by maxsaltonstall 3289 days ago
Bring Your Own Device is fine for ChromeOS and Mobile. You might not get the full amount of trust as a Google-issued device (for mobile/tablet).

To achieve the highest levels of access in the BeyondCorp model you need a machine with Google's management agents, so we can evaluate device state accurately and pull information from our inventory management system.

2 comments

But if you don't provision the device yourself, how can you be sure it hasn't been tampered with in a way that just displays "bootloader OK, everything good" but in the meantime it was rooted? Or is that a risk calculated in the "no full amount of trust"?
That protects against newbies, but we’re talking here about Google employees – modifying and cloning the ICs on the board to fake a verified boot status should be a triviality for people who design their own chips and boards for Google’s own servers, right?
That would be covered by policy controls, not technical ones—it's the same issue as someone taking pictures of the screen with their personal phone. You'd need to address the actual issue that's causing people to do that (ill-thought-out policies, employee actually working for $INTELLIGENCE_AGENCY, employee enjoys espionage,…).
A recent example would have been the data that was stolen from Google and given to Uber – the employees who were qualified enough to design their own LIDAR chips and boards would equally be qualified to circumvent any such protections.
And that's how / why the legal system is involved and it's cost them their job. Security isn't just preventing something from ever being possible.
On a Google-approved device, you can still use that device, and copy content to another, non-Google-approved device. Nothing is perfect, but at some point you trust your employees.
You can't clone code from a non-Google-approved device, so if you write code you might as well have a Google-issued machine.