Method circumventing new laws - SESTA/FOSTA

[SimplyEcstatic]

Thank you for literally agreeing with me, case closed

[mathguy]

Wow. I've only just now been able to get back on OH2 but this thread has gone so sideways and has a fair glut of bad information in it now.

Point wasn't about the side railed convo on VPNs.
Also, yes, you are completely and totally untraceable to virtually anyone if you use TOR "over" VPN for all "realistic" intents and purposes.

On the decryption topics. Can certain things be decrypted? Oh sure. Virtually everything. We are talking about within reason though. Not using supercomputer, gpu clusters, etc... months and months of time and teams of experts just to find one item.

But the main thing is this wasn't about individual hobbyists anyway (though you should use some common sense and protect yourself similar to things ck and others mentioned). Anyway, it was really about the site proprietors.

[mathguy]

I apologize for coming at your thread, it is a situation that could lead someone down the wrong path so I had to provide additional information.

No worries. I don't take offense to you posting your thoughts. I do have some corrections and thoughts to share below though.

If simply encrypting data and using a VPN meant you were entirely secure and invisible, there would be no more hacking and the FBI/CIA would be almost entirely useless since most criminals would just go this route. I am not trying to alarm anybody, and VPNs are still awesome since I doubt any of us are committing crimes on a scale that would draw attention from federal agencies.

I was not claiming this in the original thread. Yep, you can always crack something. The question is how much effort do you actually want to put into it?
Using most of the techniques I mentioned, particularly in concert, does make any reasonable means of identification incredibly difficult without monumentally large amounts of money, time, and effort.

I do however want you to be informed and be aware the information in this thread is not entirely accurate and absolutely do not create a website in violation of these laws using these means as your only security while inside the US. If it were this simple then so many websites would not have removed large portions of content and other websites would not have shut down and ceased to exist.

I was not saying it's simple, but, even further I want to go back to the point that this was for website operators, and only affected users tangentially. Users have always been breaking the law by engaging in an "illegal hobby".

And to be fair, many sites are just covering their butts, especially the big ones (the Twitters and so on's of the world), until such time that they can repeal the bills, get legal precedent established (this one is a lot more likely to happen), or simply find out that the government doesn't really care about "this kind of stuff" - at least not to the degree that it would take to crack a system like I described.

You even mention that in the prior quoted text above, about how none of the hobbyists are really doing anything that rises to that level of investigation anyway (which I agree with). I've said the same thing for some time now, and I still maintain that position to this day. I even maintain it not just for individual hobbyists but also for low flying under the radar or "safe hobby community" sites that don't push the limits too much. I will not change that position until I'm proven wrong.

Also to be clear with encryption, encrypted data does not mean it can never be decrypted and yes proton mail can decrypt data just like any other encryption service can decrypt their own data. They purely claim not to be able to because the process and idea itself is too complex for the general public to be expected to fully comprehend and it would be an international dilemma if they did such a thing without federal (or some comparable entity in other nations) involvement. The accounts literally decrypt the data upon receiving it which means each account has its own decryption formula. They claim they cannot decrypt it although it is literally decrypted constantly and was programmed by somebody in the company. If you do not believe me, then take a look at real world examples. Sony was hacked just a couple of years ago and a ton of ‘encrypted’ data was accessed and stolen including credit cards and personal information. When iCloud took a huge hit for celebrity photos, security was loopholed simply by gaining access to a person’s account which is the same as gaining access to the decryption code through much simpler means (I bet this makes some people rethink their password choices). Did you know one of the ways that China mimicks American companies and replicates products is by accessing and decrypting secure data from companies in the US?

This is the part I have the biggest "concern" about (if we could call it concern?).
Yes, things can be decrypted. No security expert worth their salt would admit that anything is absolutely 100% foolproof.

However, virtually all systems that use encryption today are based on a form of a public/private key method. Short of having the private key (which only the end-user has) you will never crack the type of encryption available today without massive clusters of supercomputers working for months, or years, to decrypt the data. Is it possible? Well, yea, it "can" be done. Is it likely? Almost certainly not and if done smartly nearly impossible.

Even services like Proton (as an example) if they dump their logs, like many TOR entry points do, and scrub them, or scrub keys, then you will not be decrypting anything without millions of dollars in investigations, months, or even years time, and security analysts using clusters of powerful servers (or a supercomputer) working around the clock. Who is going to do that to find a small "hobby" site that isn't doing anything different than they have been doing for the last 20 years or so that such sites have been around online (e.g. not doing anything dangerous or of a truly disgusting nature)?
Or even more ridiculous, an end-user "hobbyist" (1 individual)? No way. And after all that it still may not work.

That being said, yes, if a federal agency got a hold of your physical devices, laptop, desktop, phone, etc... and could get your private key data then, yes, you would be in a more perilous situation.

The thing is, as we both said above, the end-users (i.e., "hobbyists") are not really a target, and the website operators would know better and their information would not be public, the site would be entirely anonymous, and even then they would have a fail safe in place to destroy any data in the event that someone got near the point of being able to identify their private cryptographic keys.

---

As to the issue of traceable IP's. Anything can be traced. Yes. It can.
However, you are going to have an extraordinarily hard time doing it over things like a VPN and TOR network. It is for all intents and purposes impossible within realms of reason for the purposes of our argument to do so.

Could an agency, or team, theoretically, if they wanted to spend millions, months time, or even years, using a supercomputer, or clusters, decryptying, tracking, and so on, trying to track down an IP source, actually do it? Yes, it's possible. But it's still a big maybe, highly unlikely, and a huge effort.

Is anyone going to do that for anything but the most disgusting, most illegal, most repulsive content on the internet (i.e. child porn, terrorism, hate speech, extremely dangerous content such as teaching people how to make destructive things, etc...)? No. Absolutely not. That's really why I posted this and my point about how it will protect people. But, again, it was really about website owners, not "hobbyists". The hobbyists are not the issue with regard to new federal oversight. The issue is the safe harbor provision. Which worries website owners. So they need a way to get around it. Because it's them going down, b/c they are afraid (whether it's real justified fear or not) that are making it so users (man or woman) can't access a site.

This was just one possible way website owners could circumvent. And, yes, the hobbyist community would need to learn to use such tools simply to connect to the site but it's not really about the end-users at all. Not at all.