Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. sharper

    sharper Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    1
    I cannot connect to get the same message as posted by own3d
     
  2. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    Does XBVpn cover all connections when connected? If not, how can I setup a firewall, or other alternative, to stop inbound traffic that is not on the xbvpn?
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes, xB VPN blocks all uninvited incoming connection attempts, removing the need for a personal firewall that blocks incoming-only traffic.
     
  4. xXx 0wn3d xXx

    xXx 0wn3d xXx Registered Member

    Joined:
    May 21, 2007
    Posts:
    6
    Can you please help with this issue ?
     
  5. uli1971

    uli1971 Registered Member

    Joined:
    Apr 4, 2008
    Posts:
    1
    Hi,

    what is about the problem if the connection with your server is lost by:
    - your server
    - my ISP (he disconnects every 24 hours)
    - my PC

    I have some software that try to reconnect automatically after the connection is lost. Does this software then send and receive data with my real IP with your xbvpn-software? Or is every connection blocked till the reconnection to your server?
    Does your prog reconnect automatically and is it possible to start the connection at the startup with my windows xp-system, so that no connection without xbvpn is possible?

    Thanks,

    uli
     
  6. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    Also, is there a way to not let any outbound/inbound traffic on all network connections unless connected to the XBvpn?
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    SRL,

    Sure, I think that can be done. We are rewriting OpenVPN GUI component of xB VPN from scratch for more security. This would be something that would be the equivalent of removing ALL routes unless xB VPN is connected. Currently, when you're connected, all traffic in/out goes through xB when regarding external networks like the internet.

    ULI,

    1) No data will exit your machine.
    2) No data will exit your machine.
    3) No data will exit your machine.

    Owned,

    Problem solved?
     
  8. xXx 0wn3d xXx

    xXx 0wn3d xXx Registered Member

    Joined:
    May 21, 2007
    Posts:
    6
    Problem solved, XeroBank is once again fully functional. Thanks.
     
  9. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    That would be nice. Actually, would this include all data leaving your PC, so it wouldn't depend on if the destination was going over the Internet or a local network? Assuming I am on a college campus and I access the Internet through their LAN, I would want the XBvpn (as a toggle-able option) to block all info from entering or leaving the PC - total lockdown. Granted, I could just shut the computer off, but the LAN might be able to get into my computer, or at least listen to it, when on. I didn't know if this was something for XBvpn or a firewall(software).

    EDIT: The whole point would be so that if a program on my computer is not configured to access something over the VPN, it then fails to access anything outside my computer.
     
    Last edited: Apr 6, 2008
  10. fuzzylogic

    fuzzylogic Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    149
    this thread has been very quiet lately, i'm wondering whats happening with xerobank 2.0 beta and when that maybe running in the near future. also when will accounts be upgraded to the new network?
     
  11. eternalbeta

    eternalbeta Registered Member

    Joined:
    Dec 2, 2003
    Posts:
    54
    Well, I've more or less given up on Xerobank unfortunately, first I tried tried to run a trial version of Xerobank but that didn't work.

    Because of that Steve asked me to PM him to enable him to create a demo account for me. I've send him a username as requested but that was over a month ago and I've never heard anything anymore from Steve.

    I then applied for a slot in the Xerobank 2.0 BETA program but no luck there either.

    So I went back to RELAKKS. It may not be ideal but at least they give you a free month of trial (you're surfing encrypted on the net in 3 minutes) and it costs only 50 euro/year or if you wish 6 euro per month which is also quite a difference compared to Xerobank.
     
  12. jessme

    jessme Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    3
    You might want to look at Swissvpn at USD5.00/month. It is a little more reliable that Relakks and offers EAP-TTLS support too.

    If you want an Openvpn based system. There is Findnot which is run out of Singapore, and Steganos out of Germany. These two have been around for a few years.

