Ideas
Thinking
out loud.
Notes on AI security, design, and the places where they collide. Covering LLM exploits, zero-days, and the craft of building things that last.
AI can compress postmortem writing from 3 hours to 20 minutes and generate runbook first drafts from incident timelines. Here is how to automate the right parts, keep the human analysis intact, and build a postmortem corpus that makes future incidents shorter.
Model Context Protocol lets SRE agents query Elasticsearch, Prometheus, Honeycomb, and Kubernetes in natural language. Here is what the MCP tool surface looks like for a real observability stack, and what changes when the agent can see everything.
PagerDuty and Azure SRE Agents report 75% lower MTTR in 2026. Here is how to structure an AI-assisted on-call workflow: what to automate, where to keep humans in the loop, and how to avoid the false confidence trap.
The dominant UI trend of 2026 is not maximalism or AI-first automation. It is restraint. Calm interfaces that respect human attention, surface AI as a thoughtful copilot, and refuse to amplify noise.
AI-generated interfaces can hallucinate dark patterns, render XSS payloads, and systematically violate WCAG — not through malice, but through statistical plausibility. When the UI itself is model output, the security model must treat the interface as untrusted.
Prompt injection ends when the conversation closes. Memory poisoning does not. The MINJA attack achieves 95% injection success with a payload that sits dormant until the right future query activates it — days or weeks later.
RSAC 2026 saw five major vendors launch incompatible agent identity frameworks in the same week. Protocol fragmentation is not just an interoperability problem — when an agent cannot verify the identity of the agent it is talking to, every delegation becomes a trust assumption.
When Agent A delegates to Agent B which delegates to Agent C, who actually authorized the final action? Multi-agent delegation chains are breaking the accountability model that OAuth was designed to provide — and most frameworks don't enforce scope narrowing at all.
65% of agentic chatbots have never been used yet still hold live access credentials. Token lifetime is not a configuration detail — it is the primary blast-radius control for every agentic system in production. One stale credential, seven hundred breach notifications.
A chart that requires a legend to decode is a chart that failed. The best data visualizations make their argument without explanation. Chart type as semantic choice, the data-ink ratio, annotation over legend, honest scales — and why misleading visualizations destroy trust faster than bad data does.
Designing for the edges of human capability doesn't produce a restricted interface — it produces a better one. The curb cut effect, POUR principles, color contrast, focus management, screen reader semantics, and why accessibility constraints force the clarity every interface should have by default.
A spinner is not a design decision — it's a surrender. Every loading state is an opportunity to tell the user something true about what's happening. Skeleton screens vs spinners, progressive loading, optimistic UI, and why specific loading copy beats a bare animation every time.
Phishing used to be detectable by bad grammar and generic salutations. LLMs eliminated both signals and now enable personalized, contextually aware attacks at a volume no human attacker could produce. The spear-phishing pipeline, voice cloning for vishing, detection evasion, and why verification protocols matter more than email filters.
When an AI agent asks to read your files, send your email, or execute code — how does the system decide if it should? Most agentic systems grant broad access at deployment time and never revisit it. Least-privilege per task, dynamic permission requests, capability tokens, and why every permission use needs an audit trail tied to the task that justified it.
LLMs are uniquely vulnerable to resource exhaustion: the attacker pays almost nothing while the defender pays per token. Token flooding, sponge examples that maximize compute at inference time, recursive expansion attacks, and context window stuffing — plus output token limits, cost-based circuit breakers, and request queuing that actually work.
AI incidents are different from traditional breaches — there's no clear breach moment, behavioral drift is hard to detect, and "rollback" is more complex than reverting a deploy. Detection signals, containment steps, investigation framework for tracing the attack vector, and recovery procedures that close the door before you re-open the system.
The system prompt is the first line of defense in any LLM application — and the most commonly misconfigured one. Instruction anchoring, explicit refusal directives, output constraints, canary tokens for leakage detection, and why no amount of prompt engineering substitutes for access control, model training, or architectural isolation.
Traditional perimeter security fails AI where every model, agent, and pipeline is an internal attack surface. Five zero-trust layers: cryptographic workload identity (SPIFFE/SPIRE), least-privilege tool scoping, data micro-segmentation, continuous output authorization gates, and immutable audit logging the AI system itself cannot delete.
The EU AI Act, NIST AI RMF, and sector-specific regulations (SR 11-7, FDA SaMD) are creating concrete compliance obligations. Governance requires traceability, human oversight, continuous monitoring, incident response, and third-party model governance built in from the start — not bolted on after deployment.
LLM APIs introduce attack surfaces that don't exist in traditional REST services: system prompt leakage, cost exhaustion attacks (one prompt can burn $50 in compute), cross-user injection through shared context windows, and session isolation failures. Why most rate-limiting implementations are wrong for AI workloads.
