Slashdot Mirror
Security Experts See Chromebooks as a Closed Ecosystem That Improves Security (cnet.com)
The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article:
Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device... "If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...." Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.
That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...
"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...
"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
Linux for the win!
Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus.
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
Inheritance is the sincerest form of nepotism.
Everything from Google, a giant advertising company that wants to track your every move. Fools.
Yes, Preparation-H is the greatest thing ever. Thanks to that, I no longer feel the pain of hemorrhoids. Thank you, Preparation-H.
VERY secure.
Students aren't secure from Google, who bullied their way into education, starting with California charter schools about five years ago, expressly for the purpose of data collection. I don't think Apple's strategy is the right one either (though I trust their motives), but Google is serving Google, as always.
Burma Shave
... an oxymoron.
It little behooves the best of us to comment on the rest of us.
would be just as good as long as it is in competent hands
Politics is Treachery, Religion is Brainwashing
So to secure your data you have to give it all to google. No other options. Right. Cutting edge technology, eh.
Also: "hackers" means diddly squat except "bogeyman in your interwebz". But then, "security expert" really means "s'kiddie", and that has been the case since the misappropriation and divorce of "hacker" from its original meaning a honorific indicating great technological skill and creativity. No surprise, then, that both are sorely lacking among "security professionals".
I can see why one would purchase a cheap laptop with Chrome OS for their children in middle school or high school but once they are college bound only a quality laptop that is neither repairable nor upgradable running macOS with 10 dongles will do.
- Tim in Cupertino
First let me establish to what extent I am qualified or not to address this question:
I've been a security professional for 20 years. Most of that time I used Linux exclusively. Recently I've also started using Mac. You'll find my name in the kernel change log.
There are three main areas of security; confidentially, integrity, and availability. Most of the time when people say "security" they mean confidentially first, with some thought to integrity, and they rarely think of availability. For confidentiality and integrity, the top two things an OS can do to help is limit the attack surface (such as not running unnecessary daemons or other software) and provide quick, reliable updates. The only code that can't possibly be hacked is code that isn't there, so the most secure system is the most minimal system. Real-life attacks use known vulnerabilities 99.99% of the time, so quick, automatic updates to resolve known issues are very important.
There is one Linux distribution that stands out for avoiding any unnecessary code (and potential vulnerabilities) and providing quick, reliable updates. That distribution is ChromeOS. It's well ahead of the others. It would be rather difficult indeed to set up a general-purpose distribution such as Ubuntu, which is made to support servers of all kinds, all kinds of workstations, etc, to be as secure as Chrome OS.
The third leg of security is availability. If the features and functions you need aren't available on ChromeOS, it won't work for you. Normally we think of availability as "not subject to denial of service or random crashes", but if the service you need is denied by the creator of the OS, that has the same effect as a denial of service attack.
ChromeOS is therefore well ahead of any general-purpose OS in terms of security - for users who don't need anything ChromeOS doesn't provide. That's a LOT of people. It even suits my needs while traveling because my travel device only needs to SSH to my main machines, and provide a web browser.
"Fewer software choices mean limited options for hackers."
Seems like this would be fewer things you would need to focus on to own them all.
Chrome OS is still Linux-derived, as is Android. Something doesn't need to be 100% FOSS in order to be "Linux" by definition.
Philosophically, I prefer FOSS. I run a Linux desktop, though I do put on a small amount of proprietary code as necessary. I use an iPhone. I'd prefer if iOS were open source, and when a truly stable, usable, mainstream FOSS phone is available I'll probably switch to that (maybe it will be CopperheadOS; I seriously doubt it will be Purism, which is building towards obscurity).
Yes, it would be great if everything were open source. But the fact is that open source does not necessarily = more secure. Lots of open source projects are maintained by only a handful of people and miss security holes just as often as closed source.
The #1 problem the FOSS movement has is large portions of it are being run by programmers rather than managers / business people, and programmers tend to make things that THEY want and expect the customers to adapt, which is wrong. Business people make things for the CUSTOMER and order the programmers to adapt, which is right. This is why Red Hat and Canonical have been wildly successful; they are run by managers. This is what the FOSS movement needs.
Why wouldn't you use Startpage for private Google searches? I seriously don't get why anyone in the IT community who uses Google search would not use Startpage instead.
