Microsoft Edge's Private Browsing Mode Isn't Actually Private

JustAnotherOldGuy writes: The forensic examination of most web browsers has proven that they don't have a provision for storing the details of privately browsed web sessions. However, in the case of Microsoft Edge, the private browsing isn't as private as it seems. Previous investigations of the browser have resulted in revealing that websites visited in private mode are also stored in the browser's WebCache file. The Container_n table stores web history, and a field named 'Flag' with a value of '8' shows that website was visited in private mode. An investigator can easily spot the difference and use this evidence against a person. The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief.

Re:First Post?

[blavallee]

I would say, it's just not a surprise anyone here. An antonym of privacy or security is Microsoft.

Well, they didn't lie...

[The+Atog+Lord]

So, InPrivate is to Private as InVisible is to Visible.

Re:Well, they didn't lie...

[sd4f]

Well, after all, flammable and inflammable mean the same thing so...

Re:Well, they didn't lie...

People don't know "inflammare" or "flamma", but they do know "flame" which means "fire".

Re:Well, they didn't lie...

[thunderclap]

So grammar nazi, you think you know ?. Well, you have no idea.

http://www.merriam-webster.com...

flammable

flamb()l/

adjective: flammable

        easily set on fire.

        "the use of highly flammable materials"

As for Flamma, its latin and is a verb there. Go ask them.

Why Do Flammable and Inflammable Mean the Same Thing?

There is a fairly clear reason for why both these words carry the same meaning: the prefix in- does not always function as a negative prefix.
Sometimes (and this is one of those times) it serves as an intensifier. It’s fairly obvious how this could lead to problems.

Surprisingly, both flammable and inflammable coexisted peacefully in English for hundreds of years before anyone decided to do something about it. Inflammable is the older of the two, with recorded use as far back as 1574. Flammable begins to appear in 1655, when Margaret Cavendish described oil as being “hot burning and flammable” in her Philosophical and Physical Opinions. One of the reasons there was little confusion about these words is that flammable was used much less often than inflammable.

But in the 1920s the self appointed, eagle-eyed language nazis of the National Fire Protection Association (NFPA) realized that many people were viewing the in- in inflammable as a negative prefix, and were at risk of consequently incinerating themselves at a much higher rate than was desirable. The NFPA advocated to have flammable used exclusively for warning labels (such as are found on mattresses, oil cans, and other things that will catch on fire if you put a match to them), and managed to slightly nudge our language toward a more sensible path. Though in the recent past flammable is used more often than inflammable, this pair still incites controversy—and clueless fools would want to look ignorant.

Re:Well, they didn't lie...

[jason777]

‘Inflammable’ means flammable? What a country!
-dr. nick

Re:Well, they didn't lie...

[Z00L00K]

And the prefix "In" to me feels more like it's a negation of "Flammable".

Re:Well, they didn't lie...

[piojo]

Are you using a different definition of "word" than I am? Because I've encountered "flammable" hundreds of times in technical documents and thousands of times in speech. Burden of proof is on you, and you're gonna need some strong proof.

And neither etymology nor Latin grammar has any bearing on whether a given word exists. (For example, I could look up "obtuse" and "argument" in Latin, but that doesn't mean your post would correctly be called an "argumentusus".)

Re:Well, they didn't lie...

[Livius]

Something is flammable if it can burn easily.

Something is inflammable if it can ignite easily.

Obviously lots of materials are both but they are different meanings.

Re:Well, they didn't lie...

[Zontar+The+Mindless]

Like "income" is a negation of "come", right.

I get it now. Thanks!

Re:Well, they didn't lie...

[AthanasiusKircher]

This is on the right track, but a few clarifications:

As for Flamma, its latin and is a verb there. Go ask them.

No, "flamma" is not a verb. Flamma is a noun, meaning a "blazing fire." Flammo/flammare is a verb. (Well, technically I suppose "flamma" could be an imperative of the verb flammo -- "Be on fire, you heathen!" -- but the normal dictionary entry for the verb is under flammo or flammare.)

There is a fairly clear reason for why both these words carry the same meaning: the prefix in- does not always function as a negative prefix.

