A few things that are bothering me...

Discussion in 'privacy general' started by avboy, May 27, 2018.

  1. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Hello,

    I do not know which level I am in between careful to paranoid, but a few unrelated things have been bothering me. So I have posted the same here for your expert opinions.

    1. I have seen posts in Windows privacy regarding removal of Cortana, Edge, Defender etc. However they involve using 3rd party software to "own" the components before they can be removed. Are these open source or has anyone seen the source code of them? If so which one is the safest?

    2. Is there really a way to discover a backdoor in the system?

    3. Software like Voodoo Shield says they have AI learning about machine processes. Is such a thing good or bad w.r.t. data gathering. Same goes for software like Adguard etc. I know that I have to decide which risks to take and what are important but is there any collection of *safe* software that is guaranteed to be safe. Like experts going through open source Mozilla extensions and declaring them safe?

    4. Is it better to rely on Windows built in tools like Defender, Firewall etc as MS anyway collects all data? Or is it better to install 3rd party software like Avast, ESET etc that I believe collects all user data?

    5. And finally is there really a free lunch? Why are so many security software free? How do they pay their staff? Do they collect user data and sell them? I can understand software maintained by single person/developer, but what about a full sized company?

    Sorry if my questions are long and a little vague, they are more at a "to be or not..." than specific products.

    Finally before you ask me, this is what I am comfortable with (the ones that I can think of immediately)

    1. My financial transactions should be safe
    2. No company should be able to build my detailed profile. They may know which sites I visit, but not what I click or buy.
    3. They should not be able to send targeted ads based on my emails
    4. No one should be able to put my microphone/webcam on without my knowledge
    5. My PC should connect to only those specified web sites that I prefer.
    6. My cellphone should not record my conversations or put the microphone on surreptitiously.
    7. No exe/dll files can run on my machine without my permission other than signed OS components.

    Thank you
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Some advice doesn't require 3rd party software. Just some gpedit, registry or command-line work.
     
    Last edited: May 27, 2018
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Better is to give up on Windows, in any context where privacy matters.
     
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    This & this only.

    You'd have to have nation-state resources on an ongoing basis to make believe in one's privacy on Windows.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Ummm, the Chinese and Russians have both given up on Windows ;)
     
  6. guest

    guest Guest

    As said above, those tools are just an automated GUI for known manual tweaks (which will take a long time to do).

    Windows isn't open source so you will never know. You can investigate but you can't be sure at 100%.
    No leaks = no internet connection

    Assume everything with proprietary code as unsafe. You can only "trust" what they say based on their reputation.

    All the same to me, they normally just collect hashes of file, not the file itself unless they upload it for analysis.

    1- by selling a business/corporate version or offering special services to them (certificates, etc...).
    2- by selling some of your data, customer lists are like diamonds to companies.

    1- you have control only on your machines, if the other side is compromised, you are done despite having a fortress on your side.
    2- they shouldn't but they can do. some tools allow sites to analyze your mouse movements on their pages...
    3- You go to their sites and give your email, they have full power over you unless they offer you to opt-out.
    4- if someone is determined and has resources, he will.
    5- set your router for that and you also have some tools/apps that can do that
    6- it shouldn't but it is not impossible.
    7- so use the appropriate security software
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Make believe is right. They have nation state resources devoted to a lot of make believe things.
    That reminds me, if you have two videos.
    One where the accused perpetrator of a crime claims responsibility for it, and one where he claims to be innocent.
    One has to be fake, but how would you know which one?

    If the one where he claimed responsibility was real, that would mean both the accuser and the accused agree, so neither side would have cause to make a fake one contradicting that.
    Right?
    So the obvious conclusion, the one where the accused claims responsibility HAS to be the fake one.
    Think about it....
     
    Last edited: May 27, 2018
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Unless the accused decided against taking his medicine. And denied his original confession.
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That's highly unlikely though isn't it. That would require a level of stupidity that doesn't quite fit the profile of someone capable of masterminding the complex and perfectly executed plan he was accused of.
     
  10. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    Would someone give the original poster a break?

    There is concern and there is paranoia. I’m sure there are some members of this forum that wear tin foil hats to stop the government from listening to their thoughts, so portray the world differently to what it is.

    The reality is that no one is really interested in getting to you. Yes, no one cares that much. For every horror story of someone losing money, control of their email accounts, their computer mining digital currency or just no longer working, there are 100s of millions of users that have no problems.

    2 stage verification protects your money, common sense protects your computer, and if you want to be an absolute deviant from virtue like me and do all the wrong things, a few security suites will protect you.

    There are better users here than me, and lots of posts on security programs, so look around and you can design your system to your level of concern.
     
    Last edited: May 28, 2018
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    In an attempt to give some practical advice appropriate to "normal" threats, and a realistic incremental improvement:

    0. General

    Encrypt all drives, from new if possible. Bitlocker is OK for Windows, particularly with TPM.
    Backup. Really, backup. Have a bulk disk which is not normally connected, preferably off-site and rotate.
    Consider getting Yubikeys - used for login authentication, and two-factor on decent websites (U2F or OTP/Authenticator).
    If you are not already, become more familiar with sandboxing and virtual machine technology. If your machine is reasonably powerful, then you should never be browsing from the host machine but from a virtual machine (because any malware then has direct access to your data). There is Sandboxie for Windows (not sure what it does about Edge), Firejail for Linux, and VirtualBox or VMWare for virtual machine operation.

    A/V and other add-ons all have merits and risks, particularly since they are opaque and often extremely intrusive.

    1. My financial transactions should be safe

    Cold boot your machine onto a Linux LiveCD or usb pendrive. Only use it to access your bank's website. Shutdown after access.

    2. No company should be able to build my detailed profile. They may know which sites I visit, but not what I click or buy.

    This is tricky, you will need to decide how much effort and inconvenience you are prepared to go to. Running Firefox with Multi-Account containers provides some level of site isolation, but the full suite of protection from referrers and fingerprinting is involved. You may also need to change behaviours.

    3. They should not be able to send targeted ads based on my emails

    Get an email service that respects your privacy and preferably, offers aliases. ProtonMail or Tutanota offer encrypted email. 33mail provide an alias service.

    4. No one should be able to put my microphone/webcam on without my knowledge

    Tape up the webcam. If you are operating in a virtual machine, then you have more ability to prevent access to these services.

    5. My PC should connect to only those specified web sites that I prefer.

    Not sure what you mean here, this sounds like you want to restrict outgoing in a firewall. This is quite involved, depending on what you want - are you prepared to maintain this?

    6. My cellphone should not record my conversations or put the microphone on surreptitiously.

    a) put it in a tin container, off.
    b) put it in the trash and get yourself a dumbphone where the risks are lower.

    Smartphones are likely the biggest threat of any of your technology, normally you have no realistic control of the software or what's actually running. They are a sophisticated minicomputer with huge intrusive potential.

    7. No exe/dll files can run on my machine without my permission other than signed OS components.

    AppLocker will do this for you on Pro/Enterprise. SSRP will do for the exes, Dll monitoring is a regal pain you will find.

    Sandboxie can restrict the environment your apps actually get.
     
  12. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    Wouldn’t it be easier to use a computer only once, then use a nail gun, like in the show Silicon Valley, to destroy the hard drives and RAM?
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Personally I think this step is quite challenging. For most people securing, hardening the OS and programs should be enough.
    Keep in mind this LiveCD should be up to date. Booting from a several-years-old LiveCD means that TLS libraries have a lot of known vulnerabilities such as Heartbleed.


    Multi-Account containers and Ghostery (and others) may not be enough to prevent tracking by Facebook. I know this from my experience. Some ads showed in my fake Facebook profile when I browsed something in another tab (another container). You need to at least not connect to social media and other IT tech giant accounts while browsing sites you don't want them to be aware of. Connecting from the same IP at the same time is enough for them to match a potential connection, even if they don't have that proved by cookies, fingerprints.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Regarding booting a LiveCD, I don't agree that this is hard, and in a way, it's essential to get familiarity with any of the Linux distros. The process is only a) download Fedora or Linux Mint iso. b) burn to DVD c) boot up on the DVD drive d) open firefox on the banking site. If you are not going to any other sites then it doesn't matter if your browser is slightly behind the times because you have to assume your bank is not actively hostile.

    Limiting tracking by FB and others is sadly not straightforward as hopefully we've indicated. But you have to start somewhere and work out over time.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is actually very easy in uBlock Origin (and uMatrix as well). You can also use First-Party Isolation and/or the add-on Temporary Containers in Firefox.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    It's easy, but time consuming and you need to change habits quite a bit.

    Hardened OS (be it Windows or Gnu/Linux) and programs are quite resistant to typical malware, so I assume we're talking about a quite capable adversary, not script kiddies. This capable adversary can do a MITM attack, and if somebody has a vulnerable TLS library in a web browser or other internet facing program it can be exploited.

    Aside from TLS libraries for some transactions on the most popular e-commerce site in my country I need to go to their site, then it redirects me to payment processor, then it redirects to my banking account. Not all retailers require this, but some do. I need to do this on the same browser session in the same Firefox container. So there is some likelihood other vulnerabilities (Javascript API?) in my web browser are going to be exploited.

    Ghostery didn't do the job, so I assume uBlock would not do this either. Maybe uMatrix would do the job.
    Container isn't enough from my experience.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think we're trying to improve facilities and behaviours over time, no? Checking certificates and resisting MiTM and... - and gasp - if the sites ever deigned to use U2F. It's not that hard to then move to a full updated Linux distro booting from a usb3 stick.

    Personally, I separate my banking transactions from things which use credit cards. The credit cards limit my online payment exposure, and are not linked to my bank accounts. I never pay for anything from my bank account, for online shopping.

    I agree with the use of uBO, FPI or TC. It's just that that's the next level up. Again, not necessarily that hard, but nevertheless needs some learning and getting used to. And, they still don't prevent all the other types of fingerprinting, as we know.

    I do not know the OP's level of experience and amount of effort that's acceptable.
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    It seems that you are not familiar with uBO's Dynamic Filtering (something not available in Ghostery). As clearly said on the mentioned wiki site, uBO's default settings are not sufficient. And yes, uMatrix would definitely do the job (as uBO does).
    Any examples? This wiki site shows what is separated (and what isn't) between containers. And here is what FPI does. I don't see how Facebook would be able to circumvent that. But anyways, uBO and uMatrix are sufficient.

    EDIT: I hasten to add that containers and TC do not protect against fingerprinting. That's why they should be used in combination with blockers like uBO.
     
    Last edited: May 28, 2018
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, some learning is certainly necessary but as you said: not that hard. And regarding fingerprinting: Those measures don't prevent fingerprinting per se. However, the real problem - as I see it - is not first-party but third-party fingerprinting which tracks you all over the net. If you block those third parties - and be it only via filterlists/hosts files - fingerprinting is much less of a problem than it seems to be at first glance, IMO.

    EDIT: Specific sites like Facebook have to be blocked manually - as shown earlier - as they are usually not in the filterlists like other trackers.
     
    Last edited: May 28, 2018
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    My experience.
    I used Firefox Multi-Account Containers and Facebook Container, Ghostery, CanvasBlocker. It wasn't enough. I don't know whether FB matched me by fingerprinting browser or not. I assume that IP address is enough for potential matching, which is quite not right because sometimes hundreds of people can share the same IP address.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Okay, I had added a remark to my previous post that fingerprinting is still a problem. But again, with uBO's Dynamic Filtering or uMatrix it is very easy to block any network requests to, e.g., Facebook (or any other 3rd parties for that matter) - irrespective of any filters in the available filterlists. That's the crucial point. And this means: game over for Facebook.
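
The rule-based blocking discussed in the posts above, as an added example that is not part of any post and is not uBlock Origin's code: a simplified model of `source destination type action` rules that block Facebook hosts as third parties while leaving them alone on Facebook's own pages. The rule set, the page and request hostnames, and the precedence used (narrowest destination first, then narrowest source) are assumptions made for this illustration.

```javascript
// Constructed rule set in "source destination type action" notation.
const RULES = `
* facebook.com * block
* facebook.net * block
* fbcdn.net * block
facebook.com facebook.com * noop
facebook.com facebook.net * noop
facebook.com fbcdn.net * noop
`;

// Turn the rule text into objects, skipping blank lines and comments.
function parseRules(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const [src, dst, type, action] = line.split(/\s+/);
      return { src, dst, type, action };
    });
}

// A hostname followed by its parent domains, most specific first,
// ending with the wildcard '*'. The bare TLD is never used as a key.
function ancestors(host) {
  const labels = host.toLowerCase().split('.');
  const out = [];
  const last = Math.max(1, labels.length - 1);
  for (let i = 0; i < last; i++) out.push(labels.slice(i).join('.'));
  out.push('*');
  return out;
}

// Decide what happens to a request made by a page.
// Returns 'block', 'noop' (explicitly left alone) or 'none' (no rule
// matched, so the decision falls through to the ordinary filter lists).
// Assumption of this model: the narrowest destination wins, then the
// narrowest source.
function decide(rules, pageHost, requestHost, type = '*') {
  for (const dst of ancestors(requestHost)) {
    for (const src of ancestors(pageHost)) {
      const hit = rules.find(
        (r) => r.src === src && r.dst === dst &&
               (r.type === '*' || r.type === type)
      );
      if (hit) return hit.action;
    }
  }
  return 'none';
}

// Constructed sample traffic: [page hostname, requested hostname].
const SAMPLE = [
  ['news.example', 'connect.facebook.net'],       // like-button script
  ['news.example', 'www.facebook.com'],           // embedded widget
  ['www.facebook.com', 'static.xx.fbcdn.net'],    // Facebook's own assets
  ['news.example', 'cdn.example.org'],            // unrelated third party
];

function report(rules = parseRules(RULES)) {
  return SAMPLE.map(([page, req]) => `${page} -> ${req}: ${decide(rules, page, req)}`);
}

console.log(report().join('\n'));
```

Rules of this kind act on network requests only; they do nothing about the same-IP correlation raised earlier in the thread.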
     
  22. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I think the safest way is to have no HDD/SSD installed. Boot from a Live Linux distro on a pen drive and have the pen drive on one's person or secured/hidden.

    I remember the 1st time I booted & surfed from a CD (many years ago) from my tower with no HDD. I laughed & laughed for 5 min. It blew my mind.
     
  23. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    @XenMan
    Oh yes they are interested in getting to you, me, the op and everyone else.
    They have spent two decades turning our computing devices into spying apparatus that still also functions as computing devices so we will keep using them.
    Almost every new feature has a dual purpose.
    1) Candy to bait the user into using it.
    2) Exfiltrate as much personally identifiable information about the user and his/her activities as possible.

    That is not tin foil that is fact and it is getting worse.
    What you do on your computer is not enough for them, they are now tracking your every move constantly all day long using the real time location tracking devices built into your smart phone.
    That not only means everywhere you go is logged, it also means anyone else who was also there is logged along with you. Well, assuming everyone has a phone, which nearly everyone does.

    Now if anyone does not believe a big screen map exists, with all our little location dots swarming all over it, each one identifiable, each one with the ability to turn on the camera and microphone remotely by big brother they have to be delusional because that is exactly the purpose of it all I guarantee you.

    Everyone should watch this video by Bruce Schneier where he explains what it takes to be a good security analyst.
    https://www.youtube.com/watch?v=eZNzMKS7zjo

    You have to think like they do.
    That is exactly what I do. I think like they do which is why I am usually right.
     
  24. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    I used to work in law enforcement and read, and heard, this sort of stuff regularly.

    At my fingertips I had access to financial records, housing and communications.

    Even heard concerns about video security infringing on civil rights.

    What are the facts? No one has the time to look at everybody. There is so much data and so few people to access it that there is not the man power to even look at the referred jobs, let alone bother with the data from the millions of people of no interest.

    As for video, one place I worked created 600 hrs/hour of video. No one is going to sit down and work out who is going where and when, let alone source at least 2000 staff to monitor all the cameras.

    Law enforcement can’t even access a locked phone, such as the case with Apple a few years back, so if your phone is locked in your pocket you are safe. There are a lot of phones so it must be a big board; more likely a computer screen you can zoom in on. Pinging phones is easy and common, but these still need warrants for the telcos. Trust me, they are difficult to deal with.

    From a law enforcement and common sense perspective; if you aren’t doing anything wrong, why would you care if you are being monitored?
     
  25. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That is why they are implementing AI. AI can scan through millions of data in a blink of an eye, correlate, compile, create cross references and build a dossier of each and every one of us.

    Computers do it. They have facial recognition technology, it can listen for spoken key words etc.
    That was a few years ago, a lot has changed since then. Now they can bypass the phone lock and download from phones remotely. There is a big kickup right now about the extent to which British police are doing that.
    https://www.privacyinternational.or...-secretly-downloading-content-suspects-mobile
    Because the profiles created on everyone are not going to be used exclusively by law enforcement in pursuit of a criminal. If they were, Google and all the other big tech wouldn't be up to their neck in it.
    These profiles will affect every aspect of people's lives not least in their eligibility for jobs.
    Have you got kids or Grandkids?
    Do you want a profile to be created on them, everywhere they went, whose house they visit, who else was there? Your kids could be linked to known drug dealers or other criminals without them even knowing they were associating with one, just because AI computers detect they were in the same location, same house, whatever.
    The intrusive surveillance capabilities don't stop there, it will be correlated with online activity, Facebook, web browsing history.
    That means all kinds of things, political persuasion, religious beliefs, sexual orientation, who they spent the night with, which civil rights groups they support, which anti government demonstrations they attended, what kind of medication they take, the possibilities are endless and no mistake they make will ever be forgotten by AI.
     
    Last edited: May 28, 2018