Security In Mind, piggies at my door.

[VIKINGtrich]

Im not computer literate when it comes to all the technical talk....But would a proxy site like "HidemyAss" work? I really do want to be more careful online, but I'm not a computer programmer either...lol...

 

[VIKINGtrich]

Just fyi-

The majority of us (and I've been an IT assistant before) won't understand half the shit you are talking about.

When you write 3 pages worth of info, citing a billion different plug ins/programs/different version of operating systems, nobody is going to be able to fallow it, or even want to.

If you want to really help, explain what to do in 5 steps, and keep each step under 3 sentences.

And overall, if cops/leo is after your computer shit, trying to track your internet activities, you've already fucked up in some way.

Real world security/procedures is much more important then going to conspiracy theory internet security status.

Exactly man..All that shit was nothing more than mumbo jumbo from Mamby Pamby Land....lol...Seriously, most people have no idea what that shit means...blah blah blah blah proxy blah blah safe....lol....the awareness part is great, its the words that fucked me up....

..anyways, HidemyAss...good or bad? Will it keep me safe from spying eyes?

 

[sac beh]

Seriously, most people have no idea what that shit means...blah blah blah blah proxy blah blah safe....lol....the awareness part is great, its the words that fucked me up....

It seems the OP was taking advantage of this fact to give really poor security advice. Which is why the first rule is to never click links of unknown/untrusted sources, until you do some research of your own.

..anyways, HidemyAss...good or bad? Will it keep me safe from spying eyes?

Personally, Viking, I wouldn't trust any proxy site with my secure information. If you really have a need to obscure your location, Tor is the best option (see spurr's links above for info on how).

With a proxy site like hidemyass, you're entrusting your location and activities to a single website with unknown intentions, which makes abuse very easy and likely.

 

[Easygrowing]

First rule of security: Don't click on links to zip files from random dudes on the internet.
__________________

SO true S:B
Take care

 

[One Love 731]

Funny part is when the link burned my computer his response was "just take it to a shop and have them fix it" that's just what I want to do is take a computer full of evidence to some guy that knows how to see everything Ive ever done. I do feel bad though, I gave the guy -k which I have never done before, just don't believe in it. Oh well, I was slippin and now I'm headed back the right direction. Karma, One Love

 

[DIGITALHIPPY]

I think it's a good idea you are trying to help others, but, you are spreading FUD and have a few things mixed up. I will try explain what I mean in your post, and offer suggestions about how to do things 'right'.




If you're using any Microsoft based OS you already failed from a security viewpoint. You should be using *nix, at least Ubuntu, but better yet using BSD or some other hardened *nix OS, but, Ubuntu is good enough for most people and most windows users can learn it pretty easily. Ubuntu is freeware and open source. If using Ubuntu then make sure to WDE (whole disk encryption) and use > 1gig RAM and disable paging file.

If someone has to use Windows, then it's most wise to use TrueCrypt to encrypt the system as WDE (Whole Disk Encryption) and use the Hidden OS feature. That means LEO tries to access you computer they will be unable to, the whole disk is encrypted, and if they force you via court order to decrypt the disk then you simply give them the passphrase to "honey pot" OS. The honey pot OS is second OS installed that is not the one you use day to day. The honey pot OS will have no incriminating data on it. This is important due to the vast amount of data left on a Windows OS, and the fact with NFTS filesystems you can't be sure you securely shredded evidence like browsing history, documents, etc. There are many steps that must be taken to secure a windows OS, it's almost not worth the effort, mostly because windows is closed source so you can't trust it.

The best way to use Windows is to use Ubuntu and setup a virtual machine (VM) to run Windows. That way Windows will be setup to not be allowed to access the Internet, and you can still use windows programs (if they don't work under the windows emulator WINE in Ubuntu). TrueCrypt is available for Ubuntu, and it might be possible to setup a VM of Windows using TrueCrypt to encrypt the Windows VM a la WDE with hidden OS feature (untested, but I plan to test it someday soon).

There area many areas in a Windows install that you need to configured to make it more secure, such as disabling System Restore, Shadow Volume Copy, Write Behind Disk Cache, encrypt (or disable) SWAP (aka paging) file, setup a restricted guest account and only use the guest account, disable various services (see BlackViper services website), setup a firewall with "stealth ports" mode (windows firewall sucks ass; Comodo is good and free), setup a good virus scanner, malware scanner (like Malware Bytes and Super Anti Spyware), etc, etc, etc...

So, in short, for a secure computer use Ubuntu (or even Kubuntu), enable WDE when installing from Ubuntu Live-Cd and make sure the firewall has stealthed ports.

