Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    How much can you store on the file vault?
     
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    (Quote from post #127 in this thread, dated 7 JUL 2007)

    Steve, can you kindly provide a link to your comparative analysis of commercial anonymity services?

    Thank you.
     
  3. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I realize I said I was done with this thread, but I have one more thing to say. Praise is like a box of chocolates. It's best when done in moderation. Don't hope the trust is deserved, demand it. You have the power. I'm speaking as the guy who put several of the nails in the coffin of Privacy.li.

    From Steve's description, he obviously has put a lot of thought into the design of the service (multiple hops, offshore servers, layered encryption, etc.), and he clearly values privacy and freedom. But some of his thoughts on cooperation are not in line with my thinking. He shouldn't be so eager to cooperate on anything because the reality of a situation is rarely in line with how law enforcement is going to present the information to him. He needs to be savvy and understand the subtleties of how information can be manipulated to try to manipulate him. He needs to have a full understanding of the subtleties of each of the activities on his prohibited list. If he doesn't, he could find himself quickly overwhelmed in trying to figure out the right course of action. They'll throw words like "child pornography" or "terrorist" at him very loosely, and if he doesn't understand these subtleties, he could make mistakes.

    The people behind a service like this are ultimately likely to be the weakest link. The technology itself can be stellar, but if the people are flawed, your service will acquire those same flaws. That's why you have to have faith in those people.

    Ultimately time will tell how the service works out. I personally have no problem tearing apart any such service that doesn't live up to expectations. And to tell you the truth, if I'm hearing stories of arrests/convictions for child pornography, terrorism, fraud, etc. of people using XeroBank, I'm going to take that as a flaw in the service and not as justice served. Just a word of warning. Silence is golden as far as these types of services are concerned.

    And now for the praise. Steve is saying the right things. He seems believable and honest. The technology looks great. He seems to have a very good system in place. So, I hope it works out.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No limits. It will be metered like your usage. You get say 75GB per month. Each service has a ratio at which it consumes your GB balance. I think for storage it is 1:1, so if you have just a normal account with 75GB/month, you can store the full 75GB. You can upgrade your accounts too, so you could hit 1000GB if you were so inclined. :D

    Oh it's way outdated by now. I posted up my findings prior, but in another thread they were updated. Does anyone have that link?

    Malwaretesting,

    It's a lot more complex than I said... I can't say much more publicly, because that gives potential legal attackers more leverage than they need, but rest assured we are very interested in protecting client privacy. Haven't had a user's identity compromised in the last six years.
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    LOL! That is awesome! Almost sounds too good to be true. I am very excited about that!!!
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I wouldn't try storing files over 5GB yet, but otherwise, yeah, storage would be unlimited in theory.

    Here is a preview of the new control panel. We're all just running testing on stuff. Most of the changes we have to make are cosmetic. Some are functional stuff.

    edit: and another
     
    Last edited: Jun 6, 2008
  7. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    It may be important to note that the Xerobank network has been operational for nearly a year. This is not an entirely new service. May be new to people's awareness but they've been around for awhile.

    In that time, it would be more than reasonable to expect that a number of scenarios must certainly have occurred including legal challenges, investigations, subpoenas, requests for logs, possible arrests etc. and invasions against Xerobank users. I doubt they've been immune to that.

    Topletz has stated publicly on several occasions that usage of Xerobank has never resulted in a Xerobank member being identified or successfully prosecuted.

    And if he isn't being totally forthcoming, one would certainly conclude that there would be accurate information to the contrary such as media coverage, user reports, or solid, verifiable, credible information that people have been outed for using Xerobank. Unless they've been spirited away to an Egyptian prison, which would be unlikely in all cases.

    News spreads pretty quickly regarding seizure of the equipment of Tor nodes and investigations. Reference the recent spate of German investigations and seizures.

    The Hushmail fiasco was a fairly public event, albeit after the fact. But it was no secret.

    I realize that like a mutual fund, "past performance is no guarantee of future results."

    To the best of my knowledge, people have been outed as a result of improper usage of Tor. That's not Tor's fault. Reference derangedsecurity's revelations of a year ago. Email usernames and passwords transmitted over insecure connections and sniffed by malicious exit nodes. But Tor has remained resistant.

    Looks like thus far, Xerobank has maintained a similar security track record and has successfully protected its users.

    But time will tell, won't it?




    Granted, like a mutual fund, "Past performance is no guarantee of future results."
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Heh. I object to the mutual fund reference :)

    Mutual funds consist of typically public securities, the securities markets are operating at strong-form efficiency, meaning they are manipulated by Wall Street traders and insider deals.

    For the most part, I think what happens in the past is a good indicator for the future, and that extends to behaviors. Sometimes the behaviors appear unexpected, but only if you didn't have enough information about the system in question. If the behavior yields apparently inconsistent results, always check your premises.

    For Hushmail they didn't act inconsistent with their AUP. For Anonymizer, they didn't act inconsistent with their true motivations. As for Tor, if my talk gets accepted at defcon, you'll REALLY see some amazing things.
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I have a question. There was a discussion elsewhere about using a service to change an IP address. A guy posted this:

    I'm not sure that I understand what a MAC address is, but is this an identifier that is sent out with an IP address.....one that can pinpoint an ISP?
     
  10. Dogbiscuit

    Dogbiscuit Guest

  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks. I looked at that but I just don't have the background or knowledge base to understand it.....at this time, anyway. Does a website see your MAC address? And if so, can they determine your location or who you are?
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    To state it simply, your mac address is a hardwired serial number to identify your network card or network device.

    I'll have to brush up on it, but with xerobank vpn for windows the most they can do is fingerprinting with a mac address, not de-anonymization. The reason is that your normal mac address is not the one you use with XeroBank VPN, it is virtualized due to the virtual network adapter.

    If you are using xB Machine, you get a random MAC address automatically, every time you run the program.

    No worries, we're on top of it... if anyone is.
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks for explaining that. So with the VPN, what the outside world sees is a XeroBank MAC address? And with XB Machine there is a random one assigned.

    Is a MAC address something that a website normally sees? If you had a MAC address in front of you, would it tell you where a person lived? Or does it just identify a particular machine....like a serial number?
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No, you wouldn't normally see it. It is just like a serial number.
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That sounds interesting - any projected timeline for this?
    It is nonetheless a little trickier and since many sites have an automated procedure based on past abuse (e.g. blocking access to address X after 10 suspect actions), having more exits does provide a real benefit.
    Infiltrating a datacentre (as opposed to buying/setting one up) would mean having to keep one or more staff under agency "influence" (doable but risky) - a junction tap would remove that human factor but you'd likely need multiple ones to cover all traffic (since any decent datacentre will have multiple connections, ideally exiting the facility at different points). A safehouse for processing traffic would be necessary to reduce it to manageable levels but itself would present an element of risk.

    Compare that to a compromised router configured to send encrypted copies of very small amounts of traffic to a dropbox (a hijacked system owned by a third party, a newsgroup posting or an email account accessed anonymously) - this would be almost risk-free in comparison but would impose severe restrictions on the quantity of data collected. That makes it more plausible in my view.
    That would seem to be a problem for satellite communication since the signal has to pass through the atmosphere in the first place. Satellites do allow for narrowbeam transmission (an eavesdropper has to be between the transmitter and the satellite to intercept) which gives them an advantage for private communication though.
    That should require significant processing capacity so covertly installing a capable unit in a datacentre would seem tricky - law enforcement pressure or co-operation by the ISP would seem to be prerequisites here.
    I've split my response off to the The Tor Bandwidth Abuse Challenge thread.
    But the http headers (aside from cookie data) are not unique to a user. So yes, you could target Russian Firefox users or Turkish Opera users, but that is as specific as HTTP header fingerprinting can get.
    That's something we can discuss in the Bandwidth Abuse thread.
    I would also suggest covering in detail, those cases where XeroBank does decide to comply with information requests. The ideal disclosure policy would include:
    • an indication on the website of the number of cases under consideration (without giving any further details);
    • a brief summary of each case when complete providing non-personal information like the originator of the request, the category of the abuse (fraud, terrorism, copyright-infringement, etc) and whether it was accepted or denied;
    • for requests that were accepted, a more detailed explanation why - including the ethicist's report where applicable.
    Doing this would give existing (and potential) customers a clearer idea of what XeroBank considers abuse and when it would be prepared to act.

    The website has improved a lot though since I last viewed it (the blog and "rogue's gallery" team page being welcome additions). If you can provide a similar level of detail on the technical and legal sides, then that would address the concerns I raised previously.
    Assuming that the majority of your clients are not fraudsters though, including details would provide more reassurance that XeroBank is serious about protecting them against frivolous (or "misplaced") requests.
    Whoops - I fell for that one. :D
    This sort of information is well-nigh indispensable in helping people to judge a commercial privacy provider (and is as important as the technical aspects). Put it on your website!
    Again, solid useful information worth putting up on XeroBank's site. Having a step-by-step list of what (and who) is involved in getting information on a subscriber (and pointing out how much harder it is compared to other commercial services) could be a significant selling point.
    And this brings us rather nicely to the example of JAP's disclosure. To quote from a previous post of yours, "1:1 is a bad track record, and oblivion compared to 300 : 0... we're prepared to fight back, not send it to a lawyer and ask for the most diligent way to cave." The court order that JAP received was to monitor access to a child pornography site, so would it be a fair statement to say that XeroBank would have complied with a similar order to the best of its abilities? Would it agree to provide a similar level of future monitoring provided it was restricted to a single URL or IP address? And finally, would users be told at any point that this had happened? (the JAP project were barred from publicising the court order initially but were able to indicate that something was amiss by a rather obvious amendment to their source code).

    I would also echo Malwaretesting's concerns about abuse not being black-and-white even with something "obvious" like underage pornography, you have countries setting different age limits (from fourteen to eighteen) and "terrorism" is a word of almost infinite application (sidenote: the first use of the UK's "anti-terrorist" Regulation of Investigatory Powers Act to compel suspects to reveal encryption keys was used against animal rights activists). Providing more detailed definitions would make it easier for XeroBank to show consistency in enforcing its AUP.

    You also mention that XB blocks the seeding of torrents. What happens if someone wants to create a torrent of their own content (e.g. a game modification) or publicly distributable data? Are any other network activities similarly blocked by default?
    Lacking real-world experience of this myself, I'm happy to take your word for it. :D
    Elegantly fenced. ;)
    Aside from "Some XeroBank clients...may be protected under diplotic immunity" it seems quite well put together. I suspect the requirement to use PGP-encrypted email would deter most LEOs though. ;)
     
    Last edited: Jun 7, 2008
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Let's get xb2.0 launched first.


    I think that is correct for a certain portion of folks, like the hardcores and the due diligencers, but most people aren't going to pay attention to that at all. They are indiscriminate of practically all aspects from what I've noticed about marketing. Just look at TV ads. I saw an advertisement for some antacid that acts 2 hours faster than the other, but the other acts in 24 hours. They were really stressing the fact that you got relief two hours faster. They're really confident that people won't recognize that their product takes 22 hours to work, focusing on you getting back 2 hours. Really crazy stuff. If this is any indicator of society at large, they just need the warm fuzzies and brand name exposure.

    I *guess*... but it does give some sense of impropriety. I mean, that is okay for the pirate bay to do, but it isn't like Fedex or Starbucks is putting their legal dealings and court cases on their website.


    I'll mention it.

    While I can say that "I don't know" because I'm not the legal guys, I think that might count as a fishing expedition unless the website was specifically built for that purpose, and that links to that address did not exist in any search engine, and had a single and specific target in mind.

    I'll mention it.

    I would suggest posting it to rapidshare or some other. It probably won't work if they just try to do uploads, because the uPNP service won't be able to traverse the proxy hops for more than a few minutes exposure at a time.

    No, I don't think so. It isn't that torrents are blocked, per se, it's just that uPNP isn't supported.

    Let's say that the US government is a client. China sends a court order through panama, requesting a tap on the US government. Well, sorry, it doesn't matter if you have panama or not, because the US has sovereign immunity. I guess if that didn't come out correctly in the leo doc, maybe there is a better way of saying it. Some folks can't be tapped without some serious letters, and we'll honor that.

    Nah, they have message encryption. But what a fiasco if they tried to send the stuff plaintext... that would open up all kinds of violations, like a doctor handing off patient records to some third party. Can't do it.
     
    Last edited: Jun 8, 2008
  17. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    (Quote from 6 NOV 2007, post #243)

    Steve, can you kindly provide a link to the whitepaper?

    Thank you.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I would really love to, but it isn't even close to being presentable. We've reworked a lot of things, changed them around to see what works best. So every time we do that we're like, hey, that totally obliterates what we just wrote. I'm dying to have one by defcon if we're really lucky.
     
  19. comicbookguy

    comicbookguy Registered Member

    Joined:
    Jun 8, 2008
    Posts:
    9
    Steve:

    Would you describe how this Yahoo cookie works so those who don't use xB can also destroy it? To my knowledge, "special" cookies can only be created, or created in effect, through the use of plug-ins, extensions, or OBJECT-style links to external software. For example, Adobe's Shockwave Flash plug-in maintains its own cookie database, and Windows Media Player's GUID can be queried via OBJECT and JavaScript, "effecting" a cookie (individual identification).

    Can you define "massive"? I've read about Tor and the high likelihood of government-run [exit] nodes. But what percentage are you thinking, and how did you arrive at said figure?

    Every now and then, I see people discussing tracking internet users via their MAC addresses. According to everything I know about networking, this isn't "inherently" possible.

    For those who want a more wordy explanation: IP addresses are the internet's unique addressing scheme. MAC addresses are Ethernet's unique addressing scheme. You can therefore know the MAC address of another person's PC only if that person's PC exists in the same Ethernet LAN that you exist within.

    Perhaps some become confused about this because they know that their ISPs can see their MAC addresses. That's only true, however, because most types of internet service effectively extend each customer's local Ethernet LAN all the way to the ISP itself. I.e., the customer PC generates IP packets, wraps those IP packets in Ethernet packets, and dumps those Ethernet packets on the customer's home Ethernet LAN. The DSL/cable modem then wraps those Ethernet packets in ATM/DOCSIS packets and sends those ATM/DOCSIS packets to the ISP. At that point, the ISP strips away the ATM/DOCSIS layer, yielding the Ethernet packets inside. Then it strips away the Ethernet layer, yielding the IP packets inside. Those IP packets, which contain no references to the MAC address of the PC they came from, are then sent to the internet. Hence making it impossible for anyone on the internet to know the PC (or NAT) MAC address of anyone else.

    Of course, client software, like a web browser, can be asked to reveal the MAC address of the PC it's running on. But in this case, it is either a "feature" (i.e. JavaScript, which the user can disable), or an exploit (in which case, it's usually corrected by the software maker if reported).

    Inherently, though, there's no MAC address tracking possible on the internet. Even the authorities can't seem to get this fact straight. One particularly bad example I remember seeing long ago: http://www.foxnews.com/story/0,2933,247903,00.html. They state that "both the IP address assigned to the Bandy computer by the Bandy's Internet service provider Cox and the MAC address of the Bandy computer were matched to the [Yahoo group] postings." Not possible, unless Yahoo was exploiting browsers or sniffing with Java/JavaScript/whatever. Which I can't see them having the balls to do, given all the privacy advocates out there.

    So, there. :)

    Of course, if it turns out I'm wrong about this, then I shouldn't be working in IT. Should I. But I've seen enough packet sniffer output to be pretty confident I'm correct.
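
The encapsulation described in the post above, as an added example that is not part of the original thread: it builds an Ethernet frame around an IPv4 packet, forwards it through one router hop, and checks that the client's MAC address is gone from the forwarded frame while the IP source address survives. All MAC and IP addresses are constructed sample values, the payload is opaque bytes under an experimental protocol number, and NAT (which would also rewrite the source IP) is not modelled.

```python
"""Added example: MAC addresses are link-local; an IP router discards them."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
# Constructed sample addresses (locally administered MACs, documentation IPs).
CLIENT_MAC = "02:00:00:aa:bb:01"
ROUTER_LAN_MAC = "02:00:00:aa:bb:fe"
ROUTER_WAN_MAC = "02:00:00:cc:dd:01"
NEXT_HOP_MAC = "02:00:00:cc:dd:02"
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.7"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def checksum(header):
    """Internet checksum (ones' complement sum of 16-bit words)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64):
    """20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),   # version/IHL, DSCP, total length
        0, 0,                         # identification, flags/fragment offset
        ttl, 253, 0,                  # TTL, experimental protocol, checksum=0
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def build_frame(dst_mac, src_mac, ip_packet):
    """Ethernet II frame: destination MAC, source MAC, EtherType, payload."""
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def route_hop(frame, out_src_mac, out_dst_mac):
    """Forward like an IP router: drop the incoming Ethernet header,
    decrement TTL, fix the checksum, wrap in a new frame for the next link."""
    ip_packet = frame[14:]            # the old MAC addresses end here
    header = bytearray(ip_packet[:20])
    header[8] -= 1                    # TTL
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", checksum(bytes(header)))
    return build_frame(out_dst_mac, out_src_mac,
                       bytes(header) + ip_packet[20:])


def source_ip(frame):
    return socket.inet_ntoa(frame[14 + 12:14 + 16])


def demo():
    packet = build_ipv4(CLIENT_IP, SERVER_IP, b"constructed payload")
    lan_frame = build_frame(ROUTER_LAN_MAC, CLIENT_MAC, packet)
    wan_frame = route_hop(lan_frame, ROUTER_WAN_MAC, NEXT_HOP_MAC)
    return lan_frame, wan_frame


if __name__ == "__main__":
    lan, wan = demo()
    for name, frame in (("LAN", lan), ("WAN", wan)):
        print(name, "src MAC", frame[6:12].hex(":"), "src IP", source_ip(frame),
              "client MAC present:", mac_bytes(CLIENT_MAC) in frame)
```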
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yahoo uses three methods I think. The first is a regular cookie. Wiping that is no problem. The second is a flash object. You have to find that one. The third, I think, is a Document Object Module, which is turned off in xB Browser.

    Can't clarify on it. At least not yet. Just talking about it is risky, sadly.

    Well, yes and no. If you're on the local network I think you can sniff at the mac. If you were trying to find someone behind a corporate proxy, this might be what you would use if you had mixed it with a couple other exploits. The other thing is your ISP knows your mac, that's how cable modems work. So for them it is no problem.

    Your explanation is succinct.

    Yahoo operated with perfidy, they have no ethics.
     
  21. comicbookguy

    comicbookguy Registered Member

    Joined:
    Jun 8, 2008
    Posts:
    9
    Not hard to find. They're easily found in %appdata%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys and %appdata%\Macromedia\Flash Player\#sharedobjects. Locations may vary by OS, of course.

    This one is new to me. Are you talking about this?

    Where is the information physically stored on disk? And how do you disable it in Firefox/Mozilla? (I know I can Google this information, but you can likely recite it off the top of your head even faster. :))

    I saw something about a Tor exploit talk being planned for Defcon. I'll assume that's where the s%*t is scheduled to hit the fan?

    Yes. That's what I said. :)

    Eh? If you're trying to find the MAC of someone behind a corporate proxy, the same rules I described before should apply. At least, I'm assuming by "corporate proxy" that you mean this:

    [them] --> [TCP/IP over Ethernet] --> [corp_proxy] --> [TCP/IP only] --> [the internet] --> [you]

    To find such a person's MAC, you'd have to get it through an exploit like described in my last post - such as tricking one of their clients into reading it from their OS/NIC and sending it to you.

    Touche.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    about:config // dom.storage.enabled

    The one scheduled so far isn't going to be anything I don't think. I have serious doubts, considering the wording. Ours, if accepted, will truly unmask tor users and turn tor into a trojan/rootkit.
     
  23. comicbookguy

    comicbookguy Registered Member

    Joined:
    Jun 8, 2008
    Posts:
    9
    Thanks kindly!

    Incidentally, I'm googling Tor at the moment, and located a post - perhaps by you under another name - that excerpted part of a document called "How to Create Torpark." Further googling revealed no copies in unabridged form.

    If it still exists (perhaps updated to account for the added tweaks being done in the world of xB), would you be willing to post it? Or does that collective knowledge represent something you'd rather not share in order to maintain xB's leg up over similar alternatives?

    ATM, I have little interest in Tor, but am absolutely fascinated by the privacy-oriented tweaks such a document might contain. (Especially considering that the excerpt I found showed, IIRC, "step 31" ... indicating there's lots of knowledge to know.)

    That sounds positively dreadful. :(
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    comicbookguy,

    It is way more complicated than that now. We have a whole automated build process that picks different profiles for tor or xb, controls external java stuff, writes/rewrites/deletes anti-privacy stuff, jesus. It's about 400MB in build process/library.

    steve
     
  25. comicbookguy

    comicbookguy Registered Member

    Joined:
    Jun 8, 2008
    Posts:
    9
    Fair enough. Is the old HtcTP doc still around and postable? Even if outdated, I'd still enjoy the peek.
     