Singapore To Cut Off Internet Access For Government Workers From 2017

An anonymous reader writes: Government workers in Singapore will return to a 1990s-level of net connectivity from May of 2017, as the domestic government has decided to block internet access on all of its 100,000 office computers. The decision has been made in the interests of national security, although the Draconian policy will still permit workers to forward work mails to private email addresses as necessary. Workers' own devices will be allowed to connect to the internet normally by special terminals being provided in early trials, while intra-departmental connectivity will presumably be maintained via VPN tunneling. The move comes in the direct wake of a visit to Singapore from the U.S. Secretary of Defense Ashton Carter late last week, promoting stronger security ties with Singapore in the face of the rise of China in the region.BBC News has more details.

Can you hear me now?

No? GOOD

Productivity not Security

[EmagGeek]

Government workers will actually have to do their jobs now instead of sit around all day watching cat videos.

Re:Productivity not Security

[Bing+Tsher+E]

We could hope this would spur a global reassessment of the use cases for Internet Access at the workplace. Most workplaces would function well with a whitelist of the small handful of websites a worker needs to be able to navigate to remain a productive worker.

You're at WORK.

Re:Productivity not Security

[funwithBSD]

This concerns me.

I rather have government workers looking at cat videos all day rather than harassing citizens.

Re:Productivity not Security

[__aaclcg7560]

You mean they don't troll the trolls on Slashdot like I do at my government IT job while waiting for a script to finish?

Re:Productivity not Security

They're still not going to do any work.

The goal here is to reduce the odds of being swayed to whistleblowing on impulse, by things like government atrocities showing up on the news while they should be working.

Re:Productivity not Security

Yes, because government workers didn't slack off before the Internet came along.

Re:Productivity not Security

If government workers actually spent all day working, we would need about half the number of them. This would cause mass lay-offs from the public sector, flooding the jobs market with unemployed people. This would cause a spiral of wage deflation, reduced spending power, declining tax receipts, spending cuts, leading to civil unrest, and ultimately the collapse of government and social order.

Let them have their cat videos.

Re:Productivity not Security

[nospam007]

"Government workers will actually have to do their jobs now instead of sit around all day watching cat videos."

Hardly, they'll just use their phablets instead.

Re:Productivity not Security

[SumDog]

Not as a developer. I've been at places with filtering where to many sites with information I need end up in the blacklist. Rather than put in a support ticket, I often find it easier to proxy over SSH. I've only been caught doing this once at a company and that was cause some dickhead used my proxy to pump a huge file though. I stopped giving people access to my jumpbox after that. (I wasn't fired either; just given a warning. It didn't matter though -- turned in my notice for a new job a month later :-P)

The past four jobs I've worked at didn't/don't have any filtering what so ever and I haven't found my overall productivity levels have changed at all.

Re:Productivity not Security

[Mikkeles]

Don't forget solitaire!

Re:Productivity not Security

[smooth+wombat]

watching cat videos

Considering how long it takes to get a response from private industry or get them to do what they're being paid to do I can only assume they're the ones making the cat videos.

Re:Productivity not Security

Yeah, bull.

It's pretty widely accepted that employyes aremore productive when given a little bit of leeway and freedom.

Yeah, I'm at work to do a job (which, actually more and more, at work is at home), it doesn't mean every second of my day belongs to my employer.

If I want to check some entertainment news for 5 mins between hourlong sessions of whatever, then I should be able to, and it shouldn't even be a concern in 2016.

The singaporeean government are idiots. Small minded, controlling idiots.

Re:Productivity not Security

I work for a large multinational and we have just that - a narrow whitelist of business-approved sites. Employees can add sites as needed with a browser plugin that our IT department cooked up. If we go to a blocked site, all we have to do is click a button in the browser and enter a quick, one-sentence justification for adding the site to the whitelist.

Then, we can access the site while management evaluates the appropriateness of the site for the whitelist.

This doesn't get in the way of doing work, but certainly does prevent people wasting time goofing off on the Internet. I don't go to work to play on the Internet. I go to do my job, as that is what they are paying me to do. I can play when I get home.

Re:Productivity not Security

Couldn't you just ask them to unblock stackoverflow so you could keep copy pasting your work?

Re:Productivity not Security

What were you a developer OF? because if it was websites, you're a part of the problem.

Re:Productivity not Security

[luis_a_espinal]

Couldn't you just ask them to unblock stackoverflow so you could keep copy pasting your work?

That's what we did at a previous company (defense contractor). We requested things like infoq, stackoverflow/stackexcange, acm and ieee.org for being unblocked, and voila. It kinda sucked not to have access to cnn, dilbert and slashdot, but that's the whole point (to limit dicking around.) Besides, if we really wanted to browse, we simply used our smartphones during coffee breaks.

