8 essays · 7 browser tools · writing online since 2019
Featured · Research
Age Without Identity
An under-16 social media ban need not become a national identity layer for the internet. The fear that age checks are digital ID through the back door is well founded, but only if we ask the wrong question. The right one is not who this person is, but whether a platform can know only that they are over 16. Privacy-preserving credentials and zero-knowledge proofs answer it: a narrow, unlinkable, session-bound proof that reveals no name, no face, no document. The standard should be brutal and simple: prove the attribute, not the person.
Who's behind this
Engineer working where operational technology, industrial networks, and AI-enabled automation meet, and writing about what it all means.
Currently Eating Wotsits
The writing
All writing
Start here
1. Every argument about where AI goes next is, underneath, an argument about the climb: recursion, self-improvement, compute bending the curve back on itself and accelerating. The progress is real and the excitement is earned. But a climber is only as good as the hill. Optimisation power, however vast, is worthless without something faithful to climb toward, and that target, the gradient that tells the system which way is up, is the thing nobody is pricing. We have built an extraordinary engine for going up, and said almost nothing about who decides where up is. This piece argues that the unpriced variable in the whole debate is not capability but direction.
2. A one-time pad is unbreakable, provided it is true, and that second half, the quiet condition, is where the whole claim lives. A true pad is a very specific object: genuinely random, at least as long as the message, used once, kept secret, never copied, logged, inferred, generated from a seed, or reused by accident. The word “true” is doing all the work. This piece pulls that condition into the light, showing how a guarantee that is flawless in theory turns fragile the moment it meets real machines and real people. The proof is easy; the discipline is not. And the lesson generalises far beyond cryptography: a word carries a claim only when the thing it names actually satisfies the conditions that make the claim hold. Until then it is language with ambitions.
3. Building Automation Systems are the silent brains of modern buildings: HVAC, lighting, access control, lifts, energy management. Designed for reliability, they were quietly connected to the internet and the wider IoT estate, and every new connection widened the attack surface. This piece walks through how BAS became a soft target: open protocols that trust by default, real incidents that exploited overlooked vulnerabilities, and the uncomfortable truth that a comfort system can become a way into the corporate network. It covers why these systems are so exposed (long lifecycles, weak segmentation, vendors optimising for uptime over hardening) and what defence actually requires: visibility, segmentation, and treating the physical integrity of a building as a security concern, not just its data. The threat is invisible because the systems are.
Recent
AI is not just another tool in the cybersecurity stack. It is becoming part of the system being defended, part of the system doing the defending, and increasingly part of the system being attacked. This piece separates cybersecurity with AI (models that detect threats, triage alerts, and accelerate response) from cybersecurity of AI, where the model itself, its data, prompts, outputs, permissions, and training pipeline become the attack surface. It walks through adversarial manipulation, poisoned training data, inference and privacy leaks, and the model as a weapon, then argues for governance without theatre: discipline across the whole chain rather than one framework or control. As models move from tool to participant, the old security boundary does not disappear; part of it moves inside the model.
TLS and centralised Public Key Infrastructure were built for the web, humans connecting to servers, not for fleets of machines talking continuously with no human in the loop. As Industrial IoT scales to millions of devices, traditional PKI strains: certificate authorities become single points of failure, revocation is slow, and one compromised node can threaten the whole system. This piece makes the case for Brontide, the Lightning Network's encrypted handshake, as a better fit for machine-to-machine communication: decentralised trust, channel graphs standing in for certificate authorities, and identity backed by economic stake rather than a single signing party. It walks through the limits of conventional PKI at industrial scale, how Brontide and Instant Karma PKI reframe the problem, and why borrowing trust from a payments network might be what securing industrial machines needs.
Explore by topic
Try it yourself
All tools
Small, real software that runs entirely in your browser; nothing you type or upload ever leaves your device.