Anyone tried XeroBank (formerly Torrify)

Jessup, I enjoyed your post. But I wanted to chime in on several comments you made.. First off, regarding Metropipe. This is a very good, reliable service.
You are right, in my opinion, they simply have 0% customer service. I mean it is basically non-existent. However: If one doesn't need support, then you are home free!! I know it sounds odd, but that is simply the truth. Once one has the basic services set up, there is really no further need for support. Service is fast and reliable. I haven't the foggiest as to why they lack support. It's been brought to their attention and yet they persist. Ultimately, it will contribute to their demise. Regarding their "reputation" none of the wild accusations against has ever been proven. Most of the stuff I've seen was on Privacy.li which is hardly a credible source. None of the bizarre accusations about them has ever been substantaited. As far as I'm concerned, it's fiction.

But COTSE....

Suggest you fire up your Newsreader, head on over to apas...ASAP!!
alt.privacy.anon-server.

You may well change your views on COTSE entirely...

 

That's cool, Steve. The only thing that can be changed is some sort of button to confirm you're really changing your useragent. At this time, you can change by selecting on your list, but that doesn't make you sure that your browser and OS were modified, by highlighting the new user agent.

I am not really inclined to change my browser and OS because this is not really an issue. If you want some privacy, the most logical thing to do is not change your browser and OS or even block them from other sites (this kind of action is not possible, considering that javascript, if allowed, can find out this information). And you can't turn off javascript by using NOSCRIPT, from all sites without being unable to perform some actions (like make a new register on this board, for instance).

As for the "Send Reffer" button, I don't understand.

If you leave unmarked, that means you're blocking all sites by default? No one will be able to see from where you're going? And what happens if you remove "Send reffer" button from your toolbar? This option (unmarked - Block all sites by default) is still recorded?

 

Hello Ballzo,

Thanks for the information about metropipe, I appreciate it.

Also: I went over to the alt.privacy.anon-server area and saw that some of these postings I had run across a few weeks ago. A lot of the 'voices' against cotse are the same ones as can be scattered around going back to April and unfortunately, if there is valid criticism against cotse, it has been obscured by the privacy.li nut cases (=owner of privacy.li?). It looks like a personal vendetta against Steve Gilda more than anything (and growing more intense by the day) but I'm not a cotse supporter one way or the other.

Comment on 'professionalism' look objective for the xerobank website: Steve, thanks for your comments. I think you may have overlooked my main point, which is that PERSONALIZING a website can be done without detracting from PROFESSIONALISM. Ultimately, when you buy a service, everything boils down to TRUST and if a place has a strange feel to it, then that's not going to reinforce trust. The fact that I can google your name (which you don't hide) and come up with information that doesn't make me conclude that you're a nut case, is powerful at building trust.

WEBMAIL: Steve, your comments are well taken, thanks. I'm not sure if you got my point as to why it helps not having an e-mail addy that is clearly a privacy/anonymizing one if one is doing things totally legal (including NO spamming), but if we're not communicating on that point, I'm sure it's because I'm unclear who the the 'average user' of xerobank is likely to be, and the kind of user I am is probably not your average user. But enough on that.

Comment on new user-agent add-on (prefBAR): This is a great example of how the best possible tool would be created by listening to what a variety of people's needs are in total, THEN creating something that satisfies those needs. Clearly, the add-ons that are available out there don't satisfy all the needs, there's a niche for something even better although I'm sure that Steve/xerobank have no time right now to pursue that avenue. But I agree with the comment that you need to be able to verify what the add-on is telling you regarding user-agent (one needs to be able to confirm/verify ALL aspects of one's footprints being left on the internet). I mentioned already that I would like to set the user-agent and not have it flip back to the default setting everytime I close the browser and prefBAR is an annoyance in that respect.


QUESTION TO ALL OF YOU RE JAVASCRIPT AND XEROBANK/TORPARK: I'm a little unclear as to what security/privacy vulnerabilities javascript still presents to the user when one uses xerobank. For some sites, I need javascript for the site to work. Does that mean that the user-agent settings used on prefBAR or other add-ons are useless in such situations?

