Welcome to Runtime! Today: How Expedia is using AI to help its platform teams modernize its assets while managing the "people problems," a hacker hubbub over how Microsoft's little-known "GDID" helped with a recent arrest, and GitHub's AI agent gets pwned by this one simple trick.

Please forward this email to a friend or colleague! If it was forwarded to you, sign up here to get Runtime for free every week, or level up here.

Only the beginning: Expedia Group's IT teams have been on a years-long quest to consolidate the dozens of software-development platforms running across the wide array of sites it runs, from the flagship travel-booking site to Vbro and Hotwire. In a recent interview with The Stack Expedia's SVP, platforms engineering, Rick Fast, described how coding agents have dramatically accelerated the coding part of that project, but they need a proper roadmap.

"The areas where we've seen the most tangible improvement in terms of being able to move fast are in the areas of modernisation," Fast told The Stack's Kiera Fields. But moving fast creates new challenges when it comes to managing and deploying all that code: "We eliminated the technology problem, and now we're just running into a wall on the people problems," he said. Read Kiera's full interview below.

How Expedia is using AI to speed up platform consolidation
“We eliminated the technology problem, and now we’re just running into a wall on the people problems.”

CTO and CIOs have long talked about making sure their developers follow a "golden path" — a company-approved collection of programming languages, development tools, and cloud providers — so they can keep track of new applications and feel assured they meet company standards. As it happens, AI coding agents need very similar guidance, and Fast's team built an internal command-line interface called Tarmac that steers agents in the right direction and connects them with the data they need to execute tasks.

However, letting agents take the wheel leads to a huge increase in login attempts and authentication tests that companies will need to manage, and that's not easy. "Agents are extremely creative and will find a way to do things, and that's created new failure modes," Fast said, but companies like Expedia are figuring out how to make this new technology work safely and efficiently.

An arrest puts the GDID in the spotlight: It's Microsoft's "secret weapon" said one over-excited commentator wrongly on X, after an FBI affidavit revealed that Redmond's little-known Global DeviceID had helped investigators track the activity of an alleged member of the prolific Scattered Spider cybercrime group, despite the teenager in question having used a VPN and secure tunneling services.

The Stack's Edward Targett took a closer look at the affidavit, asked Microsoft about the GDID, and heard from legendary cybersecurity professional and former zero day broker "The Grugq" about the friction entailed in ensuring good operational security (opsec) online.

Of diamond chains, “GDIDs” and a Scattered Spider arrest
“A Microsoft device identifier (a Global Device ID, or GDID, described below) associated with STOKES is linked to the .168 address”

Shields up: The term "secret agent" is about to get a whole new meaning. The UK's NSCS said this week that it wants to "build a national fleet of 'red' and 'blue' AI agents to deliver the so-called UK Cyber Shield," according to our report, and the NSCS said the agents would provide "automated scanning of critical UK IP ranges for exposed vulnerabilities analysis of aggregated data to understand national level exposure."

Cyber Shield will see AI agents running UK cyber ops
UK cybersecurity agency the NCSC is planning a Cyber Shield system that will see AI agents “run national-level operations” its deputy CTO said.

Join peers following The Stack on LinkedIn

Hot mess: CISA warned Adobe users this week that a vulnerability in its ColdFusion web-application development platform is currently being exploited, although a patch is available. The vulnerability earned a CVE score of 10 (that's bad) and it allows attackers with access to a ColdFusion server to change the destination for certain files that they weren't supposed to be able to access.

Max severity Adobe ColdFusion being exploitated warns CISA
ColdFusion vulnerability could lead to arbitrary code execution.

Who are you: As Expedia's Rick Fast noted above, authentication is going to be one of the hardest problems for companies running AI agents to solve before a rogue agent does real damage. This week Vercel snapped up Better Auth to add its authentication technology to its development platform, with plans to go "where auth is heading: a future where agents act on users’ behalf and need secure, scoped, and revocable access," Better Auth CEO Bereket Engida said in a blog post.

Vercel buys Better Auth to boost agent identity controls
Preparing for “a future where agents act on users’ behalf and need secure, scoped, and revocable access.”

"Per my email": "Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses," Noma Security's Sasi Levi wrote this week in detailing a pretty bad one that allowed an attacker to steal data from a private GitHub repo. All they had to do was start the request for private data with the word "additionally" inserted into an otherwise benign prompt, and GitHub's AI agent was more than happy to hand over that data when asked so nicely.

How one word allowed a security researcher to steal private data from GitHub
“Prompt injection attacks have become ... a systematic, category-wide vulnerability class,” according to Noma Security.

Marked safe from memory: Rust has been one of the fastest-rising programming languages in recent history thanks in part to its memory-safe design, which prevents developers from making the kinds of memory-handling mistakes that spawned countless numbers of software vulnerabilities over the last several decades. This week it cracked the top ten of the TIOBE Index of programming languages for the first time, which also goes to show how many C and C++ applications still run huge chunks of the internet.

The Rust hype is becoming deafening
“You get a good engineer and you also arm them with an LLM and Rust, you can vomit out really good code that just doesn’t break”.

We're also reading:

Hiring for tech jobs may never be the same after the AI boom; Gergely Orosz broke down just how much has changed through 50+ interviews with job seekers and hiring managers.

Thinking about jumping off AWS and adopting an EU sovereign cloud? Techstrong took a deep look at the gaps between the massive amount of services available on the cloud infrastructure giant and the options offered by seven European cloud providers.

In case you missed it: Here's how European neobank bunq built its hub-and-spoke set of agents to power customer service across the bank for its 20 million customers; an interview sponsored by AWS.

Want to sponsor a newsletter and get in front of 30,000+ subscribers, including CTOs and CIOs wielding $150 billion in annual tech budget? Get in touch through our Partner page. 

The link has been copied!