I can totally see the reasoning behind it.

Re: Productivity not Security

While this may be great for most office workers, you've never done development especially in the windows environment. Most of the api and interfaces are documented online. MSDN... and tutorials for how to use those interfaces could be anywhere even youtube.

Re:Productivity not Security

[PrimaryConsult]

Sometimes productivity actually drops once filtering "fun" sites is implemented. Instead of 10 seconds to check facebook and 2 minutes to glance through a few news articles on a computer, it now takes 5 minutes on Facebook and 10 minutes on news sites to do the same thing on a phone.

Re:Productivity not Security

[msi]

If government workers actually spent all day working, we would need about half the number of them. This would cause mass lay-offs from the public sector, flooding the jobs market with unemployed people. This would cause a spiral of wage deflation, reduced spending power, declining tax receipts, spending cuts, leading to civil unrest, and ultimately the collapse of government and social order.

Let them have their cat videos.

To be fair I work in the private sector and I can't see much difference between your example and all of my work places.

Re:Productivity not Security

You're at WORK.

That's cool. At the same time can we have honest conversations as to why employees at times slack off on the internet as a way of dealing with their terrible jobs? In particular I'm referring to management that's either incompetent or simply doesn't understand their own businesses properly. Essentially I'm saying, if we're to ban people from using the internet at work, lets also look at why we've arrived at this point in the first place.

Re:Productivity not Security

A lot of things are "widely accepted." It does not make those things true.

Can you tell us by whom your postulate is "widely accepted," or were you just using weasel words?

Re:Productivity not Security

Title Envy does not accomplish much of anything, really.

You know, in my travels, I have not met too many engineers who did not think they could run the company better than the CEO. However, it is also my experience that engineers, when given management positions, fail at it spectacularly.

Why do you suppose that is?

Re:Productivity not Security

[luis_a_espinal]

Sometimes productivity actually drops once filtering "fun" sites is implemented. Instead of 10 seconds to check facebook and 2 minutes to glance through a few news articles on a computer, it now takes 5 minutes on Facebook and 10 minutes on news sites to do the same thing on a phone.

It is all a matter of balance and requirements. For a company doing "enterprisey" stuff, who cares about access to the internet. If you are working with a defense-related company (as in the example I alluded to), you cannot play with that shit.

And let's think about the context of this story. Singapore. Government agencies in Singapore are getting flooded by attacks from China, like you would not believe. They are being forced into implementing this policy. So I don't blame them, and that's what I would if I were in their shoes (and so would you.)

Re: Productivity not Security

That's what happens when the xenophobic racist IB in Singapore is causing the government to remove most of the IT workers from India and the Philippines leave the country by making a Employment Pass much much harder to get. You will notice a decline in the amount of hate speech online aimed at FT after this ban

Re: Productivity not Security

Oh no, no more online poker? The horror!!

Good start

[T.E.D.]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Re:Good start

[LichtSpektren]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Very clever, but I point out that local copies -- while still vulnerable to inside leaks and what not -- are NOT vulnerable to hackers across the world. It might be less efficient, but then again, how many billions of dollars are companies/governments pouring into infosec only to get breached anyway?

Re:Good start

Just crush their hands with a hammer if you see them writing. We don't need reading and writing, only what you can remember from what other people have told you. I like the idea of going back to bards.

Re:Good start

I had a boss who wished he could ban most of our users from using the printers but it was more about the sheer waste of paper. We have so many ways to electronically edit and mark-up documents and drawings but so many of the old engineers still want to print everything out and scribble all over it by hand. Some of them are just too stubborn to learn new tools and then complained when they were told by management "no, it's not a good use of time to hand write everything and try to get a younger engineer to then enter it all into the software for you."

Re: Good start

I don't understand why no one just uses pgp to sign documents or hash them.

Re:Good start

Getting rid of internet connected printers and photocopiers would be very good steps to more security and towards a paperless office. (*self-whoosh*)

Re:Good start

[Solandri]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

It sounds like they're going to do what the bank which holds my mortgage has done - eliminated all direct Internet access. Essential communications is maintained via email conducted through a relay, which strips out all suspicious attachments like zip files, Word docs, etc. PDFs are allowed, but based on what my loan officer told me, it sounds like any PDF sent to them is viewable only through a special app which lets them view it, but only sends the image to their computer not the actual PDF.

Re:Good start

[jon3k]

Great example of a logical fallacy.

Re:Good start

The "old engineers" use pen and paper like that because they work faster than any computer-based document or diagramming tool can handle.

It's not a problem with learning the new tools. The problem is that once they've learned the new tools, the new tools are still way fucking slower than a pen and paper.

