Greg Brockman (OpenAI 的 President) 宣佈離職

OpenAI 的 President,Greg Brockman 宣佈離職:

不過更重要的是後續的說明,看起來是與 Sam Altman 聯合起來整理情況,算是另外一邊第一手的資料?

目前主要是一些時間線的呈現,分別被解任與拔除 President。

這邊講的 Ilya 是 Ilya Sutskever,在 Sam Altman 被幹掉後有些八卦傳言有提到他,不過目前 Cofounders 這邊還沒直接開火,沒辦法驗證更多資訊,再繼續等看看有沒有什麼資訊還會冒出來...

美國聯邦政府推動的 Zero Trust 架構

看到美國總統行政辦公室發佈的「Moving the U.S. Government Toward Zero Trust Cybersecurity Principles」這個備忘錄,在講 Zero trust security model,算是讓其他聯邦單位可以依循的指引,從比較高的角度來說明聯邦政府對系統安全設計的方向。

裡面有提到「Phishing-resistant MFA」,一般的 MFA 無法防止 phishing (像是軟體 TOTP 類的 Google Authenticator 或是硬體式 TOTP 的 RSA SecurID,或是透過簡訊輸入收到的字串那種),要能夠對抗 phishing 的應該只有 U2F 或是後續的 WebAuthn 這種有把網站位置也放進 protocol 的協定。

另外提到了 RBACABAC 兩種設計,而且更偏好用 ABAC 得到更多彈性:

Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.

另外因為 zero trust 的設計,內部網路其實只能當作是一個傳輸媒介,不能當作是一個安全的傳輸層,任何的傳輸都需要有另外的驗證機制確保 CIA,所以從 DNS 的流量必須是透過 DNS over HTTPS 或是 DNS over TLS 的保護:

Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers.

任何 HTTP 傳輸都需要使用 HTTPS 保護,甚至是把 .gov 直接放進 HTTPS-only 清單 (應該是指 HSTS preload?):

More generally, the .gov top-level domain has announced an intent to eventually preload the entirety of the .gov domain space as an HTTPS-only zone.

不過裡面也有提到 email 的 encryption 到目前為止沒有好的方法可以確保 encryption 的使用,尤其是跟外部的人溝通:

Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.

然後提到安全漏洞的測試與回報機制也蠻有趣的,像是鼓勵外部測試:

In addition to their own testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify

以及鼓勵安全回報的制度:

Public vulnerability disclosure programs, which allow security researchers and other members of the general public to report security issues safely, are used widely across the Federal Government and many private-sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.

拿來翻一翻讀一讀...

Elon Musk 退訂美國總統的 Twitter 帳號

先前因為 cjin 的這則推,跑去追蹤了 @BigTechAlert 這個帳號:

@BigTechAlert 這個帳號會把名人以及大企業的 Twitter 帳號所追蹤與推追蹤的行為找出來,然後發表在 Twitter 上面。

平常 @BigTechAlert 所抓出來的追蹤與退追大家也都習以為常,你去看 @BigTechAlert 的帳號也可以發現沒什麼 retweet & like。

但前幾天這則退訂通知讓不少人 retweet & like,因為是 Elom Musk 退追了 @POTUS 帳號 (也就是 President of the United States):

退追的真實原因不知道,但看到純粹覺得很有趣...

2012 與 2016 美國總統選舉的變化

The Economist 這邊看到圖表,比較 2012 與 2016 年投票的變化:「Who voters supported in the last American election compared with this one」。2016 美國總統選舉將在 11 月初舉辦,這邊是目前的情況。

這張圖表頗清楚的,雖然有些比例不太對... 可以看到兩大黨以外的票比 2012 增加了不少。