LTC License Validation Website

[ScottDLS]

It took the FBI over a year to find Ross Ulbricht and bring down Silk Road black market even with warrants and cooperation of international authorities. He was using Tor which is more powerful (and way slower) than most commercial VPNs, but still if you want to maintain a pretty robust level of privacy from the Government and hackers a good start is a decent commercial VPN.

That was On the job training. There was an extreme learning curve. They now have the ability to track it down in weeks or less. As for the remainder of your post. I remember when nobody believed the DOJ in co-ordination with the FBI and CIA would ever spy on a presidential candidate. We must not be naive in thinking there are limitations to the level of corruption our government will go to take away the rights of American citizens. The deep state does exist and is utilized for the elite to maintain power over the people. There is a concerted effort on the part of people in our government to put an end to the We The People part of the constitution.

Targeting specific individuals is much less difficult than creating a shadow database of disparate and unrelated web transactions and sorting them into a useful tool for gun control. Especially when you can just illegally get the 4473s. DPS LTC check will have no appreciable effect either way. Although I still think it’s a solution looking for a problem. As I discussed in my post gathering useful investigative information from individuals who use even the most basic precautions is very expensive in terms of time and money, especially when simpler (albeit illegal) methods exist already. Building a shadow geo database of LTCs to gun owners using the DPS check is highly impractical.

[TreyHouston]

Do any of you high-ranking members have any way of contacting the deputy director Skylor? Just ask him why he made the website.

[DocV]

I am pro 2nd amendment. Any laws or regulations added to such is anti 2nd amendment. If it is voluntary, fine. The minute they modify and make it compulsory, it is one more step in taking away our rights. One inch at a time folks, one inch at a time.

I read your post and thought yep, I agree but then I thought, hmm... background checks are already mandatory and LTC allows us to skip the insta-check- but the intent was always that a VALID LTC was required. The questions has been asked in the past how could they know if your LTC wasn't valid.

I don't like any further infringement but this is like checking to see a DL is valid... and LEO's do that with every traffic stop.

So I ask honestly- because I'm thinking I may have missed something.... what is it about this (if it became mandatory) that you object to ?

Given the intended purpose of the site, one possible objection is timestamping and IP geolocation stamping of an LTC ID apparently transferring a firearm. Hence, the information could be used as a "soft" firearm registry. Of course, that information is available to ATF via the current physical inspection process but automating the process adds an efficiency not yet acheivable.

Always use a VPN.

Not good enough. Anyone with access to tier 1 and tier 2 instrumentation (netflow) data can establish traffic endpoints.

Let’s break that down. You want to Geolocate and timestamp the individual purchasing the firearm based on the request to DPS for the validation during a (presumed) firearm transaction to build a soft registry of guns to their owners....So first you have access to (all) net flow data tier one and tier two ( by definition worldwide) and you’re monitoring...in real time presumably, ALL internet traffic. You monitor the endPoint of the DPS server serving LTC checks. Then by determining the timing of the request, from the https request from the VPN exit point you scan and geolocate every incoming request to every entry point of that VPN that happened at that time (+/- .50 sec or so) to see if it is near a FFL location (what about private sales?) Then presumably DPS gives you all the LTC numbers transmitted in the request(s)...or do you crack the https request? Well since you have the NSA onboard presumably for the monitoring, what’s a little cipher cracking of AES 256 anyway? Then you make the “soft” registry of LTC to gun how? With NICS you don’t even have the serial number transmitted anyway, so how is ATF even making a soft registry currently. Presumably by (illegally) collecting all the 4473s in real time and putting them in the registry, which would capture LTCs and non LTCs with significantly less effort than real-time monitoring of worldwide internet traffic and without needing the assistance of DPS or the NSA. Even monitoring the non VPN requests to DPS and correlating them to FFL locations would be mostly useless. Note for VPNs, all this effectively has to be done in real time because they don’t keep logs and the exit point traffic Is mixed with thousands of other people’s. I don’t think the DPS IP for LTC check is unique, so I guess your opening the HTTPS request headers to get the URL...maybe the full URL is exposed before negotiating the SSL session? Or does the VPN endpoint establish the SSL session with the generic DPS/Texas.gov IP then pass the full URL request...NSA needed again to crack the SSL in real time. It took the FBI over a year to find Ross Ulbricht and bring down Silk Road black market even with warrants and cooperation of international authorities. He was using Tor which is more powerful (and way slower) than most commercial VPNs, but still if you want to maintain a pretty robust level of privacy from the Government and hackers a good start is a decent commercial VPN.