Sometimes (and this is one of those times) it serves as an intensifier. Itâ(TM)s fairly obvious how this could lead to problems.

That's not quite right. "In-" is NOT an intensifer. It's derived from the Latin prefix "in" which means "into" or sometimes "on/upon." Hence, in Latin "inflammare" means "to set INTO flames" or "to light on fire," whereas "flammare" simply means "to burn."

(For comparison, think of a word like "intimidate" -- it doesn't mean "more timid." It means to MAKE fearful, to force someone INTO timidity.)

This distinction hasn't really carried over into English in the case of flammable/inflammable, especially since the fire prevention folks started using "flammable" to mean "easily set on fire," which would be a better fit to "inflammable." (If we follow the Latin origin, "flammable" would be better suited to mean, "capable of being burned" (at all).)

Surprisingly, both flammable and inflammable coexisted peacefully in English for hundreds of years before anyone decided to do something about it.

It's not exactly surprising if you know anything about Latin or the history of English. As I just noted, most such pairs actually meant different things. And if you want to see real confusion, read the etymology page for "in-" at the link above. Centuries ago, you had examples like "implume" which mean "to put feathers on" (as in "tar and feathering" or something) from the "in-" = "into" meaning. But "implumed" generally meant "unfeathered," from the "in-" = "not" meaning. THAT was confusing since the same word meant two different things.

But in most cases "in-" was either used in one sense or the other, and when it was used to mean "into," it was generally clearly distinct in meaning from the form without the prefix. (E.g., note that "implume" didn't simply mean "feathered" -- it meant to ADD or put INTO feathers.) I think it's really the fire prevention folks who should be blamed on the confusion, since they took the word "flammable" (which was never popular, never had a clear meaning, and was basically obsolete in the early 1900s) and started using it commonly to mean something that "inflammable" properly should mean.

Re:Well, they didn't lie...

[AmiMoJo]

I prefer enflamable to avoid confusion.

Re: Well, they didn't lie...

[bill_mcgonigle]

This is an intense debate. No need to flame the situation.

Re:Well, they didn't lie...

[jittles]

No they don't. "Inflammable" is a word. "Flammable" is not. "Non-inflammable" is a word. "Non-flammable" is not.

Inflammable comes from inflammare. Flammable is a fucked up piece of shit that some retard tried to shoe horn in. It comes from flamma.

Inflammare is the root word, and "inflammable" and "non-inflammable" are the words. Flamma isn't a fucking verb and should not be used as a root to create a word with the same meaning as "inflammable". Further, adding "flammable" only increases confusion (of which there was none among non-retards) because the already valid and correct "inflammable" exists, as well as the valid and correct non-inflammable.

Hmmm my dictionary seems to disagree with you. It lists flammable as an adjective, and not a verb.

Re:Well, they didn't lie...

[jbengt]

In fewer words:
Combustible: will burn. EG paper, wood shavings, coal ...
Flammable: easily ignited. EG gasoline vapor, ether, ...
In the presence of sufficient oxygen and at normal temperatures.

FTFY

For liquids, in more words:
Flammable: Defined as liquids having closed cup flash points below 100F (37C) and vapor pressures not exceeding 40 psi (276 kPa) (2.76 bar) at 100F (37C)
Combustible: Defined as liquids having closed cup flash points at or above 100F (37C)

Re:Well, they didn't lie...

[TsarB0mba]

And the prefix "In" to me feels more like it's a negation of "Flammable".

"infamous" does not mean "not famous".

Re:Well, they didn't lie...

[lhowaf]

The flammable/inflammable controversy will go away soon since neither is included in the up-goer list of the ten-hundred most commonly-used words.

Re:Well, they didn't lie...

[Imrik]

No, but it does mean negatively famous.

Re:Well, they didn't lie...

[Kjella]

You come then it negates your income for the next 18 years.

Re:Well, they didn't lie...

[Jawnn]

Something is flammable if it can burn easily.

Something is inflammable if it can ignite easily.

Obviously lots of materials are both but they are different meanings.

[citation needed] Just sayin'...

Re:Well, they didn't lie...

