The firmware is locked down with typically either a screw (older devices) or a CR50 security chip (newer devices): https://wiki.mrchromebox.tech/Firmware_Write_Protect#How_Does_Firmware_Write_Protect_Work.3F

The problems with loading a different distro on them would be:

• Cost to go through the process of installing alternate firmware and a new distro on hundreds of devices
• Cost to setup an alternate system to manage/track the devices
• Cost to deal with students who can now more easily re-flash the devices to run other things
• Loss of the fairly extensive management capabilities that ChromeOS provides that allows a school/government to lock the devices down, monitor them, etc

They’re downplaying their responsibility and the problem while taking a negative tone about the white hat (bold added):

https://www.cuinsight.com/press-release/cu-solutions-group-issues-statement-on-recent-crm-vulnerability/

CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed “researcher” who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a “bounty” to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, “HACK READ.” These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested “bounty.”

CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified “on the same day.” […] In his Website Planet blog, Mr. Fowler has done similar “research/publication” work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.

CUSG CEO Dave Adams, summarized this incident this way: “While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer “call to action”, and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled.”

And of course, the obligatory ‘we have an excellent security team, everyone faces threats, you can’t blame us’:

Continuing, Adams expressed confidence in CUSG’s Internal Technology security: “For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”

Basically the standard “we take security seriously”:

https://www.troyhunt.com/we-take-security-seriously-otherwise/

“We take security seriously”, otherwise known as “We didn’t take it seriously enough”

I’m curious what about the software is hell as a technician? I was under the impression that the ChromeOS part being normally unmodifiable by the user would lead to fewer problems. Is there something about it that makes it worse than a comparable Windows or Mac computer?

The Verge article got it wrong and used “Datatilsysnet”. The original BleepingComputer article used “Datatilsynet”. Please don’t blame the TLDR bot for The Verge’s mistake when copying someone else’s article.

Looks like it’s not focused on the student’s schoolwork/personal data but how they use the devices/services.

From the original BleepingComputer article that The Verge article is based on:

https://www.bleepingcomputer.com/news/google/denmark-orders-schools-to-stop-sending-student-data-to-google/

The agency clarified that permissible uses of student data include providing the educational services offered by Google Workspace, enhancing the security and reliability of these services, facilitating communication, and fulfilling legal obligations.

Non-permissible cases are purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms.

Removing the software wouldn’t make it cheaper considering where TV manufacturers are making their money nowadays. The choice would be between a cheap smart TV and a more expensive dumb TV. This has been going on for years.

From 2021:

https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021

It’s been less than a year since Vizio became a publicly traded company, and one consequence of that is we know more about its business than ever before. The TV maker released its latest earnings report on Tuesday and revealed that over the last three months, its Platform Plus segment that includes advertising and viewer data had a gross profit of $57.3 million. That’s more than twice the amount of profit it made selling devices like TVs, which was $25.6 million, despite those device sales pulling in considerably more revenue.

Then there’s this taken to the extreme:

https://www.theverge.com/2023/5/15/23721674/telly-free-tv-streaming-ilya-pozin-ads

There’s a new type of TV coming […], and it’s completely free if you don’t count the price of your attention — or data. Telly […] offers up a TV that makes up for its nonexistent price tag by showing constant advertisements in a second, smaller display.

Something like Amazon Sidewalk could be used by a device to send back telemetry theoretically but I haven’t heard of it actually being used for that. Connecting to an open Wi-Fi network or through some partnership with an ISPs (like Xfinity) seems like the easiest thing a device could do though.

https://www.amazon.com/Amazon-Sidewalk/

Seriously, Microsoft needs to get out of their own way with the marketing and just make a good product instead of trying to force all these things on people. They’d get a lot less negative attention if they just focused on the browser. The times I’ve tried it, it wasn’t bad but I now refuse to use it out of spite for their forcing it on you.

This is also a problem with them overall. They’ve improved so many things in modern Windows under the hood (e.g. we’ve gone from installing drivers for every component to needing practically nothing installed manually due to it doing it for you, it rarely bluescreens anymore in my experience, winget is nice) but then they ruin it with stuff like going backwards on the default apps screen (in 10 it was easy to set for common apps like browser/email/media/etc, in 11 its per protocol/file). Making it difficult to switch browsers or using Edge anyways for some things and ignoring the default just pisses people off for no good reason.

