Slashdot Mirror
Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers?
dryriver writes: This is not a question about dual-booting OSs -- having 2 or more different OSs installed on the same machine. Rather, imagine that I'm a business person or product engineer or management consultant with a Windows 10 laptop that has confidential client emails, word documents, financial spreadsheets, product CAD files or similar on it. Business stuff that needs to stay confidential per my employment contract or NDAs or any other agreement I may have signed. When I have to access the internet from an untrusted internet access point that somebody else controls -- free WiFi in a restaurant, cafe or airport lounge in a foreign country for example -- I do not want my main Win 10 OS, Intel/AMD laptop hardware or other software exposed to this untrusted internet connection at all. Rather, I want to use a 2nd and completely separate System On Chip or SOC inside my Laptop running Linux or Android to do my internet accessing. In other words, I want to be able to switch to a small 2nd standalone Android/Linux computer inside my Windows 10 laptop, so that I can do my emailing and internet browsing just about anywhere without any worries at all, because in that mode, only the small SOC hardware and its RAM is exposed to the internet, not any of the rest of my laptop or tablet. A hardware switch on the laptop casing would let me turn the 2nd SOC computer on when I need to use it, and it would take over the screen, trackpad and keyboard when used. But the SOC computer would have no physical connection at all to my main OS, BIOS, CPU, RAM, SSD, USB ports and so on. Does something like this exist at all (if so, I've never seen it...)? And if not, isn't this a major oversight? Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?
real exploits of that situation are rare
End thread.
It would be complex, expensive, huge and stupid. Dual boot, encrypt both partitions.
That second system you are looking for, to browse and email and such, it's in your pocket.
It's called your phone.
The need you are describing is apparently not widespread nor strong enough for anyone to invest in implementing it in the way you describe.
Use your phone.
'If the women don't find you handsome, they should at least find you handy.' — Red Green
#DeleteFacebook
Because buying a 2nd laptop only costs like $300.
Just carry a second laptop around! 2 Surface Pros are still less weight and size than just 1 typical laptop from 4 years ago!
Puppy Linux on a bootable USB stick. Set it to not allow access to your hard drive.
Virtualization is the obvious answer. Inside your VMs you can run Linux, or Windows, or whatever. It's quite safe. You should run your work-related stuff in one VM, and your personal stuff in another VM, and not use the native OS for anything except the virtualization software.
This is the most secure option you will find, and modern virtualization platforms (VMware, etc) will even let you set flashpoints where the VM is saved, and if there's an issue, you can rewind to the safe point and continue.
There's little to no performance penalty as long as the hosted OSes run natively on Intel.
- Vincit qui patitur.
SoCs are just liveCDs for lazy people.
Because it will make data mining that much more difficult.
Both products could allow you to run a complexity separate os. It would require a powerful laptop as you are splitting resources.
Problem solved.
Or use Hyper-V or ESXi and just run your stuff in that.
This isn't a hard problem that hasn't been solved many times over.
If it is that important that you don't trust a dual boot, you probably aren't going to trust anything that is in 1 package.
That being said, I carry 2 laptops (personal and business) and 2 phones. I have 2 phones as well, same reason.
It could be worse, it could be Monday.
...for business should extend to your personal life too, and cutting corners with systems that require have different models about what's secure and what isn't won't help the problem resolve more quickly, it will slow it down and make it more confusing to understand.
There's also no guarantee that a human, with all its fallibility, is going to have the discipline to train itself to operate under who different sets of security expectations, so will likely lean on one more than the other anyway, with all the cross-over madness that ensues.
So let's just keep fucking up until we get it right.
Let me introduce you to qubes os (https://www.qubes-os.org/) and purism (https://puri.sm/)
There are 2-in-1 laptops (that flip into a tablet) but generally for various reasons they use the same chip. Just dual-boot or VM whatever you need. You can run Android or Linux on your x86 and boot Windows in a VM when you truly need it. Apply encryption to the hard drive with a strong password or even have your VM in a hidden partition/sectors of your system or if you have serious trouble with customs of various countries, have your data only available on a separate hosted server.
A system with 2 separate chips does exist somewhat, it's called a MacBook Pro, you can use the secondary system to fetch e-mails and the like when your laptop is closed.
If you want actually a secondary tablet on top of your laptop, simply glue one onto the back of the screen. There are plenty of laptops and tablets that are thin and light enough.
Custom electronics and digital signage for your business: www.evcircuits.com
A hardware division of your resources is problematic because they'll never be fully indepedent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware only solution.
From software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically to address what you are looking for and do so at different layers, for example Qubes OS lets you do a VM per window and color codes them. And something like BitVisor has a narrower focus on protecting your VPN keys and encrypting your harddrive, from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN. without exposing that information to your personal system. (and vice versa if you choose)
But sadly there are a lot of problems with virtualization that is secure these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.
“Common sense is not so common.” — Voltaire
This question originated in a patent writing effort I was a part of 3 years ago. Basically, we were drafting the patent document for an invention on one PC that had no internet connection at all - to keep the invention safe from prying eyes until the patent could be filed. And we were using another computer with internet connection in a different room to look up stuff on the internet, like patent writing regulations, patent formatting guidelines, patent filing deadlines, technical stuff and so on. It was a pain in the ass because to keep the invention to be patented confidential, we had to write the patent on one computer with no internet whatsoever, and do everything internet related on a separate computer, going back and forth between the 2 machines for weeks. So I thought - why not make a computer that can go on the internet WITHOUT potentially exposing the entire machine to the internet. Having a 2nd mini-PC inside the main computer that can go online but cannot expose the rest of the computer to any would-be hackers seemed like a great solution for this. There are many real-world situations where you DO need the power of a full Win 10/Core i7 PC to accomplish something, and DO need to look stuff up on the internet all the time while you are doing this - technical details or technical knowhow for example - but are constantly fretting that exposing the ENTIRE PC or laptop to the internet could result in your work being stolen. So I came up with the idea of 2 computers in one casing - 1 large, fully featured computer that is not seen by the internet, and 1 much simpler SOC computer that CAN see the internet and be seen by the internet. Its kind of like using little netbook computer alongside your main laptop for internet stuff, but the netbook is built into your main machine, and can run parallel to it when needed.
