XeroBank vs Perfect Privacy

I tried PP openvpn for a few days now, both my ebay and paypal accounts got locked the very same day I accessed them through the Perfect Privacy service, ebay sent me a message stating that my password has been tampered with, while Paypal locked my account under "..Your account has been randomly selected for a security check up..."
Any advice?

 

Homer,

We can't reverse the traffic stream back to an incoming IP without very serious work, live during the stream. Definitely nobody external to us can do that unless they are a global adversary, and even then they will still have lots of trouble. We use channel multiplexing and stream mixing technologies. When we run a server, you can't tell which stream goes where or belongs to whom, unless there was only one or two people using the system, which definitely isn't the case

 

The difficulty is not in question, it is still nonetheless possible, and as you have already stated - necessary in cases of serious crime.

A government agent with a warrant, sitting at a console in your data centre, would not be external.

Either you can or cannot successfully investigate serious crimes committed through your servers. Which is it?

If you can, then so can other parties who may coerce you to cooperate with their demands - ethical or otherwise (ultimately you must obey the law). If you can match "A" to "C" for the purposes of criminal investigation, then you (or others coercing you) can do likewise for less reasonable purposes (NSL), such as branding your customers as potential "criminals" merely because they connect to an "unfriendly" country.

If you can't, then you are basically admitting that your TOS/AUP is unenforceable, and that criminals can have free reign on your networks. The upside to this is that I am actually wrong; my privacy is in fact 100% secure; and I may connect to any country I wish with complete impunity, "unfriendly" or otherwise.

Its a nice dream.

Although this does bring us back to the question of why multiple hops are necessary in the first place, if this multiplexing makes identification virtually impossible anyway.

So I must conclude that identification is merely difficult rather than impossible, which is why multiple hops are necessary to provide an additional layer of difficulty ... whilst still being possible. And this possibility means that additional hops will not actually permanently protect me from being identified as a customer connecting to an "unfriendly" country.

My ultimate conclusion is therefore that I might just as well connect directly to that "unfriendly" country in one hop and be done with it, safe in the knowledge that the "friendly" country's government agent will not be given cooperation by the "unfriendly" country to spy on me. Meanwhile I must live with the knowledge that as far as my "friendly" country's government is concerned, I am a "suspect" no matter what I do, one way or another, simply because I choose to deny them unfettered access to my private communications. But there is little they can do about it either way, whilst they lack any concrete evidence of "wrongdoing" (FSVO: "wrong"), thanks to the protection of my privacy afforded to me by the "unfriendly" country that will not "cooperate" with others to spy on me.

QED.

 

Sure he is. He doesn't have access to decrypted data streams or internal systems. All he can do is look at encrypted streams. No system access. He's just as SOL in langley as he is at the datacenter. But if you've got the NSA coming after you, nobody can help you for long.

Your questions are somewhat technical, and we have covered this in great depth here before. Please look into the logs or pose your question at the XeroBank forum so we don't waste anyone else's time here.

 

Again I repeat, the data is irrelevant, so the fact that it is encrypted is moot. The question is whether or not customers can be identified by their IP addresses, and if it can be determined which destination addresses they connect to. Multiplexing or no, clearly they can, otherwise you wouldn't be able to enforce your AUP.

How would you deny a government agent access to your "internal systems", if he demanded that access backed up with a warrant?

And the IP addresses.

Presumably even the mighty NSA don't have much influence in Iran, hence my interest in that country.

Actually my questions were not directed specifically towards XeroBank (other than the OP where I asked about prices, etc.). I'm merely pondering the impact of jurisdictional considerations on VPN privacy services in general.

 

Yes they can. But not by anyone without internal access to a few different servers.

US/UK/EU government agent doesn't have jurisdictional authority. At least for xb.

For all other services, jurisdiction is a big big deal. It is their weakpoint. I agree. I did a post on this on my blog some time ago.

 

In your blog post you write: "we operate out of high-privacy jurisdictions like Germany".

But surely Germany is subject to the European jurisdiction I've been talking about, and it doesn't exactly have a great civil rights record on privacy:

Germany is clearly no more of a safe data haven than the UK or anywhere else in Europe.

 

Look at the date of the post. Just a year ago Germany was a privacy haven. Things have changed drastically since then. For those of us who deal with data retention laws, we know that we aren't forced to comply till January 2009.

