Anyone tried XeroBank (formerly Torrify)

Steve,

Had a quick peek at your FAQ and I'd like to suggest the following additions:

Can other browsers (e.g. Opera, Safari, Konqueror) be used instead of XBBrowser?

(looking at the FAQ it seems that users would have to get XeroBank Pro or better to be able to choose another browser)

How many servers/relays are used to anonymise traffic? Does this number vary between different products and can users change it?

(Tor uses 3 relays - a previous post by yourself suggested that XeroBank used one less. The VPN product by virtue of its name - VPNs using just one server - suggests one relay only. Allowing users to increase performance by selecting fewer relays or anonymity by selecting more would be a useful option).

How can payment be made without a credit card?

(although the FAQ mentions acceptance of cash and IMOs, no instructions are given on how to actually make payment with these - e.g. what address to mail to, what information to include to ensure that they get credited to the right account).

 

I am signed up for a year of the premium service. I can't seem to get thunderbird to send email after I have followed your guides on the site. I set up an alias, configured thunderbird as per instructions, but when I try to send an email I enter in my password and it keeps refusing it. Do I have to add an smtp server in my profile? Or just use the smarthost?

I have filed support tickets trying to resolve this issue, but I haven't had any luck in getting a response. Is there something that I am doing wrong? I can connect to gmail just fine, so it's not like my campus is blocking SMTP connections... I paid a lot for this and should get some help in a reasonable time frame... Any help is appreciated.

 

I've signed up for a 3 month premium account but the tech support option has never worked and after contacting sales numerous times the issue is still not resolved. Seems like I just wasted $90 since until my technical issues are fixed I cannot trust the service.

 

You may try to contact Steve on his personal email:

arrakistor
@
gmail.com

I'm sure he will answer any complaints...

 

Whew. Just got a ton of work done. Had a DDoS against our support system so I wasn't able to see some of the tickets. Blocked the DDoSers.

Paranoid,

That whole document is getting a rewrite. It's about to be irrelevant with the new features we are adding, including the specific issues you mention. Regarding VPN, they are 2 hops through xerobank between you and the internet.

SirRollsAlot,

You do have to add an SMTP server to your profile. Email me offlist at arrakistor at gmail dot com and if you're having trouble I'll manually add it to your account.

Seag33k,

Sorry you're having trouble! Definitely contact me if your support tickets aren't showing up. I'm always happy to help. My email address is right above this sentence.


Guys, you wouldn't believe what is going on. SO much to look forward to.

 

An easy-to-use and currently functional anonymous P2P network?

 

Ok I sent an email Steve! Thanks for looking into it. Now I'm kinda glad I paid for a whole year lol!

 

Xerobank from Saudi

I was having problems with connect to TOR from Saudi, and i did a search and found that it had to do with the directory info, and that i had to do it manually. (http://archives.seul.org/or/talk/Sep-2007/msg00015.html)

It worked when i followed the instructions for Tor + Firefox, but i cant get it to work with Xerobank. Any suggestions?

 

I've purchased the xerobank plus option and downloaded the browser from my user panel but when I extract and run it I get the proxy is refusing connections message, looking at netstat I am connected to the xerobank server. I'm just wondering have I set it up right as that is all I did with the trial which worked or is there something else which needs to be done with the paid option?

Edit: The email doesn't connect either.

 

Re: Xerobank from Saudi

I was unaware that the xerobank browser needed any configuring. But you might want to consider trying xerobank Pro. It is awesome. I am visiting my parents right now and running it on my father's computer. I have it on a USB stick. The Pro account covers everything on the computer. But there is also the Plus account for the browser only. The plus account is fast too. Way faster than tor. And from all that I understand, the Plus and Pro accounts are more secure than tor as well. Have you tried a 3 day demo "Plus" account?

 

Diggi;

Have you successfully configured and connected with your XB Plus account yet?

Are you still in ned of assistsance?

B

 

caspian, have you tried to anonymize P2P softwares as well?

I think many users will ask the same question about Emule and other P2P clients. In my opinion Emule is the best, I don't use others.

How's the speed when you tried to download any files? Since you're saying XB Pro/Plus covers anything, english users who have their privacy violated by companies like RIAA are going to use specially for this (and most of all, because Tor was not designed to this purpose).

About this subject, check out this thread.

 

First, it is only a Pro account that covers everything. The Plus account just gives you the browser. But it is a lot faster and better than tor.

I haven't really used much in the way of P2P software. I tried Hello a while back and you could share photosets and chat while you watch pictures come through. I have shared mostly with rapidshare in groups.

