Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Hardware

Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers? 378

dryriver writes: This is not a question about dual-booting OSs -- having 2 or more different OSs installed on the same machine. Rather, imagine that I'm a business person or product engineer or management consultant with a Windows 10 laptop that has confidential client emails, word documents, financial spreadsheets, product CAD files or similar on it. Business stuff that needs to stay confidential per my employment contract or NDAs or any other agreement I may have signed. When I have to access the internet from an untrusted internet access point that somebody else controls -- free WiFi in a restaurant, cafe or airport lounge in a foreign country for example -- I do not want my main Win 10 OS, Intel/AMD laptop hardware or other software exposed to this untrusted internet connection at all. Rather, I want to use a 2nd and completely separate System On Chip or SOC inside my Laptop running Linux or Android to do my internet accessing. In other words, I want to be able to switch to a small 2nd standalone Android/Linux computer inside my Windows 10 laptop, so that I can do my emailing and internet browsing just about anywhere without any worries at all, because in that mode, only the small SOC hardware and its RAM is exposed to the internet, not any of the rest of my laptop or tablet. A hardware switch on the laptop casing would let me turn the 2nd SOC computer on when I need to use it, and it would take over the screen, trackpad and keyboard when used. But the SOC computer would have no physical connection at all to my main OS, BIOS, CPU, RAM, SSD, USB ports and so on. Does something like this exist at all (if so, I've never seen it...)? And if not, isn't this a major oversight? Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers?

Comments Filter:
  • by iggymanz ( 596061 ) on Wednesday March 28, 2018 @09:58AM (#56340885)

    real exploits of that situation are rare

    • I was going to suggest the same thing. If you are too paranoid for a VM solution and would rather have separate hardware, bring another laptop.
      • by wbr1 ( 2538558 ) on Wednesday March 28, 2018 @10:09AM (#56341007)
        Or .. bring a decent tablet or chromebook. I have a gen 2 nexus 7 that I take for this. Has all my personal stuff, can get to work email if needed, great for personal banking/media/whatever in a hotel or airport. Small size, no potential for ANY exploit like an SOC that shares some other piece of HW and may have an unknown exploit leading back to storage on the host machine.
        • I agree. Want to be safe? Carry a small tablet. You can add a bluetooth keyboard if you hate on-screen keyboards like I do. I would be wary of online banking on an unsecure network...
      • Why not install Ubuntu on a USB drive [ubuntu.com] and simply boot from it? Why require a second, lesser processor, less memory, and greatly limited storage be included inside the laptop?

        If you want to run Windows on the hardware securely, take a look at Microsoft's "Windows to go" offering?

    • by mysidia ( 191772 ) on Wednesday March 28, 2018 @10:03AM (#56340949)

      Run BOTH systems as VMs of a more secure system such as a Citrix or VMware Client Hypervisor or Qubes OS.

      • That's just a waste of recourses needlessly complicates things. The fact that the poster is even asking this means he isn't exactly tech savvy and thus doesn't need overcomplicated solutions that will only make his life harder.

        The poster only cares about one OS being secure. There's no reason to run his main OS as a VM as well.
      • I'm amused you imagine either of those are more secure in any way, the same exploits *proven* to cross VMs work just as well on those. Guess the marketing droids count you as an effective market

      • by Wolfrider ( 856 )

        --Came to post this and found your recommendation. ;-)

        https://distrowatch.com/table.... [distrowatch.com]

    • Re: (Score:2, Informative)

      by whoever57 ( 658626 )

      You could also add a VPN and have the VM communicate with the Internet via the VPN.

      • by AmiMoJo ( 196126 )

        Now go ask the IT department how hard it is just to get staff to connect to the VPN before browsing some Facebook on the work laptop and you will understand why no-one sells machines like the OP describes.

        If the company actually cares about this they will just disable all wifi access except to their trusted network with a valid certificate. Ordinary users won't be able to understand what the hell this feature actually does.

        Only tech savvy nerds will use such a complex set up, and they won't trust anyone els

    • by ctilsie242 ( 4841247 ) on Wednesday March 28, 2018 @10:44AM (#56341267)

      If truly worried, I'd just have a dedicated machine where the sensitive OS runs in a VM. You can even set up some secure remote access so you don't have to lug two machines around everywhere. In fact, I'd consider multiple separate VMs, one for each client, so a compromise doesn't mean everything is lost, just whatever is opened at the time.

