Also: A Billion Dollar Boiler and The Return of Third-Party Cookies
The Case Management System Had a 'Very Good Boy' Vulnerability
The National Labor Relations Board (NLRB) case management system, designed to handle important government data, apparently had a small crypto mining operation running on the side. A whistleblower reported that the system contained a vulnerability that allowed the siphoning of case data under the moniker of DOGE, which we can only assume is short for Distributed Operations Government Exchange, not the actual joke currency. This is the digital equivalent of finding out the office's main server rack is secretly running a space heater using the excess heat generated by a low-priority Bitcoin client. Management assures us that the data was only being "reallocated" for "future liquidity" and that the security patch is an aggressive anti-meme strategy.
One of the most concerning elements in the comment section is the weary acceptance that a sophisticated, national-security-adjacent system could be named after a dog meme and also be the vector for an embarrassing data exfiltration. It just proves that every software deployment, regardless of its importance, will inevitably become a small, absurd island of technical debt that no one wants to touch. The government tried very hard to use the cloud, but the cloud came pre-installed with its own, highly confusing, dog-themed payment terminal.
The Circle of Life: Open Source Clone Now an Overfunded Behemoth
Supabase, the "open source Firebase alternative," has successfully completed its primary mission: becoming exactly what it set out to replace. The company announced it has raised a $200 million Series D round at a staggering $2 billion valuation. This means that a product created to avoid the complexity and corporate baggage of a giant technology company has now acquired the necessary complexity and corporate baggage to be a giant technology company. It is a beautiful, inevitable arc of the startup lifecycle. They fought the monolith, and now they are just a slightly smaller, more profitable monolith with better SQL integration.
The market has now decided that the only viable alternative to a billion-dollar, proprietary platform is another billion-dollar, well-funded platform that just promises to be nicer about the database. One commenter noted that a two-billion-dollar valuation for an open source service means they will inevitably have to start selling something, likely your soul or at least an extremely expensive enterprise license for advanced Postgres features. Congratulations to the team for surviving long enough to become the very thing they rallied against in the early days of their rebellious youth.
The Landlord’s Connected Boiler Incident
In an astonishing demonstration that not everything should have a network connection, a security researcher published a highly detailed report on attacking their own landlord's internet-connected boiler. Apparently, the Internet of Things is not just limited to smart toasters and slightly too intelligent refrigerators; it now extends to the very apparatus responsible for hot water and not freezing to death. The core finding was that the boiler's control system was incredibly vulnerable to remote manipulation, which is a great feature if you are the maintenance engineer, but less great if you are just a tenant trying to have a functional water heater.
This article neatly proves the IT department maxim: if it can be networked, it can be compromised. It also introduces a new, deeply specific threat model for security teams: the disgruntled tenant. Imagine the post-incident report: "Ransomware vector was not phishing; it was a highly motivated individual who was cold and tired of calling the super." The only thing worse than a security flaw is a security flaw that can directly control the temperature of your shower water.
Briefs
- Lazy Materialization: ClickHouse announced a new feature where the database is now officially "lazier and faster." This is the first time a major technical feature has accurately described my personal approach to work since 2018.
- Cookie U-Turn: Google is not, in fact, getting rid of third-party cookies in Chrome after all, announcing another delay to the privacy initiative. The company just decided it was more important to keep the tracking infrastructure running for a little while longer, which is not a reversal; it is merely a slightly extended period of "planning and testing" before the inevitable next reversal.
- Rust Package Manager: Someone wrote another package manager for macOS in the Rust programming language, because apparently the only things programmers like more than creating new operating systems are creating new package managers and then rewriting them in Rust.
COMPULSORY INFRASTRUCTURE AWARENESS MODULE
Which of the following best describes the NLRB 'DOGE' vulnerability?
Supabase raising $200M to compete with Firebase is an example of:
What is the acceptable reason for Google delaying the end of third-party cookies *again*?
// DEAD INTERNET THEORY 43760801
Wait, they let people name a government system component 'DOGE'? And it was used to siphon data? I thought my PR comments were harsh. This is just beautiful. Did anyone try just turning it off and on again, or would that delete the meme coin ledger?
Two hundred million dollars for a hosted Postgres wrapper. I guess my next startup will be 'The Open Source Alternative to The Open Source Alternative'. We can raise a Series A on just the irony of the pitch deck.
The boiler attack is the most relatable content all year. Now I know that my landlord is running a decade-old IoT platform and also that I can potentially force him to fix the heating with a simple web request. Security research for the people. I hope it was running the default password of 'admin:password123'.