September 22, 2021 / Jim Fenton

Comments on the Federal Zero Trust Strategy

The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) recently released a request for public feedback on a draft strategy for a zero-trust cybersecurity architecture for the US Government in response to Executive Order 14028 issued last May. Public comments were due September 21. The comments I submitted are below.


Thank you for the opportunity to provide public comment on your draft, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. I hope that the below comments will inform your decisions as you finalize this policy.

Identity

Use of phishing-resistant MFA

Phishing is an important attack vector and must be addressed. Phishing-resistant MFA is critical because it prevents credentials from being used by impostor websites and services such as mobile apps. Requiring phishing-resistant MFA for agency staff, contractors, and partners is a logical step, although existing PIV and derived PIV credentials are already phishing resistant. At present, PIV credentials are not available to contractors and partners who typically do not require access to federal facilities, so an alternative approach to this problem might be to unify the authentication methods used by these parties around PIV or equivalently secure authenticators.

Requiring phishing-resistant MFA as an option for public access to federal websites and online services encourages use and familiarization with these authentication methods by the public, in addition to their direct role in blocking phishing attacks. Members of the public that adopt phishing-resistant authenticators also need to be cautioned against the use of other multifactor authentication methods that they might be prompted to use by phishing actors.

Currently, many commercial products that offer phishing-resistant authentication using the WebAuthn standard do not meet the technical requirements for verifier impersonation resistance in NIST SP 800-63-3 (cited in footnote 4 of the draft; the requirement itself is in SP 800-63B section 5.2.5) because they bind the authentication to the domain name (origin) of the verifier rather than to the communication channel itself. However, this non-compliance does not significantly reduce the phishing resistance of these authenticators: an assertion is scoped to the relying party's domain and carries the origin the browser actually connected to, so an impostor site cannot obtain one that the genuine verifier will accept. It is widely expected that NIST will recognize these authenticators as an alternative means of achieving verifier impersonation resistance in the next revision of that guideline. For clarity, it would be useful to explicitly recognize these authenticators as phishing-resistant in this policy as well.
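The domain binding described above, as an added example that is not part of the comment letter: the checks a WebAuthn relying party performs on the client data and authenticator data before verifying the signature. The browser, not the web page, fills in the origin, and the authenticator prefixes its signed data with the hash of the relying-party identifier, so an assertion produced at a look-alike domain fails these checks. The RP ID, origin, and the helper functions that fabricate assertions are assumptions made for the example; signature verification is deliberately omitted because it is not where the phishing resistance comes from.

```python
"""Added example (not from the original letter): WebAuthn origin/RP ID binding
checks. The authenticator signs authenticatorData || SHA-256(clientDataJSON);
the browser writes the origin it connected to into clientDataJSON, and
authenticatorData begins with SHA-256(rpId). A phishing page at another
origin therefore cannot produce an assertion the real verifier accepts, even
without TLS channel binding. Signature verification is omitted here."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.gov"                # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.gov"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_binding(client_data_b64: str, authenticator_data: bytes,
                   expected_challenge: bytes) -> tuple:
    """Return (ok, reason) after the domain-binding steps of the WebAuthn
    assertion verification procedure: type, challenge, origin, rpIdHash, and
    the user-presence flag. The signature check would follow these."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:      # UP flag: user presence
        return False, "user presence flag not set"
    return True, "assertion bound to this origin and RP ID"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for what a browser places in clientDataJSON."""
    obj = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
           "origin": origin}
    return b64url_encode(json.dumps(obj).encode())

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + counter.to_bytes(4, "big"))

def demo() -> dict:
    challenge = secrets.token_bytes(32)
    genuine = verify_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                             make_auth_data(RP_ID), challenge)
    # Relayed from a look-alike domain: the browser records *that* origin and
    # the credential is scoped to *that* RP ID, so the real verifier rejects it.
    phish = verify_binding(make_client_data("https://login-example.gov", challenge),
                           make_auth_data("login-example.gov"), challenge)
    # Replay of an assertion issued for an older challenge.
    replay = verify_binding(make_client_data(EXPECTED_ORIGIN, secrets.token_bytes(32)),
                            make_auth_data(RP_ID), challenge)
    return {"genuine": genuine, "phish": phish, "replay": replay}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} ok={result[0]!s:5s} {result[1]}")
```

The origin check is the one that matters for the policy question: it is a comparison of strings the verifier already knows, not a property of the TLS channel, which is why these authenticators resist phishing without satisfying the channel-binding wording of the current guideline.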

Checking passwords against blocklists

This draft notes that CISA will be making a service available to check passwords against known-breached data. Use of a password blocklist is required by NIST SP 800-63B as well. The size of these blocklists should be carefully considered. A blocklist that is too small does not sufficiently protect against the use of common passwords, but a list that includes every common or breached password is likely to frustrate users, who will then focus on coming up with an acceptable password rather than other aspects of password strength such as length. There should also be the ability for individual agencies to supplement these blocklists with agency-specific entries.

The use of common passwords is not the only weakness in password use. Agencies should be reminded of the need to store password verification secrets securely (using, at a minimum, “salting” and iterative hashing) and of the need for rate limiting to blunt online guessing attacks.
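The three controls in the two paragraphs above (a blocklist with an agency-specific supplement, salted iterative hashing of the verification secret, and rate limiting of online guesses) in one small verifier, as an added example that is not part of the comment letter. The list contents, the minimum length, the iteration count, and the lockout numbers are assumptions chosen for illustration; a real deployment would load a breached-password set such as the one the draft says CISA will provide.

```python
"""Added example (not from the original letter): password blocklist check with
an agency supplement, salted PBKDF2 storage of the verification secret, and a
per-account rate limit on online guesses. All lists and limits are assumed."""
import hashlib
import hmac
import secrets
import time
import unicodedata

# Constructed sample lists; load a real breached-password set in practice.
GLOBAL_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
AGENCY_SUPPLEMENT = {"agencyname2021", "zerotrust!", "omb-cisa"}
MIN_LENGTH = 8                 # SP 800-63B minimum for user-chosen secrets
PBKDF2_ITERATIONS = 100_000    # assumed; tune so one check takes ~100 ms
MAX_FAILURES = 10              # assumed lockout threshold per window
WINDOW_SECONDS = 600

def normalize(password: str) -> str:
    # NFKC so compatibility variants compare equal; casefold so the blocklist
    # catches trivial capitalization variants of a listed password.
    return unicodedata.normalize("NFKC", password).casefold()

def check_policy(password: str, blocklist=GLOBAL_BLOCKLIST,
                 supplement=AGENCY_SUPPLEMENT) -> tuple:
    """Return (accepted, reason) for a candidate password at enrollment."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if normalize(password) in blocklist or normalize(password) in supplement:
        return False, "password appears on a blocklist"
    return True, "ok"

def make_record(password: str) -> dict:
    """Store only a salted, iterated hash plus what is needed to recompute it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS,
            "failures": []}

def verify(record: dict, password: str, now: float = None) -> tuple:
    """Return (ok, reason); refuses to even hash once the account is over its
    failure budget for the current window, blunting online guessing."""
    now = time.time() if now is None else now
    record["failures"] = [t for t in record["failures"] if now - t < WINDOW_SECONDS]
    if len(record["failures"]) >= MAX_FAILURES:
        return False, "rate limited"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                                 record["iterations"])
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"].clear()
        return True, "ok"
    record["failures"].append(now)
    return False, "bad password"

if __name__ == "__main__":
    print(check_policy("Welcome1"), check_policy("correct horse battery staple"))
    rec = make_record("correct horse battery staple")
    print(verify(rec, "wrong"), verify(rec, "correct horse battery staple"))
```

The blocklist lookup is exact after normalization rather than a similarity match, which keeps a very large list from rejecting reasonable choices; the rate limiter runs before the expensive hash so that lockout does not become a cheap way for an attacker to consume verifier CPU.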

Networks

DNS encryption

The draft policy notes the importance of encrypting DNS traffic, but seems to be undecided on the use of DNS-over-HTTPS (DoH, which is typically implemented in browsers) or DNS-over-TLS (DoT, which is normally implemented in the operating system's resolver). A significant amount of security-relevant DNS traffic is not initiated by browsers, such as that coming from email clients, instant messaging applications, and many others. This policy should consider the need for DNS encryption outside the browser as well as for Web traffic.

Encryption of DNS traffic does limit agencies’ ability to inspect DNS requests for indications of malware and other inappropriate behavior, so there is somewhat of a security tradeoff in its implementation. If CISA’s Protective DNS offering is centralized, it may not be possible for individual agencies to employ DNS monitoring for security purposes.

DNSSEC

Notwithstanding the removal (by OMB M-18-23) of the requirement to implement DNSSEC that was established by M-08-23, DNSSEC implementation continues to be an effective defense against demonstrated DNS spoofing attacks and in providing a trust framework for data published in DNS. DNSSEC has a single “source of truth” that is easily monitored for fraud, unlike the WebPKI which has in excess of 100 certificate authorities, any of which could potentially publish a rogue certificate. Minimizing external security dependencies is very much in the spirit of the Zero Trust architecture. While Certificate Transparency helps a vigilant domain to detect the mistaken issuance of a certificate to the wrong party, many CAs are in jurisdictions where they could be compelled to issue a certificate and make it available to a bad actor, perhaps in support of a state-sponsored attack. For this reason, the use of DANE in addition to WebPKI, particularly for sensitive applications, should be strongly considered.

Furthermore, M-08-23 was in some cases interpreted as a requirement to DNSSEC-sign .gov domains but not necessarily to implement DNSSEC verification of DNS requests originating within an agency. In contrast many consumer DNS providers, including internet service providers and services such as Google, implement DNSSEC verification thereby giving their users a security advantage that these agencies currently do not have available. This policy should require verification as well as DNSSEC signing by agencies; verification could potentially be an aspect of the CISA Protective DNS program.

Encrypting email traffic

The draft correctly notes the importance of encryption for email traffic. It describes the use of MTA-STS to accomplish this by allowing a domain to advertise a policy stating that its mail exchangers support STARTTLS and which MX hosts are legitimate. However, publishing that policy requires additional infrastructure (an HTTPS server at mta-sts.<domain>), and senders must cache previously received policies to overcome the possibility that a bad actor will block the policy advertisement. In contrast DANE, which is deployed on DNSSEC-protected domains, provides a way to publish a similar policy (TLSA records for the MX hosts) without this trust-on-first-use limitation and without the need to stand up additional infrastructure to support policy publication. DANE should be strongly considered as an alternative to MTA-STS for this requirement.
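The two mechanisms compared above, side by side, as an added example that is not part of the comment letter: a parser for the text policy a domain serves for MTA-STS (RFC 8461) with its MX pattern matching, and the matching step DANE applies to a TLSA record against the certificate the receiving MTA presented (RFC 6698 as profiled for SMTP by RFC 7672). The sample policy is constructed, and the certificate and SubjectPublicKeyInfo bytes are placeholders rather than real DER, since the point is the comparison logic; only the DANE-EE usage (3) is decided here, and DANE-TA (usage 2), which needs chain walking, is reported as not handled.

```python
"""Added example (not from the original letter): MTA-STS policy parsing and
MX matching (RFC 8461) beside DANE TLSA record matching (RFC 6698/7672).
The policy text and the certificate/SPKI bytes are constructed placeholders."""
import hashlib

# Constructed policy as it would be fetched from
# https://mta-sts.example.gov/.well-known/mta-sts.txt (assumed domain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.gov
mx: *.backup.example.gov
max_age: 604800
"""

def parse_mta_sts_policy(text: str) -> dict:
    """Parse key: value lines; max_age is how long a sender must cache the
    policy so that a later blocked fetch cannot downgrade delivery."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid STSv1 policy")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_allowed(policy: dict, mx_host: str) -> bool:
    """RFC 8461: an mx pattern matches exactly, or with a leading '*.' matches
    exactly one additional label (so *.b.example matches a.b.example only)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".backup.example.gov"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def tlsa_matches(usage: int, selector: int, mtype: int, assoc_data: bytes,
                 cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA RR (usage, selector, matching type, data) with the
    presented end-entity certificate. Selector 0 = full certificate,
    1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    if usage != 3:                                     # only DANE-EE decided here
        return False
    data = {0: cert_der, 1: spki_der}.get(selector)
    if data is None:
        return False
    if mtype == 0:
        candidate = data
    elif mtype == 1:
        candidate = hashlib.sha256(data).digest()
    elif mtype == 2:
        candidate = hashlib.sha512(data).digest()
    else:
        return False
    return candidate == assoc_data

def demo() -> dict:
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"   # placeholders
    spki_sha256 = hashlib.sha256(spki).digest()
    return {
        "mode": policy["mode"],
        "max_age": policy["max_age"],
        "mx_primary": mx_allowed(policy, "mail.example.gov"),
        "mx_wildcard_ok": mx_allowed(policy, "mx1.backup.example.gov"),
        "mx_wildcard_too_deep": mx_allowed(policy, "a.b.backup.example.gov"),
        "mx_foreign": mx_allowed(policy, "mail.example.net"),
        "tlsa_3_1_1": tlsa_matches(3, 1, 1, spki_sha256, cert, spki),
        "tlsa_wrong_selector": tlsa_matches(3, 0, 1, spki_sha256, cert, spki),
        "tlsa_3_0_0": tlsa_matches(3, 0, 0, cert, cert, spki),
        "tlsa_usage_2_unhandled": tlsa_matches(2, 1, 1, spki_sha256, cert, spki),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The contrast the letter draws is visible in what each function needs: the MTA-STS path depends on a fetched document and its max_age cache, while the TLSA comparison depends only on a DNS record whose authenticity DNSSEC has already established.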

In addition, there is a complementary standard, REQUIRETLS (RFC 8689), that allows the sender of an email message to tag it to indicate that the message must only be sent over a TLS-protected channel, effectively overriding the opportunistic nature of STARTTLS. This most directly satisfies the stated goal of guaranteeing that Federal emails are encrypted in transit. Unfortunately, REQUIRETLS has not received significant deployment, but government interest in this capability would undoubtedly motivate deployment. REQUIRETLS builds upon MTA-STS or DANE.
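The relay decision a sending MTA makes for a REQUIRETLS-tagged message, as an added example that is not part of the comment letter. It follows the sender-side conditions in RFC 8689 section 4.2 (MX obtained through DNSSEC-validated DNS or an MTA-STS policy, STARTTLS negotiated, server certificate validated, and the next hop advertising REQUIRETLS in its EHLO response) and bounces otherwise; the NextHop fields are assumptions about what a real MTA would know after its lookup and EHLO exchange, and the hostnames are constructed.

```python
"""Added example (not from the original letter): REQUIRETLS (RFC 8689) relay
decision. A message tagged REQUIRETLS on its MAIL FROM command may only be
forwarded when every condition below holds; a message carrying the
TLS-Required: No header field asks for the opposite, delivery even without TLS."""
from dataclasses import dataclass

@dataclass
class NextHop:
    host: str
    mx_lookup_secured: bool       # MX from DNSSEC-validated DNS or MTA-STS policy
    starttls_offered: bool
    cert_validated: bool          # per DANE (RFC 7672) or WebPKI/MTA-STS rules
    advertises_requiretls: bool   # "REQUIRETLS" listed in EHLO after STARTTLS

def relay_decision(requiretls: bool, tls_required_no: bool, hop: NextHop) -> tuple:
    """Return ("deliver" | "bounce", reason). `requiretls` is the MAIL FROM
    parameter on the incoming message; `tls_required_no` is the header field."""
    if requiretls:
        if not hop.mx_lookup_secured:
            return "bounce", "MX lookup neither DNSSEC-validated nor covered by MTA-STS"
        if not hop.starttls_offered:
            return "bounce", "next hop does not offer STARTTLS"
        if not hop.cert_validated:
            return "bounce", "server certificate failed validation"
        if not hop.advertises_requiretls:
            return "bounce", "next hop does not advertise REQUIRETLS"
        return "deliver", "all REQUIRETLS conditions met; forward with REQUIRETLS"
    if tls_required_no:
        return "deliver", "TLS-Required: No; sender accepts delivery without TLS"
    # Ordinary opportunistic STARTTLS: encrypt when offered, else send in the clear.
    if hop.starttls_offered:
        return "deliver", "opportunistic STARTTLS"
    return "deliver", "opportunistic: no TLS offered, delivering in cleartext"

def mail_from_command(sender: str, requiretls: bool) -> str:
    """The client command that carries the tag to the next hop."""
    return f"MAIL FROM:<{sender}>" + (" REQUIRETLS" if requiretls else "")

def demo() -> dict:
    good = NextHop("mx.agency.example.gov", True, True, True, True)
    unsecured = NextHop("mx.partner.example", False, True, True, True)
    no_ext = NextHop("mx.legacy.example", True, True, True, False)
    cleartext_only = NextHop("mx.old.example", False, False, False, False)
    return {
        "good": relay_decision(True, False, good),
        "unsecured_mx": relay_decision(True, False, unsecured),
        "no_requiretls_ext": relay_decision(True, False, no_ext),
        "opportunistic": relay_decision(False, False, cleartext_only),
        "tls_required_no": relay_decision(False, True, cleartext_only),
        "command": mail_from_command("alice@agency.example.gov", True),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The fourth condition is why the letter calls deployment the limiting factor: a hop that speaks TLS perfectly well but does not advertise the extension still forces a bounce, because it cannot promise to honor the tag on the following hop.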

Conclusion

Please do not hesitate to contact the undersigned if any further information or clarification is needed.

James L. Fenton
Principal
Altmode Networks
Los Altos, California

December 12, 2020 / Jim Fenton

Photovoltaic system updates

This past spring, I noticed that our 20 year-old wooden shake roof needed serious work. The roof condition, combined with all of the recent wildfire activity in California, prompted us to replace the entire roof with asphalt shingles. This, of course, necessitated the removal and replacement of the solar panels we had installed in 2006.

In anticipation of doing this, we consulted with our local contractor, Solar Lightworkers, to see what might be done to update the system as well as to add a bit of extra capacity since we now have an electric car. Photovoltaic technology has advanced quite a bit in the past 14 years, so we wanted to take as much advantage of that as possible while reusing components from our existing system. As described earlier, our system had consisted of 24 200-watt Sanyo panels, with half of the panels facing south and half facing west. Because these two arrays peaked at different times of day, we had two inverters to optimize the output of each array.

Design

SolarEdge inverter

Mark from Solar Lightworkers strongly recommended a SolarEdge inverter that uses optimizers to minimize the impact of shading of some of the panels on the overall system output. This also compensates for the fact that different panels have maximum output at different times of day. As a result, a single inverter is sufficient for our new system. We also added four 360-watt LG panels to increase our capacity. This SolarEdge inverter is also capable of battery backup, but we haven’t opted into that yet.

Since our original installation, building codes had changed a bit, requiring that the panels be installed at least 3 feet below the peak of the roof. This made us rethink the layout of the existing panels. When we did the original installation, we were concerned about the aesthetics of the panels on the front of the house. But since that time, so many other houses in our area have installed solar panels that we weren’t as concerned about the appearance of panels on the front (south) side of the house. We still have some panels facing west, because they seem to be nearly as efficient economically as those facing south due to time-of-use electricity pricing.

South-facing solar panels, showing 10 legacy panels in a line with 4 new (larger) panels

Data Collection

I have enjoyed collecting data from our photovoltaic system, and have done so more or less continuously since the original system was installed, using a serial interface from one of my computers to the inverters. I wanted to continue that. The SolarEdge inverter comes with a variety of interfaces through which it can send data to SolarEdge’s cloud service, which I can view on their website. Wanting more detailed information, I found that they provide an API through which I can get data very comparable to what I got from the old inverters, and continue to analyze the data locally (as well as using their facilities, which are very good).

One of the unexpected benefits of the SolarEdge optimizers is the ability to see the performance of each panel individually. It turns out that one of the old panels had a power output almost exactly half of the others. I’m not sure how long that had been going on; perhaps since 2006. I found that the panels have a 20-year output warranty, so I contacted Panasonic, which had acquired the Sanyo product line, and filled out some paperwork and sent pictures. They sent me three very similar panels (replacing two panels with cosmetic defects as well as the one with low output) soon after. I was very happy with the service from Panasonic. Solar Lightworkers installed the new panels, and output is where it should be.

Performance

On a typical summer day with little shading, the system generated 23.7 kWh on 8/30/2019 and 34.8 kWh (+47%) on 8/27/2020. The additional panels would account for 30% of that increase and the defective panel an additional 2%. In the late fall, the old system generated 14.6 kWh on 11/25/2019, and the new system 22.9 kWh (+57%) on 11/26/2020. There are of course other variables, such as soot on the panels from the California wildfires this year.

It will take quite a while for the increased output to pay for the upgrades, of course, but much of that cost would have been incurred just as a result of the need to replace the roof. We are quite pleased with the performance of the new system.

September 8, 2020 / Jim Fenton

Line voltage fluctuations

Voltmeter showing 101.3V

This past July, we replaced our roof and at the same time updated our solar panels and inverter (I’ll write about the new solar equipment in the near future). I was monitoring the new equipment somewhat more closely than usual, and noticed on one warm August day that the inverter had shut down due to low line voltage. Having home solar generation shut down on a warm day with a high air conditioning load is the opposite of what the utility, Pacific Gas & Electric (PG&E), should want to happen. In addition to shutting down solar power inverters, low line voltage can be hard on power equipment, such as motors.

At a time when our voltage was particularly low, I opened a low line voltage case with PG&E. This resulted in a call from a field technician who told me several things:

  • PG&E has been aware of the voltage regulation problem in my neighborhood for some time
  • The problem is likely to be due to the older 4-kilovolt service in my part of town. Newer areas have 12-kilovolt service that would be expected to have about 1/9 the voltage drop with an equivalent load.
  • Another possible cause is the pole transformer that feeds our house and nearby neighbors that the technician told me is overloaded. [Other neighbors that aren’t as close are reporting these problems as well, so they would have to have similarly overloaded transformers.]
  • Line voltage at my home is supposed to be between 114 and 126 VAC.

Another technician from PG&E came out a couple of days later to install a voltage monitor on the line. But it occurred to me that I have been collecting data since 2007 from my solar inverter that includes voltage data. A total of about 3.2 million data points. So I thought I’d check to see what I can find out from that.

My data are in a MySQL database that I can query easily. So I asked it how many days there have been where the line voltage went below 110 VAC (giving PG&E some margin here) and the solar inverter was fully operating. There were 37 such days, including very brief voltage dips (<10 minutes) up to over 5 hours of undervoltage on September 2, 2017. The line voltage that day looked like this:

A more recent representative sample is this:

Part of my concern is that this problem seems to be getting worse. Here is a table of the number of days where <110 VAC lasted for more than 10 minutes:

Year                 Days with undervoltage   Undervoltage minutes
2007                 0                        0
2008                 0                        0
2009                 1                        14
2010                 0                        0
2011                 0                        0
2012                 0                        0
2013                 0                        0
2014                 0                        0
2015                 1                        19
2016                 1                        10
2017                 14                       1386
2018                 0                        0
2019                 7                        561
2020 (to June 30)    2                        160

And as I mentioned above, the problem seems to occur on particularly hot days (which is when others run their air conditioners; we don’t have air conditioning). Fortunately, the NOAA National Centers for Environmental Information provide good historical data on high and low temperatures. I was able to download the data for Los Altos and relate it to the days with the outages. Indeed, the days with the most serious voltage problems are very warm (high of 110 on 9/2/2017 and 100 degrees on 6/3/2020 shown above).

Does that mean we’re seeing purely a temperature effect that is happening more often due to global warming? It doesn’t seem likely because there have been very warm days in past years with little voltage drop. Here’s a day with a recorded high temperature of 108 in 2009:

My street, and the City of Los Altos more generally, has seen a lot of extensive home renovations and tear-down/rebuilds the past few years. The section of the street I live on, which has about 50 homes, currently has three homes being completely rebuilt and currently unoccupied. So this is only going to get worse.

The ongoing renovations and rebuilds in Los Altos are all considerably larger than the homes (built in the 1950s) that they replace, and I expect nearly all have air conditioning while the original homes didn’t. This is resulting in a considerably higher electrical load on infrastructure that wasn’t designed for this. While this is mitigated somewhat by the prevalence of solar panels in our area, the City needs to require that PG&E upgrade its infrastructure before issuing new building permits that will exacerbate this problem.

December 21, 2019 / Jim Fenton

Japan/Singapore Day 16: Zoo and Home

November 23, 2019

We thought yesterday was a long day. Today is literally a long day, as we will be flying east across the International Date line. But first, let’s go to the zoo!

After checking out of the Fairmont and leaving our bags with the Bell Desk, we made our way to the Singapore Zoo. This involved a longish subway ride, followed by about a 20-minute bus ride. As we approached the zoo, there was quite a bit of construction; apparently the zoo is expanding.

Greeting monkey

We bought the normal zoo ticket with a supplement to ride the tram to get an overview. As we entered, it seemed quite crowded, and Jim said to Kenna, “With all these people, the animals are all going to hide.” Just as he said that, a monkey appeared about two feet to his left. Obviously the animals here are used to people.

The Singapore Zoo has an excellent collection of animal species, especially (as you might expect) tropical animals that are comfortable in Singapore’s warm, humid, and consistent climate. They had quite a number of animals that I hadn’t encountered elsewhere. We particularly enjoyed watching the lemurs jump from branch to branch over our heads; they are so energetic!

A meerkat in its “manor”

After considerable walking around the zoo (in addition to the tram ride), it was time to make our way back to the hotel to get our bags and on to the airport. We were a bit too conservative on the time and arrived before the United ticket counter opened, so we found a restaurant serving local food for a last taste of Singaporean cuisine.

The return trip to San Francisco is considerably shorter in time than the nonstop from San Francisco to Singapore, owing to the prevailing winds on the route. Still, we had requested an upgrade to Business Class with a combination of frequent flyer miles and some additional cash, in the hopes that we could try out that experience. As it happened, we didn’t have quite the frequent flyer status to get upgraded, and did the flight in Economy Plus. At least we get the miles and cash we had offered for the upgrade back. It was a long flight, but tolerable.

It is a little strange getting back to a place where one needs to wear a jacket during the colder months. But it is, as always, good to be home.

This article is the final installment in a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 21, 2019 / Jim Fenton

Japan/Singapore Day 15: Gardens

November 22, 2019

Geylang Serai Market

Today was a long day for both of us. Kenna, especially, did a lot of walking. Jim was in meetings wrapping up his work at the conference. Kenna decided to start off the day by venturing farther out toward the east coast to the Joo Chiat or Katong neighborhood. The guidebook showed that there was a large market, a couple of temples, and some colorful Peranakan terrace houses there. It was also interesting because the MRT went above ground away from the center of the city. It was a more residential part of town with many high-rise apartment buildings. Kenna started at the Geylang Serai Market, a wet market and hawker centre as well as stalls to buy just about anything else.

After returning to the hotel for some lunch, Kenna decided to take a walk around Fort Canning Park. She had until now missed this large park in the center of the city. Some of the grounds were blocked off in preparation for a concert that evening, but there were exhibitions going on in celebration of Singapore’s bicentennial, the anniversary of Sir Stamford Raffles’ arrival in Singapore. One multimedia presentation had a timeline and pictures documenting the history of the land.

Gardens by the Bay

Once Jim got out of his meetings, we made our way to the Gardens by the Bay, adjacent to the Marina Bay Sands hotel. It was starting to get dark, so we had limited time to explore. There are two climate-controlled domes, the Flower Dome and Cloud Forest, which we did not explore, but we had plenty to see in the outdoor (and free) areas of the Gardens.

One of the iconic sights in the Gardens is a number of very tall artificial “trees”. These are lit at night, and soon after it got dark, a short light show to music was put on. It was opera night this evening. The lighting and the sound system were both excellent. We understand this is put on twice every evening; quite an undertaking but not to be missed.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 21, 2019 / Jim Fenton

Japan/Singapore Day 14: Old and New

November 21, 2019

Exterior of Baba House

Unable to go to the Peranakan Museum, Kenna went in search of another Peranakan experience. This is the heritage of her friend Liz, who is from Singapore, so she was a little more curious about the culture. She found and booked a tour of the Baba House for this morning. The house was the ancestral home of a Peranakan Chinese family known as the Wee family. It was built in 1895 and acquired by the National University of Singapore in 2006. Most of the first and second floors of the house have been restored. A large proportion of the furniture, pictures, and other possessions are original to the home. The third floor is a small museum of more objects and documents from around the turn of the 20th century. They have a lot of first-hand stories of the family history.

SkyPark infinity pool

After the tour Kenna went back to the hotel to meet up with Jim who had the afternoon off, so we could do some sightseeing together. We headed off to Marina Bay, walked through the shopping mall and had lunch, and then went to see the Skypark atop the 57th floor of the Marina Bay Sands Hotel. The S$26/person admission fee got us access to an observation deck at one end of the Skypark, but much of the Skypark remained off-limits to us and reserved for hotel guests, which is probably reasonable.

What a view from the top! We had a nearly panoramic view of the city and the harbor, which was full of container ships. From one end of the deck, we could also peek at the infinity pool being used by guests. Nearly all of them seemed to be taking selfies!

Following our visit we returned to our hotel to rest our legs and feet, and then returned to the Peranakan theme for dinner at the House of Peranakan restaurant a couple of blocks from the hotel. We shared a couple of traditional Singapore dishes, which was a change from the wide variety of non-Singapore food we had been eating.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 18, 2019 / Jim Fenton

Japan/Singapore Day 13: Museum and Gallery

November 20, 2019

Jim was off to more meetings this morning. Kenna had talked with her companion from yesterday about possibly visiting a museum together, but a family emergency caused Wendy and her husband to suddenly fly back home today. On her own again, and with rain having started last evening, Kenna decided that going to a museum was still a good idea. She had wanted to see the Peranakan Museum, but it was closed for renovation. She chose instead to start with the National Museum of Singapore.

This museum was originally the Raffles Library and Museum and is still housed in the original building from the mid-1800’s. They have recently added on a modern new space, only slightly modifying the old building to connect the two and preserve the historic structure. Kenna got there in time to join a guided tour in English. The historical exhibits are well organized and take the visitor through Singapore’s history, from the original settlers to the present day. There were also side exhibitions including one that is multimedia and another about growing up in Singapore in the 1950’s and 1960’s. It was interesting for Kenna to compare the items in that exhibit to her experience in the United States. When she went to leave the museum, the rain was pouring down but it soon let up enough for her to quickly make it back to the shopping area for lunch before setting out again.

This time she went over to the National Gallery Singapore. This is also in an historic building, actually two that are now combined with a new roof and bridges in between. There was an interesting exhibit about these buildings, which were the former city hall and supreme court, and how they have been transformed over the years including some of the renovations they had to do to stabilize them and make them one. Kenna enjoys art museums and this one was no exception. She was especially moved by a special exhibit of watercolors by the artist Lim Cheng Hoe. He was largely self-taught and painted mostly landscapes of Singapore from the 1930s to 1970s. Overall, it was a good day of learning about the history of Singapore and getting a better understanding of its diverse peoples.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 17, 2019 / Jim Fenton

Japan/Singapore Day 12: Ethnic Singapore

November 19, 2019

Tekka Centre Wet Market

Yesterday, Kenna and another spouse of someone attending the IETF meeting (or “companion” as we are called by IETF) made plans to do some sightseeing together. Wendy was still somewhat jetlagged so we decided to meet later, giving Kenna time to take care of a little more laundry she had to do. Most of our clothes could go to a full-service laundry but there were a few things that she wanted to hang to dry. She set out early for a self-service laundry she found a short subway ride away in the Chinatown district. After getting the load started there was time to do a little exploring. Unfortunately, the nearby wet (food) market was closed for a periodic cleaning. However, the Buddha Tooth Relic Temple, a large five-story temple, was interesting and had lots of statues, exhibits and places for people to worship. On the way back to the subway station, she was able to check out some of the shops that were now open.

Abdul Gafoor Mosque

Kenna and Wendy arranged to meet at Starbucks and from there they decided to walk to Little India. They used a walking tour they found in a guidebook and some ideas of other sights they had heard about to plan where to go. They were immediately impressed by how different this neighborhood was from other parts of Singapore. The Tan House was one of the first stops. It is not named for its color, because it is actually very colorful; it is named for the family who owned it. After that they wandered around the Tekka Centre Wet Market, which also has a large area upstairs with clothing and textiles. They then visited the Abdul Gafoor Mosque. They took off their shoes and wore appropriate covering to go in but didn’t stay long as there were many people having prayers. Later when they were outside again a pleasant gentleman greeted them and was helpful in explaining the mosque and answering any questions. They walked on to the Mustafa Centre, a multi-level superstore full of any kind of item you could think of, mostly imports from the subcontinent. They stopped at a nice Indian place for a delicious lunch. Then, as it was getting to be late afternoon, they moved on at a faster pace through the Kampong Glam district, a mostly Arab neighborhood, before returning to the hotel to freshen up for their evening activities.

ArtScience Museum light exhibit

After Jim was finished with his meetings, he and Kenna went to the IETF Social Event, held at the ArtScience Museum, an iconic flower-shaped building in Marina Bay. When we first arrived, it seemed the only thing to do was eat (although the food was quite good) and talk with colleagues (which is always worthwhile) but soon we discovered the doorway into the exhibit area. There were a number of rooms with different interactive art exhibits, most of which were very playful and fun. When we finished, we crossed over the Helix Bridge and back to our hotel.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 16, 2019 / Jim Fenton

Japan/Singapore Day 11: More Singapore orientation

November 18, 2019

While Jim spent most of the day in meetings, Kenna ventured out again to do some more sightseeing. Since she still had a few more hours left on her 24-hour hop-on/hop-off bus pass, she completed a route she started the previous day and then went on to take one more tour. The narration along the way was interesting, although sometimes repetitive when the routes overlapped. The background music got really old. With the heat and humidity in Singapore, sitting on the shaded upper deck of the bus was a good way to get around town to preview sights.

She was just finishing the last route when she got a text that the laundry was ready to be picked up. The place was on her way to the hotel, so she picked it up and headed back. She found some lunch at another restaurant in the basement of the shopping mall before finding a place to sit in the conference area to watch people, get caught up on some correspondence, and plan how to spend her time for the next few days. After being on the road and running around for more than ten days, it was nice to slow down for a while. She still has a lot of time yet to see more of Singapore.

CHIJMES Hall

When Jim was done with his meetings, we didn’t feel like venturing out too far for dinner. Fortunately, there’s an excellent “dining complex” (better than a food court!), CHIJMES, across the street from the hotel. CHIJMES (an abbreviation for Convent of the Holy Infant Jesus Middle Education School and pronounced “chimes”) is a former convent much of which has been converted into a collection of upscale restaurants. We had tapas at “The Winery” which, along with a great view of the chapel, was just what we needed.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.

December 15, 2019 / Jim Fenton

Japan/Singapore Day 10: IETF Begins

November 17, 2019

Before Jim’s meetings began today, we located a nearby laundry where we were able to refresh our clothes of the past week. It wasn’t exactly cheap, but definitely less expensive than the hotel.

Botanic Garden

Jim headed off to meetings for the afternoon while Kenna began taking tours on the hop-on hop-off bus around the city. These buses have multiple routes in Singapore because there are a lot of different areas to cover. She started with a route that took her through some of the ethnic districts near the center of the city and then took a route that went to toward the Botanic Garden where she got off to look around. The gardens were lush and very calming, although busy on a Sunday afternoon. She found a place to get some satay for lunch and then walked around (getting lost for a while) before catching the bus to get back toward the hotel.

In the evening, we joined up to go to the IETF opening reception. This is always enjoyable for Jim as he gets to see many old friends. Kenna also connected with a few people she has met before as well as meeting some new people there.

This article is part of a series about our recent travels to Japan and Singapore. To see the introductory article in the series, click here.