Tag: Security

8 entries found

Analyzing Container Filesystem Isolation for Multi-Tenant Workloads

12 min read

I recently came across an exceptionally dense technical analysis about container security that’s worth sharing. The author started with a simple hypothesis: container filesystem isolation should be sufficient for multi-tenant workloads without virtual machines, if you sufficiently understand what’s happening at the syscall level.

After thorough investigation, the conclusion is more uncomfortable than expected: the defaults protect you well, but the moment you reach for “advanced” features like bidirectional mount propagation or SELinux relabeling, you’re one misconfiguration away from handing an attacker the keys to your host.

Vercel Sandbox: Running PHP, Node and Go Code Safely?

5 min read

Vercel has announced the general availability of Vercel Sandbox, an execution layer designed specifically for AI agents. But beyond the AI agent hype, there’s an interesting question: can it be useful for running code safely in different languages like PHP, Node, or Go?

What is Vercel Sandbox?

Vercel Sandbox provides on-demand Linux microVMs. Each sandbox is isolated, with its own filesystem, network, and process space. You get sudo access, package managers, and the ability to run the same commands you’d run on a Linux machine.

Cloudflare Innovates Again: Cryptographic Authentication for Bots (The End of Fake User-Agents)

7 min read

The Problem We All Know (But Pretend Doesn’t Exist)

As someone who has managed web infrastructure for decades, I’ve seen too many bots pretending to be what they’re not. User-Agent: “Mozilla/5.0 (Windows NT 10.0; Win64; x64)” when in reality it’s a Chinese scraper sucking up your content at 3 in the morning.

Traditional methods for identifying legitimate bots have been, let’s be honest, pathetic:

  • IP ranges: That change, are shared, or are spoofed
  • User-Agent headers: That anyone can forge in one line of code
  • Reverse DNS: That works until it doesn’t

Today Cloudflare announced that it’s integrating HTTP Message Signatures directly into its Verified Bots program. And after reading the technical details, I have to admit something: this could definitively change the rules of the game.

Certbot and nginx - renewal and setup without service downtime

2 min read

When installing or renewing Let’s Encrypt on a web server with nginx, we have to decide whether to do it with a temporary server, which means we must temporarily stop the web service, or indicate what the DocumentRoot of the web server is for the domain.

The latter implies that the website or service has a “public” DocumentRoot, and that’s not always easy when we’re using, for example, a Python, Java, or Go application and nginx as a proxy.

Certbot and nginx - renewal and setup without stopping the service

2 min read

When installing or renewing Let’s Encrypt on a web server with nginx, we have to decide whether to do it with a temporary server, which means stopping the web service temporarily, or by indicating which DocumentRoot the web server uses for the domain.

The latter requires the website or service to have a “public” DocumentRoot, and that is not always easy when we are using, for example, an application in Python, Java, or Go with nginx as a proxy.

What to do in a disaster

1 min read

I have always said: “There are two types of people: those who have lost data and those who have not yet.” Given this scenario, we try to do everything in our power to safeguard all the information we have on computers in the safest way.