The "You Don't Know What You Don't Know" Bug
There’s a class of bugs that took me a long time to recognize because they don’t look like bugs at all. Nothing crashes. Nothing fails tests. Nothing even looks wrong. And yet, a critical assumption about the system is no longer true. These are the bugs that happen when a guardrail is silently removed—intentionally or accidentally—and the system keeps working as if nothing changed. I’ve started thinking of these as “you don’t know what you don’t know” bugs. ...
How Do You Approach Testing?
“How do you approach testing?” I’ve been asked this in every interview I’ve had—and my answer tends to surprise people. Here’s my honest answer—and it’s shaped by years of shipping real products, not theory. I don’t believe in 100% test coverage as a universal rule. In theory, it’s a great goal. In practice, it can be difficult to manage without creating bad incentives. When teams mandate it, they often end up optimizing for passing tests, not useful tests. You get coverage numbers that look great, but tests that catch nothing and protect nothing. ...
When Security Stopped Being Forced
Most security failures I see today aren’t caused by carelessness. They’re caused by engineers who were never forced to understand how the web actually works. At some point, security stopped being something most engineers were forced to internalize. Not because people became careless. But because the tools, abstractions, and workflows changed. Today we have security engineers, AppSec teams, audits, scanners. All good things. Necessary things. But they’re not replacements for a basic understanding—and that’s what’s missing. ...
Why UUID Collisions Feel Possible (and Why AGI Feels Close)
The UUID collision you think you saw didn’t happen. And neither will AGI anytime soon—for the exact same reason. Every few months I see someone post a screenshot of two identical UUIDs in their database. Technically, no one can prove from the outside that it didn’t happen. But it didn’t happen—not if they were using a well-implemented UUIDv4 on a modern system. It’s a hard idea to internalize. Even I hesitate when I think about it. Math says collisions are possible. Physics says the universe simply doesn’t give us enough time or storage to ever see one. ...
Interviews Aren’t Measuring Engineers Anymore
Tech keeps adding more surveillance to interviews instead of asking a simpler question: Why are we defending a broken system in the first place? People keep saying the solution to cheating is simple. Bring everyone back into the office. Interview in person. Stare at the candidate. Control the environment. As if geography magically fixes a broken process. Or worse, record their screen, record their face, record their audio, and make them sign a sworn affidavit that they are not using outside help. ...
Identity Stolen
I just listened to ThePrimeagen talk about “Meta’s Crime Empire,” and there was a number I can’t unhear: 10% of Facebook’s 2024 ad revenue—$16 billion—came from scams. Not indirectly. Not accidentally. Directly. From scam ads. An internal team investigated, escalated the worst offenders, and presented them all the way up the chain. Leadership looked at the findings… and kept many of the scam ads running. Because they did a cost–benefit analysis and realized something horrifying: ...
Increasing My Surface Area in a Brutal Job Market
Last week I applied to 10 jobs. One rejected me. The other nine will probably never say anything at all. And weirdly… that is what finally pushed me to change my entire strategy. First, let me be clear: there is something wrong with the market. Ghost jobs are real. Getting ghosted is real. Broken processes are real. I have the receipts. I have been tracking every direct application in a spreadsheet (this does not even include recruiter-led processes): ...
Do We Really Need PHP’s Proposed `using` Keyword?
Every few years, a PHP RFC comes along that’s interesting enough to make me pause—and ask a simple question: Is this actually solving a problem we can’t already solve? The new Context Managers RFC introduces a `using` keyword intended to mimic Python’s `with` statement. It aims to make resource handling cleaner by automatically running setup and teardown code around a scoped block. Here’s the motivating example from the RFC. Today, you write something like: ...
Programming Interview 2025
The programming interview is completely broken in 2025. A few weeks ago, I got invited to a screening interview that was completely automated. No human interaction. Just a timer and a problem. Fine—it’s screening, I get it. This is common now. I open it up and the problem is simple: merge and sort two arrays. Okay, that’s easy. Two lines of code. I was using PHP, but it’d be the same in any language. ...
How I actually use AI to write
AI did not give me my writing voice. It just helped me finally hear it clearly. People assume the hardest part of writing is the words. It is not. The hardest part is the quiet humiliation of thinking something deeply, believing it matters, writing it down… and then being too afraid to share it. For most of my life, that fear won. I have always had ideas. Not trendy ideas or manufactured ideas, but the kind of thoughts that stay with you for years because they refuse to leave. Evergreen thoughts. Stable beliefs. Recurring frustrations. Things I have been turning over in my head since I was a teenager. ...