Maybe you don't understand this, but when a true master is in the zone and cranking out top-notch work, this master can't be burdened with shitty software that doesn't work fast enough just to save a few sheets of paper.

When an experienced engineer like that costs $300/hr, it's better for him or her to be producing $10,000/hr of value using a pen and paper than it is producing just $3,000/hr of value using some shitty software. And it makes perfect sense to have the $25/hr inexperienced engineer, who'd be producing way less value than $7,000/hr, input the hand-written notes instead.

It's simple economics, and experienced engineers actually tend to understand economics and optimization far better than most managers do.

If these experienced engineers want to use pen and paper, it's because that's the optimal way of dealing with the problem. The software you're proposing is suboptimal.

Re:Good start

This. So very much this, except you leave too many security holes. How about this:

No phone, no lights, no motor car
not a single luxury
like Robinson Crusoe,
as primitive as can be.

Re:Good start

[tlhIngan]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

  It sounds like they're going to do what the bank which holds my mortgage has done - eliminated all direct Internet access. Essential communications is maintained via email conducted through a relay, which strips out all suspicious attachments like zip files, Word docs, etc. PDFs are allowed, but based on what my loan officer told me, it sounds like any PDF sent to them is viewable only through a special app which lets them view it, but only sends the image to their computer not the actual PDF.

Well, this is Singapore, who like a lot of countries, has a nice Great Firewall as well. (I still remember when internet was free and unfettered but there was talk of setting up the firewall... I think it was set up a year or two after I left).

Considering they want to keep contraband out of the country, I'd be surprised if they didn't already have some sort of gateway and all that - can't have illicit access to porn, for example. (Tor, they probably allow - given the penalty for drug use is death (firing squad, IIRC), well...)

Anyhow, it probably doesn't affect people as much as you think - Singapore is a very modern city-island-state and thus cellular data access is common everywhere.

Re: Good start

[LichtSpektren]

I don't understand why no one just uses pgp to sign documents or hash them.

I would venture to say that it's primarily because it's too difficult a process for non-tech people to grasp right now.

Re:Good start

[T.E.D.]

Don't worry. No one person can hold the knowledge for how to make any of that advanced stuff. Even, ironically, a pencil is beyond the capabilities of any single person to understand how to make. So without writing nobody will be able to look up how to make any of that stuff, and nobody will be able to order it from abroad either.

A small kingdom (on the order of 20,000 subjects) is about the most advanced society proven to be possible without any writing.

Re:Good start

[farble1670]

You're very funny, but it doesn't say no network access or no computer access. It's says no INTERNET access. Presumably they still have access to the intranet and all the resources therein which is probably the only thing they need to actually do their jobs.

Re:Good start

[lgw]

The difference being that when left unattended, the photocopiers, printers, and people's fingers don't walk around under the command of someone halfway around the world, find secret documents, copy them, and mail them off to the person controlling them.

Actually, most photocopiers support all of that functionality these days. I could only hope they'll be turning off internet access for the copiers as well, but you never know.

Re:Good start

[luis_a_espinal]

You know what would be even more secure? No printers or photocopiers. If someone wants to write a document, they have to do it longhand. If someone wants a copy, they have to copy it longhand as well. That will really slow down the leakage of information!

Of course a truly secure society would get rid of writing altogether. Important secrets will be passed down using special people with trained memory (often called "bards"). They use song and rhyme to help with the large amounts of memorization required. Ever heard of anyone running off with the vital military secrets of an Amazonian or Pigmy tribe? No? That's why.

Efficient dissemination of information is for suckers.

Why would you need to have access to, say, CNN or youtube when you are on the clock? You are on the clock. You work. You want to do some leisure media consumption, do it with your smartphone on a coffee break or when you get home.

Re:Good start

I live in Singapore, so please allow me to clarify some of your misconceptions: First of all, executions are through hanging. I'm not justifying it, I'm personally against all forms of corporal punishment. Secondly, porn is indeed not allowed, but the blocking isn't anything like the GFW. There is a list of 100 sites which all ISP's has to block (high-profile porn sites like pornhub, etc). Everything else is open. In fact, the law states that the list can only contain 100 sites, and some time ago there was some media reporting on them having to remove a site because a new one needed to be added.

Re:Good start

[Kjella]

The "old engineers" use pen and paper like that because they work faster than any computer-based document or diagramming tool can handle. It's not a problem with learning the new tools. The problem is that once they've learned the new tools, the new tools are still way fucking slower than a pen and paper.

Oh please, a lot of old farts refused to learn how to use a keyboard so the secretary had to type things up for them. I even known some accountants didn't really trust anything but their mechanical calculators. For the longest time, my mom wouldn't use the microwave because OMG radiation. I agree, there's certain kinds of sketches that are done better on paper. But I also know a guy who'll print 50 pages to add a few comments on paper and when the next revision is out, obviously the old is thrown away. He claims it's better, but I think it's like reading dead tree newspapers in the morning, it's just feels good. After a while you get used to anything.

