177 comments

[ 2.6 ms ] story [ 232 ms ] thread
I tried using a Chromebook as a dev machine several years ago - before Android apps. The chroot situation worked well enough, but the dev-mode boot was a deal-breaker.

Back then, if a Chromebook's local storage filled up, it would factory-reset itself. Is this still the case? This is one big thing keeping me from trying this again (which I'm very tempted to do so after reading this article). Investing in setting up a dev environment like this is fun, but only the first time around...

I think the author was arguing that the install was cloud-backed in such a way that you could simply factory-reset it and restore it, especially before and after travel through oppressive security inspections. I'm not sure it's completely described though.
What's the problem? I switched my asus chromebox to dev mode and installed ubuntu and didn't notice anything. I think there was some small tweak to get rid of the warning and hit f1 to continue or whatever it was.
In five years of running a Chromebook dev mode, I've never had that happen but just in case Crouton has a backup feature to save a gzip of your chroot onto a SD card etc.
I love my C201, also not very expensive. I opted for the 4Gb version. My first setup was chromeos + crouton then I moved to linux on a sd card. I noticed I never boot into chromeos anymore so I got rid of it.
I have a C201 too...I reflashed the bootloader with libreboot and installed arch linux on it. It it actually quite snappy, and works fine for development!
I also run arch linux. I tried setting up debian recently, works good too. Do you run 3.14 kernel (linux-veyron) or the mainline (linux-armv7)?
This is a very interesting setup. You should elaborate a bit more about it!
What is your battery life, never using ChromeOS?
This certainly makes a great dev environment for golang as for development golang has very reasonable requirements.
Wouldn't want to compile some big Scala projects on it I suspect
I'm a bit confused (did skim article only). Is this running ChromeOS or Linux? Can I get steam games like stardew valley to run on it?
ChromeOS, Termux, and probably not. You might be able to run some Android games though.
That's what I thought. However, this article (http://lifehacker.com/how-to-install-linux-on-a-chromebook-a...) mentions crouton and being able to run Ubuntu. For instance, can I use apt-get, containers, etc.? Seems like there are two "solutions" .. one is to reboot into an open Linux system and the other is a more loose chromeOS?
Have you read the actual article? I thought it was quite thorough in explaining what the author was doing and why.
The author explains why they want to stick to "native" ChromeOS. You said you only skimmed the article, that is probably why you are being downvoted.
(comment deleted)
This blog post details using a chromebook as a temporary device, such that you can travel with a blank machine, and provision at your destination with the data and apps you may need:

> It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) on an inexpensive Chromebook and later securely restore over the air once at my destination. ... the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. ... I could treat it as a burner and move on.

Edit; I've been using a de-chromed chromebook for over a year as my primary dev machine and really like it. I developed and launched one side project with it. The model I have (Acer C720) is a dual core Centrino, 2GB of ram, and I upgraded the m2 sata to 120GB. For Python/PHP/Ruby, it's great. I would not do Java development on this set up though. Java IDEs eat battery life and I imagine jvm startup time is a burden on this, although I haven't even installed Java to find out.

Edit 2: to clarify, this is not about removing chromeos, but to use chromeos for it's security features. The article goes over using Termux to get a basic development/work environment setup on chromeos. Plus a lot other helpful tips.

I offered my experience de-chroming as an example, I really like the platform. Apologies if that was confusing.

> Edit; I've been using a de-chromed chromebook for over a year […]

Ok, but as the article states, they did not de-ChromeOS it because they wanted TPM and Verified Boot and FIDO-certified U2F security key so that they didn't defeat the whole purpose of buying a Chromebook.

FTA: “As far as Debian/Ubuntu (and crouton), that's fine as far as it goes, but then you don't end up with a Chromebook, just a cheap mini-notebook with flaky drivers. The whole point of this exercise is to retain the hardened posture of the platform and have a flexible, safe development environment without depending on the crutch of privileged access.”

U2F keys also work on plain Linux with Chrome or Chromium. Though you may have to add some udev rules:

https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rul...

The article also states, in the first paragraph, that he wants to use the ChromeOS linux variant because he believes in the security model.

