What happened to HTTPS?

[EasyBakeIndica]

If you actually think that the NSA is going to divert it's manpower from terrorism to fighting closet cannabis growers, than you need to go hide in a cave.

In the end, the internet does not provide any more security than phones or the postal service. All of these communications can be intercepted, and if the federal government decides it wants to get that information, it has the resources to get to it. Even Tor has been hacked.

ISPs don't have eyes on what you type. They have bots and programs which filter through all of that information. They haven't taught the bots how to become informants, yet. If they do, I'm sure there would be plenty of pedophiles being arrested long before we heard about growers being busted.

If we continue to let governments head towards a police state, than the days of ICMAG are numbered, regardless of what encryption we use.

Until you actually have evidence that ISPs are informing on their own customers, stop fear mongering. (From what we know, nobody has been detained based on domestic surveillance yet. Not to say that I agree with it.)

If you have any more specific questions about technical issues, you should probably e-mail a webmaster. They don't have time to read every post.

 

[Macster2]

It won't stop them from seeing that you visited icmag.com... But it would keep them from seeing the content you are viewing/posting.

Exactly what he wants

 

[GMT]

To be frank, if you have a large commercial op, dont post pics of it anyway. If you only have a few percy plants, then you're not worth the manpower. Ive been here a while, I have a few posts, and a gallery with quite a few pics, and I've never run any sort of proxy, encryption, or secret handshake server. If you're worried, dont post just read, I know I did for a while. In fact I think my first post was entitled "is this place safe?" the first year I was a little nervous, after that I slowly forgot to worry as what I'm doing doesn't make it worth it for anyone to track me down.

 

[trademanny]

To be frank, if you have a large commercial op, dont post pics of it anyway. If you only have a few percy plants, then you're not worth the manpower. Ive been here a while, I have a few posts, and a gallery with quite a few pics, and I've never run any sort of proxy, encryption, or secret handshake server. If you're worried, dont post just read, I know I did for a while. In fact I think my first post was entitled "is this place safe?" the first year I was a little nervous, after that I slowly forgot to worry as what I'm doing doesn't make it worth it for anyone to track me down.

..and you're probably right.

As someone else once said on here, I'd rather be paranoid & free than careless & locked up.

Either way, HTTPS is a very simple thing to enable, hell, I'll even buy the certificate for icmag if they want!

 

[EasyBakeIndica]

My anonymity is much more important to me than trying to convince myself that my ISP can't see what I'm posting. HTTPS is the opposite of anonymous.

There are ways of posting securely. Most people figure out their own way. Even the biggest growers know how to post without compromising their security.

In my opinion, trying to work within the boundaries of internet security is the wrong idea. If you actually want to feel safe, you need to start exploring outside of the box. (Wardriving, Phreaking, etc.)

As long as we're all randomly using combinations of proxies and public access, the feds will never be able to make any sense of it. As soon as we start lining up into a single file line (port 443), we make it easier for the feds.

 

[Macster2]

If you've noticed there are 86,000 members on this web site and I'll bet there are 5x that number in other web sites. When OG went down there were 500K(?) members . Law enforcement is political, perception is everything (exaggerated volumes of drugs when busts happen)
I'm sure these web sites are the last places LEO looks to take down grows sites as its a lot of work and unreliable.
If they could get arrests from web sites wouldn't pedophiles all be in jail?

 

[chimei]

SSL does protect a user. An ISP cannot tell with ANY type of packet inspector what you are doing on a site that you are communicating with via SSL.

They can ONLY tell what end point you are connected to. So there is total value in that for the end user being protected from their ISP and snooping,
if the entire conversation is through SSL.

Using a "proxy server" if NOT through an encrypted channel is leaving you totally open to analysis by your ISP.

So listen up, if any of you use this www.pagewash.com, and you are NOT using SSL to www.pagewash.com, your ISP can see EVERYTHING you send and receive from this "proxy".

All data that transfers between your PC and your "proxy server" can easily be picked out by deep packet inspection if it is NOT over SSL. There are many gateway products to do this.

SSL is of value for many.

Especially compared to those that use NON encrypted proxies and think they are protecting themselves.

I would much rather use SSL to this site directly. All the ISP will see is SSL connections to an IP. NO data.

This means, no pictures you upload, no postings you make, etc..

