Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

• Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
• The Facts: Mozilla’s DNS over HTTPs (DoH)
• Security/DOH-resolver-policy - MozillaWiki
• HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
• Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt: A History - The Morning Paper
• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
• Ballot SC22: Reduce Certificate Lifetimes
• Google Chrome’s fear of Microsoft Edge is revealing its bad side
• Microsoft shares a roadmap for the new Microsoft Edge
• Microsoft Edge: Top Feedback Summary for March 4
• Download Microsoft Edge Insider Channels
• Flaw in billions of Wi-Fi devices left communications open to eavesdropping | Ars Technica
• kr00k: A serious vulnerability deep inside Wi-Fi encryption
• Kr00k Paper
• Technical Details of Why Cloudflare Chose AMD EPYC for Gen X Servers
• An EPYC trip to Rome: AMD is Cloudflare’s 10th-generation Edge server CPU
• Cloudflare’s Gen X: Servers for an Accelerated Future
• Impact of Cache Locality
• Gen X Performance Tuning
• Securing Memory at EPYC Scale
• Intel promises Full Memory Encryption in upcoming CPUs | Ars Technica

Plus the latest Intel speculative execution vulnerability, and Microsoft's troubled history with certificate renewal.

Links:

• Oregon company makes top bid for Microsoft check - CNET
• Microsoft’s failures to renew: Teams, Hotmail, and Hotmail.co.uk | Ars Technica
• Microsoft Teams goes down after Microsoft forgot to renew a certificate - The Verge
• Browser review: Microsoft’s new “Edgium” Chromium-based Edge | Ars Technica
• Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree | Ars Technica
• Ubuntu 20.04 LTS Adds WireGuard Support - Phoronix
• Multipath TCP Support Is Working Its Upstream - First Bits Landing With Linux 5.6 - Phoronix
• MultiPath TCP - Linux Kernel implementation
• Upstreaming multipath TCP
• LPC2019 - Multipath TCP Upstreaming - YouTube
• LPC2019 - Multipath TCP Upstreaming - Slides
• LPC2019 - Multipath TCP Upstreaming - Paper
• Using MultiPath TCP to enhance home networks
• Linux 5.6 Crypto Getting AVX/AVX2/AVX-512 Optimized Poly1305
• Poly1305
• CacheOut
• CacheOut Paper
• Intel Responds to ZombieLoad and CacheOut Attacks | Tom's Hardware
• New CacheOut Attack Targets Intel CPUs, Leaks Data From VMs And Secure Enclave

Plus a look back at Apollo-era audio that's still relevant today with the surprising story of the Quindar tones.

Links:

• Critical Vulnerabilities in Microsoft Windows Operating Systems
• Win10 Crypto Vulnerability: Cheating in Elliptic Curve Billiards 2
• NSA discovers a serious flaw in Windows 10
• Exploiting CVE-2020-0601
• CVE-2020-0601 POC
• NSA Cybersecurity Advisory on CryptoAPI Flaw
• Why can’t I get to the internet on my new OPNsense install?! - Jim's Blog
• OPNsense: a true open source security platform and more
• There's An Actual Name And Reason For Those Beeps You Hear In Recordings Of Astronauts In Space
• Quindar Tones
• Cap'n Crunch Whistle and the Secrets of the Little Blue Box

Links:

• Introducing Nebula, the open source global overlay network from Slack
• nebula: A scalable overlay networking tool with a focus on performance, simplicity and security
• Nebula VPN routes between hosts privately, flexibly, and efficiently
• How to set up your own Nebula mesh VPN, step by step
• LINUX Unplugged 329: Flat Network Truthers
• Cloudy with a chance of neurons: The tools that make neural networks work
• Welcome To Colaboratory
• ImageColorizer Notebook
• DeOldify: A Deep Learning based project for colorizing and restoring old images (and video!)