The Chromebook isn't a full blown laptop that can run all sorts of high end software.
True, but it did crowd more versatile compact laptops out of the market. To what extent did the introduction of the Chromebook in third quarter 2011 cause inexpensive compact laptops to cease being a market segment at the end of 2012?
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
If you oppose all web advertisements, would you prefer having to pay $5 for each distinct domain that you visit in a month? That'd make web search engines a lot less convenient. If you have a third option in mind other than ads or paywalls, I'd be interested to read it.
It even suits my needs while traveling because my travel device only needs to SSH to my main machines, and provide a web browser.
Good luck SSHing from a moving city bus. It won't stay near one Wi-Fi access point long enough for your Chromebook to associate. If you're buying cellular Internet service just to use SSH from your Chromebook, you end up needing to include the price of a cellular subscription over the course of your Chromebook's useful life in its effective price.
And where are your "main machines"? If at home, many home ISPs use NAT that blocks incoming connections.
I can see why one would purchase a cheap laptop with Chrome OS for their children in middle school or high school
Middle school maybe. But how would a high school student taking AP Computer Science complete his homework using Chrome OS?
Your school system is habituating people to crippled, minimal devices - the very poster child for dumbing down the students.
Chromebooks are only a good answer to going backwards.
I've fallen off your lawn, and I can't get up.
No mention of how much is leaked to google: copies of your files sent there or other metrics that google might sniff. But if you are happy with that then yes it is secure.
title should add "Self-proclaimed" to the "security expert" part.
What percentage of the high-school students in the US are in this group [of students taking programming]?
100 percent, if the College Board gets its way. The College Board administers SAT and AP tests that high school students take to determine their eligibility to attend university.
An Atom CPU is no worse in performance than a similarly clocked Pentium 4 CPU.* Thus an Atom laptop can still hold its own running Xubuntu, especially for things like lightweight hobby or contract programming work to pass the time on the bus commute to and from one's day job.
* Yes, this is telling about how inefficient NetBurst was, but bear with me.
Sure, I'll agree with summary. A closed system is inherently harder to hack. And harder to put malware onto if the model is excluding unsigned/unapproved code.
But is this something we really want? We've heard that 'they' would like general purpose computing to be revoked from the general population, or at least severely limited.
This is a step in that direction, under the guise of 'It's more secure!', yeah, it's also locked down and useless for any function other than it's designated function. I'm not really interested in this. I don't think it's a good idea to be pushing this kind of solution.
It's a nice looking 'gift', but it's trojan horse. A trojan to train the population that they don't need general purpose computing, and that general purpose open computing is dangerous and unsafe. Not good.
It's their livelihood.
I see security experts as utter fucking shitcocks.
"Security" for gullible people. Feel good already?
they wrote a book about this situation! The Secret Garden - boy in literal walled garden is safe - but doesn't seem happy until he is let out
The article is makes some good points. For years, my girlfriend's laptop has been plagued with malware, popups Ask.Com tool bars. Yahoo tool bars. All kinds of crap. Periodically I'd clean it up and she would be good for a couple months. Eventually she'd blame the laptop, and buy a new one.
Finally, I bought her a nice Acer 15 inch Chomrebook. She's had it about a year and half without ANY problems. I never have to "fix" it or screw around with it. No more running anti-virus or hacking the registry to turn off nasty shit. Her Chromebook just works. For a lot of people, a Chromebook is all they need, and it is all they should have.
I've got a Pixelbook 2, and I'm in two minds about it.
The hardware is awesome, I like... CPU, RAM, screen, weight, keyboard, USB-C, battery life. The software though... is like being in alpha-test experiment here?
The UI is totally weird, maybe it made sense when it was just a browser in an OS, but with the Android apps as well... the UI is really clunky. Sometimes an app is an Android app which appears in its own window, sometimes it opens a browser tab. It comes across as a UI experiment in its early days rather than a product which is ready to ship. For some apps you can install both, and confuse everything even more. Forget about dev - to do any serious dev work, you need to do a remote desktop to a real machine, perhaps your home/work desktop, or even a cloud VM. None of the remote desktop clients totally ticks the 10/10 'it just works securely' space. Chrome Remote Desktop is fine, but desktop is low quality, but it only works on certain systems (limited Linux distro support).