Re:Good start

Am in Singapore.

They block about 100 web sites. Playboy, chick.com, etc.

It's more a symbol that the government is doing something then actually doing anything. This is to keep those conservatives quiet and show that the "government is taking action". They know they can't do a "great firewall" like in China without having a big hit on infocomm industry.

Thumb drives

[justthinkit]

A spokesman added that "Thumb drives should continue to work as before."

Re:Thumb drives

[ITRambo]

Possibly the best attack vector remains in place then. Great idea.

Re:Thumb drives

Never underestimate the bandwidth of a station wagon full of hard drives.

Re:Thumb drives

[SumDog]

Nah, the best attack vector are active virus scanners that run as the system user. If you find a bug, you can just send the person a broken PDF and they don't even have to open it. You just need the AV to scan it and you're in.

"the Draconian policy"

[LichtSpektren]

the Draconian policy

The capitalized 'D' indicates that this is some kind of proper name. I take it this policy was enacted by a man named Draco?

Re:"the Draconian policy"

[Dunbal]

Yes.

Re:"the Draconian policy"

[LichtSpektren]

Lowercase "draconian" means any (generic) kind of harsh law or treatment. Uppercase indicates that Draco himself issued this protocol.

Re:"the Draconian policy"

In fact, you almost have it correct:

https://en.wikipedia.org/wiki/Draconian

"Draconian is an adjective meaning great severity, that derives from Draco, an Athenian law scribe under whom small offenses had heavy punishments (Draconian laws)."

If it weren't Godwin'd, you could say "Hitlerian" and you'd see why it gets the capital "H".

Re:"the Draconian policy"

[Dunbal]

I beg to differ. You can have a Vesuvian eruption of a volcano, and Vesuvian (or Plinian for that matter) is capitalized even if it's a different volcano.

Re:"the Draconian policy"

'It is said that Drakon himself, when asked why he had fixed the punishment of death for most offences, answered that he considered these lesser crimes to deserve it, and he had no greater punishment for more important ones'

Is this guy running for sheriff somewhere?

The 90s is calling.

[Rande]

I used to have to work like this back in 1998. Internet access was severely restricted and only 1 person per division had access and you'd have to tell them what you were looking for and they'd do the search for you.

In practice, it was faster for me to walk home, search for the information I needed and walk back than to do this or reinvent the wheel when 100 people had found the same problem and had already posted a solution.

Honestly I'm more productive with internet access, even if I'm currently at work posting this while waiting for my script to finish running.

Re:The 90s is calling.

[xxxJonBoyxxx]

>> I'm more productive with internet access,

Name a national government concerned about "productivity."

Re:The 90s is calling.

[shippo]

I had similar experiences, also in 1998. I started working in the support department of a smallish PC manufacturer and supplier. We had no access at all to the web from our desktops, not even access to any of the support sites of our main suppliers. My support resources were just an old copy of a Microsoft Technet CD, and I had to look other things up at home after work, which was 30 miles away. Even E-mail access was restricted, and I could only send an external E-mail by using a PC on a desk situated next to the managing director. This naturally made the whole process of downloading patches and drivers to pass on to customers completely impossible, and I walked out after two days.

Re:The 90s is calling.

I had full internet access, since before there was a web. So, I don't understand the original poster's reference to 1990's net connectivity. In the 1990's, the connections were just slower like T1 for an entire building.

Re:The 90s is calling.

[antdude]

What role did you have and which company? During my days, I had full Internet access as a web designer at a dotcom company (RIP in 2001). :P

Re:The 90s is calling.

If you have time to kill waiting for that script to finish running, then you have time to start up some more work! Keep those wheels of capitalism spinning! You need to make more money for your corporate overlords!

Productivity issues?

[Dunbal]

It's not going to help much if they still leave a copy of Solitaire on government workers' computers.

I predict

[rossdee]

that the Singapore Govt may have difficulty retaining skilled staff.

Re:I predict

[Bing+Tsher+E]

True. They will lose all their staffers who are no longer able to update their Facebook.

Re:I predict

[Zontar_Thing_From_Ve]

that the Singapore Govt may have difficulty retaining skilled staff.

Unlikely. People who take government jobs aren't doing so for the paychecks. Very few of the people who would leave over this are working for the government anyway. It will be annoying, but the workers will adapt. Those who work for the government often do so because government jobs rarely get cut so it will take a lot more than this to get people to leave. Heck, I've known of people in private industry who were told bluntly "Your job WILL end. We're moving your job to another state and you won't be kept once that happens. The only problem is that we don't know when exactly that will happen. It could be 6 months from now. It could be 12 months. It could be longer. But when that day comes, you'll be lucky if you get even a few days notice that your employment is over. Most likely you'll just show up to work and be told to pack your things and leave." And even after all of that, some people still wouldn't leave the job until they actually got sent home and the doors were permanently locked.