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
You're trying to solve a problem in hardware. We're about twenty years past that. Hardware doesn't do anything anymore.
Back in my day, "drivers" were a bad thing -- there were modems, and there were winmodems, that latter needed software drivers. That logic has flipped. Now hardware does nothing without software driving it.
You're trying to double your hardware, and then add more hardware to switch between them. That's just not the equation anymore.
And in truth, you wouldn't want that. You wouldn't want to be using your SOC to browse the web, and then not be able to get that document/data/image onto your work hardware to, you know, actually work with it.
As far as protections are concerned, you're either using your SOC to access the internet to get sensitive data anyway (like e-mail) and hence you've secured absolutely nothing, or you're getting a file to transfer to your work machine, and hence you've breached your own security anyway.
If you know what you're doing, and it sounds like you could, then it's not difficult to secure your work data from your internet connection. Think about the easy things -- like a second hdd/ssd for the work file.
Secondary storage drives are easily turned off in device manager on a whim.
Don't visit terrible sites at all. Don't walk down dark alleys with your 10-year-old daughter ever.
Know how to clear buffers, and generally know that all's clear before spinning up that work drive.
But most of all, know:
that Ethan Hunt can always break in,
that there aren't as many Ethan Hunts as you've been led to believe,
that most of the time, Ethan Hunt doesn't actually harm you when he gets what he wants.
You aren't actually responsible for the edge cases, so don't expend all of your energy defending against them.
My 2009 MacBook is triple booted (Ubuntu, Mac, Windows 10). 500GB ssd, it runs pretty well especially when you consider its a core 2 duo
My now-ancient ASUS G50VT included ExpressGate. Based on Splashtop, burned into the BIOS ROM, manageable. Rudimentary Firefox browser, email client, Skype, and obviously hard to update. But it ran independently of any OS installed on storage.
Splashtop is now done, but it was also used by ASUS on some motherboards, and then endured obscurity, competition, and finally turned into something else.
It did work. It was pretty minimal, and could have been cool. And it certainly is possible today, even in BIOS, with flexibility and update capabilities, but somehow I don't see any of this on the market.
The obvious solution would be to embed ChromeOS or something similar, fairly lightweight and useful. This could let you keep your primary OS invisible.
Cost?
deleting the extra space after periods so i can stay relevant, yeah.
Security through isolation - Cubes OS does that...
https://www.qubes-os.org/
As for isolation on hardware level you don't really need that. But if you would the best would be to have second device.
The "editors" here have no clue what counts as a real question and what doesn't. Miss Mash would be far better suited as a homemaker than what she does here.
Le Sigh.
actually some companies have indeed exactly tried that, with products such as SplashTop:
some of the first Dell laptops to feature "Latitude On" where exactly that: a special custom SOC in a specially modified mini-PCIe card, that was able to run some restricted Linux (a web kiosk and a few built in apps. basically a distant ancestror of the chromebook concept), while accessing the nornal regular laptop screen and keyboard (but not much beyond that and certainly no access to any Sata mass storage).
it had a few minor advantage (mainly, instant power-on, and lower power usage of the SoC compared to the main CPU)
but a lot of disadvantage (complexity and restrictions due to the switching concept)
and cannot be used at the same time as the main CPU with Windows.
eventually, later version of "Latitude On" evolves into exaclty what you're suggesting: the mini-PCIe card evolved into an SSD with a Linux installation on it, and the main CPU simply dual booted into either the Linux installation on SSD or the Windows installation on SATA HDD.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I've always thought it would be pretty neat to have ESX running on a laptop and swapping between the different OSes as needed.
Don't even boot Windows.
I boot to elive on a USB stick so I never even have to see any hint of a blue tint at all. It's a live session, do your thing, like check emails, and the best part is the forget-about-the-run-cos-I'm-done. Save any work, like drafts of replies, on the hard drive; boot to Windows at home.
Since you powered off, it's total amnesia for the system you carry around.
Use an apple laptop to dual boot all the time. Hard to believe a writer is unaware that all macs can dual boot right out of the box.
I already have such a secured device, appropriately configured, with that added bonus that I can use it when my laptop's battery is empty, or the laptop is smashed up, or confiscated or in my checked baggage, or in front of me on the desk.
Dialectician. Archology.
Find/build a Live CD version of Linux that doesn't mount your hard drives, and you're pretty close.
You can get a USB zero client that basically does that.
You want a second OS? Use a VM. You want to keep your confidential files private? Encrypt them and only decrypt them when you feel like it's safe to do so. You don't like people trying to spy on you when you're connected to public wifi? Use a VPN. Everything you listed already has solutions readily available and that frankly are better options than booting into a completely different OS.
A few years ago, some laptops used to come with HyperSpace or Splashtop, pre-installed cut down linux systems that could be used to surf the net, Skype, play music, etc. They didn't use separate SOCs, but HyperSpace at least could use virtualization to run both your main O/S and the HyperSpace O/S at the same time.