> I've come to fully appreciate Google's Chrome OS design. The architecture benefited from a modern view of threat modeling and real-world attacks.

This linked in the article explains what he means https://www.chromium.org/chromium-os/chromiumos-design-docs/....

I read the article. The comment of my parent poster seemed to imply that U2F will only work on Chromebooks and 'vanilla' Linux.
You can have verified boot, and use the TPM and the U2F security key without the chrome os on a chromebook.
Totally agreed, but given the engineering efforts that Google have gone through to make the hardware and software stack work in harmony and given Google employees use Chromebooks the author of the article wants to set up a working dev environment by adding to Chrome rather than nuking it and coming up with a semi-custom solution. My first comment was to point this out.

We all know you can put Chromebooks into dev mode and load Ubuntu, in fact I thought it was necessary to get the most out of Chromebooks. If it turns out that Chromebooks can make decent dev environments without nuking and installing Ubuntu or whatever and if they can run Android apps then Chromebook suddenly become a very interesting value proposition.

I use U2F with chrome on ubuntu. How how do you get TPM+verified boot without chromeos?
(comment deleted)
I used my CB30 as a dev machine for a little while, both using cloud environments (koding, codeanywhere) and using vscode under crouton.

It is so close to being usable. It is such a user friendly operating system, it just falls short on a few significant fronts.

1. Developer mode should be friendlier to use (no horrible noises on boot, no delayed boot time).

2. It needs support for electron-based/alike apps to run natively in browser windows without crouton. E.g. vscode.

You probably know this but ctrl-d avoids the delay and the noises.
Pressing keys while it's booting up is pretty scary with the threat on the screen to delete everything.
I had no idea! As far as I can remember it says any keypress will take you out of developer mode.. I will definitely try this tonight, thanks!
So, be inconvenienced in every aspects important to a dev but gain a bit of confidence in your machine (as long as you trust Big-G)?

verified boot seems like the only advantage here. You can buy an ebay business-grade laptop with TPM for 40 bucks USD readily, and they don't require reliance on Google or the requirement that one uses a neutered OS. (yes, yes, it's secure. It's a users' platform. Development on chrome OS at this point is an act of masochism.)

If secure travel is your thing, stash your data on a cloud provider and pull it later after you arrive at your destination. Go whole-hog and travel without an SSD and buy a cheap one at your destination with cash. Sprinkle in some libreboot for more confidence.

It'll still be cheaper than a 200 dollar chromebook, and you probably won't have to deal with some of the worlds' worst chicklet keyboards.

P.S. don't travel with a yubikey that isn't partnered with another. Would be a bummer to lose.

I am not saying you're wrong but I'd like some advice on what to buy. The x220 I've never seen dip below $100 with 4GB RAM and a hard disk or at least a caddy.

Thank you for your help.

You can fInd x220 in not very good condition for 100 to 150 usd. And even a x201 is ok for development purposes.
> The x220 I've never seen dip below $100 with 4GB RAM and a hard disk or at least a caddy.

ThinkPad caddys are dirt cheap. You can buy third party compatible caddys for under $10. [0]

In terms of a laptop with a reasonable build quality that includes a TPM, pretty much any corporate laptop will suffice. X220's command a premium because they're ThinkPads.

If you look at other options, something like the Dell E6220, which is from the same generation as the X220, can be purchased used for around $100. [1]

They don't support coreboot, but they're otherwise reliable machines. The Dell UEFI implementation supports only allowing signed updates and SecureBoot. Depending on your threat model this might be enough for you.

> You can buy an ebay business-grade laptop with TPM for 40 bucks USD readily

You'll have to buy something older than the E6220 mentioned above, but the Dell E6400 is available for $40. [2] That will have an integrated TPM.

[0] http://www.ebay.com/itm/Lenovo-Thinkpad-X220-X220i-Hard-Driv...

[1] http://www.ebay.com/itm/Dell-Latitude-E6220-13-3-Intel-Core-...

[2] http://www.ebay.com/itm/Dell-Latitude-E6400-Laptop-Core-2-Du...

