So, be inconvenienced in every aspect important to a dev but gain a bit of confidence in your machine (as long as you trust Big-G)?
Verified boot seems like the only advantage here. You can buy an ebay business-grade laptop with TPM for 40 bucks USD readily, and they don't require reliance on Google or the requirement that one uses a neutered OS. (Yes, yes, it's secure. It's a users' platform. Development on Chrome OS at this point is an act of masochism.)
If secure travel is your thing, stash your data on a cloud provider and pull it later after you arrive at your destination. Go whole-hog and travel without an SSD and buy a cheap one at your destination with cash. Sprinkle in some libreboot for more confidence.
It'll still be cheaper than a 200 dollar chromebook, and you probably won't have to deal with some of the world's worst chiclet keyboards.
P.S. don't travel with a yubikey that isn't partnered with another. Would be a bummer to lose.
Sub $200 Chromebooks with decent keyboards: Dell 11 (2014 & 2015 models), Asus C202SA, and maybe the Lenovo educational models. At higher prices, of course, you have many choices: both Pixels, Lenovo and HP 13" and the Acer 14 for Work (all last year), the new Asus C302SA.
I am not saying you're wrong but I'd like some advice on what to buy. The x220 I've never seen dip below $100 with 4GB RAM and a hard disk or at least a caddy.
> The x220 I've never seen dip below $100 with 4GB RAM and a hard disk or at least a caddy.
ThinkPad caddies are dirt cheap. You can buy third party compatible caddies for under $10. [0]
In terms of a laptop with a reasonable build quality that includes a TPM, pretty much any corporate laptop will suffice. X220s command a premium because they're ThinkPads.
If you look at other options, something like the Dell E6220, which is from the same generation as the X220, can be purchased used for around $100. [1]
They don't support coreboot, but they're otherwise reliable machines. The Dell UEFI implementation supports only allowing signed updates and SecureBoot. Depending on your threat model this might be enough for you.
> You can buy an ebay business-grade laptop with TPM for 40 bucks USD readily
You'll have to buy something older than the E6220 mentioned above, but the Dell E6400 is available for $40. [2] That will have an integrated TPM.
If you want the literal 40 dollar laptop I had in mind, look around for an X60/X60s/X61.
They are old, but they are well equipped and I love their keyboard feel, plus TPM and all that jazz.
Their specs are pretty low-end nowadays, but I find that devs have too varied a range of preferences and tasks to judge what they need too readily.
If you're sitting in a huge IDE or photoshop or otherwise have a strong need for heavy lifting and high resolution during your travels, however, these cheapy business-grade laptops from yesteryear are probably a poor choice.
But I sit in emacs and IRC most of the time with music on -- they are perfect for that.
You can get an Acer 14 refurb for under $200 which is a good dev machine using Crouton with ChromeOS. Nothing else is going to be able to touch this. Sounds like you are just not up to date on what is now possible with Chromebooks.
I'm not sure how much extra "security" you're really getting out of staying strictly within ChromeOS. Yes, Secure Boot is disabled. However, the ChromeOS partition is still encrypted, and you can manually encrypt any of your crouton chroot environments, so someone looking at the thing still wouldn't be able to peek into the contents. If you're asked, "Why is this in Developer Mode?", you can answer, "I'm a developer."
Additionally, once Developer Mode is enabled, you must hit Ctrl+D to move past the warning screen every time. It is incredibly easy to inadvertently hit Enter or Spacebar, and then have the Chromebook wipe itself and restore to factory settings. I've done it inadvertently myself, and have heard multiple reports of a developer's spouse/child accidentally clicking it, too. Unless a Border Patrol agent knew exactly what they were doing, I'd be willing to bet they'd accidentally wipe it as well.
Finally, while I'm aware that disabling Secure Boot in theory opens you up to an Evil Maid attack, what is the likelihood that border patrol/customs would have a malicious OS on hand, and the know-how to flash it? Worst-case scenario, if you suspect they've tampered with the OS, simply hit Spacebar yourself as soon as you get it back, restore Secure Boot, and then start over from scratch!
As an aside, if you are confined to ChromeOS, I highly recommend Caret as an editor. It's a FOSS, Sublime clone chrome app that works swimmingly on Chromebooks.
That is a good point, but also a feature in my view. I see my chromebook as a mobile workstation, so more or less everything on it is backed up in a git repository, cloud storage, that sort of thing. ChromeOS automatically restores extensions and installed Android apps, and I usually keep builds of software I use in crouton on separate external flash storage; 16-32GB of internal storage isn't that much when you have to build from sources because ARM binaries are still fairly rare.
So an inadvertent wipe is really just an inconvenience of 30-60 minutes, and if it's a border patrol or TSA agent you can then have fun acting all indignant at how they broke your device and you lost so much work and your boss is gonna kill you and you want to talk to their supervisor right now.
The lack of hardware security is a consideration, but frankly if your device is handled by a malicious actor outside of your control, you're kinda screwed anyways.
The drive where the OS lives isn't encrypted. Rather it is verified. It uses do-it-yourself to chain every read from the device to a trusted authority. Secure boot is how it verifies that the kernel (running do-it-yourself) hasn't been tampered with (e.g., to add more trusted authorities or disable verification).
This protection is not just against "evil maids" but any attack that modified the disk in the past. E.g., if the system is compromised due to a software fault, nothing can persist on disk undetected (like ZFS/bcachefs/BtrFS checksumming prevents bit-rot from being undetected).
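The read-time verification described in the comment above, as an added example that is not part of the original thread: a simplified hash-tree model in which the blocks and the tree both live on untrusted storage and only the root hash is trusted. Block size, sample data and all names are constructed for illustration, and the root is assumed to be authenticated by the boot chain.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block size for this model


class IntegrityError(Exception):
    """Raised when a block does not chain up to the trusted root."""


def leaf_hash(data: bytes) -> bytes:
    # Distinct prefixes keep a leaf from being mistaken for an inner node.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(blocks):
    """Return the hash levels, leaves first; the last level is [root]."""
    level = [leaf_hash(b) for b in blocks]
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad odd levels by repeating the last hash
        levels.append(level)
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
    levels.append(level)
    return levels


class VerifiedDisk:
    def __init__(self, blocks, levels, trusted_root):
        self.blocks = blocks      # untrusted: an attacker may rewrite these
        self.levels = levels      # untrusted: stored next to the data
        self.root = trusted_root  # trusted: assumed vouched for at boot

    def read(self, index: int) -> bytes:
        """Return a block only if it hashes up to the trusted root."""
        data = self.blocks[index]
        node, i = leaf_hash(data), index
        for level in self.levels[:-1]:
            sibling = level[i ^ 1]
            node = node_hash(node, sibling) if i % 2 == 0 else node_hash(sibling, node)
            i //= 2
        if not hmac.compare_digest(node, self.root):
            raise IntegrityError(f"block {index} fails verification")
        return data


def try_read(disk, index):
    try:
        disk.read(index)
        return "ok"
    except IntegrityError:
        return "rejected"


def demo():
    # Constructed sample "disk": five blocks with distinct contents.
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(5)]
    levels = build_tree(blocks)
    disk = VerifiedDisk(list(blocks), levels, levels[-1][0])
    result = {"clean_read": disk.read(3) == blocks[3]}

    # Offline modification of one block: caught the first time it is read.
    disk.blocks[3] = b"\xff" * BLOCK_SIZE
    result["tampered_block"] = try_read(disk, 3)
    result["untouched_block"] = try_read(disk, 0)

    # Rewriting the on-disk tree to match does not help: the root is not
    # on the disk, so every path now ends in a mismatch.
    disk.levels = build_tree(disk.blocks)
    result["tampered_block_and_tree"] = try_read(disk, 3)
    result["untouched_after_tree_rewrite"] = try_read(disk, 0)
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
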
As someone who has an on-off interest in ChromeOS but with little to no knowledge about it, does vim/neovim work? I found some vim version on the chrome web store but it was last updated in 2014 and pinned to 7.4 which was a bit disappointing.
There is a chrome extension called Crosh Window that keeps the Chrome shortcuts from coming in. That way things like Ctrl-w in Vim still work.
edit: this might just be when going through crouton though. I don't really use the crosh shell except to boot up my chroot.
I see the security argument come up often but have never once heard an anecdote of someone having a security breach or whatever people are scared of happening because their chromebook was in developer mode.
Installing a chroot isn't that difficult, in fact it was actually kind of fun and started me on an incredible tech exploration journey that currently has me learning software development using Vim on a command line only linux distribution. I never would have imagined such a thing a year ago. It is weird thinking having a $140 refurbished acer c720 may have led me on a completely different, exciting life path.
I think I am misunderstanding you, but isn't paragraph 2 an argument for staying in normal Chrome OS (as this article suggests) instead of enabling developer mode?
It is an inconvenience and a danger, yes. But the tradeoff with having crouton is having full access to a Linux environment, with all of the tools and programs that enables. Short of System76/Entroware/Dell XPS Developer Editions, the fact remains that moddable, Intel-series chromebooks are some of the best preconfigured Linux laptops you can buy, once you peel back the ChromeOS layer.
I mentioned above that I think Caret is a great Sublime clone, but I also like having the real SublimeText, with its awesome add-on packages, Git integration, etc. The article's recommendation that you must stick with Android-enabled Chromebooks limits your options, and the only reason the recommendation exists is that he needs some way of getting access to the developer tools--gcc, etc. A crouton chroot gets you there the same way, and I'd argue it's better since the programs are running natively rather than through an emulated Android layer.
Just being curious here: to me crouton is also a quite limited Linux environment, for example docker is a no go on crouton, so what advantage do you think that has against android-based solution such as termux?
Maybe a separate Linux install such as GalliumOS can really be called full access Linux environment?
Been a few years since I used a chromebook w/crouton, but that wasn't my recollection. In fact I recall a fork of crouton that supported Fedora explicitly stating that it installs via docker.
I've been running the Chromebook Pixel 2015 as my primary dev machine since it came out. Unlike the author however, I've opted for the less-secure "dev mode" on the laptop, and do everything in crouton. (Java web / Android, mostly).
It may not be as secure, but it's hella convenient (still use 2FA). ChromeOS boot is < 5 seconds, and I just stay there for web browsing / netflix. Dropping into crouton is another < 5s when I need to do dev work, or play steam games.
Everything important on the laptop is backed up to some cloud service or another, but it's expensive enough that I'd be distraught if I lost it (plus they stopped selling them).
I'd be more worried about somebody straight up stealing the laptop than any other security risks I may be running by running in dev mode.
I love the idea of natively developing in ChromeOS, but at this point it just seems like more hassle and fighting the system than it's worth.
I've been doing the same thing, but as I work with Docker often I had to waste a bunch of time compiling a custom kernel[0], which I ended up trashing after about a week because who cares?
Instead, I just have my Chromebook and a VPC on Google Cloud that I SSH into for work. Theoretically I wouldn't be able to work if I didn't have internet access, but I've never actually run into that problem. I still have dev mode off, but I don't think turning it on is a huge risk.
Steam games though? I didn't know you could do that.
Awesome link, thanks! Docker is actually the one thing I was never able to get working properly in my chroot!
Re: Steam games, yup it's powerful enough to run most indie games that support linux (which is an increasing number, recently). The biggest constraints are GPU and disk space. I've had a few good runs of FTL (Faster than Light) on long-haul flights.
You just gotta make sure you keep an eye on the battery, since if it dies you accidentally wipe the system :/
This blog post details using a chromebook as a temporary device, such that you can travel with a blank machine, and provision at your destination with the data and apps you may need:
> It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) on an inexpensive Chromebook and later securely restore over the air once at my destination. ... the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. ... I could treat it as a burner and move on.
Edit: I've been using a de-chromed chromebook for over a year as my primary dev machine and really like it. I developed and launched one side project with it. The model I have (Acer C720) is a dual core Centrino, 2GB of ram, and I upgraded the m2 sata to 120GB. For Python/PHP/Ruby, it's great. I would not do Java development on this set up though. Java IDEs eat battery life and I imagine jvm startup time is a burden on this, although I haven't even installed Java to find out.
Edit 2: to clarify, this is not about removing chromeos, but to use chromeos for its security features. The article goes over using Termux to get a basic development/work environment setup on chromeos. Plus a lot of other helpful tips.
I offered my experience de-chroming as an example, I really like the platform. Apologies if that was confusing.
> Edit; I've been using a de-chromed chromebook for over a year […]
Ok, but as the article states, they did not de-ChromeOS it because they wanted TPM and Verified Boot and FIDO-certified U2F security key so that they didn't defeat the whole purpose of buying a Chromebook.
FTA: “As far as Debian/Ubuntu (and crouton), that's fine as far as it goes, but then you don't end up with a Chromebook, just a cheap mini-notebook with flaky drivers. The whole point of this exercise is to retain the hardened posture of the platform and have a flexible, safe development environment without depending on the crutch of privileged access.”
Totally agreed, but given the engineering efforts that Google have gone through to make the hardware and software stack work in harmony and given Google employees use Chromebooks the author of the article wants to set up a working dev environment by adding to Chrome rather than nuking it and coming up with a semi-custom solution. My first comment was to point this out.
We all know you can put Chromebooks into dev mode and load Ubuntu, in fact I thought it was necessary to get the most out of Chromebooks. If it turns out that Chromebooks can make decent dev environments without nuking and installing Ubuntu or whatever and if they can run Android apps then Chromebooks suddenly become a very interesting value proposition.
So, the solution to the uncertain threat of airlines picking your luggage and stealing your computer or its data is... giving over your data to somebody that it's certain is spying on you and whose business model is to comb over your data.
How is this not "you won't catch me, I'll just throw myself off a bridge"?
Also, termux has ~600 packages. Debian has 50,000. Besides the basics, you're liable to need packages you just don't have in termux, which makes it a serviceable environment in a pinch, but not one where you want to do your work on.
It might be better to give your data to someone who has to tell you how they're spying on you, than to somebody who legally shouldn't be able to but does so anyway.
It's a false alternative. Encrypt your hard drive with a key on a thumb drive on your person. Problem solved: nobody can read your hard drive unless they physically get your key as well.
Yes. But then you're still left without your laptop. Under his scenario, he loses his hardware, it's inexpensive, so he just buys a replacement without breaking a sweat. The lost machine was already wiped so the reinstall was a given anyway.
I hear ya. But he was fairly particular and upfront about his scope.
> When things get completely borked (which in two weeks of heavy use only happened a couple of times for me)
how are people willing to live with this? I would be furious if I had to lose all my state and (for all intents and purposes) restart my machine multiple times in two weeks.
And if this "borking" happens right before or during a presentation (the author was writing about using this setup for giving talks), this would be very embarrassing for me and extremely annoying for the audience.
A work/presentation machine has to be rock solid for me. No compromises, no workarounds and most certainly no "completely borked". Just pure solid.
(author here) I think this was misunderstood. I don't mean the _entire_ Chromebook or OS was unstable -- just the opposite actually. I was referring to having to restart Termux twice in two weeks. Two weeks of constant wake/sleep cycles on and off battery, and plugging/unplugging from an external monitor.
In one case it was a hard kill and I lost one ssh window that had been open for a week. In the other, the Termux gui came up and I never dropped my session (the ssh process never died). I'm not yet familiar enough with the Termux internals to understand that. As far as the Chrome OS stability, it's been one of the most stable machines I own, and I say that as a long-time MBP & Librem owner. 99% of the reboots were intentional as I reinstalled the whole build from Powerwash to Erlang hello world, to make sure I got the details right for the post (and to help troubleshoot some minor install roadbumps a couple of my reviewers experienced).
On the presentations, I joined multiple Hangouts & BlueJeans (WebRTC) video client calls with zero trouble. Signal and Wire voice worked like a champ too.
So while I certainly understand some of the comments here, for _my_ use case — a reliable $160 multi-week travel/burner dev notebook with strong security, I'm more than satisfied. And of course it's not in the same league as my $2K++ MBP. I would never try to run a big JDK app, but for offline Go and Python work, it fits my bill.
Yeah, that's pretty terrible. My GNU/Linux machines have months long X11 sessions with firefox, libre office, hundreds (I've hit the window limit) of xterm windows, and lots of other stuff open while waking up and sleeping (s2ram) multiple times every day.
I've had them crash once every few years after I'm done setting them up, usually it goes down because I run out of power or want to update the kernel. There's no good reason some GUI should die because of waking up from sleep.
I reboot my laptop every day. I shut it down at night. It's all in what you're used to doing. There's no particular inconvenience, though it can seem that way if you're disorganized and don't ever close anything for fear of losing your place.
1) Mid-2010 MacBook Pro, with RAM and SSD upgrades. This is my main machine at home. It has never had to be wiped and reinstalled, and it gets rebooted about once a month.
2) Late-2013 MacBook Pro. This is my work machine and the story is similar to my home machine. It's never needed a reinstall and gets rebooted about once a month as well.
3) Lenovo ThinkPad x131e (Intel). This is my travel computer, serving a similar purpose as the Chromebook mentioned in this article (minus presenting stuff). I'm running OpenSUSE Tumbleweed on this - frequent updates lead to frequent reboots. There's also all the associated weirdness that comes with running a rolling release Linux on a machine that requires proprietary WiFi drivers (they tend to lag by a couple of days). When I ran OpenSUSE Leap it was almost as solid as the Macs.
I'd call the Macs "pure solid" machines, or as close as I can reasonably get. The ThinkPad is decent and the weirdness with it is really my fault.
Despite using Arch Linux, and weekly "upgrade everything".
I know it isn't everyone's experience, but I was exceedingly choosey about the hardware that went into my machine, so that I could do this.
The only problem I've had in the last two years, was an incompatibility between ocaml and fish shell, which eliminated my PATH. Unfortunate, but an issue on the ocaml side of things. A big problem, for certain, but two years of bleeding edge updates, and that's it.
Mostly the same experience, running Debian Unstable on my X201. Keeping a simple environment (AwesomeWM and urxvt, rather than Gnome or KDE; dhcpcd, rather than NetworkManager) probably helps. I put it to sleep every day, often multiple times, and it never fails to come up, connect to Wifi, etc.
Oh, excellent; thank you. I mentioned it because this has bitten me, so I'll want to use that fix.
Fun story: for $REASONS, I have an Arch system with root on btrfs and /boot on ext4, and it doesn't usually have the boot partition mounted (it's a poorly done multiboot issue). I recently discovered that this means if I forget to mount boot before updating I get stuck with no loaded drivers to mount /boot :) Thankfully kexec worked, but I'd like to not need to do that :)
My Macs have an uptime in months. Sometimes I have to restart a process, but needing to restart the machine is exceedingly rare outside of the normal security update related reboots.
Over the years I have given quite a few presentations to customers and at public talks. None of my machines ever let me down.
One of the BIGGEST drawbacks of using a Chromebook with an 11.6 inch screen, which nobody here has talked about yet, is the grainy and crappy 1366 x 768 screen resolution! I've been a long-time Mac guy; anything inferior to a Retina Display will considerably strain my eyes before I am used to it. Dell XPS 13 included.
If you're going to compare to a Mac, it's better to look at the higher end Chromebooks like the Pixel 2, HP Chromebook 13, and Samsung Chromebook Pro. They all have screens with pixel density and quality that's on par with the 15" MacBook Pro I have.
Exactly! With a comparable price tag, Chromebook doesn't have advantages (if any), let alone of the Chrome OS's less user friendly stack (GUI based apps and whatnot).
In fact I do! QHD is 1440p (2560x1440)[1] whereas Retina Display on a 13inch MacBook Pro is at 2560×1600, therefore Dell XPS 13 with QHD is still inferior.
Scaling the same pixel density up to 13" and 15" yields 1614x908 and 1862x1047, respectively. So that's equivalent to arguing that there's no need for a better-than-1080p screen on even 15" laptops. Certainly many people are satisfied with 1080p, but there's a reason that modern high-end laptops offer (much) higher-resolution displays.
I have the Samsung Chromebook 3 (same size and resolution). I don't mind it at all. By comparison, the 14" Lenovo from my employer has the same resolution and looks worse. The Chromebook is no retina display, but it's not that bad in my opinion.
Not really an issue for me. Almost all of my work can be done through the terminal and through Emacs. For maximum visibility, I run full-screen terminals with a large font and good contrast. I really wouldn't have it any other way, as I'm not a fan of GUIs. Of course, I still retain the ability to spin up a GUI if I am forced to do so. The only effect the screen has is that it does not entice me to watch videos (which is a great feature for a work machine).
I tried using a Chromebook as a dev machine several years ago - before Android apps. The chroot situation worked well enough, but the dev-mode boot was a deal-breaker.
Back then, if a Chromebook's local storage filled up, it would factory-reset itself. Is this still the case? This is one big thing keeping me from trying this again (which I'm very tempted to do after reading this article). Investing in setting up a dev environment like this is fun, but only the first time around...
In five years of running a Chromebook in dev mode, I've never had that happen, but just in case, Crouton has a backup feature to save a gzip of your chroot onto an SD card etc.
I think the author was arguing that the install was cloud-backed in such a way that you could simply factory-reset it and restore it, especially before and after travel through oppressive security inspections. I'm not sure it's completely described though.
What's the problem? I switched my asus chromebox to dev mode and installed ubuntu and didn't notice anything. I think there was some small tweak to get rid of the warning and hit f1 to continue or whatever it was.
Regarding the TOTP app, I generally prefer FreeOTP to Google Authenticator/Duo/Authy, etc. It might not provide push codes, but at least the implementation is Open Source and the binaries come from a trusted source.
Yeah it's a mess when you recommend duo/authy not clear TOTP or internal system. It's a second factor but not the one that's worth implementing: basic link to email has same security and costs $0
It's true that push2factor has some disadvantages, but it has one really strong advantage above pure TOTP: phishing doesn't work as the 2factor is sent directly to the site and can't be mitmed at your terminal. Read about it.
I bought the exact same machine, Samsung Chromebook 3, as soon as I realized I could run Termux on it.
I'm using it to poke at languages I'd normally never have the time to experiment with.
I'm on the train for about an hour every day, and I wouldn't feel comfortable with a "real" laptop - too likely to be stolen. But for $169? Not such a big loss.
I'm also really excited about how rock-solid this thing is, as a way to hand a kid a computer that can really teach them programming.
I love my C201, also not very expensive. I opted for the 4Gb version.
My first setup was chromeos + crouton then I moved to linux on a sd card. I noticed I never boot into chromeos anymore so I got rid of it.
I have a C201 too...I reflashed the bootloader with libreboot and installed arch linux on it. It is actually quite snappy, and works fine for development!
As a side point about Termux, Android 7 finally stopped hijacking the control+space combination, so you can use emacs efficiently.
Termux is really useful, giving you an almost complete linux environment in Android phones and tablets. You can install it via Google Play, no need for root or any modification to your device. Add an external keyboard and you can work on the go.
In March, we have seen reports of Android Studio possibly coming to Chrome OS. Android Studio would mean IntelliJ IDEA and the entire family of IntelliJ IDEs. That would make this an even better idea.
You can currently only use web based IDEs or Android based IDEs in Chrome OS.
There are some good web ones (Cloud9) out there and even a few Android based ones (AIDE). You won't be running any Windows or Linux IDEs though (because Chrome OS is not either of those.)
If you're referring to full-blown IntelliJ, Eclipse, VS, etc, the answer is no afaik. But if syntax highlighting, code completion and lightweight refactoring (within and across files) counts, then Caret or Zed might be worth a look. These are native Chrome apps, and don't require web access/connectivity. (I wrote most of the Chromebook piece in the OP and all my Go code using Caret, and am happy with it). I did some toy stress testing by opening up a few copies of War & Peace (1.5M+ line) text files in Caret. It took a couple of seconds to load, but search & replace and rapid scrolling/navigating worked well. Trying the same thing in vim either in Termux natively or via local ssh didn't hiccup at all. As mentioned in other threads, it's a side effect of design decisions, and naive assumptions about in-memory files. Kids today...
Any port used frequently will wear out - they have limited life spans due to the moving parts. I see it with my external display ports pretty frequently.
One potential solution is a USB hub, or even a USB extension cable you keep plugged in.
I seem to remember reading that NASA would use short sacrificial extension cables so that ground tests would certify the jacks they'd be flying but not wear them out.
The reason people use u2f keys is because they can't be cloned and the key can't be extracted. I too like and use TOTP (with Authy), but it really can't beat specialized hardware.
Nearly every how-to and blog post I've found on "Chromebooks for developers" essentially starts with either: "Boot into Developer Mode" or "Install Debian/Ubuntu as the main OS". I'll just say it: This is bad advice. It would be akin to recommending that friends jailbreak their shiny new iPhone. You're obviously free to do as you wish with your own gear, but recognize that at Step 1, you'll have lost most of the core security features of Chromebook
Well, it's possible to temporarily unlock firmware write protection and replace Google key with your own and run self-signed kernels and arbitrary distribution securely. But indeed, I haven't heard of anyone actually going through the effort to do so.
FDE isn't really "full disk" because it still leaves the kernel image unencrypted so that it is accessible to the bootloader. This image can then be maliciously edited by an "evil maid" attacker.
Chromebooks use kernel signing to prevent this. The problem is, Google doesn't give you keys to your hardware so you have to replace them yourself or use devmode which disables kernel verification.
Another possible solution is to keep the kernel on an external, physically secured pendrive and never forget to press CTRL-U during boot (to stop a hypothetical attack involving a malicious kernel installed to the internal flash which exfiltrates your FDE passphrase or something like that).
What's the alternative solution for a cloud/remote based factory wipe, travel and restore? Is there anything on Linux that offers the same quality of user experience without being hampered by chromeOS and dealing with Google/a 3rd party?
Get two yubikeys. Set up LUKS full disk encryption the usual way on Ubuntu. Install yubikey-luks and yubikey-personalization-gui. Set up yubikeys for HMAC challenge response on a free slot. Enroll both keys using yubikey luks. Clear slot 0, leaving you with an encrypted brick unless you have one of two yubikeys. Mail one key to your destination. Leave the other key at home. Travel, pickup key, use it to access device at destination. Before you return home, unenroll the key. Once you arrive home, use the home key to re-enroll the travel key. Repeat as necessary.
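The key-slot rotation in the comment above, as an added model that is not part of the original thread and is not the yubikey-luks code: a volume key wrapped once per slot, with each token's HMAC-SHA1 challenge-response output acting as that slot's passphrase. `TokenSim`, `VolumeSim`, the slot numbers, the sample password and the toy XOR wrapping are assumptions for illustration, not a real disk format.

```python
import hashlib
import hmac
import secrets


class TokenSim:
    """Hypothetical stand-in for a token slot set to HMAC-SHA1 challenge-response."""

    def __init__(self):
        self._secret = secrets.token_bytes(20)  # never leaves the token

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def token_passphrase(token: TokenSim, password: str) -> bytes:
    # Assumption of this model: the challenge is a hash of what the user types.
    challenge = hashlib.sha256(password.encode()).digest()
    return token.respond(challenge).hex().encode()


class VolumeSim:
    """Toy key-slot header: the volume key is wrapped once per enrolled secret."""

    def __init__(self, passphrase: bytes):
        self.slots = {}
        self._wrap(0, passphrase, secrets.token_bytes(32))

    @staticmethod
    def _derive(passphrase: bytes, salt: bytes):
        okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 1000, dklen=64)
        return okm[:32], okm[32:]  # (wrapping mask, MAC key)

    def _wrap(self, slot: int, passphrase: bytes, master: bytes):
        salt = secrets.token_bytes(16)
        mask, mac_key = self._derive(passphrase, salt)
        wrapped = bytes(a ^ b for a, b in zip(master, mask))
        tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
        self.slots[slot] = (salt, wrapped, tag)

    def unlock(self, passphrase: bytes):
        """Return the volume key if any slot opens, else None."""
        for salt, wrapped, tag in self.slots.values():
            mask, mac_key = self._derive(passphrase, salt)
            expect = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expect):
                return bytes(a ^ b for a, b in zip(wrapped, mask))
        return None

    def add_key(self, existing: bytes, new: bytes, slot: int):
        master = self.unlock(existing)
        if master is None:
            raise PermissionError("no slot opens with the supplied secret")
        self._wrap(slot, new, master)

    def kill_slot(self, slot: int):
        del self.slots[slot]


def run_procedure():
    install_pw = b"installer passphrase"        # constructed sample value
    home, travel = TokenSim(), TokenSim()
    home_pp = token_passphrase(home, "pin")     # constructed sample password
    travel_pp = token_passphrase(travel, "pin")
    vol = VolumeSim(install_pw)
    out = {}

    vol.add_key(install_pw, home_pp, slot=1)    # enroll both keys
    vol.add_key(install_pw, travel_pp, slot=2)
    vol.kill_slot(0)                            # clear slot 0
    out["passphrase_after_clear"] = vol.unlock(install_pw) is not None
    out["travel_at_destination"] = vol.unlock(travel_pp) is not None

    vol.kill_slot(2)                            # unenroll before returning
    out["travel_on_return_trip"] = vol.unlock(travel_pp) is not None
    try:
        vol.add_key(travel_pp, travel_pp, slot=2)
        out["travel_self_reenroll"] = True
    except PermissionError:
        out["travel_self_reenroll"] = False     # needs a key that still opens a slot

    vol.add_key(home_pp, travel_pp, slot=2)     # home key re-enrolls travel key
    out["travel_after_reenroll"] = vol.unlock(travel_pp) is not None
    out["same_volume_key"] = vol.unlock(travel_pp) == vol.unlock(home_pp)
    return out


if __name__ == "__main__":
    for step, value in run_procedure().items():
        print(f"{step}: {value}")
```
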
1. If I change my plans I have to go back home or go to my original destination to pick up a key to decrypt
2. I might get there before my yubikey arrives
3. An adversary might look at my machine, and know there is data on there (in the chrome book case it just looks like a new machine), they could then detain me indefinitely or travel with me to my destination and force me to decrypt
You won't reach alberts-hacker-cloud.com behind the great firewall. The warning message you get from the internet police won't be a pleasant experience either. But try it and learn the hard way. Let the fear and dread wash over when you realize how far away from home you are, and how utterly alone you are in a foreign system.
Have you ever actually been to China? The great firewall acts as a blacklist, not a whitelist. If you don't publicly announce the server you are going to use, you'll be able to access it. If the traffic pattern looks suspicious, you might have to deal with randomly dropped connections or throttling, but with the right internet provider or one of the working VPNs, those aren't an issue either.
If it comes to the point where the police gets involved, no level of crypto is going to help you anyway. You'd better try to contact your country's embassy so they can get you out.
I have a potential application for a U2F keys and I'm wondering why you recommend the $18 Yubikey on Amazon versus the $10 one that is also FIDO certified. Is there a difference in the function or some other important difference?
Not the OP but, I use a $6 one without a button that simply activates on insert. Unfortunately the company that sold them is more interested in bulk sales and they stopped selling individual units. I plan to eventually replace it with the Feitian ePass NFC FIDO U2F Security Key, which is still $17 but includes NFC which I could use with my android phone. For that functionality from Yubi you would need the $50 Yubikey Neo.
Does chromeOS allow you to remote wipe the box? That seems like that would be another advantage to this in the case of theft (note: definitely not in the case of the box being confiscated by a lawful authority).
"As far as Debian/Ubuntu (and crouton), that's fine as far as it goes, but then you don't end up with a Chromebook, just a cheap mini-notebook with flaky drivers."
Hmm, I'm not sure about that. I went the Crouton route on my $169 Chromebook, and now I have both ChromeOS and Ubuntu. Plus I can switch between them quickly. And if I understand Crouton, the chroot is actually using the same kernel and drivers as ChromeOS. I haven't had any driver issues. And it's easy to set up encryption for your chroot. I think it's a good solution.
The chromeos security model praised in this article seems quite too conservative for devs to me, considering the inconvenience trade-offs:
- persistent state is discouraged, but not disallowed. in fact, when the browser is exploited, any/all internal state necessarily must be accessible and modifiable. i'm taking an educated guess that persistent browser internal state is less guarded against exploitation than external inputs.
- once pwned, most of your important data can probably be captured and accounts taken over before you ever decide to reboot. it's a PITA to have to reboot before accessing anything sensitive; no one should have to think/remember to do that. (maybe if chromeos were serious about preventing persistent threats, they'd force a reboot every night?)
- yes, it's defense-in-depth, but security is a game of trade-offs, where convenience often trumps technical security mechanisms in terms of increasing security overall.
I enable dev mode, but I appreciate the "stateless" sentiment in terms of encouraging data backup. I think I end up backing up my data (git push, etc.) more often than I would on a non-chromeos laptop, because it "feels" like more of a necessity; especially after my 2 yr-old son hit the spacebar during that god-awful dev-mode bootup warning screen, and proceeded to factory-reset my chromebook.
Chrome OS always has me torn. It's a beautiful well designed OS with a great concept behind it, however, it's obviously non-usable from a privacy standpoint.
I used to own a chromebook and I loved it... until it failed.
I had computers that failed before, and usually I could manage to repair them somehow, most often by using a linux liveUSB, but with this chromebook, I've tried many things but I could not do anything. No access to BIOS, no bootable USB, nothing. Complete black box.
So I'm not sure I'll buy another chromebook anytime soon.
a) because he was impressed by the ChromeOS security model?
b) because he got cloud sync/restore seamlessly out of the box?
c) because that's twice as expensive for a used item?
I get that people have nebulous concerns about Google's privacy policy, but he mentions specifically at the beginning of the article that he was interested in the ChromeOS security model. There are very few systems that have a model that matches that for the threats they consider most problematic.
Those reasons are understandable. I guess I'm confused why a software developer needs to save $200 on a travel device with < 1/10 the capability of something a bit more expensive. Kudos to him for experimenting.
I would love it if Android apps could somehow replicate the dev tools of a standard full-featured OS one day. I'm definitely a fan of ChromeOS.
Also, it feels like this Samsung Chromebook 3 is just tiny bit (I am sure it isn't but it feels that way) of upgrade from the famous Dell mini 9[1] from almost a decade ago.
It was super hackable and most people who bought it installed hackintosh on it, with near-perfect hardware compatibility with OS X Snow Leopard. A few friends of mine went to Africa for a few months with Dell Mini 9s and were able to freelance there with a fully functional yet super affordable hackintosh Mac. I wish Dell could have another of those netbook lines with compatible hardware.
While I like the idea and the listed apps are just awesome (didn't know about termux, wow), the whole setup depends too much on google services for my taste :-/
Yeah, this is a no go for me. I don't use anything by Google at all. How can a security conscious person talk about privacy and security on a Google device? They are listening, filming and tracking every single thing you do near that device.
That ("They are listening, filming and tracking every single thing you do near that device") is a claim you're going to have to substantiate. Don't spread such rumours unless you can back them up.
He's not suggesting they are tracking you through their ad network as you go to websites that use them.
He's suggesting they are secretly filming you, logging your keystrokes, and rerouting your mic audio. That is a very bold claim that should be backed up or retracted.
If the claim being made was that they track your usage of their products, that would have been a reasonable response. But the claim being made is that they continuously monitor you through the webcam and microphone. That is extremely bold and, may I say, complete tinfoil nuttery.
Why is that so hard to believe? Personalized ads are huge right now, if you could listen in to people's conversations you can use the data to improve your ad conversion rate. If there's ROI in recording and doing the data collection you can bet they have at least experimented with it.
Can't imagine what recording webcams would do- but I suppose it might be effective for something.
I have tried using Chrome OS as my main device and I'm basically going to use this post to rant a little. Why does Chrome OS have to use basically a dock like Macs?
Wondering if Google would themselves launch such a workspace. https://www.youtube.com/watch?v=mfLc4U8pnPk
The idea is to have a vnc/remote-desktop style machine on AWS. Just need only a client (secure chromeOS)
My current view is that the best an average fullstack dev can do is still to buy a beefy desktop with linux/nvidia + windows on virtualbox/vmware (for Windows stuff). An additional cheap Chromebook is nice but e.g. IntelliJ is too heavy for it.
Whether or not a government can compel you to download and reinstall data to your laptop is a much trickier legal problem than whether they can ask you to show them what is on it currently (in the US they almost certainly can request that at the borders). It also adds to the hassle factor for the border crossing agent. If you are walking through customs/border entry with an in-box, factory-default Chromebook in your checked baggage, that changes the legal conversation.
Even if you aren't worried about state level inspection, this setup allows you to put the laptop in your checked baggage and not worry that your data has been intercepted by criminal enterprises in the case of rerouted bags or theft. This is a big boon for many business travelers as they are more worried about IP protection than privacy from governmental interlopers.
Anyone know why the author seems to be setting up to SSH into Termux? It looks like Termux itself has a perfectly good console, what's the deal with trying to SSH into it from a local client?
I have been using the YubiKey for over a year now, and the novelty wore off.
I lost my key a couple of weeks ago and was surprised how easy it was to get back into my accounts with just my phone. There is no point in using something like that if providers allow you to failover to more conventional authentication methods without any hassle; the keys are useless. They are not going to add manual verification for a couple of people who lost their YubiKey.
YubiKey is useful for instances when you want to grant somebody access to something with just a key. I don't see it going beyond that anytime soon.
Even for providers that do provide seamless failover, the inevitable "we see you requested an account recovery" email would serve as a useful canary to know you're being targeted.
Well I imagine in most people's cases if they've managed to compromise their email then the game is already won.
Anecdotally, someone got my steam account credentials. I discovered this when they tried to change my password. Fortunately I had Steam's two-factor enabled and got the notification (2-factor is required to change steam account passwords), which alerted me to change my password. They actually tried the account recovery option and I got an email notification about that as well.
So in situations like that such notifications can be quite useful. But yeah, if they've compromised your most critical accounts/devices then YubiKey isn't going to save you. I don't think that's a knock against it.
Basically the author wants to have a Chrome OS installation that can run android and non-root unix/linux software. All this in a regular installation without requiring the user to enable developer mode.
Regarding your questions, yes it is running linux as Chrome OS is based on Gentoo. But it is not running any traditional linux distro. In order to provide a linux/unix environment, the author installs termux. But this app is for command line programs. The quake screenshot has nothing to do with termux, it was installed from the Play store. Therefore I'd say it's not possible to run Steam on it.
That's what I thought. However, this article (http://lifehacker.com/how-to-install-linux-on-a-chromebook-a...) mentions crouton and being able to run Ubuntu. For instance, can I use apt-get, containers, etc.? Seems like there are two "solutions" .. one is to reboot into an open Linux system and the other is a more loose chromeOS?