I think they were primarily intended to get around long boot times in situations where you wanted an instant-on web browser, and not as a security measure when connecting to a hostile local network.
This is beyond niche and solved by access policy. What OP is describing only describes a way to make a weird, less secure (more attack surface area) edge case for the IT department to deal with.
--
"Insert witty quote here."
basically what you're asking for is perfectly reasonable but "not considered financially viable". even for EOMA68 (for which i'm the copyright holder of the Certification Mark), if you are expecting to have the power of a "modern" intel-based laptop in the form of a physically removable Computer Card where you would be able to isolate "work" from "external stuff", it's going to take another 4-5 years before the power reductions and performance increases from are sufficient so that it's actually even possible to fit a complete "high to medium performance" quad or octal core 3+ ghz computer plus 8 to 16 GB of RAM into such a small space.
the only *hardware*-level system that i ever heard of which had some form of dual (independent) processor system in it was about three to five years ago, it was announced here on slashdot: it was something like Lenovo or Dell who had put in an independent processor that could boot from the "BIOS" (if it's a full operating system it's hardly a BIOS but you know what i mean) into a complete and self-contained GNU/Linux OS with its own web browser.
aside from that, the only viable suggestions that you will get (and there will be some which will get lots of +1 moderations) will be dual-boot, or hypervisor-based (not that that means much any more with the spectres and meltdowns coming out the woodwork) virtual machining, or external USB memory-stick-based GNU/Linux OSes, and so on and so forth, all of which provide physical access to the drive, consequently *in theory* could actually maliciously be exploited and end up damaging the drive.
unless the work OS hard drive is removable. or the work OS hard drive *IS* the external USB stick and you swap over the USB sticks from work to "other" and back again. that would actually do the job that you're looking for, albeit with the performance penalty associated with some forms of external USB media, so you would have to do your research.
sorry it's not better news! honestly, though, if you absolutely really want to use the on-board (internal) drive, do consider virtualising the entire windows OS and sandboxing it... *and* sandbox the "other" OS as well. so that's 3 operating systems: the hypervisor / manager one (which you NEVER permit access to the internet) and that one should without a shadow of doubt be GNU/Linux-based. then you run Windows under QEMU (please don't use oracle virtualisation products), *AND* you run the "other" OS also under QEMU (or other suitable hypervisor system, do investigate XEN etc.) but... like i said: for all of these, you have to take into account the fuckups by Intel in the design of their processors where they prioritised profit over security: spectres, meltdowns and much more yet to be discovered.
Buy an old laptop (an older one with plenty of room in the shell) Gut it. Buy a nice ARM single-board computer (for your main OS, windows 10 for ARM since you mentioned win10) Buy a raspberry Pi for your secondary OS. Buy a cheap KVM switch, gut it. Get some batteries, a charging unit, etc. Have fun soldering.
You think the most common OS on the planet by device installations, most commonly distributed in a heavily modified binary blob, is significantly more secure than Windows 10. How cute.
If you're worried about the dangers of free wifi, check your open ports and use a VPN, problem solved.
"When information is power, privacy is freedom" - Jah-Wren Ryel
As others have said, run both the "secure" and "internet" OSes as virtual machines under a plain-jane hypervisor or host-OS that you use only to run the VMs under, and nothing else.
Unless someone exploits a bug or you do something stupid or careless - like carelessly access the internet from your host OS - you should be fine.
Locking down the host OS or hypervisor and keeping it patched is left as an exercise to the reader.
==
That said, there are no doubt cases where having a "two in one" computer is better than having two seperate computers or having two VMs running on the same hardware, but the number of such cases is small enough that it's no wonder there's not much of a market out there for such devices.
The scenario you mention is best solved by either a VM solution or, if there is a strict legal requirement that even a VM can't solve, using two computers. Why two computers? Because the cost of geting a 2-in-one computer that is certified to meet your legal requirement is probably way more than the "cost" - including the "pain in the butt cost" - of buying and using two computers.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Nobody is interested so nobody builds them. And no, a bunch of losers masturbating to comic books is not a customer base anyone would cater to, even if it amounted to anything?
Use a grownup operating system (and no, OSX doesn't count either). Learn to use your OS.
I have a USB LTE modem so I generally don't have to worry about using someone else's internet. I also have a VPN capable router at home so I can connect to the open WiFi and have my traffic encrypted back to my home network. And the VPN will run over LTE just in case I don't trust the local LTE.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Strange that nobody suggested using a VPN.
If you care at all about security, you have no business connecting EITHER system to third-party WiFi (whether open at a coffee shop or closed at some other business) without employing a VPN.
The VPN should either terminate at your home/company router (hopefully you trust your own company's IT department to maintain a secure environment) or with a trusted third party. (i.e. your IT/security people should vet the company's security).
For your specific case (per your followup comment) that alone should have been sufficient.
But if - as you had stated originally - the Internet access was for personal stuff, and you want to avoid mixing business and personal uses, you could use a VM to keep the uses separate.
The two-computer system you used has a flaw, that could have been alleviated with a VPN. Somebody snooping on your second computer's connection might reasonably be able to determine what you were working on based on your searches and visited sites.
For your actual use case, use a single computer with a VPN. For your hypothetical use case (personal use as well) use one or two VMs and use separate VPNs to connect to the Internet from each.
Because it is a specialist user case and flawed from the get go.
First you want the second system to use the same keyboard and display as the windows 10 system? but not have access to any other hardware such as usb? That sounds 100 times more complicated than you carrying around a cheap (200-300) tablet for web browsing and emails.
