Chromebooks: Maybe They're Finally Ready for Prime Time
After writing about how Chromebooks are replacing Ipads in some schools, I began to wonder if these little Internet computers are really viable candidates for general use now. If you want the short answer, it's this: It depends. You'd probably like more than that, so stick with me and we'll consider the computer that's "nothing more than a browser." This week's issue is unusual in that it's essentially a one-trick pony -- all about Chromebooks, but we'll consider the topic from several viewpoints.
Recently, I noted that Chromebooks have started to displace Apple's Ipads in schools because they have keyboards, because they're easier for schools to manage, and because they cost less. If that's all they have going for them, they fall short of the mark.
When Chromebooks were introduced (May 2011), I didn't think much of them. After all, how useful could the computer be if you couldn't install any software and it depended entirely on Web-based programs to do everything? At the time, that was a valid point, but things change. Particularly over 3 years. That's a lifetime in hardware years, several lifetimes in Internet years.
So it was time to take a look.
I acquired a Samsung Chromebook 2 with a 13-inch screen. The CPU is essentially the same as what you might find in a smart phone (Samsung Exynos 5 Octa 5800) and that gave me pause. It also has only 4GB of memory with 3.5GB usable and a mere 16GB of storage. I had visions of maple syrup in January, so I made sure to buy from a vendor that would allow me to return it if the Chromebook turned out to be a colossal disappointment.
It's still here.
There are two small disappointments: First, this Chromebook has no touch-sensitive screen. Some manufacturers offer models with touch screens and I'm sure that I would like this one better if I could use the screen the way I do on a Windows 8 tablet or a Nexus 7. Second, Samsung went a bit cheap on the screen. The size (13 inch diagonal) and the resolution (wide screen 1920 x 1080) are fine; the problem is viewing angles. Viewing off-center horizontally is acceptable, but changing the vertical viewing angle results in a dim, washed-out image. I might wish for better, but I can live with the screen.
The most expensive Chromebook is the Pixel by Google. At $1300 to $1500, it costs more than a Microsoft Surface computer, which would be far more capable. But most Chromebooks sell for $200 to $400, which puts them in the same price range as a low-end notebook computer.
Wow! $1500 for a Chromebook?
The Chrome operating system uses the Linux kernel and the Google Chrome web browser along with an integrated media player. Many of the apps require Internet connectivity, but some can be used in off-line mode.
One of the most impressive features of Chromebooks is boot time: It's about 7 or 8 seconds from power off to login screen. After you provide your password, the machine will be ready to use in another 1 or 2 seconds.
Instead traditional word processing, spreadsheet, and communications applications, users add browser apps from the Chrome Web Store. Google says that their multi-layer security architecture eliminates the need for antivirus software.
Many USB devices (cameras, mice, external keyboards, and flash drives) are supported and the Chromebook keyboard has a surprising number of shortcuts; the keys are reasonably sized and they have sufficient "travel" when pressed to provide a reasonable typing experience.
Here's an interesting bit of information from an article by Salvador Rodriguez in the Los Angeles Times: During the first 11 months of 2013, more than 1 million 750 thousand Chromebooks were sold in the United States. Two points stand out: First, that was 21% of the US commercial business-to-business laptop market. Second, during the same period in 2012, Chromebooks sold less than half a million units and had a negligible market share. Whether this is a trend or a blip remains to be seen.
Specialized Apps
Maybe you think that all applications on a Chromebook require Internet connectivity. I did, but that's wrong. Maybe you thought that there's only a limited number of applications that will run on a Chromebook. That's what I thought and that's right, but the limit is a lot larger than I thought.
There are literally hundreds of applications, some mainstream and some esoteric, that run on Chromebooks.
If you must have Skype, it's not available on a Chromebook. But Bitstrips and Pandora are. Google Earth (oddly) is not available, but Google Maps is and it provides views from Google Earth. The Kobo and Kindle readers are available, but not Nook or Aldiko. If a particular application is essential to you, try a Google search for "your_essential_application Chromebook" to find out if what you need is available.