Going even a step further, one could use a Live-CD or Live-DVD as their OS (see link below). So, they could use Windows for normal stuff they don't worry about, and use a Live-CD or Live-DVD for anonymity related stuff. Using the Tor Live-CD below is a great way to go. Live-OS's leave zero data on the HDD, they only use RAM...however, using Live-OSs limits their usability big time, e.g., you can't save files, bookmarks, etc (unless using a Live-USB but that kind of defeats the purpose of using a Live-OS unless the Live-USB is encrypted). Thus, for usability we are back to Ubuntu with WDE with Microsoft inside VM that isn't allowed to access the Internet if one needs Microsoft.

Here are two great resources:

1. Tor Live-CD/Live-USB:
Incognito + Amnesia = The (Amnesic) Incognito Live System: https://amnesia.boum.org/ (the SSL cert is not from a SSL cert authority, it's self signed, so you will need to accept it in the browser)

2. Setup secure VM browsing with Tor inside Ubuntu:
"More Secure Tor Browsing Through A Virtual Machine in Ubuntu" I uploaded that PDF to this post.




It's easy enough to remove meta-data from pics...also, just disable GPS geo-tagging in the phone, the same goes for new cameras and all smart phones.




You are posting lots of misinformation and FUD. To remove meta-data read my posts on the subject in this sub-forum, or the other myriad of posts on the subject in this sub-forum.

If anyone is posting pics/video's without using Tor if they worry about anonymity then they failed anyway. Also, google doesn't know what ISP you use if you don't use google, and don't allow google via cross-site scripting.



What has "provided enough information"? Do you mean meta-data from pics? That claim smells like FUD to me, do you have any proof they got raided due to meta-data? And do you really mean "a bunch", that is more than half a dozen...



Do neither of those for security, simply download the free Ubuntu and install it on your HDD setting up WDE...



Please do not use that add-on, you need to use TorButton with Tor! It is a must for a myriad of reasons I don't fell like covering here.

Please read my posts in this thread, and use the add-ons I suggest in that thread for a sufficient level of security and anonymity:
https://www.icmag.com/ic/showthread.php?t=194459


If someone is using Tor but not TorButton with Firefox they are sticking out like a soar thumb and they are very vulnerable to a myriad of attacks on their anonymity. Not using TorButton with Tor is a major fail.




Just use the RefControl add-on I wrote about in that thread I linked to above. Done and done. Then you can visit FOO.com from icmag.com and FOO.com only sees a referrer for FOO.com.



That is total FUD man. Sure SSL can be broken, but it's not non-trivial and it's not done by LEA, nor by hackers. What is more likely to happen is MIM (Man In the Middle) attacks, SSL spoofing, etc. But it's not nearly as easy as you are implying. Current SSL is safe, more of a worry is SSL cert authorities, that is why using a self-singed cert is often a better choice.




Blowfish is NOT better "encryption than the military", no matter what bit length; Blowfish is old. The best option for strong encryption is using an algorithm chain, e.g. AES > Twofish > Serpent. And make sure to use a hash algorithm that adds salt, like SHA-512 or better yet use Whirlpool (third version).

FreeOTFE is not a good choice, people should use TrueCrypt if they want to make encrypted volumes, and they should use the "hidden volume" feature; which is analogous to the "hidden OS" feature in TrueCrypt I wrote about above. Also, with TrueCrypt you can use the encryption algorithm chain and hash algorithms I listed above; which are much better than using Blowfish.



You cannot "specify as many connections as possible" in Tor, you only get to use 3 nodes for non-hidden service surfing. I.e., your computer > Tor entry node > Tor middleman node > Tor exit node. There is no proven security or anonymity gained with node chains longer than 3.



No it does not. Tor uses standard encryption via OpenSSL (IIRC Tor uses TLS), and data is encrypted with 3 'layers', once at your computer, a second time at the entry node and a third time at the middleman node; then the exit node decrypts the layers and passes the data on to the website "in the clear".

If using HTTP with Tor (which is a bad idea if one can use HTTPS), then the data from the Tor exit node is not encrypted en route to the website. That means the Tor exit node can "sniff" all the data "packets" and see what is being transferred like passwords, posts, etc. That is why if using Tor then it's very important to try and use HTTPS, especially when entering passwords. For ICmag a Tor user should always use HTTPS. See the thread I linked to above for my directions on configuring NoScript to force HTTPS at ICmag and for Icmag cookies too.

On that point: cookies, especially HTML 5 cookies, aka EverCookies, are very dangerous for anonymity. See the thread I linked to for info about the only way to remove EverCookies (re: BleachBit).