Start here...
How the NSA can break trillions of encrypted Web and VPN connections:
https://arstechnica.com/information-tec ... nnections/
that was written in 2015.

Given the purpose of the DPS endpoint, or end points, is known, there would be no need to decrpypt encapsulated layer 4.

[ScottDLS]

...
Start here...
How the NSA can break trillions of encrypted Web and VPN connections:
https://arstechnica.com/information-tec ... nnections/
that was written in 2015.

Given the purpose of the DPS endpoint, or end points, is known, there would be no need to decrpypt encapsulated layer 4.

I read the article and like most of the (known) NSA attacks on commonly used web/vpn protocols it depends on flaws in key generation and obsolete (Clinton era) cracks of purposely crippled (export controlled) PKE schemes. Undoubtedly there are many unknown flaws they are able to take advantage. But read closely and you'll find that most if not all of the "trillions of web sites" and "many" vpn connections that they can break rely on some (previously) undiscovered flaw in the encryption protocol and/or are still extremely computationally and financially expensive. Especially for building a flawed database of LTC to gun geolocated database. The timely location and tracking of VPN to device to DPS website geodata still suffers from the extremely difficult challenges that I noted (you're monitoring web traffic worldwide (Tier 1/2) in real time to catch the specific request to DPS web site and tie it to the end user IP geolocated in real time. Then you (NSA) hope that DPS is using a flawed and obsolete key certificate of <512 bits that they have already cracked for (on the order of) $100 million, so they can open up the packets to catch the LTC number. So maybe it works for FFL's where they know the end point, but again, like NICS checks, you just get a person (LTC #) and time...with no tie to the gun, until you pull the 4473. Which begs the question, why don't you (NSA) just (illegally) do that and build away at your database, which you can't use (legally) for prosecution anyway.

The interesting thing about modern PKI encryption schemes is they are very well tested in the public domain and there are non-government actors of some talent trying to find flaws and publish them (as could conceivably lead to a Nobel prize). With respect to Diffe-Hellman which was the first published description of the mathematics of a PKI implementation...

(side note, I spent some time around 2008 talking with Prof. Marty Hellman about another tech related issue, though I have read his PKI work and spoke briefly about that too)..

...Hellman has said that after he published his paper with Diffe, that GCHQ (England's NSA) came out and said..."we already invented that, but classified it a State secret"... to which most people said, "yeah sure...too bad, they published first".

Anyway, my point being, the cracking of PKI schemes, absent a flaw in the key generation is still (as far as publicly known) virtually impossible. And don't forget, the Public/Private keypairs are only used to exchange the (ephemeral, for that SSL session only) shared, symmetric cipher keys, so successfully decrypting data in real time depends on a confluence of unlikely factors. On the other hand, the NSA supposedly records everything for later decryption of that which they are interested in...but again that limits the applications where this could be useful.

Another interesting thing, the newest key generation schemes I've heard involve Elliptical Curve cryptography, where you have an equation that describes the graph of an ellipse. Apparently solving these complex polynomials for the two points on the ellipse is even harder than factoring large primes. Read up on these and you'll find that the NSA is accused of putting a flawed Elliptical Curve scheme out there, but supposedly got caught by public researchers. That's why some people prefer non-government symmetric ciphers vs. NIST standard AES256 or 3DES. Some non-gov ones are IDEA, BLOWFISH, TWOFISH,...