      Attacks where something jumping across or out of VMs is extremely rare. It can happen, but this is not a big attack vector, relatively.

      Plus, if you store your VM on an eSATA or USB 3.1 drive, when done with it, just unplug the drive and toss it somewhere secure. $200 buys you a FIPS compliant external SSD with hardware encryption from Apricorn. This takes care of the DAR (data at test) element, regardless of the OS. From there, a PC with VirtualBox, Hyper-V, VMWare, or Parallels can run the VM.

      • by DoraLives ( 622001 ) on Wednesday March 28, 2018 @12:24PM (#56342009)
        This is the answer.

        My own implementation presumes Windows as the (very) weak link in the chain, and it's run as a VM inside of Linux. I've given up on ever trusting Microsoft again, in light of the recent, ongoing, and ever-doubling-down, privacy horrors, endless stream of newly-discovered exploitable vulnerabilities, and forced corporateware installations associated with Win 10. So ok. So no Win 10. I went the other way. Win 7 Starter Edition SP1, stripped down to the ground floor, no Windows Updates, no antivirus, no anything, just the bare OS, to run the proprietary software (if the software demands an x64 OS, well then, we'll move up the Win7 hierarchy one notch) that demands Windows, to run smoothly enough, hassle-free. This Win7 VM is considered to be laying on the floor with its legs spread, and it only runs the programs it must run, and nothing whatsoever else. No games. No VOIP. Certainly no web browsers. It's drawbacks are obvious, but with adult supervision, nothing that cannot be dealt with, and it's lightning fast in its stripped-down state.

        If he wants a second Linux VM running alongside the Win7 VM inside the first one, well then, ok, so he shall have it. Whatever suits the situation most appropriately.

        Toss in a TAILS USB stick with encrypted persistent storage for situations that seem a bit sketchy for the above "standard" setup, and we're good to go.

        Again, your answer is the correct one.
    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Wednesday March 28, 2018 @11:42AM (#56341673)
      Comment removed based on user account deletion
  • by casings ( 257363 ) on Wednesday March 28, 2018 @09:58AM (#56340889)

    End thread.

    • by Falconnan ( 4073277 ) on Wednesday March 28, 2018 @10:11AM (#56341029)

      That very much depends on how you define security.

      If you define security as aboslute safety and isolation, then you are correct. However, that is not the definition of security in the real world. In the real world, security is the achieved by incremental decreases in risk of harm to a system. What he proposes would have the potential to increase security by this measure. However, this only works if the following is true:

      • There is no buffer on the keyboard, nor any memory of any kind that could harbor malware for delivery
      • Likewise, the monitor
      • The two components would need to have separate NICs
      • The battery unit would likewise need to be isolated if the electronics inside are in any way programmable

      That said, this would actually open up a potential new avenue of attack, and decrease security, unless the isolation is nigh total. If I recall correctly, even being in proximity, there have been proof-of-concept demonstrations that two air-gapped computers can still transmit data to each other under the right conditions.

  • Because.... (Score:3, Insightful)

    by Luthair ( 847766 ) on Wednesday March 28, 2018 @09:59AM (#56340895)
    It would be complex, expensive, huge and stupid. Dual boot, encrypt both partitions.
    • Re: (Score:2, Interesting)

      by dryriver ( 1010635 )
      What is so COMPLEX and HUGE and STUPID about adding a small SOC chip into a workstation replacement laptop that already costs 2,500 Dollars to buy? Is there really NOBODY who would benefit from a having a 2nd small and cheap computer integrated into a Laptop computer?
      • by nnet ( 20306 )
        Maybe ask the people that found the Intel Management Engine exploits....
        • What you are referring to is PART of the main CPU. Of course it is hackable when the ENTIRE system faces the internet. In my proposed solution, NONE of your main machine faces the internet. A small, cheap 2nd Computer-On-A-Chip faces the internet INSTEAD of your MAIN HARDWARE. It is inside the same casing so you don't need to carry 2 laptops or netbooks around. But there literally is NO way to access the main hardware FROM this 2nd little Internet Computer.
      • The COMPLEX and HUGE (i.e. "impossible") task is keeping the STUPID ape at the keyboard from subverting the security model for his convenience. "Hey, that looks like a cool-and-useful toolbar, and it includes free animated cursors and icons!" .. [CTRL-C] {switch to protected machine} [CTRL-V]
      • by brettw ( 27391 )

        Well, there is at least one person (clearly). But there needs to be a market, and I think this thread contains plenty of reasons why that market is very small.

