CISA credentials sat in a public GitHub repo for six months. Netflix mapped 10k+ services in real time. Debian bookworm moves to LTS. A busy day for postmortems.
// SECURITY FOCUS
CISA’s AWS GovCloud Keys Sat Public on GitHub for Six Months
A contractor leaked dozens of CISA internal credentials – including AWS GovCloud keys – to a public GitHub repo, and nobody at the agency caught it for nearly six months; Krebs had to notify them. The postmortem gaps CISA identified map directly to what most security teams are missing: no automated secret-scanning on contractor repos, no rotation-on-exposure SOP, and alert fatigue suppressing GitGuardian-style signals.
What to do: Run secret scanning across all repos your contractors can push to this week, and verify you have rotation runbooks that don’t require a human to notice the leak first.
- Building Service Topology at Scale: Architecture, Challenges, and Lessons Learned — Netflix TechBlog · Jul 13
Netflix’s Parth Jain, Rakesh Sukumar, Yingwu Zhao, Renzo Sanchez-Silva, and Nathan Fisher detail how the company built a real-time service dependency map that processes millions of flow records per second across four regions. The core is a three-stage distributed aggregation pipeline: Stage 1 batches raw eBPF network flows into 5-minute windows, Stage 2 resolves load balancer and NAT hops into direct app-to-app edges using consistent hashing to co-locate related flows, and Stage 3 handles enrichment and graph persistence. Two stages failed in production because intermediary resolution concentrated traffic so unevenly that some instances received 100x the load of others – splitting resolution from enrichment fixed the hot-node problem. They also replaced gRPC with Server-Sent Events after finding serialization and connection-pool overhead consumed more CPU than business logic, and built reactive backpressure throughout so the pipeline slows gracefully under load rather than dropping records or crashing. The result is topology freshness measured in tens of minutes versus hours for batch approaches – meaningful for incident response but worth calibrating expectations against before assuming sub-minute freshness. - Graviton5 Outperforms Intel Xeon Granite Rapids but Falls Short of AMD EPYC Turin — Phoronix · Jul 13
Michael Larabel at Phoronix benchmarked AWS Graviton5 (m9g.4xlarge) against AMD EPYC Turin (m8a.4xlarge) and Intel Xeon 6 Granite Rapids (m8i.4xlarge) on Ubuntu 26.04 with Linux 7.0, using matched 64 GB / 4xlarge EC2 instance sizes. Graviton5 beats the Intel Xeon 6975P-C but trails the EPYC 9R45 Turin across the tested workloads – though the pricing gap is notable: m9g is $0.78/hr on-demand versus $0.97/hr for m8a and $0.85/hr for m8i. The M8i comparison has a significant asterisk: it maps 16 vCPUs to only 8 physical cores plus their HT siblings, while Graviton5 and EPYC each get one physical core per vCPU, so the Xeon numbers aren’t apples-to-apples on core count. The M8i also runs DDR5-7200 rather than the MRDIMM-8800 the Xeon 6900 series supports, leaving performance on the table. If you’re choosing M-series instances today and AMD’s Turin lead doesn’t justify the ~24% price premium over Graviton5, m9g is the value pick. - Debian 12 Bookworm Moves to LTS – Final Normal Release Shipped — LWN.net · Jul 13
Debian 12 “Bookworm” has shipped its final normal point release and transitions to LTS, with security-only updates continuing until 2028. The update itself is routine – mostly security fixes, as you’d expect from a stable release near end-of-regular-life. If you’re still on Bookworm, this is a reasonable nudge to plan a move to Debian 13 “Trixie”, which received a parallel update this weekend carrying many of the same security fixes. - Flux Schema and Ecosystem Catalog: Manifest Validation with CEL and JSON Schema — Flux CD · Jul 13
The Flux project released a new CLI plugin, `flux schema validate`, that catches manifest errors – wrong types, missing required fields, violated CEL rules – locally before they reach the cluster. It runs the same CEL evaluation engine as the Kubernetes API server, so a HelmRelease missing both `chart` and `chartRef` fails in CI rather than in a failed reconciliation on main. The accompanying Ecosystem Schema Catalog covers roughly 9,000 schemas across 100 projects (Kubernetes built-ins, CNCF projects, AWS/Azure/GCP operators), hosted on Cloudflare and refreshed daily from upstream releases. There’s also an MCP server at schemas.fluxoperator.dev exposing the catalog to AI agents without authentication; the post claims agents given four manifest tasks against recent CRDs scored 1/4 from training data alone and 4/4 with the MCP server, using 57% fewer tokens than web search. If you run Flux and want schema violations caught at pull-request time rather than reconciliation time, this is the obvious place to start. - BPF-Based Exploit Shielding for Running Kernels: John Fastabend at LSFMMBPF 2026 — LWN.net · Jul 13
Cisco’s John Fastabend presented a BPF technique for blocking kernel exploits in-place without a reboot – directly relevant for shops running custom or vendor kernels where patching windows are measured in quarters, not days. More hooks needed before it covers the full attack surface.
