IP addresses and information security

[Sancho1977]

How do you guys protect our information? Ive just been thinking about the IP addresses if were not using VPN. What happens with that data? Do the big ISPs hold on to it - and for how long? Just wondering. Thanx

[instfixer]

""Do the big ISPs hold on to it""" answer: could be forever
The government could if they wanted to, sniff or access all the traffic [perhaps you have heard of the NSA]

There was a server that was handling an "ECCIE forbidden subject" then all the subscribers that logged on, could be traced back to their IP address, then the government took them out one by one.

One is never anonymous on the Web

[newalhobbyist]

I think all parties all the way to Eccie itself log and keep copies of IP addresses. I can not remember the specifics but I think there was a thread about multiple accounts that strongly suggested that Eccie records IP addresses and uses the information to check possible multiple accounts against a single IP address. Multiple accounts from the same IP address would generally then be required to suitably explain this issue.

[The Slut]

I think in this day and age we should all assume that our IP addresses are being recorded for almost any website we visit.

[Luv4Fun]

ISP's hold onto it a long time. They use it for all sorts of LE stuff as well as copywrite protection infringement enforcement (torrent usage type stuff.) Actual length depends on the provider. The better question is, when and how do they release it. What do they do with it internally. And if you care at all, why not pay the ~$40/year for something like cyberghostvpn and be done with it.

To me, the net/net is that they are logging your use - and you really can't control what they choose to do with it. Your only option is to let them and trust it won't bite you in the ass (probably won't) or protect yourself.

[tallliwhacker]

The standard policy of all website servers is to record the traffic logging on to the website. This included individual IP (Internet Protocol) addresses.

As to redundancy and durability of information floating around the net, remember that the internet was invented by DoD (as the ARPANet) and was designed with incredible redundancy so that it would operate in spite of a nuclear attack on the US by the soviets.

Your individual IP address is recorded when you register, logon or post on most all sites.

Logging into this site is not illegal.

Your ISP will not release the IPs logged onto a particular site without a federal warrant.

The federal govt could give a shit about logging onto a fantasy pay for play site that involves adults only.

Using the internet to steal money, deal in forbidden subjects, commit fraud; those things are of interest to the feds, not this.

Hope that helps.

[Guest010415]

Eccie does track IP's for multiple log ins/handles.
Trust me, I found out the hard way when I did something stupid like log onto someone else' account, and two of my own.
I was permanently banned, then given the chance to "come clean" which I did, and was un-banned.
If you have more than one account, eventually they will find out and ask you to explain. Whatever you do, NEVER log on anyone else'!!

Quote:

Originally Posted by newalhobbyist

I think all parties all the way to Eccie itself log and keep copies of IP addresses. I can not remember the specifics but I think there was a thread about multiple accounts that strongly suggested that Eccie records IP addresses and uses the information to check possible multiple accounts against a single IP address. Multiple accounts from the same IP address would generally then be required to suitably explain this issue.

[honeydavis]

I heard phone companies give the govt ALL their records automatically on a regular basis in order to comply with subpoenas. Since the companies didn't want to hold on to their records forever in order to be able to hand them over when asked for them, they just give -everything- to the govt at regular intervals and delete their data after like 72 hours or so. At least that's what I've been told by someone in the telecom industry. I would imagine ISP's and search engines do something similar. For example. An incident where a couple was arrested and questioned for browsing certain random items on amazon comes to mind.

And I would be careful about using VPN's... it'll give you a false sense of security if you pick the wrong one. I hear the sites that do that for free sell your info. And who's to say they won't cooperate with the govt if asked for records? I imagine a lot of companies would give in if certain agencies put enough pressure on them. In order for a VPN to work, they would probably have to be out of a foreign country that doesn't cooperate with US Govt... but at the same rate, if you go around browsing the internet with an IP from a country that isn't friendly to the US, you're gonna look like a terrorist, which is probably worse than just being careful about what you do or say on the net...it would only make the govt more interested in targeting you.

I'm of the personal opinion that nothing accessible via the internet can be kept secure from a good hacker... nothing.

What really bothers me is an article that I read the other day saying stores now have special equipment and are now tracking the MAC address on your cell phone as you walk around their building for marketing research purposes. They make a note of what area you're browsing and how long you spend in each part of the store....etc. All without permission.

Now THAT scares me. It's getting too much like Minority Report for my taste.

[stopdropandgo]

The MAC address tracking is simply WiFi routers. Turn the WiFi off on your phone and that should solve the issue.

