Two Online security questions, can you track my location!?

O

Operaghost

[H]ard|Gawd
Joined
Jun 4, 2004
Messages
1,315
Ok first of all.

I've installed some online anonymity programs, and I'm curious how well they are working.
Can anyone here figure out my general location?

Is there a website that will run a trace on me and tell me where it looks like I'm coming from?

Secondly,

I signed up on this new forum today and it said it has encrypted pm's. But that there is a key stored on thier server, and then a passphrase key stored on mine.

So I enter a passphrase, and it then tells me I have to download the key and store it safely on my computer. And to back it up to disk. That it is currently residing on thier server and the "completion" of the encryption won't be until I download and store the key, thus deleting it from thier servers.

Now, I'm a total noob when it comes to secutiry and encryption and such. Does this sound normal? I'm skeptic because well this forum's subject matter is a bit illegal depending on where you live, so I'm a little skeptic about matching something on thier server to my computer. That basically links me to them if they ever get subpeoned by authorities right?
Or is this normal and sounds legit? I want to have safe encrypted PM's on thier site if this is standard procedure, but if it sounds a little fishy, then perhaps its best I not worry about encrypted pm's?
 
Well, usually on forum software, the software stores your IP address. As just like the software we are speaking on right now, if you are a Mod or Admin of this site, (if the settings allowed) they would see your IP address with each post.

Now whether or not someone can track your entire location based on your IP address, I am not to sure, I am sure someone can fill in that gap.

Forum software with encryption keys? I have actually never heard of that before, but it seems like an interesting idea.
 
The closest someone can find out where you might be located is if they find your IP and use any of the many web sites that will give you the longitude and latitude of your IP address. Then they can go into Google maps and find an approximate location. It's not really that accurate but it gives a big ball park of where you might be.
 
It all depeneds on who is tracking you. Yes you can do a geo search on an IP and get a good idea of where you are but if big brother wants to find you they can get the IP table logs from you're ISP and bam they got you.
 
I'm skeptic because well this forum's subject matter is a bit illegal depending on where you live,
Click to expand...
where would hardforum discussions be illegal? china?

and it all does depend on who is looking for you. if its another user on the net- realistically they cant even find you if you gave them your ip address. but if its a government agency, who has access to the internet network backbone or ISP, then no matter what you do they can find you. you would need to tunnel your entire internet traffic thru several SSL servers all over the world to even make it more difficult for them. or obfuscate it over an encrypted TOR network.

for instance, it is a little known law that came about in the US after 2001- all US data carriers have to have protocols in place in their network structure to immediately give realtime access to any traffic passing over their network to any government agency that requests it. legally- you would need a warrant for this, but realistically if the FBI calls a company like ATT for instance and says "give us access to this..." its in the interest of ATT to do a favor for the government instead of protect the rights of the people. its the FBI- so no skin off ATTs back if it turns out that the FBI didnt have a right to the information.

heres some scarry reading for you
http://en.wikipedia.org/wiki/NarusInsight
 
so no skin off ATTs back if it turns out that the FBI didnt have a right to the information
Click to expand...

Except that illegally obtained evidence is not admissible in court and you probably have legal recourse to sue your ISP which people obviously are.
 
except for the countless times evidence is collected in a manner that is not strictly by the book and allowed in court anyways. its all up to the judge- if they procure a sound byte of you doing something like trading nukes with some dude in a cave in pakistan; whatever way they collected that sound byte isnt going to matter. even if they did it illegally you will still be thrown in jail.

having a legal recourse after you have been arrested, thrown in jail for several weeks, had the police turn your house upside down and confiscate your property is much different then just having them follow the rules to begin with. even if they dont have enough evidence to convict a person in court doesnt mean that they cant make your life hell for a good long time.

and its not to say that whatever information they get from the quasi-legal wire tapping would even be used to charge you or have anything come about it. the point of the matter is that i dont want anyone listening into my business behind my back in the first place, no matter how harmless the business is that i am involved with.

the majority of americans never actually read the wording of the many laws passed by our previous president regarding warrentless wiretapping and the myriad of unconstitutional practices approved by that administration. the worst part about it is that none has and probably ever will be brought to justice for OKing such laws that are so clearly against everything the country is supposed to stand for.
 
