
Singapore to require public servants to access internet from separate PCs - kawera
https://www.theguardian.com/technology/2016/aug/24/singapore-to-cut-off-public-servants-from-the-internet
======
visakanv
To quote a commenter on /r/singapore:

[–]erisestarrs 38 points 3 hours ago

The "no Internet" thing really just means, our Internet access will be on a
separate PC from where we usually do our work, not that we have no Internet
access at all. People constantly joke that they don't know how we're going to
do our work without Internet, and it gets tiresome after a while.

–
[https://www.reddit.com/r/singapore/comments/4zb4iv/govt_empl...](https://www.reddit.com/r/singapore/comments/4zb4iv/govt_employees_of_rsingapore_what_are_some_truths/)

~~~
tn13
Many Indian outsourcing companies do that as well. Employees can only access
the internet and a few technical sites from their own computer, but to access
Gmail they have to log in to a separate computer.

~~~
snowfield
This is done in "secure sites" in the military all over the world. The site
itself doesn't have internet, but some provide connections through a completely
separated series of thin clients outside of the network.

------
willempienaar
I've seen this happen in a lot of industrial networks as well. At the end of
the day the work needs to get done. If internet access is necessary for that,
then somebody will plug in a mobile router or phone to this "isolated"
network. This is especially common when remote vendors and support teams need
access to this network to troubleshoot issues.

So now instead of centrally designed and managed IT infrastructure and remote
access, you have something like a Teamviewer service enabling remote access
through these rogue gateways.

~~~
xuki
The proper way to do this is to have 2 machines, one that connects to the
intranet and one that connects to the internet. The one connected to the
intranet won't accept any external devices, and is completely unable to connect
to the internet or even copy data out using a thumbdrive. If cost is an issue,
a VM could work (but riskier).

~~~
chmars
Isn't it annoying if you cannot transfer data from your Internet computer to
your offline computer? And what about cloud services?

~~~
mseebach
There will usually be a one-way file copy service (with AV scanner) that you
can use to transfer files to the secure network. No access to cloud services
is very much a feature, not a bug, as these measures are implemented for
security.
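
The vetting step of such a one-way import service, as an added illustration
that is not code from the original thread or from any real gateway product: a
file arriving from the Internet-side machine is checked against an extension
allowlist, its leading bytes must match the type its name claims (so a renamed
executable does not pass as a PDF), it is size-capped, and it is handed to a
scanner before release to the secure side. The size limit, allowlist, and the
`signature_scan` stand-in (which uses the standard EICAR test string in place
of a real AV engine) are all assumptions; the sample batch is constructed.

```python
import hashlib
import os

# Hypothetical one-way import gateway (added example, not a real product).
# Files flow from the Internet-side drop to the secure side only; nothing
# here ever writes back toward the Internet side.

MAX_BYTES = 10 * 1024 * 1024  # assumed per-file size cap

# Extension allowlist with the magic bytes each type must start with.
# Plain text has no magic; it is checked by strict UTF-8 decoding instead.
ALLOWED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".txt": (),
}

# Native executable headers that are refused regardless of file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# The EICAR anti-malware test string, standing in for a real signature set.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def signature_scan(data):
    """Stand-in scanner: returns True when no known signature is present."""
    return EICAR not in data


def vet_file(name, data, scanner=signature_scan):
    """Decide whether one file may cross to the secure side.

    Returns (accepted, reason, sha256hex). The hash is always computed so the
    decision can be audited even for rejected files.
    """
    digest = hashlib.sha256(data).hexdigest()
    if len(data) > MAX_BYTES:
        return False, "too large", digest
    ext = os.path.splitext(name.lower())[1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed: %r" % ext, digest
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "executable header", digest
    expected = ALLOWED_MAGIC[ext]
    if expected and not data.startswith(expected):
        return False, "content does not match extension", digest
    if ext == ".txt":
        try:
            data.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            return False, "not valid text", digest
        if b"\x00" in data:
            return False, "not valid text", digest
    if not scanner(data):
        return False, "scanner rejected", digest
    return True, "ok", digest


def process_batch(files, scanner=signature_scan):
    """Vet a batch and return (released_names, audit_lines).

    files: dict of file name -> bytes, as read from the Internet-side drop.
    Only the released names reach the secure side; the audit log records all.
    """
    released = []
    audit = []
    for name in sorted(files):
        ok, reason, digest = vet_file(name, files[name], scanner)
        verdict = "ACCEPT" if ok else "REJECT"
        audit.append("%s %s %s %s" % (verdict, digest[:16], name, reason))
        if ok:
            released.append(name)
    return released, audit


# Constructed sample batch (not real files).
SAMPLE_BATCH = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n",
    "notes.txt": "meeting at 10:00\n".encode("utf-8"),
    "invoice.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,  # PE file renamed .pdf
    "setup.pdf.exe": b"%PDF-1.4\n",                        # double extension
    "sample.txt": b"hello " + EICAR,                       # AV test signature
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    released, audit = process_batch(SAMPLE_BATCH)
    print("\n".join(audit))
    print("released:", released)
```

The point of checking magic bytes against the extension, rather than trusting
either alone, is that the Internet side is untrusted by design: a file name is
whatever the sender chose. The audit line carries the hash of every rejected
file too, so the secure side can answer later what was refused and why.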

~~~
geofft
The purpose of security is to help the business get its job done without
disruption. If security were a goal in itself, you could just shut all the
servers down and go home.

If a "security" measure is causing disruption to the business, it's not doing
its job.

~~~
unethical_ban
It's a spectrum. Business would be a lot easier for DBAs if there were no
firewalls between PCI (credit card) data and their applications, but we do it
because it mitigates risk.

~~~
geofft
DBAs as in database admins? I'm talking about the business goals of the
_company_ as a whole, not for individual employees / departments. The reason
you want to mitigate risk is because you want the company to get its business
done (i.e., you want customers to be willing to give you money).

I don't think there's any spectrum here. Good security is what helps the
company's business goals. Bad security (which isn't really security) hurts it.
Sometimes there are legitimate questions about whether to optimize for
short-term or long-term goals, but that's no different from every other
business decision a company makes.

------
princeb
i don't know whether this is true or not... maybe hongyi can comment here ;)

but a lot of personal data in Singapore is wonderfully linked up across almost
all government departments in the country. all government services can be
accessed through a single log-in: taxes, property, immigration, CPF (a plan
similar to the 401(k)), healthcare and insurance, etc. are all on the same
system.

this might mean only one point of failure in any of the civil departments is
needed to gain access to a lot of details about a person living in Singapore,
resident or not. afaik, few other countries have integration as tight as this,
so a failure somewhere could be contained. I suspect it is more vulnerable
here.

~~~
jpatokal
Problem is, since everything accessible via this single log-in is by
definition open to the public Internet (because otherwise citizens can't use
it), cutting government bureaucrats off the net does precisely nothing to
reduce _this_ attack surface or secure this data.

~~~
princeb
you might get personal details of a single person by going through the public
internet, but find your way onto a civil servant's machine and you might get
personal details of everyone in Singapore.

guessing it's probably going to be like how you access microdata in the US.

~~~
jpatokal
That public website is pulling the data from _somewhere_ , yes? So if you can
hack into that, you can likely extract all the data.

I suspect this is more about the Singaporean government being paranoid about
internal gov't docs leaking out, which airgapping _would_ go some way to
preventing. This is, after all, the country that tried journalists for
revealing a deep dark secret: GDP growth figures.
[http://www.nytimes.com/1993/10/22/news/22iht-sing_0.html](http://www.nytimes.com/1993/10/22/news/22iht-sing_0.html)
(Yes, that's 1993. But still.)

~~~
princeb
unauthorized dissemination of economic data is a serious offense in many
countries. in the states, you can go to prison for it.

in this Singapore case, the journalists and the official involved were fined.
no jail. lucky them. the official involved is now our deputy PM and chairman
of the central bank, after holding various ministerial positions in the last
few decades.

~~~
bkor
> unauthorized dissemination of economic data is a serious offense in many
> countries.

We're talking about GDP growth figures. Those can be under an embargo, but
these should NOT be hidden. Pointing at others isn't needed.

~~~
princeb
they were not hidden. they were released ahead of time. the uncanny accuracy
of an expectation article a month before the official release led to the
opening of the case

------
Nux
It's not an unreasonable thought, but they'd better make sure there are no
serious dependencies on the Internet for their work.

I guess they'll find out how proper their network is and how much they were
relying on external "shadow IT". :)

It's mentioned at the end some Japanese companies tried it and failed; not
encouraging, but perhaps different circumstances.

------
alasdair_
I wonder if this has anything to do with the recent story by the Intercept
which released some more slides from the Snowden cache.

One of the slides (this one here:
[https://www.documentcloud.org/documents/3031643-CNO-Course-E...](https://www.documentcloud.org/documents/3031643-CNO-Course-EAO-Redacted.html)
- see slide 9) has an ip address on it.

Curious, I did a reverse lookup on the IP and found it to belong to a
Singapore government agency. (It seems to be a generic verizon IP now - is
there an easy way to see the history of whois records?)

Given the timing of the release of the slide and the new policy, it's
plausible that the two are related.

------
toyg
Won't this basically cut off a lot of small/medium public-cloud companies from
doing business with Singapore public agencies? All sorts of networking
trickery will be required to enable such services, which will be unfeasible
for "appointment reminder"-size businesses.

~~~
superuser2
Keeping data away from the cloud is presumably the point.

------
pulse7
I guess this will be a movement in the years to come: 1) Air gapping computers
2) Electromagnetic shielding of computers

Just to be far away from hackers who stole three-letter-agency spying tools...

~~~
angry_octet
EM shielding, audio isolation, light tight, and physically secure (including
guards to put everyone through a metal detector), supply chain security. Any
one of them imposes costs, and EM shielding most of all. (Well, a culture of
fear and anxiety might be more expensive, but we already live with that.)

It is too expensive for almost everyone. I think we will collectively settle
for pretending nothing is wrong.

~~~
superuser2
You've essentially rattled off the US Government SCIF specifications (which
are public and a fascinating read).

Also non-conductive ductwork and plumbing at the edges of the SCIF and careful
selection/programming of the phone system to make sure an attacker can't
remotely set a phone off hook and use it as a microphone.

~~~
angry_octet
Mostly right. SCIF phones are always press to talk with speakerphone disabled.
Typically they are very simple POTS phones, with high roll-off lowpass filters
where they exit.

Having a smart PABX which can transparently route cell calls to internal
numbers is very important to making SCIFs functional.

It was interesting to read that Hillary Clinton had problems at State because
her staff couldn't access their phones in the office - primarily SMS or BBM I
think.

------
coldcode
A real problem if you are serving the public.

------
paradite
The title is misleading and false to some extent.

We had this debate when the news just broke a few months ago and many people
simply assumed that public servants cannot surf the Internet during work. This
is not true, and it was pointed out in the article as well:

 _> Public servants would still be able to surf the web but only on separate
personal or agency-issued devices._

~~~
toyg
_> separate personal or agency-issued devices._

Which, for budgetary reasons I'm sure, will probably end up rationed and
shared. For The Powers That Be, this will mean fewer machines to track for
potential dissent-related activities, activities which will likely
self-curtail anyway because of reduced privacy while using such machines; but
that's just an unfortunate side-effect, I'm sure.

~~~
Steko
My company did the same thing recently; the general consensus seems to be that
it was entirely security driven. Old internet is locked down to a bunch of
whitelisted sites (before this it used a blacklist of gaming/nsfw sites), they
put in a new private wifi you can do mostly whatever you want on, and they set
up some terminals for people without their own devices.

