This photo is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0) license by Jason Beaird.

Administering Chromebooks

For teams traveling to complex and hostile environments

If you are traveling to hostile or complex environments the phrase “use a Chromebook” has become the “use Signal, use Tor” of border crossing device security. Nearly all of the individuals who work in these environments knows that, as with everything, it’s more complex than that.

I recently decided to look take a look at the configurations that needed to be done to make Chromebooks travel ready for complex and hostile environments. There are more than a few narrative summaries of Chromebook security available. But, there didn’t seem to be any source to look at the security implications for each specific configuration option.

Over a period of a few months worked on a personal project to document the administration and configuration considerations for using Chromebook’s in a range of complex and hostile environments. The project that came out of it was simply my personal Chromebook setup and configuration notes running amok.

What does that mean?

I created a 33 page spreadsheet where I compared each Chromebook user and device against the assumptions, requirements, threats, and mitigations one might put in place when protecting a globally distributed team operating in a range of complex and hostile environments.


Q&A

Why did you include other mitigations beyond Chromebook settings?

I have concerns about mitigations that promote the use of fake user accounts to fool border officials who force travelers to login to their devices and online services. But, I had not put together any public analysis of an alternative. I used this project as an opportunity to explore an alternative mitigation. (See the Proof of Inaccess mitigation for more information.)

Is this spreadsheet accurate?

Not likely. This was a personal project done in my free time and will continue to have gaps in its assessment based upon my level of interest in digging into those topics. That is why I included the URL of the sources I used and long-form comments about my decisions for each user and device setting.

I’m putting together a Chromebook travel program. How can I use this project?

The Workflow page shows how to use this project to inform a Chromebook program.

There are too many pages. How do I find what I need?

The Index has suggestions for various ways to explore this project.

Why use a Google Spreadsheet?

I wanted a chance to explore different methods for supporting risk management documentation using Google Sheets. This project proved to me that it’s more than possible to leverage Google Sheets to do all sorts of automated risk management comparison and evaluation.

At the same time, I would not recommend using this spreadsheet as a guide. There are a lot of things I would have done differently if I was doing this to support risk management tasks.

Why would you publish this if you don’t plan on finishing it?

For two reasons:

  1. It took a lot of time to consider each option and I wanted to save my colleagues from having to do their own research from scratch.
  2. I’m not going to have time to work on it for a while so I figured I would share it out instead of hoarding a 1/2 finished project forever.

Does it cover anything other than configs? (Yes!)

Cost Calculator

Threats By Context

Etc…

Show your support

Clapping shows how much you appreciated Seamus Tuohy’s story.