Re:I predict

Actually government workers are very well paid in Singapore and the government only hires the best and brightest.

Re: I predict

Because of xenophobia and racism ( see TRS, ASS, Temasak Review, and others), the foriegn staff for a lot of MNCs and other companies are being sent out of Singapore. The locals are too arrogant and lazy to work the long hours demanded in IT. The 1990s welcome Singapore back.

As everyone should do.

Any company worth its salt.

Ditch Windows!

ditch OSX and no javascript in browser. Instant security!

SIPRNET?

So they're on the the Singapore version of SIPRNET..

Re:SIPRNET?

So they're on the the Singapore version of SIPRNET..

What? Full of Chinese and Russian hackers?

So no os updates?

[Joe_Dragon]

So no os updates? so if some can get into the network then it will be very easy to hack the systems then?

Re:So no os updates?

Why would you think this means no OS updates? That makes no sense. They have 100,000 seats. Obviously they don't rely on the user to update their system or deal with the vagaries of Windows Update. They will be using some enterprise solution. Probably WSUS or SCCM, but other options are certainly available. With something like SCCM, only one server has to have internet access, and only to a couple of IP addresses.

Re:So no os updates?

Why would you think this means no OS updates?

Because people who clearly don't know what they're talking about, obviously have no experience in the field, and cannot be bothered to do a Google search just love jumping to conclusions. That's why.

The internet demonstrates this all the time.

Re:So no os updates?

You're doing it wrong if you have an organization of this size and you're still depending on a third party provider for your updates directly to the end user workstation.

The fact that you got modded up for this makes me worry for the state of large scale IT. I sincerely doubt if any of these mods come from anyone in a large organization and if they did it is a sad sign of the crapstorm that's sure to come from it.

Re:So no os updates?

[ADRA]

Yeah, I mean they'd never have a DMZ and a replication server anyways. I'm sure that every single update gets downloaded from Microsoft's servers today... And if windows breaks, lets go down to the local bazaar and pick up a new copy from the back to a cart!

How backward do you see this country?

Re:So no os updates?

[Joe_Dragon]

But then the AD servers will need to be online but who knows what will happen when some non IT guy makes this call and things brake down / some small office can't be cut off from the internet with out running an private line to keep it working. The internet blocked systems have ports 80, 8080, 443 cutoff and WSUS fails.

Re:So no os updates?

Some non-IT guy makes what call, exactly? Why would you shut off these ports on the workstation level? What kind of moron would be having a "private" line installed when their connection fails? WHAT THE HELL ARE YOU TALKING ABOUT?

Other Perspective

I work in I.T. for a small subsidiary of a massive Singaporean defense company and I really had no idea what I was getting into, the attacks from China/APTs are completely ridiculous in terms of scale and quantity. We've had everything from traditional external attacks, stolen certificates used against us to physical attacks on-site in just the last 4 years and we're comparatively tiny with only a few hundred staff serving mostly the private sector. From what I heard, it's even worse for MINDEF. This doesn't surprise me at all and frankly, it's probably a good thing for the Singaporeans.

Re:Other Perspective

[T.E.D.]

It sounds to me like the main part of Singapore's defense budget should probably be going to cyber-defense, since that's where the attacks are coming from.

Re: Other Perspective

Sooo do they pay or are they more interested in your jogging abilities?

Re: Other Perspective

No, the pay is garbage.

Re:Other Perspective

Sounds like your work for ST.

And yeah, not just there, but in many places in Singapore, it's kind of obvious that there are attempted "cyber" attacks.

The U.S are only interested

in promoting their own interests and furthering their own agendas. Don't listen to their lies. Stay neutral, and don't fall for their "rise of China" bullshit, and realize that much of the wrongs done in the world today directly or indirectly involve the U.S, not China.

Re:The U.S are only interested

Stay neutral, and don't fall for their "rise of China" bullshit

Yeah total bullshit

and realize that much of the wrongs done in the world today directly or indirectly involve the U.S, not China.

And you think a rich and powerful China is better than a rich and powerful US? You're deluded. Enjoy the "freedom" from your Chinese overlords and let me know how that goes. You clearly know nothing about China.