If you want the literal 40 dollar laptop I had in mind, look around for an X60/X60s/X61.

They are old, but they are well equipped and I love their keyboard feel, plus TPM and all that jazz.

Their specs are pretty low-end nowadays, but I find that devs have too varied a range of preferences and tasks to judge what they need too readily.

If you're sitting in a huge IDE or photoshop or otherwise have a strong need for heavy lifting and high resolution during your travels, however, these cheapy business-grade laptops from yesteryear are probably a poor choice.

But I sit in emacs and IRC most of the time with music on -- they are perfect for that.

https://arrowdirect.com/

Get a dealer account and you get 20-40% off the listed prices. I applied and got the account in about a week or two.

"Grade A" refurbs are in really good shape.

Cheapest X220 (Grade A) right now is $153.60 ($192.00 list).

Cloud restore is the other big win here. You don't have to roll your own and it just works.

That's why the author has you setup a new account so that you can segment your burner data from your real life.

Syncthing does this for me. I start it, click on one of my other computers, select "introducer" and everything copies back exactly where it was.
Sub $200 Chromebooks with decent keyboards: Dell 11 (2014 & 2015 models), Asus C202SA, and maybe the Lenovo educational models. At higher prices, of course, you have many choices: both Pixels, Lenovo and HP 13" and the Acer 14 for Work (all last year), the new Asus C302SA.
The Dell 13" is regularly discounted.
You can get a Acer 14 refurb for under $200 which is a good dev machine using Crouton with ChromeOS. Nothing else is going to be able to touch this. Sounds like you are just not up to date what is now possible with Chromebooks.
In March, we have seen reports of Android Studio possibly coming to Chrome OS. Android Studio would mean IntelliJ IDEA and the entire family of IntelliJ IDEs. That would make this an even better idea.
Is it not currently possible to install any GUI-based IDEs into Chrome OS?
Only inside a Linux chroot (like Crouton)
You can currently only use web based IDEs or Android based IDEs in Chrome OS.

There are some good web ones (Cloud9) out there and even a few Android based ones (AIDE). You won't be running any Windows or Linux IDEs though (because Chrome OS is not either of those.)

If you're referring to full-blown IntelliJ, Elcipse, VS, etc, the answer is no afaik. But if syntax highlighting, code completion and lightweight refactoring (within and across files) counts, then Caret or Zed might be worth a look. These are native Chrome apps, and don't require web access/connectivity. (I wrote most of the Chromebook piece in the OP and all my Go code using Caret, and am happy with it). I did some toy stress testing by opening up a few copies of War & Peace (1.5M+ line) text files in Caret. It took a couple of seconds to load, but search & replace and rapid scrolling/navigating worked well. Trying the same thing in vim either in Termux natively or via local ssh didn't hiccup at all. As mentioned in other threads, it's a side effect of design decisions, and naive assumptions about in-memory files. Kids today...
While I like the idea and the listed apps are just awesome (didn't know about termux, wow), the whole setup depends too much on google services for my taste :-/
Yeah, this is a no go for me. I don't use anything by Google at all. How can a security conscious person talk about privacy and security on a Google device? They are listening, filming and tracking every single thing you do near that device.
That ("They are listening, filming and tracking every single thing you do near that device") is a claim you're going to have to substantiate. Don't spread such rumours unless you can back them up.
Indeed, how dare they suggest that Google would track! They would never do such a thing!
If the claim being made was that they track your usage of their products, that would have been a reasonable response. But the claim being made is that they continuously monitor you through the webcam and microphone. That is extremely bold and, may I say, complete tinfoil nuttery.
Why is that so hard to believe? Personalized ads are huge right now, if you could listen in to people's conversations you can use the data to improve your ad conversion rate. If there's ROI in recording and doing the data collection you can bet they have at least experimented with it.

Can't imagine what recording webcams would do- but I suppose it might be effective for something.

> Why is that so hard to believe?

Because there's no actual evidence to support it.

(comment deleted)
(comment deleted)
He's not suggesting they are tracking you through their ad network as you go to websites that use them.

