Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Re: Big Changes With Torpark (Torrify)

    Hopefully, you'll continue this conversation when possible. Picked up a few concepts.
    Thank you for coming here and clearing things up. Your honesty and attitude were noted too. :thumb:
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Torrify Plus Demo Accounts

    Torrify Plus demo accounts are now available.

    We are releasing 3-day demo accounts on the Torrify Plus service. We are just finishing up the automated system to dispense these accounts, but in the meantime we will manually set up the accounts for the first 250 who request them. When the automated system is set up, the remaining requesters on this email list will be able to get accounts by that method. As we expect to be flooded with requests, we will fill them as fast as possible, but keep in mind we are doing it by hand which takes us 15 minutes for each user. In order to curb abuse through demo accounts, the accounts have disabled access to https and smtp, and they do not include the IMAP email storage.

    Please let us know what you think!

    Thanks for waiting so patiently.

    Kind Regards,

    Steve Topletz
    Torrify Admin

    IN ORDER TO GET YOUR FREE TORRIFY PLUS ACCOUNT:

    1. Send an email to steve.topletz@torrify.com requesting the plus account, reference code #TPPROMO in the
    subject, and specify an email address to where you can receive large files sent (12MB).

    2. Wait to receive an email from us specifying your access method to the account.

    3. Surf and Enjoy
     
  3. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Re: Big Changes With Torpark (Torrify)

    Got it and installed as per instruction in your email.
    It works fine, much, much faster than Torpark on my USB stick.
    I rapidly changed the theme back to Firefox(default) ;)
    That's far more comfortable.
    Cheers,

    Gerard
     
  4. pifxxx

    pifxxx Registered Member

    Joined:
    Mar 16, 2007
    Posts:
    17
    Re: Big Changes With Torpark (Torrify)

    Is there any way for an ISP to block the service? o_O
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I have noticed that Torrify is now XeroBank and has a new website up ( www.xerobank.com ). Their Pro service is a Tor enabled VPN which comes with: "...customized version of XeroBank Machine virtual operating system."

    Looks very interesting and I am going to be signing up for this or something very similar soon (especially now that I am going to be using AT&T DSL :p), so I would greatly appreciate user feedback.

    Edit: I just noticed you can only use a money order when ordering 12 months of their Pro service and on top of that: " There will be a surcharge of 18% if you pay with a money order."
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    DEMO ACCOUNTS NOW AVAILABLE

    Here is the update we sent out. Demo accounts are now available for free, and fully automated. Enjoy!

     
  7. hikuela

    hikuela Registered Member

    Joined:
    Jun 4, 2007
    Posts:
    9
    Re: Big Changes With Torpark (Torrify)

    I've been a fan of Torrify for a while now, used a demo account for a couple of months, and was very happy with the concept, I'd gladly have become a paying customer.

    Not at all pleased with the way things have changed.

    JavaScript: www.xerobank.com requires JavaScript to work, all my secure browsing has javascript disabled, even the Torrify Plus demo account I'm using has JavaScript disabled by default. The Xerobank order form is horribly bugged without Javascript, and the site navigation dropdown menu is flawed.

    Forum: the Torrify forum (now a 404 error) was a great place, it was low traffic, but it really showed that Torrify was a trustworthy product, people significantly more paranoid than me asked good questions (which were answered to their satisfaction), knowing that a privacy software has been judged worthy by people more paranoid than me meant I didn't need to start analysing packets myself. It gave a feeling that Steve Topletz really cared about privacy.

    A website where users can't see questions other users are asking makes me a bit paranoid (eg. someone pointed out that Germany is bringing in data retention laws by the end of the year, the Torrify Demo SSH server is in Germany, I only know this because someone more paranoid than me used the Torrify forums, and his question was public).

    A forum is even more important for a commercial operation, using the Torrify Plus Demo (listed speed of 200-500kb/s) I was getting very good browsing speeds (490+kb/s), and could connect anytime. If Xerobank doesn't have a forum how do potential customers know that they are not handing their bank details over to a company which ignores customer questions and provides a frequently unavailable 200kb/s connection.

    Money Order: can't get them in Britain, we have Postal Orders only available in Pounds Sterling (I presume US Money Orders are unavailable everywhere outside the US), on the forum it was stated that they'd accept cash through snailmail. US Dollars can be obtained anonymously just about anywhere in the world, and registered mail is fairly cheap. Maybe I'm too paranoid, but I don't want to use my credit card for privacy related things, besides, all my privacy stuff goes firstly through Relakks, adding an extra layer of hassle to Big Brother, creating a link between my real-world bank account and XeroBank would be a backwards step for me.

    Anon Creditcards: not Torrify's fault, but the anon CC recommended by Torrify has a 404 error on the Fee Schedule when buying a CC with cash/snailmail. Again, not Torrify's fault, but I feel uneasy sending cash to a company with 404's, which makes it even more important that XeroBank accepts easily available anonymous payment.

    Free version: I can understand the views that some people on this forum have expressed about someone trying to make money from donated bandwidth, but the free version of TorPark (stand-alone Firefox with embedded Tor) was an amazing thing. I've installed it on a few of my friends' PCs, it was completely non-geek friendly. While a free user-friendly Tor browser isn't relevant to "Xerobank the company", it really made "Steve Topletz's privacy website" something I'd trust (with my privacy and cash). The original TorPark website was purely for the free (and only) version of TorPark, then the site was primarily promoting the free version, with faster non-free versions (coming soon). Both were fine, the site still looked like it was a privacy website first, and a commercial site second.

    The current Xerobank site looks very much like a commercial site, no mention of a free option on the main page, and the browser page is split into a left and right section, the left "Get It Now" asks for money, and right has "Free 3-day demo accounts!" in bold, implying the free version is only a demo. My first impression was that they'd stopped the free version entirely, until I read the writing on the image.

    It may seem petty, but it's clearly a shift of emphasis from wanting to promote privacy, and make money on the side, to making money as a primary goal. Not that there is anything normally wrong with that, but when it comes to privacy, I'd rather trust it to someone who has privacy as a primary concern.

    Long term accounts: monitoring accounts which haven't expired has already been raised earlier on in this thread, but I'm not overly pleased with the answer. With Relakks I pay an extra 1 euro/month for the benefit of not having a long term trackable account, I'd be willing to pay a slight premium for the same service (although I don't actually know your fees, since I can't see them without JavaScript), but for any privacy related product I'd not feel comfortable having a long-term account.

    Nameless/faceless corporation: maybe it's just me, but if I'd not previously known about Torrify I'd think the Xerobank website was somewhere between a scam and a corporation trying to make money from the paranoid, poor contact page, no forum, looks too commercial. It's hard to believe Xerobank is run by a member of Hacktivismo, a group I have immense respect for, the site seems too dodgy.

    Overall: if Xerobank allows cash accounts through snailmail I'd probably give the VPN service a try for a month, but considering for the past few months I've been eagerly awaiting the Torrify VPN this is a major letdown.
     
  8. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Re: Big Changes With Torpark (Torrify)

    Hello hikuela, If you will look at this thread, you will see I also have serious questions for Steve and the bunch at Torrify (now XeroBank).....
    https://www.wilderssecurity.com/showthread.php?t=176606

    Genady
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Big Changes With Torpark (Torrify)

    Yeah, this was mentioned to me by Roger Dingledine of the Tor Project. While AJAX is pretty, most people are scared of JavaScript because with current designs it can harm anonymity. I'll speak with our programmers about a different solution. What technologies would you be willing to use? How about faxing or emailing in an order as well? Tell me how I can make you happy, I'm sure you're not the only one with such concerns.

    I care like crazy! :) Okay, I've gotten 10 comments, out of 2000 users, so far from people who want the forum back. I tell you that was seriously time consuming because 90% of the questions were the same thing, and people didn't bother to search if others had asked their questions prior. BUT! You're right. It adds a level of transparency and interactivity. What we have done is switch to an interactive wiki and ticket system. And we are adding FAQs, manuals, and video tutorials. I would love to take time to sit down with each person and talk with them about anonymity and torpark and whatnot, but we have a few million users and thousands of registered user members on the forum so I don't have enough Steve to spread around to everyone, equally.

    We have contingency plans. We don't want to mention them to the German government because then they could plan and legislate around them. But suffice to say, if the legislation goes through, we will switch to our different methods and publicly announce it for as long as it will last. It is an issue of strategy.

    Hmmm. This begs the question is it our purpose to provide a public feedback arena as well as listen to public concerns? Is that not what Wilders Security Forums does? It would be hard to trust XeroBank's forums, because in theory we could just delete posts that spoke ill of us like privacy.li does. If I was in the customer's position, I would want a forum that was on neutral territory. I would like to know how many others feel that way or feel differently. Please let me know.

    Let me see if we can do Postal Orders. Fear not, we will be adding more payment methods. The site isn't nearly close to complete, it is merely online and functional. I think we are also going to be adding Pecunix, and if e-gold gets well we will add e-gold and 1mdc. I would also like to add Loom and eCache. All of these are API interface issues we need to address.

    You see, on normal payment systems, you just have the payment processor and you get the signal from them that the item is paid for. Ours is complex. It anonymizes the transaction from us so we don't know who owns an account. Instead of an account holder being the identity of the account, we use disposable one-way transaction IDs that get secure hashes generated from them. This makes it mathematically very difficult to reverse a transaction. While this is so much better for our client's anonymity, it is difficult to program around. So each new payment we add is less than easy. But rest assured, we are working on it. What you see now is not even close to the final incarnation of XeroBank.

    Didn't we get rid of that?

    Now this is a thing a lot of people get mixed up on. XeroBank is not charging for other people's donated bandwidth. When you pay for XeroBank service, you get access to the private high-speed XeroBank network. It no longer uses the Tor network when you go to the paid version. The free version is just that, free all the way around.

    You totally got it. Torpark was never started as a commercial venture. It was only after I got 30,000 complaints of "Man, this is so slow. Is there anything we can do to speed it up??" And you know, it dawned on me and I thought "Yeah, there is. We can build it bigger, better, stronger, and faster. We have the technology!" and so we did. The rest is about to become ancient history.

    Let's go over that. Now on the main page, you want to see a free xB Browser download? We have the "free demo" on the Plus written. And we still of course offer Torpark (XeroBank Browser) straight up. Nothing is written in stone yet on site design. So do please comment more. It is the customer's opinion I care about most, not that of my fellow programmers. To hear them tell it, the best website designs are some tables and pages full of text with no images!

    Let me ponder that for a while.

    I don't understand. Monitoring accounts? Are you saying you want a monthly account payment option? The issue of account term is due to scammers. With most anonymity services, >50% of the clients use fraudulent payment to steal services. If you increase the payment outlay, you get less fraud/abuse, which makes the service viable. If you decrease your payment period, the cost of account goes through the roof because people are much more likely to abuse. Now if you are saying you want to pay a premium and have a monthly account, we can take that up with the board of advisors for XeroBank. I don't think that is unreasonable or out of the question, but then again the premium it costs to make it possible may be!

    Sorry for that. I've been programming day and night on XeroBank Browser and not dedicating as much time to the website. We added a contact page, and the customer support system is up and running but we haven't written a public front end for it. We will also have a live chat option!

    Cash through the mail? Possibly. We are working on finding a bonded agent who can accept such payments on our behalf, but they have a large fee that the end user would have to pay because the expense is so high for them to open letter, cash checks, make deposits, send over transaction IDs, xB audit their work, show proof they aren't stealing the checks, etc. It isn't that it is impossible, we just have to find a way to make it economically viable for you. For example, the money order surcharge is something like 18%, which is exactly what it costs us. Is that something you can live with, when paying cash?

    <3 <3 <3 to you for paying such close attention!

    Best Regards,
    Steve Topletz
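
The disposable transaction ID design described in the post above, sketched as an added example (not XeroBank's code; the class names, the choice of SHA-256 and the redeem flow are assumptions, since the thread gives no implementation details). It also shows two limits of any such scheme: the hash only protects IDs that cannot be guessed, and joining the processor's ledger with the service's records re-links accounts to payers, which is the multi-party court-order case the privacy guarantee quoted later in the thread talks about.

```python
import hashlib
import secrets


class PaymentProcessor:
    """Third party that takes the money. Knows payer <-> transaction ID only."""

    def __init__(self):
        self._ledger = {}  # transaction ID -> payer identity

    def take_payment(self, payer, txid=None):
        # Disposable, unguessable ID: 128 bits from the OS CSPRNG.
        # txid may be forced only to demonstrate the weak, guessable case.
        txid = txid or secrets.token_hex(16)
        self._ledger[txid] = payer
        return txid

    def is_paid(self, txid):
        return txid in self._ledger

    def ledger(self):
        return dict(self._ledger)


class AnonymityService:
    """Service side. Persists only SHA-256(txid), never the txid or the payer."""

    def __init__(self, processor):
        self._processor = processor
        self._accounts = {}  # hex digest -> account state

    @staticmethod
    def account_key(txid):
        return hashlib.sha256(txid.encode("utf-8")).hexdigest()

    def redeem(self, txid):
        if not self._processor.is_paid(txid):
            raise ValueError("unknown or unpaid transaction ID")
        key = self.account_key(txid)
        if key in self._accounts:
            raise ValueError("transaction ID already redeemed")
        self._accounts[key] = {"active": True}
        return key  # the txid itself is not stored anywhere on this side

    def stored_records(self):
        return dict(self._accounts)


def recover_txid_by_enumeration(account_key, candidates):
    """Check whether a stored key matches any ID from a guessable ID space.

    A one-way hash gives no protection when the input space is small
    (sequential order numbers, short codes): every candidate can be hashed.
    """
    for candidate in candidates:
        if AnonymityService.account_key(candidate) == account_key:
            return candidate
    return None


def link_accounts_to_payers(service_records, processor_ledger):
    """Join BOTH parties' data: account key -> payer.

    Neither side can do this alone; together the mapping is trivial.
    """
    linked = {}
    for txid, payer in processor_ledger.items():
        key = AnonymityService.account_key(txid)
        if key in service_records:
            linked[key] = payer
    return linked


if __name__ == "__main__":
    processor = PaymentProcessor()
    service = AnonymityService(processor)

    # Constructed sample payers, not real data.
    good = service.redeem(processor.take_payment("alice@example.invalid"))
    weak = service.redeem(processor.take_payment("bob@example.invalid", txid="000042"))

    guesses = [f"{n:06d}" for n in range(1000)]
    print("service stores:", list(service.stored_records()))
    print("random ID recovered:", recover_txid_by_enumeration(good, guesses))
    print("sequential ID recovered:", recover_txid_by_enumeration(weak, guesses))
    print("joined records:", link_accounts_to_payers(service.stored_records(), processor.ledger()))
```
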
     
  10. hikuela

    hikuela Registered Member

    Joined:
    Jun 4, 2007
    Posts:
    9
    Re: Big Changes With Torpark (Torrify)

    I wouldn't really trust any client side code (JavaScript / Java / ActiveX / etc), anything fancy would need to be done serverside (php / perl / asp / etc). Having extra features for those willing to enable client side stuff is fine (like this forum, I can't click smilies to add them to a reply, and changing fonts is a bit of a chore, but the site is still 100% usable).

    Faxing / emailing orders, unless the email is with hushmail / PGP I'd think it'd be less secure than submitting my bank details directly to your website. I'll go into more detail in the money bit in a few paragraphs.

    You raise a very good point, I shouldn't really trust the official forums of anything, probably a bad habit I've picked up from too much gaming (checking the support forum for any game gives a quick and fairly accurate indication on whether it's worth getting). Still, it was the official forums which made me trust Steve Topletz, but I do understand they can take more time than you have available.


    With Relakks there is a 20% charge (5 Euro/month, +1 Euro for 1 month accounts), that's with a creditcard though, last time I checked FindNot had no charge for cash, but required a minimum 12 months for cash accounts (which is the main reason I haven't tried them).

    I still don't know your fees, but 18% extra for cash doesn't seem too bad, (assuming the google cache fees from your old site are roughly correct) $10 for Plus is a good deal, $35 for VPN seems a bit pricey, but that's probably because it's much higher speed than I need.

    I think this is more my problem than yours, I've been using TorPark for months, have visited your forums plenty of times, but always through a VPN, there is nothing in my real life / real bank statements which would make me look like a privacy freak. Likewise even if your privacy website is monitored by a TLA there is nothing to link it to me. I've no real reason to need 2 steps of privacy (Relakks + TorPark), but it's just something I've always done, and I'm willing to pay a few extra dollars / month to keep it that way.

    However, I still think there'd be more than just me wanting a way to anonymously pay you, so if a cash/snailmail system would cause you problems have a link to an anonymous credit card payable with cash, or an e-gold clone fundable by cash.

    This leads me to my next question, I'll understand if you don't answer for legal / litigious reasons, but why did you get rid of www.unlinq.com? I'm looking at the site again, and the fees look very reasonable (basically 10%), although it does seem to have some odd restrictions.

    The 404 errors put me off their site, but I think I might give them a try anyway, more out of desperation than any other reason (the e-gold clones I've looked at want my real world address).

    It really pleases me to read that, but the current site really doesn't give that vibe.

    I should say that I also have a geek background, hardly an artist one, but I thought your old design was good (google cache). Certainly the design was clear enough that I didn't see any complaints about it when you got mentioned on the mainstream sites.

    I'd ditch the initial home page, copy the cached page, but with Xerobank free on the left, Xerobank Plus in the middle, and Premium on the right. Related products (crypto notebooks / credit cards / etc), as text links on the middle-right.

    With the usual text below each of the XeroBank options, but making it clear that xB basic is free, with the "Free Demo" mentioned under the Plus (and/or Premium).

    To be honest though, I think any design would do, as long as the first thing folk see is a zero-hassle free option then I'd assume you'd still get mentioned favorably on www.bbc.co.uk / slashdot / other high traffic sites.

    When the Xerobank browser boots up have a splash screen something like the one attached below.

    Maybe include a link in the bookmarks too.

    I don't have a marketing background, so what follows is my best guess:

    Guy reads his 50th privacy horror story on Digg / Slashdot / etc, and decides to look into the whole privacy thing. As long as xerobank is the easiest privacy solution and the website looks primarily non-commercial the answer to just about every privacy question asked on Digg / Slashdot would be www.xerobank.com.

    Guy would try "XeroBank Free" for a couple of weeks, get sick of the slow speed, by then he'd have seen the "Xerobank also offers high speed anonymous access" message a dozen times, and decide to check it out.

    Again, I'm not from a marketing background, but that's how I'd guess it would work.



    and <3 <3 <3 to you for bringing easy to use privacy to the masses.
     


  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Big Changes With Torpark (Torrify)

    What about... a mail webform? or html based wizard?

    Well what if we did non-credit card payment methods with mail forms. They could only be paid by WU, money order, and gold?

    I won't turn away trust. That is a compelling argument itself.

    Okay. Let me run that by the board.

    You're the customer. I think we can do that.

    What an easy question! Contact me off list and I can explain further.


    Although it was pretty web 2.0, and I did the design on that and loved it, it didn't mesh with our branding strategy. Again, I can answer further off list.

    Cute.

    We will be adding many useful links. But writing the new browser took some time, so now I'm going to direct our programming team towards some other issues, including some of your suggestions.

    Shhh! Don't give away our strategy! ;)
     
  12. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Re: Big Changes With Torpark (Torrify)

    That's my first message here, I must say it's an honor to talk with the creator of this wonderful software called Torpark, which keeps my dream of privacy alive. But I have a lot of things to say, which are driving me crazy, since the last days/weeks.

    First, I agree it's a better idea to have that old forum. Some questions answered there cannot be placed only on some sort of FAQ.

    I hope you can understand my concern and read this whole message.

    I was looking at the new XeroBank site and the old Torrify from Google cached pages, and here are both Privacy Guarantees. They are a bit different from each other, and I will show you the differences, and explain my question, and point of view.

    This is Google's cache of http://www.torrify.com/privacy.html as retrieved on 18 May 2007 09:01:22 GMT.

    User Privacy Guarantee

    Torrify pledges to strenuously resist any attempts, legal or otherwise, to compromise our users' privacy; and, if not legally constrained, we will notify our users if such attempts are made. Torrify engages in best-practices in order to protect its users. Torrify and its operating associates will not under any circumstance willfully expose user data to anyone external to Torrify and its operating associates. Torrify operating associates are our payment processors, security auditors, and systems administrators.

    Data Security and Requests from Authorities

    Torrify has built its system to have customer account data separated and encrypted on multiple servers in multiple countries so no single party can compromise a user and their data.

    Subsequently, Torrify does not have any user data to share with network providers, legal authorities, or law enforcement of any jurisdiction. In the case that such authorities can validate claims of violation of Torrify terms of service, we will attempt to terminate the user account the abuse originated from.

    However, if Torrify discovers that accounts are used for Denial of Service attacks, we will all attempt to work together to bring abusers to justice. This is not a service to mask abusive or threatening actions, thieves and criminals beware.

    Security Audits

    Torrify employs independent security auditors to randomly examine our networks, hosts, and procedures to ensure that neither Torrify administrators or anyone else could be monitoring customer usage.

    Logging

    Torrify does not log user activities or IP addresses, but may capture non-sensitive statistical data used only to analyze network performance or locate problems.

    This data may be used to generate public traffic reports on Torrify network health. Under the extremely unlikely situation that Torrify is presented with court orders, to all involved Torrify associates in their respective jurisdictions, by multijurisdictional authorities, and if the account has not expired by then, Torrify may be legally compelled to attempt to monitor that specific user's account but no others. No "fishing expeditions" will be allowed under any circumstance.

    Offshore Servers

    Torrify servers are located in datacenters in multiple jurisdictions. Servers that are used to pass anonymized user traffic may be securely hosted from any country, because they do not contain sensitive information, and will cease to function if tampered with. Servers holding potentially sensitive information such as user settings and customer data are distributed, secured, hidden, and will never be stored in the USA or UK.

    Now,

    Secrecy - XeroBank - current Privacy Guarantee

    XeroBank Client Secrecy

    Privacy is the prerequisite of intellect, identity, and development. XeroBank's most valuable asset is the trust of our clients. We believe that privacy in communications, commerce, and information is the fundamental sovereign right of individuals and entities that enable them to live self-determined lives.

    XeroBank pledges to strenuously resist any attempts, legal or otherwise, to compromise our clients' privacy; and, if not legally constrained, we will notify our clients if such attempts are made. XeroBank engages in best-practices in order to protect its clients. XeroBank and its operating associates will not under any circumstance willfully expose client data to anyone external to XeroBank and its operating associates. XeroBank operating associates are our payment processors, security auditors, and systems administrators.

    Disclosure to Third Parties

    XeroBank does not forward, sell, rent, loan, trade, or lease any personal information collected at our web site or via use of XeroBank products and services, including email lists, to any third party. XeroBank payment systems are outsourced in an effort to maintain client privacy. Billing information will never be stored by XeroBank, as we use third-party billing processors. Third party payment processors use transaction IDs to associate account payments, so XeroBank does not know who owns an account, only that it has been paid for. Further, XeroBank has a contractual agreement with its 3rd party processor(s) to not disclose the payment data and associated transaction IDs to anyone, including XeroBank.

    Requests from Authorities

    XeroBank has built its privacy networks to have client account data separated, segregated, and encrypted on multiple servers in multiple countries so no single party can compromise a client and their data. Most internal account transaction details are not mathematically reversible due to one-way operations. Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction.

    In the case that such authorities can validate claims of violation of XeroBank's Terms of Service, we will attempt to terminate the client account the abuse originated from. If XeroBank is served with court orders of all appropriate jurisdictions for all specific servers, we may be forced to attempt to trace live data connections.

    A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances. Violation of XeroBank's Terms of Service invalidates the Client Secrecy Guarantee. XeroBank will not actively aid or protect criminals. If fraud or hacking is detected within XeroBank's networks, we will proactively notify and cooperate with authorities to track and identify the criminals involved. XeroBank is not a service to mask abusive or threatening actions; thieves and criminals beware.

    Security Audits

    XeroBank employs independent security auditors to randomly examine our networks, hosts, and procedures to ensure that neither XeroBank administrators or anyone else could be monitoring client usage.

    Logging

    XeroBank does not log client activities or IP addresses unless required by law, but may capture non-sensitive statistical data used only to analyze network performance or locate problems. This data may be used to generate public traffic reports on XeroBank network health. Under the extremely unlikely situation that XeroBank is presented with court orders, to all involved XeroBank associates in their respective jurisdictions, by multijurisdictional authorities, and if the account has not expired by then, XeroBank may be legally compelled to attempt to monitor that specific client's account but no others. No "fishing expeditions" will be allowed under any circumstances.

    Offshore Servers

    XeroBank servers are located in datacenters in multiple jurisdictions. Servers that are used to pass anonymized client traffic may be securely hosted from any country, because they do not contain sensitive information, and will cease to function if tampered with. Servers holding potentially sensitive information such as client settings and data are encrypted and secured against compromise by theft.

    THE DIFFERENCES:

    First, the new privacy guarantee adds this new information, when compared to the old one:

    If XeroBank is served with court orders of all appropriate jurisdictions for all specific servers, we may be forced to attempt to trace live data connections.

    I need your help here, because English is not my native language so I can't understand what you're trying to say with "live data connections". First you were saying "Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction."

    What's the difference here?

    Now, look at this old old text:

    However, if Torrify discovers that accounts are used for Denial of Service attacks, we will all attempt to work together to bring abusers to justice. This is not a service to mask abusive or threatening actions, thieves and criminals beware.

    The current one:

    "A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances."

    Please Steve, never underestimate the power of these organizations. Have you ever heard of Pirate Bay?

    Violation of XeroBank's Terms of Service invalidates the Client Secrecy Guarantee. XeroBank will not actively aid or protect criminals. If fraud or hacking is detected within XeroBank's networks, we will proactively notify and cooperate with authorities to track and identify the criminals involved. XeroBank is not a service to mask abusive or threatening actions; thieves and criminals beware.

    Look at the context - "Denial Service attacks will not be tolerated, and we will work together to bring abusers to justice".

    The next time, you clearly say this "we will proactively notify and cooperate with authorities to track and identify". That brings me to the next example:

    OLD TORRIFY:

    Torrify does not log user activities or IP addresses, but may capture non-sensitive statistical data used only to analyze network performance or locate problems. This data may be used to generate public traffic reports on Torrify network health. Under the extremely unlikely situation that Torrify is presented with court orders, to all involved Torrify associates in their respective jurisdictions, by multijurisdictional authorities, and if the account has not expired by then, Torrify may be legally compelled to attempt to monitor that specific user's account but no others. No "fishing expeditions" will be allowed under any circumstance.

    NEW XEROBANK:

    XeroBank does not log client activities or IP addresses unless required by law, but may capture non-sensitive statistical data used only to analyze network performance or locate problems.

    This data may be used to generate public traffic reports on XeroBank network health. Under the extremely unlikely situation that XeroBank is presented with court orders, to all involved XeroBank associates in their respective jurisdictions, by multijurisdictional authorities, and if the account has not expired by then, XeroBank may be legally compelled to attempt to monitor that specific client's account but no others. No "fishing expeditions" will be allowed under any circumstances.


    Unless required by law? That's stunning. Now, call me crazy or paranoid.

    Please, Steve, you're giving up, man. I can see that. In my opinion, all data stored by your organization regarding the users should be permanently deleted from existence. I am not on the side of thieves and criminals who commit crimes of fraud, hacking or something. On the other side, I will never trust any justice, from my country or any other.

    Proofs can be faked, judges can be bought and people can be convicted and have their rights destroyed. Tomorrow, and I pray to God this day never comes, something bad can happen and software like Torpark can be forbidden. What do you know?

    I know you must be thinking, this guy is a lunatic. You're wrong. My country is a good example of intolerance. The Federal Constitution here (and I assume the rest of the world is the same) allows our freedom to say whatever we think, but on the other hand, anonymous thoughts are forbidden. There is a new project for a data retention law, and all ISPs will be ordered to provide information about our activities on the internet.

    Several people are being sued by famous artists because they are using ORKUT to talk about them, using their right and freedom to speak what they think, which doesn't make anyone a criminal. I don't care what people think about me. They are allowed to say "you're an idiot". Someone can disagree with my opinion, but I shall fight until my death to defend their right to have an opinion.

    And ORKUT is being ordered to hand over all IPs of owners and users. Imagine if everyone was using Torpark since the beginning (like me). You will be forced to reveal this information, sooner or later.

    The same problem applies to copyright laws, which are dated in these days when everyone can use P2P to download movies, games and other content, instead of spending a lot of money on portable media (music can be found on iTunes for example; DVDs and games, I don't think so).

    So, the actions of RIAA and other companies are very much a threat to our privacy and will not prevail, because some people are traced wrongly (some old lady who has never seen a computer, or a young kid of 10 years old). But, if we are talking about a corporation like Warner, Paramount, and others, do you really think they can't sue people who are using Torpark to share this copyrighted content with others?

    Sorry Steve, you're my hero, but the idea that someone, for any reason at all, can trace people who are using Torpark is not very pleasant. Before you ask me, I am not above the law. What I am trying to explain is:

    The laws can be changed, like Rick Falkvinge was trying to do with Piratpartiet; they are against the invasion of privacy by these companies, and people who are not doing anything wrong but watching downloaded content are chased like animals.

    A famous artist from here was suing YouTube and the judge demanded that all ISPs in this country block its address, only because some other people were uploading a video where she was caught by a camera with her boyfriend (and the most stupid thing is, her face cannot be seen clearly in this video, and there is no sex at all, only insinuations of kisses, and this kind of video can be shown even to kids).

    After several protests from all over the country, the judge stepped back from his decision (and he was not wrong, his text was not understood; he was demanding that YouTube block the video, not that ISPs block YouTube). All ISPs stepped back in the same week.

    Now, imagine what damage a single person can do to an entire country, and people can't do anything against their ISPs because it's a decision which does not affect the internet service, speaking of consumer law. And if you ask me, the judges were not unanimous in demanding that YouTube remove this video from their site. 2 votes against 1.

    For the last time, I don't trust the justice, and I don't care about the laws. If I were in your place, instead of opening any kind of holes to destroy the privacy of innocent people, my choice would be to work to prevent these threats (and I am sure you are doing that somehow, don't get me wrong), whatever the cost, and never share any data, by all means, even if you have to move your home to the North Pole.
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Big Changes With Torpark (Torrify)

    All of the following is off the record, and Steve Topletz is just voicing his own opinions and possibly fantasies, and this entire post may or may not be a work of fiction, and does not necessarily represent the opinions or positions of XeroBank:

    Ah, and now that we got that formality out of the way...

    Uh oh! :) We are still revising. We are working on a couple different documents. The first is the privacy policy, which says what we do with your data and the tools you have. The second is the client secrecy guarantee which discusses how we deal with people who would like to compromise your privacy, legal or otherwise. We are currently playing with about 5 versions, but they are all incarnations of values we already hold. The wording is the only issue.


    What's the difference here?

    It means that there is the possibility for a court to get enough court orders from all the right jurisdictions, from which we would be legally compelled to work with them.

    Regarding the live data trace, that means that if under some remote circumstance that we were served all these court orders, we still could not identify the account holder (at least I don't think. We will have our auditors try to crack the system. For security reasons, I am segmented from having enough information to compromise the system.) Because of this, they may want to trace which account the data is coming from (your internet activity), and if so they would want to run a live trace through our system to find out who it is that is connected to our network. Highly unlikely, but I think it is important to say that it is possible, however remote.




    We have extensive experience with anonymity services. No such thing has happened yet, and our guys get police requests from datacenter all the time. It won't get them anywhere. Getting all the right servers at all the right data centers, then all the right keys to decrypt, and our captive participation... hope beyond hope. Again I'm not saying it isn't impossible, but it is very remote. I'm not out to criticize the PirateBay, but if they put all their servers in the same jurisdiction and datacenter, that is very very foolish.


    We are just moving to a stronger stance. The required by law bit is compliance. We can't just illegally operate and expect to stay in business by refusing court orders. Neither can any other anonymity service. The difference is we will say it, and we will talk with great candor about how we will act in such a circumstance. I like the idea of disclosure. Further, unlike the other guys, we will say "no" if the case isn't legitimate, and we will hand it off to our lawyers. Most people simply hope that their anonymity service will protect them, and the simple answer is they don't, and they turn over logs all the time. XeroBank is stepping up to bat, saying when you are a legitimate client of ours, you WILL be protected, and we have legal representation to answer court orders. The other guys just roll over and hope nobody finds out.

    And still, under no circumstance will we allow a fishing expedition. I stand by that 100%. It will not be allowed, not even if it is the stake of


    Regarding information that we store about our users: we don't. We don't store any information about them. We don't have it, we don't ask for it. We are anonymized by our 3rd party payment processors. And what links an account to a customer? A transaction ID. And when the account is paid for, the transaction ID is destroyed.

    First off, we won't play nice unless there is a legitimate issue going on. Then we have to verify it. We don't take it on their word of "trust us", because we don't. We need to see proof. And further, we need to see a court order if it is coming from some authority. We won't accept snoop and swoop, nor will it avail any agency that tries it.

    There are many countries where such technology is forbidden. We aren't that far off. But then again, you can't confuse the free browser with the XeroBank paid services. The browser is free, will always be free, and will use the Tor network for as long as it exists.

    We are very familiar with situations like this. Hacktivismo fights against such situations. Privacy is the foundation of intellect, the place where you can develop your self, your ideas, and your identity. If there is no privacy in your head, then intellect is fiat.


    Exactly. And that is what we will do. Off the record, as Steve Topletz the privacy guy, I also say "To the death." And I mean it.

    Nah. First off, good luck to the requesting authority. If they continue using the xB browser, they will be fine, paid or free version. Tor won't have the logs to give up, and neither would we. Even if we did somehow have logs, we would refuse their requests because they are illegitimate, and we would see them in court. I personally have no reservation on being held in contempt, and a lot of the XeroBank employees are very much "to the death" guys if it comes down to it.

    I don't expect it to come down to it in the near future, but if it ever does, we would be happy to show our colors. We would rather go out of business than violate our integrity.

    How will they find out who owns the XeroBank account? But it gets better. Those are requests from businesses. Those slide right off our backs, we tell them "hey, we are an anonymity service. Sorry. Can't disclose any info without a court order." They won't get anywhere. Further, they probably don't have any jurisdiction to order us to do anything. And really, the only people they can complain to are our upstream providers. And after a short while, they won't even be able to do that. We have a lot of strategy, no worries.

    Imagine what we can do when we say "NO". They can try to turn us off, but it won't work. We just reroute to different datacenters. But anyway, I wouldn't worry about P2P issues, etc. Those are just grumbles from upstream providers, and are normal everywhere now. You just deal with it with some nice words about how we are an anonymity service, and they typically move on. If they don't we have answers for that too.

    I agree. You have to be sovereign in your own mind. But what we have done isn't open any holes in the privacy curtain, but deftly dodged the spears. There are all sorts of strategy and tricks that we can't disclose due to plausible deniability. That is why XeroBank is incorporated in Nevis, all our servers are encrypted, all our data is distributed, our risk is scattered and segmented, we don't log, we don't monitor, we don't have user information to store, we are in multiple datacenters in multiple jurisdictions, and we have hot backup systems in place ready to move if some server gets seized. Our residency, effectively, is that we have a toe in country A, an elbow in country B, our ear in country C, etc. And you need the whole body to act together to do something like compromise a user's identity. Good luck making all our operational jurisdictions and agents work together if XeroBank doesn't want them to. And for those that are super paranoid, and we welcome, we suggest you pay in digital gold currencies and order by mail/email, etc. And we'll have that option shortly.

    Once again, none of these comments necessarily reflect the opinions of XeroBank, and may be the complete and fanatic delusions of Steve Topletz, who has no love for spy agencies or anyone who would like to compromise privacy of legitimate xerobank clients.

    Wow, my response has been pretty long-winded. Sorry. I'm sure I've said stuff that I'm not supposed to!
     
  14. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Xerobank is a new offering in a pre-existing market of Privacy services that have been around for some time. The league includes 1) Cotse 2) Privacy.li 3) FindNot 4) Metropipe. Steve Topletz, innovator of Xerobank has extensive experience with TOR, thus his credentials, I feel are excellent. Xerobank, if I may, seems very closely modeled if not exactly, after Metropipe. MP doesn’t get a lot of exposure, just sort of quietly humming under the radar. They offer several tiers of service. “Tunneler Gold” which one must setup to anonymize individual applications, and “Tunneler Professional” which anonymizes your entire Internet connection, all apps under broadband speeds. Their service uptime is nearly 100% and speeds are simply amazing.

    Of these offerings, one must be very careful in Googling information as there isn’t much, and what is there is comprised of wholly unsubstantiated rumor, arguments and rage, slander and innuendo. Cotse and Privacy.li appear to take most of the heat. Ultimately, as Privacy Services, you will never know much about the players and who they really are, for obvious reasons. So you don’t really know them.. But you need to count on them.. The Anonymity Purists are very vocal in their total disdain and dislike of Privacy Services. Why? Simply put, depending on your anonymity needs, how do you REALLY KNOW if the service can be trusted? It’s an important point.

    The purist community will rely on the anonymous remailer network for email and TOR for all the rest. These are not commercial enterprises, but protocols and technologies controlled by no one, and if implemented properly offer essentially iron-clad anonymity. And they are 100% free. They can be a pain to learn and work with but are totally solid. See, it depends on what one wishes to be anonymous from… That is a critical, central point. People’s anonymity needs have a very, very wide range that can only be open to the imagination. From political dissidence in oppressed countries, to corporate whistle-blowing to severely criminal and subversive activities. The remailer network and TOR are simply anonymous offering no concern for legal penalties or objectionable illegal behavior. Privacy services on the other hand… How far will they go to protect an individual especially under compulsion of a subpoena or some other type of legal pressure or duress to give up your identity?

    Any way, that’s the crux of the argument. The purists believe it is suicidal to trust your “privacy testicles” to one, and only one source.. And they tend to disbelieve any notion that a paid for service that by nature, must keep some records, can operate “With No Logs” considering that to be a sham.. Privacy services DO HAVE Abuse policies. How can that be accomplished with “No Logging?” So they caution us to be very wary of them. Personally I believe that reputable, privacy services, because of their fast-broadband speeds will only continue to grow in the future. And I’m looking forward to Xerobank to be one of the better offerings…
     
  15. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Thanks for the post. It's always nice to read other's thoughts :D
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Ajohn,

    Regarding special characters, they can cause lots of problems as some functions may interpret them not just as a username, but as escape characters. If we test it out and it doesn't seem to be a problem, we can allow them.

    Steve
     
  17. crash79`

    crash79` Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    114
    Location:
    Isle of Bute Scotland
    I purchased the Plus programme but I have not yet received the promised email with instructions etc. Meanwhile I downloaded the free version but it won't open because of a trojan horse. Rather disappointing.
    It states in the receipt that if I don't receive the email within 8 days and I fail to contact them the order will be cancelled immediately. I think I will go down that route and forget it.
    John
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Crash,

    There is no mention of any email for downloading the software. I think you have misunderstood. Simply log into your account and download the software from 'Profile'. Your virus scanner is giving you a false report of a virus, as sometimes they are rather overzealous about encrypted networks and programs that can terminate processes.
     
  19. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    That's how it's done!!
     
  20. hikuela

    hikuela Registered Member

    Joined:
    Jun 4, 2007
    Posts:
    9
    mail webform / html wizard / email / fax, I was a bit unclear before, I didn't have a privacy issue creating the account online, just issues with JavaScript / funding the account. I wouldn't really feel comfortable sending a username over fax / unencrypted email.

    Creating a username/password over SSL would be fine.

    For most people to use xB Plus / Premium they'd need to create a connection between their home to your servers, so obfuscating the connection when creating the initial username/password wouldn't really achieve much.

    For the folk who either want to hide their link to a privacy service behind a generic VPN, or for the extra paranoid folk who want to chain up multiple privacy services, requiring JavaScript would be a problem, since it could reveal the home IP, rather than the IP of the generic VPN.

    Findnot seem to have thought the system through (email optional, no name asked for (only by the payment processing companies)). I'm still not a big fan of findnot, they seem more interested in money than privacy, and that not warning users about PPTP encryption being easily brute forced unless exceptionally long passwords are used seems pretty shady, but their account signup process seems well thought out.

    Opening an account with cash/snailmail would still be the absolute most anonymous way, but WU is also pretty good.

    Throughout Europe there is something called www.paysafecard.com (also accepted by FindNot), it's like a special virtual creditcard buyable anonymously with cash over PayPoint counters (PayPoints are generic bill paying machines, there is literally a PayPoint in just about every small convenience store in the UK). Unlike real creditcards, the Paysafe cards are accepted almost nowhere, except online casinos and findnot.

    I've gone on a bit too much, basically all I'm after is:

    A way to get a username/password/download link without using JavaScript, and a way to pay you without having to use my real name / address, real IP or real bank details (and the 3rd party payment processor shouldn't require JavaScript either, which isn't very easy to check).

    Short term / 1 month accounts so by the time the authorities get the properly legal documentation to monitor username X the account will already have expired.

    Unfortunately it seems a lot harder than I originally thought.
     
    Last edited: Jun 10, 2007
  21. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Hey Torrify, does the xBB securely delete the information it goes through (such as cache)? I see it uses Firefox for that...?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This looks to be an interesting option (though the real paranoid should consider travelling to a non-local PayPoint to pick up theirs...) and probably far cheaper to process than cash or money orders. The one gotcha seems to be that cards are available for fixed amounts only (£10, £25, £50 or £75 in the UK) and a monthly charge is applied (2 EUR) after 3-4 years.
     
  23. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    I think from Steve Topletz's perspective the user IS protected. Payment is made through a CC processor over a secure connection, and those records are unknown to Xerobank. It seems as though people are flying in naked, but according to Steve, that is not the case. Java/Javascript or not, the process, according to Steve is protected.

    Secondly the way he describes it it would be extremely difficult for an entity to identify, or force Xerobank to reveal the identity of a given user. Steve may wish to comment on this, but if this is anything like the supposed MP model the user connects to Xerobank, let's say, with Pro, through a secure, encrypted VPN. An entity "could" know where you are, but not WHAT you are doing. Past that point, connections are made with perishable session ID's that expire after the connection is terminated and Xerobank would keep no session logs, or so they say, thus records of that session and what your activities were are simply not there. Don't quote me on this, but I believe I read that all users share a common IP, so the session ID would be the only unique identifier. Steve, if you read this, would you care to comment on how this is done? It's important...

    If an entity had a suspicion, they would have to produce subpoenas that would apply to ALL the datacenters in ALL appropriate jurisdictions which would be no small feat. That would be costly and time consuming, but probably not totally impossible.

    Point being? It may not be impossible for an agency to get Xerobank to cough up your identity, but it would be no small feat....

    Now having said that, hikuela is absolutely right!!

    From Steve's point of view, from the "inside" the whole process may be secure.

    However, in an unsafe world, we don't know that do we? And the user would like to do certain things to further protect his identity.

    In the Torpark offering, Steve enjoined people to disable Java/Javascript as with these protocols one's identity could be compromised or sniffed.. Now with Xerobank, people are FORCED to complete the transaction with J/JS. That's not good. No doubt XB is pretty busy these days, but this issue needs to be addressed as a priority... Another model needs to be developed and rolled out ASAP.

    XB also needs to allow people to have additional payment choices that allow them to anonymize payment. Snailmail, MO, anonymous CC, cash. These need to be implemented quickly!!!

    The current system of payment will not give the potential customer the security they are looking for in funding their account. This needs to be addressed.

    My last point is simply this. People PLEASE read this very carefully:

    At its core this is a PRIVACY service.

    In the final analysis this CANNOT be an ANONYMITY service. None of them can. It's not possible. To jump through all kinds of technical hoops is simply moot. One may have a "reasonable" sense of security, but the nature of the beast is that it will never be 100%. Private, yes. Anonymous, no.

    Remember, anonymous means your identity could NEVER be determined.
    Friends, that's TOR pure and simple. No way out there..

    But even TOR states in its disclaimer, "Do not rely on this for strong anonymity." But that's the best there is... I don't believe anyone's ever been coughed up using TOR. But again, nothing is impossible... But TOR is as ANONYMOUS as you will get.

    If you want speed, you'll give up anonymity. If you want anonymity, you'll sacrifice speed.

    No disrespect intended towards Steve and Xerobank.

    "Privacy" and "Anonymity" are NOT synonymous.

    In the final analysis any privacy service can go a long way towards protecting or concealing one's identity. But if an entity REALLY REALLY wants you, depending again on WHAT YOU ARE DOING, they could, in theory, establish an evidentiary chain through force, torture, or compulsion where one's identity "could" be revealed.

    A privacy service MUST know who you are.

    An anonymity technology NEVER needs to know who you are.

    Opening an account with cash/snailmail would still be the absolute most anonymous way, but WU is also pretty good (I'm guessing if I give the address of a hostel they'll have no effective way of verifying the senders address, but it's probably legally better if you completely ignore this point - as long as no-one quotes it I'll edit it out in a couple of days).

     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Correct.

    If an entity is already monitoring you, they would see you are connected to the XeroBank network, but could not see what you do or where you go. If they were on the other end, and receiving traffic from you, they would not be able to trace it back through XeroBank unless the connection was live, and they had a court order, and the court order was for the right servers in the right jurisdictions. That would only get them to the way you are connected to XeroBank, but still not get your account data. Only that *somebody* was using the connection.

    Correct. The most likely case is they are able to get a court order for seizure of some server(s) at a single datacenter in their jurisdiction, but nothing else.


    Agreed. And now we have a solution that should be implemented and kill two birds with one stone. You will be able to order by a webform that allows us to interact via email. From there you can also pay by gold, money order, etc (But not credit card).

    This comes down to quantum theory. You can't observe something without modifying it. You can't exist on the internet without a web presence of *some* sort. The question is, what is a reasonable level. If you are trying to hide from the NSA and they are hunting for you, you have no hope. And anyone who says otherwise is lying to you. If you want to keep yourself, your email, data, and your legitimate activities private from anyone less than the NSA, XeroBank is a great place to put your trust into.

    I disagree but we will get to that. Tor can be compromised and has been shown in the past to have been so, especially by Sybil attacks. However, it may interest you to know that XeroBank has an onion routing system that we have developed and will release in the future.

    Or even by means of technology we are yet unaware of.

    However, regarding identity: we don't need or want to know who you are. We would rather not know. We will certainly have anonymous payment methods we accept as well. Cash and snailmail is fine, but is the customer willing to have their cash lost along the way? I think we have a better method. We will be able to sell certificates to other retailers. You can purchase the certificate from them and use that to fund your account. How about that?

    You can always download a demo, and anonymize yourself from us like that. We won't mind. But then again we don't log your IP anyway.

    Such accounts would have a large premium on them since legal efforts end up costing us money. A huge amount of fraudsters prefer such accounts.
     
  25. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Did you see my message?
     
