This week’s installment of my LinkBlog covers old tech that is new, operational tech that is secure, observability that is not expensive and a series of vulnerabilities for us to snigger at, then take a breath and take seriously. Mainframes are not dead I have often said that learning COBOL is on my bucket list and that my advice for young people in the software engineering sector is that learning how to program mainframes would be quite profitable as the current cohort of greybeards retire, and nobody understands anymore how the thing that holds banks and insurances and government together actually works.

My post is a little late this week as I went away with the scouts. Everyone else was in the bunkhouse, I was in a tent. Something about ratios. And I brought the summer sleeping bag. Freezing. Alone. Kind of like America must feel like. What does America have to do with tents, I hear you ask? Well, now that the US has abandoned an inclusive big tent approach and focuses more on pissing on everyone else’s tents, according to Cory Doctorow (of enshittification fame) it has handed us a golden opportunity to break free of American dominance of technology.

Like any blog post at New Year’s, we’ll be looking to the future. We’ll also check our assumptions and we’ve got some security content before looking at a website to destroy all websites. I did like this piece on The Register which looks at four potentially game changing technologies without mentioning AI. The oxygen of publicity this year has mostly been consumed by our two-lettered friend, AI. There’s no reason to think this will change in 2026.

To those who celebrate the festivals either end of the last 7 days of the year: Happy <insert here>! This time round, there’s not one, but two bleeding fails in security, some interesting protections, how slowing down is not only speeding up, but also making things more enjoyable. So without further ado, and much less waffle, let’s jump right in: GPG fail Our first fail is from the 39th Chaos Computer Congress gathering, which provided a rather bountiful set of vulnerabilities and weaknesses around GPG - the GNU Privacy Guard to give it its full title.

This week we’re looking through a mix of security and AI once more. Because tech is nothing but those two topics, right? Right? Anyway, I am often travelling on the train or stay in hotels these days, I find myself working on public wifis. Of course, one look on LinkedIn will immediately warn you of the dangers of public wifi. Seemingly, as soon as you connect a hacker will automatically steal your credit cards.

Let’s start this week with many happy returns for Let’s Encrypt! It’s been 10 years since free TLS certificates made it much more common that things go via HTTPS rather than HTTP. When anyone and everyone was able get a cert, it certainly reduced the barriers to adoption. These days it is almost unimaginable to have some web traffic that doesn’t use TLS. Now, if only we could convince some “security experts” to stop going on about how connecting to a public wifi will allow h4x0rs to steal all your data.

This week, we’re talking about React4shell. The latest in the 4shell family of vulnerabilities. What does 4shell mean? Usually that it’s possible to do RCE (Remote Code Execution) based on an application vulnerability and typically, attackers will leverage that to get a remote shell. And now, for something completely different My first link is not related to react4shell, but it’s yet another way of how guardrails in LLM models can be subverted.

This week is an odd mixture about sandworms, supply chains and basically how everything is broken anyway. And then (after all the naughtiness) let’s end on something nice. Thumped by a Sandworm Sha1 Hulud came back for another go at supply chain attacks. Patient zero of this wave appears to have been Posthog - an analytics platform a bit like Mixpanel. According to their postmortem, their build pipeline was compromised by a simple pull request.

This week there have been some interesting bugs. Or interest in bugs. Bugs It was Cloudflare’s turn to break the internet. As per usual, the transparency on display is rather cool. It was rather interesting that for once, the problem wasn’t DNS or BGP, neither was it a cyberattack. Though indirectly, the threat of bots was responsible. As a subtle change in the handling of queries meant that the bot management system suddenly produced config files that were twice as large and that made them larger than the system could handle.

This week’s edition of the weakly link has got some fire in it: First on the menu we’ve got a report that tries to tell us that if there’s an AI bubble, that’s a good thing: The AI Wildfire Is Coming. It’s Going to Be Very Painful and Incredibly Healthy Instead of a bubble, the post tells us of one dinner guest at a CEO dinner in Silicon Valley who argues that instead of a bubble it is more like a wildfire.