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

• Why big ISPs aren’t happy about Google’s plans for encrypted DNS
• Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
• How to enable DNS-over-HTTPS (DoH) in Google Chrome
• What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
• WARP is here
• The Technical Challenges of Building Cloudflare WARP
• mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
• HTTP/3: the past, the present, and the future
• Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
• QUIC Implementations
• Startpage.com - The world's most private search engine
• Google extends support lifespan for seven Lenovo Chromebooks to 2025
• Google’s Quantum Supremacy Announcement Shouldn't Be a Surprise
• Scott’s Supreme Quantum Supremacy FAQ
• AMD Ryzen Pro 3000 series desktop CPUs will offer full RAM encryption | Ars Technica

Plus Apple's blaring bluetooth beacons and Facebook's worrying plans for WhatsApp.

Links:

• Apple bleee. Everyone knows What Happens on Your iPhone – hexway — If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
• Facebook Plans on Backdooring WhatsApp - Schneier on Security — In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
• Signal — Privacy that fits in your pocket.
• xkcd: Security — Turns out it's a $5 wrench, even better!
• Jim Salter on Twitter — I wonder why #privacy wonks aren't talking about browser fingerprinting more frequently? Privacy Badger, Ghostery, etc don't do a damn thing to prevent or mitigate Canvas / WebGL #fingerprinting.
• Browser Fingerprinting: What Is It and What Should You Do About It? - PixelPrivacy — Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
• Canvas Fingerprinting - BrowserLeaks.com — The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers uses different image processing engines, image export options, compression level, the final images may got different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.
• WebGL Browser Report - WebGL Fingerprinting - WebGL 2 Test - BrowserLeaks.com — WebGL Browser Report checks WebGL support in your web browser, produce WebGL Device Fingerprinting, and shows the other WebGL and GPU capabilities more or less related web browser identity.
• AmIUnique — Device fingerprinting or browser fingerprinting is the systematic collection of information about a remote device, for identification purposes. Client-side scripting languages allow the development of procedures to collect very rich fingerprints: browser and operating system type and version, screen resolution, architecture type, lists of fonts, plugins, microphone, camera, etc.
• Panopticlick — Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software. However, we only do so with your explicit consent, through the TEST ME button below.
• How private is your browser’s Private mode? Research into porn suggests “not very” | Ars Technica — This leaves browser fingerprinting as a method to tie your profiles together—and unfortunately, Incognito mode doesn't appear to help.
• Privacy Tools - Encryption Against Global Mass Surveillance — You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance.
• ‘Fingerprinting’ to Track Us Online Is on the Rise. Here’s What to Do. - The New York Times — Fingerprinting involves looking at the many characteristics of your mobile device or computer, like the screen resolution, operating system and model, and triangulating this information to pinpoint and follow you as you browse the web and use apps. Once enough device characteristics are known, the theory goes, the data can be assembled into a profile that helps identify you the way a fingerprint would.
• Digital 'Fingerprinting' Is The Next Generation Tracking Technology | The Takeaway | WNYC Studios — This growing technology is almost invisible, making it impossible for users to opt-out of the tracking system. As it becomes more popular, tech companies are developing new ways to try and protect consumers from this form of tracking. But is it going to work?
• New Warning Issued Over Google's Chrome Ad-Blocking Plans — The plans, dubbed Manifest V3, represent a major transformation to Chrome extensions including a revamp of the permissions system. As a result, modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work.
• Comment on Chrome extension manifest v3 proposal by gorhill — The blocking ability of the webRequest API is still deprecated, and Google Chrome's limited matching algorithm will be the only one possible, and with limits dictated by Google employees. It's annoying that they keep saying "the webRequest API is not deprecated" as if developers have been worried about this -- and as if they want to drown the real issue in a fabricated one nobody made.
• CanvasBlocker
• Ghostery
• Disconnect

Links:

