Anyone tried XeroBank (formerly Torrify)

To torrify P2P I am expected to pay for 3 months contract, that is 105$. This is very expensive and does not worth the trouble if you ask me. I was expecting something like 10-15$/month, and monthly contracts only. But hey, others might like it. Good luck.

 

I'll stand by my earlier statements, and Steve, thanks for clarifying a number of points. Much appreciated.

The debate will rage, the purists vs: the pragmatists. It is never ending, and in many respects highly speculative, technical, and theoretical.

Many of the alleged weaknesses atrributed to TOR, as an example, are theoretical in nature and have not been found in the wild.. yet..

But as I read today..

"Tor server operators don’t refuse to take responsibility for their users, crazed or otherwise, they can’t take responsibility, because they don’t know who they are. That’s the whole point - its an anonymous network."

It is doubtful that under the right set of circumstances any technology can be said to be 100% foolproof anonymous. Put it this way, depending on the severity of the threat or the crime involved, will certainly determine an entity's determination to gitcha... And come they will. It's probably a true statement that with certain offenses, there can, and should be no safe corner.

But beyond that services like Xerobank are excellent offerings for many, many people and WILL provide them with the privacy and confidentiality they are looking for.

Keep up the great work Steve!!

 

Doesn't look like it needs to securely delete it, nothing gets stored in there in the first place.

Firefox normally uses 2 caches, a small fast one in the RAM (which is automatically cleared when Firefox closes), and a larger slower cache on the disk (which can leave traces for a long time).

With the xB browser the disk cache is disabled.

Try pasting these two links in your location bar:

about:cache?device=memory

about:cache?device=disk

If you are concerned about other programs leaving traces of deleted files check out Eraser (free, open source), it can securely wipe files, and securely scrub unused disk space.

 

Thanks for that info hikuela

 

I have some suggestions and some complaints with regard to the xerobank setup as it now stands.

(1) Although Steve is catering to the paranoid, I get the impression that Steve is not that paranoid himself and as a result, may not see with the same eyes as his more paranoid customers are likely to see. There have been concerns voiced about signups needing javascript, for example. If real as well as potential security issues are FULLY explained on the xerobank site, then many of the paranoid will become a little less paranoid. However, I strongly believe that it should be possible to completely sign up for a xerobank account, including making payment, while on the TOR system, the anonymizer system (which force-disables javascript), etc. In other words, disabling everything on a browser that might be utilised to breach security should NOT prevent one from signing up. Constructing the xerobank signup setup to permit this would be a signficant step of good faith.

(2) If you choose a user name and a password, and then something goes wrong with the payment, I see no obvious way of getting back to that existing user name/password, and retrying payment. What seems to happen is that the user name then becomes taken but you can't associate a payment with it if the first attempt doesn't go through successfully. How long before these 'hanging' user names are deleted and can be used again? there's no indication.

(3) The strongest passwords consist not only of numbers and letters, but also symbols. Why doesn't xerobank allow passwords of this complexity, and why are the passwords relatively limited in length? Again, it's a mark of good faith to cater to the paranoid, because by doing that, you embrace a significantly wider segment of your potential clientele.

(4) Hmmm. I've read through the allegations of connections between metropipe and xerobank, and Steve's reply to it. But in addition to all the other uncanny similarities, I now see that money orders are sent to the same address as Metropipe payments.... which happens to be the same address as the unlinq virtual credit cards that Steve says he rejected (reason only offered via e-mail). Yeah, yeah, I know there's nothing sinister in all this, but the connection more and more looks like something stronger than just a former metropipe staff member hired by xerobank. Please, Steve, some further explanation?? The metropipe-xerobank connection seems stronger than "yeah, we're in the same circles so we know each other" kind of association.

