Links:

• Caddy offers TLS, HTTPS, and more in one dependency-free Go Web server
• Caddy 2
• Caddy v2 Improvements [slightly out of date]
• Proposal: Permanently change all proprietary licensing to open source · Issue #2786 · caddyserver/caddy
• Revert "Implement Caddy-Sponsors HTTP response header" by lol768 · Pull Request #1866 · caddyserver/caddy
• Intel’s 10th generation desktop CPUs have arrived—still on 14nm
• Intel Comet Lake 10th Gen CPU release date, specs, price, and performance
• 10th Gen Intel® Core™ Desktop Processors
• US military is furious at FCC over 5G plan that could interfere with GPS
• The Pentagon's fight to kill Ligado's 5G network
• FCC Approves Ligado L-Band Application to Facilitate 5G & IoT

Plus Cloudflare steps up its campaign to secure BGP, and why you might want to trade in cron for systemd timers.

Links:

• AMD Claims World’s Fastest Per-Core Performance with New EPYC Rome 7Fx2 CPUs
• AMD EPYC 7F52 Linux Performance - AMD 7FX2 CPUs Further Increasing The Fight Against Intel Xeon Review
• Understanding RAID: How performance scales from one disk to eight
• New Cloudflare tool can tell you if your ISP has deployed BGP fixes
• Is BGP safe yet?
• RPKI - The required cryptographic upgrade to BGP routing
• Why I Prefer systemd Timers Over Cron – Thomas Stringer
• systemd/Timers - ArchWiki
• systemd.time (Time format docs)
• systemd.timer (Unit docs)

Plus Intel's surprisingly overclockable laptop CPU, why you shouldn't freak out about 5G, and the incredible creativity of the Demoscene.

Links:

• Asus ROG Zephyrus G14—Ryzen 7nm mobile is here, and it’s awesome
• Linux on Laptops: ASUS Zephyrus G14 with Ryzen 9 4900HS
• Intel’s 10th-generation H-series laptop CPUs break 5GHz | Ars Technica
• Wi-Fi 6E becomes official—the FCC will vote on rules this month
• Celebs share rumors linking 5G to coronavirus, nutjobs burn cell towers
• Not-actually Linux distro review: FreeBSD 12.1-RELEASE
• Not actually Linux distro review deux: GhostBSD
• MOD (file format) - Wikipedia
• AT&T.MOD (YouTube)
• DJ Moses Rising—Ice Cream Trance (YouTube)
• Farbrausch—The Product (64K Intro, 2000)
• Farbrausch—Poem to a Horse (64K Intro, 2002)
• Finland accepts the Demoscene on its national UNESCO list of intangible cultural heritage of humanity

Plus Let's Encrypt's certificate validation mix-up, Intel's questionable new power supply design, and more.

Links:

• Let's Encrypt changes course on certificate revocation
• Revoking certain certificates on March 4
• Let's Encrypt: Incomplete revocation for CAA rechecking bug
• Pass authzModel by value, not reference
• The Complete Guide to CAA Records
• DNS Certification Authority Authorization
• AMD's 7nm Ryzen 4000 laptop processors are finally here
• How Intel is changing the future of power supplies with its ATX12VO spec
• Single Rail Power Supply ATX12VO Design Guide
• FreeNAS and TrueNAS are Unifying
• FreeNAS and TrueNAS are Unifying [Video Announcement]
• Ubuntu 20.04's zsys adds ZFS snapshots to package management
• ubuntu/zsys: zsys daemon and client for zfs systems

Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

• Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
• The Facts: Mozilla’s DNS over HTTPs (DoH)
• Security/DOH-resolver-policy - MozillaWiki
• HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
• Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt: A History - The Morning Paper
• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
• Ballot SC22: Reduce Certificate Lifetimes
• Google Chrome’s fear of Microsoft Edge is revealing its bad side
• Microsoft shares a roadmap for the new Microsoft Edge
• Microsoft Edge: Top Feedback Summary for March 4
• Download Microsoft Edge Insider Channels
• Flaw in billions of Wi-Fi devices left communications open to eavesdropping | Ars Technica
• kr00k: A serious vulnerability deep inside Wi-Fi encryption
• Kr00k Paper
• Technical Details of Why Cloudflare Chose AMD EPYC for Gen X Servers
• An EPYC trip to Rome: AMD is Cloudflare’s 10th-generation Edge server CPU
• Cloudflare’s Gen X: Servers for an Accelerated Future
• Impact of Cache Locality
• Gen X Performance Tuning
• Securing Memory at EPYC Scale
• Intel promises Full Memory Encryption in upcoming CPUs | Ars Technica

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

• Why big ISPs aren’t happy about Google’s plans for encrypted DNS
• Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
• How to enable DNS-over-HTTPS (DoH) in Google Chrome
• What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
• WARP is here
• The Technical Challenges of Building Cloudflare WARP
• mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
• HTTP/3: the past, the present, and the future
• Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
• QUIC Implementations
• Startpage.com - The world's most private search engine
• Google extends support lifespan for seven Lenovo Chromebooks to 2025
• Google’s Quantum Supremacy Announcement Shouldn't Be a Surprise
• Scott’s Supreme Quantum Supremacy FAQ
• AMD Ryzen Pro 3000 series desktop CPUs will offer full RAM encryption | Ars Technica

Plus what to expect from USB4 and an upcoming Linux scheduler speed-up for AMD's Epyc CPUs.

Links:

• Google says hackers have put ‘monitoring implants’ in iPhones for years | Technology | The Guardian — Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
• Project Zero: A very deep dive into iOS Exploit chains found in the wild — We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.
• Project Zero: In-the-wild iOS Exploit Chain 1 — This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.  
• Project Zero: In-the-wild iOS Exploit Chain 3 — It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users. While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.
• Project Zero: JSC Exploits — In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS.
• Project Zero: Implant Teardown — There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage.
• iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources — Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China.
• Google's Shocking Decision To Ignore A Critical Android Vulnerability In Latest Security Update — Despite immediately acknowledging the vulnerability and confirming in June that it will be fixed, Google had not provided an estimated time frame for the patch.
• Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn | Threatpost — “In the unlikely event an attacker succeeds in exploiting this bug, they would effectively have complete control over the target device,” he told Threatpost. Once an attacker obtains escalated privileges, “it means they could completely take over a device if they can convince a user to install and run their application,”
• Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks | WIRED — "During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some them"
• Linux 5.4 Kernel To Bring Improved Load Balancing On AMD EPYC Servers — The scheduler topology improvement by SUSE's Matt Fleming changes the behavior as currently it turns out for EPYC hardware the kernel has failed to properly load balance across NUMA nodes on different sockets.
• USB4 is coming soon and will (mostly) unify USB and Thunderbolt | Ars Technica — The USB Implementers Forum published the official USB4 protocol specification. If your initial reaction was "oh no, not again," don't worry—the new spec is backward-compatible with USB 2 and USB 3, and it uses the same USB Type-C connectors that modern USB 3 devices do.

Also, a few Windows worms you should know about, the end of the road for EV certs, and an embarrassing new Bluetooth attack.

Links:

