Plus we celebrate WireGuard's inclusion in the Linux 5.6 kernel, and fight some exFAT FUD.

Links:

• WireGuard VPN makes it to 1.0.0—and into the next Linux kernel — It's a good day for WireGuard users—DKMS builds will soon be behind us.
• Linux 5.6 Is The Most Exciting Kernel In Years With So Many New Features
• fs: New zonefs file system — zonefs is a very simple file system exposing each zone of a zoned block device as a file. This is intended to simplify implementation of application zoned block device raw access support by allowing switching to the well known POSIX file API rather than relying on direct block device file ioctls and read/write.
• Ama-ZNS! Zonefs File-System Will Land with Linux® 5.6
• What is Zoned Storage and the Zoned Storage Initiative? — Zoned Storage is a new paradigm in storage motivated by the incredible explosion of data. Our data-driven society is increasingly dependent on data for every-day life and extreme scale data management is becoming a necessity.
• Linux Kernel Support - ZonedStorage.io
• dm-zoned — The dm-zoned device mapper target exposes a zoned block device as a regular block device.
• Device Mapper - ZonedStorage.io
• What are PMR and SMR hard disk drives?
• Beware of SMR drives in PMR clothing — WD and Seagate are both submarining Drive-managed SMR (DM-SMR) drives into channels, disguised as "normal" drives.
• Beware of SMR drives in PMR clothing [Reddit]
• The exFAT filesystem is coming to Linux—Paragon software’s not happy about it — When software and operating system giant Microsoft announced its support for inclusion of the exFAT filesystem directly into the Linux kernel back in August, it didn't get a ton of press coverage. But filesystem vendor Paragon Software clearly noticed this month's merge of the Microsoft-approved, largely Samsung-authored version of exFAT into the VFS for-next repository, which will in turn merge into Linux 5.7—and Paragon doesn't seem happy about it.
• The New Microsoft exFAT File-System Driver Is Set To Land With Linux 5.7
• Speeding up Linux disk encryption - The Cloudflare Blog — Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers.
• Add inline dm-crypt patch and xtsproxy Crypto API patch

Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

• Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
• The Facts: Mozilla’s DNS over HTTPs (DoH)
• Security/DOH-resolver-policy - MozillaWiki
• HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
• Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt: A History - The Morning Paper
• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
• Ballot SC22: Reduce Certificate Lifetimes
• Google Chrome’s fear of Microsoft Edge is revealing its bad side
• Microsoft shares a roadmap for the new Microsoft Edge
• Microsoft Edge: Top Feedback Summary for March 4
• Download Microsoft Edge Insider Channels
• Flaw in billions of Wi-Fi devices left communications open to eavesdropping | Ars Technica
• kr00k: A serious vulnerability deep inside Wi-Fi encryption
• Kr00k Paper
• Technical Details of Why Cloudflare Chose AMD EPYC for Gen X Servers
• An EPYC trip to Rome: AMD is Cloudflare’s 10th-generation Edge server CPU
• Cloudflare’s Gen X: Servers for an Accelerated Future
• Impact of Cache Locality
• Gen X Performance Tuning
• Securing Memory at EPYC Scale
• Intel promises Full Memory Encryption in upcoming CPUs | Ars Technica

Plus so-so SSD security, and a new wireless protocol that works best where the Wi-Fi sucks.

Links:

• “Where the Wi-Fi sucks” is where a new wireless protocol does its magic
• Ubiquiti’s new “Amplifi Alien” is a mesh-capable Wi-Fi 6 router
• Self-encrypting deception: weaknesses in the encryption of solid state drives
• Securely erase a solid-state drive
• Solid state drive/Memory cell clearing - ArchWiki
• The Deep Learning Revolution and Its Implications for Computer Architecture and Chip Design
• Intel Core i9-10980XE—a step forward for AI, a step back for everything else
• How to recognize AI snake oil

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

• Why big ISPs aren’t happy about Google’s plans for encrypted DNS
• Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
• How to enable DNS-over-HTTPS (DoH) in Google Chrome
• What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
• WARP is here
• The Technical Challenges of Building Cloudflare WARP
• mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
• HTTP/3: the past, the present, and the future
• Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
• QUIC Implementations
• Startpage.com - The world's most private search engine
• Google extends support lifespan for seven Lenovo Chromebooks to 2025
• Google’s Quantum Supremacy Announcement Shouldn't Be a Surprise
• Scott’s Supreme Quantum Supremacy FAQ
• AMD Ryzen Pro 3000 series desktop CPUs will offer full RAM encryption | Ars Technica

Plus an update on Wifi 6, an enlightening Chromebook bug, and some not-quite-quantum key distribution.