He's suggesting they are secretly filming you, logging your keystrokes, and rerouting your mic audio. That is a very bold claim that should be backed up or retracted.

What does this achieve? How does this stop anyone compelling you to do your fancy setup?
Whether or not a government can compel you to download and reinstall data to your laptop is a much trickier legal problem than whether they can ask you to show them what is on it currently (in the US they almost certainly can request that at the borders). It also adds to the hassle factor for the border crossing agent. If you are walking through customs/border entry with a in box, factory default chromebook in your checked baggage, changes the legal conversation.

Even if you aren't worried about state level inspection, this setup allows you to put the laptop in your checked baggage and not worry that your data has been intercepted by criminal enterprises in the case of rerouted bags or theft. This is a big boon for many business travelers as they are more worried about IP protection than privacy from governmental interlopers.

Yubikeys tend to wear out your USB ports after a bit I found, at least on my X201 and the X61 that preceded it.
Any port used frequently will wear out - they have limited life spans due to the moving parts. I see it with my external display ports pretty frequently.

One potential solution is a USB hub, or even a USB extension cable you keep plugged in.

Or use Duo's mobile app which has no mechanical parts!
The reason people use u2f keys is because they can't be cloned and the key can't be extracted. I too like and use TOTP (with Authy), but it really can't beat specialized hardware.
I agree entirely. However I'm willing to trade off convenience on this.
(comment deleted)
Yubikey NEO NFC!
My main issue with neo is that it doesn't have 4096 bit pgp support, unlike yubikey 4 and 4 nano.
I seem to remember reading that NASA would use short sacrificial extension cables so that ground tests would certify the jacks they'd be flying but not wear them out.
Cool. Question: what are your editor options? Any gui-based emacs or atom? If not, do you at-least have text-based emacs in termux?
Emacs works.

I ended up liking the "Caret" editor - it's a Chrome App.

As long as you don't mind Google spying on everything you do.
Regarding the TOTP app, I generally prefer FreeOTP to Google Authenticator/Duo/Authy, etc. It might not provide push codes, but at least the implementation is Open Source and the binaries come from a trusted source.
Agreed, and it's more usable as well (hides the codes by default, copies them to clipboard when you tap one, lets you rearrange them, etc).
What is push code?
I meant a push notification to accept/decline login (so without code in fact).

I've seen Google Authenticator do this (for Google accounts), or the Blizzard Authenticator. I would guess that Duo has a product for this.

Then it's separate feature from TOTP. It's not a real 2fa because it works like service>duo>user where duo can accept anything for you.
Agreed. I said "TOTP app" where I should have said "2FA app".

I still think it's a second factor. Only a third party might have access to the factor too, like SMS codes/3DSecure.

Yeah it's a mess when you recommend duo/authy not clear TOTP or internal system. It's a second factor but not the one that's worth implementing: basic link to email has same security and costs $0
Its not that simple.

Its true that push2factor have some disadvantages, but it has one really strong advantage above pure TOTP: phishing dosnt work as the 2factor is send directly to the site and cant be mitmed at your terminal. Read about it.

What stops phishing? The attacker triggers push request, victim accepts - everything is the same?
I bought the exact same machine, Samsung Chromebook 3, as soon as I realized I could run Termux on it.

I'm using it to poke at languages I'd normally never have the time to experiment with.

I'm on the train for about an hour every day, and I wouldn't feel comfortable with a "real" laptop - too likely to be stolen. But for $169? Not such a big loss.

I'm also really excited about how rock-solid this thing is, as a way to hand a kid a computer that can really teach them programming.

Does chromeOS allow you to remote wipe the box? That seems like that would be another advantage to this in the case of theft (note: definitely not in the case of the box being confiscated by a lawful authority).
If and only if the machine is enrolled and managed via the Apps Admin console.
Usable? Scanning codes and plastic sticks? Not really
> When things get completely borked (which in two weeks of heavy use only happened a couple of times for me)

how are people willing to live with this? I would be furious if I had to lose all my state and (for all intents and purposes) restart my machine multiple times in two weeks.