      • by Luthair ( 847766 )

        Open your existing laptop, how much empty space is inside? How complex are the existing logic boards?

        You're asking for a system that has a second SoC, RAM and a hard drive. Then has additional circuits so the system can share the battery & charging, a circuit to share the display, either share or duplicate the antennas, and likely you want to be able to use ports on the system too. All this in addition to the circuits and software for switching between the two systems.

      • Re:Because.... (Score:5, Insightful)

        by AmiMoJo ( 196126 ) on Wednesday March 28, 2018 @11:02AM (#56341413) Homepage Journal

        Most people would just buy a tablet and optional Bluetooth keyboard for this purpose.

        Integrating a second SoC into a laptop is actually more complex than you probably realize. For example, how are you going to do things like share the screen between the SoC and main GPU? Okay, you need an extra video switch... But the screen power and backlight are also controlled by the main laptop chipset, so you need to split that out and allow the SoC to access that functionality as well. Same for the keyboard, trackpad, USB ports, wifi, battery charging system, audio subsystem and amps...

      • You misspelt Raspberry Pi [amazon.com].

        Why waste engineering time to add a SoC when there are dozens of dirt-cheap alternatives?

    • SplashTop (Score:5, Informative)

      by DrYak ( 748999 ) on Wednesday March 28, 2018 @10:22AM (#56341099) Homepage

      actually some companies have indeed exactly tried that, with products such as SplashTop:

      some of the first Dell laptops to feature "Latitude On" where exactly that: a special custom SOC in a specially modified mini-PCIe card, that was able to run some restricted Linux (a web kiosk and a few built in apps. basically a distant ancestror of the chromebook concept), while accessing the nornal regular laptop screen and keyboard (but not much beyond that and certainly no access to any Sata mass storage).

      it had a few minor advantage (mainly, instant power-on, and lower power usage of the SoC compared to the main CPU)
      but a lot of disadvantage (complexity and restrictions due to the switching concept)
      and cannot be used at the same time as the main CPU with Windows.

      eventually, later version of "Latitude On" evolves into exaclty what you're suggesting: the mini-PCIe card evolved into an SSD with a Linux installation on it, and the main CPU simply dual booted into either the Linux installation on SSD or the Windows installation on SATA HDD.

    • by X10 ( 186866 )

      "Expensive" because building a laptop for a market of half a dozen customers is expensive.

      • There are millions of people around the world who work for major corporations and DO travel with confidential shit on a laptop computer. What makes you think the market for this is SMALL? These are people whose EMPLOYERS pay for their hardware. Wouldn't those employers cough up an extra 100 to 200 Dollars to keep stuff safe that could do Millions of Dollars in damage if stolen?
        • by jon3k ( 691256 )
          Because there are less expensive but acceptable options. Most people just use Bitlocker or if you want to get really fancy use an encrypted VM. People have accepted that's "good enough" security.
  • It's in your pocket (Score:5, Interesting)

    by Syphonius ( 11602 ) on Wednesday March 28, 2018 @09:59AM (#56340905) Homepage

    That second system you are looking for, to browse and email and such, it's in your pocket.

    It's called your phone.

    The need you are describing is apparently not widespread nor strong enough for anyone to invest in implementing it in the way you describe.

    Use your phone.

    • The need you are describing is apparently not widespread nor strong enough for anyone to invest in implementing it in the way you describe.

      More simply, it is not really a need.

    • So you are stuck in a hotel room in China for 9 days, and write 10 emails a day on your phone? Why not do this on YOUR LAPTOP while enjoying EXACTLY THE SAME SECURITY as doing it on your phone? Minus the tiny touchscreen keyboard you suggest people should use.
    • I imagine there must be apps that let you "remote desktop" into your phone which is sitting in your pocket.

