Posted 02 January 2004 - 10:20 AM
"There's no such thing as complete security on the internet. Since internet connections are a two-way flow of data, every computer is basically an open pipeline to every other computer on the web."
Right now someone could be going through the files on your computer without you even knowing it. Mischievous hackers and virtuous legislators have made the internet a questionable place to discuss growing. Fortunately this primer can reduce the risks that the average closet grower is likely to encounter. Part I covers internet anonymity and Part II deals with general computer security. While no one is invincible against an all-out investigation, you can take some major steps to protect yourself and your computer from those who don't respect your privacy.
Note: This guide is not intended to assist with breaking laws, only to encourage safer surfing habits. Use it at your own risk.
Part I: Internet Security
One of the biggest goals in the quest for anonymity on the Net is to hide your IP (internet protocol) address. Each request you make to a website is stamped with the IP given by your internet provider. It functions like a return address on a piece of mail. Websites usually log IPs, and there are ways to trace it back to you. To see the IP you show to everyone on the internet, visit our snooper page or this one. Recognize the "client's address?" If it's your internet provider, you may want to start using a proxy server.
A proxy can add a big boost to your anonymity. A proxy server is a computer located elsewhere on the internet that acts as a middleman to retreive web pages for you. Many ISPs offer them to cache (store) popular web pages on their server so people can load them faster. The nice thing about some proxies is that they remove your IP info and replace it with theirs. By surfing through one of these "anonymous" proxies, websites will think your request came from the proxy, and not from you. Your IP is effectively laundered.
Proxy servers can be divided into two unofficial types: public proxies (caching proxies), and anonymizing services (Anonymizer, etc.).
By making a few simple changes in your web browser's settings, the web pages you request can be retrieved anonymously by a proxy. Don't worry if you're not sure how to make these changes, step by step instructions for the popular browsers are at the end of this article.
Here are a few sites that list public proxy servers:
Many proxies on the lists aren't usable. Some go down frequently while others restrict access to certain websites (censorship). And some of them don't pass the test...
Test Your Proxy
Not all proxies mask your IP. Many are "transparent" and transmit your IP info to websites-- obviously you don't want to use these proxies. To help you determine if your IP is showing, Overgrow has setup a test to show you exactly what information every website can see about you. Basically you're just looking for your internet provider's IP or domain name in each line, especially the following ones:
REMOTE_ADDR: the IP you transmit
REMOTE_HOST: your domain name (corresponds with your IP)
HTTP_X_FORWARDED_FOR: non-anon. proxies can show your IP here
HTTP_FROM: can show your IP
VIA: can show your IP
CLIENT_IP: this should be blank
If your IP shows up, look for another proxy. Eventually you'll find plenty that are anonymous.
Tips on using proxies:
Choose proxies in foreign countries - preferably ones with rational pot policies. To find the location and owner of a proxy, try whois at Holmes or Smart Whois.
Test your proxy before each surfing session. Occasionally a proxy that's worked fine for weeks will start transmitting your IP for no apparent reason. If this happens, use another.
Change proxies frequently. Some change them weekly, others daily. Frequent changing reduces the trail left behind that shows your surfing habits. Use caution with proxies on port 80 as they're usually run by ISPs. Many ISPs don't mind at all, but some reserve their proxies only for subscribers. While it's their fault for not requiring authentication, there's always the chance they could go postal and report you to your ISP
"If worst comes to worst and an intruder should gain physical access to your computer, the following techniques will help safeguard your personal data from being disclosed."
Part II: Computer Security
This sensitive data might include your grow logs, pictures, and any programs you'd like to hide. It may also include compromising data you didn't even know you had on your computer.
Wipe It Clean
A common misconception is that deleting a file actually deletes the file. Nope. All that usually happens is the file's name gets removed from the disk's index -- the data itself is still there on the disk! Eventually it gets overwritten with new files and programs, but there's still a chance it can be recovered.
