Just wondering why do you have IE7 open? You can access settings via Internet Options in Control Panel. I know with IE8 you can access and manage Add-ons through Programs tab in Internet Properties even after changing Set Program Access and Defaults. I'm assuming it should be the same for IE7, but not completely sure. Internet Explorer also gets removed from your Start Menu. Are you sure you didn't see any changes in the Internet Properties box when you unchecked the IE box? [Enable access to this program] As far as Windows XP updates that continue. Malicious Software Removal Tool (MRT.exe) will update until 7/1/2015 and Microsoft Security Essentials (MSE-prior install) updates until 7/14/2015 from what I've read. Any newer versions of MS Office should continue to receive updates to. NOTE: Would not recommend to open and use Internet Explorer on XP.
KeyPer, yes you're right, I guess I've just likened tools>options (FF) which I access all the time, with Internet Options from the IE browser. (hope that makes sense) Since I've always done it a lot in FF I don't give it a second thought, but I will now. Thanks for yet another little tip. I still think it can't call out because I have it blocked in Kerio and I still think it's pretty much strangled but you can't be too sure with Billyware and broadly speaking that's what this thread is all about, strangling "legitimate" spyware and finding the best tools to that end. Yes you assume correctly. Clarifying...When I click "Enable access to this program" in the Add and remove Programmes... > Set Program and Access defaults > Custom> Choose a default web browser > IE > enable access to this program ( unchecked ) I don't see anything that's changed (generally) in Internet Properties unless it's deeper in with the many radio buttons you can opt for or not. All the "broad" settings look the same. The addons look the same, pretty much all enabled except the dreaded Messenger.. What was I supposed to see? I haven't done ANY updates whatsoever for years. Since that (dis)Advantage tool idiocy I passed on M$ because it was trying to install it every time I went to M$'s website to update. Not only that, I was on dial-up and it was a royal pain up the butt to get anywhere as it was soooooo slow. When I opened it yesterday I had Kerio disable all traffic, plus it's blocked in the ruleset.
@Reality An example of a change when Enable access to this program box is checked and unchecked in Set Program Access and Defaults. NOTE: Screenshots of IE8
OK. I don't have the "delete browsing history on exit" with the checkbox. Perhaps it only appears when other settings are enabled, or files are present. ... for example under the accompanying " settings " I have "never" for temp internet files though it requires me to have at least 8 MBs for disk space . I have 0 days to keep history, and theres no files to view or objects to view.
I agree that additional defense, external to the browser, is advisable. I should have written "IMO, nowadays the MITM proxying really needs to also occur with the browser" https://support.mozilla.org/en-US/k...give-ability-store-passwords-set-cookies-more "When working with a single site you can also click the Forget About This Site button to delete everything Firefox has stored for that site. Warning: All history items (browsing and download history, cookies, cache, active logins, passwords, saved form data, exceptions for cookies, images, pop-ups) for that site will be removed."
@ Noone_Particular. You said back a bit, don't be in too much hurry to get a whitelist going in Proxomitron. Unless there's another step in this chain that should precede this, I can't go any further with Proxo until I do as browsing (still using FF) to a some of my regular sites are either half unusable or impossible altogether. The only way I can get things to work is to bypass. Obviously that's not what I want. After trying all sorts of the usual things like disabling plugins and restarting the browser the results were inconsistent. The issues are https (Hushmail) and unable to get videos to play on a news site I go to. I can't get Hushmail account to work consistently. After going through the procedure with certificates discussed earlier on in the thread, when I finally did get in, I could only get to the login page, and nothing else. Then after messing around some more I got to the inbox, but no links would work. In the end I tried so many things I gave up in frustration and disgust....but that was yesterday and this is today. I'm kind of thinking, bypassing in Proxomitron is a big deal and makes me feel very open and vulnerable since the intention is that it is to cover many bases. That is, plugins or extensions that will be discarded because they either leak or are no longer needed or both, but as you've intimated earlier, it has a learning curve. In the light of your feelings that HTTPS is broken how do you have Proxomitron set to deal with it or what are your recommendations about it in general, about when we go to HTTPS sites? Questions I'm asking are ones like, whats the point of HTTPS Everywhere, if HTTPS is broken or am I missing something? In light of this, I haven't installed the ProxHTTPSProxyMII plus I found the instructions a bit unclear, so Ive left it for now or at least until I get a better understanding about how we should deal with it in general. I haven't even tried youtube yet. As far as FF goes and aside from the extensions discussed that should be kept, like Request Policy, Prefbar and Better Privacy there's some add-ons I don't mind losing but there's a couple I really hope to keep. They're Ghostery and Self Destructing Cookies. ( I just love to see those little suckers disappear) . Ghostery seems to be "fighting" with Proxomitron though and I really hope I can get them to play nice together and that I just need some enlightening on it from someone. The reason I love Ghostery is it actually shows me who the trackers are and what they do or what widget is used behind a particular feature. For me, I've found its a great tool to learn whats going on. I'ts also easy to block/unblock something if you don't get it right. Because of Ghostery, I know what Player is playing a particular video because it made it easy to see what I needed to enable to get the video to play in it's list that you can see at the click of a button. As I'm using Proxomitron, I find the proxblox list could do with further explanation. I'm not sure where to start in that list and what the implications are as I try things. I don't really know what to block and what not to. My intention is not to allow ANY content that's not needed for a website to present it's page for what I want to see. Is there an easy way to undo something in the proxblox list or do you have to go through the Proxomitron interface and delete it from the notepad file?
