This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- The Mandate That Replaced the Checkout Button: How FIDO AP2 and Verifiable Intent Build a Trust Layer for Agentic Payments
  How AP2 and Verifiable Intent turn purchase consent into a tamper-evident, portable mandate -- making delegation without presence a first-class primitive.
- The Thirty-Year Migration Ships in a pip install: How Post-Quantum Cryptography Crossed from Standard to Shipping Code
  Post-quantum cryptography spent thirty years reaching a pip install. ML-KEM and ML-DSA shipped in pyca/cryptography v48 weeks ahead of the federal deadline.
- Two Standards Bodies, One Presentation Protocol: How ISO and OpenID Are Ending the mdoc-vs-SD-JWT War Without Picking a Winner
  Digital credentials split into two presentation protocols, not two formats. How the joint ISO/OpenID DCHP group unifies the wire while both formats coexist.
- Who Authorized This Tool Call? OpenID AuthZEN, the MCP Profile, and the Standards Race to Govern AI Agents
  A valid OAuth token proves an AI agent is a legitimate caller but never authorizes the tool call. How OpenID AuthZEN and its MCP profile answer at runtime.
- Five Ways Windows Authentication Breaks: A Machine-Checked Tour -- and Why Finding Nothing New Is the Point
  A Tamarin and Dolev-Yao tour of 23 Windows authentication protocols: five recurring failure patterns, what a prover can prove, and the boundary it cannot cross.
- One Event, Three Portals: How a Single Sysmon Line Becomes a Microsoft Defender XDR Incident
  Trace a single Sysmon ProcessCreate event through six hops -- from Windows kernel emission to a unified Microsoft Defender XDR incident -- and where the convergence stops.
- Below the OS: The Pre-Boot Trust Chain Where Secure Boot Inherits Its Trust From
  Walk the eleven rungs from CPU reset to winload.efi -- Intel Boot Guard, AMD PSB, CSME, the PSP, KB5025885, and why the April 2023 MSI OEM-key leak is structurally permanent.
- Rotating Every Cipher: SChannel and the Twenty-Year Algorithm-Agility Story of Windows TLS
  How one Windows DLL rotated every TLS primitive from RC4 to ML-KEM without breaking IIS, RDP, SQL Server, or .NET SslStream -- and why Vista's 2007 CNG was the inflection point.
- The Same-Privilege Paradox: Twenty-One Years of Windows Kernel Self-Defense
  PatchGuard, KASLR, KDP, and the Win32k Lockdown are four answers to one paradox -- a defense at the attacker's privilege cannot succeed in principle. The 2005-2026 trajectory is migration out of the kernel.
- The Twenty-Year Local Admin Password Crisis: From GPP cpassword to Windows LAPS
  Microsoft published the AES key that "protected" Group Policy Preferences passwords. Twelve years later, MS14-025 still has not deleted the artefacts. Here is how Windows LAPS finally fixed the architecture -- and what it still cannot solve.
- A Mitigation That Became a Primitive: The Story of SeImpersonatePrivilege
  How a 2003 backward-compatibility privilege became the most-abused Windows service primitive, and why every Microsoft closure path breaks something shipped.
- Seventy-Eight Minutes That Evicted Antivirus From the Windows Kernel
  How a CrowdStrike channel-file update on July 19, 2024 collapsed twenty years of resistance to evicting third-party AV from the Windows kernel.