Jesse Houwing
jessehouwing.net
@jessehouwing.net
Loves Charlotte and Lily & Mika. Works at Xebia. Scrum.org, GitHub and Microsoft Trainer
Can go in the box in the attic along with its 18 predecessors.
October 22, 2025 at 7:22 PM
Use this link to learn more about Xebia or book some time with our team.

events.xebia.com/microsoft/-x...
Xebia at GitHub Universe 2025: AI, Copilot & Enterprise
Join Xebia at GitHub Universe 2025 to explore AI, Copilot, and enterprise solutions. Don’t miss demos, sessions, and ways to make an impact.
October 9, 2025 at 7:33 PM
Oh yeah. Even worse. Though we didn't need AI for this stupidity.
October 7, 2025 at 4:56 PM
Yeah... I've had to paste in `utility --help` into the AI multiple times now so it would trust me some parameter did or did not exist.

Even more fun when it's a "hidden" parameter.

And then to convince another human... ARGH!
October 7, 2025 at 3:13 PM
You can add custom instructions to auto-create a [WIP] ... commit in case of unsaved changes.
September 24, 2025 at 5:14 PM
Subtly downgrade a band
September 24, 2025 at 12:19 PM
Great post John! And it's easy to replace Bicep with Terraform or another tech. There's also a Terraform MCP integration available.
September 8, 2025 at 8:58 AM
As a temporary solution I got these. That hopefully gives me 100 Mbit, which would be enough.

amzn.eu/d/h7SQmir

But I'd rather have a proper plug on the end.
BRIEFCEC RJ45 connector to terminal block 8-pin adapter, Covvy CCTV/DVR Ethernet connector RJ45 female jack to 8-pin screw RJ45 connector (2 x plug) : Amazon.nl: Elektronic...
September 6, 2025 at 6:23 PM
That's a huge compliment coming from you :).
September 5, 2025 at 11:07 AM
But there are more potential problems in their GitHub Actions infrastructure. Things that probably weren't part of this attack chain, but could be abused in the future.

I hope the blog post will help plug the remaining holes as best possible.
September 3, 2025 at 5:47 PM
All 3 were needed to extract the secret. Had any of these not been there, the attack would have failed immediately.

The rest of the attack chain made assumptions about the safety of the repo itself, which was compromised by the leaking of the valid write token.

It all went down from there.
September 3, 2025 at 5:45 PM
The default GitHub token permissions being read/write must have been the one thing that would have caused the biggest problem.

Followed by the script injection attack.

Followed by the use of the `pull_request_target`.
September 3, 2025 at 5:45 PM
No, I don't think so. It would surely reduce the attack surface, but in this case it probably wasn't the deciding factor.
September 3, 2025 at 5:37 PM
It's a great teaching moment... Chasing virtual stickers is a lot less important than a lot of other things.

My daughter was pretty distraught during vacation as well, then felt a lot more free for not having to chase that stupid streak while enjoying the mountains and practicing with real people.
August 25, 2025 at 10:28 AM