Welcome to Runtime! Today: How Expedia is using AI to help its platform teams modernize its assets while managing the "people problems," a hacker hubbub over how Microsoft's little-known "GDID" helped with a recent arrest, and GitHub's AI agent gets pwned by this one simple trick.
Please forward this email to a friend or colleague! If it was forwarded to you, sign up here to get Runtime for free every week, or level up here.
Only the beginning: Expedia Group's IT teams have been on a years-long quest to consolidate the dozens of software-development platforms running across the wide array of sites it runs, from the flagship travel-booking site to Vbro and Hotwire. In a recent interview with The Stack Expedia's SVP, platforms engineering, Rick Fast, described how coding agents have dramatically accelerated the coding part of that project, but they need a proper roadmap.
"The areas where we've seen the most tangible improvement in terms of being able to move fast are in the areas of modernisation," Fast told The Stack's Kiera Fields. But moving fast creates new challenges when it comes to managing and deploying all that code: "We eliminated the technology problem, and now we're just running into a wall on the people problems," he said. Read Kiera's full interview below.
The StackKiera Fields
CTO and CIOs have long talked about making sure their developers follow a "golden path" — a company-approved collection of programming languages, development tools, and cloud providers — so they can keep track of new applications and feel assured they meet company standards. As it happens, AI coding agents need very similar guidance, and Fast's team built an internal command-line interface called Tarmac that steers agents in the right direction and connects them with the data they need to execute tasks.
However, letting agents take the wheel leads to a huge increase in login attempts and authentication tests that companies will need to manage, and that's not easy. "Agents are extremely creative and will find a way to do things, and that's created new failure modes," Fast said, but companies like Expedia are figuring out how to make this new technology work safely and efficiently.
An arrest puts the GDID in the spotlight: It's Microsoft's "secret weapon" said one over-excited commentator wrongly on X, after an FBI affidavit revealed that Redmond's little-known Global DeviceID had helped investigators track the activity of an alleged member of the prolific Scattered Spider cybercrime group, despite the teenager in question having used a VPN and secure tunneling services.
The Stack's Edward Targett took a closer look at the affidavit, asked Microsoft about the GDID, and heard from legendary cybersecurity professional and former zero day broker "The Grugq" about the friction entailed in ensuring good operational security (opsec) online.
The StackEdward Targett
Shields up: The term "secret agent" is about to get a whole new meaning. The UK's NSCS said this week that it wants to "build a national fleet of 'red' and 'blue' AI agents to deliver the so-called UK Cyber Shield," according to our report, and the NSCS said the agents would provide "automated scanning of critical UK IP ranges for exposed vulnerabilities analysis of aggregated data to understand national level exposure."
The StackThe Stack
Join peers following The Stack on LinkedIn
Hot mess: CISA warned Adobe users this week that a vulnerability in its ColdFusion web-application development platform is currently being exploited, although a patch is available. The vulnerability earned a CVE score of 10 (that's bad) and it allows attackers with access to a ColdFusion server to change the destination for certain files that they weren't supposed to be able to access.
The StackNoah Bovenizer
Who are you: As Expedia's Rick Fast noted above, authentication is going to be one of the hardest problems for companies running AI agents to solve before a rogue agent does real damage. This week Vercel snapped up Better Auth to add its authentication technology to its development platform, with plans to go "where auth is heading: a future where agents act on users’ behalf and need secure, scoped, and revocable access," Better Auth CEO Bereket Engida said in a blog post.
The StackNoah Bovenizer
"Per my email": "Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses," Noma Security's Sasi Levi wrote this week in detailing a pretty bad one that allowed an attacker to steal data from a private GitHub repo. All they had to do was start the request for private data with the word "additionally" inserted into an otherwise benign prompt, and GitHub's AI agent was more than happy to hand over that data when asked so nicely.
The StackTom KrazitMarked safe from memory: Rust has been one of the fastest-rising programming languages in recent history thanks in part to its memory-safe design, which prevents developers from making the kinds of memory-handling mistakes that spawned countless numbers of software vulnerabilities over the last several decades. This week it cracked the top ten of the TIOBE Index of programming languages for the first time, which also goes to show how many C and C++ applications still run huge chunks of the internet.
The StackKiera Fields
We're also reading:
Hiring for tech jobs may never be the same after the AI boom; Gergely Orosz broke down just how much has changed through 50+ interviews with job seekers and hiring managers.
Thinking about jumping off AWS and adopting an EU sovereign cloud? Techstrong took a deep look at the gaps between the massive amount of services available on the cloud infrastructure giant and the options offered by seven European cloud providers.
In case you missed it: Here's how European neobank bunq built its hub-and-spoke set of agents to power customer service across the bank for its 20 million customers; an interview sponsored by AWS.
Want to sponsor a newsletter and get in front of 30,000+ subscribers, including CTOs and CIOs wielding $150 billion in annual tech budget? Get in touch through our Partner page.