[liberationtech] Chromebooks for Risky Situations?

T N trrevv at gmail.com
Thu Feb 7 14:55:19 PST 2013


The other things I meant to add:

Most Linux distros are not running with their executable code on a
readonly filesystem, and it takes some effort to convert to a RO
configuration.

Also you cannot log in to a stock Chrome OS device as root.  That account
has logins disabled.  You have to flip to dev mode, in which case, the
machine will complain at every boot that its mode has been switched (so
you know).


Trever


On Thu, Feb 7, 2013 at 2:41 PM, T N <trrevv at gmail.com> wrote:

> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of
>> Linux.
>>
>
> I don't agree it's "basically just another linux distribution" in that
> most distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distros could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It runs X but the window manager is customized and their
> own (open source, but nonetheless).
>
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.
>
>
>> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
>
>
> It has ssh and supports a number of VPN protocols.  What's so funny?
>
>
>
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discussed
>> security/development issues with the ChromeOS team on a nearly daily
>> basis.
>>
>
> Good luck with that.  Maybe you want to make some money this year at
> Pwnium?
>
>
>> > Yes, you can't compare Chrome OS's attack surface to a typical linux
>> > distribution, or even a highly customized linux install which doesn't have
>> > the hardware root of trust.
>> >
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
>
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to be met:
>
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)
> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.
>
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
>
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summon.
>
> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well.... no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
>
> My point was for something off the shelf, I know of nothing better and as
> far as it goes... I'd say it's a step up for a lot of people who should be
> using more secure IT technologies and methods than they are (such as some
> journalists), and they can take that step with minimal investment in time
> and energy and a chromebook will meet their needs.
>
> Trever
>
>
>
>
>
>
>>
>> All the best,
>> Jake
>>
>> >
>> >
>> >
>> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
>> >
>> >> The biggest (and very important) difference between Linux and Chromebooks
>> >> is the hugely smaller attack surface.
>> >>
>> >>
>> >> NK
>> >>
>> >>
>> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>> >>
>> >>> Andreas,
>> >>>
>> >>> Plenty of Syrians do have internet access, and use it on a regular basis.
>> >>>
>> >>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>> >>> of appropriateness across the board.
>> >>>
>> >>> Linux is a great solution for many use cases, but as has been elaborated,
>> >>> quite a terrible one for many others.
>> >>>
>> >>> Brian
>> >>>
>> >>>
>> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <noergelpizza at hotmail.de> wrote:
>> >>>
>> >>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>> >>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
>> >>>>> everyone, but like Nathan said, if you already trust Google, I think
>> >>>>> it's a good option.
>> >>>>>
>> >>>>> On 6 February 2013 07:12, Andreas Bader <noergelpizza at hotmail.de> wrote:
>> >>>>>> Why don't you use an old thinkpad or something with Linux, you have the
>> >>>>>> same price like a Chromebook but more control over the system. And you
>> >>>>>> don't depend on the 3G and Wifi net.
>> >>>>> We started with the notion of Linux, and we were attracted to
>> >>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all the
>> >>>>> things we were attracted to.
>> >>>>>
>> >>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>> >>>>> - The architecture of ChromeOS is different from Linux - process
>> >>>>> separation through SOP, as opposed to no process separation at all
>> >>>>> - ChromeOS was *designed* to have you log out, and hand the device over
>> >>>>> to someone else to log in, and get no access to your stuff.  Extreme
>> >>>>> Hardware attacks aside, it works pretty well.
>> >>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>> >>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>> >>>>> true of Linux.
>> >>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>> >>>>>
>> >>>>> Something I'm curious about is, if any less-popular device became
>> >>>>> popular among the activist community - would the government view it
>> >>>>> as an indicator of interest?  Just like they block Tor, would they
>> >>>>> block Chromebooks?  It'd have to get pretty darn popular first though.
>> >>>>>
>> >>>>> -tom
>> >>>>> --
>> >>>>>
>> >>>> But you can't use it for political activists e.g. in Syria because of
>> >>>> its dependence on the internet connection. This fact is authoritative.
>> >>>> For Europe and USA and so on it might be a good solution.
>> >>>> --
>> >>>> Unsubscribe, change to digest, or change password at:
>> >>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>>
>> >>>
>> >>>
>> >>> Brian Conley
>> >>>
>> >>> Director, Small World News
>> >>>
>> >>> http://smallworldnews.tv
>> >>>
>> >>> m: 646.285.2046
>> >>>
>> >>> Skype: brianjoelconley
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>
>