Tracking seed orders on the web. Security hole? Fuckin-A right it is.

[OldPork]

OK I know most of us in the states order from seed companies that provide tracking numbers for our seed orders. So let me present a hypothetical situation which illustrates what I think could be a problem with this:

You think you've done everything right to cover your ass. You've used a money order and you are having your seeds shipped to a safe postal address which is not the location of your grow site. Yep you sure are sneaky...

You've been securely emailed a unique tracking number issued to you by the seed broker in the UK and you have been checking Royal Mail and you see your package has been dispatched to the USA for delivery... and now you know that you need to track your order on the web using the same tracking number not through royal mail in the UK, but though USPS.com in the USA.

It arrives in the USA and let's say is intercepted by US customs. The customs boys then ask the techies working for USPS to flag your unique tracking number in the USPS system and to get the IP address of anyone checking on that number and to pass it on to local law enforcement. Easily done my friends.

Now, unless you are using a program that hides your real IP address, LEO can find out where you live and who you are through a homeland security request to your ISP, even if you are having the package delivered somewhere else. You've played right into their hands. And all you had to do was track your seed order with an unprotected web browser. These fat-assed donut eating SOBs did not even have to get up out of their chairs to find you. Sneaky sneaky you...

They come to your house and discover your grow and charge you with a felony. They haul your ass out in handcuffs in front of your neighbors and kids. Big John down in cell block#9 is very happy because he is very excited to meet his new bride. YOU. That night, as he buries himself inside you, you cry out "MY GOD! He's GOT ME!!! AAAAAHHHHHH". The other inmates just laugh at your yelpings. Oh my sweet gawd awaken me from this heinous nightmare!

So that's why the OldPork protects his tender virgin asshole. He uses the TOR browser bundle, open source free software that uses overseas proxies to check on his seed orders. Remember fellas, when it comes to porking...it is better to give than to receive. ahahaha

 

[Stress_test]

That isn't a hypothetical situation really. It can and does happen regularly.
I used to own an internet service and frequently got IP trace requests from USPS and other government agencies.

Always use an "Elite Proxy" for anything that you want to try and keep private and update your proxies daily and change every time you check an order.

 

[ddrew]

Nobody passes the case to anybody else.
USPS has there own police force, called the postal inspectors, guns, badges, raid your house, same as regular cops.
Customs intercepts your pack and they CAN(but usually don't) do a controlled delivery to your address, guy knocks, looks just like a regular mailman(postal inspector) says he has a pack for you, you don't even have to sign for it, just take it from his hand to yours, once it's in your hands he gives the signal, and a bunch of postal inspectors come driving up and raid you.
SO basically it's worse then what you were saying, less steps to the bust.

 

[D.S. Toker. MD]

My asshole's burnin OP because you fellas have scared the shit out of me. Ive been paranoid all along that the tracking number must provide a direct path between the buyer and the shipper for anyone interested to follow.

If you consider the fact that i paid for it with my credit card , the show is probably all over but for the raid, guilty plea and sentencing.

 

[OldPork]

Thanks ddrew, less steps to the same result. BIG JOHN in cell block#9.
Dr. Toker, CVS has a special running on KY gel. Stock up this morning before they come get you

 

[ddrew]

The biggest buffer you can place between you, and something like this happening, is not having it sent to address you grow at, common sense I know, but people still do it.
(plus the PC stuff old pork is talking about, I'm not a tech guy, but yes, valid info)
I never thought about them tracing your true address from your IP you ordered from.

 

[OldPork]

The biggest buffer you can place between you, and something like this happening, is not having it sent to address you grow at, common sense I know, but people still do it.
(plus the PC stuff old pork is talking about, I'm not a tech guy, but yes, valid info)
I never thought about them tracing your true address from your IP you ordered from.

Actually not the IP you ordered from but the IP you are tracking your order from!
The seed vendors happily provide you with the tracking number, and the websites to check from, but they never warn you that this could be a security issue.

 

[Stress_test]

Actually not the IP you ordered from but the IP you are tracking your order from!
The seed vendors happily provide you with the tracking number, and the websites to check from, but they never warn you that this could be a security issue.

Almost correct.

Check your bank statements, if you order online through a secure server etc...
You are always given a confirmation number which also includes the IP and MAC addresses of the computer that the order is placed from.

If you have any doubts about what OP is saying then pipe up and I will prove to everybody just how easy it is for ANYBODY to locate your home/office or where ever you send even an email without even an IP addy or any special software.

This isn't anything new either, or even techy. I am sure some of the "old timers" remember mIRC? It was basic peer to peer internet relay.

