left the debug endpoints exposed in production". The security part is just... what happens when you actually care about the systems you build.

I've been writing production code across the full stack for years - FastAPI, React, Flutter, Rust, whatever solves the problem without adding technical debt. I don't chase frameworks, I chase correctness. Security is just correctness under adversarial conditions.

What I Actually Do

I ship software that works in production, not just on localhost. I handle the full lifecycle - from schema design to deployment, from auth implementation to audit logging, from "it works on my machine" to "it survived a 48-hour no-internet stress test in an Egyptian warehouse".

When I pick a stack, it's because it solves the problem, not because it's trendy. When I pick a crypto algorithm, it's because I've read the source, understood the threat model, and verified the implementation doesn't leak timing information.


Projects

1. SMail - Zero Trust E2EE Email System

The one that got out of hand

Started as "let me build a secure email client" and spiraled into a full-blown academic research project with 8 chapters of documentation, architecture diagrams, and a crypto layer that would make most enterprise solutions look like toys.

Stack:
  • FastAPI (Python 3.13) on the backend, Flutter on the frontend
  • SQLite for local dev, PostgreSQL for production, SQLAlchemy ORM managing it all
  • RSA-4096 for legacy compat, X25519 for key exchange, AES-256-GCM for data
  • Argon2id for password hashing, PBKDF2 as fallback
  • Hybrid post-quantum key exchange because "quantum-safe" isn't a buzzword when your threat model includes state actors

Architecture:
  • Zero Trust - no implicit trust, every request verified, every session reauthenticated
  • Perfect Forward Secrecy - compromise today's keys, yesterday's emails stay encrypted
  • Client-side encryption/decryption - server never sees plaintext, never could

Features that took way too long:
  • Gmail bridge with IMAP sync - because migrating is hard, meet people where they are
  • Encrypted attachments with streaming AEAD
  • Audit logging with hash chains - tamper-evident, cryptographically linked
  • Anti-spam that doesn't suck, 2FA that actually works offline
  • 30+ REST endpoints spanning auth, email, keys, folders, the bridge

The Numbers:
  • Solo developer, entire system from crypto layer to Flutter UI
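The hash-chained audit log listed under SMail's features, as an added Python example that is not SMail's own code: every entry commits to the SHA-256 of the entry before it, so editing or deleting a past entry breaks the hash of everything after it. The class, field names and sample events are constructed for illustration; the `rechain` helper shows the one case the chain alone cannot catch.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# Hash-chain audit log: each entry commits to the hash of the one before it,
# so a tampered or deleted entry invalidates every later hash.
# Names, field layout and sample events are constructed for this example.

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same event always
    # serialises to the same bytes regardless of dict insertion order.
    payload = json.dumps(
        {"seq": seq, "prev": prev_hash, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class HashChainAuditLog:
    """Append-only list of entries linked by SHA-256."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        seq = len(self.entries)
        digest = entry_hash(prev, seq, event)
        self.entries.append({"seq": seq, "prev": prev, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        # Publish or sign this value out of band: truncating the tail or
        # rewriting the whole file re-chains cleanly, and only a head hash
        # the log writer cannot alter exposes that.
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # gap, deletion or reordering in the sequence
        if entry_hash(prev, i, e["event"]) != e["hash"]:
            return False, i  # entry content or stored hash was altered
        prev = e["hash"]
    return True, None


def build_sample_log() -> HashChainAuditLog:
    # Constructed events in the shape an email system might record.
    log = HashChainAuditLog()
    log.append({"actor": "alice", "action": "login", "ip": "203.0.113.7"})
    log.append({"actor": "alice", "action": "send_mail", "msg_id": "m-1001"})
    log.append({"actor": "alice", "action": "rotate_key", "key_id": "k-42"})
    return log


def tamper_event(entries: List[Dict[str, Any]], index: int, field: str, value: Any):
    # Simulate someone editing a past entry's content in place.
    copied = copy.deepcopy(entries)
    copied[index]["event"][field] = value
    return copied


def drop_entry(entries: List[Dict[str, Any]], index: int):
    # Simulate someone deleting a past entry and leaving the rest untouched.
    copied = copy.deepcopy(entries)
    del copied[index]
    return copied


def rechain(entries: List[Dict[str, Any]]) -> HashChainAuditLog:
    # Whoever can rewrite the whole file can recompute every hash, so the
    # chain verifies; the head hash kept out of band is what still differs.
    rebuilt = HashChainAuditLog()
    for e in entries:
        rebuilt.append(e["event"])
    return rebuilt


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries))
    print("edited entry 1:", verify_chain(tamper_event(log.entries, 1, "msg_id", "m-9999")))
    print("deleted entry 1:", verify_chain(drop_entry(log.entries, 1)))
    rebuilt = rechain(tamper_event(log.entries, 1, "msg_id", "m-9999"))
    print("re-chained verifies:", verify_chain(rebuilt.entries), "head matches:", rebuilt.head() == log.head())
```

The check that matters operationally is the last one: an in-place edit or deletion is caught by `verify_chain`, but a full rewrite is only caught by comparing `head()` against a copy stored where the log writer has no write access (a signed checkpoint, a separate system, a periodic print to a second log).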

2. Online POS - Car Parts Shop

The online version for a specific use case - car parts inventory management with QR codes.

Stack:
  • Vite + vanilla JavaScript (no framework fatigue here)
  • NeonDB for serverless Postgres
  • bcryptjs + JWT for auth
  • QR code scanning via html5-qrcode
  • XLSX export/import for inventory management

Deployment: Vercel-ready, zero-drama CI/CD

The QR scanning feature was a fun rabbit hole - getting html5-qrcode to work reliably in low-light warehouse conditions took longer than the entire auth system.

3. FerroWA - Encrypted WhatsApp Desktop Client

Because typing zeroize in Rust code is satisfying as hell

Stack:
  • Tauri 2 with Rust backend
  • WebSocket bridge for WhatsApp Web protocol
  • Native Linux notifications (because I live in the terminal, but I still want to know when you message me)

Crypto (the fun part):
  • ChaCha20-Poly1305 for config encryption - fast, authenticated, modern
  • Argon2 for PIN hashing - memory-hard, ASIC-resistant
  • HMAC-SHA256 for integrity verification
  • jemalloc allocator - because the default allocator leaks under heavy WebSocket traffic
  • zeroize on drop - secrets don't persist in memory, ever

Features:
  • Tray icon with native OS integration
  • WebKitGTK cookie access for session persistence
  • Enterprise CSP that blocks everything not explicitly whitelisted

Role: Solo developer, systems programming in Rust, learned Tauri 2 from scratch because why make life easy

4. Great Society - Website

Property management for a real community , not a startup pitch deck

Stack:
  • React 19, Material UI 7, Radix UI primitives
  • Supabase for backend with MySQL in the host (auth, DB, storage)
  • Vite for build tooling

Features:
  • Property management with featured listings, search, filtering
  • Contact notifications with real-time updates
  • Image uploads with JPEG compression at exactly 0.75 quality - tested it, that's the sweet spot
  • Super admin dashboard with full CRUD
  • Arabic-first interface - RTL isn't an afterthought, it's the default

Deployment: Hostinger for the main site, Vercel for previews and testing


The Philosophy

Security-as-Habit vs Security-as-Job

Most "security researchers" treat it as a 9-to-5. I treat it as "this SQL query needs parameterization because I'd rather not explain a data breach to my client at 2AM".

The difference is subtle but it's everything.

When security is your habit, you don't think about it - you just write the audit log before the transaction, you hash before you store, you encrypt before you transmit. It's not extra work. It's the default.

What I Believe

  • "Good enough" security is an oxymoron. Either you control the threat surface or you don't
  • Crypto isn't magic - it's math with strict proofs and harder implementations
  • Documentation isn't optional - your future self at 3AM debugging a production issue will thank you
  • Academic-grade documentation is fun. Fight me
  • If your threat model doesn't include "adversary has physical access", your threat model is incomplete (looking at you, SMail crypto layer that I spent 3 weeks on)

Tools I Actually Use

  • Python for everything that doesn't need to be fast
  • Rust for everything that does
  • FastAPI because Flask feels like 2015
  • Flutter because native mobile dev takes too long
  • Odoo because ERP shouldn't require a mortgage
  • Tauri because Electron is a crime against memory
  • ParrotOS because it's been my second home for years now

Tools I've Watched Explode

  • Burp Suite freezing mid-scan on a critical engagement (thanks Burp , very cool)
  • Nmap lying about closed ports because of rate limiting I didn't notice
  • Docker eating all my disk because I forgot to prune
  • That one time I spent 6 hours debugging a crypto issue and it was a typo in a hex string (still not over it)

Let's Connect

I don't do LinkedIn motivational posts or Twitter threads.

I ship code, write docs, and occasionally break things to understand how they work. If any of that sounds useful to you, reach out.

Links:
  • LinkedIn 0x1RIS - I check this when I remember
  • GitHub 0x1RIS - Actual code lives here
  • Telegram 0x1RIS - Fastest way to reach me

How to reach me:
  • Business stuff -> LinkedIn message
  • Technical questions -> GitHub issue or Telegram
  • Friends -> carrier pigeon, whatever works
  • Vulnerability disclosures -> encrypted comms, don't make me regret saying that