need advice

well they deliver it too different ways, anonymous surfing goes via https and total net shield via SSH. SSH delivers a more secure connection than a https connection.

really you have to look at these products will deliver and cater for only a specific threat model. Anonymizer anonymous surf/Ghost surf will protect against against people watching your connection (so long as you click the 'encrypt via ssl' in the options', data retention (ie google web searchs) and websites at logging your true ip address. But its not an anonymous, its a privacy tool. yes its owned by a company that is contract to work for the USA various security agencys, so looking up bomb making sites and terrorists site for example may not be a good idea but for the average lay person its good enough and will foot the bill.

for true anonymous you need something like TOR, JAP, XB and secure tunnel whom are multi hop proxies and in the case of JAP and TOR these hops are independent of each other. these are better as they do provider better privacy and are harder to trace. they are better when they are located in countries that are have some good privacy laws. As such VPN's that are located in say sweden etc swissvpn provide excellent privacy as they have very strong privacy laws and provide a fair amount of anonymity if used correctly and are not used and abused.

have a look among the threads 'choosing a good vpn/anonymizer' and 'choosing a anonymizer' for some services/general advice.

 

Fuzzylogic, I do not agree. If by “anonymous” we mean the inability of an external entity (e.g., a website) to detect the true IP address of the visitor, then a product like Total Net Shield by Anonymizer is equally as anonymous as using TOR, JAP, XB, etc. And, in both cases, the true IP address of the user is only known by the proxy server (i.e., the first one in the connection series, if more than one is used).

 

Pleonasm,

That's like saying the deadbolt chain on your door is the same as the high security vault because they both appear to have the same end: keep someone out.

However, Anonymizer/Ghost Surf is like the chain on the door: you're not getting in there... unless you push... with your hand. Very very weak implementation and bad security practices, purposefully designed to be easily compromised. Just like TSA "Security" locks that all open with a universal TSA key. No real security, just the illusion of security. They only keep out the honest. And in this case, with anonymizer, you may be asking the wolf to guard the henhouse.

warning: memory of questionable integrity
I spoke with Roger Dingledine, tor project founder, last year, at a party. We were discussing the differences between anonymizer and xerobank. Naturally he wanted to see a whitepaper, but he also was concerned if xerobank was only interested in "warm fuzzies" like anonymizer was, or if they also had the security to back it up. At that point I asked how well he knew lance cotrell, and was given an indepth explanation. Needless to say, he seemed dismayed at the existence of anonymizer at all, especially under that false moniker.

 

I simply fail to understand why people cannot grasp a basic concept. Tor is an entirely different class of service than anything else out there. It's open-source software that both the consumer and the nodes place on their system to communicate to each other. There is no single entity/person that oversees the service and is capable of tracing packets from their source IP to their destination. Yes, some will argue that a government can do that if they chose, but then that would apply to any service and not just Tor. And it would be exceedingly uncommon for it to happen.

Any paid service you use, there is some person (or persons) associated with the company that can trace your traffic. Tor is UNIQUE. The technology speaks for itself. I don't know how many times I can explain this. If a service allows people to inspect the traffic, regardless of how difficult the process is, then it doesn't compete with Tor (and it's not even close). You can call it anonymity vs. privacy (or whatever you want). Tor is a different class of service than JAP. JAP is a different class of service than XeroBank. People need to stop lumping all of these things together like they're the same type of service. They all have their advantages and disadvantages.

This is precisely why people lose their freedoms and are becoming more and more like helpless babies. They fail to see the obvious ways they can protect themselves. If Tor is not supported, there is a chance that it can be lost to faster services that are not as secure. Can you imagine what a huge loss it would be to internet anonymity if Tor was gone? I promise you Xerobank will not fill the void. We all lose freedom if Tor is gone.