And if this "borking" happens right before or during a presentation (the author was writing about using this setup for giving talks on), this would be very embarassing for me and extremely annoying for the audience.

A work/presentaion machine has to be rock solid for me. No compromises, no workarounds and most certainly no "completely borked". Just pure solid.

>Just pure solid

Does that actually exist?

My Macs have an uptime in months. Sometimes I have to restart a process, but needing to restart the machine is exceedingly rare outside of the normal security update related reboots.

Over the years I have given quite a few presentations to customers and at public talks. None of my machines ever let me down.

Yeah, but probably not on a developers laptop. Even my mac does an occasional BSOD (aka kernel panic).

That said, multiple times a week is very silly. Once a month would probably top out my personal tolerance for similar bugs.

I reboot once a month, so that it reboots at all.

Despite using Arch Linux, and weekly "upgrade everything".

I know it isn't everyone's experience, but I was exceedingly choosey about the hardware that went into my machine, so that I could do this.

The only problem I've had in the last two years, was an incompatibility between ocaml and fish shell, which eliminated my PATH. Unfortunate, but an issue on the ocaml side of things. A big problem, for certain, but two years of bleeding edge updates, and that's it.

Mostly the same experience, running Debian Unstable on my X201. Keeping a simple environment (AwesomeWM and urxvt, rather than Gnome or KDE; dhcpcd, rather than NetworkManager) probably helps. I put it to sleep every day, often multiple times, and it never fails to come up, connect to Wifi, etc.
If you upgrade Arch without rebooting, don't you get messed up by losing unloaded kernel modules (because Arch doesn't keep old kernels)?
Hasn't been an issue yet.

But it ever does, I'll probably adopt and adapt one of the solutions from this thread [0].

[0] https://www.reddit.com/r/archlinux/comments/4zrsc3/keep_your...

Oh, excellent; thank you. I mentioned it because this has bitten me, so I'll want to use that fix.

Fun story: for $REASONS, I have an Arch system with root on btrfs and /boot on ext4, and it doesn't usually have the boot partition mounted (it's a poorly done mutiboot issue). I recently discovered that this means if I forget to mount boot before updating I get stuck with no loaded drivers to mount /boot :) Thankfully kexec worked, but I'd like to not need to do that:)

You can get pretty close.

I've got three machines that I use regularly.

1) Mid-2010 MacBook Pro, with RAM and SSD upgrades. This is my main machine at home. It has never had to be wiped and reinstalled, and it gets rebooted about once a month.

2) Late-2013 MacBook Pro. This is my work machine and the story is similar to my home machine. It's never needed a reinstall and gets rebooted about once a month as well.

3) Lenovo ThinkPad x131e (Intel). This is my travel computer, serving a similar purpose as the Chromebook mentioned in this article (minus presenting stuff). I'm running OpenSUSE Tumbleweed on this - frequent updates lead to frequent reboots. There's also all the associated weirdness that comes with running a rolling release Linux on a machine that requires proprietary WiFi drivers (they tend to lag by a couple of days). When I ran OpenSUSE Leap it was almost as solid as the Macs.

I'd call the Macs "pure solid" machines, or as close as I can reasonably get. The ThinkPad is decent and the weirdness with it is really my fault.

Like everything else, your experience may vary.

I reboot my laptop every day. I shut it down at night. It's all in what you're used to doing. There's no particular inconvenience, though it can seem that way if you're disorganized and don't ever close anything for fear of losing your place.
(author here) I think this was misunderstood. I don't mean the _entire_ Chromebook or OS was unstable -- just the opposite actually. I was referring to having to restart Termux twice in two weeks. Two weeks of constant wake/sleep cycles on and off battery, and plugging/unplugging from an external monitor.

In one case it was a hard kill and I lost one ssh window that had been open for a week. In the other, the Termux gui came up and I never dropped my session (the ssh process never died). I'm not yet familiar enough with the Termux internals to understand that. As far as the Chrome OS stability, it's been one of the most stable machines I own, and I say that as a long-time MBP & Librem owner. 99% of the reboots were intentional as I reinstalled the whole build from Powerwash to Erlang hello world, to make sure I got the details right for the post (and to help troubleshoot some minor install roadbumps a couple of my reviewers experienced).