FWIW, I found that Ghostery will "claim credit for" blocking stuff which is already being blocked by RequestPolicy and/or AdblockEdge. No harm, no noticeable slowdown for me while the redundant extensions are enabled, and... as you pointed out, Ghostery brings to the table a "lookup", a refcard of Who's Who among trackers.
Thanks for your input. Just wondering how would I be able to tell which extension blocked something before another?
I haven't looked at Ghostery in quite a while. I don't think Proxomitron will directly interfere with it. It might remove some connections before the traffic ever reaches the browser but that would be all. I'd suspect that Request Policy is competing more with Ghostery than anything else. I don't see the Self Destructing Cookies add-on being a problem with Proxomitron either. It might clash with PrefBar if you use the "clear all" function to clear sessions. That could be clearing the settings it stores. Regarding ProxHTTPSProxyMII, the only place that I can test it is on a virtual XP install. Won't run on my primary system, even with KernelEx. On XP, the Visual C++ 2008 Redistributables need to be installed first, then Open SSL, then ProxHTTPSProxyMII. The entries for OpenSSL in the ProxHTTPSProxyMII config.ini needs to be edited to point to the OpenSSL executable. The real complication will be firewall loopback rules. I haven't been able to get to those. I've run into some unexpected complications on the virtual system as well, not with ProxHTTPSProxyMII itself but with what it requires. It requires Open SSL, which requires Visual C++ 2008 Redistributables. The virtual system I've been using is a dual boot, modified 98SE and XP-Pro with 98 on "C" and XP on "E". I installed the Visual C++ 2008 Redistributables on XP from the desktop only to find that the installer put half of the files on the 98 drive along with half of the registry entries it created pointing there. Needless to say, it doesn't work. I've tried it several times with the same results. For some reason, this installer seems partially hard coded to the "C" drive, even though the 2 virtual drives use different file systems. I'm going to have to rebuild the virtual system so that XP believes it's on the "C" drive, which 98 also requires. Bootloader games. Fortunately, linux utilities like a GParted CD run just fine on pre-MS versions of VPC. Regarding HTTPS, without ProxHTTPSProxyMII it's a choice between not filtering HTTPS or fighting with certificate errors in the permissions manager. Blocking STS which Proxomitron doesn't understand will let more sites work but it's a work-around, not a solution. As far as HTTPS Everywhere is concerned, I've disabled it. Even with STS, I find it very hard to believe that certificate authorities can't bypass or defeat certificates that they issue. HTTPS is "supposed to be" encryption that makes the content unreadable to everyone except the parties involved. Then look at the noise that law enforcement and 3-letter agencies are making about products that don't have backdoors or master keys made for them. You don't see them making this noise for HTTPS or STS. If it truly prevented them from seeing the content, they'd be screaming about going dark, CP, terrorists, and the rest of the usual rhetoric. The fact that they're not complaining tells me that HTTPS is not an obstacle to them. It would also explain the computing power they're putting in NSA data centers, enough to utilize a backdoor/bypass to read HTTPS in near real time. I have no direct proof of this, but their lack of a reaction to HTTPS in general and STS in particular makes me believe that it was defeated even before it gets implemented on any scale. IMO, the push to HTTPS is little more than a "feel good" response that's good for publicity but does little else. From a privacy perspective, HTTPS stops the little guys but that's about all. Against any adversary that matters, I consider it no better than straight HTTP. Regarding ProxBlox, I'll try to get a little guide made as soon as I can. Hopefully I'll have time to get the virtual system rebuilt so I can do it there and get ProxHTTPSProxyMII included in the picture. I can't get it to run on my physical box, OS limitations. On my primary system, I'm using a much heavier filterset as a core that's completely inappropriate for a new Proxomitron user. Most of the ProxBlox allowances that I need are already made. Between that and the browser version I'm using, what I see will be different than what you'll see. I might be able to set up another instance of Proxomitron, a clean install and use that for material for a guide. It won't be exactly the same but should be close.
