Security Experts See Chromebooks as a Closed Ecosystem That Improves Security (cnet.com)
The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article:
Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device...
"If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...."
Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.
"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
Really, it's about how much it doesn't let you do.
If you are trying to be productive, chromebooks are exceedingly annoying because they are so limited.
This plays well with a lot of security researcher mindset, that would rather see useless computers than tolerate what they could imagine to be a security problem.
Sometimes they find legitimate problems (e.g. Heartbleed), but often they declare some severe CVE for "administrator can do administrator things" sorts of behaviors.
Then they wonder at why when they find a very severe issue and get a lot of credibility, why it goes away in a matter of weeks as they try to open/brand a wave of 'vulnerabilities' that are perfectly actually expected/intended behaviors by the developers and the users of that software.
The point was to reply to the person saying that this story about chromeos somehow relates to Linux security model. While it does avail itself of certain linux features (SELinux), it's mostly about implementing a very limited sandbox and they can/do pretty much implement that wherever their browser runs. You can pretty much also get the same security by never running anything outside a browser context.
In many cases, sure, you are dealing with a situation where the owner of the device is not the operator o
The Chromebook isn't a full blown laptop that can run all sorts of high end software.
True, but it did crowd more versatile compact laptops out of the market. To what extent did the introduction of the Chromebook in third quarter 2011 cause inexpensive compact laptops to cease being a market segment at the end of 2012 [slashdot.org]?
An Atom CPU is no worse in performance than a similarly clocked Pentium 4 CPU.* Thus an Atom laptop can still hold its own running Xubuntu, especially for things like lightweight hobby or contract programming work to pass the time on the bus commute to and from one's day job.
* Yes, this is telling about how inefficient NetBurst was, but bear with me.
The point about netburst was high clockrates, atom cpus tend not to have such high clockrates.
Most (all?) chromebooks can be repurposed to run a full blown linux if you want to, or you can run chromeos in developer mode which is basically linux anyway.
Even though you can do more with a mac (or even an iPad, especially the iPad pro)....chromebook is still better?
One difference is that Google Chrome, the pack-in browser on a Chromebook, is more capable (in support for web platform features) than Safari, the pack-in browser on a Mac or iOS device. And any third-party web browser on an iPad will have exactly the same deficiencies in support for web platform features as Safari due to their shared Apple WebKit engine.
Your school system is habituating people to crippled, minimal devices - the very poster child for dumbing down the students.
Chromebooks are only a good answer to going backwards.
Apparently the ASR-33 teletypes my school had when I was in high school were 'dumbing down the students' because they were going backwards. We could have had 300 baud glass crts, after all.
Your school system is habituating people to crippled, minimal devices - the very poster child for dumbing down the students.
Chromebooks are only a good answer to going backwards.
Unfortunately, going backwards is a trend that is taking over all of society.
Over the last 30 years, computers have become more and more powerful, hard drives and monitors have become bigger and cheaper, and yet today most people spend all their time staring at a phone with a 5 inch screen and the power and storage of an early 90s era PC.
Full blown laptops are geek toys, designed for geeks by geeks... The average reader of slashdot might be capable of operating such a tool, but most people are not and many people would never have bought such a machine at all if it wasn't the only available tool for doing some key activity (eg internet access)...
Now there are many new tools which are far more suitable for most people's needs (chromebooks, tablets, phones, games consoles etc), the niches that require a full blown laptop are shrinking.
So does Apple.
The challenge comes in as you try to continue to get open ended devices in a world where you have more and more people locked into the google ecosystem or similar. Sure, different tools for different purposes, but that can cause difficulty when your tool of choice becomes more and more rare in the face of tools you do not like.
I started using a Chromebook a few years ago thinking that it would be limited to these tasks. However, I've found that I don't use my MacBook any more... For anything. Seems the Chromebook meets all of my needs. When I first got it I set up Linux on it thinking that I could use that for any "heavy duty" tasks but I haven't needed it.
Oh yeah. Nothing says open source "for the win" like a Closed Ecosystem.
