Plus the latest Intel speculative execution vulnerability, and Microsoft's troubled history with certificate renewal.

Links:

• Oregon company makes top bid for Microsoft check - CNET
• Microsoft’s failures to renew: Teams, Hotmail, and Hotmail.co.uk | Ars Technica
• Microsoft Teams goes down after Microsoft forgot to renew a certificate - The Verge
• Browser review: Microsoft’s new “Edgium” Chromium-based Edge | Ars Technica
• Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree | Ars Technica
• Ubuntu 20.04 LTS Adds WireGuard Support - Phoronix
• Multipath TCP Support Is Working Its Upstream - First Bits Landing With Linux 5.6 - Phoronix
• MultiPath TCP - Linux Kernel implementation
• Upstreaming multipath TCP
• LPC2019 - Multipath TCP Upstreaming - YouTube
• LPC2019 - Multipath TCP Upstreaming - Slides
• LPC2019 - Multipath TCP Upstreaming - Paper
• Using MultiPath TCP to enhance home networks
• Linux 5.6 Crypto Getting AVX/AVX2/AVX-512 Optimized Poly1305
• Poly1305
• CacheOut
• CacheOut Paper
• Intel Responds to ZombieLoad and CacheOut Attacks | Tom's Hardware
• New CacheOut Attack Targets Intel CPUs, Leaks Data From VMs And Secure Enclave

Plus Debian's continued init system debate, and our frustrations over 5G reporting.

Links:

• 5G Underwhelms in Its First Big Test - WSJ
• How South Korea built 5G, and what it's learning - RCR Wireless News
• After seven months, here’s what South Korea can teach us about 5G - CNA
• South Korea secures 4 million 5G subscribers | ZDNet
• Debian Developers Take To Voting Over Init System Diversity
• Debian GR Results
• General Resolution: Init systems and systemd
• Ringing In 2020 By Clang’ing The Linux 5.5 Kernel - Benchmarks Of GCC vs. Clang Built Kernels
• Using LLVM Clang To Compile The Linux Kernel Is Heating Up Again Thanks To Google
• Building the kernel with Clang - LWN
• ClangBuiltLinux
• Compiling the Linux kernel with LLVM tools (FOSDEM 2019)

Plus the surprising performance of eero's mesh Wi-Fi, some great news for WireGuard, and an update on the Librem 5.

Links:

• T-Mobile launches 600MHz 5G across the US, but no one can use it yet
• Study confirms AT&T’s fake 5G E network is no faster than Verizon, T-Mobile or Sprint 4G
• 5G on the horizon: Here’s what it is and what’s coming
• Can 5G replace everybody’s home broadband?
• The Snapdragon 865 will make phones worse in 2020, thanks to mandatory 5G
• Librem 5 backers have begun receiving their Linux phones
• Amazon’s inexpensive Eero mesh Wi-Fi kit is shockingly good
• WireGuard VPN is a step closer to mainstream adoption

Plus what to expect from USB4 and an upcoming Linux scheduler speed-up for AMD's Epyc CPUs.

Links:

• Google says hackers have put ‘monitoring implants’ in iPhones for years | Technology | The Guardian — Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
• Project Zero: A very deep dive into iOS Exploit chains found in the wild — We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.
• Project Zero: In-the-wild iOS Exploit Chain 1 — This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.  
• Project Zero: In-the-wild iOS Exploit Chain 3 — It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users. While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.
• Project Zero: JSC Exploits — In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS.
• Project Zero: Implant Teardown — There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage.
• iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources — Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China.
• Google's Shocking Decision To Ignore A Critical Android Vulnerability In Latest Security Update — Despite immediately acknowledging the vulnerability and confirming in June that it will be fixed, Google had not provided an estimated time frame for the patch.
• Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn | Threatpost — “In the unlikely event an attacker succeeds in exploiting this bug, they would effectively have complete control over the target device,” he told Threatpost. Once an attacker obtains escalated privileges, “it means they could completely take over a device if they can convince a user to install and run their application,”
• Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks | WIRED — "During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some them"
• Linux 5.4 Kernel To Bring Improved Load Balancing On AMD EPYC Servers — The scheduler topology improvement by SUSE's Matt Fleming changes the behavior as currently it turns out for EPYC hardware the kernel has failed to properly load balance across NUMA nodes on different sockets.
• USB4 is coming soon and will (mostly) unify USB and Thunderbolt | Ars Technica — The USB Implementers Forum published the official USB4 protocol specification. If your initial reaction was "oh no, not again," don't worry—the new spec is backward-compatible with USB 2 and USB 3, and it uses the same USB Type-C connectors that modern USB 3 devices do.