But with a xerobank pro account, all of these programs already anonymized by default. So why do anything extra? The way I understood it, my entire system was covered.......better than with tor. But of course I keep cookies cleaned off all the time.

I have a 10M connection without xerobank. It is a good bit slower when I am connected to xerobank. But it is WAAAYYYY faster than tor. Tor is more of a toy for me to click on and play around with, or occasionally if I want to post to a group and not show my usual xerobank IP, I use tor. But I guess I should learn how to anonymize some of these programs just so I'll know.

 

Re: Xerobank from Saudi

Anyone have any clue?

 

Re: Xerobank from Saudi

On what grounds have you made this judgement? Given that XB Pro uses 2 relays (noted by Steve above) compared to Tor's 3 and that a non-anonymous method of payment (like credit cards) can be traced to an individual more easily than multiple encrypted connections, I would argue the opposite - though the difference is likely small enough not to matter for the vast majority of users.

Speed is certainly a different issue but Tor relies on volunteers donating bandwidth and this has the twin downsides that (a) most users can't donate much (upstream bandwidth is the key restriction, most broadband accounts offer far lower upstream rates) and (b) most people prefer to take rather than share, so you have hundreds of thousands using the bandwidth offered by (at the last count) a little over 2,300 nodes.

 

Still no luck. I think now the problem is related to one I had earlier with actually downloading the software, I posted a support ticket for that and although it still shows open the problem went away and it would let me download the xerobank browser anyway I'll put in another support ticket and see what happens.

Here's screenshots the first showing that the browser is actually connected to xerobanks server and the second showing the proxy refused message.

http://pHosted.com/0711/31.JPG

http://pHosted.com/0711/52.JPG

 

Greetings again.

The issue with the browser is that, IMHO, the connection (XeroBankPlus.exe) is not getting a successful connection, or the connection opens before a "+++CONNECTED+++" is returned. the xB Browser is currently not checking for that. No big deal right? Maybe. Hit "Refresh" a couple times and see if that fixes the problem. If not, we'll need to run it in debug mode.

You know what? Perhaps I should have two browser versions. One that is debug and the other that isn't, instead of a bunch of crazy configuration options. Thoughts?

Another thing, I think I'll make 2.0.0.9a look for "+++CONNECTED+++" before opening the browser window, or at least trying to push some inetc through the proxy to pump-prime the well.

Of course, when the XeroBank 2.0 is ready, it won't matter at all anymore!

Steve

 

Re: Xerobank from Saudi

Tor has to have three because none of the parties are trusted. Any of them could be logging or colluding, thus you need three. If the party you are connected to is trusted (ie, a single entity) then you don't need three hops because you know they aren't logging/colluding since it is explicit.

We are blinded from knowing who owns what account. I'm not sure it is even possible to figure it out without disabling every account in the system. I'll run that through the whitepaper we're putting out. For the true paranoids, you can pay us by gold or money order or cash etc. So, the extra layer is there if you want it, but 99.5% of users don't exercise that option.

Steve

 

Re: Xerobank from Saudi

It's a classic arguement. I'm not sure there is a right and wrong here. It's a matter of comfort level. I understand your points fully and respect them.

But I don't agree.

What's good and bad about Tor is that anyone can be a Tor node. And ultimately "Anyone" probably IS a Tor node. Malicious forces, governement agencies and entities, intelligence gathering networks. They set up Tor exit nodes all the time.

It's a given that malicious entities in all likelihhod probably DO operate Tor exit nodes. And that is bound to make one uncomfortable. The content of your traffic is in the clear and can be snooped and read. The counter to that, is with Tor, while your traffic "can" be read, the exit node operator can only be aware that it came from a middleman, and has no idea where the traffic orginated. Nonetheless, it can be read as it is in the clear.

So a Tor entry node, from what I understand IS aware of where the traffic came from. However it only knows it is going to a middleman hop.

Tor relies on trust from three nodes.

XB relies on two. An entry node, and an exit node. And if they are trustworthy your risk vector is significantly smaller than with the Tor network. With a controlled network such as XB there cannot be any possibility of collusion.

With XB Pro, one's traffic travels over a Virtual Private Network which is encrypted all the way through.


The speed issue is a no-brainer. XB is hands down consistently much faster than the Tor network which is a huge plus.

I have great respect for Tor.

My feelings are XB offers much greater advantages in the long run, than Tor.

Just my $.02 worth.