Re:The U.S are only interested

[gtall]

Yes, pay no attention to those spanking new Chinese islands in the S. China Sea, nor to their claims to own the entire S. China Sea because their ancestors used to piss in it 2000 years ago. Also please ignore the threatening moves across the Taiwan strait, those have nothing to do China acting like a bully to get Taiwan and thus provide alleged Chinese leaders (sic) a reason for being allowed to continue to run the Chinese fascist state. And those nice Norks should not be persuaded by the Chinese to stop building nukes since the Norks are so well adjusted, the Chinese are in no way accountable for their lapdog's actions.

Re: The U.S are only interested

PRC claims as far south as the Ruai Islands in Indonesia. Hint. Batam and Bintan are south of Singapore and part of the same Indonesian island chain. There is a reason outsiders refer to Singapore as Chinapore. Read any article online about this. Singaporeans seemingly can't wait for China to take by force Taiwan, Vietnam, Malaysia, the Philippines, Brunei and Indonesia as it steals the "South China" Sea

Workers from the future

How do they *know* the government workers are from 2017? Wouldn't they just get confused with people from 2016?

In other totally unrelated news

Singapore is migrating all its government servers to Windows 10 to give a boost to security and privacy.

Standard where I work

[houghi]

Where I work this is standard. Whitelisting for the PCs. And you can ask for sites to be added. This will depend on your department, function and what not.

However there are plenty of PCs available throughout the company that DO have internet access. They are on a separate network and separate Internet connection. So we do have two networks and two internet connections.

So if you do need to do search for your work, you are still able to do so. However not at your desk. If you need it all the time, you will have access all the time.

The majority of the people does NOT need Internet access all the time. Want to check your email? Do that before you start, during your lunch break, you 10 minute break in the morning or the afternoon or after work.

This is not even about wasting time, because you can do that reading a newspaper. This is about people clicking on a file and unwilling let a trojan in and we become another company on /. who was hacked, We know we are being targeted. Nothing serious till now.

Re:Standard where I work

"However not at your desk"

Why not? Why not get everyone laptops and let them use WiFi? Your company sucks.

Re:Standard where I work

[luis_a_espinal]

"However not at your desk"

Why not? Why not get everyone laptops and let them use WiFi? Your company sucks.

Dude, if you have laptops connected with wi-fi, you are opening the same attack surface (if not a greater surface) than when you were connected directly to a LAN. There are legitimate reasons to only allow whitelisted sites (stackoverflow for example.) Why would you need access to CNN or youtube when ON THE CLOCK, clicking random websites loading trojans?

Re:Standard where I work

Wouldn't an equally secure approach be to have servers that you VNC to for accessing the web? It provides the same level of isolation without having to leave your desk.

It's basically what we do at our MLS site. We have VNC desktops for each security level and domain, and a VNC desktop for browsing the web and accessing unlabelled sites. The VNC clients we use have MLS labelling, our X11 server enforces labelling on clipboard contents, nothing but supervision is going to stop someone manually typing the contents of labelled documents into an unlabelled domain. The routers and the VNC clients have been security audited, but it's above my pay grade to know to what level and how effective that auditing is.

developers ?

[sxpert]

do they employ any developers there ?

how in hell are they going to be able to do the work they're paid for ? printing thousands of pages of paper documentation ?

Re:developers ?

[godrik]

You could have local install of documentations. We used to have dumps of main part of MSDN coming with visual studio. I don't see why you could not have a similar thing. Once you decide to adopt a framework/library, install a local copy of its documentation.

Re:developers ?

The "Managers" are here.

You could have local install of documentations. We used to have dumps of main part of MSDN coming with visual studio. I don't see why you could not have a similar thing. Once you decide to adopt a framework/library, install a local copy of its documentation.

Re:developers ?

[pete6677]

Backwards 1990s way of working. Modern development happens way faster than this, plus many things now are cloud-based. How exactly do you do web development without internet access?

Re:developers ?

[luis_a_espinal]

do they employ any developers there ?

how in hell are they going to be able to do the work they're paid for ? printing thousands of pages of paper documentation ?

Whitelist selected sites like stackoverflow. That's what I've seen done. It doesn't impair development productivity. After all, you do not need wholesome access to the internet, do you?

Re:developers ?

[Cro+Magnon]

Awhile back, I had to do something on the IBM mainframe, after several years away from it. Some of the JCL wasn't working right, all the old JCL books were gone, and most of the people who knew more than I did were retired, dead, or both. I found the solution via a Google search.

Contradicting Forwad Email

thestack
Government workers will be allowed to forward work mails to their own private email accounts as necessary.

BBC
Officials said employees across government would also be barred from forwarding any work-related information to personal emails

But the IDA spokesperson said this was not the case and that forwarding work emails would be prohibited.
Public servants will, however, be allowed to forward non-work e-mails to their private accounts, the spokesperson clarified.

I would BBC is correct on this.

to the extreme

[CimmerianX]

This is the extent to which some people want to keep win 10 off their systems..... cut off the entire internet.

