What a Spy in The Paint and Green Dots Have in Common

If you're here, I appreciate your time.

A video about a hack

Earlier this year I watched a video about the XZ backdoor, one of the most sophisticated supply chain attacks ever attempted against open-source software. Someone spent two years, not weeks, years, building a reputation as a trusted contributor to a widely used Linux compression library. Legitimate code reviews. Helpful fixes. Earning trust. Earning commit access. All of it patient, deliberate groundwork for embedding a backdoor into a component used by servers worldwide.

It came within days of shipping in production Linux distributions. A Microsoft engineer caught it, not because any tool flagged it, but because he was curious about a half-second delay in an SSH login. Something most people would have shrugged off. He didn't shrug. He pulled the thread.

What made this attack nearly undetectable wasn't the code itself. It was the depth of understanding behind it. Whoever was behind it understood the social layer, how open-source trust is built and where it isn't questioned. The technical layer, where to embed code that wouldn't be closely reviewed. The operational layer, release cycles, review patterns, when attention is lowest. They didn't bolt something onto the system. They grew through it. The integration was so deep it became invisible.

That's a chilling thought. Because the principle is neutral. Deep understanding of a system allows you to become invisible within it, whether you're protecting it or compromising it. The only difference is intent.

But what stuck with me from the video wasn't the attack itself. It was how the presenters explained the encryption that the attacker was trying to compromise.

They used paint.

Six pots of paint

The concept is called Diffie-Hellman key exchange. It's one of the foundations of modern encryption, the mechanism that allows two people to agree on a shared secret over a completely public channel, without ever revealing their private information. Mathematically, it's elegant. Conceptually, it sounds impossible.

But with paint, it becomes obvious.

Diffie-Hellman colour-mixing diagram
Alice and Bob both start with the same colour, red. That's the public key. Everyone can see it.

Alice has her own private colour, green. Bob has his, orange. These never leave their hands unmixed. That's the critical part.

Each of them mixes their private colour with the shared red. Alice gets a red-green mixture. Bob gets a red-orange mixture. They swap these mixtures over the public channel. Anyone watching can see the mixtures, but they can't unmix them. You can't separate paint back into its original colours without knowing what went in.

Now Alice takes Bob's red-orange mixture and adds her green. Bob takes Alice's red-green mixture and adds his orange. Both mixtures now contain the same three colours, red, green, orange, in the same proportions. They've arrived at the same final colour. Without ever sending their private colour to each other.

That's how every secure connection your business makes actually works. Every online payment, every encrypted email, every VPN tunnel. And someone figured out how to explain it with paint.
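The paint exchange above, carried out with the arithmetic Diffie-Hellman actually uses; this is an added example, not code from the video or the original post. The shared red corresponds to the public prime p and generator g, the private colours to secret exponents, and "mixing" to modular exponentiation. The parameters are deliberately tiny so the steps can be followed by hand; real deployments use primes of 2048 bits or more, or elliptic curves.

```python
import secrets
from typing import Optional, Tuple

# The shared "red": public modulus p and generator g. Everyone can see these.
# Toy values chosen for readability, not security.
P = 23
G = 5


def mix(base: int, private_colour: int, modulus: int = P) -> int:
    """Mix a private colour into a base colour: modular exponentiation.
    Cheap to compute, but for large p infeasible to undo (the discrete log)."""
    return pow(base, private_colour, modulus)


def choose_private_colour(modulus: int = P) -> int:
    """A random private exponent in [2, p-2]. It is never sent anywhere."""
    return 2 + secrets.randbelow(modulus - 3)


def diffie_hellman(alice_private: int, bob_private: int,
                   p: int = P, g: int = G) -> Tuple[int, int, int, int]:
    """Run the exchange. Returns (Alice's mixture, Bob's mixture,
    Alice's final colour, Bob's final colour); the last two must match."""
    # Step 1: each mixes their private colour with the shared red and
    # sends the result over the public channel.
    alice_mixture = mix(g, alice_private, p)   # red + green
    bob_mixture = mix(g, bob_private, p)       # red + orange
    # Step 2: each adds their own private colour to the other's mixture.
    alice_final = mix(bob_mixture, alice_private, p)   # (red+orange) + green
    bob_final = mix(alice_mixture, bob_private, p)     # (red+green) + orange
    return alice_mixture, bob_mixture, alice_final, bob_final


def eavesdropper_view(alice_mixture: int, bob_mixture: int,
                      p: int = P, g: int = G) -> Optional[int]:
    """The 'unmixing' an observer would need: recover Alice's exponent from
    her mixture by trying every candidate. It succeeds here only because p
    is tiny, which is exactly why parameter size is the security guarantee."""
    for guess in range(1, p):
        if pow(g, guess, p) == alice_mixture:
            return pow(bob_mixture, guess, p)
    return None


if __name__ == "__main__":
    a, b = choose_private_colour(), choose_private_colour()
    print(diffie_hellman(a, b))
```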

Two layers of thinking

What struck me wasn't just the cleverness of the analogy. It was realising that this diagram represents two completely different acts of thinking.

The first: Whitfield Diffie and Martin Hellman needed to solve a problem that the entire field of cryptography considered impossible, secure key exchange over an insecure channel. They sat with that problem. They thought it through. They arrived at an answer that changed the world.

The second: someone else understood their answer so deeply that they could strip it back to its essence and explain it to anyone with no mathematical background, using paint.

The first layer solved the problem. The second layer made it understandable. Neither is possible without genuinely sitting with something complex until it becomes clear. Not skimming it. Not summarising someone else's summary. Actually sitting with it until you can feel the shape of the idea.

That's what real understanding looks like. And it's rare, precisely because it takes time that most people won't invest.

The whiteboard

Recently I figured that I can watch videos while skipping rope. Easter landed heavy on me, and although I promised myself to be careful with food, my sweet tooth won again. I just wanted a quick way to see that I'd actually done the exercise. So I drew a grid on the whiteboard, stuck some green dots on it, and that was that.

Whiteboard exercise tracker

A grid drawn in marker. Days of the week across the top. Three rows down the side: rope, weights, and anything else I can do in the office. Green dots for done.

That's the entire system. No app. No login. No sync. No notifications to dismiss. No battery to charge. A marker and a dot. The gap between doing the thing and recording the thing is exactly zero.

I've tried every habit-tracking app you can name. They all follow the same pattern: download, configure, use enthusiastically for two weeks, forget to log one day, feel guilty, stop opening the app, delete it three months later. The app failed not because it lacked features but because it had too many. The effort of maintaining the tracking system exceeded the effort of the exercise itself.

The whiteboard has never failed. Because there is nothing to maintain. The dots accumulate. The empty squares stare at you. The chain either grows or it doesn't. And because it's on the wall, not behind a login, not in a folder, not on a screen that needs unlocking, you can't avoid seeing it.

Near-zero maintenance. Instant feedback. Impossible to ignore.

The connection

I kept looking at these two things and realised they're teaching the same lesson from opposite directions.

The colour-mixing diagram says: if you can't explain what you're doing in terms someone else understands, you probably don't understand it yourself. The best thinking starts simple, not because the problem is simple, but because understanding has to come before tools. Before software. Before systems. Before any technology is purchased or installed.

The whiteboard says: if your systems require more effort to maintain than the work they're supposed to enable, people will route around them. Every workaround in your business, every spreadsheet that shadows an official system, every process that lives in someone's head because the documented version is too cumbersome, is evidence of a system that costs more energy than it saves.

Both come from the same place: someone thought clearly about a real problem, and the solution was so well understood that it became simple.

What this has to do with IT

The XZ attacker understood something that most IT providers don't: true integration, the kind that becomes invisible, is only possible through deep understanding of the entire system. Every layer. Every dependency. Every point where trust is assumed and attention drops off.

That understanding is neutral. It can protect or it can compromise. The difference is intent.

This is what we try to do for the businesses we work with, with the opposite intent. Not install technology. Understand the problem first. Understand the business, the people, the dependencies, the points of fragility. Think it through until the answer is simple enough that it just works, and then build it so it stays out of the way.

Technology that people notice is technology that's failing. The best IT is like the best infrastructure, invisible, load-bearing, and only appreciated when someone tries to remove it.

Complex made simple. Simple made frictionless. That's what integrated means.

What happened next

The whiteboard kept nagging at me. Why does it work when everything else fails? What is it about a green dot that sustains behaviour in a way that numbers, charts, and dashboards don't? I started pulling it apart, the instant feedback, the binary pass/fail, the visibility, the fact that it requires zero thinking to operate once it's set up.

That led somewhere I genuinely didn't expect. But that's another story.
