Anyone tried XeroBank (formerly Torrify)

Steve: do you know if there's any way to block specific URLs from being accessed while you're using XeroBank? Some sort of block who might work the same way we do rewriting HOSTS file to redirect them to 0.0.0.0.0 or 127.0.0.0.1 on Internet Explorer.

I mean, this block should not show any warning, the only thing will happen is: XB will not find anything while is trying to access that URL, like it doesn't really exist.

 

Howdy Jim,

It sounds like what you are looking for is a local firewall. Can you tell me more about the application of needing to block yourself from certain IP requests? Does this request blocking need to happen locally, or should it happen on remote requests? If I understand what you are trying to do, I can be of more help.

Jim, that also reminds me. I wanted to speak with you. Drop me an email.

Steve

 

What I am trying to do here is to block my own access to certain sites, for example, who might contain spywares or even porn (I want certain websites to be blocked/blacklisted completely). Maybe some plugin can do that?

The problem is, some websites can be viewed only by changing the URL. Let's say you want to block Yahoo completely. If you type yahoo.com, when XB will try to conect on them, you will see nothing, like it's an invalid address. However, if you try to connect on yahoo.co.jp you will see a valid address. Perhaps there's a way to prevent this?

Well, I don't know how the HOSTS file works, but it's the only way that I am aware of, who might block you from acessing any sites (which are redirected to nowhere). And for me, only works on Internet Explorer.

This is what I am trying to accomplish here.

Just for the record, it's also a block who might prevent other sites from acessing the same address.

Steve, I sent you an email.

 

Steve, I just found out an extension which will solve the problem of export all our usernames and passwords from XeroBank/Firefox when it's necessary to make an upgrade to a new version (and we don't have to fill all over again).

In case you have forgot, we have to remove the current XB version in order to install another, and all setings are lost in that process.

So, it's possible to export/import all passwords into a single file, and also our bookmarks (bookmarks can be done directly from Firefox and doesn't require any extension to do that). The only thing that can be lost are form field entries, but it's not something important and takes less time to be filled again.

* I must say I am still looking for some way to make KeyPass (or some other solution) to fill all password fields from XeroBank (on this board, for example) and don't have to let my passwords available to everyone who can access my machine. There must be some way to lock all of them in a way that no one can have access even by using brute force to break the master password.

Unless someone has invented some extension that can work this way (using a master password who can access all the other passwords list, like KeyPass do), the best choice is to keep saving passwords on Firefox. Most people do that, we can't deny.

Password Exporter 1.0.6

This extension allows you to export and import your saved passwords and rejected sites between computers. Your passwords will be exported to an XML or CSV file and can be encrypted.

NOTICE: The "encryption" is mainly to prevent casual users from stumbling upon your passwords. It will in no way stop someone who actually wants to see them, as they could just import your file anyway.

Link: https://addons.mozilla.org/en-US/firefox/addon/2848

And here's another one I was looking for:

BlockSite 0.6

BlockSite is an extension, which automagically blocks websites of your choice. Additionally, this extension will disable all hyperlinks to these websites, by just displaying the link text without the clicking functionality. This extension should by no means be used for parental control or access control purposes, just because it isn't secure and can easily be disabled or even removed. This extension adds the site blocking functionality that was removed from Adblock Plus.

Link: https://addons.mozilla.org/en-US/firefox/addon/3145

Like I said, my passwords are saved on Firefox and when the browser is closed, they are the only thing (along with form fields) which are not erased.

So I need to login each time. There's another extension who can make our life more easy. I only need to click once on Secure Login button to make a new login automatically.

Link: https://addons.mozilla.org/en-US/firefox/addon/4429

 

Jim,

You're in for a pleasant surprise with xB 2.0.0.8a.

Steve

 

While back you said something about a nice feature in xB 2.0.0.6b yet your site still list 2.0.0.6a, now you're talking xB 2.0.0.8a. Where is xB 2.0.0.6b ?

Any plans for Linux in the future ?

 

It should be clear, that there was no v2.0.0.6 b but that soon there will be a new v2.0.0.8 a as the follow-up to the v2.0.0.6 a.

 

Yes, the way it works is we follow the firefox scheming. That is the "a" version. If we come out with a new build before Mozilla comes out with a new Firefox, it goes to version "b". So when I speak about a new version, it will be whatever is in the latest.

