T Nation

Internet Privacy Answered...

An excellent question was posed to me recently and I figured I would share the answer with my friends here at T-Nation.
[b]
Q- What precautions can I take to ensure privacy when ordering items online? Can I cover my tracks… etc?

Covering your tracks - Buying AA's over the internet and how to ensure privacy.
[/b]
Well interesting question and I’m afraid to inform you and whoever else that reads this note, you cannot entirely cover your tracks and under most circumstances, no matter what precautions you take in your living room with your PC, the evidence exists elsewhere beyond your control.

A brief explanation on how your computer communicates with the internet and how that information is transferred, logged and stored.

Connection-
Your computer most likely connects to the internet via a modem, either dialup, broadband (cable) or DSL.
When you establish your internet account with your ISP, you provide them with a Name, Address and contact information. This information can be cross-referenced at any time to your account. Most ISPs log connection traffic and, if needed, they can tell whoever has authority when your connection was used (your username and your password) and what personal identifier was issued to your computer (an IP address that is significant only to that machine for most of the time while you are using it*).
This IP address is logged and in most cases, used as an identifier not only with your ISP but all the websites/servers you access.

So, in English?
I connect to my ISP from my basement, my computer sends my personal username and password to the company and it then permits me access to the internet and assigns me an IP address.
When I visit my favorite science supply site to order research chemicals, that site most likely logs my IP address, the same address that my ISP assigned to me when my computer connected.
Now, when you view a page on the internet, that page request is sent to the site and it returns the page to your computer; that information can be logged as well by ISPs.
“Can” meaning that under most circumstances the information being sent back and forth is not logged due to system performance. BUT, if you’re under suspicion, it’s as easy as checking a checkbox to log all traffic to your IP.

So the logs will look like this.
IP address,Date//Time//Action//address//response
10.10.115.225,June5,22:45,httprequest, www.fakesupplyname.com/sales/newstuff.html, sent.

That one line can be proven in court that “that” particular IP address visited that particular website at that particular moment and downloaded that SPECIFIC page.
ALL this without even looking at your PC.

What about proxies and encryption?
Proxies are ways you can restrict your IP address from being recorded at the science site. This means that even though you’re being logged at your end, they won’t be able to log it at their end.
Using a proxy this way is difficult to set up and far too cumbersome. The other issue is back to logging: if someone is looking for something, chances are it will still be available from the logs at your own ISP…
IP address,Date//Time//Action//address//response

Encryption, the little padlock you see when you checkout of most commerce sites, ensures that any information being sent between the two computers cannot be easily read.
How does this affect your ISP logs?
They will show most of the same information, but, logging additional traffic will not be shown. Since most science supply companies use encryption, but only during the checkout phase, your ISP logs should look like this…

IP, Date, Time, Action, address, response (before you buy, just browsing)
IP, Date, Time, Action, Address (Checking out/purchase)
They can see that you’re on the site, at that time and you’re at the checkout, but can’t see what you’re buying unless they can access the logs from the science site.
This means they can see the pages, but, smaller information on what details of the page cannot be logged, details like charge card numbers and transaction details.

Your computer?
Your computer does track information, BUT, in most cases of purchasing science supplies, all the information they need is provided to them from logs outside your home.

Legally, how do you stand?
Well, so far we have seen how authorities can prove that “a” computer connected to the ISP. That computer used a username and pw assigned to you. Connected to a website that sold science supplies and visited a checkout.
We have not proven the following…
Who did the transaction.
Where (address, physical location) the purchase was made.
Who was at the computer.
Who owns the computer.
Who received the goods.

This is very important. You can’t prove a crime if there is no evidence. Buying supplies online is not illegal if you never received the supplies.

Conclusion.
In all honesty, for personal use amounts, I would not put much thought into this since the expense needed to convict someone is immense.
The acquisition of logs, warrants and such is unlikely to happen for personal use. BUT, there are rare cases of individuals being tracked.
Can you do anything?
Nope. Even if you were to cover all your bases, the authorities will likely just grab you when you possess the items. Case closed.
At the end of the day, buy your supplies. Read up on secure shipping (I can dig up a post somewhere) and hope that Uncle Sam, Martha or whoever runs your country isn’t bored that day.
Bottom line, if the authorities want to catch you, chances are they will. Regardless of what you do at your end. The other equation is this… if they catch you, they have to prove it in court and as long as you have determination (aka money), you CAN beat any charge.

Note: This is under most normal circumstances, the advanced security expert can cover some of their tracks but it would require extensive tools, research and knowledge. These items are far more expensive, time consuming and not worth it because there will ALWAYS be evidence.

I hope this answers your questions. If not, send me more Smile

Regards,
maxx


Why not use a public internet connection?

How’bout this:

Get a laptop.

Get a wireless lan card, one on which you can change the MAC address. Change the MAC address of the card.

Drive to some urban location where you don’t usually go. Find an open wireless access point, or hack a WEP or WPA protected one. WEP can sometimes be done in minutes or less.

Once you’ve got access, do your browsing using a memory-only browser. That will prevent leaving traces on the laptop’s hard drive. You can also use a service like Tor to further anonymize the connection. Anyone sniffing and logging packets between you and your destination site will at best get gibberish. If for some reason they managed to obtain logs from your access point, the MAC address would be a bogus one. Using the real MAC address of the laptop’s internal card might enable tracing through the manufacturer.

Delivery of items is difficult to anonymize. A PO Box rented with no or fake id might do it; or have the package delivered to a co-worker who’s on vacation and pick up the box from his office before he comes back. Anyway, the internet anonymity thing is our main concern here.

Once you’re done with your browsing, drive away and never come back to use this particular access point again. If you’re truly paranoid, destroy the wireless card and “scrub” the hard drive with a data eraser that uses the Gutmann 35-step anti-forensic analysis techniques. You can also destroy the hard drive after that.

If you need to keep documents, use software like the free TrueCrypt drive utility that allows you to hide encrypted containers within other encrypted containers. If forced to reveal your password by law enforcement, you can give access to the first “plausible deniability” container and there’s no way of knowing if there is or isn’t another encrypted container within. You can’t be forced to give a password that might not even exist in the first place.

Did I miss anything?

Good responses.

Public internet would work provided you can cover the email authorization.

The point I’m trying to make is, if authorities are willing to invest the time/money into acquiring the trail, even using public internet has risks.

There will always be evidence, time and money will determine the availability of that evidence.

Either accept the risk knowing that personal consumptions are generally not targeted or, accept a lesser risk and use a public access terminal (library).

If big brother is going to target you, using the library, wireless AP or cellular internet card will not stop them from obtaining enough information to charge you.

It’s proving this all in court that it will come down to.

Of ALL of the internet privacy cases I’ve seen, 99% of them result in the accused accepting charges because it’s too costly to defend them.

I personally KNOW of cases where identity was not proven in court and those cases cost in excess of 25k in legal fees.

If Uncle Sam is determined enough to watch your ISP, watch your email, it’s almost a guarantee they will have physical evidence against you when you acquire the items.
This is far more important than any electronic evidence presented.

Good discussion nonetheless.


If I ever catch a case you can bet I’ll be on the couch for a while Bushy. Thanks a lot bro :wink:


I would love to move to the UK. It’s been my dream for about 2 years now.

The UK gives me a hard on. Long live the queen!!!

sombitch

[quote]biscuite wrote:
The UK gives me a hard on. Long live the queen!!!

sombitch[/quote]

Yes, sounds good my friend from BAMA. You and I can move over there into Bushy’s pad. Work out together at Bushy’s gym, no rent to pay, access to Bushy’s chems, call each other mate or bloc all the time, drink beer at Bushy’s local pub. Life would be great. LOL.

JW

Sounds like bushy has a hell of an estate.


Bloc

LMAO!

C’mon Bush we can spoon, I’ll do the dishes;-)

[quote]bushidobadboy wrote:
JWpushheavy wrote:
bloc

WTF?

Dude, you and Bis are both welcome, but first you might wanna learn how we converse over here :wink:

“bloke”

bushy[/quote]

I stand corrected. Yes you are right. I have been over there once in England while I was in the service. Totally different world, in a good way.

JW

[quote]pookie wrote:
How’bout this:

Get a laptop.

Get a wireless lan card, one on which you can change the MAC address. Change the MAC address of the card.

Drive to some urban location where you don’t usually go. Find an open wireless access point, or hack a WEP or WPA protected one. WEP can sometimes be done in minutes or less.

Once you’ve got access, do your browsing using a memory-only browser. That will prevent leaving traces on the laptop’s hard drive. You can also use a service like Tor to further anonymize the connection. Anyone sniffing and logging packets between you and your destination site will at best get gibberish. If for some reason they managed to obtain logs from your access point, the MAC address would be a bogus one. Using the real MAC address of the laptop’s internal card might enable tracing through the manufacturer.

Delivery of items is difficult to anonymize. A PO Box rented with no or fake id might do it; or have the package delivered to a co-worker who’s on vacation and pick up the box from his office before he comes back. Anyway, the internet anonymity thing is our main concern here.

Once you’re done with your browsing, drive away and never come back to use this particular access point again. If you’re truly paranoid, destroy the wireless card and “scrub” the hard drive with a data eraser that uses the Gutmann 35-step anti-forensic analysis techniques. You can also destroy the hard drive after that.

If you need to keep documents, use software like the free TrueCrypt drive utility that allows you to hide encrypted containers within other encrypted containers. If forced to reveal your password by law enforcement, you can give access to the first “plausible deniability” container and there’s no way of knowing if there is or isn’t another encrypted container within. You can’t be forced to give a password that might not even exist in the first place.

Did I miss anything?
[/quote]

You wear your black hat well pookie;-D


[quote]bushidobadboy wrote:
JWpushheavy wrote:
bushidobadboy wrote:
JWpushheavy wrote:
bloc

WTF?

Dude, you and Bis are both welcome, but first you might wanna learn how we converse over here :wink:

“bloke”

bushy

I stand corrected. Yes you are right. I have been over there once in England while I was in the service. Totally different world, in a good way.

JW

Hey, no worries MATE, I know you’re a great BLOKE, in fact I’d call you one of my MUKKAS. A top GEEZER no less!

:wink:

bushy[/quote]

MUKKAS?

[quote]maxx power wrote:
I hope this answers your questions. If not, send me more Smile

Regards,
maxx
[/quote]
If ISPs just randomly assign IP addresses how can anyone connect that particular IP address (at the time it is logged) with a particular user? For example, if I am piggy-backing (making a wireless connection) off a wireless router from a local coffee shop how can anything be proved in court if one is careful about user_id’s and information, etc.?
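
The log correlation the first post describes, which is also how a dynamically assigned address gets tied to a subscriber, is a join between the ISP's lease records and a site's access log on IP address and time. The sketch below is an added example, not part of the thread; the lease and access records, account names and field layout are constructed, and both logs are assumed to share one clock and timezone.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (documentation IP ranges, made-up accounts).
# ISP side: which account held which dynamic IP, and for how long.
LEASES = [
    # (ip, account, lease_start, lease_end)
    ("203.0.113.25", "acct-1001", "2024-06-05 18:00:00", "2024-06-05 21:59:59"),
    ("203.0.113.25", "acct-2002", "2024-06-05 22:00:00", "2024-06-06 06:00:00"),
    ("203.0.113.40", "acct-1001", "2024-06-05 22:00:00", "2024-06-06 06:00:00"),
]

# Site side: access-log entries (client ip, timestamp, requested path).
ACCESS_LOG = [
    ("203.0.113.25", "2024-06-05 22:45:00", "/sales/newstuff.html"),
    ("203.0.113.25", "2024-06-05 19:10:00", "/index.html"),
    ("198.51.100.7", "2024-06-05 22:50:00", "/index.html"),
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def account_for(ip, when, leases=LEASES):
    """Return every account whose lease on `ip` covers the time `when`."""
    t = parse(when)
    return [acct for lip, acct, start, end in leases
            if lip == ip and parse(start) <= t <= parse(end)]


def attribute(access_log=ACCESS_LOG, leases=LEASES):
    """Join each access-log entry to the account holding that IP at that moment."""
    results = []
    for ip, when, path in access_log:
        holders = account_for(ip, when, leases)
        if len(holders) == 1:
            verdict = holders[0]
        elif not holders:
            verdict = "unknown (no lease record: other ISP or log gap)"
        else:
            verdict = "ambiguous (overlapping leases: check clock sync)"
        results.append((ip, when, path, verdict))
    return results


if __name__ == "__main__":
    for row in attribute():
        print(row)
```

The same IP maps to two different accounts depending on the timestamp, which is why the time column matters as much as the address. The join names a subscriber account, not the person at the keyboard, which is the gap the first post lists under what has not been proven.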