Links:

• RF Chirp tech: Long distance, incredible penetration, low bandwidth | Ars Technica — Recently, I took the company's technology for a spin with a pair of hand-held demo communicators about the size of a kid's walkie-talkie. They don't do much—just light up with a signal strength reading on both devices, whenever a transmit button on either is pressed—but that's enough to get a good indication of whether the tech will work to solve a given problem.
• Wi-Fi 6 Is Officially Here: Certification Program Begins — Finally, along with the launch of the certification program itself, the Wi-Fi Alliance has already certified its first dozen devices.
• Say hello to 802.11ax: Wi-Fi 6 device certification begins today | Ars Technica — Today, the Wi-Fi Alliance launched its Wi-Fi Certified 6 program, which means that the standard has been completely finalized, and device manufacturers and OEMs can begin the process of having the organization certify their products to carry the Wi-Fi 6 branding.
• Someone sent us 21 more pictures of the leaked Pixel 4 XL - The Verge
• iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max: Hands-on with Apple’s new phones | Ars Technica
• Some Chromebooks mistakenly declared themselves end-of-life last week | Ars Technica — A lot of Chromebook and Chromebox users don't realize this, but all ChromeOS devices have an expiration date. Google's original policy was for devices to be supported for five years, but the company has recently extended that time to 6.5 years.
• LINUX Unplugged 318: Manjaro Levels Up
• Fear the Man in the Middle? This company wants to sell quantum key distribution | Ars Technica
• Gentle intro to Quantum Key Distribution (QKD) – Lahiru Madushanka
• The Super-Secure Quantum Cable Hiding in the Holland Tunnel - Bloomberg — Banks and governments are testing quantum key distribution technology to guard their closest secrets.
• Quantum Key Distribution - QKD — This paper provides an overview of quantum key distribution targeted towards the computer science community. A brief description of the relevant principles from quantum mechanics is provided before surveying the most prominent quantum key distribution protocols present in the literature.
• TechSNAP 403: Keeping Systems Simple
• Linux Headlines — Linux and open source headlines every weekday, in under 3 minutes.

Plus what to expect from USB4 and an upcoming Linux scheduler speed-up for AMD's Epyc CPUs.

Links:

• Google says hackers have put ‘monitoring implants’ in iPhones for years | Technology | The Guardian — Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
• Project Zero: A very deep dive into iOS Exploit chains found in the wild — We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.
• Project Zero: In-the-wild iOS Exploit Chain 1 — This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.  
• Project Zero: In-the-wild iOS Exploit Chain 3 — It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users. While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.
• Project Zero: JSC Exploits — In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS.
• Project Zero: Implant Teardown — There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage.
• iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources — Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China.
• Google's Shocking Decision To Ignore A Critical Android Vulnerability In Latest Security Update — Despite immediately acknowledging the vulnerability and confirming in June that it will be fixed, Google had not provided an estimated time frame for the patch.
• Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn | Threatpost — “In the unlikely event an attacker succeeds in exploiting this bug, they would effectively have complete control over the target device,” he told Threatpost. Once an attacker obtains escalated privileges, “it means they could completely take over a device if they can convince a user to install and run their application,”
• Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks | WIRED — "During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some them"
• Linux 5.4 Kernel To Bring Improved Load Balancing On AMD EPYC Servers — The scheduler topology improvement by SUSE's Matt Fleming changes the behavior as currently it turns out for EPYC hardware the kernel has failed to properly load balance across NUMA nodes on different sockets.
• USB4 is coming soon and will (mostly) unify USB and Thunderbolt | Ars Technica — The USB Implementers Forum published the official USB4 protocol specification. If your initial reaction was "oh no, not again," don't worry—the new spec is backward-compatible with USB 2 and USB 3, and it uses the same USB Type-C connectors that modern USB 3 devices do.

Plus Apple's blaring bluetooth beacons and Facebook's worrying plans for WhatsApp.

