The Internet, Grass City and Your Security

Discussion in 'General' started by pungent, Oct 6, 2007.

  1. I thought this topic comes up around GC enough that I should post this in its own thread. It contains some good information for those interested in doing all they can to remain anonymous and keep their real identity dissociated with what they view and post here on the city. Following all of these rules is only for the paranoid in my opinion, and there is still room for a few more rules in order to make it nearly impossible for anyone to trace anything. If I take risks though, I like to be informed about the risks I'm taking, so here is some information.

    The most important habits that will help keep your business your own about what you view and post on GC or any other website are these:

    ------------------------

    1) Use a proxy service
    2) Use SSL encryption --> https://forum.grasscity.com instead of http://forum.grasscity.com
    3) Set your browser to warn you when you click a link that takes you from an encrypted page to an unencrypted one so that you don't accidentally click a link that switches without notice.
    4) If you live in the United States, the closest you should come to identifying who you are or where you live should be giving the state you live in. This includes your choice of user name and password for this site; don't include any information that would ever help anyone identify them with you.
    5) Follow the board rules and don't request hookups, trade phone numbers or arrange meetings between members.
    6) Don't post any pictures with any people who know you or identifiable landmarks in them.
    7) Strip EXIF information from photographs from your camera that you post here
    8) Clear your internet browser cache of all locally stored web pages, cookies, images and browsing history regularly

    ------------------------

    Read further if you are interested in explanations of how these work:

    No matter where you live, if you don't use a proxy to surf the web there are a number of people who CAN see what you visit and what you post. They do not have to have access to the website or its database which are hosted in Holland, they only need access to a single piece of network hardware somewhere in the network path between you and the site you are connecting to. Every time you visit any website, your connection is likely to be routed through 5 to 30 network devices between your computer and the website you connect to. None of these devices are owned or operated by you or the website you connect to. They are mostly routers and firewalls owned by ISPs between you and the site. These ISPs have complete access to view anything you view or post that is not encrypted and passes through devices owned by them, and so does anyone who can convince one of these ISPs that they have the right to know what is passing through.

    A proxy service is a middleman computer that you connect to, and it connects for you to sites you want to visit. You use it by changing your browser settings to send all of your web page requests to the proxy instead of to the site you want to visit. The proxy changes your IP address to its IP address and requests web pages on your behalf. The information from the website is delivered back to the proxy and then the proxy delivers it back to your browser. When using a proxy service, an ISP can see that you have connected to a server that they may know is a proxy, and that the proxy server connected to grasscity.com, but it can no longer know the IP that initiated the request through the proxy server.

    The server that hosts forum.grasscity.com has a useable SSL certificate. This means that with or without a proxy server you can surf the city using a connection that is encrypted starting at your browser all the way to the grasscity server. IP addresses are still exposed if you are not using a proxy, but the contents being sent or received will be encrypted. This is the standard kind of encryption used by all professional ecommerce sites to protect your credit card data when you buy things online, and is fairly secure. If anyone ("the man") has tools to break this encryption it would likely require a considerable amount of time and very valuable resources.

    The SSL certificate on the GC server is a self-signed certificate. This just means that grasscity didn't get it signed by a big corporation who charges a lot for validating that people are who they say they are. Because of this, when you first connect you will be prompted with browser pop-up windows saying the certificate is not valid and isn't for grasscity.com, it is for localhost.localdomain. You can still opt to use it just the same, and it will encrypt your connection just as well.

    If you are trying to surf encrypted, be careful of following links that other people post to other parts of this forum because they will often link to http://forum.grasscity.com/whatever_you_clicked (not https://) and silently not be encrypted unless you have your browser set to warn you when you leave an encrypted page for a non-encrypted one.

    Through working with a lot of medical-related data, I've had to follow strict rules about deidentifying personally identifiable information that we share with other entities. Deidentified according to HIPAA is showing nothing more specific than the state a person lives in with their test results and diagnoses. That seems to me like a good rule of thumb for posting to grasscity as well if you live in the United States.

    Requesting hookups, trades via mail, and even planning to meet up for a smoke just increases the chance that you have made these plans with an authority using his membership to identify people for other purposes.

    Hopefully it is self evident why you shouldn't post pictures including yourself, people you know, or identifiable landmarks where you live or grow.

    Digital cameras usually imprint some text information (called EXIF data) in the picture files they produce that can be used as a type of fingerprint from YOUR camera, or at least your model of camera. It's safer to discard this information in the case anyone ever wanted to use a picture as evidence against you.

    Your web browser most likely stores copies of web pages you visit and images they contain. It uses them when you visit the same page repeatedly because it provides a faster browsing experience than downloading the information that has already been downloaded once recently. Most browsers also store a history of website URLs that you have visited recently. And browsers store and use cookies that help the website differentiate you from another user on the same site. Most often these cookies indicate who you are logged in as, and keep you from having to login again every time you click a link or change the web page. Stored in these cookies is the site that created it -- in this case grasscity.com. When you click the "Log Out" button on the forum.grasscity.com web page, it deletes these from your browser for you but you can also do it manually from a browser configuration menu. I delete all of these traces of what websites I visit regularly in case anyone ever wants to take a cursory look at my computer to see where I've been lately.

    ------------------------

    I'm careful, but not paranoid about it because I really just don't think anyone cares enough -- even "the man" -- to spend the time and effort to weed little old me out for prosecution just because of something I posted on this forum. If you openly claim to live in the US and post giant grow operations, I would not be so casual if I were you. But... I'm sure you're already taking extra precautions without my advice anyway...

    Many years ago, when I was young, immature and living with my parents, the local cops came to my house and threatened to bust me for selling MJ several times. They were pretty casual about it though, and ultimately had much bigger fish to fry and left me alone. This was in a very small town with only 2 stoplights. I really don't think "the man" cares so much about my handful of plants for personal use. Especially not enough to go to all the trouble to find out who "pungent" on grasscity.com is and come find me... That is unless I just openly divulge plenty of information to make it so easy they can't stand not to bust me. But that is an informed risk that I take. I've broken several of the rules I've posted here, but like I said it was an informed risk and mine to take.

    If anyone sees any errors in the information I've posted here, please feel free to correct me. I am human, and I am fallible... If you have questions about what I've posted, feel free to ask those as well.
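
Added example, not part of the original post: a check for the silent HTTPS-to-HTTP link switch described above, which lists every link on an encrypted page that would leave encryption and, for same-host links, the `https://` equivalent. The page URL, paths and HTML are constructed samples, and the upgrade assumes the host serves the same content over HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def downgrade_links(page_url, html):
    """Return (target, https_equivalent_or_None) for links that leave HTTPS."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # the page itself is unencrypted; nothing to downgrade
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))  # resolve relative links
        if target.scheme != "http":
            continue
        # Assumption: only same-host links can safely be rewritten to https.
        same_host = target.hostname == page.hostname
        fixed = target._replace(scheme="https").geturl() if same_host else None
        found.append((target.geturl(), fixed))
    return found


# Constructed sample page and links (hypothetical paths).
SAMPLE_PAGE = "https://forum.grasscity.com/general/thread.html"
SAMPLE_HTML = """
<a href="/general/other-thread.html">relative link, stays encrypted</a>
<a href="http://forum.grasscity.com/whatever_you_clicked">pasted absolute link</a>
<a href="http://example.org/page">off-site link</a>
<a href="//forum.grasscity.com/faq">scheme-relative link, inherits https</a>
"""
```
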
     
  2. We don't need to worry about it. The server is based in Amsterdam
     
  3. That has no relevance to any of the threats I've posted unless the "we" you speak of is also based in Amsterdam.

    I've added some more detail and rewritten my post to be a little more formal in the meantime. Read it or don't, I only posted as an FYI for anyone who is interested.
     
  4. crazy stuff man...

    can't be too careful
     
  5. Haha Pungent, you are going to set one off here. I've seen threads about this issue and there is quite a debate. +rep for the good info and for bringing up multiple points of this broad issue. Yes we are all taking some risk by being on this website by our own choice and we know that law enforcement has bigger and better shit to do with their time than finding out who we really are. But if you post yourself standing in your growroom and post your real name and growroom address, expect a kick on the door. But nobody here is that stupid right :D
     
  6. a couple questions that came to me in PM about this:

    this is probably not a very big threat at all unless "the man" already had a lot of good evidence against you and needed a way to tie your camera to a picture. but any photo/image file editor should be able to remove EXIF data. Often you can look at "properties" for an image and just delete anything you find that you would rather not stay with the image file.

    I don't exactly use a proxy service myself, like I said I break some of these rules... You should be able to google and find a blue million, or post up a thread here asking people which ones they use. since other people have suggested using proxy services too i assume someone will respond.
     
  7. It would be worth talking GC into renewing their security certificates.
     
  8. Overgrow was in Canada and supposedly partly in Europe. That didn't stop anyone.
     
  9. yep

    on the exif shit unless you paid for the camera with a check/credit or got a warranty with your name on it it's not a huge threat

    lol pay in cash for the sucker and walked out without a hitch and the camera is untraceable unless they bust your door down find your grow and link the uploads to that exact model found in your home

    but yeah always strip the info hell open your images in a hex editor to make damn sure all the info is stripped if your level of understanding warrants it
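
Added example, not part of the original thread: the EXIF stripping from the first post and the "check it in a hex editor" step above, done by walking the JPEG segment headers, dropping the metadata segments and listing any that remain. It goes slightly beyond EXIF by also dropping XMP (which shares the APP1 segment), IPTC (APP13) and comment segments; the sample bytes and the camera name "ExampleCam 1000" are constructed.

```python
import struct

# Segment types that carry metadata: APP1 (Exif/XMP), APP13 (IPTC), COM (comment).
DROP = {0xE1, 0xED, 0xFE}

def iter_segments(jpeg):
    """Yield (marker, start, stop) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:            # SOS: compressed image data starts here
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        stop = pos + 2 + length       # length counts its own two bytes
        if length < 2 or stop > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, pos, stop
        pos = stop

def metadata_segments(jpeg):
    """The 'hex editor' check: list metadata segments still in the file."""
    return [(hex(m), jpeg[a + 4:a + 10]) for m, a, b in iter_segments(jpeg) if m in DROP]

def strip_metadata(jpeg):
    """Return the JPEG with metadata segments removed; pixels are untouched."""
    out, tail = bytearray(b"\xff\xd8"), 2
    for marker, start, stop in iter_segments(jpeg):
        if marker not in DROP:
            out += jpeg[start:stop]
        tail = stop
    return bytes(out) + jpeg[tail:]   # scan header, image data, EOI

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: segment layout of a camera JPEG (not a decodable image).
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00ExampleCam 1000\x00")
          + _seg(0xFE, b"constructed comment")
          + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Run `metadata_segments()` on the output of `strip_metadata()` before uploading; an empty list means none of the listed segment types survived.
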
     
  10. there might be a couple other far out circumstances where it could be used against you, but yah. i agree.

    working in the network security field is all about evaluating risk and how security measures affect the usability of your systems. The best security for your computer might be to sink it to the bottom of the ocean, but you can't use it down there too well can you?

    everyone will have to make their own judgments about what is important to them, how much work they are willing to do to be secure and the risks they are willing to take. for instance i didn't mention anything about encrypting your own hard disk to protect from having deleted files excavated later by "the man." well, that's an important aspect of data security, but i seriously doubt too many folks who visit here are willing to go through the technical challenges of implementing it.

    i just wanted to provide some detailed information, because i find in my work that most people don't understand the risks and make uninformed decisions as a result.
     
  11. ^ fuck yes lol friend of mine lost 3+ years worth of misc. pictures videos 'n classic programs after his encryption software failed

    he's one smart mofo but with added layers of protection come more possible failures as per murphy's horrible yet oh so true law
     

  12. All so true.

    Good idea on the SSL encryption idea. Didn't know they had that active on this site.

    Stephen King refers to Perfect Paranoia as Perfect Awareness.
     
  13. Good thread man! :hello: :yay: :metal:
     