Reliability... expect to see the Chromebook regularly update to something unreliable to be fixed in the next couple of days.
Something weird about the cryptography in ChromeOS: The policy on the Android app side is the same as your mobile phone, software cryptos are allows. On the Chrome app side, cryptography only works if its implemented in the TPM chip. This is "more secure" because TPM chips are "more secure". The TPM doesn't support newer cryptography algorithms like elliptic curve, so you have to use older algorithms like RSA. Oh wait... forget the thing I said about more secure.
Really security experts, the promise of security is great, but when ChromeOS has this many problems, I would not really trust the promise.
I'm not against closed ecosystems. I use Apple products after all. Thing is, if I'm going to choose a product built around a closed ecosystem, there's no way it's going to be from a company that makes their money farming data off their users.
We're comparing a solution that doesn't actually store any end user data locally and is an open system to one that does. You're talking apples and oranges. Also, Porteus Linux is a far better and far harder choice IMO.
What really gets me is, we're concerned about the daughter's laptop being hacked. We're afraid of a malicious banner ad or a bad gmail. I'm far more afraid of allowing them to have raw, unfiltered internet content and kid-friendly furry porn. ChromeOS Doesn't support web proxy, so the only way to get content filtering on the unit is via DNS.
Security != Privacy.
I also agree that merging HW + SW + limited applications that only run inside a sandbox browser on encrypted storage **is** more secure.
I can't get passed the "let google know everything" aspect, however.
Plus google pushes updates whenever they want. No way to stop it. THAT is a real issue. Getting an update while on travel that breaks things sucks.
I own 2 chromebooks. Both ran ChromeOS for about a week before I wiped them and put an Ubuntu flavor on.
Basically, got an Ultrabook with 10 hrs of battery and 1080p screen for $400. Perfect for remote access back to my real computers that are 20x faster than any laptop and not limited by stupid power and can be upgraded to hold 50T of storage.
Security is less using Ubuntu, but at least I don't have to worry about google pushing an update when I'm on an overseas trip. They fucked me over that with my first chromebook - I was in a tiny town in Thailand with less than dial-up connectivity. Fuck you google.
Couldn't you use your mobile phone as a Wi-Fi access point?
Not in my case. I have programming jobs for two different companies, one in an office and one from home. I work on projects for the latter to pass the time while riding the city bus to and from the former. Neither provides me "a company mobile". And with many of these being graphical and interactive (yet lightweight in CPU use), I would need to tunnel X11 or VNC over SSH, which would run up the latency and data usage even if I do manage to install some sort of X server or VNC viewer.
i'd rather sites that offer nothing of value just died
The availability of your home broadband Internet connection is subsidized in part by economies of scale from serving other subscribers in your city who enjoy viewing what you call "sites that offer nothing of value". Let's say hypothetically that most ad-supported websites close their doors a month from now, causing other subscribers to the ISP for your city to cancel home Internet service because their favorite sites had closed. Then the ISP gives you a termination notice on grounds that it is no longer profitable to offer home Internet in your city. How would you proceed? Would you instead access the Internet at a public library?
Other than your $5 figure vastly inflating the value of ad impressions these days
The $5 figure is based on the minimum buy-in for a subscription to ad-free use of a website, which in turn is based on fees per transaction charged by payment processors as well as the opportunity cost of serving a paywall notice without ads to visitors instead of an article with ads. Some sites will offer access for, say, $5 per month or $20 per year (buy 4 months up front and get 8 free).
I would be perfectly fine with the option paying money to not be bombarded with ads and tracking scripts. It’s why I’m a subscriber at sites like Ars Technica.
You mentioned "sites", plural. To how many such sites do you subscribe? This becomes important if an article on a site to which you subscribe cites an article on a different site to which you do not, and you want to follow the citation. It also becomes important when searching the web, as Google Search ended its First Click Free policy six months ago, and it would become frustrating when most of the results are from sites other than those to which you subscribe.
If your website can’t survive without treating your visitors as a product then the website doesn’t deserve to exist.
By this measure, would you conclude that Slashdot "doesn't deserve to exist"? If so, why do you continue to use such a site? (You didn't post with Karma Bonus, so it's hard for me to tell whether you're offered the Disable Advertising checkbox.)