What kills me is that you want the 2nd system to connect to some hardware but not all of the hardware... The keyboard and trackpad both have their own firmware that could be compromised by the 2nd system which then could compromise the windows 10 system. If running a VM is too much of a security risk for you than sharing ANY of the hardware is the same level of risk because at that point you are looking at targeted attacks and your attackers will already know who you are and what your habits are.
Seriously, it sounds like you just need a cheap tablet to use on insecure networks, just remember to never connect it to anything to be used on secure networks. dont try and invent solutions to problems only you can see and expect them to be a viable business case, most business travelers understand the difference between work related devices and personal devices.
Distance, between 'secure' and 'unsecure' electrodes, is the closest thing you will ever get to actual security. Any other type of 'security' is a marketing term used to sell you a security blanket.
The same reason a lot of well thought ideas don't exist - there's not enough money in it.
The market is too small for a hardware-based dual system as described.
For basic isolation -- I use my SmartPhone !! (with tape over the microphone & camera).
For even more isolation - I access YOUR PC at the coffee bar table next to me via the credentials I gathered via my pineapple that offered "Free WiFi".
The solution does exist. Due to the expense of having extra hardware to do this (the level of isolation you want) - most people dual boot using an encrypted file system or a local VM. TruCrypt had this feature -- a secret file system within another one hidden and accessible only via which passcode that you type in at boot time. This way if something ran amuck it couldn't access those other files.
I use a VM running on my PC to access external stuff - yeah that's backwards as the data I want to protect is on my main OS (because I use it the most). Convenience. For trippy things I spin up a VM in the cloud and go from there.
and with all due seriousness -- for really encrypted stuff I have an encrypted Folder that contains these files and requires a second password to access them. I mainly use MS-Word/Excel encrypted files, and for lots of files I'll store them in 7Zip password protected archives. Once I even created an encrypted Virtual Disk and spun up a VM to access the files. Turned out to be a pita and haven't done it since.
just pick up a used D630 and put tails on it
I agree with the recommendations to use a VM to host your personal email and web surfing. I suggest Virtualbox with a Linux VM, firewall and a script blocker.
I think that the point is that the poster does not want his Win10 laptop on someone else's wifi. Which I agree with. Windows should never be connected to an insecure/unknown internet access point. (Or installed on any computer, but that's another flame war - haha)
I would also recommend using your phone to connect to the internet. Most plans allow you to use your phone as a hotspot. Enable that and use your data plan. If you have a limited data plan or you use a work phone and cannot, get a portable hotspot.
There are several lightweight os options to boot from usb or flash media if you dont want to dedicate resources to dual booting a VM
Not really as complex as you make it sound. In fact, its been done before...
The older Motorola 60x(e) PowerPC Mac's (pre OS X) had an ability to take an AMD K6 with RAM, etc. on a PCI (or NuBus?) card that allowed them to boot Windows / DOS natively. I want to say there was a similar option for Sun UltraSPARc's as well.
I'm guessing the simpler solution is to use a HDMI stick instead, whether Android or a Compute Stick for a full OS. The would be small and 100% independent of whatever other computer hardware you're using.
You could also grab a RPi and a case to do the same.
I suspect putting a single board computer on a PCIe card with a shared graphics memory space so the main computer can show the display shouldn't be too hard of an engineering challenge if someone wanted to do it...it's just that any shared memory space becomes an attack vector.
Because for $5 or less I can just boot an alternate non persistant os from a usb drive.
this is a weird niche, so probably wont ever exist as a product. you should just use vm's, or carry a seperate machine
i have an esp8266 in a spare mpci slot running a cp/m emulator. because i was bored, had spare parts from past projects, and wanted to play zork on cp/m on a separate cpu. but its really useless.
To physically switch control of screen, keyboard, camera, microphone and so on. Otherwise non-work untrusted app can present work UI and steal your credentials. Even with a switch you could forget to flip it. A physical separate device is still best for security, even at the cost of a slight inconvinience.
My untested hypothesis would be 3 fold.
1) There isn't a huge market for such a thing so the cost of it would be prohibitive.
2) There is more profit in making hardware that will be bought by the 90% then the 10%
3) There are probably some work around that get you near what you want. ( also, my guess would be such systems probably do exist for military use , but you would probably be hard pressed to find them and unwilling to the pay the price if you could get one.).
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
I remember seeing somewhere one of the U.S. spy agencies will run insecure programs in a virtual machine inside another virtual machine. They used different guest and host operating systems. It's like putting a leaking a leaky bucket inside another leaky bucket and hoping the holes don't line up.
My opinion is this.might work but you'd need a pretty beefy laptop to run at any decent speed and therefore a heavy battery. That would be expensive. I, personally, would rather carry two tablets (less expensive superior battery life).
https://www.cnet.com/news/dells-hybrid-laptops-intel-arm-windows-linux/
Blackberry did this with BB 10, with a work mode and a personal mode.
Let's take a step back and look at the problem you're trying to solve, as it sounds like the switching mechanism you describe might be over-engineering things a bit. You want to use sketchy public wifi with a mission critical work computer?
My first inclination would be not to risk using it in public places to begin with, or do my web browsing with a different personal device.
Otherwise, a VPN connection and VM would be the most elegant solution. Solves the trust issues with the local network, and (mostly/arguably) solves the risks you take any time you use a web browser.
/* No Comment */
TENS, formerly known as LPS, is a nice package: https://spi.dod.mil/download.htm
Also includes 'Encryption Wizard' to crunch/encrypt files & folders.
It appears that whomever wrote the article has little idea of how VMs work.
He talked about CAD and his files being "visible to the internet" while online in another response. He is proposing a hardware solution any disagreements he responds to with attacks "the ENTIRE system faces the internet" not believing FDE works and demanding proof etc.