There are many "undelete" utilities out there that can easily recover deleted files. For peace of mind use a file-wiping program. File-wipers overwrite deleted files with random data to make them nearly impossible to recover, even with forensics software. A good file-wiper comes with PGP. Another good free one is BC Wipe. Both programs allow you to choose how many times to overwrite each file with random data. Choose at least 10 "passes" to totally shred a file.
Both PGP and BC Wipe can also wipe "file slack" and "free space". File slack is the unused space in a data cluster that's at the end of most files. It can contain data from a previously deleted file. Free space is any unused disk space on the hard drive, including any files you "deleted" the old way. It may take all night to wipe a large hard drive clean, but for some it's definitely worth it.
Another security risk is Windows' "swap file". Windows frees up RAM memory by temporarily moving data over to the swap file on your hard drive (it's written back to RAM later if needed). Someone could easily scan your swapfile looking for passwords, grow logs, or something copied to the clipboard. The BC Wipe program can wipe the swap file clean. Also don't forget about Windows' recent documents listing (the one in the Start menu at "Documents") at: C:\Windows\Recent.
Encrypt Your files
Any files or programs you want to hide from prying eyes should be encrypted. Encrypted files are basically useless to law enforcement. Many encryption programs are available, but PGP is recommended here because of its widespread use and effectiveness. Bankers, businessmen, and politicians all use it regularly. The files you encrypt are de-crypted using the special password you select. Be sure to choose a long and complicated passphrase. Simple passwords are easy to crack.
Some programs can create an encrypted virtual drive on your hard drive to can hold files and even entire applications in total secrecy. The virtual drive is given a new drive letter like E:\ and can be used like an ordinary drive, except it's opened only with your password. There are no external hints of what files are inside. Scramdisk and also PGP can create encrypted virtual drives.
Part III: More Tools
Firewalls: A firewall is a security program that blocks unauthorized access to a computer (or network). A firewall inspects each packet of internet data entering or leaving your computer's ports and decides whether it should be allowed to pass or be blocked. Firewalls protect against all sorts of hacking, like Trojan horses, probing of your ports, spoofed IP's, and cracking of Windows' File & Print Sharing passwords. Trojans, for example, can secretly send info about your machine to someone else on the net.
Steve Gibson runs an outstanding site that is constantly updated with the latest firewall information. He recommends the new free release of Zone Alarm. Firewalls should be standard equipment on all new computers, but until that day it's well worth the few minutes to install a good one. Be careful with simple "port monitor" programs. Some of them open all your ports, which can attract the attention of passing port scanners. A good firewall works on a lower level while it monitors all port activity.
Anonymity 4 Proxy (A 4 Proxy) - Excellent proxy management program that automatically tests and grades each proxy's anonymity according to several variables. It has a database with hundreds of verified anonymous proxies, or use your own... sorts them by speed, even finds the fastest one for each website. Highly recommended.
Evidence Eliminator - a complete wiping "suite" that cleans everything - cache, cookies (except the ones you want), swap file, file slack, free space, as well as any files you specify. Highly recommended.
Window Washer - another wiper that cleans the cache, recent-documents history, auto-complete data forms, etc., and can selectively wipe cookies.
Junkbuster - Program that blocks cookies (selective) plus it can block unwanted advertisements and webpages. Also blocks the "referer" field, which tells websites the URL of the site you just clicked from.
It's sad that governments hunt and oppress growers for such a petty, victimless crime. Your safety on the internet will depend a lot on the political climate in your area. Fortunately most growers have four factors in their favor:
First, the ever-growing number of cannabis enthusiasts on the net provides "safety in numbers". Investigations are costly and time-consuming, so "mass busts" are impractical, especially with the international readership here.
Second, the profusion of other "vices" on the 'net - from credit card fraud to child porn to illegal weapons sales - gives marijuana sites a relatively low priority among investigators. (The highest priority, incidentally, is national security and terrorism).
