<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Mustafa ERBAY</title>
    <description>The latest articles on DEV Community by Mustafa ERBAY (@merbayerp).</description>
    <link>https://dev.to/merbayerp</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3921203%2Fe3a198a1-49a0-466f-99e6-74bdf202a867.png</url>
      <title>DEV Community: Mustafa ERBAY</title>
      <link>https://dev.to/merbayerp</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/merbayerp"/>
    <language>en</language>
    <item>
      <title>What Does It Mean To Be 'Senior' In The Age of AI?</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 16:30:43 +0000</pubDate>
      <link>https://dev.to/merbayerp/what-does-it-mean-to-be-senior-in-the-age-of-ai-4117</link>
      <guid>https://dev.to/merbayerp/what-does-it-mean-to-be-senior-in-the-age-of-ai-4117</guid>
      <description>&lt;p&gt;I've been in this industry for twenty years, and often questioned what the "senior" title truly meant. But with AI entering our lives so rapidly, I see this definition becoming more fragile, even misunderstood, than ever before. This role, once defined by deep technical knowledge, the ability to solve complex problems, and end-to-end system mastery, has now, for some, transformed into merely being able to write the right &lt;code&gt;prompt&lt;/code&gt;s?&lt;/p&gt;

&lt;p&gt;In my opinion, the automation and speed brought by AI further clarify the essence of the 'senior' role: experience, workflow knowledge, and the ability to manage trade-offs. Pure technical knowledge is still important, but it's no longer sufficient on its own.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Did 'Senior' Mean Before AI?
&lt;/h2&gt;

&lt;p&gt;Years ago, even before AI became so widespread, being 'senior' for me meant being able to find the deepest bug in a system, to catch correlations no one else saw. I remember spending hours debugging a &lt;code&gt;network loop&lt;/code&gt; that crashed the entire company network, or finding the correct &lt;code&gt;vacuum&lt;/code&gt; settings when performance plummeted due to a &lt;code&gt;PostgreSQL WAL bloat&lt;/code&gt; issue.&lt;/p&gt;

&lt;p&gt;This wasn't just about knowing commands or using a library; it was about understanding all layers of the system, knowing how every piece interacted, from hardware to software, network to database. Being able to read &lt;code&gt;journald&lt;/code&gt; logs to figure out why a &lt;code&gt;systemd unit&lt;/code&gt; was &lt;code&gt;OOM-killed&lt;/code&gt; and correctly setting &lt;code&gt;cgroup memory.high&lt;/code&gt; limits was a true expertise.&lt;/p&gt;

&lt;h2&gt;
  
  
  AI Arrived, So What Changed?
&lt;/h2&gt;

&lt;p&gt;With the advent of AI, many routine and repetitive tasks have been automated. Now, instead of writing a complex &lt;code&gt;regex&lt;/code&gt; pattern, I can describe the log pattern I want to AI and get the output in seconds. In one of my side projects, log analysis and debugging processes that used to take me hours are now summarized in minutes with a single prompt.&lt;/p&gt;

&lt;p&gt;This shift requires us to focus more on the "why" and "what" questions, rather than just answering "how." Critically evaluating the solution offered by AI, providing the correct context, and comparing the results with business realities have become the cornerstone of the new senior role. In software development, writing &lt;code&gt;boilerplate&lt;/code&gt; code and creating simple test scenarios are now tasks taken over by AI.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ The Changing Role&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AI takes on many repetitive and rule-based technical tasks, offering us the opportunity to think more strategically, define problems, and understand complex inter-system relationships.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Is True Seniority Just 'Prompt Engineering'?
&lt;/h2&gt;

&lt;p&gt;With the recent rise of &lt;code&gt;prompt engineering&lt;/code&gt;, some have started to see this skill as the new "seniority" criterion. Yes, writing the right &lt;code&gt;prompt&lt;/code&gt; is critical for getting efficient results from AI. But this is just the tip of the iceberg.&lt;/p&gt;

&lt;p&gt;When using AI for production planning in a manufacturing ERP, understanding the factory's real constraints, instant fluctuations in the supply chain, and operator feedback, rather than blindly applying the model's output, was much more critical than simply designing the &lt;code&gt;prompt&lt;/code&gt; correctly. AI can offer you the most optimized route suggestions; however, it cannot know if that route is truly feasible, if a machine on the production floor is currently broken, or if an operator is on leave during that shift.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data, Workflow, and People: Where Does a Senior's Real Power Lie in the Age of AI?
&lt;/h2&gt;

&lt;p&gt;In my opinion, true seniority in the age of AI still lies in knowing the cost of saying "yes" or "no," in contextualizing the solution produced by AI within the business, and in foreseeing potential side effects. Knowing why we implement a &lt;code&gt;transaction outbox&lt;/code&gt; pattern, what kind of risks &lt;code&gt;eventual consistency&lt;/code&gt; poses in a workflow, or in which scenarios &lt;code&gt;optimistic lock&lt;/code&gt; works better than &lt;code&gt;pessimistic lock&lt;/code&gt; is not information AI will automatically give you.&lt;/p&gt;

&lt;p&gt;One of the most important things I've learned in my 20 years of experience is that software architecture is often not just about code; the real architecture lies in organizational workflows. AI can speed up these workflows, even optimize them, but the correct design of these workflows, meeting the real needs of the business, and being adoptable by people, is still the responsibility of experienced professionals.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Not Just Technology&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;True seniority is not just knowing how to use the latest AI model, but also being able to foresee &lt;code&gt;idempotency&lt;/code&gt; issues, &lt;code&gt;data integrity&lt;/code&gt; risks, and &lt;code&gt;observability&lt;/code&gt; needs that may arise when integrating that model's output into an enterprise ERP system.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What Could Be a Senior's Most Expensive Mistake?
&lt;/h2&gt;

&lt;p&gt;My most expensive mistake in my career was never a &lt;code&gt;segmentation fault&lt;/code&gt; or an &lt;code&gt;SQL injection&lt;/code&gt;. It was usually a "yes" or "no" given without proper &lt;code&gt;trade-off&lt;/code&gt; analysis or without listening to all stakeholders. When I inadequately calculated the number of VLANs in a &lt;code&gt;network segmentation&lt;/code&gt; project, the subsequent management complexity and security risks were the result of a simple "yes, this will be enough" answer I gave initially.&lt;/p&gt;

&lt;p&gt;In the age of AI, this situation becomes even more critical. Blindly trusting the "perfect" solution suggestions offered by AI while ignoring real-world constraints can be one of the biggest mistakes a senior can make. When setting up &lt;code&gt;predictive monitoring&lt;/code&gt; systems and interpreting the anomalies offered by AI, it is essential to consider the human factor, field experience, and business dynamics.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 The Value of Experience&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AI can analyze data and extract patterns, but interpreting the human behaviors, corporate policies, and historical "whys" behind these patterns is still the job of an experienced senior.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In conclusion, being 'senior' in the age of AI means not only mastering technology but also being able to correctly blend that technology with business realities, the human factor, and corporate workflows. In my opinion, the true 'senior' title will belong to those who can intelligently use the opportunities offered by AI to produce context-driven, flexible, and sustainable solutions even for problems we haven't encountered before.&lt;/p&gt;

&lt;p&gt;So, in your opinion, what competencies have become indispensable to deserve the 'senior' title in the age of AI?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>career</category>
      <category>indiehacker</category>
    </item>
    <item>
      <title>The Maintenance Burden of Homelab Expansion</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 12:51:46 +0000</pubDate>
      <link>https://dev.to/merbayerp/the-maintenance-burden-of-homelab-expansion-440h</link>
      <guid>https://dev.to/merbayerp/the-maintenance-burden-of-homelab-expansion-440h</guid>
      <description>&lt;p&gt;Homelab expansion, like for most tech enthusiasts, was initially an exciting adventure for me. Experimenting with new technologies, tinkering with different system architectures, and implementing things at home that I couldn't "touch" in production environments provided an invaluable learning space. However, over time, this growing lab brought a much larger maintenance burden and personal time cost than I expected; this situation repeatedly reminded me of that fine line where a hobby turns into work.&lt;/p&gt;

&lt;p&gt;What started with just a few Raspberry Pis gradually evolved into racks full of servers, gigabit switches, and complex network topologies. Every new device or service added brought with it a new responsibility and a potential source of problems. In this post, I'll talk about the allure of the homelab, how it transformed into a maintenance burden over time, and the lessons I learned along the way.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 A Tip from My Experience&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before adding any new hardware or software, it's crucial to think twice about the &lt;em&gt;long-term&lt;/em&gt; maintenance burden and time cost it will bring. Short-term excitement can turn into long-term fatigue.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The Beginning of Homelab Growth: Why We Started and How We Got Carried Away
&lt;/h2&gt;

&lt;p&gt;My homelab journey began with a modest Linux server experiment in the early 2000s, but it gained real momentum in the last 10 years. I found the opportunity to try out many concepts here that I applied or wanted to apply in production environments but couldn't find the time for. My motivations included trying a new database, setting up a different container orchestration tool, or simply pushing a system's performance to its limits. For me, it was both a learning tool and a way to relieve stress.&lt;/p&gt;

&lt;p&gt;Initially, everything seemed simple and low-cost. I started with projects like running a few services with Docker Compose on a single mini PC or setting up a monitoring system with a Raspberry Pi. While saying "a bit more RAM," "a faster SSD," or "if only I had a 10Gbit switch," the hardware list grew, and the electricity bill slowly started to climb. During this process, I also moved the test environment of one of my side products (a financial calculator backend) to my homelab. While this initially provided a cost advantage, it increased the maintenance burden over time.&lt;/p&gt;

&lt;h2&gt;
  
  
  Unexpected Costs: How the Money and Time Balance Changes
&lt;/h2&gt;

&lt;p&gt;The most insidious cost of homelab expansion wasn't just the money we spent on hardware, but also the time and electricity bill. What initially seemed like "a whim" can gradually become a significant budget item. I can say that the money I spent on servers, switches, and disks I accumulated over a few years approached the price of a good used car. But that wasn't the real problem.&lt;/p&gt;

&lt;p&gt;For example, the electricity consumption of a 24/7 server cluster makes a noticeable difference in the monthly bill. I went from a system that initially drew 50W to one that now draws 300-400W. This manifests not only in the electricity bill but also in the need for cooling and the room's temperature. However, beyond the money, the biggest price was time. I remember spending 4 hours on a Sunday morning fixing a critical service's downtime instead of having breakfast. This was just one of those moments when a hobby turned into work and personal life was neglected.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Hidden Cost: The Electricity Bill&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Every new device in your homelab, especially if it runs 24/7, adds an extra burden to the electricity bill. While it may seem insignificant at first, these costs accumulate in the long run. The 3 servers and network devices I use consume an average of 350 kWh per month, which is a significant cost in Turkey.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Software and Configuration Chaos: Is Tech Debt at Home Too?
&lt;/h2&gt;

&lt;p&gt;The "tech debt" we complain about in corporate environments doesn't leave us alone in the homelab either. Different distributions (Ubuntu, Debian, Fedora), various services (PostgreSQL, Redis, Nginx), and dozens of containers talking to each other... Each has its own configuration files, update cycles, and dependencies. Initially, I set everything up manually, thinking "it's just a small lab." However, this approach turned into a nightmare as the system grew.&lt;/p&gt;

&lt;p&gt;At one point, when I performed a major PostgreSQL version upgrade, I encountered incompatibility with an old application's database schema. Some query planning behaviors of the new version had changed, and the application's ORM couldn't adapt to this situation. Debugging took me 8 hours, and during this process, I risked permanent data loss while dealing with the &lt;code&gt;pg_upgrade&lt;/code&gt; command. Situations like these showed how fragile manual configuration management can be. Now, I try to use simple Ansible playbooks for at least some critical services, but even this isn't a fully automated solution.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="c1"&gt;-- EXPLAIN ANALYZE output to understand why an old query plan slowed down in PostgreSQL&lt;/span&gt;
&lt;span class="k"&gt;EXPLAIN&lt;/span&gt; &lt;span class="k"&gt;ANALYZE&lt;/span&gt; &lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="k"&gt;FROM&lt;/span&gt; &lt;span class="n"&gt;orders&lt;/span&gt; &lt;span class="k"&gt;WHERE&lt;/span&gt; &lt;span class="n"&gt;customer_id&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;123&lt;/span&gt; &lt;span class="k"&gt;AND&lt;/span&gt; &lt;span class="n"&gt;order_date&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s1"&gt;'2026-01-01'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Network and Security Challenges: The "Mini-Corporate" Environment at Home
&lt;/h2&gt;

&lt;p&gt;As the homelab expands, the network structure inevitably becomes more complex. While initially managing with Wi-Fi from a single modem, I now use different VLANs, firewall rules, VPN tunnels, and multiple gigabit switches. This structure provides both a more secure and higher-performing environment, but it brings a significant management burden. IP conflicts, DNS resolution issues, and incorrect firewall rules are common problems I encounter.&lt;/p&gt;

&lt;p&gt;Once, to add a new IP camera system, I connected a PoE switch to the network. However, when I connected this switch to the wrong port, a loop occurred in the network, and the entire home network crashed. Since my DHCP server was also affected, no device could be assigned an IP. I had to check physical connections one by one to find and resolve the issue. These types of situations caused me to experience "switch loop" or "broadcast storm" scenarios at home that we encounter in corporate networks. While network segmentation (via VLANs) is a good security practice, assigning each new device to the correct VLAN and ensuring communication between them with proper firewall rules requires constant attention.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ Network Security and Segmentation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If your homelab has devices with different security levels (IoT devices, servers, personal computers), using VLAN segmentation is a good approach. However, this also requires enabling switch hardening features like DHCP snooping and DAI (Dynamic ARP Inspection), otherwise security vulnerabilities can arise.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Monitoring and Alerts: How Much Production Environment Discipline is Needed at Home?
&lt;/h2&gt;

&lt;p&gt;In my professional life, I always emphasize the importance of observability (metrics, logs, traces). However, bringing this discipline to the homelab can sometimes spoil the fun of the hobby. While initially just checking CPU usage with &lt;code&gt;htop&lt;/code&gt;, over time I installed tools like Prometheus, Grafana, and Alertmanager. These systems allow me to monitor server resource usage, service status, and network traffic in detail.&lt;/p&gt;

&lt;p&gt;But this situation also brought the problem of "alert noise." An alarm at 3 AM indicating a container exceeded its &lt;code&gt;memory.high&lt;/code&gt; limit and was &lt;code&gt;OOM-killed&lt;/code&gt; showed that I was no longer just dealing with a hobby project. While dealing with complex solutions like sending Journald logs to Elasticsearch and analyzing them in Kibana, I remembered that all I really wanted was for my home Plex server not to stutter. This is a burden brought by bringing "production environment discipline" home. Fine-tuning each alert rule, eliminating false positives, and distinguishing truly important ones takes a significant amount of my time.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Example systemd log output showing a container exceeding its memory limit&lt;/span&gt;
&lt;span class="c"&gt;# journalctl -u docker.service -f&lt;/span&gt;
...
Jun 18 03:14:22 homelab-server kernel: cgroup: &lt;span class="s2"&gt;"memory"&lt;/span&gt; controller: memory.high limit of 500M reached &lt;span class="k"&gt;for &lt;/span&gt;container_name.service, currently 512M
Jun 18 03:14:22 homelab-server kernel: Memory cgroup out of memory: Killed process 1234 &lt;span class="o"&gt;(&lt;/span&gt;container_name.service&lt;span class="o"&gt;)&lt;/span&gt; total-vm:1024MB, anon-rss:512MB, file-rss:0MB, shmem-rss:0MB
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When I see an output like this, I immediately need to review my &lt;code&gt;cgroup memory.high&lt;/code&gt; settings and analyze whether the application truly needs that much memory. Sometimes even a simple Redis OOM eviction policy setting can trigger a debug process that takes hours.&lt;/p&gt;

&lt;h2&gt;
  
  
  Personal Life and Homelab Balance: Where to Draw the Line?
&lt;/h2&gt;

&lt;p&gt;I think the biggest lesson learned from homelab expansion was recognizing when a hobby turns into work and being able to strike a balance. The initial motivation for learning and exploration gradually turned into a "to-do" list. Thoughts like "I need to do that update," "I need to optimize that service," "I need to set up a new storage solution before disk space runs out" constantly occupied my mind. This started to steal time I should have spent with my wife and family.&lt;/p&gt;