If you see some sort of contradiction there then I don't think you understand either of those phrases.
Indeed, chromeos may be a closed system in its default configuration, but it's still open source and its success actually provides significant benefits to those of us who want to use regular linux distros...
You used to get websites which check your user agent string and reject anything which is not windows or macos, such things are less common these days thanks to mobile and chromeos...
Manufacturers shipping devices with chromeos ensures that the hardware is compatible with chromeos, and thus also with linux
Not sure I'd call chromeos a closed ecosystem. Everything you do on the device is being sold to the highest bidder, it's about as wide open as an ecosystem can get. Sure, you can't do anything useful on the device itself, but there is absolutely nothing 'secure' or 'closed' about all the data sucked back to the mothership.
Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus.
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
I have used ABP for the last few years, but I recently (2 weeks ago) switched to safescript because I was sick of websites abusing my eyes. Much better! May have to configure for $favoritesites but other than that, I see what I want and nothing more.
Check out Pi Hole to deep six ads.
Ads, paywalls, or what else? (Score:3)
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
If you oppose all web advertisements, would you prefer having to pay $5 for each distinct domain that you visit in a month? That'd make web search engines a lot less convenient. If you have a third option in mind other than ads or paywalls, I'd be interested to read it.
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
If you oppose all web advertisements, would you prefer having to pay $5 for each distinct domain that you visit in a month?
How about we get less intrusive and trespassing ads?
Personally, I agree. And I admire Daring Fireball's print-like model [daringfireball.net], also seen on Read the Docs [readthedocs.io], where the advertiser sends the ad image to the publisher and the publisher hosts it. Firefox Tracking Protection blocks ads that track me but allows publisher-hosted ads, such as those on Daring Fireball and Read the Docs. But I imagine that fibonacci8 would disagree because "deciding some ads were acceptable for the end user" would amount to "malware".
I second this..
I never blocked ads until they started becoming intrusive (sound, delaying page loads, breaking page layout or altering it as they load slowly etc)...
I block ads on this site because the default ads sometimes break scrolling in safari on osx.
If you oppose all web advertisements, would you prefer having to pay $5 for each distinct domain that you visit in a month?
Other than your $5 figure vastly inflating the value of ad impressions these days, yes, I would be perfectly fine with the option paying money to not be bombarded with ads and tracking scripts. It’s why I’m a subscriber at sites like Ars Technica.
If your website can’t survive without treating your visitors as a product then the website doesn’t deserve to exist. I would be perfectly happy with most of these ad-laden clickbait sites going away forever. Nothing of value would be lost.
i'd rather sites that offer nothing of value just died, then maybe we could find half decent sites back on the clearnet like the good old days.
Malware (Score:3, Insightful)
Everything from Google, a giant advertising company that wants to track your every move. Fools.
Depends what your threat model is. If you're worried about leaking data to corporate entities, then Apple / Google / MS based devices are always going to be a potential problem. If you're worried about organised crime or hackers then you're probably better off on a Chromebook as it's pretty locked down from those threats, and a Linux distro is quite easy to make insecure if you install the wrong service and/or don't keep it updated.
But please don't give me "but Apple are secure because they tells me so!" -
VERY secure.
... an oxymoron.
In case people don't see exactly how clever your comment is, ChromeOS is a Gentoo-based Linux distro with a prebuilt frozen userland and Google administration. It really does come down to trust of Google, once that information isn't being obscured.
Free people use their private BBS,
..on their own..
Although since it's open source, could someone not create a fork that was linked to someone else's service instead of google's?
Not trusting google is fine, but people without the technical knowledge to operate a full blown laptop could hire someone they trust to manage a forked chromebook for them.
First let me establish to what extent I am qualified or not to address this question:
I've been a security professional for 20 years. Most of that time I used Linux exclusively. Recently I've also started using Mac. You'll find my name in the kernel change log.
There are three main areas of security; confidentiality, integrity, and availability. Most of the time when people say "security" they mean confidentiality first, with some thought to integrity, and they rarely think of availability. For confidentialit
> If the features and functions you need aren't available on ChromeOS, it won't work for you.