(5) The sooner you put up some help/faq files, the better! I know that you're probably overcommitted and overworked but you'll be answering the same questions less 'over and over again' once more support is put onto the site. Anonymizer really failed by becoming less and less transparent in how their whole system works as their help/support information became more and more nebulous. Steve, if you actively try to do the opposite of that, and provide a large amount of help information, including that which helps allay the fears of the paranoid, this would complement the user-friendliness of the Torpark/xerobank browser. That browser is incredibly user-friendly - it immediately set the whole system on a higher level than the potential competition after I tried it out. It doesn't require Geek knowledge to use. Well, if your faq/help/support files are similarly detailed yet explaining things simply, you're going to make the service attractive to more generalist types that were attracted to anonymizer, YET by maintaining your transparency+superior anonymity that the TOR system offers, you also distinguish xerobank as having a very different product than the competition. That's my suggestion and the rationale behind it. Here's an example of the kind of details worth including in the help/support/faq sections: I'm unclear whether the much touted javascript vulnerabilities even apply to the TOR/xerobank setup. If all the protocols go through the proxy, how can javascript in such a situation be used to switch to a non-proxied protocol to discern the originating IP? This may be common knowledge to some of you, but it's not an answer that is clearly found on the internet, and it's an example of something that may be making people unnecessarily paranoid because they just don't have the detailed knowledge cuz they aren't computer geeks!

(6) If it is not on the xerobank browser already, I'd really love to see an easy to use user-agent (all major parameters) spoofing feature that is easier to use or understand than existing plug-ins.

(7) If it is not on the xerobank browser already, I'd really love to see a feature where the current IP address/name is displayed 'on the fly' somewhere on the browser interface. With the current Torpark, I go to a proxy checker to find out what proxy I'm using, then I go to the site I was intending to but of course by that time, the proxy may have switched! I'm never clear what IP I'm displaying to the greater world.

Thanks for any feedback. The only reason why I will subscribe to this service this early and have some trust in Steve is that I googled his name, saw the kinds of stuff he's on the internet for (not all computers), and it gave me the impression that this was a pretty normal kind of guy, not like some of the privacy warlords who seem to have some significant mental problems!!!! He radiates the same level of sincerity of someone like Lance Cotrell, that makes Steve stand out, and that's why it's particularly important that he proactively address all metropipe-xerobank connections.

thanks for having the patience to read this long posting.

 

Just agreeing with your points, and adding an answer or two, and a bit of a security concern.

I've already voiced concern over needing javascript to sign up, with you 100% on that.

I tend to use weak disposable passwords for forums, and strong passwords of at least 40 characters for privacy stuff (easy way to generate a nasty long password which is easy to remember/recreate: md5 or sha). Makes it a pain for any TLA to brute force it.

Tools->Add-ons->Firesomething
The default useragent is the generic Firefox one (probably best for privacy, doesn't stand out from the crowd).

I've done a bit of testing though, and changing the useragent in FireSomething doesn't seem to work properly, I can add comments to the end of a User-agent, but can't alter the OS name / version number. A bug, but I'd think a very minor one, I doubt they'd be many situations when it'd be useful to need to alter them anyway (since most sites detecting the user-agent are going to be a pain to use with disabled javascript).

Been there, done that. Much fun involved.
On the old TorPark it used to display the IP address of your proxy in the Firefox status bar, whoever was providing the service didn't take kindly to an army of TorPark users using the system, and altered the system so instead of returning an IP address certain rude words were returned instead.

You don't really know what to do when your browser calls you a c*nt.

I'm guessing that's why Steve's skipped the proxy check in xB.

Personally I was never that keen on it anyway, think about it another way, some TLA monitors the proxy checking website, they know your browser will automatically check the service exactly every 600 seconds, then they can link up every exitnode you've used during your entire browsing session.

A handy alternative is to use either the default xB startpage, which will display your apparent proxy, or use the Google International English page, every time you visit google it'll display the normal google page, with a "Goto Google Deutschland" link at the bottom, if there is no link then you are using a US exit node. More useful to non-Americans, but useful anyway. It also always returns results in English, unlike using the google box in the top right.

Now for the security concern

Since I've just been looking at the xB add-ons I do have a security concern, NoScript has a couple of whitelisted sites, addons.mozilla.org and mycroft.mozdev.org. While I'm sure these two sites are perfectly legitimate, NoScript should still require user confirmation for them to run scripts.