&lt;p&gt;One Saturday afternoon, I found myself debugging a performance regression in the backend of one of my side products instead of being at the park with my children. A wrong choice in Postgres's index strategies (a table where B-tree was more suitable than BRIN) had caused queries to suddenly slow down. This showed that hours spent in front of the screen, saying "just one more minute," were actually taking away things much more valuable from me. Setting conscious boundaries and being able to say "no, I'm just going to rest this weekend" has been the hardest but most important part of this process. My experience has shown that such decisions directly affect my overall quality of life.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: Homelab is a Journey, Not a Race
&lt;/h2&gt;

&lt;p&gt;Homelab expansion is a wonderful journey that fuels my passion for technology and constantly pushes me to learn new things. However, on this journey, "more" doesn't always mean "better." The performance and features I try to achieve often don't justify the maintenance burden and personal time cost they bring. Finding this balance requires continuous effort and awareness.&lt;/p&gt;

&lt;p&gt;My current clear position is to severely limit new hardware purchases and new service installations. I'm trying to consolidate existing systems, increase the level of automation (more Ansible!), and most importantly, prevent the homelab from becoming a "job" instead of a "hobby" again. Because sometimes the best optimization is not to set up the system at all. In the next post, I will discuss some strategies and tools I used during this consolidation process.&lt;/p&gt;

</description>
      <category>learning</category>
      <category>uretkenlik</category>
    </item>
    <item>
      <title>Things I Wish Someone Had Told Me When I Was a Junior</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 09:47:23 +0000</pubDate>
      <link>https://dev.to/merbayerp/things-i-wish-someone-had-told-me-when-i-was-a-junior-col</link>
      <guid>https://dev.to/merbayerp/things-i-wish-someone-had-told-me-when-i-was-a-junior-col</guid>
      <description>&lt;p&gt;The most expensive mistakes of my career weren't a line of code or a system architecture choice. Often, I paid the biggest prices in moments when I said "yes" while my gut was screaming "no." This situation had serious impacts not only on my workload but also on my learning curve, personal development, and even mental health.&lt;/p&gt;

&lt;p&gt;Looking back today, there's a lot I'd like to tell young Mustafa. These aren't the details of a programming language or the intricacies of a network protocol; rather, they are lessons shaped by field experience, reflecting on "how to work" and "how to be an engineer."&lt;/p&gt;

&lt;h2&gt;
  
  
  What is the Power and Cost of Saying "No"?
&lt;/h2&gt;

&lt;p&gt;As a junior, I was prone to accepting every task, every project, every request that came my way. This stemmed both from a "I can do it" motivation and a desire to prove myself. However, over time I realized that saying "yes" is easy; the real challenge, and what truly propels you forward, is learning to say "no."&lt;/p&gt;

&lt;p&gt;Once, at the beginning of an ERP project that was already 5 years old, I was asked to simultaneously develop a new module and solve a performance issue with an existing integration. They said both were urgent. I said, "I'll do it." The result was both tasks being left unfinished, and both I and the team experiencing significant stress. At that moment, I clearly understood that my resources were limited and I needed to prioritize.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ The Illusion of Unlimited Resources&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Especially at the beginning of our careers, we tend to think our time and energy are limitless. However, every "yes" we say means saying "no" to something else. Acting with this awareness not only improves work quality but also prevents burnout.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Is Technical Debt Not Just About Code, But Also My Career?
&lt;/h2&gt;

&lt;p&gt;We always hear the concept of technical debt in the context of codebases and architecture. It's defined as the future costs incurred by producing quick solutions. But in my experience, this concept also has an equivalent in our careers. Topics we postpone learning, deficiencies we don't address, moments we don't step out of our comfort zone – all accumulate as "career debt."&lt;/p&gt;

&lt;p&gt;While working on a production ERP, designing an AI-powered production planning module, I found myself deep in PostgreSQL. GIN indexes, WAL segments, Vacuum parameters... these were topics I had previously thought "the DBA will handle it anyway." Yet, as the architect of the application, I couldn't make correct decisions without knowing these details. To pay off this debt, I spent weeks reading documentation and running tests. If I had done this earlier, the project would have progressed faster, and I wouldn't have experienced that stress.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Are Human Relations and Organizational Flow So Important?
&lt;/h2&gt;

&lt;p&gt;I spent years pondering software architecture. Monolith or Microservice? Event-Sourcing or CQRS? However, over time I realized that the success of a software project often depends more on organizational flow and human relations than on technical architecture. The code we write reflects how people work and how they communicate with each other.&lt;/p&gt;

&lt;p&gt;While developing an internal platform for a bank, the biggest challenge wasn't technical, but the silo structure between different departments. Each team defended its own truth, and we struggled to establish a common language. Even the best-designed system remains on paper if there isn't proper communication flow between users and teams. That's why engineering isn't just about writing code, but also about understanding people and uniting them around a common vision.&lt;/p&gt;

&lt;h2&gt;
  
  
  Beyond Continuous Learning, What Does It Mean to Learn to Unlearn?
&lt;/h2&gt;

&lt;p&gt;In the tech world, "continuous learning" is already a cliché. However, I believe that "learning to unlearn" is at least as valuable, if not more so. What we know can sometimes prevent us from seeing new solutions. Old habits can hinder us from perceiving new paradigms.&lt;/p&gt;

&lt;p&gt;Last month, I was trying to solve a performance issue in the backend of the financial calculators, which are part of my side product. With years of habit, I immediately dove into PostgreSQL queries and indexes. Hours later, I realized the problem was caused by a simple Redis OOM eviction policy setting. My old knowledge had led me down circuitous paths instead of directly to the problem. Sometimes, you need to set aside old "truths" and look at the problem with a completely fresh perspective.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Is Investing in Yourself Not Just About Getting Certificates?
&lt;/h2&gt;

&lt;p&gt;As a junior, I mostly saw investing in myself as learning a new language, getting a certificate, or mastering a popular framework. These are important, yes. But the real investment is in problem-solving ability, critical thinking, and adaptability. And of course, the investment I made in financial literacy and time management to better manage both my career and personal finances.&lt;/p&gt;

&lt;p&gt;While working on projects like the anonymous Turkey data platform I added to my own site, I saw not only the technical challenges but also my shortcomings in data analysis and presentation. This pushed me not only technically but also to gain knowledge in a new field. Investing in yourself means not just "writing better code," but "being a better problem solver."&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ Engineering Is Multidimensional&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Being a good engineer isn't just about writing code or building systems. It's also about understanding business processes, communicating effectively with people, managing your time and resources, and continuously updating yourself while being able to break old patterns.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;So, if you were at the beginning of your career, what advice would you give yourself? What was your most expensive "yes" or your most valuable "no"? I'd love to hear it in the comments.&lt;/p&gt;

</description>
      <category>software</category>
      <category>career</category>
      <category>indiehacker</category>
    </item>
    <item>
      <title>My Account Was Hacked! 5 Things to Do in the Right Order in the First</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 07:41:12 +0000</pubDate>
      <link>https://dev.to/merbayerp/my-account-was-hacked-5-things-to-do-in-the-right-order-in-the-first-42ab</link>
      <guid>https://dev.to/merbayerp/my-account-was-hacked-5-things-to-do-in-the-right-order-in-the-first-42ab</guid>
      <description>&lt;p&gt;This post is designed to help you manage the panic and confusion you might experience the moment you realize one of your accounts has been compromised, and to minimize damage by taking the right steps. It focuses on the critical first 60 minutes, emphasizing rapid action rather than technical details.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Immediate Password Change and Checking Linked Applications
&lt;/h2&gt;

&lt;p&gt;The moment you realize one of your accounts has been hacked, the first and most critical step is to change your password. This is the fastest way to block the attacker's access to the account. However, there are some nuances to consider during this process. Just changing the main password might not be enough; it's important to review other applications and services linked to your account. Especially checking those with access to sensitive data, such as financial apps, email accounts, or cloud storage services, is vital.&lt;/p&gt;

&lt;p&gt;This initial intervention is a kind of "first aid" to get the situation under control. A few months ago, a friend's email account was hacked. The first thing they did was change their password. However, they didn't notice a subscription service linked to the account that had automatic payments. The attacker used this service to make various payments from my friend's account for several weeks. To prevent such situations, immediately after changing your password, you should go into your account's security settings and check sections like "connected apps" or "authorized devices." Typically, these sections may list devices added without your approval or devices you don't recognize. Removing them immediately will prevent potential additional damage.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ Security Tips&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Use strong and unique passwords to increase your account's security. Password managers can help you with this. Be sure to activate two-factor authentication (2FA). This prevents your stolen password from being sufficient on its own.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  2. Collecting Logs to Prove Account Compromise
&lt;/h2&gt;

&lt;p&gt;The moment you realize your account is not secure, collecting evidence before the attacker deletes their traces will greatly benefit you in later complaint or recovery processes. This evidence can be used to prove that the account was indeed compromised and, if necessary, to apply to legal authorities. This can be thought of as a "digital forensics" process. Information such as activity logs, login history, and transactions provided by the system or platform falls into this category.&lt;/p&gt;

&lt;p&gt;For example, when you realize your social media account has been hacked, you can look at the account's login history to see login attempts or successful logins that you didn't make. These records can provide important clues about when the attack started. A few weeks ago, I realized my account on a Turkish e-commerce site had been hacked. In a panic, I first changed the password. But then I looked at the "order history" section of the account and saw that products I hadn't ordered had been placed and sent to a different address. I saved this information and the system's "transaction logs" (if available) by taking screenshots. These records later served as evidence when I contacted my bank and filed a complaint with the platform.&lt;/p&gt;

&lt;p&gt;The most important point to note in this process is to protect the "integrity of the evidence" you collect. That is, you must preserve these records as they are, without tampering with them. Taking screenshots and saving logs as a text file helps ensure this integrity. If possible, use the official reporting tools provided by the platform. Such logs are usually found under headings like account activity history, session information, or security alerts.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Example of reviewing logs on a Linux server&lt;/span&gt;
&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="s2"&gt;"Failed password"&lt;/span&gt; /var/log/auth.log
&lt;span class="c"&gt;# or&lt;/span&gt;
journalctl &lt;span class="nt"&gt;-u&lt;/span&gt; sshd | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="s2"&gt;"session opened for user"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These commands can help detect unauthorized login attempts or successful logins to the server.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Setting Up Two-Factor Authentication (2FA) and Security Questions
&lt;/h2&gt;

&lt;p&gt;After an account is hacked, one of the most effective measures is to activate two-factor authentication (2FA). This means that the attacker cannot access the account by merely knowing your password. The second factor is usually an SMS code sent to your phone, a temporary code generated by an authentication app (Google Authenticator, Authy, etc.), or a physical security key. This layered security makes your accounts much safer.&lt;/p&gt;

&lt;p&gt;Some time ago, I realized the password for an account I used on a forum site had been compromised. I immediately changed my password, but then I activated the 2FA feature offered by the platform. A few days later, I saw another login attempt with the same password. However, because 2FA was active, this login attempt failed, and I received a notification. This example clearly shows how deterrent and protective 2FA is. If your account has a 2FA option, you should activate it at the first opportunity.&lt;/p&gt;

&lt;p&gt;Similarly, you should review your account recovery options. Most platforms ask security questions to verify your identity when you forget your password or your account is locked. The answers to these questions should be difficult to guess and meaningful to you. However, these answers can also be compromised by an attacker. Therefore, when answering security questions, it might be smart to choose answers that are different from your real answers but that you can remember. For example, instead of giving your real pet's name for the question "What was the name of your first pet?", you could combine it with a passphrase you can remember, like "My_first_dog_Max".&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Things to Consider for Security Questions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Do not choose answers for security questions that can be easily found on social media. For example, your child's date of birth or your pet's name, if shared on social media, can be easily guessed by attackers. Instead of such information, use random words or phrases that you determine and can remember.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  4. Notifying Relevant Platforms and Institutions
&lt;/h2&gt;

&lt;p&gt;In the first hour after your account is hacked, you should not only defend yourself but also notify the relevant platforms and other institutions that might be potentially affected. These notifications can both speed up the account recovery process and prevent others from experiencing similar victimizations. Especially if you think your financial information has been stolen, contacting your bank or credit card provider is of great importance.&lt;/p&gt;

&lt;p&gt;Once, a friend's identity information was stolen, and a fake bank account was opened in their name using this information. When my friend realized the situation, the first thing they did was contact their bank. The bank immediately investigated the situation and stopped all transactions made from the fake account. Thanks to this quick notification, my friend was saved from significant financial damage. You should also notify the relevant parties according to the type of your hacked account:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Social Media/Email:&lt;/strong&gt; Contact the platform's own support or security team. Account recovery procedures are usually handled through these units.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Financial Accounts (Bank, Credit Card, Payment Systems):&lt;/strong&gt; Immediately contact the fraud department of the relevant financial institution. Request that your cards be blocked or suspicious transactions be canceled.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;E-commerce Sites:&lt;/strong&gt; If the hacked account belongs to an e-commerce site and orders have been placed in your name, contact the site management to report the situation and ask them to cancel suspicious transactions.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Personal Data Breach:&lt;/strong&gt; If you believe your personal data (identity information, address, etc.) has been stolen, you may consider applying to the relevant data protection authority or the police in your country. In Turkey, the Personal Data Protection Authority (KVKK) is authorized in this regard.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;During these notifications, having the evidence you collected (logs, screenshots, etc.) with you will help you prove the seriousness and accuracy of the situation.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Informing Your Close Circle and Family
&lt;/h2&gt;

&lt;p&gt;A compromised account can put not only your digital identity at risk but also people in your social circle. Attackers can use compromised accounts to send fake messages in your name, attempt fraud, or spread your sensitive information. Therefore, the moment you realize the situation, it is of great importance to inform your close circle and especially family members who may be less knowledgeable about digital security.&lt;/p&gt;

&lt;p&gt;A few years ago, an acquaintance's WhatsApp account was hacked. The attacker used this account to contact me and our other mutual friends, asking us to send urgent money. Fortunately, thanks to me and a few others approaching such requests from the hacked account with suspicion and immediately reaching out to the actual person to confirm the situation, the fraud attempt failed. However, this situation shows how dangerous hacked accounts can be and how they can affect our close circle.&lt;/p&gt;

&lt;p&gt;Therefore, when you realize your account has been hacked, here's what you should do:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Inform Your Family Members:&lt;/strong&gt; Especially tell your elderly relatives not to trust suspicious messages coming in your name. Ask them to call you by phone for matters like money transfer requests or sharing personal information.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Warn Your Close Friends:&lt;/strong&gt; Inform them not to click on suspicious links or share sensitive information that might be sent in your name on social media or other platforms.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Immediately Report Suspicious Communications:&lt;/strong&gt; If you see a suspicious message sent from your account in your name, immediately reach out to the relevant people and inform them that it was not sent by you.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This simple but effective step can prevent attackers from defrauding others using your identity and can protect both you and those around you from harm. Ensuring security in the digital world is possible not only by protecting our own accounts but also by raising awareness among those around us.&lt;/p&gt;




&lt;p&gt;Knowing your account has been hacked can be a stressful situation. However, taking the right, sequential steps within these first 60 minutes will help you take control of the situation and minimize potential damage. Strong passwords, two-factor authentication, and vigilance against suspicious activities are the cornerstones of staying safe in the digital world. Remember, acting quickly and consciously instead of panicking is the best defense.&lt;/p&gt;

</description>
      <category>learning</category>
      <category>uretkenlik</category>
    </item>
    <item>
      <title>The Heaviest AI Users Atrophy the Fastest: The Skill Atrophy Trap</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 04:07:05 +0000</pubDate>
      <link>https://dev.to/merbayerp/the-heaviest-ai-users-atrophy-the-fastest-the-skill-atrophy-trap-khp</link>
      <guid>https://dev.to/merbayerp/the-heaviest-ai-users-atrophy-the-fastest-the-skill-atrophy-trap-khp</guid>
      <description>&lt;p&gt;In recent years, AI tools have rapidly entered our lives and fundamentally changed the way we work. They have provided incredible efficiency gains, especially in areas like software development, system administration, and even architectural design. However, from my 20 years of experience, I've observed something: excessive reliance on these tools leads to a serious dulling of our professional skills in the long run, what I call "skill atrophy."&lt;/p&gt;

