I’m not paranoid, a secure lifestyle: Part 1

Erica Windisch
Jan 1, 2016


Security is not a feature. For me, it’s a lifestyle, or so I try to make it.

This begins a series of posts laying out my approach to security, not just at work but at home. I’ll cover the choices made, the tradeoffs accepted, and the practices followed. I’ll approach this from the perspective of a target of advanced persistent threats (APTs): not because I realistically think I can protect myself against a nation-state, but because measures taken against a capable adversary also raise the bar against less capable attackers.

This first post in the series focuses on my laptop. Future posts will cover password management, network architecture, IoT devices, etc.

A secure laptop (Why I run ChromeOS)

I travel often for work. Sometimes more, sometimes less, but I’m always concerned about someone obtaining access to the data on my laptop. Evil maid attacks, in which someone with brief physical access to an unattended machine tampers with it (typically its boot chain) so that the owner’s next login hands over the keys, are a real and documented threat. Travelers connect to hostile networks constantly, and in recent years mainstream operating systems have shipped remote code execution bugs reachable from actions as innocuous as obtaining a DHCP lease. It’s a scary world out there for Linux, MacOS, and Windows. Ultimately, it’s a question of attack surface.

Macs used to be better: the early Intel models shipped with a TPM and had no Thunderbolt port (a port that exposes PCIe, and with it DMA, to whatever gets plugged in). Today, however, I cannot recommend them.

In theory, one could build a Linux or Windows system protected with Secure Boot and full-disk encryption and call it a day. Yet it’s not so simple. Disk encryption protects data at rest, not data in use: every application you run can read your decrypted data, and you presumably need those applications. You’ll need a variety of them from different vendors, few of which you truly trust. Linux containers would help a bit, especially with a container system that can measure and attest what it runs, but the kernel and the rest of the system would need to be configured to offer genuinely good security. The Linux kernel has many security features that simply go unused by the vast majority of users and distributions, and some of the best security features aren’t even merged upstream.

While technically possible, building such a system would be a considerable effort. It’s a matter of attack surface: there are many applications and vendors, each of which must be understood. If only there were already an OS that did all of this: reduce the attack surface, configure the system securely, verify the boot chain, and generally do the right things out of the box. Thankfully, this OS already exists: ChromeOS.
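To make the measure-and-attest idea concrete, here is a toy model in Python, added here rather than taken from the post or from ChromeOS itself. It folds a digest of each boot stage into a TPM-style PCR register and then has a verifier replay the event log against a known-good (“golden”) value; the stage names, the sample byte strings and the helper names are constructed for illustration. Real verified boot additionally checks a signature on each stage before running it; this model shows only the measurement half, and why a tampered stage, a forged log, or a reordered chain all fail attestation.

```python
# Added example (not from the original post or from ChromeOS): a toy model of
# "measure and attest". Each boot stage is hashed and folded into a TPM-style
# PCR; a verifier replays the event log and compares against a golden value.
import hashlib
from typing import Iterable, List, Tuple

PCR_INIT = b"\x00" * 32  # PCRs start zeroed at reset


def measure(blob: bytes) -> bytes:
    """Digest of one boot stage (firmware, kernel, rootfs ...)."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR = H(PCR || digest). One-way and order-sensitive,
    so a later stage cannot rewind or hide an earlier measurement."""
    return hashlib.sha256(pcr + digest).digest()


def boot(stages: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Measure each stage in order; return the final PCR and the event log."""
    pcr = PCR_INIT
    log: List[Tuple[str, str]] = []
    for name, blob in stages:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay(log: Iterable[Tuple[str, str]]) -> bytes:
    """Recompute the PCR that a given event log should have produced."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(pcr: bytes, log: List[Tuple[str, str]], golden: bytes) -> bool:
    """Verifier's check: the log must be consistent with the PCR, and the PCR
    must equal the golden value recorded for a known-good image."""
    return replay(log) == pcr and pcr == golden


# Constructed sample "images": stand-ins for real boot stages (assumed names).
GOOD_STAGES = [
    ("firmware", b"ro-firmware-v1"),
    ("kernel", b"kernel-4.4-signed"),
    ("rootfs", b"rootfs-hash-tree-root"),
]
GOLDEN_PCR, _ = boot(GOOD_STAGES)


def _with_backdoored_kernel() -> List[Tuple[str, bytes]]:
    return [s if s[0] != "kernel" else ("kernel", b"kernel-with-backdoor")
            for s in GOOD_STAGES]


def clean_boot() -> bool:
    pcr, log = boot(GOOD_STAGES)
    return attest(pcr, log, GOLDEN_PCR)


def evil_maid_swaps_kernel() -> bool:
    """An evil maid replaces the kernel: the PCR no longer matches golden."""
    pcr, log = boot(_with_backdoored_kernel())
    return attest(pcr, log, GOLDEN_PCR)


def attacker_edits_log() -> bool:
    """Same tampering, but the attacker rewrites the log to show the good
    kernel digest. Replaying the forged log no longer yields the real PCR."""
    pcr, _ = boot(_with_backdoored_kernel())
    _, forged_log = boot(GOOD_STAGES)
    return attest(pcr, forged_log, GOLDEN_PCR)


def stages_reordered() -> bool:
    """Extend is order-sensitive: the same stages in another order fail."""
    pcr, log = boot(list(reversed(GOOD_STAGES)))
    return attest(pcr, log, GOLDEN_PCR)


if __name__ == "__main__":
    print("clean boot attests:", clean_boot())                 # True
    print("swapped kernel attests:", evil_maid_swaps_kernel())  # False
    print("forged log attests:", attacker_edits_log())          # False
    print("reordered stages attest:", stages_reordered())       # False
```

The point of the one-way extend is the property an evil maid runs into: code that executes later in the chain cannot undo the measurement of what ran before it, and an attacker who can alter the log still cannot make it replay to the PCR the hardware actually holds.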

Life with a Chromebook

The choice of a Chromebook might not be obvious, or might even seem like a joke, but it’s actually quite capable and, in my view, the most secure system one can buy today. Most tasks I do today imply internet access, which means most of them can be accomplished in a browser or over an SSH terminal.

This choice does imply some limitations, yes, but let’s consider the pros:

  • Minimal attack surface: only one end-user application runs, Chrome.
  • Frequent automatic updates.
  • Verified boot (ChromeOS’s equivalent of Secure Boot) and user-data encryption keyed to the TPM out of the box, providing first-class protection against evil-maid attacks (not absolute protection: an attacker with the hardware in hand can still go after the firmware or the chips themselves).
  • Application sandboxing built in: renderers run in sandboxed processes. It’s a good deal of what you want from Qubes, in an OS you can actually use and even buy off the shelf.
  • A well-paid bug-bounty program to encourage reporting of vulnerabilities.
  • Really inexpensive. If for some reason I believe my machine is compromised, I can destroy it and buy another, and do this ten times before I even break even with the cost of a MacBook Pro. It’s not ecological, but I could afford to do it every time I cross an international border.

Cons:

  • I can’t run certain apps that have no analog in the Chrome Web Store. For me, that’s basically Photoshop and Lightroom. I don’t use these for work, and certainly not while traveling, and keep a dedicated desktop at home for them. For non-graphics applications, users can make do with Amazon WorkSpaces for running Windows desktop applications ($20–30/mo).

Not-cons:

  • Weak hardware. Yes, Chromebooks have little RAM and CPU power. No, it doesn’t matter: 4GB is enough RAM for a web browser. Really, it is. My only complaint is that on my own Celeron-based model, music playback can affect browsing. Otherwise, I’m very happy with performance, and more powerful (and more expensive) models such as the Pixel mitigate hardware concerns.
  • “I don’t trust Google.” If you already run Chrome, then you already trust Google. Worse, if you don’t run a measured system such as ChromeOS, then I argue you trust not only your web browser but every single other application you install. You also trust the “evil maid”. Those actors could install Google software on your machine or, more likely, genuinely malicious code. As much as I might not trust Google, I must trust someone, and I’d rather trust Google than everyone.
  • No virtual machines, Linux containers, or command line. I have an SSH client, and that’s enough. I run instances on DigitalOcean and AWS; that’s enough, really. VNC, Remote Desktop, and Amazon WorkSpaces offer remote desktop options. I prefer to run vim on those machines directly, but developers requiring an IDE can run Codenvy or Koding; both are great.
  • “I don’t trust the cloud.” A Chromebook does NOT require saving data in the cloud. Data can be stored locally on disk, or (unencrypted) on a USB stick or SD card. Options to store data in the cloud encrypted are available, and OwnCloud lets you run your own private online storage if desired. Most of what I store in the cloud is non-sensitive, public, or semi-public information (slide decks, GitHub repos, etc.).

Next steps…

Well, as much as I love having a machine that’s secure, and as much as I do prefer to trust Google over “everyone”, I am interested in personally verifying the integrity of my system. Long term, I might still look to build an embedded terminal or bootstrap my own self-signed, verified-boot installation of ChromeOS. I don’t have time for that right now, and what little time I do have for such endeavors I’d rather spend on securing other systems.
