Bought, not stolen
The malware that spent months wearing Microsoft’s trust didn’t steal a thing. No cracked certificate authority, no private key lifted off some breached vendor. There was, in effect, a shop: you uploaded your malware to a …
Tags
13 pages
Opinion
The interpreter we forgot to sandbox
I write a CLAUDE.md for every project I work on, and a small pile of other markdown files besides. They’re how I keep an AI agent on the rails: what the project is, what the conventions are, what it must never do. I lean …
The campsite was never the point
I named myself, professionally, after a rule about litter. The Boy Scout Rule is the one every camp drills into you: leave the campsite cleaner than you found it. Robert Baden-Powell’s version, in the last message he …
The rung we sawed off
I was in a job interview yesterday, on the wrong side of the desk for once. After years of being the one asking the questions I’m having a look at what’s next, and somewhere in a long, wandering technical conversation …
Everyone wants Rust's safety, nobody wants Rust
This spring, the better part of a million lines of Zig quietly became a million lines of Rust. Bun, the JavaScript runtime that was the showcase for “you don’t need a borrow checker, you need good tools and a steady …
They switched it off while it was fixing my code
I woke up this morning to a one-line message from my own tooling: Claude Fable 5 is currently unavailable. Learn more: https://www.anthropic.com/news/fable-mythos-access I followed the link expecting a status page about …
Why I still write code
By any sensible reading of an org chart, I have no business being in this file. I’m a Head of Software Engineering. My calendar reckons I should be in a room somewhere talking about headcount and roadmaps. Instead it’s …
Anything under an 8
I read the news about the National Vulnerability Database over a coffee that went cold while I sat there muttering at my phone. The short version: the NVD, the free public catalogue that quietly props up half the …
The consent you can't ask for
There’s a comfortable story going round about telemetry, and it goes like this. There are two kinds. There’s the creepy kind, the usage data a vendor harvests to work out who you are and what you do, and that kind needs …
Nobody's coming to clean your supply chain
Pick a week in May 2026 and there’s a supply-chain attack in it. On the 11th someone owned TanStack’s CI and pushed 84 poisoned package versions in six minutes. On the 14th, three malicious versions of node-ipc, a …
