Insights For Success

Strategy, Innovation, Leadership and Security

Chromebooks are great and here are some myths you might believe

General | Edward Kiledjian

Anytime I pull out a Chromebook in a professional setting, colleagues and friends are dumbfounded that a tech geek like me would "settle" for a browser-only thin client. People are downright shocked when I pull out my $1200 Pixelbook.

Why would I buy a "browser only" device when I could use a Windows or Mac device that can run the Chrome browser but do so much more?

Chromebooks can't run apps

If you are reading this article, there is a good chance you are not a millennial who grew up with iPads and smartphones. For you, a personal computing device (Windows, Mac or Linux) needs to run native apps. I'm here to shock you: Chromebooks (ChromeOS devices) do, and they do it without requiring dual-booting.

Chromebooks run Android apps. Most modern Chromebooks can easily install and run most Google Play store Android apps. The list of Android app capable devices is extensive and growing daily (list).

The most common Microsoft Office apps for Android (Word, Excel and PowerPoint) run surprisingly well on Chromebooks.

Chromebooks will run Linux apps. VentureBeat first reported this and it was later confirmed during Google I/O 2018. Google's Chromebooks will be able to run native Linux applications using the built-in container technology (without dual-booting or emulation).

Chromebooks will run Windows apps. CrossOver has a Chromebook app that will allow users to run Windows-only apps (like Quicken and Microsoft Office) on a Chromebook without needing to install Windows. 

The truth is that most users will not need any of these functionalities most of the time. With a little updating of your work structures, you will likely be able to work on a Chromebook 98% of the time without needing to run Windows or Linux apps, but it's nice to know you can.

As an example, I switched to Polarr for my photo editing and it does everything I need. It is affordable, cross-platform and works like a charm on Chromebooks. If you are looking for a very good password manager, you can use the Steve Gibson approved LastPass.

Chromebooks are slow

You get what you pay for. When you compare dollar for dollar, a Chromebook will always be faster, more reliable and more secure than Windows, Mac or Linux. The comparison most people make is a $1000 MacBook to a $250 Chromebook. That simply isn't a fair comparison. Chromebooks have become the de facto educational devices because they are very functional even at the low end of the scale.

When comparing machines with comparable pricing, the Chromebook will always be faster.

I bought a $350 Acer C720P in 2013 (5+ years old) and it:

  • is still fast when running Chrome
  • receives regular updates from Google
  • is always kept secure by Google

I have 3+-year-old ($600-1000) Dell, HP and Lenovo Windows machines that have become slow and painful to use. 

My Pixelbook goes from powered off (not sleep but totally off) to ready to log in, in 5 seconds. 

Chromebooks are useless without an internet connection

I am convinced much of what you do (on your PC, smartphone or tablet) is internet based. As an experiment, try turning off Wi-Fi (or cellular connectivity) for 1 day and see how dependent you really are.

When the CR-48 came out (first Chromebook test unit from Google), it was nothing more than an internet connected thin client. This hasn't been true for a long time though. 

Google's most popular services (Gmail, Calendar, Google Drive, Google Docs, Google Sheets, etc) are all offline enabled. The Google Chrome Web Store even has a page dedicated to offline apps.

Add to these the millions of Android apps and you can do just about anything offline these days. The Chromebook actually has an advantage over competing platforms here (Windows or Mac). As an example, on a traditional laptop, I can't download Netflix content for offline consumption whereas I can with the Android Netflix app running on a Chromebook. Since Chromebooks are power efficient, this becomes an excellent offline and disconnected media consumption platform (aka planes).

Chromebooks barely run Android apps

For better or worse, Google makes many of its experiments public. It is true that Google has made multiple attempts to bring Android to Chromebooks (ChromeOS) and that most have failed. If you tried running Android apps on a Chromebook even a year ago, you may have thought it was a slow and painful experience but not anymore. It still isn't perfect but for those unique occasional needs, the current setup more than satisfies that functionality itch. 

I have tested Android apps on a Google Pixelbook, Acer Chromebook Flip C302 and a Samsung Chromebook Pro and the apps worked great on all of them. 

Chromebooks have no local storage

Not sure how this started but all Chromebooks have local storage. My Pixelbook comes with 250GB of lightning-fast SSD storage (similar storage capacity to my MacBook Pro Retina). For content that is only occasionally accessed, you can store it in the Google Drive cloud and access it as you would a local file. The Chromebook "file explorer" integrates Google Drive for easy access.

Chromebooks can't print

Chromebooks support both local and network-based printers. For most users, you will plug in your local printer via USB and it will automagically work (if it is a recent printer). When shopping for a new device, why not opt for one that is Google Cloud Print ready? All major manufacturers support Google Cloud Print, including but not limited to: Brother, Canon, Dell, Epson, HP, Kyocera, Lexmark, Sharp, Toshiba, Xerox and more.

Chromebooks don't have any antivirus protection

This comment comes from Windows users that have been trained to install antivirus products on all of their devices. 

Remember that ChromeOS (the operating system powering Chromebooks) was designed to be secure from the start. As an example, it uses techniques like process isolation to keep you safe. Most manufacturers say that Chromebooks do not need antivirus products because:

  • ChromeOS is updated every 6 weeks
  • ChromeOS is designed with an application and process sandboxing framework
  • All data on a Chromebook is encrypted by default

Sample support page from Toshiba

So let's extend the question and talk about Chromebook (ChromeOS) security. Why do most security professionals choose Chromebooks as their personal device of choice? Why do security professionals bring Chromebooks to the world's most tech hostile conferences (Black Hat, DEF CON, ShmooCon, etc)?

The answer is that Chromebooks are more secure than any other traditional computing platform (including macOS). How?

  • Automatic updates - Google pushes a ChromeOS update every 6 weeks that all devices receive immediately (regardless of where you bought your Chromebook from and the manufacturer of the Chromebook). These updates add functionality but more importantly they fix security issues.
  • Sandboxing - Each web-page and application on a Chromebook is isolated from every other web-page and application using a technique called Sandboxing. If you visit a malicious web-page, the malware cannot infect other tabs or the computer itself. 
  • Verified Boot - If threat actors somehow manage to exploit a vulnerability and "jump" out of the sandbox to infect the boot process (to ensure they infect the device every time it restarts), the verified boot process will detect this and the device will automatically repair itself. Every time a Chromebook boots, it checks itself and if it detects that the boot process has been tampered with, it fixes itself without any user intervention.
  • Data Encryption - Using tamper-resistant encryption (a local TPM chip), all local data is encrypted with a user key which means it cannot be accessed by other users or by threat actors if stolen.
  • Recovery Mode - If anything does go wrong with your Chromebook, you can use a special keyboard combination (differs by manufacturer) to enter a special recovery mode that brings back a fresh, clean version of ChromeOS in minutes and with no user intervention. All your data and settings are stored in the cloud so as soon as you log in, your personalizations and settings will all automagically come back.

Conclusion


This article could have easily been 5 times longer, but I believe I captured the most important concepts. If you haven't tried a Chromebook in a while, I encourage you to take a look. Remember that no single device meets everyone's needs, and a Chromebook is no different. I believe Chromebooks are THE alternative for most general computing users and even some individual edge cases (like us crazy security people). 

Remember that you get what you pay for. Don't expect a $200 Chromebook to perform like a $1200 MacBook. Compare a $1200 Google Pixelbook to a $1200 MacBook, and now you have a fair comparison.

Google to rebrand music service to YouTube Music

General | Edward Kiledjian

It seems not a week goes by without Google renaming, cancelling or somehow changing one of its services. Google will update its music service with the hope of dethroning Spotify and Apple Music.

Google will leverage its most recognized media brand to give music a fighting chance. So you will soon welcome YouTube Music into this world. 

On Tuesday, May 22, we’ll be changing that by introducing YouTube Music, a new music streaming service made for music with the magic of YouTube
— Elias Roman, Product Manager - YouTube Music


Early information suggests it will marry the substantial unique music of YouTube (live performances, covers, etc.) to advanced discovery probably powered by AI.

This new service will (eventually) replace Google Music. Taking a page out of the YouTube and Spotify playbooks, they will offer a limited ad-supported free tier. Music lovers will be able to buy a $9.99 per month subscription to YouTube Music Premium which will offer ad-free listening.

YouTube Music will first roll out to the U.S., Australia, New Zealand, Mexico and South Korea. Once again Canada is a second-class citizen. Other key markets will launch "soon" including Austria, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Norway, Russia, Spain, Sweden, Switzerland and the United Kingdom.

You can sign up to their availability tracker here: music.youtube.com/coming-soon

Source: YouTube blog

Google to replace Drive with Google One

General | Edward Kiledjian

Google just announced their new Google One service. Google One will replace the existing Google Drive service and will allow users to buy additional storage that can be used across its various properties (Gmail, Drive, Photos, etc).

In addition to the new name, Google is throwing some additional goodies into the existing plans:

  • The $US9.99 ($CAD13.99) 1 TB storage plan will be upgraded to 2 TB for free
  • A new 200 GB tier will be implemented ($US2.99)

Existing 1 TB customers will automatically get upgraded in the coming weeks as soon as the move is implemented. 

Google One will allow you to share your storage allocation with up to 5 accounts. Each will have their own private storage using the total allocation.

Google promises to add some sort of consumer product help and provide "extras" like Google Play credits for subscribers. There aren't too many details yet so we'll have to wait and see. Sounds a lot like the T-Mobile Tuesday promo.

Google promises to roll out Google One to users in the USA over the coming weeks. No news on the global expansion yet.

Turn your legit link into a scary one

General | Edward Kiledjian

When Google finally shut down its Goo.gl shortening service, I wrote an article about the best alternative URL shorteners.

Security specialists cringe at these services because they can often be used to hide attacks, and because brute forcing them (using a program that tries to find valid links automatically) usually turns up classified or confidential information. If you are interested in this type of research, check out this academic paper entitled "Gone in Six Characters: Short URLs Considered Harmful for Cloud Services."

The TLDR is that shortened URLs can be scanned using automation and doing so reveals a ton of Microsoft OneDrive accounts storing private information (most unlocked). Knowing that these files are automatically downloaded (most of the time) to the user's PC through synchronization, a threat actor can weaponize them. The researchers also discovered location information such as driving instructions for specialized medical services, prisons or adult establishments.

Make that link scary

None of these valid concerns is the reason I wrote this article though. The purpose of this article is to take legitimate links and make them scary (at least for tech-savvy recipients). 

The purpose of VeryLegit is to take good links and make them scary (without actually being dangerous of course).

When asked how the service works, the humorous authors deliver this little gem:

Due to rapid advancement in dark ritual technology, the programming community has streamlined the development and deployment of unspeakable eldritch horrors. Using robust open-source libraries like a sack of live geese, websites like this one can be developed with far more efficient sacrificial rituals than ever before. We’re still stuck on the version with really inefficient sacrifical rituals though, due to comp͆aͭatib̊i̼͕l̈̿i̮̜t̚y̅ ͊i͋s̾s̢͈͠u̶e̛̊s̼̃.
— verylegit.link

Let's try it

1 - You copy a link like my article about Google Tasks "https://www.kiledjian.com/main/2018/4/25/google-launches-new-tasks-app-mobile-web"

2 - You paste it into the magical input box

3 - You click on Make it look dodgy

4 - You copy the scary looking link (http://ctf.verylegit.link/+javaexploit_970speedupurpc!!install-now!!java0day.docm.js.pdf) and voila. Scare the pants off a tech-aware friend.

It will redirect you to your original link only adding lots of scary extensions typically used by scammers and Nigerian princes wanting to give you millions of dollars.
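A defender's view of the same link, as an added example (not code from VeryLegit or from this blog): a few lexical heuristics of the kind a mail or proxy filter might apply, run against the two URLs above. The extension list, keyword list and threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed, illustrative lists; tune them against your own mail/proxy telemetry.
RISKY_EXTS = {"exe", "js", "docm", "scr", "jar", "vbs", "bat", "pdf", "zip"}
BAIT_WORDS = ("exploit", "0day", "install", "speedup", "crack")

# The two URLs quoted in the article.
ORIGINAL = ("https://www.kiledjian.com/main/2018/4/25/"
            "google-launches-new-tasks-app-mobile-web")
DODGY = ("http://ctf.verylegit.link/+javaexploit_970speedupurpc"
         "!!install-now!!java0day.docm.js.pdf")


def lexical_flags(url):
    """Return the lexical red flags found in the URL string itself."""
    parts = urlsplit(url)
    path = parts.path.lower()
    flags = []
    if parts.scheme != "https":
        flags.append("no-tls")
    # Stacked extensions: two or more risky extensions chained at the end
    # of the final path segment (e.g. ".docm.js.pdf").
    segment = path.rsplit("/", 1)[-1]
    chained = 0
    for ext in reversed(segment.split(".")[1:]):
        if ext not in RISKY_EXTS:
            break
        chained += 1
    if chained >= 2:
        flags.append("stacked-extensions")
    if any(word in path for word in BAIT_WORDS):
        flags.append("bait-keywords")
    if "!!" in path:
        flags.append("urgency-punctuation")
    return flags


def verdict(url, threshold=2):
    """Triage label only: the string looks suspicious, or it does not."""
    return "suspicious" if len(lexical_flags(url)) >= threshold else "clean"


if __name__ == "__main__":
    for u in (ORIGINAL, DODGY):
        print(verdict(u), lexical_flags(u), u)
```

Both URLs lead to the same article, yet only one is flagged: these checks describe the string, not the destination, so they are a triage signal and a clean-looking short link still needs its redirect target resolved and inspected.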

So welcome to Monday, time to have some fun.

Google launches New Tasks App (Mobile & Web)

General | Edward Kiledjian

In a blog post entitled "With new security and intelligent features, the new Gmail means business", David Thacker (Google VP Product Management, G Suite) announced, "We’re also introducing a new way to manage work on the go with Tasks."

The new refreshed Tasks system will be available on the web and have accompanying mobile apps (Android and iOS). The new updated Tasks system will allow you to create tasks & subtasks with due dates and notifications.

The current Tasks was an anemic stand-alone product that barely worked. The new one will integrate into the G Suite and allow you to drag & drop emails from Gmail, files from Google Drive and more.

Now you can quickly reference, create or edit Calendar invites, capture ideas in Keep or manage to-dos in Tasks all from a side panel in your inbox.
— David Thacker

The announcement appears on the G Suite (Enterprise) blog, but this update will flow to the free consumer-friendly version as well.

The Google help centre provides additional information about how all of this will work.

Download the new Android version here and the iOS one here.