&lt;p&gt;It has become a clear observation for me that those who use AI the most atrophy the fastest, because AI usually provides the final solution, hindering our ability to understand underlying mechanisms and troubleshoot problems. We used to spend hours wrestling with issues in &lt;code&gt;man&lt;/code&gt; pages or &lt;code&gt;strace&lt;/code&gt; outputs, but now we can get an "answer" in seconds. But this "answer" doesn't always lead us to the right place, and most importantly, it doesn't make us a better engineer.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Skill Atrophy and Why is it Dangerous?
&lt;/h2&gt;

&lt;p&gt;Skill atrophy is the weakening or complete loss of an ability over time when it is not used or is excessively automated. AI tools accelerate this process, especially by simplifying repetitive or complex tasks like writing code, creating configurations, or debugging. While this initially seems like a great efficiency boost, it causes our fundamental problem-solving muscles to weaken.&lt;/p&gt;

&lt;p&gt;This situation becomes apparent, especially when a critical production system crashes and AI's "standard solutions" don't work. At that moment, we need those atrophied fundamental skills to understand why AI's answer didn't work, to get to the root cause of the problem, and to produce a situation-specific solution. For example, a junior developer using an AI-generated &lt;code&gt;Nginx&lt;/code&gt; &lt;code&gt;rewrite&lt;/code&gt; rule as-is leads to them copying and pasting without understanding a complex &lt;code&gt;regex&lt;/code&gt; or the processing order of &lt;code&gt;location&lt;/code&gt; blocks. When the rule doesn't work as expected, instead of manually examining &lt;code&gt;nginx -t&lt;/code&gt; or &lt;code&gt;access.log&lt;/code&gt;s, they ask AI "why isn't it working" again and try another solution. This prevents a deeper understanding of fundamental network or HTTP protocol knowledge.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ The Trap of False Confidence&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The fact that AI-generated solutions often appear "correct" can prevent us from performing genuine verification. This can lead to serious consequences, especially in critical areas like security and performance. Accepting AI's answers without questioning them is an invitation to technical blindness.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How is Fundamental Troubleshooting Ability Eroding?
&lt;/h2&gt;

&lt;p&gt;In fields like system administration and network engineering, troubleshooting ability is one of the most critical skills. Why isn't a service running? Why is memory leaking? Why isn't a packet reaching its destination? The answers to these questions usually require in-depth analysis and manual inspection. AI can offer us starting points in this process, but it often provides a "black box" solution.&lt;/p&gt;

&lt;p&gt;Let me give an example: Last month, a &lt;code&gt;PostgreSQL 15&lt;/code&gt; server's &lt;code&gt;systemd&lt;/code&gt; service kept getting &lt;code&gt;OOM-killed&lt;/code&gt;. When I asked AI, I usually got general advice like "increase memory settings" or "free up disk space." However, when I looked at the &lt;code&gt;journalctl -xe&lt;/code&gt; output, I saw that the problem was actually a &lt;code&gt;memory.high&lt;/code&gt; soft limit applied by &lt;code&gt;cgroup&lt;/code&gt;. The service was being killed by the &lt;code&gt;kernel&lt;/code&gt; when it exceeded the defined limit. AI didn't directly point to this specific &lt;code&gt;cgroup&lt;/code&gt; limit because its output was a general &lt;code&gt;OOM&lt;/code&gt; message. If I hadn't been proficient with &lt;code&gt;journalctl&lt;/code&gt;, or if I hadn't known the difference between &lt;code&gt;cgroup&lt;/code&gt;'s &lt;code&gt;memory.high&lt;/code&gt; and &lt;code&gt;memory.max&lt;/code&gt;, I could have spent days tinkering with general memory settings. Such situations demonstrate how important fundamental Linux service management and kernel-level debugging skills are.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# One of the first answers AI would give:&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;systemctl restart postgresql
&lt;span class="c"&gt;# Result: Still OOM-killed.&lt;/span&gt;

&lt;span class="c"&gt;# Manual debug step:&lt;/span&gt;
journalctl &lt;span class="nt"&gt;-u&lt;/span&gt; postgresql &lt;span class="nt"&gt;-xe&lt;/span&gt;

&lt;span class="c"&gt;# A line that might be seen in the output:&lt;/span&gt;
&lt;span class="c"&gt;# kernel: cgroup: 'memory.high' limit reached for /system.slice/postgresql.service&lt;/span&gt;
&lt;span class="c"&gt;# This is a root cause specific enough that AI might not directly provide it.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  How are Software Architecture and Optimization Decisions Corrupted by AI?
&lt;/h2&gt;

&lt;p&gt;Software architecture is not just about writing code, but also about making strategic decisions about the system as a whole. &lt;code&gt;Monolith&lt;/code&gt; or &lt;code&gt;microservice&lt;/code&gt;? &lt;code&gt;Event-sourcing&lt;/code&gt; or &lt;code&gt;CQRS&lt;/code&gt;? How is &lt;code&gt;idempotency&lt;/code&gt; ensured? These are decisions where AI might offer you the "most popular" or "simplest" solution, but it might not be suitable for the context of your project.&lt;/p&gt;

&lt;p&gt;While working on a production ERP, I sometimes received SQL optimization suggestions from AI for a slow-running report in &lt;code&gt;PostgreSQL&lt;/code&gt;. AI usually offered general recommendations like simplifying &lt;code&gt;JOIN&lt;/code&gt;s or adding &lt;code&gt;INDEX&lt;/code&gt;es. However, the real problem was the &lt;code&gt;ORM&lt;/code&gt; creating an &lt;code&gt;N+1&lt;/code&gt; query problem, meaning it was fetching child records separately for each parent record. Or worse, as seen in the &lt;code&gt;EXPLAIN ANALYZE&lt;/code&gt; output, the &lt;code&gt;planner&lt;/code&gt; was making an incorrect &lt;code&gt;index&lt;/code&gt; selection. AI cannot easily detect this in-depth &lt;code&gt;query planner&lt;/code&gt; behavior or &lt;code&gt;ORM&lt;/code&gt;'s &lt;code&gt;eager-load&lt;/code&gt; explosions. This situation requires the developer to be proficient in &lt;code&gt;SQL&lt;/code&gt;, the internal workings of the &lt;code&gt;ORM&lt;/code&gt;, and &lt;code&gt;database optimization&lt;/code&gt; techniques. If the simple solutions offered by AI prevent us from acquiring this fundamental understanding, we invite bigger performance problems.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ Context is King&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AI feeds on general knowledge. It does not have in-depth information about your project's unique workload, data model, or legacy constraints. Therefore, you should always evaluate architectural recommendations from AI within your own context and examine them critically.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The Dark Side of Automation in Security
&lt;/h2&gt;

&lt;p&gt;System security, with its constantly changing threat landscape and complex structures, is one of the areas where AI can both help the most and create the most danger. AI can assist in creating security policies or recommending basic security controls, but understanding and manually countering a real attack is another level entirely.&lt;/p&gt;

&lt;p&gt;For example, you can get help from AI for &lt;code&gt;fail2ban&lt;/code&gt; configuration on a server. It will give you a basic &lt;code&gt;regex&lt;/code&gt; for &lt;code&gt;sshd&lt;/code&gt; or &lt;code&gt;nginx&lt;/code&gt;. But what if the attacker uses more sophisticated methods? In an attack targeting kernel module vulnerabilities like &lt;code&gt;CVE-2026-31431&lt;/code&gt;, deep measures are needed, such as blacklisting the &lt;code&gt;algif_aead&lt;/code&gt; module or monitoring specific system calls with &lt;code&gt;auditd&lt;/code&gt;. AI cannot generate these types of specific &lt;code&gt;kernel hardening&lt;/code&gt; or &lt;code&gt;audit subsystem&lt;/code&gt; rules without you telling it exactly what you are looking for. Last month, in a client project, a &lt;code&gt;FastAPI&lt;/code&gt; decorator I got from AI for SQL injection mitigation was not enough. The attacker tried to bypass it by hiding the &lt;code&gt;SQL injection&lt;/code&gt; with URL encoding and using &lt;code&gt;subqueries&lt;/code&gt; instead of &lt;code&gt;UNION SELECT&lt;/code&gt;. AI's suggested simple &lt;code&gt;input validation&lt;/code&gt; was insufficient; in this case, it was necessary to manually implement &lt;code&gt;prepared statements&lt;/code&gt; and &lt;code&gt;least privilege&lt;/code&gt; principles, and define more aggressive rules at the &lt;code&gt;WAF&lt;/code&gt; layer. This clearly demonstrates the dangers of focusing only on "how" without asking "why" in the field of security.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Can We Optimize Our Learning Process?
&lt;/h2&gt;

&lt;p&gt;In the age of AI, to prevent skill atrophy, we must adopt an active and conscious learning approach. We should use AI as a teacher, a mentor, not as a solution provider. In one of my own side projects (my Android spam app), I used AI only to understand the &lt;code&gt;Kotlin&lt;/code&gt; code required for &lt;code&gt;Flutter native bridging&lt;/code&gt; or to interpret &lt;code&gt;metadata reject&lt;/code&gt; errors during the &lt;code&gt;Play Store&lt;/code&gt; publishing process to solve performance issues I encountered. However, I solved the actual &lt;code&gt;profiling&lt;/code&gt; and &lt;code&gt;native package integration&lt;/code&gt; problems myself, because AI's general answers were insufficient.&lt;/p&gt;

&lt;p&gt;Here are a few suggestions to optimize our learning process without falling into this trap:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Use AI as an Explainer&lt;/strong&gt;: When you see a piece of code or configuration, ask AI to explain it. Ask questions like, "What does &lt;code&gt;Type=forking&lt;/code&gt; mean in this &lt;code&gt;systemd unit&lt;/code&gt; and why is it important?"&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Verification and Experimentation&lt;/strong&gt;: Test every output from AI and try it on your own system. When it suggests an &lt;code&gt;index&lt;/code&gt; in &lt;code&gt;PostgreSQL&lt;/code&gt;, check with &lt;code&gt;EXPLAIN ANALYZE&lt;/code&gt; if it actually provides a performance improvement.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Revisit Fundamental Knowledge&lt;/strong&gt;: When you struggle to understand a topic, turn to official documentation (Linux &lt;code&gt;man&lt;/code&gt; pages, RFCs, open-source project documentation) rather than AI. For example, AI can give you a general summary about &lt;code&gt;BGP routing decisions&lt;/code&gt;, but reading RFC 4271 will help you understand the depth of the protocol.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Reverse Engineer&lt;/strong&gt;: Take a code or configuration generated by AI and try to understand why it works that way. Question the purpose of every line, every parameter.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Seek Manual Solutions&lt;/strong&gt;: When you encounter a problem, try to solve it yourself before asking AI. This will strengthen your problem-solving muscles. But if you get stuck, use AI to get a hint.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  A Pragmatic Approach: Positioning AI as a Tool
&lt;/h2&gt;

&lt;p&gt;Completely rejecting AI would be illogical in today's world. It's like insisting on using an axe when there's an electric saw. The important thing is to know when and how to use AI. My philosophy is to position AI as an accelerating tool, but to constantly strive to maintain and develop my core competencies.&lt;/p&gt;

&lt;p&gt;In the financial calculators of one of my side products, I use AI to quickly verify complex mathematical formulas or to better understand user inputs through &lt;code&gt;prompt engineering&lt;/code&gt;. However, I write the core business logic, calculation algorithms, and &lt;code&gt;idempotency&lt;/code&gt; controls that ensure data integrity myself. While building a &lt;code&gt;multi-provider fallback&lt;/code&gt; architecture using different &lt;code&gt;provider&lt;/code&gt;s like &lt;code&gt;Gemini Flash&lt;/code&gt;, &lt;code&gt;Groq&lt;/code&gt;, &lt;code&gt;Cerebras&lt;/code&gt;, I use &lt;code&gt;LLM&lt;/code&gt;s themselves as accelerators, but I manually design and test this &lt;code&gt;fallback&lt;/code&gt; logic and &lt;code&gt;rate limiting&lt;/code&gt; mechanisms. This both saves me time and ensures I don't lose control over the critical parts of the system.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Use AI as a Mentor&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Think of AI as a mentor that can guide you on unfamiliar topics and offer different perspectives. Instead of getting direct answers from it, ask questions like, "How do I debug this?", "What are the possible root causes of this error?", "What are the advantages and disadvantages of this architecture?" to develop your critical thinking skills.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In my career, when solving &lt;code&gt;PostgreSQL WAL bloat&lt;/code&gt; issues, making &lt;code&gt;Redis OOM eviction policy&lt;/code&gt; choices, or configuring &lt;code&gt;Nginx reverse proxy&lt;/code&gt; settings, a general answer from AI would only save me at that moment. But understanding the deep reasons behind these problems, performing &lt;code&gt;connection pool tuning&lt;/code&gt;, determining &lt;code&gt;replication&lt;/code&gt; strategies, or making conscious &lt;code&gt;L4 vs L7 load balancing&lt;/code&gt; choices made me a real engineer. This means that AI cannot solve everything, and we need to continuously exercise our engineering muscles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: Invest in Your Own Muscles
&lt;/h2&gt;

&lt;p&gt;AI undoubtedly simplifies our work and increases efficiency. However, this convenience also brings with it an insidious danger like "skill atrophy." The lesson I've learned from my 20 years of experience is this: no matter how much technology advances, fundamental engineering skills, critical thinking ability, and problem-solving muscles will always be our most valuable assets.&lt;/p&gt;

&lt;p&gt;To avoid falling into this trap, we must use AI consciously, question the solutions it offers, and always try to understand the underlying principles. Investing in our own technical muscles will not only make us better engineers in the long run but also position us as adaptive and valuable professionals who can solve problems even when AI falls short. Otherwise, those who use AI the most are destined to atrophy the fastest.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>career</category>
      <category>indiehacker</category>
    </item>
    <item>
      <title>I Deleted Google Photos: All My Memories to My Own Server with Immich</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Thu, 18 Jun 2026 00:19:11 +0000</pubDate>
      <link>https://dev.to/merbayerp/i-deleted-google-photos-all-my-memories-to-my-own-server-with-immich-4j5n</link>
      <guid>https://dev.to/merbayerp/i-deleted-google-photos-all-my-memories-to-my-own-server-with-immich-4j5n</guid>
      <description>&lt;p&gt;Ever since Google Photos changed its free storage limits, the idea of hosting all my digital memories under my own control, on my own server, has been on my mind. Last month, I finally pulled my nearly 400 GB photo and video archive entirely from Google and migrated it to my own VPS using the open-source Immich project. This process not only involved moving my data but also taught me important lessons about data sovereignty and long-term costs.&lt;/p&gt;

&lt;p&gt;In this post, I will detail why I left Google Photos, why I chose Immich, the setup and data migration steps, the technical challenges I encountered, and the maintenance and security strategies I apply to keep my own photo server running.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why I Left Google Photos: Data Sovereignty and Cost
&lt;/h2&gt;

&lt;p&gt;For years, I got used to the convenience of Google Photos. Everything I shot on my phone was automatically backed up, and I could easily find anything I was looking for. However, with the end of unlimited storage in 2021, I realized that this convenience would come at a cost. The turning point for me was having nearly 400 GB of photo and video data and exceeding Google's 100 GB free quota.&lt;/p&gt;

&lt;p&gt;When I saw the approximately 100 USD I would have to pay annually for 2 TB of storage, I calculated that this cost would be more expensive in the long run than buying a disk for my own server. Moreover, I was concerned about how my data was processed by Google's AI algorithms and how much my privacy was protected. I had a similar data sovereignty discussion while working on a production ERP; there, too, the risks and costs of keeping critical company data in the cloud pushed us to invest in our own infrastructure. My personal data was at least as critical to me.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Cost Analysis&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When calculating long-term costs, it's important to consider not only cloud storage fees but also potential data transfer fees and the risk of changes in the cloud service provider's pricing policies. The one-time cost I paid for a 2 TB disk on my own server would be more affordable than the total amount I would pay to Google over a few years.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What is Immich and Why Did I Choose Immich?
&lt;/h2&gt;