I'm afraid that this includes over 90% of all laptop users. Without support for robust, fully Microsoft compatible document or spreadsheet handling for business professionals, without robust gaming support for even those few Steam games that have been converted, and without the developer support to handle virtual environments for other development, they remain useful only as web browser tools.
Good luck SSHing from transit (Score:2)
It even suits my needs while traveling because my travel device only needs to SSH to my main machines, and provide a web browser.
Good luck SSHing from a moving city bus. It won't stay near one Wi-Fi access point long enough for your Chromebook to associate. If you're buying cellular Internet service just to use SSH from your Chromebook, you end up needing to include the price of a cellular subscription over the course of your Chromebook's useful life in its effective price.
And where are your "main machines"? If at home, many home ISPs use NAT that blocks incoming connections [slashdot.org].
(It was a company mobile, and I was doing company business. Data plan not a problem!)
For confidentiality and integrity, the top two things an OS can do to help is limit the attack surface (such as not running unnecessary daemons or other software) and provide quick, reliable updates.
Confidentiality is having everything you do uploaded to the world's most prolific data collection and advertising agency?
Talking confidentiality and integrity on a system that clearly isn't trustworthy in the first place is a waste of time.
The only code that can't possibly be hacked is code that isn't there, so the most secure system is the most minimal system.
Fundamentally misguided. Amount of code is not as important as organization of code.
Real-life attacks use known vulnerabilities 99.99% of the time, so quick, automatic updates to resolve known issues are very important.
Well over 90% of attacks exploit users not systems.
There is one Linux distribution that stands out for avoiding any unnecessary code (and potential vulnerabilities) and providing quick, reliable updates. That distribution is ChromeOS.
Only realistic hope in the near term is better hardware and isolation at hypervisor level.
would be just as good as long as it is in competent hands
Exactly the problem. Vast majority of users, including most IT professionals, are not security competent. Expecting people to know the ins-and-outs of computer security before they can be secure is a non-starter.
So to secure your data you have to give it all to google. No other options. Right. Cutting edge technology, eh.
Also: "hackers" means diddly squat except "bogeyman in your interwebz". But then, "security expert" really means "s'kiddie", and that has been the case since the misappropriation and divorce of "hacker" from its original meaning, an honorific indicating great technological skill and creativity. No surprise, then, that both are sorely lacking among "security professionals".
I can see why one would purchase a cheap laptop with Chrome OS for their children in middle school or high school but once they are college bound only a quality laptop that is neither repairable nor upgradable running macOS with 10 dongles will do.
- Tim in Cupertino
AP Computer Science (Score:2)
I can see why one would purchase a cheap laptop with Chrome OS for their children in middle school or high school
Middle school maybe. But how would a high school student taking AP Computer Science complete his homework using Chrome OS?
College Board Pushes for CS as HS Grad Requirement (Score:2)
What percentage of the high-school students in the US are in this group [of students taking programming]?
100 percent, if the College Board gets its way [slashdot.org]. The College Board administers SAT and AP tests that high school students take to determine their eligibility to attend university.
No mention of how much is leaked to google: copies of your files sent there or other metrics that google might sniff. But if you are happy with that then yes it is secure.
title should add "Self-proclaimed" to the "security expert" part.
Sure, I'll agree with summary. A closed system is inherently harder to hack. And harder to put malware onto if the model is excluding unsigned/unapproved code.
But is this something we really want? We've heard that 'they' would like general purpose computing to be revoked from the general population, or at least severely limited.
This is a step in that direction, under the guise of 'It's more secure!', yeah, it's also locked down and useless for any function other than its designated function. I'm not re
General purpose open computing *is* unsafe for most people, and people with zero technical knowledge using complex general purpose systems has resulted in epidemics of compromised machines, identity theft and all manner of other problems.
Many people are better off with a hardened device managed by someone else, whether it's a chromebook, tablet or games console (a console is fundamentally no different, it's just designed to play games instead of browse websites).
Were it not for a need to access the internet, m
