Slashdot Mirror


Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers?

dryriver writes: This is not a question about dual-booting OSs -- having 2 or more different OSs installed on the same machine. Rather, imagine that I'm a business person or product engineer or management consultant with a Windows 10 laptop that has confidential client emails, Word documents, financial spreadsheets, product CAD files or similar on it. Business stuff that needs to stay confidential per my employment contract or NDAs or any other agreement I may have signed. When I have to access the internet from an untrusted internet access point that somebody else controls -- free WiFi in a restaurant, cafe or airport lounge in a foreign country, for example -- I do not want my main Win 10 OS, Intel/AMD laptop hardware or other software exposed to this untrusted internet connection at all. Rather, I want to use a 2nd and completely separate System On Chip, or SOC, inside my laptop running Linux or Android to do my internet accessing. In other words, I want to be able to switch to a small 2nd standalone Android/Linux computer inside my Windows 10 laptop, so that I can do my emailing and internet browsing just about anywhere without any worries at all, because in that mode, only the small SOC hardware and its RAM is exposed to the internet, not any of the rest of my laptop or tablet. A hardware switch on the laptop casing would let me turn the 2nd SOC computer on when I need to use it, and it would take over the screen, trackpad and keyboard when used. But the SOC computer would have no physical connection at all to my main OS, BIOS, CPU, RAM, SSD, USB ports and so on. Does something like this exist at all (if so, I've never seen it...)? And if not, isn't this a major oversight? Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you to access the internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?

19 of 378 comments

  1. just run the 2nd OS in a VM and call it a day by iggymanz · · Score: 5, Insightful

    real exploits of that situation are rare

    1. Re:just run the 2nd OS in a VM and call it a day by mysidia · · Score: 4, Insightful

      Run BOTH systems as VMs of a more secure system such as a Citrix or VMware Client Hypervisor or Qubes OS.

    2. Re:just run the 2nd OS in a VM and call it a day by wbr1 · · Score: 3, Informative

      Or... bring a decent tablet or chromebook. I have a gen 2 Nexus 7 that I take for this. Has all my personal stuff, can get to work email if needed, great for personal banking/media/whatever in a hotel or airport. Small size, no potential for ANY exploit like an SOC that shares some other piece of HW and may have an unknown exploit leading back to storage on the host machine.

      --
      Silence is a state of mime.
    3. Re:just run the 2nd OS in a VM and call it a day by ctilsie242 · · Score: 5, Informative

      If truly worried, I'd just have a dedicated machine where the sensitive OS runs in a VM. You can even set up some secure remote access so you don't have to lug two machines around everywhere. In fact, I'd consider multiple separate VMs, one for each client, so a compromise doesn't mean everything is lost, just whatever is opened at the time.

      Attacks where something jumps across or out of VMs are extremely rare. It can happen, but this is not a big attack vector, relatively.

      Plus, if you store your VM on an eSATA or USB 3.1 drive, when done with it, just unplug the drive and toss it somewhere secure. $200 buys you a FIPS compliant external SSD with hardware encryption from Apricorn. This takes care of the DAR (data at rest) element, regardless of the OS. From there, a PC with VirtualBox, Hyper-V, VMware, or Parallels can run the VM.

    4. Re:just run the 2nd OS in a VM and call it a day by SvnLyrBrto · · Score: 3, Informative

      It's not that it's not feasible. It's that there's not a big enough market/demand that any manufacturer has bothered to offer that bit of kit. So suggestions for how to achieve a similar end result are entirely appropriate. And at the end of the day, "Here's my idea for a device I would like and poses no particularly difficult or interesting technical challenge, but is not offered for sale... GIMME!" is not "news for nerds" or for anyone else. It's banal and trite water-cooler chit-chat at the very best.

      If msmash and dryriver think it's such a good idea and are so put out that it doesn't exist, one of them should go get a job in product design at Dell or whatnot, do their own damn market research, and present a business case that there's enough demand for this thing to make it worthwhile to bring to market.

      --
      Imagine all the people...
    5. Re:just run the 2nd OS in a VM and call it a day by hairyfeet · · Score: 3, Insightful

      Not to mention there is a BIG issue with what he wants...how do you update it without putting it at risk? Who is gonna support it?

      You see, I know how this really doesn't work because I actually have one that does almost exactly what he is suggesting and I use it for work... an EEE PC netbook. For those that do not know, many of the EEE PC netbooks that came with Windows have TWO start buttons: one boots into the main OS and one boots into a version of Splashtop... or at least it did before I upgraded to Windows 8.1. The problems with it were 1.- No software for the OS, which meant it was stuck with a really old version of Chromium and really old HTML based apps, 2.- No support, so any vulnerabilities with the apps or the OS itself wouldn't get patched.

