Slashdot Mirror
Security Experts See Chromebooks as a Closed Ecosystem That Improves Security (cnet.com)
The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article:
Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device... "If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...." Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.
That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...
"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...
"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
Really, it's about how much it doesn't let you do.
If you are trying to be productive, chromebooks are exceedingly annoying because they are so limited.
This plays well with a lot of security researcher mindset, that would rather see useless computers than tolerate what they could imagine to be a security problem.
Sometimes they find legitimate problems (e.g. Heartbleed), but often the declare some severe CVE for "administrator can do administrator things" sorts of behaviors.
Then they wonder at why when they find a very severe issue and get a lot of credibility, why it goes away in a matter of weeks as they try to open/brand a wave of 'vulnerabilites' that are perfectly actually expected/intended behaviors by the developers and the users of that software.
XML is like violence. If it doesn't solve the problem, use more.
would be just as good as long as it is in competent hands
Politics is Treachery, Religion is Brainwashing
The point was to reply to the person saying that this story about chromeos somehow relates to Linux security model. While it does avail itself of certain linux features (SELinux), it's mostly about implementing a very limited sandbox and they can/do pretty much implement that wherever their browser runs. You can pretty much also get the same security by never running anything outside a browser context.
In many cases, sure, you are dealing with a situation where the owner of the device is not the operator of the device, and it's nice to limit them. However for security researchers protecting themselves, they should be able to do it either way.
I don't mind chromebooks, but I am a bit put off by the security community in how they sometimes treat enduser empowerment and their endorsement of ChromeOS rather than a more empowering linux distro reminds me of some negative interactions is all.
XML is like violence. If it doesn't solve the problem, use more.
The Chromebook isn't a full blown laptop that can run all sorts of high end software.
True, but it did crowd more versatile compact laptops out of the market. To what extent did the introduction of the Chromebook in third quarter 2011 cause inexpensive compact laptops to cease being a market segment at the end of 2012?
The real version of AdBlock Plus has been malware since they started deciding some ads were acceptable for the end user.
If you oppose all web advertisements, would you prefer having to pay $5 for each distinct domain that you visit in a month? That'd make web search engines a lot less convenient. If you have a third option in mind other than ads or paywalls, I'd be interested to read it.
No mention of how much is leaked to google: copies of your files sent there or other metrics that google might sniff. But if you are happy with that then yes it is secure.