Third, most countries have fairly decent civil-rights laws that protect citizens from their governments. In the U.S., for example, privacy laws usually require at least one court order to track someone down through their computer, while the First Amendment of the Constitution guarantees your right to discuss growing (assuming you don't actually admit to growing. ;-)
Last, there are the safe-surfing techniques we looked at. These factors make the chance of being harassed very slim. In fact, we know of no growers who have been busted from posting on a marijuana site. But we want it to stay that way, so play it safe.
Changing Your Settings
Proxies - Cookies - Cache
Browser settings for proxies:
Just like any computer on the internet, a proxy server has a unique IP address and a corresponding domain name. It also has a port #. You can use either the IP or the domain name in your browser, since they're interchangeable. For example the IP of the Spanish proxy, linux.softec.es, is 18.104.22.168 and the port is 8080. Most proxies use ports 80, 3128, 8000, or 8080. Proxies are often listed with the port # tagged on to the end of the address: linux.softec.es:8080 (or 22.214.171.124:8080). Go back to the article for some lists of proxies on the web.
For Opera version 3 or 4:
Select Proxy Servers,
Put a check at HTTP and enter the proxy, and enter the Port #.
For Microsoft Internet Explorer 5:
Select the Tools menu,
Choose Internet Options,
Click the Connections tab,
Double-click on your dial-up connection,
Put a check at Use a proxy server,
At Address enter the proxy, and enter the Port #.
For Microsoft Internet Explorer 4.0.1:
Choose the View menu,
Select Internet Options,
Select the Automatic Configuration "Configure" button,
Enter the proxy in the text box.
For Microsoft Internet Explorer 3:
Choose the View menu on your web browser,
Choose the Options,
Tick Connect through a proxy server,
Click the Settings button
At HTTP Proxy enter the proxy, and in Port: put the port #.
For Netscape Navigator version 1, 2, or 4:
Choose Options from the browser's menu,
At HTTP Proxy, enter the proxy, and enter the Port #.
For other browsers, try http://proxys4all.cgi.net/setup.shtml.
Cookies are usually stored in a file called cookies or cookies.txt or MagicCookie.
For Opera version 3 or 4:
Select the Preferences menu,
and de-select Enable Cookies.
While you're there also deselect Enable Referrer.
For Microsoft Internet Explorer 5:
Click the Tools menu,
Select Internet Options,
Click the Security tab,
Highlight the Internet icon and click Custom Level.
Scroll down to Cookies and select disable or prompt.
For Microsoft Internet Explorer 4.0.1:
Go to the View menu,
Choose Internet Options.
Click on the Advanced tab,
Scroll down to Security.
Under Cookies, select either Disable All Cookie Use or Prompt Before Accepting Cookies.
For Netscape Navigator 4.0:
Select Preferences from the Edit menu,
Either select Disable Cookies or check Warn Me Before Accepting a Cookie.
For Netscape Navigator 3.0:
Select the Options menu
Go to Network Preferences,
Ynder Show an Alert Before, check Accepting a cookie.
More info on cookies at: Cookie Central
Cache and URL history
The cache stores recently viewed web pages for quick loading later. The URL history lists the websites you visited. Delete them, or better yet, wipe them.
For Opera versions 3 and 4:
Select Preferences, Cache, and check the Empty On Exit box. Or wipe the file manually, which is located in the Cache folder wherever you installed Opera. While you're there wipe the following URL history files: vlink.dat, global.dat, and opera.dir. To turn off URL history select Preferences, Generic, and deselect History, Direct Addressing, and Global History.
For Internet Explorer 4 and 5:
Select Tools, Internet Options, and click Delete at Temporary Internet Files to clear the cache, and click Delete History to clear the URL history. Change "Days to keep pages in history" at zero and you won't have to worry about wiping it regularly. The technique for wiping the cache depends on your file wiping program. If yours doesn't find the file automatically, wipe it manually at C:\Windows\Temporary Internet Files. For URL history check C:/Windows/History
For Netscape Navigator 3 and 4:
Select Preferences, Advanced, and Cache. Click on Clear Memory Cache and Clear Disk Cache. Also on that screen is the current location of where you can find those files to wipe.
