I've disliked IE for a number of years because of the way it tries to steer your selection of privacy options, obfuscate the real function of some of the controls, etc. I didn't trust it, but now some of my suspicions have been confirmed.

I diiscovered, as have others, that it's possible to look into Windows protected storage, and when I did that on my computer I nearly fell out of my chair. It had my full name, which it picked up from a secure online order website. It had my credit card number, my address, telephone number, and on and on went the list. Very surprising to me was the fact that it must have been holding a lot of this data for several years! It's been that long since I've even thought of some of the things I saw. Oh, and long forgotten passwords to sites were right there as well.

I should mention that I've been an internet privacy freak for a long time. I use Firefox unless I need to use a site where it won't work. I use Tor, and clear all history at the end of every session, if not before. There's no automated way to do that with IE, but I've been conscientious about deleting cookies, all offline data--everything that I can delete.

On top of that I use CCleaner about once a week, and always clean everything it finds. What I found yesterday showed me that there is a lot of data that it misses.

The ominous things about the existence of this data include the fact that MS sees fit to record it all and keep it permanently on hand, and that if there are individuals capable of gaining access to the data without authorization, you can believe Microsoft can do it, too. And if MS can do it, then <name your agency> also has the capability.

With all the information that's become freely available on the internet has also come the risk of privacy invasion on a scale unimaginable in prior years. We'd all probably have coronaries if we saw what Google knows about us!

PP

I won't use Internet Exploder unless I am searching for sites - some just don't want to open in firefox. I refuse to maintain MS ID's, they just looked like a rort from day one.

Lugh, thanks for Storage Explorer. I haven't used it yet, but it sounds like a very useful utility. I've known for years about protected storage but didn't stop to wonder what it contained, or consider that it might not be so secure. I also foolishly took Microsoft's word that "deleting all offline content" really did so. Ha! I'll never make that mistake again.

Naf1, I used Jon do/JAP for years, but it didn't stop this information from being stored on my computer. I think most of it resulted from sessions when I wasn't using JAP, but not all, I don't believe.

I don't like to use anonymity utilities when I'm conducting normal business, especially when I have to identify myself. It would be giving the bad guys a leg up if they had captured data sent via normal channels that they could compare with similar data sent through proxies, etc. Before anyone dismisses this as paranoid ravings let me say that I don't believe that anyone wants to spy on me badly enough to do that. It's just that there are automated utilities running out there with awesome capabilities. Google has a lot of them. And every little piece of data you send likely goes through several of them.

I'm with you, no1uno. I don't use IE unless there's no alternative.

PP

I found that even with the newest versions of firefox, certain exploitable vulnerabilities still exist as corroborated by scareware occasionally appearing at the same exact time as visiting questionable sites.

What I do now is run firefox through a program called Sandboxie, which sandboxes it and any child processes it spawns.  I have my ff link set up so it automatically opens through it.  So now if it wants to save files or edit registry entries outside of its typical working directories, I have to approve it first.  I assume the settings can be altered to be more or less strict, but I haven't gotten into the documentation much.  The free version starts giving a 5 sec splash screen after so long but the full version shouldn't be that difficult to come across.

far fuckin out!!!

 how can one "be sure" they are 'safe?'

Linux live disc with no hard disk access, riding through tor on a hijacked wifi connection with a forged MAC address somewhere in another state.

Even then you could have been followed with someone monitoring you (packet monitoring, TEMPEST variants, even just watching your screen with binoculars,) hardware keyloggers, etc..  If someone really wants to get to you, they can, but you can make reasonable efforts.

Quote

with a forged MAC address somewhere in another state.

how can i do this? Is it as 'easy' as you make it sound?  

I meant literally drive into the next state and forge your MAC address before connecting to the wifi so there are no possible records that could trace something back to your hardware.  

Forging your MAC address isn't the least bit difficult.

Tor has potential flaws like traffic timing but it requires being able to see the traffic at an exit node and potential entrance nodes.  I don't believe there are any major known flaws in the tor code itself, but platform specific flaws could aid in traffic flow spying (eg. if there are several nodes running on versions of Windows vulnerable to remote attacks, an attacker could get in that way and start monitoring traffic patterns on multiple nodes.)

The way onion routing works, no individual node knows who a packet originally came from or where it is ultimately going, just the previous and next node.  The exception being the endpoint who connects you to the open Internet.  Since they are sending your data in the clear they can monitor your activities (and a number of embassy email passwords were scarfed up and released this way) but have no way of knowing your identity unless you reveal it in your traffic.  In other words, don't do two things through one route that you wouldn't want linked together (eg. don't leave your mom a comment on facebook then go threaten heads of state.)

One of the most interesting features of Tor is hidden services (when the fucking dns is working correctly, at least.)  The server locations stays anonymous to all the visitors and the visitors all stay anonymous to the server.  Yes, most of them cater to underaged erotica, but a few interesting ideas have sprung up.  There are places that allow you to host any content you want, regardless of legality and copyright, anonymous discussion boards, an outlet to wikileaks, even a few attempts at an anonymous currency.  Some guy was even selling weed using it, although I don't know what sort of precautions he took to disguise the physical mail's origin.

While the tor protocol is considered relatively sound, running a hidden service that is in violation of laws in your jurisdiction is still potentially very dangerous because your http daemon or cgi programs on your site may be exploitable in a way that can reveal the real location of your server.  Even services implemented correctly can cause potential leaks, like the port command on an ftp server which can be used to send a packet to an arbitrary system, revealing your server's real IP address.