I think it needs to be clarified that using a proxy server is ONLY beneficial if it is through an encrypted channel.

Instead of, just use a proxy server.

 

[EasyBakeIndica]

Nobody ever said 'just use a proxy server'.

When I downloaded Tor, it was a package of software.

I don't personally use proxies all the time. I have other methods of concealing my identity.

Why is it better to provide a hidden service Web site with HTTP rather than HTTPS access?

http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-661c176442a2474e63cb88a909edb7ea1a0b424d

Put simply, HTTPS access puts the connecting client at higher risk, because it bypasses any first-stage filtering proxy..

Generally, a person using a Tor client will access HTTP via a first-stage proxy such as Privoxy, which has the ability to filter both the browser's request and the server's response. However, for HTTPS access to function correctly, the connection must be direct from the browser to the server, to protect the encrypted SSL connection under the hood.

Without the proxy forging the SSL encryption keys (causing the browser to pop up an invalid certificate warning box), there is then no way to filter things from the HTTPS connection before the server or browser sees it -- potentially allowing the browser to send identifiable user information to the server, or the server to send an exploit for a browser bug back to the client. For more information, see Privoxy's FAQ entry (4.15) on the subject. http://www.privoxy.org/faq/misc.html#AEN895

Since hidden service connections are already encrypted end-to-end over the Tor network, using HTTPS for encryption serves little purpose. If there is a reason to encrypt the connection at the hidden service's end, such as if the real hidden service is located remotely from the Tor relay, then an application such as http://www.stunnel.org can be used in client mode to wrap plain HTTP into HTTPS at the Tor relay exit point.

These objections all apply to HTTPS, TLS, SSH, and generally all cryptography over Tor, regardless of whether or not the destination is a hidden service: for client security, Tor depends on the client being well behaved or at least being able to shim a proxy in when it isn't, and client cryptography wrecks the second option. However, if a web server needs strong authentication, it is basically forced to use HTTPS currently (much as SSH must still use its own crypto & auth layer), as there is no mechanism for the Tor Onion Proxy to provide authentication. There have been some proposals made but no code currently exists to do this.

 

[~fvk~]

Isn't it shitty that we have to go through the same measures as pedophile freaks in order to be truly safe? As the time drags on I'm sure things will start to get much worse... 1984 to the core, yo.

 

[chimei]

Nobody ever said 'just use a proxy server'.

You said in your first posting in THIS thread: Try proxies.

You even linked to an example site without using HTTPS in the URL, which if a user actually used the site you posted by clicking on your link and did NOT then switch to HTTPS their traffic would be fully readable by their ISP.

Here it is again but with HTTPS:

https://www.pagewash.com/

If you want to actually help out others that do not understand, I think it would be of more help to be a little more specific in regards to WHAT type of proxy protects a user.

Non encrypted proxies (which there are many out there) do NOT protect a user period, ALL data through deep packet inpection can be recorded and logged REAL-TIME, this includes HTTP running on NON-Standard ports.

Saying "HTTPS access puts the connecting client at higher risk" is not really helpful and just spreads more misinformation. What you posted does not really explain how HTTPS is putting a user at higher risk from having their DATA LOGGED.

potentially allowing the browser to send identifiable user information to the server, or the server to send an exploit for a browser bug back to the client. For more information, see Privoxy's FAQ entry (4.15) on the subject.

We are not talking about local exploits here, or an untrusted server on the other side here. We are talking about "man in the middle" snooping here. Which ISP's do partake in. SSL protects you from this.

1. USING SSL removes "Man in the middle" snooping that can be done by a end users ISP or ANY other entity on the way to the destination. A deep packet inspector cannot gather ANYTHING other then the IP of what you are connecting to. Far from enough evidence to build a case on. - Which is of VALUE! Why do you think they even offered SSL access here to begin with??

2. Using a proxy though a NON encrypted means is of ABSOLUTLY ZERO value even if traffic is on a non standard port. A deep packet inspector at the ISP level can easily capture ALL data that transfers between your endpoint and this or any other site even if there is a proxy server between you.

I just use a shell account, run an SSL tunnel from my workstation to the shell and use a proxy server on the shell to surf with.

My ISP only sees connections to my shell and it looks like encrypted SSH traffic period.