On the presentations, I joined multiple Hangouts & BlueJeans (WebRTC) video client calls with zero trouble. Signal and Wire voice worked like a champ too.

So while I certainly understand some of the comments here, for _my_ use case — a reliable $160 multi-week travel/burner dev notebook with strong security, I'm more than satisfied. And of course it's not in the same league as my $2K++ MBP. I would never try to run a big JDK app, but for offline Go and Python work, it fits my bill.

Yeah, that's pretty terrible. My GNU/Linux machines have months long X11 sessions with firefox, libre office, hundreds (I've hit the window limit) of xterm windows, and lots of other stuff open while waking up and sleeping (s2ram) multiple times every day.

I've them crash once every few years after I'm done setting them up, usually it goes down because I run out of power or want to update the kernel. There's no good reason some GUI should die because of waking up from sleep.

I have a potential application for a U2F keys and I'm wondering why you recommend the $18 Yubikey on Amazon versus the $10 one that is also FIDO certified. Is there a difference in the function or some other important difference?
Not the OP but, I use a $6 one without a button that simply activates on insert. Unfortunately the company that sold them is more interested in bulk sales and the stopped selling individual units. I plan to eventually replace it with the Feitian ePass NFC FIDO U2F Security Key, which is still $17 but includes NFC which I could use with my android phone. for that functionality from Yubi you would need the $50 Yubikey Neo.
Tbf, yubikey neo has much more features than feitian epass.
One of the BIGGEST drawbacks using a Chromebook with 11.6 inch screen that nobody here talks about yet, is the grainy and crappy 1366 x 768 screen resolution! I've been a long time Macs guy anything inferior than RetinaDisplay will considerably straining my eyes before I am used to it. Dell XPS 13 included.
> [...] will considerably straining my eyes before I am used to it. Dell XPS 13 included.

You do realize the Dell XPS 13 has QHD as an option?

In fact I do! QHD is 1440p (2560x1440)[1] whereas Retina Display on a 13inch MacBook Pro is at 2560×1600, therefore Dell XPS 13 with QHD is still inferior.

[1]: https://en.wikipedia.org/wiki/Graphics_display_resolution#QH...

In fact you dont.

I use dell xps 13 for half a year and I have 3200x1800 resolution. When buying a xps you have two screens to choose from.

If you're going to compare to a Mac, it's better to look at the higher end Chromebooks like the Pixel 2, HP Chromebook 13, and Samsung Chromebook Pro. They all have screens with pixel density and quality that's on par with the 15" MacBook Pro I have.
Interesting. (But the Pixel 2 was discontinued 11 months ago, and there is no replacement, i.e., no Pixel 3.)
> They all have screens with pixel density and quality that's on par with the 15" MacBook Pro I have.

Alas, they also have price tags more on par with a Macbook.

Exactly! With a comparable price tag, Chromebook doesn't have advantages (if any), let alone of the Chrome OS's less user friendly stack (GUI based apps and whatnot).
1366 x 768 can look quite sharp on an 11". You were probably just looking at a bad screen.

AFAICT the reason than even expensive 11" laptops generally don't run higher resolutions is that at that size you can't tell the difference.

Scaling the same pixel density up to 13" and 15" yields 1614x908 and 1862x1047, respectively. So that's equivalent to arguing that there's no need for a better-than-1080p screen on even 15" laptops. Certainly many people are satisfied with 1080p, but there's a reason that modern high-end laptops offer (much) higher-resolution displays.
I have the Samsung Chromebook 3 (same size and resolution). I don't mind it at all. By comparison, the 14" Lenovo from my employer has the same resolution and looks worse. The Chromebook is no retina display, but it's not that bad in my opinion.
Not really an issue for me. Almost all of my work can be done through the terminal and through Emacs. For maximum visibility, I run a full screen terminals with large font and good contrast. I really wouldn't have it any other way, as I'm not a fan of GUIs. Of course, I still retain the ability to spin up a GUI if I am forced to do so. The only effect the screen has is that it does not entice me to watch videos (which is a great feature for a work machine).
Also, it feels like this Samsung Chromebook 3 is just tiny bit (I am sure it isn't but it feels that way) of upgrade from the famous Dell mini 9[1] from almost a decade ago.

