Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Actually, there IS. We will shortly be offering a new service in our lineup where you can upgrade to get your own personal entry node into the XeroBank network, and the IP and server you are accessing are not leased under a XeroBank name. Interestingly, I suppose we could deploy a VPN that uses packet steganography, or even better, because we control the entry node you're talking to, simply data steganography. It may appear you are sending and receiving images or data files when in reality the files are filled with ciphered packets. That may be a fast(er) form of steg instead of trying to have a 2kbps covert channel (ugh).
     
    Last edited: Nov 15, 2007
  2. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    True. However, my intended purpose was not to make a point, but rather to pose a question: are there any solutions to reduce the potential loss of relative invisibility that increased anonymity might provoke? Is this something Xerobank has given thought to, or perhaps even addressed?

    True(ish). But you might be able to "blend in" and achieve some relative invisibility in the sense of avoiding the spotlight.

    I am familiar with these cases (there is more than one) as they are quite "close to home". This targeted harassment of privacy solutions is partly what prompted my concerns about the need for obscurity as well as anonymity.

    As a side note, in Germany "criminal cases" are used by the media industry as a way to secure private data. A "criminal case" is filed as a joint complaint with a cooperative public prosecutor as a means to getting an exhaustive search warrant. When the "criminal case" is later withdrawn as baseless, the private plaintiff may still use the secured data in a civil claim although this claim would not have sufficed for a warrant to secure this data...

    Cheers
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You can hook up xb machine to your plus account without any problem at all. All you do is feed it your transaction ID and it will configure everything for you automatically!

    Adamant strength against leakage. You wouldn't believe how much engineering went into this double firewalled segregated hardened OS. :) There is no other that can match the security.

    This is no problem for xB Machine.

    We don't care about steroid users. Criminals, as far as XeroBank is concerned, are those who violate the UN's Declaration of Human Rights. All else doesn't begin to matter unless we have a few valid court orders. Steroid users wouldn't be a blip on the radar, that is a personal choice that harms nobody but the potential user. Now if they are fake steroids and you're doing fraud, we'll be more interested in hunting you.
     
  4. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Interesting and promising. Great that you are recognising the potential need/demand for this.

    I am surprised that ANY IPs and servers are leased under a Xerobank name though. I figured you might employ some organisational and legal "onion routing" with each server leased by a different SPE (Special Purpose Entity) in a different jurisdiction and administrated by separate Service Providing Entities, under a legally loose umbrella of Xerobank. Using service agreements that legally remove any administrative access to the leased servers from the leasing vehicles to various service providers would render any court orders on the leasing vehicles ineffective. Still, from what I have read in your previous posts, your setup makes the event of a coordinated set of effective court orders virtually impossible anyway, so this is more a theoretical exercise and no relevant concern.

    Keep up the good work. As far as I can tell, you are WAY ahead of anyone else and I wish you well deserved commercial success.

    Cheers
     
  5. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Hmm. Guess it's time to take a closer look at this. Does this mean that the VPN function is sandwiched in a DMZ between two FW's? Can you reveal more about the setup?

    Cheers
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    A Reality Check

    We talk about some really high-tech stuff in here, and of course there are many real and perceived foes we are protecting against. There are two distinct bogeymen as surveillance-adversary. The first is the all-seeing all-knowing highly-motivated agency that is coordinated, massively intelligent, infinitely resourceful, with surgical precision and unlimited attention to divide. Jason Bourne lives in this world. The second is the media pandering, buzz-word aware, politically-motivated agency that is inefficient, blundering, overtasked, with ham-fisted action and the attention-span of a goldfish. Commandant Lassard lives in this world.

    Both of these are opposing ideas, yet we are conditioned to a Jekyll/Hyde mentality of trying to reconcile these two that we come across in the everyday news. Most of the time we avoid it, because it causes the uncomfortable effect of cognitive dissonance. The paranoids favoring the former, the skeptics the latter.

    So when we talk about some technology like covert data channels and packet steganography, we're choosing to believe in Jason Bourne's world where we are being monitored and hunted by such an adversary. When we talk about how shockingly oafish some other org is, we're choosing Commandant Lassard.

    Now these could both be true without being irreconcilable. The natural order is the more elite the unit, the more sophisticated. ex: Deputy Barney can't find the internet, SS/FBI Special Agent can't find your encrypted partition, CIA/DOD agents can't find your hash collision, NSA/MI6 can't find anything they can't find. Inevitably, as you move up the ladder, you transition up the chain a little bit more.

    Now just because I don't think some agency is out to get me doesn't mean I'm using a 1024 bit key instead of a 4096 bit key. At the end of the day, I'm not worried because when you get to the highest levels where non-colluding compromise could occur in theory, the game becomes one super-power versus another, which mostly puts us off the radar and back into safer territory. When everything is said and done, they have bigger fish to fry than trying to crack my network to see who is doing what. Especially considering the legitimate resources it would take.
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Sure: https://xerobank.com/images/xBVM_diagram.png

    The applications and user data are separated across different partitions. One cannot write to the other, so no sneaky bugs can get in. The user partition is encrypted automatically. When an application tries to get internet access, it has to ask permission from the firewall. The firewall then has to ask permission from the xB Machine Virtual NIC, which then has to talk to the VM NIC, which finally then talks to your physical NIC. Nothing gets out without permission, and the programs can't be tricked into giving out info because 1) they don't have it, and 2) They can't be bugged to ask for it even if they did have it.
     
  8. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Re: A Reality Check

    Completely agree from a static look at the present situation.

    The potential problem looking ahead is that there are no longer any real checks, balances or disincentives to expand the current legitimate resources. On the contrary, there are huge financial and corporate incentives to massively expand these resources. The only obstacle to such an expansion was the fundamental individual right to privacy. The same Industry Lobbies (mainly Media and Defense) that have so effectively managed to persuade our politicians to compromise these once constitutionally protected rights are now pushing their political puppets (muppets) to hand out enormous public contracts for surveillance systems and services. A piece of cake compared to driving through the effective demotion of the constitution. How much easier to award funding for the noble cause of cyberfighting "Terrorism" and child molesters than to justify expenditure for weapons systems and military aggression on foreign soil (and, believe me, the defense industry has caught on). Thus we are in for an exponential expansion of the "legitimate resources", who will in turn seek justification for their existence by casting an ever larger net over a population that no longer has any real constitutional protection against its own government.

    There are clearly many more Commandant Lassards than Jason Bournes out there, but we will see an increase in the employment of civilian subcontractors with real skills. Current EU directives basically open the way for not only private interests working alongside law enforcement agencies as is common current practice, but even for what effectively amounts to these private interests acting as an unsupervised police force in their own right. Another element driving exponential growth of surveillance resources.

    Whereas the extreme leading edge may include some pretty high tech proprietary solutions and gadgetry, there is enough highly sophisticated Open Source and commercial stuff around to make the future well funded and privately advised Commandant Lassard a real force to be reckoned with.

    And don't forget the IRS, for whom the "War on Terror" has created a wonderful legal and technical infrastructure...

    Therefore "The bigger fish" or "Privacy through obscurity" might be a moving, even plummeting target.

    So, I hope XeroBank will continue to develop and lead the way for services that offer some integrity protection in this possible and dark future.

    Cheers
     
  9. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Good stuff. Nothing like a bit of brain.exe and RTFM before asking :cool:

    A few questions that I hope haven't already been answered:

    1. xB Machine appears to be an early beta. Does it have any particular known stability and/or security issues at present? Is there a roadmap?

    2. I am currently playing around with a dedicated hardware Linux firewall for the home network, looking at Untangle, Endian, IPCop, Smoothwall, Trustix, et al. The target is a dual firewall on separate virtual machines with VPN functions in between, hence my earlier question re the dual firewalls on xB Machine. On reading through your website, I noticed that the Premium Service has the option to include a preconfigured hardware firewall. Assuming this is Linux based, is there any chance for a home/Pro user to get the package to set up on his own dedicated hardware? Can you, if applicable, elaborate on what software, if any, the firewall is based?

    3. Do I understand/assume correctly that xB VPN differs from OpenVPN only in being portable and pre-configured, or is there more to it?

    4. On the credit card payment option, it is stated that:
    This is not exactly ideal from an anonymity perspective. Personally, I would not want my credit card statements to show that I am subscribing to an anonymity service. An option to user define and/or pick from a list would imho be desirable.

    5. The password rules seem rather restrictive. Clearly, it is still possible to pick a strong password, and either way, you most certainly have protection mechanisms against brute force attacks. Still, just out of curiosity, is there a particular reason?

    Cheers
     
  10. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Difficult and dangerous balancing act to subjectively and sovereignly judge such matters, right? In real democracies (remember them?) this was a core issue resolved through a complex system of fundamental rights (remember them?), legislation, courts, etc.... ;)

    Don't get me wrong. I believe we subscribe to very similar ethical and moral values, and I would personally feel much more comfortable with you making such decisions than any government or court I have ever encountered. Furthermore, as a user of the service, it would be in my own interest that the service was not abused by any user and thus possibly compromised for all. Just pointing out an intellectual, and given the context somewhat paradoxical dilemma.

    Still, worth pondering. Perhaps some form of independent advisory body, consisting of men and women of true and demonstrated moral fibre?

    Cheers
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Stability problems? No. Compatibility problems? Yes. QEMU isn't yet playing very well on all machines but we've written an update (not pushed yet) that should get that fixed. There is a roadmap. It was released to the or-talk group and is publicly available in the archive.

    I don't have that information in front of me.

    Yes, there is more to it. First off, we've changed some of the actions of the OpenVPN GUI. For example, in our new build it does an auto-reconnect after 3 trackbacks, which typically indicates a stalled connection. It also implements a better set of icons for notification, and activates the usage of the prior-unused "reconnecting" icon. Additionally, our version is compatible with Windows Vista and will shortly be compatible with Windows Vista 64.

    Live with it, or pay by some other method. Too many people will look at their bill and not remember what the service is and start issuing chargebacks.

    In the early stages we wanted to avoid form breakouts, so that kept us from implementing special characters. Additionally, we are moving our password system to a new mechanism. The new parameters will be minimum 32 bits of entropy, 7 characters, which is revolutionary, actually. The rest should be fine, up to perhaps a 256 character size password (max hash). I really would like to implement a libcrack password check function, but doing that asynchronously would be too slow and too processor intensive I think.
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I agree it is sticky. Consider that the UNDHR is our law book, and XeroBank is the judge. Independent advisory board? Maybe. We have such a board already. I'll give it some thought.
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    You've got to be kidding me! 50 a month? What are they for? How many xerobank customers are there? I am a little shocked.
     
  14. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    Right... the terrorists are off the grid...

    Privacy is gone out the window in much of the world. I am speaking of private communications between people. Nothing nefarious implied. But certainly people have a right to surf without being under scrutiny. 1984 has arrived. Everyone speaks of PGP and other encryption methods and wonders if and when it will be cracked. The simplest method is the Dianna one-time pad. It is an old method of sending coded messages and it is still unbreakable. Sometimes the best tricks are the old tricks. A text string to a usenet test group. It is useless to anyone but the person with the one-time pad key for that day.

    As far as internet traffic... I think it is all being filtered... the key is not to call attention to yourself.
     
  15. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    Found it! The planned LiveCD is a good idea. Do you see this as "live" in the sense of being able to boot up a VMachine on a host without any preinstalled player or as bootable from scratch (like Knoppix), or both?

    If you ever feel like digging up and sharing some details, it would be very appreciated. A separate hardware FW with VPN functions can make sense for a lot of private users and the required hardware is cheap (old/cheap PC).

    I see your point, and might even decide to live with it. Still, a default "ZeroBank" entry with a "fool proof" option to type in something else might be a simple solution that caters to the absent minded as well as the paranoid.

    Cool.

    Cheers
     
  16. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    It is certainly prudent to assume quite extensive monitoring. At the very least your ISP has detailed logs of your DNS lookups, connections, etc. At the very worst, Data Retention, all your traffic could be stored for retroactive analysis.

    Sorry, but I have to rant.

    Conceptually, there is no difference between blanket Data Retention and the monitoring and storing of everything we say, do, write and think. It is purely a matter of technology, not of principle. Until last week (Germany) surveillance used to require 1.) probable cause, 2.) evidence of this cause and 3.) scrutiny of the claim by 4.) an independent judge/court. Not anymore. We are no longer citizens served and represented by a government subjected to our scrutiny, we are potential enemies of the State...

    A whole catalogue of constitutional rights and fundamental principles of democracy that had survived since the 18th century have thus been discarded.

    But, not to worry, we can trust our governments with all this information. After all, they represent and care for us. It's all for our own good.

    No way they will ever fumble and allow our data to be accessed by third parties...

    No way they will ever be influenced by powerful lobbies and campaign contributions...

    No way that the government will ever change and be replaced by a totalitarian regime that might use the vast mountains of retained information to exterminate potential dissidents and troublemakers. Never! As history shows, governments are always good and last in perpetuity...

    Hitler, Lenin, Stalin, Franco, Mussolini, Ceausescu, Tito, Honecker, Milosevic, Saddam, Amin, Castro, McCarthy... could NEVER happen again!

    Right
     
  17. thorDK

    thorDK Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    10
    Hey!

    Just tried your xBmachine, wow, what a perfect tool! I'm very impressed, thank you for all the hard work and the fair price, he he. You probably couldn't make it any easier to use.

    Does this mean I can install plugins and add-ons as I wish with the Firefox? I know there is an FTP plugin somewhere, since I couldn't find any FTP program in there. Maybe I can just go ahead and install programs as I wish as well? Or would the configurations be messy for a total Linux newbie?

    Can I access working files from my windows drive? I tried but... ehmm.

    Sorry for all Q's I did look for more info\FAQ but I couldn't find it, if I missed it just point me in the right direction.

    Ok, so far so good, and the dealers, as in the famous hushmail case? Dealers and web-shop owners should rather use Tor instead?

    Thank you once again for the wonderful xBmachine, I love it...

    Thor
     
  18. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Caspian, my apologies, I misspoke. Sorry it took so long to reply.

    Let me quote directly from Steve's blog:

    "I am pleased to be able to release the following information. In the last 6 years, none of our anonymity network management's clients have been arrested or killed despite hundreds of investigations and inquiries. And probably, with documentation, in the last 12 months despite over 50 subpoenas, investigations, raids, etc. not a single client has been compromised."

    Stats are useless unless stated accurately. I didn't. My bad. No intent to misrepresent here.

    It's anonymity. All kinds of fools and saints will use that technology. It's gonna run the gamut of intentions, from bloggers in oppressed countries, to corporate whistleblowers, to fraudsters and child pornographers. It should come as no surprise that all anonymity services and technologies would fall under some sort of scrutiny if they feel that these services are being utilized to conceal any type of criminal activity or behavior they deem as objectionable.

    B

     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'm working on an argument/exposition, you might be able to help. Interested? Contact me off list.

    Live as in booting to a tiny OS that runs VMWare/QEMU and will boot the pre-existing image. Maximum modularity.


    Yes, you can install any plugins, flash, java, ftp. Anything you like. It isn't going to leak.

    I would prefer if someone was going to do something illegal in their own country, they stay off xB. But if it is something guaranteed by the UNDHR, go right ahead regardless. Naturally I am not officially speaking on behalf of xB, these are just my personal opinions.
     
  20. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Steve,
    Sometimes I am surfing the web with XeroBank and suddenly the browser starts loading the Torcircuits again, even while the browser is still running. After that, it tries to open the browser again. If I close the browser while this is happening, it will open again (of course).

    But the message that appears before this, on this Torcircuit window, is what I don't understand: "URL Parts Error". It seems the traffic is somehow malformed (not sure this is the right term) and the connection is broken at that moment. This is not happening every time. It can happen today and next week, for example. But it's a new bug I never encountered before and one that should be fixed (if it's possible). :)
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks for explaining that, B. I guess I just had not really thought about it. But raids? Sheese! That sounds pretty intense.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Great news.

    We're pretty much done with 2.0.0.9a and there are some major long-awaited updates.

    - Preferences are now saved and respected, including password settings, cache, noscript, etc.!
    - Persistent correct network settings, so you can't mess up the browser and lose your anonymity! Simply shut the browser down and restart and the correct settings return.
    - Major code cleanup. Significantly more stable!
    - Removed Tor Button so you can't turn off anonymity.
    - Firefox loads in turbo mode!
    - Auto-Update for plugins and firefox is back!
    - Auto-Update notification for XeroBank Browser is fixed!
    - Checks for XeroBank Plus connection before opening browser, goodbye "Proxy Server Is Refusing Connections" (at least one reason why you get that error. Heh)
    - Built-in firewall checker

    Download 2.0.0.9a beta here
     
    Last edited: Nov 18, 2007
  23. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I am sorry, Steve, but that's not true. You're mistaken.

    You just removed the Tor button from our sight. XeroBank is still unsafe if you don't modify Firefox browser to not leak our true IP.

    If there's a way to do that, it is by setting xB/Firefox to never make direct connections to the internet. Only using the proxy settings.

    I tried to make the test from this thread and my true IP was leaked along with my Tor IP while using XB 2.0.0.9a.

    My Outpost firewall was, obviously, disabled for me to perform this test, and Noscript was enabled for the domain Hackers.org. Assuming you are allowing a trusted site and you don't even know they have such a bad script.

    De-anonymizing Tor and Detecting Proxies

    Like Paranoid2000 said before, the rules to prevent this from happening (and which should be applied to the Firefox.exe file) are:

    Browser Block Direct Web Access:
    Protocol TCP, Outbound, Remote Port HTTP, HTTPS, Block It

    HTTP = port 80
    HTTPS = port 443

    Unless both ports are completely blocked on Firefox.exe, your true IP will be leaked. I am talking about the free browser.

    Check this post for more details
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Jim,

    You turned off your security against javascript/flash/qt/etc when you turn off no-script. That isn't a surprise. Why would you add a bad site to your trusted list? You wouldn't. You're assuming to do something totally compromising first (turn off noscript protection), and then open up ports after the fact (which makes no difference). I'm not saying it is impossible for you to mess up your settings, but I am saying you can't mess them up between sessions... unless of course you whitelist some evil sites to run scripts on your machine. This is like saying it isn't anonymity, simply because you could write down your real IP and email it to someone.

    What you are talking about are firewall settings, this has nothing to do with a browser.

    Additionally, Windows Firewall is incapable of blocking outbound traffic. It can only stop unsolicited traffic. So we aren't just talking about *any* firewall, either.

    Steve
     
    Last edited: Nov 18, 2007
  25. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Steve,
    that's right, I am afraid most people here are too naive to understand the implications of letting Firefox (or at least an anonymous browser, it doesn't matter if it's Xerobank or not) making direct connections somehow. This is just insane, and completely dangerous in terms of privacy.

    We don't need to block this exact exploit, we need to prevent it from working. And your firewall is the only one doing this job.

    First of all, we can't turn off Java/Javascript/ActiveX/whatever (Flash is not included here, because it's not installed on xB at first and can be blocked entirely, then you will be able to use 99% of sites out there, at least those who are not using Flash in a ridiculous way (taking control of the entire page)).

    Since we don't know for sure how many sites are using that specific script (the script that reveals your true IP, and before you ask me, it doesn't do any harm to our computer, it's clean), we can't allow even one of them. Right? That's the problem. If we don't do that, we can't use the internet. Javascript functions can't be ignored sometimes!

    Most websites can't work without Javascript. And like Paranoid said, Noscript can't filter specific functions. Only the plugin section from your firewall is capable of turning off Java and leaving Javascript activated, for example.

    But that's not the point here! Please! Once again, I will try to explain this.

    That specific script: http://ha.ckers.org/weird/tor.cgi uses a piece of JavaScript to instantiate a Java socket call back to the origin site. In doing so it bypasses the proxy settings of the browser, allowing you to de-anonymize people using proxies. It works great for Tor or just about any HTTP proxy.

    It's a Java trick!!!!!!!! It's bypassing the proxy browser settings and removing our cloaking device!!!! And leaking our true IP, along with Tor IP, for them!!! If everyone starts using that code, every single one of xB users will be doomed!!!! (I am talking about the free browser).

    Why can't people take this matter seriously? There's no other example of leaking our true IP that I am aware of.

    So, let's fix this issue, no matter what it costs! We can't keep relying on firewalls to do the dirty work that should be done by anonymous browsers.

    Please, someone make an extension to not allow Firefox to make direct connections into these ports (80/443) and fix this breach of security!

    It is insane to ignore this problem, since anyone can break the anonymity of people behind Tor/free xB browser. Even trusted sites!

    If you don't use any firewall configured to limit your browser to connecting via the proxy application or IP address only, by setting these rules to Firefox.exe, you're not safe!

    I can't speak for others. If people out there think it's best to have a false sense of security, fine. It's not my loss.
     
    Last edited: Nov 18, 2007
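
Added example, not part of any post in this thread: a small audit that applies the per-application firewall rule quoted above (block the browser's outbound TCP to remote ports 80 and 443) and the stricter "proxy only" rule from the last post to a connection log, and lists what the first rule leaves uncovered. The log format, the proxy address 127.0.0.1:8118 and every address in the sample are assumptions constructed for the example.

```python
import re
from typing import NamedTuple

BROWSER = "firefox.exe"       # image name the thread's rules are attached to
PROXY = ("127.0.0.1", 8118)   # assumed local proxy listener, not from the thread
WEB_PORTS = {80, 443}         # HTTP and HTTPS, as listed in the thread

# Constructed sample log in a made-up "process proto local -> remote" format.
# Remote addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = """\
firefox.exe TCP 127.0.0.1:49201 -> 127.0.0.1:8118
firefox.exe TCP 192.168.1.20:49210 -> 203.0.113.10:80
firefox.exe TCP 192.168.1.20:49211 -> 198.51.100.7:443
firefox.exe TCP 192.168.1.20:49212 -> 192.0.2.55:8080
firefox.exe UDP 192.168.1.20:53111 -> 192.0.2.1:53
svchost.exe TCP 192.168.1.20:49300 -> 203.0.113.10:443
"""


class Conn(NamedTuple):
    process: str
    proto: str
    remote_ip: str
    remote_port: int


LINE_RE = re.compile(
    r"^(\S+)\s+(TCP|UDP)\s+\S+\s+->\s+(\d+(?:\.\d+){3}):(\d+)$"
)


def parse(log):
    """Turn log text into Conn records, skipping lines that do not match."""
    conns = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(
                Conn(m.group(1).lower(), m.group(2), m.group(3), int(m.group(4)))
            )
    return conns


def port_rule(conn):
    """Rule quoted in the thread: block the browser's outbound TCP to 80/443."""
    if (conn.process == BROWSER and conn.proto == "TCP"
            and conn.remote_port in WEB_PORTS):
        return "block"
    return "allow"


def proxy_only_rule(conn):
    """Stricter variant: the browser may reach the local proxy and nothing else."""
    if conn.process != BROWSER:
        return "allow"  # rules are per application; other programs are out of scope
    if conn.proto == "TCP" and (conn.remote_ip, conn.remote_port) == PROXY:
        return "allow"
    return "block"


def direct_web(conns):
    """Browser connections that went straight to a web port, bypassing the proxy."""
    return [c for c in conns if port_rule(c) == "block"]


def uncovered_by_port_rule(conns):
    """Browser traffic the 80/443 rule permits but a proxy-only rule would stop."""
    return [c for c in conns
            if port_rule(c) == "allow" and proxy_only_rule(c) == "block"]


if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    for c in conns:
        print(f"{c.process:12} {c.proto} {c.remote_ip}:{c.remote_port:<5} "
              f"port-rule={port_rule(c):5} proxy-only={proxy_only_rule(c)}")
    print("not covered by the 80/443 rule:",
          [(c.proto, c.remote_port) for c in uncovered_by_port_rule(conns)])
```

On the sample, the 80/443 rule stops the two direct web connections but permits the browser's direct UDP lookup on port 53 and its TCP connection to port 8080; the proxy-only rule blocks all four.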