#security
- The Software Year That Ended With Everything on Fire
Looking back at 2021's biggest software and security stories, from Log4Shell to Copilot to Gopher, as the year closes out.
- Log4j Fatigue Is Real, and It's Teaching Us the Wrong Lesson (Sort Of)
Three Log4j patches in under two weeks left security teams exhausted — and exposed a deeper problem: nobody actually knows what's in their software.
- Copilot Writes Fast. Does It Write Safe?
New academic research digs into how often GitHub Copilot's AI-generated code suggestions contain insecure patterns.
- CISA Orders Federal Agencies to Patch Log4Shell — And Apache Ships a Third Fix
CISA issued an emergency directive on Log4Shell as Apache released its third Log4j patch in under two weeks.
- Patch Tuesday Lands on Windows 11 While the Internet Fights Log4Shell
Microsoft's December cumulative update brings fixes and small UX polish to Windows 11, arriving as IT teams scramble to contain Log4Shell.
- Log4j Gets a Second Patch While the Geminids Light Up the Sky
Apache ships Log4j 2.16.0 after CVE-2021-45046 exposes gaps in the first fix, and the Geminid meteor shower peaks the same week.
- What a CVSS 10.0 Actually Means (And Why Log4Shell Earned It)
A plain-language look at the CVSS scoring system, using Log4Shell's maximum 10.0 score to explain what severity ratings really tell IT teams.
- Log4Shell Just Dropped and the Internet Is on Fire
A critical remote-code-execution flaw in the ubiquitous Log4j library was disclosed today as CVE-2021-44228, and exploitation is already underway.
- Apache Rushes Out a Patch for a Nasty Log4j Flaw
A maximum-severity remote-code-execution bug in the ubiquitous Apache Log4j library got its first fix today, and the fallout is only beginning.
- Don't Let Black Friday Turn Into a Phishing Trip
A few practical habits to avoid scams during the Black Friday and Cyber Monday shopping rush.
- GoDaddy's 1.2 Million-Customer Breach Is a Managed Hosting Nightmare
GoDaddy disclosed a breach exposing sFTP, database, and even SSL private key credentials for up to 1.2 million Managed WordPress customers.
- Russia Just Blew Up a Satellite, and Now the ISS Crew Is Dodging Debris
Russia's anti-satellite missile test destroyed Kosmos 1408 and scattered over 1,500 trackable fragments, forcing the ISS crew to shelter in place.
- The Facebook Papers Are Here, and They're Ugly
A media consortium began publishing stories from leaked internal Facebook documents this week, exposing what the company knew about Instagram's harm to teens.
- How One Bad Config Push Erased Facebook From the Internet
A closer look at the BGP misconfiguration that knocked Facebook, Instagram, and WhatsApp offline for six hours last week.
- Twitch's Nightmare Week: A 125GB Leak and a Scramble to Contain It
An anonymous leak of Twitch's source code and payout data forced the platform into emergency damage control this week.
- South Africa's Justice Department Goes Dark After Ransomware Hit
A ransomware attack knocked South Africa's Department of Justice offline, forcing courts back to pen and paper.
- Facebook Hits Pause on Instagram Kids
Facebook is pausing development of Instagram Kids after pressure from lawmakers, child-safety advocates, and 44 state attorneys general.
- One Ransomware Attack, Hundreds of Closed Bookstores
A ransomware hit on French SaaS provider TiteLive shows how one vendor breach can cascade across an entire retail sector.
- Can AI Moderation Really Police a Platform the Size of Facebook?
The Facebook Files reporting reignites the debate over whether automated content moderation can catch harm at billion-post scale.
- The Facebook Files: What Frances Haugen's Leaked Documents Reveal
The Wall Street Journal's new Facebook Files series, drawn from tens of thousands of leaked internal pages, shows Facebook knew Instagram harms teen girls.
- When a DDoS Attack Knocked Out New Zealand's Post Office and Banks
A distributed denial-of-service attack briefly took down NZ Post, several major banks, and government sites, exposing how fragile national digital infrastructure can be.
- Howard University's Ransomware Wake-Up Call
A ransomware attack knocked Howard University's wifi offline for days, another sign campus IT is a soft target in the hybrid-learning era.
- The Poly Network Hacker Gave the Money Back, and Also a Job Offer Happened
Poly Network confirms nearly all $611 million from its August 10 hack has been returned after the attacker handed over the final private key.
- T-Mobile's Breach Just Got Worse — Now It's Your Device's Turn
T-Mobile disclosed that attackers also grabbed IMEI and IMSI numbers, pushing the total affected past 76 million.
- T-Mobile's Breach Just Got Much, Much Worse
T-Mobile now says over 40 million former and prospective customers had records exposed, alongside 7.8 million current postpaid subscribers.
- T-Mobile Confirms It Got Hacked, and the Details Are Still Coming In
T-Mobile confirmed a major breach after stolen customer data surfaced for sale, with an attacker allegedly brute-forcing an exposed network gateway.
- NortonLifeLock and Avast Are Joining Forces, and It Says a Lot About Where Security Is Headed
NortonLifeLock's roughly $8 billion deal to acquire Avast consolidates two of the biggest names in consumer antivirus software.
- The $611 Million Heist Nobody Saw Coming — And the Hacker Who Says They Want to Give It Back
A Poly Network exploit drained over $611 million across three blockchains, making it the largest DeFi hack ever — and then things got weird.
- Apple's iCloud Photo Scanning Plan Is a Privacy Minefield
Apple's new on-device CSAM detection for iCloud Photos aims to fight child exploitation but opens a surveillance debate security researchers can't ignore.
- Kaseya Finally Gets Its Decryptor — Three Weeks Late
Kaseya says a "trusted third party" handed it a universal REvil decryption key, three weeks after the ransomware attack locked out roughly 1,000 businesses.