The thread I linked to covers lots of topics about security and anonymity for Internet traffic, issues such as JavaScript, etc.




You do not need to configure a firewall/router to use Tor. Have you even used Tor before? You only need to configure firewall/routers (i.e. open incoming ports/port forward 9001 and 9030) if you are running a Tor node...

If using Tor one should configure their local firewall to stealth all ports, this defeats port scanners, etc. In fact, one should stealth all ports all the time, and if using online gaming, running a Tor node, etc., then one would need to forward specific ports.



What you wrote will provide much reduced anonymity and security, you didn't even discuss issues about Javascript that can fully break anonymity when using Tor. When using Tor it's imperative to use Firefox and TorButton add-on, and it's wise to use the other add-ons I listed in the thread I linked to above.




Done and done. Sorry if I seem kind of terse, it's just that the info you provided is very flawed and will make people worse off because they think they are anonymous and secure when in fact they are not. It's very important to know what you are writing about before suggesting tips to people that can make or break their freedom.




Really man, com one! That is such bad advise I don't even know where to start. Just use WDE via Ubuntu and no one will be able to access any data on your HDD. Better yet would be using WDE with hidden OS feature via TrueCrypt in case someone tortures you to get the passphrase, or you are court ordered give the passphrase otherwise facing jail time; but the hidden OS feature of TrueCrypt is only available with Windows IIRC.

Using a Live-CD/Live-DVD (I linked to above) is another route to take but one can't save data unless using an encrypted USB or encrypted container on the HDD.




Yes it is, if using proper methods. But the safer route is to use WDE, then one doesn't need to worry about evidence as long as one wouldn't be forced to give up the passphrase; and in the U.S. courts can't force you to give up the passphrase (AFAIK).

all "the real good hackers" use *nix, and there are too many windowz machines to seriousely get in trouble from.

if anything its the other 5,000 methods of getting busted that'll lead them to the pc, not the pc leading them to a grow.

show me ONE article where someone got poped from posting pics online.

ive been a microsoft engineer for WAAAYYY too long to actualy believe that stuff your spouting.
MCSE since fucking 2000.... MCP, CCNA, SQL code god. i use linux(redhat, knopsis and others) in my call-centers for old-ass aps.

i dont follow any of your advice, cuz *nix is just as sloppy,and just as easy to follow the user around(you dont think the NSA knows linux/unix?)

also, download "the nsa's guidebook for securing a windows pc" from your fav torrent site (sorry no links) its a fun read.

all that crap u just told them to do is JUST AS TRACEABLE through the ISP.
ip logging? hello? you really think that a proxy will stop a FBI/NSA/HS/DEA if they suspect anything?

 

[spurr]

Oops, I'll edit the main thread post, wicked, thanks for the info!

No problem, glad to help.

You need sdelete in the current directory of kill.bat if you want to be able to use it, and cipher.exe in your system32 dir.

Cipher.exe is not in all versions of Windows, that is why I mentioned it. It's not in Windows XP sp3, AFAIK, it's only in Windows 2000, pre-SP3 of XP and some version of Windows Vista and 7 by default.

What the hell, it's 2.9 mb 'compressed', I don't understand why they'd fill it with garbage, someone upload it to a different hosting service??

I doubt anyone uploaded it but you. Do you have the original upload URL?

You own this thread man, props . Muchos appreciated. (as ironic as that might sound) sslstrip, look'r up

I'm aware of sslstip and it's limitations, my point is still valid: using HTTPS with Tor is critical for sites where we enter personal info, like this forum, much safer than using HTTP. There Tor developers who troll the Tor network with Snakes-On-a-Tor, seeking out misbehaving exit nodes, ex., those trying to run sslstrip, MIM attacks, DNS hijacks, etc., and those nodes get taken down.

I'm obviously not an officer, but I know no one 'snitched' on anyone and they must have gotten this information somehow.

I never thought you were, I thought you reasons for starting this thread were altruistic; but your suggestions were misguided.

The backdoors will try to do a lookup for the 'server' to connect to, the code is all there, but it'll attempt to connect to the ill-legit windows updating thing that was patched via hosts file, which will make the 'backdoor' useless.

That is only when the OS tries to connect to a specific server, a backdoor would also allow LEA (for example) to access your OS, or keyword loggers that MS has admitted to using to catch pedophiles (and connect to Windows servers, a separate issue than what you wrote about above). Albeit such tactics are non-trivial, but they exist.

I was under the impression tor encrypted it's content using openssh, with each node's private key.

Yup it does. But at your computer (local Tor), entry node and middleman node; then the exit node decrypts the traffic and sends it onto the destination in the clear. Which is why using HTTPS (or SSL for IRC, etc) is important.

