2. The enterprise is skittish to adopt because there's no support, so when users get locked out, they often have no recourse, which is bad for business
3. Address this—fill in the missing piece and introduce support
4. People react as if you didn't just announce you would be offering a solution to the very thing they're complaining about
With that said, this announcement doesn't look like it has any relevance to regular consumers. I'm gradually migrating as many things as possible away from Google, having realized that I'd have no recourse if they locked me out of my accounts. Their TOS says services can be terminated at any time. I'd feel a lot more comfortable if we had a guaranteed grace period for migrating away upon your Google Account being terminated. IANAL though, so maybe I missed something?
...and that's where the true problem with Google is. There's no mechanism to report/escalate a well-defined and reproducible technical bug - even as a technical sysadmin with a paid account. ...and if a data issue only impacts a small number of people, it'll never get fixed.
The GSuite forums are bombarded with usability questions, and real tech issues are given the old "let's see which FAQ I can post to get some karma" response.
Calling the help desk might get the issue escalated, but it's far far more time consuming than if I could just put a normal bug report together with a screenshot.
I actually work in the GSuite support organisation you refer to.
Firstly, I'm sorry if you feel that you weren't provided with an appropriate level of support. Or that troubleshooting took inordinate effort/time on your part.
Secondly, you probably know this, but there are multiple tiers of support - and there are meant to be fairly well defined paths for escalation. Obviously the front line is very much basic initial troubleshooting for the average user - the products cater to a fairly wide range of technical skills/background.
Feel free to reach out to me anytime if you want - my HN username at <company that makes Chrome> dot com.
But most likely you're still going to need that AD or LDAP managed infrastructure because several roles aren't going to be able to get by with a Chromebook (not something I could see myself doing Scala development on personally).
And then it comes down to, what's the point? You're either already securing your company data and backing it up or you're already using hosted services for everything (Office365, GitHub Enterprise, Dropbox Enterprise, etc)
I agree it seems like more Google lock-in and for something so terribly simple too. I mean except for things like the managed app store, you could just get some really cheap Linux laptops and you'd get the same end result.
Also, Google does offer support, usually via a third party plus fantastic Google for Business (G Suite?) support, as well, in my experience.
You're basing that off of a sample size of one?
That user just said "hm, google-something, business-something... eh, no thanks I don't want to get fucked over." Which is inaccurate but that's what happens.
The twitter mobs are baying for your blood. Some Employees inside Google might also be baying for your blood.
Will Google decide to end the business support agreement, and would you bet your business on the answer to that question being 'no'?
Google Docs is OK, but Google Sheets is abysmal for any serious amount of data. It seems very hard to have Google listen to our concerns.
OK, we are a small organisation, but I'm happy to recommend Google Sheets to anyone but power users. If you are crunching a lot more data than this, then I certainly agree that using a browser-based spreadsheet is not optimal.
The admin panel was also horribly slow and just was a pain to work with, especially once we became the target of a long running phishing attack and would have dozens of accounts locked out every day. It was easily a 30 minute process to restore access to cleaned accounts since the panel at the time (2012-2016) didn't have a way of mass management of users.
You can introduce missing pieces and support all you like, but if people think they can't trust you based on your previous history, then it won't make a whit of difference.
"And thus you see the supreme importance of never having the public find out you've ever, even once, locked someone out without recourse."
At what point do you stop using web browsers in a snit over some corporate bullshit? IE/Edge is MS, Apple does bullshitty things and Firefox is funded by Verizon/OATH.
It would certainly give peace of mind and the next time we read about 1 person in 10 million facing such a problem, we can think, "maybe they should have just paid $10 in insurance." As a public service the insurer could also publish rates of lockout.
I've had this idea for some time, so if you want it you need to reply with a resounding, yes, you'd pay for it. For the record, I'd pay for it. But I need to find 9 million other people too.
 I'm not a lawyer or even actuary.
The issue I see is, what happens when a spam-account gets blocked? And how do you keep people who knowingly break e.g. google policy from forming the majority of your customers.
[And for the record - yes, definitely.]
As billing account owner, my account was suspended. That meant I could no longer receive emails, because that was the same account. The Google project was also suspended, terminating all servers and the DNS records for the domain, which were using Google nameservers.
That meant it was impossible to do the Google account recovery process, which relied on adding records to the domain to prove we owned it.
It was also impossible for me to open a support ticket without being able to log in or access the domain.
Thankfully, we had another account on the project that was still able to log in and open the ticket.
It was really a terrible experience. The moral of the story is you can't rely on one provider for everything, especially if they don't have accessible customer support.
Google really should not algorithmically blow away a corporate account in good standing without some notice and cure period offered.
If Google suddenly turned me off right now I don't really know what I'd do. Probably cry in the shower.
In time, you will no longer depend on Gmail for the rest of your life and can just switch to, for example Fastmail, any time.
This is the biggest reason I am hesitant to try fastmail.
Most mail providers can terminate users for any reason, but at least with a few days of notice, allowing you to move the data elsewhere.
But for me, the really killer solution is their 'important mail' filter. I'd love to find an alternative to gmail with a similarly well-functioning system.
Fastmail's spam filter is good† and customisable (with niceties like score displayed right there), to the extent that I just forward things from Gmail by wildcard-disabling the Gmail spam filter.
† the learning filter won't kick in until you make it learn 200 messages.
Google can still terminate your account without notice, but if you're using your own domain, you'd at least be free to move to another service immediately.
Oh, and don't forget to get regular backups, so you don't have to start at zero in the case of an account termination.
My main email is in gmail still, no more google searches (resorting to bing would suck), no googlemaps to help navigate, and youtube for content, etc
Going to swap to proton mail later or just use my hosting provider on my domain to handle email. Plus local backups
Any consumer facing service faces similar issues. Microsoft in the consumer division has done similar things.
Enterprise services get far better support. Personal services are used by literally billions of users, with possibly millions of fake bot accounts spamming all the time, so it's not surprising that sometimes false positives happen. And providing support to billions of people is not easy.
Better is relative. It is accurate to say it is better than the no support they give to free consumers. But it is a far cry from "good" support.
If you've got good devs and admins, the support is really not all that useful. When it comes to managed chromebooks, I bet you could get a similar cost saving experience if you took one desktop and one linux admin and had them try sourcing chromebook-like PCs, installing Linux on them and experimented giving them to employees only needing access to web apps.
Sure you don't get the managed chrome store or whatever, but I bet it'd meet most use cases for a lower cost. Some high schools have managed chromebook programs so there are people out there doing this already.
Edit: ~source: https://en.m.wikipedia.org/wiki/Category:Discontinued_Google... I didn't calculate the average lifetime for their discontinued products, but there are many.
1. More often than not, it's not something nefarious or convoluted, but something very simple.
2. A lot of the things Google does are for the protection of the users themselves (whether from themselves or from outside forces).
(Disclaimer: I work for Google).
It especially does not matter that it wasn't nefarious when Google isn't going to listen to you anyway unless you happen to write a blog post that happens to get viral in the right circles.
It's not like there's a simple form that you can fill and which is reviewed and resolved in a few days reliably if your account gets deactivated by mistake. At that point you might as well be banging your head on a wall for all the good that will do.
Even a few days is unacceptable. There are times in my life where, if my Google Calendar, Google Docs, and email had all been shut off simultaneously, even for only a few days, I would have been completely fucked. Think travel, etc.
I switched to a different email provider for this reason.
(Remember that this also includes your phone, if you're on an Android device).
If you want that level of service, maybe you shouldn't use a free product.
You can have a free product, or you can have good, responsive, human customer service. You can't have both.
If you chose a free product, be ready to handle the consequences of your decision like everybody else.
...did you not read the part where I said I switched to a different provider?
And I was a paying customer - I had a Google Apps account, which comes with an annual fee for providing those services.
Of course, the problem isn't about me personally - it's that so many other, less technically savvy people aren't aware of how vulnerable they are to this problem. They don't think about it until it happens to them.
> You can have a free product, or you can have good, responsive, human customer service. You can't have both
This dichotomy is both reductive and inapplicable. The problem, as explained in this thread, is that Google has a reputation for bad service, even for their paid offerings. It exists, which is more than can be said of the support for the free products, but it's still not good enough. And again, most customers aren't aware of the extent of this and its implications until it's too late.
Agreed, and doesn't need to be less tech-savvy people, just look at HN. People seem to expect good and free service.
> This dichotomy is both reductive and inapplicable.
And is still unavoidable. You can't have both.
> And again, most customers aren't aware of the extent of this and its implications until it's too late.
It is the same behavior with airline tickets. Consumers almost always buy the cheapest ticket, and later complain about the quality of the service.
I am sure the first objection will be "you don't actually pay". Does a farmer not owe his (cash) cow at least basic veterinary (customer) services? I honestly feel like that objection is as naive as claiming that exploitative international trade doesn't actually kill anybody, when there are entire populations held in poverty and without basic safety rights over decades or even centuries due to unjust practices. So I guess the counterpoint to "it's free, don't expect anything" is "if you can't provide a complete product including understanding the problems that derive from it and treating people with respect, you shouldn't offer it at all". Money does not define social responsibility, engaging publicly with other people does.
It is still "free". You don't pay anything to use it.
> they do make a significant amount of money from each customer they can keep in the herd
No, they make a small amount of money from each customer. By far not enough to provide human 24/7 customer support.
> despite the fact that their income could more than support some basic customer service
If that's a fact I'm sure you'll be able to provide enough support to such a claim.
But let's do some basic math. Let's say that Gmail has 1B users, and each user will use customer support once every 2 years, and that each support ticket costs $10 to provide (I've heard similar numbers). Probably far more when you think about all the languages and products.
That's $5B in support per year. Which is 20% of their 2016 profit.
There you go, you can't have a free service and good customer support. Proven.
But hey, you're welcome to vote with your wallet and clicks, and move to another provider that gives free products with free, good, 24/7 human customer support.
Let me guess: you won't. Because there are none. Because it doesn't make any financial sense.
It is entirely irrelevant to this thread and discussion. We are talking about the service for one paid product (Google Apps), on a thread announcing the service for another paid product (Google Chrome Enterprise).
No, OP is talking about this case, which is a free product:
I've never put myself in a position where a freeware product had that much impact on my life. Heck I even pay to backup the paid services to a third party so I have a failover there.
You shouldn't blame Google, you should blame yourself.
Just because it's a consumer (rather than business) account doesn't mean we shouldn't have customer service, if we're willing to pay for it. There's no reason Google can't cater to us while also providing no-service free products.
I'd bet that type of customer service costs far more than that.
> Just because it's a consumer (rather than business) account doesn't mean we shouldn't have customer service, if we're willing to pay for it. There's no reason Google can't cater to us while also providing no-service free products.
And I'd bet there are too few consumers willing to pay for it to justify Google offering. It is the old argumentum ad capitalismum, if it would make money, I'm sure Google would offer it.
Even if few people are paying for it, it's worth it to address the negative perception about Google.
You seem to be assuming that Google (or any other company) does everything right, so if they're not doing it, it's a bad idea. That's not true. Companies make mistakes all the time.
Then nobody will use it, and you've set up a massive support infra in 100's of languages for ~0 paying users.
> You seem to be assuming that Google (or any other company) does everything right, so if they're not doing it, it's a bad idea. That's not true. Companies make mistakes all the time.
I'm assuming that people making those decisions are as smart as me, and if I can think about it, I'm sure they thought about it.
I never base my arguments solely on "other people are making mistakes".
That's before we get into the issue of trying to serve both a mass market and a niche at the same time. It doesn't work. Google should not try to serve the several thousands or few million users who want a fully-featured, paid product for personal use.
An add-on of the kind I'm suggesting is exactly the way to serve both a mass market and a niche at the same time. Everyone uses Gmail, but the few who want support for personal use pay. That's much less effort than building another product with paid support.
It's also no different from freemium mobile apps where 2-5% of users pay.
Google decision-makers are smart, but not infallible.
In other words, a second-tier email service rather than the best in breed.
> In my uni most people do not care if they lose their gmail
No one's forcing them to pay for support.
Is that inherent in using Android, or only if you use Google's own apps and online storage for your calendar etc?
If this software exists and it is an adequate substitute to Google products.. well, let's just use it then.
I think with great trust comes great responsibility, and Google is eroding this trust, as shown in this thread, with kafkaesque processes around account termination.
However, as a general principle, I've found that Google has very robust protections to protect users from both themselves, and from malicious outside forces.
However, the general principles I stated do apply in many cases.
Also - the author of that post has posted a reply:
Without the huge stink that my prominence created, I would still be locked out. Also, I'm not allowed to talk about why I was banned (which would help others not get banned), nor how someone less notable could've gotten their life back.
"..those who torment us for our own good will torment us without end for they do so with the approval of their own conscience."
I recently had an issue where a hijacker, from another country, was able to take over my account and change the password, without access to the backup email, the SMS, or anything except the password.
Google even mailed me a warning that this user from another country was accessing the account, and changing the password.
When I tried to get it restored – I knew the phone number (but had no access anymore because the number was reassigned to another person), had the old password, access to backup email, knew the content of emails on the account, etc – I was denied.
It was easier to get the user who got my old number, contact them, and go together with them through all the steps to get the account back.
To top it even off, after I had contacted Google support about this originally, they never contacted me back – instead, once I recovered the account, I found that instead they had talked with the hijacker.
And you tell me this was to protect me? Honestly, fuck that.
A lot of people hate this answer, but do not entrust Google, Yahoo^H^H^H^H^HOath, or any other big free service with gatekeeper status to anything financial or, really, anything more important than chatting with pals. Host it with someone trustworthy; if that is not you or someone you personally trust, then someone you pay, who will listen to your instructions to, say, never change credentials over the phone, or however you wish to structure it.
> And you tell me this was to protect me?
...In the same sense that the managers of public buildings' preference for you to piss yourself in public over cleaning formerly public restrooms is "for your protection".
But in 2011, no 2FA existed yet, so the old account had none. I had mostly forgotten about it.
Still, I didn't want anyone using it to spam to friends, family, etc in my name.
Then let's not make them happen.
> 2. A lot of the things Google does are for the protection of the users themselves (whether from themselves or from outside forces).
Please please please listen to customer and figure out how to protect them.
I have exactly zero interest in doing business with Google ever again. I don't even look at their new product announcements. I saw what they did to one of our clients about a decade ago. I have never since even looked at a Google service nor recommended them. Search, maps and AdWords are the only things I use. I won't touch anything business critical.
When a company deals with their clients the way you might expect a prepubescent third world country dictator might treat his subjects, well, the best idea is to just stay away.
The advice given typically is to have a separate account for the device 'ownership', that way, even if your main account gets blocked you still have access to it.
See for instance this blog article which talks about that:
'factory resetting' a device is easy too so that you can get rid of the device in a nice pristine state...
Never went another day without an IMAP client.
1. Is this a problem if you're using a G Suite account run by a company instead of a personal Google account (as in the linked case, as far as I can tell)?
2. Is this a problem if you're using on-prem AD for auth instead of Google accounts, which is one of the things specifically being introduced in this launch?
I mean, independent of whether you think this was Google shutting down free speech or whatever, it totally seems like neither Google's algorithms nor humans should be able to shut down a single corporate account (there's of course cases for shutting down an entire corporate G Suite setup, e.g., if it's used by spammers), but also that seems like such a basic feature that I would have assumed that's written into the contract.
Agree or disagree with a user, but paying for a service doesn't guarantee you get to keep it.
Shopify has made the decision to keep Breitbart as a customer on the pretense they just provide an apolitical service, but crowds certainly tried to pressure them to take a stance and drop them.
I wish OVH would follow that idea when it comes to booting spammers off their network. Failing that, I moved my boxes (that also serve mail, but the legitimate kind) off their network, which ended my troubles with ip range based blacklists.
Sometimes companies need to decide which sort of customers they want to retain.
I would NEVER trust a Google Operating system in the Enterprise. For example they are pushing a use case as Kiosks. Kiosks need to run for years with stability, not be at the whims of a company that can kill the product on a whim or make substantial non-backward compatible changes to it every 12 months.
OS/2 was used in ATMs for a really long time, and so was WinXP in kiosks. There are a lot of systems that still use XP yes (causing many security nightmares), but Microsoft did support that OS for an incredibly long time. I agree, I wouldn't use anything Google for a Kiosk. You're better off with custom packages on top of Ubuntu LTS or something similar.
And you could pay Microsoft to keep supporting it. Sure, it might be several million dollars to keep XP support for another year (and big increases each year)... but for some large customers it was available (banks with ATMs based on XP).
Glass was never a consumer product; Explorer Edition was fairly clearly marketed to people developing apps or investigating potential.
Where is my data stored? Does it stay in EU datacentres or does it go to the USA? How would I get support if you terminated my account as I would not be able to log in? etc. etc.
Google is known to drop services just like that.
I guess it's better to not become too dependent on them indeed.
Side Note: the reading experience on this blog is one of the best I’ve seen on mobile. Love the text size though the header animation was not the smoothest. Nonetheless great job.
"Enterprise Support Agreements for Chrome Google now offers phone and email support for Chrome, including help with deployment, management, configuration and more...LEARN ABOUT CHROME ENTERPRISE SUPPORT"
Also see: https://support.google.com/chrome/a/answer/6351685?hl=en
I like using google now to check the weather
Whether it sounds like a person's name isn't the issue.
Unless I'm misunderstanding the complaint (which is possible, it wasn't actually explained very well, just through an example or two but without a definition), it does help with the complaint.
Unless the complaint is actually "I like my services to have single word monikers", in which it doesn't, but in that case I'm not sure I think it's a complaint worth addressing without some explanation as to why that's actually important.
Whether it's a person's name or not, I know what Siri is. There are two word brands that work fine as well. Company <very common term> though, is hard to pull off.
> Company <very common term> though, is hard to pull off.
I think when <very common term> actually describes what the service does, it's an entirely different story. If I say I'm using Google assistant to map a route for me, or answer some search terms, even if there isn't a marketing campaign that's pervasive enough to seed the service name in my memory and the memory of those I am talking to, there's a high likelihood they know or can figure out what I'm talking about. There's only so much room for people to remember service names like that and expect them to be ubiquitous. I would much rather they be called Apple/Amazon/Google assistant so I didn't need to know them. It's not like there's a high chance of me using Siri or Alexa any time soon, since I don't own any devices that provide them. I don't use Cortana because why bother, I only have that for my desktop/laptop, and I can just as easily (if not more easily) search with text generally.
Do you like google now? Is google now the market leader?
Also, the wake word is entirely different..."ok Google".
I can figure it all out. My mom, though? Alexa makes more sense to her.
Although I think they sacrificed a bit too far there. The features checklist is just an image with a "link" to supported devices that does nothing and a little red squiggle under text.
If you leave the GUI, you can also run openvpn yourself on a good old .ovpn file, but you lose some of the nice security properties you get with the default Chrome OS setup, you have to do cros-specific hacks to make it work (https://github.com/dnschneid/crouton/issues/2215#issuecommen... plus switching back and forth between VPN and non-VPN DNS by hand), and last I checked it made ARC (Play Store) apps' networking stop working.
I would consider paying a premium just to get my Chromebook connecting to work's VPN smoothly, though of course I'd love it if improved VPN functionality were available to everyone by default.
At some point I'm probably also going to take a second look at the latest ONC docs. It looks like they've improved since I first looked at VPN setup a while back.
which is a WebUI thingy I wrote to solve exactly that problem.
[disclaimer: "advertising" tool I wrote]
When I last looked at the situation, I couldn't find an ONC equivalent for some of the options in the .ovpn file. It might be the docs or even functionality have gotten better. (I remember looking at some PDF, for example, and now there's https://chromium.googlesource.com/chromium/src/+/master/comp...) It's also possible I just missed something last time. Either way I should take another look.
Android apps (on some models of the laptops) might work though.
Having support for Wireguard would be pretty neat, but afaik not possible yet.
OpenVPN works quite fine for my use cases up to now.
That, and where does it say he was using a free account? A lot of universities are on the paid google suite.
Anecdotes are great but it literally says 24/7 support in the article. That seems like it means there is someone to talk to all day, every day (which is obviously best effort but so are most other products).
Chrome OS is already widely used in US schools (and tracks student online activities), now we have a 'business-friendly' version of Chrome OS.
What kind of analytics does a cloud OS like this record? What does Google do with that data? Even if that data is 'anonymised' (a pretty meaningless term nowadays), in aggregated form that gives Google staggering quantities of data that they can mine for the future. Why did Google not even mention the word privacy once in that blog?
Probably because there's nothing new to be said:
And there was a good article from the NYT this year about the controversies:
Just today I was thinking about high traffic areas in Waze and Google Maps. Sure they're going to use traffic cameras and municipal reporting services if they exist, but you have to wonder to what extent they're using location data from all those phones not currently running a navigation app.
The naming is puzzling. But I'm sure MS shops are used to weird names, and aren't likely to get pedantic about whether or not there should be an "OS" in there. They likely went with the simpler name to build on mindshare among decision-makers, and to intentionally muddy the waters to their benefit.
I wish they'd come up with something Family-oriented. I've got my mom, girlfriend, and girlfriend's children all using low-end Chromebooks / Chromebases as their primary computers, and I'm using one for about 80% of my computing. Chrome device management would be useful for us but $50/year per device plus needing to buy G.suite per user is a bit much.
The glaring hole is that they can't install Apps / Extensions and there's no way for us to do that on their behalf.
And no don't tell me google sheets. Great for sharing data...ultra crap for data manipulation.
The biggest issue for me is lack of keyboard shortcuts. If you use Excel a lot and have all the shortcut keys in muscle memory you can do things at speeds fast approaching magic. There are literally offices where first person to use the mouse during the day buys beers after work.
There is also random sht missing that matters to me but apparently not to some dude at google HQ. Like the ability to remove duplicates from a list.
Don't get me wrong - google sheets is great. It's just not a replacement for something that has been tweaked to perfection over years.
MS is going to get killed on multiple fronts in the coming years. Excel is not one of them. Nothing is even close.
Browser-based apps will always be far less powerful than native OS apps, and any sensible company will provide beefy machines for their engineers, finance team, graphic designers etc. And browsers for everyone else.
Also I think you are underestimating what people use Excel for. I've seen companies use macros, tens of tabs, and basically build the software that runs their business in Excel. It's not just a simple spreadsheet.
If Google starts showing some reduced TCO figures, they'll start to pull a lot of converts.
I love it myself, but until you can walk into a Best Buy and a quarter of the options are Linux machines that the sales people can show off as well as the mac airs and surfaces, it's going to stay for people like me.
And that's just the home world. Trying to bring business into it? Unless your staff is purely development oriented, you now have to retrain every one of them (and probably most of the developers). Linux for wide spread average business user use is a non starter.
And Excel remains very powerful for quick data analysis, quicker than python tools for most one-time work.
I think that Linux will become more successful where people don't interact closely with the OS (Phones, Kiosks, simple terminals) but Windows will remain dominant on most computers.
And my point is, how will Chrome OS enterprise be different?
Do you think they'll write their own Printer management tools, or just install CUPS?
Will they write their own Active directory client, or just use SSSD or Samba or whatever RedHat is using these days?
Not sure if the migration effort and lost productivity is worth the cost savings.
Many places I've worked don't allow use of personal cell phones while at work, much less allowing access to personal accounts on enterprise equipment. Security is hard, adding complexity is a bad idea.
$50/device/year does seem like a lot of money especially when Google expect a device will last 6.5 years. 
Surely lowering the cost of the business licenses even further would increase Chrome OS adoption significantly?
I suppose I will eventually just buy a new phone in a few years, but I'm not thrilled about all that private work / business data that is sitting in limbo.
This all happened over a single weekend. Considering that we were in a monarchy, and some of the investors were royalty, I took that as my cue to get the F out of Dodge before my passport got locked. It took me a while to recover from the stress and the trauma; not knowing what ever happened makes it hard to put it behind me.
Even now, I am afraid to share too much detail, because I am unsure of how that would affect the people who remained in the country. Always have an emergency exit ready to go; $5K in cash will get you across most borders, if you play your cards right.
Serious question - surely there are some custom non-web apps but I doubt they'd have released this if they didn't see some large companies who would find it a compelling cost reduction for big swaths of their staff.
Because tons of stuff is on-prem, e.g. Confluence, JIRA, Bitbucket.
But I really think now we're approaching the point where their fall might happen swiftly. Chromebooks are fine for the majority of corporate users. And if they catch on, there is no need for any of the Active Directory / Azure tie-ons that MS has been hoping would pull enterprise customers towards Azure, Office 365, and all the rest.
And even if Microsoft can convince customers to stay, they simply won't be able to charge the same prices they've enjoyed for decades now with the overpriced Office, Server, and Client access licenses.
And once an enterprise moves away from Active Directory and Office, I don't see any benefit of using the very expensive Sharepoint, Outlook, OneDrive, and other apps that have always been overpriced, but worth it as they integrated well together and saved companies more money via lower IT costs.
Some small companies can currently go with Chromebooks and the Google office suite (assuming they don't share many files externally), but for big business the compatibility needs to be there to switch from MSFT. Big businesses can't afford to refactor every single spreadsheet in existence to make the switch. Currently I have 2 Excel sheets, a Word doc, and Outlook open. Excel specifically is the most difficult to port elsewhere. Backward compatibility and network effects are immense.
It is great for education and siloed businesses though.
Until then MSFT owns the space and can charge significant annual license fees. I don't see that changing in the next decade.
It is fun to report those things to Google Project Zero and then find that people on that side obviously do not understand that security bypasses are... well... security issues.
full submission reproduced below, just in case they radar-disappear the item... duping items is apparently what Project Zero does so that the items disappear from Google results...
Thank you for an amazingly solid looking ChromeOS. Happy that I picked up a nice little Acer CB3-111, thought about plonking GalliumOS/QubesOS or heck OpenBSD on it, but with the TPM model and the disk wiping, not going to.
Just wanted to note this discovery so that you are aware of it and hopefully can address the problem as it would improve the status quo. Keep up the good work!
Jeroen Massar <firstname.lastname@example.org>
By disabling Wireless on the login screen, or just not being connected, only a username and password are required to login to ChromeOS instead of the otherwise normally required 2FA token.
This design might be because some of the "Second Factors" (SMS/Voice) rely on network connectivity to work and/or token details not being cached locally?
But for FIDO U2F (eg Yubikeys aka "Security Key") and TOTP no connectivity is technically needed (outside of a reasonable time-sync). The ChromeOS host must have cached the authentication tokens/details though to know that they exist.
The article at  even mentions "No connection, no problem... It even works when your device has no phone or data connectivity."
Chrome Version: 59.0.3071.35 dev
ChromeOS 9460.23.0 (Official Build) dev-channel gnawty
First the normal edition:
- Take a ChromeOS based Chromebook (tested with version mentioned above)
- Have a "Security Key" (eg Yubikey NEO etc) enabled on the Google Account as one of the 2FA methods.
- Have Wireless enabled
- Login with username, then enter password, then answer the FIDO U2F ("Security Key") token challenge
All good as it should be.
Now the bad edition:
- Logout & shutdown the machine
- Turn it on
- Disconnect the wireless from the menu (or just make connectivity otherwise unavailable)
- Login with username, then password
- Do NOT get a question about Second Factors, just see a ~5 second "Please wait..." that disappears
- Voila, logged in.
That is BAD, as you just logged in without 2FA while that is configured on the account.
Now the extra fun part:
- Turn on wireless
- Login to Gmail/GooglePlus etc, and all your credentials are there, as that machine is trusted and cookies etc are cached.
And just in case (we are now 'online' / wireless is active):
- Logout (no shutdown/reboot)
- Login with username, password.... and indeed asks for 2FA now.
Thus showing that toggling wireless affects the requirement for 2FA.... and that is bad.
- Being asked for a Second Factor even though one is not "online".
As now you are walking through say an airport with no connectivity, and even with the token at home, just the username and password would be sufficient to login.
For the Google Account (email@example.com) I have configured:
- "strong" password
and as Second Factors:
- FIDO U2F: Two separate Yubikeys configured
- TOTP ("Google Authenticator") configured
- SMS/Voice verification to cellphone
- Backupcodes on a piece of paper in a secure place.
Normally, when connected to The Internet(tm), one will need username(email), password and one of the Second Factors. But disconnect and none of the Second Factors are needed anymore.
The Google Account password changer considers "GoogleChrome" a "strong" password.... might want to check against a dictionary that such simple things cannot be used, especially as 2FA can be bypassed that easily.....
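The report above notes that TOTP needs no connectivity beyond a reasonable time sync. As an added example (not part of the original submission and not Chrome OS code), this sketch shows an offline login policy that checks an RFC 6238 code against a locally cached secret and fails closed instead of skipping the second factor; the `login` function, the account fields and the cached secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): needs only the shared secret and a clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept codes within +/- `window` time steps to tolerate clock drift."""
    results = [
        hmac.compare_digest(totp(secret, unix_time + d * step, step).encode(),
                            code.encode())
        for d in range(-window, window + 1)
    ]
    return any(results)


def login(account: dict, password_ok: bool, online: bool,
          code, unix_time: int) -> str:
    """Hypothetical policy: being offline never waives the second factor."""
    if not password_ok:
        return "denied: bad password"
    if not account.get("two_factor_enabled"):
        return "granted"
    if online:
        return "defer: online 2FA challenge"  # normal server-side path
    # Assumption: the device cached a TOTP secret, protected like the
    # cached password verifier (for example, sealed by the TPM).
    secret = account.get("cached_totp_secret")
    if secret is None:
        return "denied: no offline-capable factor cached"  # fail closed
    if code is None or not verify_totp(secret, code, unix_time):
        return "denied: second factor required"
    return "granted"


# Constructed sample account using the RFC 6238 test secret.
SAMPLE = {"two_factor_enabled": True,
          "cached_totp_secret": b"12345678901234567890"}
```

With this policy, the "bad edition" steps in the report (password only, wireless off) end in a denial rather than a session.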
I’ve seen it before, reported a vulnerability to Google, got a "not a vulnerability, not eligible for anything" back, published the PoC on my website, and Google subsequently blacklisted my domain, IP range, and everything.
It’s a bit suboptimal when the only real way to fix issues is via HN or similar sites.
Google has created the full ecosystem (phone, laptop, apps) to compete against the MS and Apple stacks. It's still a rougher experience, but for me, it has crossed the good enough threshold.
I could not get used to using a shell in a browser tab; it was just too easy to accidentally lose my work by pressing ctrl+W.
But I have been a desktop linux user for ~20 years until switching to MacOS last year, when I got a new job and inherited my predecessor's Macbook Pro. So, getting E17 started, even with no GL acceleration, was really quite OK for me. (But as a desktop linux user, I'm sure I'm probably on a short list who would be ok with that... you might be too, I don't know how you were using it or what your background is.)
If I had something better than a 2012-model Samsung XE303C12 (anything but an ARM-based chromebook, I guess) something with an intel CPU that has Haswell chipset or Bay Trail, or i915 video, or the Chromebook Pixel line, or... I think it would be even better (with supported graphics acceleration, I mean.)
What were your issues/how far did you get, if you don't mind my asking?
I was running Docker just fine on the ARM hardware until they upped the kernel requirements (so, probably v1.11? Something something, unsupported now...) I almost wound up compiling my own kernel, but it was too complicated, I wasn't sure I'd be able to do it at all without switching to Chromium OS, and at that point I might as well set up a server doing nightly builds and run my own Omega protocol OS Update infrastructure.
Yeah, I would definitely not ask programmers to work on a locked-down ChromeOS machine without crouton.
I would rather shave with a belt sander than use ChromeOS for any modicum of development ever again. Ended up installing Crouton on it, which made it workable, but then are you _really_ using ChromeOS anymore?