Yes, XeroBank has it's place. Tor can be too slow for a lot of people and a lot of things. But Tor is more secure and anonymous than XeroBank. And, frankly, if I find that a paid privacy service is denigrating or downplaying the historic importance of Tor to further their own service, regardless of how good that service might be, I'm going to be angry about it. I don't think you want to see that happen. Ask the guys at Privacy.li. Scratch that. They have no idea who I am or what I did to them.

So, what am I saying? Get a clue people. Don't take for granted that Tor is always going to be around. You have to fight for the good things sometimes.

So, you lump them all together as anonymous services and then gloss over the most important fact. JAP nodes are not truly independent and there is a way to trace traffic through them. Tor nodes are truly independent and there is nothing built into the software that would allow someone to trace traffic through the nodes. This is the critical fact. What I object to is all of these services being lumped together.

If I seem like I'm being hostile or talking down to people, tough. People are making critical mistakes in their posts, and I've tried to point them out politely, to no avail.

 

Steve, again, if we define “anonymous” as the inability of an external entity (e.g., a website) to detect the true IP address of the visitor, and if “tool A” and “tool B” both mask a user’s true IP address to the external entity, then both are equivalent with respect to providing anonymity. Each tool may, of course, have it own additional and unique advantages/disadvantages (e.g., speed, cost, ease-of-use, quality of technical support). If you see things differently, please do post your own definition of anonymity and illustrate how that definition is (or is not) achieved by various services.

That is a bold accusation. Can you kindly elaborate, and provide specifics?

P.S.: “Anonymizer” is the name of a company, not (any longer) the name of a product/service. When discussing “Anonymizer,” please clarify precisely which product in their portfolio you are referencing.

* * * * * * * * * * * * * * * * * * * *​

I am sincerely not trying to be pedantic, but allow me to ask: precisely how can one service be “more anonymous” than another? Either your true IP address is – or is not – known by an external website. It’s “black and white,” not “shades of gray” – right?

If I am guilty of making a "critical mistake" in my post, please do politely correct my error.

Thank you.

 

Pleonasm

Very serious accusation... sure. Let's call it an indictment against Anonymizer's basic service. I did a talk on it last year at defcon, and it is available for you to see on Google Video.

And yes, critical mistakes. 1) You could close your eyes, and that would also be a service that makes you anonymous by that definition. 2) Yes, anonymity is not a binary state, it is analog and there is greater and lesser anonymity. There isn't a metric for measuring it yet, but we're kicking the idea around. Anonymizer / Ghost is very weak anonymity.

malwaretesting,

I have some doubts about Tor. Last year one of the XeroBank guys found a critical flaw in Tor that practically was a backdoor. That there are attacks against Tor is not a terrible surprise, that they are this critical and didn't listen to advice makes you wonder. This year you will see XeroBank release a horrific attack that allows attackers to hijack Tor and remotely execute code for full compromise of tor users. And naturally, that includes unmasking their anonymity. We'll also be doing this with other OpenVPN providers as well, I think.

 

It depends on your definition of "anonymous". With Tor, there is no mechanism built in that allows anyone to connect a source IP to the final destination. It's just that simple. Most other services have what I would call a "backdoor". There is a way for the people who operate the service to trace the traffic. Some other services try to do what Tor does, but they are nowhere near as widely used as Tor, and their source code is not subjected to as much scrutiny. Services that attempt to do what Tor does are almost always free and open source. JAP was similar until they introduced the backdoor.

If your definition of "anonymous" is just referring to keeping your IP address from the destination site, then I would argue you are too narrowly defining the term. To me anonymous means you, and only you, know what you are doing. Even if there is some flaw in Tor now, it's true purpose is to do exactly as I described. Flaws can be corrected.

With XeroBank, and every other service, someone can snoop on your traffic if the people behind the service were so inclined. I'm not saying they would, I'm saying they can. That is the fundamental difference. Every other service was designed with the mindset that there is a way to trace traffic. Tor was designed with the mindset that there will never be a way built into it to trace the traffic.

To me, this just seems obvious and common sense. With Tor, trust is all but eliminated from the equation. With any other service, you have to have trust in the people behind the service. Clear now?