See this entery in the Tor FAQ:

• "Can exit nodes eavesdrop on communications? Isn't the bad?" (link)

Most users will only contend with what they have in front of them and not venture much further than that. I'd be greatful if a user decided to install tor and did 2 out of the million things mentioned here.

I wrote about various attack vectors, such as data recovery/storage, online security/anonymity, etc. People need to fiugre out their thread model, if they think they will get raided than they have a higher threat model than someone who just wants to protect their IP address. Once people know their threat model they should act accordingly.

If people only care about online anonymity, then using TorBrowerBundle (TBB; link) is a easy as it gets; TBB is an "out-of-the-box" solution for using Tor. TBB is available fro Windows, Max and Linux, it includes (depending upon the Operating System used): Tor, Vidalia, Firefox, Polipo, TorButton, HTTPSEverywhere, NoScript; along with a Windows version that includes Pidgin for anonymous IRC. TBB runs in portable mode; i.e., no install and no tracks left on the HDD expect for cookies, bookmarks, etc. Along with TBB, using a firewall that will stealth ports (like the free Comodo) are a must. That's two steps, and if people think that's too much then they are sorry, lazy mofos and I have no sympathy for them if they get their IP logged by LEA, their ISP, etc!

I would love for anyone to find that batch file online, I wrote it myself, 100%. It's a batch file, not a program. I'll 're-write it' to utilize other programs, but those are definitely being prioritized in my awesome apps list.

A batch file is a program I did find refence to the file "kill.bat" that calls sdelete online yesterday, but I can't find the URL now for some reason.

If you did write it I have two questions for you:

1. Why did you add all that echo text? That must have taken a lot longer then writing the few simple lines of code.

2. Why didn't you include any errorlevel code (i.e., %errorlevel%)? Any batch file that calls other programs lacking error checks is pretty flawed. Here is info on adding errorlevel to the batch file so it exits properly (with errorlevel) if it can not find cipher.exe and/or sdelete.exe http://ss64.com/nt/exit.html

The reason why I added the check for cipher is because I know it's not included on most systems, only newer ones (vista and 7) but can be found on windows server os's from 2000.

Supposedly it can be found on XP too, but at least not sp3. It has been on Win 2000/NT for some time, since at least 2005, AFAIK.

As far as I recall, secure blowfish has never been broken unlike rsa? I may be wrong, but I can't recall a single instance where blowfish has ever been broken.

"never been [publicly] broken" isn't the same thing as being considered secure in today's world of supercomputing. That is why BlowFish is not available on current (high quality) encryption solutions, nor used by any government agency in any country I know about.

Use noscript to permit and deny javascript and other scripting languages from running on your computer with firefox, easily done. Shouldn't be a problem if you're running another operating system.

Yes, NoScript runs on all OS that run Firefox. But, using Tor without TorButton is a major fail, with or without NoScript. TorButton is a must for browsing, as is Firefox, when using Tor. Mike Perry (author of TorButton) is working on a TorButton for Google Chrome (Incognito Mode), but that won't be ready until later next year. Once Mike is done with his TorButton for Google Chrome, Firefox will be dropped by the Tor Proejct (Firefox has more than few bugs that hinder Tor, ex., socks flaws which is why we need a HTTP/S proxy such as Polipo or Privoxy, and Firefox is very slow in updating their software).

I don't know if this will work, but 0/43 antivirus programs threw any warnings with my zip downloaded from uploading.com....
VirusTotal analysis security in mind.zip (downloaded from uploading.com) <--- give it a second, it takes a while to queue

I didn't find any issues when I scanned it either, but the fact the file host (uploading.com) tries to install that exe means it's a very unsafe file host.

 

[spurr]

Just fyi-

The majority of us (and I've been an IT assistant before) won't understand half the shit you are talking about.

That is why I took the time to explain it in detail; there is only one way to learn: which that is to take the time, and effort, to learn.

When you write 3 pages worth of info, citing a billion different plug ins/programs/different version of operating systems, nobody is going to be able to fallow it, or even want to.

It's their own ass on the line, no skin off my back. And FYI, a few people have already thanked me for my posts, just because you see no value in it doesn't mean others feel the same.

I didn't write what I did as a 'how-to', I only wrote what I did as a 'heads-up'. Anyone with a little bit of intelligence can use the info I provided, it might take a few days to understand it all, but isn't your safety worth it?

What I wrote is about the best, all-in-one location of that type of info one can find without already knowing a lot about computer security and anonymity.

