Articles
Long-form writing on tech, culture, and the edges of the internet.
Back Button Hijacking Is Not a Bug-It's a Trust Boundary Failure
Back button hijacking isn't a bug-it's a trust boundary failure. When client-side state persists after logout, authenticated content remains accessible without server-side validation. This is not browser behavior; it's a design flaw in access control enforcement.
How Production Systems Actually Work With LLMs-Not Which Model You Choose
Production-grade AI systems don't depend on choosing between Claude and ChatGPT. They rely on consistent engineering: input sanitization, output validation, fallback logic, and structured pipelines-regardless of the underlying LLM.
How Trust Delegation Without Revalidation Creates Systemic Failure
Systems optimized for trust delegation without revalidation create persistent vulnerabilities. When automation assumes ongoing validity from trusted sources, adversaries exploit consistency-without breaking in-to propagate compromise at scale.
Running Gemma 4 Locally via Codex CLI: What Actually Works in Practice
Running Gemma 4 locally via Codex CLI offers isolation but not guaranteed consistency. Real reliability comes from input validation, output schema checks, and disciplined system design-not the model alone.
The Real Risk Isn't AI-It's Context Ignorance in Cybersecurity
AI-generated attacks fail in production due to unvalidated assumptions about access controls. The real risk isn't AI-it's context ignorance in cybersecurity operations.
The Router Is Not a Passive Device - It's the Attack Surface
Routers with default credentials and unpatched firmware are actively exploited due to lack of visibility and control. This post defines what failed, why it failed, and the systemic pattern that enables exploitation across infrastructure types.
Why 'AI Agent in Seconds' Platforms Fail in Production
Most 'AI agent in seconds' platforms sacrifice reliability for speed. Real production use demands validation, state persistence, and observability-features most no-code tools lack. This post explains why quick deployments fail at scale and how to build systems that actually endure.
Why Cloudflare CLI Automation Fails Without Verification
Cloudflare CLI automation fails without verification. This post explains why input validation, output checking, and idempotency are essential for reliable deployments-without speculative claims or exaggerated risks.
Why LLM Outputs Fail in Production-and How to Fix It
Non-deterministic LLM behavior leads to silent failures in production when outputs aren't validated. Learn how structured validation prevents cascading errors in real-world systems.
A single compromised email led to 7.7TB of LAPD data exfiltration - here's what telemetry actually showed
A compromised admin email led to 7.7TB of LAPD data exfiltration. No exploit, no payload - just valid API access and unmonitored behavior. What telemetry actually showed.
AI-Driven Attacks Expose a Fundamental Control Failure
Large-scale automated login attempts in Q2 2024 highlight a critical control failure: identity enforcement at request boundaries. The real risk is not AI, but trusting input based on origin rather than verification.
April 16 Cisco patches changed your threat model
Cisco's April 2026 patch wave includes seven Critical CVEs including a CVSS 10.0 RCE in FMC. Triage, detection, and architectural fixes for enterprise CISOs.