    The idea of secure email and storage on Xerobank is nonsense. Remember Hushmail? And what happens to the files and emails you have stored if Xerobank goes bust? Secure storage is something like Truecrypt files on tape or DVD and PGP for email through a public server or using a web-based email dead-drop method with enrpyted files sent through Tor.

    Steve rambles on about DNS leaks with PPTP such as on Relakks, but Steve has a very clear agenda and engages in a lot of hyperbola and very little substance as witnessed by your lack of followup from him. Someone here mentioned that Xerobank looked like a one-person operation. Too much hard sell from Steve using Wilders forums every time someone asked a question about anonymous services; there is Steve popping up to sell Xerobank and offer nothing else. A couple of the long time contributors on Wilders have suggested he buzz off with pitching his Xerobank sales line.

    Doesn't it seem strange that Xerobank doesn't seem to have a WORKING support email or forum and people have to PM Steve to get support because of lack of response through Xerobank? There is always some excuse for things not working as they should.

    Xerobank asks Lexus prices but so far has offered Yugo quality and service.
     
    Last edited: Apr 20, 2008
  13. eternalbeta

    eternalbeta Registered Member

    Joined:
    Dec 2, 2003
    Posts:
    54
    Well, Steve hasn't taken the time to answer the posts over here although he did contribute actively to the XeroBank 2.0 BETA thread in the mean time, so you may be right.

    In any case, I'm trying out SwissVPN at the moment, as per your suggestion, and up till now it seems much more stable than RELAKKS, much less dropping the connection and also the speed is acceptable, so thanks very much jessme.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Hello folks. Been really busy, I've been building a new version of xB installer that combines xB Browser, xB VPN, xB Mail, and xB Machine into a single installation system, AND works with both XB 1.0 and XB 2.0 networks. I think we're just about ready for a release of it, but xB Mail and xB Machine will be disabled on the installer till we release the XB 2.0 network. In addition, I've been invited to be the keynote speaker at an ethics and technology conference at the United Nations in New York, so the planning around that has only decreased my availability.

    Eternalbeta, did you get my response about xb 2.0? I've got an XB 2.0 Access Code for you here. Trials are shut down, as are purchases of xerobank Plus service.

    As a note, I have been informed that Xero Networks AG will be offering a low priced VPN-only service in the near future, and will not be part of the XeroBank brand.

    Jessme, let's just get some perspective here. Doing things yourself, and having others do them for you set two entire universes of protocols, and is like comparing apples to ostriches. It's kind of like doing extensive taxes: If you have the ability to do everything we do for yourself, and the time to do it, go right ahead. I think that is best. But if you don't know how to do it, and you want features you can't provide for yourself, and don't have the capability and legal protection and technical proficiency, xb is a really great option.

    And again, your implication about Hushmail goes back to both trust, AND terms. First off, the person that got busted was violating hushmails terms of service. Hushmail didn't do anything wrong by tracking the guy down, because he threatened hushmails ability to operate a legitimate business. Did they violate his rights? I don't think so. He knew the rules of the game and broke the rules. Should hushmail have protected him? No. If you want to do illegal activities, go to Tor or some seedy privacy service, where the speed is intolerable, service is poor or non-existent, and you can't trust the exit node operators. Commercial services don't exist to protect crimes, they exist to protect the privacy of legitimate users. I think the only question was if it was a crime. However, the TOS declared it so, and the user agreed and did it anyway, banking that Hushmail didn't know how to administer their own network to catch violators. The violator was wrong and paid the price. So really, when you shop a privacy service you should be reading the fine print on TOS and privacy policy, in addition to looking at what jurisdiction the service is subject to. At the end of the day, Hushmail's integrity is enhanced, not only for themselves, but for legitimate clients. They said they would do something and they did it. They played by all the rules they set up.

    The real revelation wasn't that Hushmail would follow through with their TOS, but the full repercussions of when an untrustworthy client uses a trusted system: The trusted system has the ability to liquidate an untrustworthy client by removing their protection. That was the shock. In Tor that isn't the case because all parties are untrustworthy: you would be upset to find out the exit node was injecting/reading your stream, but should not be surprised.
     
