Google Reportedly Disconnecting Employees from the Internet

Supposedly Google is starting a pilot program of disabling Internet connectivity from employee computers:

The company will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail. Some workers who need the internet to do their job will get exceptions, the company stated in materials.

Google has not confirmed this story.

More news articles.

Posted on July 24, 2023 at 7:09 AM • 31 Comments

Comments

Ted July 24, 2023 7:50 AM

Coinciding with the rollout of AI tools…

It makes sense. There are currently efforts underway to prevent outside parties from illicitly acquiring important technologies.

This restriction also parallels NSA/CISA/ODNI guidance for secure software development. From Section 2.2.3 Secure Development Practices:

In addition, all development systems must be restricted to development operations only… If possible, development systems should not have access to the Internet and may be deployed as local virtual systems with host-only access.

JonKnowsNothing July 24, 2023 8:19 AM

Air Gapping a network the size of Google is not going to be easy nor will it be successful. Today’s workers cannot survive without access to the internet; companies have well indoctrinated the population as to the necessity of full on demand access.

It’s not even really air gapping but a poor attempt to prevent insider-outsider influence. When companies pull out rules like No Sit Down and remove all the chairs it is not about security.

Years back, there were attempts to block chat-apps, when these were first available. Blocking them on the corporate network didn’t work then either. Today, people carry a fully featured computer with them and maybe forcing that into airplane mode within a building, companies can block them within a perimeter range.

Even hospitals have given up on blocking cellphone connections. The hospitals get too much value from open access. MDs now have to answer more than a few devices besides a pager. Patients and relatives can communicate directly without constantly bombarding the hospital switchboard or paging the Attending to get updates.

Many people carry more than one device now since they are so cheap and telecom companies bundle multiple devices on a discount plan.

In Tech-Sweat Shops, people are monitored constantly for all sorts of metrics. These workers don’t have much access or time for access “to waste employer’s money” by checking the weather app.

So, who is the intended target for a crackdown?

  • My SWAG is: UNIONS

The USA has an enormous fear of unions and the power of workers to: STOP WORKING. Scares the B-Js out of some Economic Adherents.

It’s really an indicator of desperation rather than technical innovation.

anon July 24, 2023 8:20 AM

I am told this story is being widely misreported, and that the key words to focus on are “select desktops”, i.e. this is a focused policy and is not targeted at MacBook and Chromebook users at large

Clive Robinson July 24, 2023 8:22 AM

@ Bruce, ALL,

“Supposedly Google is starting a pilot program of disabling Internet connectivity from employee computers”

Sounds like a sensible idea from both the,

1, Security
2, Productivity
3, Profitability
4, Risk

Aspects of work.

The fact is “Internet Connectivity” for the majority of employees is at best a distraction, at worst a ticking time bomb of nuclear proportions that can fell the entire operation in minutes.

By “Internet Connectivity” I mean communications beyond direct organisational control. Which includes any and all external Email, Messaging, Collaboration, and Cloud Systems.

As I’ve said before, one of the first questions I ask is,

“What is the business case for this computer to have external communications?”

You’d be surprised at how many times there is not one and after prompting it boils down to something like “Because…”,

1, Everybody does it.
2, It might have benefit.
3, It’s what they said in business classes.

For those that have not had the opportunity to get their nose off the grindstone and do a “Headsup look around” we are unsurprisingly heading into an economic recession some say we are already,

“Deep in the doo doo!”

So effective and/or profitable productivity is rather more important than it was just a year or two ago. So workplace distractions and non work related costs need to be minimized to enable this.

As a side note, effective useful productivity went up with “homeworking” which tends to suggest the number of unproductive distractions in the work place is way higher than most business operators realise.

Thus “The Great Bring Back in office” of employees is probably the worst business move anyone can make this year…

Winter July 24, 2023 8:54 AM

Google Reportedly Disconnecting Employees from the Internet

An Internet company creating Internet software disconnecting their employees from the Internet.

That is like KFC or McDonald’s requiring their employees to eat only plant based foods, for health reasons.

Winter July 24, 2023 8:59 AM

I see that The Register has said it much better:

World’s most internetty firm tries life off the net, and it’s sillier than it seems
What do you call an air-gapped Googler? Anything you like, they can’t hear you
https://www.theregister.com/2023/07/24/google_air_gap_comment/

The ultimate reason is the ultra-dense irony of Google trying to cut itself off from the internet. It’s so concentrated it collapses in on itself to a singularity of self-contradiction. No company has done more than Google to make our lives at work and outside completely dependent on the internet. Try turning your computer’s network off and see how far you get. Unless the modern workplace is completely reinvented, cutting off the internet is cutting off the work.

Chris Becke July 24, 2023 9:16 AM

@Clive Robinson:

There is no business case for allowing employees to have peripheral vision either.

Clive Robinson July 24, 2023 9:21 AM

@ Winter,

You beat me to posting Rupert Goodwins’ comment / counter points.

But care needs to be exercised on reading it.

The presumption Rupert has is that “data is being worked upon” rather than “data is being created” or “Data is being consumed”. Thus his view is data has to “flow in” as well as “flow out”.

Whilst what Google has said is a little “airy fairy content lite” details wise, I get the feeling it is being trialed on “creatives” thus the data is “flow out”.

SchneierReader July 24, 2023 9:26 AM

This makes no sense. The internet is an invaluable resource for trouble shooting issues. Solving problems without the internet would be orders of magnitude slower.

Google should understand this better than most as they make the search engine that helps others troubleshoot issues. I can only presume this policy is more limited in scope than what it initially appears.

modem phonemes July 24, 2023 9:51 AM

Dataset of 1 point: working in a large technological computing company, we used the internet 99% for recreation, and perhaps 1% for convenient on the fly technical reference lookups. It was understood by all that outside internet was not essential and was essentially a distraction.

Winter July 24, 2023 9:52 AM

@Clive

Thus his view is data has to “flow in” as well as “flow out”.

Indeed, and we would expect a layered approach, aka, defense in depth.

I assume Google knows very well that, as you once posted:

The only secure computer is one that is turned off, had all connections removed, embedded in several tonnes of reinforced concrete and dropped into the deepest sub sea trench on earth at Challenger Deep in the Mariana Trench. Where no man could reach it.

So I assume they will select some computers for which it makes sense to decouple them from the wider internet. I do not expect Google to want to reduce the productivity of their personnel by disconnecting them from the one resource they need to do their work for Google.

No July 24, 2023 10:49 AM

Basically this is getting taken wildly out of context. My build/dev VM doesn’t need general internet access. My thin client laptop with Internet access is fine. I can still copy and paste off of stack overflow just like before. I’m enthusiastically in favor of this policy.

MBW July 24, 2023 11:12 AM

Seems to me that the missing part of this story is that every employee has a cell phone that’s capable of reaching the internet, regardless of what Google does with their desktop.

JonKnowsNothing July 24, 2023 1:17 PM

@Clive, All

re: Who ARE the workers?


@C:

“Internet Connectivity” for the majority of employees is at best a distraction, at worst a ticking time bomb of nuclear proportions that can fell the entire operation in minutes.

“Internet Connectivity” I mean communications beyond direct organisational control. Which includes any and all external Email, Messaging, Collaboration, and Cloud Systems.

“What is the business case for this computer to have external communications?”

The above is a selection of comments you make on a regular basis and taken AS IS FACE VALUE are not incorrect, there is however an underlying bias in these commentaries.

1) Business case is something used in Universities to teach statistical and mathematical modeling for analyzing how a business performs financially and to apply statistical modeling to forecast future probable outcomes.

It is not a de facto ruling of how to run a business. Lots of businesses run without an iota of Business Case statistical modeling. Loads of businesses spend huge sums running modeling criteria on every aspect of their enterprise. None have a de facto outcome for How To Run A Business.

You seem to apply this term in a somewhat derogatory sense as if a worker, regardless of their work, needs to justify their existence.

It is not the worker that needs to justify their existence, it is the employer that dictates what the work is and demands-requires the worker to do it as directed by the employer. Workers comply or find another place to work.

2) You apply the term “distraction” in the same sense as “Avocado Toast” and “Spoilt for Choice” is used by others. The concept that abounds in some economic theories that Every Worker Is A Shirker taking My Money and Workers do not give Value for Money.

For every point there is a counter point of course. And there are plenty of people who do not drop dead from work while others pull extra loads to make up the quota. It might be statistically safe to say that

  • a) If every worker is actually a shirker, no work would ever get done.
  • b) If any work gets done then a) is false

3) Business organizations are set up by business owners or the directors of the business. Workers have almost no say in how a business runs or how it conducts business day to day.

Businesses are not there for the benefit of workers, they are designed for the benefit of the owners. If the owners find benefit in The Cloud, they will use the Cloud. If the directors find benefit in Outsourcing and Offshoring they will do that. Workers have no inputs to these decisions. There are pallid attempts to get Worker Input To Corporate Directions under the false assumption that workers are a benefit to the owners and should have some inputs into how to do their assigned tasks faster, better, cheaper and with merited wage increases. Workers are only indirect methods for making profits and profits go to the owners.

So, business owners make the decisions about how things run, when things are done, what funds they inject into the business and what sort of actions the business will undertake.

4) There is a false sense of longevity to all business activities: that they will be here tomorrow. On this presumption workers take up positions on the assumption that tomorrow will be the same as today and work will continue.

We know that this is not the case but is a persistent view point in both management and workers as well as governments and economic forecasts. There are all attempts at keeping things “as is”. That doesn’t mean a business failure is a problem as long as it is not all businesses. Even wars on small scales don’t alter this view, unless you are the one in the war zone and the factory was burnt to the ground. Some other factory somewhere else will take this new business opportunity and some other worker will take your job.

The overarching problem of security has to do with stability and not quite so much with whether workers are distracted by an incoming PING from a customer sending an order in from their smart phone or fielding the vast number of incorrect billing issues generated each monthly billing cycle.

  • If the billing was correct, businesses wouldn’t need 365x24x7 billing inquiry departments with global language translators.

Computer Security for the most part is a 100% failure in coding. The failure of the code design is a failure to understand the weaknesses in the initial designs and how the implementation is a failure that goes on creating insecurity, now at a global scale. Businesses use computer insecurity to their advantage too.

A simple business case model runs nearly all business decisions:

  • Cash is King: A dollar today is worth more than a dollar tomorrow

RL anecdote TL;DR

At one of those character building jobs you get before you know better, I was given the task of adding up all the daily receipts for company sales from multiple outlets and to subtotal different aspects of the receipt. This was before computers and before PCs and before spreadsheets. I was given a very old hand crank adding machine.

  • Punch in the number, pull the crank, listen to the gears rotate as the numbers crunched and spit out a result

The previous lucky recipient of this task took 2 weeks to make all the tallies. Tedious work but I managed to do the job in 5 days.

I realized that most of the time was spent waiting for the gears to rotate on the calculator. I asked a number of the other office workers if I could borrow their faster calculators for the task and no one would let me use theirs even though they were not using it at that time.

I requested the SrVP to get me a better calculator so I could complete the job quicker. My estimation I could finish in 2 days.

It wouldn’t be a good war story if you can’t guess the answer.

The savings of the extra days was immaterial. My salary was fixed. The ROI on the calculator outweighed the value of my time.

Anonymous July 24, 2023 1:38 PM

This is a wholly reasonable approach, one that more companies should take. Since I don’t know the exact details of what they are doing, I can’t comment on them. But I work for a company that makes very high tech very mission-critical things in worldwide use. Many of us work from home. Our laptops have full internet access which is OK. But to get to almost anything inside the company, we have to connect via a very secure firewall/VPN. Once inside this company, the network is segmented into several security rings. There’s the mostly public stuff (intranet home page, non-sensitive Sharepoint sites, etc). To get to anything even remotely more interesting, there’s the first ring of firewalls I have to connect to via a secure client. That lets me onto our Unix/Linux servers with some tools and stuff. The next ring is engineering access, but only outward facing. I can look at some code using search tools for example. But to access repositories, check out and copy code, I need to get into the inner ring with another firewall. The hardware tools have their own rings. And each ring has a whitelist of people who are actually allowed in.

Do I miss the days of mounting a code repository right on my laptop via shared drive? Yes. But I understand why that’s not a good idea; the laptop is child’s play to hack into. The concern is not that they could see the internet (via cell phone for example), but that their laptop could be compromised externally and used to tunnel in to the good stuff.

JonKnowsNothing July 24, 2023 2:58 PM

@Anonymous

re: reasonable approach v useful approach

Restrictions work only if there are Zero Exceptions. Once you have an Exception to the Rule, your Rule is broken. Broken Rules are Rules that no longer Work As Intended.

lurker July 24, 2023 3:02 PM

It seems G is removing internet access and sudo from the selected desktop machines. Those employees however can still use their laptops and smartphones. So it could be just another inhouse experiment by G to measure the leakage impedance of wetware.

Clive Robinson July 24, 2023 3:27 PM

@ Chris Becke, ALL,

Re : A horse or oxen by any other name.

“There is no business case for allowing employees to have peripheral vision either.”

And we tried stopping it with pack animals and found it had a very major series of downsides. Which is where the common expression “blinkered vision” comes from. It robs of situational awareness and it’s a danger to not just the force multiplier “pulling their weight” but the operator guiding them.

So we know that “peripheral vision” is fairly essential for good order and productivity.

If you ever lose part or all of your vision suddenly you go into a mental disease state only some of which looks like depression. It’s why putting a bag over someone’s head is used as a significant form of torture.

As a teenager at school an incident in the metal workshop caused me to have my dominant eye bandaged for three days, it was a very unpleasant experience. Yes you get used to it and you find a new mental equilibrium but it’s not at all nice as you transition. Because amongst other things you get strong feelings of helplessness and despair which means your ability to function is grossly impaired.

@ JonKnowsNothing, Chris Becke, ALL,

But few realise that most humans are not employed to do “work efficiently” they are employed for two reasons,

1, To keep them from creating trouble.
2, To try to harness their creativity.

Humans are basically creative, and mostly they want to create “good” not “bad” as that is what makes them socially acceptable.

If humans are not allowed to be creative in what we think of as a “good way” we become creative in other ways, that whilst they might be good for society are not good for the employer, and in other situations dangerous to society, especially those in the mistaken belief they run it.

The problem is the one thing most are creative at and want to trade with others is “emotion” which is not that marketable as a product. Because it is a thing of the mind, that is not physical or tangible. The nearest we get is to impress the information about the emotion inadequately on a physical object and we get art and literature, and stored and communicated knowledge, to use to be more creative with. That is what society is actually all about. The creating of tradable goods is just a side effect of trying to improve our ability to have creative emotions.

The thing is most of us live by trading what we create. The trades very often do not involve money because they are very local, and we call it a “social life”. As trades get more distant some physical system is needed to carry them out. A side effect of which is tokens of exchange we chose to give negotiable value to.

There are a lot of things in my house, I have not gone out and purchased, I’ve traded for them. My extra large bath, came via a friend who was doing a hospital refit. The taps on it came from another friend who needed some electrical wiring done in their home. I used to go help the local shop move through all the sacks of vegetables and in return for a little of my time I had a lot of vegetables that back when I had neighbours that were not transitory I used to trade the vegetables with them for pantry items. I also went to the local market to grab their vegetable off cuts they would otherwise have to pay to have taken away. These I used to feed my “live stock” with that in turn got traded with the local game dealer for other things. Which in turn by the process of charcuterie became valuable trade items. I also made preserves and flavoured oils and alcohol. As you can imagine I was quite popular at festivities, and not just for my tireless dancing.

I was young healthy and life for me was very good. My big expenditure then was on “knowledge” via books and the like which I used “in my professional life” the 16-32hours a week I was “working” or “researching” by most peoples rather odd view on life.

Sadly and especially in some parts of the world we have become “enslaved by product” we yearn to create but are forced to sublimate it via needless acquisition… Happiness is not acquired through a catalogue of goods, or faux social interaction of purchasing a moment of a merchant’s time.

The reason humans create is to “feed forward” in society, to improve it. For many that is by making friends and family happy, the trades are small but almost constant. As we get further apart in space and time our relationships change and we try to maintain or keep them via technology and physical objects we imbue the characteristics of the original owner with or remember them by.

I have a small stuffed toy, that my grandmother gave me when I was born. I look at it and I remember her, the same with other objects like my father’s glasses. They have no financial value, but emotional?

I have most of what I need or will want for the rest of my life, but I still create, not just for those around me, but for as many as I can provide information and the products of my creativity. The trade I mostly ask for is that they in turn feed it forward so society in part or whole gets moved forward for others’ benefit.

When I was young, I was told the true mark of a man was through those who remembered his kindness, his help, and his understanding and had helped their lives be in a better place.

Something all too many of us are pushed into ignoring or treating with scorn…

Clive Robinson July 24, 2023 4:03 PM

@ Winter,

Re : It’s been updated…

“I assume Google knows very well that, as you once posted”

I guess you had a little fun finding the quote.

Unfortunately it’s the old one…

Some bloke, actually got down there and spoiled the joke…

But the point that most are missing is it’s a “work desktop” and that there are three basic types of work flow process,

1, Source (data “flow out”).
2, Filter (data “flow in2out”).
3, Sink (data “flow in”).

How your job aligns with those basic processes says what your data direction needs are. But also less obviously the distinction between organisational data you work on and other data you use to work with.

Those whose jobs are mainly “creative” align mainly with the “source process” their Internet access “On their desktop” is minimal or non-existent. Thus the data flow from that computer is “out” not “in”. The non organisational or other data they need is for them not the desktop. So they can read/view it on another device that is effectively “air gapped” from the “desktop computer”.

I’ve mentioned before I’ve worked this way for more than most of this century so far. That is the computers under “my control” are rather more than “air-gapped” (and I’ve described how in the past). My personal Internet usage –of which this is part of– is by a mobile “smart phone” which I mainly use for reading PDFs and typing up short notes to SMS/message etc. I assume that anything I use it for will be known by others AND will be made available and have done since I started using phones and developed many many ways to eavesdrop on them to earn money professionally. I also assume that someone can and will try to use it as a “bridge across the gap” as I had worked out and put up on this blog ways to do it, long before Stuxnet became news. My reason was to show why voting machines that are lauded as “air gapped” could easily be got at through a repair technician’s laptop… Sounds trite now, but way back then was considered by gurus and the like not possible or I was paranoid… (If I’d had a penny for each time I got told that “expert” crap, I’d own most of the world’s copper 😉)

Clive Robinson July 24, 2023 4:44 PM

@ JonKnowsNothing,

You and I mostly agree on what you are saying, but our audience?

I was once told,

“You only put on a little polish then rub it in if you want a brilliant finish”.

Same with the audience, just a drop then rub it in, then a drop more.

I said this to my son one day when he was a young teenager and getting upset about a rather nasty piece of political coprolite on BBC Radio 4. I’d said “you’re preaching to the converted” but it did not simmer him down…

On being told the polish story he came back with,

“Dad, it’s why we say ‘polish the turd’.”

And I thought “you are growing up too quick or I’m getting too old”.

Ted July 24, 2023 6:44 PM

@anon, lurker, Anonymous, ALL

@anon: the key words to focus on are “select desktops”

Heather Adkins, Google’s Security VP, backs that up.

Heather tweeted (X’ed?) that the test will only affect “a small # of very specific machines” and testers will have internet access on other devices.

Another Reg article.

lurker July 24, 2023 7:19 PM

@Ted, ALL

This operation is variously described as a “test” or “trial”. I suspect G is using it to find out what workarounds affected employees will devise, and how well those work.

Note also that G is removing root access for normal users (sudo or admin) on the test machines. This could slow ingress for some classes of attack*, but (how) will it slow normal work? And what bypass will be devised?

(*) Attack is always possible without internet: Stuxnet, Evil Maid, &c.

Clive Robinson July 25, 2023 5:47 AM

@ lurker, ALL,

Re : Removal of tools.

“Note also that G is removing root access for normal users (sudo or admin) on the test machines.”

Removing executables or removing access by changing permissions?

It’s not clear from the little I’ve seen, and it makes a difference for some attacks[1]. One downside for instance, is to prevent some types of attack you may lose some “on-system” logging.

Which is why, your two questions of,

“but (how) will it slow normal work? And what bypass will be devised?”

Can not be precisely answered.

So it’s best to split the system users and functions by their intended “roles” and work out how to (re)move the privileges required and cull quite a few (is printing required? etc).

If you really strip back as quite a few “embedded system” designers do you will end up with a few megabytes at most on the “needed” side and hundreds if not more on the “unneeded” side with most *nix systems.

You can do similar with current MS-OSs but MS try every which way to stop you doing it either easily or conveniently including withholding information. Which effectively makes all MS-OSs you come across these days as “Deliberately Insecure By Design” which from my point of view makes them only “fit only for the trash bin” or running in tightly controlled “jails”[2].

But MS are not alone Corporate IBM has a history of stealing the work of others –including some of mine– and worse[4]. Unfortunately the GNU Linux community by and large has sleepwalked into a trap[3] that the likes of MS, IBM and other corporates will abuse one way or another, just as the “Social Media Suspects” and similar Silicon Corporates are already doing[5].

In ICTsec we tend to “look down the stack” not “look up the stack” to what are called by some “Levels 8 to 13” (referring to management, corporate, regulatory, political, legislative and treaty levels). Which means we tend not to see “incoming” till they have laid waste to what we are trying to achieve.

[1] It’s actually simpler on “older linux” boxes, and it was kind of like building a chroot() jail in reverse. You work out what you need to keep for the “ordinary” or lowest “run time” privilege level you need and delete everything else from the admin etc directories. Obviously this “breaks the box” so first you copy the required “full” directories to a removable drive and then “mount them over” the “ordinary”/“run time” level directories when you need to do anything at higher level.

Fun fact Solaris can be set up so that you can even remove init()… Not tried the equivalent on other *nix.

[2] Yes, I know it’s not a popular view, but the current leadership of Microsoft “went rogue” some time ago and now treat all their users and what they do / create as “MS’s” to do with as they please. For those who don’t believe this, try installing just the Home user OS and Office without any “connectivity” as you might want to for your child to do homework etc. You can do it but you have to know a lot of things including the all important order you do them.

[3] As far as I’m concerned the loss of 32bit CPU support and the jump to the perversion that is systemd ruined Linux and your ability to be secure on-line. To see why just search for systemd on-line and you will find things like,

“Red Hat is the inventor and primary booster of systemd, so the best distros for playing with it are Red Hat Enterprise Linux, RHEL clones like CentOS and Scientific Linux, and of course good ole Fedora Linux, which always ships with the latest, greatest, and bleeding-edgiest.”

Which was true, but then Corporate IBM suits walked through the door and they have a serious case of “What is yours is ours, and what is now ours is closed off”. As you can see with other searches that throw up the recent likes of,

https://www.theregister.com/2023/07/07/red_hat_open_source/

https://www.theregister.com/2023/07/10/oracle_ibm_rhel_code/

[4] IBM has a long and nasty set of behaviours one story was what they did to Sun, they basically walked in the door and demanded money with menaces, and when rebuffed just came back with other threats. Then they did similar to hardware developers back in the 1980’s,

https://techmonitor.ai/technology/ibm_demands_patent_royalties_from_all_makers_of_risc_processors

And still do similar today…

[5] Fun factoid, the current US Executive kind of insisting on “Software Bills Of Materials” has caused quite a few people to be upset… by revealing that the Corporate “Wood-pile” is mostly not owned by the suits as they thought and the little they do think they own are effectively “for the look of it” so more surface “brush wood” or “kindling” than useful “firewood”.

Steve July 25, 2023 11:30 AM

After reading the various coverages, I personally conclude that this story is what the word “meh” was made for. . . or as Willie the Shake titled it Much Ado About Nothing.

Your meh-lage may vary.

Phillip July 25, 2023 1:39 PM

Interesting. My Android does not yet support disable notifications with, say between 9am and 6pm. So yes, one might wonder what is going on here.

lurker July 25, 2023 3:53 PM

@Clive Robinson

I haven’t seen any firm evidence of how they’ll do it, but I’m guessing they’ll take a quick ‘n dirty first step:
sysadmin removes the user from group [wheel | admin] plus optionally any other groups that have root access to hardware or processes.

Doing it at the user:group level leaves the desktop box still in “standard” configuration for other users.
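An added example, not part of lurker's comment and not anything Google is known to use: a read-only audit of which accounts sit in root-equivalent groups, run before and after a removal like the one described above. It also catches accounts whose *primary* GID is a privileged group, which never appear in the member list of `/etc/group`. The group names beyond `wheel` and `admin`, the `approved` mapping, and the sample file contents are assumptions constructed for illustration.

```python
"""Audit membership of root-equivalent groups (added example)."""

# Assumption: "wheel" and "admin" come from the comment above; the other
# names are common root-equivalent groups and must be adjusted per distro.
PRIVILEGED_GROUPS = ("wheel", "admin", "sudo", "disk", "docker")

# Constructed sample data in /etc/group and /etc/passwd format.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
admin:x:115:
disk:x:6:backup
docker:x:998:bob,carol
users:x:100:alice,bob,carol,dave
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
dave:x:1003:10:Dave:/home/dave:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""


def _records(text, field_count):
    """Yield colon-split records, skipping blanks, comments and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == field_count and fields[2].isdigit():
            yield fields


def parse_group(text):
    """Return {group: (gid, [supplementary members])}."""
    return {
        f[0]: (int(f[2]), [m for m in f[3].split(",") if m])
        for f in _records(text, 4)
    }


def parse_passwd(text):
    """Return {user: primary gid}."""
    return {f[0]: int(f[3]) for f in _records(text, 7) if f[3].isdigit()}


def privileged_members(group_text, passwd_text, privileged=PRIVILEGED_GROUPS):
    """Map each privileged group present to {user: membership kind}."""
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    report = {}
    for name in privileged:
        if name not in groups:
            continue
        gid, members = groups[name]
        found = {user: "supplementary" for user in members}
        # Primary-group membership lives only in /etc/passwd and survives
        # removal of the user from the group's member list.
        for user, user_gid in primary.items():
            if user_gid == gid:
                found[user] = "primary"
        report[name] = found
    return report


def to_remove(report, approved):
    """Return sorted (user, group, kind) for memberships not in `approved`."""
    return sorted(
        (user, group, kind)
        for group, members in report.items()
        for user, kind in members.items()
        if user not in approved.get(group, set())
    )


if __name__ == "__main__":
    report = privileged_members(SAMPLE_GROUP, SAMPLE_PASSWD)
    # Hypothetical policy: only these accounts keep privileged membership.
    approved = {"wheel": {"alice"}, "disk": {"backup"}}
    for user, group, kind in to_remove(report, approved):
        print(f"{user}: {kind} member of {group}, not approved")
```

On a real host the two strings would be replaced by the contents of `/etc/group` and `/etc/passwd`; accounts served from LDAP or another directory do not appear in those files and need a separate check.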

JonKnowsNothing July 25, 2023 6:06 PM

@All

re: Removing Access

Some years back, I was requested to remove access to some network features. There were different paths depending on WHO the person is in the hierarchy

  • Quarantine or Remove specific programs. Harder to do today with so much interconnection but if the user doesn’t need email, rip email out of the configuration
  • Set up Barricades with Lists for Access. Depending on how many are on the In and Out listing determines how much work the list is to maintain. Now such lists are Drag N Drop.
  • Use Multiple Forts with different types of software in each fort. Use a No Display Fort if you are not on that good list then the Fort never shows up on the radar
  • Blockade everything with default being NONE.

Such lists and programs get hard to administer when you are running huge scale systems. Adding and Removing people from different sections, maintaining the software and making sure a “default software update” does not bork the config. Modern software by default is Include All Allow All.

  • How many people set up Win$$$ with multiple accounts for themselves? With access restricted to different logins?

Most everyone runs under the start up configuration of Admin. They never setup secondary accounts for separation. Loads of software require Admin to run and Admin to install and Admin to update. It’s just easier if they use the Admin Account by default.

You will know when you hit a nerve, when someone starts to Make A Loud Noise that they cannot access something they used to have access to.

  • It’s easier to never have given access than to remove it later

Consider:

  • Would you want to be the one that removed Google from a Google Exec on the basis they have no need to use the internet to find their next island to purchase?
  • Would you want to try to remove Hellon from smack-talking on X-Bird-X because he doesn’t need to bother the world with what he thinks and should be doing his D2D job?

Nope, BTDT.

Workers get no say in what they have access to but if you try to take Solitaire away from the CEO all heck breaks out.

Clive Robinson July 25, 2023 6:28 PM

@ lurker,

Re : Who do you wish to deny?

“I haven’t seen any firm evidence of how they’ll do it, but I’m guessing they’ll take a quick ‘n dirty first step:”

And that’s where most will trip over and do a squishy nose on the pavement impersonation.

The goal to be denied is some form of privilege from which to gain ground.

In effect there are two basic types of user,

1, Unauthorised.
2, Authorized.

And they can be,

3, Unprivileged.
4, Privileged.

The aim of an attacker is to get to 1/4 or 2/4 from either 1/3 or 2/3.

But if you remove privileged programs then privilege is for nought. They stay in the equivalent of 1/3 or 2/3.

Further if you then structure the system correctly a user who is 2/3 in a limited area can only go to 1/3 outside of that area.

Thus you have forced all user processes to be constrained both vertically and horizontally.

Doing that is almost trivial compared to stripping system services down many of which have to start privileged to gain access to certain resources then drop the privileges.

We have however known how to deal with this issue for oh five decades at least. Which is have a privileged server sort out the resource privileges and then hand them over to the service. Having set services up in low privilege quiescent mode the server can remove itself as well as activate the services.

That way if a service dies, it remains dead until a full reboot, because the server is gone neither they nor an attacker has access.

You can do this sort of trick with an encrypted file system. The key is needed for boot, but when booted and the services are started, the drive that holds the programs gets unmounted and the crypto key held in Core RAM gets overwritten. To reboot, the key has to be made available, which might be problematical for a server box, but not for a personal desktop and a keyboard with a crypto-ignition Smart Card reader in it. The user just plugs in the card and hits the reboot sequence start, then pulls the card from the reader when prompted.

The idea is simple enough, unfortunately software is usually written with the assumption of it having high privilege that it then voluntarily drops after it initializes… As I said the software can be written differently if it’s open source but probably not if closed source. We need to re-write to get assured levels of privilege, this has been done in part for other reasons, but we need to do it better.

Bad as *nix is at file system and process handling, it’s a lot better than MS’s basic offerings…
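
The handoff described in the comment above (a privileged process obtains the resource, passes it to a low-privilege service, then removes itself), as an added C example that is not part of the original comment. It uses Unix-socket descriptor passing (`SCM_RIGHTS`) as one way to do the handoff; `send_fd`, `recv_fd`, `handoff_demo`, the `/tmp` path and the file contents are constructed for illustration, and both roles run as the calling user here so it needs no root.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

union fdmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Broker side: hand an open descriptor across a Unix socket (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char tag = 'F'; union fdmsg u; memset(&u, 0, sizeof u);
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd); memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Service side: receive the descriptor; -1 if none was attached. */
static int recv_fd(int sock) {
    char tag; int fd = -1; union fdmsg u;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (c && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Returns the bytes the service read through the passed fd, or -1. */
int handoff_demo(char *out, size_t cap) {
    int sv[2]; pid_t broker;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (broker = fork()) < 0)
        return -1;
    if (broker == 0) {                       /* broker: the privileged role */
        char path[] = "/tmp/handoff-XXXXXX"; /* constructed resource */
        int fd = mkstemp(path), bad = fd < 0 || unlink(path) ||
                 pwrite(fd, "secret-config", 13, 0) != 13;
        _exit(bad || send_fd(sv[1], fd));    /* broker removes itself */
    }
    close(sv[1]);
    int fd = recv_fd(sv[0]);                 /* service: the unprivileged role */
    waitpid(broker, NULL, 0);                /* broker is gone from here on */
    ssize_t n = fd < 0 ? -1 : read(fd, out, cap);
    close(fd); close(sv[0]);
    return (int)n;
}
```

Because the broker unlinks the file before exiting, the service holds the only remaining reference to it; if the service dies, nothing left on the system can reopen the resource.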

Roger A. Grimes July 26, 2023 4:11 AM

For environments needing it, severely lock down the work image and do a red/green type of deployment. You can do it seamlessly using QubesOS. One desktop, hardware-hypervisored, users don’t know the difference.

Clive Robinson July 26, 2023 7:02 AM

@ Roger A. Grimes, ALL,

“You can do it seamlessly using QubesOS.”

You can do it with most modern *nix based OS’s including MacOS if you want to.

The longterm problem with QubesOS[1], like Plan9 and similar, is they are not “mainstream” so won’t get sufficient market penetration to become “mainstream”… arguably some have not made it out of “hobby” into “niche” or “wall flower” status.

It’s a conundrum I know, but it’s also the “Reality of the herd”. People “Run with the bulls” even though it’s one of the more stupid things they can do…

[1] Another issue is despite the name QubesOS is not an OS. It actually runs on top of “Redhat Linux” by choice (other linuxes with some effort). The problem is Redhat no longer exists except in name, it’s part of IBM and they have decided to make RedHat Linux effectively “closed source” to they think increase revenue. What effect this will have on QubesOS is unclear currently. But history shows it would be wise for them to completely “jump ship” to other distributions as IBM are almost inevitably going to kill RedHat in their corporate blunderings… Look at AIX that’s effectively no-more. Look at Sun/Solaris, Oracle have effectively killed that. What about UnixWare? and all the other corporate *nix’s? Shall we sing a verse or two of “Where have all the flowers gone”?