Addendum: Let me put it another way. Anyone with a broadband connection and an interest in promoting internet anonymity can be a Tor node. They download the open-source software, run it on their system, jump through a few hoops, and they're a Tor node. Now compare that to other services, and you'll answer your own question. Who runs the servers/nodes on other services? How do you know who they are or what their objectives are? No paid privacy service can have truly independent nodes/servers. Regardless of where they are or how physically separated/isolated they are, one company is still in control of all of them.

Is it a correctable flaw? When it is corrected, will they still be able to meet their stated goals for the service, as I described above? If it's correctable, then I don't see this being a huge issue.

Have you told the Tor developers about this issue? Have you told anyone? I fail to understand why you would come here and give these vague descriptions that are completely meaningless without specifics. You accused others of spreading FUD. This sounds like FUD to me.

Is it your intention of publicly announcing this to try to take a slice out of Tor, and possibly have that slice go your way?

The things you say sometimes strike me as a guy who will do anything to further his service. If you were really concerned about internet anonymity in general, you would want to see Tor succeed.


Addendum:

Let me put it another way, what kind of impact would it have on the service to correct the flaw that you found? Would it require a fundamental reworking/rethinking of the entire model? Or is it something simply correctable that won't have any impact on the way consumers currently use Tor?

 

That's not true at all. Tor just has logging turned off. It doesn't stop any node from logging the connections or traffic.

Not exactly. Trust is inherently required for all anonymity systems that have any links where the traffic is unencrypted. While it may not be obvious with tor, you are trusting them. Specifically, you're trusting the Tor exit node. You are trusting it not to tamper with your traffic, read it, inject malcode into it, etc. which is very foolish.

Absolutely, loud and clear. They know the attack vector and didn't protect it, so now the exploits get revealed, just like last year, and afterwards we'll show them the error of their ways and how to fix the problems and potential ones.

Heh. Well, if it wasn't true, terrible, and provable, I guess it would be. Until then, this is kind of an "i told you so." However, patience is a virtue, and maybe they'll figure out the hole and how to close it before the conference.

No, I don't think they are overlapping markets, but the tor commnity would certainly be safer by using janusvm or xb machine software to access Tor network. There are critical design flaws to tor that may not be able to be overcome, but alas I am not on the tor development team and all solicited offers to help have been rebuffed or unanswered. They think they don't need help and I'm fine with that. First impressions are lasting, and I don't go where I'm not wanted.

There are easy fixes and there are the right fixes. There is more than one vulnerability we will be disclosing.

Yes. Just last year we submitted a bug, and it was classified as a design flaw, which is very rare.

It will change everything, including the way people think about Tor. Or ignorance and hope may set in, and nobody gets affected. You can't predict the masses all the time. In which case, they'll get compromised again and again.

 

You just refuse to acknowledge some of the great benefits of Tor. You use this forum like your own personal advertisement.

Yes, a Tor node can choose to log. But of what benefit is it to the two random hops you're going to be taking before getting to the exit node. All they'll be logging is encrypted data. And yes, the exit node can alter your data. But so what? What difference does it make to me? If someone alters my data going to Wilders Security, why would I care? It wasn't tied to my real life anyway. It's just some fictitious guy named malwaretesting that's going to be affected. I don't do anything on Tor that would cost me more than $100, and that's about it. So what? I don't do anything relating to my real life on Tor. What I don't want is malwaretesting to be tied to my real life. And Tor does that for me. I'm sure you'll find this sentiment common. If malwaretesting is compromised, I don't give a crap. And that's about all an exit node could do.


You're just not getting my point about logging and tracing (or you're choosing to ignore it). With Tor, there is no central figure that law enforcement can go to to ask for a trace. They can't go to the Tor developers. They have to hope that the person went through 2 or possibly 3 compromised nodes. With your service, they know precisely what door to knock on. With Tor, they have to go to all of the individual countries and hope that they find something. With your service, if you agree with law enforcement, it can be done from one location.

Sure.