 

It is all a canard, FUD that Xerobank spouts. They offer nothing security wise that can not be found cheaper someplace else. The fact of the fact of the matter is; if there is a suspected security issue in regards to terrorist activity or child porn the exit servers will be compromised, the US, Panamanian, or whatever, government will cooperate and Steve will find himself compelled to give up information under FISA or any other laws are now on the books.

They have a exit server in the Nederlands too. They have to retain logs. His contention that all they will see is an encrypted stream is true, but as you say, it is moot. All any EU, Asian, North, Central, or South American jurisdiction needs is a court order from another jurisdiction that there is suspected illegal activity taking place and that is the end of it. Steve for all his talk and claims will, as I have said before, roll over in a heart beat. Anyone would. He does not want to be held on obstruction of justice, contempt of court, or aiding and abetting. Any suspected illegal activity taking place and he will have to establish he is innocent and not a party to that activity by his full cooperation. His web site already states they will cooperate with LEA's and not be a party to illegal activities. So what is the point of paying more for something if you all you want to do is keep your ISP from snooping on where you are going on the web? As I said, it is really all a canard – FUD – nothing more ('Pay no attention to that man behind the curtain.').

If You want a German exit point, go with Steganos. They are in Germany and have been offering VPN services for a few years now. If someone has something they need to hide from possible on demand government scrutiny; pay services such as Xerobank have nothing to offer to make you immune to discovery.

Steve is a business man. There is nothing wrong with that. What he is selling is a service. It is all marketing. It is a bit like buying a car. It is transportation and there are all kinds of bells and whistles you can get; very fancy or very plain. But at the end of the day all it does is get you from point A to point B. They all do it and none will save you from serious injury of death is you get hit by a 40 tonne lorry on the motorway. In this case, the 40 tonne lorry is the government.

 

At which point it's game over for VPN privacy services in Europe, not that the current situation is any more tenable, given previous government actions.

So this brings us right back to the dire need to completely avoid the US; the EU; and their political allies, in at least one of the hops taken to the destination IP (preferably the last or only hop).

I'm not saying that multiple hops are completely redundant (anything that makes life more difficult for government spies is fine by me), but AFAIAC at least the exit point would need to be in an "unfriendly" country, and AFAIAC any other hops would be redundant if they were inside "friendly" countries. Multiplexing and multi-jurisdictional complications will certainly slow the process of invading our privacy down, but it won't stop it completely if those jurisdictions are cooperative with such demands, so by far the best defence is complete relocation to "unfriendly" jurisdictions that offer zero cooperation to such processes. By all means let's have multiple hops ... contained completely within these "unfriendly" jurisdictions.

I think in the near future all privacy services will need to be relocated completely outside of the US/EU/allies boundaries of jurisdictional control. Of course the result will be that VPN privacy subscribers will "look suspicious" for connecting to such countries, as far as those subscribers' respective governments are concerned, but this seems to be the increasingly unavoidable price for communications freedom and privacy. And as I've said before, we're all "suspects" now anyway, in the present political climate. At least, with a VPN service located in an "unfriendly" country, we'll be "suspects" with our privacy intact.

 

XB does seem to be one of the few (or only?) VPN services offering multiple hops, which is useful, but only if they avoid jurisdictions such as the US; the EU; and their allies, IMHO. So overall I'd agree that XB's services are not as compelling as Steve makes out (he is understandably biased after all), but by the same token I'm disinclined to dismiss XB out of hand either. However, I do find XB's prices rather prohibitive.

I suppose it is difficult for him to discuss these issues without plugging his own company's products, but his enthusiasm does somewhat come across as spammy hyperbole. I'm not knocking Steve personally ... I'm sure he's a perfectly nice guy, but he clearly has a vested interest, so it's hard to be sure of his impartiality. In particular I'm immediately suspicious of those who imply any given security measure is infallible, and Steve does tend to lean in that direction, so that worries me.

Personally I have an extremely pessimistic and paranoid view of security, and live by the creed that nothing is safe, but some measures appear somewhat safer than others. Protection requires that a specific threat is identified, and right now that threat is (as you say) the government (i.e. the governments of the "West", who have implemented the telecommunications equivalent of Marshal Law). Any solution to that threat must therefore require circumventing those laws, and AFAICT the only way to do that is to circumvent the countries that enforce those laws. This means connecting to servers located outside that jurisdiction. I simply don't see any alternative, short of political revolution.

 

Hillsboro,

It is clear that you have knowledge, but a lack of understanding to accompany that knowledge. I would love to respond to all of your points, but not on this forum, as it is inappropriate here.

