Sun 15 June 2025
Why I Left Spotify
I made my first Spotify payment on Friday, September 9th, 2011, and remained a loyal customer for fourteen years. During that time, I've watched the platform evolve from a focused music streaming service into something broader and more complex. While Spotify continues to serve millions of users effectively, it just doesn't work for me anymore. I prefer choosing my own music and podcast content rather than having algorithms suggest what I should listen to.
My Spotify Era (2011 → 2025)
Before Spotify, managing my music library had become a chore. I spent countless hours with MP3tag software, updating ID3 tags, trying different organizational systems, never quite happy with the navigation. I'd been through several iterations over the years, and the whole process was exhausting.
When Spotify Premium launched in the UK, it solved these headaches instantly. Streaming felt revolutionary - freedom from endless MP3-tag tinkering, the content delivered directly via their network, everything just worked. Eventually, I moved to a Premium Duo plan with my partner, which we maintained for the last two years. We talked it through before hitting "Cancel" - both of us felt the same way about the platform's direction.
Why I Left
Over time, continuous UI overhauls replaced the once-clean layout with increasing complexity. Features I never asked for began dominating the experience - the AI DJ, aggressive podcast tiles crowding my music, "Recommended Shows" I'd never asked for burying my own playlists. The home screen kept defaulting to podcasts, pushing my carefully curated music aside. The app's performance degraded too, with slower load times and clunky navigation.
The core issue was how recommendations kept getting in the way. Spotify would default to recommended content rather than my own saved music and playlists, and crucially, I couldn't switch this behavior off.
The breaking point came while trying to visit my mom in hospital. I was already running late, fighting with the recommendation-centric home screen and slow mobile data latency just to find the podcasts I wanted to listen to. The app felt user-hostile when all I needed was the content it knew I liked cached and ready. The interface that once helped me now actively hindered me when I needed it most.
I discovered AntennaPod - a free, minimalist podcast app that immediately met my needs. The contrast was stark: AntennaPod is ~9 MB, focused on doing one thing well, while I was paying for a bloated service fighting against my preferences. Decision made: subscription cancelled.
Rediscovering my black 2005 iPod Classic reinforced my decision. It still held reggae mixtapes and Lee "Scratch" Perry dub tracks totally absent from Spotify's catalogue. The platform's millions of tracks meant nothing if it lacked the specific music I wanted.
Beyond missing music, I wanted tight control over my podcast feeds. In an age of disinformation, podcast feeds are how I dodge misinformation - no algorithmic inserts. With AntennaPod, I choose my sources directly and can listen to podcasts I am actually interested in, like Ones and Tooze or The Rachman Review, on my terms.
Life After Spotify
The shift has been revealing. When I play Talking Heads' Stop Making Sense on CD, it stops at the end - no autoplay dragging me into something the algorithm thinks is similar. Each album feels like a complete artifact rather than what Huxley called soma - that constant drip of content designed to keep you passive.
Finding that compilation of all UB40's 1980s singles in a record store brought genuine discovery back into my life. My friend's DJ set from Sheffield uni in 2003, preserved as an MP3, represents the kind of personal musical history no streaming service can replicate.
I'd been streaming Spotify through my PS5, where every track gets up-scaled into Dolby Atmos. On paper that sounds like an upgrade, but the result felt thin—extra reverb, smeared bass, no real punch. The moment I switched to Stereo Direct and played the same album from my plain old CD player, the mix snapped back to life: crisp cymbals, tight low-end, space between instruments. Drop the needle on a vinyl copy and the improvement is even more obvious—warmth, depth, and a sense of being in the room with the music. That A/B test told me convenience was costing me something real.
I've moved to foobar2000 on my phone syncing with my NAS library. The £16.99 I used to hand over to Spotify now travels a different route. A couple of weeks ago, over a pint with my old colleague James Green, I was grumbling about subscription bloat when he said, "Why not give that money to artists directly on Bandcamp Friday?" The idea stuck. Every first Friday of the month I pick up two new releases—records I actually own—paid for by the cash that once vanished into a Premium Duo fee.
What I've Gained
The pros are clear: better sound through my hi-fi, actual ownership of music, and intentional discovery through Malvern's second-hand shops. Yes, I hear adverts when accessing some content now, and maintaining my own library requires effort. But these are acceptable trade-offs for regaining control.
This isn't a call for everyone to abandon Spotify - it's simply a reminder to evaluate whether services still earn their fees. If you're experiencing algorithm fatigue, simpler tools or physical formats might rekindle your connection with music.
