Friday, 22 May 2026
Martin Fowler defines vibe coding vs. agentic programming; Waymo pauses service over flood incidents; Google API keys linger after deletion
Today's Lead
Martin Fowler
Bliki: Vibe Coding
Martin Fowler argues that "vibe coding" — building software by prompting an LLM without ever reading the generated code, a term coined by Andrej Karpathy in 2025 — is fundamentally different from "agentic programming," where developers still review and reason about LLM output. Despite the term catching on as a synonym for all LLM-assisted coding, the distinction matters: vibe coding enables non-programmers to build disposable software quickly but introduces serious risks around security, maintainability, and correctness. Fowler recommends limiting vibe coding to throwaway projects with a small, risk-aware audience.
Also today
TechCrunch
Waymo Pauses Atlanta Service as Its Robotaxis Keep Driving Into Floods
Waymo suspended robotaxi service in Atlanta, San Antonio, Dallas, and Houston after autonomous vehicles repeatedly drove into flooded roads despite software updates meant to address the problem. A robotaxi became stranded in Atlanta floodwaters for about an hour, and the company admits it lacks a final solution to water-hazard detection. Federal regulators have opened an investigation into the incidents.
Read →Zero Shot
Google is Shattering Under Its Own Weight: The IBM-ification of Google
A blogger argues Google is following IBM's path from dominance to irrelevance — citing its product graveyard, destructive AI Overview practices that strip-mine content, arbitrary account terminations, and a lost engineering culture. Google's vertical integration, once a strength, has become a bureaucratic liability that drives users and creators away across every product line. The post drew significant discussion on Hacker News about whether Google's structural decay is reversible.
Read →0xsid.com
A developer discovered that Google silently replaced Antigravity's traditional IDE interface with a new conversational chatbot interface via a background auto-update, breaking their workflow entirely. The two versions are incompatible, with no rollback path except a full uninstall and reinstall of the previous version. The incident is a case study in why background updates should deliver security patches, not wholesale product replacements.
Read →Aikido Security
Google API Keys Keep Working After You Delete Them — Long Enough to Be Exploited
Researchers found that deleted Google API keys remain functional for up to 23 minutes post-deletion, with revocation success rates varying wildly across regions — as low as 5% one minute after deletion. The window is long enough for attackers who obtained a leaked key to continue unauthorized access even after the key has been rotated. Google declined to fix the issue, characterizing the delay as an expected property of their eventually-consistent infrastructure.
Read →blog.changs.co.uk
Python 3.15: Features That Didn't Make the Headlines
Python 3.15 ships several under-the-radar improvements beyond the headline features, including enhanced asyncio TaskGroup cancellation, improved context managers that handle async functions and generators, and new threading utilities for iterator synchronization. Practical additions like Counter XOR operations and immutable JSON objects round out a release that rewards developers willing to dig past the changelog summary.
Read →Krebs on Security
Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in U.S. and Canada
Canadian authorities arrested 23-year-old Jacob Butler ("Dort") of Ottawa, charging him with running the Kimwolf IoT botnet that compromised millions of devices — including digital photo frames and webcams — and launched DDoS attacks peaking at nearly 30 Terabits per second, a recorded record. U.S. and Canadian charges followed a coordinated infrastructure seizure in March, and Butler faces up to 10 years in U.S. prison if extradited and convicted. The investigation also resulted in the simultaneous seizure of three competing botnets.
Read →Simon Willison
FTC to Require Cox Media Group to Pay Nearly $1 Million Over Fake "Active Listening" AI Service
The FTC fined Cox Media Group, MindSift, and 1010 Digital Works nearly $1 million for selling an "Active Listening" ad-targeting service that falsely claimed to eavesdrop on consumers through smart-device microphones to serve targeted ads. The service never captured voice data — it resold purchased email lists at a significant markup — and the FTC clarified that burying opt-in consent in standard app terms of service does not constitute adequate consent, even hypothetically.
Read →Cloudflare Blog
Announcing Claude Compliance API Support with Cloudflare CASB
Cloudflare extended its cloud access security broker (CASB) to integrate with Anthropic's new Claude Compliance API, giving enterprise security teams visibility into Claude usage without deploying endpoint agents. The integration surfaces findings on projects, attached files, chat messages, and generated artifacts that violate configured data-loss-prevention policies, directly alongside existing SaaS posture data in the Cloudflare dashboard.
Read →Dropbox Tech
Introducing Nova, Dropbox's Internal Platform for Coding Agents
Dropbox published the architecture of Nova, its internal platform for running coding agents at scale within the company's large monorepo and Bazel-based build infrastructure. Nova sessions run in isolated environments against real CI, with validation loops that feed build and test failures back to the agent — already powering flaky-test remediation, dependency upgrades, and CI-failure triage. Key takeaway: coding agent value comes as much from surrounding platform design — context, validation loops, guardrails — as from the underlying model.
Read →