Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Windows Explorer will still work with IE removed. You'll lose the "view as webpage" options, active desktop, etc. It'll behave like the Windows Explorer of old. As for vulnerabilities in WE, there are vulnerabilities in everything. Unlike IE, WE doesn't require internet access. It doesn't need to be part of the attack surface. You can block internet access for Windows Explorer with a firewall rule, just as you can any other application.
    I assume these 3 rules would be like:
    Blocked TCP out
    Blocked UDP out
    Blocked TCP in
    You can easily combine rules like that. Make one blocking rule for both TCP and UDP, both in and out. Put it above the DNS rules and any other global allow rules. I've heard from various sources that Kerio has a limit as to how many rules it can work with. As far as I know, no one has specified exactly how many rules that is. I've never run into that limitation and have had rulesets with 80+ rules. Either way, combining rules like those 3 into 1 streamlines the ruleset, making it easier to understand at a glance. It also slightly reduces the work that the processor has to do.

    Another one that bears watching is Rundll32.exe. This is easily abused by malware that's built as a DLL. There should not be any unlimited permit rules for this executable.
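Added example (not code from the post or from Kerio): a small first-match evaluator that models the two points above, that the first rule matching a connection decides it, so a per-application block must sit above the global DNS/HTTP allows, and that three narrow block rules can be folded into one without changing any decision. Rule names, the probe connections and the default-deny policy are constructed for the demonstration.

```python
"""Toy first-match packet-filter evaluator (added example, not Kerio code).

Models the two points made in the post: a ruleset is walked top to bottom and
the first matching rule wins, so a per-application block rule must sit above
any global allow rules; and three narrow block rules can be folded into one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    app: Optional[str]          # executable name; None matches any application
    proto: Optional[str]        # "TCP" or "UDP"; None matches both
    direction: Optional[str]    # "in" or "out"; None matches both
    remote_port: Optional[int]  # None matches any port
    action: str                 # "permit" or "deny"

    def matches(self, app: str, proto: str, direction: str, remote_port: int) -> bool:
        return ((self.app is None or self.app.lower() == app.lower())
                and (self.proto is None or self.proto == proto)
                and (self.direction is None or self.direction == direction)
                and (self.remote_port is None or self.remote_port == remote_port))


def evaluate(rules: List[Rule], app: str, proto: str, direction: str,
             remote_port: int, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, else the default policy."""
    for rule in rules:
        if rule.matches(app, proto, direction, remote_port):
            return rule.action, rule.name
    return default, "<default policy>"


# Constructed sample rules with hypothetical names (not an export of anyone's ruleset).
BLOCK_EXPLORER = Rule("Block explorer.exe, TCP+UDP, in+out", "explorer.exe", None, None, None, "deny")
THREE_BLOCKS = [
    Rule("Block explorer.exe TCP out", "explorer.exe", "TCP", "out", None, "deny"),
    Rule("Block explorer.exe UDP out", "explorer.exe", "UDP", "out", None, "deny"),
    Rule("Block explorer.exe TCP in", "explorer.exe", "TCP", "in", None, "deny"),
]
ALLOW_DNS = Rule("Allow DNS queries, any app", None, "UDP", "out", 53, "permit")
ALLOW_HTTP = Rule("Allow HTTP, any app", None, "TCP", "out", 80, "permit")

CORRECT_ORDER = [BLOCK_EXPLORER, ALLOW_DNS, ALLOW_HTTP]   # block sits above the global allows
WRONG_ORDER = [ALLOW_DNS, ALLOW_HTTP, BLOCK_EXPLORER]     # block is shadowed by the allows

# Constructed probe connections: (app, proto, direction, remote_port)
PROBES = [
    ("explorer.exe", "UDP", "out", 53),
    ("explorer.exe", "TCP", "out", 80),
    ("explorer.exe", "TCP", "in", 135),
    ("explorer.exe", "UDP", "in", 137),
    ("firefox.exe", "TCP", "out", 80),
    ("firefox.exe", "TCP", "out", 443),
]


def decisions(rules: List[Rule]) -> dict:
    """Map each probe connection to the action the ruleset takes on it."""
    return {probe: evaluate(rules, *probe)[0] for probe in PROBES}


def same_decisions(rules_a: List[Rule], rules_b: List[Rule]) -> bool:
    """True when two rulesets decide every probe connection the same way."""
    return decisions(rules_a) == decisions(rules_b)


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label)
        for probe in PROBES:
            action, by = evaluate(rules, *probe)
            print(f"  {probe}: {action} (by {by})")
    print("3 rules == 1 combined rule:",
          same_decisions(THREE_BLOCKS + [ALLOW_DNS, ALLOW_HTTP], CORRECT_ORDER))
```

With the block rule placed below the allows, explorer.exe's DNS lookup is permitted by the global DNS rule before the block is ever consulted; with it on top, the same lookup is denied, and the combined single rule decides every probe exactly as the three separate rules do.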
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The NTFS file system is a two-edged sword. On one hand, it lets you set permissions regarding who and what can read or write to certain files, directories, etc. It can control execution permissions for different directories. It can store larger files than FAT32. The NTFS file system can repair itself in ways that weren't possible on FAT32. This is much less an issue than it used to be, thanks to improvements in hard drive design and reliability. I've used FAT32 exclusively for everything and have never lost data.
    On the other hand, it makes it possible to store data, usage tracks, and malware without the user being able to see it with Explorer. The NTFS file system is what made Windows rootkits such a threat. FAT32 has a file size limit of 4GB. Most files are well below this size. Some ISO image files, movies and videos can exceed that size. The files created by VirtualBox and VPC can contain entire operating systems and can exceed that size. No operating system files will. My XP systems are FAT32. In addition to the reasons above, I keep them FAT32 so that I can access them with a 9X system or DOS. It opens up a lot of possibilities with dual or multiboot systems.
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Yes.
    Again, the voice of reason. It's done.
    How might that get into the ruleset? I looked at all the extensions on the Applications column on my ruleset and I don't see any. Regarding WE, I have an entry for that already.
    EDIT: A better question perhaps would be, what would be a legitimate but limited use of Rundll32.exe?
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It would prompt you for access. The prompts would be no different than any other application as far as the firewall is concerned. The problem here is that Rundll32.exe literally runs DLL files as executables. An internet firewall can't determine what DLL is initiating the request. As for legitimate functions for Rundll32.exe, see http://dx21.com/coding/libraries/rundll32/default.aspx. Note the letters above the listings. They're all for separate command lines that Windows uses with Rundll32.exe. The vast majority of them aren't part of most people's "normal usage". That listing doesn't include what other applications or malware can use it for. Rundll32.exe is a difficult application to control. Classic HIPS with the ability to whitelist specific command line parameters can do it. On mine, I defined separate user and administrator modes with classic HIPS (SSM) and don't allow Rundll32.exe to execute in user mode. Dealing with Rundll32.exe would take several web pages to cover completely.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Don't laugh :)
    Pure guess: 512 rules. Reality? Who knows.
    In txt format, rule numbers go from Order = "4194304"; increasing by 4194304 throughout the set. Within 32 bits, 512 rules should fit. Whether that could be processed, no idea. Have fun!
     
  6. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    When I install things, I generally close everything I can and have no internet connection. I booted with no modem this a.m. to install SamSpade and while I was at it I wanted to go back and work from Post #88
    First, that colour scheme sure was wild. It now has something much more tame.

    Following your instructions I got up to trying to extract that 7z file to the Proxomitron folder (I just double-clicked on it); this is what I got below. What the hang IS this :( I've seen it a couple of times in the last year or so and I've just cancelled out of it saying I ain't going down this road.

    Install on demand 3.png

    I just did a StartPage search on What is install on demand component and it looks like I'm not the only one who's balking.
    http://itknowledgeexchange.techtarg...h-installations-tossing-away-your-legitimacy/

    So what do I do to get your filters into Proxomitron?
     
    Last edited: Aug 27, 2014
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My mistake. For some reason, I assumed that you had 7zip. It's similar to standard zip files but Windows doesn't understand the format. The site I used doesn't allow me to upload zip files without purchasing a premium account, but did allow a 7z archive.

    edit
    Link removed. Incomplete archive.
     
    Last edited: Aug 28, 2014
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Just a reminder. If you don't want Windows XP tracking your 'recent documents' then you also need to set that in your Limited User Account as well.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Although MRUs, recent documents, etc are separate from internet privacy/anonymity, they are very much intertwined, especially when the seizure of your equipment "as evidence" is factored in. The NT versions of Windows are designed to record and store user activity records, with each new OS storing more than the one before. These records are not needed by the user or the operating system. They serve one purpose, monitoring the user and storing the records for authorities or whoever else gets access to that system. Back when 98 was the current OS, the user could eliminate usage tracks simply by running MRUBlaster and wiping the "recent" folder. Now these records are stored in multiple ways and locations, in files, hidden folders, the registry, the event log, alternate data streams, etc. Each needs to be addressed in a different way. If you eliminate one and miss another, it only proves that you are trying to hide usage records. Windows user monitoring is designed for that exact purpose, creating multiple copies of your activity records, making it hard to find and eliminate them all. This is one of the primary reasons that I stay with 98, very few usage tracks, and the tools needed to eliminate them are already part of the OS.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I apologize for the previous Proxomitron configuration archives posted earlier. Both were badly incomplete. Missing from the previous archive:
    the 3 lists that the ProxBlox component requires
    the javascript file used by ProxBlox
    A valid certificate for Proxomitron for filtering HTTPS
    The DLLs required by Proxomitron to filter HTTPS

    This archive should be complete. The archive is 368KB. Its hashes are:
    MD5 46f584cd4228b23cc6d0e9f821770d75
    SHA-256 22a7c1dfa90570fa6f205b668bdea28d7cc634e483209576b3a8a8e73883b3bc

    This filterset is configured for Tor. It sends the same user agent as the Tor Browser. It will also work on the non-Tor instance of Proxomitron but will advertise itself as TBB until the user agent is changed. This filterset is a starting point that needs to be fine tuned.

    Installing the filterset.
    After downloading and verifying the archive against the hashes, shut Proxomitron down completely. Back up your existing configuration file. Extract the archive to the Proxomitron folder. Allow it to overwrite any existing files. Start Proxomitron. The ProxBlox component used in this filterset uses 3 additional lists. Proxomitron will automatically import the 2 .txt lists, ProxBlox.txt and ProxBlox-extjs.txt. The 3rd list has to be added manually. See screenshots below.
    Prox-config import.png
    Open the main Proxomitron interface. Click on "Config". Select the "blockfile" tab. Click "Add". On the "Choose a Blocklist file" interface, set the "Files of type" drop box to "Anything", otherwise the needed file won't be visible. Select Count.ptxt, click OK. This will return you to the interface shown below, left.
    Prox-config import2.png Prox-config import3.png
    Rename "NewItem" to "Count". Click OK. On the interface shown above, right, click on the "save last config" icon (green floppy image). To verify that the config is properly loaded, click on "Web page", then "Headers". In both lists, the top filters should refer to ProxBlox. Check the configuration, blocklist tab. Verify that these are in the list of blockfiles:
    Count
    ProxBlox
    ProxBlox-extjs
    If you want Proxomitron to filter HTTPS, go to the HTTP tab and check the "Use SSLeay/OpenSSL..." option. Click OK. Go back to the main interface, select "File" then "save default settings". The filterset should be active.
     
    Last edited: Aug 29, 2014
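Added example, not code from the post or from Proxomitron: a small script for the "verifying the archive against the hashes" step above. It streams the downloaded file through MD5 and SHA-256 and compares both against the digests posted, refusing to call the archive good unless every digest matches. The expected values are the ones quoted in the post; the script name and the archive filename in the usage line are hypothetical. Because MD5 is collision-broken, the SHA-256 match is the one that actually vouches for the file; the MD5 check is kept only because the post supplies it.

```python
"""Verify a downloaded archive against posted MD5 and SHA-256 digests (added example)."""
import hashlib
import hmac
import sys

# Expected digests copied from the post above for the 368KB filterset archive.
EXPECTED = {
    "md5": "46f584cd4228b23cc6d0e9f821770d75",
    "sha256": "22a7c1dfa90570fa6f205b668bdea28d7cc634e483209576b3a8a8e73883b3bc",
}


def digests(data: bytes) -> dict:
    """Hex MD5 and SHA-256 of an in-memory byte string."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path: str, chunk_size: int = 1 << 16) -> dict:
    """Same digests, streamed from disk so large archives are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(actual: dict, expected: dict = EXPECTED) -> dict:
    """Per-algorithm match results. All posted digests must match; MD5 is
    collision-broken, so the SHA-256 match is the one that carries weight."""
    return {algo: hmac.compare_digest(actual[algo].lower(), expected[algo].lower())
            for algo in expected}


def verify_file(path: str, expected: dict = EXPECTED) -> bool:
    """True only when every posted digest matches the file on disk."""
    return all(verify(digests_of_file(path), expected).values())


if __name__ == "__main__":
    # Hypothetical script name; pass the path of the downloaded archive as the only argument.
    if len(sys.argv) != 2:
        sys.exit("usage: verify_archive.py <downloaded-archive>")
    results = verify(digests_of_file(sys.argv[1]))
    for algo, ok in results.items():
        print(f"{algo}: {'match' if ok else 'MISMATCH'}")
    if not all(results.values()):
        sys.exit("Digest mismatch: do not extract this archive.")
    print("All digests match; safe to extract.")
```

Run it before the "shut Proxomitron down completely" step; a mismatch means a corrupt or altered download, and the right move is to re-download rather than extract.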
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Just for clarity, you might want to put Blockfile tab instead of blocklist .... and where I've put * you might add in > Open Lists folder >

    In the Lists folder, I don't have that Count.ptxt available in Proxomitron's selector box. I checked where I extracted it to, and the file is in there. Is there another way to get the file in?
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In the "Choose a Blocklist file" dialog, did you change the drop box on the bottom from Block Lists to Anything? Are the 2 ProxBlox files visible in the blocklist?
     
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    1/ Yes
    2/ No
    See what you make of these:
    Proxomitron1.png Proxomitron2.png Proxomitron 3.png Proxomitron4.png
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm assuming that you haven't downloaded the ProxBlox configuration separately from their forum. It looks like only part of the archive was extracted. In image 4, I see just one of the 3 DLLs. The 2 primarily responsible for filtering HTTPS aren't there. I can't tell from the screenshot if proxcert.pem and default.cfg came from the archive or if they're the originals. There should also be a ProxBlox.js in the HTML folder. I'd suggest unpacking the archive to a folder on your desktop and copying each file to its location manually. Make sure that Proxomitron is not running when you do.
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    What about Search Companion? It uses the Internet connection periodically.
    Microsoft Windows does not collect any query information when Classic Search is used.
    I think on DEFAULT settings (Internet search behavior) How do you want to search the Internet?
    When the 1st radio button option is checked and you click on Search the Internet you'll be connected to msn.com and microsoft.com along with Svchost.exe accessing out to UDP port 53.
    There is a list of default search engines listed in 'Search'. In this case msn.com was set as default.

    To Change to Classic Search for the Internet Through the User Interface:

    Click Start, and then select Search.
    Click Change preferences from left menu.
    Click Change Internet search behavior.
    Select With Classic Internet search in radio button.
    Choose your preferred Internet search engine from the list provided and click OK.
    On the File menu, click Close.

    Use Classic Search in Explorer:

    There is a registry tweak that allows you to disable the new Search Assistant and use the traditional search interface in Explorer.

    Windows XP offers a search feature that enables users to search all of the files on a hard drive.
    Users concerned with privacy may wish to disable this feature. There is a registry modification
    you can make to turn off all search functionality.

    CAUTION: Before making changes to the registry, you should back up any valued data
    on the computer. You can also use the Last Known Good Configuration startup option if you
    encounter problems after manual changes have been applied.


    Note: Don't know if it would be good idea to post registry tweaks on forum. What do you think?
     
  16. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I think that's a good point to bring up. I'm not sure what I've done, but it doesn't seem to try and go out online. Soon I'll go through your list and see what's what. I thought I'd set a rule in Kerio, but maybe it comes under Windows Explorer's umbrella, not sure. I DO NOT like things trying to get out on the internet. When I search the net, I use the search engine I'm using at the time, not something through M$. I like to use the Windows search feature for my computer only.

    As long as noone_particular doesn't mind, I think it's OK as long as you do what you've done, putting clear red cautions. Also I'll add a caution myself for anyone who wants to post up registry edits...check and make doubly sure what you've posted has complete instructions and correct information. I know it's easy to overlook, but don't assume people know every single movement you're supposed to do. I have no problem going in there as long as it's with baby step instructions.

    I'll come back soon on your post noone.
     
    Last edited: Aug 29, 2014
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've never used search companion. I think it does fall under Windows Explorer as far as the firewall is concerned. There's an easy way to find out. If you have a blocking rule for WE, temporarily set it to alert you, then run a search. On my OS, the windows search has nothing to do with the internet. Another undesired feature that I don't have to deal with.

    As for registry tweaks, there's all kinds of them on the forum. It would be good to include the usual warning about messing with the registry. Beyond that, this thread isn't mine. Whether I "mind" or not doesn't matter. The only thing that I really want to see is a group effort to bring the material together.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Windows Search allows you to search contents of computer, but only indexed locations whereas
    Search Companion does not rely on indexed locations.
    Testing Windows Explorer through traditional 'Search' and clicking on the Internet option results in WE
    wanting access to a windows.com site on TCP port 80 and also accessing UDP port 53.
    Testing Search Companion results in Windows Explorer AUTOMATICALLY connecting to same
    windows site using same protocol and port.

    Obviously blocking WE through a firewall outbound connection rule would work.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Correct. Was I supposed to? If it was mentioned back aways that I should have done so, I've either missed it altogether, or it's slipped by me while I was doing other things.
    Is there a way to tell where proxcert.pem and default.cfg came from? In the meantime do any of these screenshots tell you anything? File sizes? Dates?
    Image 1 is your last 7z I downloaded and extracted to the desktop into a Folder called "Unpack", with a view of all the files.
    Prox Image1 Unpack.png

    I closed (non Tor) Proxomitron and navigated to the Program Files to get this.
    Image 2 is the (non Tor) Proxomitron I initially extracted your last 7z to, and what files are in the pertinent areas you're speaking of. All those files appear to be there which I've circled in red.
    Prox Image2.png
    In light of what these screenshots show I have to ask, what would be the point of dragging them from the desktop Folder to the Proxomitron Folder if they're already there?
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This isn't making a lot of sense. 2 questions.
    1. Are you completely shutting down Proxomitron or just closing it to the tray? It has to be shut down so that it's not in the tray, not running at all.
    2. Are you sure that this is the same instance of Proxomitron that you're using?

    If yes to both, go back to the "Choose a Blocklist file" interface and type in count.ptxt. See if Proxomitron finds the file.

    Edit
    If you're launching Proxomitron with SocksCap, verify that SocksCap is pointed at the correct instance of Proxomitron.
     
    Last edited: Aug 30, 2014
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Agreed.
    Yes. When I said "I closed (non Tor) Proxomitron and navigated to the Program Files to get this." I clicked "exit program" on the tray menu, which takes the icon off the tray. If it means anything... I just checked Task Manager after I exited Proxomitron. Nothing under the Applications Tab, or the Processes Tab. When Proxomitron is in the tray only it shows as a process. When the Program is Opened, it shows as an App and a Process .....
    Yes. Obviously you can't see that from the 2nd and 3rd screenshot. It's the same instance I extracted your 7z to, as can be shown in the tray menu screenshots. Just to doubly doubly check, I put the Tor version in the Tray and those extra files (ProxBlox) are not there.
    Tried that and no that doesn't work.

    My understanding is that Proxomitron instances are "separate" from each other. After thinking about this, the only conclusion I could come to is that the two first instances of Proxomitron which I had extracted to the D drive and were still there, were somehow "getting in the way" and some pathways were leading back to them. Just an uneducated guess. I decided to just take all instances and backups off there and move them to a thumb drive. I then loaded up my C drive Non Tor Proxomitron and we now have those files. When I clicked on the add button in Proxomitron, I noticed it gave me a new file selector box, probably because it was pointing to those instances I had moved. Anyway, I followed your instructions in post #110 and so this part is now completed.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Can I assume that Proxomitron is now working properly? You can verify if ProxBlox is installed properly by visiting a site like arstechnica, or one with more scripts, objects, etc. You should see 2 small square icons in the top right corner, one green containing an "A", one red containing a "B". The "A" button gives access to the interface from which scripts, objects, etc are allowed. The "B" button bypasses ProxBlox for that page. When you hover the mouse over them, you should see script information. Clicking on the "A" button brings up the lower part of the interface shown below. Clicking on "Advanced" brings up the check boxes shown below.
    From here, external scripts (scripts to other sites) can be individually whitelisted. The checkboxes allow you to whitelist the specific items by host, subdomain or specific path. If desired, you can whitelist scripts for the entire host while whitelisting java applets only for the specific path.

    Before we go any farther, make sure that the ProxBlox menu is visible. On sites that are clean, the ProxBlox icons may not be visible.
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    It appears Proxomitron is not working properly yet. First, I've stopped NoScript so it doesn't interfere. I couldn't get Startpage to get the url for arstechnica (haven't got a link) as I couldn't get past an untrusted screen FF gave me. I had to do a bypass on Proxom. to get Startpage.. Got onto Arstechnica and there's no A and B icon top right. What about prefbar, would that be interfering?
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If Proxomitron is set to filter HTTPS, your browser will see the certificate for Proxomitron instead of the StartPage certificate. Proxomitron is now handling the certificate duties. You need to accept Proxomitron's certificate in the browser. Proxomitron doesn't filter when in bypass mode.
    Here's the link to that site.
    http://arstechnica.com/

    NoScript will interfere with Proxomitron. Disabling javascript in the browser will interfere with the ProxBlox component. There are other interactions between PrefBar and some of Proxomitron's functions. I'll cover those in a later post.
     
  25. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I've never done that before, how do I do it?

    I did get onto Arstechnica and didn't see the little A and B icons.
     