The Zero Trust architecture pushed by the U.S. federal government

I came across the memorandum "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" published by the Executive Office of the President. It covers the Zero trust security model and serves as guidance that other federal agencies can follow, explaining at a fairly high level the federal government's direction for system security design.

It mentions "Phishing-resistant MFA": ordinary MFA cannot prevent phishing (software TOTP like Google Authenticator, hardware TOTP like RSA SecurID, or the kind where you type in a code received by SMS); the only schemes that can resist phishing should be U2F or its successor WebAuthn, protocols that bind the site's location (origin) into the protocol itself.
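To make the "site location is part of the protocol" point concrete, here is an added example (not from the memo or the original post) of the relying-party checks WebAuthn specifies for an assertion: the browser writes the page origin into clientDataJSON, the authenticator hashes the rpId into authenticatorData, and the signature (omitted here) covers both, so a response captured on a look-alike domain fails verification. The relying-party name, origin and sample challenge are constructed for this example.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party configuration for this example.
RP_ID = "agency.example.gov"
EXPECTED_ORIGIN = "https://agency.example.gov"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulate the clientDataJSON a browser produces for navigator.credentials.get().
    The browser, not the page script, fills in the origin field."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Simulate authenticatorData: sha256(rpId) || flags (UP set) || 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_b64: str, auth_data: bytes, issued_challenge: bytes):
    """Relying-party side checks that bind the assertion to our origin.
    Returns (ok, reason). Signature verification over
    authenticatorData || sha256(clientDataJSON) is left out of this example;
    in a real deployment it is what makes these fields tamper-proof."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # A TOTP code typed into a phishing page carries no origin; this field does.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Legitimate login succeeds; the same challenge relayed through a look-alike
    origin (constructed name) is rejected on the origin check."""
    challenge = secrets.token_bytes(32)
    auth = make_authenticator_data(RP_ID)
    legit = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth, challenge)
    relayed = verify_assertion(
        make_client_data("https://agency-login.example.net", challenge), auth, challenge)
    return legit, relayed


if __name__ == "__main__":
    for label, result in zip(("legitimate", "relayed via look-alike"), demo()):
        print(f"{label}: {result}")
```

In practice the browser also refuses to use a credential whose rpId does not match the current site, so a look-alike domain would not even get an assertion for `agency.example.gov`; the origin check above is the server-side half of that guarantee.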

It also mentions the two designs RBAC and ABAC, and prefers ABAC for the extra flexibility it gives:

Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.
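As an added illustration of the difference the memo describes (example code, not the memo's or the original post's), below a static role table is compared with attribute-based policies evaluated per request: the same "analyst" role always gets read access under RBAC, while the ABAC decision also depends on device posture, clearance versus classification and the request context. The attribute names, roles and policies are all constructed for this example.

```python
from dataclasses import dataclass

# --- RBAC: static, pre-defined roles mapped to permissions (constructed table) ---
ROLE_PERMISSIONS = {
    "analyst": {"read:report"},
    "admin": {"read:report", "write:report", "delete:report"},
}


def rbac_allows(user_roles, action: str) -> bool:
    """Permission depends only on which roles the user was assigned."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


# --- ABAC: policies are predicates over subject, resource and environment attributes ---
@dataclass
class Request:
    subject: dict    # who: roles, department, clearance
    resource: dict   # what: classification, owning department
    action: str      # read / write / delete
    env: dict        # context: device compliance, time of day

CLEARANCE_ORDER = ["public", "internal", "confidential", "secret"]

# (effect, name, predicate). Constructed example policies; any matching deny wins,
# then any matching permit, otherwise default deny.
POLICIES = [
    ("deny", "non-compliant-device",
     lambda r: not r.env.get("device_compliant", False)),
    ("deny", "insufficient-clearance",
     lambda r: CLEARANCE_ORDER.index(r.subject["clearance"])
               < CLEARANCE_ORDER.index(r.resource["classification"])),
    ("permit", "analyst-reads-own-department",
     lambda r: r.action == "read" and "analyst" in r.subject["roles"]
               and r.subject["department"] == r.resource["owner_department"]),
    ("permit", "admin-during-business-hours",
     lambda r: "admin" in r.subject["roles"] and 8 <= r.env.get("hour_utc", -1) < 18),
]


def abac_decide(req: Request):
    """Returns (decision, [matched policy names]); decision is 'permit' or 'deny'."""
    matched = [(effect, name) for effect, name, pred in POLICIES if pred(req)]
    denies = [name for effect, name in matched if effect == "deny"]
    if denies:
        return "deny", denies
    permits = [name for effect, name in matched if effect == "permit"]
    if permits:
        return "permit", permits
    return "deny", ["default-deny"]


def demo():
    """Same analyst, same report: RBAC says yes in every case, ABAC reacts to context."""
    subject = {"roles": ["analyst"], "department": "finance", "clearance": "internal"}
    report = {"classification": "internal", "owner_department": "finance"}
    managed = Request(subject, report, "read", {"device_compliant": True, "hour_utc": 10})
    unmanaged = Request(subject, report, "read", {"device_compliant": False, "hour_utc": 10})
    return {
        "rbac": rbac_allows(subject["roles"], "read:report"),
        "abac_managed_device": abac_decide(managed),
        "abac_unmanaged_device": abac_decide(unmanaged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The deny-overrides ordering is a deliberate choice: a compliance or clearance failure should not be rescued by a broad permit rule, which is the kind of dynamic, per-request decision the memo has in mind.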

Also, because of the zero trust design, the internal network can only be treated as a transport medium, not as a secure transport layer; every transmission needs its own verification mechanism to ensure CIA, so even DNS traffic must be protected by DNS over HTTPS or DNS over TLS:

Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers.

Any HTTP traffic must be protected with HTTPS, to the point of putting the whole .gov zone straight onto the HTTPS-only list (presumably this means HSTS preload?):

More generally, the .gov top-level domain has announced an intent to eventually preload the entirety of the .gov domain space as an HTTPS-only zone.

However, it also notes that for email encryption there is so far no good way to guarantee that encryption is used, especially when communicating with external parties:

Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.

The part on vulnerability testing and reporting mechanisms is also quite interesting, such as encouraging external testing:

In addition to their own testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify

As well as encouraging a system for safe reporting:

Public vulnerability disclosure programs, which allow security researchers and other members of the general public to report security issues safely, are used widely across the Federal Government and many private-sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.

Worth flipping through and reading...

The White House orders government agencies to do Open Data

An executive order issued by the White House requires all U.S. government agencies, when publishing information, to provide it in electronic formats that programs can easily read: "Executive Order -- Making Open and Machine Readable the New Default for Government Information".

The key point: data must not only be "open", it must also be "machine readable" and come with a "license that allows reuse", and agencies are required to provide it.

A petition to abolish Daylight Saving Time...

In "Petition the White House to eliminate daylight saving time" I saw that someone went straight to the White House petition site to ask for an end to "Daylight Saving Time", which requires adjusting the clocks twice a year: "Eliminate the bi-annual time change caused by Daylight Savings Time".

The petitioner argues that, from today's point of view, this is simply too disruptive... and less than a week after it was started, twenty thousand people had already signed. Let's see how it goes... XD

The White House raises the signature threshold for a We the People response

The White House announced it is raising the number of signatures that forces a response on We the People, from the original 25k to 100k: "Why We're Raising the Signature Threshold for We the People".

Because the number of participants has grown a lot recently:

The White House also provided an infographic that describes participation in more detail:

Overview

The UK has data.gov.uk, the US has We the People, plus alpha.data.gov which I saw yesterday (A collection of open data from the government, private sector, and non-profits that are fueling a new economy.), and it feels like Taiwan is falling further and further behind the developed countries of the world...


The U.S. government formally rejects the Death Star construction plan...

It started last November, when someone launched a petition on the White House We the People site to build a Death Star XDDD

The petition is at "Secure resources and funding, and begin construction of a Death Star by 2016.". By the rules, once a petition passes twenty-five thousand signatures the White House must give an official response.

So... the White House officially responded XDDD The response is signed by Paul Shawcross (Chief of the Science and Space Branch at the White House Office of Management and Budget). BBC Chinese ran a very short writeup (which nevertheless covers all the key points): "美國未批准修建星球大戰式太空站".

In the response, the title "This Isn't the Petition Response You're Looking For" is itself a joke... see the Star Wars quotes on IMDB: "These aren't the droids you're looking for.".

It lists three reasons the government objects. The first one seriously explains the budget problem. The second starts out serious and then goes sideways:

The Administration does not support blowing up planets.

And the third says outright "this thing is useless anyway~":

Why would we spend countless taxpayer dollars on a Death Star with a fundamental flaw that can be exploited by a one-man starship?

After the explanation, the rest of the response promotes the ISS and its recent achievements... XD