Mar 18, 2026
Broken Cloud Update - 2026-03-18 02:03 UTC
Always a fun day when endpoints hand out free shells and cloud "security features" double as recon tools. Free Root via Langflow Langflow just gifted the internet a trivial RCE. They left
Mar 17, 2026
The industry is too busy giving chatbots root access to notice our underlying routing and parsing infrastructure is still entirely broken. Hijacking Cluster DNS Kube-router blindly trusts `ExternalIPs` and `LoadBalancer` IPs. Hand a user
Mar 17, 2026
We blow millions on endpoint agents while attackers just weaponize our management consoles and "working as designed" features. The Native Wiper Why write malware when MDM does it for you? Attackers wiped
Mar 17, 2026
Vendors are still shipping defaults that completely nuke their own security models. Transparent Disk Decryption Running IncusOS bare-metal? Your TPM-backed LUKS encryption is security theater against physical access. The default TPM policy doesn'
Mar 16, 2026
If your security model assumes underlying runtimes actually parse strings correctly, I have some terrible news for you. The "Trust Me, Bro" JWT Authlib's JWS implementation has a fatal fallback
Mar 16, 2026
Relying on cloud providers to stop billing you, or OSes to tell the truth, are terrible strategies. Asynchronous Bankruptcy GCP takes your money instantly but stops dangerously slow. A startup ate a $128k bill
Mar 14, 2026
We spent years locking down cloud perimeters just to watch teams deploy naked LLMs to the public internet. The Shadow AI Blast Radius Forget prompt injection. The nightmare is shipping an experimental AI agent
Mar 14, 2026
Another day, another stack of tools blindly trusting user input. Dynamic Key Fetching Disasters Centrifugo builds JWKS URLs using unverified JWT claims. Pass it a junk token, and it interpolates your payload into the
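The pattern behind that teaser, as an added illustration that is not Centrifugo's code and makes no claim about its internals: a server reads the `iss` claim out of a JWT before the signature has been checked and interpolates it into a JWKS URL, so whoever minted the token picks which host gets fetched. The hardened variant below only ever looks the claim up in a pre-configured table of trusted issuers. The token construction, `TRUSTED_ISSUERS` and the sample issuer values are all constructed for this example.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_junk_token(claims: dict) -> str:
    """Constructed attacker token: plausible header, arbitrary claims, garbage signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.AAAA"  # no key ever signed this


def decode_unverified_claims(token: str) -> dict:
    """Return the claims set WITHOUT verifying the signature (what a key-discovery step sees)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def jwks_url_unsafe(token: str) -> str:
    # Anti-pattern: the attacker-controlled 'iss' claim becomes the fetch target.
    claims = decode_unverified_claims(token)
    return f"{claims['iss']}/.well-known/jwks.json"


# Hypothetical operator configuration: issuer -> the JWKS endpoint we chose for it.
TRUSTED_ISSUERS = {
    "https://login.example.com": "https://login.example.com/.well-known/jwks.json",
}


def jwks_url_safe(token: str, trusted: dict = TRUSTED_ISSUERS):
    """Resolve the JWKS URL by exact lookup; return None for any issuer we did not configure."""
    claims = decode_unverified_claims(token)
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return None
    # The claim is only a dictionary key; no part of it reaches the URL.
    return trusted.get(iss)


if __name__ == "__main__":
    evil = make_junk_token({"iss": "http://169.254.169.254/latest", "sub": "anyone"})
    print("unsafe fetches:", jwks_url_unsafe(evil))
    print("safe resolves :", jwks_url_safe(evil))
```

The unsafe function happily returns a link-local metadata URL for the junk token; the safe one returns `None` because the issuer is not in the table, and the request never leaves the process.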
Mar 13, 2026
The top K8s ingress controller is officially dead, and base OSes are still handing out trivial root shells. End of the Road for Ingress-Nginx Maintainers dropped the final ingress-nginx release to patch one last
Mar 13, 2026
We keep trusting default configurations that fail at basic validation, while deploying security tools that drown us in useless alerts. The Anonymous Identity Crisis Running Parse Server? You might want to check your default