Most (all?) chromebooks can be repurposed to run a full blown linux if you want to, or you can run chromeos in developer mode which is basically linux anyway.
As I wrote in this journal entry, a Chromebook in developer mode will wipe its storage if someone else turns it on and looks at it funny. This loses all installed software and all commits that have not yet been pushed to a remote repository. How would one go about repurposing a Chromebook to run GNU/Linux without running the risk of it being wiped?
His daughter would be safer standing in the middle of a freeway than using a Windows laptop. This sets the bar at a subterranean level, which is effectively the only way to be able to say something nice about Chromebooks.
We all know the Cyber War Domain Enabling operating system Windows is of no alternative.
Can't be. Would threaten this nice multi billion dollar monopolist scam.
So let's badmouth AbiWord, OpenOffice, Gnumeric and so on. Never mind 99% of users never need the features only MS Office has.
* a nice Unix, including command line
* excellent hardware
* a good office suite
* good security (sandboxing for all apps)
otherwise Apple is complete and utter shit. People should buy Windows and not forget to buy an expensive firewall plus Kaspersky virus scanner, too.
Linux only runs some of the most important server systems in finance (e.g. EUREX), weather simulations and all of the Android phones, but otherwise it is fully, completely irrelevant.
This meme must be upheld at great cost by MSFT shills in order to keep their sheeple-customers tied to them.
In a rational world, at least 90% of users could switch to Linux with little effort. Many switch to Apple and are happy to have the MSFT hell of viruses and countermeasures behind them.
We need more corrupt and greedy people like MSFT has an army of. Let them destroy Linux. That's your message, eh ?
Even if they succeed, we have the xBSD operating systems. Keep doing your corrosive work, it is futile.
Google press release to distance itself from Facebook. It is just that simple. The propaganda message is "Trust Google and Apple with your private data. American companies are trustworthy.". This message is typical for hardware too, e.g., "Trust our proprietary phone hardware" (there is hardly any open source phone hardware).
Let Google-NSA safeguard all your data, all your ideas, all your intellectual property. They promise to never abuse this power. Really.
...must be conditioned at a very young age to submit their ideas to a Central Authority for vetting.
Then the glorious leadership, about 1 percent of the populace, can proactively intervene to Correct Wrong Ideas.
Imagine the horrible things which could happen if the plebejans had private papers !!! These folks might take away political power from the 1 percent of Chosen Ones.
So - collect their ideas and feelings when they are 10 year old and write the first sentences of their own. Thereby you can control these little fuckers until they die at age 85.
Many users have a need for a proper spreadsheet, for a vector drawing program, for a circuit simulator, for a symbolic math program, for a PCB design system, for a LaTeX document generation system.
They do not need to be computer science graduates to do that.
Using a tablet is not "using a computer". Its a glorified 21st century Television.
Real operating systems can run games and do banking. They also do not need a virus scanner.
it does not hurt to use a TAN generator for banking, though.
That's all that needs to be said about this.
> Confidentiality is having everything you do uploaded to the worlds most prolific data collection and advertising agency?
That's something you have to consider. Whether you choose ChromeOS, ChromiumOS, Windows, Ubuntu or something else, and whether you use Google docs or not. You can use Windows and trust Microsoft with all your data of you want to. Personally my "consoles", the machines I touch daily, are just SSH consoles, so Google isn't getting anything from me other than browsing history.
You're right, Google is the world's most prolific data company. Their mission is to organize the world's data, and they are good at it. Their crown jewels, the company's primary asset, is the data, and so far they've done a pretty good job protecting it, so if you're going to use any type of cloud storage and applications Google is certainly a reasonable choice, a choice to consider. If you're working on top secret plans for the next fighter jet (as I may be doing soon), that data shouldn't be in any cloud, or accessible via the internet at all. You shouldn't be using public wi-fi to work on that in the first place.
Most people are going to trust SOMEONE with their data. The world's best data company, Google, is a reasonable option.
really? When MS and Apple try that angle they're the devil but the fucks at Google aren't?
What about privacy?
Nope. Your ASR-33s were just somewhat clumsy interfaces, not computer systems. And other than wasting paper and being slow, they could do a lot of what those early glass CRTs could do. The important parts, in terms of letting you stretch your computing chops.
