So, be inconvenienced in every aspect important to a dev but gain a bit of confidence in your machine (as long as you trust Big-G)?
verified boot seems like the only advantage here. You can buy an ebay business-grade laptop with TPM for 40 bucks USD readily, and they don't require reliance on Google or the requirement that one uses a neutered OS. (yes, yes, it's secure. It's a users' platform. Development on chrome OS at this point is an act of masochism.)
If secure travel is your thing, stash your data on a cloud provider and pull it later after you arrive at your destination. Go whole-hog and travel without an SSD and buy a cheap one at your destination with cash. Sprinkle in some libreboot for more confidence.
It'll still be cheaper than a 200 dollar chromebook, and you probably won't have to deal with some of the world's worst chiclet keyboards.
P.S. don't travel with a yubikey that isn't partnered with another. Would be a bummer to lose.
Sub $200 Chromebooks with decent keyboards: Dell 11 (2014 & 2015 models), Asus C202SA, and maybe the Lenovo educational models. At higher prices, of course, you have many choices: both Pixels, Lenovo and HP 13" and the Acer 14 for Work (all last year), the new Asus C302SA.
I am not saying you're wrong but I'd like some advice on what to buy. The x220 I've never seen dip below $100 with 4GB RAM and a hard disk or at least a caddy.
You can get an Acer 14 refurb for under $200 which is a good dev machine using Crouton with ChromeOS. Nothing else is going to be able to touch this. Sounds like you are just not up to date on what is now possible with Chromebooks.
I'm not sure how much extra "security" you're really getting out of staying strictly within ChromeOS. Yes, Secure Boot is disabled. However, the ChromeOS partition is still encrypted, and you can manually encrypt any of your crouton chroot environments, so someone looking at the thing still wouldn't be able to peek into the contents. If you're asked, "Why is this in Developer Mode?", you can answer, "I'm a developer."
Additionally, once Developer Mode is enabled, you must hit Ctrl+D to move past the warning screen every time. It is incredibly easy to inadvertently hit Enter or Spacebar, and then have the Chromebook wipe itself and restore to factory settings. I've done it inadvertently myself, and have heard multiple reports of a developer's spouse/child accidentally clicking it, too. Unless a Border Patrol agent knew exactly what they were doing, I'd be willing to bet they'd accidentally wipe it as well.
Finally, while I'm aware that disabling Secure Boot in theory opens you up to an Evil Maid attack, what is the likelihood that border patrol/customs would have a malicious OS on hand, and the know-how to flash it? Worst-case scenario, if you suspect they've tampered with the OS, simply hit Spacebar yourself as soon as you get it back, restore Secure Boot, and then start over from scratch!
As an aside, if you are confined to ChromeOS, I highly recommend Caret as an editor. It's a FOSS, Sublime clone chrome app that works swimmingly on Chromebooks.
That is a good point, but also a feature in my view. I see my chromebook as a mobile workstation, so more or less everything on it is backed up in a git repository, cloud storage, that sort of thing. ChromeOS automatically restores extensions and installed Android apps, and I usually keep builds of software I use in crouton on separate external flash storage; 16-32GB of internal storage isn't that much when you have to build from sources because ARM binaries are still fairly rare.
So an inadvertent wipe is really just an inconvenience of 30-60 minutes, and if it's a border patrol or TSA agent you can then have fun acting all indignant at how they broke your device and you lost so much work and your boss is gonna kill you and you want to talk to their supervisor right now.
The lack of hardware security is a consideration, but frankly if your device is handled by a malicious actor outside of your control, you're kinda screwed anyways.
The drive where the OS lives isn't encrypted. Rather, it is verified. It uses do-it-yourself to chain every read from the device to a trusted authority. Secure boot is how it verifies that the kernel (running do-it-yourself) hasn't been tampered with (e.g., to add more trusted authorities or disable verification).
This protection is not just against "evil maids" but any attack that modified the disk in the past. E.g., if the system is compromised due to a software fault, nothing can persist on disk undetected (like ZFS/bcachefs/BtrFS checksumming prevents bit-rot from being undetected).
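The comment above describes chaining every read from the device back to a trusted authority. As an added illustration (not code from the thread or from Chrome OS), here is a simplified Merkle hash-tree check of that kind in Python; the block size, the sample image and all function names are constructed for the example, and the only input assumed to be trusted is the root hash.

```python
import hashlib
import hmac

BLOCK = 4096  # bytes per block (value chosen for this example)


class IntegrityError(Exception):
    """Raised when a block does not chain up to the trusted root hash."""


def _h(data):
    return hashlib.sha256(data).digest()


def build_tree(image):
    """Hash every block, then hash pairs upward until one root remains.

    Returns a list of levels: levels[0] holds the leaf hashes and
    levels[-1] holds the single root hash.
    """
    level = [_h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:               # odd count: pair the last node with itself
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def verified_read(disk, levels, trusted_root, n):
    """Return block n only if it hashes up to trusted_root.

    `disk` and `levels` both live on untrusted storage; `trusted_root` is the
    one value assumed to be protected (for example, covered by a signature
    that the boot firmware checks).
    """
    block = bytes(disk[n * BLOCK:(n + 1) * BLOCK])
    node, idx = _h(block), n
    for level in levels[:-1]:
        sib = idx ^ 1
        # A missing sibling means this node was paired with itself.
        sibling = level[sib] if sib < len(level) else node
        node = _h(node + sibling) if idx % 2 == 0 else _h(sibling + node)
        idx //= 2
    if not hmac.compare_digest(node, trusted_root):
        raise IntegrityError("block %d failed verification" % n)
    return block


def make_sample_image(blocks=5):
    """Constructed sample 'disk': block i is filled with byte value i."""
    return b"".join(bytes([i]) * BLOCK for i in range(blocks))


if __name__ == "__main__":
    image = make_sample_image()
    levels = build_tree(image)
    root = levels[-1][0]
    disk = bytearray(image)
    disk[2 * BLOCK] ^= 0xFF                               # change persisted on disk
    levels[0][2] = _h(bytes(disk[2 * BLOCK:3 * BLOCK]))   # stored leaf hash patched too
    try:
        verified_read(disk, levels, root, 2)
    except IntegrityError as exc:
        print("detected:", exc)
```

Patching the stored leaf hash along with the block does not help, because the recomputed path still has to end at the root, which is not stored on the writable disk.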
As someone who has an on-off interest in ChromeOS but with little to no knowledge about it, does vim/neovim work? I found some vim version on the chrome web store but it was last updated in 2014 and pinned to 7.4 which was a bit disappointing.
I see the security argument come up often but have never once heard an anecdote of someone having a security breach or whatever people are scared of happening because their chromebook was in developer mode.
Installing a chroot isn't that difficult, in fact it was actually kind of fun and started me on an incredible tech exploration journey that currently has me learning software development using Vim on a command line only linux distribution. I never would have imagined such a thing a year ago. It is weird thinking having a $140 refurbished acer c720 may have led me on a completely different, exciting life path.
I think I am misunderstanding you, but isn't paragraph 2 an argument for staying in normal Chrome OS (as this article suggests) instead of enabling developer mode?
I've been running the Chromebook Pixel 2015 as my primary dev machine since it came out. Unlike the author however, I've opted for the less-secure "dev mode" on the laptop, and do everything in crouton. (Java web / Android, mostly).
It may not be as secure, but it's hella convenient (still use 2FA). ChromeOS boot is < 5 seconds, and I just stay there for web browsing / netflix. Dropping into crouton is another < 5s when I need to do dev work, or play steam games.
Everything important on the laptop is backed up to some cloud service or another, but it's expensive enough that I'd be distraught if I lost it (plus they stopped selling them).
I'd be more worried about somebody straight up stealing the laptop than any other security risks I may be running by running in dev mode.
I love the idea of natively developing in ChromeOS, but at this point it just seems like more hassle and fighting the system than it's worth.
This blog post details using a chromebook as a temporary device, such that you can travel with a blank machine, and provision at your destination with the data and apps you may need:
> It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) on an inexpensive Chromebook and later securely restore over the air once at my destination. ... the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. ... I could treat it as a burner and move on.
Edit; I've been using a de-chromed chromebook for over a year as my primary dev machine and really like it. I developed and launched one side project with it. The model I have (Acer C720) is a dual core Centrino, 2GB of ram, and I upgraded the m2 sata to 120GB. For Python/PHP/Ruby, it's great. I would not do Java development on this set up though. Java IDEs eat battery life and I imagine jvm startup time is a burden on this, although I haven't even installed Java to find out.
Edit 2: to clarify, this is not about removing chromeos, but to use chromeos for its security features. The article goes over using Termux to get a basic development/work environment setup on chromeos. Plus a lot of other helpful tips.
I offered my experience de-chroming as an example, I really like the platform. Apologies if that was confusing.
> Edit; I've been using a de-chromed chromebook for over a year […]
Ok, but as the article states, they did not de-ChromeOS it because they wanted TPM and Verified Boot and FIDO-certified U2F security key so that they didn't defeat the whole purpose of buying a Chromebook.
FTA: “As far as Debian/Ubuntu (and crouton), that's fine as far as it goes, but then you don't end up with a Chromebook, just a cheap mini-notebook with flaky drivers. The whole point of this exercise is to retain the hardened posture of the platform and have a flexible, safe development environment without depending on the crutch of privileged access.”
So, the solution to the uncertain threat of airlines picking your luggage and stealing your computer or its data is... giving over your data to somebody that it's certain it's spying on you and whose business model is to comb over your data.
How is this not "you won't catch me, I'll just throw myself off a bridge"?
Also, termux has ~600 packages. Debian has 50,000. Besides the basics, you're liable to need packages you just don't have in termux, which makes it a serviceable environment in a pinch, but not one where you want to do your work on.
It might be better to give your data to someone who has to tell you how they're spying on you, than to somebody who legally shouldn't be able to but does so anyway.
> When things get completely borked (which in two weeks of heavy use only happened a couple of times for me)
how are people willing to live with this? I would be furious if I had to lose all my state and (for all intents and purposes) restart my machine multiple times in two weeks.
And if this "borking" happens right before or during a presentation (the author was writing about using this setup for giving talks on), this would be very embarrassing for me and extremely annoying for the audience.
A work/presentation machine has to be rock solid for me. No compromises, no workarounds and most certainly no "completely borked". Just pure solid.
One of the BIGGEST drawbacks of using a Chromebook with an 11.6 inch screen, which nobody here has talked about yet, is the grainy and crappy 1366 x 768 screen resolution! I've been a long-time Mac guy, and anything inferior to a Retina display will considerably strain my eyes before I am used to it. Dell XPS 13 included.
If you're going to compare to a Mac, it's better to look at the higher end Chromebooks like the Pixel 2, HP Chromebook 13, and Samsung Chromebook Pro. They all have screens with pixel density and quality that's on par with the 15" MacBook Pro I have.
I have the Samsung Chromebook 3 (same size and resolution). I don't mind it at all. By comparison, the 14" Lenovo from my employer has the same resolution and looks worse. The Chromebook is no retina display, but it's not that bad in my opinion.
Not really an issue for me. Almost all of my work can be done through the terminal and through Emacs. For maximum visibility, I run a full-screen terminal with a large font and good contrast. I really wouldn't have it any other way, as I'm not a fan of GUIs. Of course, I still retain the ability to spin up a GUI if I am forced to do so. The only effect the screen has is that it does not entice me to watch videos (which is a great feature for a work machine).
I tried using a Chromebook as a dev machine several years ago - before Android apps. The chroot situation worked well enough, but the dev-mode boot was a deal-breaker.
Back then, if a Chromebook's local storage filled up, it would factory-reset itself. Is this still the case? This is one big thing keeping me from trying this again (which I'm very tempted to do so after reading this article). Investing in setting up a dev environment like this is fun, but only the first time around...
Regarding the TOTP app, I generally prefer FreeOTP to Google Authenticator/Duo/Authy, etc. It might not provide push codes, but at least the implementation is Open Source and the binaries come from a trusted source.
I bought the exact same machine, Samsung Chromebook 3, as soon as I realized I could run Termux on it.
I'm using it to poke at languages I'd normally never have the time to experiment with.
I'm on the train for about an hour every day, and I wouldn't feel comfortable with a "real" laptop - too likely to be stolen. But for $169? Not such a big loss.
I'm also really excited about how rock-solid this thing is, as a way to hand a kid a computer that can really teach them programming.
I love my C201, also not very expensive. I opted for the 4Gb version.
My first setup was chromeos + crouton then I moved to linux on a sd card. I noticed I never boot into chromeos anymore so I got rid of it.
I have a C201 too... I reflashed the bootloader with libreboot and installed arch linux on it. It is actually quite snappy, and works fine for development!
As a side point about Termux, Android 7 finally stopped hijacking the control+space combination, so you can use emacs efficiently.
Termux is really useful, giving you an almost complete linux environment in Android phones and tablets. You can install it via Google Play, no need for root or any modification to your device. Add an external keyboard and you can work on the go.
In March, we have seen reports of Android Studio possibly coming to Chrome OS. Android Studio would mean IntelliJ IDEA and the entire family of IntelliJ IDEs. That would make this an even better idea.
Nearly every how-to and blog post I've found on "Chromebooks for developers" essentially starts with either: "Boot into Developer Mode" or "Install Debian/Ubuntu as the main OS". I'll just say it: This is bad advice. It would be akin to recommending that friends jailbreak their shiny new iPhone. You're obviously free to do as you wish with your own gear, but recognize that at Step 1, you'll have lost most of the core security features of Chromebook
Well, it's possible to temporarily unlock firmware write protection and replace Google key with your own and run self-signed kernels and arbitrary distribution securely. But indeed, I haven't heard of anyone actually going through the effort to do so.
What's the alternative solution for a cloud/remote based factory wipe, travel and restore? Is there anything on Linux that offers the same quality of user experience without being hampered by chromeOS and dealing with Google/a 3rd party?
Get two yubikeys. Set up LUKS full disk encryption the usual way on Ubuntu. Install yubikey-luks and yubikey-personalization-gui. Set up yubikeys for HMAC challenge response on a free slot. Enroll both keys using yubikey luks. Clear slot 0, leaving you with an encrypted brick unless you have one of two yubikeys. Mail one key to your destination. Leave the other key at home. Travel, pickup key, use it to access device at destination. Before you return home, unenroll the key. Once you arrive home, use the home key to re-enroll the travel key. Repeat as necessary.
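The slot bookkeeping behind the procedure above, as an added Python model (not code from the thread, and not real LUKS or YubiKey tooling): it shows why the travel key cannot re-enroll itself once its slot is removed and why the home key is needed to restore it. The `Token`, `Volume` and `travel_cycle` names, the PIN used as the challenge input and the XOR key wrapping are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class Token:
    """Stand-in for a hardware key in HMAC-SHA1 challenge-response mode."""

    def __init__(self):
        self._secret = os.urandom(20)    # programmed once, never read back

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def token_key(token, pin):
    """Key material for a slot: the token's response to a hash of the PIN."""
    return token.respond(hashlib.sha256(pin).digest())


class Volume:
    """Toy multi-keyslot volume: every slot wraps the same master key."""

    def __init__(self, passphrase):
        master = os.urandom(32)
        self._check = hashlib.sha256(master).digest()
        self.slots = {}
        self._wrap(0, passphrase, master)

    @staticmethod
    def _kek(material, salt):
        return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000, 32)

    def _wrap(self, slot, material, master):
        salt = os.urandom(16)
        kek = self._kek(material, salt)
        self.slots[slot] = (salt, bytes(a ^ b for a, b in zip(master, kek)))

    def unlock(self, material):
        """Return the master key if any slot accepts `material`, else None."""
        for salt, wrapped in self.slots.values():
            kek = self._kek(material, salt)
            master = bytes(a ^ b for a, b in zip(wrapped, kek))
            if hmac.compare_digest(hashlib.sha256(master).digest(), self._check):
                return master
        return None

    def enroll(self, slot, existing, new):
        master = self.unlock(existing)   # adding a slot needs a working key
        if master is None:
            raise PermissionError("no slot accepts the supplied key")
        self._wrap(slot, new, master)

    def kill(self, slot):
        if len(self.slots) == 1:
            raise RuntimeError("refusing to remove the last slot")
        del self.slots[slot]


def travel_cycle():
    """Walk the procedure and record what can unlock the disk at each stage."""
    pin, install = b"constructed-pin", b"constructed install passphrase"
    vol, home, travel = Volume(install), Token(), Token()
    vol.enroll(1, install, token_key(home, pin))
    vol.enroll(2, install, token_key(travel, pin))
    vol.kill(0)                                   # passphrase slot cleared
    log = {"passphrase_after_clear": vol.unlock(install) is not None,
           "travel_at_destination": vol.unlock(token_key(travel, pin)) is not None}
    vol.kill(2)                                   # unenroll before the trip home
    log["travel_on_return_trip"] = vol.unlock(token_key(travel, pin)) is not None
    try:
        vol.enroll(2, token_key(travel, pin), token_key(travel, pin))
        log["travel_can_reenroll_itself"] = True
    except PermissionError:
        log["travel_can_reenroll_itself"] = False
    vol.enroll(2, token_key(home, pin), token_key(travel, pin))
    log["travel_after_home_reenroll"] = vol.unlock(token_key(travel, pin)) is not None
    return log
```

The guard in `kill` reflects the main operational risk of the scheme: with the passphrase slot gone, losing both keys leaves no way back into the volume.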
I have a potential application for U2F keys and I'm wondering why you recommend the $18 Yubikey on Amazon versus the $10 one that is also FIDO certified. Is there a difference in the function or some other important difference?
Not the OP, but I use a $6 one without a button that simply activates on insert. Unfortunately the company that sold them is more interested in bulk sales and they stopped selling individual units. I plan to eventually replace it with the Feitian ePass NFC FIDO U2F Security Key, which is still $17 but includes NFC which I could use with my android phone. For that functionality from Yubi you would need the $50 Yubikey Neo.
Does chromeOS allow you to remote wipe the box? That seems like that would be another advantage to this in the case of theft (note: definitely not in the case of the box being confiscated by a lawful authority).
[+] [-] serf|8 years ago|reply
[+] [-] kasey_junk|8 years ago|reply
That's why the author has you setup a new account so that you can segment your burner data from your real life.
[+] [-] andmalc|8 years ago|reply
[+] [-] keganunderwood|8 years ago|reply
Thank you for your help.
[+] [-] johnsmith21006|8 years ago|reply
[+] [-] AdmiralAsshat|8 years ago|reply
[+] [-] leggomylibro|8 years ago|reply
[+] [-] rkeene2|8 years ago|reply
[+] [-] limeblack|8 years ago|reply
It doesn't show up in Chrome Extensions search as easily as I would hope.
[+] [-] mrisoli|8 years ago|reply
[+] [-] chasote|8 years ago|reply
[+] [-] geofft|8 years ago|reply
[+] [-] chiefalchemist|8 years ago|reply
[+] [-] Sodman|8 years ago|reply
[+] [-] le-mark|8 years ago|reply
[+] [-] igravious|8 years ago|reply
[+] [-] andrepd|8 years ago|reply
[+] [-] microcolonel|8 years ago|reply
[+] [-] pilif|8 years ago|reply
[+] [-] devy|8 years ago|reply
[+] [-] datguacdoh|8 years ago|reply
[+] [-] Tharre|8 years ago|reply
You do realize the Dell XPS 13 has QHD as an option?
[+] [-] andmalc|8 years ago|reply
AFAICT the reason that even expensive 11" laptops generally don't run higher resolutions is that at that size you can't tell the difference.
[+] [-] bgrohman|8 years ago|reply
[+] [-] nur0n|8 years ago|reply
[+] [-] fredley|8 years ago|reply
[+] [-] mkohlmyr|8 years ago|reply
It is so close to being usable. It is such a user friendly operating system, it just falls short on a few significant fronts.
1. Developer mode should be friendlier to use (no horrible noises on boot, no delayed boot time).
2. It needs support for electron-based/alike apps to run natively in browser windows without crouton. E.g. vscode.
[+] [-] soniman|8 years ago|reply
[+] [-] Aissen|8 years ago|reply
[+] [-] StavrosK|8 years ago|reply
[+] [-] homakov|8 years ago|reply
[+] [-] VikingCoder|8 years ago|reply
[+] [-] g00gler|8 years ago|reply
I got a Lenovo 14" IdeaPad N42-20 and desktop to replace my 256gb MacBook Pro.
It turned out to be a bad idea, mostly because the screen is terrible. It's the same resolution as the Samsung 3 mentioned in the article.
It also seems so small compared to a 15". Side-by-side windows isn't very nice, either.
I find myself working less because I don't feel like sitting at my desk or using the Chromebook.
[+] [-] atopuzov|8 years ago|reply
[+] [-] em3rgent0rdr|8 years ago|reply
[+] [-] x220|8 years ago|reply
[+] [-] andmarios|8 years ago|reply
[+] [-] bergie|8 years ago|reply
http://bergie.iki.fi/blog/working-on-android-2017/
[+] [-] chx|8 years ago|reply
[+] [-] devy|8 years ago|reply
[+] [-] cjsuk|8 years ago|reply
[+] [-] qb45|8 years ago|reply
[+] [-] sliken|8 years ago|reply
What threat does the chromebook protect against that isn't fixed by FDE?
[+] [-] albertgoeswoof|8 years ago|reply
[+] [-] danjoc|8 years ago|reply
[+] [-] albertgoeswoof|8 years ago|reply
[+] [-] talkingtab|8 years ago|reply
[+] [-] camiller|8 years ago|reply
[+] [-] andmalc|8 years ago|reply
Works the same as my $18 Yubi key but the little cover over the USB prongs keeps falling off...
[+] [-] kasey_junk|8 years ago|reply