CaenJones / ChromeSEC

A guide to help administrators to properly set up and secure their Chromebooks without having to decipher documentation.
https://caenjones.github.io/ChromeSEC/
MIT License

ChromeSEC incorrectly disables certain features #5

Closed kkilobyte closed 3 days ago

kkilobyte commented 4 days ago

let's start off with accessibility features. turning off every accessibility feature that could be used for kiosk exploits means you turn off every accessibility feature that could be useful for someone who is disabled/impaired. just take chromevox for example; you can get a hidden web browser in a kiosk and then use chromevox on it, but people who are visually impaired rely heavily on chromevox to do their work

now let's get into forced wi-fi configs. take a second to think. schools are 1:1 for a reason, and you guys let kids use chromebooks at home, if the wi-fi is forced onto the school network, how do they connect to the home network....??

and now ltmeat prevention. ltmeat has been long patched by google themselves, and blocking extensions this way is stupid. first of all, now it's more difficult to remove extensions, such as those whitelisted or installed by default, and this blocks things like the dark reader control panel

and also. performance settings. this is such a really stupid thing to block, considering you guys use really shitty chromebooks like the lenovo 300e gen 2 which breaks on itself and only has 4 gb of ram. do you guys realize how slow modern chromeOS is with 4 gb of ram and a celeron in 2024? it's barely usable! and you guys make it worse by force disabling users from making chrome maximize the best out of their ram

you guys also block the policy viewer, it doesn't let you change anything and in fact it's very useful as now you know which extensions are allowed or what websites are not allowed so you don't waste your time on "your admin blocked adblock" or "this website is blocked by your admin". that was just petty

(also whitelist extensions kinda sucks, and they won't approve shit, just give me my adblock my chromebook is too slow for these stupid ads)

same with chrome://system as you can't do anything and why in the world do you block chrome://restart, you can already restart chrome easily with alt+volume up+x but sometimes kids want a bookmark to do it, and you guys block file:// and data????? how in the fuck do you load a pdf file if file is blocked and data is used by many websites to load images

also, powerwashing. powerwashing is very useful especially in the case of system error and extreme slowness. and you guys pay for like 90 tb google drive, and some schools even default the local files to go to the google drive! hell both schools i've been to told you to powerwash before you get your chromebook troubleshooted by a sysadmin, which sometimes saves money as the powerwash normally fixes the issue.

disabling user enrollment is also not good in that regard, as powerwashing requires user enrollment, and if a kid wants to re-enroll, let them enroll??? you bring up the "personal device" issue but personal devices can't "set the enrollment policy"??? when a personal device enrolls into the org you should deprovision it remotely. hell some schools are dicks about it and keep it enrolled with "sorry your fault"

(plus a student re-enrolling can just go into their vt2 and enable enrollment via vpd)

ps: shimless can't unenroll

CaenJones commented 4 days ago

Hi @kkilobyte! Thanks for leaving an issue. I will certainly make some changes to ChromeSEC because of it; however, some things you mentioned are not fully correct.

The recommendation to disable accessibility features only works within Kiosk apps and not on normal ChromeOS, where users would still have access to the menu. Furthermore, students who need those features while testing usually use different solutions and would not be in normal Kiosk programs.

Secondly, the forced WiFi configuration only works if the school network is in range. Once students are at home, it would be possible to connect to a home network normally.

LTMEAT getting patched is valid, and I will be making changes to it soon.

Preventing users from accessing the task manager and not allowing them to task kill extensions as well as having an extension whitelist is a valid policy choice that most districts use to ensure the integrity of their extensions.

Blocking data:// bookmarklets is recommended in ChromeSEC, however, the guide also tells admins how to just prevent JS from running on those pages, where file:// was actually mentioned. Not on the total blocklist.

You know darn well that powerwashing is used for many chromeOS exploits :P

Disabling user re-enrollment is a recommended step by Google for dealing with Sh1mmer and can give better visibility into who is using it.

