XeroBank vs Perfect Privacy

Discussion in 'privacy technology' started by [H]omer, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. [H]omer

    [H]omer Registered Member

    Joined:
    Nov 21, 2005
    Posts:
    36
    The location of those servers is more significant than the number of hops. I consider multiple hops in (what amounts to) a single "cooperative" jurisdiction, to be less secure than one or more hops in an "uncooperative" jurisdiction.

    If a VPN service provider incorporates his company in (what I assume is) an uncooperative country like Panama, then that only really helps the owner of that company to avoid prosecution, it doesn't really help his customers who connect through servers in cooperative jurisdictions (e.g. Germany). Customers are legally responsible for their own actions, and it is the laws relevant at the exit point (and the customer's home country) which apply, not the laws of the country in which the VPN service provider has incorporated.

    Exactly the same can be said about anywhere else, but the governments of the West have a very specific agenda that threatens my civil rights pertaining to my online activity. The "threat" from Iran is of a very different nature that is irrelevant to that activity. Weighing up the balance of those two threats, I find the threat from my own government (and its allies) to be far more significant. I've never even seen an Iranian, much less witnessed an act of terrorism first-hand. Iran may well be my government's enemy, but they've given me no personal reason to be mine. Indeed I find it's my own government that's increasingly becoming my "enemy", as they systematically revoke my civil rights, and our society degenerates into Martial Law. Iran has not attacked me in this way, or any other way, so until they do then I won't consider them a "threat".

    If you research that error message, you'll find this is a common problem that affects many people, not just those using Tor; PP; or any other VPN service. Where many different people share the same IP, if one of those people abuses the system (DDoS; spam; etc.) then that IP may end up on a DNSBL, and subsequently people sharing that IP will find their online activity inhibited in certain ways. If you've ever had an Email rejected by a receiving MX server and wondered why, then this is one possible explanation, since one of your ISP's or Email service provider's other customers may have been sending spam through the same MX server you use to send Email. Certainly with PP this is not a serious problem, since you have the ability to simply switch servers on the fly, and that DNSBL record will be purged once the abuse activity stops.
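
The shared-IP listing described in the post above, as an added example that is not part of the original thread: it builds the DNSBL lookup name for an exit address, separates a real listing from a resolver that rewrites "no such name" answers, and filters a pool of exits down to the unlisted ones. The zone names, addresses and the offline `fake_resolver` are constructed for illustration.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answer range (RFC 5782)

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """A-record lookup via the OS resolver; None means no such name."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listed(ip, zone, resolve=system_resolver):
    """Return 'clean', 'listed', or 'unreliable' for one IP on one zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean"
    if ipaddress.ip_address(answer) in LISTED_NET:
        return "listed"
    # A non-127/8 answer means the resolver rewrote NXDOMAIN or the zone
    # is defunct and wildcarded; do not treat that as a real listing.
    return "unreliable"

def usable_exits(exits, zones, resolve=system_resolver):
    """Exits that no trustworthy zone lists; skips zones that fail the self-test."""
    good_zones = [z for z in zones
                  if check_listed("127.0.0.2", z, resolve) == "listed"
                  and check_listed("127.0.0.1", z, resolve) == "clean"]
    return [ip for ip in exits
            if all(check_listed(ip, z, resolve) == "clean" for z in good_zones)]

# Constructed sample data: documentation-range addresses, hypothetical zones.
ZONE, BAD_ZONE = "dnsbl.example.test", "dead.example.test"
FAKE_DNS = {
    "2.0.0.127." + ZONE: "127.0.0.2",       # mandatory test entry
    "7.100.51.198." + ZONE: "127.0.0.4",    # one shared exit got listed
}

def fake_resolver(name):
    """Offline stand-in for DNS; BAD_ZONE wildcards every name."""
    if name.endswith(BAD_ZONE):
        return "203.0.113.80"
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    exits = ["192.0.2.10", "198.51.100.7", "2001:db8::25"]
    print(usable_exits(exits, [ZONE, BAD_ZONE], fake_resolver))
```

Passing no `resolve` argument uses the operating system's resolver, so the same functions work against a real DNSBL zone.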
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    This is an oversimplification. Some countries have MLATs, some don't, some have intelligence services, others rely on local governments and investigation units. This extends also to defining your attacker. If you are against an intelligence agency with superpowers, MLATs don't matter, nor does the term "uncooperative". Perhaps you would be surprised to learn that US intelligence services have agents in strategic network positions to help them monitor traffic in "uncooperative" areas. Well, sure, but who can help such a person fleeing from NSA? That was already outside of the threat model. The answer is there is no quick "cooperative" vs "uncooperative" classification. You need to know how each country handles the other, at what level of interest and resource for the subject of surveillance. Unfortunately such intimate knowledge of how signal intelligence works and is processed is neither public nor available to the public.

    I'll disagree. That quite specifically prevents a country (like Germany) from being able to submit a court order based on traffic streams (they know the traffic but not the user) to discover a user identity/incoming IP address.

    Getting back to routing traffic through countries like Iran... a little wakeup check. Those are the strong censorship countries that are always spying on users. Those are the countries that will execute you for being seen talking to a woman who is not your wife. You think you've got more privacy and security routing through Iran? You're routing directly into a honeypot.
     
  3. [H]omer

    [H]omer Registered Member

    Joined:
    Nov 21, 2005
    Posts:
    36
    Here's a handy reference:

    http://travel.state.gov/law/info/judicial/judicial_690.html

    I might be inclined to use that list to determine which jurisdictions I trust more than others, since AFAICT the root of the "problem" is who does or doesn't cooperate with the US (Ground Zero for the spread of our "Big Brother" culture). Every country has one kind of agenda or another, but ultimately it boils down to which one of those agendas actually impacts my life most negatively, and in the context of my privacy and civil rights - that's the "West", not Iran.

    As I've already stated, none of the options are "safe", but some are "safer" than others. I can't prevent espionage, but I can make life as difficult as possible for my assailants, rather than just give up and grant them unfettered access to my private communications. Seeking the "safe harbour" of uncooperative jurisdictions won't prevent espionage, but it is currently the maximum resistance I can offer, AFAICT.

    So you say, but I find your overconfidence in the infallibility of multiplexing obfuscation rather disturbing. If you (i.e. the server admin) can ascertain that information for the purposes of enforcing your AUP, then others can also obtain that information from the same source, by coercing that admin with legal demands, if that "source" (i.e. the server, not the company) is within their (or their allies') jurisdiction. You could incorporate your company on the planet Mars, but if the connecting server is located in Germany then those connecting through that server are subject to German laws ... as is that server's admin.

    I'm quite prepared to believe it is technically difficult to identify someone on a multiplexed VPN stream, but the technical difficulty is not in question ... it's the legal and jurisdictional issues that concern me. Connecting to a server in an uncooperative jurisdiction is the most legal resistance I can offer to my assailants. Adding the complexity of multiple hops to that equation certainly won't do any harm, but it's of little use if it can be circumvented with the law, utilising the cooperation of multiple friendly jurisdictions. Yes it's difficult, but getting cooperation from Iran, or other "unfriendly" jurisdictions, is much more so.

    As someone with experience living and working in the Middle-East, I can tell you that these "censorship" issues are greatly overrated, unless one is an aficionado of pornography. Regardless, I'd rather endure a little censorship than the blatant violation of my privacy for specific agendas relating to such things as "Intellectual Property", for example.

    Let them. You seem to be missing the point that it isn't the action that matters, it's the motive, and the power to act on that motive. Tell me, what exactly could the Iranians do to me thousands of miles away? What would be their motive for taking that action? Who exactly would they share their findings with? Somehow I really don't think the Iranians would care that I was merely trying to evade Western surveillance, in fact I think they'd be quite sympathetic to my cause.

    So if the Iranians want to "spy" on me, then let them. I really don't care. Having some foreign "unfriendly" country spy on me, for reasons completely unrelated to the West's various insidious agendas, means nothing to me. It might matter if I was working for my own government's intelligence services, but as a private citizen who only wishes to protect my privacy from my own government, it's of zero interest to me what (if anything) these "unfriendly" countries see of my online activity.

    I'm too busy dealing with the problems in my own culture, to worry about judging another on the basis of something that is irrelevant to the actual predicament. Somehow I don't think I'm going to be stoned to death for bigamy any time soon. I'm sure the Iranians find some of our practises equally immoral. So which of these cultures has the moral high-ground? Neither, AFAICT. And how is this relevant to the problem at hand?

    If it is a "honeypot", then at least it's one that's unlikely to fall into the wrong hands, or at least an order of magnitude less likely than one located in the West.
     
    Last edited: Sep 7, 2008
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Excellent responses. Let's get busy:

    I see where the confusion is. Let me clarify it... Who is the administrator of the server? Where is the administrator located? For xb, the administrator is Xero Networks AG, the administrator is not located in Germany. The multiplexing is enough to obfuscate from external analysis by non-intelligence agencies. There's nobody in Germany, or subject to Germany's jurisdiction, to perform rubberhose decryption on.

    When it comes down to it, the corp needs to be willing to have integrity and say "no", no matter what or whom is attempting to compel. Because most corps exist for the purpose of staying in business and producing profit, I could see how that is a problem for them.

    I suppose that depends on if your traffic sensitivity is limited geopolitically. I don't like anyone spying on my traffic, but I would really detest having my traffic analyzed by a totalitarian gov more than a republic, their aims are very different. Further, your risk in a honeypot isn't just passive logging, it's also stream injection, which a republic's ISP won't typically be allowed to do without massive blowback. When there isn't a relatively free press, all kinds of evil practices can go on with that internet traffic. For example, it has been discovered that some Chinese ISPs are doing traffic injection of malware to track people and perform additional investigations. That isn't very likely in a republic.
     
  5. [H]omer

    [H]omer Registered Member

    Joined:
    Nov 21, 2005
    Posts:
    36
    OK, I see your point now.

    If the server is in a datacenter in Amsterdam, but the server administrator is in China, and only he has root access, then even if the Dutch police raid the datacenter, they'll have no root access to the server, regardless of whatever legal powers they possess, and thus will be forced to use only external monitoring, which is insufficient to determine individual IP routes from a multiplexed stream using real-time analysis.

    However, from January next year you (the company) will be compelled by European law to perform logging on those servers, and the datacenter will have to ensure compliance from all its customers (you), or refuse you any service. Indeed it seems places like the UK are set to make out-of-band logging mandatory, and if this becomes commonplace across the rest of the EU then investigators won't even need root access to the servers. I don't track similar changes to the law in the US, but with initiatives like ACTA it seems like all MLAT jurisdictions will eventually be similarly compromised. In the mid to long term, I think avoiding such jurisdictions is inevitable. It'd certainly make me feel a lot happier.

    But in a privacy and civil-rights sense, the governments of the West are becoming increasingly totalitarian:

    On the exclusively Linux systems that I use, that's a minimal risk, especially with SELinux MAC context enforcement which inhibits even root access if it breaks policy (not that I'd ever run OpenVPN as root).

    Of course absolutely any system on the Internet could be a honeypot, in Iran or otherwise. I have no way of knowing, or even continuing to guarantee that any previously trusted system is still trustworthy. Like I said earlier in the thread, it's a question of who I trust more, my own country or some foreign power that's unfriendly to my government. Increasingly I find it's the latter, especially as any supposed "honeypot" in an unfriendly country would be unlikely to forward their findings to an MLAT jurisdiction. It's more likely they'd just be motivated by curiosity or paranoia. Let them look, I don't care. I've still accomplished my goal of thwarting my assailants' efforts.

    Countries like China and Iran certainly have agendas that don't align with my own, but AFAICT neither China's communism nor Iran's fundamentalist religious doctrine have any bearing on my privacy, nor even my civil rights as they pertain to the country I live in. If those countries, for all their extremist ideologies, can assist me to escape my own country's unique brand of totalitarian extremism, then I trust them to provide that specific service far more than I trust my own country to uphold my rights, since those countries have agendas that are irrelevant to that specific goal.

    You haven't been paying close enough attention to political developments in the West. This is not conspiracy theory. The legal frameworks and policies for a complete reversal of democracy are already in place.
     
    Last edited: Sep 7, 2008
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    100% Exact.

    Now you're getting it. Here's the next part: With each connection, we can pick a multi-hop circuit that breaks the logging trail. If the Netherlands logs, we use an entry node that doesn't, and even if they secretly do we already multiplex the traffic. So even if the Netherlands logs, the outgoing traffic only gets reversed into multiplexed encrypted streams that can't be demuxed except by an intelligence agency monitoring the entry nodes as well as the exits. At that point, you've automatically elevated the effort required by the attacker to a point outside of the threat model: if you are less than an intelligence agency, you have no chance against us. Thus the burden of xb is met.

    Couldn't agree more. However, I think of it kind of like I think of expatriation: If you leave, you're giving up and your lack of a presence makes totalitarianism that much easier to attain. The end result of that is people will hop to cooler spots until the whole world is hot with totalitarianism. You keep your traffic and the world safer by digging into a foxhole. I would hate to think my traffic is safest under the sword of sharia law.

    Having a system in place, and using it are two different things. Although admittedly one typically follows the other. The trick, for us, is to know when to take our hand off the burner. It is our job to know when what tools and laws and methods are being used. That's what allows us to still operate where we do. We know the DCs. We know the govs. We know their MO and how they deal with enacted laws.
     
  7. [H]omer

    [H]omer Registered Member

    Joined:
    Nov 21, 2005
    Posts:
    36
    Which pretty soon won't be any MLAT jurisdiction.

    Which in MLAT jurisdictions will be possible, if difficult.

    Basically it still sounds to me as if there's no way to avoid being compromised unless at least one hop is outside MLAT jurisdictions. Again, the difficulty is not in question.

    Well I'm only "leaving" in the sense that I'm circumventing surveillance. I'm still a citizen with voting rights, and the power to speak out against injustice ... whatever little good that may do me in a totalitarian regime, since the will of the people seems to mean very little to Western politicians these days. I can't believe that the majority would actually have voted for RIPA; ACTA; The Patriot Act; the DMCA; or Software Patents, for example, had they actually been given any say in the matter. The fact is that my "powers" are no more effective in my own country than they would be if I emigrated elsewhere. I'm not leaving, but I might just as well, since AFAICT nothing short of revolution can turn back the tide of totalitarianism in the West now.

    It's a nice sentiment, but that foxhole won't do you any good against the approaching tanks. There's only two solutions - run or fight, and AFAICT the ordinary citizens of the West have no ammunition left to fight with (politically speaking). We can either keep running or take to the streets. Eventually the latter may actually happen, but until mainstream support for dissidence grows sufficiently to make that viable, I guess I'll have to keep running. I don't plan on being an army of one. I'll just continue being a "surveillance fugitive" until the system finally claims another martyr.

    Is it any safer under the sword of Bush?

    It's coming.
     
  8. scrty001

    scrty001 Registered Member

    Joined:
    Aug 15, 2008
    Posts:
    82
    I have xerobank as well and I was wanting to know if it would be possible to change my IP address. Xerobank normally gives you a Canada or Netherlands IP so if you use the method you're using, you can change that Canada or Netherlands IP? So, if you go to check your IP it will display one of those PP IPs?

    Is there any advantage to anonymity with this method? Or is it just to change your IP?


    Thanks
     
  9. Geko21

    Geko21 Registered Member

    Joined:
    Sep 9, 2008
    Posts:
    1
    Steve, I will ask a question fully realizing that it is not possible for you to give an affirmative answer, but I would nevertheless appreciate some bit of honesty here. Has your company ever been in a difficult situation regarding authorities - i.e. have you been forced to assist in a government investigation against a customer of yours?
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No investigation yet has ever compromised the identity of a xerobank customer.
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I am not too sure about anything except that I can tunnel through the VPN and, from what I understand, it goes through Xerobank and then on to the tunneler server, and then out from there. As far as it being any more or less secure, I don't know. But it seems like it should be okay. I don't think I'll be using it that often, but it is fun to use here and there. I get a kick out of it, anyway.
     