[jason777]

You guys never saw that simpsons episode?

Re:Well, they didn't lie...

[bunbun68]

Flammable comes from flammo, flammare, flammavi, flammatus. First conjugation verb. To burn. You also have conflammare, deflammare but these sadly didn't make it into the English language. Wouldn't it be nice to have deflammable fire blankets?

Perhaps next time you might want to consult a Latin dictionary first before posting?

Lewis and Short is available on line.

Re:First Post?

[I'm+not+evil.+See]

The rest of us have been here also, all along, but just in "Private Mode". There are actually 1203 "first posts" before yours. Look harder. :-)

all knowing edge delayed access to this old story

[sittingnut]

seems editors here used all knowing edge, which explains delay in accessing to this old story.

Be aware

[Travis+Mansbridge]

It's worth noting that other browsers' "private browsing" modes only hide the details of the session from the local machine. Using "incognito mode" in Google Chrome is not encryption and does not shield your privacy in any way from others on your network, your ISP, the NSA or Google themselves.

Re:Be aware

[Travis+Mansbridge]

* And, I'm sure, neither does Edge, I just wouldn't touch Edge with a 10ft pole regardless.

Re:Be aware

I don't know about other browsers, but Chrome on the desktop and mobile explains that as soon as you open a blank incognito window/tab.

Re:Be aware

[Blaskowicz]

That's a weird strawman, nobody said anything about encryption or interception.

There is a problem with Firefox's new private browsing window. It says protection against tracking is enabled. That's true as it does something like Privacy Badger does (although there's little indication of what is done) but you still leave your IP and browser fingerprint (afaik) everywhere and if you go on facebook or logged in google etc. you're of course tracked about everything you do since that is exactly what they are for.

People are at large non technical or not technical enough and are easily deluded into believing private mode browsing is safer. Like some tell me that your position isn't tracked when you use a dumb phone, which is entirely false.

Re:Be aware

parents, partner

If your parents and partner can use this against you, you're already fucked.

employer

Your employer is already recording your traffic, and private browsing will not stop them from knowing exactly what you're browsing.

librarian

Will probably be safe even if you don't use "private" browsing, because librarians are motherfucking hardcore about privacy.

the Law

Will just go directly to your ISP.

"Private" browsing, outside the use case of browsing without previously retained cookies, is a gimmick. Nothing more, nothing less.

Re:Be aware

[Misagon]

Chrome's Incognito mode does have a separate set of cookies - which is empty when you open the first Incognito window and are deleted when the last window is closed.
This means that web sites can't use cookies to track you between sessions. They could track you by your IP address, but the IP addresses are at a lower level than HTTP/HTTPS. If you are really paranoid then you would use something like Tor anyway.

However, there is one big flaw: All incognito windows are in the same session. If you forget to close the last window then the session will linger: when you open a new link "In Incognito Window" then the new link will be attached to the old Incognito session instead of a new one.
This could be remedied by supporting multiple Incognito sessions at once. I think that a straightforward model for the user would be to let each Incognito Window represent a separate session.

Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts. Commenting on cat videos requires much less security than my private emails.
It is also convenient to log out just by closing the window.

Re:Be aware

[null+etc.]

You can drag tabs from one window to another. So any "per-window" statefulness that you propose will just be terribly confusing and inconsistent.

Re:Be aware

[sacrilicious]

I'd be happy to have them disallow inter-window tab dragging in incognito mode (or to allow it but state that all session for the dragged tab will be tossed).

Re:Be aware

[farble1670]

Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts.

google already has support for multi-account. i have 2 gmail tabs open to my 2 google accounts right now. hint: click on your avatar in the upper right. you can also setup multiple "profiles" in chrome and switch between them. i do not prefer this though since it everything is sandboxed (history, extensions, bookmarks, etc).

Re: From the people who brought us 10

[guruevi]

Proof? I think security researchers looking into this would've noticed packets going out encrypted or not during privacy mode.

Beggars Belief

It "beggars belief" why this editor still works at /.

Re:They really did not care

[unrtst]

I'm not sure why I'm feeding the trolls (troll being the summary itself).

