Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Jim that hackers link that never resolves? Why would you assume that it revealed my IP address? If it was able to, it would have listed it. If it does not list it, then I can only assume that it does not have it. That Windows Media Player link was a failure too.....with the VPN anyway. I did not try it with Tor.

    As for the VPN, I do not know of any test or anything that can reveal your IP while connected. I guess someone could hack into your computer, but if they did that then who cares about an IP address? I think you should consider taking that VPN out for a test drive. Compared to the free browser, it is the difference between night and day.
     
  2. thorDK

    thorDK Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    10
    Any news about how to log in as root?

    When I run knoppedix Linux I can read and read FAT, and read NTFS; writing to NTFS is considered very experimental. But here in the xB machine, when I try to surf to my Windows files via the file manager, it won't open at all. I guess the question should be, did you program the xB machine so that no connection can be made to the Windows files for security reasons, or should I keep on trying? It could be great to have a TrueCrypt container file that I could open with files both under Windows and Linux.

    Looking forward to your reply!

    All the best,

    Thor
     
  3. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    You're wrong, sometimes you will have to alter Noscript settings to allow both Java and Javascript. Unless, of course, you want to stop using many pages out there.

    Your argument is somehow equal to saying: "Cookies are bad. I don't want them here! So I will block every single one of them!!!!!".

    We don't have to do this. We may allow cookies and erase them after xB/Firefox is closed. The same thing about scripts like Java, from trusted sites.

    What I am saying here is that the best course of action is to not trust anyone. Even sites like Wilders Security can have that sort of code. Are you going to gamble to see if your IP is being leaked or not?

    So, anyone can set that Java trick who is working to bypass your proxy settings, ignoring all default configs of your browser. And we don't want them to succeed. Right?

    Right.

    No, you're wrong again.

    There's no protection against one script that is messing with your default proxy settings.

    And why is that?

    Because the browser was not developed to avoid direct connections. So, it doesn't matter in the end if we are allowing smart Java scripts that are bypassing proxy settings. This is happening only because the browser has a way to make these connections.

    Like I said, it depends on the way the site was developed. But in these cases, either you place the domain on Noscript whitelist, or leave. There's no choice here. I don't allow any script here for fun.

    Security is not being discussed here. What I am arguing is the fact that Firefox is incapable of recognizing only proxy settings. Firefox acts like a hybrid. That's why it is being cheated by that Java trick, which bypasses the proxy settings.

    That is the major threat, in terms of privacy.

    That specific Java trick is the only one that I am seeing with my own eyes capable of leaking my true IP under my actual conditions. The other one from Jedifrost is showing only localhost, and has failed to leak anything, like most other IP tests out there.

    Which doesn't necessarily mean that no one will use the correct code in the future. That's a realistic view of things. Assuming that no one will find out that code and try to unmask Tor users is an innocent perspective.

    Firefox browser can make direct connections. Firefox browser was not developed to recognize only proxy settings.

    That's the issue here. Forget about the rest!
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've been offline (by choice!) for a few days so apologies for not replying sooner...

    IP Address Leakage via Java/Flash
    This isn't just a Firefox issue since Java (at least Sun's version) is a separate process and therefore cannot be limited by changing Firefox (short of disabling Java and similar external elements completely). As such, I would agree with Steve that this cannot properly be dealt with via changes to XB alone.

    The VPN option however is a valid countermeasure and if XeroBank make that a default, it should remove any concerns (though this does mean routing all network traffic via XeroBank, which is not always going to be appropriate - e.g. local router access) as does the firewall option. These have the advantage of not only addressing current discoveries but also dealing with any future ones (unless a plugin is developed that is capable of modifying firewall or network settings).

    Active/Passive Monitoring - Does Using Encryption Draw Attention?
    Encryption of network traffic is common enough (https websites, imaps/pop3s/smtps for email, encrypted IM, BitTorrent encryption) that any organisation attempting to routinely intercept and break it is likely to be kept very busy.

    It would be easier to monitor just a few specific addresses and known anonymity services could be targeted to see which IP addresses were sending data to them. Tor would almost surely be trickier than XeroBank since it has far more entry nodes in more countries, plus anyone participating has the option to act as a server which means that their own traffic will be mixed in with other users. In the case of such "active monitoring" though, being noted as sending encrypted traffic is still far better than having the traffic leaving your PC in the clear, and subject to casual inspection (plus potential data mining should an ISP place the interests of marketers above those of its subscribers).

    In the case of "passive monitoring" where everyone's data is retained, such a policy has to be limited for practical reasons. Keeping full details of every network packet sent and received would likely require several exabytes per day for a medium-sized country (a heavy web browser could go through 1GB per week alone) so some limits have to be set.

    To take an example, the United Kingdom Home Office (similar to the US' Department of Justice) covers interception of communications data with a draft (171KB PDF file) Code of Practice - Appendix A lists specific data to be retained which includes website URLs, email addresses sent/received, etc.

    In the case of users of XeroBank, Tor and similar services, no URLs would be visible so nothing revealing online activities could be logged - only the details of the first encrypting server used. To have any hope of determining users' traffic, full details of every packet would need to be retained and (somehow) decrypted. In other words, unless specifically targeted, users should have less visibility to wholesale data collection, not more.

    The best solution ultimately is for all network traffic to be encrypted. As such, the current RIAA/MPAA "crusade on filesharing" and ISP traffic throttling is actually good news in the long term for Internet users since it encourages its wider use.
     
  5. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Whhhhhhhhhhhhoooooooooowwwwwwww!!!!

    I think I found the solution for this problem! How the hell didn't I think about this sooner? :D

    You just have to modify Java Cpanel from Windows and make Java go through the same proxy settings XeroBank is using!

    Go to Java Control Panel on Windows, General - Network settings:

    Instead of "Use browser settings" you have to leave the option "Use proxy server" selected. Go to Advanced... and fill these forms:

    Advanced Network Settings

    HTTP: Port: 0
    Secure: Port: 0
    FTP: Port: 0

    Socks: localhost - Port: 9050


    Leave this option unmarked:
    "Use same proxy server for all protocols" (I think)

    I tried that and when I checked both pages, already allowed on Noscript whitelist, they didn't reveal my true IP!!!!!!!

    http://ha.ckers.org/weird/tor.cgi

    http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf16 (127.0.0.1 - localhost again)

    Listen to this!!!!!!!!!! :cool:

    The first hackers.org link shows my Tor IP twice!!!!!! I checked Outpost blocked entries/log history and there's no sign of Firefox.exe!!!

    We don't need a firewall to block this attempt! We need to configure Java itself to make connections using proxy settings! How the hell didn't I see that before?

    Regarding Flash, I didn't check because it is not installed here by default on my XeroBank. But this is a minor verification, since Flash can be blocked entirely for most sites out there (we can't say the same thing about Java, which is much more required; if we don't allow Java, many sites can't even work and we don't have a choice in the end).

    All three tests are here:
    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    And according to Paranoid, Javascript can't leak anything (I quoted what he said, check my previous posts). :thumb:
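
The Java Control Panel network settings described in the post above are stored per user in Java's `deployment.properties` file. As an added example (not part of the original thread), this Python script audits such a file against the settings from the post; the property names are assumed from Oracle's deployment configuration documentation and the sample file contents are constructed, so check the keys against your Java version.

```python
"""Audit a Java deployment.properties file against the proxy settings in the post.

Added example. Key names are assumed from Oracle's deployment configuration
documentation; the sample files below are constructed.
"""

TOR_SOCKS_HOSTS = {"localhost", "127.0.0.1"}
TOR_SOCKS_PORT = "9050"  # SOCKS port given in the post

# Meaning of deployment.proxy.type (assumed from the documentation).
PROXY_TYPES = {
    "0": "direct connection",
    "1": "manual proxy server",
    "2": "automatic proxy configuration script",
    "3": "browser settings",
}


def parse_properties(text):
    """Parse the simple key=value / key:value subset of the .properties format.

    Line continuations and escaped separators inside keys are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not cuts:
            props[line] = ""
            continue
        cut = min(cuts)
        value = line[cut + 1:].strip()
        props[line[:cut].strip()] = value.replace("\\:", ":").replace("\\=", "=")
    return props


def audit(props):
    """Return a list of findings; an empty list means the file matches the post."""
    findings = []
    ptype = props.get("deployment.proxy.type", "3")  # assumed default: browser
    if ptype != "1":
        label = PROXY_TYPES.get(ptype, "unknown")
        findings.append("proxy type is %s (%s); Java is not pinned to the "
                        "SOCKS proxy" % (ptype, label))
        return findings  # manual proxy fields are ignored in the other modes

    host = props.get("deployment.proxy.socks.host", "").lower()
    port = props.get("deployment.proxy.socks.port", "")
    if host not in TOR_SOCKS_HOSTS or port != TOR_SOCKS_PORT:
        findings.append("SOCKS proxy is '%s:%s', expected localhost:%s"
                        % (host, port, TOR_SOCKS_PORT))

    if props.get("deployment.proxy.same", "false").lower() == "true":
        findings.append("'Use same proxy server for all protocols' is ticked; "
                        "the post leaves it unmarked")

    # The post leaves the HTTP, Secure and FTP address fields empty.
    for proto in ("http", "https", "ftp"):
        phost = props.get("deployment.proxy.%s.host" % proto, "")
        if phost:
            findings.append("%s requests go to proxy '%s' rather than the "
                            "SOCKS proxy" % (proto, phost))

    bypass = props.get("deployment.proxy.bypass.list", "")
    if bypass:
        findings.append("bypass list lets Java connect directly to: " + bypass)
    return findings


# Constructed sample files.
BROWSER_DEFAULT = """# "Use browser settings" selected
deployment.proxy.type=3
"""

POST_SETTINGS = """! settings from the post
deployment.proxy.type=1
deployment.proxy.same=false
deployment.proxy.socks.host=localhost
deployment.proxy.socks.port=9050
deployment.proxy.http.port=0
deployment.proxy.https.port=0
deployment.proxy.ftp.port=0
"""

LEAKY_MANUAL = """deployment.proxy.type=1
deployment.proxy.socks.host=localhost
deployment.proxy.socks.port=1080
deployment.proxy.http.host=proxy.example.net
deployment.proxy.bypass.list=*.example.org
"""

if __name__ == "__main__":
    for name, text in (("browser default", BROWSER_DEFAULT),
                       ("post settings", POST_SETTINGS),
                       ("leaky manual", LEAKY_MANUAL)):
        result = audit(parse_properties(text))
        print(name, "->", result if result else "OK")
```

A clean result only says the Java settings match the post; it does not test whether a connection actually leaves through the proxy, which is what the firewall log check in the post confirms.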
     
  6. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Intercepting and breaking is a very different thing from employing as an indicator of suspicious behaviour.

    Certainly, and this is already being done.

    Relatively seen, perhaps. On the other hand, it is documented that Tor servers are being monitored by national intelligence agencies (in addition to being operated by them as honeypots...). I don't know what the current status of the Xerobank nodes is in this respect.

    If it is "far" better or not will depend on a number of assumptions, e.g. what is the content of your traffic, what is the policy and practice regarding "suspect" behaviour, who do you fear, etc.? To go from speculation to present reality: in the case of the perfectly innocent Jean Charles de Menezes, sending several sms's and walking on and off a bus, was sufficient indication of guilt to have 7 dum-dum bullets explode in his head without warning...

    Or rather financial reasons. The ultimate limits will be set at the amount of our (tax) money that can be spent without protest. Experience indicates that this might be quite a bit. Just look at ECHELON, TIA, MATRIX, et.al. as indicators of the insatiable appetites for information about.

    Still, practicality does dictate the application of certain selection criteria, and encrypted traffic might well be one.

    Presently, billions are being spent and fundamental constitutional rights violated in order to monitor the population. I would offer that wider use of encryption is more likely to result in a ban on encryption than anything else. Certainly, a ban on encryption is no more un-constitutional than monitoring, analysing and retaining private information without specific probable cause, evidence and court order.

    Or perhaps more likely than a ban, mandatory submission of your keys to the authorities. Isn't this the slippery slope that the "Regulation of Investigatory Powers Act" in conjunction with the EU directives on Data Retention is leading us down?

    They're after YOU! Get a grip! ...or a nick that doesn't insult the truly paranoid ;)


    Note: The ultimate purpose of all security is to avoid unpleasant consequences in a trade off between the cost/inconvenience of the security measures and the perceived risk and relative damage associated with whatever one is protecting against. When we talk about anonymity, we usually define this with respect to the destination IP and/or the traffic content. In this context, Tor and proprietary VPN onion routing solutions like Xerobank both perform well. Since our own governments are presently ramping up surveillance levels significantly, one must take a view on to what extent measures to achieve content anonymity might raise one's profile from relative obscurity to relative prominence in this surveillance context. No hard facts here, just plenty of room for speculation and more or less irrational fears.

    Cheers
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you are referring to the "NSAFortMeade" Tor node, then that seems more likely to be a prankster winding users up rather than the real "black helicopter brigade". The more people that use networks like Tor, the harder it becomes to comprehensively monitor them and any government involvement (Tor started as a US Navy project) only serves to legitimise it.
    The only assumption I make is a desire for a basic level of privacy - "normal" Internet access is like living in a glass house where you don't know who is watching, only that anyone can see everything.
    An exabyte (1,000TB or 1,000,000,000MB) of hard disk storage would cost £200,000/US$400,000 if you used 1,000 1TB drives at current prices. Those drives would need to be maintained and the data indexed and backed up. You are looking at an operation the size of Google for one day's worth of data for a medium-size country (and multiply that by a factor of five at least for the US). And that is only considering web traffic - not VOIP or P2P protocols. Even the likes of the NSA are likely to struggle with such data loads (especially with their existing power problems).
    Attempts to control encryption have been tried and have failed (including classifying encryption software using larger than 64-bit keys as munitions under the Wassenaar Arrangement). The reality is that banning encryption outright would kill ecommerce and greatly harm businesses that rely on it - it is not an option for governments.
    The UK Regulation of Investigatory Powers Act 1998 does include provision to require users to provide their encryption key but most encryption is done using session keys, which are created randomly and deleted after use. How this can be dealt with practically by law enforcement has yet to be seen.
     
  8. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    I am rather using conjecture from known facts and events. German authorities are monitoring Tor nodes, and a number of published reports exist on the unwarranted harassment (including home searches, seizures and arrests) of Tor server operators. Note that these are current events and not stories from the 1930's or East Germany in the 80's.

    We also have the very current story of Dag Egerstad, who was operating 5 Tor nodes and sniffing the traffic for passwords, etc.
    http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html

    From the undisputable facts that intelligence agencies monitor Tor nodes and that there are people out there that analyse the traffic on the Tor servers they operate, it is not unreasonable conjecture to assume that an unknown number of Tor servers are being operated as honey pots by hackers, criminals and intelligence agencies. AFAIK this is generally accepted in the security community.

    According to Torprojekt, there are an estimated 500 Tor servers. Not a whole lot to monitor, and no significant expenditure to subject to some pretty comprehensive traffic analysis, deep packet inspection and tagging. Heck, even the cost of building and operating an entire network of this magnitude is modest in current national security terms.

    I am sure you will agree that, given the unknown objectives of a Tor node operator, it is advisable practice to use encryption to the destination IP when using Tor?

    True, but you are living in one of millions of seemingly identical glass houses. Now you pull the curtains and put a search light on your roof. Of course there are compelling reasons to do this, and you are in your full rights (presently/still) to this privacy.

    By connecting to, say, Tor, you go from being one in a billion to being one of 200.000 (according to the most current info from Torprojekt that I have seen). Thus even a very primitive pre-selection process moves you from relative obscurity into the arguably most suspect 0,02 per cent of the internet population...

    Security through obscurity is a flawed concept, but obscurity is nonetheless a potentially viable component and concern in a comprehensive security strategy.

    Just to nit-pick, what you mean is a petabyte, the fifth power of 1.000 aka a quadrillion. To further nit-pick, the price at these volumes would probably be slightly more than half of your estimate. An exabyte, which is 1.000 petabytes, would cost around 200 MUSD, or in other words, two thirds of the estimated daily cost of the Iraq war...

    The likes of the NSA might have a challenge to retain ALL traffic (apart from this being rather pointless anyway), but there is no shortage of willing helping hands to help them out. Most prominently Lockheed Martin, who are making a big commitment to this strategic future revenue source for defense contractors, but most of the big boys in the multi billion dollar government procurement business are pursuing this new(ish) area with enthusiasm.

    You make a crucial point anyway. The impracticality of retaining and analysing ALL data, even in an exponentially expanding surveillance infrastructure, leads to the obvious conclusion that certain criteria will be applied to decide what traffic and whom to subject to more detailed attention.

    It might yet have to be seen how potential restrictions on encryption would be dealt with, but there is no real conflict between allowing encryption to protect against cybercrime whilst providing government access. The technical merits and risks might be questioned, but this applies to several present areas as well, where such concerns are indeed ignored. One can only speculate in technical solutions, but whitelists, blacklists, mandatory key submission, government allocated keys, mandatory retention of session keys, are just a few initial ideas. Banking, et.al. is already subject to comprehensive international regulations and controls. To "firm up" encryption matters through more regulations should not present any problems. Trustworthy parties would simply acquire Whitelist Certificates through a screening process, and encrypted traffic to the holder of such a certificate would be permissible for instance. There is great fiscal interest to monitor eCommerce more closely, and the "War on Terror" in conjunction with encryption restrictions might be just the ticket the IRS is looking for.

    It is just inconceivable in the present climate that the same governments who invest hundreds of billions in surveillance infrastructure will just sit idly by and watch it being made obsolete through widespread encryption. Widespread use of encryption WILL provoke a counter reaction. I think this is a very safe prediction at the moment.


    To summarise with a somewhat more on-topic overview:

    From what I can see on the market, XeroBank is by a wide margin the most sophisticated (technically and legally) and truly committed of the private VPN solutions. It does not have Tor's disadvantages of limited bandwidth, often poor latency and potential rogue node operators.

    The advantages of Tor are that it is free and that onion routing (3 - 4 nodes) makes the probability that ALL nodes should be compromised reasonably low.

    One does not exclude the other and, assuming the use of encrypted connections to the destination IP's, both offer reasonable protection against private interception initiatives. Personally, I would feel more comfortable with XeroBank.

    If the concern is government surveillance, I would argue that the lower probability of rogue nodes makes XeroBank the safer choice. Both solutions have the potential downside of promoting their users into a presently small and visible substrata of the overall internet population. Each must decide for himself if this is a relevant concern or not.

    If one is concerned about obscurity, a private entry node (e.g. in the form of an anonymously leased VPS as an entry-point VPN-router) could add some protection in this respect. Steve has indicated that XeroBank will be offering such a solution.

    Cheers.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you are referring to cases like TOR roundup and TOR, the feds and me then in neither case was the Tor network specifically targeted or monitored (indeed, in the second link, the German police were not even aware that the address in question was a Tor node). There will clearly be cases of abuse that can (and should) merit investigation but that is no indication of systematic surveillance.
    One individual, not representing any government or agency.
    Nothing stops someone from creating a Tor node as a honeypot, but that is not proof of systematic government observation.
    According to Vidalia, there are closer to 3,000 Tor servers - many in Europe and North America but there are enough located in other countries to require a global network monitoring capability (only the US is likely to come close to having this).
    If you have the option to, then yes - and that is the advice given by the Tor project themselves. Of course, for web traffic, you can only do this if the site in question offers https so there may be little choice, but as long as proper security precautions are taken (filtering web traffic of active content, not disclosing personal information) then there is little danger involved.
    While the curtains are a suitable metaphor, I'd disagree with the searchlight.
    With your network traffic being encrypted (and compared to no encryption, you could reasonably, though arbitrarily, argue that it requires 100,000 times the effort to view) that could be argued as a benefit outweighing the potential cost.
    There is no obscurity involved in having your network traffic and web access in full public view.
    Thanks for the correction - I don't normally work with numbers that large.
    If run as a government project, it would likely cost far more - I only put forward hard disk costs.
    Any commercial body would almost surely be more selective in order to cherry-pick the most "profitable" data (most likely e-commerce related activity) so are less likely to do wholesale data retention themselves.
    If you take Wassenaar as an example, the initial restrictions on encryption have effectively been dropped (originally only public domain software was to be excluded - now any commercial software is).
    There is a conflict in that any weaknesses or backdoors created (or mandated) for government use would (inevitably) result in criminal compromise - either through requiring the use of weaker algorithms or via accidental disclosure of government access methods. "Escrow" encryption was argued for by the Clinton administration in the US and was roundly rejected on these (and other) grounds.
    It provoked a counter reaction when Phil Zimmermann first released Pretty Good Privacy. However the genie is pretty well free of the bottle and governments can either try to slow the spread of encryption or take the draconian path and criminalise it completely. The second is unlikely to happen in democracies unless voters can be persuaded first that Encryption = The Big Evil, despite their routine use of it for online banking and shopping.
    For government surveillance, I'd suggest that systems spread across many jurisdictions would be a greater challenge and Tor would seem to have the advantage here. XeroBank does appear to be the best of the commercial options but it would be nice to see more information about their network infrastructure (e.g. how many nodes and in which countries they are located). As it stands, you can't even tell where the company is based (Saint Kitts and Nevis) from their website without doing a domain lookup.
    That could be an interesting feature - allow users to rent a server from the hosting company of their choice and for XeroBank to configure it for them as an entry node (to avoid mistakes compromising security or privacy). Indeed XeroBank could take this further by offering discounts to those prepared to share their bandwidth with other XB customers...
     
  10. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Hence the clearly stated conjecture. However ECHELON is proof of systematic government observation, and Egerstad is proof of how easy it is even for one individual to gather valuable private information through a honeypot. Egerstad came forward in order to provoke awareness about certain risks, otherwise his exploits would still be unknown.

    From these and other facts, it is not far fetched to conclude a very high likelihood that several Tor servers are operated for such purposes. It is certainly much more probable than the assumption that the people who devote significant resources to ECHELON and other complex ventures for systematic government observation, would refrain from exploiting this veritable treasure chest of information.

    five hundred
    three thousand
    schmauzend... either way modest numbers

    Global monitoring is often done in multilateral cooperation, take ECHELON. The five agencies participating in ECHELON are the National Security Agency in the U.S., the Government Communications Headquarters in the U.K., the Defence Signals Directorate in Australia, the Communications Security Bureau in New Zealand, and the Canadian Security Establishment in Canada.

    There are many examples of multi-lateral ventures and mutual assistance agreements relating to surveillance programs that retrieve private data without judicial warrant.

    The second generation Schengen Information System, SIS II, is being developed. It will cover 27 European countries.

    Another, U.S. initiated program is the “Multi-State Anti-Terrorism Information Exchange” or "MATRIX".

    A further example is the interim agreement signed between Europol and the United States, concluded without democratic oversight and without publication, which will give an unlimited number of U.S. agencies access to Europol information, including sensitive information on the race, political opinions, religious beliefs, health and sexual lives of individuals. This agreement contravenes both the Europol Convention and the E.U. Data Protection Directive. Still, it has been signed...

    The Mother of all major blanket surveillance projects is probably DARPA's "Total Information Awareness" or "TIA" (later conveniently re-badged Terrorism Information Awareness...). To give you an impression of the data retention ambitions about, TIA was specified to "quickly analyze multiple petabytes of data", several years ago...

    TIA was discontinued in 2003, but lives on in an estimated 18 separate programmes, collectively known as "Evidence Extraction and Link Discovery" or "EELD" including: NSA's NIMD (Novel Intelligence from Massive Data) and CIA's "Quantum Leap".

    I agree that the people who brought us the 30.000 $ spanner are capable of some silly spending, and that harddrive cost is only one element of many in overall surveillance infrastructure cost.

    Still, I'm not sure if you are aware of the kind of resources that are available for surveillance investment.

    The US is budgeting to spend between 130 and 180 billion $ annually on anti-terrorist measures until 2010. That will buy you a few HDD's...

    You misunderstand my reference to the commercial "helping hands". I am referring to them as suppliers of technology to the public sector, not as independently data mining for their own purposes.

    It would be even more reasonable to argue that the effort required to uncover the content would be close to infinite, assuming proper encryption. That's not the point. There are two very different risks. One is having the content of your traffic read, the other is ending up on a government Watchlist due to the nature of your traffic.

    To return to the Jean Charles de Menezes example, the UK police had no knowledge of the content of his sms's and phone conversations when they determined that his phone behaviour was suspicious enough to warrant blowing his head off with a barrage of gunfire. Actually, if they had known the content of his messages, they would have known that he was completely innocent and hopefully spared his life. This illustrates the concept of risk through "behaviour" as a different issue than risk through "content".

    Of course there can be. It would depend on the nature of your traffic if anything might flag as strongly as using, say Tor. There may be no guarantee of privacy, but there certainly can be obscurity.

    Me neither, but I do work with multi-billion Euro public sector project financing, which is why I see nothing extraordinary or unlikely in the prospect of multi-exabyte (or even zettabyte) data retention centres.

    Of course there is a meritorical conflict on the very basis that government cannot guarantee the exclusion of accidental disclosure. This is however inherent in all government retention of sensitive information and universally ignored politically. There is however no conceptual conflict.

    By current standards, the Clinton government was a democratic and libertarian government. Very different premises. PGP was introduced in a very different political climate than today's.

    Why would criminalisation of encryption (for traffic to non certified parties) be any more draconian than blanket data surveillance without judicial warrant, which has gone down without any public protest whatsoever? Voters in general don't know the meaning of their Banking being encrypted, only that they are told it is "safe".


    Yes indeed. Although sharing bandwidth could introduce new security and discovery risks unless you personally know and trust the other users. Since bandwidth ought to be the major cost anyway (hardware requirements for a pure VPN-relay VPS must be modest and the software can be open source), an alternative would be pooling a number of VPS-customers, producing a number of alternative entry nodes and/or even the option to create a little private onion routing (with the resulting increase in bandwidth requirement).

    Cheers
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    root's password is randomized every time. :)


    Btw, if anyone wants to try the very very beta xB Mail I created last night, it is available for download.
    It has not got any security settings on it yet, so no complaints. Suggestions are welcome, naturally.

    Download available here: http://update.xerobank.com/beta/xBMail beta.exe

    I'll be back to clarify all of the above questions/comments later.
     
    Last edited: Nov 23, 2007
  12. thorDK

    thorDK Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    10

    Well, at first I thought the xBmachine was the most useful privacy solution I ever had in front of me. To be able to sure java, flash and other risky "content" with less worry about my IP to be revealed sounded great. But to have a linux OS without root login also means that you can't install any java, flash, truecrypt or other tools. That makes it pretty pointless as far as I can see.

    FTP was also important to me, and this was the only thing I managed to install as a firefox plugin without root. However the xBmachine is so isolated I can't understand how I would have any files to upload. You can't browse your hard drive, no CD/room, no USB, SD card, no nothing. Ok, you can email the files to yourself, but then you would have to send them from your own IP anyway. That's a security risk too.

    For anyone in a similar situation like me I can only recommend JanusVM instead, probably not as secure but it will make a VPN to Tor and you can do all the things I wanted above.

    Here is the link, it's also free and open source

    http://janusvm.peertech.org/

    All the best everyone,

    Thor DK
     
  13. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Guys,
    is there a way to access FTP protocols while using XeroBank? I tried and the website seems to be loading forever, and don't know where to go. I believe FTP sites are not working here.

    I am asking this because I want to upload files to my host, using XeroBank only.
     
  14. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Maybe it's worth considering two versions of xBmachine? One that is completely locked down as now, and one that makes root access possible. Like Thor, I would also like to be able to set up shared folders, and be able to install VMWare Tools, which I believe requires root access.

    As far as TrueCrypt is concerned, I would have thought it makes more sense to hide xBmachine inside a TrueCrypt volume than installing TC on the xBmachine? Makes general sense. Nobody can even see that you have xBmachine on your system, and with "double wrapping", you get "plausible deniability" as well.

    Cheers
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Steve, I sent you another message here, in case you didn't see it. But I have a question. What is the difference between XeroBank-Fast and XeroBank-Reliable?
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    "XeroBank - Fast" is UDP, "XeroBank - Reliable" is TCP.
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Why don't you just sudo whatever it is you're trying to do, to get root privs?

    Steve
     
  18. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    Which of the following setups would be more secure and anonymous:

    Using School's LAN and connect to XBVPN->log in to Logmein[dot]com(ssl) to control home computer on cable ISP->start another instance of XBVPN on that machine-> log into GMail via web interface(ssl) to send an email....

    -or-

    school LAN connection-> logmein[dot]com(ssl) to RC home computer-> XBVPN on home PC -> then to Gmail

    -or-

    school LAN and connect to XBvpn-> logmein[dot]com to RC home pc -> then to gmail.



    I think the first choice would be best, but I don't know if any other encryption is self defeating during this process. I would just use xeromail, but it isn't working yet. Any ideas?
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Consider them as risk domains. What is better? One solid link, or three solid links in a chain? For anonymity purposes, three *seems* better, but it may not be because if your communication is compromised anywhere along the way (such as your home computer) then all your links are worthless. So, with a direct connection to xerobank, you have only a single point of possible failure, which is your local machine being monitored locally (think keylogger). If you have three links, you have three more areas where the data is decrypted and encrypted again, unless your local connection to the final internet exit is encrypted end to end.

    So, the result is thus:

    either
    1) Use XeroBank only
    2) Use as many chains as you like, as long as the source and destination have end-to-end encryption.

    And if you've ever touched that gmail account with a non-anonymous IP address, ever not cleared a google cookie before accessing it from one session to another, ever sent or received a personally identifying email through that account, then it is all pointless because the account is then tainted. Google never forgets.

    P.S. - I've been informed that XeroMail had completed the upgrade on Friday.
     
    Last edited: Nov 25, 2007
  20. thorDK

    thorDK Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    10
    Thank you for your answer, I have now tried several sudo guides, none of them deliver the result expected. I would be grateful for a mini tutorial on how to install java in the xBmachine, then maybe after that I could figure out how to install Flash and more on my own.
     
  21. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    What is the difference between using the XBvpn with XB browser on a home computer vs. using the XBMachine? Don't they do the same thing?
     
  22. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I just checked xBBrowser 2.0.0.10a. :D

    Tor button doesn't work anymore. I tried to make it work, and failed. Now, Steve configured xB to not mess with the network proxy settings between sessions.

    That means if you change them, you may disable your cloaking device, but when you restart xB/Firefox, all previous configurations (and your cloaking anonymous device) will be there again.

    However, it's absolutely necessary to stay using a firewall following Paranoid2000 rules to prevent any further problems of disabling all proxy settings (no matter how).

    I was explaining that Tor button was helping you to know when the proxy settings were activated, but I realize it is worthless in the end.

    I expect that some day Firefox will be modified to recognize only proxy settings. Even if the Java issue is solved, it remains the fact that the browser itself can have an internal bug that triggers direct connections. And that, from a privacy perspective, is very dangerous.

    I experienced something like that today when I was trying to export my passwords (using xB 2.0.0.8a).

    After I configured Password Exporter to be enabled (or something else here), the next time xB/Firefox was started, everything was reset (including cookie options). The only settings not erased were the login/passwords.

    I closed xB/Firefox and everything returned to normal. WTF o_O

    But when this happened, the browser was making direct connections. Perhaps this was a bug in the options, I don't know.

    That's why XeroBank should behave like XeroBunker. If someone wants to mess with the browser, fine. Be my guest. But they should learn how to recompile, and not modify a single option from the menu. The issue here is that it is too easy to mess with everything (by negligence, or not).

    Either that, or you may use xB Machine or whatever different and better than the free browser itself (relying on Tor), to make sure nothing is being leaked. Or use a firewall (that's what I do here).

    There's also another modification (apart from personal ones) that Steve has made with Noscript 1.8.

    Previous xB versions have these options enabled:

    - Forbid "Web Bugs"
    - Forbid META redirects inside <NOSCRIPT> elements


    Now, they are disabled. And the Prefbar button "Send Referrer" was enabled again.

    Well, the "referrer" thing was explained a long time ago, and it's up to Steve or each one of us to activate or not. I choose to disable here, to not send any referrer traces.

    But I noticed that, even by doing this, most of sites were redirecting requests. So, it was not a big deal, after all.

    Now that I have forbidden web bugs and meta redirects, these requests are not working anymore, and you have to click on the redirect link because it has frozen your screen. You see, when I enter here, I have to click every time, because I am not being redirected.

    Perhaps Steve can explain to us why he has disabled these options now, and enabled them before. I don't know what they do exactly. All I know is they were activated before.

    And how do I know that?

    Because I wrote down the way Steve has configured Noscript, in case I need to apply the same settings on my non-anonymous Firefox browser.
     
    Last edited: Nov 28, 2007
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    They do and they don't. xB Machine is a totally secured operating system, it is for those james bond situations where it absolutely positively must be hardened against attacks. It has encrypted partitions, isn't capable of leaking, a linux environment, and can't be bugged as nothing is allowed to be installed.

    Your regular machine, however, has all of those faults. xB VPN and xB Browser get you to be able to do all the anonymous encrypted surfing you like, but it doesn't mean you can't get viruses and trojans, and it doesn't automatically encrypt your partitions, and it doesn't have a self-destruct like xB Machine does.
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Good news.

    For xB Pro/VPN customers experiencing disconnects/stuttering, please switch to "XeroBank - Reliable". We will shortly be disclosing the reason why only US customers are experiencing these issues.

    We've found and are working on correcting some bugs in OpenVPN GUI, and will be rewriting the whole thing from scratch. This will result in significant security increases.

    Additionally, we will be opening up a XeroBank entry node in the US, for faster speeds. No worries, we won't have our exits in the same jurisdiction, ever. :)

    New design for products and specifications coming up. XeroBank SVN has been updated to include xB Browser version 2.0.0.4a,4b,5a,6a,8a,9a, and 10a.

    New updates for xB Machine coming. And we may have a new friend working on the xB Machine and xB Browser open-source software.

    Steve
     
  25. thorDK

    thorDK Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    10
    Then I will grab the opportunity to make a wish-list of features that I think also could be interesting to other users of xB machine.

    - FTP program
    - Java and flash since the browser doesn't leak IP anyway.
    - USB support for memory stick, it would be great to be able to move info in and out of xB machine, make backup of thunderbird emails etc.
    - Truecrypt, always nice to pack info down encrypted before moving in or out of xB machine

    What else.... Well maybe an option if the user wants to set a root pass himself or use the random on every startup solution used today?

    That's all I can think of that would make the machine better in general, of course I have some more personal wishes too, but that's up to me to solve on my own.

    Now let's wait and see what Santa can do for us this x-mas, ho ho ho

    All the best,

    Thor / Denmark
     