Anybody can trace the origin of an email in seconds without an IP.

Let's say that you want the physical addy of the vender you ordered from so you can go say hello?
Give me even 1 email and 30 seconds: I will print you a map...

Now consider that I am what most would consider a techy or guru or whatever, but I would never order anything online that the gov might decide to hang me for if they discovered it. I damn sure will never order anything online with a credit card and absolutely NEVER would I log onto a government site from my own computer, and I would check my Proxy and make positive sure that it was an Elite overseas proxy the U.S. Gov has no access too.

I am shocked that all these discussions about secrecy and stealth, so many never even considered the security breech in internet purchases and tracking.

 

[OldPork]

Yep then I think it is agreed. Use a proxy when BOTH ordering and tracking...
You can bet that USPS is capturing every IP addy that checks on a tracking number.
This way when contraband (or worse) is found, all they have to do is check the logs. Now I really don't think they'll waste much time on seeds...but if they want you they can get you.

 

[Dojo]

all that for souvenir seeds? I would like to think they would be more focus on a REAL crime...Anytime i read about a grower getting busted its ALWAYS a snitch, smell, opening the door at the wrong time, some crime some other person commited that put you on the radar,gf,ect....

Iunno I havent heard of no one getting busted Tom Cruise MI3 style....it seems to always be somthing else...but shit maybe im wrong

I can imagine it now.....

Customs agent: Hey Joe we found these 20 souvenir seeds what you wanna do?

Agent joe: We need to pull our best resources to catch this scum bag that is growing a PLANT!

Customs agent: So we should notify USPS of the seeds and set up a sting so when the stoner answers his door well naab his ASS!

Agent joe: Yes !! (dick hard)

 

[CANNATOPIA]

HIGH! I just have to say out of all the Times I have looked into Tor & all the Threads I have read about it ,this is the least confusing & the easiest to get going. I am now a TOR user & I thank you very much for this informative post with link. Nice work & very funny OldPork!

 

[OldPork]

all that for souvenir seeds? I havent heard of no one getting busted Tom Cruise MI3 style....it seems to always be somthing else...but shit maybe im wrong
I can imagine it now.....
Customs agent: Hey Joe we found these 20 souvenir seeds what you wanna do?
Agent joe: We need to pull our best resources to catch this scum bag that is growing a PLANT!
Customs agent: So we should notify USPS of the seeds and set up a sting so when the stoner answers his door well naab his ASS!
Agent joe: Yes !! (dick hard)

Yes friend Dojo, that is exactly how it happens. Consider this case:

Columbus, IN - Police say an intercepted order of marijuana seeds prompted investigators to arrest a Columbus doctor and his wife on drug possession charges, RTV6 reported Friday.

Investigators found more than 30 marijuana plants in the home of Dr. A.T. and P.T. (names editted out) , police said.

Authorities searched the home after customs agents in Chicago intercepted a package of marijuana seeds from England. Police said they believe they had ordered the seeds on the Internet.

The case will be examined by the Bartholomew County prosecutor's office, RTV6 reported.

Followup: This was a 2005 case and this skilled and respected urologist has his medical license revoked (for a time). Chicago customs notified the local police and they raided his home. All because of "Agent Joe" who received a commendation and is still on the job.

 

[OldPork]

HIGH! I just have to say out of all the Times I have looked into Tor & all the Threads I have read about it ,this is the least confusing & the easiest to get going. I am now a TOR user & I thank you very much for this informative post with link. Nice work & very funny OldPork!

Thanks Cannatopia, the Tor bundle is pre-configured to work correctly with Firefox so you don't have to be a guru to set it up. Even if you have Firefox already installed, it will keep things separate and install the TOR-secured Firefox browser in it's own folder with it's own shortcut.

 

[Stress_test]

Yep then I think it is agreed. Use a proxy when BOTH ordering and tracking...
You can bet that USPS is capturing every IP addy that checks on a tracking number.
This way when contraband (or worse) is found, all they have to do is check the logs. Now I really don't think they'll waste much time on seeds...but if they want you they can get you.

Ummm? Anybody ever heard of Marc Emery?

It is rather odd that OP posted this thread... I have been working on an article and thread topic in regards to this issue and "Proxies".

Few people, including techies, really have a comprehensive understanding of internet security/privacy unless they have expanded their education beyond basic networking.