Yeah shimless can't unenroll, that's fair ;(

Have a great day!

kkilobyte commented 4 days ago

> Blocking data:// bookmarklets

huh? i always thought bookmarklets were javascript://

> You know darn well that powerwashing is used for many chromeOS exploits

all blocking powerwashing does is just make it take longer since you can just do fakedevmode, and on latest chromeOS, you can't do nothing

> Disabling user re-enrollment is a recommended step by Google for dealing with Sh1mmer and can give better visibility into who is using it.

surely google does know that people doing sh1mmer know how to run vpd -i RW_VPD -s check_enrollment=1.... right?

CaenJones commented 4 days ago

ExtHang3r is a data bookmarklet, and still works on chromeOS

Exploits like Crsh2tty are still relevant on older versions, but users in general do not have to / should powerwash.

I thought users controlled Google accounts could still not enroll the device if the policy is set? I could be wrong tho...

AshtonDavies commented 4 days ago

Bookmarklets are only JavaScript:// URLs. Data URLs are just html data stored in a URL silly.

CaenJones commented 4 days ago

> Bookmarklets are only JavaScript:// URLs. Data URLs are just html data stored in a URL silly.

Yea technically fair ig

*ExtHang3r is a local data URL

S-PScripts commented 3 days ago

yapping ahh

S-PScripts commented 3 days ago

> let's start off with accessibility features. turning off every accessibility feature that could be used for kiosk exploits means you turn off every accessibility feature that could be useful for someone who is disabled/impaired. just take chromevox for example; you can get a hidden web browser in a kiosk and then use chromevox on it, but people who are visually impaired rely heavily on chromevox to do their work
>
> now let's get into forced wi-fi configs. take a second to think. schools are 1:1 for a reason, and you guys let kids use chromebooks at home, if the wi-fi is forced onto the school network, how do they connect to the home network....??
>
> and now ltmeat prevention. ltmeat has been long patched by google themselves, and blocking extensions this way is stupid. first of all, now it's more difficult to remove extensions, such as those whitelisted or installed by default, and this blocks things like the dark reader control panel
>
> and also. performance settings. this is such a really stupid thing to block, considering you guys use really shitty chromebooks like the lenovo 300e gen 2 which breaks on itself and only has 4 gb of ram. do you guys realize how slow modern chromeOS is with 4 gb of ram and a celeron in 2024? it's barely usable! and you guys make it worse by force disabling users from making chrome maximize the best out of their ram
>
> you guys also block the policy viewer, it doesn't let you change anything and in fact it's very useful as now you know which extensions are allowed or what websites are not allowed so you don't waste your time on "your admin blocked adblock" or "this website is blocked by your admin". that was just petty
>
> (also whitelist extensions kinda sucks, and they won't approve shit, just give me my adblock my chromebook is too slow for these stupid ads)
>
> same with chrome://system as you can't do anything and why in the world do you block chrome://restart, you can already restart chrome easily with alt+volume up+x but sometimes kids want a bookmark to do it, and you guys block file:// and data????? how in the fuck do you load a pdf file if file is blocked and data is used by many websites to load images
>
> also, powerwashing. powerwashing is very useful especially in the case of system error and extreme slowness. and you guys pay for like 90 tb google drive, and some schools even default the local files to go to the google drive! hell both schools i've been to told you to powerwash before you get your chromebook troubleshooted by a sysadmin, which sometimes saves money as the powerwash normally fixes the issue.
>
> disabling user enrollment is also not good in that regard, as powerwashing requires user enrollment, and if a kid wants to re-enroll, let them enroll??? you bring up the "personal device" issue but personal devices can't "set the enrollment policy"??? when a personal device enrolls into the org you should deprovision it remotely. hell some schools are dicks about it and keep it enrolled with "sorry your fault"
>
> (plus a student re-enrolling can just go into their vt2 and enable enrollment via vpd)
>
> ps: shimless can't unenroll

lenovo 300e gen 2 was my old chromebook LOL it wasn't that bad until midway through its 3rd and last year when it started to crash

CaenJones commented 3 days ago

Closing this issue. Will reopen if @kkilobyte responds.