      Actually it's better if the phone is in your briefcase/backpack. If it's sitting in your pocket it's best to have it turned off or in airplane mode to reduce the emissions to body tissue...

  • by DontBeAMoran ( 4843879 ) on Wednesday March 28, 2018 @10:00AM (#56340909)

    'If the women don't find you handsome, they should at least find you handy.' — Red Green

  • by the_skywise ( 189793 ) on Wednesday March 28, 2018 @10:00AM (#56340913)
    Just carry a second laptop around! 2 Surface Pros are still less weight and size than just 1 typical laptop from 4 years ago!
    • ChromeBook. I love my Surface Pro, but for less money, hey.

  • by Arkham ( 10779 ) on Wednesday March 28, 2018 @10:02AM (#56340929)

    Virtualization is the obvious answer. Inside your VMs you can run Linux, or Windows, or whatever. It's quite safe. You should run your work-related stuff in one VM, and your personal stuff in another VM, and not use the native OS for anything except the virtualization software.

    This is the most secure option you will find, and modern virtualization platforms (VMware, etc) will even let you set flashpoints where the VM is saved, and if there's an issue, you can rewind to the safe point and continue.

    There's little to no performance penalty as long as the hosted OSes run natively on Intel.

    • It appears that whomever wrote the article has little idea of how VMs work.
    • I've seen this pretty regularly in doctors offices lately. Instead of some network-enabled software that pushes data to a backend, they all virtualize a desktop on some (maybe remote) server.

      The only downside I've seen to virtualization is if you should need some graphically intense application to work. Don't even try running something like Starcraft II in a VM'd Windows. MS Office sure, but no 3D games.

      • The only downside I've seen to virtualization is if you should need some graphically intense application to work. Don't even try running something like Starcraft II in a VM'd Windows. MS Office sure, but no 3D games.

        This hasn't been the case for years. IOMMU [wikipedia.org] makes it possible to passthrough your GPU to a VM, allowing near-native performance.

        My primary home computer is a VM host (running Arch), and I have a handful of VMs on it for various purposes. One of them is a Windows 10 VM, to which I passthrough a GTX 970 (thinking about upgrading), and gaming benchmarks suggest it's within 5% of running Windows baremetal.

  • If it is that important that you don't trust a dual boot, you probably aren't going to trust anything that is in 1 package.

    That being said, I carry 2 laptops (personal and business) and 2 phones. I have 2 phones as well, same reason.

  • There are 2-in-1 laptops (that flip into a tablet) but generally for various reasons they use the same chip. Just dual-boot or VM whatever you need. You can run Android or Linux on your x86 and boot Windows in a VM when you truly need it. Apply encryption to the hard drive with a strong password or even have your VM in a hidden partition/sectors of your system or if you have serious trouble with customs of various countries, have your data only available on a separate hosted server.

    A system with 2 separate

  • by OrangeTide ( 124937 ) on Wednesday March 28, 2018 @10:10AM (#56341023) Homepage Journal

    A hardware division of your resources is problematic because they'll never be fully indepedent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware only solution.

    From software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically to address what you are looking for and do so at different layers, for example Qubes OS [qubes-os.org] lets you do a VM per window and color codes them. And something like BitVisor [bitvisor.org] has a narrower focus on protecting your VPN keys and encrypting your harddrive, from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN. without exposing that information to your personal system. (and vice versa if you choose)

    But sadly there are a lot of problems with virtualization that is secure these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.

    • there are a lot of problems with virtualization that is secure these days due to flaws in CPU architectures.

      Actually, hypervisors can flush cache and TLB when switching guests, which prevents leaking. The guest OS can use the full spread of CPU technology as it sees fit and still can't pull off things like spectre and meltdown.