It always seemed to me that an important way of breaching a user's privacy is to fetch the time on a websurfers/webposters computer. This is done via javascript, correct? Is that information also automatically transferred as part of the user-agent parameters? Apart from constantly resetting the time clock on one's computer, how else do you mask TIME? Does the Xerobank/Torpark browser+addons address this in any way? Also, using xerobank, what SERVER time is obtainable... only the exit node server's time?

Thanks for the continuing discussion.

 

I have done some tests here, and if you have Javascript activated, your browser and OS are revealed no matter what circumstances.

For example, check this site:

http://gemal.dk/browserspy

And mark the option "Browser information" (but first, allowing gemak.dk on NOSCRIPT's whitelist in order to perform this test).

If you change your useragent to "blank", this information is already sent by GEMAL.DK.

User Agent: -
Browser Name: Mozilla (you see? gemal.dk knows I am using Firefox!)
Operating System: Windows NT 5.1 (and also knows I am using Windows XP...)

If you don't change your "useragent" to blank:

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Browser Name: Mozilla Firefox 2.0.0.3
Operating System: Windows NT 5.1 - Windows XP

How do you change your useragent to "blank"? It's simple.

In the address bar type:

about:config

Then right click and click "New" --> "String". Type or paste this into the box that pops up:

general.useragent.override

Hit "Ok" and then type in what you want your new browser and OS to be or you could even go with "Googlebot 2.1". Now this will change your user agent to the google bot. To change the user agent back to the original one just right click on the string and click "Reset".

However, I was experiencing some problems with one board like Wilders Security. Some buttons and functions used by Javascript (Rich Text Editor) were not available after I change my useragent to "blank". So I reset again, and now my browser and OS are visible to everyone.

My point is, there is no need to hide my browser and OS, or change them to some unknow browser/OS, if I need to secure my privacy. I don't want to be found among a lot of people. If they are scanning my browser, and can tells I am the only one who is using an exclusive browser/OS, my privacy is no longer secure. You got it?

This is one of the two reasons to change your browser/OS/useragent. The other one is telling all viruses/malwares that your system is unknown for them and therefore, they can't infect you by detecting previously your kind of browser and OS. Something like that (I lost the explanation).

So, if you're allowing Javascript, there's no way to hide your real browser/OS. If Javascript is not allowed on NOSCRIPT whitelist, they can't access this information. Period.

Like the "useragent", this information can be obtained by Javascript. But, unlike the first one, I consider important to hide my GMT more than hide my browser/OS.

There's one article about Windows XP unauthorized connections:

http://metabolik.hacklabs.org/alephandria/txt/jennings_windowsXP_en.htm

According to this old article, is really simple to verify, by using a firewall, how Windows XP tries to do about 16 different connections - not authorized - with Microsoft computers.

Some connections could be identified, like the one who tells Microsoft what DVDs are being played on your computer (did someone authorize them to know that?), and other who allows even the remote control of machine (I, Robot?); in other cases, however, was not possible to determinate the reason of connection.

There are only two ways to verify the existence of spies hidden on computers and machines like printers (remember the article "Is your printer spying on you" from EFF — Electronic Frontier Foundation who says every printer has some system who may identify his owner?), the reverse engineer (forbidden on several countries), and the opening of source-code from softwares, which gives you freedom to depurate and recompile them.

The first alternative is practically impossible. The amount of data and chances of hiding using strong cryptography, for example, plus these kinds of activities, by terms of license or laws, makes no other choice but drop this possibility.

The second alternative seems to be the only effective way to provide results. Making a choice for free or open-code softwares it's more than an ideological or economic choice - it's a necessity for those who needs security and transparency.

Rmus said on his post:

Perhaps this connections is related to our computer's clock:

4) UDP - time.windows.com for clock regulation

If we can block this by using a firewall, perhaps all sites cannot see our current time?