Pickle deserialization gives arbitrary code execution the moment you load a malicious model checkpoint. With 500,000+ models on HuggingFace, typosquatting, compromised maintainer accounts, and poisoned fine-tuning datasets represent a supply chain attack surface the ML community is only beginning to address.
Imperceptible pixel perturbations cause confident misclassification — the fundamental geometry of adversarial attacks. Four attack categories (white-box, black-box, physical-world, universal perturbations) and three deployment scenarios: autonomous vehicle perception, biometric bypass, and content moderation evasion. Why defenses keep failing.
With 10k–100k queries, attackers can train a local model that achieves 90%+ behavioral agreement with a commercial API — effectively stealing the training investment. Three attacker goals (behavioral clone, white-box proxy, safety bypass) and why logit-masking defenses fail against distillation-based extraction.
Nasr et al. (2023) extracted ChatGPT training data including real email addresses and personal data using a $200 divergence attack. Memorization is a feature, not a bug — models must memorize to generalize. Four memorization factors and three extraction techniques that work against production LLMs.
Text rendered in white-on-white, steganographic LSB embedding, QR codes in document corners, natural-language overlays on product photos — four vectors for hiding AI instructions inside image content. When a vision-capable agent processes your uploaded receipt and executes the attacker's instructions instead of summarizing expenses.
Design tokens are the atomic units of a design system — named variables for color, spacing, typography, and motion that connect design tools to production code. The three-layer architecture, how dark mode becomes a token swap instead of a codebase audit, and naming conventions that scale.
Forms are where users do the work. Validation timing, label vs. placeholder, the questions you shouldn't ask, and why forms are conversations — not questionnaires. Every unnecessary field is a question that insults the user's time.
Motion in interface design has one job: reduce cognitive load by making state changes perceptible. Duration tables, the four principles of purposeful motion, what to avoid (bounce on controls, animating everything), and how to build a motion system that creates coherent product feel.
Red teaming AI systems requires a different methodology than traditional software. A four-phase process — threat model, attack technique families (jailbreaking, prompt extraction, indirect injection, capability elicitation), systematic coverage, and reporting — plus why attack success rate matters more than existence.
Process isolation doesn't contain what an AI agent decides to do. The primary escape vector is prompt injection through tool outputs — a five-layer containment architecture covering capability minimization, output validation, data flow control, human confirmation gates, and tool output sanitization.
Fine-tuning on custom data can override safety alignment trained into the base model. How backdoor attacks embed hidden triggers at 0.1% contamination rates, the four attack surfaces (data poisoning, alignment erosion, instruction injection, membership inference), and mitigations that actually transfer to the fine-tuned version.
AI has collapsed the cost curve of impersonation attacks. Spear phishing at $0.01 per target, voice cloning from 3 seconds of audio, real-time deepfake video in browser tabs. The Hong Kong CFO fraud case, why detection arms races favor attackers, and what actually works for defense.
Hallucinated package names get installed. Hallucinated URLs get visited. Slopsquatting — publishing packages at names LLMs consistently hallucinate — lets attackers weaponize model errors at scale. Why confidence amplifies the risk, and how to verify before you install.
Most design systems are designed for success. Error states are afterthoughts — vague, blame-shifting, and unhelpful. The anatomy of a bad error message, what makes one good, and why empty states are the most underused onboarding opportunity in any product.
A palette is a collection of colors. A color system is a set of rules for how they relate and where they're used. The three-layer architecture (primitive, semantic, component), why dark mode is a semantic problem, and why the neutral scale is where the real design work happens.
Hierarchy is the typographer's grammar. How size, weight, spacing, and color combine to create a reading order the eye follows without thinking — and the squint test that tells you whether your hierarchy is structural or just decorative.
AI agents with persistent memory are uniquely vulnerable to a slow, stealthy attack: adversarial content injected into vector stores that biases agent behavior over time. Why it's nearly undetectable, how vector databases become the primary target, and what memory integrity design actually requires.
When AI agents can click, type, and navigate browsers autonomously, every website becomes a potential attack vector. Hidden page instructions, ARIA label injection, financial fraud via mid-task manipulation — the threat model is fundamentally different from chat-based AI.
System prompts are not secrets. Five reliable extraction techniques — from direct instruction to differential probing to token smuggling via tool calls — and why designing your product assuming the prompt is public is the only safe posture.
The OWASP Top 10 for LLM Applications from specification to practice. Real attack patterns and mitigations for all ten categories — from Prompt Injection and Insecure Output Handling to Excessive Agency and Model Theft — with a prioritization framework for shipping teams.