// In other news
ai
- [AINews] Codex usage up >10x in 6 months to 7M users, +1M in the past ~day; did Codex overtake Claude Code?? (Latent Space) · Jul 14
- What Anthropic’s latest AI discovery does—and doesn’t—show (MIT Technology Review AI) · Jul 13 — MIT Tech Review stress-tests Anthropic’s latest internal research claim, separating what the experimental evidence actually supports from what the press release implies.
- Using uvx in GitHub Actions in a cache-friendly way (Simon Willison) · Jul 14 — Simon Willison documents a cache-friendly pattern for running uvx tools in GitHub Actions that avoids re-downloading the tool on every workflow run.
- sqlite-utils 4.1.1 (Simon Willison) · Jul 12 — sqlite-utils 4.1 ships new features; 4.1.1 follows quickly with an edge-case fix that Claude chat spotted before a human did – a minor but telling QA note.
cloud
- Amazon SQS turns 20: Two decades of reliable messaging at scale (AWS News Blog) · Jul 13 — SQS turned 20 on July 13 – the AWS retrospective covers the original design decisions and how the service scaled from AWS’s first three offerings to its current volume.
- Introducing Precursor: detecting agentic behavior with continuous client-side signals (Cloudflare Blog) · Jul 13 — Cloudflare’s Precursor uses continuous client-side behavioral signals across full sessions – not just individual requests – to distinguish humans from bots in bot management.
culture
- Fragments: July 13 (Martin Fowler) · Jul 13 — Martin Fowler shares notes from Thoughtworks’ internal Future of Software Development retreat, covering how thinking on the topic has shifted across multiple sessions.
dev
- crates.io: development update (Rust Blog) · Jul 13 — crates.io six-month update covers infrastructure changes, new features, and ongoing work from the registry team – useful baseline if you publish or depend on crates at scale.
iac
- Sign in to Pulumi Cloud with Passkeys (Pulumi Blog) · Jul 13 — Pulumi Cloud now supports passkeys for email/password accounts, letting teams drop shared passwords for infrastructure deployments without a full SSO rollout.
k8s
- Operating OpenTelemetry at scale with OpAMP (CNCF Blog) · Jul 13 — OpAMP (Open Agent Management Protocol) lets you remotely configure and update OTel Collectors across large heterogeneous fleets without redeployment – practical if you run more than a handful of collectors.
- Kubernetes Dashboard to Headlamp: A Step-by-Step Guide (Kubernetes Blog) · Jul 13 — Step-by-step migration guide from Kubernetes Dashboard to Headlamp, covering what changes and what carries over for teams that relied on the old dashboard.
linux
- Security updates for Monday (LWN.net) · Jul 13 — Monday security batch covers Debian and Fedora updates for Chromium, Mesa, libxfont, librabbitmq, and a broad range of other packages – patch your staging boxes.
- Realtek RTL8723BS WiFi Linux Driver Hardened Against Malicious WiFi Access Points (Phoronix) · Jul 12 — Realtek RTL8723BS staging driver hardened against malicious access points in the Linux 7.2-rc3 cycle; the bulk of this week’s staging fixes target that one driver.
- Reworked System Call Entry Handling Slated For Linux 7.3 (Phoronix) · Jul 13 — Thomas Gleixner’s syscall-entry rework, triggered by a single patch review, is now slated for Linux 7.3 and cleans up decades of accumulated entry-path complexity.
- Security support for Bookworm handed over to the LTS team (Debian News) · Jul 12 — Debian 12 Bookworm exited regular security support on July 12, 2026 and transferred to the LTS team – if you’re running it, your update SLA just changed.
- New Linux Patches Aim To Better Handle Multiple Swap Devices (Phoronix) · Jul 14 — New kernel patches propose smarter multi-swap-device handling, targeting swap-tiering setups where current logic treats all devices as roughly equivalent.
obs
- Building an end-to-end reliability testing strategy with Grafana Cloud (Grafana Labs) — Grafana walks through combining synthetic monitoring, load testing, and frontend observability into a single reliability testing loop inside Grafana Cloud.
sec
- Rust-proof your code with our new Testing Handbook chapter (Trail of Bits) · Jul 13 — Trail of Bits added a Rust chapter to their Testing Handbook covering security-specific tooling and techniques for auditing Rust code – a practical reference, not a primer.
web
- X-post: Hardening GitHub Actions workflows across the WordPress organisation (Make WordPress Core) · Jul 13 — WordPress.org security team is systematically hardening GitHub Actions workflows across the whole org – worth reading for the specific controls being applied.
- Consistent navigation in WordPress 7.1 with persistent toolbar (Make WordPress Core) · Jul 13 — WordPress 7.1 introduces a persistent toolbar that unifies navigation between the admin and block editor, removing the context-switch that confused users since Gutenberg shipped.
Don’t let a contractor repo be the one to tell you what’s in your GovCloud account.

Leave a comment