Google employees are to be protected from themselves. In what’s being described as a pilot program, they’ll lose internet access at work and/or root privileges.
The idea is to stop break-ins by bad actors. In this week’s Secure Software Blogwatch, we try not to imagine the horror.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Phoebe Sanders.
The future of zero trust?
What’s the craic? Jennifer Elias reports — “Google restricting internet access for some employees”:
“No root access”
Google on Wednesday is starting a new pilot program where some employees will be restricted to internet-free desktop PCs. … The company originally selected more than 2,500 employees to participate, but [will] allow employees to opt out, as well as opening it up to volunteers. The company will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites.
Turning off most internet access ensures attackers cannot easily run arbitrary code remotely or grab data. … Some employees will have no root access, meaning they won’t be able to run administrative commands or do things like install software.
Why now? Pete Syme thinks he knows — “Google is asking a group of employees to work without internet”:
“Strengthen our internal systems”
Google is likely to be more concerned about security as it pursues US government contracts, with last year's announcement of a new division called Google Public Sector.
"Ensuring the safety of our products and users is one of our top priorities," a Google spokesperson said. … "We routinely explore ways to strengthen our internal systems."
It’s a radical move. But Rakia Ben Sassi stands and claps — “Is our constant connectivity a boon or a bane?”:
“Less is more”
The decision to return to the origins of office computing in a world defined by relentless connectivity might seem counterintuitive. … However, Google’s radical move in the very fabric of modern work culture deserves applause. As a seasoned software engineer, I understand the urgency of safeguarding sensitive data from lurking cyber threats.
Google’s move reflects an astute awareness of the vulnerabilities inherent in our ceaseless quest for technological advancement. Sometimes, less is more — less access, more security, and perhaps more space for profound insights.
It’s an odd idea though, right? Not according to oneplane:
This is not a strange hardening technique at all. You'd obviously weigh the friction vs. added security, but at Google scale you'd probably be engineering on Google sources using Google tools on Google systems anyway.
It's not like you're sitting around installing a random binary from Reddit on your Google server and calling it a day. Perhaps a followup program ends up with a Qubes-like configuration, or just separate systems.
Conversely, MoonShark thinks it’s too extreme:
I could see it making sense to air-gap certain sensitive accounts or tools or processes. That's basically what the government does with nuclear secrets, and I'm glad.
But actually blocking individual people from the net across their entire role? That seems extreme. Give them a separate account so they can be creative or communicate with outsiders partners and such.
Is Google giving us the whole story? Klink wonders if there’s a hidden reason:
By total coincidence, it also stops employees from spending hours on shopping or other sites that have nothing to do with their work job on their work computer.
Painted into a corner? xwin sees Google hoisted by its own petard:
Just run an ad blocker. No-script and adblocker can mitigate 99.9% of all browser based attacks. But of course Google will never do this as it sends the wrong message.
Access in itself is not a problem, it is the idiot behind the keyboard that is the problem. I have seen people running builds as root just so they can save few keystrokes. Properly installed and configured sudo is sufficient.
People use ssh keys without passwords and reuse the same ssh key for everything. In general, convenience overrides all security considerations. That is why attacks succeed.
Horse’s mouth? Google’s VP of security, Heather Adkins — @argvee — clarifies:
No, we aren’t turning the internet off. … We experiment continuously to raise the cost of attacks for bad guys and are running a short test on a small # of very specific machines; testers have full internet access on other devices, and can also opt out.
Meanwhile, u/Jaegernaut- takes it to its illogical conclusion:
Put your phone in the locker before you clock in. Clock out for bathroom breaks. Any liquid containers must have a clear top. No smoking on campus or within 1,000 yards of the building. Smiling means you put $1 in the smile jar, which is given to your boss at the end of each week.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- See Webinar: State of Software Supply Chain Security Webinar
- See the Webinar: State of Software Supply Chain Security 2024
- See Gartner's guidance on managing software supply chain risk