 

I actually spoke with the COTSE people a year ago. They seem fine, but we had a few disagreements on practices, such as their logging, and also not letting people know who COTSE is, as they could just be a honeypot with no culpability. However, I tried their service and I was pleased with it for the most part. Anyone who was caught off-guard about the 5-day logging issue didn't read the fine print. They said that is what they do, of course, but some folks are misled by saying they don't keep the logs. Well, semantics.

Heh. I elaborated about that above, regarding the name. So maybe I'm not getting what you mean by personalizing. Can you give me an example of a professional but personalized website? What kind of personalization would you like to see?

Are you saying you think people will think you are guilty/suspicious if you are using a service that has high security protocols and privacy protection?

So you are saying when you reopen xBB, that prefbar settings aren't saved?

Javascript can be used to determine your internal network address, ex: 192.168.0.1, etc. This could be identifying information, which is bad.

I'll ask. However if javascript is asking for it locally, and you allow javascript to run on your machine, I would assume it would be reading the server time off your own machine.

Steve

 

Steve, You and I both know a big question around "logging" is semantics. COTSE logs and admits it. Others Log and lie about it. Even your service will have some sort of logging, otherwise how do you prevent abuse? You'll go back to the old "personal identifiable" thing. But, an IP can be a "personally identifiable" pointer within hours. The big issue regarding logging is, indeed, semantics and how you define the term. The privacy.li people have smeared Gilda for years, but COTSE runs a fair service with honesty.

 

I suggested in the first instance that a link on the main xerobank site that shoots over to a blog by you/others involved in your project in which various security issues are discussed.... Or a link that goes to a monthly newsletter. Just something that suggests that there are humans behind the scenes who are NOT privacy.li types!!!! The main xerobank page can stand as it does.

Yes, in the greater world! Possibly this is because of how frighteningly security oblivious the average Joe is. Also, for political dissents in other countries (in Africa), I have seen people who have posted using a free anonymizer on discussion forums being dismissed in a similar way, because it was a forum where people could see their IP, it resolved to an obvious anonymizer name (the cloak?? if I recall), and after that the person's posting were dismissed no matter how good their message was. I can imagine a letter to the print media (one that normally accepts 'pen name' submissions) sent from an e-mail address that is clearly a remailer type e-mail would more likely NOT be published, while the same letter sent from hotmail or some 'normal' appearing e-mail WOULD. But again, if you're aiming for a different kind of audience/client, none of this is relevant. That's why I asked what kind of audiences you were aiming for. If you're looking at a completely different clientele, it really makes no sense for you to take those comments on board.

That's what has been happening to me, but only for the User-Agent setting.

So Steve, what I'm implying from this is that there's no way to workaround it... turning off javascript is the only option?

Basically, the Xerobank browser provides no greater BROWSER security than using the Anonymizer (which mandates javascript turnoff) with maximum security settings, wouldn't that be true? The greater security advantages for Xerobank lie in the shifting TOR nodes, lack of logs, etc., if I'm reading you correctly.

I was of the understanding that the server time and the my computer time are 2 distinct user-agent parameters?

Thanks Steve for continuing to spend your valuable time coming on this and other boards. I assure you, it makes a positive difference.

 

Jim, thank you very much for the insightful posting. I appreciate the time you took to share your knowledge with us.

I tried gemal.dk (a GREAT test site) on my old torpark browser. I have javascript turned on but nothing about my browser/operating system is getting through to them. I've never changed my user-agent intentionally to BLANK that I can recall BUT I do have some other add-ons (modify headers, etc) also installed so maybe there's some other old setting I haven't gotten to yet that explains why I'm getting nothing.

Definitely true.

What you say makes complete sense, which makes me more confused why my old Torpart browser isn't revealing anything. But let me investigate this some more.

