This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
-
DPAPI and DPAPI-NG: The Credential Vault Under Everything
A 25-year tour of Windows Data Protection API: the four-stage classic chain, the 2012 DPAPI-NG redesign, the KDS root key, and the five structural ceilings the design cannot close.
-
Edge's Two Password Cryptographies: A Beautiful PSI on the Wire, and Plaintext RAM by Design
Microsoft Edge ships a homomorphic-encryption PSI for breach checking and decrypts every saved password into process RAM at launch. Both designs are deliberate. They defend different threat models.
-
ETW: How Windows 2000's Performance Hack Became the EDR Substrate
Event Tracing for Windows is the kernel-buffered observability bus every modern Windows EDR consumes. This is the architecture, the attacks, and the one provider that survives them.
-
Fuzzy Extractors and the One Inequality That Explains Why Windows Hello Doesn't Use One
Fuzzy extractors turn noisy biometrics into stable cryptographic keys. A single 2004 inequality explains why Windows Hello deliberately does not use one.
-
Kerberos in Windows: The Other Half of NTLMless
After NTLM, Kerberos becomes the load-bearing authentication protocol for Windows. Eight years of attacks, the December 2025 Beyond-RC4 cadence, and the H2 2026 IAKerb / Local KDC broad enable.
-
Plug and Trust: How Windows Decides What to Do When You Plug In a USB Device
In the 250 ms between physical insertion and class-driver attach, Windows executes eleven kernel-mode operations and trusts ~256 bytes of self-described descriptors.
-
Post-Quantum Cryptography on Windows: The Thirty-Year Migration That Just Arrived
How NIST FIPS 203/204/205 reaches the Windows platform via SymCrypt, CNG, Schannel, and .NET 10 -- the algorithm internals, the wire format, the migration timeline, and the honest accounting.
-
Process Mitigation Policies: CFG, ACG, CIG, and the Layer Between App Identity and the Kernel
A thirty-year history of Windows process mitigation policies -- DEP, ASLR, CFG, XFG, CET, ACG, CIG -- and the structural reason each one exists.
-
The ACPI Tables That Quietly Secure Your Windows Machine
Five small ACPI tables -- DMAR, IORT, WSMT, SDEV, WPBT -- form the firmware-OS contract behind VBS, Credential Guard, Kernel DMA Protection, and BitLocker.
-
The Empty Hash: Credential Guard, the LsaIso Trustlet, and the Eleven-Year LSASS Extraction Tradition
Why a 2026 Mimikatz dump returns [LSA Isolated Data] instead of an NTLM hash, what LsaIso.exe really computes, and the five things Credential Guard was never going to close.
-
WDAC + HVCI: Code Integrity at Every Layer in Windows
How Windows decides which code is allowed to run, end-to-end: WDAC policy schema, HVCI per-VTL SLAT enforcement, the audit-to-enforce loop, and the residual attack surface neither feature can close.
-
WebAuthn and Passkeys on Windows: From CTAP to the Credential Provider Model
The know/have/are taxonomy collapses against modern phishing kits. Passkeys, WebAuthn Level 3, CTAP 2.x, and Windows 11 24H2 third-party providers score against the criteria that actually matter -- and recovery is the load-bearing column.