On Wed, Feb 6, 2013 at 2:16 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:

> It runs software that is in Debian, the GNU/Linux operating system. I
> know, I've written some of it (eg: tlsdate). They do a good job of
> locking things down but it is basically just another distribution of Linux.
>

I don't agree it's "basically just another linux distribution" in that most
distros (zero?) aren't using the dm-verity Google mostly wrote and
contributed upstream for their purposes.  The distros could use it.
Chrome OS is also totally stripped down compared to a typical linux
distribution.  It runs X but the window manager is customized and their
own (open source, but nonetheless).

But yes- it's a Linux kernel with an admixture of userland things, some of
which are GNU, some of which are not.


> This is hilarious.
>
> I would *never* use a laptop that lacks a way to protect all your
> traffic (eg: VPN/Tor/SSH tunnel/etc) in a place with serious
> surveillance as an at risk person.


It has ssh and supports a number of VPN protocols.  What's so funny?



> Not only because the remote systems
> will have your exact geographic location and because a lack of anonymity
> allows for targeted attacks, but also because the local network is well
> known to be seriously hostile!
>
> A persistent backdoor on your Chromebook is not actually impossible. I
> have a few ideas for how to make it happen and I've discussed
> security/development issues with the ChromeOS team on a nearly daily basis.
>

Good luck with that.  Maybe you want to make some money this year at Pwnium?


> > Yes, you can't compare Chrome OS's attack surface to a typical linux
> > distribution, or even a highly customized linux install which doesn't have
> > the hardware root of trust.
> >
>
> Actually, I think you can compare it - one major advantage is that you
> can protect your network traffic and compartmentalize your risk with any
> Secure Boot enabled Linux distro. You can also do it without secure boot
> and it isn't terribly hard as long as you draw arbitrary lines like "the
> EFI firmware blobs and hardware are out of scope" which is what happens
> with Secure Boot systems anyway.
>

I think you're seriously missing the point here.  My remarks were well
qualified.  Conditionals have to be met:

- IF you want low cost (time is money, so efforts to set up a Linux secure
laptop that are time consuming are expensive, as is all the time you spent
to learn how to do these things in the first place)
- IF you want a somewhat naive user to use the device (eg. journalist)
- etc.

All you're saying is that "If I'm a total techie weenie with nothing but
time on my hands I can do way better than a Chromebook".

Well of course.  I don't disagree with something along those lines.  But
those aren't the practical use cases I was trying to summon.

That said, to the extent that I sort of implied a Chromebook is some kind
of safe thing to use in China for a person at risk... well.... no.  I would
not want to stand on that!  And I actually agree with what you're saying as
far as that goes.

My point was for something off the shelf, I know of nothing better and as
far as it goes... I'd say it's a step up for a lot of people who should be
using more secure IT technologies and methods than they are (such as some
journalists), and they can take that step with minimal investment in time
and energy and a Chromebook will meet their needs.

Trever






>
> All the best,
> Jake
>
> >
> >
> >
> > On Wed, Feb 6, 2013 at 12:15 PM, Nadim Kobeissi <na...@nadim.cc> wrote:
> >
> >> The biggest (and very important) difference between Linux and Chromebooks
> >> is the hugely smaller attack surface.
> >>
> >>
> >> NK
> >>
> >>
> >> On Wed, Feb 6, 2013 at 2:36 PM, Brian Conley <bri...@smallworldnews.tv> wrote:
> >>
> >>> Andreas,
> >>>
> >>> Plenty of Syrians do have internet access, and use it on a regular basis.
> >>>
> >>> Also, lack of appropriateness for one use-case doesn't necessitate lack
> >>> of appropriateness across the board.
> >>>
> >>> Linux is a great solution for many use cases, but as has been elaborated,
> >>> quite a terrible one for many others.
> >>>
> >>> Brian
> >>>
> >>>
> >>> On Wed, Feb 6, 2013 at 7:44 AM, Andreas Bader <noergelpi...@hotmail.de> wrote:
> >>>
> >>>> On 02/06/2013 04:24 PM, Tom Ritter wrote:
> >>>>> Nadim, I'm with you.  I'm not sure it's the perfect solution for
> >>>>> everyone, but like Nathan said, if you already trust Google, I think
> >>>>> it's a good option.
> >>>>>
> >>>>> On 6 February 2013 07:12, Andreas Bader <noergelpi...@hotmail.de> wrote:
> >>>>>> Why don't you use an old thinkpad or something with Linux, you have the
> >>>>>> same price like a Chromebook but more control over the system. And you
> >>>>>> don't depend on the 3G and Wifi net.
> >>>>> We started with the notion of Linux, and we were attracted to
> >>>>> Chromebooks for a bunch of reasons.  Going back to Linux loses all the
> >>>>> things we were attracted to.
> >>>>>
> >>>>> - ChromeOS's attack surface is infinitely smaller than with Linux
> >>>>> - The architecture of ChromeOS is different from Linux - process
> >>>>> separation through SOP, as opposed to no process separation at all
> >>>>> - ChromeOS was *designed* to have you logout, and hand the device over
> >>>>> to someone else to login, and get no access to your stuff.  Extreme
> >>>>> Hardware attacks aside, it works pretty well.
> >>>>> - ChromeOS's update mechanism is automatic, transparent, and basically
> >>>>> foolproof.  Having bricked Ubuntu and Gentoo systems, the same is not
> >>>>> true of Linux.
> >>>>> - Verified Boot, automatic FDE, tamper-resistant hardware
> >>>>>
> >>>>> Something I'm curious about is, if any less-popular device became
> >>>>> popular among the activist community - would the government view it
> >>>>> as an indicator of interest?  Just like they block Tor, would they
> >>>>> block Chromebooks?  It'd have to get pretty darn popular first though.
> >>>>>
> >>>>> -tom
> >>>>> --
> >>>>>
> >>>> But you can't use it for political activists e.g. in Syria because of
> >>>> its dependence on the internet connection. This fact is authoritative.
> >>>> For Europe and USA and so on it might be a good solution.
> >>>> --
> >>>> Unsubscribe, change to digest, or change password at:
> >>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>>
> >>>
> >>> Brian Conley
> >>>
> >>> Director, Small World News
> >>>
> >>> http://smallworldnews.tv
> >>>
> >>> m: 646.285.2046
> >>>
> >>> Skype: brianjoelconley
> >>>
> >>>
> >>>