I do trust mozilla and mozdev, but if I were working for the bad guys:
1) I'd setup an exit node
2) xB user visits https://www.wilderssecurity.com using my exit node
3) I return the normal page, but with a 1 pixel iFrame linking to mozilla
4) xB automatically asks the exit node for the mozilla.com page
5) I poison the dns request, so mozilla.com points to an fbi IP address
6) xB fetches page from fbi.gov, and allows page to run scripts.

If no-one quotes this section of the post I'll delete it once it's acknowledged as a bug.

 

ShowMyIP does a pretty good job of Tor proxy detection, though it's nowhere near as "real time" as they claim (I've tried accessing it directly two days after shutting down as an exit node and it still reported my IP as being part of Tor).

This issue has been raised here (with some input from NoScript's author, Giorgio Maone). A counter-argument can be made that blocking the installation or update of other Firefox extensions by default would likely make NoScript very unpopular and cause many new users to remove it, rather than learn how to configure it. There needs to be a balance struck between prudence and paranoia that the typical user can live with (though the addons entry could be tightened up - see later).

Step 5 would be unnecessary if you were running a Tor exit node yourself - you would have to modify the Tor software to remove its own check for DNS hijacking but once done, you could arbitrarily redirect users to the URL of your choice. On the other hand, addons.mozilla.org is an HTTPS page (though a spoofer could get away with a plain HTTP fake - tightening NoScript's exclusion to https://addons.mozilla.org should handle this though) which means that a browser would download its certificate and verify it with the issuer - making spoofing impractical.

 

Thanks for the link to the NoScript discussion, your description of why NoScript has those sites whitelisted makes perfect sense, but only for a normal Firefox/NoScript user.

With xB the default option is not to check for extension updates (Tools-Options-Advanced-Update), so I guess there is a good reason why (I don't know if any magic was required to integrate them into 'Standalone Firefox' or what extension settings had already been altered to preserve anonymity. I'd guess it'd be like most things, 90% of it wasn't difficult, but one awkward problem took ages).

Since Steve Topletz disabled update checking for extensions I'd assume his plan would be to release a new version of xB if a critical bug was found in Firefox / Tor / an extension. I also think I remember him posting that xB automatically checks to see if a new version of xB has been released.

Anyway, for an anonymous browser, I can't see any benefit in allowing those two sites to be whitelisted, especially since update checking is blocked on xB.

 

Thanks Mr. Steve for all your highly informative discussion. I have two big questions....

1) You repeatedly stated earlier that no IP addresses are logged. Yet here in your privacy statement you directly contradict this:
http://www.xerobank.com/privacy.html
------------------------------------
Technical Logs
XeroBank collects IP addresses and browser information which are used when accessing XeroBank services and web sites. These technical logs are not personally identifiable, and XeroBank makes no attempt to link them with the individuals that actually use the service or web site. The log files are collected for internal system analysis and benchmarking purposes only and are being deleted after a maximum of 90 days. XeroBank may only store summarized access statistics not containing any IP addresses or other personal information.

2) Xerobank free browser: I've read this entire thread and another that was closed which pointed to this one. As you've made rather clear, Xerobank free uses the actual Tor network instead of your company's private network. Just to be clear... Is Xerobank free communicating with you, your team, the company or anyone else in any way shape or form about whoever is using it?

 

Thanks for feedback so far, hope Steve will also add his piece at some point.

Their credit card approval service is SO strict (overly so) that is rejects completely normal, legitimate credit cards that I have had no problem whatsoever using generally on the internet.

 

Good questions. Happy to answer, sorry for the delays to all.

We don't collect IPs. This is just some boilerplate stuff as we update the policies to reflect our practices. We would rather be conservative and say we do while we really don't, than the other way around. We will heavily log attacks against our system and network, but we need to perform audits to make sure all the systems aren't logging IPs or identifiable information.

So the short answer is we don't log IP addresses.

