<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Stewart Wallace notes</title><link>https://stiubhart.com/notes/</link><description>Technical notes on production systems, platform security and operational judgement.</description><item><title>Operational scar tissue as an engineering skill</title><link>https://stiubhart.com/notes/operational-scar-tissue/</link><guid>https://stiubhart.com/notes/operational-scar-tissue/</guid><pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate><description>Production experience is not just knowing tools; it is knowing how systems fail once real users, attackers, deploys and incidents are involved.</description></item><item><title>Security controls should produce signal, not just friction</title><link>https://stiubhart.com/notes/security-controls-signal/</link><guid>https://stiubhart.com/notes/security-controls-signal/</guid><pubDate>Wed, 24 Jun 2026 00:00:00 GMT</pubDate><description>A useful control should make abuse more expensive while also telling operators what changed and whether the control is working.</description></item><item><title>Fail-open is not fail-unsafe</title><link>https://stiubhart.com/notes/fail-open-not-fail-unsafe/</link><guid>https://stiubhart.com/notes/fail-open-not-fail-unsafe/</guid><pubDate>Wed, 17 Jun 2026 00:00:00 GMT</pubDate><description>Some controls should fail open, but only when the surrounding system can observe, constrain and recover from that decision.</description></item><item><title>Long-lived credentials are the problem, not rotation</title><link>https://stiubhart.com/notes/long-lived-credentials/</link><guid>https://stiubhart.com/notes/long-lived-credentials/</guid><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><description>Rotation helps, but the bigger win is removing standing secrets and replacing them with scoped, short-lived identity.</description></item><item><title>Rate limits as detection controls</title><link>https://stiubhart.com/notes/rate-limits-detection-controls/</link><guid>https://stiubhart.com/notes/rate-limits-detection-controls/</guid><pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate><description>Rate limits are often sold as blockers, but their operational value is frequently in the abuse signal they produce.</description></item><item><title>Replay is the awkward bit of challenge tokens</title><link>https://stiubhart.com/notes/replay-challenge-tokens/</link><guid>https://stiubhart.com/notes/replay-challenge-tokens/</guid><pubDate>Wed, 27 May 2026 00:00:00 GMT</pubDate><description>Silent challenges are only as useful as the system’s ability to reason about replay, token scope and downstream verdicts.</description></item></channel></rss>