Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers?
dryriver writes: This is not a question about dual-booting OSs -- having 2 or more different OSs installed on the same machine. Rather, imagine that I'm a business person or product engineer or management consultant with a Windows 10 laptop that has confidential client emails, word documents, financial spreadsheets, product CAD files or similar on it. Business stuff that needs to stay confidential per my employment contract or NDAs or any other agreement I may have signed. When I have to access the internet from an untrusted internet access point that somebody else controls -- free WiFi in a restaurant, cafe or airport lounge in a foreign country for example -- I do not want my main Win 10 OS, Intel/AMD laptop hardware or other software exposed to this untrusted internet connection at all. Rather, I want to use a 2nd and completely separate System On Chip or SOC inside my Laptop running Linux or Android to do my internet accessing. In other words, I want to be able to switch to a small 2nd standalone Android/Linux computer inside my Windows 10 laptop, so that I can do my emailing and internet browsing just about anywhere without any worries at all, because in that mode, only the small SOC hardware and its RAM is exposed to the internet, not any of the rest of my laptop or tablet. A hardware switch on the laptop casing would let me turn the 2nd SOC computer on when I need to use it, and it would take over the screen, trackpad and keyboard when used. But the SOC computer would have no physical connection at all to my main OS, BIOS, CPU, RAM, SSD, USB ports and so on. Does something like this exist at all (if so, I've never seen it...)? And if not, isn't this a major oversight? Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?
real exploits of that situation are rare
End thread.
It would be complex, expensive, huge and stupid. Dual boot, encrypt both partitions.
That second system you are looking for, to browse and email and such, it's in your pocket.
It's called your phone.
The need you are describing is apparently not widespread nor strong enough for anyone to invest in implementing it in the way you describe.
Use your phone.
'If the women don't find you handsome, they should at least find you handy.' — Red Green
#DeleteFacebook
Just carry a second laptop around! 2 Surface Pros are still less weight and size than just 1 typical laptop from 4 years ago!
Virtualization is the obvious answer. Inside your VMs you can run Linux, or Windows, or whatever. It's quite safe. You should run your work-related stuff in one VM, and your personal stuff in another VM, and not use the native OS for anything except the virtualization software.
This is the most secure option you will find, and modern virtualization platforms (VMware, etc) will even let you set flashpoints where the VM is saved, and if there's an issue, you can rewind to the safe point and continue.
There's little to no performance penalty as long as the hosted OSes run natively on Intel.
- Vincit qui patitur.
SoCs are just liveCDs for lazy people.
Both products could allow you to run a completely separate OS. It would require a powerful laptop as you are splitting resources.
Problem solved.
Or use Hyper-V or ESXi and just run your stuff in that.
This isn't a hard problem that hasn't been solved many times over.
If it is that important that you don't trust a dual boot, you probably aren't going to trust anything that is in 1 package.
That being said, I carry 2 laptops (personal and business) and 2 phones. I have 2 phones as well, same reason.
It could be worse, it could be Monday.
Let me introduce you to qubes os (https://www.qubes-os.org/) and purism (https://puri.sm/)
There are 2-in-1 laptops (that flip into a tablet) but generally for various reasons they use the same chip. Just dual-boot or VM whatever you need. You can run Android or Linux on your x86 and boot Windows in a VM when you truly need it. Apply encryption to the hard drive with a strong password or even have your VM in a hidden partition/sectors of your system or if you have serious trouble with customs of various countries, have your data only available on a separate hosted server.
A system with 2 separate chips does exist somewhat, it's called a MacBook Pro, you can use the secondary system to fetch e-mails and the like when your laptop is closed.
If you actually want a secondary tablet on top of your laptop, simply glue one onto the back of the screen. There are plenty of laptops and tablets that are thin and light enough.
Custom electronics and digital signage for your business: www.evcircuits.com
A hardware division of your resources is problematic because they'll never be fully independent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware-only solution.
From the software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically to address what you are looking for and do so at different layers; for example Qubes OS lets you do a VM per window and color codes them. And something like BitVisor has a narrower focus on protecting your VPN keys and encrypting your hard drive; from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN, without exposing that information to your personal system (and vice versa if you choose).
But sadly there are a lot of problems with secure virtualization these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.
“Common sense is not so common.” — Voltaire
This question originated in a patent writing effort I was a part of 3 years ago. Basically, we were drafting the patent document for an invention on one PC that had no internet connection at all - to keep the invention safe from prying eyes until the patent could be filed. And we were using another computer with an internet connection in a different room to look up stuff on the internet, like patent writing regulations, patent formatting guidelines, patent filing deadlines, technical stuff and so on. It was a pain in the ass because to keep the invention to be patented confidential, we had to write the patent on one computer with no internet whatsoever, and do everything internet related on a separate computer, going back and forth between the 2 machines for weeks. So I thought - why not make a computer that can go on the internet WITHOUT potentially exposing the entire machine to the internet. Having a 2nd mini-PC inside the main computer that can go online but cannot expose the rest of the computer to any would-be hackers seemed like a great solution for this. There are many real-world situations where you DO need the power of a full Win 10/Core i7 PC to accomplish something, and DO need to look stuff up on the internet all the time while you are doing this - technical details or technical knowhow for example - but are constantly fretting that exposing the ENTIRE PC or laptop to the internet could result in your work being stolen. So I came up with the idea of 2 computers in one casing - 1 large, fully featured computer that is not seen by the internet, and 1 much simpler SOC computer that CAN see the internet and be seen by the internet. It's kind of like using a little netbook computer alongside your main laptop for internet stuff, but the netbook is built into your main machine, and can run parallel to it when needed.
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
You're trying to solve a problem in hardware. We're about twenty years past that. Hardware doesn't do anything anymore.
Back in my day, "drivers" were a bad thing -- there were modems, and there were winmodems; the latter needed software drivers. That logic has flipped. Now hardware does nothing without software driving it.
You're trying to double your hardware, and then add more hardware to switch between them. That's just not the equation anymore.
And in truth, you wouldn't want that. You wouldn't want to be using your SOC to browse the web, and then not be able to get that document/data/image onto your work hardware to, you know, actually work with it.
As far as protections are concerned, you're either using your SOC to access the internet to get sensitive data anyway (like e-mail) and hence you've secured absolutely nothing, or you're getting a file to transfer to your work machine, and hence you've breached your own security anyway.
If you know what you're doing, and it sounds like you could, then it's not difficult to secure your work data from your internet connection. Think about the easy things -- like a second hdd/ssd for the work file.
Secondary storage drives are easily turned off in device manager on a whim.
Don't visit terrible sites at all. Don't walk down dark alleys with your 10-year-old daughter ever.
Know how to clear buffers, and generally know that all's clear before spinning up that work drive.
But most of all, know:
that Ethan Hunt can always break in,
that there aren't as many Ethan Hunts as you've been led to believe,
that most of the time, Ethan Hunt doesn't actually harm you when he gets what he wants.
You aren't actually responsible for the edge cases, so don't expend all of your energy defending against them.
My now-ancient ASUS G50VT included ExpressGate. Based on Splashtop, burned into the BIOS ROM, manageable. Rudimentary Firefox browser, email client, Skype, and obviously hard to update. But it ran independently of any OS installed on storage.
Splashtop is now done, but it was also used by ASUS on some motherboards, and then endured obscurity, competition, and finally turned into something else.
It did work. It was pretty minimal, and could have been cool. And it certainly is possible today, even in BIOS, with flexibility and update capabilities, but somehow I don't see any of this on the market.
The obvious solution would be to embed ChromeOS or something similar, fairly lightweight and useful. This could let you keep your primary OS invisible.
Cost?
deleting the extra space after periods so i can stay relevant, yeah.
actually some companies have indeed exactly tried that, with products such as SplashTop:
some of the first Dell laptops to feature "Latitude On" were exactly that: a special custom SOC in a specially modified mini-PCIe card, that was able to run some restricted Linux (a web kiosk and a few built-in apps, basically a distant ancestor of the chromebook concept), while accessing the normal regular laptop screen and keyboard (but not much beyond that and certainly no access to any SATA mass storage).
it had a few minor advantages (mainly, instant power-on, and lower power usage of the SoC compared to the main CPU)
but a lot of disadvantages (complexity and restrictions due to the switching concept)
and could not be used at the same time as the main CPU with Windows.
eventually, later versions of "Latitude On" evolved into exactly what you're suggesting: the mini-PCIe card evolved into an SSD with a Linux installation on it, and the main CPU simply dual booted into either the Linux installation on SSD or the Windows installation on SATA HDD.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I've always thought it would be pretty neat to have ESX running on a laptop and swapping between the different OSes as needed.
I already have such a secured device, appropriately configured, with that added bonus that I can use it when my laptop's battery is empty, or the laptop is smashed up, or confiscated or in my checked baggage, or in front of me on the desk.
Dialectician. Archology.
Find/build a Live CD version of Linux that doesn't mount your hard drives, and you're pretty close.
You want a second OS? Use a VM. You want to keep your confidential files private? Encrypt them and only decrypt them when you feel like it's safe to do so. You don't like people trying to spy on you when you're connected to public wifi? Use a VPN. Everything you listed already has solutions readily available and that frankly are better options than booting into a completely different OS.
A few years ago, some laptops used to come with HyperSpace or Splashtop, pre-installed cut down linux systems that could be used to surf the net, Skype, play music, etc. They didn't use separate SOCs, but HyperSpace at least could use virtualization to run both your main O/S and the HyperSpace O/S at the same time.
I think they were primarily intended to get around long boot times in situations where you wanted an instant-on web browser, and not as a security measure when connecting to a hostile local network.
This is beyond niche and solved by access policy. What OP is describing only describes a way to make a weird, less secure (more attack surface area) edge case for the IT department to deal with.
--
"Insert witty quote here."
basically what you're asking for is perfectly reasonable but "not considered financially viable". even for EOMA68 (for which i'm the copyright holder of the Certification Mark), if you are expecting to have the power of a "modern" intel-based laptop in the form of a physically removable Computer Card where you would be able to isolate "work" from "external stuff", it's going to take another 4-5 years before the power reductions and performance increases are sufficient so that it's actually even possible to fit a complete "high to medium performance" quad or octal core 3+ ghz computer plus 8 to 16 GB of RAM into such a small space.
the only *hardware*-level system that i ever heard of which had some form of dual (independent) processor system in it was about three to five years ago, it was announced here on slashdot: it was something like Lenovo or Dell who had put in an independent processor that could boot from the "BIOS" (if it's a full operating system it's hardly a BIOS but you know what i mean) into a complete and self-contained GNU/Linux OS with its own web browser.
aside from that, the only viable suggestions that you will get (and there will be some which will get lots of +1 moderations) will be dual-boot, or hypervisor-based (not that that means much any more with the spectres and meltdowns coming out the woodwork) virtual machining, or external USB memory-stick-based GNU/Linux OSes, and so on and so forth, all of which provide physical access to the drive, consequently *in theory* could actually maliciously be exploited and end up damaging the drive.
unless the work OS hard drive is removable. or the work OS hard drive *IS* the external USB stick and you swap over the USB sticks from work to "other" and back again. that would actually do the job that you're looking for, albeit with the performance penalty associated with some forms of external USB media, so you would have to do your research.
sorry it's not better news! honestly, though, if you absolutely really want to use the on-board (internal) drive, do consider virtualising the entire windows OS and sandboxing it... *and* sandbox the "other" OS as well. so that's 3 operating systems: the hypervisor / manager one (which you NEVER permit access to the internet) and that one should without a shadow of doubt be GNU/Linux-based. then you run Windows under QEMU (please don't use oracle virtualisation products), *AND* you run the "other" OS also under QEMU (or other suitable hypervisor system, do investigate XEN etc.) but... like i said: for all of these, you have to take into account the fuckups by Intel in the design of their processors where they prioritised profit over security: spectres, meltdowns and much more yet to be discovered.
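The three-OS layout the comment above sketches (a minimal GNU/Linux host that is never put on the Internet, a Windows "work" guest, and a separate "other" guest for browsing) can be expressed as two QEMU launch profiles. The script below is an added example, not code from the thread or from any of the projects named in it; the disk paths, memory sizes and display settings are assumptions. The point it demonstrates is the two isolation knobs that matter: the work guest is created with no network device at all (`-nic none`), and the Internet-facing guest runs on a throwaway overlay (`-snapshot`) so whatever it picks up on untrusted WiFi is discarded when it exits.

```shell
#!/bin/sh
# Added example (not from the thread): QEMU launch profiles for a host that
# runs two guests, one air-gapped "work" guest and one disposable "other"
# guest with Internet access. Paths and sizes below are assumptions.
set -eu

WORK_DISK="${WORK_DISK:-/vm/work-windows.qcow2}"   # assumed path; this image never gets a NIC
OTHER_DISK="${OTHER_DISK:-/vm/other-linux.qcow2}"  # assumed path; clean image for browsing/email

# Arguments for the isolated "work" guest. '-nic none' tells QEMU to create no
# network device, so the guest has no path to the network at all.
work_vm_args() {
    printf '%s' "-enable-kvm -m 8G -smp 4 \
-drive file=${WORK_DISK},format=qcow2,if=virtio \
-nic none \
-display gtk"
}

# Arguments for the Internet-facing "other" guest. User-mode (SLIRP) networking
# gives it NAT'd outbound access without handing it the host's interfaces, and
# '-snapshot' sends every disk write to a temporary file that QEMU deletes at
# exit, so each session starts again from the known-clean image.
other_vm_args() {
    printf '%s' "-enable-kvm -m 2G -smp 2 \
-drive file=${OTHER_DISK},format=qcow2,if=virtio \
-snapshot \
-nic user,model=virtio-net-pci \
-display gtk"
}

# Guard: refuse to launch a guest that is supposed to be air-gapped unless its
# argument list explicitly disables networking. Returns 0 when it is safe.
assert_airgapped() {
    case "$1" in
        *"-nic none"*) return 0 ;;
        *) echo "refusing to launch: guest would have a network device" >&2; return 1 ;;
    esac
}

launch() {
    # $1 is "work" or "other"
    case "$1" in
        work)  args=$(work_vm_args); assert_airgapped "$args" ;;
        other) args=$(other_vm_args) ;;
        *)     echo "usage: $0 work|other" >&2; return 2 ;;
    esac
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    exec qemu-system-x86_64 $args
}

# Only launch when a guest name is given; otherwise just define the functions.
if [ "${1:-}" = "work" ] || [ "${1:-}" = "other" ]; then
    launch "$1"
fi
```

Run it as `./vms.sh work` or `./vms.sh other`. Two caveats the script does not handle: `-snapshot` also discards anything you deliberately downloaded, so moving a file from the "other" guest to the "work" guest has to be a conscious, separate step (which is exactly the hole an earlier comment points out), and `-nic none` only removes the network path, not the shared CPU, so the comment's warning about Spectre-class flaws still applies and the host's microcode and hypervisor need to stay patched.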
Buy an old laptop (an older one with plenty of room in the shell) Gut it. Buy a nice ARM single-board computer (for your main OS, windows 10 for ARM since you mentioned win10) Buy a raspberry Pi for your secondary OS. Buy a cheap KVM switch, gut it. Get some batteries, a charging unit, etc. Have fun soldering.
You think the most common OS on the planet by device installations, most commonly distributed in a heavily modified binary blob, is significantly more secure than Windows 10. How cute.
If you're worried about the dangers of free wifi, check your open ports and use a VPN, problem solved.
"When information is power, privacy is freedom" - Jah-Wren Ryel
As others have said, run both the "secure" and "internet" OSes as virtual machines under a plain-jane hypervisor or host-OS that you use only to run the VMs under, and nothing else.
Unless someone exploits a bug or you do something stupid or careless - like carelessly access the internet from your host OS - you should be fine.
Locking down the host OS or hypervisor and keeping it patched is left as an exercise to the reader.
==
That said, there are no doubt cases where having a "two in one" computer is better than having two separate computers or having two VMs running on the same hardware, but the number of such cases is small enough that it's no wonder there's not much of a market out there for such devices.
The scenario you mention is best solved by either a VM solution or, if there is a strict legal requirement that even a VM can't solve, using two computers. Why two computers? Because the cost of getting a 2-in-one computer that is certified to meet your legal requirement is probably way more than the "cost" - including the "pain in the butt cost" - of buying and using two computers.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I have a USB LTE modem so I generally don't have to worry about using someone else's internet. I also have a VPN capable router at home so I can connect to the open WiFi and have my traffic encrypted back to my home network. And the VPN will run over LTE just in case I don't trust the local LTE.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Strange that nobody suggested using a VPN.
If you care at all about security, you have no business connecting EITHER system to third-party WiFi (whether open at a coffee shop or closed at some other business) without employing a VPN.
The VPN should either terminate at your home/company router (hopefully you trust your own company's IT department to maintain a secure environment) or with a trusted third party. (i.e. your IT/security people should vet the company's security).
For your specific case (per your followup comment) that alone should have been sufficient.
But if - as you had stated originally - the Internet access was for personal stuff, and you want to avoid mixing business and personal uses, you could use a VM to keep the uses separate.
The two-computer system you used has a flaw, that could have been alleviated with a VPN. Somebody snooping on your second computer's connection might reasonably be able to determine what you were working on based on your searches and visited sites.
For your actual use case, use a single computer with a VPN. For your hypothetical use case (personal use as well) use one or two VMs and use separate VPNs to connect to the Internet from each.
Or, do your part in reducing e-waste and improve your experience by buying a 3-5 year old laptop of much higher specification for ~$150.
There is no XUL, only WebExtensions...
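The VPN advice in the comments above has a failure mode worth closing: if the tunnel drops while you are on the untrusted network, applications quietly fall back to the bare WiFi uplink. The script below is an added example, not from the thread, of an nftables "kill switch" ruleset that makes that impossible by default-dropping everything on the WiFi interface except DHCP and the VPN handshake itself, so the only way out is through the tunnel. The interface names (`wlan0`, `tun0`), the endpoint address 203.0.113.10 (a documentation address used as a placeholder) and the OpenVPN-style UDP port are all assumptions to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the thread): nftables kill-switch ruleset for using
# a VPN on an untrusted WiFi network. Interface names, VPN endpoint and port
# are assumptions; 203.0.113.10 is a placeholder documentation address.
set -eu

WIFI_IF="${WIFI_IF:-wlan0}"               # assumed: the untrusted uplink
VPN_IF="${VPN_IF:-tun0}"                  # assumed: tunnel device created by the VPN client
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder: your VPN endpoint, as an IP (no DNS before the tunnel is up)
VPN_PORT="${VPN_PORT:-1194}"              # assumed: OpenVPN over UDP; adjust to your client
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the ruleset without touching the kernel. Both hooks default to drop;
# each accept rule is the minimum needed to bring the tunnel up and use it.
vpn_killswitch_rules() {
    cat <<EOF
flush ruleset
table inet vpn_killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # replies to our own connections come back via conntrack; nothing unsolicited is accepted
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # DHCP so we can obtain a lease on the untrusted network
        oifname "${WIFI_IF}" udp sport 68 udp dport 67 accept
        # the VPN handshake is the only thing allowed to leave in the clear
        oifname "${WIFI_IF}" ip daddr ${VPN_SERVER} ${VPN_PROTO} dport ${VPN_PORT} accept
        # everything else must ride the tunnel
        oifname "${VPN_IF}" accept
    }
}
EOF
}

# Leak check on a generated ruleset: any accept on the WiFi interface that is
# not pinned to the VPN endpoint (daddr) or to DHCP (dport 67) would let
# cleartext out. Returns 0 when no such rule exists.
check_no_cleartext_leak() {
    if printf '%s\n' "$1" \
        | grep -E "oifname \"${WIFI_IF}\"" \
        | grep -vE 'daddr|dport 67' \
        | grep -q accept; then
        return 1
    fi
    return 0
}

# Load into the kernel only when explicitly asked (needs root and nftables).
if [ "${1:-}" = "apply" ]; then
    vpn_killswitch_rules | nft -f -
fi
```

`./killswitch.sh` prints the ruleset for review; `sudo ./killswitch.sh apply` loads it. Note that `flush ruleset` replaces any other nftables tables on the machine, that the endpoint must be an IPv4 address because name resolution is blocked until the tunnel exists (add an `ip6 daddr` rule if your endpoint is IPv6), and that this only protects the network path: it says nothing about what the VPN provider or your own gateway does with the traffic once it arrives.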
The market is too small for a hardware-based dual system as described.
For basic isolation -- I use my SmartPhone !! (with tape over the microphone & camera).
For even more isolation - I access YOUR PC at the coffee bar table next to me via the credentials I gathered via my pineapple that offered "Free WiFi".
The solution does exist. Due to the expense of having extra hardware to do this (the level of isolation you want) - most people dual boot using an encrypted file system or a local VM. TrueCrypt had this feature -- a secret file system within another one, hidden and accessible only via the passcode that you type in at boot time. This way if something ran amok it couldn't access those other files.
I use a VM running on my PC to access external stuff - yeah that's backwards as the data I want to protect is on my main OS (because I use it the most). Convenience. For trippy things I spin up a VM in the cloud and go from there.
and with all due seriousness -- for really encrypted stuff I have an encrypted Folder that contains these files and requires a second password to access them. I mainly use MS-Word/Excel encrypted files, and for lots of files I'll store them in 7Zip password protected archives. Once I even created an encrypted Virtual Disk and spun up a VM to access the files. Turned out to be a pita and haven't done it since.
To physically switch control of screen, keyboard, camera, microphone and so on. Otherwise a non-work untrusted app can present work UI and steal your credentials. Even with a switch you could forget to flip it. A physically separate device is still best for security, even at the cost of a slight inconvenience.
My untested hypothesis would be threefold.
1) There isn't a huge market for such a thing so the cost of it would be prohibitive.
2) There is more profit in making hardware that will be bought by the 90% than the 10%
3) There are probably some workarounds that get you near what you want. (Also, my guess would be such systems probably do exist for military use, but you would probably be hard pressed to find them and unwilling to pay the price if you could get one.)
“Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
Let's take a step back and look at the problem you're trying to solve, as it sounds like the switching mechanism you describe might be over-engineering things a bit. You want to use sketchy public wifi with a mission critical work computer?
My first inclination would be not to risk using it in public places to begin with, or do my web browsing with a different personal device.
Otherwise, a VPN connection and VM would be the most elegant solution. Solves the trust issues with the local network, and (mostly/arguably) solves the risks you take any time you use a web browser.
/* No Comment */
It appears that whoever wrote the article has little idea of how VMs work.
He talked about CAD and his files being "visible to the internet" while online in another response. He is proposing a hardware solution; any disagreements he responds to with attacks ("the ENTIRE system faces the internet"), not believing FDE works and demanding proof, etc.
He's an engineer that doesn't know how computers, the internet, or the market works but believes he is smart enough to know the solution and wants validation for how smart he is. Other hardware engineers in this thread are being gentle with him. The security and internet savvy people are not.
Have you ever heard about them?
How would separate hardware be more secure?
My EUR 0.01 contribution: don't connect to untrusted networks and services at all and you won't need the pc inside a pc.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
In business unless you're working in IT, the security of your work laptop will be out of your hands as well as generally not your problem. If your work laptop gets compromised and you didn't hand out your credentials or physical access to someone then the IT dept didn't do their job properly.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I agree with other responders that running Windows in a VM would probably be sufficient, but I'm old, and tend to want some kind of physical solution. My first thought was having a laptop with a removable drive bay (Apple need not apply) and swap out SSDs between your "work" instance and your "don't care if it's pwned" instance.
Barring that, I'd encrypt my main Windows drive and boot Mint (substitute your Linux of choice, or even Windows) off a low profile flash drive for browsing and email in sketchy environments. I see low profile thumb drives are up to 128 Gb now. With two empty USB ports on your laptop, you could have an instance running on a quarter terabyte without touching your main drive.
Enlarging on that, now that I think about it, your Windows instance could contain a clean image of your "burner" OS, for easy restoration should it get pwned in an airport. Or to refresh regularly just on general principles.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I have many. Maybe 1/2 dozen. Most are not allowed on the internet.
Rent an instance on Amazon or Google or any of the other hosting services. The ones I've used allow me to RDP to the instance.
Insert standard boilerplate about remote system security.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
A lot of people are suggesting virtual machines -- but at least theoretically, you might not be allowed to install VM software on your business laptop. Perhaps you're only supposed to be using the apps approved for it by I.T., or ??
The cheap solution would be carrying around a USB drive that's set up with an OS (like Linux) designed to run entirely off of it.
This is what VMs are for.
But even putting that aside, why two completely different systems? That's not substantially different than just carrying two devices. Why not just select a different boot drive? If you're really paranoid this could be a hardware switch that completely changes which disk is at the end of a single sata connection, so there is absolutely no possibility of the system installed on disk having online content with the system installed on the other.
The Microsoft SurfaceBook has a detachable screen that becomes a tablet. I have no idea what capabilities the screen has when detached working as a tablet but if it were to have its own wireless networking, that would be the closest thing to what the OP asked for.
It would seem that the easiest thing to do would be to run the sensitive applications in a VM. Then make sure the VM isn't running when you take the laptop to an untrusted location.
Explain, please. Why is it not a need? For anybody?
I charge by the hour to prove negatives, payment up front.
Inheritance is the sincerest form of nepotism.
Your NIC with its DMA controller is IOMMU-constrained inside the sys-net VM, so it won't let it write to memory outside its own memory space. The sys-firewall VM and its iptables and NAT keep all your internal user VMs safe from the network.
There's been a ton of replies already, but the only one that matters is missing.
What you want does not exist and will not exist because Microsoft aggressively stamps out any attempt to create what you're asking for. Want a Windows license? You can't ship with any other OS. End of story. The moment Dell created Latitude On, Microsoft was on the phone telling them, "No more," and every Windows license agreement since has included the new clause.
I'm not sure what led you to think 10 emails a day from a phone was any kind of hardship. On a recent trip I wrote thousands of words a day on my phone - I had other devices with me as well, the phone was simply more convenient.
People type on phones. A LOT. And the security on a smartphone is simply way, WAY better than any laptop OS at the moment is going to be for a very long time. When I was in China I brought a laptop but made sure it was never connected to the internet in any way (not even tethering) and used only my phone for internet access. At this point you could even dictate long emails on a phone with reasonable accuracy, though I still prefer typing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Assuming you don't need to run both simultaneously (which it sounds like, based on the premise), why not have a system that can let you swap hard drives, be it via a physical switch between two PCIe SSDs, or physically via a caddy (just don't lose it!). You're basically using the same system at that point and keeping your data physically separated. At that point you would have to have a persistent firmware-based infection to be able to have your other data compromised.
------
"And may your days be long upon the earth."
The prime reason to run a specific OS is because some piece of software runs on it. I know of no situation where there is a specific need to run two or more pieces of software that only are available for different OSes.
Running dual boot is an annoying mess anyway. ... Being able to boot or run a lightweight system to use some features like a music player or something used to be feasible - the Olivetti Quaderno had an audio player and a calculator that would run in a minimal mode - but those days have long since passed, because if you need a separate music player you can get a really neat one for under $10. Or have one built into your headphones. Besides, smartphones.
Bottom line: Quit dual-booting. Use a VM or Docker or something and be done with it.
We suffer more in our imagination than in reality. - Seneca
People that I know have a laptop for work and a phone for personal email. They don't want both in the same case...
... add yet another component into the system that could be compromised and possibly even install a persistent and unremovable threat. Brilliant.
I had a netbook years ago, an EEEPC if memory serves, that had a true dual OS system.
The main OS was Windows XP, but at start-up you pressed a designated key on the keyboard (if my memory is being true to me) and you'd boot into a stripped down version of Linux. I don't recall what the window manager was, but there was a web browser, ftp client, and a handful of other apps.
There was a separate dedicated storage for the Linux OS, so you could download files and whatnot. The secondary OS was minimal but very functional and it booted up FAST. 20-30 seconds from power on.
Does something like this exist at all (if so, I've never seen it...)?
No.
And if not, isn't this a major oversight?
Not really. The market for people looking for a device like this is tiny. You simply wouldn't have enough customers to make building a device profitable. Everyone I know in your scenario either boots a second OS from USB or carries a tablet with a Bluetooth keyboard.
Package 2 SBCs, kbd, screen, etc. and connect them with a KVM switch.
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
You could always run pfsense or Untangle...something like that in a VM and use it to securely route and monitor your workstation VM.
Why are there no true dual system laptops or tablets?
The market is too small. It costs too much. Service and support is a nightmare. If your boss is serious about security, he wants you using a dedicated system, ideally one that is chained to your desk, with no Internet access, whatever.
Don't rely on some internet that you don't trust and just tether your phone. Unless you're in the middle of the desert somewhere in this day and age the transfer rate is probably more than adequate. Or VPN into work.
Considering this "story" has, as of this post, 299 comments and most other stories are under 50, the editors would seem to know what they are doing. Ask Slashdot, like every other story here, is intended to generate discussion. The more buzz, the more successful it is.
There is no such thing as a trusted wireless network.
After writing that down 100 times, learn what https, VPN, and SSH are there for.
and separate power buttons to power up the machine in either windows or linux.
I always figured it was Asus admission that windows was unreliable and you could still get on line when windows inevitably started throwing BSODs.
There are no such laptops (assuming that's even true, didn't bother to check,) because there isn't enough demand, and it's too easy to have something that would function that way, without having to have a special-purpose device; you just take a laptop, and duck-tape (yes, duck, not DUCT, look it up if you don't believe,) a tablet to the back of the screen, facing out, and use them according to which is certified to handle sensitive info. Of course, THAT would be a little bit like having a cop whose beat is in a landlocked city with no bodies of water, no lakes, rivers, or streams nearby, let alone an ocean, carrying a handgun with a harpoon strapped to it, in case of, you know, shark attack. The original question here seems to be similar to, "why are there no handguns that also shoot harpoons". You simply don't have a real need for something like that given the different situations in which you'd need ONE, versus the other.
Also, anyone with a REAL need for that level of security, i.e., government and military personnel, would not be able to use the "secure" device in anywhere other than a secure facility, under normal circumstances, i.e., in a SCIF, (or whatever they call it,) which normally would make the "secure" device redundant, since the SCIF will likely already have one.
Do you have directions that work to get this installed? The directions include SD card booting which obviously isn't possible.
The included instructions are fine. They're not talking about booting off the SD card, they're talking about putting the ROM on the SD card so that you can install it. And by "SD card" they obviously don't mean a physical SD card; they're talking about android's "SD card" partition which is your internal storage (great terminology decision there, Google!).
The big steps are unlocking the bootloader and then flashing TWRP recovery. Once you have TWRP installed there are a number of ways you can copy the ROM over for installation. You can even connect a USB thumb drive if you have the appropriate dongle.
Just don't forget to download and install the google apps zip as well, assuming you want them. Otherwise you will have a google-less tablet.
Hardware is absurdly cheap. Our company runs on $200 refurb workstations and $300 refurb laptops and $1000 refurb servers. If we need another OS, it's cheaper and easier to just use a different device.
I don't respond to AC's.
You can never be sure the manufacturer didn't cut some corners and/or made any honest mistakes when implementing such a touchy beast. You'll never be sure if the manufacturer didn't share with both OSes in a risky way some keyboard/video/multimedia/networking component that can run some code injected by the untrusted OS (that is even if they properly separate everything you mentioned as separated: OS, BIOS, CPU, RAM, SSD, USB).
Plus by your design the "attacker OS" has already access to keyboard and video so how do you know it isn't using it? Just trust the manufacturer? You can just as well trust directly the primary box. You might "feel" oh, Macbooks or Chromebooks or ipads or android or windows boxes are a can of worms and not to be trusted but any half-baked and barely used contraption like you are suggesting will be orders of magnitude worse.
I want to tell you about my real experience of dual-booting. Main idea: use linux for web and windows for gaming.
- 1st stage - dual booting - I had a 6 month cycle where I would start browsing in linux and reboot when I wanted to play.....but at the end of the cycle I would only stay in windows (and the cycle would restart due to Windows reinstallation)
- 2nd stage - virtual machine - I discovered PCIe virtualization in 2011; I would have 2 input/output sets of KVM connected to the same PC: one for linux (VM host) and one for guest (VM gaming). Now I could leave linux running while I would play games, and getting back to linux would be just like switching to another PC. Linux only needed Intel IGP, and Z68 and Z87 chips would provide 2 USB controllers each, allowing me to map physical USB ports to host and guest. Unfortunately USB3 screwed everything, as it did not allow me to do these splits (and Intel HW seems most reliable in VMs). I even had a separate NIC for Windows.
3rd stage - 2 PCs - now I use an intel NUC for linux and the big PC is just for games.
While using the VM approach, I did think about what was needed for a laptop to be able to do this (I even chose an i5 thinkpad over i3 because of VT-d support, but never did any tests). But no manufacturer would provide a KVM integrated in a laptop. Any SW solution would mean some kind of compromise....I would say best approach is a linux VM inside Windows (or reverse, depending which needs 3D HW acceleration). Any other approach means having 2 devices (or if provided by OEM, a vulnerable platform...there were a few motherboards with a small linux in firmware).
PS: I also was thinking about a keyboard+screen combo for connecting to any PC. So having a portable screen+keyboard to debug "friends" PCs. If that would be made, then, if battery is not required, 2 NUCs are small and portable enough for a laptop bag.
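The "USB3 screwed everything" problem above is usually an IOMMU grouping issue: VFIO can only hand a PCI device to a guest if every device in its IOMMU group goes with it, so a USB controller that shares a group with, say, a PCIe root port or the NIC cannot be split off for the guest. The script below is an added example (not the commenter's code) that walks the Linux sysfs IOMMU topology so you can check this before buying or configuring a machine. It assumes the standard /sys/kernel/iommu_groups layout; the sysfs root is a parameter so it can also be pointed at a constructed directory tree for testing. The PCI addresses in the comments are illustrative only.

```shell
#!/bin/sh
# Added example: inspect IOMMU groups to decide whether a PCI device (e.g. a
# USB controller) can be passed through to a VM on its own.
#
# Usage:  . ./iommu.sh; iommu_groups            # list every group and its devices
#         group_size_of /sys 0000:00:14.0       # how many devices share that group
# A group size of 1 means the device can be passed through alone; more than 1
# means VFIO requires the whole group (all listed devices) to move together.

# Print "group N: dev dev ..." for every IOMMU group under $1 (default /sys).
iommu_groups() {
    root="${1:-/sys}"
    groups="$root/kernel/iommu_groups"
    if [ ! -d "$groups" ]; then
        echo "no IOMMU groups under $groups (IOMMU disabled, or VT-d/AMD-Vi not enabled in firmware or kernel cmdline?)" >&2
        return 1
    fi
    for g in "$groups"/*/; do
        g="${g%/}"
        [ -d "$g" ] || continue
        n="${g##*/}"
        devs=""
        for d in "$g"/devices/*; do
            [ -e "$d" ] || continue
            devs="$devs ${d##*/}"
        done
        printf 'group %s:%s\n' "$n" "$devs"
    done | sort -k2,2n
}

# Echo the number of devices in the IOMMU group containing PCI address $2
# (looked up under sysfs root $1). Echoes 0 and returns 1 if the device is not
# in any group, i.e. the IOMMU is off or the address is wrong.
group_size_of() {
    root="${1:-/sys}"
    dev="$2"
    for g in "$root"/kernel/iommu_groups/*/devices/"$dev"; do
        if [ ! -e "$g" ]; then
            echo 0
            return 1
        fi
        gdir="${g%/devices/*}"
        set -- "$gdir"/devices/*
        echo $#
        return 0
    done
}

# When executed directly with --list, print the live topology of this machine.
case "${1:-}" in
    --list) iommu_groups ;;
esac
```

On a desktop board like the Z68/Z87 ones mentioned above you would expect the two USB controllers to land in separate groups; on many laptops the USB3 (xHCI) controller sits in the same group as other chipset devices, which is exactly the split that cannot be made. If a device is stuck in a shared group, the remaining options are the ACS override patch (which weakens the isolation you were after in the first place) or a different slot or platform.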
there are so many solutions to this problem.
- have multiple users for different purposes, each user can have their own security settings, rules, etc
- run a VM
- have an external stick/drive/dvd/etc to boot your ultrasecure OS from
- etc.
no need for some weird implementations vendors might come up with, which would turn out to not be secure at all after they get cracked by hackers, not to mention that each implementation would be different and the lack of a standard would make it very hard to work with - all for nothing.
And why oh why hasn't someone already invented a laptop computer with an integrated bar fridge? Sometimes, I'm hanggliding over the sahara desert, and it gets real hot. I have to stop working on my CRM bugfixes, close my laptop, get out my entire, separate bar fridge, and open it up to get a refreshing cold beverage. Why can't I just get a laptop that has the bar fridge integrated? It makes hanggliding in hot parts of the world such a hassle, especially when I've got deadlines to meet!
Seems like the real threat to your confidentiality is not logging in to a bad wifi, but crossing borders with a computer that has more on it than it should. Carry a tablet and leave the computer locked up somewhere, besides it's nice to have a map you can actually see.
Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?
So the idea is to stick a second, much less powerful computer, like a raspberry pi, inside a mainstream laptop to avoid exposure of proprietary data on untrusted networks?
Microsoft and Ubuntu already addressed this issue, but no one cares - Ubuntu called it "running from a USB stick", Microsoft called it "Windows to go" - a complete computing environment on a USB drive.
Take your laptop, boot off the USB drive, enjoy a computing environment completely isolated from your laptop HD. You can place this environment on an SDXC flash card or low-profile USB device that barely projects out the side of your laptop, then choose how to boot.
Why shove a raspberry pi in an i5 laptop?
Ken
https://phandroid.com/2013/01/09/hands-on-asus-transformer-aio-all-in-one-pctablet-running-windows-8-and-jelly-bean-video/
I saw it at a Gaming PC conference
It's a real large size android tablet that talks wirelessly to a Windows PC giving you the tablet touch screen experience on both systems. When docked, video from the PC is overlaid with zero latency. When undocked it switches seamlessly to an android app that streams video from the PC side to the tablet.