Homer,

The view of allies is over-simplified as it doesn't take data obfuscation and observability techniques into account. Again, I'm happy to discuss it on xerobank forum at length. Otherwise, I can't participate in bench-racing during amateur hour. Let the umbrage taking begin!

 

My questions are not directed specifically at or about XB, they are general queries regarding jurisdictional considerations, therefore I don't see the point of limiting my discussions to just one privacy service company's own forums, especially as I'd prefer impartial advice regarding the relative merits of more than just one company.

However, if I ever become an XB customer, I'll be sure to pay those forums a visit.

 

Well, here is the problem. You're right: everyone (else) is suffering from those problems. xb isn't. because of that it limits the discussion of success or dissent to xb. We could infact discuss some other service, but the thread title is xerobank vs. perfect privacy. So if it isn't about either of those two, it isn't pertinent to the thread. It isn't going to be about PP because they aren't multijurisidctional, and it isn't going to be about xb because that discussion goes on our forum. So you're talking about a topic with no subjects, or you're discussing the purely theoretical, which is academic because the internet isn't flat.

 

As I said I don't think you are doing anything wrong in that you are marketing a service and you do know what you are talking about. Unfortunately, we live in a changing word thanks to much of the FUD and Orwellian style of a certain political regime that has resulted in the loss of many personal freedoms we once took for granted. Especially for those in America and there has been some backlash from the rest of the free world in this regard. Nevertheless you have to function under these constraints too. So at the end of the day it is hard to stay off the grid in a police state where the the court have allowed the constitution to be subverted fir the so called greater good (Orwellian, Yes?). That there is lays the rub. You mentioned Germany. Germany is a republic and much of the constitution there is similar the American one in regards to personal freedoms and privacy rights. So we have come full circle, IMHO.

You have a lot of good things to say and ideas, but Ministerium für Staatssicherheit (Stasi) like agencies are coming into there own again and holding sway. I know of what I speak as I was living in West Germany during the 70's and early 80's and saw this first hand (I am in my 60's). To those of us who lived in close proximity of this, the parallels are all rather concerning. The only difference is it is more subtle where you are. Still the courts have abandon the constitution in favor of the States mandates of the need to protect the people and therefore certain freedoms must be sacrificed for the greater good.

Least someone say this is all political and forbid to be discussed here I would like to say this is, IMHO, very on topic in regards to security and privacy and it is at the very heart of the topic being discussed here because without personal freedom there can be no real personal privacy

 

It's statements like that which make me question your impartiality and objectivity, especially as there is clearly a potential jurisdictional problem with at least one of your servers (Germany). PP suffers from the same issues of course, but they also offer more secure alternatives. XB may well also offer similar alternatives, but I won't know unless you volunteer that information.

That is indeed how this thread started, however it rapidly became a more generic discussion of the relative merits and detriments of connecting to countries like Iran, and more general jurisdictional considerations. You may have noticed that I did actually change the subject line at one point, to better reflect the direction in which the discussion was progressing.

If a thread develops organically, whilst still pertaining to relevant subject matter, then that seems perfectly acceptable to me, and I don't think it's up to anyone but forum moderators to decide otherwise.

The anti-privacy laws which are being forced on citizens in the West are not "theoretical", neither are the measures those citizens are using to circumvent those laws. The countermeasures that Western governments might use to undermine that circumvention may be mysterious (to me at least), but refusing to acknowledge that threat is an extremely irresponsible attitude. Those "theories" need to be explored, if a solution (pre-emptive or otherwise) is to be found, and that is exactly what I am doing.

As I've already stated earlier in this thread, "I'm no security guru", I'm just someone who is concerned for his own privacy, as our civil rights are being revoked one by one. I bow to your superior technical knowledge of security issues, but my concerns are not purely based on technical considerations, they are mainly based on political issues that may have technical solutions. Naturally I want to utilise the best technical solutions to those problems, but I can't do that unless others describe to me what they are, and back that up with some assurances based on details, rather than sideline my political concerns because they are supposedly "theoretical", whist making vague and boastful claims of technical superiority.

It's not surprising that you'd choose to join a discussion that contains the word "XeroBank" in the title, but please don't expect to take over that thread; shut it down; then move it somewhere else for your own convenience. I'm not an XB customer, and I have questions here that extend beyond just that one company. The general principles of VPN security, and the legal and political ramifications of utilising those services, interests me far more than the advertising literature of a single company, so if you're uncomfortable discussing matters of a more theoretical and generic nature, then I'm sure no one is forcing you to contribute to this thread.

