
Microsoft's Really Hidden Files

******************************************************************
Microsoft's Really Hidden Files

By The Riddler

[6/11/00]

--( Description )-------------------------------------------------------------

MSIE v5.x saves hidden cookies/cache information to your HD. These files never get erased, which means they've been building up since the day you installed the **** thing. As I went through the files on my HD, I found personal information, incriminating websites, and even full readable e-mail from my hotmail account. If you think that's sneaky, wait till you hear this part: Some of these files can only be found using Explorer (DOS won't list them). Likewise, some of them can only be found using DOS (Explorer won't list them). It took me a long time to find these files -- and an even longer time to learn how to erase them within Windows' confines.

--( Microsoft helping the FBI? )----------------------------------------------

Why did Microsoft go way out of their way to keep us from erasing these? After all, they're just cache and cookie files, right? Just all your visited sites. Just your own personal e-mail.

I went on microsoft.com to see if they documented this. They didn't. See for yourself. They only mention the "c:\windows\cookies\" directory. And to make matters worse, they give people a false sense of security with the statement:

"All cookies are deleted after you close Internet Explorer."

I couldn't believe my eyes either. This is a myth, and it looks like Microsoft is behind it. Moreover, Microsoft conveniently pretends this is their only cookies directory. The truth is that this \cookies\ folder is just a decoy. (See also; dummy, trick, dupe, deceive, or fool.)

Here's what Microsoft really meant to say:

"All cookies in the decoy directory are deleted after you close Internet Explorer. Except there is no point to this since we've made copies of them and are storing them in four other directories. These directories are hidden well so don't even bother looking for them."

(Even that statement wouldn't be true.)

So what is their motivation to do this?

--( Instructions For Removal )------------------------------------------------

You would think a simple "deltree tempor~1" command would work, but don't do it. Not only does it take a mysteriously long time to process, but afterwards you won't be able to view source on a webpage. Besides, windows reconstructs the dirs on every boot anyway. (Those bastards.)

First thing you do is drop to DOS. (Heh, "drop to DOS." I digress.) Anyway, type this line at the prompt:

c:\windows\explorer /e,c:\windows\tempor~1\content.ie5\

(in all lowercase)

You see that gibberish listed under "content.ie5"? That's Microsoft's idea of making this project as hard as possible. (Earlier versions of MSIE simply called them "cache#".) These are your default folders that MSIE has created to keep your cookies and cache. Write these down. (They should look something like this: 6YQ2GSWF, QRMTKLWF, U7YHQKI4, 7YMZ516U, WQK6Z9UV, etc.)

Now that you have the names of the default directories, drop back to DOS. Note: Leave Explorer open, otherwise this next step will not work. (It's amazing what Microsoft tries to do to keep these files secret.)

Type this at prompt:

CD\WINDOWS\TEMPOR~1\CONTENT.IE5

CD DEFAULTDIRECTORY1 (defaultdirectory1 = first name you wrote down.)

DIR/P

You see all that garbage? That's your browsing history. Pictures from all those porn sites you've visited, cookies with your information on it, and of course your e-mail from your hotmail account. Browse through them to see what kind of records are being kept about you. I suggest using a hex editor. If it won't let you view the files with your browser, then you will have to copy them to another folder. (Don't ask me why this works but it does.)

Erase it all by typing "del *.*" Hopefully you knew that already.

Now check out your other default directories. (There should be 4 total.) Repeat these steps until you have erased all of your records.

Congratulations, you're almost done.

Your browsing history is located here:

c:\windows\history\history.ie5

(the filename is index.dat)

Use the same steps mentioned above to erase this.

Note that you will not be able to access this file, even after you've closed IE, changed the attributes, and rebooted to DOS mode. (Makes you wonder.) Anyway, the way to get around this is to simply make a copy of the file. If you want to erase the file altogether, it's simple.

1) Make a file called "i.dat"

2) Copy i.dat over index.dat
The End

*****************************

Things that make you go "hmm..."

- The FOLDERS can not be seen by DOS while the FILES cannot be seen by Explorer. (eg, the "history" folder is not shown under DOS, while "index.dat" is shown under explorer.)

- This opens the door to the possibility of files that can be seen by neither DOS nor Explorer.

- Some say the registry is a nonexistent file. This is probably just another Microsoft-created myth, as user.dat and system.dat seem to have encrypted registry properties. However, one may be able to pinpoint other "nonexistent" files given the time and motivation.

*****************************

So I'll ask again: why does Microsoft go through all the trouble? I can see their excuse now: "We were only trying to protect your privacy." Yes, keeping secret records of our browsing history is a very good way to protect our privacy.

--The Riddler

--( EOF )---------------------------------------------------------------------

No need to dish out $20 to buy a program -- I've just taught you how to do it for free. Actually, I've made a program cough*cough*batchfile*cough that gets around the traps and erases the cache. I'll send you a copy if you're interested. If you have anything to add then please do. Thanks for reading, sorry for the length.

--the riddler
+++Posted Replies+++
Man, I tried that, but I kept getting errors at the part where you said:

CD\WINDOWS\TEMPOR~1\CONTENT.IE5

CD DEFAULTDIRECTORY1 (defaultdirectory1 = first name you wrote down.)

DIR/P

It kept saying too many parameters. Could I be typing it wrong? Please make it clearer

*******
Try typing the commands individually...

cd\

cd windows

cd tempor~1

cd content.ie5

cd [name of the first directory you wrote down]

make sure to leave windows explorer open while you do this.

*******
If you guys wanna see something that'll make you scratch your head, do this:

1) open up IE.

2) go to your history folder.

*now notice there are *NO* other folders there except for "TODAY" "SUNDAY" "SATURDAY" etc, etc..

3) okay now drop to dos and type this:

cd\windows

deltree history

4) now exit

5) go back to your IE, and now checkout your history folder.

you will notice a "HISTORY.IE5" folder mysteriously appears out of nowhere(!?)

(As if this wasn't strange enough, see what happens when you click on it.)

homepage: http://www.elizabethmustdie.com/h4x04txt/IE5HiddenFiles.htm

I've checked this out 05.Jul.2004 19:09

PHH

And it's true. If you have windows, I strongly suggest that you have a look.

Thanks for the post.

secure net access 05.Jul.2004 23:08

anonymous

additionally, there are files you can only see by booting from a dos disk 5.xx and earlier (using a command-line emulator from windows won't work).

Also note that deleting files using the del command won't get the information off your hard drive. All del does is tell the drive to delete the first character of the filename (by not having a first character, Windows and DOS know not to list these files). Eventually the information may get written over, but a magnetic imprint of the data is left on the drive. To securely remove this information you must use a disk wiping utility of Department of Defense standards or better.

Case in point: don't use Windows or magnetic hard drives if you are accessing secure or sensitive data.

To access information on the internet without being tracked, monitored or leaving a trail:
1. Use a used laptop bought with cash that has wireless capabilities.
2. use a public space that has free open wireless access
3. boot the laptop from cd-rom with a live OS - configure it to use only memory as ram-drive (not the Hard disk!) Make sure security on the browser is extremely tight... no history kept, no cookies etc.
4. access an https proxy with at least 128bit RSA encryption (stay connected no more than 3 minutes to any site [including proxies] at any given time).
5. through the proxy connect to at least 6 other proxy servers before going to the site you wish to contact (one of the proxies may be you or a computer near you to confuse routing. You may alternately route through one other proxy twice, but no more than twice.)
6. stay online no more than 9 minutes total at any given time. Each time a different domain is contacted the order of the last half of the proxies in the chain should change.
7. do all of this in a location well away from other people that can physically view any light being emitted from your laptop (power and hd leds included). Also beware that your monitor, hard disk, processor etc. all put out electro-magnetic radiation that can be captured and reconstructed into data rather easily. Be aware of this possibility. the possibility of capturing monitor data can be minimized by constantly changing monitor resolution and refresh rate. also change the sync polarity between + and -. other data is slightly harder to capture, and is less likely to be done at this period in time.

As you can tell by the extreme measures listed above, it is not easy to do anything on a computer (especially a network-connected one!) without the possibility of being monitored, tracked, etc.
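The original post's removal procedure (locate the randomly named folders under Content.IE5, the index.dat files, and delete the contents) and the reply above about plain `del` leaving the bytes on disk can be combined into one privacy-hygiene script. The following is an added example, not code from the original post or from Microsoft: it builds a constructed copy of the Windows 9x layout the post names (`Temporary Internet Files\Content.IE5\<8-character folder>`, `History\History.IE5\index.dat`, `Cookies\index.dat`) inside a temporary directory, inventories the artifacts, and overwrites each cache file before unlinking it. File contents and the folder names beyond those quoted in the post are made up. The "Client UrlCache MMF Ver 5.2" header string is what real index.dat files begin with, but nothing here parses that format.

```python
"""Inventory IE5 cache/history artifacts and overwrite-then-delete cache files.

Added example (not from the original post). The directory tree is constructed
in a temp dir so the script runs on any OS; on a real Windows 9x box you would
point find_ie5_artifacts() at C:\\WINDOWS instead.
"""
import os
import re
import tempfile

# Content.IE5 subfolders have random 8-character names, e.g. 6YQ2GSWF, QRMTKLWF (from the post).
CACHE_SUBDIR_RE = re.compile(r"^[A-Z0-9]{8}$")

# Constructed sample tree: paths mirror the post, file contents are made up.
SAMPLE_TREE = {
    "Temporary Internet Files/Content.IE5/index.dat": b"Client UrlCache MMF Ver 5.2" + b"\0" * 64,
    "Temporary Internet Files/Content.IE5/6YQ2GSWF/ad[1].gif": b"GIF89a" + b"\0" * 32,
    "Temporary Internet Files/Content.IE5/6YQ2GSWF/getmsg[1].htm": b"<html>hotmail inbox</html>",
    "Temporary Internet Files/Content.IE5/QRMTKLWF/login[1].htm": b"<html>...</html>",
    "History/History.IE5/index.dat": b"Client UrlCache MMF Ver 5.2" + b"\0" * 64,
    "Cookies/index.dat": b"Client UrlCache MMF Ver 5.2" + b"\0" * 64,
    "Cookies/user@example[1].txt": b"session\tabc123\n",
}


def build_constructed_tree(root: str) -> str:
    """Create the sample layout under root/WINDOWS and return that directory."""
    windows_dir = os.path.join(root, "WINDOWS")
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(windows_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return windows_dir


def find_ie5_artifacts(windows_dir: str) -> dict:
    """Return {'index_dat': [...], 'cache_files': [...]} found under windows_dir.

    index.dat files are the URL/history indexes the post describes; cache_files are
    the page bodies, images and mail pages stored in the random Content.IE5 folders.
    """
    found = {"index_dat": [], "cache_files": []}
    for dirpath, _dirnames, filenames in os.walk(windows_dir):
        parent = os.path.basename(dirpath)
        grandparent = os.path.basename(os.path.dirname(dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == "index.dat":
                found["index_dat"].append(full)
            elif grandparent.lower() == "content.ie5" and CACHE_SUBDIR_RE.match(parent):
                found["cache_files"].append(full)
    for key in found:
        found[key].sort()
    return found


def overwrite_and_unlink(path: str, passes: int = 1) -> int:
    """Overwrite the file's bytes in place, sync, then delete it; returns bytes overwritten.

    Caveat: this only addresses the plain 'del' case the reply describes. On journaling
    filesystems or SSDs (wear levelling) copies can survive elsewhere, and the URL stays
    recorded in index.dat until that index is dealt with too.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return size


def wipe_cache_files(windows_dir: str) -> dict:
    """Overwrite and delete every cache file in the Content.IE5 subfolders (index.dat untouched)."""
    arts = find_ie5_artifacts(windows_dir)
    total = sum(overwrite_and_unlink(p) for p in arts["cache_files"])
    return {"files": len(arts["cache_files"]), "bytes": total}


def run_demo() -> dict:
    """Build the constructed tree, inventory it, wipe the cache files, inventory again."""
    with tempfile.TemporaryDirectory() as tmp:
        wd = build_constructed_tree(tmp)
        before = find_ie5_artifacts(wd)
        wiped = wipe_cache_files(wd)
        after = find_ie5_artifacts(wd)
        return {
            "index_dat": [os.path.relpath(p, wd).replace(os.sep, "\\") for p in before["index_dat"]],
            "cache_files_before": len(before["cache_files"]),
            "wiped": wiped,
            "cache_files_after": len(after["cache_files"]),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Running the script lists three index.dat files (Content.IE5, History.IE5, Cookies), wipes the three cache files, and shows the cache folders empty afterwards while the index.dat entries remain, which is exactly the gap the original post runs into: the index is held open by the shell, so a copy-over or a boot outside Windows is needed to deal with it.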

You're kidding, right? 06.Jul.2004 00:04

Tech Support

Break out the tinfoil hats, the loonie brigade has discovered the IE cache!

Here's a clue: Tools Menu -> Internet Options -> Settings and turn your cache size down to 1MB, then delete the files. I know, this isn't as exciting as wacko theories about Microsoft and the FBI spying on you... The directories are recreated if you delete them because you're _not supposed_ to delete them as IE is built into Windows.

MacOS little better 06.Jul.2004 04:19

Mac User

Under MacOS 9, you'll find the desktop files using some applications (e.g., ResEdit). Try opening Desktop DB or Desktop DF with DB Diver, and "wow!" check out what you share about yourself each time you burn a CD, etc.

Tech Support should read the post 06.Jul.2004 10:53

.

Before commenting

Did he say Tech Support! 06.Jul.2004 14:57

Bird dog

Or did he say Troll Support!

If you read between the lines it's very clear!

yo try linux 07.Jul.2004 00:51

;alskdjf

do what that one poster said and run your comp off of a livecd for webbrowsing.... www.distrowatch.org

see if you have software to burn an ISO file, then download one (like knoppix or mepis) and try to use some linux :)

the linux penguin can delete your undeletable .dat files...

or if you can install tweakXP, I think it has an option to edit the registry to allow you to open un-openable files (open as... txt)

"theres two types of computer operating systems; ones designed to allow you to do what you want to do, and ones designed to allow you to do what someone else wants you to do... "

Microsoft and the NSA: NSAKEY, Privacy Groups DISMISS Microsoft NSA Denial 07.Jul.2004 18:31

fascism watch

--------------------------------------------------------------------------------

"How is an IT manager to feel when they learn that in every copy of Windows sold,
Microsoft has installed a 'back door' for the NSA -- making it orders of magnitude
easier for the U.S. government to access your computer?" -- Andrew Fernandes,
Cryptonym


[Turning red,] Microsoft added the key had not, and would not be made available to any third party. The software company said the key was labeled NSA because the NSA acted as the review body for the restricted export of encryption technology from the U.S., and that key was designed to be compliant with U.S. export laws. Microsoft said the NSA-labeled key was simply a "back-up" for the one used by Microsoft to allow it to update cryptography components (labeled "KEY").

But director of the London-based Foundation for Information Policy Research (FIPR), Caspar Bowden said: "Building in a 'back up' key makes no sense unless there is a revocation method for the primary (key). There is no revocation method."

--------------------------------------------------------------------------------


There is another story floating around that has "confirmed" that due to the scale of the Microsoft operation globally, the U.S. surveillance establishment, like the NSA, has worked with Microsoft to create just such a regular undeletable record of individual uses of particular browsers. Convenient to a criminal elite that wants to surveil every bit of loyalist opposition, convenient to the 'prison planet' motif of a gangster globalism gone haywire?

1.

See the NSA even make it easy for you to set up surveillance on yourself for them!

this link:
 http://nsa2.www.conxion.com/win2k/download.htm

reposted here:

National Security Agency
Security Recommendation Guides

Windows 2000 Guides
Download Page
Last update 16-Jan-04

Zipped Archive set of the Windows 2000 Security Recommendation Guides

Windows 2000 ".INF" Files
The following files are the Security Configuration Templates for the Security Configuration Editor and are provided in ASCII Text format. IMPORTANT: Please read our Legal Notice before using these templates.

A description of the files and how to modify the settings is available in the "Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Toolset."

Note: Follow these instructions to ensure that Microsoft Exchange will work with the Windows 2000 Security Recommendation Guides.

SCERegVl.INF (13KB)
W2kDC.INF (32KB)
W2k Domain POLICY.INF (4KB)
W2k Server.INF (32KB)
W2k Workstation.INF (31KB)
ISA.INF (1KB)


Security Recommendation Guides
The following files are provided in PDF format. IMPORTANT: Please read our Legal Notice before using these guides.

Microsoft Windows 2000 Network Architecture Guide (227KB)
Guide to Securing Microsoft Windows 2000 Group Policy (238KB)
Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set (972KB)
Group Policy Reference (769KB)
Guide to Securing Microsoft Windows 2000 Active Directory (428KB)
Guide to Securing Microsoft Windows 2000 DNS (372KB)
Guide to Securing Microsoft Windows 2000 Encrypting File System (199KB)
Guide to Securing Microsoft Windows 2000 File and Disk Resources (234KB)
Guide to Securing Microsoft Windows 2000 Schema (94KB)
Guide to Securing Windows NT/9x Clients in a Windows 2000 Network (146KB)
Guide to Secure Configuration and Administration of Microsoft ISA Server 2000 (1,469KB)
Guide to the Secure Configuration and Administration of Microsoft Windows 2000 Certificate Services (1,432KB)
Guide to the Secure Configuration and Administration of Microsoft Windows 2000 Certificate Services (Checklist Format) (1,167KB)
Updated 16-Jan-04 Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0 (2,731KB)
Guide to Using DoD PKI Certificates in Outlook 2000 (114KB)
Guide to Windows 2000 Kerberos Settings (369KB)
Microsoft Windows 2000 Router Configuration Guide (688KB)
Guide to Securing Microsoft Windows 2000 DHCP (337KB)
Guide to Securing Microsoft Windows 2000 Terminal Services (386KB)
Microsoft Windows 2000 IPsec Guide (1,330KB)
Guide to the Secure Configuration and Administration of Microsoft Exchange 2000 (7,266KB)

Windows 2000
Security Recommendation Guides
Zipped Archive
For your convenience the entire set of Windows 2000 Security Recommendation Guides in this release are also provided in a zipped archive format. A separate utility program is needed to decompress and extract the collection of files from the zipped archive. Programs designed to read ".zip" files are available from popular software download sites on the Internet.

IMPORTANT: Please read our Legal Notice before downloading this file.

Download: Zipped Archive (16,716KB)

2.


Privacy Groups Dismiss Microsoft NSA Denial
September 7, 1999 (7:41 a.m. EST)
By Guy Middleton, TechWeb News

Microsoft moved swiftly on Friday to deny allegations that it included an NSA (U.S. National Security Agency) back door into the Windows operating system.

"The report is inaccurate and unfounded. The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party," the company said in a statement.

The key, which works with the Microsoft Cryptographic API (MS-CAPI) is labelled as "NSA key".

Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, was quoted last week as saying the inclusion of the key made it easier for the NSA to compromise a Windows user's security, without their knowledge.

"Microsoft takes security very seriously. This speculation is ironic since Microsoft has consistently opposed the various key escrow proposals suggested by the government because we don't believe they are good for consumers [like they ever cared for that!], the industry or national security," said Microsoft.

Microsoft added the key had not, and would not be made available to any third party.

The software company said the key was labeled NSA because the NSA acted as the review body for the restricted export of encryption technology from the U.S., and that key was designed to be compliant with U.S. export laws. Microsoft said the NSA-labeled key was simply a "back-up" for the one used by Microsoft to allow it to update cryptography components (labeled "KEY").

But director of the London-based Foundation for Information Policy Research (FIPR), Caspar Bowden said: "Building in a 'back up' key makes no sense unless there is a revocation method for the primary (key). There is no revocation method."

Microsoft said the back-up key was there should the original ever be lost due to a natural disaster. The company also acknowledged the name of the key was "unfortunate".

"I don't believe them -- what kind of natural disaster are they talking about? A meteor destroying all the earth's structures?" said Privacy International director general, Simon Davies."Microsoft's argument is inconsistent with its operating procedure -- it could hold a single key in multiple locations, that is a standard security procedure." He added that to compromise user security, "it's not necessary to share access with the NSA -- simply complying with their requirements will do that."

"It goes right to the heart of the deal between (software companies) and global operators. Ultimately we need to be more open about how these systems are developed. Microsoft should have taken this opportunity to talk to us about the requirements of the U.S. government," said Davies.

 http://www.techweb.com/wire/story/TWB19990906S0003

3.

NSA Builds Security Access Into Windows
September 7, 1999 (7:31 a.m. EST)
By Duncan Campbell, TechWeb News

A careless mistake by Microsoft programmers has shown that special access codes for use by the U.S. National Security Agency (NSA) have been secretly built into all versions of the Windows operating system.
Computer-security specialists have been aware for two years that unusual features are contained inside a standard Windows driver used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions including the Microsoft Cryptographic API (MS-CAPI). In particular, it authenticates modules signed by Microsoft, letting them run without user intervention.

At last year's Crypto 98 conference, British cryptography specialist Nicko van Someren said he had disassembled the driver and found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with U.S. export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

Now, a North Carolina security company has come up with conclusive evidence the second key belongs to the NSA. Like van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY." The other was called "NSAKEY."

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to the "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

But according to two witnesses attending the conference, even Microsoft's top crypto programmers were stunned to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries by outsiders. This discovery, by van Someren, was based on advanced search methods which test and report on the "entropy" of programming code.

Within Microsoft, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

No researchers have yet discovered a programming module which signs itself with the NSA key. Researchers are divided about whether it might be intended to let U.S. government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by the NSA's burgeoning corps of "information warriors."


--------------------------------------------------------------------------------
"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has installed a 'back door' for the NSA -- making it orders of magnitude easier for the U.S. government to access your computer?"
-- Andrew Fernandes
Cryptonym

--------------------------------------------------------------------------------


According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onward.

"For non-American IT managers relying on WinNT to operate highly secure data centers, this find is worrying," he added. "The U.S government is currently making it as difficult as possible for 'strong' crypto to be used outside of the U.S. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers.

"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has installed a 'back door' for the NSA -- making it orders of magnitude easier for the U.S. government to access your computer?" he said.

Van Someren said he felt the primary purpose of the NSA key might be for legitimate U.S. government use. But he said there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy," he said on Friday.

Fernandes said he believed the NSA's built-in loophole could be turned round against the snoopers. The NSA key inside CAPI could be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorized third parties, unapproved by Microsoft or the NSA. This is exactly what the U.S. government has been trying to prevent.

A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

According to one leading U.S. cryptographer, the IT world should be thankful the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY," he said.

 http://www.techweb.com/wire/story/TWB19990903S0014

?? 18.Sep.2004 21:23

me

well, I tried this and none of it worked in Windows XP. the files were not found, the folders did not exist, etc. .. does anyone know how to find these files in XP? if so get back to me thanx