Regarding the free version of xBB, it connects to update.xerobank.com to check for software updates to the browser. This goes back to the earlier question of why we have updates turned off for the browser and extensions. We are on the security advisory list for Mozilla, so if there is a security update, we know about it before it goes out, and write a new version of xB to be released typically before the new version is officially released. That is how we came out with xBB 2.0.0.4 a few days before mozilla released firefox 2.0.0.4. We are actually about to release a new update to 2.0.0.4b, which you will probably get notified of by a popup. That is the only "phone home" that it does. It grabs a file and checks the latest version, but doesn't send any info back. And no, that server doesn't log IP addresses

Regarding the javascript issues: we have a new webform we are about to release which solves that. Further, you will be able to pay by Cash, International Money Order, and Bank Wire. We will also try to integrate Western Union/Moneygram payments.

Additionally, in xBB 2.0.0.4, your changes will be saved. That problem is fixed.

EDIT: I was also thinking, who would like to have a google search from our IPSpy page? I thought that might make sense.

 

Steve-

Any feedback appreciated (with thanks to the others for their input) on-

--- If you choose a user name and a password, and then something goes wrong with the payment, I see no obvious way of getting back to that existing user name/password, and retrying payment. What seems to happen is that the user name then becomes taken but you can't associate a payment with it if the first attempt doesn't go through successfully. How long before these 'hanging' user names are deleted and can be used again? there's no indication.

--- The strongest passwords consist not only of numbers and letters, but also symbols. Why doesn't xerobank allow passwords of this complexity, and why are the passwords relatively limited in length? Again, it's a mark of good faith to cater to the paranoid, because by doing that, you embrace a significantly wider segment of your potential clientele.

---- If it is not on the xerobank browser already, I'd really love to see an easy to use user-agent (all major parameters) spoofing feature that is easier to use or understand than existing plug-ins.

--- If it is not on the xerobank browser already, I'd really love to see a feature where the current IP address/name is displayed 'on the fly' somewhere on the browser interface. With the current Torpark, I go to a proxy checker to find out what proxy I'm using, then I go to the site I was intending to but of course by that time, the proxy may have switched! I'm never clear what IP I'm displaying to the greater world.

 

Right now, they won't ever be deleted. However, when we get to that particular potato on our plate, we will make sure all abandoned or broken checkouts are deleted.

No particular reason yet. We will fuzz-test the login shortly to see if we can break it using special characters and passwords up to 1024 characters in length. When we are satisfied, we can release it.

I agree. I think I found one, but it didn't have any presets for other browsers. I'll try to set one up shortly. If you have a suggestion on a particular one, I'll listen.

Well the problem with that is when you are using the Tor network it doesn't work properly. You have multiple IPs at any one time, so it really isn't applicable. But using our xB service, I can understand that. And I think we can accommodate that.

 

I'm confused with your first paragraph. You say you don't really log IP addresses. Yet you also say you want to be conservative and "say we do while we really don't, than the other way around. We will heavily log attacks against our system and network, but we need to perform audits to make sure all the systems aren't logging IPs or identifiable information."

If you really don't, then say you don't. Why the need to be conservative? And aren't all these machines under the control of your company? Why the security audits to make sure they "aren't logging IP's or identifiable information."?

Now I am all for stopping attacks against the network. I am all for thwarting child porn and fraud. And I've seen you've written quite a bit in this thread earlier about the concept of "live traces" or something like that. Now if you say that attacks are heavily logged against your system and network, then by that same token logs (hence voiding the notion that "no logs are kept") are nevertheless being kept and wouldn't all other traffic also get caught up in these logs?

Also as far as responding to legitimate court subpoenas and ISP complaints, I understand your answers. And I also understand the concept of "live trace" as applied to this issue. So there's heavy anonymity involved. You say IP's are not logged. No identifiable information is being kept. And herein lies the issue: a court will expect you to obey that subpoena. So therefore there'd have to be a weakness of some sort in your service to allow efficient response to subpoenas. Otherwise for all intents and purposes you technically respond to legitimate subpoenas, but in practice it's a free haven for criminals to operate unstopped.

BTW, unrelated suggestion: on the front page where you mention the different xerobank deals: plus, pro and premium. How about a 4th category on there? FREE XB browser.

 

I would agree, that this is necessary. My account is blocked too since payment did not work out right.

What about PrefBar?