If you don't think they're overlapping markets, then you have a knack for rubbing people the wrong way for no reason at all. Why would anyone come here without the slightest shred of evidence and talk about a competing (or non-competing) service like you are? You're not providing any evidence. What do you expect people to think? If it is a non-competing service, then why not wait until you release the information to start talking like this.

It's a shame that your system is closed-source. Tor has had thousands of people evaluate its source code. How many have evaluated your system?

You'll excuse me if I demand proof before I take your word for it. And if I were you, I would lay off your claims until you provide proof that's widely accepted. That is unless it is your intention to spread FUD.

You had me on your side for a day or two.

 

That's what I think. The US gov is their (Abraxis) biggest and most important client. That pretty much says it all. Evidently the US government has already extracted everyone's personal data. and they can get all of it from any US company just for asking. They sucked it all out from ordinary citizens using ordinary connections. I would be shocked to hear that they have not tapped into *all* of the US "anonynity" services.

http://www.youtube.com/watch?v=qrBapXsLcro

 

Well evidently you have to block Java, javascript and flash to prevent someone from unvieling your true IP with Tor.....and that's just no fun, as far as I am concerned.

 

Not strictly correct. I've never seen a true IP being revealed with javascript alone. I almost always run with javascript on and some script filtering with proxomitron. Even without proxomitron, I've never seen javascript alone being able to do it.

I have seen it done with java alone, however I've never navigated to a site that required java. I've never needed java. It's used very rarely. Technically, you could even surf with java using Tor if you have the right firewall. I use zonalarm. I allow firefox to connect to 127.0.0.1. If at some point zonealarm is telling me that firefox is trying to connect to xx.xx.xx.xx, which is some general internet address, then I know something within firefox is trying to access the internet, whether it be a java applet, a media player, flash, etc. I just deny it access.

So, technically, there are ways to get around these issues. And I've never seen javascript alone being used for that purpose.

As well, there are other things you can do. You can turn off DNS requests on your system or route them through something like Tor-DNS-proxy. You can use janusvm or XBMachine, etc.

The point is, those things are of little concern to me. I've seen it happen a few times where something within firefox will try to bypass Tor. You can prevent it. It seems a little silly to me to completely avoid a wonderful product like Tor over this issue. But that's just me. If you spend one day on it and go to websites that purport to be able to reveal your real IP, you'll find effective ways to prevent it (e.g. the right firewall) and you can continue to use Tor.

 

You've got me seriously confused. Where do you think Steve lives? Steve, the voice of XeroBank, is in Dallas.

I think your perspective is a little off.

 

You may notice I'm just responding to the posts of others. Consider the possibility of a group creating superior innovation in design and implementation, and what that would look like if someone came to this forum and answered questions. It would probably come off as baseless claims and advertising, unless you knew the truth, the history, and had some proof. I can understand your position.

It's the exact same with XeroBank. One admin can't log all the nodes and get them to collude. It takes collusion among independent people. XeroBank can command admins, but they may be freelancers or consultants, and are thus not employees or an internal mechanism to the corp, and thus not required to comply. This is like me hiring you to paint my house, and then me telling you to make me a sandwich. You might say, "no, that's not something I will comply with. I quit. I rescind my keys and set them to revoked."

They can inject exploits into your surfing experience, allowing them to remotely monitor, track, alter, manipulate, log, and hijack your computer. That includes where your computer goes, in real life, and what networks it touches, in real life. Complete and total compromise. You should care a lot.

I just disagree, because it is more similar than I think you realize.

As is the same for XeroBank. Even if they went to Panama, if we disagreed with the search and thought it unethical, then they would then have to go get court orders for all the servers in all the jurisdictions. If an encryption key trustee revoker thought it was unethical or immoral, they could revoke the entire decryption process from our prerogative. There are many layers involved here, and it has been well devised.

It's true. But it doesn't mean the door will open, or if the door opens, that what they want is going to be inside, if it exists at all.

