Advanced Plus Security DeepWeb's Chromebook Config 2019

[DeepWeb]

As some of you might know I bought a Chromebook because I wanted to structure my entire security around the hardware. Chrome OS was the way to go because:
-It's very cheap
-Every process is sandboxed
-Verified boot checks all the signed code
-Automated backup and sync
-TPM chip and full disk encryption
-Google Project Zero is providing security updates, one of the best security teams in the world.

 

[dash]

Good to see another Chromebook around here.

 

[Vasudev]

View attachment 207902​

As some of you might know I bought a Chromebook because I wanted to structure my entire security around the hardware. Chrome OS was the way to go because:
-It's very cheap (bought this Chromebook for INR 6,440! Sheesh!)
-Every process is sandboxed
-Verified boot checks all the signed code
-Automated backup and sync
-ARM chip makes me incompatible with almost all malware written for x86 CPUs
-This particular CPU is immune to Spectre/Meltdown as well
-LTE gives me Internet wherever I am
-TPM chip and full disk encryption
-Google Project Zero is providing security updates, one of the best security teams in the world.

Cons:
-Not fast enough for true gaming, video editing, heavy unoptimized websites
-No backlit keyboard unlike my laptop and I miss it especially when you're not in a well lit area.
-I found out that the LTE modem is made by Huawei........ Anyway... :notworthy: make sure you check the hardware parts. At least it's not Intel.

With Intel you'll have same features as Huawei LTE along with Intel MEI for best security.

 

[ForgottenSeer 58943]

Nice setup. It's getting hard to avoid Intel, but the good part is, Chromebooks are quite well hardened now against Spectre/Meltdown, even with Intel chips due to proactive patching by Google. I myself use a Chromebook as my 'daily driver' and the ONLY notebooks that ever leave my home are all Chromebooks because I want a secured platform when I am mobile.

One of the better 'cheap' Chromebooks I have found is the HP 14-CA052WM.. You can snag it got $150 or so refurb, and it's really good, has a touch screen, 1080P resolution, and is well built. It does have Intel, but has been fully mitigated against all variants of Meltdown/Spectre if I recall my notes on it.

My inlaws are potatoes that click on everything, and I can't convince them to go Chromebook.. <sigh>

 

[dash]

Am I the only one that finds it a little ironic that Chromebooks only achieve Secure: Basic? Aren't they kind of Secure: Complete right out of the box? LOL. It just seems a little odd to me. I'll survive, I'm just saying.

 

[ForgottenSeer 58943]

Am I the only one that finds it a little ironic that Chromebooks only achieve Secure: Basic? Aren't they kind of Secure: Complete right out of the box? LOL. It just seems a little odd to me. I'll survive, I'm just saying.

At this point, they are one of, it not the most secure notebooks available. The only established vectors of attack are bad chrome extensions and bad android apps. If you don't install android apps, and don't use junk extensions, then your threat surface is effectively zero. So yes, currently, they're the most secure out of the box, generally available notebooks in the world.

 

[harlan4096]

Security Tags are not only assigned only because the processor/OS is secure (or enough secure), there are other criteria involved, such as Image System Backup Tool? etc...

 

[Vasudev]

Security Tags are not only assigned only because the processor/OS is secure (or enough secure), there are other criteria involved, such as Image System Backup Tool? etc...

I don't think usage of 3rd party WinPE works on Chromebooks but I heard it does run win 10 pro ARM.

 

[LDogg]

Thanks for sharing! Fab little bit of kit.

~LDogg

 

[DeepWeb]

Honestly switching between my Chromebook and Windows laptop, it's irritating how many issues I am dealing with on my Windows device and how I have to battle my AV to install anything, and all the driver issues. So many small bugs but they all add up to one big annoyance. Meanwhile my Chromebook just works. The small ARM CPU is far slower but Chrome OS is so well optimized that daily usage is smooth. My stress level browsing has dropped significantly and LTE ensures I am always connected.

 

[Vasudev]

Honestly switching between my Chromebook and Windows laptop, it's irritating how many issues I am dealing with on my Windows device and how I have to battle my AV to install anything, and all the driver issues. So many small bugs but they all add up to one big annoyance. Meanwhile my Chromebook just works. The small ARM CPU is far slower but Chrome OS is so well optimized that daily usage is smooth. My stress level browsing has dropped significantly and LTE ensures I am always connected.

Try linux. Now you can undervolt in Linux too.

 

[DeepWeb]

Everything remains the same but I upgraded to a Dell Chromebook 7310 with a 1080p screen and a faster Intel CPU and backlit keyboard. The difference was worth it. I enjoy using my Chromebook even more now.

