The week Silicon Valley Bank collapsed, I wanted to answer one question for the small bank holding my business checking account: how much of its deposits were uninsured, and what did its capital position actually look like? Every finance site was recycling the same three charts. The real numbers were… Read more →
Security, DevOps & Trading Tech — Practical Guides
-
Reading a JWT Offline: How to Spot alg:none and Algorithm Confusion Before They Bite
A pentester friend sent me a JWT last month with a one-line note: “spot the bug in 10 seconds.” I pasted the three segments into Base64Lab, flipped on URL-safe decoding, and read the header. The alg field said none. That token had no signature at all, and the backend was… Read more →
-
Your Photos Are Broadcasting Your Home Address — Strip EXIF GPS in the Browser
A friend sent me a photo of their new apartment last year and asked me to guess the neighborhood. I opened the JPEG in a terminal, ran exiftool, and read back their street address to two decimal places of latitude. They had never posted the location. The phone did it… Read more →
-
The Treasury FiscalData API: Pull the U.S. National Debt as JSON (No Key)
Last month I was building a dashboard that needed the actual interest rate the U.S. government pays on its debt. Not a headline number from a news site, not a scraped table — the real figure, updated monthly, that I could pull programmatically and trust. I went looking for an… Read more →
-
Check If a Password Was Breached Without Sending It (HIBP k-Anonymity)
A junior dev on my team once wanted to add a “check if your password was breached” feature to our signup form. His first instinct: POST the plaintext password to Have I Been Pwned and show a warning if it came back dirty. I stopped him before the PR got… Read more →
-
How One Regex Took Down Cloudflare: Catastrophic Backtracking, Tested in Your Browser
A single line of validation code once took down half of Cloudflare. On July 2, 2019, a regular expression pushed to their WAF spiked CPU to 100% across their global network and knocked a chunk of the internet offline for about 27 minutes. The regex looked harmless. It contained a… Read more →
-
The SEC EDGAR XBRL API: Pull Any Company’s Financials as JSON (No Key)
I wanted a quick answer to a boring question: what was NVIDIA’s gross margin last fiscal year, straight from the filing, no scraped-together blog number I have to trust? Most people open a stock site and read whatever it shows. I wanted the figure that came out of the actual… Read more →
-
I Stopped Pasting JWTs Into Online Base64 Decoders — Here’s the Browser-Only Fix
Last month I watched a teammate debug an auth bug by pasting a production JWT into the first “base64 decode online” result on Google. The token was a live bearer credential — valid for another 50 minutes, signed for our payments service. He pasted it into a text box on… Read more →
-
The SpaceX 424B Prospectus Is Free on SEC EDGAR — Here’s What It Says and How to Pull It
The day SpaceX priced its IPO, half the finance Twitter accounts I follow linked to a paywalled news story. The other half linked to a screenshot of a screenshot. Almost nobody linked to the one document that actually mattered: the SpaceX 424B prospectus sitting on SEC EDGAR, free, with every… Read more →
-
AirPods Max 2 Just Dropped to $399 on Amazon — Apple’s Flagship Headphones Have Never Been This Cheap
Prime Day 2026 just served up the deal a lot of us have been waiting for since March. Apple’s over-ear flagship, the AirPods Max 2, has dropped to $399 on Amazon — $150 off the $549 launch price, and the lowest this headphone has ever been. If you sat out… Read more →