[liberationtech] Chromebooks for Risky Situations?

Jacob Appelbaum jacob at appelbaum.net
Thu Feb 7 16:46:41 PST 2013


T N:
> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> 
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of Linux.
>>
> 
> I don't agree it's "basically just another linux distribution" in that most
> distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distros could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It runs X but the window manager is customized and their
> own (open source, but nonetheless).

ChromeOS is just a distribution of Linux with the Linux kernel and with
a user space that performs a bunch of the same functionality as any
distro. They take more care with security than most distros but until
they're running a BSD kernel or something and drop all the code in
common with other distros, I don't see major differences.

Their main difference comes from a focus on security in a holistic sense
and I respect their efforts.

This is mostly splitting hairs but not every Linux distro is a sysV unix
clone, ChromeOS is another variant and a reasonable one.

> 
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.

Most of the positive security model comes from isolation and the idea
that the ChromeOS team scoped out a specific specification for each
thing they wished to solve. I appreciate the effort and I hope that most
of their work is adopted by other distros.

> 
> 
> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
> 
> 
> It has ssh and supports a number of VPN protocols.  What's so funny?
> 

As I said in another thread, I hadn't seen that they supported any VPN
endpoints; my original ChromeOS device had no VPN support at all. I'm
glad to see that they support IPSEC and OpenVPN (gladly no PPTP!).
Ideally, I would like to see them offer an SSH setup wizard where it
also uses OpenSSH as a VPN transport.

I plan to look into their VPN setup - I would love to see that they're
not vulnerable to the issues in our recent vpnwed paper.

> 
> 
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discussed
>> security/development issues with the ChromeOS team on a nearly daily basis.
>>
> 
> Good luck with that.  Maybe you want to make some money this year at Pwnium?
> 

Weaponizing an exploit and persisting something malicious aren't the
same problem. Consider a Chrome extension that logs all the urls one
visits in the browser, will the ChromeOS security model prevent it?

> 
>>> Yes, you can't compare Chrome OS's attack surface to a typical linux
>>> distribution, or even a highly customized linux install which doesn't have
>>> the hardware root of trust.
>>>
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
> 
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to be met:
> 
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)


Download Tails and boot it up.

> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.

Ditto.

I train journalists all the time and the only people who have issues are
journalists with Macbooks, as there is a specific problem with new apple
hardware and booting from a USB disk. In those cases, a DVD is read only
and does just fine.

> 
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
> 
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summon.
> 

I'm not making that statement at all.

> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well.... no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
> 

Ok.

> My point was for something off the shelf, I know of nothing better and as
> far as it goes... I'd say it's a step up for a lot of people who should be
> using more secure IT technologies and methods than they are (such as some
> journalists), and they can take that step with minimal investment in time
> and energy and a chromebook will meet their needs.
> 

I'd suggest users have no hard disk and boot off of a Tails USB disk.
Now we've reduced the attack surface to the BIOS/EFI layer - something
that I suspect is pretty crappy all across the board.

While ChromeOS will complain if it is shut down, I remember that it
won't complain about being in Developer mode if it wakes from sleep.
Thus, it is totally possible to hand someone a compromised ChromeOS
device that is awake, let them login and you've won without even having
to reflash the core OS.

All the best,
Jacob

> Trever
> 
> 
> 
> 
> 
> 
>>
>> All the best,
>> Jake
>>
>>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
>>>
>>>> The biggest (and very important) difference between Linux and Chromebooks
>>>> is the hugely smaller attack surface.
>>>>
>>>>
>>>> NK
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>>>>
>>>>> Andreas,
>>>>>
>>>>> Plenty of Syrians do have internet access, and use it on a regular basis.
>>>>>
>>>>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>>>>> of appropriateness across the board.
>>>>>
>>>>> Linux is a great solution for many use cases, but as has been elaborated,
>>>>> quite a terrible one for many others.
>>>>>
>>>>> Brian
>>>>>
>>>>>
>>>>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <noergelpizza at hotmail.de> wrote:
>>>>>
>>>>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>>>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
>>>>>>> everyone, but like Nathan said, if you already trust Google, I think
>>>>>>> it's a good option.
>>>>>>>
>>>>>>> On 6 February 2013 07:12, Andreas Bader <noergelpizza at hotmail.de> wrote:
>>>>>>>> Why don't you use an old thinkpad or something with Linux, you have the
>>>>>>>> same price like a Chromebook but more control over the system. And you
>>>>>>>> don't depend on the 3G and Wifi net.
>>>>>>> We started with the notion of Linux, and we were attracted to
>>>>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all the
>>>>>>> things we were attracted to.
>>>>>>>
>>>>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
>>>>>>> - The architecture of ChromeOS is different from Linux - process
>>>>>>> separation through SOP, as opposed to no process separation at all
>>>>>>> - ChromeOS was *designed* to have you logout, and hand the device over
>>>>>>> to someone else to login, and get no access to your stuff.  Extreme
>>>>>>> Hardware attacks aside, it works pretty well.
>>>>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
>>>>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>>>>>> true of Linux.
>>>>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
>>>>>>>
>>>>>>> Something I'm curious about is, if any less-popular device became
>>>>>>> popular among the activist community - would the government view it
>>>>>>> as an indicator of interest?  Just like they block Tor, would they
>>>>>>> block Chromebooks?  It'd have to get pretty darn popular first though.
>>>>>>>
>>>>>>> -tom
>>>>>>> --
>>>>>>>
>>>>>> But you can't use it for political activists e.g. in Syria because of
>>>>>> its dependence on the internet connection. This fact is authoritative.
>>>>>> For Europe and USA and so on it might be a good solution.
>>>>>> --
>>>>>> Unsubscribe, change to digest, or change password at:
>>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Brian Conley
>>>>>
>>>>> Director, Small World News
>>>>>
>>>>> http://smallworldnews.tv
>>>>>
>>>>> m: 646.285.2046
>>>>>
>>>>> Skype: brianjoelconley
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
> 
> 
> 
> 