Regarding Linux, we haven't gone there yet, but we will I think. xB Machine is meant to be a solution for Linux and Mac users, as it is more comprehensive in security. At the end of the day, though, it is a 300MB download, not 12MB like xB Browser.

In this new version I'm building, lots of changes. If it is up to me, we'll have a version "c" built before Firefox goes to 2.0.0.9.

 

Ok, thanks

 

http://bp3.blogger.com/_t08BpL1TpxA/Rx18y1RR94I/AAAAAAAAACU/hDJxb-06Xhk/s400/xBBrowser.jpg

Greetings.

According to Steve's blog, XB 2.0.0.8a is available now. So I download this file, and tried to install.

hxxp://update.xerobank.com/beta/xB Browser Installer.exe

It's a file with 9 MB. The problem is, the file (XBBrowserInstaller.exe) is not working properly. It says that needs 0 KB to be installed (the free version). And if you proceed to install, no files are created on XeroBank directory.

The solution is simple. You need to rename the file to XBBrowserInstaller.7z to unpack all files and create a new directory by yourself.

I see that this new XB has Password Exporter and BlockSite extensions suggested before already installed. That's a great addition to this browser. FF is updated along with Noscript and other extensions. Noscript is configured the same safe way as before.

Still, remains the yahoo.com address on the cookies blacklist, and the Google (and other search toolbars available right after you open the browser).

I decide to remove yahoo from the blacklisted cookies (since I use one of their services, the Yahoo Groups) and remove all search bars installed from the XB directory (they are .xml files placed on the xB Browser\App\Browser\firefox\searchplugins directory). The reason for that: I don't trust toolbars installed on browsers and I don't need them here every day, specially Google, Yahoo, Amazon and Wikipedia.

That applies to Useragent, Images and Send Referrer buttons from PrefBar, which are placed aside of the navigation bar by default. Send Referrer is now uncheck here and all three are removed from my sight. Instead, I choose to place the Clear Cookies button, along with the extension named Secure Login which provides me the autologin feature.

 

That didn't work for me, I hope it will be fixed soon.
Thanks for the heads up about the toolbars.

 

The new installer did not work for me either.

Renaming the file to .7z instead of .exe made it possible to extract the files into a folder but some weird behaviour of the browser makes me think that installing it the way it might be supposed to shold be better...

Btw - besides the install not working properly: How may I install the trial-version onto different sticks? Do I have to install as a member the second time?

Keep up your good work anyways!

BR
zikarus

EDIT: Having read the latest post from Steve in his Blog I tried out the even newer installer and this updated one does what it should...

 

g'day folks.

so, the xerobank "terms of service" says "XeroBank services are not intended to be used for illegal filesharing" and "Clients who violate the XeroBank Terms of Service will not be protected by this document" is found on the Client Secrecy Guarantee. Aaah the all important Client Secrecy Guarantee.

What I want to know is-what is the criteria for understanding what exactly is classified as illegal filesharing considering different countries have different laws on this and further, you say information is on different servers in different countries?

Xerobank will likely have a spotlight at some stage and be targeted by MPAA/ RIAA etc.. My impression is that Xerobank would fully cooperate with any requests they may have in relation to "illegal file sharing/downloads"- after all- isn't that what the agreements on the website are basically saying?

Could you help a potential client/ user of xerobank pro understand this better?


Thanks

 

Hi raymondp..

Yours is an excellent question. In lieu of Steve's expert reply, let me weigh in and try and alleviate some of your concerns.

I quote the following from the Xerobank website:

"Requests from Authorities
XeroBank has built its privacy networks to have client account data separated, segregated, and encrypted on multiple servers in multiple countries so no single party can compromise a client and their data. Most internal account transaction details are not mathematically reversible due to one-way operations. Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction. In the case that such authorities can validate claims of violation of XeroBank's Terms of Service, we will attempt to terminate the client account the abuse originated from. If XeroBank is served with court orders of all appropriate jurisdictions for all specific servers, we may be forced to attempt to trace live data connections. A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances. Violation of XeroBank's Terms of Service invalidates the Client Secrecy Guarantee. XeroBank will not aid or protect criminals. If fraud or hacking is detected within XeroBank's networks, we will proactively notify and cooperate with authorities to track and identify the criminals involved. XeroBank is not a service to mask abusive or threatening actions; thieves and criminals beware."

It behooves Xerobank customers to examine this notice very closely.


Xerobank data is encrypted and resides on multiple servers in many countries/multiple jurisdictions. It does not reside in one country, in one location on a single server. A single subpoena served in a single location would likely result in nothing for an entity, whatsover.

