<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
    <title>Michael Price</title>
    <subtitle>Field notes and career stories from an engineer who still ships.</subtitle>
    <link rel="self" type="application/atom+xml" href="https://blog.nyvorin.com/atom.xml"/>
    <link rel="alternate" type="text/html" href="https://blog.nyvorin.com"/>
    <generator uri="https://www.getzola.org/">Zola</generator>
    <updated>2026-06-14T00:00:00+00:00</updated>
    <id>https://blog.nyvorin.com/atom.xml</id>
    <entry xml:lang="en">
        <title>The breach that kept coming back</title>
        <published>2026-06-14T00:00:00+00:00</published>
        <updated>2026-06-14T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              Unknown
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.nyvorin.com/posts/the-breach-that-kept-coming-back/"/>
        <id>https://blog.nyvorin.com/posts/the-breach-that-kept-coming-back/</id>
        
        <content type="html" xml:base="https://blog.nyvorin.com/posts/the-breach-that-kept-coming-back/">&lt;p&gt;It came in as a bug report on a Wednesday. The text editor on a site I look after had lost most of its buttons. An hour in, I understood I was not looking at a bug. I was looking at a hole, and someone was already climbing through it.&lt;&#x2F;p&gt;
&lt;p&gt;My first instinct was to panic. I did not. Panic makes you start fixing before you understand what you are fixing. So I sat with the logs and mapped the damage first. What got in, how far it reached, what it might have touched. Once I could describe the blast radius out loud, I started to move.&lt;&#x2F;p&gt;
&lt;p&gt;The work split into two jobs. Close the hole. Clean up what came through it.&lt;&#x2F;p&gt;
&lt;p&gt;The cleanup ran late. Around midnight I called the system administrator on the client side and told her straight how urgent this was. We got on a Zoom and rotated the keys that mattered while we were both awake to confirm each one. Nothing proved those keys had been stolen. They could have been, and that was reason enough to treat them as if they were. You assume the worst on the things that would hurt the most. That keeps the blast radius small, and it lets everyone sleep that night instead of lying awake doing math.&lt;&#x2F;p&gt;
&lt;p&gt;Then I thought I had it. I patched the path the attacker used, set up a scanner, and stepped back.&lt;&#x2F;p&gt;
&lt;p&gt;Out of habit, I checked again myself. The attacker had already found a second way in, one my fix did not cover and my scanner never flagged. If I had trusted the green light over my own eyes, the site would have sat there wide open as though I had never shown up. That happened three times. Patch, reverify, find the next door hanging open. Whack-a-mole, and the mole was winning on volume.&lt;&#x2F;p&gt;
&lt;p&gt;What ended it was going under the symptom. Instead of closing each door one at a time, I shut the whole wing. I cut off every route into that plugin at once. The recurrences stopped. By late Thursday into early Friday morning, it was actually over.&lt;&#x2F;p&gt;
&lt;p&gt;A few things stuck.&lt;&#x2F;p&gt;
&lt;h2 id=&quot;recheck-it-yourself&quot;&gt;Recheck it yourself&lt;&#x2F;h2&gt;
&lt;p&gt;Reverification is the job. Run it yourself, every time. A scanner only catches what it was built to catch and stays quiet about the rest. The check I trusted was the one I ran by hand, hunting for the thing I had not thought of yet.&lt;&#x2F;p&gt;
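&lt;p&gt;One way to run that hand check, as an added example rather than anything from the post or the site in question: snapshot the web root right after the patch, then diff the live tree against that snapshot on every recheck. A signature scanner reports only the paths it knows; a manifest diff reports every file that appeared, vanished or changed, which is how the second door shows up. The directory layout, file names and the scanner's signature list below are constructed for the example.&lt;&#x2F;p&gt;

```python
"""Added example (not from the post): re-verify a web root by hand.

A signature scanner only flags what it was built to flag. Diffing the
live tree against a known-good manifest flags every added, removed or
changed file, which is how you find the second door the scanner never
saw. The web root layout and file names below are constructed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, changed) relative paths, each sorted."""
    base_paths = set(baseline)
    cur_paths = set(current)
    added = sorted(cur_paths - base_paths)
    removed = sorted(base_paths - cur_paths)
    changed = sorted(p for p in base_paths.intersection(cur_paths)
                     if baseline[p] != current[p])
    return added, removed, changed


def signature_scan(current, known_bad):
    """Stand-in for a signature scanner: only reports paths on its list."""
    return sorted(p for p in current if p in known_bad)


def put_file(root, rel, data):
    """Write data to root/rel, creating parent directories as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Snapshot a constructed web root, simulate the return visit, re-check."""
    root = tempfile.mkdtemp(prefix="webroot-")
    # Known-good tree captured right after the first patch (constructed).
    put_file(root, "index.php", b"site entry point v1")
    put_file(root, "plugins/editor/editor.php", b"editor plugin, patched")
    put_file(root, "plugins/editor/assets/toolbar.js", b"toolbar v1")
    put_file(root, "uploads/2026/photo.jpg", b"jpeg bytes")
    baseline = build_manifest(root)

    # The attacker comes back through a path the patch did not cover:
    # a dropped file in the writable uploads tree and a backdoored editor.
    put_file(root, "uploads/2026/.cache.php", b"webshell")
    put_file(root, "plugins/editor/editor.php", b"editor plugin, backdoored")

    current = build_manifest(root)
    # The scanner only knows the file from the first intrusion, already gone.
    scanner_hits = signature_scan(current, {"plugins/editor/tmp/x.php"})
    added, removed, changed = diff_manifests(baseline, current)
    return {
        "scanner_hits": scanner_hits,
        "added": added,
        "removed": removed,
        "changed": changed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

&lt;p&gt;The scanner comes back green because the only path on its list was cleaned up in the first pass; the manifest diff returns the dropped file under uploads and the modified plugin file. On a real site the baseline would be taken from a fresh install or a trusted backup, not from the live tree, and the uploads directory deserves a separate rule that flags any executable file at all.&lt;&#x2F;p&gt;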
&lt;h2 id=&quot;legacy-is-a-countdown&quot;&gt;Legacy is a countdown&lt;&#x2F;h2&gt;
&lt;p&gt;Running a live site on an out-of-date framework is a countdown. When the security patches stop coming and the known holes pile up, getting hit becomes a question of when somebody aims a bot your way. Sometimes the vendor does not ship a fix in time. In my case a clean upgrade would have triggered a cascade of other upgrades, too risky and too slow for a site already scheduled to be retired in a few months. So you hold the line by hand and you plan the exit.&lt;&#x2F;p&gt;
&lt;h2 id=&quot;the-human-part&quot;&gt;The human part&lt;&#x2F;h2&gt;
&lt;p&gt;The part people skip is the human one. The midnight call. The plain language. Choosing to act as if the worst were true so nobody had to gamble on it. Each time it came back I told her before she had to ask, owned that my last fix was too narrow, and showed her the wider one. That is what kept her trusting me enough to let me keep working while the ground moved under us.&lt;&#x2F;p&gt;
&lt;h2 id=&quot;when-attacking-gets-cheap&quot;&gt;When attacking gets cheap&lt;&#x2F;h2&gt;
&lt;p&gt;And then there is the part that actually sits with me. This landed three days after the exploit for that plugin went public. It also landed the day after Anthropic shipped its Fable 5 model, &lt;a rel=&quot;noopener&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;www.anthropic.com&#x2F;news&#x2F;fable-mythos-access&quot;&gt;which the company pulled soon after&lt;&#x2F;a&gt;, &lt;a rel=&quot;noopener&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;cybersecuritynews.com&#x2F;anthropics-claude-fable-5-jailbroken&#x2F;&quot;&gt;following a public jailbreak&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;p&gt;I cannot prove a model wrote the thing that hit me. I can tell you the timing made me sit up. Attacking a system used to take skill. Now someone can describe what they want and let a model do the reaching. More people will try, because trying just got cheap.&lt;&#x2F;p&gt;
&lt;p&gt;So the next stretch looks like white hat AI against black hat AI. Some of the black hat will be bad intent holding a good model. Some of it will be a good model talked into bad work by someone who knew the right words. I spent two days as the white hat. I do not think it was my last.&lt;&#x2F;p&gt;
</content>
        
    </entry>
    <entry xml:lang="en">
        <title>What version one has to survive</title>
        <published>2026-06-13T00:00:00+00:00</published>
        <updated>2026-06-13T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              Unknown
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.nyvorin.com/posts/what-version-one-has-to-survive/"/>
        <id>https://blog.nyvorin.com/posts/what-version-one-has-to-survive/</id>
        
        <content type="html" xml:base="https://blog.nyvorin.com/posts/what-version-one-has-to-survive/">&lt;p&gt;Before Pluto TV was a company, it was a handful of files I owned end to end. No
funding, no org chart, no second opinion. Just the bet, and the code the bet
rode on.&lt;&#x2F;p&gt;
&lt;p&gt;People treat version one like a rough draft. I have come to see it the opposite
way. The first version carries the whole company on its back before anyone has
agreed to catch it. It has to take a punch from reality and keep standing long
enough for the next person to believe in it.&lt;&#x2F;p&gt;
&lt;p&gt;So I built it to survive contact. I kept the moving parts few enough that I
could hold the whole thing in my head at 2am. I made the risky pieces loud, so
when something broke it told me where and why instead of going quiet. I left the
clever ideas on the shelf and shipped the boring ones that I could reason about
under pressure.&lt;&#x2F;p&gt;
&lt;p&gt;That version got Pluto off the ground and into its first real funding. Later it
grew into the free streaming service millions of people watch, and Viacom
acquired it. None of that happens if the first cut folds the first week.&lt;&#x2F;p&gt;
&lt;p&gt;Here is the lesson I still carry into every founding build. Version one is not
where you prove how good you are. It is where you prove the idea can stand up.
Make it small, make it honest about its own failures, and make it yours. The
polish comes after something is alive to polish.&lt;&#x2F;p&gt;
</content>
        
    </entry>
</feed>