BR
zikarus

 

I have been amazed reading this thread. It all goes down better with sweet honey, but the double-talk is incredible. He has sidestepped every issue with easy brush-offs claiming technical problems (the static IP), hiring a Metropipe employee (the whole HUGE coincidental net involving Metropipe), boilerplate HTML (the collection of IP addresses), that whole, "Say we do while we really don't," concerning IP's (to be 'conservative') and more.

I haven't been back to comment, but his explanation of the name change is different than from those those associated with TOR. He made it sound like he was playing technical support for the whole TOR network because of the name of his software (TorPark) and it was such a burden. Well, Steve, when you name your browser after the name of the network, yeah, that could be a problem. However, it was that very name (TorPark) that confused people and gave your browser the success that it has had and has allowed you to begin this big commercial enterprise. You can't have it both ways.

There's so much I could comment on in this thread, but I am just amazed that, apparently, some people accept all this because of his well-mannered words. It would be funny if it weren't such a serious matter.

Genady

 

Because I would rather under-promise than over-promise. Now if you are getting at that I might actually be logging, that is antithetical to our purpose. This will get answered below.

While I trust my own administrators, I know we have some paranoids out there. We are to be the shining beacon that everyone says "Yeah, that is the way to do it," then I think we should lead by example. Unlike the other guys, we are not going to say "trust us blindly," we want you to know that we aren't logging. So for your peace of mind, we will have auditors who will be able to audit our practices to make sure everything is as we say it is.

Technology is wonderful. When we identify an attack, we can define what it is that makes it an attack, and simply log that action. Nobody else will get caught up in the logs.

Ah ha. And here is the great genius. Legitimate users are protected by the client secrecy guarantee, illegitimate (Scammers) are not. Since the scammer isn't protected, we will be the first to throw him to the wolves.

Regarding the subpoena, lets address that. Who can issue a subpoena? Do they have jurisdiction? Probably not. We are a Nevis LLC. They will have a hard time even interacting with our court system. Let us assume they then have the subpoena, sorry guys, we don't have the logs you are looking for. Assume they then get a court order to log. Sorry guys, we don't have any servers in Nevis, wrong jurisdiction. Assume they then get a court order for the right jurisdiction, oops, the incoming connections are encrypted, as are the outgoing, as they bounce from one jurisdiction to another in our system.

What they need is court orders for all jurisdictions on the circuit the person is using. This is a huge hurdle. And the more likely case is, they will just confiscate the server at the datacenter, and not be able to recover any data from it. Just like tor servers, except ours exist inside multiple levels of encryption, rendering them useless to confiscation.

[/QUOTE]

Free browser is on the front page. Go to the left and look down. That takes you right to it.

 

Genady, your true colors are showing, but I'll humor you anyway:

No, I think what gave it the success was the fact that it is so amazingly easy to use, the first of its kind, and that the Tor Project wasn't addressing the needs of windows users. Often times when they released a version of Tor, it would be weeks later before they got around to making a binary for windows users. Thus Torpark was born.

And yes, having over 2 million users is a huge burden. Imagine just 0.5% of those people asking for help or wanting to ask a question. And they weren't asking for Torpark support, almost all the problems were for Tor because it wouldn't connect to the tor network for some reason or another. And, of course, there are a few thousand times more users of Torpark than simply the Tor+Privoxy binary, but I'm not here to debate it since the user numbers are so shaky.

Regarding the naming, when it all started it wasn't an issue. Tor Project didn't have a problem with it until we both started to get too much crosstalk on our support. Tor Project never had a problem with Tork, TorDNS, Torbutton, Torcap, transproxytor, etc. etc. You've never heard of most on them? Well that is exactly the point. You've heard of Tor and you've heard of Torpark. Nobody is confusing Tork, Torbutton, etc with the tor project, at least not significantly. The real thing that Tor Project and Torpark had in common wasn't just Tor onion routers, it was lots of positive press. And why? Because I give my users what they want. You want javascript-free ordering? Done. You want a clarified privacy policy? Done. Offshore servers? Done. Encrypted email systems? Done. Credit Card orderings? Done. You want distributed jurisdictions? Done. You want a better user agent switcher? (it's gonna be) Done.