For others that are instersted in setting up an SSH tunnel, take a look here for a start:

http://www.bstpierre.org/Articles/SSH+SQUID-HOWTO/SSH+SQUID-HOWTO.html

This assumes you already have a shell account and the ability to run services on your shell account.

 

[wishbone420]

try fireproxy is wonderful too. it use tor among other things.

 

[EasyBakeIndica]

Saying "access puts the connecting client at higher risk" is not really helpful and just spreads more misinformation. What you posted does not really explain how HTTPS is putting a user at higher risk from having their DATA LOGGED.

You've obviously missed my entire point. However, if you actually think that there is anything you can do to be 100% safe from being spied on, you're not thinking very hard.

Some of us realized that anonymity was key, from the beginning. It doesn't matter if they can see everything you type, if they have no idea who you are.

See, we realize that all of these communications can be intercepted. There are ways of dealing with that. FYI - Every military operates under the assumption that they are being listened to, this does not keep them from communicating.

In the same way, 'criminals' know they can be listened to. This does not keep them from using the phone, mail, or internet. They just have to be smart about it.

Setting up something like HTTPS would only fool others that they were safe, and didn't have to take any security measure for themselves.

 

[Macster2]

Tried tor etc.but it slowed everything way down. I've posted pics of grows that were a reasonable size here and on OG (and Leo has the servers) Worrying about this is a waste of time and effort.First the servers are in Holland Second it takes court orders and subpenous to obtain the information.
Pictures and threads are not evidence as it all could be fiction or wildly out of date or posted by someone else in your name.
We all could use Lothar as he is a lawyer and knows all this stuff. He sayed he never used a proxy and never worried.
Leo doesn't have the time or inclanation to use this information to obtain warrants

 

[chimei]

You've obviously missed my entire point. However, if you actually think that there is anything you can do to be 100% safe from being spied on, you're not thinking very hard.

Some of us realized that anonymity was key, from the beginning. It doesn't matter if they can see everything you type, if they have no idea who you are.

See, we realize that all of these communications can be intercepted. There are ways of dealing with that. FYI - Every military operates under the assumption that they are being listened to, this does not keep them from communicating.

In the same way, 'criminals' know they can be listened to. This does not keep them from using the phone, mail, or internet. They just have to be smart about it.

Setting up something like HTTPS would only fool others that they were safe, and didn't have to take any security measure for themselves.

The whole point of my post that YOU chose to respond to was that SSL was
of value, re-read my post a few times.

If you think ISP's are not already doing deep packet inspection and snooping on what their customers are doing then ignore what I have said and move on.

You bash on the original poster, offer no help other then to use a proxy server. (though non encrypted means no less) Then try to say SSL is of no value. You really understand what you are talking about I can see.

You then go on to respond to my posting saying "Nobody ever said 'just use a proxy server' When YOU DID with your first response.

Then you post links to something that has NOTHING to do with the point I was making, meanwhile your followups are condensending.

A jerk, and a moron to boot.

 

[EasyBakeIndica]

You then go on to respond to my posting saying "Nobody ever said 'just use a proxy server' When YOU DID with your first response.

Try proxies. (www.pagewash.com)

Close, but no.

I wasn't posting information for you and trademanny. I was posting information for everyone else. You two are the only ones with your panties in wad.

I offered a fair explanation to why HTTPS was useless. Most of the users on this site take care of their own security, and HTTPS would make that harder.

 

[trademanny]

OK, EBI.. we get it, you're a genius..

 

[EasyBakeIndica]

So I won, and we're all retarded???

*EBI has a 'Happy Gilmore' Flashback: http://www.youtube.com/watch?v=3LAnmnS0-9g*

 

[Smurf]

I was casually reading this thread and came across this statement & was surprised to think that some people may think this to be true?
NEVER under-estimate law enforcement agencies.

I'm sure these web sites are the last places LEO looks to take down grows sites as its a lot of work and unreliable.
If they could get arrests from web sites wouldn't pedophiles all be in jail?

The world's longest-running and most sophisticated internet pedophile ring
were lauded as "the untouchables"........

THE AUSTRALIAN March 08, 2008

Face haunts pedophile-busters

IT'S a face that haunts police around the world.

A young girl, probably now nine, who has grown up from infancy on film - thousands of pictures and movies shot of her being molested by an abuser who then shared the images with a network of like-minded internet pedophiles.

