
But it's totally misplaced emotion. The whole design goal of a Chromebook is to constantly push signed OTA updates. They give you a hardware switch to turn off the signature checks. His comment that a hardware key you'd certainly lose is better than a jumper is pretty weak.

If you don't like them, fine, but this just comes off as nerd rage in an attempt at saying "I am very smart."




Really? The whole design goal? The design goal that Google's massive marketing department made up, or the design goal that was actually used in creating Chromebooks? And really, with what is common knowledge about Google, why would you ever trust them at face value?


Google's marketing department doesn't give a flying f*k whether you install another os on your chromebook. Use it however you like, with their blessing and even their assistance to the degree that they can help.

Your "common knowledge" notwithstanding, I can tell you with 100% certainty that the os protection features in chromeos devices are about security. More specifically, it's about creating a device that Google can use themselves for extremely high-security use cases.

You can trust it, or not, doesn't matter. But for Google, the modern Chromebook is the only desktop environment where they can be absolutely sure that all the software and all the hardware are clean. Turns out that other companies like this capability as well, so it's a general product feature.

But if all you want is some cheap hardware where you can flash the bios and run Windows Vista, then you just go ahead and be you. That's fine.


Unfortunately the Arbiter of Emotion was not there to correct his frustration during the unlocking.

The Chromebook's model is obviously consistent with Google's fleshed-out security model. But this model is at odds with Free users, and there isn't one straightforward way to reconcile the two, but rather various ones that will each attract their own criticism.

Individuals don't have the luxury of massaging their opinions with a PR department, and conflict (with the corporate narrative) draws attention to rough points. People aren't going to express things perfectly - one can either work to be tolerant of varying personalities and colorful overstating, or retreat to the safe space of sanitized corporate press releases.

Ask yourself what is your motivation to shit on him with classical bullying ("nerd rage"). Some casual ranting about security models while tediously reflashing a BIOS is not an attempt to say "I am very smart".


Or they could have made their point without the rant and increased their chances of being taken seriously. As it stands, it’s not clear that the author understands why the things he’s annoyed about exist.


It's amazing how these tone policing responses are coupled with patronizing endorsements of Google's security model...

We get it. Google's (and Apple's, Intel's, etc) contemporary security model is to work to retain control over the device for themselves, taking end users under their wing to provide them security. For a non-technical person with no technical family, obtaining a device with this security model from Best Buy is likely the pinnacle of what can be done.

But this is not the only device security model. And the idea of a manufacturer working against the owner of a device is abhorrent to the perspective of Freedom. Weighing Google's specific design decisions within their model is not terribly important if one is repudiating the entire model. I personally think a better synthesis could be found between the two models, but that was obviously not the point of the original post!

I'm not personally a huge fan of blog posts / youtube / etc that just reiterate and editorialize information that is easily found elsewhere. But I do recognize that this is how many people learn - both the viewers and the authors. By picking on this post for not having the details fleshed out and stated in an impartial manner, all you're really doing is putting a veil of faux impartiality over shouting down the culture of Freeing computing devices.


>We get it. Google's (and Apple's, Intel's, etc) contemporary security model is to work to retain control over the device for themselves

This is exactly what you and likely the author of the post don't get. Google's security model is vastly different from Apple's or Intel's or anyone else's. In particular, the google security model is the only one of these which still ensures the ability for a user to take full control of the device (to the extent possible in current times). And they have gone through a lot of effort to do so. The easy way out is to do what every other manufacturer on the planet does.


Their security model is the exact same one - trust us and we'll maintain your security. The difference is better described as Google deliberately adding an opt-out to the devices.

That's definitely appreciated and is nicer than not doing so. But it isn't a real model of hardware protections that would serve a Free device, nor does it allow for agility or nuance around that trust relationship with Google.

Which is why the experience of taking ownership of your device turns into a violent one - because you basically have to repudiate the OEM's built-in system in favor of a completely different Free road. Which is why it's much easier to do with a fresh device, rather than after you've grown accustomed to it.


>But it isn't a real model of hardware protections that would serve a Free device

What is your proposed mechanism to ensure a verified chain of boot that the vendor intends for the majority of its customers while simultaneously allowing a user to do whatever they please? The current solution is about the only one you can do at a technical level. Note that the convenience (or lack thereof) is a separate minor thing that is not so relevant. You really need to understand the verified boot design in Chromebooks to appreciate the nuance, as you put it.

>you basically have to repudiate the OEM's built-in system in favor of a completely different Free road

You are not repudiating anything. You are using a feature that the OEM explicitly added at significant cost to please someone like you. Buy any other machine, and tell me how much freedom you get.


Even though a TPM has to be tamper-proof hardware, it does not have to be beholden to the single party of the manufacturer. I'd start by removing any burned-in (loaded-once) asymmetric keys from the trust root. I'd pop an explicit serial header on the motherboard to communicate with the TPM in a user-friendly manner.

Any signing key could then be loaded into the TPM by holding the machine in a specific wiping mode for say a few days, essentially making the ultimate trust root "long term possession of the machine".

The actual signing key that is loaded needs to be percolated up through the UI so the user can verify whom they're actually trusting. But this doesn't actually need to be done every single boot, but really only when the machine is set up for a new user.

The banal criticism is that doing so would be work that doesn't directly benefit Google. Well you asked, and that's inherent in any constructive solution.

> You are using a feature that the OEM explicitly added at significant cost to please someone like you. Buy any other machine, and tell me how much freedom you get.

Erm okay you're taking this back to a hostile direction. Take any pre-DRM PC from 1985-2010, where the CPU simply trusts its memory. That's the longstanding basic model that Google simply added an escape hatch to revert to. I've said that it is appreciated, but don't act like it was somehow onerous.
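To make the verified-boot chain discussed in this thread concrete, here is an added Go model (not code from ChromeOS, Google, or any commenter) of a write-once root of trust with a developer switch, extended with the proposal above: re-enrolling the root only after long possession of the machine and surfacing the new key's fingerprint for the user to check. RootOfTrust, VerifyBoot and EnrollRoot are assumed names, and the 72-hour hold and the image bytes are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// RootOfTrust models the write-once root: a hash of the trusted key plus the developer switch (assumed names).
type RootOfTrust struct {
	KeyHash   [32]byte // hash of the public key the firmware will accept
	DevSwitch bool     // hardware switch: disables signature enforcement
}

// VerifyBoot checks pub against the root, then image's signature; returns "verified" or "developer" (checks skipped).
func VerifyBoot(r RootOfTrust, pub ed25519.PublicKey, image, sig []byte) (string, error) {
	if r.DevSwitch {
		return "developer", nil // boot proceeds unverified (where the warning screen would appear)
	}
	if sha256.Sum256(pub) != r.KeyHash {
		return "", fmt.Errorf("public key does not match root of trust")
	}
	if !ed25519.Verify(pub, image, sig) {
		return "", fmt.Errorf("image signature invalid")
	}
	return "verified", nil
}

// EnrollRoot models the proposal: the root may be replaced only after the machine has been held in
// wiping mode for at least minHold; the short fingerprint is returned so the UI can show whom is trusted.
func EnrollRoot(r *RootOfTrust, pub ed25519.PublicKey, held, minHold time.Duration) (string, error) {
	if held < minHold {
		return "", fmt.Errorf("held %v, need %v of continuous possession", held, minHold)
	}
	r.KeyHash = sha256.Sum256(pub)
	return fmt.Sprintf("%x", r.KeyHash[:8]), nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	root := RootOfTrust{KeyHash: sha256.Sum256(vendorPub)}
	image := []byte("constructed kernel image") // stand-in for a signed OTA image
	fmt.Println(VerifyBoot(root, vendorPub, image, ed25519.Sign(vendorPriv, image)))
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(EnrollRoot(&root, userPub, 2*time.Hour, 72*time.Hour))  // too early: rejected
	fmt.Println(EnrollRoot(&root, userPub, 80*time.Hour, 72*time.Hour)) // accepted: fingerprint for the UI
}
```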


> making the ultimate trust root "long term possession of the machine"

You probably don't want someone who steals your laptop to get access to your secrets after a few days. Also, how would you know your "brand new" laptop wasn't interdicted by a hostile party while it was "having problems clearing at customs"?

It is clear to me that your threat-model and Google's (they dogfood ChromeOS hardware extensively) are divergent. Chromebooks are not for everyone, and that's OK.


> You probably don't want someone who steals your laptop to get access to your secrets after a few days

Obviously. I was describing the signature chain management. The encryption key management would be as it is.

> how would you know your "brand new" laptop wasn't interdicted by a hostile party while it was "having problems clearing at customs"?

>> The actual signing key that is loaded needs to be percolated up through the UI so the user can verify whom they're actually trusting

> It is clear to me that your threat-model and Google's (they dogfood ChromeOS hardware extensively) are divergent. Chromebooks are not for everyone, and that's OK.

Here we go again with the condescending simplistic conclusions...



