Anyone tried XeroBank (formerly Torrify)

Well this is the issue. You can't escalate privileges or use functions that don't even exist for the administrator. There is no way to block outgoing ports, and that isn't done at the application layer, which is where xB Browser exists. That is done by the operating system, not a program. There is no xB Firewall (yet, haha).

But then again, there doesn't need to be. In 2008, it won't matter. Everyone will get XeroBank Pro and then these exploits will be completely nullified.

No, they won't. As long as they don't do something ridiculous like turning on scripts for websites they don't trust, we block Java and Javascript. There is a reason xB Browser blocked the hacker.org website you visited from running scripts. You want to turn off your security? I'm not going to stop you. But I guess I could. I could have a "super-noob" mode that just doesn't allow you to decide to trust any websites, they are all blocked.

Sure there are. You can do it with Java, Javascript, Flash, Adobe PDF, Adobe Flash, etc. The trick is to not let those scripts/plugins load. And you simply do that by NOT MESSING WITH THE NOSCRIPT SETTINGS. Notice how those tests and that website don't work if you don't modify the xB Browser settings you're given? It is a hint. Don't run them.

It isn't Firefox that is doing the breaching. The plugins are loaded as DLLs, which are essentially their own programs and don't have to listen to anyone else's settings, and you can't make them unless you plug the hole at the OS/Network level. Which xB Pro service does using xB VPN.

But you know, Jim, you do make a good point in your fervent refusal to listen to me: People just don't understand how software works, or the basics of security. Maybe there does need to be a super-noob default setting. We blocked plugins and javascript prior, but then used noscript to allow users to make the decision. Jim makes a strong case for refusing to let the user make decisions about their own security. Doesn't matter, he'll get to have his cake and eat it too when he installs xB VPN when we start giving out free 30-day trials.

 

Steve,
sorry, but again, you're missing the big picture.

You can't force all users to block "everything" which can threat their privacy (I will not mention the word security here, because if we are allowing scripts from unknown sites, we, alone, are taking the risk of having malicious codes executed). And even if that was the case, I am only talking about that specific code from hackers.org. Forget about others!!!!!!! Please.

Let's take the example of saving logins/passwords/cookies.

Speaking for myself, I don't think it's a good idea to erase logins/passwords after I close Firefox. My life will be very bad if I do that. Form informations are not essential. OK.

However, I never keep cookies stored here. Never! Not a single one.

Cookies are a threat to our privacy the same way that any exploit who might leak our true IP. However, if you decide to block all cookies or force users to erase them after the browser is closed, you're not giving them a choice.

A choice who is built on Firefox. Perhaps a second version of the xB browser could do that (removing the option to keep any cookies stored, and forcing all users to comply with this), not the only one available.

Speaking of passwords: We may very well use a master password (which is not working fine, because if you use her along with the Secure Login (auto-login feature), it will keep asking the master password dozens of times (each time you enter a different board/site). It should ask only once after you open the browser (before you start doing anything, even surfing on the web), and leave that way.

Don't you get it? What you are proposing here it's to lock all of us on a bunker and that way we can't be infected by any diseases.

Instead of preventing us from this particularly threat, you think it's best to remove our legitimate choice to allow scripts from being runned. Someone should develop a vacine to avoid the viruses from working in the first place. Because we all are going to be infected, anyway. Why keep fighting against this?

It doesn't matter if we are allowing scripts out there (or being infected by all kinds of viruses, the goods and bad ones). As long as the viruses are not functioning!!! We are immunized in the first place!!!

If you bother to check Firefox you will see that, even by removing Tor button from our sight, we may very well change the network settings (some malicious and not identified user can do that and you don't even know it) and make direct connections, not using the proxy settings.

Frankly, I don't know why is this so hard to understand.

People are not allowing scripts because they are ignorant.

They are doing that in order to use the internet.

I will say this again: most of websites out there needs Javascript/Java, and we don't have a choice. As a matter of fact, we have. We may not use them. It's that what you want?

Sure there are simple ways to verify if some site is trusted. But the bottom line is: we can't trust 100% anyone.

My point is, that Java specific trick can be used by any site, even by Wilders Security (which is not allowed here on my computer to run scripts, and can work very well without them). And I don't want to leak my true IP, by all means.

What I was proposing here was a browser entirely modified (and 100% sealed) to block any attempts to connect into both remote ports, 80/443 (HTTP/HTTPS), using TCP protocol.

I am sure there's a way to modify Firefox do behave this way. But hey, there are no browsers modified to perform only proxy connections.

LET ME PUT THIS ANOTHER WAY: AS LONG AS FIREFOX IS CAPABLE OF PERFORMING CONNECTIONS USING ANY OTHER SETTINGS THAN THE PROXY SETTINGS TO CONNECT INTO THE TOR NETWORK, HE IS NOT 100% ANONYMOUS.

Is that better?

This is not a matter of security or everything you might wanna call it.

It's a matter of recompile one software to behave this way. Don't even knowing how to perform direct connections (using other than proxy settings).