As a two-year Queensland-led investigation culminated last weekend with the arrest of 22 people in eight countries, the relief and celebration at busting one of the world's longest-running and most sophisticated internet pedophile rings was muted by the knowledge that the girl was still out of reach of protection.

Despite the best efforts of Task Force Argos, the Queensland Police Service's much-lauded child sex unit, and their international counterparts, including the FBI, there are only two things the investigators know about the girl: the country in which she lives and that she is now in real danger.

It is a terrifying truth that yesterday choked up one of Queensland's most case-hardened policemen.

The Argos chief, Detective Superintendent Peter Crawford, briefly excused himself from his office during an interview when asked about the girl - a "collector's item" for pedophiles who prize the series that captured her abuse over possibly seven years.

"It is obviously distressing for police to see a young child abused and continued to be abused over a long period of time and not be able to identify or remove them from harm," he later said.

"Some of these people are collectors, they want a whole series of a particular child growing up, being abused."

One of Crawford's inspectors, Jon Rouse, who led the investigation - codenamed Operation Achilles - is blunt about her possible fate.

"The thing is the offender knows we are closing in, we are very worried about her safety," he said.

Over the next weeks, months and possibly years, police will be analysing more than 400,000 pictures and video files seized in the weekend raids to widen the net on offenders and save more victims.

Already, 40 children - including a four-year-old Brisbane girl - have been rescued through Operation Achilles and its investigatory spin-offs.

The significance of the bust cannot be underestimated.

More than 2500 'customers' in 19 countries of child sex websites have been identified, with 100, including a US reserve police officer and an Australian federal bureaucrat, arrested and charged.

But it is the hardcore network of 22 people, including possibly a few more now under investigation, that is regarded as the coup by investigators around the world.

They were lauded as the untouchables of the international pedophile community.

"They were held-up around the world as the lead players, the ones who could defeat any law enforcement agency, anywhere," Crawford told The Weekend Australian.

And they were not new to the internet.

While the scope of charges in the various countries have largely been restricted to the past two years, it is believed some have been producing and trading child pornography for a decade - since the explosion of the internet.

The reason they had not been caught, or even detected as a network, was their level of security. To get into the inner sanctum, a member had to go through stages of passwords, highly-sophisticated encryption and codenames. Even the location of their IP servers was disguised. Most, it is believed, didn't even know the real location or identity of each other.

There was even a guidebook providing the dos and don'ts of avoiding detection and protecting hard drives in the event of a raid. Police had not seen anything like it before.

"What made this group different was the level of security used to protect their identity and restrict membership of the group," Crawford said.

"They would change their passwords on a regular basis, they would change their encryption keys on a regular basis and use codenames even within the group."

The level of protection, and years of operating with immunity, allowed them to trade freely and speak openly.

Other, less organised groups often communicate in coded language and trade in parallel, unrelated areas of the internet.

This one didn't. They boasted among themselves of being able to "defeat" any law enforcement agency in the world.

"This is the greatest group of pedos to ever gather in one place. And I'm honoured just to be a part of it," one member crowed.

But their seeming invincibility was to be their undoing. It all began to unravel in January 2006 when New Zealand police, who like Argos officers are constantly trawling the internet, came across them.

Police who do this sort of "borderless" work are largely vocational, and don't worry about jurisdictional rivalries.

They share pretty much everything and often do a lot of each other's primary investigation because when they initially scope an internet target, they usually don't know where the person is actually located.

In this case, the NZ police had done enough to recognise there was a group trading in large volumes of child pornography and an Australian may be involved.

Crawford said Argos did a preliminary investigation to establish that it was a job worth doing. "To be honest, we were not sure if we could break through the security, but we wanted to try," he said.

Crawford is guarded about how it was done, but Argos officers were then able to infiltrate the group.

Argos investigators are empowered to trade child pornographic material, under very strict guidelines, to secure their bonafides with a pedophile ring. In this case, it wasn't needed.

"We were able to come up with a number of reasons and stories as to why we didn't - that is our general strategy," Crawford said.

For the next six months, the Argos officers worked day and night monitoring the group and collecting material. In June 2006 the officers intercepted videos of two girls - aged 9 and 11 - being abused by a man, later found to be their father, somewhere in Europe. The material was sent to Interpol headquarters in France and after more information was provided by Argos, the Belgian abuser was identified and the girls removed.

