On December 9, an arbitrary code execution vulnerability in Apache Log4j 2 went public. The world spent the weekend patching. A week later we have CVE-2021-44228, the follow-up CVE-2021-45046, and CVE-2021-45105, three patches in five days, and a long list of structural lessons that the Java ecosystem will be working through for years.
tag: #security
The project formerly known as bitwarden_rs renamed to Vaultwarden last month, completing the rebrand at the request of the Bitwarden team. Six weeks in, the new name is settling. The underlying project remains what it always was - the right way to self-host Bitwarden if you want full control of your password infrastructure.
QUIC is in late draft, HTTP/3 is shipping in Chrome and Firefox, and Cloudflare and Google are already serving meaningful traffic over both. The internet's transport layer is being rewritten. This is what changed, why it changed, and what it means for everyone who runs servers.
Jason Donenfeld submitted WireGuard for inclusion in the Linux kernel mainline in August. Even before merge, the four-thousand-line VPN is already faster, simpler, and more secure than OpenVPN or IPsec. Here is what it is, why the design matters, and how to deploy it now.
On January 3, three vulnerabilities in modern CPUs reframed two decades of assumptions about hardware-enforced isolation. The patches are landing. The deeper lesson — that speculative execution as currently designed is fundamentally hostile to security — is what we are still working out.
Mathy Vanhoef forced WPA2 to reinstall a key it was already using, resetting the nonce and handing an attacker the keystream. Every correct implementation was affected, and Linux managed to be affected worst of all by installing an all-zero key. Here is the handshake, the flaw, and why the link layer was never where your trust belonged.
Self-hosting email used to mean installing Postfix and pointing an MX record at it. In 2017, the deliverability fight against Gmail and Outlook is the real work, and most of the difficulty is not the mail server itself.
Borg 1.0 has been stable since February. If your backup strategy is still rsync to an external drive, you are leaving real safety on the table. Encryption, deduplication, and compression are not optional anymore.
Let's Encrypt left beta last week and entered general availability. Free, automated, ninety-day certificates from a CA that browsers actually trust. The change is bigger than the price tag suggests.