Several free services exist solely for anonymous surfers. The more popular ones like the Anonymizer may be under close scrutiny of law enforcement, hackers, or the administrators themselves."
The smaller offshore services can come in handy, especially for WebTVers who can't make browser changes. To use an anonymizer you simply go to their website and type in your destination URL. You're then taken to your site through their proxy with your IP automatically masked-- no browser changes needed. Some services even use HTTPS (secure HTTP with encryption) to prevent messages from being intercepted and read.
Here are two lists of anonymizer services:
You'll notice that many services modify the URL by adding their domain name to it. For example, if you use the Anonymizer to visit www.overgrow.com, the URL might change to:
If your proxy does this you can often just type their domain in front of your URL, instead of going to their website. For example you might type: http://anon.free.anonymizer.com/ in front of http://www.overgrow.com(you need to add the "http://" part). This trick won't work with services that encrypt your URL.
For additional security some proxies can be chained together. DeleGate and CGI proxies often allow chaining. To chain two proxies simply type a second (different) proxy's domain after the first one, followed by your URL. For example:
Some proxies use "-_-" to separate addresses, like this:
Avoid ProxyMate and LPWA. The creator of these services, Lucent Technologies, is a major weapons and wiretapping equipment supplier for our friends in the US government, military and FBI. It's likely these services are closely monitored. You'll also want to avoid the Onion router service, which is run by the U.S. Navy. Just like with public proxies, know who owns your proxy server, and also verify its anonymity.
Are proxies safe?
Even if a website (or proxy) knew your real IP address, an IP alone can't identify you. only your ISP. To identify you someone would need to compare the website's (or proxy's) logs with your ISP's logs (assuming those logs haven't been deleted yet), so they can find your username, phone number, etc. In the U.S. this often requires a court order, so it's not a simple task. But keep in mind an internet signal passes through many computers on its way to a website, and someone along the way could be watching and logging IP data. (To see the path your data takes use TraceRoute.)
So hiding your IP with an anonymous proxy adds an extra hurdle in the way of a malcontent. Those with fixed internet connections (DSL, cable modems, etc.) should definitely use a proxy. That's because the IP for a fixed connection is always the same, unlike a dial-up connection, which give you a slightly different IP each time your connect, making it a little harder to hack and track.
Which is better, public proxies or the services? Generally speaking, a good offshore public proxy is probably safer than a service like the Anonymizer, which is teeming with folks who are hiding for one reason or another. This makes them tasty targets for web vultures. Meanwhile there are thousands of public proxies out there with "legitimate" users, so it's much easier to blend in with the crowd. For maximum safety try using a public proxy in conjunction with a lesser-known anonymizer, perhaps chained. Keep in mind that HTTPS webpages will strip away HTTP anonymizers, leaving you with just your public proxy.
One more word on proxies: don't abuse them. Never use them to spam, hack, or send threatening messages to [email protected]ouse.gov. Mis-using them will force them to close their doors to the public or start transmitting IPs.
Other safe-surfing techniques
Turn off cookies, java and any multimedia components. Cookies are text files that many web sites store on your hard drive to track your surfing habits. Letting a website store information on your computer without your approval is an obvious no-no. Here's the procedure to turn off cookies. If a website requires cookies to navigate simply turn them back on. Java, ActiveX, etc. can hide malicious codes and should also be turned off.
Avoid Micro$oft. The Internet Explorer browser is integrated too deeply with Windows to trust with your personal info. Plus it has frequent security bugs, holes, etc. Use Netscape, or - even better - the Opera web browser. Opera is a full-featured, user-friendly browser that is definitely faster than the other two. It's also much smaller and only takes a minute or two to download. If you must keep the Exploiter on your computer, consider using Opera as a second browser for your cannabis-related surfing.
Use a fresh internet connection for your cannabis surfing. In other words, disconnect when you're done surfing the weed sites, then reconnect and continue surfing. This gives you a new IP on a dial-up connection, and reduces the chance that someone along the datastream can associate your pot posts with the "real you".
