This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- Is This Laptop Trustworthy? The 600-Millisecond Cryptographic Answer
  A six-link trace from TPM PCR extends through Microsoft Azure Attestation to Conditional Access isCompliant -- and why CAE does not revoke when BitLocker is disabled.
- The Three Roles of Zero Trust: How Microsoft Entra Decoupled Risk, Policy, and Revocation
  How Conditional Access, Entra ID Protection, and Continuous Access Evaluation factor a Zero Trust policy engine into three roles -- signal producer, decision point, and revocation bus.
- From Two Lines of Code to a Hypervisor Boundary: Microsoft Recall's 2024-2026 Re-Architecture
  How Microsoft Recall went from a same-user-readable DPAPI database that fell to two lines of code, to a VBS-Enclave + Pluton + Hello-ESS design that closes every exploit primitive from the May 2024 preview.
- SMB 3.1.1: How a Forty-Year-Old File Protocol Learned to Defend the Public Internet
  A textbook-depth walk through SMB security from MD5 signing in 1997 to AES-256-GCM, AES-GMAC, pre-authentication integrity, SMB-over-QUIC, and the Windows 11 24H2 hardening package.
- Two Paths to the Same Ticket: Smart Cards and Virtual Smart Cards in Windows
  A physical CAC and a TPM-backed Virtual Smart Card produce indistinguishable PKINIT AS-REQs at a Windows KDC. Here is why one will outlive the other.
- Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You
  Windows in 2026 has no first-class agent principal. The FIDO AATWG pillars meet AppContainer, S4U2Proxy, WebAuthn, and ETW -- and one missing glue layer.
- Anonymous Credentials Finally Shipped: From TPM DAA to Privacy Pass to Age Gates That Don't Know Your Age
  How forty years of cryptography papers became Privacy Pass at Cloudflare, Apple Private Access Tokens, BBS signatures, and Google longfellow-zk -- and in 2026, it all shipped.
- CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms
  A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
- eBPF vs ETW: Two Generations of Kernel Observability
  Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.
- Two Routes to Code Integrity: Linux IMA + AppArmor vs Windows WDAC + AMSI
  Linux and Windows answer one question -- "is this code allowed to run?" -- with very different machinery. Where the verifier lives matters more than how strong it is.
- Apple Secure Enclave vs Microsoft Pluton: Two Roads to Hardware Root of Trust
  How Apple SEP and Microsoft Pluton solve the same problem -- keeping your secrets safe from a compromised OS -- using two very different silicon strategies.
- Hyper-V Enlightenments, VMBus, and the Synthetic Device Model
  How Hyper-V guests get high-performance device I/O without emulating legacy hardware: enlightenments, the TLFS, VMBus rings, the VSP/VSC pair, and why the host-side parser is the attack surface.