amenbreakpoint
@amenbreakpoint.com
semi-pro computer hater
"Cmon, what are the odds?" I'll say, as I click the button and record the change absolutely nowhere.
January 14, 2026 at 5:40 PM
January 12, 2026 at 11:52 PM
Make sure to do the good shit on Signal, not here.
NLG Know Your Rights reminder: Shut the f*** up!
YouTube video by National Lawyers Guild, Detroit & MI
www.youtube.com
January 8, 2026 at 1:38 AM
lol, my hometown poison has broken containment.

The vitamin/nutritional values of Enuf are completely wacky. Years ago a roomie of mine had to cut way down after blood work and a doctor visit because of it. It was basically the WKUK "Hot Dog" sketch but for Dr. Enuf stubbies.
December 22, 2025 at 12:48 AM
The GitHub Action "google-github-actions/auth" is my fave silent killer for static GCP creds and I've encountered leaks from it dozens of times in the wild. Writes creds to the pwd, which then get silently "COPY ." into the image. README points out .dockerignore but it doesn't enforce/warn...
GitHub - google-github-actions/auth: A GitHub Action for authenticating to Google Cloud.
github.com
December 11, 2025 at 12:02 PM
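A pre-build gate for the leak described in the post above, as an added example that is not from the post or from the action's own code: it walks a build context and reports every GCP service-account key file that `.dockerignore` does not exclude, detecting keys by JSON content rather than by file name. The function names are hypothetical, the `.dockerignore` matcher is a simplified subset (`*`, `?`, `**`, `!`, last match wins), the sample key is constructed, and it assumes the Dockerfile copies the whole context.

```python
import json, os, re, tempfile

# Glob tokens in a .dockerignore pattern and their regex equivalents.
TOKENS = {"**/": "(.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def compile_rule(line):
    """One .dockerignore line -> (negated, regex); a directory match covers its children."""
    neg, pat = line.startswith("!"), line.lstrip("!").strip("/")
    body = re.sub(r"\*\*/|\*\*|\*|\?|.",
                  lambda m: TOKENS.get(m.group(), re.escape(m.group())), pat)
    return neg, re.compile(body + r"(/.*)?$")

def is_ignored(rel, rules):
    state = False
    for neg, rx in rules:              # the last matching rule wins
        if rx.match(rel):
            state = not neg
    return state

def leaked_gcp_creds(context):
    """Service-account key files that a `COPY .` would pull into the image."""
    rules, ignore_file = [], os.path.join(context, ".dockerignore")
    if os.path.exists(ignore_file):
        with open(ignore_file) as fh:
            rules = [compile_rule(l.strip()) for l in fh
                     if l.strip() and not l.startswith("#")]
    hits = []
    for root, _, files in os.walk(context):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, context).replace(os.sep, "/")
            try:
                with open(full) as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                continue               # unreadable or not JSON: not a key file
            if (isinstance(doc, dict) and doc.get("type") == "service_account"
                    and "private_key" in doc and not is_ignored(rel, rules)):
                hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed context: a fake key in the workspace root, then ignored."""
    with tempfile.TemporaryDirectory() as ctx:
        fake = {"type": "service_account", "private_key": "CONSTRUCTED-NOT-A-KEY"}
        with open(os.path.join(ctx, "gha-creds-EXAMPLE.json"), "w") as fh:
            json.dump(fake, fh)
        before = leaked_gcp_creds(ctx)
        with open(os.path.join(ctx, ".dockerignore"), "w") as fh:
            fh.write("# keep CI credentials out of the context\ngha-creds-*.json\n")
        return before, leaked_gcp_creds(ctx)
```

Run as a CI step after the auth step and before `docker build`, failing the job when `leaked_gcp_creds(".")` is non-empty.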
Gonna flog this dead horse since this mirrors my experience with GCR and other registries: BUILD CONTEXT LEAKS ARE EVERYWHERE (and OCI images are the absolute worst offenders). You're probably doing it _right now_.
December 11, 2025 at 11:55 AM
had a nyquil dream that was just my brain trying to workshop bootleg shirt mashups of ikiru and akira.

all bart ska-mpson level disasters.
December 2, 2025 at 10:28 PM
The tech at large has the memory of a goldfish. This crew just got a partnership with Dreamworks: amenbreakpoint.com/posts/zigazoo/
Zigazoo too, Another Firebase Boogaloo
GCP security at "The World's Largest Social Network for Kids!"
amenbreakpoint.com
November 23, 2025 at 1:13 AM
Putting users into a shittier security posture because a single REST API doesn't work like all the other ones sucks.

> "To use the REST API to manage GitHub Packages, you must authenticate using a personal access token (classic)."
REST API endpoints for packages - GitHub Docs
Use the REST API to interact with GitHub Packages.
docs.github.com
November 22, 2025 at 8:30 PM
I've reported like 10 leaked PATs from packages to their owners in the last couple of weeks and it's kinda bs this issue (from 2022!) is open and has been added & removed from the GitHub Public Roadmap 3 times.

imo any PAT's a disaster waiting to happen, call that shit "Chekhov's Token (classic)".
Packages support for fine-grained PATs · Issue #558 · github/roadmap
Summary Personal Access Tokens, or PATs, provide users a quick way to create tokens they can use to make API calls. The tokens allow users to specify scopes to determine what the token can access. ...
github.com
November 22, 2025 at 8:28 PM
"Yesterday’s flexibility has become today’s insurmountable technical debt."

Put it on my tombstone.
November 13, 2025 at 12:16 PM
I've seen a TON of ways to fuck up Docker/OCI image builds and leak build context, secrets, etc. but I just reported one to a vendor that I've never seen before: they leaked a GitHub PAT through the build _provenance attestation_ and they'd been leaking multiple tokens for a few years (!). Wild.
September 6, 2025 at 8:28 PM
Aaaaand Firebase claims another one. The misconfig rate for Firebase/appspot buckets and Firestore DBs has gotta be one of the worst for a "turnkey" system.
New from 404 Media: viral woman's dating safety app Tea breached. 4chan taking peoples' uploaded photos, used to verify it's a woman-only app. App recently hit no. 1 in App Store. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” www.404media.co/women-dating...
Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan
“DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” the thread read before being deleted.
www.404media.co
July 25, 2025 at 3:39 PM
Today I'm publishing my writeup about a number of security issues I reported last September to Zigazoo, the self-described "World's Largest Social Network for Kids!".

Impact included access to all user records, uploaded media (inc deleted items), account escalation, and user impersonation.
Zigazoo too, Another Firebase Boogaloo
GCP security at "The World's Largest Social Network for Kids!"
amenbreakpoint.com
July 21, 2025 at 1:52 PM
DEATH BEFORE DMARC
August 12, 2024 at 3:10 PM
jazz is the brown notes you _don't_ play
May 30, 2024 at 8:29 PM