Thanks for the link. It's a little dated though so if anyone knows anything more recent that's of interest I'd like to know, but I still say this tool is very intuitive for those trying to get a handle on whats going on and thus makes the choice to deal with the content much easier. On the one hand we want to cover as many vulnerable areas as possible but on the other less is more, and the less add-ons we have the better. There's always going to be some overlap, but as long as they "share" the overlap nicely, and get the job done it's ultimately another nail in the coffin of the spy machine.
There was controversy over 'Ghostery' when the original developer sold it. (Note:This is old news) I would suggest not using extensions that perform similar tasks in their main function. (redundancy) You could also use DNS servers to block certain content. Keep your browser as private/secure as possible and reduce entropy for better control over " fingerprinting". This can be debatable, but there are users who prefer using a browser just because of it's faster speed over the competition and yet they may be sacrificing privacy in the process. (note: default settings) NoScript extension in TBB (haven't checked latest version) had noscript.STS.enabled set to false. If Proxomitron and Request Policy work well together, then that may be all you need in the area of filtering. (I would ask noone on this)
Thanks noone, for all your time spent on this. I was going to respond to your post late last night, but my eyes wouldn't stay open so that was that. ProxHTTPSProxyMII is too far above me at this stage, and in light of your thoughts on HTTPS in general I'm wondering whether it's worth mucking around with it at all. For now I'm going to spend time where it's likely to give me better results. Ive also disabled HTTPS Everywhere. In Proxomitron under the HTTP tab should I just uncheck the "UseSSLeay/OpenSSL to filter securePages" option? While one person looks at something and see's irrefutable proof another person will look at the same thing and flatly disbelieve it and still others will lay somewhere in between. That's humans for you. Very often it's not a case of just one thing that constitutes undeniable proof but joining up the dots that matter, and seeing the broader picture. The whole surveillance idiocy is so full of smoke and mirrors that that in itself is a huge red flag for ALL to see, and that's only the start. Yet people sail along willfully ignorant that one day they'll pay a horrible price for trading good old privacy and security for the latest fancy gadgetry or flaunting all on silly Facebook. I strongly believe this grand scale theft of our privacy is NOT by accident but by design. Well thats really the crux of the matter isn't it. When you don't control ALL parts that are integral to keeping the encryption secure, then you have a potential gaping hole. In other words its back to the "trusting the 3rd party " issue again. If I ever had even a little trust that there was any integrity in govts and their associated TLAs it has long since departed never to return. Absolutely NOTHING would surprise me about their antics and control mechanisms. Well just as time allows, but that would be really appreciated thanks!
DNS servers have been a known security risk. I think they are supposed to be being hardened with a new DNSSEC protocol. I would guess that means some kind of authentication takes place. I have often thought when websites are registered with the DNS authority, they should be required to provide their certificate so when the client requests a site address be resolved, the DNS server also returns that certificate data along with the website's ip address so then the client application can compare it to the one on the website it connects to. That would provide an added layer of website authentication.
Thanks again for your input. Would you have a link for that? I only heard about Ghostery in the last couple of years but just fairly recently decided to give it a try. I wouldn't like to think I'm using something that had or has something not right about it. Also you say "sold".... my understanding is that means it's closed source or proprietary or more likely to be. Is that right? IF so, then I'm much more likely to distrust it. Anything that can't be audited by "whosoever will or can", IMO has to be questioned, especially if it has anything to do with your browser. How much Ghostery actually does overlap I don't know, but none of the others actually tell me what the thing is I'm allowing or not allowing, for example, Ghostery tells me Brightcove is needed to play certain videos. With Noscript I'd be guessing and have to go through sometimes many ever populating menus until something finally works. I find there's a limit to my patience. That's where Ghostery helps and saves time as well as teaches the user who's doing what. I fully realize you can't have it both ways. If you want tighter control then you have to be prepared to do some work. I hate the sneaky creepy way sites track you and profile you, enough to give this a fair shot at getting things to work. Absolutely. As long as it's not ridiculous Im willing to have a little less speed if it means I'll gain privacy. Unfortunately FF is becoming more and more unwieldy. Certainly some of it would be extensions but I suspect there's more to it than that, like plain out bloatware? Anyway I'm keen to leave it altogether and use just SeaMonkey when I get more fluent with things. This is a transitional period for me. Noone also has Prefbar, Flashblock and Better Privacy which were discussed back in Page1 see Post #6 and Post #12.
