[liberationtech] Chromebooks for Risky Situations?
Jacob Appelbaum
jacob at appelbaum.net
Thu Feb 7 12:06:13 PST 2013
Nadim Kobeissi:
> On Wed, Feb 6, 2013 at 5:16 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
>>
>>
>> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person. Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>>
> Thankfully, while Chrome does not support better solutions (such as Tor),
> it does in fact support VPN connections:
> http://support.google.com/chromeos/bin/answer.py?hl=en&answer=1282338
>
>
This is a new (to me) feature; thanks for pointing it out. I'm glad to
see it finally landed and is in production. Would someone with a
ChromeOS device test the VPN to see if it leaks the way that we
described in our vpwned[0] paper?

It should be rather straightforward to see if it leaks with trivial
tests. Killing the VPN to see if it fails open should also be
straightforward. I would be pleasantly surprised if they were not
vulnerable to either of those issues. I asked a ChromeOS security person
their thoughts on the matter and passed them our paper; we'll see what
they say.

All the best,
Jake

[0] https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
>>> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
>>>
>>>> The biggest (and very important) difference between Linux and Chromebooks
>>>> is the hugely smaller attack surface.
>>>>
>>>>
>>>> NK
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>>>>
>>>>> Andreas,
>>>>>
>>>>> Plenty of Syrians do have internet access, and use it on a regular basis.
>>>>>
>>>>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>>>>> of appropriateness across the board.
>>>>>
>>>>> Linux is a great solution for many use cases, but as has been elaborated,
>>>>> quite a terrible one for many others.
>>>>>
>>>>> Brian
>>>>>
>>>>>
>>>>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <noergelpizza at hotmail.de> wrote:
>>>>>
>>>>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>>>>>> Nadim, I'm with you. I'm not sure it's the perfect solution for
>>>>>>> everyone, but like Nathan said, if you already trust Google, I think
>>>>>>> it's a good option.
>>>>>>>
>>>>>>> On 6 February 2013 07:12, Andreas Bader <noergelpizza at hotmail.de> wrote:
>>>>>>>> Why don't you use an old thinkpad or something with Linux, you have the
>>>>>>>> same price like a Chromebook but more control over the system. And you
>>>>>>>> don't depend on the 3G and Wifi net.
>>>>>>> We started with the notion of Linux, and we were attracted to
>>>>>>> Chromebooks for a bunch of reasons. Going back to Linux loses all the
>>>>>>> things we were attracted to.
>>>>>>>
>>>>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>>>>>>> - The architecture of ChromeOS is different from Linux - process
>>>>>>> separation through SOP, as opposed to no process separation at all
>>>>>>> - ChromeOS was *designed* to have you logout, and hand the device over
>>>>>>> to someone else to login, and get no access to your stuff. Extreme
>>>>>>> Hardware attacks aside, it works pretty well.
>>>>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>>>>>>> foolproof. Having bricked Ubuntu and Gentoo systems, the same is not
>>>>>>> true of Linux.
>>>>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>>>>>>>
>>>>>>> Something I'm curious about is, if any less-popular device became
>>>>>>> popular among the activist community - would the government view it
>>>>>>> as an indicator of interest? Just like they block Tor, would they
>>>>>>> block Chromebooks? It'd have to get pretty darn popular first though.
>>>>>>>
>>>>>>> -tom
>>>>>>> --
>>>>>>>
>>>>>> But you can't use it for political activists e.g. in Syria because of
>>>>>> its dependence on the internet connection. This fact is authoritative.
>>>>>> For Europe and USA and so on it might be a good solution.
>>>>>> --
>>>>>> Unsubscribe, change to digest, or change password at:
>>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Brian Conley
>>>>>
>>>>> Director, Small World News
>>>>>
>>>>> http://smallworldnews.tv
>>>>>
>>>>> m: 646.285.2046
>>>>>
>>>>> Skype: brianjoelconley
>>>>>
>>>>>
>>>>>
>
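
A routing-table version of the fail-open check the message above asks for (kill the VPN, see whether traffic still has a way out), as an added example that is not part of the original post and is not the test method of the vpwned paper. It assumes Linux `ip route show` output captured once with the VPN up and once after the VPN process was killed; `tun0`, `wlan0` and all addresses are constructed sample values, and a packet filter that drops non-tunnel traffic is invisible to the routing table, so a verdict should be confirmed with a packet capture.

```sh
#!/bin/sh
# Added example: judge VPN fail-open behaviour from two `ip route show` captures.
# Interface names and addresses below are constructed sample data.

# Read a routing table on stdin and print the interface that default-bound
# traffic uses: the split 0.0.0.0/1 + 128.0.0.0/1 pair if present (it overrides
# "default"), otherwise the lowest-metric default route, otherwise "none".
egress_if() {
    awk '
        function dev(   i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
        function metric(   i) { for (i = 1; i < NF; i++) if ($i == "metric") return $(i + 1) + 0; return 0 }
        $1 == "0.0.0.0/1"   { lo = dev() }
        $1 == "128.0.0.0/1" { hi = dev() }
        $1 == "default"     { m = metric(); if (best == "" || m < bestm) { best = dev(); bestm = m } }
        END {
            if (lo != "" && lo == hi) print lo
            else if (best != "")      print best
            else                      print "none"
        }'
}

# $1 = table captured with the VPN up, $2 = table captured after the VPN
# process was killed, $3 = tunnel interface name.
classify() {
    up=$(printf '%s\n' "$1" | egress_if)
    down=$(printf '%s\n' "$2" | egress_if)
    if [ "$up" != "$3" ]; then
        echo "leak-while-up via $up"      # traffic bypasses the tunnel already
    elif [ "$down" = "none" ]; then
        echo "fail-closed"                # no default route left once the tunnel dies
    else
        echo "fail-open via $down"        # traffic falls back to the local network
    fi
}

# Constructed captures (not taken from a ChromeOS device).
UP_TABLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0'
DOWN_TABLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'
BLOCKED_TABLE='192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

classify "$UP_TABLE" "$DOWN_TABLE" tun0
classify "$UP_TABLE" "$BLOCKED_TABLE" tun0
```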