Things I build, break, fix, and write about

8 July 2026
Local DNS proxy now preserves DNSSEC records

Cloudflare One Client for Windows now leaves DNSSEC records alone, which is exactly the sort of change I like, because it stops the client quietly meddling with answers. I have seen enough broken name resolution to know that a neat tunnel can still hide a messy DNS state.

8 July 2026
Cloudflare One Client for macOS DNS search suffixes

Cloudflare One Client for macOS can make a short hostname behave very differently, and most of the pain sits in the suffix list rather than DNS itself...

7 July 2026
Tracing acme.sh certificate handling in TLS interception

I spent too long chasing the neat version of TLS wiretapping reconstruction, then found the mess: shell parsing, token limits, and renewal timing. The...

7 July 2026
Reverse engineering game binaries with static analysis

Game binaries give up more than they should, if you know where to look. I start with binary analysis, not the folklore around the game, then use...

Latest blog posts you might like

29 June 2026
fits_open_file can copy arbitrary paths before validation

CFITSIO Extended Filename Syntax is the bit that makes me distrust a filename on sight. If `fits_open_file` gets attacker input, it can copy, fetch, or touch paths before FITS validation even starts,...

29 June 2026
Weekly Tech Digest | 29 Jun 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

28 June 2026
Android security boundary failures around AuthToken handling

Android Biometric AuthToken handling is one of those details that looks tidy until you trace what actually trusts it. I pay closest attention to the hand-off points, because that is where a neat...

28 June 2026
Access control in WrappedADS authorised mint flow

WrappedADS wrapTo() mint path is not hiding much, and that is the point. If the caller is trusted, the mint goes through; if that trust is wrong, supply moves just as easily.

27 June 2026
redeemPosition rounding turns fixed deposits noisy

A fixed deposit should not unlock more SEA just because the round counter shifts. The SEA settlement adapter let that line blur, and a flash-loan loop made the mistake expensive; once redemption...

27 June 2026
MMR proof indexing in a bridge dispatcher audit

The ugly part of an Ethereum bridge dispatcher is not the proof itself, it is the gap between a tidy verification trace and the bytes that finally reach custody logic. If those two ever diverge, the...

26 June 2026
Uniswap V2 spot reads distort reward payouts

A pair reserve is a terrible price feed when someone can shove it around for one transaction. I have seen the same bad read turn cheap stake entry into inflated principal, then pay out rewards from...

26 June 2026
Web shell persistence in BadIIS loaders

BadIIS is not clever, just persistent, and that is what makes it unpleasant. It survives IIS restarts, rewrites selected traffic, and leaves behind enough build artefacts, like demo.pdb, to give...

25 June 2026
OpenVPN vulnerabilities and patch priority

OpenVPN vulnerabilities are easy to shrug off until they hit the client, where malformed packets can knock out remote access before the tunnel is even trusted. I would patch that before almost...

25 June 2026
Operational threat intelligence for IIS hijacking

IIS hijacking is boring until it is not, which is exactly why a threat intelligence programme has to watch for the awkward bits, not the headline alert. When redirects, 503 spikes, and odd proxying...