  15. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Sounds like something a good insider would be invited to. Is that supposed to be reassuring?
     
  16. JohnSmith5d75

    JohnSmith5d75 Registered Member

    Joined:
    Apr 13, 2008
    Posts:
    7
    the concern about hushmail was their "trojan"ing of the encryption client to completely and covertly nullify the user's privacy. they could just as easily terminated account for abuse, but instead implemented a covert key stealing mechanism that has no ethical justification (at least, in most eyes).

    but you are correct; this is about trust, and the potential for that trust to be betrayed, either by hushmail or zerobank, regardless of the justifications.


    Tor solves a different set of problems than xerobank; Tor provides strong anonymity because it is decentralized, and you don't need to trust any particular entity in whole. xerobank can never provide that level of assurance. as for speed, i think your distinction between free and commercial is bogus. there are other reasons for this effect; consider bittorrent, which is free, and rapidly became the dominant protocol on the internet because of a robust design. Tor might be able to get there, or some other decentralized anonymity service. It doesn't have to be commercial to be fast, although centralized trusted third parties are definitely easier to configure for fast service.


    the rest of this is all an elaborate straw man. if you will intentionally and actively violate user privacy over jurisdictional or legal measures, you expose yourself to the types of abuse of trust that plagues all trusted third party proxy services. whether that is an acceptable risk or not is a question for each user to decide for themselves, but to try and equate your services on the same footing as decentralized, strongly anonymous services is misleading and more than a little dishonest.

    It almost appears that you ride on the good name of Tor (wasn't xB Browser Torrify once?) to peddle a poor imitation. Not cool.
     
  17. eternalbeta

    eternalbeta Registered Member

    Joined:
    Dec 2, 2003
    Posts:
    54
    Steve, unfortunately I haven't received anything anymore from you after your PM of March 20th, 2008, 05:22 PM in which you asked me to pick a username to set up a demo account and to which I replied on March 20th, 2008, 05:33 PM.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I have to disagree with most of that, but Tor does indeed try to solve a different problem. Tor does not provide strong anonymity, and their software even says so as a disclaimer. And yes, you are trusting a particular entity in whole: the exit node. They can insert anything into the stream they want, including things that will cause your network to break anonymity and "phone home" naked. You're just a tiny vulnerability away from full compromise with Tor, there are a lot of attack vectors inside it, especially for windows users. This was demostrated last year at defcon when the entire tor network was compromised. But guess which tor clients weren't compromised into exposing network data... the ones running 1) XeroBank's XB Machine, and 2) JanusVM.

    What level of assurance are you talking about? Tor can never compete with commercial anonymity networks until they stop allowing untrusted parties to handle plaintext/exit node traffic.

    Torrent traffic didn't succeed because they are robust, they succeeded because everyone who takes is automatically forced to give. You have a ~ 1:1 ratio or even more. With Tor, you have 1 user giving resources for every 150 users consuming resources at any time, and because networking resources are planned socialistically instead of capitalistically. I'm sure torrent clients, if they don't already, will learn to cut off people who aren't sharing. Tor can't afford that, because not every user can be an entry node/exit node as that doesn't fit the user's security framework. It will always suffer the tragedy of the commons, no matter how robust of efficient the protocols.
    It is a law of economics, as sure as the sun shall rise until they change those two issues.

    As soon as he started violating the acceptable use agreement, he was no longer protected because he was proved to be untrustworthy. But there are some other considerations here. 1) Was what he was doing a crime in his jurisdiction. 2) Was what he was doing a crime in Hushmail's jurisdiction. 3) Was hushmail compelled by a court of competency to cooperate? If either 1 or 2, it becomes hushmail's prerogative to send a message to other "criminals" (I personally don't think what he was doing was criminal) but under condition 3) they have no choice but to cooperate.