Stepping off the mainstream platform reminded me that music listening doesn't have to be passive consumption. Whether it's curated playlists or algorithmic discovery, physical media or streaming, what matters is that your approach actually serves you.
Sat 07 June 2025
I've been involved with penetration testing for years, and I've watched it remain broadly static, alongside the broader transformation of software development practices. While pen testing remains a valuable security practice, its role and effectiveness have been significantly challenged by the shift toward continuous delivery, cloud-native architectures, and agile development methodologies. But with AI capabilities likely to improve aspects of productivity and red teaming approaches gaining momentum, we may be approaching a fundamental shift in how security testing operates.
The Traditional Model and Its Strengths
Traditional penetration testing emerged from and continues to serve important organizational needs. The model provides clear separation of duties through third-party assessment, establishing a genuine third line of defense. External pen testers bring established frameworks like CVSS for vulnerability classification, standardized tooling, and comprehensive written reports with quantifiable metrics.
This approach serves multiple stakeholders effectively. For auditors and compliance teams, it provides the documentation and independent verification required by regulatory frameworks. For executive leadership and non-technical stakeholders, it offers confidence through clear metrics and professionally presented findings. The separation between development teams and security assessors ensures that assumptions and blind spots within internal teams can be identified by fresh perspectives.
However, this very strength reveals a fundamental tension. The emphasis on standardized reporting, compliance alignment, and stakeholder communication often constrains the time and focus available for deep technical investigation. The most significant vulnerabilities frequently emerge not from checklist-driven testing but from extended exploration of edge cases, creative attack paths, and nuanced understanding of how systems behave under unusual conditions.
The Continuous Delivery Challenge
Modern software development operates through thin slices of functionality, small incremental changes, and rapid deployment cycles. Code moves from development to production daily or even hourly, with infrastructure defined and modified as code alongside application changes. The rise of continuous delivery, cloud infrastructure, and agile methodologies has created a fundamental mismatch with traditional pen testing cadences.
This stands in sharp contrast to the traditional stage-gate process of requirements specification, software development, deployment, penetration testing, sign-off, and release. The old model assumed relatively stable systems that could be assessed at defined points in time, with findings that would remain relevant throughout subsequent operational periods.
Organizations have generally responded by applying pen testing selectively - before initial production releases, for major feature launches, or when significant risk factors like sensitive data handling are introduced. While this maintains some security oversight, it creates an impedance mismatch between development velocity and security validation cycles.
The Rise of Compensating Controls
By 2025, rather than simply stretching traditional pen testing to cover modern development practices, the security industry has developed several complementary approaches that better align with continuous delivery workflows.
Developer-focused vulnerability scanning tools like Snyk provide immediate, actionable security feedback within CI/CD pipelines. Infrastructure security platforms like Wiz offer continuous assessment of cloud configurations and runtime environments. The shift-left security movement has brought threat modeling directly into development teams, while deeper integration of advanced detection has brought runtime monitoring, anomaly detection, and threat hunting that compare developer activities against established baselines.
The AI Turning Point of 2025?
We may be at a turning point where automated penetration testing tools finally take the leap in capability we've been eagerly waiting for since at least 2018. The advances in AI reasoning, contextual understanding, and tool use we've seen recently suggest that automated pen testing could soon handle much of the systematic exploration that currently requires human analysts.
AI agents that can understand complex architectures, analyze code repositories, and reason about attack paths might finally deliver on the promise of scalable, intelligent security assessment. Large language models with sophisticated reasoning capabilities could potentially automate the methodical aspects of penetration testing while maintaining context across complex investigation flows.
The Human Spark That Automated Tools Miss
But here's what I've observed about the best pen testers I know personally: they share something remarkable with the most skilled developers I've worked with. When a talented developer implements an elegant solution to a complex problem, there's a visible spark of delight - that moment when everything clicks into place beautifully. The most effective pen testers exhibit that same quality, but in reverse: they experience genuine glee when they pull the lid off a system and discover something unexpected, when following an intuitive hunch leads to unraveling a significant vulnerability.
This isn't just professional satisfaction - it's the manifestation of deep creative and analytical thinking. These moments of discovery happen when experienced pen testers sense that something feels wrong, even when all automated tools are quiet. They follow threads that logic suggests might be dead ends. They question assumptions about how systems should behave and explore the gaps between intended and actual behavior.
The Future of Security Discovery
Where do we go from here? What I anticipate is AI-assisted red teaming that could fundamentally change how we validate security controls. Red teaming differs from traditional penetration testing by simulating realistic adversary behavior to test an organization's entire defensive capability - not just finding vulnerabilities, but evaluating how well people, processes, and technology respond to actual attack scenarios.