Genuine question: What’s stopping them from using these same powers on FOSS software providers that may be located in the UK?

That’s how the UK is framing it, “oh, it doesn’t give us the power to block anything, Apple is just over reacting”.

They already have the power to block things from the Investigatory Powers Act 2016: https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016

From the OP’s article:

The Investigatory Powers Act 2016 (IPA) actually implemented many of the proposed powers, including granting the government the power to issue orders to tech companies to break encryption by building backdoors into their products. Apple strongly objected to this at the time.

So with this, they would now have the advance notice needed to actually block updates where before Apple could just release an update and by then it was too late for the UK to do anything about.

You mean a lawsuit like the one about the “Great 78 Project” by the music companies or maybe the one about the “National Emergency Library” by the book publishers?

I think you’re right that we need to start working on alternatives, hopefully something decentralized. The Wayback Machine would be an irreplaceable loss though if the data isn’t preserved somehow.

It’s because of that https effort. Everything should be assumed to be https and only http or misconfigured/bad https gets a warning. No need to show a lock when it can be assumed and it was getting misinterpreted. Now they can use that spot to show something indicating controls and someone might actually click on it and see they can set site specific permissions and settings there.

Not quite, in 2018 they did add tracking protection to their list of goals for their Private browsing mode and have implemented features to reduce tracking/fingerprinting/etc while in it. The main focuses though were still the same at the start though: protecting against local data being saved.

https://wiki.mozilla.org/Private_Browsing

We target Private Browsing to 3 privacy goals; in a Private Browsing session, Firefox:

• Doesn’t save the browsing history or display it in the Firefox UI
• Prevents the session’s data from writing to persistent storage
• Protects the session’s data from online tracking

And it’s been that way since the beginning basically and is a lot more upfront about what it does and doesn’t protect against than other browsers like Safari.

The new language just makes it even clearer it applies to Google’s online services and I don’t see that as a bad change though.

Guest sessions already exist in the profile menu and is a separate feature. Guest doesn’t save history/cookies/etc locally but also doesn’t use your existing history, extensions, bookmarks, settings, etc. It’s intended more for an actual guest user to sign into temporarily.

b and c) Go after the ISPs who don’t disconnect the pirating users and sue them instead. Go after the deep pockets.

Or the ISPs in this case. They want the information about the pirates to use them as witnesses to show that the ISP didn’t terminate copyright infringing users, even when notified dozens of times and to show that the ISPs benefitted from these practices by retaining them as paying customers.

If poor security practices only affected those responsible, I might agree with you on that front. As shown from the 23andMe “breach” and also how botnets are formed, individuals’ poor security practices can affect many more people than just themselves. I feel we have a responsibility to protect people from doing stupid things, even if that might not be the most free thing to do.

Software on Windows is still a bit of a mess compared to most other platforms though. The fact that it is normalized to download and install things from the various developer websites, without much verification and without permissions/restrictions on what the apps can do is not a plus in my mind. winget has been helpful in managing the installation and updating of things though.

Everyone having their own launcher is also not great, especially since they are not all created equal with respect to features, stability, and resource consumption. Games have had this problem for some time with EA, Ubisoft, Epic, etc having their own launchers. As like what happened to games, I don’t think it will necessarily end up with more freedom to buy the apps from the store you want, but rather you’ll be forced to download a store/launcher based on the whims of the app publisher. Some may publish to multiple stores but I don’t expect all to.

If the mandate to open the platform up to more stores came with some kind of requirement that apps be available across multiple stores so that the stores actually had to be competitive on their own features, not app exclusivity, I would be more inclined to support having more stores.

It appears they aren’t taking legal action against the pirates but instead wanting to use them as witnesses against the ISP who has more money to go after and from the sound of it didn’t have decent repeat infringer policies in place. They also are after more than just the IP address, such as name, email address, and logs. That would presumably be enough to identify someone more clearly.