He's an engineer that doesn't know how computers, the internet, or the market works but believes he is smart enough to know the solution and wants validation for how smart he is. Other hardware engineers in this thread are being gentle with him. The security and internet savvy people are not.
Like, to begin with, why are you even using your business laptop in an insecure manner? You're basically asking "why can't I run two physically separate devices in one device" and the answer to that is "because you can't connect two computers together in any manner that lets you share the expansion bus"
The closest you will ever get to this is one of the Wacom tablet products which switches from being basically a portable Cintiq to a rather crappy Android tablet.
Like, I could see Apple pulling this off, but realistically it's just not something that makes any kind of sense, because if someone steals the machine, they still have access to the data that is on it, and by making there be "two machines" it just cuts the security in half, since you can leverage exploits in the weaker system.
The best solution is to literately carry two devices. Keep your business laptop secured, use an iPad or some shitty Android tablet when you connect to public Wifi.
Have you ever heard about them?
How would separate hardware be more secure?
My EUR 0.01 contribution: don't connect to untrusted networks and services at all and you won't need the pc inside a pc.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
If you really think you need to do this, keep it simple: Create a VM with the client OS of your choice and isolate that VM completely from the host's filesystem (no shared directories, no drag & drop between environments, etc. etc.). Keep your laptop's built-in WiFi turned off in questionable situations and connect the VM to a separate USB WiFi module (be sure NOT to also enable this WiFi module on the host computer). I think that's about the best you are going to get.
I agree with other responders that running Windows in a VM would probably be sufficient, but I'm old, and tend to want some kind of physical solution. My first thought was having a laptop with a removable drive bay (Apple need not apply) and swap out SSDs between your "work" instance and your "don't care if it's pwned" instance.
Barring that, I'd encrypt my main Windows drive and boot Mint (substitute your Linux of choice, or even Windows) off a low profile flash drive for browsing and email in sketchy environments. I see low profile thumb drives are up to 128 Gb now. With two empty USB ports on your laptop, you could have an instance running on a quarter terabyte without touching your main drive.
Enlarging on that, now that I think about it, your Windows instance could contain a clean image of your "burner" OS, for easy restoration should it get pwned in an airport. Or to refresh regularly just on general principles.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I have many. Maybe 1/2 dozen. Most are not allowed on the internet.
At one point, this was exactly what Citrix XenClient did and what Qubes does now. I believe Citrix completely changed direction, but the product at one time was a very thin hypervisor with two distinct virtual machines. Presumably one was your business VM and one was personal. The business VM synchronized back to the server and could be redeployed on new hardware very easily. It included capabilities so you could bring windows into the active VM from the background one while maintaining a good degree of isolation. In theory there was a lot to like, but the complexity/cost didn't justify the benefit to many and, as far as I know, ceased to exist in that form.
The problem with regular desktop virtualization is that you must choose one of your environments as the host and accept the impact that may have (security, patching impact etc). But for most, that nuance doesn't matter.
Rent an instance on Amazon or Google or any of the other hosting services. The ones I've used allow me to RDP to the instance.
Insert standard boilerplate about remote system security.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
A lot of people are suggesting virtual machines -- but at least theoretically, you might not be allowed to install VM software on your business laptop. Perhaps you're only supposed to be using the apps approved for it by I.T., or ??
The cheap solution would be carrying around a USB drive that's set up with an OS (like Linux) designed to run entirely off of it.
Sounds like the OP only wanted to be anonymous online. But there are other tools which can spoof almost any parts of your OS, HW MAC, Browsers, etc. so there's no need for a SoC with a seperate OS to do this. There were already tools available to do what you wanted.
For instance, running a basic OS which can only access the net won't surely touch your encrytped Win10 partition if it was setup properly.
captcha: minimum
This is what VMs are for.
But even putting that aside, why two completely different systems? That's not substantially different than just carrying two devices. Why not just select a different boot drive? If you're really paranoid this could be a hardware switch that completely changes which disk is at the end of a single sata connection, so there is absolutely no possibility of the system installed on disk having online content with the system installed on the other.
The Microsoft SurfaceBook has a detachable screen that becomes a tablet. I have no idea what capabilities the screen has when detached working as a tablet but if it were to have its own wireless networking, that would be the closest thing to what the OP asked for.
It would seem that the easiest thing to do would be to run the sensitive applications in a VM. Then make sure the VM isn't running when you take the laptop to an untrusted location.
Run a Linux or BSD distribution on the hardware that can act as a router/firewall, and provide NAT based network access to a WindowsVM running in KVM or Virtualbox.
I'm not sure what state virtualisation is in on various BSD variants, but it's certainly pretty doable on major Linux distributions.
Good luck finding a solution that works for you.
Explain, please. Why is it not a need? For anybody?
I charge by the hour to prove negatives, payment up front.
Inheritance is the sincerest form of nepotism.
I had an old HP mini that used an embedded Linux for just this purpose. It was neat it booted fast and was separate from Windows. It had it's own button and everything.
You are defining what the solution to the problem is, and defining that solution as something that doesn't exist in the marketplace. Furthermore your defined solution is dumb.
Don't do that. Start with the problem. You want secure access to the internet for lightweight activities. Something with some real isolation. The tech world has multiple solutions for this issue:
1). Run a portable OS on a USB stick;
2). Run a VM;
3). Run a completely separate device for this function. This is the only solution that has total isolation and can truly guarantee safety of your primary system.