This longer-lifecycle, higher-context approach solves the impedance mismatch introduced by high-velocity software delivery. For auditors and compliance, this should shift focus from vulnerability counts to defensive effectiveness metrics: detection speed, response quality, and organizational resilience under realistic attack conditions.
Automated, increasingly AI-supported, relatively straightforward checks can run at the point of change - integrated directly into CI/CD pipelines to catch obvious vulnerabilities and smells with immediate feedback that matches development velocity. Meanwhile, high-context, high-insight human-driven red team exercises can operate independently of the development cycle. This decoupling allows each approach to operate at its natural cadence and leverage its strengths. The human element remains essential for campaign strategy, creative attack development, and business context interpretation, while AI could handle systematic execution and adaptation.
I don't know for certain what the next steps in security testing will look like, but these extrapolations seem worthy of consideration. Combined with growing threats fueled in part by adversarial adoption of AI, it seems like a great time to be a pen tester!
Sun 23 March 2025
We're not 6 months from AGI. We're 6 months from an inflection point where LLMs are being given real-world agency – with all the security and governance implications that entails. These are different ways of describing the same phenomenon, one grounded in Silicon Valley marketing, the other in operational reality.
The organizational controls and governance frameworks created in response will significantly shape the trajectory of AI development.
Beyond Theoretical Debates
While theoretical debates about AGI timelines continue, a more immediate security concern is emerging: organizations are rapidly deploying LLMs with actual agency in production environments. The focus on capabilities and benchmarks misses the governance reality—systems are being granted permissions to act in ways that create novel attack surfaces and risk vectors.
The Implementation Gap
This rollout reveals concerning patterns across sectors:
- Reduced human oversight in critical decision pathways
- Deployment in environments with complex threat models
- Access provisioning to sensitive infrastructure and data
- AI systems integrated with financial transaction or health capabilities
The consequences won't be confined to research labs—they'll manifest in security incidents, compliance challenges, and operational disruptions that demand immediate responses.
Establishing Governance Frameworks
The institutional responses to these inevitable security incidents will establish lasting governance patterns. In short, risk management frameworks will need to be recalibrated for autonomous systems.
These governance structures—developed under operational pressure—will likely define the security boundaries of AI development more definitively than any capability roadmap.
The coming months aren't about theoretical intelligence thresholds—they're about what happens when AI systems act with increasing autonomy in consequential domains without mature security models. The organizations that approach this transition with rigorous risk assessment methodologies will be best positioned to both innovate and maintain operational integrity.
The real question isn't when we reach artificial general intelligence. It's how effectively we can adapt our security governance to manage the operational, compliance, and risk implications of increasingly autonomous systems acting in our digital infrastructure.
Mon 09 September 2024
It's all just plugging Legos now
The tech industry has experienced a significant shift towards cloud computing and the integration of prepackaged services. This change has fundamentally altered the landscape of software development, moving away from custom builds towards a model of "gluing together" existing components. The era of building everything from scratch is giving way to a more efficient, modular approach that leverages pre-existing cloud infrastructure and services.
The changing role of developers
This shift has profoundly impacted the role of developers and engineers in tech companies. Increasingly, tech professionals find themselves following pre-set playbooks rather than crafting entirely novel solutions. The scope for innovative new programming languages and approaches has diminished as work is now often conducted at a higher level of abstraction. This change represents a significant departure from the traditional software development paradigm, emphasizing integration and configuration over ground-up creation.
Evolution of skills and knowledge
The skills and knowledge required for tech professionals have evolved in tandem with these industry changes. Cloud certifications have become increasingly important, reflecting the need for expertise in specific cloud platforms and services. This shift highlights a move towards more specialized, platform-specific knowledge rather than broader, language-centric programming skills. As a result, tech professionals must continually adapt and update their skillsets to remain relevant in this cloud-dominated landscape.
The new competitive landscape
The competitive landscape in the tech industry has been reshaped by this shift. While many companies have benefited from the move to cloud and prepackaged services, it has also led to a certain commoditization of tech services. Success now often favors those who can execute in the most consistent and efficient manner, rather than necessarily those with the most innovative ideas or the best raw talent. This change has leveled the playing field in some ways, but it also poses challenges for companies trying to differentiate themselves in an increasingly homogenized tech ecosystem.