I thought that the initial server I connect to to access the internet is ONE time parameter, and the time that my computer is set at, constitutes a SECOND user-agent parameter. But I might be wrong on this. I simply set the time on my computer to a time other than where I am located, but if my dialup access server is conveying another time parameter, that pretty much defeats what I'm doing, huh?

 

Genady, I agree with what you're saying. Frankly, for what I need privacy for, I'm not worried at all about criminal subpoenas (which, I assume, would demand that such logs start being kept) because I don't do anything that even borderlines on illegal. What I worry about are civil court subpoenas, obtained by highly paid, well sourced corporate lawyers who find sympathetic judges. The goal is simply to shut people up. Very specifically (and now you know where I'm coming from), I'm speaking about Chinese government business arms who help their political friends in other countries by hiring lawyers to get civil subpoenas to find out who is putting up politically critical websites. The amount of money they can give to legal pursuits can run high into the millions. They don't even need to pursue civil justice once they personally get the information they need to via the subpoenas, because a civil court case doesn't frighten people into silence nearly as effectively as what can be done under-the-table with that information (mainly sinister anonymous threatening to the person who nearly gets a heart attack when they find that their anonymity has been breached, and in this way).

From what I've read, as well as what I've experimented with Torpark/Xerobank, it would appear that if such civil subpoenas were served, they ultimately would uncover nothing of significance but Steve, you're the ultimate authority here. Am I correct? And is this the kind of stuff that you see is acceptable using xerobank for (or even considered it being used for)? Such political outing of information utilizes discussion forum postings, website uploadings, emails to the media, blog postings, etc. It tends to NOT utilize usenet because usenet is not used AT ALL by the circles that I've been helping out which are mostly young people who became acquainted with the internet via webpages and discussion forums (BBS boards).

 

Following on to the last posting, I'm obviously looking for secure/encrypted communication for different protocols, normal looking e-mails that can't be traced back to the user (we do NOT spam), and the ability, when I am posting the words of different writers on discussion forums, to retain their respective individualities by using different user-agents rather than lumping them all together. Now you also see why any system that screams "ANONYMIZING" is counterproductive, compared to if the whole anonymizing process is discreet.

Thanks for hearing me out on this. It should explain better why I've been asking some of my odd questions. Jesup.

 

Jesup, there's no need to turn off Java and Javascript on your browser (and you can't surf anywhere this way). Here some informations about NOSCRIPT:

NoScript needs to have Java enabled to allow it to filter Java. You can leave Java disabled but then an end-user would have to manually enable Java in some instances:

Q: Have I got to disable Java and/or Plugins from Firefox options to browse safely with NoScript ?

A: NoScript had nothing to do with Java or plugins like Flash, but since version 1.1.0, NoScript can block Java, Flash and other plugins (J+F+P) on untrusted sites (only JavaScript and Java are blocked by default).

Just configure what kind of content you want to forbid using NoScript Options|Advanced. Keep in mind that some sites use Java applets (or Flash movies) to deliver rich content, hence if you meet some web page you need to use but you find some functionality is missing, consider the evenience you're blocking some crucial applet or movie.

Steve, all websites used to test our anonymity security were unable to show us some proof of they can really know our real IP.

For example:

I am running TOR/Xerobank and using this proxy IP: 88.20.200.4 from Greece. Imagine that my real IP is 210.400.381.0 from Venezuela.

The only information obtained by gemal.dk about my IP, from their site and Javascript allowed on NOSCRIPT whitelist was: 127.0.0.1 - localhost. And 88.20.200.4 which is the current proxy IP I am using, from your browser.

* Please note I am using a modem router, a DSL connection shared with a second computer on my home.

You can make this kind of test on all these sites. They will give me the same answers.

http://www.showmyip.com
http://www.whatismyip.com
http://www.leader.ru/secure/who.html
http://support.xerobank.com/IPSpy
http://bcheck.scanit.be/bcheck
http://www.jasons-toolbox.com/BrowserSecurity
http://www.privacygrade.com

That doesn't make me sure my real IP is not being revealed, if you and other users keep saying that our IP can be revealed somehow.

