Richard Engel of NBC recently reported on how his fresh-out-of-the-box computers were immediately hacked once he landed in Russia. The story got more publicity than it deserved.
To make an analogy, what NBC did was the equivalent of getting Engel drunk, blindfolding him, putting him behind the wheel of a car on a rainy night and then, when he had the inevitable accident, reporting that the highway wasn't safe. Needless to say, there was some backlash (here and here and here).
Nonetheless, Engel's report got me thinking about what I would do in an environment where hacking and spying were thought to be rampant. Here, in the first of two blogs on the subject, I focus on what I think is the safest computing device for traveling - a Chromebook.
To brutally simplify things, Chromebooks, a brainchild of Google, are laptop computers that only run the Chrome web browser. Chromebooks are a new paradigm in computing. Although physically they look much like a MacBook Air, they share almost no design philosophy with desktop systems (Windows, OS X, Linux) or mobile systems (iOS, Android).
Without question, a Chromebook is safer than Windows, OS X, Linux, iOS or Android. Security is baked into the design.
To begin with, the operating system, Chrome OS, does not allow software to be installed. Sure, this is annoying if you want to run Skype (not possible), but the flip side is that a malicious email attachment can't install a virus. Malicious Flash ads on a web page may infect Windows or OS X systems, but Chromebooks are immune, even though Flash is supported.
A web page with a malicious Java applet can't infect a Chromebook either. They don't do Java.
There is an exception to the rule about installing software on a Chromebook: web apps from the Chrome web store.
Like any software, Chrome web apps can also be malicious. They may inject ads into web pages or spy on you.
A Chrome app may start out safe, then get sold by the original developer and later turn malicious (this has happened). Or bad guys could trick the user into installing a malicious web app.
The good news is that there is a simple defense against malicious web apps: guest mode. Chromebook users normally log on with a Gmail email address and password. But you can also log on as a "guest" user without supplying any email address or password. Just click on "Browse as guest" and you're in.
All guests start off with a clean slate, no installed web apps. Guests can't install web apps or even create bookmarks (the usual star in the address bar is missing).
Not only are you safer going into guest mode, you are also safer when you log out because Chrome OS erases all traces of your activity. It removes not just the usual browser history and cookies but also any files that were downloaded onto the Chromebook (to keep downloaded files, copy them to a USB flash drive). Take that, spy agencies.
Guest mode is much more secure than the incognito mode offered on desktop versions of the Chrome browser. You lose access to your bookmarks and saved passwords, but the safety is well worth the trade-off.
Even using a Chromebook normally, with a Google account, still provides safety because Chrome OS encrypts all your files. There is no way another person using the same Chromebook can see anything of yours (assuming you don't give out your Google password).
If you are going to lose a computing device, you want it to be a Chromebook. Your files are protected even if someone removes the solid state hard drive. And, unlike other operating systems, the encryption is stress free. That is, a Chromebook user does not have to enable anything, run anything or even remember anything, to have their files encrypted.
In addition, Chrome OS does assorted checks at system startup to ensure that the operating system has not been tampered with. Quoting Google:
Every time the Chromebook starts up, it does a self check called Verified Boot. If it detects that the system has been tampered with, or corrupted in any way, typically it will repair itself without any effort, taking the Chromebook back to an operating system that's as good as new.
With a Chromebook there is also no need to worry about software updates. The operating system automatically downloads updates quietly in the background. The update gets installed at the next system startup. As with encryption, the end user is not involved at all. Second Tuesday of the month? Fuggedaboutit.
Chromebooks also benefit from being unpopular, a situation familiar to MacBook users who don't run antivirus software. Because so few people use them, there is little incentive for spies and bad guys to target Chromebooks. And, should Chromebooks ever become popular, it would take a while for spies and bad guys to get up to speed. In the meantime, Chromebook users are safe as heck.
The only computing device in the same league as a guest-mode Chromebook for safety is a desktop computer running Linux off a bootable CD (referred to as a Live CD). Which is safer may be a debatable point, but a Chromebook is, by far, the more practical option. And, as noted above, it is safer than anything running Windows, OS X, Linux (normally installed), iOS or Android.
GOOGLE SECURITY EXTRAS
Gmail users get an extra bit of safety when they use Google's Chrome browser, be it on a desktop OS or a Chromebook. The system behind secure web pages (HTTPS) has many design flaws, and Google offers their users extra safety by supporting something called certificate pinning, which ensures you are really dealing with Gmail as opposed to a fraudulent copy of the site. A Chrome user at gmail.com is safer than someone using another web browser. This extra protection applies to all Google properties, not just Gmail.
Gmail also offers Perfect Forward Secrecy, an advanced security feature that I wrote about back in June. This feature is not limited to the Chrome browser but it also does not work with all browsers.
Any time you connect to a public network, be it wired or wireless, your best defense is a Virtual Private Network (VPN).
For employees of large companies, VPNs offer encryption between their computing device and the home office. For the rest of us, VPNs offer encryption between where we are and a VPN server maintained by a VPN provider. That is, VPNs create encrypted connections that protect us from spying by those running the network (or the country in the case of the Olympics) we are connected to.
Someone in Sochi, Russia, for example, may establish a VPN connection to a server in Florida. This would offer protection from spying by anyone or anything in Russia. When the data leaves Florida, however, it is no longer encrypted.
If someone at the Olympics connected to a VPN server in Moscow, then their data leaving Moscow would no longer be encrypted and assorted Russian entities could spy on it. No one in Sochi, however, could read it.
There are three common types of VPN, two of which are thought to be secure while the third type is the equivalent of WEP, better than nothing, but just barely.
The least secure flavor of VPN is called PPTP and it is supported by most operating systems, including Windows 7, Windows 8, Android, iOS and OS X. Chromebooks do not support PPTP.
The more secure types of VPN are L2TP over IPSec and OpenVPN (also called SSL). Chromebooks support them both.*
I tested my Chromebook with an L2TP/IPSec VPN and was surprised to find that even though I created a network connection for the VPN as a guest user, the VPN definition remained after a re-boot. The only thing that was not saved was the password; it needed to be re-entered every time I connected to the VPN as a guest user.**
For quite a while now Chrome OS has had an annoyance with VPN definitions: you can't edit them. If you want, for example, to connect to VPN server A instead of B, you can't change an existing VPN definition, you need to create a whole new one. So, if you use a VPN provider that offers servers in multiple cities, you will end up with connection definitions for each city.
VPNs also offer a side benefit: new DNS servers.
DNS is the system that translates the name of a computer (www.computerworld.com) into its underlying IP address (188.8.131.52). All data that travels on the Internet uses IP addresses; the names are just a convenience for us humans. A malicious DNS server can send you to a fake copy of a website and, without certificate pinning, you would have no clue as to the scam.
Nerds like me configure their computing devices to use DNS servers from known trusted organizations such as OpenDNS. However, most people have their DNS servers provided by the network they connect to. Comcast users, for example, typically use DNS servers maintained by Comcast. Trusting DNS servers provided by a Russian coffee shop, as Richard Engel did, is not a good idea.
When you connect to a VPN, your computing device switches over to using DNS servers from the VPN provider, which should be safer.
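The pinning check referred to above and in the Google section, as an added example that is not from the original post and is not Chrome's code: the client hashes the public key inside the certificate a server presents and compares it with a stored pin, so a look-alike server reached through a malicious DNS answer fails even when its certificate names the right site. The host name mail.example, the toy_cert helper and the sample keys are constructed for the demonstration, and signature and chain validation are not modelled.

```python
import base64
import hashlib

def der_tlv(tag, content):
    """Encode one DER element (definite length, short or long form)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = [n] if n < 0x80 else [0x80 | len(raw), *raw]
    return bytes([tag, *head]) + content

def der_split(buf):
    """Split concatenated DER elements into (whole_element, content) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        first = buf[i + 1]
        k = first & 0x7F if first & 0x80 else 0   # number of extra length bytes
        n = int.from_bytes(buf[i + 2:i + 2 + k], "big") if k else first
        end = i + 2 + k + n
        if end > len(buf):
            raise ValueError("truncated DER content")
        out.append((buf[i:end], buf[i + 2 + k:end]))
        i = end
    return out

def spki_pin(cert_der):
    """Return base64(SHA-256(SubjectPublicKeyInfo)) for a DER certificate."""
    ((_, cert_body),) = der_split(cert_der)          # outer Certificate SEQUENCE
    fields = der_split(der_split(cert_body)[0][1])   # fields of tbsCertificate
    spki = fields[6 if fields[0][0][0] == 0xA0 else 5][0]  # [0] version is optional
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def toy_cert(subject, key):
    """Constructed, unsigned, certificate-shaped DER (demo input only)."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    name = seq(der_tlv(0x0C, subject.encode()))      # simplified Name
    alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))  # id-ecPublicKey
    spki = seq(alg, der_tlv(0x03, b"\x00" + key))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),
              alg, name, seq(), name, spki)
    return seq(tbs, alg, der_tlv(0x03, b"\x00"))

def pin_ok(host, cert_der, pins):
    # Pinned host: its key must be in the pin set. Other hosts are not judged here.
    return host not in pins or spki_pin(cert_der) in pins[host]

GENUINE = toy_cert("mail.example", b"\x04" + b"\x11" * 64)   # constructed sample
FORGED = toy_cert("mail.example", b"\x04" + b"\x22" * 64)    # same name, other key
PINS = {"mail.example": {spki_pin(GENUINE)}}
```

Because the pin covers only the key, a renewed certificate that keeps the same key still passes, while FORGED fails despite carrying the same name.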
Besides security, I can personally attest that Chromebooks are just fun to use. Out of the box, fast start-up and shutdown make a good first impression.
Critics point out, correctly, that Chromebooks can't do as much as a machine running Windows, OS X, Linux, iOS or Android. The flip side of this, however, is that the user interface is very simple. No matter how tech phobic someone may be, getting up to speed on a Chromebook takes very little time.
The market failure of Windows 8 has led more and more hardware companies to introduce Chromebooks. Most have screens just under 12 inches, but a recent Toshiba model is 13.3 inches and HP released one recently with a 14 inch screen.
Hate the trackpad? A Chromebook should work with any mouse, wired or wireless.
An off-line computer is always safer than one connected to the Internet.
Initially Chromebooks were useless without an Internet connection, but that has changed as more web apps are becoming available for off-line use. Perhaps most importantly, Chromebooks support off-line word processing and text editing. Not with Word, of course; Chromebooks are like Kryptonite to Microsoft. Gmail is also available off-line.
An off-line Chromebook can open and view Office documents in Word (.DOC and .DOCX), Excel (.XLS and .XLSX) and PowerPoint (.PPT and .PPTX) formats. It can also view files in PDF, ZIP, TXT, GIF and JPG formats. Got an MP3 file? You can listen to it with an off-line Chromebook.
Finally, Chromebooks are cheap. Almost all of them sell for between $200 and $300.
Yes, Chromebooks are less functional than other computing devices, but you may find that they are functional enough for short term use. If so, the huge increase in security they offer, combined with their cheap prices, makes them an excellent travel companion.
*I have not tested a Chromebook with an OpenVPN/SSL type VPN. According to PrivateTunnel, an OpenVPN provider, Chrome OS "has implemented a very limited subset of the OpenVPN client in its interface. The limitation that is in place now would not allow the operating system to connect to our services." This statement, however, is not dated and does not say which version of Chrome OS it is referring to.
**There are two ways to identify yourself to an L2TP/IPsec VPN. I only tested using a password (typically referred to as a "pre-shared key"). I did not test with a digital certificate, so I'm not sure if that allows one-click VPN access when logged on as a guest.