this post was submitted on 05 Feb 2024
57 points (79.4% liked)

Linux

48390 readers
946 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I currently have a Dell laptop that runs Windows for work. I use an external SSD via the Thunderbolt port to boot Linux allowing me to use the laptop as a personal device on a completely separate drive. All I have to do is F12 at boot, then select boot from USB drive.

However, this laptop is only using 1 of the 2 internal M.2 ports. Can I install Linux on a 2nd M.2 drive? I would want the laptop to normally boot Windows without a trace of the second option unless the drive is specified from the BIOS boot options.

Will this cause any issues with Windows? Will I be messing anything up? For the external drive setup, I installed Linux on a different computer, then transferred the SSD to the external drive. Can I do the same for the M.2 SSD – install Linux on my PC, then transfer that drive to the laptop?

Any thoughts or comments are welcome.

Edit: Thank you everyone! This was a great discussion with a lot of great and thoughtful responses. I really appreciate the replies and all the valuable information and opinions given here.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 93 points 9 months ago (4 children)

Forget the technical details. I work in a corporate security department and if yours finds out what you're doing there's high odds they would absolutely hate it. I mean it likely isn't an issue for org security (assuming they're using bitlocker appropriately etc.) But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don't.

[–] [email protected] 39 points 9 months ago (1 children)

Exactly. This is a terrible idea. I'm fairly certain that anyone caught doing this would be immediately fired at some companies.

load more comments (1 replies)
[–] [email protected] 39 points 9 months ago

Not to mention you really can't hide that other drive from windows, and I'm sure a lot of the security tools would start screaming about new storage added when not expected. Data Loss Prevention is a big deal and random storage showing up doesn't often mean the user has good things planned.

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago)

I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.)

Data loss/leak prevention would vehemently disagree. It's a potential exfiltration point, especially if the org is blocking USB writes.

Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks

load more comments (1 replies)
[–] [email protected] 80 points 9 months ago (13 children)

Stop using work devices for personal business

[–] [email protected] 26 points 9 months ago

Yes, and especially don't fuck with the hardware or core boot/OS configuration. That'd the kind of stuff that can get you fired in most orgs I've been in.

Is Linux likely to mess up the stuff in Windows: probably not? It does require you to do likely-unauthorized things to the device to install, including potentially circumventing some controls required in the work device.

Whether it causes issue or not, circumventing those policies or controls is not going to land well if you get caught at it.

load more comments (12 replies)
[–] [email protected] 66 points 9 months ago* (last edited 9 months ago) (4 children)

Danger Will Robinson! Do NOT fuck with company hardware!

You are going to potentially set off a shit ton of alarm bells, and risk your job, by even attempting this.

First of all, almost all such devices come with a BIOS lock. You'd need to get the password before you could even begin this (again, do not do it!)

Secondly, they'll be able to tell something is up from the foreign UEFI entries.

Thirdly, if that doesn't expose you, Intel IME will. Doesn't matter what operating system you're running.

And you're going to create some royal fucking headaches for a lot of people in your company.

Let's start with security. Remember when I said you'll set off alarm bells? Well, I mean some mother fucking alarm bells. Security will have a god damn aneurysm over this, and they will believe you may be doing this to bypass security, possibly for nefarious reasons. A foreign hard drive with its own OS looks shady as shit.

Then there's the regular tech people. You're going to cause various headaches for them too. Not least because under many service agreements, the company itself may not be authorised to open up the workstations themselves. Many workplaces rent their workstations nowadays, and it is not uncommon to see this language in their SLAs.

Then there's the fact that the OS image on the original drive potentially cannot be trusted any more, so they have to wipe the fucker clean and do a fresh image install.

TL;DR, You are giving your company several solid reasons to fire you for cause by doing this.

[–] [email protected] 8 points 9 months ago (1 children)

He already boots linux via USB drive on it, I guess the difference to booting from PCI/M.2 drive would not be that different, in terms of security, or did I miss something?

[–] [email protected] 9 points 9 months ago* (last edited 9 months ago)

The security implication from a USB boot are probably more severe but also more the fault of the people configuring your work machine. It is expected that people will plug things like pen drives in, to a degree. It is your job to block it with configurations.

The real problem is that once you start adding or removing internal hardware, that configuration no longer stays a trusted one because they've meddled with the components.

[–] [email protected] 6 points 9 months ago

On top of all that, most hitting contacts I've seen contain language saying that if you use company resources to make a thing, that thing, the company owns that thing. Seems likely that in addition to firing they could compel you to turn over the drive and wipe it.

load more comments (2 replies)
[–] astraeus 51 points 9 months ago

I have a recommendation, buy a personal laptop that isn’t tied to your company.

[–] [email protected] 41 points 9 months ago (18 children)

You shouldn’t do this. Why would you do this

load more comments (18 replies)
[–] [email protected] 34 points 9 months ago

IDK about other places, but the document we make our users sign make it clear that modifying the internal hardware is a fireable offense.

The laptop isn’t yours, use a personal device for personal stuff, and work device for work only.

[–] [email protected] 29 points 9 months ago (8 children)

The answer here is very simple. Your employer will find out what you're doing.

