tanknet.org

Chromebooks Vs Real Computers



Why buy a Chromebook which only really works with a WiFi connection when you can get a real computer for not many pesos more with a real processor, real memory, real hard drive, real operating system that cannot be hacked (with proper precautions) such as produced by HP and others? Anyone who believes that Cloud storage/Cloud computing is even slightly remotely secure needs their head checked.

Link to post
Share on other sites

Some of my friends swear by them. By pushing everything into "The Cloud"[tm], they don't have to worry about their laptop's hard drive crapping out or filling up, or someone stealing the laptop (they'll still have access to all their files, but the thief won't, and they will just have to replace the hardware), or software upgrades, or syncing data between their laptop and other devices.

 

It also makes for a cooler (temperature-wise), thinner, lighter laptop. And yes, for some people the "Google = cool" factor is a draw.

 

Not me, though. I'd never use such a thing. Would rather maintain my own hardware/software, and keep my data in my physical possession. If my laptop is thicker/heavier because of it, no big shakes. I never bought into that whole "thinner is better" crap, and compared to the rest of the stuff in my backpack a laptop weighs nothing. I'm not a bobble-headed stick figure to whom six or eight pounds is a burden, and I don't trust Google in the slightest.

 

*shrug* different strokes for different folks, is all.

Link to post
Share on other sites
Guest Jason L

For me, physical thievery (i.e. someone busting into my office or apt) and jacking a laptop or a drive from my desktop has always been a more probable reality than a cloud-based data breach, and while strong encryption on physical data.

 

What do you guys think about the various options of an add-on encryption layer to Dropbox? Boxcryptor, Safemonk, etc.

 

Chromebooks are attractive on a cost basis - cheap as hell for a 15" unit with great screen and battery life. I think the real problem is when you get to the higher-end Chromebooks like the Pixel that are basically neutered full-featured laptops; why would you buy a Chromebook Pixel when you can get a MacBook Air or an Asus Zen?

 

The Chrome OS only really works if you buy it as a low cost unit accepting that it's basically a smartphone-level system. That paradigm breaks down when you hit the price point of the Pixel.

Edited by Jason L
Link to post
Share on other sites

I'm skeptical about any encryption layer that hasn't been designed and tested by a wide range of academics and working security gurus. I'm really skeptical of any encryption SW that is targeted towards a niche application.

 

On those rare occasions I'll store data online, I'll encrypt the data locally and then upload. But I've not integrated online storage into my workflow; if there were daily uploads/downloads that wouldn't be too workable.

 

Generally I don't author enough unique content to make a daily copy to thumb drive a chore, and moving data around on thumb drives is an hourly occurrence for me anyway (at work, where firewall rules are expressly designed to prove that the network admin is the prince of d-bags).

Link to post
Share on other sites
Guest Jason L

Almost all of the 3rd party add-ons use full round AES 128 or AES 256. I presume that's good enough for my data. Like, is there actually a bad way to implement full round AES?

 

*edit, actually I see now that there are a number of possible side channel attacks.

Edited by Jason L
Link to post
Share on other sites

I don't like the security, and the requirement for a full time wifi connection to do anything, but also you can't really add Android apps (yet) which are handy. The Wifi thing breaks the deal for me, although the kids' school is pushing the concept for cloud computing/homework for them. But I will get them a real laptop that has a DVD drive, multiple USB ports, and a hard drive above 16 GB. If all you are going to do is web surf, and let Google have all your personal information, then I guess they are great. Maybe, just maybe if LibreOffice was available on a Chromebook, I might be possibly, somewhat tempted for about 6 microseconds to think about one.

Link to post
Share on other sites

Be very skeptical of all cryptosystems. Even the best implementations are dependent on underlying infrastructure which has vulnerabilities which can be leveraged to compromise the cryptosystem.

 

Plus, folks are always discovering new side-channel attacks, as JasonL mentioned, and over time weaknesses in the underlying algorithms eventually emerge, always.

 

All of the RNG software commonly available for Windows, MacOSX, and Linux has known weaknesses. You can get hardware RNG devices, but you don't know if the vendor has deliberately introduced a weakness (qv NSA bribing RSA to incorporate weakness into their SecurID USB token).

 

You can build your own RNG hardware, but you'd better know what you're doing, and where does it stop? Hardware vendors (Sony, Samsung, Huawei, Cisco, Intel, Google, Apple) have all shipped products with security backdoors in the past. Are you going to build all of your computer hardware yourself, from silicon up?

 

Furthermore, D-Wave has been improving upon their quantum computing technology, making it more powerful and less expensive. It is still insufficiently complex to implement Shor's Algorithm, which would obsolete all cryptosystems which are based on the difficulty of factoring large numbers, but they're getting there (D-Wave's current offerings provide a quantum annealing function, which makes cracking some encryption schemes marginally easier).

 

This means to ensure your data remains secure in the future, you will need to use encryption which is not vulnerable to Shor's Algorithm, else your adversary can simply make a copy of your encrypted session and store it until D-Wave makes a SA implementation available. The eggheads are still figuring out DH equivalents suitable to post-quantum public key encryption (the most promising are based on Euclidean lattices, like NTRU), but they still have a ways to go.

 

If you limit yourself to encrypting/decrypting your data on your own hardware and only transporting it in encrypted state, there are a great many adequate solutions. A simple OTP-fed NLFSR-based stream cipher would be sufficient. You'd better be sure that the hardware on which you encrypt/decrypt that data is secure, is all.

 

Or you can not worry about it too much, and accept a degree of risk. Just because a half-dozen companies and/or intelligence agencies could get at your data if they really wanted it doesn't mean they want it. If your expected adversaries are random thugs, local police, or smaller corporate players, imperfect security could still be plenty.

Link to post
Share on other sites
Guest Jason L

Maybe this is an erroneous analogy, but I see crypto security like anything else: be they bike locks, front doors, etc. You're never going to have something that is impenetrable without seriously encumbering yourself (financially, lugging around a 30 lb lock, etc, etc), but what you can do is make yourself a hard target relative to the value of what you're protecting, and especially an unattractive target compared to everyone else's lax standards.

 

On the list of things I worry about, a few companies having access to my "data" is ultimately pretty far down. The concept itself is offensive, but the amount of damage they could do is vanishingly small when push comes to shove. For stuff like financials, etc., the risk of a bank level or tax agency level compromise is far more likely than getting personally compromised.

Link to post
Share on other sites

Or you can not worry about it too much, and accept a degree of risk. Just because a half-dozen companies and/or intelligence agencies could get at your data if they really wanted it doesn't mean they want it. If your expected adversaries are random thugs, local police, or smaller corporate players, imperfect security could still be plenty.

 

That is my attitude, in a nutshell. I'm not worried about governments getting my encrypted data, because they have ways. I'm worried about some faux hipster in Starbucks snagging my netbook while I am collecting my frapp, imaging the SSD, and selling the image file somewhere out there in the digital wasteland.

 

To summarize TTK's screed, any app which encrypts/decrypts data at rest and/or data in flight will essentially involve 6 things:

- the encryption algorithm(s);

- the compilable software implementation thereof;

- the various utility functions: hash functions, PRNGs, etc.;

- the compilable software implementation thereof;

- the design of the main program and its function calls of the above;

- the compilable software implementation thereof.

 

For example, you can have a great symmetric encryption algorithm, correctly implemented in C or whatever, great utility functions also correctly coded, and a correct program design, but an implementation of the program that leaves the password in cleartext in RAM that gets stored in the hibernation file.

 

Data protection schemes that rely on SSL/TLS have been found really sloppily implemented (defaulting back to SSL 1.0, which is broken). Likewise for anything using certificates; a couple of years ago some informal testing showed that popular browsers were not rejecting sites with bad/forged certs.

Link to post
Share on other sites
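The "password left in cleartext in RAM" failure mode from the post above, shown from the defensive side as an added example that is not part of the original thread: a key is held for one operation and then wiped in a way the compiler cannot optimize out. All function names, `KEY_LEN`, and the XOR stand-in for a cipher are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>   /* mlock/munlock (POSIX) */

#define KEY_LEN 32      /* assumed key size for this example */

/* Zero a buffer through a volatile pointer so the compiler cannot treat the
 * stores as dead writes and remove them, as it may with a trailing memset(). */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte is zero; used to confirm the wipe took place. */
static int is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical stand-in for a real cipher call: XORs data with the key.
 * Not encryption to rely on; it only gives the key something to do. */
static void toy_transform(unsigned char *data, size_t n, const unsigned char *key)
{
    for (size_t i = 0; i < n; i++)
        data[i] ^= key[i % KEY_LEN];
}

/* Hold the key for one operation only, then wipe it before returning.
 * `slot` is caller-owned so the caller can inspect it afterwards.
 * mlock() keeps the page out of swap, but suspend-to-disk can still copy
 * RAM into the hibernation image, so short lifetime plus wipe is the control. */
static int process_with_key(unsigned char *slot, const unsigned char *key_src,
                            unsigned char *data, size_t n)
{
    int locked = (mlock(slot, KEY_LEN) == 0);   /* best effort; may be denied */
    memcpy(slot, key_src, KEY_LEN);
    toy_transform(data, n, slot);
    secure_wipe(slot, KEY_LEN);
    if (locked)
        munlock(slot, KEY_LEN);
    return is_wiped(slot, KEY_LEN);             /* 1 = no key bytes left in slot */
}
```

The same discipline applies to the source the key was copied from (a passphrase buffer, a derived key), which this example leaves to the caller.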

Well-said. I did sort of ramble in random directions a bit .. a screed indeed.

 

Ultimately your data is always vulnerable to the "thumbscrew attack", where the adversary kidnaps and tortures you until you decrypt your data for them.

Link to post
Share on other sites
  • 2 weeks later...

If it's government, accuse you of having "stuff" and demand you decrypt it. The punishment for failure to decrypt being the same as for being found guilty of having "stuff".

 

Of course, this proves to be a sticking point when they're demanding you provide the decryption key for a scrap .tmp file full of random scribblings.

 

Sidebar: "Compressible Encryption" Oh, Microsoft, you do amuse me so.

Link to post
Share on other sites

Well-said. I did sort of ramble in random directions a bit .. a screed indeed.

 

Ultimately your data is always vulnerable to the "thumbscrew attack", where the adversary kidnaps and tortures you until you decrypt your data for them.

 

If there is anything that valuable on your computer you should really be considering security measures that are a little more...kinetic. ;)

 

Like anything it is about layered defence against realistic threats. If someone is willing to go Jack Bauer on your ass, an encryption program isn't worth squat unless you're willing to die to protect whatever the hell you do on your computer. At the very least you should have significant physical security measures for your house/office and be thinking about close personal protection by professionals.

 

At the end of the day I'm sure the NSA can keep an up to date database on what level of GTA5 I'm up to, my library of saved memes and cat pictures and that I wrote an essay in 2002.

Protecting against someone pinching my computer and minimising the dangers of hacking through the interwizzle is really the only threat I can realistically protect against. If Mulder and Scully want access, I'm sure they can.

Edited by Archie Pellagio
Link to post
Share on other sites

Like anything it is about layered defence against realistic threats. If someone is willing to go Jack Bauer on your ass, an encryption program isn't worth squat unless you're willing to die to protect whatever the hell you do on your computer. At the very least you should have significant physical security measures for your house/office and be thinking about close personal protection by professionals.

On one hand I completely agree, but on the other hand no matter how well-hardened/armed you are against physical threats, there's always someone bigger than you.

 

Like most things security, it boils down to tradeoffs between convenience (and thus productivity), cost, and risk, and is always a matter of degree rather than absolutes.

Link to post
Share on other sites
  • 2 weeks later...

I bought an Acer Chromebox (250 euros) last Christmas and it has worked nicely. Perhaps I'll buy another "real PC" but right now I only browse the net so it's pretty hard for me to justify the purchase of something more expensive to do the same thing... these boxes also use less electricity than traditional machines.

Edited by Yalmuk
Link to post
Share on other sites