Knoppix 7.3 CeBIT Edition
Go Live!
Knoppix 7.3 comprises the current state of Debian GNU/Linux development and comes with the current hardware support of kernel 3.13, a new update function, and extended security and privacy features.
Keeping a distro current with GNU/Linux development can be quite difficult. Debian's boot system and hardware support via udev can make it difficult for the developer of a Linux distribution to figure out what needs to change just to boot up. Lucky for me, Knoppix's boot system again proved to be a big timesaver. Knoppix completely works around the Debian default startup systems (Upstart/systemd) by using knoppix-autoconfig
, a single shell script that does all the work of preconfiguration (Figures 1 and 2). Kernel support for devtmpfs had to be enabled to get the new udev hardware detection and removable device support working again, but the rest of the transition to the Debian testing branch (pre-jessie) went pretty smoothly.
Knoppix on Flash – Now with Update
Many modern netbooks and ultrabooks do not even have a DVD drive anymore, so Knoppix is commonly used on a USB flash disk instead of a DVD. Because creating a bootable USB flash disk is probably the first thing you want to do, Knoppix 7.3 now prominently shows an icon for the Knoppix flash disk installation program at the top left of the desktop when booting from DVD (Figures 3 and 4). Even though the Knoppix DVD version is read-optimized by a sort list, which tries to reduce the slow seek speed of the laser read sensor, flash memory boosts startup and the working speed of Knoppix by a factor of at least five. Startup time from loading the kernel to a full desktop with Compiz takes less than 15 seconds if you have recent computer hardware and fast flash pen drives.
One of the features most asked for last year was the ability to upgrade. Flash-knoppix, the Knoppix flash disk installation program, now scans the target drive for an existing Knoppix installation (Figure 5) and offers to replace just the main compressed filesystem and kernel, instead of installing everything from scratch.
You have an option to keep just personal data (your /home/knoppix
directory containing all your files and settings; Figure 6) or additional software outside your home directory (which is not recommended, because software packages installed by the user could be incompatible with the new system).
For the update to work, be sure to make enough space available on your flash pen for the full content of the DVD the first time you install. A first partition of 4.5GB should be fine. The Knoppix writable data partition, which is new since Knoppix 7.1, can then spawn over the remaining capacity of the flash drive (Figure 7) with optional encryption (Figures 8 and 9) that protects your passwords and personal files if you ever lose your flash drive or it gets stolen.
EFI and Hybrid CD/Flash Boot
Booting from flash is quick and easy because all changes and stored files are written to the data partition automatically. Some computers still can't boot from flash drives, though, either because they are too old (i.e., the BIOS does not have an option for booting from USB) or because they have boot firmware like EFI that does not allow booting from external hard disks.
An efi
directory on the first partition of the Knoppix-installed drive contains all the files needed to boot on an EFI-aware computer. If the EFI firmware is set to "Secure Boot," booting from anything but the "allowed" operating system is impossible. If in doubt, choose the "CSM" boot option in your computer's BIOS. CSM in EFI is the official abbreviation for "Compatibility Support Module," but it means "boot normally" (with the traditional boot record and bootloader from disk).
If your computer still can't boot from a USB drive, Knoppix 7.3 includes a very small (12MB) CD-ROM ISO image in the KNOPPIX
directory that you can burn to an empty CD-R. In this way, you can start your computer when both the boot-only CD and the USB flash drive are attached. After first starting from the boot-only CD, the system automatically switches to the USB drive and continues booting from there. This workaround is known to work well even on Macs, which have restrictive USB boot capabilities.
Security and Privacy
Security and privacy have always been at the top of Knoppix architectural design, even before last year's increased awareness of security resulting from various surveillance revelations. The popular Firefox browser – named Iceweasel in Debian – comes with the NoScript plugin in sharp mode. With only a few preset exceptions, NoScript asks for attention and permission whenever your browser loads a web page with "active content" that would trigger plugins or execute potentially dangerous scripts, including JavaScript.
A yellow message on the bottom status bar tells you when content has been blocked. You can disable checks for a website you trust during a browser session only or permanently (e.g., if you want to watch flash movies that require plugin activity and access to the computer hardware). NoScript makes online banking and Internet transactions a lot safer, because it also catches cross-site scripting attacks and warns even in the case of "suspicious" content.
Many users asked about a firewall in Knoppix. In other operating systems, a firewall is necessary because they have open ports reachable from the Internet. Knoppix, however, is preconfigured with no services running on the external network interfaces by default (unless you explicitly start Samba or VNC, the remote desktop server). A port scanner thrown at a Knoppix system with no firewall running will not find any attackable open port.
However, Knoppix does have an easy-to-use firewall setup script (Figure 10) that allows you to add filters that let services either run locally only or be accessible from the local network only. The firewall comes with three levels of complexity, from easy to expert (which lets you add your own iptables rules). Again, starting a firewall is not required for normal use of Knoppix as a secure client to access the Internet. In the case of video conferences, for example, a firewall can even be counterproductive, depending on the software used.
All accounts are blocked on Knoppix, with no "backdoor" password – not even for the default, unprivileged knoppix
user. Therefore, a "login" is impossible. If you manage to start a screen locker, you are effectively locked out. (For this reason, I disabled the automatic lock screen features of various desktop managers.) The only ways to "break in" to a Knoppix system is to be logged in already, to start the secure shell server (SSH) and set a password, or to start the VNC server so remote access is possible (Figure 11). By the way, the knoppix user is allowed to execute programs as root using sudo
for recovery tasks.
Privacy is the main goal of the Tor network (Tor = The onion router) by making it difficult for malicious or advertising websites to detect your location and identity. Using a complex mesh of participating routers on the Internet, Tor effectively suppresses the ability to trace your physical address. Websites only see the address of the so-called "exit node," which is a random computer enabled as a router inside the Tor network. Tor can be enabled by a starter application in the Knoppix menu and has to be set up as a "proxy" in the web browser of your choice.
A single-click option for Tor has already been added to Firefox and Chromium, so enabling Tor is quite easy (Figure 12). However, please be aware that Tor is not designed to be used for secure transactions and authenticated services. If you need to access an authenticated service, such as online banking, I recommend turning off the Tor proxy for this purpose.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.