• TechSNAP Episode 390: What’s Up with WireGuard
• WireGuard Sent Out Again For Review — WireGuard lead developer Jason Donenfeld has sent out the ninth version of the WireGuard secure network tunnel patches for review. If this review goes well and lands in net-next in the weeks ahead, this long-awaited VPN improvement could make it into the mainline Linux 5.2 kernel.
• CloudFlare announces Warp VPN — Using Cloudflare’s existing network of servers, Internet users all over the world will be able to connect to Warp VPN through the 1.1.1.1 app. In the same vein, Warp VPN will not significantly increase battery usage by using an efficient protocol called WireGuard.
• CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation - Phoronix — CloudFlare took to creating BoringTun as they wanted a user-space solution as not to have to deal with kernel modules or satisfying certain kernel versions. They also wanted cross platform support and for their chosen implementation to be very fast, these choices which led them to writing a Rust-based solution.
• cloudflare/boringtun — BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
• VPN protocol WireGuard now has an official macOS app — You can already download the WireGuard app on Android and iOS, but today’s release is all about macOS.
• WireGuard Windows Pre-Alpha — I've been mostly absent these last weeks, due to being completely absorbed in Windows programming. I think we're finally getting to the state where we might really benefit from testing of the "pre-alpha".
• Wintun – Layer 3 TUN Driver for Windows — Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux's /dev/net/tun and BSD's /dev/tun.
• WireGuard for Kubernetes: Introducing Gravitational Wormhole — Wormhole is a Kubernetes network plugin that combines the simplicity of flannel with encrypted networking from WireGuard.
• gravitational/wormhole: Wireguard based overlay network CNI plugin for kubernetes
• NetworkManager 1.16 — NetworkManager 1.16 is a big feature release bringing support for WireGuard VPN tunnels
• Portal Cloud - Subspace — Subspace is an open source WireGuard® VPN server that supports connecting all of your devices to help secure your internet access.
• subspacecloud/subspace — A simple WireGuard VPN server GUI
• jimsalterjrs/wg-admin — Simple CLI utilities to manage a WireGuard server
• 5 big misconceptions about virtual LANs — In the real world, VLANs are anything but simple.
• High Availability vs. Fault Tolerance vs. Disaster Recovery — You need IT infrastructure that you can count on even when you run into the rare network outage, equipment failure, or power issue. When your systems run into trouble, that’s where one or more of the three primary availability strategies will come into play: high availability, fault tolerance, and/or disaster recovery.
• High Availability: Concepts and Theory — Running server operations using clusters of either physical or virtual computers is all about improving both reliability and performance over and above what you could expect from a single, high-powered server.
• RPO and RTO: Understanding the Differences — Recovery time objective refers to how much time an application can be down without causing significant damage to the business. Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs.
• JupiterBroadcasting/Talks — Public repository of crew talks, slides, and additional resources.
• Command Line Threat Hunting — That viruses and malware are Windows problems is a misnomer that is often propagated through the Linux community and it's an easy one to believe until you start noticing strange behavior on your system. What do you do next? Join Ell Marquez and Tony Lambert in discussing a common sense approach to threat detection using only command line tools.
• Fear the Man in the Middle? This company wants to sell quantum key distribution — For now, Quantum XChange has only said about a dozen companies are part of the pilot. But with the appetite for quantum solutions in the US increasing—the National Quantum Initiative was just signed into law at the end of 2018 to advance the tech—this could be an opportune time to enter the market, so long as the service lives up to its billing.

Plus the importance of sane defaults and why netdata belongs on every system.

Links:

• Why you want QoS - Netdata Documentation — One of the features the Linux kernel has, but it is rarely used, is its ability to apply QoS on traffic. Even most interesting is that it can apply QoS to both inbound and outbound traffic.
• FireQOS Wiki — FireQOS is a helper to assist you configure traffic shaping on Linux.
• FireHOL - Linux firewalling and traffic shaping for humans — FireHOL is a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. The configurations stay readable even for very complex setups.
• tc(8) man page — Traffic Control consists of the following: SHAPING When traffic is shaped, its rate of transmission is under control. Shaping may be more than lowering the available bandwidth - it is also used to smooth out bursts in traffic for better network behaviour. Shaping occurs on egress. SCHEDULING By scheduling the transmission of packets it is possible to improve interactivity for traffic that needs it while still guaranteeing bandwidth to bulk transfers. Reordering is also called prioritizing, and happens only on egress. POLICING Where shaping deals with transmission of traffic, policing pertains to traffic arriving. Policing thus occurs on ingress. DROPPING Traffic exceeding a set bandwidth may also be dropped forthwith, both on ingress and on egress.
• Overview of Traffic Control Concepts — Traffic control is the name given to the sets of queuing systems and mechanisms by which packets are received and transmitted on a router. This includes deciding which (and whether) packets to accept at what rate on the input of an interface and determining which packets to transmit in what order at what rate on the output of an interface.
• Advanced traffic control - ArchWiki
• Journey to the Center of the Linux Kernel: Traffic Control, Shaping and QoS — This document describes the Traffic Control subsystem of the Linux Kernel in depth, algorithm by algorithm, and shows how it can be used to manage the outgoing traffic of a Linux system.
• Netdata Real-time performance monitoring, done right! — Netdata is distributed, real-time, performance and health monitoring for systems and applications. It is a highly optimized monitoring agent you install on all your systems and containers.
• Add more charts to netdata — To collect non-system metrics, netdata supports a plugin architecture.