I was surprised to find that a free version of SnagIt is available on Chromebooks. Although it has nowhere near the number of features that you'll find on the Windows version of the application, it does allow the user to add arrows, rectangles, ovals, and text. And the resulting image is stored in PNG format to your Google Drive.
You can view the New York Times website in the Chrome Browser, of course, but the screen's size and resolution may be inadequate for your needs. The newspaper has created an app that's optimized for Chromebooks.
No Antivirus Needed?
Google says that users of Chromebooks don't need to bother with antivirus applications and you might wonder if this is simply marketing hyperbole (also known formally by it's abbreviation, BS). It's not, but the answer isn't quite that simple.
The Acer shown here sells for $200.
Chrome, the operating system used by Chromebooks is based on Linux. As you know, Linux can be compromised with certain variants of cross-platform malware. But Chrome isn't plain Linux and the implementation is such that it's difficult to install anything that would cause a problem.
Difficult. Not impossible.
All of the default applications on a Chromebook are cloud-based. Should any malware find its way onto a Chromebook, you could simply reset it to factory defaults and start over. Of course, that would mean having to configure and customize the device and to reinstall any local apps that you had downloaded.
Fortunately, though, the Chromebook has a process that will allow it to recognize malicious changes in most cases and eliminate the problem the next time you boot the computer.
Some apps can be installed and used even when the device isn't connected to the Internet. These include photo programs, text editors, games, and more. A lot more. Of course, if you restrict yourself to installing just applications that you obtain from the Chrome Store, it's unlikely that you'll ever see any malware.
I consider antivirus applications like vaccinations: They may not entirely eliminate the possibility that any one person (machine) will be infected, but the overall health of the community is better when everyone (every machine) is inoculated. Still, if you look for antivirus or antimalware applications for Chromebooks, you won't find any.
Chromebook Security in Depth
In a paper written at Massachusetts Institute of Technology, students Katherine Fang, Deborah Hanus, and Yuzhi Zheng characterize the operating system as uncommonly secure, but they note that certain system defaults weaken security. Chromebook buyers exist at both ends of the user community: Inexperienced people who use the Chromebook as their primary computer and can be assumed to have little knowledge of security, as well as highly-experienced people who see Chromebooks as capable portable devices and fully understand the security implications of the operating system's various security settings.
Because of this, the very people who need the most help with security are the ones least likely to get it. For example, Chrome security is strengthened by an auto-update process and by what's called "verified boot". Chrome has the least obtrusive automatic update yet devised, but it happens only at boot time. Because many novice users will just close the case instead of powering the system off, their Chromebooks could run for months between boot times. Experienced users will know enough to restart the system regularly.
The verified boot process is designed to eliminate malware even if an attack of some sort managed to install it. Each Chromebook actually has two root partitions. The computer compares the partitions at boot time and will boot from the first partition under most circumstances, but it can also automatically restore the boot partition if something has changed.
The boot process compares both sectors when the user starts the computer.
The MIT researchers explain it this way: Recall that the goal of verified boot is to ensure correctness of the currently running code. Because this correctness is only checked on boot, there are many attacks which exploit the situation in which the user does not shut down the computer after it has been attacked. In addition, only the firmware and signing key are guaranteed against rollbacks; the kernel is not.
So if the user doesn't boot the computer regularly (a process that takes less than 10 seconds), a system that has been successfully attacked will remain compromised.
By default, the Chromebook will ask for a password only when it boots, not when it is awakened from sleeping. This is easy to change, but an inexperienced user who doesn't understand security threats would likely be unaware that the option exists or know where to find the setting and change it.
Although files are located on the computer when they're being used, they are also stored on Google Drive. This means that if the computer is lost or stolen, the files are still available. It doesn't protect files on the computer, though. If someone steals an unlocked Chromebook, all of the files on the computer and all files in the user's Google Drive account are vulnerable.