Regarding the VPNs, you are correct. If you were to use a VPN, you'd want one that doesn't log. Harder to find, and not free, but they exist.

Eccie logs IP addresses. Those logs are usually, as mentioned, to ensure no duplicate handles. But don't think for a minute they won't hand those logs over if it is requested of them.

As for the last comment Iwant to address, the federal govt may not care about the IPs used to post on some fantasy pay for play site, but local sure as hell will. The Southwest Companions case that blew up in New Mexico a few years ago is a good example.

[Glenn Quagmire]

PBS Frontline investigations paint a pretty cohesive picture of what is going on. I am pretty sure there is even more than what has been exposed already or not added to this story.

FRONTLINE: UNITES STATES OF SECRETS

It's a two parter. almost 3 hours long, but very interesting if you haven't been following some of this stuff closely. I guarantee you will utter an expletive or two watching it.


The first time you ever get a computer and go to Google, a cookie is piggybacked to a Microsoft internal system cookie and you are tracked and linked to previous data about you quite easily. It is said Facebook has compiled a billion data points on each user so as to direct advertise with pinpoint accuracy.

Vbulletin software by default logs IP information. I don't know how long the default retention is or what Eccie might have it set to.

It is scary what companies and our government are doing compiling data on each of us. That power turned against its citizens would be horrifying. Freenet is something I am checking out now. Not having any success with it, yet. The darkside is not just for criminals, but for anyone who wishes to not be monitored or censored.

[Guest121014]

Quote:

Originally Posted by honeydavis

I heard phone companies give the govt ALL their records automatically on a regular basis in order to comply with subpoenas. Since the companies didn't want to hold on to their records forever in order to be able to hand them over when asked for them, they just give -everything- to the govt at regular intervals and delete their data after like 72 hours or so. At least that's what I've been told by someone in the telecom industry. I would imagine ISP's and search engines do something similar. For example. An incident where a couple was arrested and questioned for browsing certain random items on amazon comes to mind.

And I would be careful about using VPN's... it'll give you a false sense of security if you pick the wrong one. I hear the sites that do that for free sell your info. And who's to say they won't cooperate with the govt if asked for records? I imagine a lot of companies would give in if certain agencies put enough pressure on them. In order for a VPN to work, they would probably have to be out of a foreign country that doesn't cooperate with US Govt... but at the same rate, if you go around browsing the internet with an IP from a country that isn't friendly to the US, you're gonna look like a terrorist, which is probably worse than just being careful about what you do or say on the net...it would only make the govt more interested in targeting you.

I'm of the personal opinion that nothing accessible via the internet can be kept secure from a good hacker... nothing.

What really bothers me is an article that I read the other day saying stores now have special equipment and are now tracking the MAC address on your cell phone as you walk around their building for marketing research purposes. They make a note of what area you're browsing and how long you spend in each part of the store....etc. All without permission.

Now THAT scares me. It's getting too much like Minority Report for my taste.

And apple is developing an iphone / ipad specific variant of this, called ibeacon, which it is yet to be determined if they are going to be opt out / opt in on this one, and its specific purpose is for market research like you are stating. Many retailers also employ facial recognition software with their security cameras for the same use. They record how people move about the store for product placement and such. But in these examples, nothing is really more at risk than when you sign up for a shopper card at the grocery store or pharmacy for discounts.

Absolutely ECCIE records IPs, its built into vbulletin, which they use to run the site - that said, its pretty meaningless. You can change IP's, use public proxies, VPNs, TOR, etc; but visiting here, I wouldnt worry about. An IP address isnt enough to convict you of anything, nor are they some super unique identifier that the cops can type into a computer and see your current location. Generally IPs are used to try and tie a person to a computer, and serve a warrant on that computer...generally.

Should you care about hiding things like your IP, sure, but that goes for any site, just like not allowing javascript on untrusted sites, and using tools that block ads and all the tracking that is done for marketing online. Its one piece of the puzzle, and not one I would overly worry about here.

If you are security conscious, you should always turn wifi and bluetooth off on your phone in public / untrusted areas, and turn them on as needed. There was a recent test done (in central park i believe) that showed a homemade drone with off the shelf parts could act as a wireless hotspot and steal any traffic off a phone. Because most phones send out a signal when not connected looking for wifi access points they have connected to previously. This device would capture that information, and then send out a signal saying "Hey Im BobsHomeNetwork134" and allowing the phone to connect to the device using that network name. By doing that, the drone could then see any traffic that the phone sent / received, and they showed all types of different info that was compromised from website logins to emails to personal info. That said, basically the same thing can happen at any public hotspot.