Why is your proposed solution dumb? Why do your BIOS, CPU, RAM, SSD, USB ports need to be isolated? Why do your screen, keyboard and trackpad not need to be isolated? How do you propose to ensure this isolation? No, simply repeating the term "SOC" doesn't make that happen!
There was a security article a couple of years ago about a corporate system that got hacked. The Admins of that system thought that they had "isolated" backups because they had taken the backup device offline, between backups. Except bringing that device online and offline was a software process... The hackers simply brought the backup device online (using much the same process the Administrators did), then they corrupted the backups. Oops. You seem to think that using an SOC without connections to the stuff you want to isolate solves your isolation problem, but often it won't. It's too easy to make assumptions about how the isolation is actually implemented and usually, that isolation simply involves a piece of software.
I'm suggesting to you that you have made an artificial scenario/solution. You can't explain why your CPU and USB ports need isolation, but the user I/O devices do not. Not without invoking the rationalization, "but it's easier and cheaper to design that way, and it satisfies some eccentric priority list I have." It's trivial to propose something that doesn't exist then complain about the fact it doesn't exist. I can do that too: Why don't Meat Popsicles exist?! I demand an answer!
Of course if you disagree, then feel free to bring your proposed device to market. You'll find out pretty quickly that the commercial market for such a device is so small, it might as well be non-existent. The existing solutions work well, have lots of support and are affordable. Your security focus has been tried many times, either directly or indirectly (see: BlackBerry, BlackPhone, SELinux, etc.). These solutions are unpopular and fail to get much traction outside of small, security-focused sub-sectors (military, spooks, Unabombers, etc.).
.
Your NIC with its DMA controller is IOMMU constrained inside the sys-net VM, so it wont let it write to memory outside its own memory space. The sys-filewall VM and its iptables and nat keeps all your internal user VM's safe from the network.
Just use a Chromebook and log on as Guest. No special privileges, OS is safe.
There's been a ton of replies already, but the only one that matters is missing.
What you want does not exist and will not exist because Microsoft aggressively stamps out any attempt to create what you're asking for. Want a Windows license? You can't ship with any other OS. End of story. The moment Dell created Latitude On, Microsoft was on the phone telling them, "No more," and every Windows license agreement since has included the new clause.
Just get a cheap android tablet or something similar.
I'm not sure what led you to think 10 emails a day from a phone was any kind of hardship. On a recent trip I wrote thousands of word a day on my phone - I had other devices with me as well, the phone was simply more convenient.
People type on phones. A LOT. And the security on a smartphone is simply way, WAY better than any laptop OS at the moment is going to be for a very long time. When I was in China I brought a laptop but made sure it was never connected to the internet in any way (not even tethering) and used only my phone for internet access. At this point you could even dictate long emails on a phone with reasonable accuracy, though I still prefer typing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Assuming you don't need to run both simultaneously (which is sounds like based on the premise) why not have a system that can let you swap hard drives, be it via a physical switch between two PCIe SSDs, or physically via a caddy (Just don't lose it!). You're basically using the same system at that point and keeping your data physically separated. At that point you would have to have a persistent firmware based infection to be able to have your other data compromised.
------
"And may your days be long upon the earth."
The prime reason to run a specific OS is because some piece of software runs on it. I know of no situation where there is a specific need to run two or more pieces of software that only are available for different OSes.
Running dual boot is an annoying mess anyway. ... Being able to boot or run a lightweight system to use some features like a music player or something used to be feasible - the Olivetti Quaderno had an audio player and a calculator that would run in a minimal mode - but those days have long since passed, because if you need a seperate music player you can get a really neat one for under 10$. Or have one built into your headphones. Besides, smartphones.
Bottom line: Quit dual-booting. Use a VM or Docker or something and be done with it.
We suffer more in our imagination than in reality. - Seneca
People that I know, have a laptop for work and a phone for personal email. They don't want both in the same case...
... add yet another component into the system that could be compromised and possibly even install a persistent and unremovable threat. Brilliant.
I had a netbook years ago, an EEEPC if memory serves, that had a true dual OS system.
The main OS was Windows XP, but at start-up you press a designated key on the keyboad (If my memory is being true to me) and you'd boot into a stripped down version of Linux. I don't recall what the window manager was, but there was a web browser, ftp client, and a handful of other apps.
There was a separate dedicated storage for the Linux OS, so you could download files and whatnot. The secondary OS was minimal but very functional and it booted up FAST. 20-30 seconds from power on.
Try cramming a raspberry pie or whatever inside your laptop, hook to main screen, keyboard, touchpad, power and voilà!
Book of HJS 4:21 "Mmm... pie."
All these "Insightful" posts are like saying `Walk through a contagion/pestilence zone, but, carry a vial of aspirin/etc. in your underwear.'
Yeah, that _might_help, but, you are still at the mercy of chance/infection---WTF! ^.^
Your answer is a $200 Chromebook OR cheapie Android phone. But then again, who the fuck says that shiz is resistant to anything more than monkey farts---I know I know, hyou said your shiz is elsewhere, but the point lays, nothing is secure but your Mother's Love. --King Fucker Chicken out
Use a live-linux CD. That is a very safe solution. Especially when you put it together yourself.
Does something like this exist at all (if so, I've never seen it...)?
No.
And if not, isn't this a major oversight?
Not really. The market for people looking for a device like this is tiny. You simply wouldn't have enough customers to make building a device profitable. Everyone I know in your scenario either boots a second OS from USB or carries a tablet with a Bluetooth keyboard.
That's what I've wanted plenty of times, and it would solve the OP request. The Linux board (raspberry pi or whatever) would be an external gadget and would use the laptop as a pure peripheral. The laptop would have a setting that turned it into a passive HDMI monitor plus USB keyboard and mouse. It could add a USB device port (B connector) for that purpose, that completely isolates the laptop's internal computer from the keyboard.