Perhaps this information is only available on the webmaster/admin Control Panel, which reveals a lot of the users habits. I don't know.

What I know is, Java/Javascript are enabled here on my Xerobank and I need to put some boards and sites on my NOSCRIPT whitelist, giving them free authorization to use Javascript (otherwise, I can't use them at all).

Actually, Flash Player is not installed on my Xerobank, and I can't see videos from Youtube, for example. My fear is, if I install and turn on Flash, my IP can be revealed?

My thread:

https://www.wilderssecurity.com/showthread.php?t=178401

I hope someday anyone can explain this subject to newbies like me. I decided to use Xerobank from now on, instead of regular browsers. With all these unanswered questions, I still don't feel myself secure.

I need to be sure there's no way to reveal my real IP, otherwise, it's worthless to keep thinking I am anonymous by using Xerobank. Don't you agree?

If you remember correctly, Steve, lots of people on your previous board always ask you about other sites like Hotmail, Gmail, Yahoo, and if they can be trust and never reveal their true IP. I don't trust these companies, so I don't have any e-mail from them (unfortunately, I am alone in the crowd).

This is one of your threads, about Yahoo, and proves that this subject is far complex. This is another way used to get our identity.

https://www.wilderssecurity.com/showthread.php?t=177223

This kind of information should be shared, not erased. We need a full and detailed explanation in order to prevent these actions, not being traced and have our IP revealed without any knowledge. That's my point.

Steve, can you give us some explanations about the exit nodes? What are they? What they do? I was looking this thread

https://www.wilderssecurity.com/showthread.php?t=176813

And you may see in TOR's list, some IPs attributed to Xerobank users don't have exit nodes. Correct me if I am wrong. This may represent some kind of vulnerability or disadvantage?

 

This is damned important, thanks for sharing. Ideally, the "best of" the old Torpark forums should be distilled and incorporated into the Xerobank FAQs.

 

Oh that reminds me about the log issue. I was thinking of FindNot, not COTSE. Those COTSE guys seem pretty stand-up from my experience.

Genady, when I said we don't log, I mean it. Unless our system detects abuse and we see it happening, or we get abuse notifications from upstream, there is no logging. In which case, both of those were violations of the TOS and thus nullify the CSG, and we would have to log and try to terminate the account. Logging is a huge hassle in our setup, as we aren't some one-hop stop like the other guys. We would rather not be hassled as we would have setup and dismantle the logs each time, for each instance on each account. That costs time and money, and isn't profitable. It is more economical to simply not log at all, and have smart algos to notify us if there is suspicious network activity that could be abusive.

So a development/news blog would make you feel good? I could probably do that. I'll check with PR about it.

Not entirely. xBB allows you to have javascript for websites you trust, and implicitly denies all others from running it, unlike anonymizer. Btw, yahoo is fully blocked from running anything (i set that up). xB Machine, however, you won't have to turn off flash, or javascript, or java, or any other plugins. You will be able to browse full rich medias at broad-band speed without the possibility of leaking your personally identifying information. Ooohh, the suspense is building...

Regarding server-time and computer-time, YES, those are PII data that can be snatched from the useragent. So if you are in an odd timezone, you can be profiled.

Civil subpoenas wouldn't get very far. They might be able to seize a server, but the server is heavily encrypted, and the decryption capabilities are not in their jurisdiction. They essentially get nothing but a waste of tax-payer money, and a few thousand dollars worth of equipment they eventually have to return. Fine: server abc is down, turn on server xyz to take its place, send a copy of the subpoena to lawyers, move ahead full steam. Now, if this is some subpoena over something like child pornography or financial fraud, we would want to help them out and they should work with us. We'll investigate validity into such a claim if they can provide specifics. If they don't want to play nice and seize a server, they shoot themselves in the foot. We don't like criminal use of our system as it is expensive. The bottom line is we won't stand for any illegitimate requests for data, such as for political reasons or anything that doesn't violate the universal declaration of human rights (which we recognize as our standard), and our servers and structure are amazingly resistant against such coercive attempts.