I'd appreciate an actual "private" mode, but none of the browsers do what I'd expect from that. My expectation would be that the browser would behave as if it is a clean slate, not store anything to disk, possibly encrypt or at least attempt to hide memory contents, and possibly attempt to hide other identifying details (screen resolution, "agent" header string, plugin list, etc).
Personally, I find little benefit to the make believe "private" mode in that it hides its actions from my own computer. I am not worried about other legitimate users of my computer finding out secrets about me (and if I was, I'd use something much more hidden than "private" mode - another vm with encrypted drives, powered off or in hibernate when I'm not using it).

With that in mind, this info seems to be quite an exaggerated diff between the various private mode expectations. Not that I care much as long as the behavior is what it is, but what I'd want to know is:
* can normal, unprivileged user accounts access these history records?
If not, then it's doing its job just about as well as any of the others.

Isn't this illegal in some states or countries?

[davidwr]

By "illegal" I mean a civil violation of warranty- and false-advertising laws that say products are supposed to meet their intended purpose, as a common everyday consumer would understand the term "intended purpose."

Re:From the people who brought us 10

[GrahamCox]

Wrong. I don't know about Google, but I do know about Safari. When it's in private mode, all of the data that is normally saved to disk for any purpose is stored in encrypted memory, so within a private session, you get the benefit of caching, go forward/back, etc. But once you close the private window, all that encrypted memory is erased and released. Apps using the NSURLSession APIs can do exactly the same thing.

Indifference

[rakslice]

I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

Signs of things slipping I've personally noticed in recent years:
- The faulty Microsoft web-based store (do they expect developers whose first experience with Microsoft is a web site that can't even sell a Windows upgrade are going to turn around and want to build things on ASP.net?)
- Contradictory descriptions of the different Windows SKUs (with respect to use as upgrades, new machine installs, usability by end users vs. system integrators, etc.)
- Software with seriously flakiness in features that worked in previous versions (e.g. Windows 10 Start Menu search and keyboard navigation), with broken help links, without an integrated installer (e.g. Lync, Sharepoint)

Re:Indifference

I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product. Microsoft's "business partners" are advertisers and law enforcement agencies, that's where the revenue is coming from.

The Edge behavior described in this article is very hard to explain away as laziness or incompetence. Intentional decisions were made during all phases of design and development to continue storing the user's history even when in private browsing mode. That isn't clueless management or devs taking the easy way out. That's purposely turning the end user's computer into a tool to be used against him.

Microsoft is now actively hostile to the end user and folks would do well to remember it.

Re:Indifference

[AmiMoJo]

The Edge behavior described in this article is very hard to explain away as laziness or incompetence.

To the contrary, that's the most likely explanation. Either a bad spec that someone followed, or maybe some debug code that was supposed to be removed later.

The end user is now the product.

If that were the case then this would screw them, because there are many other free browsers and most of them are more popular than Edge. To get users to sell to advertisers they need to produce a good browser.

Re:Indifference

[farble1670]

It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product.

ah yes, no /. article would be complete without a "you are the product" post now would it?

Re:They really did not care

[gl4ss]

well private mode is starting to be just "adblock disabled" mode for them...

I'm shocked

[frovingslosh]

Microsoft Edge's Private Browsing Mode Isn't Actually Private

I'm shocked! Shocked, I tell you!

On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

Re:I'm shocked

[rtb61]

It is not really all that funny. Not only is it not private it is marked as pretended to be so on analysis they can find out exactly what you wanted to keep private. That looks really, really bad, not only a failure of privacy but seemingly purposeful gathering of data for extortion purposes, obviously not run of the mill people but selected individuals via the scatter gun method, hide the invasiveness by targeting everyone so that the specific targets are unaware. Then there is how long they will keep the data for ie target every potential politician in high school and university so that decades down the track they can be extorted in compliance or destroyed. It is one thing to screw up privacy, it is quite another to specifically mark data as private and keep it.

Re:I'm shocked

[CodeArtisan]

On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

Or anything connected to the internet.

Re:I'm shocked

[frovingslosh]

Using Microsoft products and expecting privacy is like hiring a Catholic priest to babysit your little boy and expecting him to be safe.