Surfing at work may jeopardize your corporate-slave job. Many companies have the ability to closely monitor employees computer usage and internet activity. Even if management is lenient about surfing, it's a wise move to clear your browser's cache and URL history regularly.
Open an anonymous email account. Don't post the email address your ISP gave you!. There are dozens of free email services that let you enroll using bogus information. This site lists 'em all.
Use public computers for extra anonymity. Many universities, libraries, and cafes offer internet access for little or no cost. Use them for your most sensitive communicating.
Watch what you say. Many growers refer to "a friend's" garden to avoid incriminating themselves in their posts. Remember, it's not illegal to discuss illegal things, at least in the U.S. Proper marijuana-related websites are hosted somewhere with kinder laws. Say what you want, but remember Jackerspackle's Law: don't say anything on the internet that you may regret later.
Encrypt your most private communications. Your email service can read your messages, even the ones you deleted. Also, email can travel through many mail servers on its way to the recipient, and any of them may be looking at messages. For maximum security use PGP to encrypt email. Both parties will need to load the PGP software, but your messages will be virtually unreadable to privacy invaders, including law enforcement. Here is an easy introduction to using PGP and the software can be downloaded free.
Even with PGP be careful about downloading email attachments. Some of them have been known to hide viruses and trojan horses which the anti-virus programs don't detect. If you have any doubts about an attachment, be safe and open it at a public terminal.
Here's a basic document that may be helpful as an initial primer for members concerned about privacy/security issues. Feel free to edit-feedback appreciated. changling
Hello fellow privacy seekers. This info is intended for those who seek
anonymity while browsing at little or no cost. It is very basic and intended primarily for home users of Windows 9.x using Internet Explorer. Info on Netscape should be contributed at a later date.
An important part of the process includes securing your PC from hackers, government or otherwise. Let’s start with a few basics that should get you on the anon path within an hour or so. Later updates will cover issues in more detail.
1.Secure your machine. If you don’t already use antivirus software, or would like something less cumbersome than most commercial products, try InoculateIT Personal Edition. (http://www.antivirus.cai.com). This barebones program is free for non-commercial users, as is the tech support and updates.
2.Install a firewall. Some are free for personal use. Check out Zonealarm (my favorite) at http://www.zonelabs.com. This product shows you the IPs of whoever may be trying to gain access, and can even stop VBscripts. You can also try http://www.Sygate.com, or http://ealaddin.com/...l_fire wall.asp.
Be sure to test your firewall, as they are not all created equal. One excellent online testing program is Shields Up at http://grc.com/default.htm, (might as well pick up the freeware program OptOut while you’re there and read The Anatomy of File
Download Spyware too. A couple of other free online testing programs are http://scan.sygatetech.com, and just for the hell of it
check out HackerTracker the online port scanner at http://www.lockdown2000.com/. You just might be surprised to one of those IPs snagged by your firewall ending in .gov, as once
happened to me!
3.Take control of cookies. Cookie Crusher is a a very cool user friendly program that can be configured to allow cookies you may need for to access certain websites, like Yahoo mail, and automatically block cookies you never want. I like to toggle the controls to accept cookies needed for various web mail sites, and then delete them from my hard drive when I'm finished.
It can also be configured to automatically reject pesky cookies you will never want to accept. . Many will argue that cookies are harmless and can always be deleted, but there’s too much we may not know about them for my comfort. Hippie3 pointed out several years ago that the Shroomery cookie stored members ISP addresses.
Cookie Crusher is available at http://www.thelimitsoft.com . It is a shareware program with a 30-day free trial period. There are others that also strip banners, like AdSubtract (www.adsubtract.com ) which offer freeware versions, but are more complex to use and will act as servers which might snag your real ISP.
4. Anonymous proxies. A proxy server downloads web pages to your computer, and some are faster than your ISP. Proxies substitute their ISP for yours, but many are transparent and will reveal your real ISP in email and Usenet headers. You want a proxy that doesn't do this: an anonymous, or non-transparent proxy.
(Note: Some ISPs, like AOL, don't want you to be anon. You will need to
download a different browser, or better yet, get rid of AOL!)
