Security Experts See Chromebooks as a Closed Ecosystem That Improves Security

The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article: Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device... "If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...." Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.

That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...

"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."

Only one particular Linux distro

[raymorris]

First let me establish to what extent I am qualified or not to address this question:

I've been a security professional for 20 years. Most of that time I used Linux exclusively. Recently I've also started using Mac. You'll find my name in the kernel change log.

There are three main areas of security; confidentially, integrity, and availability. Most of the time when people say "security" they mean confidentially first, with some thought to integrity, and they rarely think of availability. For confidentiality and integrity, the top two things an OS can do to help is limit the attack surface (such as not running unnecessary daemons or other software) and provide quick, reliable updates. The only code that can't possibly be hacked is code that isn't there, so the most secure system is the most minimal system. Real-life attacks use known vulnerabilities 99.99% of the time, so quick, automatic updates to resolve known issues are very important.

There is one Linux distribution that stands out for avoiding any unnecessary code (and potential vulnerabilities) and providing quick, reliable updates. That distribution is ChromeOS. It's well ahead of the others. It would be rather difficult indeed to set up a general-purpose distribution such as Ubuntu, which is made to support servers of all kinds, all kinds of workstations, etc, to be as secure as Chrome OS.

The third leg of security is availability. If the features and functions you need aren't available on ChromeOS, it won't work for you. Normally we think of availability as "not subject to denial of service or random crashes", but if the service you need is denied by the creator of the OS, that has the same effect as a denial of service attack.

ChromeOS is therefore well ahead of any general-purpose OS in terms of security - for users who don't need anything ChromeOS doesn't provide. That's a LOT of people. It even suits my needs while traveling because my travel device only needs to SSH to my main machines, and provide a web browser.

Re:FOSS needs managers

[Bert64]

Indeed, chromeos may be a closed system in its default configuration, but its still open source and its success actually provides significant benefits to those of us who want to use regular linux distros...
You used to get websites which check your user agent string and reject anything which is not windows or macos, such things are less common these days thanks to mobile and chromeos...
Manufacturers shipping devices with chromeos ensures that the hardware is compatible with chromeos, and thus also with linux. The same hardware can also usually be bought in other models of devices. Previously most non-server hardware was never tested with linux and could have all kinds of stupid compatibility problems.