It's an APP, what did you expect?

Modern app appers know that only apps can app apps, and privacy is something only LUDDITES use, so apps like Edge app everything you app so every apper can app your apps while apping other apps!

Apps!

Feature...

[Livius]

not a bug.

This is Microsoft we're talking about. Misrepresentation about their products is what they do.

doesn't fit the criteria

[raymorris]

You're thinking of "implied warranty of fitness for a particular purpose ", as it's called in the Uniform Commercial Code. There's also warranty of merchantability. Let's look at each in turn.

The terms and conditions can explicitly and clearly disclaim the warranty of fitness for a particular purpose, and I'm sure Microsoft's terms do so. They can't disclaim warranty of merchantability so easily. If they do disclaim fitness for a particular purpose, that's the end of that. If they didn't disclaim the warranty, UCC has two conditions. First, the seller must have reason to know what purpose the buyer intends to use it for - browsing porn without having the address bar later autocomplete xvideos.com? National security level espionage? Secondly, the seller must habe reason to know that the buyer is relying on the seller's expertise to recommend an appropriate product.

Microsoft doesn't know whether you intend to use it to avoid having autocomplete accidentally embarrass you or if you're trying to foil expert forensic investigators. Since they don't know which purpose(s) you might use it for, there is no warranty of fitness for a particular purpose.

On to warranty of merchantability. This applies even when the seller does NOT know what purpose you plan to use it for. Because the seller doesn't know, he warrants only that it's useable for SOME purpose. If the mode successfully avoids accidental embarrassment from autocomplete, accidentally hitting the back button down-arrow, etc, then it is useful for SOME purpose and therefore the warranty of merchantability is met.

Suppose some warranty was NOT met (and not successfully disclaimed). Then you could sue Microsoft for actual damages. If you prove that an accidental autocomplete during a business presentation got you fired, they would need to compensate you for the lost pay.

Lastly, you mentioned false advertising. What exactly do Microsoft's ads say about the feature? I suspect they do not say "prevents forensic examiners from determining anything about your browsing history".

Re: First Post?

Exactly, it wouldn't have surprised me if they sent private browsing data direclty to their Redmond office.

impossibru!

[Gravis+Zero]

you're telling me that a corporation that is notorious for their flawed software has made a flawed browser?! impossibru!

Re:Private mode and forensics

[vux984]

Even so, if you put the safety on on your gun, that doesn't make the weapon truly and completely safe and nobody is suggesting it does.

But can you imagine if putting the safety on merely lowered the muzzle velocity by 5%?

Or a door lock that simply turned a red LED on some dashboard somewhere labelled locked, and nothing else.

There is not, and never will be, a truly "private" browsing experience, regardless of browser.

But some browsers actually do a little more than next to NOTHING to remove the session history from the local PC.

GEE WHIZ WHAT A BIG SURPRISE!

[kheldan]

Microsoft has gone full-blown Big Brother/1984; is anyone at all surprised that their newest browser is also spying on you?

Go right ahead and mod me down to negative one troll, Microsoft shills, I expect it of you; wouldn't want your corporate masters to be angry with you, now would you? By the way I'm going to just keep on lambasting Microsoft ad infinitum, and anyone that doesn't like it can, quite frankly, suck my dick.

Re:GEE WHIZ WHAT A BIG SURPRISE!

Hey man, I was a Microsoft sympathizer for the longest time (and a *BSD fanboy, but that's beside the point). However, I installed Windows 10 last week, and it impressed me so much that I downgraded back to Windows 7 after a couple of days, never to return. After using the UI that's worse than GNOME's wildest hallucinations and having to edit group policy and stop services to get the system where I want it to be, I had enough.

Honestly, compared to Win7, Win10 feels like Windows 3.11 with a factory-provided backdoor.

Re:GEE WHIZ WHAT A BIG SURPRISE!

[The-Ixian]

The browser knows which pages you are browsing to and writes that information to a cache file. BIG BROTHAR GET OUT OF MY COMPATUR!

Re:GEE WHIZ WHAT A BIG SURPRISE!