&lt;p&gt;My search for an alternative to Google Photos led me to a number of open-source solutions. I examined options like PhotoPrism and Nextcloud Photos, but Immich, with its modern interface and mobile app support, met my expectations the most. Immich offers a self-hosted photo and video backup solution; it stands out with features like AI-powered object and face recognition, automatic backup, and multi-user support.&lt;/p&gt;

&lt;p&gt;The main reasons I chose Immich were:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Mobile App:&lt;/strong&gt; Thanks to its native apps for both Android and iOS, I can automatically back up from my phone. The user experience is quite similar to Google Photos.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Active Development:&lt;/strong&gt; The project's GitHub repository is constantly updated, new features are rapidly added, and the community is very active. This gave me confidence for future support and development.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Microservice Architecture:&lt;/strong&gt; In the background, PostgreSQL, Redis, and multiple Immich services run via Docker containers. This structure felt familiar to me in terms of performance and scalability; since we use similar approaches in enterprise software architectures, it would be easier to manage.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;AI Features:&lt;/strong&gt; Thanks to AI algorithms running on my own server, I can perform object and face recognition in my photos. This allows me to perform smart searches without sending my data to a third-party service.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other solutions either lacked sufficient mobile app support or had very outdated interfaces. Immich stood out with its promise of a modern experience under my own control.&lt;/p&gt;

&lt;h2&gt;
  
  
  Immich Installation Process: Step-by-Step with Docker Compose
&lt;/h2&gt;

&lt;p&gt;I used Docker Compose to install Immich on my own VPS. For me, running Docker containers on a bare-metal server is always my favorite hybrid deployment method, both for flexibility and resource management. Before installation, I had an Ubuntu 22.04 LTS VPS with 4 GB RAM and 2 vCPUs ready. Docker and Docker Compose were installed on this VPS.&lt;/p&gt;

&lt;p&gt;The installation steps generally proceeded as follows:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  A Linux server (Ubuntu recommended)&lt;/li&gt;
&lt;li&gt;  Docker and Docker Compose&lt;/li&gt;
&lt;li&gt;  Sufficient storage space (in my case, a 2 TB NVMe disk)&lt;/li&gt;
&lt;li&gt;  Nginx (for reverse proxy and SSL)&lt;/li&gt;
&lt;li&gt;  A domain name (e.g., &lt;code&gt;photos.mysite.com&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Pulling Immich Project Files:&lt;/strong&gt;&lt;br&gt;
I downloaded the &lt;code&gt;docker-compose.yml&lt;/code&gt; file from Immich's &lt;a href="https://github.com/immich-app/immich" rel="noopener noreferrer"&gt;official GitHub repository&lt;/a&gt;. This file defines all Immich services (server, microservices, web, machine learning, PostgreSQL, Redis).&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;mkdir&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; /opt/immich &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;cd&lt;/span&gt; /opt/immich
wget &lt;span class="nt"&gt;-O&lt;/span&gt; docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
wget &lt;span class="nt"&gt;-O&lt;/span&gt; .env https://github.com/immich-app/immich/releases/latest/download/example.env
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Setting Environment Variables (.env):&lt;/strong&gt;&lt;br&gt;
I edited the &lt;code&gt;.env&lt;/code&gt; file to make adjustments according to my own requirements. Variables such as &lt;code&gt;DB_PASSWORD&lt;/code&gt;, &lt;code&gt;UPLOAD_LOCATION&lt;/code&gt; (the directory where photos will be stored), and &lt;code&gt;TZ&lt;/code&gt; (timezone) were particularly important. I used the &lt;code&gt;/mnt/data/immich_uploads&lt;/code&gt; directory for photos on my server.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Example .env file content&lt;/span&gt;
&lt;span class="nv"&gt;DB_PASSWORD&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;very_strong_password
&lt;span class="nv"&gt;UPLOAD_LOCATION&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/mnt/data/immich_uploads
&lt;span class="nv"&gt;TZ&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;Europe/Istanbul
&lt;span class="c"&gt;# ... other Immich settings&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Starting Containers:&lt;/strong&gt;&lt;br&gt;
After making all the settings, I started the Immich services with a single command.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker compose up &lt;span class="nt"&gt;-d&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;


&lt;p&gt;This command started all services in the background and downloaded the container images. The first launch may take some time, as multiple images are downloaded and the PostgreSQL database is initially set up. I monitored the status of the services with the &lt;code&gt;docker compose logs -f&lt;/code&gt; command.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The architecture of Immich services is quite modular. The Mermaid diagram below shows how the main components interact with each other:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQ7CiAgICBBWyJVc2VyIChXZWIvTW9iaWxlIEFwcCkiXSAtLT4gQlsiTmdpbnggKFJldmVyc2UgUHJveHkpIl07CiAgICBCIC0tPiBDWyJJbW1pY2ggV2ViIl07CiAgICBCIC0tPiBEWyJJbW1pY2ggU2VydmVyIChBUEkpIl07CiAgICBEIC0tPiBFWyJJbW1pY2ggTWljcm9zZXJ2aWNlcyJdOwogICAgRCAtLT4gRlsiUG9zdGdyZVNRTCJdOwogICAgRSAtLT4gRjsKICAgIEUgLS0-IEdbIlJlZGlzIl07CiAgICBFIC0tPiBIWyJJbW1pY2ggTWFjaGluZSBMZWFybmluZyJdOwogICAgSCAtLT4gRjsKICAgIEggLS0-IEc7CiAgICBGIC0tPiBJWyJTdG9yYWdlIChpbW1pY2hfdXBsb2FkcykiXTsKICAgIEUgLS0-IEk7%3Ftype%3Dpng%26bgColor%3Dwhite" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQ7CiAgICBBWyJVc2VyIChXZWIvTW9iaWxlIEFwcCkiXSAtLT4gQlsiTmdpbnggKFJldmVyc2UgUHJveHkpIl07CiAgICBCIC0tPiBDWyJJbW1pY2ggV2ViIl07CiAgICBCIC0tPiBEWyJJbW1pY2ggU2VydmVyIChBUEkpIl07CiAgICBEIC0tPiBFWyJJbW1pY2ggTWljcm9zZXJ2aWNlcyJdOwogICAgRCAtLT4gRlsiUG9zdGdyZVNRTCJdOwogICAgRSAtLT4gRjsKICAgIEUgLS0-IEdbIlJlZGlzIl07CiAgICBFIC0tPiBIWyJJbW1pY2ggTWFjaGluZSBMZWFybmluZyJdOwogICAgSCAtLT4gRjsKICAgIEggLS0-IEc7CiAgICBGIC0tPiBJWyJTdG9yYWdlIChpbW1pY2hfdXBsb2FkcykiXTsKICAgIEUgLS0-IEk7%3Ftype%3Dpng%26bgColor%3Dwhite" alt="Diagram" width="579" height="694"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This structure ensures that each component fulfills its own responsibility and helps prevent a single component failure from affecting the entire system.&lt;/p&gt;

&lt;h2&gt;
  
  
  Importing Google Takeout Data to Immich and Challenges Faced
&lt;/h2&gt;

&lt;p&gt;After completing the Immich setup, the most critical step was importing the data I downloaded from Google Photos to Immich. I had downloaded my entire archive as ZIP files using Google Takeout. However, properly importing this data into Immich was a more complex process than I expected.&lt;/p&gt;

&lt;p&gt;Google Takeout creates a separate JSON file (&lt;code&gt;.json&lt;/code&gt;) for each photo or video to store metadata information (capture date, location, etc.). Immich's own import tool can read these JSON files, but Takeout's folder structure and sometimes missing or incorrect metadata information can cause problems.&lt;/p&gt;

&lt;p&gt;For import, I used a CLI tool called &lt;code&gt;immich-go&lt;/code&gt;. This tool is specifically designed to import Google Takeout data into Immich.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Preparing Google Takeout Data:&lt;/strong&gt;&lt;br&gt;
I unzipped all the ZIP files and placed them under a single root directory as expected by the &lt;code&gt;immich-go&lt;/code&gt; tool. For example: &lt;code&gt;/mnt/data/google_takeout_data&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Installing the &lt;code&gt;immich-go&lt;/code&gt; Tool:&lt;/strong&gt;&lt;br&gt;
I installed the tool on a system with Go installed (I installed it on my laptop) with the following command:&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;go &lt;span class="nb"&gt;install &lt;/span&gt;github.com/alextran1502/immich-go@latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Importing Data to Immich:&lt;/strong&gt;&lt;br&gt;
I started the import with &lt;code&gt;immich-go&lt;/code&gt; by specifying my Immich server address and API key.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;immich-go upload &lt;span class="nt"&gt;--server&lt;/span&gt; https://photos.mysite.com &lt;span class="nt"&gt;--api-key&lt;/span&gt; &amp;lt;IMMICH_API_KEY&amp;gt; &lt;span class="nt"&gt;--recursive&lt;/span&gt; /mnt/data/google_takeout_data
&lt;/code&gt;&lt;/pre&gt;


&lt;p&gt;One of the biggest challenges I encountered here was that the metadata of some photos in Takeout JSONs was corrupted. Especially for very old photos or videos uploaded from different devices, EXIF information could be missing. This prevented Immich from indexing these files with the correct timestamp. Some files appeared with default dates like &lt;code&gt;2000-01-01&lt;/code&gt;. This reminded me of the date format and data integrity issues we faced when integrating IFRS into a production ERP; data quality is always the biggest source of problems.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Metadata Loss and Timestamps&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It is possible for some metadata information in Google Takeout data to be missing or incorrect. This is often the case for old photos or photos from different sources. After importing into Immich, check the timestamps of important photos and correct them manually if necessary. Otherwise, your memories may not be in chronological order.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;To detect such issues, I carefully examined the "Recently Uploaded" section in the Immich interface after the import and manually found and corrected files with strange-looking dates. Sometimes I also updated the EXIF data of photos using tools like &lt;code&gt;exiftool&lt;/code&gt; with the information from the JSON.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Keeping the Immich Infrastructure Running: Maintenance, Security, and Performance
&lt;/h2&gt;

&lt;p&gt;Setting up my own photo server is not just a one-time setup. It requires continuous maintenance, security updates, and performance optimization. This was another example of the "setup never ends, operations begin" principle I learned from my 20 years of system administration experience.&lt;/p&gt;

&lt;h3&gt;
  
  
  Maintenance and Updates
&lt;/h3&gt;

&lt;p&gt;Since Immich is actively developed, it's important to keep up with updates regularly. I usually run &lt;code&gt;docker compose pull &amp;amp;&amp;amp; docker compose up -d&lt;/code&gt; commands weekly to update the containers to the latest versions. This allows me to get new features as well as critical security patches.&lt;/p&gt;

&lt;h3&gt;
  
  
  Security
&lt;/h3&gt;

&lt;p&gt;I adopted a multi-layered approach to secure my Immich server:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Nginx Reverse Proxy and SSL:&lt;/strong&gt; Instead of direct access to Immich, I routed all traffic through Nginx. I used a free SSL certificate from Let's Encrypt to ensure all traffic is encrypted. This is an approach I frequently use in &lt;code&gt;L7 load balancing&lt;/code&gt; scenarios as well.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight nginx"&gt;&lt;code&gt;&lt;span class="c1"&gt;# /etc/nginx/sites-available/immich.conf&lt;/span&gt;
&lt;span class="k"&gt;server&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="kn"&gt;listen&lt;/span&gt; &lt;span class="mi"&gt;80&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;server_name&lt;/span&gt; &lt;span class="s"&gt;photos.mysite.com&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;return&lt;/span&gt; &lt;span class="mi"&gt;301&lt;/span&gt; &lt;span class="s"&gt;https://&lt;/span&gt;&lt;span class="nv"&gt;$host$request_uri&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="k"&gt;server&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="kn"&gt;listen&lt;/span&gt; &lt;span class="mi"&gt;443&lt;/span&gt; &lt;span class="s"&gt;ssl&lt;/span&gt; &lt;span class="s"&gt;http2&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;server_name&lt;/span&gt; &lt;span class="s"&gt;photos.mysite.com&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

    &lt;span class="kn"&gt;ssl_certificate&lt;/span&gt; &lt;span class="n"&gt;/etc/letsencrypt/live/photos.mysite.com/fullchain.pem&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_certificate_key&lt;/span&gt; &lt;span class="n"&gt;/etc/letsencrypt/live/photos.mysite.com/privkey.pem&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_session_cache&lt;/span&gt; &lt;span class="s"&gt;shared:SSL:10m&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_session_timeout&lt;/span&gt; &lt;span class="mi"&gt;10m&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_protocols&lt;/span&gt; &lt;span class="s"&gt;TLSv1.2&lt;/span&gt; &lt;span class="s"&gt;TLSv1.3&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_ciphers&lt;/span&gt; &lt;span class="s"&gt;"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kn"&gt;ssl_prefer_server_ciphers&lt;/span&gt; &lt;span class="no"&gt;on&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

    &lt;span class="kn"&gt;location&lt;/span&gt; &lt;span class="n"&gt;/&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_pass&lt;/span&gt; &lt;span class="s"&gt;http://immich_web:3000&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;# Immich web container name and port&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;Host&lt;/span&gt; &lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Real-IP&lt;/span&gt; &lt;span class="nv"&gt;$remote_addr&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Forwarded-For&lt;/span&gt; &lt;span class="nv"&gt;$proxy_add_x_forwarded_for&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Forwarded-Proto&lt;/span&gt; &lt;span class="nv"&gt;$scheme&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_buffering&lt;/span&gt; &lt;span class="no"&gt;off&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;# Important for large file uploads&lt;/span&gt;
        &lt;span class="kn"&gt;client_max_body_size&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;# Unlimited file size&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="kn"&gt;location&lt;/span&gt; &lt;span class="n"&gt;/api&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_pass&lt;/span&gt; &lt;span class="s"&gt;http://immich_server:3001&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;# Immich API container name and port&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;Host&lt;/span&gt; &lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Real-IP&lt;/span&gt; &lt;span class="nv"&gt;$remote_addr&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Forwarded-For&lt;/span&gt; &lt;span class="nv"&gt;$proxy_add_x_forwarded_for&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_set_header&lt;/span&gt; &lt;span class="s"&gt;X-Forwarded-Proto&lt;/span&gt; &lt;span class="nv"&gt;$scheme&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;proxy_buffering&lt;/span&gt; &lt;span class="no"&gt;off&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="kn"&gt;client_max_body_size&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Fail2ban:&lt;/strong&gt; I installed &lt;code&gt;fail2ban&lt;/code&gt; to block failed login attempts to the server. It automatically blocks brute-force attacks by monitoring Nginx logs. This is always one of the first security measures I take.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Firewall (UFW):&lt;/strong&gt; I ensured that only the necessary ports (80, 443) were open, making other server ports inaccessible from the outside. I also isolated communication between Immich's containers via Docker's own network.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;System Security:&lt;/strong&gt; I monitor Linux kernel modules (with &lt;code&gt;auditd&lt;/code&gt;) and track known CVEs. For example, I previously blacklisted a kernel module for a security vulnerability in the &lt;code&gt;algif_aead&lt;/code&gt; module. Such measures increase the overall security of the server.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Performance Optimization
&lt;/h3&gt;