The developers have made a significant effort to keep data secure, though. The thief who steals a locked Chromebook and cannot determine the user's password will find only encrypted data on the device. The computer can have more than one account and individual users can see only their own data because Chromebooks have no concept of "administrative" users who have access to all data on the system.
Some users will be concerned about storing data on any server that's accessible via the Internet and this is a reasonable concern. Inattentive users who accidentally reveal their passwords for their Google accounts, or create passwords that are easy to guess, would make all of their stored data accessible to an attacker. Phishing for login credentials is certainly easier than stealing a user's computer or decrypting protected data.
The two most important steps a Chromebook user can take (after creating a strong password, of course) are requiring a password when the computer wakes from sleep and booting more frequently.
The researchers conclude that "the fundamental security design of Chrome OS is solid, and it is clear the system was designed with security in mind. As data becomes more frequently digitized, security becomes increasingly important. Chrome OS rises to this challenge by making privacy guarantees about both code and data. First, verified boot ensures the code is correct, and second, a data partition with encryption ensures that the data is safe. Auto-update with two root partitions is a good idea not only for backup but also for security, because it minimizes the window of vulnerability."
Your Internal Security System Is Still Needed
Just because it's (nearly) impossible for malware to be installed on a Chromebook doesn't mean that users face no threats. It's up to the user, regardless of operating system, to use the wet-ware installed between their ears to evaluate threat levels.
If you receive a message that asks for your bank account number, Social Security ID, and password, you should know enough not to provide it. No reputable organization will ever ask for this kind of information by e-mail.
And, while on the subject of passwords, make sure your Google account has a long and strong password that can't easily be guessed.
If you're using a Chromebook, you're automatically safer than someone who's running a Windows, OSX, or Linux system, but threats remain. Bad things can still happen to you and your computer.
Is a Chromebook for You?
The most important consideration in buying any piece of hardware is whether it runs the software you need; second perhaps is whether the device is physically comfortable to use.
This Toshiba Chromebook sells for $280.
Whether a Chromebook will be a good choice for you depends on what you do and how you want to do it. For example, I started writing this section of the report in a remote location at lunch time. I used a generic text editor on the Chromebook and saved the file to Google Drive. That meant that I could continue editing later on the Chromebook, a notebook computer, the desktop, or any computer that has an Internet connection, no matter where it is.
Chromebooks are incredibly light, fast booting, and quite a bit larger than most netbooks, which have largely fallen out of favor. Although you can use the "guest" account that Chromebooks provide, you'll be much more satisfied if you create a Google account and use it. (If you have a G-Mail account, that's all you need.)
Those who rely on specific applications might find Chromebooks to be unacceptable. You can't run Outlook, Word, Excel, Photoshop, Skype, or any program that has an explicit installer, but there are extensions and apps that provide similar functionality to that provided by many desktop applications.
No Microsoft Office or Adobe Creative Cloud, but you can use Google Docs.
Because LastPass is a browsers extension, you can still use it to manage passwords and most of the extensions that run in the Chrome browser will be just fine on a Chromebook because the browser is what it's all about.
Just don't plan to use Firefox, Internet Explorer, Opera, or Maxthon. It's called a CHROMEbook for a reason.
If you wonder whether Chromebooks can use thumb drives, external hard drives, and secure digital cards, the answer is generally yes. In most cases, you'll need a Micro-SD card if you go that route. And USB ports are generally included for thumb drives, mice, and external hard drives.
View and edit OneNote documents on Android or Chromebook devices and sync to OneDrive.
Most Chromebooks have a better keyboard than netbooks, run for many hours on a battery charge, and update themselves better than Linux, Apple, or Windows machines.
Another consideration is how comfortable you are in storing all of your work files on the Internet. Chromebooks have very little storage space. That said, I plugged in a 32GB Micro-SD card and that's no longer a consideration for me.
