Things I build, break, fix, and write about

8 July 2026
Local DNS proxy now preserves DNSSEC records

Cloudflare One Client for Windows now leaves DNSSEC records alone, which is exactly the sort of change I like, because it stops the client quietly meddling with answers. I have seen enough broken name resolution to know that a neat tunnel can still hide a messy DNS state.

8 July 2026
Cloudflare One Client for macOS DNS search suffixes

Cloudflare One Client for macOS can make a short hostname behave very differently, and most of the pain sits in the suffix list rather than DNS itself...

7 July 2026
Tracing acme.sh certificate handling in TLS interception

I spent too long chasing the neat version of TLS wiretapping reconstruction, then found the mess: shell parsing, token limits, and renewal timing. The...

7 July 2026
Reverse engineering game binaries with static analysis

Game binaries give up more than they should, if you know where to look. I start with binary analysis, not the folklore around the game, then use...

Latest blog posts you might like

4 July 2026
Chunked range reads with etcd RangeStream

etcd RangeStream is one of those changes that sounds minor until you watch a large read stop clogging memory on both ends of the RPC. I like it because it replaces one ugly pause with a series of...

3 July 2026
Why Kubernetes CVE records still flag unfixed issues

Kubernetes CVE records can say “fixed” when nothing was actually fixed, and scanners will believe them. I have seen that sort of paperwork mistake turn into quiet false negatives, then loud surprises...

3 July 2026
Spotting API access in DDoS-as-a-Service panels

DDoS-as-a-Service platforms rarely hide what they are doing; the panel, the payment flow, and the API tend to sit out in the open. I pay more attention to the selling machinery than the noise, because...

2 July 2026
23andMe breach notification gaps and account risk

23andMe breach notification gaps are the part that still bothers me, because people were left guessing whether they had a password problem or something much wider. If you reused a login anywhere,...

2 July 2026
Malware delivery through chatgpt.com/s links

ChatGPT share links can look boringly legitimate, which is exactly the problem. Once a trusted domain starts rendering attacker-controlled HTML, I stop trusting the address bar and start checking...

1 July 2026
cifs.upcall root trust and NSS lookup risk

A forged `cifs.spnego` request should die in the kernel, but on affected builds it reaches root-owned helper code instead. The ugly bit is `cifs.upcall`, where CIFS authentication key descriptions can...

1 July 2026
Harden PAN-OS by disabling auth override cookies

PAN-OS GlobalProtect authentication bypass is not a clever trick, it is a trust error with a neat finish. I prefer the boring fix, disable auth override cookies, then check the portal and gateway...

30 June 2026
Conditional access still anchors ZTNA policy

Zero Trust Network Access looks tidy until you test the policy against a failed identity provider, a stale token, or a changing location. I have seen too many setups where conditional access does all...

30 June 2026
ZTNA access policies for self-hosted services

ZTNA access policies only work when I treat the service, not the subnet, as the thing being protected. Once you start drawing the boundary around the app, rather than the VLAN, the gaps show up...

29 June 2026
Persisting federated users in AWS Cognito

AWS Cognito writes the user record before most people notice the decision point has gone, so I keep the real check in AWS Cognito PreSignUp_ExternalProvider. Anything later is tidying up after the...