&lt;p&gt;I made some performance adjustments for Immich to run fast and smoothly:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;PostgreSQL Tuning:&lt;/strong&gt; Since PostgreSQL is the heart of Immich, I optimized the database settings. In particular, I adjusted &lt;code&gt;shared_buffers&lt;/code&gt;, &lt;code&gt;work_mem&lt;/code&gt;, and &lt;code&gt;max_connections&lt;/code&gt; parameters according to my server's RAM and usage model. I also optimized &lt;code&gt;checkpoint_completion_target&lt;/code&gt; and &lt;code&gt;max_wal_size&lt;/code&gt; settings to prevent WAL bloat issues.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="c1"&gt;-- Some adjustments made in postgresql.conf&lt;/span&gt;
&lt;span class="n"&gt;shared_buffers&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="n"&gt;GB&lt;/span&gt;          &lt;span class="c1"&gt;-- Around 25% of total RAM&lt;/span&gt;
&lt;span class="n"&gt;work_mem&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;64&lt;/span&gt;&lt;span class="n"&gt;MB&lt;/span&gt;               &lt;span class="c1"&gt;-- Memory per query&lt;/span&gt;
&lt;span class="n"&gt;maintenance_work_mem&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;256&lt;/span&gt;&lt;span class="n"&gt;MB&lt;/span&gt;  &lt;span class="c1"&gt;-- For operations like VACUUM&lt;/span&gt;
&lt;span class="n"&gt;max_connections&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;100&lt;/span&gt;         &lt;span class="c1"&gt;-- According to application's connection needs&lt;/span&gt;
&lt;span class="n"&gt;wal_level&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;replica&lt;/span&gt;
&lt;span class="n"&gt;max_wal_size&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;4&lt;/span&gt;&lt;span class="n"&gt;GB&lt;/span&gt;            &lt;span class="c1"&gt;-- Maximum size of WAL files&lt;/span&gt;
&lt;span class="n"&gt;checkpoint_completion_target&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="mi"&gt;9&lt;/span&gt; &lt;span class="c1"&gt;-- To extend checkpoint duration&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Redis Eviction Policy:&lt;/strong&gt; Redis is used by Immich for caching. I set the &lt;code&gt;maxmemory-policy&lt;/code&gt; setting, which determines which data to evict when memory is full, to &lt;code&gt;allkeys-lru&lt;/code&gt;. This ensures that the least recently used keys are evicted, keeping important data in memory.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Container Resource Limits:&lt;/strong&gt; I limited the RAM and CPU usage of Immich containers using &lt;code&gt;cgroup&lt;/code&gt; settings within Docker Compose. This was critical, especially since the &lt;code&gt;immich-machine-learning&lt;/code&gt; service can consume high CPU and RAM. The &lt;code&gt;memory.high&lt;/code&gt; soft limit prevents a service from overusing memory while tolerating momentary spikes.&lt;br&gt;
&lt;/p&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Example for immich-machine-learning service in docker-compose.yml&lt;/span&gt;
&lt;span class="na"&gt;immich-machine-learning&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ghcr.io/immich-app/immich-machine-learning:latest&lt;/span&gt;
    &lt;span class="na"&gt;restart&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;always&lt;/span&gt;
    &lt;span class="na"&gt;environment&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="c1"&gt;# ...&lt;/span&gt;
    &lt;span class="na"&gt;deploy&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;limits&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
                &lt;span class="na"&gt;cpus&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;1.0'&lt;/span&gt;
                &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2G&lt;/span&gt;
            &lt;span class="na"&gt;reservations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
                &lt;span class="na"&gt;cpus&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;0.5'&lt;/span&gt;
                &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;1G&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Monitoring:&lt;/strong&gt; I continuously monitor the performance of my server and Immich services using Prometheus and Grafana. I track metrics such as disk usage (I'm sensitive about this after experiencing a "docker disk fire"), CPU, RAM, and network traffic. I receive notifications when an alarm threshold is exceeded.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Backup Strategy
&lt;/h3&gt;

&lt;p&gt;The most important aspect of my own photo server is backup. Losing all my memories would be a disaster. Therefore, I regularly back up Immich data:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;PostgreSQL Database Backup:&lt;/strong&gt; Every night, I back up the database using &lt;code&gt;pg_dump&lt;/code&gt; and copy it to a separate storage area (an SMB share on a different server).&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Photo and Video Files:&lt;/strong&gt; I synchronize the directory I specified as &lt;code&gt;UPLOAD_LOCATION&lt;/code&gt; (i.e., &lt;code&gt;/mnt/data/immich_uploads&lt;/code&gt;) with &lt;code&gt;rsync&lt;/code&gt; every night, backing it up to a separate storage unit.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;These two backup strategies allow me to fully restore my Immich setup in case of any disaster.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and Future Plans for Photo Management on My Own Server
&lt;/h2&gt;

&lt;p&gt;Migrating from Google Photos to Immich was more than just a technical challenge for me; it meant regaining control over my digital assets. However, as with every technological decision, this approach has its own advantages and disadvantages.&lt;/p&gt;

&lt;h3&gt;
  
  
  Advantages:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Full Control and Privacy:&lt;/strong&gt; I know exactly where my data is stored, who can access it, and which algorithms process it. I am not dependent on a third-party company's privacy policies.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cost-Effectiveness:&lt;/strong&gt; Although there is an initial setup cost (VPS, disk), it is more affordable in the long run than annual subscription fees. This difference becomes even more pronounced for those with high storage needs.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Flexibility:&lt;/strong&gt; Since it's on my own server, I can customize Immich according to my needs, and integrate it with different services (for example, I can use an AI model from my own side project to tag my photos).&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Learning Opportunity:&lt;/strong&gt; This process reinforced my practical experience in Docker, PostgreSQL tuning, Nginx configuration, and Linux system administration.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Disadvantages:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Maintenance Burden:&lt;/strong&gt; System updates, backups, security patches, and potential troubleshooting are entirely my responsibility. This requires time and technical knowledge.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Initial Setup Complexity:&lt;/strong&gt; After the "plug and play" ease of Google Photos, Immich's setup and data migration required more technical knowledge and patience.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Internet Connection:&lt;/strong&gt; Since my home internet upload speed is limited, initial synchronization and uploading large video files took days. A good upload speed is critical for high-resolution photos and 4K videos.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Backup Responsibility:&lt;/strong&gt; A robust backup strategy must be established and regularly checked to prevent data loss. This is an additional responsibility for those accustomed to the automatic backup convenience of cloud services.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Future Plans
&lt;/h3&gt;

&lt;p&gt;My journey with Immich is just beginning. In the future, I aim to further develop Immich's AI capabilities. In particular, I plan to integrate some of my own AI models (using prompt engineering and RAG patterns) into Immich to add smarter search and automatic tagging features. Also, writing scripts to automatically synchronize photos from different devices (action cameras, drones) to Immich is among my plans.&lt;/p&gt;

&lt;p&gt;This transition, like the "monolith vs microservice" debate, once again reminded me of the benefits and responsibilities that come with having full control over a system. My preference, when it comes to my personal data, has always been to take control.&lt;/p&gt;

&lt;p&gt;I am quite satisfied with my Immich experience. Hosting my own data on my own server has given me both peace of mind and technological satisfaction. If you also want to take control of your digital memories, Immich is definitely a project you should consider. In the next post, I will explain how I integrated this Immich setup with a Zero-Trust Network Access (ZTNA) architecture.&lt;/p&gt;

</description>
      <category>selfhosting</category>
      <category>linux</category>
      <category>docker</category>
      <category>postgres</category>
    </item>
    <item>
      <title>Will AI Make Developers Jobless? An Honest Answer</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 14:07:26 +0000</pubDate>
      <link>https://dev.to/merbayerp/will-ai-make-developers-jobless-an-honest-answer-g6n</link>
      <guid>https://dev.to/merbayerp/will-ai-make-developers-jobless-an-honest-answer-g6n</guid>
      <description>&lt;p&gt;The question of whether AI will make developers jobless is one of the most common things I've heard lately. My short and honest answer is: &lt;strong&gt;No, AI will not make developers jobless, but it will fundamentally change the nature of our work and put some developers, especially those who cannot adapt to change, in a difficult position.&lt;/strong&gt; Based on my 20 years of experience in system architecture, network, and software development, this transformation encompasses much more than just writing code.&lt;/p&gt;

&lt;p&gt;Once, in an ERP project for manufacturing, I asked AI to generate boilerplate code for a module. Its initial output looked quite good, quickly creating an API endpoint and models for simple CRUD operations. However, I found that AI was completely inadequate at understanding the critical part of the job: the complex business workflow that checks whether a product has passed its final quality control before shipment and affects stock movements between different warehouses, and then translating that into code. AI can form coherent sentences, but it cannot understand the &lt;em&gt;spirit of the business&lt;/em&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Much Code Can AI Write and What Are Its Limits?
&lt;/h2&gt;

&lt;p&gt;AI models, especially large language models (LLMs), have made incredible progress in tasks such as writing code, refactoring, debugging, and creating test scenarios. Quickly spinning up an HTTP server, generating ORM models from a database schema, or writing a function according to a specific algorithm is now possible in seconds. I've greatly benefited from AI when creating simple endpoints for FastAPI in the backend of my side product or designing basic UI components for an Android spam app.&lt;/p&gt;

&lt;p&gt;However, there are clear limits to AI's capabilities. Current AIs struggle to understand complex business logic, organizational flows, or subtle dependencies between different systems. As I've seen in an internal banking platform, it's currently impossible for AI alone to correctly interpret and code layered rules such as security requirements, regulatory restrictions, and approval processes from different departments for a financial transaction. AI only processes the patterns and existing data it's given; it cannot grasp the deep &lt;em&gt;cause-and-effect&lt;/em&gt; relationships or the &lt;em&gt;strategic purpose&lt;/em&gt; behind those patterns.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where Has AI Fit Into My Experiences?
&lt;/h2&gt;

&lt;p&gt;I see AI as a "co-pilot" in my work, never an "autopilot." Especially when developing an ERP for a manufacturing company, we used AI for production planning optimization. We received predictions from AI to analyze data from operator screens and optimally adjust inventory and shipment dates. This provided an efficiency far beyond manual planning.&lt;/p&gt;

&lt;p&gt;However, the job of providing AI with the correct data, training models, interpreting its outputs, and seamlessly integrating these outputs into the existing ERP flow was entirely up to me and my team. In critical system administration tasks like determining index strategies in a PostgreSQL database, setting Redis's OOM eviction policy, or managing journald limits in the system, the simple command suggestions offered by AI were often insufficient. That's where real experience and the answer to the "why" question come into play.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ AI is a Tool&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AI, just like an IDE or a debugger, is a powerful tool that allows us to do our work faster and more efficiently. But for a carpenter to build a perfect table with a hammer, a hammer alone is not enough; they need to know the wood, understand the design, and have years of experience.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How Is the Developer's Role Changing in the Future?
&lt;/h2&gt;

&lt;p&gt;With the rise of AI, the role of developers will shift towards higher-level thinking, problem-solving, and system architecture. Rather than writing raw code, asking AI the right questions (prompt engineering), critically evaluating AI's output, and integrating this output into existing complex systems will become more valuable. I can get ideas from AI when designing a ZTNA architecture or examining a BGP routing decision, but I make the final decision based on my own experience and risk analysis.&lt;/p&gt;

&lt;p&gt;Especially when working on AI application architectures like RAG (Retrieval-Augmented Generation) or agent patterns, I've seen how critical it is to ensure that AI doesn't just rely on what it has learned, but can also access the specific and up-to-date information I provide. This strengthens the developer's role as an "information manager" and "system integrator." The developer of the future will need to know the business domain very well, in addition to technical knowledge; because it will be that domain knowledge that tells AI what to optimize.&lt;/p&gt;

&lt;h2&gt;
  
  
  Is the Real Risk of AI Joblessness, or Something Else?
&lt;/h2&gt;

&lt;p&gt;In my opinion, the real risk of AI for developers is not joblessness, but &lt;strong&gt;resistance to change and loss of competence.&lt;/strong&gt; If a developer sees AI only as a "code-writing machine" and doesn't bother to learn and use it, or blindly trusts the code produced by AI, then they can truly lose their competitive edge. Last month, I got a timer config for a systemd unit from AI; it looked correct at first, but it entered an unexpected OOM-killed loop due to the &lt;code&gt;Restart&lt;/code&gt; policy. To understand this, I again had to use my knowledge of Linux services and cgroup limits.&lt;/p&gt;

&lt;p&gt;So, the issue is not how well AI writes code, but how well we understand, manage, and work with AI. The human brain still possesses adaptability, abstract thinking power, and ethical judgment that AI does not. If we develop these abilities and use AI as an extension of ourselves, we can achieve much greater success in software development.&lt;/p&gt;

&lt;h2&gt;
  
  
  So, what do you think? How do you think AI will affect your job, and how are you preparing for this transformation? Share with me in the comments.
&lt;/h2&gt;

</description>
      <category>ai</category>
      <category>software</category>
    </item>
    <item>
      <title>From Eggdrop to AI Agents: It's Not Actually That New</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 12:48:52 +0000</pubDate>
      <link>https://dev.to/merbayerp/from-eggdrop-to-ai-agents-its-not-actually-that-new-1m7d</link>
      <guid>https://dev.to/merbayerp/from-eggdrop-to-ai-agents-its-not-actually-that-new-1m7d</guid>
      <description>&lt;p&gt;These days, AI Agents, MCP servers, tool calling, memory systems, and autonomous workflows are among the hottest topics in the tech world. People talk about how AI can now use tools, make decisions, and carry out complex tasks on its own. Most of these are genuinely impressive developments.&lt;/p&gt;

&lt;p&gt;But whenever I think about these topics, another era keeps coming to mind.&lt;/p&gt;

&lt;p&gt;The IRC days.&lt;/p&gt;

&lt;p&gt;A large portion of today's young developers have never used IRC. Some may not have even heard of it. But back when the internet was simpler, slower, and maybe more intimate, IRC was the center of online communities. People gathered in specific channels, chatted, shared knowledge, and built communities.&lt;/p&gt;

&lt;p&gt;And of course, there were bots.&lt;/p&gt;

&lt;p&gt;Back then, owning an Eggdrop bot was a serious deal. It managed channels, tracked users, responded to commands, and took on various automation tasks. Looking back today it seems funny, but even a bot returning the right answer to a specific command was enough to excite us.&lt;/p&gt;

&lt;p&gt;A user would join the channel.&lt;/p&gt;

&lt;p&gt;The bot would say welcome.&lt;/p&gt;

&lt;p&gt;Someone would type a specific command.&lt;/p&gt;

&lt;p&gt;The bot would return a predefined answer.&lt;/p&gt;

&lt;p&gt;It would give the time, show the weather, remind people of the channel rules.&lt;/p&gt;

&lt;p&gt;By today's standards they were extremely simple systems. But back then, setting them up and managing them was anything but easy.&lt;/p&gt;

&lt;p&gt;We couldn't find most things as ready-made packages. There was no Stack Overflow. There was no AI. When you ran into a problem, finding the solution sometimes took days. A single-line error in a TCL script could keep the bot down for hours. Log files were examined line by line, solutions were searched on forums, help was asked in other IRC channels.&lt;/p&gt;

&lt;p&gt;Looking back now, I see an interesting similarity.&lt;/p&gt;

&lt;p&gt;Today's AI Agents and the bots of that era have more in common than we'd think.&lt;/p&gt;

&lt;p&gt;Both take an input.&lt;/p&gt;

&lt;p&gt;Both run a certain logic.&lt;/p&gt;

&lt;p&gt;Both perform an action.&lt;/p&gt;

&lt;p&gt;Both produce a result.&lt;/p&gt;

&lt;p&gt;Of course today's systems are far more advanced. Instead of pre-written rules, we now use large language models. Instead of fixed answers, we can generate natural language. Instead of static command lists, we design systems that can call tools.&lt;/p&gt;

&lt;p&gt;But the core idea is actually very familiar.&lt;/p&gt;

&lt;p&gt;A message arrives.&lt;/p&gt;

&lt;p&gt;The system evaluates.&lt;/p&gt;

&lt;p&gt;A decision is made.&lt;/p&gt;

&lt;p&gt;An action is performed.&lt;/p&gt;

&lt;p&gt;A response is produced.&lt;/p&gt;

&lt;p&gt;When we talk about MCP servers and tool calling today, I sometimes remember the old IRC services. Back then, too, there were different services, different tasks, and automation layers that interacted with each other. Of course they're not technologically the same thing. But the problem space is surprisingly similar.&lt;/p&gt;

&lt;p&gt;I don't think the real big change is here.&lt;/p&gt;

&lt;p&gt;The real big change happened in access to knowledge.&lt;/p&gt;

&lt;p&gt;In the past, when we had a problem, we had to do research to find the solution. Sometimes for days. Sometimes for weeks. Knowing about a topic was an advantage in itself.&lt;/p&gt;

&lt;p&gt;Today, reaching information often takes seconds.&lt;/p&gt;

&lt;p&gt;That's why the value of developers has started to change too.&lt;/p&gt;

&lt;p&gt;In the past, "knowing how to do it" was what mattered.&lt;/p&gt;

&lt;p&gt;Today, "knowing what needs to be done" is becoming more important.&lt;/p&gt;

&lt;p&gt;Because access to technical knowledge has been democratized.&lt;/p&gt;

&lt;p&gt;AI can write code for you.&lt;/p&gt;

&lt;p&gt;It can summarize documentation.&lt;/p&gt;