Self-replicating prompts that spread through multi-agent systems without any user interaction. Morris II demonstrated this in 2024. How propagation works, why standard defenses fail, and the mitigations that actually help — privilege separation, human confirmation gates, and memory integrity checks.
The blank areas in a design aren't the absence of design — they're the most active part of it. A case for negative space as the primary tool of visual hierarchy, grouping, emphasis, and rhythm. Plus the spacing system problem that causes most visual inconsistency in production.
AI agents inherit OAuth tokens that outlive their tasks, accumulate scopes across sessions, and become high-value targets when stored in MCP config files. The authorization model wasn't designed for autonomous agents — here's what secure agent authorization actually requires.
The injection variant that bypasses every system-prompt defense: adversarial instructions embedded in MCP tool responses, database records, and retrieved web content. Why standard defenses fail, and how the MCP tool layer amplifies the blast radius.
Model Context Protocol from first principles: the Host/Client/Server architecture, building MCP servers in TypeScript and Python with real code examples, configuring Claude Desktop, and understanding when MCP is the right tool versus other approaches.
Skills and MCP both extend AI agents, but at completely different layers. Skills define what the agent does (CLAUDE.md slash commands, reusable workflows); MCP defines what the agent can reach (external tools, APIs, databases). How to create both, and how they compose.
Three critical local privilege escalation vulnerabilities — CVE-2026-31431, CVE-2026-43284/43500, CVE-2026-46300 — all actively exploited in spring 2026. Breakdown, detection, and exact patch commands for Ubuntu, RHEL, and SUSE.
A heap buffer overflow in nginx's rewrite module — dormant since 2008, CVSS 9.2, no auth required — was disclosed April 2026 and immediately exploited. How to detect vulnerable configs and patch or mitigate now.
Developers using AI coding assistants are shipping features faster than ever. They're also shipping vulnerabilities faster than ever. The security debt of vibe coding is real, accumulating, and largely invisible until it isn't.
Anthropic's Model Context Protocol gives AI agents persistent access to tools and data sources. It also gives attackers a new vector that most security teams haven't modeled yet — and the window to get ahead of it is closing.
Every safety measure deployed in a large language model has been bypassed. Not some — every one. On why the jailbreak problem is structurally different from other security problems, and what that means for AI deployment.
DeepSeek's emergence forced a real conversation the AI industry had been avoiding. The model capability gap is closing. The governance gap is not. A framework for thinking about open-weight model risk.
Google's Project Big Sleep agent autonomously discovered a memory-corruption vulnerability in the Linux kernel's io_uring subsystem — patched before public disclosure. The era of AI-first vulnerability research is here.
Unlike buffer overflows or SQL injection, prompt injection attacks are semantic — they exploit the model's instruction-following nature. Understanding why this class of vulnerability is structurally different from everything that came before it.
Retrieval-Augmented Generation systems trust their data sources implicitly. Injecting adversarial content into a vector database can hijack every query that retrieves it. A walkthrough of the attack surface.
Anthropic's 2024 research showed that LLMs can be trained to behave normally until a specific trigger condition is met — and that standard RLHF safety training fails to remove the behavior. What this means for any organization deploying third-party models.
Researchers discovered over 100 models on Hugging Face Hub containing serialized payloads that execute arbitrary code on load via pickle deserialization. The ML supply chain has the same vulnerabilities as npm — and less scrutiny.
regreSSHion was a signal flare. A race-condition vulnerability dormant since 2006, rediscovered by Qualys's AI-assisted static analysis pipeline. On how AI-powered code auditing is surfacing bugs that escaped a generation of manual review.
From Google's Big Sleep SQLite buffer overflow to Microsoft's Security Copilot flagging misconfigurations in Azure — a curated log of vulnerabilities where AI either found the bug, accelerated the patch, or changed the disclosure timeline.
Why the obsession with pixel-perfect consistency might be the thing that's making your product feel lifeless — and what to reach for instead.
There's a reason the most interesting corners of the web keep reaching for fixed-width fonts. It's not nostalgia — it's a precision play.
Performance and aesthetics are the same conversation. A 3-second load time isn't a technical problem — it's a trust problem, a brand problem, a relationship problem.
On the resurgence of texture in digital interfaces, and why generations of designers keep rediscovering that the most modern surfaces are never perfectly smooth.
Dark mode isn't an accessibility feature or a user preference toggle. For some of us, it's the only honest way to work — a disposition, not a setting.
Every framework promises the future. HTML has already survived three decades. There's something to be said for betting on the thing that doesn't need updating.
Screen-native, battle-tested, and more expressive than anything that came after it. The most underrated typeface in the history of digital design is already on your device.
Stay in the loop
New ideas, when they're ready.