So obviously you should be asking them, if anyone. Not us Lemmings.

load more comments (8 replies)
[–] [email protected] 27 points 9 months ago

apparently you are unaware of how much monitoring goes on in corporate IT. you're lucky they haven't already found the mac address yet booted with a different os, or maybe they're already onto you.
I would stop doing what you're doing immediately and hope it's not too late

[–] [email protected] 25 points 9 months ago (1 children)

I had a work laptop and did the "external USB" thing. One day, at work, I'm messing with my Linux on a public wifi, having unplugged from the corporate LAN.

A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.

Corporate security got to my laptop before I did.

I didn't get fired.

I don't work there anymore, though.

[–] astraeus 13 points 9 months ago

Yeah, this is just a terrible idea. The risk is far greater than any potential reward you might be getting.

[–] [email protected] 22 points 9 months ago

The big takeaway is that you do not own this computer. It is not yours, it is being lent to them for a very specific purpose. And what you want to do, hell what you're already doing, is way outside of that purpose.

How would you feel if you lent a friend your conputer to check their email and found out they had bypassed a lot of your security mechanisms (passwords) to set up their own admin account?

What about when you begrudgingly get a MFA app on your personal phone because your employer's too cheap to shell out for a yubikey or hardware token? How would you feel if their app also rooted your phone just for shits and giggles?

What you're proposing is not only dangerous to your career, it's also potentially illegal. And also just downright unethical.

[–] [email protected] 19 points 9 months ago

Any thoughts or comments are welcome

If this is a corporate decide your cyber security team have really dropped the ball by enabling you to change the boot order.

[–] [email protected] 19 points 9 months ago (1 children)

DO NOT install a second M.2

Use the external drive

If the internal drive is in there, you could be asked at work to turn it in. It is not a good look to ask to remove an internal drive.

load more comments (1 replies)
[–] [email protected] 19 points 9 months ago

I understand the rationale behind you doing this, I've done it myself.

Your company sends you abroad for a week or two. You want to access your Netflix account but don't want to do it on the company computer. On the other hand you don't want to carry two laptops with you.

As others have said, tampering company hardware can get you in trouble with the IT department, and it's enough to get you fired in some cases.

If you value your job get permission to do it or get yourself a tablet.

[–] [email protected] 17 points 9 months ago (2 children)

If the second internal ssd is there when windows boots, it will leave a trace. IMHO booting off the external drive is the best option if you want it to leave no trace on the windows partitions.

Also, it's possible any booted device will leave a trace in the bios or uefi boot logs, which your corporation may have configured to ship to their audit logs or something similar.

load more comments (2 replies)
[–] [email protected] 16 points 9 months ago (8 children)

IT will ask you the next day what you did to thier computer.

load more comments (8 replies)
[–] [email protected] 15 points 9 months ago

This is just a bad idea in general.

[–] [email protected] 14 points 9 months ago (1 children)

You can buy a used ThinkPad T480 for like $75 on ebay. A lot cheaper than having to explain your shenanigans to Maude from HR.

[–] [email protected] 7 points 9 months ago

Honestly, this is good advice. It's much better to keep personal computer activity on a personal device, whether that's on a ThinkPad or anything else.

[–] [email protected] 13 points 9 months ago

I would get a second device

[–] [email protected] 13 points 9 months ago

I have to second the get your own laptop.

The company I work for has software that does hardware / software inventory regularly. So additional hardware added can and will show up.

Also, when hired we are told in in uncertain terms that tampering with the laptop can and will be grounds for termination.
Booting off of an external drive is ill advised as many work laptops have restrictions to the USB/thunderbolt ports as well as modifying bios settings.

Lastly, using corporate hardware (be it a cell phone, or a laptop) should never be used for personal use. It's a good way to lose your job. I know more than one person in my career that lost their job either from texts sent from a work cell phone, or using their work computer for personal things. It's just not worth it.

[–] [email protected] 12 points 9 months ago

You're better off doing it the current way. Or better still just get one for yourself if you use it that much.

[–] [email protected] 11 points 9 months ago (1 children)

I’ve seen many people fired for doing less on a work laptop. Do not modify the physical machine. I’m surprised they don’t have USB locked off already. I’d get a personal machine.

load more comments (1 replies)
[–] [email protected] 9 points 9 months ago (1 children)

Looking at the replies I'm happy I line in Germany where none of this is legal without signing a document that explains in detail how exactly you are surveiled.

[–] SheeEttin 7 points 9 months ago

None of these answers talk about watching you or your actions, only the device and the network.

[–] [email protected] 8 points 9 months ago

Damn my laptop has secure boot and extra on top , I believe the usb ports are physically disabled.

I assume everything is watched on what I'm doing. Can't remember the wording but i can't do shit without getting in a heap of trouble.

Browser add-ons are like a 2 week process to get approved

[–] [email protected] 7 points 9 months ago* (last edited 9 months ago)

In most cases, work laptops have software(s) installed to automatically keep track of these activities, and flag it to security team of your organization. At that point, it will either lead to a formal warning to you, or termination/forced resignation.

From organization point of view, this is to avoid any accidental (or intentional) leak of confidential data, and/or accidentally (or intentionally) infecting your (work) system with malware/ransomware.

The latter had happened in one of my previous organizations, and the person responsible was terminated from job immediately.

[–] [email protected] 6 points 9 months ago

As many companies now use Bitlocker encryption, you’ll probably Bitlock your work partition by trying to install the second drive internally. IF YOU MUST boot to another drive, keep it external. And DO NOT unlock or mount your work partition in your personal OS. Really, though, you shouldn’t do this at all.

load more comments
view more: next ›