  • by dryriver ( 1010635 ) on Wednesday March 28, 2018 @10:12AM (#56341033)
    This question originated in a patent writing effort I was a part of 3 years ago. Basically, we were drafting the patent document for an invention on one PC that had no internet connection at all - to keep the invention safe from prying eyes until the patent could be filed. And we were using another computer with internet connection in a different room to look up stuff on the internet, like patent writing regulations, patent formatting guidelines, patent filing deadlines, technical stuff and so on. It was a pain in the ass because to keep the invention to be patented confidential, we had to write the patent on one computer with no internet whatsoever, and do everything internet related on a separate computer, going back and forth between the 2 machines for weeks. So I thought - why not make a computer that can go on the internet WITHOUT potentially exposing the entire machine to the internet. Having a 2nd mini-PC inside the main computer that can go online but cannot expose the rest of the computer to any would-be hackers seemed like a great solution for this. There are many real-world situations where you DO need the power of a full Win 10/Core i7 PC to accomplish something, and DO need to look stuff up on the internet all the time while you are doing this - technical details or technical knowhow for example - but are constantly fretting that exposing the ENTIRE PC or laptop to the internet could result in your work being stolen. So I came up with the idea of 2 computers in one casing - 1 large, fully featured computer that is not seen by the internet, and 1 much simpler SOC computer that CAN see the internet and be seen by the internet. Its kind of like using little netbook computer alongside your main laptop for internet stuff, but the netbook is built into your main machine, and can run parallel to it when needed.
    • by cdecoro ( 882384 )

      This question originated in a patent writing effort I was a part of 3 years ago. Basically, we were drafting the patent document for an invention on one PC that had no internet connection at all - to keep the invention safe from prying eyes until the patent could be filed.

      Purely out of curiosity: did you ever file the patent application? If so, what is the application number? I'd be interested in

    • So the question came from you not knowing basic security?

    • by twdorris ( 29395 )

      There are many real-world situations where you DO need the power of a full Win 10/Core i7 PC to accomplish something, and DO need to look stuff up on the internet all the time while you are doing this - technical details or technical knowhow for example - but are constantly fretting that exposing the ENTIRE PC or laptop to the internet could result in your work being stolen.

      No, there aren't. There are *some* situations where that *might* be of interest, but there are not *many*. You are fooling yourself into thinking that the size of your personal need is somehow indicative of the market size of that solution. It's most certainly not.

  • by holophrastic ( 221104 ) on Wednesday March 28, 2018 @10:12AM (#56341043)

    You're trying to solve a problem in hardware. We're about twenty years past that. Hardware doesn't do anything anymore.

    Back in my day, "drivers" were a bad thing -- there were modems, and there were winmodems, that latter needed software drivers. That logic has flipped. Now hardware does nothing without software driving it.

    You're trying to double your hardware, and then add more hardware to switch between them. That's just not the equation anymore.

    And in truth, you wouldn't want that. You wouldn't want to be using your SOC to browse the web, and then not be able to get that document/data/image onto your work hardware to, you know, actually work with it.

    As far as protections are concerned, you're either using your SOC to access the internet to get sensitive data anyway (like e-mail) and hence you've secured absolutely nothing, or you're getting a file to transfer to your work machine, and hence you've breached your own security anyway.

    If you know what you're doing, and it sounds like you could, then it's not difficult to secure your work data from your internet connection. Think about the easy things -- like a second hdd/ssd for the work file.

    Secondary storage drives are easily turned off in device manager on a whim.
    Don't visit terrible sites at all. Don't walk down dark alleys with your 10-year-old daughter ever.
    Know how to clear buffers, and generally know that all's clear before spinning up that work drive.

    But most of all, know:
    that Ethan Hunt can always break in,
    that there aren't as many Ethan Hunts as you've been led to believe,
    that most of the time, Ethan Hunt doesn't actually harm you when he gets what he wants.

    You aren't actually responsible for the edge cases, so don't expend all of your energy defending against them.

  • by rickb928 ( 945187 ) on Wednesday March 28, 2018 @10:17AM (#56341069) Homepage Journal

    My now-ancient ASUS G50VT [asus.com] included ExpressGate [computerhope.com]. Based on Splashtop, burned into the BIOS ROM, manageable. Rudimentary Firefox browser, email client, Skype, and obviously hard to update. But it ran independently of any OS installed on storage.

    Splashtop is now done, but it was also used by ASUS on some motherboards, and then endured obscurity, competition [phoronix.com], and finally turned into something else.

