Linked by Thom Holwerda on Fri 28th Jul 2017 19:44 UTC
Google

In the last year while talking to respected security-focused engineers & developers, I've come to fully appreciate Google's Chrome OS design. The architecture benefited from a modern view of threat modeling and real-world attacks. For example, Trusted Platform Module (TPM) hardware chips are built into every Chromebook and deeply incorporated into the OS. The design documents go into some detail on the specific protections that TPM provides, particularly around critical encryption functions.

I also learned that Chromebook is the daily driver for many of Google's own senior developers and security engineers. In short, the combination of the underlying Chromebook hardware with the OS architecture makes for a pretty compelling secure development environment.

[...]

It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) on an inexpensive Chromebook and later securely restore over the air once at my destination. Since there is a wide range in Chromebook prices, the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. The threat model here does not include recovery from physical tampering; if the machine were somehow confiscated or otherwise out of my custody, I could treat it as a burner and move on.

Interesting guide on how to turn an inexpensive Chromebook into a burner developer device safe for international travel.

Practical tutorial
by BlueofRainbow on Sat 29th Jul 2017 04:37 UTC
BlueofRainbow Member since:
2009-01-06

Interesting and practical tutorial.

This is the first one I have encountered in which the first step is not "Enable Developer Mode".

However, it relies on Termux which in turn requires the Chrome OS - Android "bridge". Many of the devices pre-2015 are not supported by the Chrome-Android bridge even if they have not yet reached their official end-of-life-support date. This includes the Google Pixel 2013.

With increasing airport security measures, I can envision a case for purchasing an inexpensive Chromebook when one arrives at the destination. Even better, one could have a device rental service. Airlines could provide such rental devices as one boards the plane (of course, for a fee) for long flights.

One would just need to carry a removable storage (uSDHC, SDHC, or USB), and a security key to have a truly portable environment.

While not straightforward, it appears feasible to configure the synchronization of the device with one's cloud service while retaining a high level of security of the data and the various accounts and keys used.

From my perspective though, I have yet to see a tutorial which tackles the needs of a non-developer. Engineers, graphic artists, and many others have application requirements greater than the "Office Suite". Not quite good enough for me yet.

Reply Score: 2

RE: Practical tutorial
by Sidux on Sat 29th Jul 2017 05:28 in reply to "Practical tutorial"
Sidux Member since:
2015-03-10

There are companies that do rent Chromebooks directly from Google. You won't find this information online because of NDAs mostly.
As soon as Chromebooks become more "usable" by average joe we may see this in "real life" as well.
If security is not that much of an issue you can also use any decent specced smartphone with one USB-C connector for this as well.

Reply Parent Score: 1

RE: Practical tutorial
by Alfman on Sat 29th Jul 2017 08:11 in reply to "Practical tutorial"
Alfman Member since:
2011-01-28

BlueofRainbow,

"With increasing airport security measures, I can envision a case for purchasing an inexpensive Chromebook when one arrives at the destination. Even better, one could have a device rental service. Airlines could provide such rental devices as one boards the plane (of course, for a fee) for long flights.

One would just need to carry a removable storage (uSDHC, SDHC, or USB), and a security key to have a truly portable environment."



A loaner laptop would go against the author's stated security objectives on physical tampering:

"The threat model here does not include recovery from physical tampering; if the machine were somehow confiscated or otherwise out of my custody, I could treat it as a burner and move on."


Not that anyone would necessarily care, but from a security standpoint it should be treated as a public device and not a personal device. Heck, even brand new devices can be compromised by NSA interdiction, although the average joe is quite unlikely to be a target.



Another issue is that internet bandwidth is still not sufficiently reliable (or abundant) in flight. On a coast-to-coast JetBlue flight recently, internet outages were announced via redirection pages saying "the internet is currently unavailable..." and offered wifi users an inflight Amazon shopping portal instead. This is annoying for normal users, but even more problematic for cloud-based users.

Edited 2017-07-29 08:13 UTC

Reply Parent Score: 2

RE[2]: Practical tutorial
by BlueofRainbow on Sat 29th Jul 2017 14:31 in reply to "RE: Practical tutorial"
BlueofRainbow Member since:
2009-01-06

Alfman:

Good points.

With respect to a "rental Chromebook", and from the renter's point of view, how would the security model be different than for the Chromebooks currently in schools and shared by the students?

From the user's viewpoint, any interchange of information over the cloud/network could potentially be intercepted and un-encrypted. And, unless there are back-doors in Chrome OS, the risk of the operating system having been tampered with should be low.

Rental units could have a hardware "wipe" button. A security conscious user would engage this hardware wipe after receiving the unit and before returning it. The rental company would have, in theory, protocols for doing the same.

Another approach might be the possibility to purchase "travel chromebooks" in the secure area of airport. This would allow use during the outgoing flight and at the destination. However, what to do with the unit for the return trip without being wasteful?

As for wifi interruptions, Chrome OS could conceivably implement a local work space with automatic synchronization to the cloud whenever in range with a wifi connection of sufficient bandwidth to have a high probability of doing it properly.

Reply Parent Score: 2