This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
-
A Perfect Signature for a Certificate That Should Never Have Existed: A Field Guide to X.509 and PKI
How the Web PKI turns a certificate into a trust decision -- path validation, revocation, and Certificate Transparency -- and every famous way that trust broke.
-
The Ciphertext Was Unbreakable. The Attacker Rewrote It Anyway: A Field Guide to Block Cipher Modes
Every block cipher mode -- ECB, CBC, CFB, OFB, CTR -- answers only confidentiality, never integrity. A field guide to why, the famous breaks, and the AEAD fix.
-
They Read Your Plaintext Without Breaking Your Cipher: A Field Guide to Padding Oracles
A padding oracle reads your plaintext without touching your key. Why CBC, Vaudenay, Lucky13, and POODLE are one bug -- and why Encrypt-then-MAC ends it.
-
Predictable or Repeated: The Only Two Ways Cryptographic Randomness Betrays You
Every key, nonce, IV, and salt fails in one of two ways: predictable when it must be unpredictable, or repeated when it must be unique. A field guide.
-
The Signature Was Valid. The Message Was Forged: A Field Guide to Serialization and Canonicalization Attacks
Why the bytes you sign matter more than the algorithm: hash length extension, ASN.1/DER forgery, JWT alg confusion, and XML signature wrapping -- and the fix.
-
Secure Against Whom? The Security Definitions Every Protocol Designer Needs
A protocol designer's field guide to IND-CPA, IND-CCA2, EUF-CMA, AEAD, and the random oracle model, and why the wrong adversary model sinks real protocols.
-
A Key Is Only as Unguessable as the Dice That Made It: Inside the Windows CSPRNG
Every software secret Windows makes is drawn from one CSPRNG. Trace the entropy, the SP 800-90A CTR_DRBG, ProcessPrng, and where the OS stops rolling the dice.
-
Beneath the Dashboard: What Your SIEM Actually Sees in the Windows Security Log
Advanced Audit Policy, SACLs, Windows Event Forwarding, and log anti-forensics: the native foundation every Windows SIEM assumes but few configure well.
-
The Mandate That Replaced the Checkout Button: How FIDO AP2 and Verifiable Intent Build a Trust Layer for Agentic Payments
How AP2 and Verifiable Intent turn purchase consent into a tamper-evident, portable mandate -- making delegation without presence a first-class primitive.
-
The Thirty-Year Migration Ships in a pip install: How Post-Quantum Cryptography Crossed from Standard to Shipping Code
Post-quantum cryptography spent thirty years reaching a pip install. ML-KEM and ML-DSA shipped in pyca/cryptography v48 weeks ahead of the federal deadline.
-
Two Standards Bodies, One Presentation Protocol: How ISO and OpenID Are Ending the mdoc-vs-SD-JWT War Without Picking a Winner
Digital credentials split into two presentation protocols, not two formats. How the joint ISO/OpenID DCHP group unifies the wire while both formats coexist.
-
Who Authorized This Tool Call? OpenID AuthZEN, the MCP Profile, and the Standards Race to Govern AI Agents
A valid OAuth token proves an AI agent is a legitimate caller but never authorizes the tool call. How OpenID AuthZEN and its MCP profile answer at runtime.