Not entirely true. It's not as easy as it sounds. We have to contact all admins of relevance, across all jurisdictions, who would consult with the ethicist and key trustee. At any point, those things could fail if the smell of the situation doesn't pass muster. However, there is also a double edge to that sword, we are only going to agree if the person is doing something truly malicious, in which case they have no legitimate right to our protection because they've abused the trust relationship. It took them making themselves untrustworthy by explicit action, and only in that circumstance is it possible, so the point is moot.

Good question. The genie was out of the bottle last year. Imagine we did what you suggested above, then fast forward to a year later. That is where we are now, and we have a new vulnerability because our warnings weren't taken seriously. We'll try and inform them again, and we're announcing that we are going to prove it.

It isn't. Our code is either entirely GPL or fully source viewable.

If you consider that our components are open-source, publicly available, and non-proprietary, you would find that they are evaluated by the entire open-source security community over a decade. That would probably be thousands. Now if you're just counting people who've downloaded the source like you've done with Tor, then the number rises to millions. We've had about 8 million downloads since last year alone.

No problem. I highly respect demands for proof before trust is issued. This is serious stuff we're talking about here. I'm a big believer in proven technologies and proven people. To level such a serious claim, you might need amazing proof. Proof so strong, you would practically have to have already done in the past what you claim you will do in the future, and get it publicly acknowledged by the people it was claimed against. To have such proof would just be incredible, yes?

I present such incredible proof here:

1. The exploit
2. The acknowledgement
3. A summary

Tor is an amazing piece of software, but it has it's own shortcomings that cannot be overcome with its implementation. It is a wonder of socialist networking and community work, but the goal it purports cannot be accomplished without engaging in the solutions that both XeroBank and JanusVM independently arrived at. Until it does, it will always be especially vulnerable to attacks due to the huge attack landscape it provides.

I hope to have you on my side again. I'm on your side and working hard to protect you, even from unknown and incredible threats.

 

It's interesting. But it was patched a long time ago. I assume you have a new vulnerability up your sleeve. There have been numerous patched vulnerabilities in Tor and every other piece of software ever created. It's a part of life with computers. There will be more vulnerabilities and more patches.

The fact that you posted a vulnerability that has already been patched (in September of last year) has me a bit confused.

 

So, you're saying someone is more likely to be able to remotely control/monitor/track my computer with Tor than without it. In other words, Tor is like a gateway into your computer, but surfing without Tor, I can be carefree.

The only issue is whether running Tor makes it more likely that these things will happen. In other words, is a Tor exit node more able to compromise you than some random compromised web site? I doubt it.

I browse sandboxed, and, no, I'm not worried. I have numerous other security precautions in place. Even if your exit nodes are more friendly than Tor exit nodes, you can't protect customers from any of the above things when they visit compromised websites. The consumer needs to learn how to run a hardened system. That's the bottom line.

Okay, I'm going to go back to your quotes. You stated clearly that you would be happy to help in some investigations, such as child porn and bomb threats. How would something like that happen with Tor? There is no central entity that can do that. The Tor developers have no control of the traffic that runs through Tor. No one does.

I'm not condoning the above actions, I'm just stating the power of Tor. Law enforcement can't just call up a bunch of Tor nodes and have them collude together to catch someone. You're talking about a task of enormous difficulty and complexity in catching some random person through Tor if you don't have the capability to globally monitor all traffic.

 

No problem. Let me explain:

What you see above? That was Kyle's vulnerability from last year. It was the worst vulnerability in Tor ever found, and allowed for full remote compromise of every tor client, for every version, every operating system, ever. Just a huge catastrophe, it could hardly have been worse.

Kyle, who is on the XeroBank team, has another vulnerability this year that will compromise all Tor clients again. And again, we are offering a solution like we did last year that will prevent the compromise. We'll see if anyone on the tor development team listens once the vulnerability is out. If last year is any indicator, they won't. I hope they listen, but I think it unlikely because it's just too much work for them to stop what they're doing and go back to the drawing board. The most we can expect is for them to say "Yeah, they were right, and their solution works. You should use their software," but that is as equally unlikely for a variety of reasons.