That answer is incorrect. NoScript, as I've configured it in xBB, by default blocks all plugins, including java, flash, windows media player, and it also blocks javascript by default. Again, this is with xBB, and makes no warranty about anyone else's configuration. Hey, I did it the right way, I can't say about how other people set their system up.

The honest answer is that nothing is unhackable. Given enough time and money and knowledge, it can be hacked. Even quantum computers already got popped, and there were so many claims it was impossible. The statistic shows nothing is impossible, just improbable in a certain period of time, and a certainty within an infinite period of time. Not a comforting thought, unless you rely on the idea that the amount of time will be thousands or millions of years after you are dead. In which case, you can hide in the past. So is your IP safe this year? Yes. Is it safe in a thousand years from now? Pretty good chance. Is it safe in a million years? Maybe, maybe not.

Nah, it can easily mean that the tor node isn't in our immediate catalog, since those things can wink in and out of existence. I can't say the script is perfect right now, I notice some bugs we will get to, like anything else, it's a process.

 

"...have smart algos to notify us if there is suspicious network activity that could be abusive."

Again, semantics. One persons "smart algos," is another persons high-tech LOGGING.

 

Do you call a router a high-tech logging device simply because it has a small buffer, which constantly gets overwritten, where it stores data before forwarding it? How about a cellphone, or a printer, or a calculator? I'm just wondering, because you seem to be the only one playing semantic games, by stretching the meaning of "log" to be any handling or analysis of data regardless of storage or monitoring or encryption... which is expanded so far that it has excluded the actual meaning of the word "logging".

Perhaps you want a statement like "Our computers log and monitor all traffic for approximately the last 10 milliseconds, and retain these logs in volatile memory for 50 milliseconds, at which time the data is destroyed by overwriting for the next data set, which takes approximately another 10 milliseconds" ?

 

Yeah. Steve.

I'd also echo Jim's suggestion that those old Torpark forums were very useful. Ideally one would distill the more relevant discussions down to FAQs and incorporate them thus within the xerobank site.

While forums can be very time-consuming to the administrators. I wonder if you could reduce this overhead time management with strategies like the following:

(1) People can get to the forums only through links placed WITHIN the FAQs AND forum 'rooms' are arranged according to the FAQ categories.

(2) Clients/potential clients would often proceed to a forum only if there's nothing in that FAQ section that addresses their question. That keeps the level of postings down in the forum (not true if FAQs and forums are totally separated).

(3) Clients/potential clients would more likely post new questions/discussions topics only if no one else in the forum has mentioned the problem. A banner on the forums stating that any issues already addressed on the FAQs won't be answered by any support staff might further decrease your overhead time dealing with forums.

(4) Periodically you could purge the forum of discussion topics as you work the results of the discussions into new sections/questions within the FAQs.

I can't see that ticket-based support (while very useful in the early stages of the product) would ultimately be LESS time-consuming than incorporating the same information onto FAQs. Moreover, once you have an area where your users can interact, you start developing a loyal community of users and I've seen elswhere how a loyal cadre of clients can do a lot to help others in the forums and thus take some of the worldload off xerobank staff.

It's obvious how one can spoof computer-time. BUT it sounds like server-time cannot be spoofed?

 

For me personally, if I saw roughly this depth of explanation of logging on the FAQs, I'd probably be satisfied. Most privacy services "can't be bothered" explaining things to clients/potential clients in any detail in their FAQs/support. The more you distance yourself from that kind of attitude, Steve, the more you will continue to set yourself apart as offering something different than everyone else.

 

Well, you apparently find that sufficient to identify and track down abusers, yes? You can't have it both ways, Steve.