      Luckily for me I bought the AMD Brazos version that had no issues with 8GB of RAM and VM support, so in the end it was better to just upgrade to 8.1 and use a Linux VM when I needed a separate OS, as the VM can easily be updated or changed out if the distro dies. With these micro-OSes? They always end up out of date and poorly supported; they just aren't a great idea.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:just run the 2nd OS in a VM and call it a day by green1 · · Score: 3, Interesting

      What makes chromebooks less useful than tablets?

      Modern Chromebooks run all android apps in addition to their normal stuff, they also are capable of running full Linux distros in parallel with ChromeOS.

      I use a Pixelbook as my primary, and only, personal computer at this point. I've not run into any situations where I wished I had a tablet instead, nor any where I wished I had a different type of computer. The Pixelbook has actually surprised me. When I bought it, I assumed that I'd spend all my time in Ubuntu on it, but that's just not the case; I almost never bother to switch to Ubuntu, and instead do everything I need on ChromeOS, either online, in android apps, or in a shell. The times I need to open Ubuntu are few and far between.

    7. Re:just run the 2nd OS in a VM and call it a day by DoraLives · · Score: 4, Interesting

      This is the answer.

      My own implementation presumes Windows as the (very) weak link in the chain, and it's run as a VM inside of Linux. I've given up on ever trusting Microsoft again, in light of the recent, ongoing, and ever-doubling-down privacy horrors, endless stream of newly-discovered exploitable vulnerabilities, and forced corporateware installations associated with Win 10. So ok. So no Win 10. I went the other way. Win 7 Starter Edition SP1, stripped down to the ground floor, no Windows Updates, no antivirus, no anything, just the bare OS, to run the proprietary software (if the software demands an x64 OS, well then, we'll move up the Win7 hierarchy one notch) that demands Windows, to run smoothly enough, hassle-free. This Win7 VM is considered to be lying on the floor with its legs spread, and it only runs the programs it must run, and nothing whatsoever else. No games. No VOIP. Certainly no web browsers. Its drawbacks are obvious, but with adult supervision, nothing that cannot be dealt with, and it's lightning fast in its stripped-down state.

      If he wants a second Linux VM running alongside the Win7 VM inside the first one, well then, ok, so he shall have it. Whatever suits the situation most appropriately.

      Toss in a TAILS USB stick with encrypted persistent storage for situations that seem a bit sketchy for the above "standard" setup, and we're good to go.

      Again, your answer is the correct one.

      --
      Is it fascism yet?
  2. It's in your pocket by Syphonius · · Score: 5, Interesting

    That second system you are looking for, to browse and email and such, it's in your pocket.

    It's called your phone.

    The need you are describing is apparently not widespread nor strong enough for anyone to invest in implementing it in the way you describe.

    Use your phone.

  3. Duct tape another laptop to your main laptop by DontBeAMoran · · Score: 5, Informative

    'If the women don't find you handsome, they should at least find you handy.' — Red Green

    --
    #DeleteFacebook
  4. Virtualization is the answer. by Arkham · · Score: 5, Interesting

    Virtualization is the obvious answer. Inside your VMs you can run Linux, or Windows, or whatever. It's quite safe. You should run your work-related stuff in one VM, and your personal stuff in another VM, and not use the native OS for anything except the virtualization software.

    This is the most secure option you will find, and modern virtualization platforms (VMware, etc) will even let you set flashpoints where the VM is saved, and if there's an issue, you can rewind to the safe point and continue.

    There's little to no performance penalty as long as the hosted OSes run natively on Intel.

    --
    - Vincit qui patitur.
  5. Re: It's just easier to have a 2nd device by TimMD909 · · Score: 4, Funny

    I think you said the same thing twice. I also think you said the same thing twice. ;-)

  6. VMs divide up your resources dynamically by OrangeTide · · Score: 3, Informative

    A hardware division of your resources is problematic because they'll never be fully independent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware-only solution.

    From the software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically built to address what you are looking for, and they do so at different layers. For example, Qubes OS lets you do a VM per window and color codes them. And something like BitVisor has a narrower focus on protecting your VPN keys and encrypting your hard drive; from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN, without exposing that information to your personal system (and vice versa if you choose).

    But sadly there are a lot of problems with secure virtualization these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.

    --
    “Common sense is not so common.” — Voltaire
  7. Re:Because physical security is a myth by Falconnan · · Score: 3, Interesting

    That very much depends on how you define security.

    If you define security as absolute safety and isolation, then you are correct. However, that is not the definition of security in the real world. In the real world, security is achieved by incremental decreases in risk of harm to a system. What he proposes would have the potential to increase security by this measure. However, this only works if the following is true:

    • There is no buffer on the keyboard, nor any memory of any kind that could harbor malware for delivery
    • Likewise, the monitor
    • The two components would need to have separate NICs
    • The battery unit would likewise need to be isolated if the electronics inside are in any way programmable

    That said, this would actually open up a potential new avenue of attack, and decrease security, unless the isolation is nigh total. If I recall correctly, even being in proximity, there have been proof-of-concept demonstrations that two air-gapped computers can still transmit data to each other under the right conditions.