Like I wrote to the OP:

People need to figure out their thread model, if they think they will get raided than they have a higher threat model than someone who just wants to protect their IP address. Once people know their threat model they should act accordingly.

If people only care about online anonymity, then using TorBrowerBundle (TBB; link) is a easy as it gets; TBB is an "out-of-the-box" solution for using Tor. TBB is available fro Windows, Max and Linux, it includes (depending upon the Operating System used): Tor, Vidalia, Firefox, Polipo, TorButton, HTTPSEverywhere, NoScript; along with a Windows version that includes Pidgin for anonymous IRC. TBB runs in portable mode; i.e., no install and no tracks left on the HDD expect for cookies, bookmarks, etc. Along with TBB, using a firewall that will stealth ports (like the free Comodo) are a must. That's two steps, and if people think that's too much then they are sorry, lazy mofos and I have no sympathy for them if they get their IP logged by LEA, their ISP, etc!

If you want to really help, explain what to do in 5 steps, and keep each step under 3 sentences.

LOL, that isn't possible. Not only in regard to the amount of info I would need to post to teach people from the ground up; but also due to my posting style. You must not read many of my posts if you think I am not long winded

I am long winded for a reason: it's very important to not only tell people 'how', but also 'why'.

A person ignorant about guns is far more dangerous with a gun, than a person well informed about guns is with a gun...the former is far more likely to shoot their foot off.

And overall, if cops/leo is after your computer shit, trying to track your internet activities, you've already fucked up in some way.

Plain ol' FUD spreading that is! FUD = Fear Uncertainty and Doubt. The whole reason I feel the need to teach people the 'whys', along with the 'hows', is so they don't fall victim to basic missteps like logging in via HTTP and not HTTPS.

Real world security/procedures is much more important then going to conspiracy theory internet security status.

I wholly disagree, they are equally important in today's world of online activities; ex. do you use FaceBook? And if a person doesn't care about their online security/anonymity then chances are they lack in their real-world security/anonymity.

What I wrote is far from "conspiracy theory internet security status", lol. If you think I am part of the tin-foil hat crowd you have a LOT to learn...

 

[gaiusmarius]

thanks spurr your time and effort explaining these things is much appreciated. i need to study up on those links. is chrome open source too?

peace out

 

[DIGITALHIPPY]

Just fyi-

The majority of us (and I've been an IT assistant before) won't understand half the shit you are talking about.

When you write 3 pages worth of info, citing a billion different plug ins/programs/different version of operating systems, nobody is going to be able to fallow it, or even want to.

If you want to really help, explain what to do in 5 steps, and keep each step under 3 sentences.

And overall, if cops/leo is after your computer shit, trying to track your internet activities, you've already fucked up in some way.

Real world security/procedures is much more important then going to conspiracy theory internet security status.

for once....
im with this guy.

especialy the last 2 parts.
if LEO is asking, your 2 late.
if you go into pentagon mode....your never going to be able to do it, ISP's keep cache for warrents(usualy for child porn offendors)

TWC seams to keep cache of activites for 30 days.
verizon i think had a clause where they dont delete any cache, like google.

 

[mcattak]

Damn spurr...You a Jeopardy champion or something...Always telling it the way it is...

Thanks

mc

 

[spurr]

thanks spurr your time and effort explaining these things is much appreciated. i need to study up on those links. is chrome open source too?

peace out

Yes it is

 

[spurr]

Just fyi-

The majority of us (and I've been an IT assistant before) won't understand half the shit you are talking about.

When you write 3 pages worth of info, citing a billion different plug ins/programs/different version of operating systems, nobody is going to be able to fallow it, or even want to.

If you want to really help, explain what to do in 5 steps, and keep each step under 3 sentences.

And overall, if cops/leo is after your computer shit, trying to track your internet activities, you've already fucked up in some way.

Real world security/procedures is much more important then going to conspiracy theory internet security status.

for once....
im with this guy.

especialy the last 2 parts.
if LEO is asking, your 2 late.

That is the whole point of staying anonymous while posting online; so LEO doesn't even know about you or your IP address. Also, if LEO knows your growing say via power bills or smells outside your home, and raids your home, if you use WDE then they can't get squat from your computer.

Both of you have strong misconceptions about computer security and anonymity.

if you go into pentagon mode....your never going to be able to do it, ISP's keep cache for warrents(usualy for child porn offendors)

My ISP has no idea what I do online when I'm using Tor. I could be here, or looking at kiddy porn, or reading the Wall-street Journal online, and they are none the wiser. That is one main reason to use Tor: to prevent ISPs from spying on what you do online. The ISP is a major source of online snooping, ex. using carnivore (from the FBI) and in the US since the inception of the Patriot Act many ISPs are like a tattle-tale to the feds (incl the DEA). That siad, Tor exit nodes can also snoop on your data if you don't use HTTPS...