Been polishing your tinfoil hat today have we?

its all up to the judge
Click to expand...
However judges don't like having their decisions overturned so the issue is not as cut and dry as you are representing it is.

even if they dont have enough evidence to convict a person in court doesnt mean that they cant make your life hell for a good long time
Click to expand...
This also doesn't work out so well for the gov't in the long run, just look at all the money they had to pay the "person of interest" in the post 9-11 Anthrax investigation after the real culprit was found.

I have read a copy of Comcast's Legal Response hand book. I didn't see anything in it about freely giving out subscriber information to any agency that asked. In fact, it seemed to me that it established procedures for rightfully obtaining information after appropriate documentation is furnished which seems reasonable to me.
 
there are always two sides to any argument, but history dictates that what is written on a piece of paper and what is actually practiced are often two different things.

im not some conspiracy theorist here and i take offense to that statement, but if you fail to understand how these giant telecom companies are run and structured and blindly trust that whoever is transporting your data all over the world is going to act in your interest 100% of the time, you are lying to yourself and everyone listening.

hiding your life savings under a rock in the desert solely because "no one would look there" is similar to saying that "my data is safe because i trust the end user it is going to". well there are often 100 intermediaries in between you and the end point which you may or may not know about and which may or may not be trustworthy.
 
but if you fail to understand how these giant telecom companies are run and structured and blindly trust that whoever is transporting your data all over the world
Click to expand...
I happen to work for one of those "giant telecom companies".

hiding your life savings under a rock in the desert solely because "no one would look there" is similar to saying that "my data is safe because i trust the end user it is going to". well there are often 100 intermediaries in between you and the end point which you may or may not know about and which may or may not be trustworthy.
Click to expand...
Straw man argument. I never said that at all. Typically your data is only going to transit a couple autonomous systems on its way to a destination through the carrier backbones at near light speed. You really think the gov't is tapping OC-xxx backbones at will and analyzing all that traffic in real-time? I think your overestimate the technological capabilities of the intelligence community. Even if they collected and stored it all, good luck analyzing and utilizing the info in a timely manner. Most intel collected falls on the floor. Always has, always will.

If you really want to "stay off the grid", you need to stay off the grid. Trying to maintain anonymity whilst "online" is virtually impossible. There is always a trail.
 
Operaghost said:
I signed up on this new forum today and it said it has encrypted pm's. But that there is a key stored on thier server, and then a passphrase key stored on mine.

So I enter a passphrase, and it then tells me I have to download the key and store it safely on my computer. And to back it up to disk. That it is currently residing on thier server and the "completion" of the encryption won't be until I download and store the key, thus deleting it from thier servers.

Now, I'm a total noob when it comes to secutiry and encryption and such. Does this sound normal? I'm skeptic because well this forum's subject matter is a bit illegal depending on where you live, so I'm a little skeptic about matching something on thier server to my computer. That basically links me to them if they ever get subpeoned by authorities right?
Or is this normal and sounds legit? I want to have safe encrypted PM's on thier site if this is standard procedure, but if it sounds a little fishy, then perhaps its best I not worry about encrypted pm's?
Click to expand...

That sounds like standard public key encryption stuff. The public key can be used to encrypt something that only the private key can decrypt. The public key cannot decrypt the message. This is how PGP works. I've never heard of it being used with forum PMs like that though.
An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.
Click to expand...

The main issue here is that the forum server is generating the key pair. They say that they're deleting the private key after you download it, but you can't really be sure of it. If they keep a copy of that key, they can decrypt any message encrypted with your public key. It would be more secure if they had you generate a key pair yourself, then upload the public key to them (so they would never have a copy of your private key to begin with).