Don't necessarily base your setup on what I choose. The first rule for making your own security (and privacy) policy is choosing what fits your needs. Ghostery and Request Policy both perform the same basic task but each is based on a different security policy. IMO, Ghostery can be compared to an AV based security package (default-permit) while Request Policy, when used with all the lists deselected is default-deny. Ghostery basically compares all of the 3rd party connections to a blocklist and blocks what it considers undesirable. Request Policy as I run it blocks them all except ones I choose to whitelist. To continue the comparison, RP is more like a classic HIPS for connections. You have to decide what you need/trust and allow it. Ghostery attempts to identify trackers but tells you what it blocked and why. Both have good and bad points. LIke AVs, Ghostery needs constant updating and is reliant on the vendors servers. Like AVs, it will never catch them all. Request Policy doesn't differentiate between trackers, adservers, and content stored on other servers. You have to make that determination and decide what to allow. On some pages, that can be dozens of connections. Some are obvious. Some aren't and require trial and error. Request Policy is definitely more inconvenient, especially if you're building your own whitelist. RP has the ability to eliminate all 3rd party trackers, ads, etc, but will require a lot more input from you to do it. It's also easy to allow more than you need. Choose what fits your needs. Regarding the other extensions, I keep FlashBlock to make flash content individually "click to play". There is an overlap with Prefbar in function. Among other things, PrefBar can globally enable and disable flash with a single click. For me, Better Privacy has become unnecessary. I've applied the tweak from the Unofficial Proxomitron Forum mentioned in post 92 to permanently eliminate stored flash content. This change works for me because I seldom use flash and none of the content that I do watch requires anything to be stored. This tweak breaks all flash content storage, including settings. If you regularly use flash player or use any flash games, this tweak is not for you. I keep PrefBar because it gives me quick, easy access to options I use and adds others that I like. It's as much for convenience and usability as it is for anything else. The options to enable/disable flash, plugins, java, javascript, etc are largely duplicated by ProxBlox. On PrefBar, the options are global while ProxBlox is site specific. The main thing that you need to focus on is making the package fit you and your needs. Some people like fine grained control over everything. Others find it unusable. The Request Policy vs Ghostery decision is just one example. Are you comfortable with determining what should and shouldn't be allowed or would you rather a vendor make that decision? It's the same with deciding whether to make a classic HIPS or an AV the core of your security package. Are you comfortable with deciding what can and can't run? With Proxomitron, specifically ProxBlox, you'll be deciding what content will be allowed on a per site basis. If you're not comfortable with it or find it's more hassle than you want, it's the wrong choice for you. Don't try to fit yourself to a policy or package. Make it fit you. Using a package that doesn't fit you is like making promises that you can't keep. It's nothing but problems in the long run.
Flashblock does not work with JavaScript disabled or with NoScript installed. (source:addons.mozilla.org) I myself don't use it, but many do. Better Privacy I don't use, but many do. There are no (settings.sol) files that I'm aware of on my system even though I use flash occasionally. When I do click on Flash Manager settings the .sol file is created in AppData. On Ghostery > More info here: https://en.wikipedia.org/wiki/Ghostery
@ Rocklobster, thanks for your thoughts on DNS servers. @ KeyPer, thanks for the link. Well, that IS getting a little too close for comfort. In Ghosteries favour, they do have the opt in, something I am much in favour of as opposed to opting out, which I totally despise as obnoxiously taking possible liberties. Like in the hopes people either a/ can't be bothered with the rigmarole of opting out, or b/ and worse, don't see the the option at all because it's buried somewhere. Reading the article there does seem to be a definite dual purpose going on and for that reason, it will eventually go. @NoOne, where I'm concerned, I'm not. What I am doing though, is seeing many similarities such as, you use Kerio, you give sensible reasons why FF is becoming a dubious prospect and brought to notice good solid reasons why proxomitron is worthwhile exploring as an option. These are big players, and that is why I'm drawing much from your advice. Some things are above me though, and so those will either get left or wait until I get more knowledge. Default deny is what suits me and it's what I'm working towards as is site specific settings. Whether I understand how to achieve that or not doesn't alter the fact that working to that end makes the most sense and much more so because I'm a strong advocate of privacy. How can I tell if the content requires storage? As always, thanks guys for your comments and advice.
DNS Nameserver Spoofability Test : https://www.grc.com/dns/dns.html (should you trust the domain servers you are using?) Please read and consider the following points before proceeding to bottom of page and clicking on Initiate Standard Spoofability Test button. If you decide to take the test check results including DNSSEC Security to see if your server is supported.