Even if my ISP is served with a warrant, they will have nothing to give to the Feds/LEO except encrypted data packets (thanks to Tor) and the IP address of the Tor entry nodes. The ISP can not see what I am doing, nor where I am doing it.

That said, "end-to-end correlation" attacks do work against Tor, but only powerful government agencies or very well funded groups would be able to carry out such an attack; and they would need to know about you in the first place, ex. via real-world activities. Such an attack is very non-trivial, and is not very effective/efficient.

TWC seams to keep cache of activites for 30 days.
verizon i think had a clause where they dont delete any cache, like google.

They can keep it as long as they like, nothing they have can show what a person is doing, or where they are doing it, if the person is using Tor correctly.

 

[spurr]

To all the naysayers about Internet security/anonymity:

I would like to point out that when cannabisworld and overgrow were taken down by the RMCP and DEA, they (most probably) got access to the servers hosting both sites, and that means they would have gained access to all IP address in the logs of both sites. Thus, if someone who used to post on those two sites didn't use a proxy like Tor, there is a very good chance their IP address is/was known to feds in Canada and the US.

Considering the feds in both countries have acted against cannabis sites in the past, I hope that gives naysayers pause about their false sense of security/anonymity in terms of not trying to hide their IP address from their ISP, Icmag, and any Internet backbones (that are all owned by the US, IIRC) their data packets traverse...

 

[spurr]

is chrome open source too?

peace out

I wanted to point out that you shouldn't use Chrome with Tor until TorButton is ready for Chrome; until then stick with the most current Firefox version with TorButton and ideally the other add-ons I listed.

 

[spurr]

Important anonymity issues with any proxy, incl. Tor:

Do not visit a site that knows your real identity, ex., your bank online, while at the same time visiting a site that knows your pseudonym, ex., you nic here at ICmag. This is bad if you do so because you will be using the same Tor exit node for both sites, and if it's a rouge exit node the node amdin can figure out (via timing attacks) that you are the same person who is visiting both sites, thus they can conclude that your real identity is the real identity for your pseudonym. That is called "associating non anonymous [i.e. onymous] and anonymous traffic" (read this mailing-list message for more info).

If a person has to visit a site that knows their real identity and a site that only knows their pseudonym, while using Tor, then make sure to use two different "circuits" through Tor (i.e. chain different entry node, middleman node and exit node) for both sties. That is accomplished with Tor via Vidalia by right-clicking on the Vidalia icon (in system tray) and choosing "New Identity".

When you choose "New Identity" via Vidalia all NEW traffic will be routed into a different circuit than OLD traffic. Ex., open up Firefox and surf to Icamg and log in, then open up a new tab in the browser and choose "New Identity" via Vidalia and surf to your bank and log in. That way both sites, ICmag and your bank, will be using two different circuits (chains of nodes) through the Tor network.

All that said, it's most safe to not visit a site that knows your real identity at the same time as visiting a site that knows your pseudonym...


It would behoove everyone who uses Tor to read this section from the Torwiki:

Anonymity and Security
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#AnonymityandSecurity

• What protections does Tor provide?
• Can exit nodes eavesdrop on communications? Isn't that bad?
• What is Exit Enclaving?
• So I'm totally anonymous if I use Tor?
• Please explain Tor's public key infrastructure.
• Where can I learn more about anonymity?
• What's this about entry guard (formerly known as "helper") nodes?
• What about powerful blocking mechanisms?
• What attacks remain against onion routing?
• Does Tor resist "remote physical device fingerprinting"?

It would also wise for everyone who uses Tor to check out the following links

The Tor users mailing list "Or-Talk" (here) and the Tor Blog(here) are also good places to read to learn about specifics regarding Tor.

 

[headiez247]

To all the naysayers about Internet security/anonymity:

I would like to point out that when cannabisworld and overgrow were taken down by the RMCP and DEA, they got access to the serves hosting both sites, and that means they would have gained access to all IP address in the logs of both sites. Thus, if someone who used to post on those two sites didn't use a proxy like Tor, there is a very good chance their IP address is/was known to feds in Canada and the US.

Considering the feds in both counties have acted against cananbis sites in the past, I hope that gives naysayers pause about their false sense of security/anonymity in terms of not trying to hide their IP address from their ISP, Icmag, and any Internet backbones (that are all owned by the US, IIRC) their data packets traverse...

Yet nobody got busted after overgrow was taken down.

IC is hosted in another country, will never be shut down.

