Post by gulli on Aug 7, 2011 8:46:17 GMT -5
I have a few questions about KNOS that I would appreciate having answered. I'm not a computer expert by any means but I have taken the time and effort to learn about computer security so that my XP desktop that I bought in 2004 has never been infected.
1) If I understand things correctly, when using Firefox (or similar program) as your browser you could save pages under bookmarks while using the browser but these would be lost when you close the browser. Therefore you would have to export your bookmarks to your USB stick before closing your browser to save them and the next time you use the browser you would have to import them again. If this is so it means that anything you add in your applications like new email addresses, preferences etc would have to go through a similar tedious saving and reloading process.
2) Again, if I'm understanding how KNOS works it would seem impossible to install add-ons to Firefox because their installation requires a restart of the browser. I would sure miss something like AdBlock Plus and have to endure the visual pollution of annoying ads.
3) How can you print in KNOS when you won't have a driver for this OS?
4) Would it be possible to, say, visit a malicious page that has a nasty (hidden) JavaScript which resides only in memory and then proceeds on subsequent pages to log keystrokes and capture screenshots and send all of this to some bad guy in eastern Europe?
5) While Kevin has a sterling reputation for integrity and is extremely knowledgeable, I really have no way, due to my lack of expertise, of evaluating his claim that KNOS is as secure as he says. Have there been any independent evaluations of KNOS by security researchers? Have any white hats/black hats been given a shot at trying to determine if KNOS has any weaknesses?
Thank you for reading my post and for any feedback!
Post by Kevin McAleavey on Aug 7, 2011 22:08:38 GMT -5
> I have a few questions about KNOS that I would appreciate having answered. I'm not a computer expert by any means but I have taken the time and effort to learn about computer security so that my XP desktop that I bought in 2004 has never been infected.

Greetings and congratulations on that, no small task! Be happy to give it a try ... Absolute security does come with a slight level of additional effort. It does however eliminate the need to scan and secure the system, so many of us consider it a reasonable tradeoff.

And while you probably don't need any of those additional add-ons, it is quite possible to add them in KNOS if you really want to. One can do it the way you describe, or better yet, use our built-in feature called "Backup App settings" under the "System tools" item on our menu. You then end up with everything (including your authorized and manually-installed add-ons) saved into an archive which you can simply unpack right back into the KNOS folder once you've rebooted and everything goes right back the way it was the last time. KNOS also comes with its own password manager as well as KeePassX so you can keep all of your information as well across a reboot. We make it easy, painless, and fully automatic on the "save" side although the absolute of security is slightly diminished by saving and returning data to it. The "hard way" retains that higher level of perfection but I can understand that the "lazier" method is what people want. KNOS does come with Evolution email, but we do recommend using the web interface to your email since Evolution is a PIA like Thunderbird. But you can use those if you want to. When using KNOS, you can save all of your settings on a USB stick if you wish or to a cloud service as KNOS was originally designed for and supports.

In our corporate and government versions, the entire home directory and all settings are actually maintained on a server and are automatically mounted without any effort at all on the end user's part by a process called "remote mounting" in the industrial version of KNOS. For home users, that isn't there at the current time thus the need to use a USB stick as a substitute for it.

You'll be pleased to know that KNOS comes with CUPS printing and drivers already built-in for most of the popular printers out there. You configure printing from either the menu or the "printers" icon on the KNOS start page in the browser. So yes, printing is included. If a specific model isn't on the list, one of the other similar models has worked so far for everyone. KNOS also includes support for scanners and printer/scanner/fax combos. We provide all the drivers, there is nothing to install on your part.

Happens all the time in Windows. But it won't work in KNOS. In order to intercept keystrokes, you need a kernel shim to do that and we don't allow it. We don't speak Windows here. Same for screenshots. You can take lovely screenshots manually via a menu choice, but browsers cannot. The mechanisms are in a separate container from the browser. This scenario was the whole reason behind KNOS in the first place.

We haven't really oriented KNOS for a mass market as yet - our primary customers are corporate and government and have the means to evaluate KNOS themselves. The only reason for a retail release is because so many people who saw our beta tests wanted access to their own copy for friends and their own use and so we released a special single user retail version for those interested. Later this year, we are planning to release a full consumer version that will be installable on hard disk or as an OEM version for computer builders. Those who have the current release will get their upgrade under our annual subscription plan as part of the subscription.
So no, no major "published reviews" as yet out there. During our lengthy beta and release candidate tests, we had a number of black hats and security professionals who actively participated in our testing and development and after a few early things found in the BSD code in our first beta, they've come up empty-handed in finding any additional potential holes in KNOS. Our other testers also beat the hell out of KNOS looking for flaws and similarly came up empty-handed. You're MOST welcome ... hope this helps.
Post by gulli on Aug 8, 2011 7:00:34 GMT -5
Thank you Kevin for taking the time to reply. I plan to replace my XP box next year (doesn't have enough RAM to run KNOS now anyways) so I'll maybe have a look at KNOS again at that time when you've brought out your newest version.
Post by Kevin McAleavey on Aug 8, 2011 19:01:51 GMT -5
> Thank you Kevin for taking the time to reply. I plan to replace my XP box next year (doesn't have enough RAM to run KNOS now anyways) so I'll maybe have a look at KNOS again at that time when you've brought out your newest version.

You're most welcome! Over the last few years, even the low end boxes have more than enough beach sand inside, so you'll be good.
Post by gulli on Aug 9, 2011 7:13:55 GMT -5
I only have 512 MB of RAM which according to the info on your site isn't enough.
Post by Kevin McAleavey on Aug 10, 2011 2:08:47 GMT -5
> I only have 512 MB of RAM which according to the info on your site isn't enough.

Sorry to say, that's correct. KNOS runs entirely in memory and that's the reason why we need a minimum of 1 GB. That's what keeps everything safe since there's nothing left anywhere when you shut down a machine KNOS has run on.
Post by gulli on Aug 10, 2011 12:09:51 GMT -5
I was reading in one of your articles how you got tired of cleaning your Windows machines of malware. Using 20/20 hindsight what could you have done differently?
Post by Kevin McAleavey on Aug 10, 2011 18:47:44 GMT -5
> I was reading in one of your articles how you got tired of cleaning your Windows machines of malware. Using 20/20 hindsight what could you have done differently?

Many years ago, we were in the antimalware business and had a product called "BOClean." It detected and then fully cleaned up after all sorts of malware including rootkits. If you look up my name and "sony rootkit" on google, you can see how we even explained how to handle a rootkit without buying BOClean.

In 2007 when we could no longer compete with free antiviruses, we sold BOClean to a company called COMODO. I had hoped with their larger resources, they could integrate not only my code and malware database into their product, but expand on it in a direction I had been talking about for a long time in order to make for an EFFECTIVE antivirus product. Alas, they didn't. Not only didn't they make use of the different design philosophy, they didn't even use any of the cleaning code in it either. Within a few short weeks after turning over BOClean to them, they were no longer even keeping up with definitions and that's when the "spending more time cleaning than using" mode began for me. Prior to that, upon encountering any malware, I'd simply update the BOClean database and just let BOClean do the cleaning.

Once BOClean was no longer up to the task, the only solution available was to start developing KNOS since every antivirus and firewall uses the same approach which of course is ineffective. Nobody wanted to change their approach to malware and nobody was interested in making any changes to the nearly 30 year old way of doing things. Thus the only solution I saw was to eliminate the means by which malware can attach to an operating system and start with BSD's core and then build a malware-proof environment around it. I've been quite happy with the result as have those who've gone over to KNOS in their realms.
An ever so slight change in how one starts their machine in exchange for being able to use it in peace is just so much saner in my book. But given Microsoft's design and how the AV industry works, I don't see much that can be done for Windows. Wish I had a happier answer ... actually we do ...
Post by gulli on Aug 11, 2011 13:29:18 GMT -5
I had BOClean on my WIN98 box and it caught a nasty for me one time so I'll give you a belated thank you for that. Since you've been very good at answering my questions I'll throw a couple more at you. I read some of your comments from this spring over at the DSL and Wilders forums. You didn't seem all that convinced of the merits of using things like live Linux CDs because there was the possibility that malware could write to a swap file and then infect the native operating system. From what I've read while this is possible, it's a relatively rare event. Care to comment further? It would seem that KNOS only offers a small benefit compared to programs like Deep Freeze (www.faronics.com/standard/deep-freeze/) that restore your computer to a pristine state upon reboot. Or programs like Returnil (www.returnilvirtualsystem.com/returnil-system-safe) that allow you to run in a virtual environment. Thanks again for taking the time to respond!
Post by gulli on Aug 30, 2011 15:44:06 GMT -5
Post by gulli on Aug 31, 2011 6:47:20 GMT -5
There is an issue with Diginotar certificates and Google SSL which puts one at risk for a "man in the middle attack" which of course has nothing to do with what kind of operating system you are running: www.dslreports.com/forum/r26257657-Fraudulent-.google.com-Certificate This necessitates an upgrade to your version of Firefox. How could I upgrade my Firefox if I was running KNOS? Would I have to download a new ISO file from you with the updated version?
Post by Kevin McAleavey on Oct 28, 2011 1:23:40 GMT -5
> There is an issue with Diginotar certificates and Google SSL which puts one at risk for a "man in the middle attack" which of course has nothing to do with what kind of operating system you are running: www.dslreports.com/forum/r26257657-Fraudulent-.google.com-Certificate This necessitates an upgrade to your version of Firefox. How could I upgrade my Firefox if I was running KNOS? Would I have to download a new ISO file from you with the updated version?

My apologies for missing this ... yes, those certificates would be an immense problem in Windows given the way Firefox and other browsers work in that environment. We learned a long time ago from several COMODO fiascos that allowing the end user to live with bad certificates was a major security problem (even though the Diginotar episode was nowhere as serious as the previous ones) and designed KNOS to work around the issue in two different ways. Since the BSD operating system is designed for servers rather than desktops, it provides its own mechanism for certificates which browsers are forced to respect. This is called "ca_root_nss" and is an integral part of KNOS. Whenever a browser or other program is first started, KNOS goes out and automatically pulls down the latest root certificates and updates its internal database which all other clients read from. In addition, as an extra measure, we configured Firefox to automatically check for certificate or authority revocations which is normally disabled in the default Firefox configuration. When you first start a browser in KNOS, there's an apparent "hang" for a few seconds on that first start while we pull in that update and check it. That's why that happens. So the only reason why we didn't have to do any of that is that we anticipated this in our design since this wasn't the first time for this problem.
But yes, if there were a real security issue that would require a replacement copy of KNOS, we would indeed do that and put out a notification on the product home page that you see each time you start KNOS. That's also the reason for our "maintenance" which is covered in the subscription for KNOS. That also includes an upgrade to the next version within that year if we do so as well. But here, there was no need to.
Post by rustleg on Oct 31, 2011 13:35:22 GMT -5
I had a look at the certificates in Firefox and I was surprised to see Diginotar is still a valid certificate authority. I read your explanation in this thread but I'm not sure I understood how this would prevent Diginotar authorising a SSL session as it doesn't look as if Firefox has revoked it.
Post by Kevin McAleavey on Oct 31, 2011 18:54:48 GMT -5
> I had a look at the certificates in Firefox and I was surprised to see Diginotar is still a valid certificate authority. I read your explanation in this thread but I'm not sure I understood how this would prevent Diginotar authorising a SSL session as it doesn't look as if Firefox has revoked it.

By default, Firefox is configured to use OCSP ("Online Certificate Status Protocol") but by default, they turned it off in their standard setup. The end user had to know to check a box marked "When an OCSP server connection fails, treat the certificate as invalid." If that box were checked, an invalid certificate would indeed fail and Firefox thought that it would "confuse users" and so they decided that it was better to just ignore the problem. As a result, they had to remove the entire certificate chain in order to provide a less confusing message.

Firefox uses only TLS 1.0 protocol although 2.0 and 3.0 have been around for quite a while now. Around the time we released KNOS 8, there were also serious security problems with the encryption in TLS 1.0 but since Firefox didn't support the secure 2.0 and 3.0 TLS protocols, we decided that given all these bad designs, we'd just handle the TLS stuff at the kernel level since BSD already had all of the infrastructure already in place for SSL and unlike Firefox, it's dynamic. So we chose to go that route since the KNOS kernel's SSL structure using ca_root_nss handles all of the setup anyway.

In setting up SSL, OCSP is used and since diginotar no longer exists, the certificates don't either any longer and what will happen is that KNOS will default the connection to an untrusted http without the "lock." All of this is in addition to what's in Firefox, and running beneath the "userland" layer. Another advantage of this is that if a certificate authority revokes a certificate an hour ago, when you connect to a site that used that invalid certificate, it will not be valid since we check the nss stores at connection time.

This is regardless of what's going on in Firefox's certificate stores which are ignored by KNOS. Like I said, we saw this coming a few times before. Hope this helps.
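As an added example (not from the thread or the KNOS project), a small stdlib-only Python audit that reads a Firefox prefs.js or user.js and reports whether the OCSP hard-fail behaviour Kevin describes ("When an OCSP server connection fails, treat the certificate as invalid") is actually in force. The preference names are the real Firefox ones; the two sample profiles are constructed, and the fallback defaults assumed for missing keys are the Firefox defaults of that era (OCSP on, soft-fail).

```python
import re

# Real Firefox preference names. The thread refers to the second one by its
# UI label, "When an OCSP server connection fails, treat the certificate as invalid".
OCSP_ENABLED = "security.OCSP.enabled"  # 0 = never query OCSP, 1 = check end-entity certs
OCSP_REQUIRE = "security.OCSP.require"  # true = hard-fail when the responder is unreachable

# Matches prefs.js / user.js lines such as:  user_pref("security.OCSP.require", true);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text.
    Values are decoded to bool, int or str; comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def ocsp_policy(prefs):
    """Classify the revocation posture as 'disabled', 'soft-fail' or 'hard-fail'.
    Soft-fail is the weak setting: a blocked responder is treated as a pass.
    Missing keys fall back to the assumed Firefox defaults (OCSP on, soft-fail)."""
    if prefs.get(OCSP_ENABLED, 1) == 0:
        return "disabled"
    return "hard-fail" if prefs.get(OCSP_REQUIRE, False) else "soft-fail"


# Constructed sample profiles (not taken from any real machine).
DEFAULT_PROFILE = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.http.max-connections", 256);
"""
HARDENED_PROFILE = DEFAULT_PROFILE + """\
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true);
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {ocsp_policy(parse_prefs(text))}")
```

Point the parser at a real profile's prefs.js to see which of the three postures a given browser is actually running with.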