The reason I have success is no mystery: I listen to users, understand what they want, and I give it to them.

 

Hello to all of you. I'm new in here and the english is only my second language, but I have a question to ask:
- Until last week when I used the XB browser (free version) and every time I shut it, my AVG anti spyware warned me there was a Trojan named "KillProc.dll" in XB browser temporary folder, classified with high risk and advised me to delete it. Suddenly, yesterday and today when I used the same XB browser, and when I shut it off, the same AVG anti spyware stopped to detect the same trojan. I know that it is there, but what I don’t understand is why the AVG stopped to detect it. Can somebody explain it to me, please?
Thanks in advance,
Darthy

 

Welcome to the forum's Darthy,

It's looking like an AVG specific false-positive. Who else has it flagged - http://virusscan.jotti.org/
Hey Steve, if I understood a bit more I'd have some 'haggling' of my own to offer!
Seriously though, thank's to everyone for the informative discussion.


Steve

 

I am interested in this product, but I registered for the free trial a couple days ago and dowloaded the browser and user keys etc. but it never would work. Everytime i start it i just says:

“The proxy server is refusing connection/Firefox is configured to use a proxy server that is refusing connections.* Check the proxy settings to make sure that they are correct.* Contact your network administrator to make sure the proxy server is working.”

The unregistered (slow and free) edition works fine for me, but the free trial edition wouldn't work. I even dowloaded it a few times and made sure my user and keys matched the single downloads, is there some special instructions I am missing I don't know if I'm doing something wrong, or the service just isn't working.

Also it would be helpful to have a "cancel subscription" somewhere on your user profile when you log-in I am very wary of ordering subscription services that take money every few months unless I am certain I can cancel it hassle free if I no longer want the service.

 

I'd be tempted to ignore the warning. From my understanding, xB works like this:

You run xB Browser, 30 seconds later you've got Firefox on the web. 20 minutes later you close down xB and return to normal.

Behind the scenes:
You click the xB Browser
xB runs Tor.exe as a process, which links up to the Tor network
xB then runs standalone firefox, preconfigured to use the ports opened by Tor.exe
When you close xB it uses the KillProc.dll to close Tor.exe down

Perfectly innocent, but anti-virus/malware software is probably right to list KillProc.dll as something of interest.

Programs are perfectly entitled to close themselves down, it's perfectly normal (Firefox - File menu - Exit), but when a program closes down another program, then it's suspicious.

In this case it's just over-cautious anti-malware, but I'd imagine similar methods have been used by nasty malware to close down firewalls / virus checkers / etc.

 

Has anyone tried xerobank with peer guardian 2? I've got the latest version of peer guardian 2 using block lists of both anti-p2p and government computers. It's already successfully prevented tor from connecting to government nodes, such as NATO C3. I love this program.

http://phoenixlabs.org/pg2/

 

There wouldn't be a great deal of point in using PG with Tor or XeroBank since all it could do is block access to entry nodes - it couldn't prevent such a node from subsequently routing your traffic via a "government" middleman or exit node.

If however you are running BitTorrent and only using Tor/XeroBank to anonymise tracker access, then PG2 would make more sense in that it could block subsequent data uploads/downloads involving direct connections.

Note that government participation in Tor is generally a Good Thing - it increases the diversity of traffic handled, provides more network bandwidth and enhances Tor's legitimacy for ordinary users. Tor itself started as a US Navy project and other government agencies have a need for online anonymity just as users do.

 

Torrify, I have some questions.

1. Are these paid services available for outside U.S. ?

2. Did you have any plans to translate Torpark/Xerobank browser to other languages? I believe your old support forum was doing that work on a dedicated section.

3. The same question for your main page. If your paid services are available for outside U.S. why didn't you put your instructions on other languages?

I understand english a bit, however, I don't know how to make a international payment, and most users never bought anything from outside.

Just a few people have international credit card, for example, which is more expensive than a national credit card, not recognized by stores like Amazon.

What I am trying to explain is, if your services are available for other countries you may need to explain in their own language how to contact your services.