I've fallen off your lawn, and I can't get up.
And clearly don't understand organization theory OR economics. Profit is the natural market signal of having served the needs of the customer. That's not "greed;" it's the way the world works.
What's futile are the FOSS developers who think their little tribes of 3-5 people doing something else "their way" regardless of market trends is going to change the world; it never does. That's why most FOSS projects are perpetual failures. The winners are the ones who embrace the market.
Micropayments.
I visit your web page and stay for more than ten seconds, you get a penny.
I'm be totally for this rather than ads or site-specific paywalls or being data-mined.
I've fallen off your lawn, and I can't get up.
Sure there is less that can be hacked on each individual chrome book but that just changes the attack vector. Now nefarious people will aim their efforts at google's servers or software publishers themselves, they will be hoping to sneak malicious code into the software updates and packages on the google play store. This "security" is nothing more than putting your trust in google engineers and hoping that they can keep things secure, it might work in the short term but in the long run it will end up being a pr nightmare as that trust will diminish instantly when people find out that googles servers have been hacked.
In the end it does nothing to improve security, it just shifts trust to someone else and changes the cost benefit analysis in the sense that it makes it worth more to try and compromise google due to the massive reward. In other-words, when it comes to security, putting all of your trust into one entity just makes it worth more to hack that entity as it will lull people into a false sense of security.
It's an interesting thing. As you said, Google analyzes the data in order to serve relevant ads, and also uses it to provide better services, which they use for more ads. So there is an inherent conflict of interest there. Many people don't use Google services for that reason, and that makes sense.
ALSO like Coca-Cola has their secret formula, and KFC has it's "eleven herbs and spices", every company has their crown jewels. Google is not Microsoft - they don't survive by selling Office 365. Their most valuable asset isn't their source code - they open source much of it. They aren't Apple, selling hardware. The key to their success and survival isn't patents, or market research. The most valuable thing Google has is that data. Their interest, their survival instinct even, is to analyze that data while making sure nobody else gets ahold of it.
Google's self-centered interest is to make sure that only you and them can access that data. Their track record has been much better than Amazon, Microsoft, or other peers. Therefore reasonable people may decide keep their general office documents on a local hard drive, or in Google docs. Both are reasonable options.
Again, for top-secret research and development of the latest fighter jet, different rules apply. We're not talking about top secret information here. I'm talking about things like our onboarding checklist for new developers - install Git and VMware, set up a Linux development VM, etc. The planning sheet for our office party is on Google Docs. I built a system to store credit card numbers and it doesn't use the cloud. Those are stored encrypted on an isolated system with a minimal OS that's only accessible from the local keyboard (after getting past Glock-carrying employees) and from the local secured network using a passphrase-protected ssh key. Even with physical access to the box, one doesn't have access to the CC numbers because they are encrypted. Different levels of security are appropriate for different assets.
Micropayments.
I visit your web page and stay for more than ten seconds, you get a penny.
How would the website know whether I viewed it for more than ten seconds if I've turned off JS?
I'm be totally for this rather than ads or site-specific paywalls or being data-mined.
And how would the micropayment processor assure readers of their privacy? Because the main problem I have with Google's "Contributor" micropayment system is that it shares a parent company with AdWords and DoubleClick and therefore likely shares Contributor users' browsing history as well.
Someone accidentally wiping your developer-mode Chromebook is a valid concern. But you can reflash the firmware with something like MrChromebox's Firmware Utility Script to prevent that. I did that on the Acer 15" Chromebook I am using to write this post. It now runs GalliumOS (based on Xubuntu) and applications like Visual Studio Code and Minecraft. See: https://wiki.galliumos.org/Ins...
I did replace the flash memory with a 128GB module -- but that isn't strictly necessary. More details on all that in my comments here: https://news.ycombinator.com/i...
For under $400 total with the new drive plus some of my time, I am happy with it as my main personal machine these days for web browsing and some FOSS development. A centered trackpad with a 15" screen is otherwise a hard combination to find at the low end since so many companies add a numeric pad and offset the trackpad for terrible in-lap ergonomics. It's obviously not a MacBook Pro (which I use in my day job), and I do miss a backlit keyboard and a retina display, but it is a heck of a lot cheaper.