Glue a Raspi to the back of the monitor. Include a slide out screen so the laptops main monitor will have like a slide out mini screen. Run the raspi power from the laptop battery somehow. Regulate it. badda bing... 2 systems, one machine, and would look cool if you 3d printed a new screen bezel to support the mods.
Package 2 SBC's, kbd, screen, etc. and connect them with a KVM switch.
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
You could always run pfsense or Untangle...something like that in a VM and use it to securely route and monitor your workstation VM.
Why are there no true dual system laptops or tablets?
The market is too small. It costs too much. Service and support is a nightmare. If your boss is serious about security, he wants you using a dedicated system, ideally one that is chained to your desk, with no Internet access, whatever.
If you want the ultimate in isolation, carry a tablet to use in "exposed" situations. You can even run your "sensitive" laptop system to consult it and check things, then type responses to email on the tablet.
Can't get more secure than an air-gap :-)
Comment removed based on user account deletion
No market because users really hate this and users control the IT budget.
How should it be? Yeah.
How is it? See above. Seriously and soul crushingly.
Don't rely on some internet that you don't trust and just tether your phone. Unless you're in the middle of the desert somewhere in this day and age the transfer rate is probably more than adequate. Or VPN into work.
There is no such thing as a trusted wireless network.
After writing that down 100 times, learn what https, VPN, and SSH are there for.
Free the inner Minix OS for the user!
Tron to the rescue!
and separate power buttons to power up the machine in either windows or linux.
I always figured it was Asus admission that windows was unreliable and you could still get on line when windows inevitably started throwing BSODs.
https://www.qubes-os.org/
There are no such laptops (assuming that's even true, didn't bother to check,) because there isn't enough demand, and it's too easy to have a something that would function that way, without having to have a special-purpose device; you just take a laptop, and duck-tape (yes, duck, not DUCT, look it up if you don't believe,) a tablet to the back of the screen, facing out, and use them according to which is cerrtified to handle sensitive info. Of course, THAT would be a little bit like having a cop whose beat is in a landlocked city with no bodies of water, no lakes, rivers, or streams nearby, let alone an ocean, carrying a handgun with a harpoon strapped to it, in case of, you know, shark attack. The original question here seems to be similar to, "why are there no handguns that also shoot harpoons". You simply don't have a real need for something like that given the different situations in which you'd need ONE, versus the other.
Also, anyone with a REAL need for that level of security, i.e., government and military personnel, would not be able to use the "secure" device in anywhere other than a secure facility, under normal circumstances, i.e., in a SCIF, (or whatever they call it,) which normally would make the "secure" device redundant, since the SCIF will likely already have one.
Our reign has gone on long enough. Indeed. Summon the meteors.
Its 2018 and as it turns out getting everything to work perfectly on everything is still reasonably hard?
Do you have directions that work to get this installed. The directions include SD card booting which obviously isnÃ(TM)t possible.
The included instructions are fine. They're not talking about booting off the SD card, they're taking about putting the ROM on the SD card so that you can install it. And by "SD card" they obviously don't mean a physical SD card; they're talking about android's "SD card" partition which is your internal storage (great terminology decision there, Google!).
The big steps are unlocking the bootloader and then flashing TWRP recovery. Once you have TWRP installed there are a number of ways you can copy the ROM over for installation. You can even connect a USB thumb drive if you have the appropriate dongle.
Just don't forget to download and install the google apps zip as well, assuming you want them. Otherwise you will have a google-less tablet.
Bring your own so you don't have to get in free wifi
Hardware is absurdly cheap. Our company runs on $200 refurb workstations and $300 refurb laptops and $1000 refurb servers. If we need another OS, it's cheaper and easier to just use a different device.
I don't respond to AC's.
A $35 Raspberry Pi type of a device would suffice with a USB connection to the input devices, an ethernet connection to the network, and an HDMI connection to the putput devices. Most of the hardware is already built, but for the interface bridges, and the Linux OS distribution is already in widespread use.
You can never be sure the manufacturer didn't cut some corners and/or made any honest mistakes when implementing such a touchy beast. You'll never be sure if the manufacturer didn't share with both OSes in a risky way some keyboard/video/multimedia/networking component that can run some code injected by the untrusted OS (that is even if they properly separate everything you mentioned as separated: OS, BIOS, CPU, RAM, SSD, USB).
Plus by your design the "attacker OS" has already access to keyboard and video so how do you know it isn't using it? Just trust the manufacturer? You can just as well trust directly the primary box. You might "feel" oh, Macbooks or Chromebooks or ipads or android or windows boxes are a can of worms and not to be trusted but any half-baked and barely used contraption like you are suggesting will be orders of magnitude worse.
I want to tell you about my real experience of dual-booting. Main idea: use linux for web and windows for gaming.
- 1st stage - dual booting - I had a 6 month cycle where I would start browsing in linux and reboot when I wanted to play.....but at the end of the cycle I would only stay in windows (and the cycle would restart due to Windows reinstallation)
- 2nd stage - virtual machine - I discovered PCIe vitualization in 2011; I would have 2 input/output sets of KVM connected to the same PC: one for linux (VM host) and one for guest (VM gaming). Now I could leave linux running while I would play games, and getting back to linux would be just like switching to another PC. Linux only needed Intel IGP, and Z68 and Z87 chips would provide 2 USB controllers each, allowing to map physical USB ports to host and guest. Unfortunately USB3 screwed everything, as it did not allow me to do these splits (and Intel HW seems most reliable in VMs). I even had a separate NIC for Windows.