B

 

Refreshing over and over didn't solve the problem so I ran in debug like you suggested and I think this bit is the problem:

Reading private key file "F:\Data\XeroBank\XeroBank.key"
Offered public key
Server refused our key
Server refused public key

So what next

 

Steve,
why did you remove the Flush Tor Circuit button from the free xB browser? This option is still available via menu, but the button itself was not there anymore. I know it's logical to remove this button since all paid versions fro xB don't rely on Tor. However, we are talking about the free browser.

caspian was explaining about the Pro version and according to him (and your site), this service covers the entire machine. What's that supposed to mean? Sorry if it's a newbie question.

Some people might believe xB is an Internet Service Provider. But according to you, it's something else (please elabore if it's possible). Unfortunatelly xB is not an ISP, I am sure most people will choose this kind of service instead of others, if they have the chance. I mean, I wish you were an ISP from my country.

Assuming xB is only "donating" his bandwith with a better connection to people who are willing to pay the price, how could you provide a secure and safe way to connect all devices on our computers, if you're not a provider?

I don't know if you saw this thread:
https://www.wilderssecurity.com/showthread.php?t=190073

Pay very attention to what was explained there. My firewall was the only responsible for not revealing my true IP while I was using xB browser and making that specific test allowing Javascript.

I know what someone might say (turn off Java! turn off cookies!). Well, we can't turn off cookies. We might well accept them (and they can be erased after FF/xB Browser is closed).

What we can't do is decide to turn off Javascript because if we do that, we can't surf on most of sites out there. Assuming that people are paying for a service they need to be sure that will not happen any undesirable leakage while using normal softwares. Even P2P softwares (a good target these days) can be included on my question.

 

Re: Xerobank from Saudi

Paranoid, I am sadly lacking in knowledge so maybe I should clarify. I am a musician and I love art and music videos and all of that stuff. If I had to choose between anonymity with a dull, flat internet experience, and no anonymity with lots of sparkly, colorful fun stuff, I would choose the latter. From all that I have heard so far, I cannot watch videos and enjoy all of the artsy fun stuff that I like with tor because I have to block that capability to be secure. Now unless I have misunderstood something, I do not have to worry about any of that with xerobank pro. So if I am correct, and I am hoping that I am, ......I can actually have my cake and eat it too. I guess what I should have said is that for a person who needs all of the art and video stuff, xerobank is more secure.

 

XB and Tor

Which is why Tor can claim an advantage in terms of security - you don't need to trust the relays. Any setup that assumes an element of trust has to be less secure.

I did word my post fairly carefully on account of your previous statements here. While it is reasonable to accept that XB cannot identify CC holders (and I'm sure the details you supply on the likelihood of this will be useful), any payment system that can be linked to an individual is going to be a weakness compared to a free service.

I'd agree (and have stated) that the differences are unlikely to be significant for most users, but any objective comparison between XB and Tor needs to consider such points.

I'd agree - and that is why when someone posts asking what anonymity service to use, I always ask them to consider from whom they wish to protect themselves. In the case of their ISP or anyone with local network access, any encrypted service (including basic VPN) should suffice. For repressive regimes or commercial trackers (Google Analytics, WebTrendsLive, Nielsen NetRatings, etc) most anonymizer services should do. For the TLA body of your choice with undisclosed powers to compel information disclosure from network providers, then Tor is really the best choice.

Agreed - but the strength of Tor as mentioned above, is that you don't need to trust the nodes. There is no way for a node to pick up more than a fraction of the traffic, no way to target an individual person, no (known) way to crack the encryption used and no way to identify a person unless their traffic contains personally identifiable data (and this applies to any anonymizer, XB included).

Now I'd agree based on the information that Steve has supplied, that XB is almost surely the most secure commercial anonymity service which should suffice for all but the most paranoid. However from a pure security perspective, Tor still has the edge.

Just to clarify matters, that site uses a Java applet to reveal the real address, not Javascript. Javascript has to be allowed for a Java applet to run, but if you are filtering Java (or have not installed it), then you would not be affected even with Javascript allowed. I have yet to encounter a single case of Javascript alone being able to reveal an IP address and I don't think it is likely to happen, without the language being extended specifically to "address" this, gnark gnark!

You can disable Javascript by default and only allow it for sites you trust (I manage with this). I don't think it is possible, let alone practical, to filter out Javascript to look for "hostile" code simply because of Javascript's flexibility - there are too many ways to obfuscate or encrypt it.

 

Re: Xerobank from Saudi

The important thing, is to decide your own comfort level. Not everyone is interested in the extra work needed for iron-clad anonymity so being able to decide what your priorities are is the key thing. Security can certainly become an obsession - there are more than a couple of cases of that elsewhere in this forum.