We have to do lots of research and work to keep people safe. And we give it all away for free to enhance tor users' security. It just unfortunately takes these kind of events to effect change. Just like New Orleans knowing their walls were too weak, it took a catastrophe to change anything. Had they not been recalcitrant before and expecting others to bail them out afterwards, the whole problem could have been avoided. Incidentally, the 17th street canal in new orleans is leaking again because they didn't properly fix the problem... We're waving our arms and loudly shouting about the impending flood that will wipe out Tor users. The wall broke last year, and they put a bandaid on it. The wall is going to break again this year. Will their solution be to patch another bandaid in place? I hope not, but we'll see.

 

Hmmm. Yes. Tor can be turned into a backdoor to not only access your system but what is worse, the attacker can do so anonymously and with encryption thanks to Tor itself. It's the perfect trojan, if you can trick tor.

an anonymous gateway, yes.

no. you just need to run it in a well implemented environment that, as you say, sandboxes tor and the browser from the entire operating system. and can somehow recognize imposters/injected code.

Definitely. Every bit of traffic over a tor exit node is for a tor user. Perhaps 0.01% of normal web surfing traffic alone is for Tor. So if I wanted to specifically attack and unmask tor users, i would certainly pose as an exit node and inject malicious traffic.

Not with xB Machine. Even a compromised website can't break out of xB Machine.

Kind of. They need to run a hardened system, but people need to learn to make hardened systems that follow all the rules of Portable Privacy i detailed in my presentation. Suffice to say that it is easy to use, transparent, intuitive, fail secure, zero configuration, and pleasing to the eye. That is why we designed xB Machine. I can say quite surely it is the most secure operating system on the planet, and almost as easy to use as windows/mac. And of course, it is free and open source and works with both tor and xb network.

Kind of, as well. Sybil attacks can allow attackers to control the tor network and the traffic that goes through it. You may be surprised to learn that there are massive amounts of nodes colluding already. For them to track a user would be trivial. If I wanted to track tor users, i would simply create 2000 virtual nodes and add them to the tor network. Then i have a 50% chance of being able to fully track and unmask any user at any given time. Over a period of time, that would increase to nearly 95% if the user keeps using the network. That is trivial for any medium sized business.

But lets get back to your statement. A priori, the user would have to be involved in bomb threats or child pornography. So yes, tor's only advantage in their decentralization model is that it can protect child pornographers and bomb threat makers. Otherwise, all things being equal, both protect everybody else. So if you're a bomb threat maker shopping for anonymity, your only choice is Tor. If you aren't, you're free to choose from some good solutions without worry to your anonymity.
Another problem is that tor users have no legal defense to stand up to subpoenas or court orders. We do. You would be correct in stating that the footing is unequal.

Let's quit dancing and just go directly to checkmate: For $20k I could compromise nearly a majority of the tor network and its traffic for a whole month. I don't have to get a court order, I don't have to consult anybody, I don't have to get any decrytion keys or request anyone's logs. I can do this automatically and legally. All I have to do is keep renting and registering more and more nodes. That is the problem with public participation anonymity networks: their integrity can be bought, publicly and legally. If integrity can be bought, does it truly have the integrity that it purports?

What's worse? Now imagine that there are only 600 truly independent and legitimate tor nodes, and the other 1400 are colluding. They have a 84.4% chance of catching all traffic at any moment, and 100% over a small amount of time... now what would it be worth to any intelligence agency to be able to do this? Do the math. An intelligence agency has unlimited resources, spending $10k/month on nodes wouldn't even cause them to blink an eye. Monitor the entire Tor network of 100k or 200k independent thinker and potential "criminals" for only $10k/month? Would ANY intelligence agency say "no thanks"? Of course not. Has this happened yet? Game theory states that they already have done it. By the numbers alone and the low cost of monitoring, you must operate under the conclusion that Tor already has been converted into a honeypot because it is so easy to do so, and so attractive. Game over.