Thanks for stopping by though.

 

Homer - while I agree with almost everything you're saying, and am finding the intelligent discussion between you & SteveTX very informative and interesting, I feel that ^ statement seems to contradict the aim of what you're trying to achieve.

We've established that your ISP/govt. would see you establishing an encrypted connection to a very unfriendly nation like Iran...

..now on top of the possibility of this raising several red flags, they can't establish what you're doing with that connection without a) being able to access your computer or b) being able to access that Iranian server.

Now since the perceived advantage of Iran is that they're unfriendly and therefore wouldn't comply with any requests for data, hypothetically we could assume that your govt's next step may be a) electronic and/or physical surveillance? I don't think we can assume they wouldn't investigate your connection once they became aware of it, nor be unable to find legal grounds to do so.

If we can assume you're merely wishing to preserve your privacy, not to do anything immoral/break the law, then having the govt. watching you electronically or physically perhaps isn't beneficial to your objective of establishing/maintaining privacy - irrespective of the legality of your online conduct - they'd be sticking their noses in your business.

Of course that is entirely speculative... but what isn't. I'm not trying to attack you personally, but rather questioning the logic behind using Iran versus Russia, Netherlands, ?, etc. They may be slightly more receptive to requests from your govt., but they may not raise any red flags to begin with.

So in an effort to lighten the mood, I'll say this: God help you if you buy your lawn fertiliser in bulk

 

Yes, there are some uncomfortable choices to make:

1. Be a good little citizen, don't use VPN at all, and allow the government unfettered access to all your private communications
2. Use VPN, but only connect to "friendly" countries, thus raising a small amount of suspicion for attempting to evade surveillance, but risk being monitored at the exit point
3. Use VPN connected to an "unfriendly" country, thus raising red flags (with other possible consequences), but rest easy in the almost certain knowledge that your government has no access to the exit point, unless they're prepared to risk espionage in a hostile country to obtain that information

Of course the "possible consequences" of "3" is a Tempest attack (monitoring electromagnetic emissions) or other forms of more direct surveillance, but then there are counter-surveillance techniques for dealing with Tempest and others, and even if the government successfully penetrates my defences, they'll have wasted a huge amount of resources just to discover that all I'm doing is watching videos on YouTube (and other equally innocuous activities).

What the government undoubtedly fails to realise, is that I'm not protecting my privacy because I have something illegal to hide, I'm doing it out of principle. Let them waste their time and taxpayer's money discovering that fact if they want to.

You may argue that the government wouldn't escalate their attempts if I didn't give them "due cause" to do so, by connecting to an "unfriendly" country, but as I've said before - in a society that has degenerated into a state of near-Marshal Law, all bets are off. The fact is they don't actually need an excuse (they have an agenda), and (given recent changes in the law) they clearly don't even need warrants to carry out their surveillance, so provoking them with "suspicious" behaviour is a moot consideration, since we are all "suspects" all of the time anyway.

None of the above three choices are "safe", but as a point of principle I prefer option "3", because it's the option that makes life as difficult as possible for my assailants. IOW I'm making a stand, and I'll live with the consequences.

Also consider the possibility that in the future a much larger number of people might be using such services, possibly even using the most radical solutions available to escape this Surveillance Culture. Under such circumstances, the governments of the "West" would find themselves overwhelmed and impotent in the face of such resistance, forcing them to either back down or escalate to military action (actual Marshal Law). In either case we win, because the latter scenario would result in revolution. I can't predict which one of those two scenarios is most likely, but I do predict that at least one of them will happen, if the governments of the "West" continue with their present agenda of destroying our democracy and freedom.

 

I'm pretty sure Tempest attacks are *much* more difficult to do (at least discretely from a non-suspicious distance) against flat screen (non CRT) monitors, as they emit far less radiation.

 

As much I believe Steve Topletz is a person of integrity and high professional standards, still I would never confide my privacy to a company having their servers in US and/or EU. By default I consider them honeypots. Not because they surely are, but because they might turn to ones any day without any warning. I don't think Germany is any better than US or UK (remember JAP backdoor story and Tor exit nodes raid).

If I could chain servers in Cuba, Venezuela or Libya maybe I would feel a little bit more secure from Big brother's eyes, but I would never feel completely safe with any service where all my privacy relies on one person operating the exit point.

