The Disclosure
What responsible disclosure actually looks like from the inside. The finding, the write-up, the send, the silence.
The Machines That Made Me
A hardware roll-call from the Commodore PET to the MacBook Pro. What each machine actually taught.
The Shoplifting Joke
A taxi driver’s leg-pull joke that still makes me laugh. On the architecture of a good misdirect.
The Cycling Case
How a small cycling charity in Retford won £250,000 from a car-first county council. The case, the presentation, and what it actually takes.
The Same Room
The pattern that kept showing up across different employers and different decades. What it says about them. What it says about me.
The Jet Question
What Whitby jet actually is, why fakes matter, and what it’s like to work on something genuinely niche.
The Essay at Home
I wrote a good essay on the family PC while off sick. The teacher called it plagiarism. I walked out.
The Teaching Room
Two boys, a karate bruise, and a teacher who decided what happened before I opened my mouth.
The Sabbatical
Post-2023, post-employment, post-certainty. What independent research actually involves, what DWP means for how you describe yourself, and whether I want to go back.
The Right Kind of Leaving
There is a wrong way and a right way to leave a job. I’ve done both. The right kind buys something. The wrong kind just costs.
The Palm Court
My Nana put an ad in the paper. I got fired for playing the piano drunk. They took me back the next day. Make of that what you will.
The French Head Waiter
The Royal Hotel, a formidable French head waiter, a sixth-form French student, and seventeen words that changed my standing in the dining room.
The PCI Argument
At a bank I was the person who wouldn’t let things slide on PCI-DSS. Some people rolled their eyes. Hindsight sorted that out.
Being Right
I designed a contactless payment system. Several ideas were ignored at the time and proved correct later. This is not a triumphant post.
Writing the Standard
In 2004 I co-authored a national cryptographic algorithms standard. Sixty million patient records. What it felt like to be handed the pen.
Oracle and the Burnout
Oracle in Reading, then San Francisco. The burnout that sent me back north. And the thing I wish I’d known about myself before it got that far.
The SG Walkout
Three months at a European bank. I handed in the resignation letter, gained a lifelong best friend, and learned something about the right kind of leaving.
The PS2 Network
I designed the PlayStation 2 UK online network around 2000. A geek’s dream job that ended in burnout, politics, and a colleague accused of hacking his own account.
The Hoover and the Router
A network goes down in an office. Elaborate failover plans, redundant uplinks, careful documentation — none of it mattered. The cleaner needed a socket.
Reuters to Bloomberg
Got fired for talking back and swearing at a salesperson. Walked across the road to the competitor. Got hired the same afternoon.
The Resignation Letter
I wrote a resignation letter, put it in an envelope, walked into the manager’s office, and threw it on his desk. I was nineteen.
The Teacher and the Play
My teacher cancelled the school play because of my karaoke. Years later she watched me perform in a touring production and said something I will never forget.
The CUB monitor
The green phosphor screen shocked you if you touched it. I touched it anyway. On the BBC Model B, Granny’s Garden, and the first time a computer felt like mine.
Eight Miles
I walked eight miles a day to avoid the school bus. It wasn’t bravery. It was the only version of myself I could stand.
The Headmaster Said Sunshine
On the headmaster who used the word “sunshine” as a weapon, and why I still hear it that way thirty-five years later.
The longest line
A folding bike. A bank office. The longest straight line you could ride without hitting a desk.
Three months in
Thirty-five posts. Stuart didn't plan that — he planned one. What the discipline of writing up research regularly has done to the research itself. What it left open. The blog is still a PING into the dark.
How attackers see your network, Part 2: what the logs say
The inside view from the logs. What the honeynet record actually showed about attacker behaviour — the patterns, the scanning, the things that came back. The gap between what was intended to be visible and what was.
How attackers see your network, Part 1: the outside view
An attacker does not see your network the way you drew it on the whiteboard. They see what answers. Reconnaissance, banner-grabbing, and the gap between your network diagram and what is actually exposed.
The insurance company's pf estate
Somewhere, in a repository that no longer exists, is a CVS history of every firewall rule change made at an unnamed insurance company for about four years. What managing pf rulesets as code, at scale, taught about configuration discipline.
Binary analysis without symbols
Without symbols, a binary is not mute. It is speaking a different language — but you already know most of the words. What strings, import tables, function prologues, and structure reveal before you disassemble a single instruction.
The NFC handshake, Part 2: what the proof actually proves
The CMAC is correct. The key never leaves the chip. The counter increments. What the design actually guarantees — and its honest limits. What cloning means and doesn't mean for NTAG 424 DNA. Educational, from first principles.
The NFC handshake, Part 1: what happens in the air
Every contactless tap involves two simultaneous things: a transaction, and a proof. The proof is the interesting part. What happens in the RF field — the challenge, the response, the CMAC — and why the key-never-leaves design is the right choice.
