This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
-
Predictable or Repeated: The Only Two Ways Cryptographic Randomness Betrays You
Every key, nonce, IV, and salt fails in one of two ways: predictable when it must be unpredictable, or repeated when it must be unique. A field guide.
-
The Signature Was Valid. The Message Was Forged: A Field Guide to Serialization and Canonicalization Attacks
Why the bytes you sign matter more than the algorithm: hash length extension, ASN.1/DER forgery, JWT alg confusion, and XML signature wrapping -- and the fix.
-
Secure Against Whom? The Security Definitions Every Protocol Designer Needs
A protocol designer's field guide to IND-CPA, IND-CCA2, EUF-CMA, AEAD, and the random oracle model, and why the wrong adversary model sinks real protocols.
-
A Key Is Only as Unguessable as the Dice That Made It: Inside the Windows CSPRNG
Every software secret Windows makes is drawn from one CSPRNG. Trace the entropy, the SP 800-90A CTR_DRBG, ProcessPrng, and where the OS stops rolling the dice.
-
Beneath the Dashboard: What Your SIEM Actually Sees in the Windows Security Log
Advanced Audit Policy, SACLs, Windows Event Forwarding, and log anti-forensics: the native foundation every Windows SIEM assumes but few configure well.
-
The Mandate That Replaced the Checkout Button: How FIDO AP2 and Verifiable Intent Build a Trust Layer for Agentic Payments
How AP2 and Verifiable Intent turn purchase consent into a tamper-evident, portable mandate -- making delegation without presence a first-class primitive.
-
The Thirty-Year Migration Ships in a pip install: How Post-Quantum Cryptography Crossed from Standard to Shipping Code
Post-quantum cryptography spent thirty years reaching a pip install. ML-KEM and ML-DSA shipped in pyca/cryptography v48 weeks ahead of the federal deadline.
-
Two Standards Bodies, One Presentation Protocol: How ISO and OpenID Are Ending the mdoc-vs-SD-JWT War Without Picking a Winner
Digital credentials split into two presentation protocols, not two formats. How the joint ISO/OpenID DCHP group unifies the wire while both formats coexist.
-
Who Authorized This Tool Call? OpenID AuthZEN, the MCP Profile, and the Standards Race to Govern AI Agents
A valid OAuth token proves an AI agent is a legitimate caller but never authorizes the tool call. How OpenID AuthZEN and its MCP profile answer at runtime.
-
Five Ways Windows Authentication Breaks: A Machine-Checked Tour -- and Why Finding Nothing New Is the Point
A Tamarin and Dolev-Yao tour of 23 Windows authentication protocols: five recurring failure patterns, what a prover can prove, and the boundary it cannot cross.
-
One Event, Three Portals: How a Single Sysmon Line Becomes a Microsoft Defender XDR Incident
Trace a single Sysmon ProcessCreate event through six hops -- from Windows kernel emission to a unified Microsoft Defender XDR incident -- and where the convergence stops.
-
Below the OS: The Pre-Boot Trust Chain Where Secure Boot Inherits Its Trust From
Walk the eleven rungs from CPU reset to winload.efi -- Intel Boot Guard, AMD PSB, CSME, the PSP, KB5025885, and why the April 2023 MSI OEM-key leak is structurally permanent.