    It did work. It was pretty minimal, and could have been cool. And it certainly is possible today, even in BIOS, with flexibility and update capabilities, but somehow I don't see any of this on the market.

    The obvious solution would be to embed ChromeOS or something similar, fairly lightweight and useful. This could let you keep your primary OS invisible.

    Cost?

  • I've always thought it would be pretty neat to have ESX running on a laptop and swapping between the different OSes as needed.

  • I already have such a secured device, appropriately configured, with that added bonus that I can use it when my laptop's battery is empty, or the laptop is smashed up, or confiscated or in my checked baggage, or in front of me on the desk.

  • Find/build a Live CD version of Linux that doesn't mount your hard drives, and you're pretty close.

  • by mrun4982 ( 3875585 ) on Wednesday March 28, 2018 @10:29AM (#56341133)
    You want a second OS? Use a VM. You want to keep your confidential files private? Encrypt them and only decrypt them when you feel like it's safe to do so. You don't like people trying to spy on you when you're connected to public wifi? Use a VPN. Everything you listed already has solutions readily available and that frankly are better options than booting into a completely different OS.
  • A few years ago, some laptops used to come with HyperSpace [wikipedia.org] or Splashtop [wikipedia.org], pre-installed cut down linux systems that could be used to surf the net, Skype, play music, etc. They didn't use separate SOCs, but HyperSpace at least could use virtualization to run both your main O/S and the HyperSpace O/S at the same time.

    I think they were primarily intended to get around long boot times in situations where you wanted an instant-on web browser, and not as a security measure when connecting to a hostile local networ

  • This is beyond niche and solved by access policy. What OP is describing only describes a way to make a weird, less secure (more attack surface area) edge case for the IT department to deal with.

    • A completely separate Computer-On-A-Chip that has NO physical connection to the rest of the system but is inside the same laptop casing for convenience lets you attack that system how? Where precisely is this "more attack surface area" you are talking about? You can hack the hell out of the SOC included, the SOC is NOT physically connected to the main motherboard, RAM, CPU, SSD or anything else. Precisely how can you hack one component, and then get from that component to a completely UNCONNECTED system? Wh
  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Wednesday March 28, 2018 @10:30AM (#56341147) Homepage

    basically what you're asking for is perfectly reasonable but "not considered financially viable". even for EOMA68 (for which i'm the copyright holder of the Certification Mark), if you are expecting to have the power of a "modern" intel-based laptop in the form of a physically removable Computer Card where you would be able to isolate "work" from "external stuff", it's going to take another 4-5 years before the power reductions and performance increases from are sufficient so that it's actually even possible to fit a complete "high to medium performance" quad or octal core 3+ ghz computer plus 8 to 16 GB of RAM into such a small space.

    the only *hardware*-level system that i ever heard of which had some form of dual (independent) processor system in it was about three to five years ago, it was announced here on slashdot: it was something like Lenovo or Dell who had put in an independent processor that could boot from the "BIOS" (if it's a full operating system it's hardly a BIOS but you know what i mean) into a complete and self-contained GNU/Linux OS with its own web browser.

    aside from that, the only viable suggestions that you will get (and there will be some which will get lots of +1 moderations) will be dual-boot, or hypervisor-based (not that that means much any more with the spectres and meltdowns coming out the woodwork) virtual machining, or external USB memory-stick-based GNU/Linux OSes, and so on and so forth, all of which provide physical access to the drive, consequently *in theory* could actually maliciously be exploited and end up damaging the drive.

    unless the work OS hard drive is removable. or the work OS hard drive *IS* the external USB stick and you swap over the USB sticks from work to "other" and back again. that would actually do the job that you're looking for, albeit with the performance penalty associated with some forms of external USB media, so you would have to do your research.

    sorry it's not better news! honestly, though, if you absolutely really want to use the on-board (internal) drive, do consider virtualising the entire windows OS and sandboxing it... *and* sandbox the "other" OS as well. so that's 3 operating systems: the hypervisor / manager one (which you NEVER permit access to the internet) and that one should without a shadow of doubt be GNU/Linux-based. then you run Windows under QEMU (please don't use oracle virtualisation products), *AND* you run the "other" OS also under QEMU (or other suitable hypervisor system, do investigate XEN etc.) but... like i said: for all of these, you have to take into account the fuckups by Intel in the design of their processors where they prioritised profit over security: spectres, meltdowns and much more yet to be discovered.

