This is the index post for a series on building hid_guard, a HID-BPF security monitor for the Linux kernel — from the first embarrassingly bad prototype to an RFC on the linux-input mailing list. I'll update the links below as each part goes live, assuming I don't get distracted rewriting Part 2 for the fourth time.

How this actually started

Every "I built a security tool" post claims to start with a researcher noticing a subtle gap in the threat model. Mine starts with me pranking my roommate.

Our cybersecurity club runs an intro session every fall to reel in new members, and in August–September 2025 it was my turn to make the pitch. The club is only three years old and still fighting the older, flashier clubs for attention, so standing on stage clicking through bullet points was not going to cut it. I had an ESP32-S2 sitting in a drawer doing nothing useful with its life, and I knew it could be flashed to act as a USB HID device; so I built a wireless Rubber Ducky: a 500–600Rs ($5–6) chip that shows up to any computer as "just a keyboard" and fires off whatever script you gave it the second it's connected.

It landed better than I hoped, roughly 60 sign-ups, the highest in the club's short history. I'd like to think the little wireless duck gets some of the credit.