mirror of https://github.com/LCTT/TranslateProject.git (synced 2025-01-19 22:51:41 +08:00), commit 491d3277d5
@ -1,35 +0,0 @@
|
||||
translating----geekpi
|
||||
|
||||
### Changes in Password Best Practices
|
||||
|
||||
NIST recently published its four-volume [_SP800-63b Digital Identity Guidelines_][3] . Among other things, it makes three important suggestions when it comes to passwords:
|
||||
|
||||
1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they [don't help][1] that much. It's better to allow people to use pass phrases.
|
||||
|
||||
2. Stop it with password expiration. That was an [old idea for an old way][2] we used computers. Today, don't make people change their passwords unless there's indication of compromise.
|
||||
|
||||
3. Let people use password managers. This is how we deal with all the passwords we need.
|
||||
|
||||
These password rules were failed attempts to [fix the user][4]. Better we fix the security systems.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
作者简介:
|
||||
|
||||
I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm the Chief Technology Officer of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of EFF.
|
||||
|
||||
-----------------
|
||||
|
||||
via: https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
|
||||
|
||||
作者:[Bruce Schneier][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.schneier.com/blog/about/
|
||||
[1]:https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
|
||||
[2]:https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
|
||||
[3]:http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
|
||||
[4]:http://ieeexplore.ieee.org/document/7676198/?reload=true
|
@ -1,62 +0,0 @@
|
||||
translating---geekpi
|
||||
|
||||
What is Grafeas? Better auditing for containers
|
||||
============================================================
|
||||
|
||||
### Google's Grafeas provides a common API for metadata about containers, from image and build details to security vulnerabilities
|
||||
|
||||
![What is Grafeas? Better auditing for containers](https://images.techhive.com/images/article/2016/03/questions_analytics-100650053-primary.idge.jpg)
|
||||
Thinkstock
|
||||
|
||||
The software we run has never been more difficult to vouchsafe than it is today. It is scattered between local deployments and cloud services, built with open source components that aren’t always a known quantity, and delivered on a fast-moving schedule, making it a challenge to guarantee safety or quality.
|
||||
|
||||
The end result is software that is hard to audit, reason about, secure, and manage. It is difficult not just to know what a VM or container was built with, but what has been added or removed or changed and by whom. [Grafeas][5], originally devised by Google, is intended to make these questions easier to answer.
|
||||
|
||||
|
||||
### What is Grafeas?
|
||||
|
||||
Grafeas is an open source project that defines a metadata API for software components. It is meant to provide a uniform metadata schema that allows VMs, containers, JAR files, and other software artifacts to describe themselves to the environments they run in and to the users that manage them. The goal is to allow processes like auditing the software used in a given environment, and auditing the changes made to that software, to be done in a consistent and reliable way.
|
||||
|
||||
Grafeas provides APIs for two kinds of metadata, notes and occurrences:
|
||||
|
||||
|
||||
* Notesare details about some aspect of the software artifact in question. This can be a description of a known software vulnerability, details about how the software was built (the builder version, its checksum, etc.), a history of its deployment, and so on.
|
||||
|
||||
* Occurrences are instances of notes, with details about where and how they were created. Details of a known software vulnerability, for instance, could have occurrence information describing which vulnerability scanner detected it, when it was detected, and whether or not the vulnerability has been addressed.
|
||||
|
||||
Both notes and occurrences are stored in a repository. Each note and occurrence is tracked using an identifier that distinguishes it and makes it unique.
|
||||
|
||||
The Grafeas spec includes several basic schemas for types of notes. The package vulnerability schema, for instance, describes how to store note information for a CVE or vulnerability description. Right now there is no formal process for accepting new schema types, but [plans are on the table][6] for creating such a process.
|
||||
|
||||
### Grafeas clients and third-party support
|
||||
|
||||
Right now, Grafeas exists mainly as a spec and a reference implementation, [available on GitHub][7]. Clients for [Go][8], [Python][9], and [Java ][10]are all available, [generated by Swagger][11], so clients for other languages shouldn’t be hard to produce.
|
||||
|
||||
One key way Google plans to allow Grafeas to be widely used is through Kubernetes. A policy engine for Kubernetes, called Kritis, allows actions to be taken on containers based on their Grafeas metadata.
|
||||
|
||||
Several companies in addition to Google have announced plans for adding Grafeas support to existing products. CoreOS, for instance, is looking at how Grafeas can be integrated with Tectonic, and both [Red Hat][12] and [IBM][13] are planning to add Grafeas integrations to their container products and services.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.infoworld.com/article/3230462/security/what-is-grafeas-better-auditing-for-containers.html
|
||||
|
||||
作者:[Serdar Yegulalp ][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[1]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[2]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[3]:https://www.infoworld.com/article/3207686/cloud-computing/how-to-get-started-with-kubernetes.html#tk.ifw-infsb
|
||||
[4]:https://www.infoworld.com/newsletters/signup.html#tk.ifw-infsb
|
||||
[5]:http://grafeas.io/
|
||||
[6]:https://github.com/Grafeas/Grafeas/issues/38
|
||||
[7]:https://github.com/grafeas/grafeas
|
||||
[8]:https://github.com/Grafeas/client-go
|
||||
[9]:https://github.com/Grafeas/client-python
|
||||
[10]:https://github.com/Grafeas/client-java
|
||||
[11]:https://www.infoworld.com/article/2902750/application-development/manage-apis-with-swagger.html
|
||||
[12]:https://www.redhat.com/en/blog/red-hat-google-cloud-and-other-industry-leaders-join-together-standardize-kubernetes-service-component-auditing-and-policy-enforcement
|
||||
[13]:https://developer.ibm.com/dwblog/2017/grafeas/
|
@ -0,0 +1,33 @@
|
||||
### 密码修改最佳实践
|
||||
|
||||
NIST 最近发表了四卷[ _SP800-63b 数字身份指南_][3]。除此之外,它还对密码提供三个重要的建议:
|
||||
|
||||
1. 不要再纠结于复杂的密码规则。它们使密码难以记住。因为人为的复杂密码很难输入,因此增加了错误。它们[也没有很大帮助][1]。最好让人们使用密码短语
|
||||
|
||||
2. 停止密码到期。这是[我们以前使用计算机的一个老的想法][2]。如今不要让人改变密码,除非有提示。
|
||||
|
||||
3. 让人们使用密码管理器。这是我们如何处理我们所需要的所有密码。
|
||||
|
||||
这些密码规则不能[让用户安全][4]。我们最好修复系统安全。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
作者简介:
|
||||
|
||||
自从 2004 年以来,我一直在博客上写关于安全的文章,以及从 1998 年以来我的每月订阅中也有。我写书、文章和学术论文。目前我是 IBM Resilient 的首席技术官,哈佛伯克曼中心的研究员,EFF 的董事会成员。
|
||||
|
||||
-----------------
|
||||
|
||||
via: https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
|
||||
|
||||
作者:[Bruce Schneier][a]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.schneier.com/blog/about/
|
||||
[1]:https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
|
||||
[2]:https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
|
||||
[3]:http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
|
||||
[4]:http://ieeexplore.ieee.org/document/7676198/?reload=true
|
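Review bot: the heading on the first content line of this hunk, 密码修改最佳实践, reads as "best practices for changing passwords", whereas the source heading (deleted in the first hunk) is "Changes in Password Best Practices"; suggest 密码最佳实践的变化. Two further places lose the source meaning: in item 2, 除非有提示 drops "of compromise" from "unless there's indication of compromise" (suggest 除非有密码泄露的迹象), and the closing sentence 这些密码规则不能[让用户安全][4] renders "were failed attempts to fix the user" as "cannot make users safe" (suggest 这些密码规则是[修复用户][4]的失败尝试). Minor: item 1 lacks its final 。, and 每月订阅 in the author bio should be 每月通讯 for "monthly newsletter".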
@ -0,0 +1,58 @@
|
||||
什么是 Grafeas?更好地审核容器
|
||||
============================================================
|
||||
|
||||
### Google 的 Grafeas 为容器的元数据提供了一个从镜像和构建细节到安全漏洞的通用 API。
|
||||
|
||||
![What is Grafeas? Better auditing for containers](https://images.techhive.com/images/article/2016/03/questions_analytics-100650053-primary.idge.jpg)
|
||||
Thinkstock
|
||||
|
||||
我们运行的软件从来没有比今天更难保证安全。它分散在本地部署和云服务之间,并由不知数量的开源组件构建,而且以快速的时间表交付,因此保证安全和质量变成了一个挑战。
|
||||
|
||||
最终的结果是软件难以审核,考虑,安全化和管理。困难的不只是知道 VM 或容器是用什么构建的, 而是由谁来添加、删除或更改的。[Grafeas][5] 最初由 Google 设计,旨在使这些问题更容易解决。
|
||||
|
||||
### 什么是 Grafeas?
|
||||
|
||||
Grafeas 是一个定义软件组件的元数据 API 的开源项目。这旨在提供一个统一的元数据模式,允许 VM、容器、JAR 文件和其他软件工件描述自己的运行环境以及管理它们的用户。目标是允许像给定环境中使用的软件一样的审核,以及对该软件所做的更改的审核,以一致和可靠的方式进行。
|
||||
|
||||
Grafeas提供两种格式的元数据 API,备注和事件:
|
||||
|
||||
* 备注是有关软件组件的某些方面的细节。可以是已知软件漏洞的描述,有关如何构建软件的详细信息(构建器版本,校验和等),部署历史等。
|
||||
|
||||
* 事件是备注的实例,包含了它们创建的地方和方式的细节。例如,已知软件漏洞的详细信息可能会有描述哪个漏洞扫描程序检测到它的情况、何时被检测到的事件信息,以及该漏洞是否被解决。
|
||||
|
||||
备注和事件都存储在仓库中。每个笔记和事件都使用标识符进行跟踪,该标识符区分它并使其唯一。
|
||||
|
||||
Grafeas 规范包括备注类型的几个基本模式。例如,软件包漏洞模式描述了如何存储 CVE 或漏洞描述的备注信息。现在没有正式的接受新模式类型的流程,但是[这已经在计划][6]创建这样一个流程。
|
||||
|
||||
### Grafeas 客户端和第三方支持
|
||||
|
||||
现在,Grafeas 主要作为规范和参考形式存在,它有在[ GitHub 上提供][7]。 [Go][8]、[Python][9] 和 [Java][10] 的客户端都可以使用[由 Swagger 生成][11],所以其他语言的客户端也应该不难写出来。
|
||||
|
||||
Google 计划让 Grafeas 广泛使用的关键方案是通过 Kubernetes。 Kubernetes 的一个策略引擎,称为 Kritis,可以根据 Grafeas 元数据对容器采取措施。
|
||||
|
||||
除 Google 之外的几家公司已经宣布计划将 Grafeas 的支持添加到现有产品中。例如,CoreOS 正在考察 Grafeas 如何与 Tectonic 集成,[Red Hat][12] 和 [IBM][13] 都计划在其容器产品和服务中添加 Grafeas 集成。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.infoworld.com/article/3230462/security/what-is-grafeas-better-auditing-for-containers.html
|
||||
|
||||
作者:[Serdar Yegulalp ][a]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[1]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[2]:https://www.infoworld.com/author/Serdar-Yegulalp/
|
||||
[3]:https://www.infoworld.com/article/3207686/cloud-computing/how-to-get-started-with-kubernetes.html#tk.ifw-infsb
|
||||
[4]:https://www.infoworld.com/newsletters/signup.html#tk.ifw-infsb
|
||||
[5]:http://grafeas.io/
|
||||
[6]:https://github.com/Grafeas/Grafeas/issues/38
|
||||
[7]:https://github.com/grafeas/grafeas
|
||||
[8]:https://github.com/Grafeas/client-go
|
||||
[9]:https://github.com/Grafeas/client-python
|
||||
[10]:https://github.com/Grafeas/client-java
|
||||
[11]:https://www.infoworld.com/article/2902750/application-development/manage-apis-with-swagger.html
|
||||
[12]:https://www.redhat.com/en/blog/red-hat-google-cloud-and-other-industry-leaders-join-together-standardize-kubernetes-service-component-auditing-and-policy-enforcement
|
||||
[13]:https://developer.ibm.com/dwblog/2017/grafeas/
|
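Review bot: several sentences in this hunk invert or drop what the source (deleted in the second hunk) says. 由不知数量的开源组件构建 turns "open source components that aren't always a known quantity" into "an unknown number of components" (suggest 由并非总是可靠的开源组件构建); 而是由谁来添加、删除或更改的 drops "what has been added or removed or changed" (suggest 还要知道添加、删除或更改了什么以及是谁做的); 描述自己的运行环境以及管理它们的用户 reads as artifacts describing their own environment rather than describing themselves to the environment and its users (suggest 向其运行环境以及管理它们的用户描述自身); 参考形式 should be 参考实现 for "reference implementation"; and 目标是允许像给定环境中使用的软件一样的审核 does not parse, suggest 目标是让对给定环境中所用软件及其变更的审核能以一致且可靠的方式进行. Also the term for "notes" switches between 备注 and 笔记 in 每个笔记和事件, which should use one term, and Grafeas提供 is missing the space before 提供 used elsewhere in the file.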