locale
Leontii Maksimov
informatics · systems · offsec · anonymity
personal@info
────────────────────────────
OS FreeBSD 15.0-RELEASE amd64
Langs C, C++, Java, Python, Rust, RISC-V asm
Now CJCA · malware research
Email
PGP 0xAF271E3E47F9945F · show key
CV argon2id-locked

experience/01

Embedded Systems Team Lead @ Phantum e.V. Dec 2024 — Dec 2025

Owned the in-flight computer configuration for a high-performance UAV. Designed and shipped firmware for the microcontroller-driven afterburner and water-injection subsystems. Stood up the supporting telemetry, comms and license servers, and held the line on a clean Linux-based build/deploy pipeline for the team.

Software Engineer · Flight Control & Sysadmin @ Phantum e.V. Nov 2024 — Dec 2025

Real-time control logic for UAV flight systems. Linux server administration for internal infrastructure. C/C++ on bare-metal targets, Python on supporting tooling.

Firmware Engineer · Rocketry Electronics @ WARR Oct 2024 — May 2025

Firmware contributions to the rocketry electronics stack. Hybrid work in Garching, alongside a strong embedded community.

Mathematics Tutor @ Nachhilfedienst Alain Defoort Oct 2023 — Jan 2024

Tutored Mittel- and Oberstufe students through the German curriculum up to Abitur.

Sysadmin Intern @ Moscow State University Jun 2022 — Aug 2022

Summer internship inside a large university IT operation. First serious exposure to real production systems administration.

education/02

B.Sc. Informatics @ Technische Universität München Oct 2023 — present

Computer Science, leaning toward operating systems, computer architecture and security.

International Baccalaureate @ Berlin Brandenburg International School Aug 2013 — May 2023

Higher Level focus: Mathematics, Physics, English, German.

current_focus/03

achievements/04

HackaTUM 2024 @ Technical University of Munich Nov 2024

Team built a social-media platform deployed to the Solana devnet. Posts were hashed and committed on-chain, full set of social features layered on top. 36-hour build, end-to-end. Certificate of participation issued by TUM.

Particle Physics Masterclass @ Humboldt-Universität zu Berlin

Hands-on session with real LHC data.

IceCube Masterclass @ DESY Zeuthen

Astroparticle physics workshop at the German Electron-Synchrotron.

notable_projects/05

gemma4-vuln-scanner · Python · SAST · LLM-assisted offsec view source

LLM-powered static analysis tool for finding bugs, exploits and crashes in security-critical codebases. Eight-pass workflow: SAST (Semgrep / cflow / Bandit) + tree-sitter function extraction + NetworkX call-graph and risk scoring + multi-lens local-LLM analysis (Ollama / gemma4:31b on an RTX 5090) + a judge pass to filter false positives + SARIF / HTML reporting. ~7,400 lines of Python, SQL, Bash and YAML; 43 unit tests; native systemd deployment, no Docker. Functionally complete; first real-world runs queued against the OpenBSD source tree and the I2P Java codebase.

BootWarden · system security · anti-Evil-Maid view source

Minimalist verifier for unencrypted boot partitions in high-risk environments. Cryptographically validates the bootloader before the OS loads to mitigate Evil-Maid attacks. Designed to ship on a portable Void Linux + MUSL ISO carried separately — relevant when committing the boot partition to a dedicated USB isn't acceptable, e.g. preserving Qubes' sys-usb.

I2P_Crawler · Python · anonymity tooling view source

Python crawler that walks the I2P network through a local i2pd daemon on 127.0.0.1:4444, logging every reachable destination and harvesting any .onion and clearweb links it encounters along the way. Slow and primitive on purpose — clearweb links are recorded but never followed, so the crawler never reveals itself outside the anonymity network.

PasswordSplitter · C++ · secret sharing view source

Command-line utility that splits an ASCII password into n independent strings; the original is only recoverable when all n shares are recombined. Useful for distributing high-value secrets across locations or trustees. Early project — written in C++ before I knew what constant-time meant — kept around for the idea, not the implementation.

systems/06

Daily-driver across init systems and unices. Each picked for what it does well, none worshipped. Self-host bias on principle — own mail, own DNS, own git, own monitoring. no SaaS unless I have to.