Reading vendor advisories
A security advisory tells you what was fixed. It does not always tell you what was broken. Reading between those two things — cross-referencing commits, version ranges, CVE entries — is a research method in its own right.
Fuzzing: a week of noise
Fuzzing is not intelligence. It is patience with better tooling. What a week of fuzzing actually looks like — reading the output, the noise-to-signal ratio, what it finds that manual review misses, and vice versa.
How I set up a research box
The right research environment is one you trust completely — not because nothing can go wrong, but because you know exactly what going wrong looks like. Isolation, snapshots, tooling, and the discipline of keeping research separate from production.
The specification is a promise, Part 2: what happens when they break
The gap between a specification and its implementation is not always a bug. Sometimes it is. The skill is in telling the difference — when a security boundary has been crossed versus a benign divergence. BSD examples, from the source.
The specification is a promise, Part 1: what contracts look like
Every protocol begins as a document. The document is a set of promises. RFCs, man pages, vendor docs — how to read them as contracts, what MUST and SHOULD actually mean, and where security researchers should pay closest attention.
Reading a packet capture
A packet capture is a conversation, written down. The interesting questions are: who is talking, and what are they not saying? Wireshark and tcpdump as research tools — the gap between specification and what actually goes across the wire.
What the logs said
The Oracle honeynet generated more data in a week than could be read in a month. The discipline was not collection — it was interpretation. What the logs actually showed, and how to separate observation from conclusion.
The minimal reproducer
The bug is not the ten thousand lines that led to it. The bug is the twelve lines that prove it. The art of reduction — what the discipline of minimising a reproducer teaches you about the defect itself, and why it matters for the engineer who receives it.
Static analysis for the impatient
You do not have to run the code to know something is wrong. Sometimes the wrongness is right there in the text. Grep-driven research, pattern recognition in source, and what you can find without executing a single instruction.
Before the report, Part 2: writing it so someone can act on it
A report that cannot be acted on is a complaint. Three things: reproduction steps, impact statement, fix hint. Writing for the engineer who has to understand and fix it, not for the audience. Economy of language as a form of respect.
Before the report, Part 1: verifying what you actually found
The most dangerous moment in security research is when you think you've found something. The discipline of asking "am I actually sure?" — distinguishing real vulnerabilities from defence-in-depth, and why the minimal PoC is a verification tool first.
Behaving as designed
The finding I was most confident about — fskitd missing an entitlement check on formatResource and activateVolume — came back as expected behaviour. A note on what that means, and what it taught about the difference between a security gap and a design choice.
The asymmetric guard
The binary evidence of the TOCTOU race in XProtectRemediator is real and verifiable. The exploit claim was not. How to tell the difference, and why both matter.
The 2am habit
There is a specific quality of attention that arrives around 2am. The distractions are asleep. The problem is not. What late-night independent research produces — and why working without external reason generates different thinking than daytime professional work.
Source is not enough
Reading XNU source at 2am and finding a bug. Not being able to reproduce it at runtime. The closed submission that taught the most important rule: source analysis is not security evidence.
The shake that confirmed
The macOS lockscreen’s visual response to a valid username differs from its response to an invalid one. A username enumeration primitive that requires physical presence. Apple: expected behaviour.
Reading a kernel, Part 2: where the interesting bits live
Once you know where the rooms are, the question becomes: which doors are left ajar? Privilege transitions, input parsing, interface boundaries — the places in a kernel where trust changes hands, and where a careful reader pays closest attention.
The card that wasn’t there
CryptoTokenKit reports 2 state changes. PC/SC reports 147. Same hardware, same card operations. When a framework misses 98.6% of events, the card-removal lock that depends on it misses them too.
The retraction
I found a CFGetTypeID gap in secd’s IPC decode path. I submitted it. I could not reproduce the IPC-triggered crash. I retracted it. This is what clean retraction looks like, and why it matters.
Reading a kernel, Part 1: getting your bearings
Kernel source is not a book you read front to back. It is a building you learn to navigate. How to orient yourself in a production kernel for the first time — directory structure, subsystem mapping, finding the entry points.
A null on the way back
BSD traceroute on macOS crashes with a NULL dereference when ECN mode and ICMP protocol are combined. Apple: local DoS by user themselves; not in scope. They’re right.
The root prerequisite
A TOCTOU race in XNU’s exec_activate_image() around SUID bit evaluation. Requires root to set up. Apple: root prerequisite exceeds exploit; no security boundary crossed. Correct.
The internet hotel
The data centre in Budapest had guards with AK-47s. Stuart knows this because he walked past them carrying patch cables. CityReach, the dot-com era, Europe by train with an Ericsson handset and early GPRS on Cellnet — managing a network estate from a moving carriage.
The database on the floor
interactionC.db carries 644 permissions. On a SIP-enabled host, the Data Vault makes those permissions cosmetic. The lesson: finding the permissions gap is not the same as demonstrating the breach.
The path that was open
One XPC method on kernelmanagerd returns kext paths without an entitlement check while six siblings are gated. Apple: not an actionable security report. The information was already public.
