Categories
Security Uncategorized wordpress

Security Advisory: WooCommerce Delivery Notes RCE Exploit (CVE-2025-13773)

Summary

A critical Remote Code Execution vulnerability in WooCommerce Delivery Notes <= 5.8.0 allowed attackers to inject PHP code into plugin settings. The malicious code executed when any admin or the backend printed an invoice via DomPDF, installing backdoors and creating unauthorized admin accounts.

This vulnerability was publicly disclosed in December 2025 and is actively being exploited in the wild.

Categories
docker hosting linux network rails Security Technology Uncategorized

Self-hosting with Kamal: Watch your ports when shipping.

I’ve been playing around with Kamal from Basecamp (previously called MRSK) for deploying simple apps on a single server.

There’s a lot to like about Kamal’s ergonomics and principles. But there were a few things that I struggled with or that confused me.

It mostly boils down to Kamal offering some kind of a layer of abstraction over docker, SSH and some linux commands. But perhaps more importantly, DHH, the creator of Kamal, quite explicitly says that:

“[It] is designed for multi-server operation”.

DHH

Why is this distinction important?

Because it implicitly avoids some of the nice (and more secure) features of docker on a single host, primarily: internal network connections and name resolution.

[It] is designed for multi-server operation, so the internal network idea breaks down pretty quick with that. You’d have to unstrip all of that when you go to scale it. So I think we’re better off keeping the network host transparent.

DHH

This is a completely fair design choice, and simplifies a lot of complexity for Kamal. However, when you’re running your new startup or a hobby project, you want to keep things simple and run it all on one host.

But you don’t want to compromise on security and unintentionally expose your Database or Redis to the outside world, right?

Categories
privacy Security Technology

Does iOS 14 protect your privacy?

A few months ago I wrote a post: Does Apple care about your privacy?

In the post, I looked at Apple’s IDFA – ID For Advertising, and how it’s abused by companies like Facebook and many more to track you. I believed then, and still believe now, that what Apple is doing is not ethical and also not legal under the European GDPR.

Since then, Apple actually announced that iOS 14 would change the way IDFA was accessible to all apps by default and that it would start “Asking Permission to Track”. This is a welcome change. Sadly, despite iOS 14 rolling out already, and despite Apple’s claims on this page, this change is still not in place.

Luckily, however, I was able to collaborate on this issue with NOYB (None Of Your Business: a privacy organization; please consider donating if you care about your privacy). NOYB brought forward an official complaint against Apple. The complaint was not a GDPR complaint, but rather highlighting an ePrivacy violation. This is another legal framework which explicitly forbids the kind of stuff Apple is doing.

Categories
Security Technology

Protecting TimeMachine backups from itself

Going down the time machine rabbit hole…

I love the fact that MacOS comes with TimeMachine built-in, and I also really appreciate its simplicity. It makes backups easy and accessible even for non-technical people. It gets messy, however, if you also want to have real offsite backups.

TimeMachine works great with a USB external HD, but things get tricky over the network.

I own a small Synology NAS, and I managed to mount a TimeMachine volume and get it to back up to that volume. The problem started when the volume size started to grow. I could set a quota on the volume, but for some strange reason, when the quota is reached, TimeMachine just starts failing without a clear reason. There’s no way to tell TimeMachine to only keep X versions, or keep disk storage below a certain threshold. It’s supposed to prune backups automatically, but seems to fail with my network volume.

Categories
hosting privacy Security Technology

Why is Backblaze tracking me?

This is a follow-up to my previous post: hey.com is onto something with its tracking-pixel blocker. I mentioned contacting Backblaze about their email tracking there.

I didn’t think too much of it at the time, and honestly (or naively?) was expecting some kind of a “Oh, yes, you’re right, there’s no need to track those emails”… But it didn’t unfold in quite the same way.

TL;DR

This is my own interpretation, obviously. Backblaze seems to think that tracking emails is totally fine, even under the GDPR. They’re not going to stop doing it until further notice.

Categories
hosting Security Technology

Disposable emails: I gave Fastmail a second chance

About 4 years ago I wrote a rather lengthy rant about Fastmail, and why it didn’t fit my needs: Why I’m not using Fastmail. A few weeks ago, I gave it another chance, and this time the experience was way better.

Categories
privacy Security Technology

Does Apple care about your privacy?

I’ve been an Apple user since 2005 or so. Well, unless you consider my Apple IIc, in which case I guess I was a customer since 1987. I managed to negotiate with my parents to bundle two birthdays (my 12th and my Bar Mitzvah, that’s a big one) to get one of those. It was a turning point in my life… But I digress.

Image: By Bilby – Own work, CC BY 3.0

I really admire Apple’s push for security without compromising convenience, with Touch ID and Face ID making things safer. Apple’s touting their efforts to reduce web tracking, and Tim Cook publicly stated that “We at Apple believe that privacy is a fundamental human right”.

But when it comes to their own backyard, does Apple even meet the requirements of the GDPR? (The European privacy directive). I don’t think so.

Categories
docker hosting Security Technology

envwarden and kubernetes secrets

envwarden is a simple open-source script that lets you manage your server secrets with Bitwarden.

Read more about envwarden here

Here’s a simple way to update your Kubernetes secrets directly from envwarden, so they are always in sync.

Categories
Security

Security through obscurity with Bitwarden

I never thought I’d write something negative about Bitwarden. I love it. It’s an incredible password manager, and I even created envwarden: a small open-source wrapper to handle server secrets with Bitwarden.

But I recently bumped into a small issue that looks like Security through obscurity to me. And I thought it was odd for a security-focused product.

The issue was that I couldn’t export the items in my company’s vault. Even though I had access to the cards [1].

I contacted Bitwarden about it, and they said that:

An Organization user cannot export the Organization’s Vault without being an Admin or Owner.

When I asked why I couldn’t export them, given that I did have access to the cards in my organization, I was told:

We do not allow people to export the Organization Vault unless they are an Admin simply because this has been requested by demand from our customers. Being able to dump all passwords in one quick action is different than having to access every one individually to copy them out.

I explained that this seems like Security through obscurity, since I had vault access, and also it’s trivial to dump all passwords using the Bitwarden CLI anyway.

Categories
rails Security Technology

simple and secure cron using AWS Lambda

Many apps require some tasks to execute on schedule: cleaning up inactive user accounts, generating daily, weekly or monthly reports, sending out reminders via email, etc.

cron is a simple and trusted scheduler for unix, and is used on pretty much any unix-based system I come across.

So cron seems like a natural candidate for triggering those job executions. But it’s not always the best solution.

In our case, we’ve used the whenever gem for rails successfully for a long while. The gem acts as a cron DSL and lets you inject and manage cron entries from your rails app.

The problem starts however when you start growing, and your app spans more than one server. Or even if you only use one server, but want to be able to fail-over, or switch from one server to another.

Why? Suddenly you have more than one cron launcher, and jobs that should execute once end up executing once on each server. This can cause some weird and unexpected lockouts, duplication and other issues.

So what’s the alternative?