Probably the biggest limitation is you can't run Windows-only games or anything requiring intensive graphics processing. Steam's remote streaming from a desktop does work but is laggy.
It is also true that if you update the firmware you are out of the Google security ecosystem -- with both good and bad implications. So for the casual user, plain ChromeOS is probably a better choice (ignoring Google privacy issues). And web services like Cloud9 IDE can do a lot. And many of the latest Chrombooks can run Android apps.
And I can see why security professionals going to conferences would prefer the stock ChromeOS firmware and being able to powerwash back to a known good install -- with their data is stored elsewhere on the network.
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
REAL experts in security would know that a device whose code they have not seen, but which is tethered to and in regular communication with one of the biggest and most powerful corporations on Earth, is COMPLETELY INSECURE.
Where's your data? If it's in the cloud, then your data is not YOUR data... it's Google's data.
Are your communications private and secure? Not if they're going through Google.
Are your activities private? Nope, not if they are being constantly phoned-home to Google.
Same thing applies to Win10 and Microsoft.
If you have modern "connected" devices that are in contact with the parent corporations (who incidentally get rich mopping-up data, analyzing it, and selling it) then it is very clear that you have no security concerns at all; you're a complete chump and a data exhibitionist. Anybody who advises that this is either a good idea or secure is no security expert at all.
Most people I wouldn't trust to maintain mission critical security on a productive workstation. They click on FunnyCatsVideo.exe and could tell a client from a server if their life depended on it. For these such a thing as a chromebook truely *is* the more secure solution.
Google watches over you.
That's not just a disadvantage. Which is why I recommend it to all ordinaries with no money and no grasp of computers. The ones with money I tell to get the apple stuff.
We suffer more in our imagination than in reality. - Seneca
If JS is the means to implement this, then the website would know not to serve you a page if it couldn't work with your browser. This is easily done. If JS is off, you're already not seeing a good deal of content on the web; this would just be more of what you're already experiencing. A web site could refuse to serve you anything, or it might serve you a watered-down or "teaser" version of the available content.
OTOH, it might be a new technology (or several) that doesn't use scripting, but instead utilizes a new handshaking capability built into browsers that doesn't do anything but handle that particular payment task.
Or you might see both.
Privacy, or lack thereof, is a feature/malfeature between you and the services you choose to use — it's a technology-enabled policy issue, by which I mean that a company could choose to be entirely on the "we don't use your personal information" side, or entirely on the "we make Facebook look private" side, or anywhere in between. I imagine no likely scenario where you release micropayments without having to authorize same at some point along the line. If the terms and conditions aren't acceptable to you, don't engage. Quite literally, vote with your wallet.
For instance, when considering Facebook, one of the things I did was read the terms and conditions. I found them unacceptable, so I never joined. I eventually found alternative services where the terms were acceptable to me, and that's where my social presence is, such as it is.
I would imagine that a useful component of something like this might be a dialog that offers something like:
o Don't pay out
o Authorize pay out for this visit only
o Authorize pay out for visits in the next N days
o Pay out every visit
o Increase pay out above minimum by X for N visits
o Plus the ability to easily alter the settings at any time thereafter by entering the website into a revision dialog, or re-setting them for all websites.
That, or equivalent functionality. These are just technical implementation details.
That is in the nature of suspicion. I expect that reading terms of service would go a long way to letting you know if your "likely" is "actual." My suggestion is that when a website — any website — offers terms of service you have to agree to, you actually read them and make a conscious decision based on what you read as to whether you actually proceed, or not.
I've fallen off your lawn, and I can't get up.
Preparation H literally saved my life. Thank you, Preparation H!
My phone has a 2960x1440 display; that's higher resolution than my desktop monitors are. It is small, but that's a feature, not a bug. It also can do displayport-out to a 4K display and connect to a bluetooth keyboard, should I desire that.
It also has a 64-bit, 8-core, 2.8 GHz CPU; 6 GB of ram; 64 GB of storage (plus an additional storage card slot capable of swapping up to 400 GB removable storage in and out); three cameras; quite a few sensors; cellular, bluetooth, multi-band wifi, near-field, FM, and GPS(+) radio services; and very nice audio capabilities to top it all off.
