On January 3, three vulnerabilities in modern CPUs reframed two decades of assumptions about hardware-enforced isolation. The patches are landing. The deeper lesson — that speculative execution as currently designed is fundamentally hostile to security — is what we are still working out.
tag: #linux
Mathy Vanhoef forced WPA2 to reinstall a key it was already using, resetting the nonce and handing an attacker the keystream. Every correct implementation was affected, and Linux managed to be affected worst of all by installing an all-zero key. Here is the handshake, the flaw, and why the link layer was never where your trust belonged.
ext4 will hand you a corrupted file and swear everything is fine. ZFS checksums every block, repairs what it can, and makes snapshots cost nothing. With ZoL 0.7 out and Stretch a contrib package away from it, here is why my homelab storage now runs on copy-on-write, and the licensing mess you sign up for by using it.
Debian 9 Stretch released two weeks ago, ending Jessie's reign as stable. Most servers will upgrade through the year. Here is what is genuinely new, what is worth knowing before you migrate, and what is going to bite you.
Stretch is out, dedicated to Ian Murdock, with over 90% of packages now reproducible, MariaDB instead of MySQL, and the modern GnuPG by default. It also renames your network interfaces out from under you, which is how a routine upgrade locks you out of your own server. Here is what is worth caring about, and what to check before you reboot.
Self-hosting email used to mean installing Postfix and pointing an MX record at it. In 2017, the deliverability fight against Gmail and Outlook is the real work, and most of the difficulty is not the mail server itself.
Borg 1.0 has been stable since February. If your backup strategy is still rsync to an external drive, you are leaving real safety on the table. Encryption, deduplication, and compression are not optional anymore.
A race in mm/gup.c lets any local user write to read-only memory and rewrite setuid binaries. It sat in the kernel for nine years. Here is how the race actually works, and why "it's only local" was always a lie, especially now that everyone runs containers.
Let's Encrypt left beta last week and entered general availability. Free, automated, ninety-day certificates from a CA that browsers actually trust. The change is bigger than the price tag suggests.
A brief summary of what this post is about.