Until decentralized systems like Freenet or I2P gain their maturity and stability I'll keep on using Tor.

 

I'm still not sure about Iran, but as long as you're comfortable with the pros/cons of the route you're taking, then that's all there is to it.

Thanks for posting those links - regarding the EU (pdf), I do wonder how long it'll be before all of the member states have adopted that legislation? The timeframes they cited don't appear accurate (i.e. Germany = supposedly 2009). That aside, it's sounding more like the U.S. every day!

Speaking of the U.S. & deprivation of privacy/liberties, this article does make you wonder how deep the rabbit hole actually goes. It'll be a sad day when any/all of the points mentioned within, come to pass. Quite an interesting article. You'd think that under significant political pressure, that their allies would soon follow suit....causing yet another global domino effect. No wonder we're all getting paranoid...the internet's going to hell in a Walmart handbasket. This article at infowars.com is also rather alarming (to be taken with a grain of salt).

The Tempest attack, is quite shocking in how simply it appears to be carried out. I'm almost certain they used that on the tv show Numb3rs, as the concept sounded immediately familiar (lol, terrible I know). Free YouTube streams costing the taxpayer thousands of $$... that would be amusing.

I do hope that your vision of the future comes true - i.e. people wake up en mass at some point & realise it's all gone too far - but I can't help but think of the boiling frog story (the frog heats up so gradually it's cooked before the thought occurs to jump out of the pot). Thankfully it's been disproven, so there's hope for us all yet

 

You never know, Steve might be planning a holiday sometime soon

Me neither. Although I think I'd rather be able to put a face to a service I was using, than to not know anything about the people behind it. Unbeknownst to us, Steve could well be the PR guy for an occult society , but who/where are the people behind the likes of Tor (node operators) and even other for-profits? I haven't seen them offering assistance, conjecture, nor even plugging their services on here... which is a pity. What do Tor operators have to gain from providing such services for free, anyway? Where are all the Tor nodes located? I'd like to believe it's a humanitarian/philanthropic gesture, but I can't help but be wary of a free lunch.

I guess there's no way to be 100% content with either Tor or paid services? I would like to see XeroBank with a few more *interesting* hops like those mentioned above..though having said that, I don't know enough about its inner-workings to make a qualified comment . It's great to get feedback about the various services available for the privacy-conscious though, so I hope people keep reporting here about their experiences.

 

I vote to scrap the Internet, and start again with a protocol like "RFC 1149: A Standard for the Transmission of IP Datagrams on Avian Carriers" (carrier pigeons). This protocol was successfully tested in 2001, so we know it works. In fact it's already been updated to "RFC 2549: IP over Avian Carriers with Quality of Service", which includes an "Air Miles" rewards system.

However, we will need to come up with a bullet-proof security system.

http://news.nationalgeographic.com/news/2008/04/images/080429-pigeon-picture.jpg

 

Haha, I think that's all a bit high-tech for me . Although, with all the Avian Carriers around here, I could probably start a global ISP overnight...I'll give it some serious thought.

 

I have a Perfect Privacy account. I got it for the Tunnel. I like the idea of being able to choose from several IP addresses to something completely different when I want to. I run it through my Xerobank VPN. I tried Moscow and it's pretty cool.

XB VPN is definitely my primary privacy tool though and I am thoroughly convinced that it is superior. And I don't see how anyone can argue that 3 hops is no big deal. It would take some serious effort to get subpoenas from all 3 places at the same time. It would require time, resources, and money. I would think that it would take a very *serious* crime for anyone to go to that much trouble. So in that case I am not the least bit concerned.

And please lets not pretend that having the business set up in Panama is not helpful. Sheese!

I still think Iran is a scary idea. Anything that goes through them is subject to whatever they feel like doing. I don't know much but I have heard that they filter a lot and I am wondering if they may even hack into your system. They are no friend to freedom of speech or press, and they certainly don't care about human rights. What is really scary is if you live in the US and it is discovered that you are communicating through Iran, you will be an automatic target. No one would stick up for you. You will lose your privacy.....the very thing you are trying to protect. I bet they could hack into your computer and you wouldn't even know it. I wouldn't touch that with a 10 foot pole. I may be wrong but I am going to avoid that option.

Again, I do have a PP account, and I like the tunnel, but I did notice one thing. When I do a search in Google, I get the same message that I got when I tried Tor. It says that my query looks suspicious and they refuse the search. I guess I could just use Yahoo search when I turn on the tunnel insted of Google. No biggie.