Tuesday, 14 July 2026
CISA sat on nine automated leak alerts for months before a reporter's tip forced a six-month-old secrets exposure into the open; Cloudflare starts fingerprinting mouse tremor and wrist pivot to catch agentic bots; Lobsters cuts its hosting bill in half by ditching MariaDB for SQLite
Today's Lead
EngineeringKrebs on Security
Lessons Learned from CISA's Recent GitHub Leak
CISA has published a postmortem on a contractor who published 844 MB of sensitive agency data — including administrative credentials to three AWS GovCloud servers and a plaintext password file for dozens of internal systems — in a public GitHub repository, where it sat for almost six months. The security firm GitGuardian had automatically alerted the offending account nine separate times before anyone acted; it took a direct notification from KrebsOnSecurity, and then more than 48 hours after that, before CISA invalidated the exposed keys. The agency's own report blames unclear reporting channels — researchers didn't know whether to email the contractor, use CISA's vulnerability-disclosure platform meant for product bugs, or go through a reporter — and says it's now refining those channels and publishing instructions in more places. For an agency whose job is telling everyone else how to run incident response, the case is a clean illustration of a familiar sociotechnical failure: nine machine alerts landing in a queue nobody owned turned a fixable one-day problem into a six-month exposure, and mature key-rotation tooling didn't help because the organizational path to using it was broken.
Martin Fowler
Notes from a Thoughtworks retreat on 'harness engineering' — the scaffolding of context management, validation, and guardrails that determines how much of a job an AI agent can be trusted with. A recurring thread is the shift from code review toward other forms of rigor as agents write more code, and a debate over how much latitude non-engineers should have to direct agents directly. Fowler relays a colleague's reframing: when a manager routes work to an LLM instead of their team, they haven't picked up a tool, they've made a hire, and the real question is whether that manager knows how to manage by objective rather than by method — Peter Drucker's 1959 distinction for when the worker (or model) knows more about the specifics than the manager does. The unresolved worry is what happens with unstated objectives: it's easy to ask an agent to build a todo-list app from your email, harder to enumerate everything it shouldn't do along the way, and conformance tests can't cover assumptions nobody thought to write down. The piece also touches on rising interest in self-hosting open-weight models — driven as much by a desire for model sovereignty and data control as by cost — and a course creator's report that AI has cut his sales by more than half, a preview of the incentive problem facing anyone who makes educational content that LLMs can absorb and restate for free.
Read →Cloudflare Blog
Introducing Precursor: detecting agentic behavior with continuous client-side signals
Cloudflare's new bot-management feature, Precursor, moves detection from single checkpoints (like a Turnstile challenge at login) to continuous, session-long behavioral analysis. It injects a lightweight script that tracks pointer movement, keyboard rhythm, and focus changes throughout a visit, on the theory that individual actions are easy for a bot to fake but a whole session's worth of physically-constrained human quirks — wrist-pivot arcs in mouse movement, measurable delays between seeing and clicking something, hand tremor — are much harder to sustain convincingly. Because the profile is scoped to the session rather than the request, a bot can't reset its behavioral fingerprint by refreshing the page or re-solving a challenge. Cloudflare frames this as raising the cost of automation across an entire user journey rather than just at the front door, which matters increasingly for the current generation of agentic browsing tools that can already pass individual CAPTCHAs and execute real JavaScript in real browsers.
Read →Netflix Tech Blog
Building Service Topology at Scale: Architecture, Challenges, and Lessons Learned
Netflix's real-time map of service dependencies — built from eBPF network flows, IPC metrics, and traces — worked fine locally and then broke in production: Kafka consumers fell behind, popular services created 'hot' instances receiving 100x normal traffic, and garbage collection ate more CPU than the actual business logic. The engineering team's fix was a three-stage pipeline that redistributes data twice via consistent hashing before writing it, which resolves network intermediaries (collapsing App → Load Balancer → App into a clean App → App edge) as a side effect of the same redistribution that prevents any one instance from being overwhelmed by a popular destination service. They also abandoned gRPC for inter-stage streaming in favor of plain Server-Sent Events, and pragmatically switched to mutable data structures on the hot path despite Scala convention favoring immutability, once profiling showed allocation churn was driving GC pauses. The throughline, stated explicitly: fix one bottleneck and the next one becomes visible, and 'best practices' are starting points to be overridden only when measurement — not convention or hype — says to.
Read →Lobsters
lobste.rs is now running on SQLite
After a first migration attempt failed under production read traffic and had to be reverted, the Lobsters team completed a switch from MariaDB to SQLite, cutting the site's VPS costs in half and leaving CPU and memory usage visibly lower through a full Monday traffic spike. The write-up is a candid account of the gap between local testing and production reality for anyone doing a database migration without access to real production data: SQLite doesn't support unsigned bigints, its default NOCASE collation only handles ASCII (unlike the UTF8MB4 collation the site relied on), and its full-text search tables needed the non-default 'contentless-delete' mode to behave sanely. Two queries that scanned entire tables and one N+1 pattern accounted for the first deploy's performance collapse. The author's main lesson for next time: build a production-realistic dataset before attempting an underlying database migration, rather than discovering scale problems only once the migration is already live.
Read →JSTOR Daily
The Rise and Fall of the Public Sandbox
The public sandbox arrived in the US in the 1880s as a deliberate, women-led civic project: Boston physician Marie Zakrzewska saw children playing on Berlin's sand hills and helped bring the idea home, over the objections of psychologist G. Stanley Hall, who argued in 1888 that girls should be excluded from sand play. The sandbox became one of the only public spaces of the era organized and run by women rather than the era's all-male parks commissions, and by the 1904 World's Fair it had become a fixture of the model urban playground, doubling as an informal daycare and lost-children collection point. Its decline came later and for an entirely different reason: by the late twentieth century, public health concerns about fecal contamination from animals turned the sandbox from a celebrated 'community builder' into something municipalities quietly stopped installing. It's a tidy case study in how a piece of everyday infrastructure can be created by one social movement and then dismantled by an entirely unrelated later one, with no continuity between the reasons it rose and the reasons it fell.
Read →