So you can have considerably more than "the power and storage of an early 90s era PC", although as with all reasonably capable computing hardware, you have to know enough to identify what you want and you have to be able to afford it.
I've fallen off your lawn, and I can't get up.
When I mentioned credit card information, I was talking about a database full of other people's cards, knowing that some of those people have only one account, with a low balance. A stray $100 charge will have them overdrawn and they'll start getting overdraft fees. Then they won't be able to buy gas or food until pay day. A high level of confidentiality is required.
For MY OWN credit card that I use to buy stuff online every day, I recognize that is sent to a lot of different companies who have widely varying security practices, and it will probably be leaked. Too many of them store it, and store it poorly. Probably already has been leaked. The thing is, when you have a "secret" that you tell hundreds of random people, different people every day, it's no longer really a secret. If you're sending every online merchant full access to all of your funds, you're doing it wrong.
It's COMMON to have all your money in one bank account and use the one debit card on that account to buy everything, but it's very silly. Much more secure is to have a savings or money market account where you save a little money for when your car breaks down or whatever, because shit happens. Then you have your monthly checking account you use to pay the mortgage and such. Lastly, you have a credit card with a $100-$300 limit and that's what you use to buy random crap on the internet. Somebody is probably going to leak your card number eventually; the secure thing is to do is make it so that card number doesn't wreck your life.
So I don't think most people should try to secure their phone and their laptop in such a way that they can store all their card numbers in browser plugin or similar. In fact, the standalone password manager programs have a terrible track record. I trust Google's password manager more than I trust LastPass, but I don't trust every merchant in the world that much, so I shouldn't be exposing all my money via a super-sensitive debit card number that's going to cause me a lot of pain when it leaks.
> keeps that view secret from the world, but:
> a. That's kinda creepy
Yes, it is kinda creepy. Agreed.
> b. There are solutions that don't require allowing a company to do that
I'm curious what you have in mind. To replace all Google services with services of similar quality would cost a decent amount of money, I'd they'd STILL have a profile of you based on web surfing and such.
> c. They use that view of you to make money out of you, and the temptation must be strong to do that by understanding aspects of your behaviour you don't understand about yourself
They don't *understand* anything. They have a bunch of numeric identifiers and a math formula that highlights correlations. User #846204628273 is correlated with website #736304638462, which is correlated with web site # 6306384739. They often don't even know that the correlation between the two sites is that they both sell RC plane parts. They don't need to know. They only need to know that people who visit site #74620463027 often also visit site #846934739, so they can advertise the second site to people who visit the first.
I just returned a PixelBook to Amazon for a refund. The new feature of running Android apps is unreliable: sometimes I had to wait hours or days for files on GoogleDrive to become available to Android apps on ChromeOS; this also afflicted my Samsung Chromebook Pro. Google support claimed never to have heard of this bug, so I don't expect it to be fixed any time soon.
Merging two OS's seems like such a stupid idea.
`Perche non reggi tu, o sacra fame de l'oro,l'appetito de' mortali?'
I would be happy with Xubuntu, as it's the same OS that I used on my last netbook from fourth quarter 2011 to mid-2017. But does "reflash[ing] the firmware with something like MrChromebox's Firmware Utility Script" cause me to lose eligibility for warranty repairs on the hinge or power jack? I had to have my last netbook's power jack repaired under warranty once.
I consider myself reasonable. I always read them from start to finish. Mind you, it's a very rare website/service that I actually venture into that has that kind of required agreement, so this is a pretty minor issue for me. Also, it doesn't take long to figure out if a site is mining, and if that's a reasonable trade for whatever they are offering. (usually, no.)
Otherwise, if you agree to the terms without reading the terms, you have no idea what you're agreeing to. That strikes me as entirely unreasonable. And stupid.
I've fallen off your lawn, and I can't get up.
What, Google payments? No. Google's evil. No point in going there. I'm suggesting something reasonable. Google would not be on my list of "reasonable" corporations. They data mine, they censor, they invade privacy, they do a terrible job of providing relevant search results above the mediocre level, they constantly offer services and then yank them once people have invested time into them.
Someone else - someone with a social conscience - needs to create a reasonable version of such services.
It's not here yet. I just want it to be here.
I've fallen off your lawn, and I can't get up.
Ever!