There are some web based anonymous proxies. Some are can be very slow and may also log your real ISP. (This is one place Cookie Crusher alerts come in handy.) If you use a web based proxy list, try
http://www.cyberarmy.com/lists/proxy/. To test if a proxy is anon, open
another window and visit http://www.all-nettools.com/tools1.htm. Go to the Network Tools Proxy Test page. The Proxy Test button is at the bottom of this page. Switch back to the proxy list; copy a proxy, (Note: do not copy the port#; if there is a : after the proxy, don't copy that either), then switch to the Proxy Test page. From the Explorer menu bar click Tools, Internet Options, Connections, Settings, and check "Use a Proxy Server". Click the Advanced box, and paste the proxy you copied in the first box: HTTP. Type the Port # (e.g. 8080) in the corresponding Port box. Click OK until you’re back to the main
screen. Click the Proxy Test button. If the proxy isn’t open, you’ll get an error message and the page will not display. Simply switch back to the Proxy List and make another selection. Then go back to the Proxy Check page, and click Refresh. If the proxy is open but isn’t anon, you should get a message saying, "proxy server detected", and your real ISP may also be displayed. If you found an anon proxy, the message will read "proxy server not detected", and will display the address of the proxy you selected. You can save some time by trying all proxies listed at a specific port, say all the 8080 ones first. When you find an anon proxy, run the SMARTWHOIS to see where the proxy is located, and who owns it.. Avoid Proxies that end in .gov, just to be safe.
Your goal is to find a reasonably fast proxy that will say, "proxy server not detected" (and of course isn't your real ISP). So try testing with the proxy on and then off. Also, a proxy that is anon today may not be tomorrow, so check frequently. Occasionally delete your Temporary Internet Files from your browser’s cache.
If you are into Instant Messaging or want to share files via FTP, try the freeware program RAZIUS EXPRESS (http://www.mercurypr...om/products.htm).
Think this is too much of a hassle? Well, it can be labor intensive to do on the cheap, but please take a moment to read the short paper, The IP Address: Your Internet Identity at http://consumer.net/IPpaper.asp.
Once you have taken some precautions, you can browse the Web with relative reassurance of anonymity. There are some hang-ups however. If you need to go to an HTTPS area, your real ISP will be visible unless you put the anon proxy in the "Secure" proxy settings box, but then you probably will not be able to access that page.
Enough about anon browsing for now. Hippie3 already explained how to set up an anon email accounts in the Security thread. Anon Usenet posting and using remailers like JACK BE NIMBLE, etc. will be discussed later. For those who don't care to do all the legwork on the cheap, check out the for pay program at http: www.zeroknowledge.com. There’s a 30-day free trial offer. This program pretty much has it all of the above in a neat package, but can sometimes be incredibly slow or lose its connection while you're in the midst of a situation where you'd rather it didn't. It’s worth a free trial though, and is generally
more reliable and less labor intensive than any of the programs mentioned in this paragraph.
For those who just want to surf using free web based software and aren’t all that concerned about the web site offering the tools knowing your true ISP, here are a few usable links. Some are free; most offer a free trial basis. You might want to set use an anon proxy to go to these places if you’re paranoid, because they will know your ISP. It’s probably be a good idea to set up an anon email account too, as some services will require it.
http://www.cotse.com/anonimizer.htm (CGI based proxy)
(retrieve mail from your POP3 account over the Web
through an SSL connection)
http://www.newzbot.com/search.html (find the newsgroups your
ISP won’t tell you about. Searches for open public news servers. Not secure.)
(NNTP server based in Germany.
(free anonymous web browsing, email, and Usenet tration required; most info may be fabricated. Highly recommended if you like to use Outlook Express.) posting. No choice of nyms though. All posts will read from “Anonymous”.)
Good luck in your quest for anonymous web browsing. Please do not email me with any questions, as I simply won’t have time to respond.
Posted 27 October 2005 - 05:04 PM
Posted 13 November 2005 - 01:05 PM