    Heh. Are you aware we are significantly decentralized? And if such an anonymity metric was ever devised... well let's not getting into imaginary measuring sticks... it is my opinion that the anonymity is stronger at xb. My team could break Tor's anonymity (and did), but we couldn't break our own, if that is any generic measurement.

    I think you have it the other way around. The name Torrify LLC was originally not xb's, when i was writing most of the software. The point was for it to be a free torrified browser, in addition to other tor-enabled softwares that were being devised by me, thus the naming convention. However, we realized some people were misunderstanding that with Tor, including even the name Torpark, so the names were languished until purchased by xerobank, and then phased out. Now, xerobank has nothing to do with tor at all, except that xb browser still support the tor network if you want to use it for that, and is by far the most popular of all tor-enabled browsers.

    I now saw that the Tor project has started being "inspired" by my browser and specifically it's source code and released their own browser code named... Torpedo. I thought that name was just so appropriate on many levels. Clearly, we both influenced the other to some degree.
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    PMed again.
     
  20. eternalbeta

    eternalbeta Registered Member

    Joined:
    Dec 2, 2003
    Posts:
    54
    You've got a reply
     
  21. JohnSmith5d75

    JohnSmith5d75 Registered Member

    Joined:
    Apr 13, 2008
    Posts:
    7
    Ok, "stronger" anonymity, particularly traffic analysis, which XeroBank and other such proxy services cannot provide.

    you are either ignorant or intentionally misleading with your comment. Tor has always encouraged the use of SSL/TLS to prevent exit nodes abusing the content of your traffic. Wouldn't you say the same to your users? You can sniff their traffic just as easily if it is not encrypted.

    If something an exit node (or other site) injects into your traffic exposes your address, that is just as much a problem for XeroBank as for Tor. That is an implementation or software failure, not a design flaw.

    Do you have details about this attack? Based on your description you confirm my statement above. The secure implementation / software was not affected.


    It doesn't matter for encrypted communications, which everyone should be using anyway. If it is not important, then a secure application using Tor will not care about crap getting injected anyway, you use a different node. Like i said, speed is a different issue, but to claim decentralized structure is a weakness is to misunderstand or intentionally mislead about the benefits of Tor.

    there is a distinction between not servicing criminals (terminate account) and implementing a covert mechanism to completely nullify user privacy. I am amused that you see no distinction between the two.

    Look at the way CALEA compliance mechanisms were abused in the Athens wire tapping case. There is no need for such covert mechanisms, they betray the trust of users, and they expose vulnerabilites, and they are prone to abuse.


    Now you are spouting bullshit. Please look up the definition for decentralized. You are not decentralized because you control your routers. That is a centralized control point of a distributed system. Distributed does not mean decentralized, and the decentralized part is what is critical to a stronger anonymity system that resists traffic analysis and trusted third parties.

    What is this team you speak of? Please back up this "we can break Tor any time we want" posturing with some actual evidence. I see nothing but deceptive and misleading comments in your reply.


    That doesn't sound like something they would do. Can you prove this too?
     
  22. jessme

    jessme Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    3
    What double-speak Steve uses. Never a straight answer to a straight question. Doubt me? I invite people to go here and read the faq for this service.

    http://perfect-privacy.com/

    No double-speak. No obfuscations. No P.T. Barnum marketing. Just straight answers and service all for the princely sum of €99.95/12 months.

    And no. I have no business or personal interest in Perfect-Privacy. My only interest is seeing the dissemination of information regarding established options out there without all the smoke and mirrors and Orwellian scare tactics.

    I think JohnSmith is right. It is time for Steve to either backup his statements about TOR and quit treating people like empty headed fools.
     