3rd stage - 2 PCs - now I use an intel NUC for linux and the big PC is just for games.
While using the VM approach, I did think about what was needed for a laptop to be able to do this (I even choose an i5 thinkpad over i3 because of VT-d support, but never did any tests). But no manufacturer would provide a KVM integrated in a laptop. Any SW solution would mean some kind of compromise....I would say best approach is a linux VM inside Windows (or reverse, depending which needs 3D HW acceleration). Any other approach means having 2 devices (or if provided by OEM, a vulnerable platform...there were a few motherboards with a small linux in firmware).
PS: I also was thinking about a keyboard+screen combo for connecting to any PC. So having a portable screen+keyboard to debug "friends" PCs. If that would be made, then, if battery is not required, 2 NUCs are small and portable enough for a laptop bag.
there are so many solutions to this problem.
- have multiple users for different purposes, each user can have heir own security settings, rules, etc
- run a VM
- have an external stick/drive/dvd/etc to boot your ultrasecure OS from
- etc.
no need for some weird implementations vendors might come up with, which would turn out to not be secure at all after the get cracked by hackers, not to mention that each implementation would be different and the lack of a standard would make it very hard to work with - all for nothing.
On a long enough timeline, the survival rate for everyone drops to zero.
My old Dell Precision M4300 had a tiny Linux subsystem on a dedicated board and a separate on switch that would boot in to that rather than the main OS. It was limited but useful from time to time. Sadly, like so many hardware / firmware solutions it was never updated. I guess the closest I've got now is my mSATA drive which I could boot off if I so desired. That could then be configured not to see the main hard drive, or just areas of it, but a serious hacker could easily find there way around the main drive.
And why oh why hasn't someone already invented a laptop computer with an integrated bar fridge? Sometimes, I'm hanggliding over the sahara desert, and it gets real hot. I have to stop working on my CRM bugfixes, close my laptop, get out my entire, separate bar fridge, and open it up to get a refreshing cold beverage. Why can't I just get a laptop that has the bar fridge integrated? It makes hanggliding in hot parts of the world such a hassle, especially when I've got deadlines to meet!
Seems like the real threat to your confidentiality is not logging in to a bad wifi, but crossing borders with a computer that has more on it than it should. Carry a tablet and leave the computer locked up somewhere, besides it's nice to have a map you can actually see.
Sounds like as a nerd you OP need to take some business courses. Engineering is only 50% technology; the other half is economics, and the latter is the gatekeeper for most "crazy ideas".
Markets - where and how big are the markets for this? Mostly tiny compared to broader PC or mobile markets
Substitutes - my Mac running parallels gives me a perfect facsimile on standard Mac hardware; that's precisely what most people in this market like me do
SoC development costs - the MINIMUM cost to develop an SoC is $10M-$20M. That must be amortized with sales of PC units below $1K-$2K where the unit cost of the SoC is limited to $50-$200 of the BOM cost
PC Hardware development costs - typical development costs are in the $5M-$15M range (this is completely separate from the SoC costs!) so you need to sell a lot of PC units to amortize this cost as well.
The net result is it's doubtful you'd ever recover the costs given the smallish market size plus there are cheaper substitutes already available that are more compelling to most people.
HP has tried this it was nightmare on my laptop. It had a browser only boot. The biggest issue was most of the time i didn't shutdown my laptop. So first I had to boot up the laptop, then shut it down, then make sure I tap or hold a button to get it to boot to that special mode since it wasn't an option when I shutdown windows.
Why jou dont buy a SECOND SSD (or HDD) with your private OS, whatever it is ?
It doen't take long to swap a SSD form a laptop. In less than a minute, you boot on a new system, and you will be sure that the data from the firs one is safe in your pocket...
OS based on a flash card. this was their lightweight corporate system, so it must have sold millions. my account manager told me that almost nobody used it.
http://www.dell.com/support/article/us/en/04/sln284203/what-is-latitude-on-featured-on-some-dell-laptops
Just block chain the hell out of it. Block chain solves everything.
No one cares enough to bother with this. Certainly not business people who certainly donâ(TM)t know what an SoC is.
Sony VAIO Z23A4R had exactly this.
I've done something like this. Removed the optical drive and replaced with a disk tray with an SSD running linux. Primary hard drive with the work stuff was encrypted so the secondary OS had no access to it. For personal use in less secure places I'd just press F12 at boot time and select the second disk.
Caddy was about $15 from a well known chinese site. A 128gb SSD isn't that expensive either and it took me half an hour to set it all up.
Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?
So the idea is to stick a second, much less powerful computer, like a raspberry pi, inside a mainstream laptop to avoid exposure of proprietary data on untrusted networks?
Microsoft and Ubuntu already addressed this isdue, but no one cares - Ubuntu called it "running from a USB stick", Microsoft called it "Windows to go" - a complete computing environment on a USB drive.
Take your laptop, boot off the USB drive, enjoy a computing environment completely isolated from your laptop HD. You can place this environment on an SDXC flash card or low-profile USB device that barely projects out the side of your laptoop, then choose how to boot.
Why shove a raspberry pi in an i5 laptop?
Ken
https://phandroid.com/2013/01/09/hands-on-asus-transformer-aio-all-in-one-pctablet-running-windows-8-and-jelly-bean-video/
I saw it at a Gaming PC conference
It's a real large size android tablet that talks wirelessly to a Windows PC giving you the tablet touch screen experience on both systems. When docked video from the PC is overlays with zero latency. When undocked it switches seamlessly to an android app that streams video from the PC side to the tablet.