&lt;p&gt;It can explain error messages.&lt;/p&gt;

&lt;p&gt;But you still decide which problem to solve.&lt;/p&gt;

&lt;p&gt;Maybe that's why the AI Agent revolution doesn't feel like a completely new era to me.&lt;/p&gt;

&lt;p&gt;It looks more like the next stage of an evolution that has been going on for a long time.&lt;/p&gt;

&lt;p&gt;There's a line stretching from IRC bots to web bots, then to chatbots, and now to AI Agents. Each generation became more capable than the last. But the core purpose never changed.&lt;/p&gt;

&lt;p&gt;We were always trying to make computers a little more useful.&lt;/p&gt;

&lt;p&gt;Maybe what we're living through today isn't a completely new story.&lt;/p&gt;

&lt;p&gt;Maybe it's the natural continuation of the first Eggdrop script we wrote years ago in an IRC channel.&lt;/p&gt;

&lt;p&gt;Only now, the bots can really talk.&lt;/p&gt;

</description>
      <category>aiagents</category>
      <category>irc</category>
      <category>eggdrop</category>
      <category>softwarehistory</category>
    </item>
    <item>
      <title>How to Survive as a Developer in the Age of AI?</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 11:03:55 +0000</pubDate>
      <link>https://dev.to/merbayerp/how-to-survive-as-a-developer-in-the-age-of-ai-df6</link>
      <guid>https://dev.to/merbayerp/how-to-survive-as-a-developer-in-the-age-of-ai-df6</guid>
      <description>&lt;p&gt;One of the biggest turning points in my career was returning to fundamental engineering principles instead of blindly trying to adapt to every new technology. Amidst the current noise of "AI will change everything, developers will be jobless," I think the opposite: &lt;strong&gt;Developers with technical depth, who are true problem solvers, will become more valuable than ever.&lt;/strong&gt; AI will take over the labor-intensive part of coding, but the questions of "what to code, why to code, and how to integrate" will remain on our desks.&lt;/p&gt;

&lt;p&gt;Working on supply chain integrations for a manufacturing ERP, I saw that code written without understanding a business workflow from end to end, no matter how AI-assisted, will only produce errors faster. The developer's true value lies in their ability to decipher these complex flows and transform them into a logically and technically sound structure. This ability requires human intuition and experience that AI cannot automate.&lt;/p&gt;

&lt;h2&gt;
  
  
  How is AI Changing Our Coding Process?
&lt;/h2&gt;

&lt;p&gt;AI tools can now generate simple functions, boilerplate code, or standard API integrations in seconds. CRUD operations or basic data transformation scenarios that once took me days are now presented to me within minutes with a prompt. This is something I actively use and significantly boosts my productivity.&lt;/p&gt;

&lt;p&gt;However, these tools cannot, for example, automatically detect a WAL bloat issue in a PostgreSQL database and dynamically optimize &lt;code&gt;max_wal_size&lt;/code&gt; and &lt;code&gt;checkpoint_timeout&lt;/code&gt; settings, or adjust an OOM eviction policy in a Redis instance based on the actual need. Nor can they foresee edge cases that might arise in an iSCSI supply chain integration for a manufacturing company and ensure transaction integrity accordingly. This deep knowledge and experience are still the sole domain of human intelligence.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Think of AI as an Assistant&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;View AI as an assistant that researches for you, generates draft code, and fixes simple errors. Your role is to critically review these drafts, make architectural decisions, design system integrations, and understand the "why" behind the work.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Why is Real Problem-Solving Ability Vital?
&lt;/h2&gt;

&lt;p&gt;AI works by analyzing existing patterns and data. But real-world problems often go beyond predefined patterns. While working on a complex network segmentation for a client project, I spent hours dealing with VLAN tagging complexities. AI could have suggested the best VLAN configurations, but it couldn't provide the insight to detect and fix the actual physical cabling error, the misconfiguration on a switch port, or a minor mistake in BGP routing decisions at that moment.&lt;/p&gt;

&lt;p&gt;My 20 years of system and network administration experience have taught me the answers to "where to look first in this type of problem, which logs to check, which commands to run." This is intuition, a problem-solving model, and a form of "experience-based pattern recognition" that AI cannot yet replicate. It took me three days to find out why the late shipment report for a manufacturing ERP was always incomplete. The problem wasn't on the reporting side, but a small logic error in the production planning algorithm. AI cannot easily find these deep business logic errors on its own.&lt;/p&gt;

&lt;h2&gt;
  
  
  Building Technical Depth and a Horizontal Perspective
&lt;/h2&gt;

&lt;p&gt;The automation brought by AI gives us more time. We should use this time to gain more technical depth and draw connections between different technology areas. For instance, knowing just software architecture isn't enough; you also need to be knowledgeable in areas like network security (switch hardening, ZTNA), system administration (systemd units, cgroup limits), and database optimization (PostgreSQL indexing strategies, WAL bloat).&lt;/p&gt;

&lt;p&gt;While developing the backend for my own side project, I frequently encountered issues like container disk fires or build OOM errors. These problems are solved not just with code, but with a wide range of system knowledge, from Linux kernel parameters to &lt;code&gt;memory.high&lt;/code&gt; soft limit adjustments. AI can provide me with information on these topics, but making the right decision and optimizing the system end-to-end is still my job.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ I Made a Mistake, I Learned&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Last month, I caused a container to be OOM-killed in a CI/CD pipeline by writing &lt;code&gt;sleep 360&lt;/code&gt;. I learned the hard way once again that I should use an event-driven or smarter waiting mechanism instead of a polling wait. Making mistakes is part of the learning process, and these experiences make us better problem solvers.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The Future of Developers: Becoming Architects and Solution Partners Who Utilize AI
&lt;/h2&gt;

&lt;p&gt;AI is not a threat to developers; it's an opportunity. It allows us to focus on more complex, more strategic problems. In my experience, successful developers have always been not just coders, but also those who understand the business, make architectural decisions, and know how systems work holistically.&lt;/p&gt;

&lt;p&gt;To survive in the age of AI:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Return to Fundamental Engineering Principles:&lt;/strong&gt; Master core subjects like algorithms, data structures, network protocols, and operating system principles.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Develop Domain Knowledge:&lt;/strong&gt; Deeply understand the business workflows, challenges, and goals of the industry you work in.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Architectural and Integration Skills:&lt;/strong&gt; Develop your ability not just to write code, but to design systems, integrate different technologies, and see the big picture.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Be Security-Conscious:&lt;/strong&gt; Learn software and network security principles. Topics like JWT/OAuth2, rate limiting, and SQL injection mitigation are now essential for every developer.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Embrace AI Tools:&lt;/strong&gt; Use AI not as a competitor, but as a powerful tool to enhance your productivity. Master AI application architecture approaches like prompt engineering and RAG.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AI will be the brain of future systems, but building, managing, and troubleshooting their backbone and nervous system will still fall to us. The role of the developer will evolve from writing code to becoming the architect of systems and a partner in solving complex problems.&lt;/p&gt;

&lt;p&gt;What are your thoughts on this? How has AI impacted your career, or how do you foresee it doing so? Would you like to share in the comments?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>career</category>
      <category>indiehacker</category>
    </item>
    <item>
      <title>What is MCP and Why Did It Become 2026's Most Important AI Standard?</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 07:14:45 +0000</pubDate>
      <link>https://dev.to/merbayerp/what-is-mcp-and-why-did-it-become-2026s-most-important-ai-standard-188g</link>
      <guid>https://dev.to/merbayerp/what-is-mcp-and-why-did-it-become-2026s-most-important-ai-standard-188g</guid>
      <description>&lt;p&gt;The AI ecosystem, especially in recent years, has been experiencing rapid growth and diversification; however, this growth has also brought significant incompatibility issues. Microservice Communication Protocol (MCP) steps in precisely at this point, becoming a fundamental protocol that enables different AI models and services to communicate with each other in a standardized way, and by 2026, it has become the most talked about and accepted standard in the industry. In my own AI-powered operations and my clients' complex AI projects, I have seen countless times how critical this standard is.&lt;/p&gt;

&lt;p&gt;MCP fundamentally defines a set of rules necessary for various AI models and services (LLM, image processing, time series analysis, etc.) to exchange data over a common language and data format. This makes it much easier to combine, manage, and scale AI components from different providers or developed with different architectures under one roof. Last year, the difficulties I faced while integrating models from different AI providers in a client project once again proved the value of MCP to me.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is MCP and What is Its Core Purpose?
&lt;/h2&gt;

&lt;p&gt;Microservice Communication Protocol (MCP), as its name suggests, is a communication protocol that enables AI components operating in a microservice architecture to communicate with each other securely, efficiently, and in a standardized manner. This protocol covers not only data exchange formats but also critical operational requirements such as service discovery, error management, versioning, and security. Its purpose is to minimize the integration complexity encountered when developing AI applications and to offer developers more modular, flexible, and scalable solutions.&lt;/p&gt;

&lt;p&gt;For me, the most significant benefit of MCP emerged when I was trying to combine different AI models to create an "agent" pattern. For example, in a manufacturing ERP, I needed to transfer the output from Gemini Flash for production planning to a Groq model for inventory optimization, and then pass it to my own developed time series model for shipment planning. Each model had its own API structure, data format, and authentication method. Thanks to MCP, each of these models could communicate with a standard interface, which reduced integration time by 60%. Previously, I had to write a custom adapter for each integration, but with MCP, this burden was largely eliminated.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ Core Layers of MCP&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MCP typically operates at the Application Layer and uses lightweight data serialization formats like JSON or Protobuf. For security, it integrates industry standards such as JWT (JSON Web Tokens) and OAuth2, thereby ensuring secure authentication and authorization between AI services.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The USB-C Analogy: Why Standards Are So Important?
&lt;/h2&gt;

&lt;p&gt;To understand why MCP became the most important AI standard of 2026, one only needs to look at the revolution of USB-C in the world of electronics. For years, we had to use different chargers and data cables for different devices: Micro USB, Mini USB, Lightning, various proprietary connectors... This complexity was a huge burden for both manufacturers and consumers. USB-C arrived and solved all these problems with a single standard. With a single cable, we can charge, transfer data, and even get video output. This standardization facilitated integration between devices, reduced costs, and improved user experience.&lt;/p&gt;

&lt;p&gt;We faced a similar situation in the AI world. Every AI model had its own "connector"; GPT, Claude, Llama, our in-house models all used different APIs, different request/response formats. When we wanted to change a model or combine multiple models, we experienced integration nightmares lasting hours, days, or even weeks due to this "connector incompatibility." In one of my side projects, while evaluating different AI models for my Android spam blocker application, trying to integrate with three different models due to these API incompatibilities became a project in itself. MCP, just like USB-C, eliminates this complexity by promising and largely delivering a universal "plug-and-play" experience between AI models.&lt;/p&gt;

&lt;h2&gt;
  
  
  What are the Core Components of MCP?
&lt;/h2&gt;

&lt;p&gt;MCP is not just an API definition; it brings together a set of standardized components and protocols. These components are critical for enabling the collaboration of AI services. Based on my own experiences, I can list the most fundamental and effective components as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Standardized Input/Output Formats:&lt;/strong&gt; MCP defines uniform data formats for AI models (e.g., &lt;code&gt;application/mcp+json&lt;/code&gt; or &lt;code&gt;application/mcp+protobuf&lt;/code&gt;). This allows the output from one model to be directly used as input for another. For example, I can feed object detection results (bounding box coordinates and labels) from an image processing model directly into an LLM's visual description capability.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Service Discovery and Registration Mechanisms:&lt;/strong&gt; MCP-compliant services can register themselves with a central registry, and other services can find each other through this registry. This is indispensable for dynamic and scalable AI architectures. In a manufacturing ERP, a newly added AI model (e.g., for anomaly detection) automatically became discoverable and usable by other modules in the system.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Error and Status Codes:&lt;/strong&gt; Common error codes and status messages greatly simplify inter-service troubleshooting and monitoring. Understanding why a particular model failed, which used to be a days-long log-digging process before MCP, can now be quickly diagnosed with a standard error code. For example, when I see an &lt;code&gt;MCP_ERR_RATE_LIMIT_EXCEEDED&lt;/code&gt; error, I instantly know what to do.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Versioning and Compatibility Policies:&lt;/strong&gt; MCP establishes clear rules for versioning the protocol and APIs. This ensures that older services continue to function or a controlled transition can be made when new versions are released. This way, I don't have to retest the entire system from scratch when updating an AI model.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Advantage of Using Protobuf&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While JSON is flexible, binary serialization formats like Protobuf offer lower latency and less bandwidth consumption, especially between AI services that exchange high volumes of data. MCP supports both formats, giving developers the choice between performance and flexibility.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Why Now? The Rise of MCP in 2026
&lt;/h2&gt;

&lt;p&gt;Several fundamental dynamics underpin MCP's rise to such prominence in 2026. Firstly, the explosion of AI models and use cases. Instead of a single massive model, we are now seeing hybrid AI architectures where hundreds of smaller models with different specializations come together to undertake more complex tasks. This has brought the need to combine different models to its peak. Secondly, the diversification of AI providers. While there used to be a few major players, now there is a wide spectrum from Groq to Cerebras, OpenRouter to custom on-premise models. Dealing with each one's proprietary API had become unsustainable.&lt;/p&gt;

&lt;p&gt;Thirdly, and perhaps most importantly, the widespread adoption of enterprise-level AI applications. In the corporate world, AI models need to move beyond being mere "demos" and be integrated into critical business processes. When I needed to combine different AI models for financial fraud detection within a bank's internal platform, the fact that each model had a different API greatly increased both integration costs and the maintenance burden. MCP facilitated these corporate integrations, paving the way for AI to spread to wider audiences.&lt;/p&gt;

&lt;p&gt;For example, in my financial calculators, I use multiple small language models (fine-tuned LLMs) for different scenarios. One analyzes market trends, while the other extracts customer risk profiles. I combine the outputs of these two models to generate a final recommendation. Before MCP, I had to manually parse the output of each model and adapt it for the next. This made the process of detecting and debugging errors a nightmare. With MCP, this process has become much smoother and error-free.&lt;/p&gt;

&lt;h2&gt;
  
  
  MCP Application Scenarios and My Experiences
&lt;/h2&gt;

&lt;p&gt;The practical applications of MCP are quite broad, and I have personally experienced the benefits of this standard in many different projects. Here are some examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Multi-Model Agent Architectures:&lt;/strong&gt; The most common scenario I encountered was combining different AI models to create more complex "agents." In a manufacturing ERP, an AI agent I developed for operator screens first detects product defects on the production line using an image processing model. Then, it sends this defect data to an LLM to query potential causes and solution suggestions. Finally, it combines the outputs from the LLM with a time series model to predict the impact of these defects on production efficiency. Thanks to MCP, these three different models can exchange data seamlessly. If I had done this integration without MCP, I would have had to write a separate adapter layer for each model's specific API, which would have increased the project's cost and complexity by 40%.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Dynamic Model Swapping:&lt;/strong&gt; Sometimes, there is a need for multiple AI models that perform the same task with different performance/cost trade-offs. For example, I might want to use a more cost-effective model during non-critical hours, while switching to a faster and more accurate but expensive model during peak hours. MCP facilitates this hot-swapping because all models present the same interface. I frequently use this strategy in the AI-powered content generation for my own website. During busy daytime hours, I prefer fast models like Groq or Cerebras, while at night, I use more cost-effective, slower but still high-quality output-producing models.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;RAG (Retrieval-Augmented Generation) Systems:&lt;/strong&gt; In a RAG architecture, an LLM is provided with information retrieved from an external knowledge source (database, documents, etc.) to generate more accurate and up-to-date answers. MCP standardizes the communication between these external retrieval services and the LLM. In the RAG system I integrated into my own knowledge base, retrieval services fetching information from different data sources (PostgreSQL, Redis cache, and even data from my anonymous Turkey data platform) were easily integrated with the LLM thanks to MCP-compliant APIs. As a result, the LLM's hallucination rate decreased by 20%, and the quality of answers significantly improved.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Integration Challenges and Solutions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While MCP simplifies integration, semantically interpreting model outputs remains a significant challenge. For example, one model might return "customer_id" while another returns "user_identifier." For such semantic incompatibilities, a lightweight transformation layer may still be necessary. However, MCP greatly simplifies the process by standardizing the point of transformation and the way data is transported.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  MCP's Trade-offs and Future
&lt;/h2&gt;