[kheldan]

Apparently you haven't been reading the rest of the story. Their 'telemetry' can give them access to any file on your computer. Therefore they can get your entire browsing history. It's more spyware plain and simple.

Re:From the people who brought us 10

[WaffleMonster]

It isn't a surprise.

But in MS's credit Google and Apple both do the same thing too

How does other people doing "the same thing too" work to Microsoft's credit or speak in any way to merits of underlying issues?

This line of argument is nothing more than bandwagon fallacy. It's completely worthless.

Re:Private mode and forensics

[jason777]

Thats why I do my really serious browsing in a new VM that is read-only. After, I delete the vm. Then light the computer on fire.

Re:From the people who brought us 10

[Solandri]

Chrome Incognito mode is the same. One of the drawbacks being that if you accidentally close a tab, you can't undo it. That tab is gone for good. I don't think it's encrypted in memory though, so if Windows pushes it to the pagefile it could (temporarily) be written to disk.

Working as designed?

[Antony+T+Curtis]

Sounds like, from the description, that it is working as designed.

Re:Working as designed?

[The-Ixian]

Pretty much. Edge is very immature at this point. It is the classic "release it!" software distribution mentality.

Now, if they don't fix it, that's another issue.

Re:Private mode and forensics

[Livius]

Obviously the web site you visit knows you were there, but if a browser implies it erases its end of the session then it should do so.

Re: First Post?

[red+crab]

You always need to have the "Internet Explorer Enhanced Security Configuration" feature turned on for your privacy you insensitive clods!!

Re:First Post?

[hairyfeet]

Considering how much spying is baked into Windows 10 frankly the thought that anything done in that OS is "private" is beyond belief.

As the saying goes

One man's cache is another man's treasure.

You've blown it Microsoft

[DrXym]

How am I meant to browse for gifts and flowers for my wife (WHICH IS ALL ANYONE EVER DOES WITH PRIVATE BROWSING) if its not actually private? Oh and in case the wife does find traces of activity, yes cumgarglingsluts.com is a site that sells flowers and gifts. Way to ruin the surprise Edge.

Re:You've blown it Microsoft

[castionsosa]

It depends on who you are trying to protect from. If worried about another person on that machine, browse in a VM with encrypted filesystems [1], roll it back when done, and occasionally force a TRIM on the SSD to ensure any data on there is -gone-. With tools like Vagrant, one can even have the browsing VM be installed and provisioned, with one's bookmarks fetched/synced from another source.

If wanting to keep data away from ad-mongers, do your browsing in separate VMs and browsers. Banking goes into Firefox, everything else goes into a VM in Chrome that uses a VPN so IPs can't be correlated. Privacy-sensitive stuff, put it in a VM, or use a separate physical box so things like battery status can't be passed across the hypervisor barrier.

Re:First Post?

They invented unsafe OS with user processes running in kernel mode.
They invented the mail-transported virus, when outlook auto-executed attachments received by email
They invented web vulnerabilities with activeX (Execute code found on web pages - no need to look for buffer overflows when this sort of thing is designed in.)

So indeed, no surprise from microsoft here.

Re:Private mode and forensics

>>Then light the computer on fire
Good job your computer is flammable. No, inflammable. Damn!

PS, I've always understood both words to mean the same thing. What's with the suggestion that they have subtly different meanings. No,forget it. I couldn't care less. :-)

Microsoft invading even on Android OS of Google

Not just Win10. I am always reviewing the logs of my Router (a home brewed Ubuntu server box), and I was surprised when Android also connects to Redmond HQ of Microsoft. Here's the IP being contacted by Android but there are a bunch of other MSFT IPs.

some MS IP being contacted by by Android device:
40.113.87.220
111.221.77.144
23.102.224.202
204.79.197.200

WHOIS Source: ARIN
IP Address : 40.113.87.220
Country : USA - Washington
Network Name: MSFT
Owner Name : Microsoft Corporation
From IP : 40.74.0.0
To IP : 40.125.127.255
Allocated : Yes
Contact Name: Microsoft Corporation
Address : One Microsoft Way, Redmond
Email : IOC@microsoft.com
Abuse Email : abuse@microsoft.com
Phone : +1-425-882-8080

Makes one wonder why Microsoft keeps on connecting to Android devices 24/7 even at 2 am when everybody is asleep.

