This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- BitUnlocker: When Microsoft's Recovery Environment Becomes the Master Key
  In July 2025, Microsoft's internal red team chained four CVEs in WinRE to bypass TPM-only BitLocker in under five minutes -- and the structural lesson is older than Windows 11.
- The Registry Adventure: How One Researcher Read 100,000 Lines of Windows Kernel C and Found 50 Bugs
  Between May 2022 and December 2023, Mateusz Jurczyk audited the Windows registry parser and produced 50 CVEs. The methodology is the story.
- Windows Security Boundaries: The Document That Decides What Gets a CVE
  Microsoft maintains a single public document that decides which Windows vulnerability reports receive a CVE, a Patch Tuesday bulletin, and a bounty payout. Here is how to read it.
- KRBTGT: The Account That Owns Active Directory
  Active Directory ships with one cryptographic key whose disclosure lets an attacker forge valid TGTs for every principal -- and rotating it, while necessary, is not sufficient.
- Rust in the Windows Kernel: A Field Guide to the 2024-2026 Memory-Safety Refit
  Rust ships in the Windows 11 kernel today. A primary-sourced field guide to what actually shipped from BlueHat IL 2019 through 24H2 in 2026, and what did not.
- Who is allowed to log in where? The KDC-side answer to credential theft in Active Directory
  A 28-year arc from Paul Ashton's pass-the-hash demonstration to the 2026 reference deployment of Tiering, Protected Users, and Authentication Policy Silos.
- Windows Downdate: When the Update Itself Is the Attack
  How Alon Leviev turned Windows Update into a downgrade primitive, rolling fully-patched Windows 11 back to vulnerable VBS components while every signature still verified.
- Two Checkmarks and the Keys to the Kingdom: How Active Directory's Replication Protocol Became the Longest-Lived Credential Attack on Windows
  MS-DRSR was designed for domain controllers to replicate secrets to each other. Its access check gates on an ACL, not on whether the caller is a DC. Eleven years after Mimikatz proved it, no patch can fix it.
- The Age Gate That Doesn't Know Your Age: How Anonymous Credentials Finally Crossed the Deployment Chasm
  Forty years after David Chaum's manifesto, anonymous credentials -- Privacy Pass, BBS, SD-JWT, Longfellow-zk -- have shipped into every major browser.
- "The Vault is Solid. The Delivery Truck is Not." -- Microsoft Recall's Two-Year Re-Architecture from Plaintext SQLite to VBS Enclaves
  How Microsoft Recall went from a plaintext SQLite database broken in four weeks to a VBS-Enclave + TPM-sealed + Hello-gated architecture, and what TotalRecall Reloaded still extracts. (Article title borrows Alexander Hagenah's framing, attributed in §8.1.)
- CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms
  A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
- eBPF vs ETW: Two Generations of Kernel Observability
  Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.