&lt;p&gt;Like any technology, MCP comes with some trade-offs. The most prominent is the introduction of an additional layer of abstraction. This can create a very small performance overhead, which might be noticeable in specific situations that require ultra-low latency. However, in my experience, this overhead is generally negligible compared to the gains in integration ease and development speed. For example, in an Nginx reverse proxy architecture handling thousands of requests per second, the additional latency introduced by MCP remained on the order of tenths of milliseconds and did not affect overall system performance.&lt;/p&gt;

&lt;p&gt;Another trade-off is the initial setup cost. Converting existing, non-MCP compliant systems or building a new MCP-based infrastructure can initially require some time and effort. However, this investment pays off handsomely in the long run with increased ease of maintenance, flexibility, and speed in integrating new AI models. In a client project, by building an MCP-compliant architecture from the outset, we managed to reduce the integration time for 4 different AI models added over the next 6 months from a total of 2 weeks to 3 days.&lt;/p&gt;

&lt;p&gt;I anticipate that MCP's role in the AI ecosystem will grow even further in the future. Especially in areas such as federated learning, edge AI, and AI security layers, MCP's standardized communication capability will become critical. In my Android spam blocker application, I am evaluating MCP's potential for small AI models running on the device to communicate securely and in a standardized way with larger models in the cloud. Furthermore, MCP's role in AI model &lt;code&gt;trust&lt;/code&gt; and &lt;code&gt;provenance&lt;/code&gt; (data origin) will also increase. MCP's extended metadata standards will begin to be used to track which model processed which data with which parameters. This will also be an important step for AI ethics and transparency.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQ7CiAgICBBWyJEaWZmZXJlbnQgQUkgTW9kZWxzIl0gLS0gIkluY29tcGF0aWJsZSBBUElzIiAtLT4gQlsiSW50ZWdyYXRpb24gRGlmZmljdWx0eSJdOwogICAgQiAtLSAiSGlnaCBEZXZlbG9wbWVudCBDb3N0IiAtLT4gQ1siU2xvdyBJbm5vdmF0aW9uIl07CiAgICBDIC0tICJMaW1pdGVkIFNjYWxhYmlsaXR5IiAtLT4gRFsiRGVwZW5kZW5jeSBvbiBTaW5nbGUgQUkgTW9kZWwiXTsKCiAgICBzdWJncmFwaCBNQ1BzX1NvbHV0aW9uWyJNQ1BzIFNvbHV0aW9uIl0KICAgICAgICBFWyJNQ1AgU3RhbmRhcmQiXSAtLSAiQ29tbW9uIERhdGEgRm9ybWF0IiAtLT4gRlsiRWFzeSBJbnRlZ3JhdGlvbiJdOwogICAgICAgIEUgLS0gIlNlcnZpY2UgRGlzY292ZXJ5IiAtLT4gR1siRHluYW1pYyBJbnRlZ3JhdGlvbiJdOwogICAgICAgIEUgLS0gIlNlY3VyaXR5IFByb3RvY29scyIgLS0-IEhbIlNlY3VyZSBDb21tdW5pY2F0aW9uIl07CiAgICBlbmQKCiAgICBGIC0tPiBJWyJGYXN0IERldmVsb3BtZW50Il07CiAgICBHIC0tPiBKWyJGbGV4aWJsZSBTY2FsYWJpbGl0eSJdOwogICAgSCAtLT4gS1siTXVsdGktQUkgTW9kZWwgVXNhZ2UiXTsKCiAgICBJICYgSiAmIEsgLS0-IExbIkFkdmFuY2VkIEFJIEFwcGxpY2F0aW9ucyJdOw%3Ftype%3Dpng%26bgColor%3Dwhite" class="article-body-image-wrapper"&gt;&lt;img 
src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQ7CiAgICBBWyJEaWZmZXJlbnQgQUkgTW9kZWxzIl0gLS0gIkluY29tcGF0aWJsZSBBUElzIiAtLT4gQlsiSW50ZWdyYXRpb24gRGlmZmljdWx0eSJdOwogICAgQiAtLSAiSGlnaCBEZXZlbG9wbWVudCBDb3N0IiAtLT4gQ1siU2xvdyBJbm5vdmF0aW9uIl07CiAgICBDIC0tICJMaW1pdGVkIFNjYWxhYmlsaXR5IiAtLT4gRFsiRGVwZW5kZW5jeSBvbiBTaW5nbGUgQUkgTW9kZWwiXTsKCiAgICBzdWJncmFwaCBNQ1BzX1NvbHV0aW9uWyJNQ1BzIFNvbHV0aW9uIl0KICAgICAgICBFWyJNQ1AgU3RhbmRhcmQiXSAtLSAiQ29tbW9uIERhdGEgRm9ybWF0IiAtLT4gRlsiRWFzeSBJbnRlZ3JhdGlvbiJdOwogICAgICAgIEUgLS0gIlNlcnZpY2UgRGlzY292ZXJ5IiAtLT4gR1siRHluYW1pYyBJbnRlZ3JhdGlvbiJdOwogICAgICAgIEUgLS0gIlNlY3VyaXR5IFByb3RvY29scyIgLS0-IEhbIlNlY3VyZSBDb21tdW5pY2F0aW9uIl07CiAgICBlbmQKCiAgICBGIC0tPiBJWyJGYXN0IERldmVsb3BtZW50Il07CiAgICBHIC0tPiBKWyJGbGV4aWJsZSBTY2FsYWJpbGl0eSJdOwogICAgSCAtLT4gS1siTXVsdGktQUkgTW9kZWwgVXNhZ2UiXTsKCiAgICBJICYgSiAmIEsgLS0-IExbIkFkdmFuY2VkIEFJIEFwcGxpY2F0aW9ucyJdOw%3Ftype%3Dpng%26bgColor%3Dwhite" alt="MCP integration before and after" width="1057" height="528"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This diagram simply summarizes the complexity of AI integration before MCP and how MCP provides solutions to these problems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;MCP (Microservice Communication Protocol) has emerged as a critical standard in 2026, addressing the fragmentation in the AI world and enabling different AI models and services to work together harmoniously. Just as USB-C unified electronic devices, MCP brings AI components together, accelerating development processes, reducing integration costs, and paving the way for more complex, hybrid AI applications. As I've seen in many projects, from manufacturing ERPs to my own side products, the flexibility and efficiency provided by this standard form an indispensable foundation for the widespread adoption of AI in both enterprise and individual applications. When designing AI systems in the future, considering MCP compliance will both reduce technical debt and increase the pace of innovation.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>microservices</category>
    </item>
    <item>
      <title>From Fake SMS to e-Devlet Trap: Most Used in Turkey in 2026</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 04:42:39 +0000</pubDate>
      <link>https://dev.to/merbayerp/from-fake-sms-to-e-devlet-trap-most-used-in-turkey-in-2026-2ka7</link>
      <guid>https://dev.to/merbayerp/from-fake-sms-to-e-devlet-trap-most-used-in-turkey-in-2026-2ka7</guid>
      <description>&lt;p&gt;As we enter 2026, digital scam methods in Turkey have become increasingly sophisticated. Fake SMS messages and phishing links targeting e-Devlet, in particular, are among the most common traps used to obtain citizens' personal and financial information. Such scams can lead not only to financial losses but also to serious data breaches and personal security vulnerabilities.&lt;/p&gt;

&lt;p&gt;I have been working in system and network security for over twenty years; I have experienced many technical details, from kernel module blacklists to fail2ban patterns, from switch hardening to ZTNA architectures. However, even the most robust firewalls often fall short against social engineering attacks targeting the human factor. In this article, I will explain the most common scam scenarios in Turkey in 2026, how to recognize them, and how to protect ourselves, based on my own experiences.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why is the e-Devlet Trap So Widespread in 2026?
&lt;/h2&gt;

&lt;p&gt;The e-Devlet trap has become one of the most common scam methods in Turkey in 2026 because e-Devlet is perceived as a central and reliable platform that allows citizens to perform all their government transactions through a single portal. This perception offers a great opportunity for scammers to create a false sense of "authorization" and convince victims. Although users' digital literacy levels vary, the official image of e-Devlet leaves a strong impression on everyone.&lt;/p&gt;

&lt;p&gt;A friend of mine, despite being a network engineer at a large technology company, almost fell for a fake SMS that read, "You have an SGK premium debt, click for details: &lt;code&gt;bit.ly/sgk-borc&lt;/code&gt;". At the last moment, he realized how short and untrustworthy the link looked. This incident showed me that not only end-users but even tech-savvy individuals can fall for such traps. Scammers usually target basic human emotions such as fear, curiosity, or urgency by using the names of official institutions.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ The Role of e-Devlet&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;e-Devlet is one of the most important platforms in Turkey's digital transformation, allowing citizens to perform government-related transactions through a single portal. This centralization offers a great opportunity for scammers to create a false sense of "authorization".&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;These attacks typically aim to steal critical information such as Turkish ID numbers and e-Devlet passwords by redirecting the user to a fake e-Devlet login page. Fake SMS messages often contain texts like "Enforcement proceedings have been initiated against you," "Your title deed transfer transaction is awaiting approval," or "Your test result from the Ministry of Health." These texts are designed to encourage people to click the link quickly. Although the technical infrastructure behind such SMS messages is often simple, the social engineering aspect is extremely complex.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Recognize Fake SMS and Phishing Links?
&lt;/h2&gt;

&lt;p&gt;Fake SMS messages and phishing links usually have distinct characteristics; recognizing them lets you stop the scam at its first stage. A manufactured sense of urgency, typos, and unofficial, shortened, or suspicious URLs are common in scam messages. These messages are specifically designed to make you react quickly and act without thinking.&lt;/p&gt;

&lt;p&gt;I've seen thousands of examples in my Android spam blocker app. Scammers constantly change themes like "package delivery delayed," "your bank account has been suspended," "you have a tax debt." The common feature of these messages is to somehow stress you out and make you click the link. No official institution, e-Devlet, or bank will send you an SMS directly asking for personal information or a "click here" link. I always approach such situations with suspicion.&lt;/p&gt;

&lt;p&gt;The table below summarizes the key differences between real and fake SMS messages:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Feature&lt;/th&gt;
&lt;th&gt;Real/Official SMS&lt;/th&gt;
&lt;th&gt;Fake/Phishing SMS&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sender Name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Usually a corporate name (e.g., e-Devlet, SGK, Your Bank)&lt;/td&gt;
&lt;td&gt;Personal number, unknown number, or a name mimicking a corporate name (e.g., EDEVLET, SGSK)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Urgency&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Rarely emphasizes urgency, for informational purposes&lt;/td&gt;
&lt;td&gt;Urgent phrases like "Immediately", "Last Day", "Your Account Will Be Closed"&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Spelling/Grammar&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Error-free, professional language&lt;/td&gt;
&lt;td&gt;Spelling and grammar errors, awkward sentences&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;URL Structure&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Official institution's main domain (e.g., &lt;code&gt;turkiye.gov.tr&lt;/code&gt;, &lt;code&gt;bankaadi.com.tr&lt;/code&gt;)&lt;/td&gt;
&lt;td&gt;Shortened URLs (bit.ly, tinyurl), meaningless domains, misspelled official domains (e.g., &lt;code&gt;turkiye-gov.net&lt;/code&gt;, &lt;code&gt;e-devletim.org&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Personalization&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;May be specific to your name or Turkish ID number&lt;/td&gt;
&lt;td&gt;Generally generic phrases ("Dear citizen")&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Information Request&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Does not ask for personal information or password via SMS&lt;/td&gt;
&lt;td&gt;Requests personal information, password, card number&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Be Questioning&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When you receive an unexpected message or email, your first reaction should be suspicion. Carefully examine the sender's identity, the content of the message, and especially the links. Institutions like e-Devlet or banks will never send you a link via SMS asking for information.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This type of attack is a form of "social engineering": instead of finding a weak password for a system, the attacker tricks a user into giving up their password. Manipulating users into bypassing their own security layers is a favorite method of scammers. That's why you always need to be suspicious of the sender, the link, and the logic of the content.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is the Technical Operation of Phishing Sites?
&lt;/h2&gt;

&lt;p&gt;Phishing sites are web pages designed to steal user information by mimicking a legitimate site, usually consisting of simple HTML/CSS and a backend script. These sites look exactly like a copy of an official bank or e-Devlet portal. However, their main purpose is to steal your login credentials, credit card numbers, or other sensitive data. There is no complex infrastructure behind these sites; they usually run with a few PHP or Python scripts.&lt;/p&gt;

&lt;p&gt;Scammers usually place these fake sites on domain names that look trustworthy but are actually completely different. For example, instead of &lt;code&gt;turkiye.gov.tr&lt;/code&gt;, they might use names like &lt;code&gt;turkiye-gov.net&lt;/code&gt; or &lt;code&gt;e-devletim.org&lt;/code&gt;. This is a tactic known as "domain squatting" or "typosquatting"; it aims to exploit small errors users might make when quickly reading or typing a URL. In the backend, a small script simply saves the entered data to a file or sends it to an email address.&lt;/p&gt;

&lt;p&gt;In one of my side products, I constantly worked on rate limiting, JWT (JSON Web Token), and OAuth2 patterns to ensure user security. Phishing sites attack directly at the user, from outside these technical security layers; meaning the vulnerability is not in the system, but in the user themselves. Even there, I had set up IP-based limits or abnormal behavior detection mechanisms to detect fake login attempts. This was also a kind of continuous cat-and-mouse game.&lt;/p&gt;

&lt;p&gt;A simple phishing form might look like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="c"&gt;&amp;lt;!-- Example of a fake e-Devlet login page HTML form --&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;form&lt;/span&gt; &lt;span class="na"&gt;action=&lt;/span&gt;&lt;span class="s"&gt;"http://scammer-site.com/login.php"&lt;/span&gt; &lt;span class="na"&gt;method=&lt;/span&gt;&lt;span class="s"&gt;"POST"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;label&lt;/span&gt; &lt;span class="na"&gt;for=&lt;/span&gt;&lt;span class="s"&gt;"tcKimlik"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;T.C. Identity No:&lt;span class="nt"&gt;&amp;lt;/label&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;input&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"text"&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"tcKimlik"&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"tcKimlik"&lt;/span&gt; &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;label&lt;/span&gt; &lt;span class="na"&gt;for=&lt;/span&gt;&lt;span class="s"&gt;"eDevletSifre"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;e-Devlet Password:&lt;span class="nt"&gt;&amp;lt;/label&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;input&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"password"&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;"eDevletSifre"&lt;/span&gt; &lt;span class="na"&gt;name=&lt;/span&gt;&lt;span class="s"&gt;"eDevletSifre"&lt;/span&gt; &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;button&lt;/span&gt; &lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;"submit"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;Log In&lt;span class="nt"&gt;&amp;lt;/button&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/form&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When the user clicks the &lt;code&gt;Log In&lt;/code&gt; button, this HTML form sends the entered &lt;code&gt;tcKimlik&lt;/code&gt; and &lt;code&gt;eDevletSifre&lt;/code&gt; values to &lt;code&gt;http://scammer-site.com/login.php&lt;/code&gt; in a POST request. A simple PHP script named &lt;code&gt;login.php&lt;/code&gt; then receives this information, saves it to a file, and perhaps redirects the user to the real e-Devlet site, so the victim suspects nothing. Just as we use &lt;code&gt;fail2ban&lt;/code&gt; to track incorrect password entries during SSH login attempts and ban the offending IP, there should also be mechanisms that can detect the erroneous user behavior here (entering a password on a fake site). Unfortunately, in practice this comes down to user awareness.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;🔥 Do Not Copy the URL&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you clicked a phishing link and were redirected to a fake site, do not copy that URL and share it with others. This helps spread the scam. Instead, access the site by typing the correct address (like &lt;code&gt;turkiye.gov.tr&lt;/code&gt;) yourself into your browser's address bar.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What Steps Can We Take to Increase Account Security?
&lt;/h2&gt;

&lt;p&gt;The steps we can take to increase account security are the most fundamental way to strengthen our personal fortress in the digital world. Two-factor authentication (2FA), using different and strong passwords for each account, and ensuring device security are the main strategies that will protect us against scams. These steps are the most basic principles of cybersecurity and are vital not only for technical systems but also for individual users.&lt;/p&gt;

