Articles
Long-form writing on tech, culture, and the edges of the internet.
Google's AI Search Shift: Run These Experiments Now
Real before/after data from 4 sites showing how Google's AI search changes traffic, CTR, and revenue by query type - with the exact tracking setup.
How Trust in Open-Source Updates Becomes a Systemic Failure Mode
A structural analysis of how trust in open-source updates becomes exploitable when systems assume past safety implies future safety, using the Trivy compromise as a case study.
ShinyHunters, Trivy, and the Pipeline Identity Problem
ShinyHunters cloned 300 Cisco repositories through Trivy running in a CI/CD pipeline. This is what failed structurally, why it failed, and what pipeline identity enforcement must look like.
The Advisory Told You to Update. It Didn't Tell You What's Already Running.
Patching the advisory isn't enough. If your CI pipeline ran during the compromise window, the compromised code is baked into your container images and still running. Here's how to find it.
The Real Architecture Behind Reliable AI Systems
Reliability in AI systems comes not from smarter models or autonomy, but from deterministic control, validation, and predictable failure recovery-patterns already proven in real-world production environments.
Why MFA Alone Will Not Save You
MFA stops credential stuffing but not AiTM phishing, token theft, or session hijacking. Here's what attackers actually do and how to close the gaps.
Why Your Firewall Rules Are Already Outdated
Most firewall rule sets have 30-60% dead rules. Here's why rule bases decay, what encrypted traffic and cloud migration did to perimeter security, and what to do about it.
The Real Failure in the axios npm Compromise Wasn't Code - It Was Trust
The [email protected] and [email protected] npm compromise was not a code flaw - it was a failure in trust validation. Credential theft enabled persistent supply chain poisoning due to lack of enforced MFA and session verification at every publish event.
Why Most Companies Fail at Incident Response
Most incident response plans are untested fantasies. Here's why companies fail at IR and the specific fixes that actually work.
Your npm install Just Ran Someone Else's Code
Supply chain security is not a dependency problem. It is a trust delegation problem. And the system was never designed to handle the weight.
First Transmission
Information systems became power systems. This site exists to examine what actually happened.
The Attention Economy Is a Hostage Situation
Attention was supposed to be the price of free services. It became the product. The architecture that followed was not designed for exchange. It was designed for capture.