GET BACK TO WORK!

[Thud457]

"The agriculture ministry is not in charge of Gundam."

So ..

[jon3k]

Basically the same policy we have with secure government networks in the US?

Why not VDI in some capability?

[mlts]

I have seen VDI used to keep criticial infrastructure walled off, so a compromised workstation is less of an issue.

I have also worked on having individual machines, which had zero net connectivity to the outside world, patches were done by WSUS, SCCM, software was pushed out via those means or VMWare ThinApp, and the only machines that the workstations could communicate with, were a RODC, software server, and a terminal server.

The terminal server allowed people to run their Web browsers via seamless RDP to pretty much any sites they felt like (within reason -- pr0n sites were blocked due to the legalities of sexual harassment, for example). This way, all the web browsing to external sites was done on a well controlled VM, and if it got compromised, malware couldn't propagate to the internal machines. This seemed like a good compromise between allowing users to browse the web when need be, while keeping security tight.

Re:Why not VDI in some capability?

[tnk1]

Deploying VDI is not without its challenges, and I suspect that rather than work it out, the simple governmental response was to ban things. It also makes them look tough.

It may well be that they end up with VDI when they tire of being back in the 1990s, but it is just as likely that they'll open themselves in a hodgepodge, case-by-case way that makes them even less secure than they were previously.

Re:Why not VDI in some capability?

VDI sounds great but it's rarely economical in all but some very narrow cases.

It's one of those products deemed "Enterprisey" and thus earns the "Because fuck you, that's why" pricing tears.

You need a fairly robust server farm with lots of resources. Servers need lots of memory, fast cpu, fast storage, and in some cases graphics acceleration. - All the things that make a server as expensive as possible. You can't skimp on any one aspect like most applications.

Then there's the server software. None of it is cheap. Windows server licenses and CALs like normal..

Then you need the VDI software and lisences. No matter who's solution you go with, it costs a fucking arm and a leg.

Then you need the licenses for your desktop windows and office and crap. Just like normal. (You can skip desktop windows pro/ent/whatever if you're doing old school RDS/TS but what's the point in 2016. VDI is so much better)

Point is it's no cheaper than rolling desktops, except in a few narrow cases where you have a lot of roaming users with lots of robust connectivity. The initial investment is HUGE and you need more specialized staff to manage your farm.. But you still need the regular staff too because thin clients exist in meat space and they need to be managed/inventoried/replaced/etc. Easier, but you really don't save a whole lot of staff hours over desktops.

You gain some ability to telecommute and have mobile staff, and some degree of centralized management.. But not much. It's really not much better than a modern managed fleet of desktops and you lose a bit of flexibility.

And it does nothing for laptops. At all.

Re:Why not VDI in some capability?

It's one of those products deemed "Enterprisey" and thus earns the "Because fuck you, that's why" pricing tears.

OpenBSD is free. FreeBSD is free. FreeBSD runs on an RPi which is cheaper than a PC.

You need a fairly robust server farm with lots of resources. Servers need lots of memory, fast cpu, fast storage, and in some cases graphics acceleration. - All the things that make a server as expensive as possible. You can't skimp on any one aspect like most applications.

We run VDI, we find it costs far less than desktops. A $500 server can easily support 100 users. Obviously not for CAD, but this is a government bureaucrat fram, not an engineering firm.

Then there's the server software. None of it is cheap. Windows server licenses and CALs like normal..

Windows CALs are much cheaper than desktop licenses, and in Server 2012 and later they include TS licenses as part of the product.

Then you need the VDI software and lisences. No matter who's solution you go with, it costs a fucking arm and a leg.

Bullshit, Windows TS is free with Windows CALs as I just said. Xrdp and Xvnc are also free. It's about one day work to add support for TLS and login redirection services to Xvnc (I don't know why it's not OOTB, but there you go). FreeBSD is free.

Point is it's no cheaper than rolling desktops, except in a few narrow cases where you have a lot of roaming users with lots of robust connectivity. The initial investment is HUGE and you need more specialized staff to manage your farm.. But you still need the regular staff too because thin clients exist in meat space and they need to be managed/inventoried/replaced/etc. Easier, but you really don't save a whole lot of staff hours over desktops.

Bullshit. the initial investment in greenfield is less than $0 when you subtract the cost of all the desktops you are not buying.

At our site, a bulk SD card copier keeps the stack of our FreeBSD TSC images full, and a stack of blank SD cards and virgin RPis keeps everything flowing. When a unit breaks, we just courier (if remote) or the user picks one up from IT support and drops of the dead one.

Also it costs much less to Fedex IE an RPi than a Dell or HP SFF PC.

And it does nothing for laptops. At all.