Special Guest: Chad M. Crowell.

Links:

• Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years
• An Azure Infrastructure Year in Review
• Azure File Sync now generally available
• Microsoft's Newest OS is Based on Linux
• Azure Sphere
• What is Azure Stack?
• Azure Outage Proves the Hard Way Availability Zones are a Good Idea
• Microsoft Azure Infrastructure and Deployment on Linux Academy — In this course, we will cover an introduction to the Azure portal, followed by how to build infrastructure and deploy that infrastructure in real world scenarios.
• Chad Crowell on Twitter

Special Guest: Jim Salter.

Links:

• How to easily configure WireGuard — At its core, all WireGuard does is create an interface from one computer to another.
• Jessie Frazelle's Blog: Installing and Using Wireguard, obviously with containers — What is cool about Wireguard is it integrates into the Linux networking stack.
• WireGuard Didn't Make it To The Mainline Linux Kernel This Cycle — The code continues to be improved upon but looks like it came up just short of making it into this current development cycle.
• WireGuard VPN review: A new type of VPN offers serious advantages — Fewer lines of code, simpler setup, and better algorithms make a strong case.
• The Current Status of WireGuard VPNs - Are We There Yet?
• Using a free VPN? Why not skip the middleman and just send your data to President Xi?
• Feedback from Cody
• NRE Labs — NRE Labs is a no-strings-attached, community-centered initiative to bring the skills of automation within reach for everyone
• Introduction to Antidote — Antidote is an open-source project aimed at making automated network operations more accessible with fast, easy and fun learning.
• StackStorm — From simple if/then rules to complicated workflows, StackStorm lets you automate DevOps your way.
• wireguard-private-networking: Build your own multi server private network using wireguard and ansible
• Algo: Set up a personal IPSEC or WireGuard VPN in the cloud

Plus, Magecart strikes again, Alpine has package problems, and why you shouldn't trust Western Digital's MyCloud.

Special Guest: Jon Spriggs.

Links:

• GovPayNow.com Leaks 14M+ Records — Government Payment Service Inc. has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
• Magecart claims another victim in Newegg merchant data theft — Researchers from RiskIQ, together with Volexity, revealed that California-based retailer Newegg is the latest well-known merchant to succumb to the threat actors.
• RiskIQ: Another Victim of the Magecart Assault Emerges
• Password bypass flaw in Western Digital My Cloud drives puts data at risk — A security researcher has published details of a vulnerability in Western Digital’s My Cloud devices, which could allow an attacker to bypass the admin password on the drive, gaining complete control over the user’s data.
• WD MyCloud Metasploit Example
• Cloudflare goes InterPlanetary — Today we’re excited to introduce Cloudflare’s IPFS Gateway, an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer.
• End-to-End Integrity with IPFS — This post describes how to use Cloudflare's IPFS gateway to set up a website which is end-to-end secure, while maintaining the performance and reliability benefits of being served from Cloudflare’s edge network.
• How permanent is data stored on IPFS?
• Lesson: Add Content to IPFS and Retrieve It · Decentralized Web Primer
• Leo Tindall: Putting This Blog on IPFS
• A Beginner’s Guide to IPFS — IPFS consists of several innovations in communication protocols and distributed systems that have been combined to produce a file system like no other.
• Useful resources for using IPFS and building things on top of it
• OrbitDB: Peer-to-Peer Databases for the Decentralized Web
• Rebuild Alpine Linux Docker Containers After Package Manager Patch — An attacker could intercept a package request as a Alpine Linux Docker image is being built and add malicious code that target machines would then unpack and run within the Docker container