Insights For Success

Strategy, Innovation, Leadership and Security

Is your Chromebook vulnerable to Spectre or Meltdown?

General | Edward Kiledjian

TL;DR: If you are using a Chromebook that is actively supported, you are probably fine.

Spectre and Meltdown are two significant chip-level vulnerabilities that kicked off the 2018 security scene with a bang. They affect millions of devices from almost every manufacturer, and many consumers are panicking about what this means for them.

Since I love Chromebooks, I wanted to write an article about how these two vulnerabilities affect them. 

This isn't a deep technical review about Meltdown or Spectre. There are loads of well-written articles about them. Instead, I will just lightly explain them to the general public.

These two are bugs in the design of the processor (aka the brain) of your computing device (made by Intel & AMD). These "bugs" have existed for about 20 years and allow an attacker (capable of running code on your system) to break security controls implemented on systems and in apps to steal information. Spectre does affect your smartphone (probably).

Great detailed information about these can be found here for those who are interested: https://meltdownattack.com/

Google has a support article that clearly outlines its plan to ensure all Chromebooks are eventually patched. 

But how do I check my device?

First, check the version of ChromeOS you are running. Most should be at version 63 already and this partially fixes some of the issues. You can check if your product has an update available here.

The good news is that most mainstream devices are patched including:

  • Google Pixelbook 2017
  • Samsung Chromebook Pro
  • ASUS Chromebook Flip C302

Some even say "patch not required" like:

  • Samsung Chromebook Plus
  • Acer Chromebase

Systems with kernel 3.18 or 4.4 are already patched. You can also open chrome://gpu and search for "Operating System" to find your kernel version.

Google's position is that ARM-powered Chromebooks and Chromeboxes are not vulnerable but will be patched anyway with future updates. 

How is Google fixing the issue? With something called Kernel Page Table Isolation (KPTI). Basically, they are separating the kernel memory from that of the user processes. 
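An added example (not from the original article or from Google): on a Linux-based system where you have a shell, the script below reads the kernel's own report of Meltdown and Spectre mitigation status, including whether KPTI is active. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities, which older kernels may not; VULN_DIR and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre mitigation report.
# Assumption: the kernel exposes the sysfs directory below (older kernels may not).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> mitigated | not-affected | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# kpti_active TEXT -> succeeds when the meltdown entry reports page table isolation
kpti_active() {
    case "$1" in
        *"Mitigation: PTI"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# report DIR -> one line per issue; returns 1 if any is vulnerable or unreported
report() {
    dir="$1"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
            state=$(classify_status "$text")
        else
            text="(not reported by this kernel)"
            state="unknown"
        fi
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
        printf '%-11s %-13s %s\n' "$name" "$state" "$text"
    done
    return "$rc"
}

printf 'kernel: %s\n' "$(uname -r)"
if [ -r "$VULN_DIR/meltdown" ] && kpti_active "$(cat "$VULN_DIR/meltdown")"; then
    echo "KPTI: active"
fi
report "$VULN_DIR" || echo "Unmitigated or unreported issue: apply pending updates and reboot."
```

An "unknown" result means only that this kernel does not report status through sysfs, not that the device is unpatched.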

The moral of the story? Security is a hard computer science problem but you should sleep much better tonight (compared to Windows or Mac users) knowing that Google is working feverishly to protect you from these types of attacks. Just make sure you are using a supported product and reboot when you see the little upward arrow indicating there is an update (in the lower right hand status bar). 

SecureDrop protects the anonymity of whistle-blowers

General | Edward Kiledjian

SecureDrop is an open-source project created by (the late) Aaron Swartz with support from Kevin Poulsen and James Dolan. The entire raison d'être of SecureDrop is to create a safe information exchange mechanism between media organizations and whistleblowers. 

The solution requires two servers:

  • a TOR facing server to store messages and files
  • a private server that monitors the security of the first server

When a message or files are dropped on the first server, the information is encrypted with GPG for secure storage. 

By using the TOR anonymizing network, whistle-blowers can protect their identities from local threats (schools, companies & governments) and from the media organization receiving the information. 

If TOR is blocked from your origin location, you can use the special GETTOR service I wrote about here. 

The SecureDrop system assigns a codename for every whistle-blower. This codename is a means for the media organization to build a relationship with the whistle-blower while maintaining full anonymity. 

It is obvious why the whistle-blower benefits from the anonymity but so does the media organization. The media organization may be given information it otherwise couldn't obtain. Journalists are also protected because they can't "give up" their sources because they don't know who they are. 

The system doesn't use any third party embedded content, and the only information it logs is the codename and the date/time of the last message sent. Every time a new message is sent, the previous date/time stamp is deleted. 

Who uses SecureDrop?

At last count, there were more than 36 news organizations around the world that use SecureDrop. You can find the list here. Some "normal" web links to media organizations that leverage this tool include:

I added the last link (Radio Canada) because they are the French sister site to the CBC and accept French submissions.

The above links are the normal internet web pages that explain (for each site) how they use SecureDrop. Links to the TOR SecureDrop for each can be found in the main directory above or on each of the normal web pages.

Alternative ways to get the TOR browser

General | Edward Kiledjian

Tor is an incredibly powerful privacy-enhancing tool that every security-conscious netizen should have in their arsenal. It doesn't replace a VPN service, since TOR isn't optimized for high bandwidth usage (like streaming music/videos) but it definitely has a place in my internet usage portfolio.

To use TOR, you need access to a small kit of software that includes the TOR router and the TOR browser (a locked down customized version of the Mozilla Firefox browser). 

The Great Firewall of China site test tool confirms that the TOR Project website is blocked.

Luckily I live in Canada where we enjoy incredible internet freedom, but what if you don't? What if you need TOR (because you live in a zone where the internet is tightly controlled or monitored) but you can't access the website to download the installer kit? The TOR project has created the GETTOR strategy to help those people gain access to its powerful network.

You can:

The system will then share with you a secret list of links to download the installer from GitHub, Dropbox or Google Drive.

Once you install the TOR package (after checking the validity to ensure it hasn't been tampered with), you can also use a TOR Bridge if your country, school, company or ISP performs deep packet inspection to block TOR. A TOR bridge is a relay to help circumvent censorship. 

You are now ready to enjoy private, anonymous and secure web browsing. Once installed, all future updates to the TOR software will be delivered via the TOR browser itself so you don't have to worry about performing these steps again.

The New York Times now available on TOR

General | Edward Kiledjian
I do not agree with what you have to say, but I’ll defend to the death your right to say it.
— Voltaire

When the average consumer thinks about TOR (which isn't very often), they imagine that it is the ugly, damp & rancid underbelly of the internet. 

Reality is that TOR is a US government-funded project to create anonymity on the internet. It is a platform that allows everyone to have a voice without fear of punishment or even death (think political activists).

No technology is perfect, but TOR is a very powerful tool for human rights activists and other dissidents. 

In a 2015 The Intercept article, Edward Snowden goes as far as saying "I think Tor is the most important privacy-enhancing technology project being used today." & "What Tor does is it provides a measure of security and allows you to disassociate your physical location."

Proof that TOR isn't just for drugs and counterfeit goods is the fact that many reputable organizations have started to create their own TOR presence.

The New York Times launched its TOR Onion Service website (in late October) as a secure way of making its content available to people around the world that may otherwise not have access to its content (China, Iran, etc.).

When companies moved to the web 15-20 years ago, sites were less reliable as companies tried to figure out how this "web thing" worked. TOR is the same today. Sites like the New York Times are still trying to figure out how to efficiently use TOR, and therefore you should assume these sites are all in beta status.

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
— The New York Times

You can access The New York Times TOR ONION Service site here: https://www.nytimes3xbfgragh.onion/ (remember, this doesn't work via the "normal web").

Karma releases an anonymizing hotspot

General | Edward Kiledjian

Open a magazine, newspaper, your local nightly news or almost any internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere.

Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control. 

In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

Is it worth it?

I have not had a chance to test the device so everything written here is based on the documentation. 
 

We wanted to create a product that allows consumers to feel protected while surfing the web. Karma Black is that product. Our users can freely consume internet content while knowing that no one is looking over their shoulders. Consumers do not want strangers listening to their phone calls… they deserve the same security from intrusion when going online.
— Todd Wallace, Karma Mobility CEO

I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and track its users [here is an article that talks about TOR deanonymization].

As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.

There is an easy-to-implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here.

Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP, but Karma itself can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. TunnelBear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised.

Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection. 

Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken by careless users.

My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.