The first job
University College Scarborough, 1994. The first proper job. What computing looked like before the web swallowed everything — and what that environment taught about networks that still holds thirty years later.
The first fiver
A paper round, a widow, and the Commodore PET her late husband left behind. First paid computer job. £5.
The comment-trap caper
A small cartoon at my expense, and the lesson it gets right. On the difference between what a comment says and what the code does.
The map and the hunt
After thirty-five years, I stopped trusting my instinct for where to look — and started laying three boring public data sources on top of one another.
The staging window
Six methods on com.apple.amfi.nsxpc require an entitlement check before dispatch. One does not. During an MDM profile staging window, it returns profile data to uid=501. Apple: insufficient attack surface.
Two tiny games on the front page
A snake and a text adventure now sit at the top of stuart-thomas.com. They were not, as I want to be clear, strictly necessary — but they change the room the homepage walks people into. A short note on the door and the invitation.
The ungated path
CVE-2025-24129 patched mDNSResponder’s primary trust-check bypass. The D2D/AWDL ingress path bypasses the same gate. Binary evidence is clear. Runtime PoC requires AWDL hardware I did not have.
Why I still read the man pages
A man page is a promise. The interesting question, for a security researcher, is whether the code keeps it. The gap between documentation and implementation is where the unveil(2) bug lived for eight years. On reading technical documentation as a research technique.
Skipping the hostname check
mDNSResponder’s DNS-over-TLS path does not validate the server’s TLS hostname. A rogue DoT resolver on an MDM-managed Mac accepts connections. CWE-297, CVSS 8.1. Apple closed without comment.
The door that did not close
fskitd accepts unlimited appex spawn requests from unprivileged callers. Apple: resource exhaustion requiring local code execution is not a security issue. Correct — and there’s a quality observation underneath.
Two credentials
mac_proc_check_settid receives two credential parameters that can differ. Apple confirmed: expected behaviour. What it means for forensic tools that read only one.
The harness that lied
My PoC printed EXPLOIT CONFIRMED regardless of whether anything was exploited. How I found out, what the verdict-before-evidence pattern is, and the rule I now apply to every test harness.
Ninety days
The 90-day standard is a number that has a human being inside it. What coordinated disclosure actually feels like from the researcher’s side: the acknowledgements, the silences, the two-word replies, the patches, the closures without comment. Warm and honest throughout.
The stone that knows itself
Genuine Whitby Jet has been imitated since the Victorian era. For 150 years, provenance was a matter of expertise and trust. NTAG 424 DNA NFC chips implement AES-128 CMAC authentication in hardware. The stone no longer just claims to be genuine — it can demonstrate it.
What a CVE doesn’t say
A CVE entry is a summary of a summary. The interesting material — the affected function, the commit that fixed it, the real-world trigger — lives in the references, not the description. How to follow a CVE back to the room where the secrets are kept.
Writing for the person who has to fix it
A vulnerability report is not written for the researcher. It is written for the engineer who has to understand it, reproduce it, fix it, and ship the fix. Three paragraphs, a minimal reproducer, the impact. Everything else is noise. On the craft of the good report.
Touch and go
Every time you tap your card on a London Underground barrier, something genuinely interesting happens in about 300 milliseconds. Stuart worked on TfL contactless payment architecture. This is what it looks like from the inside — and why the key that never leaves is the design choice that makes it all work.
The honeynet and the long wait
Setting a trap is the easy part. Stuart ran an Oracle honeynet long enough to develop a specific discipline: separating observation from interpretation, resisting the urge to intervene, and trusting the log as truth. The habits it built have lasted twenty years.
The open source that made this possible
Apple publishes XNU — the kernel at the heart of every Mac — as open source. They are not obliged to. They have been doing it for over twenty years. Every piece of macOS research on this blog depends on that decision. A warm acknowledgement of something that deserves one.
The unreasonable joy of it
Nobody asked me to do this. I read kernel source in the evenings, in Whitby, for fun. The bug had been in a #if 0 block for eight years. The reply from OpenBSD was two words. It was the best two words I'd read all week. On why independent security research is genuinely, ridiculously good fun — and why you might like it too.
Running tight
Twenty-five years of OpenBSD: from Snort on firewall hosts at CityReach to a large insurer running CVS-managed pf rulesets across a global estate, to reading the kernel source on a Mac Mini and finding two bugs now fixed and credited. On the OS that treats correctness as a discipline, not a feature.
The shape of an answer
In 2001 I wrote a short paper for SANS on ICMP crafting. I thought I was writing about a protocol. I was actually working out how to ask a question carefully — and how much a careful answer reveals. This is where the blog gets its name.
The neighbours always answer
FreeBSD and OpenBSD publish a security advisory record going back decades. Darwin shares a great deal of code with both. A practical technique for using that public record as an annotated security changelog for XNU — one of the most underused starting points in solo macOS research.