Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Chromebooks for Risky Situations?

Jacob Appelbaum jacob at appelbaum.net
Thu Feb 7 16:46:41 PST 2013


T N:
> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> 
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of Linux.
>>
> 
> I don't agree it's "basically just another linux distribution" in that most
> distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distro's could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It's runs X but the window manager is customized and their
> own (open source, but nonetheless).

ChromeOS is just a distribution of Linux with the Linux kernel and with
a user space that performs a bunch of the same functionality as any
distro. They take more care with security than most distros but until
they're running a BSD kernel or something and drop all the code in
common with other distros, I don't see major differences.

Their main difference comes from a focus on security in a holistic sense
and I respect their efforts.

This is mostly splitting hairs but not every Linux distro is a sysV unix
clone, ChromeOS is another variant and a reasonable one.

> 
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.

Most of the positive security model comes from isolation and the idea
that the ChromeOS team scoped out a specific specification for each
thing they wished to solve. I appreciate the effort and I hope that most
of their work is adopted by other distros.

> 
> 
> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
> 
> 
> It has ssh and supports a number of VPN protocols.  What's so funny?
> 

As I said in another thread, I hadn't seen that they supported any VPN
endpoints; my original ChromeOS device had no VPN support at all. I'm
glad to see that they support IPSEC and OpenVPN (gladly no PPTP!).
Ideally, I would like to see them offer an SSH setup wizard where it
also uses OpenSSH as a VPN transport.

I plan to look into their VPN setup - I would love to see that they're
not vulnerable to the issues in our recent vpnwed paper.

> 
> 
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discuss
>> security/development issues with the ChromeOS team on a nearly daily basis.
>>
> 
> Good luck with that.  Maybe you want to make some money this year at Pwnium?
> 

Weaponizing an exploit and persisting something malicious aren't the
same problem. Consider a Chrome extension that logs all the urls one
visits in the browser, will the ChromeOS security model prevent it?

> 
>> Yes, you can't compare Chrome OS's attack surface to a typical linux
>>> distribution, or even a highly customized linux install which doesn't
>> have
>>> the hardware root of trust.
>>>
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
> 
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to met:
> 
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)


Download Tails and boot it up.

> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.

Ditto.

I train journalists all the time and the only people who have issues are
journalists with Macbooks, as there is a specific problem with new apple
hardware and booting from a USB disk. In those cases, a DVD is read only
and does just fine.

> 
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
> 
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summons.
> 

I'm not making that statement at all.

> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well.... no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
> 

Ok.

> My point was for something off the shelf, I know of nothing better and as
> far as it goes... I'd say it's a step up for a lot people who should be
> using more secure IT technologies and methods than they are (such as some
> journalists), and they can take that step with minimal investment in time
> and energy and a chromebook will meet their needs.
> 

I'd suggest users have no hard disk and boot off of a Tails USB disk.
Now we've reduced the attack surface to the BIOS/EFI layer - something
that I suspect is pretty crappy all across the board.

While ChromeOS will complain if it is shut down, I remember that it
won't complain about being in Developer mode if it wakes from sleep.
Thus, it is totally possible to hand someone a compromised ChromeOS
device that is awake, let them login and you've won without even having
to reflash the core OS.

All the best,
Jacob

> Trever
> 
> 
> 
> 
> 
> 
>>
>> All the best,
>> Jake
>>
>>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
>>>
>>>> The biggest (and very important) difference between Linux and
>> Chromebooks
>>>> is the hugely smaller attack surface.
>>>>
>>>>
>>>> NK
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <brianc at smallworldnews.tv
>>> wrote:
>>>>
>>>>> Andreas,
>>>>>
>>>>> Plenty of Syrians do have internet access, and use it on a regular
>> basis.
>>>>>
>>>>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>>>>> of appropriateness across the board.
>>>>>
>>>>> Linux is a great solution for many use cases, but as has been
>> elaborated,
>>>>> quite a terrible one for many others.
>>>>>
>>>>> Brian
>>>>>
>>>>>
>>>>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <noergelpizza at hotmail.de
>>> wrote:
>>>>>
>>>>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>>>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
>>>>>>> everyone, but like Nathan said, if you already trust Google, I think
>>>>>>> it's a good option.
>>>>>>>
>>>>>>> On 6 February 2013 07:12, Andreas Bader <noergelpizza at hotmail.de>
>>>>>> wrote:
>>>>>>>> Why don't you use an old thinkpad or something with Linux, you have
>>>>>> the
>>>>>>>> same price like a Chromebook but more control over the system. And
>> you
>>>>>>>> don't depend on the 3G and Wifi net.
>>>>>>> We started with the notion of Linux, and we were attracted to
>>>>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all
>> the
>>>>>>> things we were attracted to.
>>>>>>>
>>>>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>>>>>>> - The architecture of ChromeOS is different from Linux - process
>>>>>>> separation through SOP, as opposed to no process separation at all
>>>>>>> - ChromeOS was *designed* to have you logout, and hand the device
>> over
>>>>>>> to someone else to login, and get no access to your stuff.  Extreme
>>>>>>> Hardware attacks aside, it works pretty well.
>>>>>>> - ChromeOS's update mechanism is automatic, transparent, and
>> basically
>>>>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>>>>>> true of Linux.
>>>>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>>>>>>>
>>>>>>> Something I'm curious about is, if any less-popular device became
>>>>>>> popular amoung the activist community - would the government view is
>>>>>>> as an indicator of interest?  Just like they block Tor, would they
>>>>>>> block Chromebooks?  It'd have to get pretty darn popular first
>> though.
>>>>>>>
>>>>>>> -tom
>>>>>>> --
>>>>>>>
>>>>>> But you can't use it for political activists e.g. in Syria because of
>>>>>> its dependence on the internet connection. This fact is authoritative.
>>>>>> For Europe and USA and so on it might be a good solution.
>>>>>> --
>>>>>> Unsubscribe, change to digest, or change password at:
>>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Brian Conley
>>>>>
>>>>> Director, Small World News
>>>>>
>>>>> http://smallworldnews.tv
>>>>>
>>>>> m: 646.285.2046
>>>>>
>>>>> Skype: brianjoelconley
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Unsubscribe, change to digest, or change password at:
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>
>>>>
>>>>
>>>> --
>>>> Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>
>>>
>>>
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
> 
> 
> 
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 




More information about the liberationtech mailing list