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Sorry, I disagree again. Modern applications against traffic analysis are based on a theoretical idea of how the internet should be mapped out, but not on reality. Regarding traffic analysis, it doesn't matter if tor uses 1 node or 50 nodes in a circuit, unfortunately. It's good in theory though, it just doesn't work well in practice. In reality, all traffic passes through very few IX cores, so the powerful attacker can ignore nodes and just watch traffic flows. Simply watching the flow pattern automatically identifies the client machine. Game over. To get around that, you have to do frequency and bandwidth shaping and mutliplexing. Tor does not multiplex, XeroBank does. It's even worse for tor because they do subnet matching, ensuring that IXes you have to watch are minimal. Oh and not to mention tor has very low crowding on machines, less than 100 active circuits on a machine. Think of it like being the only person using the tor network. Inefficient resource usage combined with a resource shortage and too high distribution. It is very socialist in many ways, including that it sounds good on paper but doesn't work well in reality. It is great that the tor network exists, it is a step forward, but people oddly attribute supernatural abilities to it, and accord it much too much trust because prior to that they never had it so good. If something better came along would you know it?

    I encourage end to end encryption on all sensitive connections, regardless of networks. That is a best-practice no matter where you are, and isn't a distinction between Tor or XB. Tor users should automatically assume the exit nodes are sniffing their traffic because any malicious person can join Tor for that specific purpose, and they do. That isn't the case at XB. We are a single entity, we don't do logging or exit node sniffing except for malicious traffic (snort) and users are protected by a privacy policy at the cost of xb's reputation and legal consequence. You'll get no such protections from Tor, naturally.

    I disagree. You're point concedes maliciousness as a prereq. Tor exit nodes can be malicious because anyone can be one. XeroBank nodes can't because nobody is allowed to be one, and we control and administer all the nodes, and they are secured and audited regularly.

    As for Tor, that isn't a software failure. No amount of software can keep the exit node from not knowing it's own traffic. That is a design flaw.

    XB's and JanusVM's implementation of Tor clients mitigated the attack by malicious exit nodes, the attack vector wasn't shut down and still exists by design.

    And sure, here is proof from last august when the network got entirely compromised.


    Who said decentralization of structure is a weakness? Lack of exit node assurity is the weakness.

    There is a big difference. Mostly in muscle flexing. If one were to use such a service to commit financial fraud, it is irrelevant to terminate the account. That doesn't stop the fraud after the fact, nor does it discourage crime. The criminal can just get another account, cuz hey, they just stole $50k. Being able to trace back through the system sends a message that they can be gotten to. Limiting ones punitive abilities to merely terminating an account encourages criminal abuse. Now for regular abuses, sure, just kill or suspend the account.

    Sure our network is distributed, but the decentralization is in control of the logging/trace mechanism. It isn't implemented by a single person. First it is controlled by a snort program which may flag traffic, then it gets sent to engineer, then an ethics advisor, where a decision is made. The decentralization you're talking about would be good for tor if the controlled all the exit nodes and decentralized all the middle and perhaps the entry nodes. decentralizing the exits is bad and leads to the worst abuses, but they exist by volunteers so they don't have any choice.

    One of the guys who demonstrated the tor compromise attack i've linked you above, and a few others of us. Some of their identities will be displayed on our new website in a couple days.

    Absolutely. I'm always happy to back up what I say. Infact it is in their SVN history where they copied my xB Browser/Torpark code to their server and started abstracting how the code works. No wonder they were prior asking me to write papers to explain the process to them! Then they even used other projects that had copied my code already such as ToasT and Democrakey. Such is the life of open-source projects, and to think they all develop without looking at each other for influence is a little too unrealistic.
     
    Last edited: Apr 24, 2008
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Huh? ToasT and Democrakey? How did I miss this? So Democrakey is a portable anti-virus plus Tor? Other than the anti-virus, does this offer anyting that I do not have with XB Pro? I can't seem to find ToasT. Is there a website?
     
  25. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Democrakey and ToasT are dead projects that copied old xb browser code. obsolete, even if you found find them, and no, they aren't going to protect you better than xb pro :) For antivirus just use anything you like (hello kaspersky).
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.