However, that's a moot point unless they've got some sort of client-based system for sending PMs into their forum software. If JoeUser sends you an encrypted message by typing it into the "New PM" page just like here on [H], then the message is going into their server unencrypted. The server is then encrypting it and sending you the encrypted result, so that you can decrypt it with your private key. If this is the case, the server has the message before it's encrypted, so they have no need for your private key to decrypt it. The server may only be storing encrypted messages, but the original unencrypted message is going to the server at some point. If the topic is really something major, LEOs could be monitoring the messages as they come into the server.

The public and private keys are related mathematically (in that the private key is able to decode what the public key encodes), but I'm not sure if they're generally "linked" in a visible way. If it came down to you getting arrested and charged with something, it would be easy for them to encode something with the public key and see that your private key decodes it, thus linking your private key to that public key. However, I'm not sure if they could easily look at the public key and see a link to your private key file (the private key by definition cannot be deduced from the public key, or it would completely destroy the security of this system). Keep in mind that the forum software is keeping a table showing that the public key is for your forum account, so it's already tied to you in that way. With PGP keys, you do enter your name and email address, but it's done with the idea that someone can easily find it to be able to send you encrypted stuff. I don't think it's required that you have that info in there, but the sender has to have some way of knowing that key 0xDEADBEEF is linked to you so that they can use the right key to encrypt stuff to you (even if it's just memorizing the link between that key and you).

If you wanted to do this more securely, you could generate a standard PGP key pair yourself and post the public key. Each user wanting to send you a PM would need to encrypt the message with your public key, then paste the resulting encrypted blob into the PM text box. You would then get the PM, copy the text out, and decrypt it with your private key. This way the server would never be seeing the original message or the private key, so they couldn't decrypt it. However, you'd need to download the public key for each user you wanted to PM and generate the encrypted blob of text outside the forum PM itself. If they're doing all that stuff with public keys already, it seems like it should be easy to associate a user-generated public key with each account though.

Also, obligatory xkcd. Security
 
apt 3b, 1439 main street, chicago il - AMIRITE???

but really though, if you are using the internet for illegal purposes you are running a risk.
you might think you are mitigating that risk but all the same the FBI may come crawling into your window one day.
As for this encrypted stuff you describe, I don't know of any forums that do anything like that,
but yeah, if I was a law enforcement agency i'd probably love to go fishing for suckers like that
 
Operaghost said:
Ok first of all.

I've installed some online anonymity programs, and I'm curious how well they are working.
Can anyone here figure out my general location?

Is there a website that will run a trace on me and tell me where it looks like I'm coming from?

Secondly,

I signed up on this new forum today and it said it has encrypted pm's. But that there is a key stored on thier server, and then a passphrase key stored on mine.

So I enter a passphrase, and it then tells me I have to download the key and store it safely on my computer. And to back it up to disk. That it is currently residing on thier server and the "completion" of the encryption won't be until I download and store the key, thus deleting it from thier servers.

Now, I'm a total noob when it comes to secutiry and encryption and such. Does this sound normal? I'm skeptic because well this forum's subject matter is a bit illegal depending on where you live, so I'm a little skeptic about matching something on thier server to my computer. That basically links me to them if they ever get subpeoned by authorities right?
Or is this normal and sounds legit? I want to have safe encrypted PM's on thier site if this is standard procedure, but if it sounds a little fishy, then perhaps its best I not worry about encrypted pm's?
Click to expand...

hahaha. security is inversely proportional to how much effort somebody feels like putting in to find you. and when security matters, there is none to be had on a computer. simply put, you shouldn't ever even type what you don't want to come back to you. and free your computer from the lame privacy software. your comp hates it, i promise you
 
You must log in or register to reply here.
Back
Top