Cryptographer & Software Engineer

Stuart
Thomas

Three and a half decades building systems that protect things that matter — patient records, payment networks, and the heritage of Whitby Jet. Based in Whitby, North Yorkshire.

Get in touch Security Research Whitby Jet Platform Maritime Cyber
Stuart Thomas
35+ Years in Computing
60M NHS Records Protected
8M Daily TfL Journeys
Active Security Researcher
Active Projects

What I'm Building Now

Current work at the intersection of cryptography, heritage, and community safety.

macOS Security Research: A Complete Framework

New (April 2026): a complete six-phase methodology distilled from 35 years of practice — Scope, Recon, Research Tracks, Red-Team, Submission, Archive. Eleven chapters covering vendor disclosure, the Darwin/XNU landscape, and the discipline of proof. Free under CC BY-SA 4.0 — HTML, EPUB and PDF.

macOS Darwin/XNU Methodology PING CC BY-SA 4.0
Read & download (free) →

Whitby Jet Provenance Platform

Cryptographic verification for genuine Whitby Jet jewellery. Each piece carries an NFC tag with an unforgeable AES-128 signature. Customers tap with any phone — no app required.

NFC AES-128 NTAG 424 DNA Node.js PostgreSQL
authenticwhitbyjet.co.uk →

Maritime Cyber Security — Whitby

Plain-English cyber security advice for Whitby's maritime community. GPS spoofing risks, marine insurance cyber gaps, onboard network security, and UK GDPR compliance for small operators.

Maritime GPS Spoofing UK GDPR Whitby
maritime-security.html →

Data Protection — Pro Bono

Background and experience in data protection: DPIAs, LIAs, clinical trial systems, law firms, retail, and family support. Not a services page — a record of what I know. Pro bono community help only.

UK GDPR DPIA LIA Clinical Trials
data-protection.html →

NTAG 424 DNA SDK for macOS

The first native macOS SDK for NXP NTAG 424 DNA NFC authentication. Full EV2First protocol, Secure Dynamic Messaging, key management. 2,145 lines of Swift + C. Zero dependencies.

Swift AES-CMAC PC/SC AGPL v3
github.com/jetnoir/ntag424-macos →

Scratchpad

A hyperlocal clipboard for macOS. Press CMD+SHIFT+X and move text between screens instantly. No cloud, no accounts, no tracking. 462 lines of Swift.

macOS Swift Menu Bar
github.com/jetnoir/scratchpad →
Career

What I've Delivered

Over forty years across defence, healthcare, finance, and government.

2011

TfL Contactless Travel Security

Transport for London

Designed the cryptographic key management architecture for London's contactless payment network. ISO 27001 and PCI DSS compliant. 22,000 readers, 8 million daily transactions.

ISO 27001 PCI DSS HSM Key Management
2004–06

NHS National Cryptographic Standards

NHS Connecting for Health

Authored cryptographic security standards for the NHS national programme. Smart card infrastructure analysis, key derivation protocols, protecting 60 million patient records.

NHS Smart Cards PKI AES
2009–23

Cyber Security & Data Protection

PwC · Deloitte · Harrods · Boots · London Stock Exchange

GDPR implementation, security architecture, penetration testing, and incident response across financial services, retail, and critical national infrastructure.

GDPR Pen Testing Incident Response
Heritage

Four Generations of Whitby Craft

The threads that connect Victorian jet workshops to AES-128.

Robert Dixon, Whitby Jet worker

Robert Dixon — Victorian Whitby Jet Worker

My four-times great-grandfather Robert Dixon worked Whitby Jet in the Victorian era, in the heart of the jet trade. The 1911 Census records him as a jet worker in a town where the material defined the economy and identity of its people.

When I moved to Whitby, I didn't plan to build a provenance platform. But standing on the same streets where my ancestor shaped jet by hand, the idea felt inevitable: use what I know — cryptography — to protect what he helped create.

William (Bill) Steele, Merchant Navy radio officer, c.1940

William (Bill) Steele — Signals, Convoys, Cold War Scarborough

My grandfather William (Bill) Steele served as a radio officer in the Merchant Navy during the Second World War, trained by the Marconi Company in Aberdeen. On convoy duty across hostile waters, he was responsible for receiving and relaying messages about submarine attacks — signals that kept ships and their crews alive. It was skilled, dangerous work conducted under fire and in extreme conditions.

After the war he was recruited into what was then called the Government Spy School — a signals intelligence agency — and ended up in Scarborough, where he spent the Cold War listening in on Russian Navy Morse code transmissions, helping to protect British interests at the height of the Cold War. There is still a government listening station in Scarborough to this day.

I didn't grow up thinking of encryption as a family trade. But somewhere between Bill's wartime radio set and the AES-128 keys I work with now, the thread is there.

Merchant Navy cap badge, c.1940
What I Care About

Principles

Provenance

Know where things come from

Heritage

Protect what came before

Honesty

Say what it is and isn't

Craft

Build things properly

Accessibility

Make it work for everyone

Independence

No investors, no extraction

Credentials

Qualifications

Professional certifications.

Privacy & Data Protection

CIPP/E
International Association of Privacy Professionals
GDPR Practitioner
Certified GDPR Practitioner
ISO 27001 Implementation & Management
Information Security Management

Security

CiSMP
Certificate in Security Management Practice
GSEC
GIAC Security Essentials Certification
Checked
Who I Am

Sometimes Serious. Sometimes Not.

All the hats. The cryptography is real; the pirate isn't.

Professional portrait
At the day job
Self-portrait with many hats — cryptographer, researcher, consultant, veteran
Many hats, over the years
AI-generated pirate portrait
AI silliness (Gemini) · Whitby pirate

Some decorative images on this site are AI-generated and labelled as such.

How I Work

A Note on Working With Me

Being honest upfront saves everyone time.

I’m neurodivergent — ADHD, autism, RSD. Over 35 years I’ve had more than 75 jobs. I’m not a conventional worker. I do my best work on things that genuinely interest me, on my own terms, at my own pace.

Not available for commercial work. This site is a record of what I’ve done, what I know, and what interests me — not a shop window. I share knowledge pro bono when health and energy allow, for community, charity, or research purposes.

Written communication only. No phone calls, no video meetings, no real-time chat. Async, at my pace. I may not respond quickly. I may not respond at all. That isn’t rudeness — it’s capacity.

Contact

Get in Touch

Based in Whitby. Not available for commercial work. Happy to share knowledge pro bono when health and time allow, written enquiries only.

stuartpaulthomas@gmail.com
This site uses no cookies or tracking. Server logs only. Privacy Notice