Let's put things in perspective:

• The tactics discussed to "break" anonymity using Flash or Java are really more curiosities at this stage. They are not in anything like widespread use and any mainstream site that tried to employ them would be "outed" fairly quickly with a good risk of public backlash.
• Even if successfully used, your real IP address would not reveal your individual identity unless your ISP was prepared to divulge it to the website (you may wish to check with your ISP as to their policy on passing on such information). The main benefit of anonymity services like Tor or XB is that they conceal your activities from your ISP or anyone with access to your local network (e.g. a nosy neighbour on a wireless or cable connection) and that they frustrate data collection from "commercial trackers" and advertisers (as long as you block third party cookies).

In terms of "vulnerability", Tor and XB are on the same level here as both are subject to these tactics and both can be tightened using one or both of the following options:

• Blocking ActiveX, Java and Flash by default - either in browser settings or via a filter - and allowing them only for sites you trust. As mentioned above, it seems unlikely that a mainstream site would risk a possible public backlash by using such methods, so this option on its own should suffice. It does make good security sense to block/filter these elements (and Javascript too) by default anyway, since one technique being increasingly used by malware writers, is to attack and modify existing websites to include a hidden link to their own sites triggering some type of malware payload. Blocking by default will protect you even if a site you trust is compromised in this way.
• Use your firewall to limit your browser to Tor/XB access only - this has the advantage of covering any possible exploits found in future, either via abuse of other webpage elements or via any browser vulnerabilities. This also is a "once off" task in that when you have set up the firewall rules needed, you should rarely need to update them (assuming you keep a copy of your firewall configuration for any upgrades or reinstalls). However if the XB browser intergrates the Tor client, then this may become rather tricky since all you can do then is limit it to "known" XB entry nodes - however Jim Verard seems to have done it so maybe he could clarify things.

 

Re: XB and Tor

That's exactly what you're doing when you set a domain to be added to the Noscript whitelist. And assuming that most people (myself included) don't have too much idea how to filter those evil codes, we are not safe by only using a single browser without a firewall who might prevent direct connections like you explained on the other thread. And that's why I was asking if xB was acting like one ISP or something similar.

From what I heard on this link, the Javascript method no longer works, it returns only "localhost" or 127.0.0.1 (internal IP) instead of your true IP. See for yourself:

Test:
http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf16

Another code:

http://stud1.tuwien.ac.at/~e9125168/javas/jhostip.html

That's not the issue here. Most sites can work very well without being allowed on the whitelist (and that way, they can't break your anonymity using any techniques). Wilders Security for example, is not on my Noscript whitelist and I can use everything here.

My point is, most of websites also requires Javascript/Java/whatever enabled in order to be used. I wish it wasn't that way, but it's impossible. Just like cookies. You can't decide to block all of them and expect to keep using most of services.

You may be able to disable Flash plugin, however, a large number of pages can't work without Java engines. So, in this case, you don't have a choice. You either choose to enable these functions, or you can't even use the whole website.

Flash plugin is required for Youtube, for example, but you are able to download all the contents from that site and run on your own computer (FLV files).

But if you're trying to make a new register on some website who might be using a Flash image to validate the form, you can't make the register unless you have Flash plugin installed. I choose to not install this plugin here and I can live without him. I can't say the same thing about JS.

The only way to filter that code:

http://ha.ckers.org/weird/tor.cgi

Was using a firewall and following your rule to avoid direct connections who are actually bypassing all proxy rules from the browser.

I never see any of these tatics to "break anonymity" working, until now!

So I am not going to discard the possibility of that tactic spread all over the world and used by "trusted" sites to break anonymity of people behind Tor. Two quotations can fit this situation:

Everyone is prepared to reveal any informations if required from authorities. Any ISP will not hesitate to disclose personal informations on fishing expeditions, because they are not concerned about privacy and never swore to trully protect yours, because privacy is not their primary concern, it's something they just put on dead letters and never care about it (their only real policy is to keep logs and enhance surveillance practices and improve data retention). No one is concerned about this subject these days. That being said, I think everyone should be concerned if have been sold out, or would be, sooner or later.

Like I said before, someone might be using this method and most people don't even know it. Internet is a very large place. I am not checking every single page that I am visiting for strange codes who might be revealing to the owners my true IP. Assuming most of people don't respect anyone's privacy, and most of privacy policies are awful, the last thing you should think is that you're safe on this environment.

You're not.