1) "XeroBank has built its privacy networks to have client account data separated, segregated, and encrypted on multiple servers in multiple countries so no single party can compromise a client and their data."

2) "Most internal account transaction details are not mathematically reversible due to one-way operations. Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction. "

In other words, due to the way the payment structure is set up, Xerobank has no way of knowing exactly who the individual customer is. XB has paid close attention to this "separation" process thus further protecting client's anonymity. XB offers choices now that will assist prospective customers in seperating their identity from payment, and will likely offer even more choices in the future.

3) "If XeroBank is served with court orders of all appropriate jurisdictions for all specific servers, we may be forced to attempt to trace live data connections. A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances."

Read that last staement carefully. Though not impossible, an entity would be hard pressed to submit subpoenas for a data stream that exists in many countries. It would not be totally impossible but would be enormously complex.

4) "A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances."

This next sentence is significant.

5) "Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction. "


Clearly, XB will not, and cannot be a responsible party to clear legal violations.

But if you read carefully it would be no easy feat to track down individual user activity and tie it to one specific account and one individual.

Steve, and the XB team have gone to great lengths to protect the privacy of it's customers with a solid network of protection. They have an enormous amount of integrity.

I hope this allays some of yoiur understandable concerns.

B

 

raymondp,
you may find some answers here, on posts #37 and #38 of this thread.

There's something I want to ask you, because I am confused. I thought XeroBank was a Firefox portable browser which have Tor inside, and tools to gain access to this network.

Every IP reserved to the free version of XB is identified as a Tor node (every one of them are identified as Tor exit node by https://torcheck.xenobite.eu ).

Now, look what XB FAQ says:

Are you saying that XB uses his own network to gain access to Tor network? Somehow I am too dumb to understand what you mean. Could someone please elaborate how this change of resources is possible? I mean, you're using 50% from XB network and 50% from Tor when you surf on the web?

If someone wants to track you down (let's say RIAA is trying to do that), it will see only Tor network or XB's?

Some people here were saying that the paid and high-speed services from XeroBank has some unique IPs (I don't have the confirmation right now if that's true). Perhaps XB is entirely dependent of Tor network only on the free services?

 

I have a xerobank Pro account. You should try it.....you'll *NEVER* go back. But when I have my VPN in the system tray and open the xb browser, a box pops up and says that it recognizes that I have xerobank VPN and to make sure that it is connected. My xerobank browser now shows the IP 88.198.241.108 gwde5-2.meshmx.com (Not Tor). If I have the VPN icon in the system tray and it (my VPN) is disconnected, xb browser shows my true local IP. So it appears to rely soley on my Pro account. If you have a paid account, Plus or Pro, you are using xerobank and NOT tor. If you are using just a free xerobank browser, then you are creeping along with tor.

But here is a question. If I am running my VPN and I want to post to a google group or something like that with a different IP......or maybe just have an extra layer of security (not that I need it with the VPN).....what happens if I use firefox with privoxy and Tor, over top of the VPN?

I know this is probably a silly question for most, but I am new at all of this. Are my activities encrypted twice? Once by Tor and then again by xerobank? And then would my requests travel to xerobank, then to tor, and then on out to wherever from there? That just sounds like an interesting question.

 

Greetings everyone. Sorry about the delays. Apparently you Windows Vista users are having a bit of trouble with the installer, as were those of you who downloaded the first versions. The issue was the 7z extractor required external DLLs, so I switched it to an extractor that had the DLLs inside it. The other issue was that it wouldn't download your account data, and that was because of the privilege levels that Windows Vista requires. We had set the user priv levels to 'user', but apparently to create a directory or files in C:\Program Files\XeroBank, you have to have admin access. Go figure.

Anyway, those problems are fixed now. But it gets better. Here comes xB Browser 2.0.0.9a even sooner, apparently.

I didn't get all the settings in the xB Browser just the way I wanted them, but let's be honest, it was all about the installer.

Jim, oh my. When you use the free version of xB Browser, you are using the public Tor network. When you have a xB account and enter that data into the browser, you get switched over to the private broad-band speed XeroBank anonymity network. Never shall the twain meet. At least not unless you program it that way somehow. And yes, unique IP addresses. We are shortly going to be adding 30 new IP addresses in the USA.


caspian, if you use Tor on top of XeroBank, you are lowering your speed an anonymity. When before you were using XeroBank as your exit node, and know we don't monitor your traffic, you are now sharing your plaintext traffic with an untrusted party. Further, all your bandwidth loses speed, traveling through Tor. The essence of Tor was to make the originating node unknown, and you don't need to use XeroBank to accomplish that, as the Tor network provides that. So I suggest you use one or the other, but not both as it automatically gives you the worst situation. That is of course unless you were seriously worried about entry nodes and middleman and exit nodes in the tor network doing logging.