Rubbish. For that we roll an OpenBSD TSC image which supports just about every Thinkpad ever. Rolling inventory of Thinkpads is easy, we just plug them into a provisioning VLAN, hit the netboot key (usually F12), and it rolls a fresh OpenBSD TSC onto the HDD.

We did have to do about one week of work to create some nice friendly kiosk shells for the user to set their Wifi at whatever site they are at, and provide some pre and post login options.

Honestly, what you are describing sounds like the hell that exists at some sites, where they don't employ anyone competent (can program, in C), so they have to adopt all sorts of insane and expensive measures to solve problems that are a 5 minutes job for competent personnel.

Terminal services has been a solved problem for over a decade. Heck, VNC (RFB) is so simple, I wasn't happy with the existing clients, so I rolled my own in two weeks, at home, on my own time, after work.

No public cloud or web-based sites and services?

[calgarynerd]

So - they don't plan on using public cloud and combining with perhaps more than one vendor and/or using publically hosted websites? (i.e. Github, etc.) If they stick with one or two vendors, then private connections are possible, but this seems to be quite a step backwards in todays network-neutral, cloud, SaaS & managed web services connected world...

And 100,000 Lassies cried...

Ah, poor Lassie, she won't get fucked anymore! Who is going to step up and satisfy poor Lassie?!?
Those poor government workers are going to have to do actual work now, instead of spending their
time fucking the dog. I bet they'll find another way of getting back to Lassie...

Pretty harsh way of controlling access

[ErichTheRed]

The only positives I can see from an approach like this are the elimination of a vector for ransomware and viruses, and maybe some illusion of control. There was a story about JCPenney corporate headquarters users watching endless hours of YouTube in the 2013 timeframe. This was the same time the company was on the verge of going bankrupt after the Apple Store guy took over as CEO and tried to turn an old-school department store into a hipster haven. I'm very busy at work and have kids to get home to, so my breaks are usually pretty short; I can't imagine sitting for hours on YouTube all day. But, if I was a government worker in a pretty sleepy department, and really only had a couple hours of work to do a day, I would probably goof off a little more. Users with lots of goof-off Internet time are probably a little more susceptible to phishing-style attacks than tech workers, so that's a pretty good vector for spying right there.

The problem with things like ransomware is that they're easy to get, and easy to spread around the network, destroying data. Completely banning the Internet is probably not the best solution, but if China really is serious about asserting its dominance in the region, Singapore is a pretty juicy target. It's smack in the middle of a strategic trade route -- that's why the British were there in the first place.

Re: Pretty harsh way of controlling access

I guess the PSAs running constantly on the MRT were not enough... Also running is an anti-terrorism PSA and a anti-sickness PSA. Guess whats next?

I think it can be done right

[Hevel-Varik]

not every department need access to the internet nor do the departments that do need access need it to the extent that one might imagine.

I am increasingly finding that I can with forethought identify the domains hosting the information I need, e.g, stackexchange or wikepedia or javadocs or safari, there is no reason the prime aggregations of useful domain specific information can't be aggregated and downloaded with diffs maintained, the noise to signal ration on the internet is growing in the wrong direction and you could in theory have dedicated personal to keep on top of this.

That said I doubt this will end up as draconian as the statement suggests.

parallel computer system

have separate govt network, computers only connecting to that, and only allow admins to install software or open external drives

As a scientist...

...All Internet sites are relevant to me (note that I still write "Internet," and not "internet"). I once needed a fast integer multiplication algorithm. Google found it, but it was blocked at work, since it was on a gaming site. I needed to wait a day to get the information from home. Then there was the time that all of YouTube was blocked. There are some very good tutorials on YouTube among the usual fare. I needed to do that at home, too.

2007 Called...

Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
    should share it.

    x86 virtualization is about basically placing another nearly full
    kernel, full of new bugs, on top of a nasty x86 architecture which
    barely has correct page protection. Then running your operating
    system on the other side of this brand new pile of shit.

    You are absolutely deluded, if not stupid, if you think that a
    worldwide collection of software engineers who can't write operating
    systems or applications without security holes, can then turn around
    and suddenly write virtualization layers without security holes.

    You've seen something on the shelf, and it has all sorts of pretty
    colours, and you've bought it.

That's all x86 virtualization is.

Where is Draconia?

> the Draconian policy will still permit ...

I thought this was about Korea, not Draconia.

Good move!

[Schaffner]

That'll make it so that their systems won't keep trying to "upgrade" to Windows 10! Smart move Singapore!

Sounds like they know something.

They must have pieced together the US Government / US corporations tracking methods.

The real story

[dosun88888]

Is that Singapore apparently has workers from the future.

Want to block the internet?

[wkwilley2]

Ports 80 and 8080.

Done deal.