zlacker

[return to "I read the federal government’s Zero-Trust Memo so you don’t have to"]
1. static+ua[view] [source] 2022-01-27 15:56:56
>>EthanH+(OP)
This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

◧◩
2. c0l0+IH[view] [source] 2022-01-27 18:23:10
>>static+ua
I think 3. is very harmful for actual, real-world use of Free Software. If only specific builds of software that are on a vendor-sanctioned allowlist, governed by the signature of a "trusted" party to grant them entry to said list, can meaningfully access networked services, all those who compile their own artifacts (even from completely identical source code) will be excluded from accessing that remote side/service.

Banks and media corporations are doing it today by requiring a vendor-sanctioned Android build/firmware image, attested and allowlisted by Google's SafetyNet (https://developers.google.com/android/reference/com/google/a...), and it will only get worse from here.

Remote attestation really is killing practical software freedom.

◧◩◪
3. alksjd+Vs1[view] [source] 2022-01-27 21:33:08
>>c0l0+IH
Totally locking down a computer to just a pre-approved set of software is a huge step towards securing it from the kind of attackers most individuals, companies, and governments are concerned with. Sacrificing "software freedom" for that kind of security is a trade off that the vast majority of users will be willing to make - and I think the free software community will need to come to terms with that fact at some point and figure out what they want to do about it.
◧◩◪◨
4. 0xedd+v32[view] [source] 2022-01-28 00:50:12
>>alksjd+Vs1
Wrong. 80% of attacks are social engineering ones. In which an employee is convinced to make a bank transfer, open some document, install some program. From there, often times it's exploiting wide spread software commonly found in large organizations.

Everything you said cannot be further from the truth.

◧◩◪◨⬒
5. themac+e52[view] [source] 2022-01-28 01:01:14
>>0xedd+v32
Hence the pre-approved software restrictions. In a locked down system, even the most gullible employee won't have the authorization to "install some program".

I'd also hope that businesses care about more than 80% of attacks, preferably they should care about 100% of attacks. Hence, pre-approved software restrictions.

[go to top]