 

Thanks Ballzo and Jim for your posts: I very appreciate much what you've shared.

And so, when, say, banking online through xerobank pro service- would you always be able to maintain the same I.P (for those sites that are quite particular about that sort of thing??)

Also, would I be able to choose which IP address I want for a session-
--{sorry if it seems like a stupid question}-- it would be good to know though.

I don't think it is prudent to pay through credit card- even if there is an intermediary and you wouldn't know who made the payment- it still could be traced. After you go through the account setup, will it say where to send cash to. Whats the process for paying with cash then getting activated and downloading whats needed for OS X?

Thanks again.

 

Hi raymondp;

You wrote:

"And so, when, say, banking online through xerobank pro service- would you always be able to maintain the same I.P (for those sites that are quite particular about that sort of thing??)

This may or may not be a matter of preference, but personally, I see little need, albeit it may be harmful to do your standard banking online anonymously. Unless you have some mysterious off-shore account.....

Your bank knows who you are anyway, right? They need to know who you are. Why anonymize yourself with your own bank? Let's say, hypothetically, you are "Raymond in Dallas." You established your online bank account with an IP address in Dallas. And now you're logging on to your bank account with an XB IP address in Germany. That will certainly throw up red flags for your bank. I tried making a credit card payment once, in error, anonymously, with an account that had NOT been set up anonymously. Had all sorts of trouble and the payment was refused.

It would be a different matter entirely, if you originally established your account with a different IP other than where you are.

Your physical statements are sent to: example: Dallas. But you're logging in from Germany.

There may be something I am not seeing, or another angle I'm not aware of, and if so, perhaps someone would be kind enough to point that out.


"I don't think it is prudent to pay through credit card- even if there is an intermediary and you wouldn't know who made the payment- it still could be traced."

I personally disagre, but this IS truly a matter of choice and comfort. I believe XB still uses Dalpay. Because of the way the system is intentionally set up, if you make a CC payment with Dalpay, Xerobank itself, has no way of knowing who you are. The Xerobank user account and the payment are segregated and seperated and the information cannot be connected. It is a very, very tight system.

But if one isn't comfortable with that, ultimately a cash payment can be made. That probably affords the best anonymity, but also exposes one to the greatest security risk ie; cash sent by mail.

Best,

B

 

Steve! Glad to see you back.

I noticed that XB website still doesn't have any product manuals (specially for XBBrowser), so I am going to ask a couple of questions about xBConfig file.

Configuration Wizard has the following options:

Generates XeroBank INI Files

Preferences:

Disable Warnings
Disable Splash Screens
Disable Tor Management
Wait for Circuit Before Starting (enabled by default)
Network Uses Proxy/Firewall
Create Debug Logs

Tor:

Circuit Timeout - 180
Control Port - 9051
SOCKS Port - 9050
Tor Commands (blank area)
Delete Dir Data on Exit (disabled by default)

What these options do, exactly?

I noticed that, if you disable the option "Wait for Circuit Before Starting", XB browser will start more faster, however, even after the browser is started, you have to wait a few seconds to see some sort of pop-up or warning telling you the Tor network is activated (and I was worried about this option being worse than the usual one Steve enabled. You know: if your old videogame don't have any load time, instead of finding this a good thing, you may also think he is somehow malfunctioning. It makes you feel different when you see some engines (and effort) to start something.).

I find this more effective (even if it's a little vague) since every time XBBrowser is opened, the delay is nothing less than 15-20 seconds, and still remains that problem I told you about (memory crashes on XP SP1, see my other posts on this same thread for more details).

Regarding XB, today, for the first time, I noticed what you did about Yahoo traces on the UserData directory. I tested XB by placing a .xml file there. The first thing he do after started: ask if you want to delete this file. That's great! I was thinking this option was working without any knowledge of the user. This file is placed on a unique directory by Yahoo if you select the option to remember your login (I think).