Genady

 

Forums and ticket-based support are two very complementary things. I believe PGP has a similair form of support, on one hand an automated ticket-based system and on the other hand a community-driven support forum with occasional pop-ins from PGP employees. Any questions that have been answered in the FAQ or by the ticket-based system are of course referred to by knowledgeable users and employees. I'm sure there would be no problem to find enough enthusiastic and knowledgeable forum members that are willing to take the time to discuss, suggest and contribute in various ways just as is the case with the PGP forums...

As for the logging issue, I would like to know the exact 'way of working', setup and configuration of XeroBank's servers. Also of interest would be to know what the exact procedures are for access to the servers. Can the cleaning lady simply walk in and mirror the HDD:s if she feels like it, can any individual employee log in and monitor user activities on his own, etc, etc. I think there is a higher possibility of employee/outsider abuse than government abuse, although the latter shouldn't be neglected either, but by dealing with possible employee/outsider abuse you're also automatically dealing with many forms of possible government abuse...

Answers I would like to see are: the servers are held in secured facilities (high-res pictures of the facilities and servers would be nice), no one can just walk in there unless he gets explicit authorization to do so, the HDD:s are full disk encrypted to disable any off-line attacks/mirroring, the administrator interface is 100% fully self-maintanable, no active administration is required nor done unless troubleshooting/user-tracking is specifically requested or agreed on by higher authority and no single administrator can get full administrator access by himself unless he gets a one-time "master key" from higher authority, however, despite this limited administrator access the actions of our administrators are carefully monitored...

 

Finding abusive traffic is not the same as tracking down the abuser who generated it. I suppose you don't know that, since I haven't fully elaborated for you: We have separated the traffic from the account (via no logging), and the account from the identity of the client (via transaction ID). It is sufficiently difficult to make tracking legitimate clients very unattractive, while shutting down abusers is easy.

 

Great question. For communications servers, it doesn't matter. The drives are encrypted, the operating system is virtualized within the encryption, the operating system is hardened, the machine is firewalled, the file system is additionally encrypted per file, the logins are by key exchange only. So let the cleaning lady come by and mirror a drive full of bits she will never be able to unlock. Not that we would encourage that, of course, but good luck if you can get your hands on one! I'll find out the specifics, but the communications servers' datacenters I do know about require key card access, are highly monitored. The login and keys are only had by the assigned admin and the CSO, and the keys are changed at random but maximum. All the incoming data is encrypted, all the outgoing data is encrypted, except for exit nodes naturally. We can put these servers in any jurisdiction, but prefer to avoid circuits with hops in the same jurisdiction.

The servers with client data, such as a keys server, and a username server, etc, have their data segregated from each other, across multiple unfriendly jurisdictions. They have all the same stats as the above servers, but the machines are locked down physically, and in very secure data centers, where we are able to monitor what goes on.

In addition, we have some independent auditors who get to run through some systems every random to max days. These auditors make sure the admin of that server, and the CSO, aren't doing anything against our wishes. The auditors are rotated, and the keys change behind them. When we ramp up, we will set up the auditors to be able to publish reports on our website, with digital signatures.

 

That will be a nice feature.

 

This page here reveals techniques for exposing TOR user's real IP's:
http://uk.geocities.com/osin1941/exposingtor.html

No, this isn't groundbreaking stuff. Question is: does Xerobank run ALL protocols through TOR, even HTTPS?

 

Well, I have to stand up for Steve on this one. That page shows techniques for revealing uninformed and uneducated Tor users real IP addresses - sorta, maybe, kinda. The headline screams as if ALL Tor (and therefore XeroBank users) are at risk and that's just not true.

Genady

 

I don't know if this can prevent these further attempts to leak all these informations described on your article, but I am using on my Outpost firewall (thanks to Paranoid):

https://www.wilderssecurity.com/showpost.php?p=1020429&postcount=9

Maybe these firewall blocks are necessary in order to prevent XeroBank/Firefox browser to send out informations who may compromise our true IP.

Steve, I was looking your main site today and XB FAQ was finally created. That's nice. Could you please try to explain for me, what is "fishing expedition"? English is not my native language.