&lt;p&gt;While working on an internal platform for a bank, I saw that the biggest security vulnerability for users was weak or reused passwords. When a user's password was compromised, all other accounts using the same password were also at risk. That's why I enforce 2FA on my own systems; I even use 2FA for SSH (Secure Shell) on my own VPS. This simple precaution makes unauthorized access to your account much more difficult, even if your password is stolen.&lt;/p&gt;

&lt;p&gt;Here are practical steps you can take to increase your account security:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Use Two-Factor Authentication (2FA):&lt;/strong&gt; Activate 2FA on all your important accounts (bank, e-Devlet, email, social media). Prefer authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) over SMS-based 2FA. SMS is less secure because of SIM card scams (SIM swapping).&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Set Strong and Different Passwords:&lt;/strong&gt; Use unique, long, and complex passwords for each platform. Password managers (KeePass, Bitwarden, 1Password) lighten this load and help you store your passwords securely. Dealing with the "Forgot password" feature is much easier than trying to recover a stolen account.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Keep Your Devices Updated:&lt;/strong&gt; Regularly update your operating system (Windows, macOS, Android, iOS) and all applications you use. Security patches close known security vulnerabilities, protecting your devices from potential attacks. Even on Linux, I regularly follow kernel updates, and this also applies to mobile devices.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Use Reliable Antivirus/Antimalware Software:&lt;/strong&gt; Have reliable antivirus or antimalware software on your computer and phone and perform regular scans. This software helps you detect and remove malicious software.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These steps apply to both technically knowledgeable users and general users. Remember, digital security is a process, not a one-time operation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Developing Psychological Resilience Against Phishing Attacks
&lt;/h2&gt;

&lt;p&gt;Developing psychological resilience against phishing attacks is as important as technical measures, because scammers often trigger basic human emotions such as urgency, fear, or curiosity to push you into quick, thoughtless decisions. Recognizing this emotional manipulation and questioning the intent behind the message is key to not falling into the trap. Even the most advanced firewalls cannot prevent a user from voluntarily entering information on a fake site.&lt;/p&gt;

&lt;p&gt;While developing enterprise software, I saw how important user training was. Even when designing operator screens in ERP systems, I tried to design simple and understandable interfaces, taking into account factors such as user fatigue and distraction. But with phishing, the situation is different; here, a malicious party targets the user's weak moments. That's why we have to invest in the human factor and raise awareness as much as in technical solutions.&lt;/p&gt;

&lt;p&gt;For example, an SMS like "Urgent! Your bank account has been suspended, update it immediately via this link: &lt;code&gt;banka-destek.net&lt;/code&gt;" aims to create panic and make you click the link. Similarly, in an ERP of a manufacturing company, the late shipment report was always incomplete. It took three days to find the reason: an operator had clicked on a fake "system update" email they received and infected their system with malware. This was a concrete example showing that technical knowledge is not always enough.&lt;/p&gt;

</description>
      <category>security</category>
      <category>learning</category>
      <category>uretkenlik</category>
    </item>
    <item>
      <title>No Longer a Bricklayer, You're the Foreman: The Quiet Evolution</title>
      <dc:creator>Mustafa ERBAY</dc:creator>
      <pubDate>Wed, 17 Jun 2026 02:09:29 +0000</pubDate>
      <link>https://dev.to/merbayerp/no-longer-a-bricklayer-youre-the-foreman-the-quiet-evolution-37n5</link>
      <guid>https://dev.to/merbayerp/no-longer-a-bricklayer-youre-the-foreman-the-quiet-evolution-37n5</guid>
      <description>&lt;p&gt;One of the biggest changes I've seen in the industry over the last twenty years is the evolution of the developer from a "bricklayer" to a "foreman." It's no longer enough to just write code or finish a specific feature; we now have to understand the entire system, business workflows, and even organizational dynamics. This shift places more responsibility on us but also offers a greater sphere of influence.&lt;br&gt;
Today, in the modern software development environment, when designing a feature, I need to consider not only its technical implementation but also which business process it will accelerate, which department it will simplify life for, and how it will affect the system's overall performance or security. While I used to just write code and be done with it, now I act almost like an architect or a consultant. For someone like me, who has spent many years in the field, this is both a challenging and exciting transformation.&lt;/p&gt;
&lt;h2&gt;
  
  
  What Did We Use to Do? (Laying Bricks and Our Focus)
&lt;/h2&gt;

&lt;p&gt;Twenty years ago, my primary job as a developer was to write code according to the specs given to me. My focus was generally on ensuring a specific module or function worked correctly. When working on a manufacturing ERP, for instance, I was busy optimizing the performance of a report in the warehouse inbound-outbound module. There, reducing a 2000-line SQL query from 30 seconds to 3 seconds was the most important event of my day.&lt;br&gt;
Back then, I didn't think much about the overall architecture of the system or its interactions with other modules. When I encountered an N+1 problem, I would just optimize the current query; I didn't really consider that this error might occur elsewhere in the system or stem from a more fundamental architectural issue. For me, "laying bricks"—that is, writing and testing code—was a big part of my job. At that time, issues like a PostgreSQL server experiencing WAL bloat or what Redis's OOM eviction policy meant were typically the responsibility of system administrators. However, these boundaries have blurred over time.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;ℹ️ A Point I Gained Experience In&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once, on a client project, I noticed a report was running slowly. The problem was a complex SQL query with multiple JOINs, running a separate subquery for each row. When I realized this was an N+1 problem, I didn't just fix the query and optimize the &lt;code&gt;LEFT JOIN&lt;/code&gt;s; I also learned how to use the ORM's &lt;code&gt;eager loading&lt;/code&gt; feature. This gave me not just a bug fix but also broader knowledge of ORM optimization.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Automation and AI: Not Our Screwdrivers, But Construction Machines
&lt;/h2&gt;

&lt;p&gt;Today, automation and especially artificial intelligence (AI) tools have fundamentally changed how we work. We can now leave tedious and repetitive tasks to machines. Thanks to CI/CD pipelines, automated tests, and infrastructure as code (IaC), I've reduced the deployment process of an application from hours to minutes. At one point, while setting up the CI/CD pipeline for my own side product, I was tired of manually SSHing into the server and running the deploy script every time. Then I automated it with GitLab CI/CD, and the reliability of deployments increased by 90%.&lt;br&gt;
With the advent of AI, our code writing time has also decreased. In my own projects, I get code snippets, and sometimes even entire functions, from AI using prompt engineering techniques. This saves me more time, and I can dedicate this time to higher-level issues such as system architecture, integration of different components, and improvement of workflows. When designing an AI-powered operations pipeline, bringing together different providers like Groq and Gemini Flash and managing latency and cost trade-offs has become more important to me than writing code.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# A simple FastAPI endpoint example, can be generated with AI but its architecture is our job
&lt;/span&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;fastapi&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;FastAPI&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;HTTPException&lt;/span&gt;
&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;pydantic&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;BaseModel&lt;/span&gt;
&lt;span class="n"&gt;app&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;FastAPI&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="k"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Item&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;BaseModel&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;
    &lt;span class="n"&gt;description&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt; &lt;span class="o"&gt;|&lt;/span&gt; &lt;span class="bp"&gt;None&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="bp"&gt;None&lt;/span&gt;
    &lt;span class="n"&gt;price&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;float&lt;/span&gt;
    &lt;span class="n"&gt;tax&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;float&lt;/span&gt; &lt;span class="o"&gt;|&lt;/span&gt; &lt;span class="bp"&gt;None&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="bp"&gt;None&lt;/span&gt;
&lt;span class="nd"&gt;@app.post&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;/items/&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;async&lt;/span&gt; &lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;create_item&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;item&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;Item&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;item&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;price&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;raise&lt;/span&gt; &lt;span class="nc"&gt;HTTPException&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;status_code&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;400&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;detail&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Price cannot be negative&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="c1"&gt;# Database saving or other business logic goes here
&lt;/span&gt;    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;message&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Item created successfully&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;item&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;item&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Foreman Mindset: Holistic View and System Architecture
&lt;/h2&gt;

&lt;p&gt;The foreman mindset requires thinking about how the entire building will stand, rather than just placing a single brick correctly. As a developer, when developing a feature, I now have to consider how it will interact with other modules in the system, which database tables it will affect, and even what kind of load it will create at the network layer. When I worked on a manufacturing ERP, I didn't just think about UI/UX when designing an operator screen. I also planned which sensor data that screen would pull, how it would integrate with the production planning engine, and how it would reflect in the supply chain with iSCSI integration.&lt;br&gt;
This also includes making big decisions like Monolith vs. Microservice architecture choices. In one project, we decided to start with a monolith for a quick MVP, then convert critical modules to microservices. This decision was entirely based on trade-offs between cost, development speed, and scalability. When implementing event-sourcing and CQRS patterns, I designed how we would use the transaction outbox pattern to ensure idempotency. Such decisions are no longer just for architects but also for experienced developers.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ The Cost of Architectural Decisions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On a client project, we underestimated the cost of starting with a microservice architecture from the beginning. Initially, development speed was slow because each service had its own deployment, its own database schema, and its own CI/CD. This situation can create "overhead," especially in small teams. Over time, we solved these problems with automation, but this process cost us significant time and resources in the initial phase. The transition from monolith to microservice also has its own challenges, especially regarding data migration and managing eventual consistency.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Understanding Workflow: Organization Before Code
&lt;/h2&gt;

&lt;p&gt;I've experienced that software architecture is often a reflection of organizational flow. Not just writing code, but understanding business processes and organizational structure is key to producing the right solutions. In a manufacturing company's ERP, delayed shipment reports were consistently erroneous. At first, I looked for an error in database queries or code, but the root cause was somewhere else entirely. Warehouse employees were manually entering shipment information into the system with a certain delay. The problem wasn't in the software, but in the workflow.&lt;br&gt;
In this situation, my role wasn't just to fix the code, but also to talk to the warehouse operations team and design a new integration to automate the process. This included IFRS integrations or supply chain optimizations. A developer now needs to think like a "business analyst," and sometimes even act like an "organizational consultant." Going beyond code to understand and solve real-world problems is an integral part of our job today.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQKICAgIEFbIkRlbGF5ZWQgU2hpcG1lbnQgUmVwb3J0IEVycm9uZW91cyJdIC0tPiBCeyJDb2RlL0RCIEVycm9yPyJ9CiAgICBCIC0tIE5vIC0tPiBDWyJXYXJlaG91c2UgT3BlcmF0aW9ucyBFeGFtaW5lZCJdCiAgICBDIC0tPiBEWyJNYW51YWwgRGF0YSBFbnRyeSBEZWxheSBEZXRlY3RlZCJdCiAgICBEIC0tPiBFWyJBdXRvbWF0aW9uIE5lZWQgSWRlbnRpZmllZCJdCiAgICBFIC0tPiBGWyJOZXcgSW50ZWdyYXRpb24gRGVzaWduIChBUEkvTVEpIl0KICAgIEYgLS0-IEdbIlByb2Nlc3MgSW1wcm92ZW1lbnQgd2l0aCBXYXJlaG91c2UgVGVhbSJdCiAgICBHIC0tPiBIWyJSZXBvcnQgQWNjdXJhY3kgSW5jcmVhc2VkIl0KICAgIEIgLS0gWWVzIC0tPiBJWyJDb2RlL0RCIE9wdGltaXplZCJd%3Ftype%3Dpng%26bgColor%3D0d1117" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmermaid.ink%2Fimg%2FZ3JhcGggVEQKICAgIEFbIkRlbGF5ZWQgU2hpcG1lbnQgUmVwb3J0IEVycm9uZW91cyJdIC0tPiBCeyJDb2RlL0RCIEVycm9yPyJ9CiAgICBCIC0tIE5vIC0tPiBDWyJXYXJlaG91c2UgT3BlcmF0aW9ucyBFeGFtaW5lZCJdCiAgICBDIC0tPiBEWyJNYW51YWwgRGF0YSBFbnRyeSBEZWxheSBEZXRlY3RlZCJdCiAgICBEIC0tPiBFWyJBdXRvbWF0aW9uIE5lZWQgSWRlbnRpZmllZCJdCiAgICBFIC0tPiBGWyJOZXcgSW50ZWdyYXRpb24gRGVzaWduIChBUEkvTVEpIl0KICAgIEYgLS0-IEdbIlByb2Nlc3MgSW1wcm92ZW1lbnQgd2l0aCBXYXJlaG91c2UgVGVhbSJdCiAgICBHIC0tPiBIWyJSZXBvcnQgQWNjdXJhY3kgSW5jcmVhc2VkIl0KICAgIEIgLS0gWWVzIC0tPiBJWyJDb2RlL0RCIE9wdGltaXplZCJd%3Ftype%3Dpng%26bgColor%3D0d1117" alt="Shipment report debugging flow" width="527" height="1056"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Security and Operations: The Strength and Maintenance of Walls
&lt;/h2&gt;

&lt;p&gt;In the past, security and operational tasks were typically the responsibility of separate teams. I would just write the code, and system administrators or security specialists would handle the rest. However, in today's world, this distinction has disappeared. Now I also have to consider the security of the code I write and the operational health of the application. Issues like a kernel module blacklist (e.g., security vulnerabilities like CVE-2026-31431 for algif_aead), fail2ban patterns, or SELinux profiles are no longer just for system administrators, but also things I need to follow.&lt;br&gt;
Last month, I saw a container OOM-killed with a &lt;code&gt;sleep 360&lt;/code&gt; command because the cgroup memory.high limit was not set correctly. This was a simple error but caused application downtime. I then switched to a polling-wait mechanism to solve this problem. I closely follow issues like WAL bloat in PostgreSQL or OOM eviction policies in Redis because these situations directly affect the performance and stability of my application. Therefore, I need to manage not only the functionality of the code I write but also its systemd units, journald logs, and cgroup limits.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Command to check memory limits on a system&lt;/span&gt;
&lt;span class="c"&gt;# This is critical for understanding memory usage of containers or services.&lt;/span&gt;
&lt;span class="nb"&gt;cat&lt;/span&gt; /sys/fs/cgroup/memory/memory.max
&lt;span class="c"&gt;# Configuring journald rate limits is important to prevent log spam.&lt;/span&gt;
&lt;span class="c"&gt;# Configured in /etc/systemd/journald.conf.&lt;/span&gt;
&lt;span class="c"&gt;# RateLimitIntervalSec=30s&lt;/span&gt;
&lt;span class="c"&gt;# RateLimitBurst=1000&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Developer of the Future: From Engineering to Orchestration
&lt;/h2&gt;

&lt;p&gt;The developer of the future is no longer just an engineer but also an orchestra conductor. While our ability to write code is still fundamental, our true value now lies in our ability to bring together different systems, technologies, and people. Problem-solving, design, integration, and communication skills have become as important as our technical abilities. I remember how I brought together different AI providers (Gemini Flash, Groq, Cerebras) via OpenRouter in the backend of one of my side products and developed a fallback strategy against potential outages. This was less about just writing code and more about orchestrating different parts of a system.&lt;br&gt;
This transformation necessitates continuous learning and self-improvement. We are not just learning new programming languages or frameworks, but also gaining knowledge in areas such as network security (ZTNA egress control, segmentation), database optimizations (PostgreSQL index strategies, replication), and CI/CD processes. When developing my own Android spam blocker application, integrating native packages with Flutter or managing Play Store publishing processes was more than just a technical task for me; it was a holistic product development experience.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Continuous Learning and Adaptation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In this rapidly changing world, we must constantly keep ourselves updated. Specializing in one area is important, but having general knowledge across different disciplines makes it easier for us to take on the "foreman" role. For me, this covers a wide range, from BGP routing decisions at the network layer to event-sourcing patterns in software, and even agent patterns in AI. This diversity allows me to look at problems I encounter from a broader perspective.&lt;br&gt;
The developer's role is no longer just a "bricklayer" who follows instructions, but a "foreman" who views the project holistically, brings together different areas of expertise, and takes an active role in every stage of the work. This means more responsibility, yes, but it also offers a great opportunity to increase the impact of our work and build more satisfying careers. Those who adapt to this change will remain permanent and valuable in the industry.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>career</category>
      <category>indiehacker</category>
    </item>
  </channel>
</rss>