// init

  • systemd linux
  • runit void, artix
  • OpenRC alpine, gentoo
  • rc.d freebsd, openbsd

// unices

  • FreeBSD infra
  • OpenBSD edge
  • QubesOS daily
  • Linux general

// hosting

  • nginx · caddy
  • postfix + dovecot
  • unbound + bind9
  • wireguard mesh
  • nftables · pf
  • prometheus + grafana

// userland

  • zsh 5.9 shell
  • tmux multiplexer
  • neovim editor
  • sway · dwm wm

cryptography/07

Cryptographic primitives — implemented from scratch in C (some Python or Rust) for the sake of understanding the things, not just calling them. The stuff below is hand-rolled at least once; not all of it is production-grade, that is not the point.

AES-128 AES-256 AES-GCM ChaCha20 Poly1305 X25519 Ed25519 HMAC-SHA256 HKDF Argon2id SHA-256 BLAKE2b constant-time compare RNG hygiene

In production: libsodium when I get to choose, OpenSSL when I don't. Mail: gpg. Files-at-rest: age. KDFs: argon2id (the gate on this very page is one).

anonymity/08

Privacy is structural, not a feature you opt into. These are small contributions on principle; the network only works if enough of us run something.

Isolation note: every service here runs in its own FreeBSD jail — the three Tor relays, the Monero node, the i2pd floodfill, and this website each have a separate jail with no shared filesystem or process namespace. Compromise of one does not imply compromise of another.

tor relay family
— no relays configured yet —
live data fetched from onionoo.torproject.org at page load
IPv6 note: My ISP-provided router firmware glitches whenever I attempt IPv6 pinholing, so these relays are IPv4-only for now — it's a hardware limitation, not a choice. If you're running your own relay, please enable IPv6 if your setup allows it; dual-stack relays meaningfully improve reachability and diversity for the whole network.
i2p i2pd floodfill node
Operating an i2pd floodfill — structurally important. Floodfills carry the netDb, so the network needs more of them than it usually gets; running one is help with routing, not just consumption.
monero node + on-the-side support
Run a full monerod node, mine opportunistically, contribute to the community on the periphery — wiki patches, helping new users with wallets, the occasional translation. RingCT + Bulletproofs + Dandelion++ is the right architecture for cash; everything else is surveillance with extra steps.

contact/09

email pgp 0xAF271E3E47F9945F FF34 0AE3 C084 9864 57D1 CFB0 AF27 1E3E 47F9 945F simplex — not configured — session — not configured —
gpg --armor --export 0xAF271E3E47F9945F 
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEafSSlRYJKwYBBAHaRw8BAQdApkpiTYutnE6Mmegh7n3YwAd8KFjoEfv1pvHy
40K4SH60LUNsZWFybmV0IGlkZW50aXR5IDxsZW9udGlpLm1ha3NpbW92QHR1dGEu
Y29tPoiWBBMWCgA+FiEE/zQK48CEmGRX0c+wrycePkf5lF8FAmn0kpUCGwMFCQWk
0wsFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQrycePkf5lF8r6QEApbkvih36
3qaAFV8a/vTCARSq6p9TeY+/JRceAxMXloIBAMVRg++SqZu2Lo+zmXlg8pKcSx+f
4MzJbu8942i0EXQIuDgEafSSlRIKKwYBBAGXVQEFAQEHQI8+H0k3oZq9uU5ua81h
2O9V4+o6LBsJEWvea0QtoAgUAwEIB4h+BBgWCgAmFiEE/zQK48CEmGRX0c+wryce
Pkf5lF8FAmn0kpUCGwwFCQWk0wsACgkQrycePkf5lF8KZgD+IEwu5/edkn0maRj/
HgKTkRG2oLQRMy9K+0Hb8pOw5GYBALT/Si2PX4wvgOlrHYDTDXuwd8lVPyKBFuvV
GXrdTnkF
=mCZR
-----END PGP PUBLIC KEY BLOCK-----
fpr: FF34 0AE3 C084 9864 57D1 CFB0 AF27 1E3E 47F9 945F

retrieve_cv/10

Full CV is gated behind argon2id. Ask me for the passphrase if we've spoken.

./decrypt-cv --pass <passphrase> --kdf argon2id argon2id: m=8 MiB · t=3 · p=1 · 32-byte key → AES-256-GCM decrypt (Web Crypto, in-browser)
download cv.pdf · shasum -a 256 cv.pdf › computing…