Re:Microsoft invading even on Android OS of Google

This is very likely specific to your phone or some app you have installed (neither of which did you mention). Without context your assertion means nothing.

Re:Microsoft invading even on Android OS of Google

[Lotharus]

Did you notice why all Apple products connects to Apple Inc.. servers 24/7 ?

Yes, this is how push notifications work and is openly documented here: https://developer.apple.com/li... Relevant section:

Each device establishes an accredited and encrypted IP connection with APNs and receives notifications over this persistent connection.

(Emphasis added)

Re:Microsoft invading even on Android OS of Google

[farble1670]

I was surprised when Android also connects to Redmond HQ of Microsoft

You don't say what type of phone you have, or what apps you have installed. it's a very, big stretch to say this has anything to do with Android proper.

But anyway, step 1: disable the Exchange services app that's pre-installed on many devices (my Nexus 6P doesn't have it any longer, good riddance). I've seen it in the logs spewing connection failed messages even though I've never configured or used it.

Re:Microsoft invading even on Android OS of Google

[farble1670]

Check all your Samsung devices with Android OS and check all TCP connections of your Apple devices. Android OS phones home to MS and Google 24/7 while all Apple devices connects to Apple servers 24/7 too.

Sigh. They aren't "phoning home". How do you think things like push notifications work? They keep a persistent connection open.

The only thing that still baffles me

[koan]

Is why anyone believes things like MS's browser not being "private" is a mistake, or Apples "goto" fail was a bug (some of many fails for both corps) or that there isn't an obvious collusion between the gov and the tech sector, and all the spying and dirty tricks you see are not "bugs" or "mistakes" they were planned all along.

Eisenhower warned us, we didn't listen, it came to be, now we are "proper fucked".

No shit ...

[gstoddart]

So, Microsoft came out with brand new technology ... tells us how awesome, secure, and private it is.

And, shockingly, it isn't.

Why anybody is surprised that Microsoft hasn't really got a mature enough product to know how secure it is makes no sense.

Why anybody would believe that after all these years Microsoft suddenly wrote a secure browser is beyond belief.

Did anybody believe Edge was magically safe and secure just because Microsoft said so?

Re:No shit ...

[The-Ixian]

It seems to me as though the "private" browsing bit has been an afterthought in every browser to date and it is left as an exercise of the developer to define what "private browsing" even means.

What doesn't surprise me is that every browser does private browsing differently.

MS made a mistake and mingles private cache data with non-private cache data. I can see how that could be a simple "efficiency bug". As we all know, most developers are not security experts, we see it over and over again.

The real question here is: now that MS knows about the flaw, will they fix it? Let's hold the pitchforks at bay until we know the answer to that, shall we?

Re:No shit ...

[gstoddart]

I have no doubt they'll fix it, or do something to it ... my point is Microsoft, or any other company, when introducing a piece of software makes the claims of how safe, and secure, and fast, and private, and awesome it is.

But until that's proven in the real world, it's just marketing claims.

So, I don't care who it is ... come out with your new product and claim all those things, and it's a wait and see.

But in the case of Microsoft, whose track record with security doesn't make me automatically think I believe them, I'm going to assume even more that there's no reason to trust the claims. Because over and over we see security is done as an afterthought, falls short, and then people act surprised.

If Adobe suddenly said tomorrow that Flash was now safe and secure, I'd not believe them either, because they have a rather long history of not knowing how to make Flash secure.

Re:No shit ...

[SharpFang]

Considering they record browsing mode along with the cached data, that doesn't look like a mistake.

Re:Private mode and forensics

[c]

Thats why I do my really serious browsing in a new VM that is read-only. After, I delete the vm. Then light the computer on fire.

When it comes to furry porn, one can't be too careful.