The trail then led to a professional Italian filmmaker and website creator, who allegedly produced more than 150 made-to-order videos filmed largely in Ukraine. The 42-year-old sold his catalogue - films featuring girls aged nine to 16 - for an average price of $79.

Discovery of the website spawned Operation Koala, named in recognition of its Australian origins and it spread across 19 countries and more than 2500 customers, who paid to download images, were identified and millions of files seized.

In Australia, the Belgian website produced 48 targets and, to date, nine people have been arrested in Queensland alone.

It also led to 24 children being rescued.

One of them was the four-year-old Brisbane girl, whose grandfather had subscribed to the site.

One of the areas of contention between law enforcement agencies around the world is the targeting of subscribers; some forces prefer to target only the big fish, but Argos investigates every single subscriber.

"The difficulty for us is that some people think that a subscriber type of operation is of no value," Crawford said.

"But any one of those people could be a high level sex offender. When we go to knock on that door, we don't know what is behind it."

When police knocked on a subscriber's door in the outer Brisbane suburb of Kallangur in late 2006, they also found the abuser. The 47-year-old man had convinced his daughter-in-law to return to work on the premise he would babysit his four-year-old grand-daughter. He filmed the abuse and was charged and jailed.

Argos officers were still able to keep their cover inside the secretive network despite publicity surrounding the European website and subsequent string of busts and arrests around the world.

"The filmmaker, his website were just one of many providers for this group, and they just continued on," Crawford said.

In August 2006 the Argos officer who had infiltrated the group moved to Washington DC to operate from the FBI's hugely-resourced Innocent Images Unit.

The FBI was stunned that this group - which included 12 Americans - was not only trading in child pornography but generating it.

Many of the victims were children of the offenders. For the next 18 months, the FBI and the undercover Argos officer, as well as another officer sent over to give him support, played the game and collected evidence. They had access to some of the most powerful internet tools on the planet to then track the real locations of most of the members.

In recent weeks they decided they had enough evidence and could go no further without raiding the homes, seizing the computers and then starting the interrogations. The 22 men, some of whom had previous sex offence convictions, were then brought down in simultaneous raids in Australia, the US, Britain, New Zealand and Germany.

"In a lot of cases, these guys were live online on their computers when police went through their doors," Rouse said.

Among the arrested was an Australian federal government employee, a father of three who is accused of being one of the "key administrators" of the group.

The man, 29, was in charge of vetting new members and monitoring material that was posted within the network. It is believed his children were not victims.

Police won't talk about the man for fear of jeopardising his prosecution, as well as that of a 50-year-old Victorian man, who is also allegedly part of the group.

Several more members are still in the shadows, including the abuser of the unknown young girl who has appeared in thousands of pictures and videos, and whose image now haunts police officers across the world. Her nationality has not been disclosed in the interests of the operation to rescue her, but police say she is not Australian.

It is a subject that no one likes to discuss.

"There has already been too much said about her, What has happened to her, I can't bear to talk about," one officer said.

But Crawford and his team will not give up looking for her. "There is a lot more work to be done, that little girl has not been rescued," he said.

------------------------------
Another from 2 years ago......

Geelong Advertiser (March 17-2006)

9 people charged in four countries after an international investigation spanning eight months.
Officials in the United States say streamed videos of live molestations and photos of victims as young as 18 months were swapped by members of the ring.
"These are the worst imaginable forms of child pornography," US Attorney-General Alberto Gonzales said following the arrests of the four Australians, 13 Americans, 10 Canadians and two Britons.
"This international undercover investigation revealed an insidious network that engaged in worldwide trafficking in child pornography," Mr Gonzales said.
More arrests are expected.
Queensland police say a 38-year-old Brisbane man is believed to have been an administrator of the pornography swapping chatroom, which gave him the power to decide who accessed the images.
Police allege he had an estimated 80,000 images in his possession.

To think that these bastards aren't getting busted is ridiculous.
Now see what the cons do to them inside!

 

[slipperysamus]

wow those poor little kids. Id rather be watched if it means that the law can better hunt sick fucks like that

 

[green_tea]

so will the https (with SSL ) ever be turned back on?