As a caveat, you must realize that it is a known problem, but that you can't determine if this was intentional in design or not. Why did they not wait until they had 1 million potential signup before creating the network? Maybe because they need to test the software first, which is a reasonable excuse. Maybe they need funding first and have to prove themselves with only a few thousand nodes. But you have to know your rational limits, and a low amount of nodes in a public participation network is a serious issue. It didn't start as a public participation network, I think... it started as a private network for naval research labs. That would be a good use. But as a public network you run into a gamut of problems.

Do I have hard proof for this assertion? No. It just makes sense statistically, economically, and most important, it is in accordance with game theory. It's like a deal. What adversary would spend countless hours trying to hack the network, or break encryption, when they could literally just buy their way into it for cheap? Would you buy tickets for a $1,000,000 lottery if you had a 1/100 winning? Absolutely. How many tickets would you buy? Hell, I would buy all 100 tickets. This isn't a design flaw itself, it is an implementation flaw, and perhaps an unavoidable one for a while. I wager to say that the current Tor network is a test. A wading pool. Getting the software to work right on a small pond before it is ready to graduate to the global pond. I would have done it differently, but roger gave notice about the limits of the privacy, and everyone has an opinion.

 

There is a conflict of interest here so wide you could drive a truck through it. You are a competing service, whether you like it or not. Vulnerabilities and exploits happen all the time. They'll happen to your service as well. It's a fact of life.

It's not your place at all to be saying this, especially on this forum without any corroboration. I'm sorry, but you can't be objective. Your position with XeroBank makes you hard to believe, to put it mildly.

You're telling us that you, one of the founders of XeroBank, has concluded that Tor, a competing service, needs to fundamentally change the way they operate or all Tor users are at stake.

You are now part of a paid service. Prior to XeroBank, you would have been believable. In my mind, you've forfeited the right to be on the forefront of a movement to fundamentally change Tor. Who else do you have in your corner? I haven't seen anyone else saying the same things as you are. You can't spearhead this campaign.

I think you need to take a step back and reconsider what you're doing. The number of posts you've had on this forum can only be categorized as free advertisement. I think you're crossing the line with your attacks.

Addendum:

I've just read your previous post. Were you saying any of this stuff when you were doing the Torpark project prior to XeroBank? It's funny how all of this is coming now that you're with XeroBank. I take back what I said about you spreading FUD. You're the FUD master. I guess we should all hop along and start using XeroBank now, because obviously we have no other alternatives that will actually work.

I seriously hope the moderators on this board limit your ability to continue promoting your product and denigrating other products. Last time I checked, this isn't a XeroBank forum. You don't see any other privacy services here, do you?


So, you're product is clearly the best right? Are there any other products out there that are any good? There must be at least one other one that can compete, right?

 

I use Zone Alarm too. So if I am using Tor and ZA says java is wanting to connect to something other than 127.0.0.1, and I deny it, then it cannot reveal my true IP? I didn't realize it was that simple.

I have used the Tor, Privoxy, Vidalia bundle only. I thought that it automatically routed the DNS requests through Tor. No?

But anyway, I do think that Tor is awesome, and I think the EFF is awesome, but I just need something faster. Maybe if I was going to express an opinion about something in an email to CNN or something I could use Tor, but I would never get anything done if I used it all the time. I bounce around doing searches constantly. If Tor were my only option, I would have to forgo my privacy......which would really suck.

 

But XeroBank is not a US company. And Steve does not have unrestricted access to XeroBank. At least from what he has described, there are checks and balances from within their organization designed to prevent any one person from compromising the integrity of their business.

 

Would using Tor inside of Sandboxie prevent any of this?

 

When I tried those sites that purport to reveal your IP and I turn on java, a java applet downloads. When it tries to connect to the internet. ZA warns me that FIREFOX is trying to access xx.xx.xx.xx. Same with other things loaded in firefox. Now, if firefox previously had general internet access, then you switch to Tor, you won't get the warning, because you had previously granted access. You have to close then restart firefox everytime you want to switch from unproxied internet access to using Tor.