Re:Because Microsoft are the new NSA

[LVSlushdat]

Call me a conspiracy nut, I don't care, but *somebody* has got to step up to the plate to fill that giant NSA datacenter in Utah.. I suspect MS has partnered with the NSA to do that very thing, and the way MS is trying to shove Windows 10 down the throats of all of the poor schlubs who still use Windows makes this "conspiracy theory" damn near a sure thing. Given that and the way they're force-feeding the telemetry crap on Windows 7/8/8.1.... Sooooooooooooooo glad I quit sucking on the MS teat...

Re:They really did not care

[Hognoxious]

It's private in the sense that they know that that they're tracking you and you don't.

Re:They really did not care

[castionsosa]

Sadly, with LSOs, various browser fingerprinting mechanisms, and many other items, the only thing that might might equate to a "private mode" would be to turn on automatic rolling back of a VM when it shuts down, or perhaps having a VM which uses a provisioning script to auto-install the browser and generate a new machine ID every so often, fetching and reloading one's bookmarks and other essential add-ons from a provisioning server. At least with Vagrant, cracking off a new VM configured how you like it for browsing isn't too bad.

Samsung/Android incognito mode fails, too

[leroybrown]

I'm not sure if it's Android in general or Samsung specifically but I've noticed that my Galaxy S6 Edge uses word-completion suggestions culled from browser usage in incognito mode.

Re:From the people who brought us 10

[The-Ixian]

As a matter of fact, isn't the browsing history the basis for the (in)famous crashsafari dot com?

It's a closed-source browser

[edtice1559]

There are a lot of posts talking about what an incognito mode should do. Normally we refer to it as 'porn mode' here on /. which does seem to be the intended use case. There's a lot of reverse-engineered information out there about what these modes actually do. In reality, it's insane to trust any closed-source browser with this type of task. If you really care about this feature, you'll want to use an open-source browser where the source code can be audited to determine exactly what it was *intended* to do. (New security issues pop up all the time WRT things not behaving as intended, but that's a separate issue). And the behavior should be documented so you can decide if it meets your need.

Re:It's a closed-source browser

[farble1670]

^^^ this.

private mode is good for keeping pr0n sites out of your web history.
private mode is not so good for hiding your illegal activities from determined law enforcement agencies.

the sooner people figure that out, the better.

Re:Private mode and forensics

[The-Ixian]

And yet, no browser that I am aware of flushes the DNS cache on the system (even though they could if they were truly trying to make a "private" experience).

Re: Private mode and forensics

[The-Ixian]

Yeah, because inspecting the browser's cache file is within the skill level of so many people....

its microsoft

its microsoft, enough said, TOTAL FAIL

The real question...

[bfpierce]

Is why are you relying on your web browser to provide you with the security to break laws, that's not what private/incognito are for.

It's to prevent other users on the machine from seeing your browser history...

Does anyone actually use edge?

[bored]

I put in the little effort to setup classic IE on my win10 tablet because edge was basically unusable due to the fact it doesn't have an ad blocker. I really have no idea how people can surf the modern internet without an ad blocker, the auto-playing videos and popups everywhere make it completely insane.

At MSFT the security badge goes in before

[WillAffleckUW]

At Microsoft the security badge logo goes on the package before the security is added, comrade.

Trust in the computer!

Re:Private mode and forensics

[The-Ixian]

Yeah, you are right. After thinking about if for 2 seconds (which I apparently didn't do when I posted...) you would need to be running as an administrative user in order to flush the system DNS cache. On a shared system this could also lead to unexpected results.

Still, this highlights the point, no browsing is truly private.

Re:Private mode and forensics

[desdinova+216]

well with that, I think the appropriate reaction is to nuke it from orbit, just to be sure.

Re:Private mode and forensics

[IronChef]

I was doing this for a while, but realized that a sufficiently advanced attacker could learn things from the combustion products. I now throw the computer into a volcano.

Re:Private mode and forensics

[avandesande]

I was going to suggest throwing it into a black hole, but hawking readers are easy to get on newegg.

Re:First Post?

[Lodlaiden]

Haven't we all been there at one time or another?

Found the problem

[hoggoth]

> The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief

> Microsoft

I think I found the problem.

Some of their hosts aren't too well secure, either

[BoogieChile]

Apparently....https://urlquery.net/report.php?id=1454188045917