"There's no such thing as complete security on the internet. Since internet connections are a two-way flow of data, every computer is basically an open pipeline to every other computer on the web."
Right now someone could be going through the files on your computer without you even knowing it. Mischievous hackers and virtuous legislators have made the internet a questionable place to discuss growing. Fortunately this primer can reduce the risks that the average closet grower is likely to encounter. Part I covers internet anonymity and Part II deals with general computer security. While no one is invincible against an all-out investigation, you can take some major steps to protect yourself and your computer from those who don't respect your privacy.
Note: This guide is not intended to assist with breaking laws, only to encourage safer surfing habits. Use it at your own risk.
Part I: Internet Security
One of the biggest goals in the quest for anonymity on the Net is to hide your IP (internet protocol) address. Each request you make to a website is stamped with the IP given by your internet provider. It functions like a return address on a piece of mail. Websites usually log IPs, and there are ways to trace them back to you. To see the IP you show to everyone on the internet, visit our snooper page or this one. Recognize the "client's address"? If it's your internet provider, you may want to start using a proxy server.
Proxy Servers
A proxy can add a big boost to your anonymity. A proxy server is a computer located elsewhere on the internet that acts as a middleman to retrieve web pages for you. Many ISPs offer them to cache (store) popular web pages on their server so people can load them faster. The nice thing about some proxies is that they remove your IP info and replace it with theirs. By surfing through one of these "anonymous" proxies, websites will think your request came from the proxy, and not from you. Your IP is effectively laundered.
Proxy servers can be divided into two unofficial types: public proxies (caching proxies), and anonymizing services (Anonymizer, etc.).
Public Proxies
By making a few simple changes in your web browser's settings, the web pages you request can be retrieved anonymously by a proxy. Don't worry if you're not sure how to make these changes; step-by-step instructions for the popular browsers are at the end of this article.
Here are a few sites that list public proxy servers:
http://www.lightspeed.de/irc4all/eproxy.htm
http://proxys4all.cgi.net/proxy.shtml
http://www.ijs.co.nz/proxies.htm
Many proxies on the lists aren't usable. Some go down frequently while others restrict access to certain websites (censorship). And some of them don't pass the test...
Test Your Proxy
Not all proxies mask your IP. Many are "transparent" and transmit your IP info to websites -- obviously you don't want to use these proxies. To help you determine if your IP is showing, Overgrow has set up a test to show you exactly what information every website can see about you. Basically you're just looking for your internet provider's IP or domain name in each line, especially the following ones:
REMOTE_ADDR: the IP you transmit
REMOTE_HOST: your domain name (corresponds with your IP)
HTTP_X_FORWARDED_FOR: non-anon. proxies can show your IP here
HTTP_FROM: can show your IP
VIA: can show your IP
CLIENT_IP: this should be blank
If your IP shows up, look for another proxy. Eventually you'll find plenty that are anonymous.
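The check described above can be automated. This is an added example, not Overgrow's test page: it takes the variables a website received (using the names listed above) and reports which ones show your IP or your ISP's domain. The function names, addresses and host names are constructed for illustration.

```python
import ipaddress
import re

# Variable names exactly as the article lists them from the test page.
CHECKED_VARS = ("REMOTE_ADDR", "REMOTE_HOST", "HTTP_X_FORWARDED_FOR",
                "HTTP_FROM", "VIA", "CLIENT_IP")

# Whole dotted quads only, so 203.0.113.70 is never mistaken for 203.0.113.7.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"[a-z0-9.-]+")


def ips_in(value):
    """Return every valid IPv4 address that appears in a header value."""
    found = set()
    for token in IPV4_RE.findall(value):
        try:
            found.add(ipaddress.ip_address(token))
        except ValueError:  # not a real address, e.g. 999.1.1.1
            pass
    return found


def names_isp(value, isp_domain):
    """True if any host name in the value is the ISP's domain or a subdomain."""
    domain = isp_domain.lower().strip(".")
    return any(h.strip(".") == domain or h.strip(".").endswith("." + domain)
               for h in HOST_RE.findall(value.lower()))


def find_leaks(env, real_ip, isp_domain=None):
    """List (variable, reason) pairs that would identify the user."""
    real = ipaddress.ip_address(real_ip)
    leaks = []
    for name in CHECKED_VARS:
        value = env.get(name, "").strip()
        if not value:
            continue
        if real in ips_in(value):
            leaks.append((name, "shows your IP"))
        elif isp_domain and names_isp(value, isp_domain):
            leaks.append((name, "shows your ISP's domain"))
        elif name == "CLIENT_IP":
            leaks.append((name, "should be blank"))
    return leaks


def grade_proxy(env, real_ip, isp_domain=None):
    """'transparent' if anything identifies the user, otherwise 'anonymous'."""
    return "transparent" if find_leaks(env, real_ip, isp_domain) else "anonymous"


# Constructed sample data (documentation address ranges, made-up host names).
REAL_IP, ISP = "203.0.113.7", "example-isp.net"
TRANSPARENT = {"REMOTE_ADDR": "198.51.100.20", "REMOTE_HOST": "proxy.example.org",
               "HTTP_X_FORWARDED_FOR": "203.0.113.7",
               "VIA": "1.0 proxy.example.org:8080"}
ANONYMOUS = {"REMOTE_ADDR": "198.51.100.20", "REMOTE_HOST": "proxy.example.org",
             "VIA": "1.0 proxy.example.org:8080", "CLIENT_IP": ""}
NO_PROXY = {"REMOTE_ADDR": "203.0.113.7", "REMOTE_HOST": "dial-42.example-isp.net"}

if __name__ == "__main__":
    for label, env in (("transparent", TRANSPARENT), ("anonymous", ANONYMOUS),
                       ("no proxy", NO_PROXY)):
        print(label, grade_proxy(env, REAL_IP, ISP), find_leaks(env, REAL_IP, ISP))
```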
Tips on using proxies:
Choose proxies in foreign countries - preferably ones with rational pot policies. To find the location and owner of a proxy, try whois at Holmes or Smart Whois.
Test your proxy before each surfing session. Occasionally a proxy that's worked fine for weeks will start transmitting your IP for no apparent reason. If this happens, use another.
Change proxies frequently. Some change them weekly, others daily. Frequent changing reduces the trail left behind that shows your surfing habits.
Use caution with proxies on port 80 as they're usually run by ISPs. Many ISPs don't mind at all, but some reserve their proxies only for subscribers. While it's their fault for not requiring authentication, there's always the chance they could go postal and report you to your ISP.
"Several free services exist solely for anonymous surfers. The more popular ones like the Anonymizer may be under close scrutiny of law enforcement, hackers, or the administrators themselves."
Anonymizing Services
The smaller offshore services can come in handy, especially for WebTVers who can't make browser changes. To use an anonymizer you simply go to their website and type in your destination URL. You're then taken to your site through their proxy with your IP automatically masked-- no browser changes needed. Some services even use HTTPS (secure HTTP with encryption) to prevent messages from being intercepted and read.
Here are two lists of anonymizer services:
http://proxys4all.cgi.net/web-based.shtml
http://www.leader.ru/secure/
You'll notice that many services modify the URL by adding their domain name to it. For example, if you use the Anonymizer to visit www.overgrow.com, the URL might change to:
http://anon.free.anonymizer.com/http://www.overgrow.com
If your proxy does this you can often just type their domain in front of your URL, instead of going to their website. For example you might type: http://anon.free.anonymizer.com/ in front of http://www.overgrow.com (you need to add the "http://" part). This trick won't work with services that encrypt your URL.
For additional security some proxies can be chained together. DeleGate and CGI proxies often allow chaining. To chain two proxies simply type a second (different) proxy's domain after the first one, followed by your URL. For example:
http://proxy1.com/http://proxy2.com/http://www.overgrow.com
Some proxies use "-_-" to separate addresses, like this:
http://proxy1.com/-_-http://proxy2.com/-_-http://www.overgrow.com
Avoid ProxyMate and LPWA. The creator of these services, Lucent Technologies, is a major weapons and wiretapping equipment supplier for our friends in the US government, military and FBI. It's likely these services are closely monitored. You'll also want to avoid the Onion router service, which is run by the U.S. Navy. Just like with public proxies, know who owns your proxy server, and also verify its anonymity.
Are proxies safe?
Even if a website (or proxy) knew your real IP address, an IP alone can't identify you, only your ISP. To identify you someone would need to compare the website's (or proxy's) logs with your ISP's logs (assuming those logs haven't been deleted yet), so they can find your username, phone number, etc. In the U.S. this often requires a court order, so it's not a simple task. But keep in mind an internet signal passes through many computers on its way to a website, and someone along the way could be watching and logging IP data. (To see the path your data takes use TraceRoute.)
So hiding your IP with an anonymous proxy adds an extra hurdle in the way of a malcontent. Those with fixed internet connections (DSL, cable modems, etc.) should definitely use a proxy. That's because the IP for a fixed connection is always the same, unlike a dial-up connection, which gives you a slightly different IP each time you connect, making it a little harder to hack and track.
Which is better, public proxies or the services? Generally speaking, a good offshore public proxy is probably safer than a service like the Anonymizer, which is teeming with folks who are hiding for one reason or another. This makes them tasty targets for web vultures. Meanwhile there are thousands of public proxies out there with "legitimate" users, so it's much easier to blend in with the crowd. For maximum safety try using a public proxy in conjunction with a lesser-known anonymizer, perhaps chained. Keep in mind that HTTPS webpages will strip away HTTP anonymizers, leaving you with just your public proxy.
One more word on proxies: don't abuse them. Never use them to spam, hack, or send threatening messages to [email protected]. Misusing them will force them to close their doors to the public or start transmitting IPs.
Other safe-surfing techniques
Turn off cookies, Java and any multimedia components. Cookies are text files that many web sites store on your hard drive to track your surfing habits. Letting a website store information on your computer without your approval is an obvious no-no. Here's the procedure to turn off cookies. If a website requires cookies to navigate simply turn them back on. Java, ActiveX, etc. can hide malicious code and should also be turned off.
Avoid Micro$oft. The Internet Explorer browser is integrated too deeply with Windows to trust with your personal info. Plus it has frequent security bugs, holes, etc. Use Netscape, or - even better - the Opera web browser. Opera is a full-featured, user-friendly browser that is definitely faster than the other two. It's also much smaller and only takes a minute or two to download. If you must keep the Exploiter on your computer, consider using Opera as a second browser for your cannabis-related surfing.
Use a fresh internet connection for your cannabis surfing. In other words, disconnect when you're done surfing the weed sites, then reconnect and continue surfing. This gives you a new IP on a dial-up connection, and reduces the chance that someone along the datastream can associate your pot posts with the "real you".
Surfing at work may jeopardize your corporate-slave job. Many companies have the ability to closely monitor employees' computer usage and internet activity. Even if management is lenient about surfing, it's a wise move to clear your browser's cache and URL history regularly.
Open an anonymous email account. Don't post the email address your ISP gave you! There are dozens of free email services that let you enroll using bogus information. This site lists 'em all.
Use public computers for extra anonymity. Many universities, libraries, and cafes offer internet access for little or no cost. Use them for your most sensitive communicating.
Watch what you say. Many growers refer to "a friend's" garden to avoid incriminating themselves in their posts. Remember, it's not illegal to discuss illegal things, at least in the U.S. Proper marijuana-related websites are hosted somewhere with kinder laws. Say what you want, but remember Jackerspackle's Law: don't say anything on the internet that you may regret later.
Encrypt your most private communications. Your email service can read your messages, even the ones you deleted. Also, email can travel through many mail servers on its way to the recipient, and any of them may be looking at messages. For maximum security use PGP to encrypt email. Both parties will need to load the PGP software, but your messages will be virtually unreadable to privacy invaders, including law enforcement. Here is an easy introduction to using PGP and the software can be downloaded free.
Even with PGP be careful about downloading email attachments. Some of them have been known to hide viruses and trojan horses which the anti-virus programs don't detect. If you have any doubts about an attachment, be safe and open it at a public terminal.
"If worst comes to worst and an intruder should gain physical access to your computer, the following techniques will help safeguard your personal data from being disclosed."
Part II: Computer Security
This sensitive data might include your grow logs, pictures, and any programs you'd like to hide. It may also include compromising data you didn't even know you had on your computer.
Wipe It Clean
A common misconception is that deleting a file actually deletes the file. Nope. All that usually happens is the file's name gets removed from the disk's index -- the data itself is still there on the disk! Eventually it gets overwritten with new files and programs, but there's still a chance it can be recovered.
There are many "undelete" utilities out there that can easily recover deleted files. For peace of mind use a file-wiping program. File-wipers overwrite deleted files with random data to make them nearly impossible to recover, even with forensics software. A good file-wiper comes with PGP. Another good free one is BC Wipe. Both programs allow you to choose how many times to overwrite each file with random data. Choose at least 10 "passes" to totally shred a file.
Both PGP and BC Wipe can also wipe "file slack" and "free space". File slack is the unused space in a data cluster that's at the end of most files. It can contain data from a previously deleted file. Free space is any unused disk space on the hard drive, including any files you "deleted" the old way. It may take all night to wipe a large hard drive clean, but for some it's definitely worth it.
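To make the overwrite idea concrete, here is an added example (not code from PGP or BC Wipe) that overwrites a file in place with random data for a chosen number of passes, pads the write to the end of the last cluster so the file's own slack is covered, then renames and deletes it. The 4096-byte cluster size and the function names are assumptions; in-place overwriting only reaches the original data on filesystems that rewrite the same blocks, which journaling or copy-on-write filesystems and flash drives do not guarantee.

```python
import os
import tempfile


def slack_bytes(size, cluster_size=4096):
    """Unused bytes in the file's last cluster (the "file slack")."""
    return (-size) % cluster_size


def overwrite(path, passes=10, cluster_size=4096, chunk=1 << 16):
    """Overwrite the file, padded to a cluster boundary, with random data.

    cluster_size is an assumption; use the value your filesystem reports.
    Returns the number of bytes written in each pass.
    """
    size = os.path.getsize(path)
    padded = size + slack_bytes(size, cluster_size)
    with open(path, "r+b") as f:          # r+b: write in place, never truncate
        for _ in range(passes):
            f.seek(0)
            remaining = padded
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n))    # fresh random data on every pass
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push this pass out to the disk
    return padded


def wipe_file(path, passes=10, cluster_size=4096):
    """Overwrite the contents, rename to a random name, then delete."""
    written = overwrite(path, passes, cluster_size)
    # Renaming first keeps the original file name out of the freed index entry.
    folder = os.path.dirname(os.path.abspath(path))
    anon = os.path.join(folder, os.urandom(8).hex())
    os.rename(path, anon)
    os.remove(anon)
    return written


if __name__ == "__main__":
    # Constructed demo file in a scratch directory.
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "notes.txt")
    with open(target, "wb") as fh:
        fh.write(b"constructed sample text " * 100)
    print("slack:", slack_bytes(os.path.getsize(target)))
    print("bytes per pass:", wipe_file(target, passes=10))
    print("left behind:", os.listdir(scratch))
```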
Another security risk is Windows' "swap file". Windows frees up RAM memory by temporarily moving data over to the swap file on your hard drive (it's written back to RAM later if needed). Someone could easily scan your swapfile looking for passwords, grow logs, or something copied to the clipboard. The BC Wipe program can wipe the swap file clean. Also don't forget about Windows' recent documents listing (the one in the Start menu at "Documents") at: C:\Windows\Recent.
Encrypt Your files
Any files or programs you want to hide from prying eyes should be encrypted. Encrypted files are basically useless to law enforcement. Many encryption programs are available, but PGP is recommended here because of its widespread use and effectiveness. Bankers, businessmen, and politicians all use it regularly. The files you encrypt are de-crypted using the special password you select. Be sure to choose a long and complicated passphrase. Simple passwords are easy to crack.
Some programs can create an encrypted virtual drive on your hard drive that can hold files and even entire applications in total secrecy. The virtual drive is given a new drive letter like E:\ and can be used like an ordinary drive, except it's opened only with your password. There are no external hints of what files are inside. Scramdisk and also PGP can create encrypted virtual drives.
Part III: More Tools
Firewalls: A firewall is a security program that blocks unauthorized access to a computer (or network). A firewall inspects each packet of internet data entering or leaving your computer's ports and decides whether it should be allowed to pass or be blocked. Firewalls protect against all sorts of hacking, like Trojan horses, probing of your ports, spoofed IPs, and cracking of Windows' File & Print Sharing passwords. Trojans, for example, can secretly send info about your machine to someone else on the net.
Steve Gibson runs an outstanding site that is constantly updated with the latest firewall information. He recommends the new free release of Zone Alarm. Firewalls should be standard equipment on all new computers, but until that day it's well worth the few minutes to install a good one. Be careful with simple "port monitor" programs. Some of them open all your ports, which can attract the attention of passing port scanners. A good firewall works on a lower level while it monitors all port activity.
Anonymity 4 Proxy (A 4 Proxy) - Excellent proxy management program that automatically tests and grades each proxy's anonymity according to several variables. It has a database with hundreds of verified anonymous proxies, or use your own... sorts them by speed, even finds the fastest one for each website. Highly recommended.
Evidence Eliminator - a complete wiping "suite" that cleans everything - cache, cookies (except the ones you want), swap file, file slack, free space, as well as any files you specify. Highly recommended.
Window Washer - another wiper that cleans the cache, recent-documents history, auto-complete data forms, etc., and can selectively wipe cookies.
Junkbuster - Program that blocks cookies (selective) plus it can block unwanted advertisements and webpages. Also blocks the "referer" field, which tells websites the URL of the site you just clicked from.
Intermute gets rid of cookies (selective), referers, Java, JavaScript, ads, animation, and more.
Conclusion
It's sad that governments hunt and oppress growers for such a petty, victimless crime. Your safety on the internet will depend a lot on the political climate in your area. Fortunately most growers have four factors in their favor:
First, the ever-growing number of cannabis enthusiasts on the net provides "safety in numbers". Investigations are costly and time-consuming, so "mass busts" are impractical, especially with the international readership here.
Second, the profusion of other "vices" on the 'net - from credit card fraud to child porn to illegal weapons sales - gives marijuana sites a relatively low priority among investigators. (The highest priority, incidentally, is national security and terrorism).
Third, most countries have fairly decent civil-rights laws that protect citizens from their governments. In the U.S., for example, privacy laws usually require at least one court order to track someone down through their computer, while the First Amendment of the Constitution guarantees your right to discuss growing (assuming you don't actually admit to growing. ;-)
Last, there are the safe-surfing techniques we looked at. These factors make the chance of being harassed very slim. In fact, we know of no growers who have been busted from posting on a marijuana site. But we want it to stay that way, so play it safe.
Changing Your Settings
Proxies - Cookies - Cache
Browser settings for proxies:
Just like any computer on the internet, a proxy server has a unique IP address and a corresponding domain name. It also has a port #. You can use either the IP or the domain name in your browser, since they're interchangeable. For example the IP of the Spanish proxy, linux.softec.es, is 194.224.102.2 and the port is 8080. Most proxies use ports 80, 3128, 8000, or 8080. Proxies are often listed with the port # tagged on to the end of the address: linux.softec.es:8080 (or 194.224.102.2:8080). Go back to the article for some lists of proxies on the web.
For Opera version 3 or 4:
Click Preferences,
Select Proxy Servers,
Put a check at HTTP and enter the proxy, and enter the Port #.
For Microsoft Internet Explorer 5:
Select the Tools menu,
Choose Internet Options,
Click the Connections tab,
Double-click on your dial-up connection,
Put a check at Use a proxy server,
At Address enter the proxy, and enter the Port #.
For Microsoft Internet Explorer 4.0.1:
Choose the View menu,
Select Internet Options,
Select Connections,
Select the Automatic Configuration "Configure" button,
Enter the proxy in the text box.
For Microsoft Internet Explorer 3:
Choose the View menu on your web browser,
Choose the Options,
Select Connection,
Tick Connect through a proxy server,
Click the Settings button,
At HTTP Proxy enter the proxy, and in Port: put the port #.
For Netscape Navigator version 1, 2, or 4:
Choose Options from the browser's menu,
Select Preferences,
Select Proxies,
At HTTP Proxy, enter the proxy, and enter the Port #.
For other browsers, try http://proxys4all.cgi.net/setup.shtml.
Disabling Cookies
Cookies are usually stored in a file called cookies or cookies.txt or MagicCookie.
For Opera version 3 or 4:
Select the Preferences menu,
choose Advanced,
and de-select Enable Cookies.
While you're there also deselect Enable Referrer.
For Microsoft Internet Explorer 5:
Click the Tools menu,
Select Internet Options,
Click the Security tab,
Highlight the Internet icon and click Custom Level.
Scroll down to Cookies and select disable or prompt.
For Microsoft Internet Explorer 4.0.1:
Go to the View menu,
Choose Internet Options.
Click on the Advanced tab,
Scroll down to Security.
Under Cookies, select either Disable All Cookie Use or Prompt Before Accepting Cookies.
For Netscape Navigator 4.0:
Select Preferences from the Edit menu,
Choose Advanced,
Either select Disable Cookies or check Warn Me Before Accepting a Cookie.
For Netscape Navigator 3.0:
Select the Options menu,
Go to Network Preferences,
Choose Protocols.
Under Show an Alert Before, check Accepting a cookie.
More info on cookies at: Cookie Central
Cache and URL history
The cache stores recently viewed web pages for quick loading later. The URL history lists the websites you visited. Delete them, or better yet, wipe them.
For Opera versions 3 and 4:
Select Preferences, Cache, and check the Empty On Exit box. Or wipe the file manually, which is located in the Cache folder wherever you installed Opera. While you're there wipe the following URL history files: vlink.dat, global.dat, and opera.dir. To turn off URL history select Preferences, Generic, and deselect History, Direct Addressing, and Global History.
For Internet Explorer 4 and 5:
Select Tools, Internet Options, and click Delete at Temporary Internet Files to clear the cache, and click Delete History to clear the URL history. Change "Days to keep pages in history" to zero and you won't have to worry about wiping it regularly. The technique for wiping the cache depends on your file wiping program. If yours doesn't find the file automatically, wipe it manually at C:\Windows\Temporary Internet Files. For URL history check C:\Windows\History.
For Netscape Navigator 3 and 4:
Select Preferences, Advanced, and Cache. Click on Clear Memory Cache and Clear Disk Cache. Also on that screen is the current location of where you can find those files to wipe.