It was super hackable and most people bought it installed hackintosh on it and with a near perfect hardware compatibility with OS X Snow Leopard. A few friends of mine went to Africa for a few months with Dell Mini 9 and were able to freelance their with a fully functional yet super affordable hackintosh Mac. I wish Dell can have another of those netbook lines with compatible hardwares.

[1] https://en.wikipedia.org/wiki/Dell_Inspiron_Mini_Series#9_Se...

I have been using the YubiKey for over a year now, and the novelty wore off.

I lost my key a couple of weeks ago and was surprised how easy it was to get back into my accounts with just my phone. There is no point in using something like that if providers allow you to failover to more conventional authentication methods without any hassle; the keys are useless. They are not going to add manual verification for a couple of people who lost their YubiKey.

YubiKey is useful for instances when you want to grant somebody access to something with just a key. I don't see it going beyond that anytime soon.

Depends on the provider. From some quick Googling Lastpass at least requires email verification before disabling Yubikey support.

https://lastpass.com/support.php?cmd=showfaq&id=2546

Even for providers that do provide seamless failover, the inevitable "we see you requested an account recovery" email would serve as useful canary to know you're being targeted.

> Depends on the provider

That was the whole point of my comment. It is up to the vendor and vendors do a horrible job.

> the inevitable "we see you requested an account recovery" email would serve as useful canary

There is nothing useful here. They are allowing you to bypass a secure key with a dumb email confirmation.

Your idea of a 'useful canary' is great; until you get rooted at 5 AM on a Monday morning and that email disappears before you wake up.

A cool down period would be useful here, just wait a couple of days for access
Well I imagine in most people's cases if they've managed to compromise their email then the game is already won.

Anecdotally, someone got my steam account credentials. I discovered this when they tried to change my password. Fortunately I had Steam's two-factor enabled and got the notification (2-factor is required to change steam account passwords), which alerted me to change my password. They actually tried the account recovery option and I got an email notification about that as well.

So in situations like that such notifications can be quite useful. But yeah, if they've compromised your most critical accounts/devices then YubiKey isn't going to save you. I don't think that's a knock against it.

I've been running the Chromebook Pixel 2015 as my primary dev machine since it came out. Unlike the author however, I've opted for the less-secure "dev mode" on the laptop, and do everything in crouton. (Java web / Android, mostly).

It may not be as secure, but it's hella convenient (still use 2FA). ChromeOS boot is < 5 seconds, and I just stay there for web browsing / netflix. Dropping into crouton is another < 5s when I need to do dev work, or play steam games.

Everything important on the laptop is backed up to some cloud service or another, but it's expensive enough that I'd be distraught if I lost it (plus they stopped selling them).

I'd be more worried about somebody straight up stealing the laptop than any other security risks I may be running by running in dev mode.

I love the idea of natively developing in ChromeOS, but at this point it just seems like more hassle and fighting the system than it's worth.

I've been doing the same thing, but as I work with Docker often I had to waste a bunch of time compiling a custom kernel[0], which I ended up trashing after about a week because who cares?

Instead, I just have my Chromebook and a VPC on Google Cloud that I SSH into for work. Theoretically I wouldn't be able to work if I didn't have internet access, but I've never actually run into that problem. I still have dev mode off, but I don't think turning it on is a huge risk.

Steam games though? I didn't know you could do that.

[0]: https://gist.github.com/christianbundy/ba62890a7c2f8128bcbb

Awesome link, thanks! Docker is actually the one thing I was never able to get working properly in my chroot!

Re: Steam games, yup it's powerful enough to run most indie games that support linux (which is an increasing number, recently). The biggest constraints are GPU and disk space. I've had a few good runs of FTL (Faster than Light) on long-haul flights.

You just gotta make sure you keep an eye on the battery, since if it dies you accidentally wipe the system :/