Qas
qas@nostrplebs.com
npub18w8v...dcc7
Head of Penetration Testing at PureCyber
qas 3 months ago
Most people think of “digital ID” as just a card on your phone. The real issue is the centralised database behind it. Linking everything about you into one system doesn’t just create a surveillance risk. It creates a massive security vulnerability. Once that data is breached or misused, you can’t put it back in the box. It also hands government unprecedented control. The ability to link, track, or even restrict access to everyday life is not something any free society should give up lightly. Privacy isn’t just about liberty, it’s about safety. Centralising sensitive data in this way puts both at risk.
qas 3 months ago
This is why I Bitcoin.
qas 3 months ago
One good thing that has come from this Core vs Knots debate is that at least more people are running nodes!
qas 3 months ago
It’s crazy how the Core vs Knots debate differs between people on Nostr and X. Across Nostr, people seem to at least be debating. On X, it’s just pure tribalism and people popping off on each other 🙈
qas 3 months ago
Bitcoin doesn’t need politicians. Politicians need Bitcoin.
qas 3 months ago
Bitcoin Core vs. Bitcoin Knots: two sides of decentralisation from a professional hacker’s perspective.

A quick intro: I’ve spent the last seven years finding and exploiting security issues in everything from software and networks to trains and power plants. I mention that because I’m looking at the Core vs Knots debate through a security practitioner’s lens, not a tribal one.

There’s a lot of noise around the Core vs. Knots debate right now, but much of it misses the real point. They’re not actually fighting over the same thing, and this has meant that whilst people are focusing on the spam argument, we’re sleepwalking into some big issues that should be discussed NOW.

Bitcoin Core developers are focused on block production decentralisation. Their concern is making sure every miner, whether a massive pool or a solo operator, has a fair chance to get transactions into a block. That’s why they push for neutrality. If a transaction is valid under Bitcoin’s rules and pays a fee, it should be relayed across the network.

Supporters of Bitcoin Knots are more focused on validation decentralisation. Their priority is keeping full nodes lightweight and affordable to run. They don’t want people priced out by spam or arbitrary data clogging up the blockchain. That’s why they push for stricter relay policies and filters. It makes life easier for ordinary users who want to run a node at home.

Here’s where a lot of confusion comes in.
* Consensus rules define what must be accepted in a block. These are universal.
* Policy rules define what your node chooses to relay or keep in its mempool. These are local choices only.

Filters can protect your own node, but they don’t stop miners from including those transactions if they want to. Neutral relay keeps miners on equal footing, but it also means node operators shoulder more of the load.

For me, one of the biggest threats to Bitcoin isn’t just spam or bloat. It’s the risk that private relay networks become “fast lanes” to miners. If that happens, the balance of power shifts. Transactions that reach miners through these networks will get priority, while transactions from ordinary node operators may lag behind. This risk is even sharper if Knots-style filters slow down how quickly some nodes can relay transactions. A filtered mempool means your node might not broadcast as fast, giving private relay networks an even bigger head start in reaching miners. That could tilt block production toward those with privileged access, undermining fairness.

That creates a few dangers:
* It could tilt block production towards miners who are plugged into these relay highways, making the system less decentralised.
* It could make censorship easier. If relay networks decide not to carry certain transactions, those transactions may never reach miners in time to compete for block space.
* It could leave node runners with little to no influence over which transactions make it into blocks. At that point, running a node still helps you validate your own transactions, but it no longer contributes much to the fairness of the network.

And if that were to happen, Bitcoin risks becoming less like a neutral, permissionless monetary system and more like a controlled network where a handful of actors decide what gets confirmed. That would weaken the very property that makes Bitcoin valuable as money in the first place.

So this isn’t decentralisation versus centralisation. It’s about which form of decentralisation we prioritise today. Do we focus on keeping nodes light and accessible, or on keeping block propagation fair for miners? If Bitcoin is going to grow into the world’s dominant money, it probably needs both.

So what’s the takeaway from this post? For me, Bitcoin is a monetary network and I don’t want to see spam clogging up the blockchain. But I also want those running Knots to recognise that filtering alone won’t stop spam from ending up in blocks. That risk only grows if what gets into blocks is effectively decided by a handful of private relay networks and miners.

I don’t believe Core developers have been “compromised,” but I do worry about the attitude that unless you’ve contributed code, your opinion doesn’t count. That creates an echo chamber around Core, shuts out fresh ideas, and builds distrust among people looking in from the outside.

I think broader adoption of technologies like Stratum V2 is one of the best ways we can reduce the power of mining pools and relay networks. That’s where more of us should be putting our energy today.

And lastly, we need to drop the “us versus them” mentality. This needs open, hard conversations, not rushed decisions. I’ll be quietly running a slightly behind version of Core after the next release, because I’d rather take the time to understand the risks properly. What matters most is that as many people as possible understand the threats to Bitcoin, so we can work together on solutions, rather than a small group pushing updates when most people don’t even understand the why.
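To make the consensus-versus-policy split in the post above concrete, here is an added toy simulation (my own illustration, not the author's code and not Bitcoin Core or Knots code): filtering nodes refuse to relay a data-heavy but consensus-valid transaction, yet a miner that receives it over a private relay can still mine it. Node names, the 83-byte filter, the consensus cap and the transactions are all constructed values.

```python
# Toy model of Bitcoin consensus rules vs. local relay policy (constructed example).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int          # sats; stand-in for fee rate
    data_bytes: int   # arbitrary data carried, e.g. in an OP_RETURN output

MAX_DATA_CONSENSUS = 100_000  # assumed consensus-level cap, not a real Bitcoin constant

def consensus_valid(tx: Tx) -> bool:
    """Universal rules: a block containing a tx that fails these is invalid everywhere."""
    return tx.fee > 0 and tx.data_bytes <= MAX_DATA_CONSENSUS

@dataclass
class Node:
    name: str
    data_carrier_limit: int            # local policy: largest data payload it will relay
    mempool: set = field(default_factory=set)
    peers: list = field(default_factory=list)

    def policy_accepts(self, tx: Tx) -> bool:
        return consensus_valid(tx) and tx.data_bytes <= self.data_carrier_limit

    def receive(self, tx: Tx) -> None:  # gossip: keep and forward only what policy accepts
        if tx in self.mempool or not self.policy_accepts(tx):
            return
        self.mempool.add(tx)
        for peer in self.peers:
            peer.receive(tx)

def mine_block(miner: Node, private_relay: list) -> list:
    """Block template = miner's mempool plus anything handed over a private relay.
    Only consensus validity matters here; other nodes' filters have no say."""
    candidates = set(miner.mempool) | set(private_relay)
    return sorted((t for t in candidates if consensus_valid(t)), key=lambda t: -t.fee)

def scenario(use_private_relay: bool) -> dict:
    # Constructed topology: filtering home node -> filtering hub -> permissive miner.
    home = Node("home-knots", data_carrier_limit=83)    # 83 is a constructed filter size
    hub = Node("hub", data_carrier_limit=83)
    miner = Node("miner", data_carrier_limit=MAX_DATA_CONSENSUS)
    home.peers, hub.peers = [hub], [miner]
    payment = Tx("pay", fee=500, data_bytes=0)
    data_tx = Tx("data", fee=900, data_bytes=4_000)     # consensus-valid, policy-filtered
    for tx in (payment, data_tx):
        home.receive(tx)
    block = mine_block(miner, [data_tx] if use_private_relay else [])
    return {"hub_relayed": {t.txid for t in hub.mempool}, "mined": [t.txid for t in block]}
```

Running `scenario(True)` shows the hub never relays the data transaction, but the miner still includes it (and at the top, since it pays the higher fee); `scenario(False)` shows that without the private fast lane the filter did keep it out of the block.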
qas 3 months ago
I’ve been following the ongoing debate between Bitcoin Core and Bitcoin Knots. At first glance it looks like a fight about “spam” but when you dig deeper, it’s really about two different ways of protecting decentralisation. Coming from a cyber security background, I find this fascinating. In my world, trade-offs are everywhere. You tighten security in one area, you create pressure somewhere else. Bitcoin is no different. Core and Knots are both trying to defend the network, but they’re focused on different layers and that’s why they sometimes talk past each other. I’ve been thinking about writing up my perspective on this, especially around the often-missed distinction between consensus rules (what the entire network must accept) and policy rules (what your individual node chooses to accept or relay). Before I do, would anyone actually be interested in a deeper, non-biased dive on this? Or should I just shut up and stay out of the conflict as it’s too far gone?
qas 3 months ago
People think physical security testing is all action-movie moments… in reality it’s usually just me, hiding in some bushes on a site recce.
qas 3 months ago
I’m halfway through Build by Tony Fadell (who led the teams behind the iPod, iPhone, and Nest) and it’s easily one of the most practical books I’ve read on leadership and building products (which is why I’m posting about it!). One lesson that really stuck with me is that feedback isn’t about being nice or harsh, it’s about being clear. I’ll admit, I’ve definitely softened feedback in the past to avoid awkwardness. But as Fadell points out, unclear or sugar-coated feedback doesn’t actually help anyone. If people don’t know what’s really expected, they can’t grow. That’s something I’m working on. Being clear without being unkind. Clarity + context > comfort. If you work in tech, management, or leadership, I’d really recommend this book. It’s packed with lessons that apply far, far beyond product development.
qas 3 months ago
Cyber security often gets painted as purely a “tech” problem. But the truth is, if someone can just walk into your office/house and either steal your stuff or plug in a device… all the fancy tools in the world won’t save you. I’ve seen plenty of cases where the weak point wasn’t a firewall or an endpoint. It was an unlocked server room, an unattended laptop, or even just a friendly colleague holding the door open. Physical security isn’t glamorous by any means, but it’s the foundation everything else sits on.
qas 3 months ago
I think this Core vs Knots debate is good for Bitcoin (in the long run). If this was a centralised monetary system you’d just have to fall in line with whatever rules you were told to follow. This has highlighted that no matter what side you fall on, people will always have the freedom to run whatever nodes and filters they see fit. And if people turn on both Core AND Knots in future then other node clients will likely be created, further decentralising the network.
qas 3 months ago
People regularly ask me “What’s the most common way you actually hack into businesses?” They look at me with bated breath, expecting some mind-blowing story about zero-days or Hollywood-style exploits. Instead, I bitterly disappoint them by being honest and telling them that 9.9 times out of 10, I get in due to ‘Password1’ or plain human error. Not very glamorous. But very real. One thing I’ve learnt is that security fundamentals are nowhere near as exciting as EDR, SD-WAN or AI. But they’re almost always the difference between me getting in and keeping me out.
qas 3 months ago
I get the same DM all the time: “What certifications do I need to land a job in cyber security?” When I first started out, I thought the answer was simple: stack up certs. I went into a pen test interview with all the right ones… and completely bombed it. Why? Because I couldn’t explain basic network security fundamentals. I walked out thinking, “But I had XYZ certs - wasn’t that enough?” It was not. What actually helped me break in wasn’t another course. It was going back to basics, Googling what I didn’t know, and proving I had the curiosity and drive to keep learning.

Here’s what I’ve learned since:
- You don’t need a degree or a pile of expensive qualifications to get into cyber.
- Most of what you need is out there for free.
- Fundamentals + hands-on practice (HTB, TryHackMe, GitHub, etc.) matter way more than a cert you got 5 years ago.

Sure, certs can help tick a box for hiring managers. But the people you’ll actually work with? They mostly just care if you know your stuff and keep pushing yourself to get better.
qas 3 months ago
One month into my new Head of Penetration Testing role, and the learning curve has already been steep (in a good way).

Lessons learned:
- Change works best in stages, not all at once.
- I can’t (and shouldn’t) do everything.
- Delegation isn’t optional - it’s essential.

Wins so far:
- We’ve delivered some awesome pen tests.
- Focused on high-value, bespoke testing tailored to each client rather than rigid, one-size-fits-all methodologies.
- Expanded our team’s experience and capabilities across more technologies.

Plenty more to learn but I’ll get there!
qas 1 year ago
Just watched The Dark Knight for the first time in ages. Still one of the best films I’ve ever watched. What a film!
qas 1 year ago
Politicians need Bitcoin, Bitcoin doesn’t need politicians.