CISA’s AWS GovCloud Keys Sat Public on GitHub for Six Months

CISA credentials sat in a public GitHub repo for six months. Netflix mapped 10k+ services in real time. Debian bookworm moves to LTS. A busy day for postmortems.

// SECURITY FOCUS

CISA’s AWS GovCloud Keys Sat Public on GitHub for Six Months

A contractor leaked dozens of CISA internal credentials – including AWS GovCloud keys – to a public GitHub repo, and nobody at the agency caught it for nearly six months; Krebs had to notify them. The postmortem gaps CISA identified map directly to what most security teams are missing: no automated secret-scanning on contractor repos, no rotation-on-exposure SOP, and alert fatigue suppressing GitGuardian-style signals.

What to do: Run secret scanning across all repos your contractors can push to this week, and verify you have rotation runbooks that don’t require a human to notice the leak first.

  1. Building Service Topology at Scale: Architecture, Challenges, and Lessons Learned — Netflix TechBlog · Jul 13
    Netflix’s Parth Jain, Rakesh Sukumar, Yingwu Zhao, Renzo Sanchez-Silva, and Nathan Fisher detail how the company built a real-time service dependency map that processes millions of flow records per second across four regions. The core is a three-stage distributed aggregation pipeline: Stage 1 batches raw eBPF network flows into 5-minute windows, Stage 2 resolves load balancer and NAT hops into direct app-to-app edges using consistent hashing to co-locate related flows, and Stage 3 handles enrichment and graph persistence. Two stages failed in production because intermediary resolution concentrated traffic so unevenly that some instances received 100x the load of others – splitting resolution from enrichment fixed the hot-node problem. They also replaced gRPC with Server-Sent Events after finding serialization and connection-pool overhead consumed more CPU than business logic, and built reactive backpressure throughout so the pipeline slows gracefully under load rather than dropping records or crashing. The result is topology freshness measured in tens of minutes versus hours for batch approaches – meaningful for incident response but worth calibrating expectations against before assuming sub-minute freshness.
  2. Graviton5 Outperforms Intel Xeon Granite Rapids but Falls Short of AMD EPYC Turin — Phoronix · Jul 13
    Michael Larabel at Phoronix benchmarked AWS Graviton5 (m9g.4xlarge) against AMD EPYC Turin (m8a.4xlarge) and Intel Xeon 6 Granite Rapids (m8i.4xlarge) on Ubuntu 26.04 with Linux 7.0, using matched 64 GB / 4xlarge EC2 instance sizes. Graviton5 beats the Intel Xeon 6975P-C but trails the EPYC 9R45 Turin across the tested workloads – though the pricing gap is notable: m9g is $0.78/hr on-demand versus $0.97/hr for m8a and $0.85/hr for m8i. The M8i comparison has a significant asterisk: it maps 16 vCPUs to only 8 physical cores plus their HT siblings, while Graviton5 and EPYC each get one physical core per vCPU, so the Xeon numbers aren’t apples-to-apples on core count. The M8i also runs DDR5-7200 rather than the MRDIMM-8800 the Xeon 6900 series supports, leaving performance on the table. If you’re choosing M-series instances today and AMD’s Turin lead doesn’t justify the ~24% price premium over Graviton5, m9g is the value pick.
  3. Debian 12 Bookworm Moves to LTS – Final Normal Release Shipped — LWN.net · Jul 13
    Debian 12 “Bookworm” has shipped its final normal point release and transitions to LTS, with security-only updates continuing until 2028. The update itself is routine – mostly security fixes, as you’d expect from a stable release near end-of-regular-life. If you’re still on Bookworm, this is a reasonable nudge to plan a move to Debian 13 “Trixie”, which received a parallel update this weekend carrying many of the same security fixes.
  4. Flux Schema and Ecosystem Catalog: Manifest Validation with CEL and JSON Schema — Flux CD · Jul 13
    The Flux project released a new CLI plugin, `flux schema validate`, that catches manifest errors – wrong types, missing required fields, violated CEL rules – locally before they reach the cluster. It runs the same CEL evaluation engine as the Kubernetes API server, so a HelmRelease missing both `chart` and `chartRef` fails in CI rather than in a failed reconciliation on main. The accompanying Ecosystem Schema Catalog covers roughly 9,000 schemas across 100 projects (Kubernetes built-ins, CNCF projects, AWS/Azure/GCP operators), hosted on Cloudflare and refreshed daily from upstream releases. There’s also an MCP server at schemas.fluxoperator.dev exposing the catalog to AI agents without authentication; the post claims agents given four manifest tasks against recent CRDs scored 1/4 from training data alone and 4/4 with the MCP server, using 57% fewer tokens than web search. If you run Flux and want schema violations caught at pull-request time rather than reconciliation time, this is the obvious place to start.
  5. BPF-Based Exploit Shielding for Running Kernels: John Fastabend at LSFMMBPF 2026 — LWN.net · Jul 13
    Cisco’s John Fastabend presented a BPF technique for blocking kernel exploits in-place without a reboot – directly relevant for shops running custom or vendor kernels where patching windows are measured in quarters, not days. More hooks needed before it covers the full attack surface.

// In other news

ai

cloud

culture

  • Fragments: July 13 (Martin Fowler) · Jul 13 — Martin Fowler shares notes from Thoughtworks’ internal Future of Software Development retreat, covering how thinking on the topic has shifted across multiple sessions.

dev

  • crates.io: development update (Rust Blog) · Jul 13 — crates.io six-month update covers infrastructure changes, new features, and ongoing work from the registry team – useful baseline if you publish or depend on crates at scale.

iac

  • Sign in to Pulumi Cloud with Passkeys (Pulumi Blog) · Jul 13 — Pulumi Cloud now supports passkeys for email/password accounts, letting teams drop shared passwords for infrastructure deployments without a full SSO rollout.

k8s

  • Operating OpenTelemetry at scale with OpAMP (CNCF Blog) · Jul 13 — OpAMP (Open Agent Management Protocol) lets you remotely configure and update OTel Collectors across large heterogeneous fleets without redeployment – practical if you run more than a handful of collectors.
  • Kubernetes Dashboard to Headlamp: A Step-by-Step Guide (Kubernetes Blog) · Jul 13 — Step-by-step migration guide from Kubernetes Dashboard to Headlamp, covering what changes and what carries over for teams that relied on the old dashboard.

linux

obs

sec

web

Don’t let a contractor repo be the one to tell you what’s in your GovCloud account.

Leave a comment