About the passwords, I think there's a substitute for KeePass on Firefox (unfortunately it's not easy to use at first and requires a Professional license to work correctly). I still have to do more tests, but it seems that the extension RoboForm protect all passwords using a similar engine.

https://addons.mozilla.org/en-US/firefox/addon/750 (download link is broken)

http://www.roboform.com/faq.html#security (official website)

What I always want was a auto-login/form-field feature with a master password protecting a bunch of usernames/passwords for plenty of websites you have visited, and if you lose your master password to gain access to the control panel, you lose your passwords too. And nobody can have access to this control panel, and break your master password to gain access to your data.

Firefox is a waste because of that. Anyone can have access to your machine and see all your usernames/passwords. Roboform is already here, I will check it soon. For now, it's installed as a real software and works inside of XeroBank. KeePass was only dealing with IE, and not working at all.

 

It's not just a question of anonymising yourself with your bank (after all any site where you have to identify yourself, including this forum, will know to some extent "who you are") but of ensuring that third parties (your ISP and anyone else with access to your network connection) cannot see or record your online activities.

There is a downside that some bank websites may require you to login again should your IP address change, but if you can complete your transactions within 10 minutes, this should rarely be an issue.

Also note that banks/credit card companies are as likely to include adverts and third party trackers as any other site, and since they tend to use HTTPS throughout you will need to use a Firefox plugin or Proxomitron (configured to filter HTTPS) to stop this (see the Dangers of HTTPS thread for more info).

 

Not So! Firefox has a "Master Password" option you can use to encrypt all your passwords. For a session you just enter the password once and it fills in all the form data. Sounds like it has *exactly* what you want.

 

Raymondp,

We always get this. It is safe to pay by credit card. We are blinded from the transactions. We do not know 1) Who owns what account, 2) We do not see the payment data.

Essentially it works like this:
1. You create an account. The account creates a bill #.
2. You pay the bill # via credit card to a third party.
3. As soon as you pay the bill #, the bill # is destroyed from the account and it is set as active.
4. We only see that the account was activated, not who paid for it or what the bill# was.

 

Geez! I thought the master password was a "single" password to use on every website, not a password who is actually protecting all the others! I am ashamed!

If works this way, we don't need KeePass or even Roboform to provide security!

Anyway, I just found out a tool who promises to break this master password by using brute force. More info here:

http://www.securityxploded.com/firemaster.php

It will take about 18 hours to break the master password by using the following path, according to him:

FireMaster.exe -b -n 12 -a "abcdefghijklmnopqrstuvwxyz" C:\directory where the file key3.db from Firefox is located

My computer it's quite fast, even for today standards. I know my password uses 12 chars, but between the letters, there's a space. I know FireMaster will not break the password, if this space means something.

But will be a worthless attempt if this password can be decrypted in the next 24 hours using a single computer like mine. Assuming most people uses minor (and not capital) letters, the chances of this command line breaks a password is very high.

After 2 hours running, here's a statistic which is being showed after each 5 seconds on the DOS Prompt from FireMaster:

Completed password count: 492mi.000.000, still remaining: 99q.246tr.114bi.436mi.149th.456

Brutecrack speed: 90.142 cracks/sec

Each 5 seconds, the number of completed password count increases 1 million and the remaining decreases a million.

 

The password recovery speed stated by FireMaster (about 17 hours) was incorrect. I don't understand why this number was showed in the first place, but according to this URL:

http://www.lockdown.co.uk/?pg=combi&s=articles#classA

My computer should take nothing less than 300 years to break a 12-lower case password. On the best chances, it will take 3 years (typical for medium to large scale distributed computing, Supercomputers) or 30 years if you're using a Workstation, or multiple PC's working together. So, it's a perfect system, if there's no way to find the password using other means (assuming each program works the same way FireMaster does, while using brute force).

The only thing is bothering me is the fact that every time you have to make a new login, you have to enter your master password. I wish this was only required once after the browser is started, and the next time should be only after it's re-started.

Oops: Something is wrong with this program or with Lockdown's statistics. I run FireMaster again and the information was now corrected (I guess I didn't look very well at first time):

Breaking: 100.000 cracks/sec

Should take: 11486818,5 days = 31.470 years.

I am not using Pentium 100 MHz to break this one. My PC has a few years old. And works at this speed: 100.000 cracks/second.

Lockdown says:

A. 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100

B. 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100

C. 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100

D. 10,000,000 Passwords/sec
Fast PC, Dual Processor PC.

E. 100,000,000 Passwords/sec
Workstation, or multiple PC's working together.

F. 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.