I believe you've chosen wisely. Though I would go with Comodo FW/D+ v 5.10.31649.2253 (just the FW, not full CIS suite w/ the AV version), not Kerio 2.1.5... which is a good little FW I used to use back when I had 512 MB of RAM and a single core Celeron CPU on my Dimension 3000, but Comodo can do so much more to keep your XP setup not only relevant but thriving past it's EOL. It'd learn to utilize a default deny HIPS regimen, as well as an SRP one. Also I'd use Firefox 27.0.1 instead of 28... before the fingerprints that culminated in the nightmare that was 29 began infiltrating into it. 28 may look like the good ol' Firefox we all knew and loved on the surface, but under the hood some of the changes had begun. 27.0.1 was the last version I trust. If you can't find it I'll get it to you. Same with Comodo. Learn how to harden the LP & GP, and disable any services not absolutely needed. Along with a few registry tweaks as well you can completely close all ports without even a router or firewall. I'd also purchase the paid version of Sandboxie and set up very tight/restricted sandboxes for all internet facing apps, an isolated sandbox for any new files introduced/downloaded to your box, and a realtime sandbox for new files introduced via external means (USB/disks/etc...). Shadow Defender too. Imaging (I prefer Macrium Reflect). And Malwarebytes Anti-Executable which seems about ready to go instead of EMET and taking on the attack surface of .NET Framework in the process. Also keep an eye out for something called OpenEMET that a buddy is working on, that can take advantage of the app-specific mitigations EMET can without needing .NET FW. Here's the site: http://voidmain.realplain.com/ Comodo D+ also has buffer overflow protection (shellcode injection protection) similar to what ASLR does.
Pretty much agree with most points you make, although not so much on having to use HIPS/firewall such as Comodo. A good hardware firewall and tighten up Kerio rules would probably suffice. If one wants to use HIPS/firewall be knowledgeable in how to answer pop-ups correctly. Control/limit JavaScript use in the browser. Keep browser(s) updated with latest security fixes but be aware of changes that may alter privacy. Could add but would limit number of browser extensions. Avoid using plugins that have a history of being exploited. Recommend running in LUA on daily basis, admin account when needed.
Luciddream and Keyper, thanks for your responses. This thread has never been far from my mind but I've been taking pause partly because of offline commitments and seeing this whole security/privacy/anonymity issue as a FAST moving target. It's been hard to keep up, or decide what to do in light of the next raft of vulnerabilities which Ive been reading about in these forums. In particular there's been much going on with TOR that is making me wonder. Recently just read somewhere about Comodo and questionable goings on there. I've also considered the general concept of what mirimir keeps saying, compartmentalization. I can really see a lot of sense in this, but with the effort involved to be up and running and then tally that with your needs or threat model, I'm probably better to keep on the path I'm on at this stage. The question of a complete hardware upgrade is ever present as well. The OS possibilities are a worry. For windows you're forced into what you can't lock down. I wouldn't want to put a MAC near the internet. There's Linux but there's more coming out about that being vulnerable. Ironic, isn't it ...when $'s aren't an issue you're stalling because you're wondering what built in backdoors there are, and you're hearing of more horror stories with that . When I 1st came to wilders, that type of thinking was definitely considered out on a limb....but not anymore. KeyPer, if there's a concise list somewhere of plugins with a history of exploitation, I'd like to see it...also what is LUA... sorry if it's been mentioned earlier and I've forgotten... Lucid, I remember that discussion on going back to 27. I'll see what I come up with on finding that. I really love Sandboxie. I've somewhat dug into it, but need to spend much more time. If there was a bricks and mortar near me, I would not hesitate for one moment to purchase this program. I can't think of ANY program at all that gives you much more for the amount of effort you need to put in.
MrBrian is right and if I may expand on it. A standard user account, previously called a limited user account in Windows XP, restricts what you can access on your computer. This does not mean that if you operate from a standard user or limited user account, you will be immune from harmful exploits, but general thinking is it reduces number of possible ways malware can infect your system. If malware does manage to infect a "restricted" account then hopefully the damage will be less severe than if one was operating from an admin account. Hopefully one has setup other security measures so you have layered preventive protection. Image backups in case a restore is ever needed. Note: Some programs that you install may not run properly in a "restricted" account. The program may need admin rights to work. With any OS your looking at vulnerabilities/exploits. Maybe try a Linux live CD or some run Windows in Virtual Machine. I've given up on Firefox. (actually sometime ago) Maybe v24ESR was my last installed version. Now Mozilla is working on a sandbox. I'll stick with Sandboxie for that. I would recommend changing the default settings in Sandboxie though. Don't have a list of plugin exploits, but recall Java and Flash as having history of exploits.
