I put a skill point in bjorktongue but turns out it's just that made up language sigur ros did

> 1 min read

A critical security issue I've been trying to report to SpankMatch/SpankChain since Dec 2023 has finally been addressed. This post details that, plus the shitshow the waning days of GCR were. Quote GCP: "The product team has currently not expressed interest in proactively reaching out to users."

Firebase should require a written aptitude test at this point, jesus.

"Because everyone else lowered the bar, we decided to join them" is so on-brand...

I've still not heard back from anyone. It's is an issue that's survived the shutdown of SpankMatch and I've sent emails about since _Dec 2023_. Root cause is in the email & I'd be happy to answer any Qs. I'd normally do this over email but bsky is the only response I've had. @spankchain.bsky.social

Missed this when it came out, good shit. At this point I don't think it's controversial that Firebase should be "considered dangerous" in the slop era (and in the past) but it's just going to get worse and have a super long tail. I'd complain about Goog's response, but meh, Always Has Been.

hooray for mail day

Pre-order arrived, finally got a chance to listen. Holy hell.

I WARNED YOU ABOUT [GitHub PATs (classic)] BRO !!!! I TOLD YOU DOG! [2025-12-17] amenbreakpoint - Reported information disclosure in a GOV.UK service [2025-12-10] amenbreakpoint - Reported information disclosure in a GOV.UK service

Smells like GCP's "allAuthenticatedUsers" principal footgun...

At this point I believe I've received a copyright claim from every member of KISS except Peter Criss. Working on it.

We stand with our colleagues and fellow members in full solidarity - this unfair and illegal arrest is an affront to a free press. ✊💔

Make sure to do the good shit on Signal, not here.

Gonna flog this dead horse since this mirrors my experience with GCR and other registries: BUILD CONTEXT LEAKS ARE EVERYWHERE (and OCI images are the absolute worst offenders). You're probably doing it _right now_.

had a nyquil dream that was just my brain trying to workshop bootleg shirt mashups of ikiru and akira. all bart ska-mpson level disasters.

I've reported like 10 leaked PATs from packages to their owners in the last couple of weeks and it's kinda bs this issue (from 2022!) is open has been added & removed from the GitHub Public Roadmap 3 times. imo any PAT's a disaster waiting to happen, call that shit "Chekhov's Token (classic)".

"Yesterday’s flexibility has become today’s insurmountable technical debt." Put it on my tombstone.

I've seen a TON of ways to fuck up Docker/OCI image builds and leak build context, secrets, etc. but I just reported one to a vendor that I've never seen before: they leaked a GitHub PAT through the build _provenance attestation_ and they'd been leaking multiple tokens for a few years (!). Wild.

Aaaaand Firebase claims another one. The misconfig rate for Firebase/appspot buckets and Firestore DBs has gotta be one the worst for a "turnkey" system.

Today I'm publishing my writeup about a number of security issues I reported last September to Zigazoo, the self-described "World's Largest Social Network for Kids!". Impact included access to all user records, uploaded media (inc deleted items), account escalation, and user impersonation.

jazz is the brown notes you _don't_ play