Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-09 Thread T N
On Sat, Feb 9, 2013 at 1:46 PM, Brian Conley wrote:

> Do I trust Google not to share my information, ever? No, of course not.
> But do I trust Google not to share my information with the Chinese
> government? I certainly trust them more than I trust Skype or Yahoo, or a
> number of others.
>

Likewise, because of Google's track record relative to those others.

A lot of the discussion I'm seeing here has gotten off the thread, so much
so that I'm hesitant to enter the noise.  Things like "thou shall only sing
'Free the software' in churchy communion with Richard Stallman" and "my
super ninja techniques are way superior to running Chrome OS" are not
addressing the original posting, which is discussion of the merits of using
Chrome OS in risky situations.   To argue that there are more secure
things- let's just assume that, as I believe the thread originally did.
That's totally beside the point.  The point is, could Chrome OS also be a
good idea?

I THINK THAT'S A VERY INTERESTING QUESTION AND WORTHY OF SOME DISCUSSION.
 I wish to see more discussion from other people with enough knowledge of
Chromebooks to speak to this, my own assessment is not that interesting to
me.  One of a chromebook's claims to fame is its security.  But even more
importantly, this is an off the shelf, easy to use and administer,
inexpensive mainstreamy type of device that clearly can meet a lot of use
case needs at least in terms of what it can do (but is it secure enough?),
and there has really not been anything like it before in the broader market
place.  Surely that's worth looking at, without risking complete and
utter moral corruption.

If you aren't entirely familiar with the current state of Chrome OS and the
devices that run it (because Chrome OS devices are not the same as
running Chromium OS on generic hardware), please, start another thread
where you can lament what people are saying on this one in your complete
ignorance, talk about alternatives that you do know, or generate whatever
noise you want to.   But in this thread, that's keeping better informed
points of view from participating?  Perhaps.

I have an enormous amount of respect for what Richard Stallman has
contributed, I think Tails linux is the bee's knees, etc. etc.  But that is
not the point.  The point is would using a Chromebook sufficiently mitigate
risks for someone in a risky situation (use case to be more fully specified
for any given argument, yea or nay)?


-T
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
On Thu, Feb 7, 2013 at 4:46 PM, Jacob Appelbaum  wrote:

> As I said in another thread, I hadn't seen that they supported any VPN
> endpoints; my original ChromeOS device had no VPN support at all. I'm
> glad to see that they support IPSEC and OpenVPN (gladly no PPTP!).
> Ideally, I would like to see them offer an SSH setup wizard where it
> also uses OpenSSH as a VPN transport.
>
> I plan to look into their VPN setup - I would love to see that they're
> not vulnerable to the issues in our recent vpnwed paper.
>

AFAICT, they are doing a bunch of work on expanding VPN support so
enterprises can adopt the product.

The ssh client is "interesting", check it out if you haven't.  It's openssh
in NaCl form, running inside of hterm (javascript terminal).  One claim I
saw them make was this is more secure than a typical ssh client (running
off a linux distro, say) because in addition to the careful stuff done to
avoid any possibility (cough) of a javascript exploit, the whole caboodle
is running inside of a sandbox (because inside Chrome).  I don't know what
to make of that.  Various key management, tunneling and other support has
AFAICT been coming along.



> Weaponizing an exploit and persisting something malicious aren't the
> same problem. Consider a Chrome extension that logs all the urls one
> visits in the browser, will the ChromeOS security model prevent it?
>

I see what you're saying.  Yes, the "ironic" thing about Chrome OS is that
the base OS is relatively secure, but all of that is to force you into a
browser ("web world").  What exactly does one say about that!?  A giant
step forward in a commercial OS/hardware hardening effort, and a giant
regression?  Eh, the web still scares me.  Therapy hasn't helped.  Anyways
for a journalist in certain situations, connecting to say Google Docs...
using two factor authentication... in the spirit of what started this
thread, it seems like compared to a lot of off the shelf alternatives, this
is still a giant leap forward in terms of security.  It is at the very
least an interesting debate/thing to think about (per the thread)?


> > I think you're seriously missing the point here.  My remarks were well
> > qualified.  Conditionals have to be met:
> >
> > - IF you want low cost (time is money, so efforts to set up a Linux secure
> > laptop that are time consuming are expensive, as is all the time you spent
> > to learn how to do these things in the first place)
>
>
> Download Tails and boot it up.
>

Really though?  "Mr. Rather, could you please download tails and boot it
up?"

"Mr. Koppel, if you have a problem with this thing I'm handing you, contact
me, I'll get a hold of the mailing list..."

I'm being facetious of course.  And I think this gets into an interesting
area about how to support secure liberation technology.  That I don't know,
so not entirely sure what to say to what you suggest.



> > - IF you want a somewhat naive user to use the device (eg. journalist)
> > - etc.
>
> Ditto.
>
> I train journalists all the time and the only people who have issues are
> journalists with Macbooks, as there is a specific problem with new apple
> hardware and booting from a USB disk. In those cases, a DVD is read only
> and does just fine.
>

Okay, that's your experience.



> I'd suggest users have no hard disk and boot off of a Tails USB disk.
>
> Now we've reduced the attack surface to the BIOS/EFI layer - something
> that I suspect is pretty crappy all across the board.
>
> While ChromeOS will complain if it is shut down, I remember that it
> won't complain about being in Developer mode if it wakes from sleep.
> Thus, it is totally possible to hand someone a compromised ChromeOS
> device that is awake, let them login and you've won without even having
> to reflash the core OS.


Are we really trying to defend against that threat model?

Re your next email, I'll address one point, though spending this time
defending Chrome OS seems a bit silly.  I'm not a shill for Google and have
nothing to gain here (and thus at some point better things to do! :-).
 What I would say is to really go (again?) to chromium.org and look at all
the lengthy discussion of their security design.  Anywho, if the dev switch
is flipped, one has root without so much as a password (until one is set).
 But so what?  Dev mode only takes effect after the switch is flipped and
machine is booted (or rebooted).  In other words, gaining root on an acquired
device gets you no closer to any cached data or credentials on the Chrome
OS device, because that stuff is all encrypted and being root doesn't help
you there, the user has to be logged on in an *active* session for root to
have any access to their data.  But if the user is active, the user is
right there physically and thus the threat model is again totally
different.  The Chrome OS documentation goes into quite a bit of detail
about what threat models they can and can't defend against.  The point I
would make here is gaining root on a Chrome OS devic

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
The other things I meant to add:

Most Linux distros are not running with their executable code on a
readonly filesystem, and it takes some effort to convert to a RO
configuration.

Also you can not login to a stock Chrome OS device as root.  That account
has logins disabled.  You have to flip to dev mode, in which case, the
machine will complain at every boot that its mode has been switched (so
you know).


Trever


On Thu, Feb 7, 2013 at 2:41 PM, T N  wrote:

> On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum wrote:
>
>> It runs software that is in Debian, the GNU/Linux operating system. I
>> know, I've written some of it (eg: tlsdate). They do a good job of
>> locking things down but it is basically just another distribution of
>> Linux.
>>
>
> I don't agree it's "basically just another linux distribution" in that
> most distros (zero?) aren't using the dm-verity Google mostly wrote and
> contributed upstream for their purposes.  The distros could use it.
> Chrome OS is also totally stripped down compared to a typical linux
> distribution.  It runs X but the window manager is customized and their
> own (open source, but nonetheless).
>
> But yes- it's a Linux kernel with an admixture of userland things, some of
> which are GNU, some of which are not.
>
>
>> This is hilarious.
>>
>> I would *never* use a laptop that lacks a way to protect all your
>> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
>> surveillance as an at risk person.
>
>
> It has ssh and supports a number of VPN protocols.  What's so funny?
>
>
>
>> Not only because the remote systems
>> will have your exact geographic location and because a lack of anonymity
>> allows for targeted attacks, but also because the local network is well
>> known to be seriously hostile!
>>
>> A persistent backdoor on your Chromebook is not actually impossible. I
>> have a few ideas for how to make it happen and I've discussed
>> security/development issues with the ChromeOS team on a nearly daily
>> basis.
>>
>
> Good luck with that.  Maybe you want to make some money this year at
> Pwnium?
>
>
>> > Yes, you can't compare Chrome OS's attack surface to a typical linux
>> > distribution, or even a highly customized linux install which doesn't have
>> > the hardware root of trust.
>> >
>>
>> Actually, I think you can compare it - one major advantage is that you
>> can protect your network traffic and compartmentalize your risk with any
>> Secure Boot enabled Linux distro. You can also do it without secure boot
>> and it isn't terribly hard as long as you draw arbitrary lines like "the
>> EFI firmware blobs and hardware are out of scope" which is what happens
>> with Secure Boot systems anyway.
>>
>
> I think you're seriously missing the point here.  My remarks were well
> qualified.  Conditionals have to be met:
>
> - IF you want low cost (time is money, so efforts to set up a Linux secure
> laptop that are time consuming are expensive, as is all the time you spent
> to learn how to do these things in the first place)
> - IF you want a somewhat naive user to use the device (eg. journalist)
> - etc.
>
> All you're saying is that "If I'm a total techie weenie with nothing but
> time on my hands I can do way better than a Chromebook".
>
> Well of course.  I don't disagree with something along those lines.  But
> that's not the practical use cases I was trying to summon.
>
> That said, to the extent that I sort of implied a Chromebook is some kind
> of safe thing to use in China for a person at risk... well no.  I would
> not want to stand on that!  And I actually agree with what you're saying as
> far as that goes.
>
> My point was for something off the shelf, I know of nothing better and as
> far as it goes... I'd say it's a step up for a lot of people who should be
> using more secure IT technologies and methods than they are (such as some
> journalists), and they can take that step with minimal investment in time
> and energy and a chromebook will meet their needs.
>
> Trever
>
>
>
>
>
>
>>
>> All the best,
>> Jake
>>
>> >
>> >
>> >
>> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
>> >
>> >> The biggest (and very important) difference between Linux and Chromebooks
>> >> is the hugely smaller attack surface.
>> >>
>> >>
>> >> NK
>> >>
>> >>
>> >

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-07 Thread T N
On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum  wrote:

> It runs software that is in Debian, the GNU/Linux operating system. I
> know, I've written some of it (eg: tlsdate). They do a good job of
> locking things down but it is basically just another distribution of Linux.
>

I don't agree it's "basically just another linux distribution" in that most
distros (zero?) aren't using the dm-verity Google mostly wrote and
contributed upstream for their purposes.  The distros could use it.
Chrome OS is also totally stripped down compared to a typical linux
distribution.  It runs X but the window manager is customized and their
own (open source, but nonetheless).

But yes- it's a Linux kernel with an admixture of userland things, some of
which are GNU, some of which are not.


> This is hilarious.
>
> I would *never* use a laptop that lacks a way to protect all your
> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
> surveillance as an at risk person.


It has ssh and supports a number of VPN protocols.  What's so funny?



> Not only because the remote systems
> will have your exact geographic location and because a lack of anonymity
> allows for targeted attacks, but also because the local network is well
> known to be seriously hostile!
>
> A persistent backdoor on your Chromebook is not actually impossible. I
> have a few ideas for how to make it happen and I've discussed
> security/development issues with the ChromeOS team on a nearly daily basis.
>

Good luck with that.  Maybe you want to make some money this year at Pwnium?


> > Yes, you can't compare Chrome OS's attack surface to a typical linux
> > distribution, or even a highly customized linux install which doesn't have
> > the hardware root of trust.
> >
>
> Actually, I think you can compare it - one major advantage is that you
> can protect your network traffic and compartmentalize your risk with any
> Secure Boot enabled Linux distro. You can also do it without secure boot
> and it isn't terribly hard as long as you draw arbitrary lines like "the
> EFI firmware blobs and hardware are out of scope" which is what happens
> with Secure Boot systems anyway.
>

I think you're seriously missing the point here.  My remarks were well
qualified.  Conditionals have to be met:

- IF you want low cost (time is money, so efforts to set up a Linux secure
laptop that are time consuming are expensive, as is all the time you spent
to learn how to do these things in the first place)
- IF you want a somewhat naive user to use the device (eg. journalist)
- etc.

All you're saying is that "If I'm a total techie weenie with nothing but
time on my hands I can do way better than a Chromebook".

Well of course.  I don't disagree with something along those lines.  But
that's not the practical use cases I was trying to summon.

That said, to the extent that I sort of implied a Chromebook is some kind
of safe thing to use in China for a person at risk... well no.  I would
not want to stand on that!  And I actually agree with what you're saying as
far as that goes.

My point was for something off the shelf, I know of nothing better and as
far as it goes... I'd say it's a step up for a lot of people who should be
using more secure IT technologies and methods than they are (such as some
journalists), and they can take that step with minimal investment in time
and energy and a chromebook will meet their needs.

Trever






>
> All the best,
> Jake
>
> >
> >
> >
> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:
> >
> >> The biggest (and very important) difference between Linux and Chromebooks
> >> is the hugely smaller attack surface.
> >>
> >>
> >> NK
> >>
> >>
> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley wrote:
> >>
> >>> Andreas,
> >>>
> >>> Plenty of Syrians do have internet access, and use it on a regular basis.
> >>>
> >>> Also, lack of appropriateness for one use-case doesn't necessitate lack
> >>> of appropriateness across the board.
> >>>
> >>> Linux is a great solution for many use cases, but as has been elaborated,
> >>> quite a terrible one for many others.
> >>>
> >>> Brian
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader wrote:
> >>>
> >>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
> >>>> > Nadim, I'm with you.  I'm not sure it's the perfect solution for
> >>>> > everyone, but like Nathan said, if you already trust Google, I think
> >>>> > it's a good option.
> >>>> >
> >>>> > On 6 February 2013 07:12, Andreas Bader wrote:
> >>>> >> Why don't you use an old thinkpad or something with Linux, you have the
> >>>> >> same price like a Chromebook but more control over the system. And you
> >>>> >> don't depend on the 3G and Wifi net.
> >>>> > We started with the notion of Linux, and we were attracted to
> >>>> > Chromebooks for a bunch of reasons.  Going back to Linux loses all the
> >>>> > things we were attracted to.
> >>>> >
> >>>> > - ChromeOS's attack surface is infinitely smaller than with Linux
> >>>> > - Th

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-06 Thread T N
The word "Linux" doesn't refer to anything, other than maybe the kernel.

Chrome OS is linux.  But it's a massively stripped down "distribution" that
has a radical design, including the fact that it will ONLY run if all of
the cryptographic checks are verified from the root of trust.  That root of
trust is Google's massively large PKI public key that is burned into the
firmware.

For a journalist in the field, that's a great reassurance.  Take your
Chromebook to China.  The Chinese government can not alter what you are
running without either (a) modifying your hardware, which means they take
possession of it for a period of time and manage to do something that is
tricky to do (i.e. circumstances under which you'd no longer trust your
computer anyways) or (b) you will know they tried to hack it and your
Chromebook will refuse to boot, and will instead wipe away the hacks and
update itself and won't boot unless the update is a legitimate one signed
by Google.

Yes, you can't compare Chrome OS's attack surface to a typical linux
distribution, or even a highly customized linux install which doesn't have
the hardware root of trust.




On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi  wrote:

> The biggest (and very important) difference between Linux and Chromebooks
> is the hugely smaller attack surface.
>
>
> NK
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley wrote:
>
>> Andreas,
>>
>> Plenty of Syrians do have internet access, and use it on a regular basis.
>>
>> Also, lack of appropriateness for one use-case doesn't necessitate lack
>> of appropriateness across the board.
>>
>> Linux is a great solution for many use cases, but as has been elaborated,
>> quite a terrible one for many others.
>>
>> Brian
>>
>>
>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader wrote:
>>
>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
>>> > Nadim, I'm with you.  I'm not sure it's the perfect solution for
>>> > everyone, but like Nathan said, if you already trust Google, I think
>>> > it's a good option.
>>> >
>>> > On 6 February 2013 07:12, Andreas Bader wrote:
>>> >> Why don't you use an old thinkpad or something with Linux, you have the
>>> >> same price like a Chromebook but more control over the system. And you
>>> >> don't depend on the 3G and Wifi net.
>>> > We started with the notion of Linux, and we were attracted to
>>> > Chromebooks for a bunch of reasons.  Going back to Linux loses all the
>>> > things we were attracted to.
>>> >
>>> > - ChromeOS's attack surface is infinitely smaller than with Linux
>>> > - The architecture of ChromeOS is different from Linux - process
>>> > separation through SOP, as opposed to no process separation at all
>>> > - ChromeOS was *designed* to have you logout, and hand the device over
>>> > to someone else to login, and get no access to your stuff.  Extreme
>>> > Hardware attacks aside, it works pretty well.
>>> > - ChromeOS's update mechanism is automatic, transparent, and basically
>>> > foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
>>> > true of Linux.
>>> > - Verified Boot, automatic FDE, tamper-resistant hardware
>>> >
>>> > Something I'm curious about is, if any less-popular device became
>>> > popular among the activist community - would the government view it
>>> > as an indicator of interest?  Just like they block Tor, would they
>>> > block Chromebooks?  It'd have to get pretty darn popular first though.
>>> >
>>> > -tom
>>> > --
>>> >
>>> But you can't use it for political activists e.g. in Syria because of
>>> its dependence on the internet connection. This fact is authoritative.
>>> For Europe and USA and so on it might be a good solution.
>>>
>>
>>
>>
>> --
>>
>>
>>
>> Brian Conley
>>
>> Director, Small World News
>>
>> http://smallworldnews.tv
>>
>> m: 646.285.2046
>>
>> Skype: brianjoelconley
>>
>>
>>

Re: [liberationtech] Chromebooks for Risky Situations?

2013-02-06 Thread T N
Just FYI:

Chrome OS devices are not subject to roll back attacks because the verified
boot does not allow that.  Google has extensive documentation on this, and
you can review the implementation by viewing the source code.  Rollback
attacks were an attack vector they specifically designed to prevent.  In
fact as a chrome OS user this is as much a disadvantage as it is an
advantage: updates are forced- you can not go back and bug regressions
which don't affect security but that are annoying can occur and there isn't
anything you can do about that.

Also, it isn't just verified boot an attacker would have to overcome.  The
DM verity means any OS and onboard application code must checksum correctly
or it will never run, this is true at all times.  Realize as well that all
of this code is always running off read only file systems.

Note that the builtin data partition (not executable code, in fact data
filesystem is mounted no exec)  encryption is defeatable in the minimal
sense that Chrome OS does allow users to choose to not have to login when
waking from sleep, so user stupidity allows a small opening here.  Heh-
happened to me.  Lost my chromebook and could not remember if I had left it
"locked" (long story!), but I knew it was asleep.  Finder may have had access
to my login session, albeit of little use since I changed my password and I
believe this deactivated access to current email login, eg.  Also
enterprise administrators may have the option of overriding user choice
here, saving users from their stupidity.

Another interesting point: the onboard ssh client is implemented partially
in javascript (the terminal portion).  Before you wince, know that Google
argues this is more secure than normal ssh Unix clients because in addition
to all the usual ssh protections, it is necessarily running in a Chrome
sandbox!  They are probably right about that?  I think so.

Finally, I wrote up some stuff on their wiki: you can run in dev mode but
still have fully verified boot and auto update.  This gives the machine a
larger local attack surface (not remote though), but opens access to some
Unix user land such as the onboard openssl which you could use for
additional encryption.

Note too that Chrome OS devices share well and do so while totally protecting
users from each other.

Not a security expert myself.  But I have been administering Unix systems
fulltime for over 15 years.  No question in my mind that these things are
more secure BY FAR than any other off the shelf solution you can buy as a
consumer.  That a normal Unix distro could be made to be as secure is IMO
not true as well.

Google has of course just made Chrome OS the target for their Pwnium
challenge this year.  Should be interesting!

Trever
On Feb 6, 2013 8:31 AM, "Tom Ritter"  wrote:

> On 6 February 2013 10:52, micah anderson  wrote:
> >
> > Can you say what you mean here? What is SOP in this context?
>
> ChromeOS's 'Apps' are all extensions or webpages.  One can't interact
> with any other due to the standard Same Origin Policy browsers enforce.
>  It's what stops evilco.com from reading your logged in gmail.com tab
> in FF/Chrome/IE/any browser today.
>
>
> > I would be surprised if you actually 'bricked' these systems, since
> > neither operating system you mention involves a procedure that has the
> > risk of bricking a device. I suspect this is hyperbole?
>
> Well, I have a colleague rebuilding a FDE Ubuntu computer right now
> because we can't figure out how to repair its partition table and get
> it to boot without a LiveCD.  It's probably possible, but we're pretty
> technical people and we made the call it would take less time to
> recreate the machine than 'fix' it.  Similarly, I recently paid the
> gentoo tax while upgrading udev and not having a kernel switch turned
> on - wouldn't boot, requiring me to LiveCD it, enable the setting,
> recompile the kernel and replace it.
>
> So bricked in the sense of it's now a brick and might as well be sold
> for parts - you're right, that's hyperbole.  But for a non-technical
> person, with no access to someone to repair a machine for him/her - I
> don't know, I think it might as well be bricked.  They can't fix it on
> their own, and it's not going to boot.
>
>
> >> - Verified Boot, automatic FDE, tamper-resistant hardware
> >
> > All of this reminds me of this post:
> > http://mjg59.dreamwidth.org/22465.html
> >
> > which concludes:
> >
> > "Some people don't like Secure Boot because they don't trust
> > Microsoft. If you trust Google more, then a Chromebook is a reasonable
> > choice. But some people don't like Secure Boot because they see it as an
> > attack on user freedom, and those people should be willing to criticise
> > Google's stance. Unlike Microsoft, Chromebooks force the user to choose
> > between security and freedom. Nobody should be forced to make that
> > choice."
>
> I don't disagree with the notion that Chromebooks, Windows 8, iOS, and
> other examples make you choose between "In
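
The block-checksum and rollback checks discussed in this message (and the "will only run if the checks verify from the root of trust" point in the earlier one), as an added example that is not part of the thread and is not Chrome OS or dm-verity code: a simplified Python model of a hash tree over a read-only image plus a minimum-version check. The names, the fanout of 2, the version counter and the sample image are assumptions made for illustration; the real on-disk format differs.

```python
import hashlib

BLOCK = 4096  # data block size in bytes
FANOUT = 2    # digests per hash node (assumption: tiny, to get a multi-level tree)


class IntegrityError(Exception):
    """Raised when data, hash metadata or an image version fails a check."""


def digest(salt, data):
    return hashlib.sha256(salt + data).digest()


def build_tree(image, salt):
    """Build the hash tree when the image is created.

    Returns (levels, root): levels[0] holds one digest per data block and
    each higher level hashes FANOUT digests of the level below.
    """
    if not image:
        raise ValueError("empty image")
    level = [digest(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [digest(salt, b"".join(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return levels, level[0]


def read_block(image, levels, salt, trusted_root, index):
    """Return block `index` only if it hashes up to trusted_root.

    `image` and `levels` are on-disk data and untrusted; `trusted_root` is
    the one value assumed to be covered by the boot-time signature check.
    """
    block = image[index * BLOCK:(index + 1) * BLOCK]
    current, pos = digest(salt, block), index
    for stored in levels[:-1]:
        if stored[pos] != current:
            raise IntegrityError(f"hash mismatch on path of block {index}")
        group = (pos // FANOUT) * FANOUT
        current = digest(salt, b"".join(stored[group:group + FANOUT]))
        pos //= FANOUT
    if current != trusted_root:
        raise IntegrityError("hash tree does not match trusted root")
    return block


def check_rollback(image_version, min_version):
    """Refuse an older image even if it verifies; return the new minimum."""
    if image_version < min_version:
        raise IntegrityError(f"version {image_version} < minimum {min_version}")
    return image_version


def _rejected(action):
    try:
        action()
    except IntegrityError:
        return True
    return False


def demo():
    salt = b"constructed-salt"
    image = b"".join(bytes([i]) * BLOCK for i in range(5))  # constructed image
    levels, root = build_tree(image, salt)
    tampered = bytearray(image)
    tampered[2 * BLOCK + 10] ^= 0xFF          # offline change to block 2
    tampered = bytes(tampered)
    forged_levels, _ = build_tree(tampered, salt)  # tree recomputed to match
    return {
        "clean": all(read_block(image, levels, salt, root, i)
                     == image[i * BLOCK:(i + 1) * BLOCK] for i in range(5)),
        "tampered_block_rejected": _rejected(
            lambda: read_block(tampered, levels, salt, root, 2)),
        "untouched_block_still_reads":
            read_block(tampered, levels, salt, root, 0) == image[:BLOCK],
        "forged_tree_rejected": _rejected(
            lambda: read_block(tampered, forged_levels, salt, root, 2)),
        "rollback_rejected": _rejected(lambda: check_rollback(3, 4)),
        "new_min_version": check_rollback(5, 4),
    }


if __name__ == "__main__":
    print(demo())
```

Recomputing the whole hash tree to match a modified block still fails, because the comparison that matters is against the root value held outside the writable disk.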