Links:

• Apple bleee. Everyone knows What Happens on Your iPhone – hexway — If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
• Facebook Plans on Backdooring WhatsApp - Schneier on Security — In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
• Signal — Privacy that fits in your pocket.
• xkcd: Security — Turns out it's a $5 wrench, even better!
• Jim Salter on Twitter — I wonder why #privacy wonks aren't talking about browser fingerprinting more frequently? Privacy Badger, Ghostery, etc don't do a damn thing to prevent or mitigate Canvas / WebGL #fingerprinting.
• Browser Fingerprinting: What Is It and What Should You Do About It? - PixelPrivacy — Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
• Canvas Fingerprinting - BrowserLeaks.com — The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers uses different image processing engines, image export options, compression level, the final images may got different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.
• WebGL Browser Report - WebGL Fingerprinting - WebGL 2 Test - BrowserLeaks.com — WebGL Browser Report checks WebGL support in your web browser, produce WebGL Device Fingerprinting, and shows the other WebGL and GPU capabilities more or less related web browser identity.
• AmIUnique — Device fingerprinting or browser fingerprinting is the systematic collection of information about a remote device, for identification purposes. Client-side scripting languages allow the development of procedures to collect very rich fingerprints: browser and operating system type and version, screen resolution, architecture type, lists of fonts, plugins, microphone, camera, etc.
• Panopticlick — Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software. However, we only do so with your explicit consent, through the TEST ME button below.
• How private is your browser’s Private mode? Research into porn suggests “not very” | Ars Technica — This leaves browser fingerprinting as a method to tie your profiles together—and unfortunately, Incognito mode doesn't appear to help.
• Privacy Tools - Encryption Against Global Mass Surveillance — You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance.
• ‘Fingerprinting’ to Track Us Online Is on the Rise. Here’s What to Do. - The New York Times — Fingerprinting involves looking at the many characteristics of your mobile device or computer, like the screen resolution, operating system and model, and triangulating this information to pinpoint and follow you as you browse the web and use apps. Once enough device characteristics are known, the theory goes, the data can be assembled into a profile that helps identify you the way a fingerprint would.
• Digital 'Fingerprinting' Is The Next Generation Tracking Technology | The Takeaway | WNYC Studios — This growing technology is almost invisible, making it impossible for users to opt-out of the tracking system. As it becomes more popular, tech companies are developing new ways to try and protect consumers from this form of tracking. But is it going to work?
• New Warning Issued Over Google's Chrome Ad-Blocking Plans — The plans, dubbed Manifest V3, represent a major transformation to Chrome extensions including a revamp of the permissions system. As a result, modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work.
• Comment on Chrome extension manifest v3 proposal by gorhill — The blocking ability of the webRequest API is still deprecated, and Google Chrome's limited matching algorithm will be the only one possible, and with limits dictated by Google employees. It's annoying that they keep saying "the webRequest API is not deprecated" as if developers have been worried about this -- and as if they want to drown the real issue in a fabricated one nobody made.
• CanvasBlocker
• Ghostery
• Disconnect

Plus we turn our eye to hardware and get excited about the latest Ryzen line from AMD.

Links:

• Third parties confirm AMD’s outstanding Ryzen 3000 numbers | Ars Technica — AMD debuted its new Ryzen 3000 desktop CPU line a few weeks ago at E3, and it looked fantastic. For the first time in 20 years, it looked like AMD could go head to head with Intel's desktop CPU line-up across the board. The question: would independent, third-party testing back up AMD's assertions?
• The Internet broke today: Facebook, Verizon, and more see major outages | Ars Technica — Last week, Verizon caused a major BGP misroute that took large chunks of the Internet, including CDN company Cloudflare, partially down for a day. This week, the rest of the Internet has apparently asked Verizon to hold its beer.
• It was a really bad month for the internet | TechCrunch — In the past month there were several major internet outages affecting millions of users across the world. Sites buckled, services broke, images wouldn’t load, direct messages ground to a halt and calendars and email were unavailable for hours at a time.
• Cloudflare outage caused by bad software deploy (updated) — For about 30 minutes today, visitors to Cloudflare sites received 502 errors caused by a massive spike in CPU utilization on our network. This CPU spike was caused by a bad software deploy that was rolled back.
• How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today — Today at 10:30UTC, the Internet had a small heart attack. A small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider.
• Getting started | Prometheus — This guide is a "Hello World"-style tutorial which shows how to install, configure, and use Prometheus in a simple example setup.
• prometheus/node_exporter — Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors.
• Using netdata with Prometheus — Prometheus is a distributed monitoring system which offers a very simple setup along with a robust data model. Recently netdata added support for Prometheus.
• prometheus/nagios_plugins — Nagios plugin for alerting on prometheus query results.
• RobustPerception/nrpe_exporter — The NRPE exporter exposes metrics on commands sent to a running NRPE daemon.
• m-lab/prometheus-nagios-exporter — The Prometheus Nagios exporter reads status and performance data from nagios plugins via the MK Livestatus Nagios plugin and publishes this in a form that can be scrapped by Prometheus.
• Comparison to alternatives | Prometheus — Prometheus is a full monitoring and trending system that includes built-in and active scraping, storing, querying, graphing, and alerting based on time series data.
• Quality server monitoring solution using NetData/Prometheus/Grafana — I’m going to quickly show you how to install both netdata and Prometheus on the client and server. We can then use grafana pointed at Prometheus to obtain long-term metrics netdata offers.
• Monitoring stack by using Grafana + Prometheus + Netdata — This monitoring stack you can monitoring in real-time by Netdata and see the history by using Grafana.
• Monitoring Agent · NCPA — New to NCPA? See some of the awesome features present in the Web GUI and API, available on any operating system.
• Nagios 101: Understanding the Fundamentals - Nagios
• Nagios Documentation

Plus the biggest stories out of Kubecon, and serverless gets serious.

Links:

• Everything that was announced at KubeCon
• CNCF to Host etcd — The Cloud Native Computing Foundation Technical Oversight Committee voted to accept etcd as an incubation-level hosted project.
• Introduction to Knative — Knative is a framework from the folks at Google and Pivotal focused on “serverless” style event driven functions.
• IBM Embraces Knative to Drive Serverless Standardization — Knative is not the first open-source functions-as-a-service effort that IBM has backed. Back in 2016, IBM announced the OpenWhisk effort, which is now run as an open-source project at the Apache Software Found.
• How Google Is Improving Kubernetes Container Security — "We go beyond what's in open source and put additional restrictions in place to secure users"
• Demystifying Kubernetes CVE-2018-1002105 — With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
• The silent CVE in the heart of Kubernetes apiserver
• Crossplane: An Open Source Multicloud Control Plane
• security.christmas — This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about the world of security.
• Introducing the Helm Hub — This hub provides a means for you to find charts hosted in many distributed repositories hosted by numerous people and organizations.

Plus the latest router botnet, why you should never go full UPnP, and the benefits of building your own home router.

Special Guest: Jim Salter.

Links:

• Google goes down after major BGP mishap routes traffic through China — Google lost control of several million of its IP addresses for more than an hour on Monday in an event that intermittently made its search and other services unavailable to many users.
• Internet Vulnerability Takes Down Google
• China has been 'hijacking the vital internet backbone of western countries'
• RPKI - The required cryptographic upgrade to BGP routing
• HTTP/3 — The protocol that's been called HTTP-over-QUIC for quite some time has now changed name and will officially become HTTP/3.
• HTTP/3: Come for the speed, stay for the security
• The Road to QUIC
• Botnet pwns 100,000 routers using ancient security flaw — Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention
• BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
• From Zero to ZeroDay Journey: Router Hacking
• The Ars guide to building a Linux router from scratch

Plus the latest vulnerabilities in Wireshark and OpenSSH, the new forensic hotness from Netflix, and some great introductions to cryptography.

Special Guest: Martin Wimpress.

Links:

• I’m teaching email security to Democratic campaigns. It’s as bad as 2016.
• Botched CIA Communications System Helped Blow Cover of Chinese Agents
• NSA-Designed Speck Algorithm to Be Removed From Linux 4.20
• Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
• Wireshark can be crashed via malicious packet trace files
• Service provider story about tracking down TCP RSTs
• The case of the 500-mile email
• Diffy: A cloud-centric triage tool for digital forensics and incident response
• An intensive introduction to Cryptography
• The Manga Guide to Cryptography | No Starch Press