item 36797471

Google tries internet air-gap for some staff PCs

138 points | beardyw | 2 years ago | theregister.com

159 comments

danpalmer | 2 years ago
This article is missing a key detail: that the expected workflow is that the workstations are basically just build machines.

My workstation is just an SSH server that I do builds on, everything else is on my laptop. I can’t remember the last time I used the internet on my workstation. I install packages but those come via a mirror, I scp files back and forth but that’s internal only.

Lots of people aren’t on this workflow yet, but I don’t think anyone is suggesting airgapping the main interface people are using.

wffurr | 2 years ago
All the coverage on this memo has missed this point. I guess they can’t imagine a company giving its employees two computers!

You can BYO ChromeOS devices too which make great thin terminals to a remote workstation or cloud VM. I have a whole bunch from dogfooding preproduction Chromebooks.

croes | 2 years ago
Are you sure? Why would a build machine need access to GMail?

> The report says Google's new pilot program "will disable Internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail."

https://arstechnica.com/gadgets/2023/07/to-defeat-hackers-go...

mgraczyk | 2 years ago
Many people at Google still use desktop Linux workstations. Those would be airgapped too under this plan and force these people to change to another workflow. There are at least hundreds of people who have been there 10+ years still using desktops for all development. For example on the team I was previously on, 4/8 people used a desktop workstation as their main device.

I used a cloud VM as my main machine, and still used the internet all the time. I used GitHub to sync my configuration (a proxy would be out of date, with no way to push), amongst other things.

kyrra | 2 years ago
I have a number of co-workers that do the same, but I can't live without my full Linux desktop environment. This is especially true if you use IntelliJ or other desktop apps. Yes you can remote desktop, but it's just not the same.
Jenk | 2 years ago
we do the same. Codespaces, gitpod, or coder.dev all provide for this kind of workflow and honestly it just makes so much sense. Corporate desktop for comms and internet, ssh to a devcontainer (or vm if that is desired) for development activity.
strogonoff | 2 years ago
I wonder if more package management tools should adopt the zero-install approach of Yarn Berry. You don’t even need a mirror: everything is right there in the repository. Want to update a dependency? That’s a commit, thank you very much.
joelwilliamson | 2 years ago
How do you remote access an air-gapped workstation? Seems like you'd need to be constantly switching whether your laptop is on the internet-connected network or the isolated network. If the laptop can switch between them automatically, wouldn't that make it possible for an attacker to jump the gap?

Even just having hosts that are sometimes internet connected and sometimes on the airgap network will greatly weaken the isolation. Stuxnet could cross an airgap with just static media, allowing thousands of computers that sometimes connect to the internet across the airgap seems like a fatal weakness.

IX-103 | 2 years ago
The other key detail missing was that this was just an experiment that was going to be active only on a small set of machines for a limited time. They wanted to get data on how much it impacts users' workflows, what the opt-out rate is, etc.

There's not even a current plan to continue limiting access after the trial period ends, much less a plan for expanding it to more machines.

hinkley | 2 years ago
Unless I've misunderstood the documentation, I think JetBrains' new Fleet editor is planned to support this sort of workflow.
jppittma | 2 years ago
A lot of people I know don't use them like that. They have a chromebook and RDP onto their cloudtop and never close it. One thing I like(d) about google is that they let you bring whatever workflow you're most productive with, rather than prescribing an "expected" workflow on you.
hamandcheese | 2 years ago
How do you ssh in to your workstation? Via some internet-connected bastion host?
MarkusWandel | 2 years ago
If these machines are denied outside internet access, but still connect to an internal network on which other machines have outside internet access, then that's a firewall, not an air gap.
FirmwareBurner | 2 years ago
Exactly. The author doesn't know what an airgap actually means.
t8sr | 2 years ago
If you take away the word “workstation”, this is what many dev environments already look like: a mini version of the production, which includes restrictive network rules.

You use the internet from your laptop, not the workstation.

Also, the article is using “air gap” wrong - it refers to an actual physical disconnect, which is not what this is. Only some firewall rules are apparently getting changed.

Disclaimer: I have no privileged information, only common sense from working in security and at FAANGs.
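What MarkusWandel and t8sr describe, a workstation whose egress is cut by firewall rules rather than by a physical gap, is easy to make concrete. The following is an added example written for this page, not a configuration from Google or from the linked articles: an nftables ruleset for a Linux host that drops all outbound traffic by default and allows only assumed internal ranges, an assumed internal resolver and an assumed package mirror. Every address in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from Google): a default-deny egress
# policy for a Linux workstation, expressed as an nftables ruleset.
# The address ranges, the resolver and the package mirror below are
# placeholders chosen for illustration, not real infrastructure.

INTERNAL_NETS="10.0.0.0/8, 172.16.0.0/12"   # assumed corporate ranges
PKG_MIRROR="10.1.2.3"                       # hypothetical internal package mirror
DNS_SERVER="10.0.0.53"                      # hypothetical internal resolver

# Emit the ruleset on stdout so it can be reviewed (or diffed) before loading.
print_egress_ruleset() {
  cat <<EOF
flush ruleset
table inet egress {
  chain output {
    type filter hook output priority 0; policy drop;

    # local traffic and replies on flows the input chain already admitted
    # (e.g. the SSH session from the laptop that danpalmer describes)
    oifname "lo" accept
    ct state established,related accept

    # internal tools, source control, build mirrors: anything on corp ranges
    ip daddr { $INTERNAL_NETS } accept

    # name resolution only via the internal resolver
    ip daddr $DNS_SERVER udp dport 53 accept
    ip daddr $DNS_SERVER tcp dport 53 accept

    # package mirror over HTTPS only
    ip daddr $PKG_MIRROR tcp dport 443 accept

    # everything else, i.e. the public internet, is logged and refused
    log prefix "egress-drop: " counter drop
  }
}
EOF
}

# Load the ruleset. Requires root: a user who can run nft can also flush it,
# which is why a host-based policy only holds if the user is not root.
apply_egress_ruleset() {
  print_egress_ruleset | nft -f -
}
```

Review the output of print_egress_ruleset before calling apply_egress_ruleset, then verify from the workstation itself: `curl --max-time 5 https://$PKG_MIRROR/` should connect while `curl --max-time 5 https://example.com/` should time out, and the kernel log should show an egress-drop line for the second. Two caveats a practitioner would add: the reports say root is being removed on some of these machines, and a host-based ruleset is only as strong as that boundary, so rules enforced on the network side (nonameiguess's point further down) survive a compromised host in a way these do not; and DNS to the internal resolver stays open on purpose, which means data can still leave via DNS unless that resolver refuses to forward external names.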

valleyjo | 2 years ago
When I worked on Azure compute we had dedicated laptops that were basically bricks. All they did was connect to production. No internet, no admin rights, limited set of software. This is a pretty reasonable security move.

This approach from google is basically the opposite. No internet on your workstation but your laptop works like normal.

konschubert | 2 years ago
The flip side of this is that you can ease the paranoia on the coding machines. You should probably be ready for 5% of them being compromised at any given time.
AndrewKemendo | 2 years ago
I thought BeyondCorp zero trust was supposed to completely and totally solve all of this such that air-gaps and network compartments are a thing of the past.

Air-gapping is creating a system-low zero access enclave. No different architecturally than running a separate access gateway.

Or is this a case of "yeah nobody ever actually believed that?"

Having run classified networks, there's absolutely a need for compartmentalized system-high networks.

TheNewsIsHere | 2 years ago
I always thought BeyondCorp was intended to replace the VPN infrastructure with (effectively) a TLS reverse proxy gated by rules, SSO, device posture inspection, etc.

That’s how I always interpreted the marketing and technical documentation anyway.

I would be surprised if they’re not already running PAWs for things like administrative access to production GCP primitives and similar, even if they’re also running PAM, hardware authentication, and so on. I know Microsoft does for admin privileges to the Azure fabric.

konschubert | 2 years ago
My interpretation of BeyondCorp is about creating a very small inner perimeter where only the prod machines have access - and those "airgapped" super-admin laptops that the article talks about.

99% of dev and admin work then takes place outside that perimeter, outside the VPN, by authenticating machines and encrypting traffic with TLS. Since you will always expect compromised machines and bad actors in this area outside the inner perimeter, a four-eyes principle for any critical actions, such as code changes and configuration changes, is necessary.

karthie_a | 2 years ago
This is historic practice in any secure work environment, like govt departments, healthcare, financial institutions, pharma and energy. Based on the level of protection required they lock the access accordingly. Allowing USB in a workstation is generally not allowed by any employer. In most secure environments they disconnect your workstation from the outside world and it is generally connected only to the internal network. If you require internet access you can apply for it and get approved, which will be monitored by the network admins.
Skunkleton | 2 years ago
Why is this called an air gap? It's not. They are just firewalling workstations off from most (not all) of the public internet.
debarshri | 2 years ago
I remember working in 2010 with Tata Consultancy Services with BofA as the customer; they would make the service provider go through these hoops. The employees of TCS would connect over TeamViewer into a VDI that would have access to the actual server where they would code. It used to be a hub model, i.e. the VDI was somewhere on the east or west coast and employees were in India; the experience was crappy, and as the customer was getting billed per hour, no one cared.
1B05H1N | 2 years ago
> The company will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail. Some workers who need the internet to do their job will get exceptions, the company stated in materials.
>
> In addition, some employees will have no root access, meaning they won't be able to run administrative commands or do things like install software.

https://www.cnbc.com/2023/07/18/google-restricting-internet-...

This is pretty standard across the industry for some workstations/build machines.

mattgreenrocks | 2 years ago
Where I work, admin access is restricted. We can request it temporarily and all actions are logged.

Works just fine on macOS!

formerly_proven | 2 years ago
I thought Google’s security is so impeccable that getting a reproducible RCE on engineering workstations doesn’t matter? https://news.ycombinator.com/item?id=35581532
cavisne | 2 years ago
This is exactly the sort of attack this change is helpful for, as pip would not work at all on these machines. Probably the only way to stop these “social engineering” (as google characterized it) attacks.
hgsgm | 2 years ago
The scariest part of that thread is the many people saying that closing your eyes and yelling "zero-trust" means that you don't need to protect your devices from compromise.
clhodapp | 2 years ago
When your entire business is built around public internet services and public internet enabled devices in the hands of end users, this approach feels like losing the plot. Compare with something like BeyondCorp, which actually advanced the state of practice in corporate security just a few short years ago, in a super internet-positive way.

What'll be their next old-school corporate move? Time cards? A ban on phones with cameras? A buggy middlebox that forges TLS certs?

galkk | 2 years ago
If Bard will provide at least somewhat useful suggestions on quirks of a particular language (I'm looking at you, C++) and/or there will be whitelisted or mirrored sites like cppreference/godbolt, then I suspect I won't need the actual big internet for work at all.

Most of the reference documentation is actually internal project/other google sources and internal docs/guides/design docs.

weinzierl | 2 years ago
I find that idea fascinating but I doubt it will fly.

Today's LLMs are not a suitable replacement for documentation, in my experience, because their knowledge is so sparse. You will not notice it immediately because they fill the gaps with plausible nonsense. Also, training a model with domain-specific knowledge is not a realistic option for most of us as of today.

For having all the reference documentation locally (possibly indexed in a vector database and accessible to the LLM) I'm doubtful as well, since it is so hard to determine scope beforehand. A couple of years ago I tried to program off-grid and prepared a MacBook with Dash (an OS X offline doc reader) and all the reference docs I thought I needed. It was a nightmare, and that is from a dude who learned programming before the Internet, based solely on offline docs.

LoveMortuus | 2 years ago
I work in customer support and while I haven't yet used Bard (because at the time it wasn't available to me), I have used ChatGPT to tell me what the customer is actually asking of me, when I didn't understand their emails. And thus far, it's been quite helpful. I even asked it once to rewrite the greeting part of the email so that it included empathy (I'm kind of emotionally inhibited, as my doctor put it) and judging based on the customer response, they were quite pleased.
mike_hock | 2 years ago
cppreference can be downloaded and used locally.

godbolt would be a weird choice to whitelist if you go through the trouble of airgapping in the first place. All it takes is one accidental copy&paste of a sensitive code snippet and it's there for the world to see with no undo.

badrabbit | 2 years ago
I hope they also remove USB drives and don't let them connect unauthorized Bluetooth and keep their laptops in the office. Most users would just start working on their home PC and then you have their work account compromised on their home laptop. With USBs, you'd be surprised how many air-gap-breaching worms there are.
smueller1234 | 2 years ago
The entire story isn't about laptops. It's about the workstations that may be used to work on code locally (or also build it locally). These machines already aren't allowed outside of premises.
lozenge | 2 years ago
I work at a bank and I know our security is higher than most, but I'd be shocked if usb drives are allowed in the Google offices.
_Wintermute | 2 years ago
I worked at a pharma company who disabled internet access for most people. Many downloaded things on their phone's 4G and transferred them to their computer with a USB cable, it was pretty pointless.

That said, I'm sure Google's IT are far more competent than that horror-show.

nickdothutton | 2 years ago
Anyone mentioning an air gap is often scorned these days, because in practice it is rarely used, used for long, or survives "this one workflow we really, really need and is commercially important". However there are occasions and situations where it can be workable. Air gap is a weapon. Know when to use it.
elif | 2 years ago
Seems like Google could just build some routing around their existing archive service and give all of their employees a stale copy of the web for 99% of cases. Use LAN for communication, etc.
catsarebetter | 2 years ago
Seems a bit extreme but I suppose they have to at least try some mitigation strategies.

7th largest DDoS attack in history last August, Gmail cyberattack a few hours ago. That's just what we know, too.

nirui | 2 years ago
> Those who choose to participate will have their general internet access removed along with root privileges on their individual boxes if they had that

Is it just a software thing? For example IP blocking via iptables? 0-days in OS kernels are not something super surprising these days, not really sure a software lock would really help that much.

Maybe they should just give their employees two computers, one air-gapped for accessing internal systems that must be kept in the company facility that issued the computer, and another one fully online for accessing Stack Overflow that must not store any company information.

lloeki | 2 years ago
Looks like so:

> Google's tools and office software accessed via the web will still be accessible to those cut off from the internet generally. Workers in the program who require internet access for their jobs will be able to get exceptions.

The headline twists the definition of "air gap".

nonameiguess | 2 years ago
It's almost certainly a network-based firewall, not a host-based one. And if you use multiple firewalls from multiple vendors with different OSes running on the firewalls, theoretically, an attacker could have zero days on all of them, but it's statistically much less likely than an attacker having a zero day on only one popular consumer/server OS.
amf12 | 2 years ago
> Maybe they should just give their employees two computers, one air-gapped for accessing internal systems

And why do you think that may not already be the case? Even other big tech companies already give out two computers.

politelemon | 2 years ago
Maybe the StackOverflow bit could be replaced with a local LLM assistant?