  8. To Explain Where This Question Came From by dryriver · · Score: 4, Interesting

    This question originated in a patent writing effort I was a part of 3 years ago. Basically, we were drafting the patent document for an invention on one PC that had no internet connection at all - to keep the invention safe from prying eyes until the patent could be filed. And we were using another computer with an internet connection in a different room to look up stuff on the internet, like patent writing regulations, patent formatting guidelines, patent filing deadlines, technical stuff and so on. It was a pain in the ass because, to keep the invention to be patented confidential, we had to write the patent on one computer with no internet whatsoever, and do everything internet related on a separate computer, going back and forth between the 2 machines for weeks. So I thought - why not make a computer that can go on the internet WITHOUT potentially exposing the entire machine to the internet? Having a 2nd mini-PC inside the main computer that can go online but cannot expose the rest of the computer to any would-be hackers seemed like a great solution for this. There are many real-world situations where you DO need the power of a full Win 10/Core i7 PC to accomplish something, and DO need to look stuff up on the internet all the time while you are doing this - technical details or technical knowhow for example - but are constantly fretting that exposing the ENTIRE PC or laptop to the internet could result in your work being stolen. So I came up with the idea of 2 computers in one casing - 1 large, fully featured computer that is not seen by the internet, and 1 much simpler SOC computer that CAN see the internet and be seen by the internet. It's kind of like using a little netbook computer alongside your main laptop for internet stuff, but the netbook is built into your main machine, and can run parallel to it when needed.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
  9. Actually, there was at least one by rickb928 · · Score: 3, Informative

    My now-ancient ASUS G50VT included ExpressGate. Based on Splashtop, burned into the BIOS ROM, manageable. Rudimentary Firefox browser, email client, Skype, and obviously hard to update. But it ran independently of any OS installed on storage.

    Splashtop is now done, but it was also used by ASUS on some motherboards, and then endured obscurity, competition, and finally turned into something else.

    It did work. It was pretty minimal, and could have been cool. And it certainly is possible today, even in BIOS, with flexibility and update capabilities, but somehow I don't see any of this on the market.

    The obvious solution would be to embed ChromeOS or something similar, fairly lightweight and useful. This could let you keep your primary OS invisible.

    Cost?

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  10. SplashTop by DrYak · · Score: 4, Informative

    Actually, some companies have indeed tried exactly that, with products such as SplashTop:

    Some of the first Dell laptops to feature "Latitude On" were exactly that: a special custom SOC in a specially modified mini-PCIe card, that was able to run some restricted Linux (a web kiosk and a few built-in apps, basically a distant ancestor of the chromebook concept), while accessing the normal regular laptop screen and keyboard (but not much beyond that, and certainly no access to any SATA mass storage).

    It had a few minor advantages (mainly, instant power-on, and lower power usage of the SoC compared to the main CPU)
    but a lot of disadvantages (complexity and restrictions due to the switching concept)
    and it cannot be used at the same time as the main CPU with Windows.

    Eventually, later versions of "Latitude On" evolved into exactly what you're suggesting: the mini-PCIe card evolved into an SSD with a Linux installation on it, and the main CPU simply dual-booted into either the Linux installation on the SSD or the Windows installation on the SATA HDD.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Re:Because.... by AmiMoJo · · Score: 4, Insightful

    Most people would just buy a tablet and optional Bluetooth keyboard for this purpose.

    Integrating a second SoC into a laptop is actually more complex than you probably realize. For example, how are you going to do things like share the screen between the SoC and main GPU? Okay, you need an extra video switch... But the screen power and backlight are also controlled by the main laptop chipset, so you need to split that out and allow the SoC to access that functionality as well. Same for the keyboard, trackpad, USB ports, wifi, battery charging system, audio subsystem and amps...

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. Re:Dude... by twdorris · · Score: 4, Insightful

    You have a dog in this fight. You need to stop replying and start listening. Take the advice/comments you like and ignore the others. Your use case is simply too narrow to justify development. At some point you'll need to accept this and move on to the other (seemingly reasonable, IMO) suggestions. For example, if you really have a big ol' 17" CAD laptop that you have to lug around, then an extra, thin, lightweight tablet is *not* going to be noticeable to you... and given that no commercial application like what you're looking for has been maintained beyond initial release due to lack of interest, as a previous commenter pointed out, you should probably start to acknowledge that no matter how good the idea might seem to you and your specific situation, it doesn't apply to enough other people to justify it.

    And, BTW, referring to the extra IC as "little" and "small" over and over again isn't going to change the effort, complexity or market reality one bit. You're trying to trivialize the issue with verbal trickery. It's lame. Stop.