Rishi Sunak was right.
I say this as a Lincoln man, a LibDem, and someone who graduated from the same college some years before he arrived. I say it having watched him follow Liz Truss into the particular corner of history reserved for Conservative prime ministers who had the misfortune of being correct about at least one thing at entirely the wrong moment.
He wanted extra Friday double maths. He was mocked for it. He was not wrong.
The IT industry has built a thirty-year, multi-billion pound business model on the back of the people who found Friday double maths disagreeable. The web server is the tell.
Every GUI on every network security device — every colour-coded dashboard, every threat indicator dial, every PHP frontend wrapping three lines of plain text — exists because the purchasing chain contains people who looked at block all and saw hieroglyphics rather than a complete network security policy.
This is not their fault. It is the industry's opportunity, and the industry took it.
block all actually is
It is two words. It is a complete thought. It says: nothing enters, nothing leaves, until I decide otherwise. It is, in the language of network security, the correct default posture. Security professionals have a term for it — "default deny" — and they consider it foundational. The alternative, "default allow," is the thing that keeps the CVE database in business.
Notice, incidentally, that block all uses words. English words, in the correct order, meaning exactly what they say. The hostility is not to the language. It is to the context — to the moment, somewhere around Year 8, when the letters stopped being letters.
Algebra is where the humanities comfort zone ends. You had been fine. Words were your medium; you were good at this. Then someone wrote 3a on the board and didn't explain it, because there was nothing to explain — it was obvious, it was just three of a, keep up. Except a was a letter this morning. And now it is apparently also a quantity, and it has a number in front of it, and the rules of engagement had changed without warning or apology. The resulting unease — the sense of betrayal, almost — never entirely left.
$ext_if is just a variable. It means "the external network interface" — whichever physical port connects to the outside world. proto tcp means the TCP protocol, the one your browser uses. port { 80, 443 } means web traffic.
The braces are not parentheses and the distinction matters. Braces mean something specific: here is a defined list, a bounded collection, apply this rule to all members of the set. Port 80 and port 443 are not in competition. They are a group. Read those three lines knowing all of that, and they say precisely what they say in plain English, just more efficiently. The compression is the point. The compression is also, for a significant portion of the population, the problem.
Here is what a complete OpenBSD perimeter security policy looks like:
block all
pass out on $ext_if proto tcp to port { 80, 443 }
pass in on $ext_if proto tcp from $mgmt_net to port 22
Three lines. Block everything by default. Allow outbound web traffic. Allow inbound management from the designated network only.
This is not simplified for the purposes of illustration. For a significant proportion of SME network environments, this is the actual policy. The sophistication is in what it does not permit rather than in what it does. Every additional line is a considered decision, visible in the file, auditable by anyone with the relevant knowledge, unchanged by vendor updates, unaffected by licensing expiry.
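The three lines above use two macros, $ext_if and $mgmt_net, which pf.conf requires to be defined before the rules that reference them. Here is the same policy as a complete, loadable file, added here as an illustration rather than taken from the essay; the interface name em0 and the 192.0.2.0/24 management range are assumptions.

```pf
# Constructed example pf.conf; interface and network names are assumptions.
ext_if   = "em0"           # the external interface (assumed name; check ifconfig)
mgmt_net = "192.0.2.0/24"  # the management network (RFC 5737 documentation range)

set skip on lo             # loopback is never filtered

# Default deny in both directions. Packets are dropped silently; use
# "block log all" to record the drops on pflog0 for later review.
block all

# Outbound web from the firewall itself. pf keeps state by default, so the
# return half of each TCP connection is matched without a separate rule.
pass out on $ext_if proto tcp to port { 80, 443 }

# Inbound SSH, and only from the designated management network.
pass in on $ext_if proto tcp from $mgmt_net to port 22
```

Check the file parses before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; note that this policy permits no DNS, so name resolution from the firewall will fail until a rule for port 53 is added as a further considered decision.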
You cannot replicate this transparency in a GUI. The GUI abstracts the policy into interface elements that feel comprehensible but conceal the underlying logic. When you click "Enable Advanced Threat Protection," you do not know what rules have been written. When the vendor releases an update, you do not know what has changed. When the support contract lapses, you do not know which features have been quietly removed.
The three lines of pf.conf will be identical next year. They will be identical in five years. They will mean exactly what they say because they say exactly what they mean.
The CVE database — the Common Vulnerabilities and Exposures repository — is in essence the invoice for the industry's decision to make block all invisible. When you cannot read the two-word policy, you cannot audit it, you cannot question it, you cannot verify that the dashboard reflecting it is accurate. You must trust the vendor. The vendor, quite naturally, makes money from that trust.
The numbers are not subtle. In 2024, the CVE database catalogued over 40,000 vulnerabilities. A meaningful proportion of those lived in the management interfaces of the very systems sold to prevent exactly this kind of problem. The Fortinet vulnerabilities. The Palo Alto vulnerabilities. The authentication bypasses on the things that were supposed to do the authenticating.
I want to be precise about what is happening here, because it is easy to misread this as contempt for non-technical people. It is not. It is contempt for an industry that spotted a genuine human limitation and built a forty-year revenue stream around it rather than addressing it.
The GUI exists not to make the system more secure. It exists to make the system legible to the person holding the budget. These are different problems. The industry conflates them with great financial success.
I graduated from Lincoln in Physiological Sciences — Biology, Chemistry, and Physics at A-level, which is to say I was never afraid of the notation. I then spent twenty-five years in operational IT, most recently as IT head at an institution that navigated genuine crises — the kind where decisions must be made quickly, correctly, and without the option of ringing the vendor's support line to ask what the dashboard means. Crisis management teaches you, with some urgency, the value of systems you can read.
The industry will continue to sell dashboards to people who did not do the Friday double maths. This is rational behaviour on the industry's part. The market exists, the margin is substantial, and nothing in the current procurement culture incentivises change.
What changes is the alternative becoming legible to the people who hold the budget. Not in technical evangelism to engineers who already know, but in the patient translation of block all into terms that a CTO can bring to a board meeting — with the numbers, the track record, the risk comparison, and the honest assessment of what the GUI has been concealing all along.
Sunak wanted the extra Friday double maths. The IT industry did not. Thirty years later, the CVE database logs approximately 110 new entries every single day, and the average enterprise firewall requires three certified consultants to explain what it is doing.
The equations were on the board. They are still on the board.
Founder, Divergent Byte Ltd
divergentbyte.com
Islington, London · 2026
CC BY 4.0