Peter's Griddle

Angkor Wat (Cambodia) is the world’s largest religious building and site. Built in the 12th century, it is still a stunning building, featuring high symmetry and perfect north-south alignment. As I was visiting this and other temples, I got to think about architectural integrity. For example, Angkor Wat has 4 major towers around a central tower. I call that an architectural feature. Symmetry like this does not happen automatically. It takes an architect and good execution, in other words carefully controlled power, to realize this. As a visitor, you notice, maybe only subconsciously, that great power was required to construct such a building. The building is a symbol of power. ...

I was chatting with an AI agent about its own configuration, and it answered with surprising confidence. Then I thought: wait. How would it even know that? This post is about what I found when I went looking. Nanobot is a deliberately simpler version of OpenClaw. If you haven’t heard about it, OpenClaw is an AI agent running on your behalf 24/7, potentially having all your credentials. This is possibly the piece of software with the steepest adoption curve of all time, it got to over 1 million active users in 1 week. Potentially it is also one of the biggest IT security dramas of all time. Because the more powerful they are, the more risky they become. ...

I wanted to experiment with AI automation while also paying particular attention to security concerns. Security is something I take seriously (I delivered cloud security training for more than 10 years), and the power that AI has is very scary. There are lots of frameworks related to AI security, and I feel that it is hard to apply them to the real world. For example how would you mitigate LLM06 – Sensitive Information Disclosure, or ASI05 - Inadequate Guardrails and Sandboxing from the OWASP guidelines? ...

As 2025 ends, I reflected on the major topics that I see evolving in my practice. They are digital sovereignty and AI security, in particular the security of AI agent systems. These are systems where AI is not just used as an advanced data processor, but is undertaking autonomous actions. I focus specifically on so-called wicked problems: problems that do not have simple solution because they are intertwined with many other issues and conflicting interests. ...

After coding a demo application with Claude Flow it was time to do a larger project. Claude Flow allows the distribution of coding work over a variety of agents. Each of the agents has a specific role in the project, such as coder, tester, analyst, and others. These agents create stuff, inform each other, and check each other’s results. But even after a few projects, I still find it difficult to grasp the subtleties and intricacies of its various agents, components and options. ...

How can you use cloud security lessons to better secure AI? This is what is keeping some of my clients busy recently. Arguably the most important concept in cloud security is the allocation of responsibilities across the independent actors that contribute to any digital service. Often referred to as ‘shared responsibility’, this is about ‘who does what?’. For example, in an IaaS service model, the provider does the physical security of servers, offers a variety of network isolation options, and so forth. The IaaS consumer’s job is to use those features to, for example, organize logical server access, so only authorized access is permitted. In contrast, many mistakenly think it is the provider’s job to secure and update the operating system. It is not, in an IaaS model, it is the consumer’s job. ...

My AI coding journey continues. My first version of the Tic-Tac-Toe game took some time to get right even though I already applied some serious automated top-down design. As explained, understanding feedback loops is crucial for correcting errors. Part of this is using explicit tests for desirable outcomes. A process for test-driven design would be even better. The main question from that experience was: How can we let the AI check itself? ...

For the book, here is the link: https://digitalinfrastructures.nl. PDF: How to bluff your way into Zero Trust PDF: Using deployment diagrams to explain architecture and security to everybody. The presentations are also online in the WHY2025 YouTube channel and at the CCC. More on deployment diagrams in the book, in which you can search. Find me on LinkedIN or Mastodon @petersgriddle@fosstodon.org.

Here is how I AI-coded a fully functional Tic-Tac-Toe web game without looking at a single line of code or manually identifying a GUI or logic error. I ran Claude Code (Pro) in VS Code without any other IDE/AI tooling. But it takes some effort and discipline to get there. The core idea is to be very specific and use an opinionated environment that includes extensive automated testing. The Agentic AI way Many people are researching this, all with slightly different approaches. There are a variety of ways to do more or less the same thing. Here are some of the interesting approaches I found. Interestingly, they all popped up in the first half of 2025. ...

The approach People call LLMs statistical completion engines and that they therefore cannot write computer code. While the first may be true, the conclusion not necessarily follows. My answer to this question: let’s try this out! Inspired by modern discoveries in, for example, context engineering and swarm coding (references to come) I decided to give AI assisted coding a shot. I had a little used SaaS application (an LMS) that was nevertheless costing serious money. Yet, completely killing it was not an option. It was relatively easy to extract the Gigabytes of content in there, also through a bit of AI assistance. So I decided to rebuild the app, or at least a minimal version of it. Of many options, I selected Claude as my coding assistant. ...