Mike Preston

💻 A while back, I had some concerns about AI. Mostly, my lack of knowledge around a tool that I am using daily. I said it would most likely become my next rabbit hole. 🐰 Well, I have started digging and would love for you to join me! I’m sharing what I’m learning as I go in two places: 📖 Learn AI With Me (the written lessons + code) 📺 Mike Knows Nothing About AI (the matching video walkthroughs) Lesson 1 is now live: Foundations It covers LLM basics, like, really basic, like, "why is the answer different every single time" basic. I try to explain exactly how an LLM differs from software that we are traditionally used to! If you are curious and want to learn alongside me: 📌 GitHub lesson: https://t.co/4j6mjPrDzt 🎥 YouTube video: https://t.co/cWFcqca3R9 If you watch or read it, I’d love feedback. What felt confusing, what should I simplify, what am I missing? Lesson 2 which deals with tokens will be along shortly!

Two missing characters, one horrible result 😬 Wiz shared a supply chain risk tied to AWS CodeBuild + GitHub that (in the worst case) could’ve ended with an attacker gaining control of your repos. Here’s what went wrong... 🧵👇 Some CodeBuild projects used a webhook filter based on GitHub ACTOR_ID (GitHub account ID) and compared it using a regex allow-list. But the regex wasn’t anchored (basically missing ^ and $), so it behaved like a substring match instead of an exact match. 🔓 So in essence, an adversary could… 🧨 🔍 Learn which IDs are “trusted” from the exposed/observable pipeline configuration tied to the project. 👥 Create lots of GitHub identities until one ends up with a numeric ID that contains a trusted ID as a substring. Basically, if an approved ID was 1234, a user with an ID of 584912343939 would word as 1234 is in the string. Wiz used automation to speed this up. 🎰 🧾 Open a PR from that identity. ⚙️ In turn, that triggered a CodeBuild run (because the substring match passes the allow-list check). 🕵️ Abuse the build context to grab GitHub credentials/tokens from the build environment/process. 🔑 Use those creds to wreak havoc on the GitHub Org, setting up a classic supply-chain nightmare 💣 AWS patched this up quickly and found no evidence of exploitation ✅ The lesson 🧯 Treat CI like production: 🔐 least-privilege tokens 🧑‍⚖️ approval gates for privileged builds and of course, 💾 Backup + Recovery for your GitHub org (and actually test restores) If you’re thinking about this from a resilience angle, this is why solutions like Rubrik exist. 🧊🛟 Stay safe out there ✌️ https://t.co/JIrvLUsAYa https://t.co/kIXdT2raD5

A lot of teams treat Azure DevOps like it’s disposable 🗑️ Worst case we will just recreate pipelines right? Repos are versioned by got, shouldn’t be an issue Boards aren’t that important, we’re good! 🤣Sure. Cool cool cool! That is until Azure DevOps goes sideways and suddenly: 🤷nobody remembers why a change was approved ❌ half the pipelines fail for “reasons” ⛱️ and the one person who knows how it works is on vacation ✅ Turns out DevOps data is… data. 🔥 And losing it hurts more than you think.

Fun fact: I still misspell “focuses.” In college, I had a summer job with the Canadian federal government, teaching employees Microsoft Word - right when autocorrect was brand new. My demo? Adding an autocorrect for focusses → focuses. 20+ years later… my brain never updated. Autocorrect still hasn’t either.