this post was submitted on 05 Feb 2024
58 points (79.6% liked)


I currently have a Dell laptop that runs Windows for work. I use an external SSD via the Thunderbolt port to boot Linux allowing me to use the laptop as a personal device on a completely separate drive. All I have to do is F12 at boot, then select boot from USB drive.

However, this laptop is only using 1 of the 2 internal M.2 ports. Can I install Linux on a 2nd M.2 drive? I would want the laptop to normally boot Windows without a trace of the second option unless the drive is specified from the BIOS boot options.

Will this cause any issues with Windows? Will I be messing anything up? For the external drive setup, I installed Linux on a different computer, then transferred the SSD to the external drive. Can I do the same for the M.2 SSD – install Linux on my PC, then transfer that drive to the laptop?

Any thoughts or comments are welcome.

Edit: Thank you everyone! This was a great discussion with a lot of great and thoughtful responses. I really appreciate the replies and all the valuable information and opinions given here.

(page 2) 46 comments
[–] [email protected] 19 points 9 months ago

I understand the rationale behind you doing this, I've done it myself.

Your company sends you abroad for a week or two. You want to access your Netflix account but don't want to do it on the company computer. On the other hand you don't want to carry two laptops with you.

As others have said, tampering with company hardware can get you in trouble with the IT department, and it's enough to get you fired in some cases.

If you value your job, get permission to do it or get yourself a tablet.

[–] [email protected] 29 points 9 months ago (8 children)

The answer here is very simple. Your employer will find out what you're doing.

So obviously you should be asking them, if anyone. Not us Lemmings.

[–] [email protected] 22 points 9 months ago

The big takeaway is that you do not own this computer. It is not yours, it is being lent to them for a very specific purpose. And what you want to do, hell what you're already doing, is way outside of that purpose.

How would you feel if you lent a friend your computer to check their email and found out they had bypassed a lot of your security mechanisms (passwords) to set up their own admin account?

What about when you begrudgingly get a MFA app on your personal phone because your employer's too cheap to shell out for a yubikey or hardware token? How would you feel if their app also rooted your phone just for shits and giggles?

What you're proposing is not only dangerous to your career, it's also potentially illegal. And also just downright unethical.

[–] [email protected] 11 points 9 months ago (1 children)

I’ve seen many people fired for doing less on a work laptop. Do not modify the physical machine. I’m surprised they don’t have USB locked off already. I’d get a personal machine.

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago)

This was my first thought as well.

Be happy you can boot from a USB. Do NOT fuck with the machine unless you want to look for another job.

[–] [email protected] 66 points 9 months ago* (last edited 9 months ago) (4 children)

Danger Will Robinson! Do NOT fuck with company hardware!

You are going to potentially set off a shit ton of alarm bells, and risk your job, by even attempting this.

First of all, almost all such devices come with a BIOS lock. You'd need to get the password before you could even begin this (again, do not do it!)

Secondly, they'll be able to tell something is up from the foreign UEFI entries.

Thirdly, if that doesn't expose you, Intel IME will. Doesn't matter what operating system you're running.

And you're going to create some royal fucking headaches for a lot of people in your company.

Let's start with security. Remember when I said you'll set off alarm bells? Well, I mean some mother fucking alarm bells. Security will have a god damn aneurysm over this, and they will believe you may be doing this to bypass security, possibly for nefarious reasons. A foreign hard drive with its own OS looks shady as shit.

Then there's the regular tech people. You're going to cause various headaches for them too. Not least because under many service agreements, the company itself may not be authorised to open up the workstations themselves. Many workplaces rent their workstations nowadays, and it is not uncommon to see this language in their SLAs.

Then there's the fact that the OS image on the original drive potentially cannot be trusted any more, so they have to wipe the fucker clean and do a fresh image install.

TL;DR, You are giving your company several solid reasons to fire you for cause by doing this.

[–] [email protected] 8 points 9 months ago (1 children)

He already boots linux via USB drive on it, I guess the difference to booting from PCI/M.2 drive would not be that different, in terms of security, or did I miss something?

[–] [email protected] 5 points 9 months ago

I was thinking about the technical details and didn't stop to consider the implications, nice answer.

Also unexpected lost in space reference.

[–] [email protected] 13 points 9 months ago

I have to second the get your own laptop.

The company I work for has software that does hardware / software inventory regularly. So additional hardware added can and will show up.

Also, when hired we are told in no uncertain terms that tampering with the laptop can and will be grounds for termination.
Booting off of an external drive is ill advised as many work laptops have restrictions to the USB/thunderbolt ports as well as modifying bios settings.

Lastly, using corporate hardware (be it a cell phone, or a laptop) should never be used for personal use. It's a good way to lose your job. I know more than one person in my career that lost their job either from texts sent from a work cell phone, or using their work computer for personal things. It's just not worth it.

[–] [email protected] 42 points 9 months ago

I have a recommendation, buy a personal laptop that isn’t tied to your company.

[–] [email protected] 25 points 9 months ago (1 children)

I had a work laptop and did the "external USB" thing. One day, at work, I'm messing with my Linux on a public wifi, having unplugged from the corporate LAN.

A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.

Corporate security got to my laptop before I did.

I didn't get fired.

I don't work there anymore, though.

[–] [email protected] 11 points 9 months ago

Yeah, this is just a terrible idea. The risk is far greater than any potential reward you might be getting.

[–] [email protected] 19 points 9 months ago (1 children)

DO NOT install a second M.2

Use the external drive

If the internal drive is in there, you could be asked at work to turn it in. It is not a good look to ask to remove an internal drive.

[–] [email protected] 80 points 9 months ago (5 children)

Stop using work devices for personal business

[–] [email protected] 26 points 9 months ago

Yes, and especially don't fuck with the hardware or core boot/OS configuration. That's the kind of stuff that can get you fired in most orgs I've been in.

Is Linux likely to mess up the stuff in Windows: probably not? It does require you to do likely-unauthorized things to the device to install, including potentially circumventing some controls required in the work device.

Whether it causes issue or not, circumventing those policies or controls is not going to land well if you get caught at it.

[–] [email protected] 13 points 9 months ago

I would get a second device

[–] [email protected] 12 points 9 months ago

You're better off doing it the current way. Or better still just get one for yourself if you use it that much.

[–] [email protected] 16 points 9 months ago (1 children)

IT will ask you the next day what you did to their computer.

[–] [email protected] 3 points 9 months ago (5 children)

From a technical perspective I'm curious - how would they know a drive has been added without physically inspecting the laptop?

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

I'm glad you asked, people provided some great answers.

Good rule of thumb is just don't mess with company property at all, cuz they'll know. For example I simply turned a wall TV on one weekend so my skeleton crew had something to do, and I was asked why a few days later. If it's electronic they can track it.

[–] [email protected] 8 points 9 months ago

Intel IME can snitch on this kind of thing. Completely independent of the OS too.

[–] [email protected] 15 points 9 months ago (1 children)

Microsoft system administrators have full access to any physical device information, this includes a report on new internal devices or changes. Your company may not be so serious about security, but why on earth are you willing to risk your livelihood on this?

[–] [email protected] 10 points 9 months ago

Not just Windows sys admins ... I have this access to MacBooks, tablets, and phones in my company.

Windows, MacOS, Linux, iOS, Android ... If it's in use in an enterprise environment that knows what they're doing, they have full access to the device.

[–] [email protected] 8 points 9 months ago (1 children)

The drive is visible to the OS so if they have any kind of management software in place which looks for hardware changes it will be noticed.
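
As an added example (not part of any comment in this thread and not any management product's code), here is a minimal sketch of the kind of inventory check described above, combined with the UEFI-entry check mentioned earlier in the thread, as it could run on a Linux endpoint: it compares `lsblk` and `efibootmgr` output against an enrolment baseline. The baseline structure, serial numbers and sample outputs are constructed for illustration.

```python
import json
import re

# Constructed enrolment baseline for one laptop (assumed structure, not from the thread).
BASELINE = {"disks": {"CONSTRUCTED-SN-0001"}, "boot_labels": {"Windows Boot Manager"}}

# Constructed `lsblk -J -o NAME,SERIAL,MODEL,TRAN,TYPE` output after a second drive appears.
LSBLK_JSON = """{"blockdevices": [
  {"name": "nvme0n1", "serial": "CONSTRUCTED-SN-0001", "model": "OEM NVMe 512GB", "tran": "nvme", "type": "disk"},
  {"name": "nvme1n1", "serial": "CONSTRUCTED-SN-0002", "model": "Aftermarket NVMe 1TB", "tran": "nvme", "type": "disk"}
]}"""

# Constructed `efibootmgr` output with one entry the baseline does not know.
EFIBOOTMGR_OUT = """\
BootCurrent: 0000
BootOrder: 0000,0003
Boot0000* Windows Boot Manager
Boot0003* ubuntu
"""

BOOT_ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")

def parse_disks(lsblk_json):
    """Map serial (or device name if the serial is missing) -> record, whole disks only."""
    devices = json.loads(lsblk_json)["blockdevices"]
    return {(d.get("serial") or d["name"]): d for d in devices if d.get("type") == "disk"}

def parse_boot_labels(efibootmgr_text):
    """Map BootXXXX number -> label, dropping any tab-separated device path."""
    entries = {}
    for line in efibootmgr_text.splitlines():
        m = BOOT_ENTRY.match(line.strip())
        if m:
            entries[m.group(1).upper()] = m.group(3).split("\t")[0].strip()
    return entries

def find_drift(baseline, lsblk_json, efibootmgr_text):
    """Return findings for every disk or boot entry absent from the baseline."""
    findings = []
    for serial, dev in sorted(parse_disks(lsblk_json).items()):
        if serial not in baseline["disks"]:
            findings.append(f"new disk {dev['name']} ({dev.get('model')}, {dev.get('tran')}) serial={serial}")
    for num, label in sorted(parse_boot_labels(efibootmgr_text).items()):
        if label not in baseline["boot_labels"]:
            findings.append(f"new UEFI entry Boot{num}: {label}")
    return findings

if __name__ == "__main__":
    print("\n".join(find_drift(BASELINE, LSBLK_JSON, EFIBOOTMGR_OUT)))
```
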

[–] [email protected] 2 points 9 months ago

Quite interesting. Thank you for the information!

[–] [email protected] 41 points 9 months ago (1 children)

You shouldn’t do this. Why would you do this

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (3 children)

Want to elaborate on why it's such a bad idea? I'm curious now

Provided the user doesn't put their windows password in, then things should not be accessed.

[–] [email protected] 3 points 9 months ago

This likely breaks your company's terms of use. This can definitely lead to termination, especially since the other OS would likely not be monitor-able by them (opening them up to potential liability, along with the myriad of other issues)

[–] [email protected] 21 points 9 months ago (1 children)

You run the risk of getting your ass fired. It's not your property, you're not supposed to mess with it, let alone installing additional hardware and another OS which could then lead to issues with the work side of things.

[–] [email protected] 3 points 9 months ago (2 children)

So you're saying it will mess with the other partitions?

This is essentially OP's question, but I didn't see you answer it in that way.

[–] [email protected] 18 points 9 months ago (1 children)

Well for one thing the laptop doesn't belong to OP so it's not theirs to mess with.

[–] [email protected] 1 points 9 months ago (4 children)

I was more looking for a functional reason, not just a "cos I said so" from the employer.

I thought maybe some of you work in cybersec had a real answer or a cve/attack vector etc.

[–] [email protected] 6 points 9 months ago (6 children)

One doesn't need to work in cybersec to know that the vast majority of attacks work because the targeted users have personal dum-dum moments.

[–] [email protected] 93 points 9 months ago (4 children)

Forget the technical details. I work in a corporate security department and if yours finds out what you're doing there's high odds they would absolutely hate it. I mean it likely isn't an issue for org security (assuming they're using bitlocker appropriately etc.) But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don't.

[–] [email protected] 2 points 9 months ago (1 children)

(assuming they're using bitlocker appropriately etc.)

Yeah, about that...

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago)

I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.)

Data loss/leak prevention would vehemently disagree. It's a potential exfiltration point, especially if the org is blocking USB writes.

Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks

[–] [email protected] 39 points 9 months ago

Not to mention you really can't hide that other drive from windows, and I'm sure a lot of the security tools would start screaming about new storage added when not expected. Data Loss Prevention is a big deal and random storage showing up doesn't often mean the user has good things planned.

[–] [email protected] 39 points 9 months ago (1 children)

Exactly. This is a terrible idea. I'm fairly certain that anyone caught doing this would be immediately fired at some companies.

[–] [email protected] 17 points 9 months ago (1 children)

If the second internal ssd is there when windows boots, it will leave a trace. IMHO booting off the external drive is the best option if you want it to leave no trace on the windows partitions.

Also, it's possible any booted device will leave a trace in the bios or uefi boot logs, which your corporation may have configured to ship to their audit logs or something similar.

[–] [email protected] 0 points 9 months ago (1 children)

Thanks for the information. And good point - I will check to see if there's any logs in the BIOS. Is there any way to know if boot logs are being sent? Is that a BIOS setting, or something that would be configured in Windows?