  • You think the most common OS on the planet by device installations, most commonly distributed in a heavily modified binary blob, is significantly more secure than Windows 10. How cute.

    If you're worried about the dangers of free wifi, check your open ports and use a VPN, problem solved.

  • I have a USB LTE modem so I generally don't have to worry about using someone else's internet. I also have a VPN capable router at home so I can connect to the open WiFi and have my traffic encrypted back to my home network. And the VPN will run over LTE just in case I don't trust the local LTE.
  • Strange that nobody suggested using a VPN.

    If you care at all about security, you have no business connecting EITHER system to third-party WiFi (whether open at a coffee shop or closed at some other business) without employing a VPN.

    The VPN should either terminate at your home/company router (hopefully you trust your own company's IT department to maintain a secure environment) or with a trusted third party. (i.e. your IT/security people should vet the company's security).

    For your specific case (per your fol

  • The market is too small for a hardware-based dual system as described.
  • For basic isolation -- I use my SmartPhone !! (with tape over the microphone & camera).
    For even more isolation - I access YOUR PC at the coffee bar table next to me via the credentials I gathered via my pineapple that offered "Free WiFi".

    The solution does exist. Due to the expense of having extra hardware to do this (the level of isolation you want) - most people dual boot using an encrypted file system or a local VM. TruCrypt had this feature -- a secret file system within another one hidden and acc

  • To physically switch control of screen, keyboard, camera, microphone and so on. Otherwise non-work untrusted app can present work UI and steal your credentials. Even with a switch you could forget to flip it. A physical separate device is still best for security, even at the cost of a slight inconvinience.

  • My untested hypothesis would be 3 fold.

    1) There isn't a huge market for such a thing so the cost of it would be prohibitive.
    2) There is more profit in making hardware that will be bought by the 90% then the 10%
    3) There are probably some work around that get you near what you want. ( also, my guess would be such systems probably do exist for military use , but you would probably be hard pressed to find them and unwilling to the pay the price if you could get one.).

  • Let's take a step back and look at the problem you're trying to solve, as it sounds like the switching mechanism you describe might be over-engineering things a bit. You want to use sketchy public wifi with a mission critical work computer?

    My first inclination would be not to risk using it in public places to begin with, or do my web browsing with a different personal device.

    Otherwise, a VPN connection and VM would be the most elegant solution. Solves the trust issues with the local network, and (mostly/arg

  • Have you ever heard about them?
    How would separate hardware be more secure?
    My EUR 0.01 contribution: don't connect to untrusted networks and services at all and you won't need the pc inside a pc.

  • I agree with other responders that running Windows in a VM would probably be sufficient, but I'm old, and tend to want some kind of physical solution. My first thought was having a laptop with a removable drive bay (Apple need not apply) and swap out SSDs between your "work" instance and your "don't care if it's pwned" instance.

    Barring that, I'd encrypt my main Windows drive and boot Mint (substitute your Linux of choice, or even Windows) off a low profile flash drive for browsing and email in sketchy envi

  • I have many. Maybe 1/2 dozen. Most are not allowed on the internet.
  • by hAckz0r ( 989977 ) on Wednesday March 28, 2018 @12:40PM (#56342163)
    Hardware virtualization will get what you want. Qubes/Xen can run an HVM with just about whatever OS you might want to use. When surfing the Internet you can run a TOR like OS (whonix) for anonymity, or run a one time use VM instance for resilience against being hacked/malware. Everything shares the same start menu and desktop environment. You get Fedora, Whonix, and Debian right out of the box as easilly as installing a package. Need Windows, install your media, and then just a click from the menu, and up pops Edge, Word, or Photoshop. Need Kali to test your network? Install it and Click the menu. Need to test a new OS? Install it and try it out.

    .
    Your NIC with its DMA controller is IOMMU constrained inside the sys-net VM, so it wont let it write to memory outside its own memory space. The sys-filewall VM and its iptables and nat keeps all your internal user VM's safe from the network.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...