[fragtasticator]

Quote:

Originally Posted by TX_JD

And apple is developing an iphone / ipad specific variant of this, called ibeacon

The answer to all this tomfoolery, of course, is Airplane mode, right? I mean, theoretically that shuts down all incoming and outgoing signals, yes? Or you could just turn the phone off.

Or buy a non-smart phone, I guess.

I still have my motorola razor flip phone from 2003, lol.

Who knows, something like that might be a hot commodity in the future!

[GneissGuy]

Quote:

Originally Posted by tallliwhacker

Your ISP will not release the IPs logged onto a particular site without a federal warrant.

That's a bad assumption.

Many ISP's have given up IP addresses without a warrant. Sometimes, it's just a request from some government agency with the legal formality and theoretical protections involved in a warrant.

Sometimes, it's some form of legally questionable technical interception. Sometimes, it's a warrant that names one person, but is improperly used to snoop on everything at that ISP.

Sometimes, it's simply illegal wiretaps via various means, including hacking or corrupting someone inside the companies involved.

[GneissGuy]

ISP's record the mapping between IP address and subscriber information for a long time. For instance, they know that 123.456.78.90 at noon on 01/01/2014 is Billy Bob Jones at 123 Main St., Anytown USA.

They don't necessarily keep the data that Billy Bob connected to www.bob.com, but it's possible. That gets to be a lot of data. It probably happens at least in some circumstances, especially with NSA type stuff. The numbers dialed on phone calls are usually kept for a long time.

Recording and keeping the actual web page data is a lot less likely. It probably happens when there is a request for a specific person or web site, but it's probably happens in a "future" sense, i.e. they don't record it until after they get a request.

Some limited things like text messages are more likely to be retained and kept on a long term basis.

Big brother is getting more intrusive all the time, so more and more stuff gets recorded and kept as time goes on.

Criminal hacking for profit is also growing all the time, including generalized snooping for blackmail, identity theft, hacking, etc.

[Guest121014]

Quote:

Originally Posted by GneissGuy

Recording and keeping the actual web page data is a lot less likely. It probably happens when there is a request for a specific person or web site, but it's probably happens in a "future" sense, i.e. they don't record it until after they get a request.

Actually this is starting to happen already, fulltime recording of all traffic that at some point crosses the US backbone. This is what the giant datacenter in Utah was built for. One of the largest crossovers for the US backbone to the internet is outside of Vegas, where they were able to add a "hidden" room, much like the hidden AT&T room in SF years ago.

The goal (at least at the time of construction) was to start recording all traffic that they could (and build subsequent datacenters near the other crossovers), and basically build a google like interface for all the 3 letter agencies to be able to search on a persons web history. The big deal with doing this, is that SSL is no longer secure. What makes SSL a secure encryption method for web usage is how hard it is to break in realtime without having some sort of man in the middle attack in play. With that data "recorded" they can "replay" your webtraffic in their environment to break the SSL, almost at will. Its quite a frightening proposition.

Now....what does this have to do with coming to EECIE? Not much. Unless you are into some really big time shit (human trafficking, big time dealing, etc) you likely arent going to be target with one of these systems. That said, you never know. And the problem isnt who is watching us, it is who is watching the watchers. We arent far from the days (in my opinion) of when they use these systems, and otherwise minor cromes, if crimes at all, against us. When they decide they want to go after you for something else, and they tell you that you can talk, or they can expose to your family how you post on a hooker board. Or they start prosecuting people based on the books they buy from amazon, etc. We have already seen the start of this with the IRS going after people that attack our current administration, its not a stretch to think that using our web history against us isnt the next step.

I could go on and on, but theres not a whole lot of gain in me doing so, and I dont want to sound like a tin foil hat crazy.....I just happen to work in InfoSec, and I know how such things can be used, and with the convergence of what our govt is doing to monitor us, the way they have been going after people for differing opinions, and how human nature tends to act when they have such tools at their disposal, it frightens me.

Last thing: protect yourself. Use any tools you can. But also know NONE are 100%, but just because there is nothing that is a 100% solution, doesnt mean you shouldnt use anything. Do what you can to make it harder to gain information on you, and be proactive in protecting yourself. Just remember, convenience and security are nearly antonyms - its VERY hard to have both, so every time you want something "easy", say keeping in touch with old friends via facebook, remember, that comes at a cost. I cant tell you which pieces are worth the trade off, because that is a personal thing, and there is nothing wrong with using such systems, as long as you know what you are giving up to do so.

Just like everything else, be educated.