 

[dash]

The experience is just that much better when you use a nice device. That Dell is solid.

 

[dash]

Hey, whoa, you've got a Secure: Complete on your Chromebook now. Hmm..

 

[oldschool]

Everything remains the same but I upgraded to a Dell Chromebook 7310 with a 1080p screen and a faster Intel CPU and backlit keyboard. The difference was worth it. I enjoy using my Chromebook even more now.

Do you mind saying how much $$ to upgrade?

 

[dash]

How about a shout out to how easy it was to pick up right where you left off on the old Chromebook lol..

 

[DeepWeb]

Do you mind saying how much $$ to upgrade?

Found used in great condition on ebay for $150. The matte 1080p IPS display and backlit keyboard alone are a massive upgrade. The CPU is actually a Broadwell CPU. I don't know why Intel uses such confusing numbering for mobile CPUs. It's fast and with a few chrome flags tweaks it's blazing.

Dell Chromebook 13 7310 13.3in. (16GB, Intel Celeron, 1.5GHz, 4GB) Notebook/Laptop - Black - 82KK4 for sale online | eBay

Find many great new & used options and get the best deals for Dell Chromebook 13 7310 13.3in. (16GB, Intel Celeron, 1.5GHz, 4GB) Notebook/Laptop - Black - 82KK4 at the best online prices at eBay! Free shipping for many products!

www.ebay.com

How about a shout out to how easy it was to pick up right where you left off on the old Chromebook lol..

Yes indeed. 2 min setup and I was back to where I was originally. But I wish it synced my Chrome flags and my wallpaper as well.

 

[DeepWeb]

Chrome 73 is more buggy than 72 in a few aspects. I decided to unsubscribe all but one malware list in Nano Adblocker. What's the point? It's technically impossible to install anything without my explicit permission which is nice!
I replaced Google's PasswordChecker with Okla's PassProtect because it uses less RAM and does the same. I have gone from using my Chromebook and Windows laptop 50-50 to 99% Chromebook. I'm only on my Windows laptop every other week at the most. It's stunning how easy the switch was. If you know Chrome you will learn Chrome OS in less than 2 min. It's that easy.

I have also switched from DDG to Ecosia.

 

[DeepWeb]

3 things:
1. I did a thing! I updated ALL of my passwords making them all 6 months old at the most. It actually took me multiple days but I managed to update passwords that have not been updated in 5-6 years and raise my security score. According to LastPass I am now in the top 3%.

2. While I was updating passwords I also moved every account that I could to two-factor authentication (2FA). Since Chromebook supports Android apps I was able to use the Android version of Norton VIP Access and Authy to sync my 2FA token vault. I turned off 2FA via SMS wherever I could in place for more secure 2FA tokens and another method:

3. I bought and set up a YubiKey to further solidify my online security. I think they are a worthwhile long-term investment but I'm paranoid about losing them so I bought a YubiKey Nano. I will buy 1-2 more just to have backups in case I lose one and then turn off 2FA tokens for those accounts where I have more than 1 YubiKey.

I think these steps made hacking into any of my accounts significantly more difficult and they give me peace of mind that even if someone knows my password they can't do much.

 

[DeepWeb]

-Nano Adblocker
-I don't care about cookies

+SmartAdBlock
+Emsisoft Browser Security
+Mailvelope
+Firefox Focus
+Yubikey 5 Nano
+Feitian Keys
+Google Advanced Protection

I've set up Google Advanced Protection that requires two hardware keys. I have 3 (1x Yubikey and 2x Feitian regular + bluetooth). It essentially only allows hardware keys to be used for two-factor authentication and it restricts 3rd party access to your Google account dramatically. Google Drive backups of apps are unaffected but if you use 3rd party email clients, forget it. 3rd party access to your location data? Forget it. But that's what I wanted in the first place so I'm happy.
Added Emsisoft Browser Security for additional phishing protection because it is the least intrusive and least RAM intensive phishing protection I could find.
I also installed Mailvelope so I can receive and send encrypted mail such as Facebook.
I managed to install Firefox Focus from the Play Store and it surprisingly shows up in Chrome's context menu (pic) which is amazing! The thing is my entire Android environment in Chrome OS runs through my VPN so I have effectively a sandboxed, virtualized browser window that moves all of its traffic through an entirely different channel. I use strongSwan as my VPN because of IKEv2 and its ability to stay connected if the network state changes.

Overall my Chromebook feels dramatically more secure than my Windows laptop. I just have a peace of mind that I did not have on Windows 10.