I applaud you trying to help people, obviously you can't be too safe. But realistically the majority of people will either pass it by or laugh at its complexity. No skin off your back, sure, just time wasted.

I tried to find a news article where a grow bust occurred due to an ISP snooping, forwarding the info to LEO, them investigating, securing a warrant, and then busting the person. I couldn't find one. In order for your theory to be correct, there would have be not one, but multiple dozen cases where it is shown that your internet activities alone initiated an investigation which lead to a grow bust.

Your notion that it is important to have your computer locked out DURING a bust makes no sense to me. If you get raided, and they find your grow in full working order, them finding out that you posted in a grow forum about said grow isn't going to hurt your case. Just like if you own tons of illegal guns and they find out you posted pictures online of the guns. It's not like you can say "that 13kw grow downstairs isn't mine, its my friends that left it here"

You aren't taking the real world statistics into mind. Given our economy, and how busy LEO is to begin with, not to mention the thousands and thousands of tips they receive, the amount of LEO who literally sits around and looks through what random people are looking at online is very small. And even if it wasn't, how many millions of people have ISPs? What are your odds of being selected. ISPs sole purpose in life is to make money. They do what they have to in order to keep LEOs happy, beyond that, they could care less what you are doing online.

The bottom line is people need to 100% focus their security on real world scenarios first, not being anonymous online where they essentially already are.

I DO think that if you are already being investigated and THEN they look into your internet activities (again couldn't find an article to support this) then ya, that could hurt your case. But if they are already investigating you, you've done something wrong.

You are an online version of Mel Gibson in Conspiracy Theory and that is totally fine, but don't say everyone else is risking there freedom by not taking it to the extreme you are.

 

[HUGE]

Tag

 

[spurr]

To all the naysayers about Internet security/anonymity:

I would like to point out that when cannabisworld and overgrow were taken down by the RMCP and DEA, they got access to the serves hosting both sites, and that means they would have gained access to all IP address in the logs of both sites. Thus, if someone who used to post on those two sites didn't use a proxy like Tor, there is a very good chance their IP address is/was known to feds in Canada and the US.

Considering the feds in both counties have acted against cananbis sites in the past, I hope that gives naysayers pause about their false sense of security/anonymity in terms of not trying to hide their IP address from their ISP, Icmag, and any Internet backbones (that are all owned by the US, IIRC) their data packets traverse..

Yet nobody got busted after overgrow was taken down.

IC is hosted in another country, will never be shut down.

You don't know people didn't get busted via IP address logs; it's better to be safe than sorry. To your second point, it's not only about Icmag, it's also about your ISP that sees everything you are doing if you don't use a good proxy like Tor, it's also about Internet backbones that log data, etc.

The goal is to leave as few bread crumbs to your doorstep as possible...

I applaud you trying to help people, obviously you can't be too safe. But realistically the majority of people will either pass it by or laugh at its complexity. No skin off your back, sure, just time wasted.

If I can help one person that's good enough.

And it's not complex for basic level online anonymity, did you not see my last message to you? If a person only cares about online anonymity, then they only need to download one file, that's it (but ideally they would also install the other 6 Firefox add-ons I listed). Once a person downloads the TorBrowerBundle file to their computes they simply decompress the file and click on one program (onion icon) that auto-launches all other programs, which are all are pre-configured to use Tor; and none of it is installed...it can't get any easier than that. If people think that is too hard or complex then I doubt they would be able to use the Internet or log onto Icmag.

Why are you posting in this thread? What I mean is you seem to be trying to dissuade people from even trying to control their information and anonymity. How does that help anyone? How are you helping anyone?

Your disagreement has been noted, what is gained from continually posting your opinions other than spreading FUD?

I tried to find a news article where a grow bust occurred due to an ISP snooping, forwarding the info to LEO, them investigating, securing a warrant, and then busting the person. I couldn't find one. In order for your theory to be correct, there would have be not one, but multiple dozen cases where it is shown that your internet activities alone initiated an investigation which lead to a grow bust.

Your line of reasoning is very flawed. Firstly, I did not propose a hypothesis (i.e. laypersons usage of the term theory), everything I wrote is fact. Ex., ISP snoop and log data and connections in case they are served with a warrant, Feds snoop online activities, etc. The goal to not provide any info (ex. connection logs to ICmag via your IP address, etc) to an ISP, Internet backbone, Feds black box (aka carnivore), etc.

Why would you need to find a news article about a grow bust happening to understand that it can happen? Also, many times court documents are sealed or redacted, thus it's probable you would not read about a bust that happened via ISP logs. It happens with electric company bills, so it's not a huge leap to realize it can happen with ISP logs too.