And G-Mail is the only game in town. You can't install another e-mail application if you prefer not to use G-Mail.
After all that, the answer to my opening question about whether Chromebooks are viable alternatives to other devices is still "it depends", but perhaps I've provided sufficient information that you'll know what questions to ask as you consider the possibilities.
Short Circuits
Android Phone Owners Face a New Treat
A recently-discovered security flaw that affects Android devices will be patched quickly, but owners of older devices may remain vulnerable.
The flaw was discovered by Bluebox Security. This same group found another flaw last year, so they understand the system. The new flaw could allow information to be stolen from millions of devices.
Bluebox says that all Android devices version 2.1 and later (starting in 2010) and up to, but not including, KitKat 4.4 have a flaw that means package installer signatures are not properly validated. The operating system automatically accepts apps that carry specific vendor IDs.
So this sounds like a terribly serious flaw and, in some ways, it is. But it's a terribly serious flaw that carries with it limited exposure: Apps that Google includes in the Play Store are thoroughly vetted. Because Google vouches for apps from their own store, the risk of obtaining a bad app from the store is tiny.
If you download and install apps from elsewhere, though, beware.
Bluebox puts it this way: An attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by a trusted vendor, and sign the application in a way that appears to contain a trusted certificate. When the Android OS installs the application, it will recognize the "good" signature and will then skip validating the app.
Bluebox notified Google about the problem in April and waited until now to make the information public so that Google could distribute a patch to manufacturers. Some of the manufacturers have already released patches, but others haven't and the oldest devices probably won't ever be patched.
So the bottom line, particularly for owners of older Android phones, is to avoid installing any app that doesn't come from the Play Store. Stick to the safe side of the street and you'll probably not be in danger.
Read the rest of the story at Gigaom.
Jailbreaks Are About to Be Legal
In what may be the highlight of the legislative session, the US House has agreed with the Senate on legislation that would make it legal for mobile phone owners to unlock ("jailbreak") those phones so that they can switch carriers without having to buy a new phone.
Current legislation makes jail-breaking phones illegal and consumers who do so can be fined up to half a million dollars. Apparently if something is both deeply unpopular and relatively trivial in nature, the House and the Senate can find ways to compromise on legislation.
The practice of unlocking phones was legal until last year because of an exemption to copyright legislation. Some cellular carriers even offered to unlock phones when customers changed from one service to another, but the new law will pave the way for people to make changes themselves or to hire others to do it for them.
The president says that he will sign the legislation, which is called the "Unlocking Consumer Choice and Wireless Competition Act."
Facebook Splits Chat from Main Application
Now Facebook users can run two applications to perform the tasks that one used to do. This is called progress. It's not a surprise, though. Facebook announced the change in April. If you have an Apple or Android tablet or phone, you'll be forced to change next week.
Messages from Facebook may confuse desktop users of the service, though. Those who use Facebook on a desktop system will not be required to use the new Messenger service. In fact, they can't. It doesn't (yet?) exist for desktops. Users of certain other devices (Windows phones, for example) will be able to continue using the single application.
Facebook rolled the new service out in Europe first, starting in April, and says that the results have been good there.
Now there's a Facebook icon and a Messenger icon.
The new application automatically picks up all of your Facebook contacts, so setup is easy, and it adds functionality such as Internet-based voice calls, group chat, photos, and short videos. Facebook says: "[O]ur goal is to focus development efforts on making Messenger the best mobile messaging experience possible and avoid the confusion of having separate Facebook mobile messaging experiences. Messenger is used by more than 200 million people every month, and we'll keep working to make it an even more engaging way to connect with people."
Mobile notifications now show a picture of the message sender.
About 20% of Facebook's customer base is already using Messenger. You'll still see message notifications inside Facebook, but you'll have the option of using Messenger to view and respond to the message. Additional changes will be coming because Facebook is in the process of acquiring WhatsApp, another service that provides Internet-based messaging.