Looking ahead
Looking ahead, while cloud adoption has reached a saturation point, its influence will remain strong. The introduction of generative AI is poised to further enhance the ability to integrate and "bolt together" various components, akin to the impact Visual Basic for Applications had in its time. While this trend may cover a significant portion of the industry's needs, there will still be opportunities for novel, custom software development, albeit potentially less frequently. The challenge for the industry will be balancing the efficiency and speed offered by these pre-packaged solutions with the need for innovation and customization that drives technological progress.
Sun 05 March 2017
First contact with VR
From the moment I was stood holding a lightsaber in the Star Wars VR demo I knew I was hooked. There was a flood of what I'm going to call 'emotions' to my stomach. I was present in the here and now.
It was a slow start - I've spent the last few years being completely down on VR. Like many others in the software industry, you get desensitised to hype because it is constant in the technology industry and rarely means anything. Added to that, I'm old enough to remember Virtual Reality being rubbish and failing to take off the first time around, back in the 90s.
I remember seeing this setup on both Blue Peter and Tomorrow's World in the 90s. I never tried it and it never took off.
It was essentially curiosity and FOMO which led to trying out the HTC Vive setup in the ThoughtWorks Manchester office. I expressed mild interest and a colleague offered to give me a demo. At first the graphic resolution and quality seemed grainier and showed much less definition than I had expected. The fact that I was stood in the office essentially wearing a hood, unaware of my actual surroundings, made me feel awkward. The sound was pretty disappointing and the overall impression was clunky.
Unexpected impact
Forty minutes later, I remember leaving the City Tower in Manchester with my mind racing about the possibilities of this technology. I called my wife and told her about the moment the light sabre popped out of the droid's head and the storm troopers started running towards me. VR is clunky and expensive and awkward, but it allows game designers to create experiences which connect like nothing I've experienced before in gaming. It's not a rational thing at all.
Getting a PSVR
So after my initial VR experience with the Vive I decided to buy the PSVR headset to extend my PlayStation 4. I'm in my mid-30s so nobody knows what to get me for Christmas anyway — and I'm very lucky in that I have a lovely family who want to get me gifts even though I'm an adult. So I asked everyone for Amazon vouchers and then threw in a few quid of my own.
In fairness Rez Infinite is a great game
Sadly, Sony were out of stock of PSVRs over Christmas and some vendors were asking £50 over the list price. As I'm not a 15-year-old boy anymore, I wasn't going to pay over the asking price. My PSVR arrived last week, almost 2 months after Christmas. Since then I've played some great, wonderfully immersive games such as Rez Infinite and Tethered.
(Actually I want to give a shout to Secret Sorcery, the developers who created Tethered. I was so impressed by the amalgam of really great-looking VR, 'small scale graphics', early-2000s Peter Molyneux-style weirdness and an interaction scheme that really works. And it's a decent strategy game! Looking forward to seeing what comes next from this developer!)
Enter Resident Evil 7
With all that said, I want to make a few comments on Resident Evil 7.
Arggh!
It has made me feel a kind of fear I've simply never felt before.
I've never had any fear response to films. The Blair Witch Project was a complete waste of time as far as I was concerned. It was amusing to hear some of the reactions in the cinema, and at least I could say I'd seen it — but I was not scared at all. Bored perhaps. Equally things like An American Werewolf in London, Carrie, The Exorcist, The Descent or The Thing. I found some of these films quite watchable in themselves, but scary was the aesthetic, not something I actually felt. And I'm quite aware that some people do physically recoil, as I've sat with my screaming wife holding onto me through several of these films.
Equally computer games — I can honestly say that I don't recall ever being shocked or actually scared by a computer game before. I remember there was a game in about 1994 called Creature Shock which surprised me when this tentacle thing attacked. So as a 13-year-old I was momentarily overwhelmed by the combination of very advanced graphics for the time and interactivity. It didn't last for long though, as Creature Shock was not really very interactive at all after you'd played it for long.
True terror
Resident Evil made me scream yesterday. From the moment I arrived at the spooky house the game builds a slow sense of creepy tension which then unleashes moments of actual terror and shock (Spoiler: you're not alone in the house). All of a sudden I can actually relate to my wife's reactions when we watched The Descent.
After getting brutally murdered at one point I had to take the headset off and have a sit down. Was I just feeling VR motion sickness, or was it mild shock? Short of getting a taxi to the roughest pub in the city and upsetting some gang dudes there is no way I can replicate this feeling.
A breakthrough for immersive experiences
Psychologically and technologically I can relate to a lot of the reasons why this might work and why it might be the case. I guess a lot of folks who read sites like Medium can too. However, I just wanted to share the sheer visceral human reaction this technology creates. Many reviews gloss over or make light of it — but it's a big deal.
I can't wait to see where this technology develops next.