• A detailed look at AMD’s new Epyc “Rome” 7nm server CPUs | Ars Technica — The short version of the story is, Epyc "Rome" is to the server what Ryzen 3000 was to the desktop—bringing significantly improved IPC, more cores, and better thermal efficiency than either its current-generation Intel equivalents or its first-generation Epyc predecessors.
• AMD Rome Second Generation EPYC Review: 2x 64-core Benchmarked — Ever since the Opteron days, AMD's market share has been rounded to zero percent, and with its first generation of EPYC processors using its new Zen microarchitecture, that number skipped up a small handful of points, but everyone has been waiting with bated breath for the second swing at the ball. AMD's Rome platform solves the concerns that first gen Naples had, plus this CPU family is designed to do many things: a new CPU microarchitecture on 7nm, offer up to 64 cores, offer 128 lanes of PCIe 4.0, offer 8 memory channels, and offer a unified memory architecture based on chiplets.
• AMD EPYC Rome Still Conquering Cascadelake Even Without Mitigations - Phoronix — Out of curiosity, I've run some unmitigated benchmarks for the various relevant CPU speculative execution vulnerabilities on both the Intel Xeon Platinum 8280 Cascadelake and AMD EPYC 7742 Rome processors for seeing how the performance differs.
• Intel’s line of notebook CPUs gets more confusing with 14nm Comet Lake | Ars Technica — Going by Intel's numbers, Comet Lake looks like a competent upgrade to its predecessor Whiskey Lake. The interesting question—and one largely left unanswered by Intel—is why the company has decided to launch a new line of 14nm notebook CPUs less than a month after launching Ice Lake, its first 10nm notebook CPUs.
• A look at the Windows 10 exploit Google Zero disclosed this week | Ars Technica — On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root—er, system that is—on any unpatched Windows 10 system they're able to log in to
• Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182) – Microsoft Security Response Center — Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.
• KNOB Attack — TL;DR: The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.
• Troy Hunt: Extended Validation Certificates are (Really, Really) Dead — With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.
• Google wants to reduce lifespan for HTTPS certificates to one year | ZDNet — Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process. Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked.

Plus we turn our eye to hardware and get excited about the latest Ryzen line from AMD.

Links:

• Third parties confirm AMD’s outstanding Ryzen 3000 numbers | Ars Technica — AMD debuted its new Ryzen 3000 desktop CPU line a few weeks ago at E3, and it looked fantastic. For the first time in 20 years, it looked like AMD could go head to head with Intel's desktop CPU line-up across the board. The question: would independent, third-party testing back up AMD's assertions?
• The Internet broke today: Facebook, Verizon, and more see major outages | Ars Technica — Last week, Verizon caused a major BGP misroute that took large chunks of the Internet, including CDN company Cloudflare, partially down for a day. This week, the rest of the Internet has apparently asked Verizon to hold its beer.
• It was a really bad month for the internet | TechCrunch — In the past month there were several major internet outages affecting millions of users across the world. Sites buckled, services broke, images wouldn’t load, direct messages ground to a halt and calendars and email were unavailable for hours at a time.
• Cloudflare outage caused by bad software deploy (updated) — For about 30 minutes today, visitors to Cloudflare sites received 502 errors caused by a massive spike in CPU utilization on our network. This CPU spike was caused by a bad software deploy that was rolled back.
• How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today — Today at 10:30UTC, the Internet had a small heart attack. A small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider.
• Getting started | Prometheus — This guide is a "Hello World"-style tutorial which shows how to install, configure, and use Prometheus in a simple example setup.
• prometheus/node_exporter — Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors.
• Using netdata with Prometheus — Prometheus is a distributed monitoring system which offers a very simple setup along with a robust data model. Recently netdata added support for Prometheus.
• prometheus/nagios_plugins — Nagios plugin for alerting on prometheus query results.
• RobustPerception/nrpe_exporter — The NRPE exporter exposes metrics on commands sent to a running NRPE daemon.
• m-lab/prometheus-nagios-exporter — The Prometheus Nagios exporter reads status and performance data from nagios plugins via the MK Livestatus Nagios plugin and publishes this in a form that can be scrapped by Prometheus.
• Comparison to alternatives | Prometheus — Prometheus is a full monitoring and trending system that includes built-in and active scraping, storing, querying, graphing, and alerting based on time series data.
• Quality server monitoring solution using NetData/Prometheus/Grafana — I’m going to quickly show you how to install both netdata and Prometheus on the client and server. We can then use grafana pointed at Prometheus to obtain long-term metrics netdata offers.
• Monitoring stack by using Grafana + Prometheus + Netdata — This monitoring stack you can monitoring in real-time by Netdata and see the history by using Grafana.
• Monitoring Agent · NCPA — New to NCPA? See some of the awesome features present in the Web GUI and API, available on any operating system.
• Nagios 101: Understanding the Fundamentals - Nagios
• Nagios Documentation