$ ls writing/ -lt
writing.
Notes from the desk, not thought leadership. Specifics over slogans. If a piece couldn't earn its keep at a kitchen table, it didn't make it here.
Total · 110 pieces
Latest · 2026·06·21
Page · 5 / 5
Locale · en_GB
License · CC BY 4.0
$ grep -l tag:* | sort | uniq
2022·05·26
INT8 quantisation, in numbers — and why INT16 is the boring choice
What "INT8-quantised inference" actually means once you do the arithmetic, why dropping from FP32 to INT8 is a cliff and dropping to INT16 isn't, and why every interesting question about putting an ML model on real silicon ends up here.
ai · ml · quantisation · inference · hardware
11 min
2022·04·26
What the teenagers taught the Fortune 500
LAPSUS$ compromised Microsoft, Okta, Nvidia, Samsung, Vodafone, and several others in a few months. They were teenagers using social engineering and MFA fatigue. The lesson, awkwardly, is that the dominant compromise vector in 2022 is social, not technical.
incident · social engineering · mfa · governance
8 min
2022·01·12
Log4Shell, and the inventory question we cannot keep ducking
A month on from CVE-2021-44228, the headline-grabbing exploits have slowed but the underlying problem has not. The discomfort of the past month was not really about Log4j. It was about how few firms could answer the question 'where is it running?'
vulnerability · supply chain · governance · craft
7 min
2021·08·21
wlan0: the unlocked back door on every TV
Part 4 of 4. Once you have root on the TV, the most useful thing on the device isn't the data on it — it's the second network interface nobody disabled. What this bypasses, why the SIEM is blind to it, and what to do about it.
hbbtv · iot · network · defence · research
10 min
2021·08·17
Pegasus, and the question for UK boards we have been pretending not to face
The Pegasus Project disclosures last month confirmed what specialists have privately known for years: commercial spyware is a mature, well-funded industry, and its customer list includes governments most UK firms do business with. The board question is what to do about it.
spyware · privacy · ned · governance
7 min
2021·07·17
From the embedded browser to a shell on a smart TV
Part 3 of 4. From the AIT-triggered page load to a shell prompt. CVE-2020-6383, shell.js, SMACK, and the public Samsung Q60T root chain.
hbbtv · chromium · v8 · tizen · smacks · research
11 min
2021·06·19
The lab rig: re-broadcasting HbbTV into a test bench
Part 2 of 4. What I built on the bench to study HbbTV attacks safely. Hardware, software, the AIT injection step, and the legal bit (do not transmit DVB into open air).
hbbtv · sdr · dvb · lab · research
9 min
2021·06·10
Colonial Pipeline: the CNI lesson the UK should not need to learn the hard way
Five weeks after the DarkSide ransomware attack on Colonial Pipeline shut down 45% of US East Coast fuel supply, what UK critical national infrastructure boards should be doing about it.
cni · ransomware · governance · ned
7 min
2021·05·22
The TV in the corner: what HbbTV actually is
Part 1 of 4. A primer on HbbTV from a security researcher's bench. Why I think the smart TV mounted on the meeting-room wall is the most under-considered attack surface in any UK office in 2021.
hbbtv · iot · embedded · research · smarttv
7 min
2021·04·06
Hafnium and the patch-window asymmetry
Five weeks after the Microsoft Exchange ProxyLogon disclosure, the dust is settling on what may turn out to be the most consequential mass-exploitation event of the decade. What it teaches us is structural, not tactical.
incident · patching · craft · ned
7 min