Your notion that it is important to have your computer locked out DURING a bust makes no sense to me. If you get raided, and they find your grow in full working order, them finding out that you posted in a grow forum about said grow isn't going to hurt your case.

What is one your computer can be very valuable to LEO, ex., your login details for a cannabis site, your Internet browsing history, pics of past grows or other grows (ex. at a different house our outside) that they can use to add on to jail time, address of other growers (like email, postal, phone numbers), etc.

The fact most people do not understand the risks, and thus do not take sufficient steps to protect the data on their computer makes me very reluctant to give my personal info to anyone which can be associated to me being a grower.

It's becoming more and more common for LEO to either take computers from busts (so they can use computer forensics to search the computer for incriminating info) or to simply clone the HDD so they dont' need to take the computer but they can still use computer forensics to search for said incriminating info.

The issue of online anonymity and real-world computer security (ie. WDE) are separate but linked. It is very simple to use TrueCrypt to setup WDE on a existing OS/drive, any school kid could do it. It's also very simple to use Tor correctly via TorBrowerBundle. And everything I suggested is FREE.

Just like if you own tons of illegal guns and they find out you posted pictures online of the guns.

You are not seeing the big picture. See what I wrote above about incriminating info/pics/etc on a computer that can add jail time to a sentence, or get your friends busted due to your laziness about computer security and online anonymity.

You aren't taking the real world statistics into mind. Given our economy, and how busy LEO is to begin with, not to mention the thousands and thousands of tips they receive, the amount of LEO who literally sits around and looks through what random people are looking at online is very small. And even if it wasn't, how many millions of people have ISPs? What are your odds of being selected. ISPs sole purpose in life is to make money. They do what they have to in order to keep LEOs happy, beyond that, they could care less what you are doing online.

You are making far too many assumptions and using too much flawed logic without understanding the issues involved. See what I wrote above. But most importantly, how does what you are posting help anyone? Answer: it doesn't, all it can do is hurt people, no matter how remote you think the risks are, they still exist and the solution is both simple and free.

The bottom line is people need to 100% focus their security on real world scenarios first, not being anonymous online where they essentially already are.

If you think people are "essentially" anonymous online your know very little about cookies, webbugs, ISP logs, data mining, and the myriad of other legal attacks against anonymity online. There is a multi-billion dollar industry for online tacking info and online usage data info for millions of people, why do you think the founder of FaceBook is so rich? How do you think online ads are tailored to your location (ex. city/state), or your online shopping habits, are possible?...think about it.

That is such a big issue, user tacking, that US feds are trying to setup an "op-out" button that all websites based in the US would be forced to implement. The op-out button would prevent the tracking of people, and thus prevent the selling of users online habits, most visited websites, etc. If you don't trust my word, then simply read the New York Times, last week they had a huge article about online tracking of users by ISPs, websites, etc., and the selling of said online tracking data to "clearinghouse" websites that re-sell the data to marketers, private investigators, etc.

I DO think that if you are already being investigated and THEN they look into your internet activities (again couldn't find an article to support this) then ya, that could hurt your case. But if they are already investigating you, you've done something wrong.

You are putting the cart before the horse. The whole reason to use Tor for online anonymity is to put the horse before the cart. You want to make your online activities anonymous BEFORE you get investigated. And you want to setup WDE for you computer BEFORE you get raided.

You are an online version of Mel Gibson in Conspiracy Theory and that is totally fine, but don't say everyone else is risking there freedom by not taking it to the extreme you are.

LOL, suuure I am. Nothing I suggested was "extreme", what the OP suggested in terms thermite was extreme Nothing I wrote is untrue, nothing I wrote is hyperbole, nothing I wrote is "conspiracy theory", nothing I wrote is beyond the pale. Everything I wrote is basic, simple steps (expect for using Ubutnu and VMs) to take to insure your anonymity and security. That said, everything you wrote was FUD and nothing you wrote will help anyone because I have not suggested disregarding real-world anonymity and security.

Please, stop posting in this thread if you have nothing useful to add. You will only seve to endanger and hurt people with your FUD and many misconceptions.

 

[spurr]

@ headize:

I see you use the US based image host Imageshack for uploading pics of your grows. Dude, that is such a fail it's not even funny. Using a US based image host to host images of illegal activities if just asking to get your ass investigated. And I am sure you used your real IP address to upload those pics too...<spurr shakes his head>

The one good thing about people like you, is it takes heat of people like me, who are smart about our online anonymity and security. Ignorant criminals help informed criminals because the cops usually get ignorant criminals before informed criminals.