You have to make sure that ZA asks you for permission every time you open Firefox (i.e. that purple "?" all across the board). You know how ZA will first ask you if it can access 127.0.0.1, then it will ask you if it can access xx.xx.xx.xx. That xx.xx.xx.xx access is what you want to deny. If you have previously granted firefox general internet access (xx.xx.xx.xx), you have to close then restart firefox, then make sure to deny general internet access to firefox (through ZA). Only allow firefox to access 127.0.0.1.

I can't vouch that there's no other way to obtain an IP, but every one of those sites that I've tried, ZA has stopped the applet.

Correct. But by turning off DNS requests entirely, Tor will still have internet access, but a lot of other things won't. For instance, firefox won't be able to access the internet at all except through Tor. It's not something you need to do at all when using your browswer. It's just something I do sometimes with certain programs that might leak DNS requests. Firefox isn't one of them.

My speed through Tor is more than acceptable. Every post I've had on this board has been through Tor. I can actually do some things with Tor that I'm not going to post here because I don't want to get flamed. But it's more than acceptable for me. To each his own.


Addendum: I want to add that 99.9% of the time I surf with Java off. I literally have never seen a website that required it. Javascript, on the other hand, is often required. I'm not saying you don't have certain websites that require Java, but have you tried shutting it off and just leaving javascript on? My experiences can't be that much different from yours.

 

I think Steve is seriously pushing his luck on this forum. I think he needs to back off big time because every time an anonymization service is brought up, he's there. And he's not only pushing his product, he's critiquing others in ways that don't seem right to me.

I'm wondering if we're going to see a XeroBank rule on this forum sometime soon.

 

Sort of but not really. Tor provides free access to the tor network via method A. We provide access to the tor network via method B. We provide access to the xerobank network via method C.

We've found another vulnerability to compromise method A, and again suggest tor users move to method B. None of that suggests users to move to method C. However, we've discovered a vulnerability in method C, which many other anonymity networks use as well. We will also be disclosing this at DefCon as well, assuming we get ours patched in time. We don't mind finding the bugs, even if it is in our own network.

It's a fact of science, not a point of contention. The Tor network access implementation was not securely designed in compliance with the universal OSI network model. Because of this they are always defending on layer 7, and attacks can happen anywhere below layer 7. They need to move it to lower layers like 3. This isn't easily done unless you use JanusVM or xB Machine. Even xB Browser is vulnerable to such attacks. What we are doing is upping the game that Tor plays, defending against future attacks that don't even exist yet.

Profits and anonymity are not in opposition to each other. They actually help each other. If you want I can provide you the post link.

Kyle Williams, and if asked to agree, Martin Peck, and if asked for concurrence on the problem, even the Tor developers themselves will admit the issues I'm talking about.

No. Back then I thought as most did, that tor was an amazing wonder with supernatural powers of anonymity. I had understanding of how it worked and its security properties and how to use it, but I did not understand the necessary implications of it as I do now. With experience comes wisdom. With exposure comes knowledge. What I've told you in the above is a recent revelation. It is a sad certainty of statistics, I suggest you don't shoot the messenger.

That won't help Tor. Luckily you have the power of exponents on your side. As you increase the number of tor nodes, monitoring the entire network becomes prohibitively expensive. Increasing the number of nodes to perhaps a million, not just 2000, would make it impossible to compete with and relegate it to being tracked by global adversaries only, instead of making it possible for any group to buy it.

I think they are free to come here and discuss the Tor network or any other network, or anonymity technologies, or privacy enhancing techniques. But they don't. Now why is that? We're all worse off for them not being here, and we're all better off for everyone's contributions, some more than others.

I think if you were measuring anonymity, if there were such a metric (there isn't) you would find similar levels of anonymity between Tor, XeroBank, DiClave, and KryptoHippie.