How easy can my ISP know?


titing3000
September 13th, 2006, 02:14 AM
Hello... I've been really paranoid with regards to my privacy since I've received anonymous calls from a guy... From the threads here, I've learned that my ISP can really know which sites I've visited... My question is, how easy? Would that be as easy as just a few clicks or would they have to install expensive software and make mind-boggling procedures?

I'm from a third world country so I'm still using dial-up and using Prepaid cards (I hope you can relate to this! :) ) I have also used website copiers (during off-peak hours, when it's free!)

Do you know of any free software that can prevent my ISP from prying? I've read about Secretmaker (http://www.secretmaker.com); will it help?

Thanks a lot,

Titing

titing3000
September 13th, 2006, 02:38 AM
As an added question: if my ISP would like to do so, can it know what password I use to log on to this forum? What else can an ISP know about me aside from the sites I've visited... Thanks a lot!

dog
September 13th, 2006, 03:17 AM
Quite easy, they'd just have to grep the logs and yes, they could see the details of your user logon as it's passed in plain text. The software you point to won't help you with your concerns, you'd need to use an anonymous proxy like Tor (http://tor.eff.org/index.html.en) or JAP (http://anon.inf.tu-dresden.de/index.html) - or a similar pay service -- the two linked to are free and both services will prevent traffic analysis.

titing3000
September 13th, 2006, 09:14 AM
Thanks a lot! But somehow that information frightens me. Now I know my ISP can see what password I use when I open my e-mail account and all other stuff over the net. From where I come from, there are no laws regarding privacy over the net. A psycho ISP employee could wield a lot of power...

Climenole
September 13th, 2006, 10:03 AM
Hi titing3000 :-)

When you send an email everything is transmitted in clear within the internet:
your ID, your password (yes! :-( ), and the content of your email...

This is easy to check with a packet sniffer such as Packetyzer from Network Chemistry
http://www.networkchemistry.com/products/packetyzer/

And this is only an example.

For email one possible solution for you is to use Gmail (Gmail uses SSL/TLS) + encrypted email with GnuPG (Thunderbird + Enigmail)...

But this is only for email (not taking into account the DNS requests ...)

Thunderbird
http://www.mozilla.com/thunderbird/

Enigmail
https://addons.mozilla.org/thunderbird/71/

GnuPG
http://www.gnupg.org/(en)/index.html

If you need an invitation for a Gmail account just tell me...

To have a more complete privacy solution you may use Tor as Dog said, but on a dial-up line it will be slow... (maybe this is the price for privacy?)

Tor:
http://tor.eff.org

:-)

sweater
September 13th, 2006, 12:15 PM
{QUOTE-> Quite easy, they'd just have to grep the logs and yes, they could see the details of your user logon as it's passed in plain text. The software you point to won't help you with your concerns, you'd need to use an anonymous proxy like Tor (http://tor.eff.org/index.html.en) or JAP (http://anon.inf.tu-dresden.de/index.html) - or a similar pay service -- the two linked to are free and both services will prevent traffic analysis. <-QUOTE}


Aside from TOR and JAP...is there any other anonymous proxy to use that will not slow down surfing? ::) ???

Climenole
September 13th, 2006, 01:14 PM
Hi sweater :-)

{QUOTE-> Aside from TOR and JAP...is there any other anonymous proxy to use that will not slow down surfing? ::) ??? <-QUOTE}

With an "anonymous proxy" you're "anonymous" for the web site you visit...

This does not prevent traffic analysis from the ISP (or the proxy itself...).

When you establish a connection to this proxy:

1- the DNS request announces to the "whole world" where you're going

2- the communication between your PC and the proxy is done from your PC to your ISP server and many other "middle-man" servers to the proxy server itself...

These communications : PC <-> ISP server <-> "middle-man" servers <-> anon-proxy are in clear ...

The only thing anonymous here is your IP address for the site you visit with the anon-proxy:

PC <-> ISP server <-> "Middle-man" servers < your IP is known> anon-proxy < your IP appears to be the one of the proxy> web site you visit

(you may check this with tracert to have an idea of this [beware: tracert does not give the exact routing of your connections...] See Wikipedia about this...)

:-)

mercurie
September 13th, 2006, 01:41 PM
Unless encrypted, assume nothing is private. That is just the way I think of it. Keeping it in mind is the wise way to communicate over the net.

Also remember the hundreds of thousands of messages and data unencrypted and encrypted going across these servers. Who in the world has time to check all that?

Authorities are likely looking for key words and phrases with search tools and destination contact points for security reasons. They have no interest in most. You are a speck of sand on the beach as long as you are doing no wrong. Relax and enjoy life, do not get worked up over such worries. ;)

Devinco
September 13th, 2006, 08:20 PM
Sweater,

Using any type of proxy will slow your connection down. You are inserting one or more servers between you and the destination.

Now whether that slow down is acceptable is up to the individual.
A chain of proxies or JAP or TOR will be slower than just a single proxy.
JAP and TOR will be more anonymous than a single proxy.

AJohn
September 14th, 2006, 01:07 AM
{QUOTE-> ...For email one possible solution for you is to use Gmail (Gmail uses SSL/TLS) + encrypted email with GnuPG (Thunderbird + Enigmail)... <-QUOTE}

Food for thought: Can GMail be trusted any more than your ISP?

nadirah
September 14th, 2006, 03:12 AM
Your ISP knows everything! How can they possibly not know, unless all your traffic is encrypted? Your internet traffic passes through their servers every time you surf the net.

Well, there is no 100% foolproof security solution in this world.

Brinn
September 14th, 2006, 04:11 AM
{QUOTE-> 1- the DNS request announces to the "whole world" where you're going <-QUOTE}
DNS requests are resolved through TOR.
{QUOTE-> 2- the communication between your PC and the proxy is done from your PC to your ISP server and many other "middle-man" servers to the proxy server itself...

These communications : PC <-> ISP server <-> "middle-man" servers <-> anon-proxy are in clear ...

The only thing anonymous here is your IP address for the site you visit with the anon-proxy <-QUOTE}
Your ISP will know your IP (duh) but won't know what your final destination is.

Tor is set up so that no one agent knows both your IP and your final destination.

titing3000
September 14th, 2006, 10:43 AM
{QUOTE-> Unless encrypted, assume nothing is private. That is just the way I think of it. Keeping it in mind is the wise way to communicate over the net. <-QUOTE}

I think that would be great advice.... I guess I shouldn't mess with any of the ISP representatives here... they might find ways to blackmail me....

So how do you know if it's encrypted? ??? When I order thru the net, using my credit cards, is that safe?

Climenole
September 14th, 2006, 11:06 AM
Hi AJohn :)

{QUOTE-> Food for thought: Can GMail be trusted any more than your ISP? <-QUOTE}

Gmail uses SSL/TLS: combined with encrypted email this is a reasonable solution. Please note that I don't trust my ISP: Bell Sympatico. (Eastern Canada)

- They are M$ "pal"...
- They make traffic analysis
- and so on...
but they are not "!"$%||;-((# !!!" as AOL (AO Hell) ;-)

:)

Climenole
September 14th, 2006, 11:14 AM
Hi titing3000 :-)

{QUOTE-> So how do you know if it's encrypted? ??? When I order thru the net, using my credit cards, is that safe? <-QUOTE}

Check in your browser: in Firefox the address field is in yellow when you are in an encrypted connection (HTTPS port 443 on the server)...

Instead of paying directly with your credit card, why don't you use PayPal?
http://www.paypal.com/

With the PayPal service the seller has no information about your credit card... That's better, no?

:)

Climenole
September 14th, 2006, 11:25 AM
Hi Brinn :-)

{QUOTE-> DNS requests are resolved through TOR.

Your ISP will know your IP (duh) but won't know what your final destination is.

Tor is set up so that no one agent knows both your IP and your final destination. <-QUOTE}

I'm running a Tor server...

DNS requests are (hardly) resolved within Tor as you know. I have to combine Tor with Privoxy (as usual) and FreeCap for some applications.

And there are still DNS leaks. The only way I found to avoid this is to block
all DNS requests with my rules set firewall (LNS). Even though my exit policies deny
port 53, there are some DNS leaks from Tor...

:-)

Brinn
September 15th, 2006, 12:59 AM
I have no problems with DNS leaks. Something is amiss with your configuration.

Climenole
September 15th, 2006, 02:50 PM
Hi Brinn :)

Tor has DNS leaks.
I block these leaks with my FW.


;-)

Brinn
September 15th, 2006, 05:30 PM
Your setup is incorrect. I have no such problems. My computer doesn't even make the attempt at a DNS request when I have Tor switched on. I've parsed my firewall logs and find no DNS leaks.

List everything you use that needs internet access. If you use Firefox, list all the extensions you use. A copy of your Privoxy main configuration might show something too. Let's see if we can diagnose this.
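The firewall-log check described in the post above, as an added example that is not part of the thread: it scans a log for DNS lookups (port 53) that leave the machine instead of going through the local Privoxy/Tor chain. The log format, the sample lines, the process names and the function names are all constructed for illustration; they are not the output of LNS or any real firewall.

```python
import ipaddress
import re

# Constructed sample in a hypothetical log format (assumption, not a real product's).
# 8118 is Privoxy's default listener, 9050 Tor's default SOCKS port.
SAMPLE_LOG = """\
2006-09-15 17:02:11 ALLOW TCP 127.0.0.1:1044 -> 127.0.0.1:8118 app=firefox.exe
2006-09-15 17:02:11 ALLOW TCP 127.0.0.1:1045 -> 127.0.0.1:9050 app=privoxy.exe
2006-09-15 17:02:12 ALLOW TCP 192.168.1.10:1046 -> 198.51.100.7:9001 app=tor.exe
2006-09-15 17:02:15 ALLOW UDP 192.168.1.10:1047 -> 203.0.113.53:53 app=mailclient.exe
2006-09-15 17:02:19 BLOCK UDP 192.168.1.10:1048 -> 203.0.113.53:53 app=firefox.exe
2006-09-15 17:02:25 ALLOW UDP 192.168.1.10:1049 -> 203.0.113.53:53 app=tor.exe
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"app=(?P<app>\S+)$"
)


def find_dns_leaks(log_text, relay_process=None):
    """Return every log entry where a local program sent a DNS query off-host.

    relay_process: name of a Tor server process whose own lookups are expected
    (a relay resolves names on behalf of other users); those are not reported.
    """
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a connection record
        if int(m["dport"]) != 53:
            continue  # only DNS (UDP or TCP port 53) matters here
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparsable address, skip the record
        if dst.is_loopback:
            continue  # query to a local resolver never reaches the ISP
        if relay_process and m["app"].lower() == relay_process.lower():
            continue
        leaks.append({
            "time": m["ts"],
            "app": m["app"],
            "resolver": m["dst"],
            "proto": m["proto"],
            # ALLOW: the ISP's side saw the lookup. BLOCK: attempted, stopped locally.
            "escaped": m["action"] == "ALLOW",
        })
    return leaks


def summarize(leaks):
    """Count escaped and blocked lookups per program."""
    summary = {}
    for leak in leaks:
        counts = summary.setdefault(leak["app"], {"escaped": 0, "blocked": 0})
        counts["escaped" if leak["escaped"] else "blocked"] += 1
    return summary


if __name__ == "__main__":
    for app, counts in summarize(find_dns_leaks(SAMPLE_LOG)).items():
        print(f"{app}: {counts['escaped']} escaped, {counts['blocked']} blocked")
```

A blocked entry still shows a program trying to resolve names outside Tor, so it points at a misconfigured application even though nothing reached the ISP.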

faterider
September 18th, 2006, 11:26 PM
{QUOTE-> So how do you know if it's encrypted? ??? When I order thru the net, using my credit cards, is that safe? <-QUOTE}

As far as I see from the lots of posts titing3000 just got confused.

So titing3000, as dog said - use Tor or Jap and all your problems are solved. They provide encrypted connections and that is their main purpose. If you use one of them nobody can see the content you exchange and this includes all usernames, passwords and mails. And since you are on dial-up (which is slow) it is slightly better to use Tor because it's a lil bit more secure (dns, more intermediate nodes, etc.).

Just go to Tor's homepage and learn how to make it.

Paranoid2000
September 20th, 2006, 02:48 PM
For a dialup connection, JAP would be an easier choice than Tor since the Tor client has to download a list of servers to start with, which can take at least a few minutes on a good dialup connection (it is several hundred K in size and growing).

As for DNS requests in Tor, these are done by the exit server (i.e. setting an exit policy blocking port 53 access is a *very bad* idea since it prevents anyone from accessing domains, making your system effectively useless as an exit node). The oft-discussed issue of DNS-leakage is a SOCKS v4 problem which can be addressed by using Privoxy or other SOCKS 4a software as a proxy.

All traffic in Tor is encrypted except for the last stage (between the exit server and the website) - this can't be encrypted since the website in question is expecting traffic in the clear. In theory this means that an exit-server operator can monitor which sites are being accessed but they have no way (without co-operation from the other 2 relay servers) of finding out whose traffic it is - unless that traffic includes personal information (e.g. your real name). Your ISP would only be able to see encrypted traffic going towards a Tor server.

JAP is similar (encrypted traffic in, clear traffic out) but it uses fewer relay servers (only one with the default Dresden service) so the operator could track users if they wished - it is however better than any commercial proxy/anonymising service where the payment method gives the operator a link to your real identity (there may be some offering anonymous means of payment, but most don't - Paypal is not anonymous!).

HTTPS encryption (used by most sites for credit card details) will conceal data but not the connection itself (so your ISP will be able to tell you are visiting www.myshop.com but not what you did there). HTTPS can be run over JAP/Tor, which is what happens when you visit a https: site using these systems (in which case, the exit traffic would be encrypted also).

It is highly unlikely that an ISP is going to attempt to blackmail its customers by revealing private data gleaned from traffic analysis but there is the risk of such data being sold to marketers, collected by governments (many Western countries now require ISPs to log such data) or being disclosed due to subpoenas/court action. As such, routine use of anonymising proxies like JAP/Tor should be considered basic privacy self-defence - but do bear in mind that further steps need to be taken to counter user tracking via cookies or surreptitious HTTPS connections (http://www.wilderssecurity.com/showthread.php?t=31087).
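The SOCKS 4 versus SOCKS 4a difference mentioned in the post above, as an added example that is not part of the thread: it builds both CONNECT requests byte for byte and parses them back to show which side has to perform the DNS lookup. The function names are hypothetical, and the host name and address are constructed sample values.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x04
CMD_CONNECT = 0x01


def build_socks4_request(dst_ip, port, user_id=b""):
    """SOCKS 4 CONNECT: VN, CD, DSTPORT, DSTIP, USERID, NUL.

    The request can only carry an IPv4 address, so the application has
    already resolved the host name itself, outside the proxy.
    """
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, packed_ip)
    return header + user_id + b"\x00"


def build_socks4a_request(hostname, port, user_id=b""):
    """SOCKS 4a CONNECT: DSTIP is the placeholder 0.0.0.x (x != 0) and the
    host name follows the USERID, so the proxy does the resolution."""
    placeholder = bytes([0, 0, 0, 1])
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, placeholder)
    return header + user_id + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_request(data):
    """Decode either request form and report who resolves the name."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS 4 request")
    version, command, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if version != SOCKS_VERSION or command != CMD_CONNECT:
        raise ValueError("not a SOCKS 4 CONNECT request")
    user_end = data.index(b"\x00", 8)  # ValueError if the terminator is missing
    is_4a = raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0
    if is_4a:
        host_end = data.index(b"\x00", user_end + 1)
        host = data[user_end + 1:host_end].decode("ascii")
        if not host:
            raise ValueError("SOCKS 4a request without a host name")
        return {"variant": "SOCKS4a", "target": host, "port": port,
                "resolved_by": "proxy"}
    return {"variant": "SOCKS4", "target": str(ipaddress.IPv4Address(raw_ip)),
            "port": port, "resolved_by": "client"}


if __name__ == "__main__":
    # Constructed sample values: a documentation address and host name.
    for request in (build_socks4_request("192.0.2.10", 80),
                    build_socks4a_request("www.example.com", 443)):
        print(request.hex(), parse_request(request))
```

A request that parses as plain SOCKS4 means the program looked the name up through the ordinary system resolver before contacting the proxy, which is the lookup the ISP can see.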

Climenole
September 20th, 2006, 10:56 PM
Hi Paranoid2000 :-)


A)

{QUOTE-> For a dialup connection, JAP would be an easier choice than Tor since the Tor client has to download a list of servers to start with, which can take at least a few minutes on a good dialup connection (it is several hundred K in size and growing).
<-QUOTE}

«In 2003, JAP was backdoored by the German BKA. The backdoor was removed afterwards, but it led to people distrusting the software.»
Ref.:
http://en.wikipedia.org/wiki/Java_Anon_Proxy

It's true that Jap is better for a dialup connection when it's online... ;-)

{QUOTE->
As for DNS requests in Tor, these are done by the exit server (i.e. setting an exit policy blocking port 53 access is a *very bad* idea since it prevents anyone from accessing domains, making your system effectively useless as an exit node). The oft-discussed issue of DNS-leakage is a SOCKS v4 problem which can be addressed by using Privoxy or other SOCKS 4a software as a proxy.
<-QUOTE}

I'm running a Tor server with this exit policy:
accept 22, 80, 119, 143, 443
not 53 ...

If not allowing port 53 in my policies makes my exit node useless,
how to explain:

1- that this policy is possible in the Tor server parameters?

2- that many Tor servers have this policy with no complaints from anybody
[check in gmane.network.tor.user, the mailing list for or-talk accessible from NNTPS Gmane server]

3- I'm giving 50 KBytes/sec on the bandwidth I pay and be sure
this bandwidth is fully used by Tor users (more than me...) on ports
allowed by my policies. [I have my firewall log to prove this. ;-) ]

??? Is my exit policy wrong? :o Maybe!

I'll ask this question in the or-talk mailing list !!! :o


DNS leaks with Tor are a real problem and I hope it will be fixed. Using sock4 third party programs such as Privoxy or FreeCap solves only one part of this problem.

Personally I'm working on this issue with the best of my knowledge and, as far as I know, even with an exit policy blocking port 53 there are DNS leaks from Tor and not only my applications... (blocked by a special rule on my firewall.) This may be checked with a packet sniffer for example.

Maybe a solution (for a future release of Tor) is to use the Distributed Hash Table techniques to deal with the translation URL <-> IP ...

B) About the HTTPS connections problems (and leaks): it seems that the same problem happens with GMAIL used within a web browser...

Ref:
"Using Gmail (with Tor) is a bad idea Fabian Keil" in or-talk mailing list.

I hope that titing3000 will find a solution with all these posts.

Best regards,

:-)

Paranoid2000
September 20th, 2006, 11:37 PM
{QUOTE-> «In 2003, JAP was backdoored by the German BKA. The backdoor was removed afterwards, but it led to people distrusting the software.»
Ref.:
http://en.wikipedia.org/wiki/Java_Anon_Proxy <-QUOTE}
The "backdoor" wasn't removed but the German police's attempt to collect data with it was overturned on appeal - see AN.ON erneut gegen Bundeskriminalamt erfolgreich (http://anon.inf.tu-dresden.de/strafverfolgung/anonip4.html) (German, Babelfish English translation here (http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=de_en&url=http://anon.inf.tu-dresden.de/strafverfolgung/anonip4.html)).

This, by the way, can also happen with Tor's client (Tor's developers may be US-based but the US administration has shown itself more than willing to act "extra-legally" in the past). Both are open source so such attempts could be detected, and it should be noted that the JAP team went out of their way to make the modifications required as obvious as possible.

{QUOTE-> 1- that this policy is possible in the Tor server parameters?

2- that many Tor servers have this policy with no complaints from anybody
[check in gmane.network.tor.user, the mailing list for or-talk accessible from NNTPS Gmane server] <-QUOTE}
Because DNS queries will be routed via another Tor exit node allowing port 53 access instead. This may slow web access further though since a separate path would have to be opened for these.

{QUOTE-> DNS leaks with Tor are a real problem and I hope it will be fixed. Using sock4 third party programs such as Privoxy or FreeCap solves only one part of this problem. <-QUOTE}
If you are running an exit node, then the Tor server will do DNS lookups in order to service incoming requests (although if you block these via an exit policy, these will go to another node instead). This is actually useful since your ISP, even if it was keeping track of DNS lookups (quite impractical, considering the volume of traffic involved) would have no way of telling which were from you and which were from your Tor server - thereby giving you anonymity via deniability ("It wasn't me, guv...").

{QUOTE-> Maybe a solution (for a future release of Tor) is to use the Distributed Hash Table techniques to deal with the translation URL <-> IP ... <-QUOTE}
I think it unlikely that Tor will try to change or replace DNS - it would pose too many problems.

{QUOTE-> B) About the HTTPS connections problems (and leaks): it seems that the same problem happens with GMAIL used within a web browser...

Ref:
"Using Gmail (with Tor) is a bad idea Fabian Keil" in or-talk mailing list. <-QUOTE}
I don't know why that should be. Tor will provide good anonymity with any web-based email service - the only way GMail could find your real address is by using Java (hence the need to filter Java/ActiveX applets by default) and this applies to any webpage. Https: pages are far harder to filter (Proxomitron with SSLeay/OpenSSL or Firefox extensions being 2 filters that can handle HTTPS) so this may have been what Fabian was alluding to.

Climenole
September 21st, 2006, 12:08 AM
Hi Paranoid2000 :-)

Thank you for this complete answer.

Things are more clear for me now.
So I'll check this and I'll change my exit policies.


Best regards,
:)

Paranoid2000
September 21st, 2006, 12:33 AM
Glad to have helped - and thanks for contributing to the Tor network. :)

Brinn
September 21st, 2006, 11:11 AM
{QUOTE-> If you are running an exit node, then the Tor server will do DNS lookups in order to service incoming requests (although if you block these via an exit policy, these will go to another node instead). This is actually useful since your ISP, even if it was keeping track of DNS lookups (quite impractical, considering the volume of traffic involved) would have no way of telling which were from you and which were from your Tor server - thereby giving you anonymity via deniability ("It wasn't me, guv..."). <-QUOTE}
It might work in court but your ISP might not care who's looking up what, only that it's coming from your computer. Also, your ISP might not appreciate you farming out your bandwidth like that (even if it's for a good cause). Right now, I'm contributing 200megs/day to Tor. I'm ramping that up slowly. Eventually, I'd reach my soft limit on monthly bandwidth and my ISP will contact me.

I'm trying to find the balance point: Soft limit minus my personal usage equals bandwidth contributed to Tor. :D

dog
September 21st, 2006, 11:18 AM
Move over to Sympatico -- They've never complained about Bandwidth usage. ;) I'm a heavy user taking from my experience. :lurking:

Climenole
September 21st, 2006, 02:04 PM
Hi Dog :)

Good news !

Anyway I have unlimited bandwidth usage with them.

Thanks for this information.

:)

JinxGenius
September 23rd, 2006, 01:42 PM
hey hum.....
I have a suggestion.....

It's the ISP that knows what the hell you're doing, right?

Here's the deal:

After you've connected, use VPN tunneling with an encryption program to do all the connections. Thus the VPN server is like an ISP, but hosting it underground and "Private", with the 128bit encryption, I don't think it's "that easy" to see shit you're doing......

By the way, you can use the "Windows Internet Connection Settings" to link up all those VPNs together, so it can go "all and massive connection run underground".... running on port 8080..... hehehehe

this had been done by a Japanese already, although they make it a Japanese Commercial Program now, I still have an English very first version they released, and it sure works, all it needs is "man power", with that, no one can "sniff" whatever we are doing for real.

P.S. Thus I believe that the program could have integrated the BT technology, and it'll be great.

Paranoid2000
September 23rd, 2006, 01:53 PM
{QUOTE-> After you've connected, use VPN tunneling with an encryption program to do all the connections. Thus the VPN server is like an ISP, but hosting it underground and "Private", with the 128bit encryption, I don't think it's "that easy" to see shit you're doing...... <-QUOTE}
The ISP supplying the connection for the VPN server can see what sites are being accessed and since you'd be the only user, it would be easy for them (or other interested parties) to identify the source of your encrypted connections. This method is only useful therefore for avoiding casual observation by your "home" ISP (and is, BTW, on a par with most commercial anonymity services).

With Tor, your encrypted connection is sent via 3 relays before being decrypted and each relay has incoming connections from other users as well - making it far harder to match (encrypted) incoming and (clear) outgoing connections, even for someone with the ability to monitor significant portions of the Internet.

JinxGenius
September 23rd, 2006, 02:02 PM
no, although I'm the server, I basically provide the list of IPs that connects to me, for any connection, the packets itself will determine the shortest route, right?

then every packet will find its own way but not only connect through me, otherwise I'll call myself a proxy, not VPN-ISP, so the packet can leave the VPN from anyone to the destination, and most likely they might properly get cut into around 3~5 pieces(that I mostly found for least ones), only 1 piece is missing and it'll gonna take them real good time to reverse that part.

by the way, I don't expect that "VPN" will only have myself as a user also....

Paranoid2000
September 23rd, 2006, 09:18 PM
{QUOTE-> then every packet will find its own way but not only connect through me, otherwise I'll call myself a proxy, not VPN-ISP, so the packet can leave the VPN from anyone to the destination, and most likely they might properly get cut into around 3~5 pieces(that I mostly found for least ones), only 1 piece is missing and it'll gonna take them real good time to reverse that part. <-QUOTE}
Aside from not being able to understand half of what you are saying, the only conclusion I can draw is that you are unfamiliar with how Internet Protocol works.

If you send encrypted data via a VPN to another server, the ISP providing the connections for that server will see data coming in and will know where it came from (since every packet will have its source IP address included). The ISP will see non-encrypted connections going out and will be able to link the non-encrypted and encrypted connections together quite easily (via network analysis) unless you were sharing with hundreds of other users (of course, you would have to persuade such users that you were a trustworthy guardian of their anonymity first - not an easy task).

How packets are routed and whether they are fragmented or not, won't make the least amount of difference.

Genady Prishnikov
September 24th, 2006, 01:58 AM
{QUOTE-> The ISP supplying the connection for the VPN server can see what sites are being accessed and since you'd be the only user, it would be easy for them (or other interested parties) to identify the source of your encrypted connections. This method is only useful therefore for avoiding casual observation by your "home" ISP (and is, BTW, on a par with most commercial anonymity services).

With Tor, your encrypted connection is sent via 3 relays before being decrypted and each relay has incoming connections from other users as well - making it far harder to match (encrypted) incoming and (clear) outgoing connections, even for someone with the ability to monitor significant portions of the Internet. <-QUOTE}

Paranoid, You seem to be saying that your ISP can see what sites you are connecting to even though you are using a VPN. This is not so. Once the encrypted connection between my PC and my VPN server has been made, all communications are hidden from the ISP. They only see the initial connection to the VPN server.

In regular browsing, without VPN, your ISP can see all connections to an ssl-protected site, but cannot see what is taking place during the encrypted session. Is that what you are talking about? Because using VPN, they cannot see anything but the initial connection to the VPN server and nothing else as the VPN receives and sends all packets on your behalf and routes them to your PC via the encrypted connection. Maybe I misunderstood you, or your post wasn't clear as I think you already know this.

On edit: Paranoid, It's late here. I see now that you made the distinction between the ISP "providing the VPN connection" and the "home ISP". Sorry. But maybe my post will help others still confused by the whole VPN thing.

JinxGenius
September 24th, 2006, 03:38 AM
Genady, thanks for speaking out those points that I missed,

even with like 5~10 people, once I controlled my own VPN Service, the program will only use port 8080 to transfer data encrypted behind the tunnel,

yes, the ISP may still see who is connected to me, but can only assume I have a http server since I basically masked everything under it.

They can't see what you transfer but only where you connected to, just another peer, ain't that enough, and hell they know what you've been doing.

yes, although they can record all the encrypted packets, with 128bit encryption, how long do you think they will need to guarantee a full recovery of the info?

And I'm saying, making a VPN not provided by the ISP but using a 3rd party program, not Windows either.

Paranoid2000
September 24th, 2006, 05:15 AM
{QUOTE-> I see now that you made the distinction between the ISP "providing the VPN connection" and the "home ISP". <-QUOTE}
That's correct - it's the ISP for the VPN server that will be able to determine which sites are being accessed by whom (with a little network analysis).

JinxGenius
September 24th, 2006, 06:32 AM
as long as your requests are not sent direct from you through your ISP to the site, the problem "you think your ISP is spying on you" is taken care of, because he'd only communicate with another peer encrypted,

no matter if your communication is "recorded and analysed", it's encrypted anyway.