All Proxies are NOT created equal. In fact 90% of the over the counter boxed proxy software being sold today is completely worthless. A waste of money and time and gives the user a false sense of privacy and security. They are nothing more than a server like ICMag, being sold as Level 3-5 proxies. In reality they are just open servers that allow relaying. ICM has the allow relaying because of this forum, messaging, chat. They are what is called "NON-ANON" or "Transparent" proxies.
These transparent proxies are non-anonymous proxies and spill your IP (of course if you use them for tunneling then is not problem). The proxy sends info (variables) to the remote computer/server (USPS). So HTTP anon (level 3-5) sends variables that server can identify that you are using a proxy ( i.e HTTP_VIA,HTTP_FORWARDED,HTTP_CONNECTION etc). Some sites like discussion forums have installed scripts to detect this kind of proxies and do not allow you access.

There is tons of free software available to search, locate, test and save Elite or ANON proxies ( level 1 and 2) which do not send variables and servers can't tell that you are using a proxy.

By variables I mean content that can pin-point your computer id and location as well as that of your ISP.
Such as:

1. HTTP_VIA - parameter tells the web server that you are accessing it via a proxy server. The information contained in it tells the website something about the proxy itself, not about your machine.
2. HTTP_FORWARDED - Shows the proxy address and port through which the request was made.
3. HTTP_USER_AGENT_VIA - This is similar to the previous. In some cases this variable shows via what proxy the request was made.
4. HTTP_CACHE_CONTROL ; HTTP_CACHE_INFO - The presence of either of these two variables can also tell the website that you are accessing it via a proxy. These variables contain information about the cache of the proxy server.
5. HTTP_CONNECTION: Close - in most cases, connection type "close" demonstrates that a proxy server is being used (browsers use connection type "Keep-Alive")

Anyway there is much to know about internet security/privacy. I am working on whittling it down to plain english "Internet Security for Stoned Dummies" and will post a topic when I am done.

In the mean time, keep your cards close and your IP covered. If you have any questions feel free to ask, I will answer as best I can.

OP, I didn't mean to hijack your discussion. It just caught my attention because I was working on my article when I saw your thread.

 

[Marlo]

OK I know most of us in the states order from seed companies that provide tracking numbers for your seed orders.

I must be missing something here. This isn't the case with seedbay is it?
I have never rec'vd a tracking # for any orders I've placed with the boo or bay.



MARLO

 

[dubdi3mond]

thanks oldpork, downloaded that TOR bundle... i had it before but this easy configuration version is wayy nicer

 

[OldPork]

I must be missing something here. This isn't the case with seedbay is it?
I have never rec'vd a tracking # for any orders I've placed with the boo or bay.
MARLO

No Gypsy doesn't send you a tracking link. Others do

 

[OldPork]

thanks oldpork, downloaded that TOR bundle... i had it before but this easy configuration version is wayy nicer

Yep, it is real easy to install and update with new versions as they become available. Just remember your original installation folder or you'll have multiple versions floating around on your machine. It does slow browsing down, but I guess security comes at a price.

 

[Stress_test]

Some food for thought:

Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy while web browsing to block cookies and withhold information about your browser type.

Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.

Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for:

1. Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it. Tor recommends you use Firefox with the Torbutton extension.
2. Torbutton blocks browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others: they can be manipulated into revealing your IP address. For example, that means Youtube is disabled. If you really need your Youtube, you can reconfigure Torbutton to allow it; but be aware that you're opening yourself up to potential attack. Also, extensions like Google toolbar look up more information about the websites you type in: they may bypass Tor and/or broadcast sensitive information. (How many tool-bars and add-ons do you have installed?) Some people prefer using two browsers (one for Tor, one for non-Tor browsing).
3. Beware of cookies: if you ever browse without Tor and a site gives you a cookie, that cookie could identify you even when you start using Tor again. Torbutton tries to handle your cookies safely. CookieCuller can help protect any cookies you do not want to lose.
4. Tor anonymizes the origin of your traffic, and it encrypts everything between you and the Tor network and everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication. HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.
5. While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust. Be careful opening documents or applications you download through Tor, unless you've verified their integrity.
6. Tor tries to prevent attackers from learning what destinations you connect to. It doesn't prevent somebody watching your traffic from learning that you're using Tor. You can mitigate (but not fully resolve) the risk by using a Tor bridge relay rather than connecting directly to the public Tor network,

Keep in mind that Tor doesn't encrypt you info being sent to the vendor, only between you and the Tor network. Once it leaves Tor network, it is wide open and the gov already knows which servers to watch; USPS?

I hate to say it OldPork but Tor really does NOTHING to offer security in the manner you want/need. It is another instance of false security.

I did give you rep for bringing the topic up and making others aware. But in the end Tor does nothing for you except slow your PC down and falsely ease paranoia slightly for the unaware.

 

[Bulldog11]

This stuff is way over my head.