Because most of softwares out there were not developed to connect only into proxy settings. Therefore, they are not safe to browser anonymously. Again, I am talking about the free version, relying on Tor network.

This is not the same thing as leaking personal info while using cookies, passwords, etc. We are talking about IPs!!!!!

And xB/Firefox should never be allowed, under any circunstances, to make these direct connections. Forget about messing with all settings. It should be entirely sealed!!! Do you know what the word "sealed" means?

You keep talking that all plugins are doing this, but they are doing only because the browser is not preventing these connections.

The browser is responsible alone, not the plugins. They are only taking advantage from a breach of security found on the browser itself! A breach of security who is compromising anyone's privacy.

Each plugins/exploits are not running alone, and sending our IP themselves, like an external program. They are using the browser to do their dirty work. The browser is calling them. They are replying. The browser is sending that information back to the origin site. But hey, the browser was cheated to send that information back ignoring all proxy settings!

I rest my case. Sorry for keep repeating myself.

 

Hello

I'm trying to pimp up my xBmachine and have a few Q's:

1. Password for logging in as root.

2. Is there a simple way of reading files from my windows OS?

3. Is there a simple way to get the keyboard a bit more window, my special characters are all wrong.

Thank you!

 

Have there been any problems at xerobank lately? The last 3 days I keep getting kicked off of the internet. I have to disconnect the VPN and then reconnect to fix it. It has been a lot worse today.

 

Now there is a real problem. I was just surfing a few minutes ago and realized that I was not connected to the VPN. The VPN said that I was connected, but I was not. It was green and when I put my curser over it, it said connected to xerobank fast. But google showed everything in English so I checked my IP just to verify and I was not at all connected.

 

Jim, that code isn't specific to Hackers.org. Someone could host those scripts anywhere. So for the sake of argument, assume the whole internet has that script at every website.

We now allow you to change your cookie settings, no problem.

I'll check that out. Master Password is something we wanted to force people to use, and to enable password saving. But unfortunately, master password isn't yet something you can force. What we can do, it appears, is to encode everyone's xB Browser with a default master password, but then everyone wouldn't change it, and it would be a weak setup because the key.db would be the same for everyone. But this has nothing to do with what we're talking about.

I'm not forcing it to be that way. You can currently come out of the bunker to visit any site you *trust*... if you aren't trusting it, use it in the normal mode.

Haha. That's funny. It would be nice, I agree. I just don't think it is possible. There are a million ways to compromise, a billion script, a trillion variations to avoid heuristic scanning.

But again, Jim. It won't matter. Once you have xB VPN, you can surf without the need for any of these script blockers. You can view full flash, java, javascript, adobe, etc without it being able to leak your IP. This is what you're asking for and it is already done. The problem is solved by XeroBank VPN, you just don't have it in your hands yet.

You only *think* you can change the settings. Once you change them, and close xB Browser and come back you'll find that the default proxy settings are back.

I'll say it again. use xB VPN and you don't have to worry about it.

I'll say it again. It isn't the browser leaking. It is the plug-ins and scripts that the browser runs. Those things are not part of the browser.

No. They aren't part of the browser. Should the browser control what emails you're sending? no. They are both entirely different programs. One doesn't control the other. Flash/Java/QT/etc plugins are not internal of the browser. They are entirely separate programs that the browser just so happens to ask to run. If you click on an email link in your browser and it brings us your email program, it isn't like the email program then send the email through the browser. Two separate programs. When you play a flash game running on a website, you're running Adobe Flash Player, and the browser, and it just so happens that Adobe Flash Player is only being displayed inside the browser, not that it is running inside the browser.

 

1. probably either '', 'root', or 'xero' ... I'll ask

2. This is a problem for unix all around. I think they can read FAT partitions without problem, but NTFS could be an issue. But I think there was a new NTFS driver written for linux that could make that possible. The easiest way I know of is to email the files to yourself.

3. a bit more window? I don't understand.

 

Huh? That doesn't sound right, do you have a bunch of trackbacks? Go to network settings and see if the Network Connection # is active. Which version are you using? Email me and lets get it sorted right now.

 

Steve,
I will not quote, but answer you directly basing on the info I received about this matter (thanks to Paranoid2000).

Then, again, XeroBank (or should I say Firefox?) is not modified to make only proxy connections instead of direct connections. Therefore, users of the free version will need a firewall with that set of rules (TCP protocol, Outbound, ports 80 and 443, block it - Firefox.exe) to avoid leaking their true IP.

And you can't solve the problem by blocking everything. Some day you will have to allow any site to run scripts. And when that day comes, your true IP could be leaked if you don't care to set these rules on your firewall (and I will say this again - the browser itself is the only one who is leaking).

All plugins are cheating the browser because he wants to be cheated. Because he is not sealed to avoid direct connections. Is that so hard to understand?

If you don't believe me, try to make that test from hackers.org and enable your firewall with that set of rules.

Your true IP will not be leaked even if you allow your browser to run that script. And the only blocked file will be Firefox.exe on your log records. There will be no other file blocked in that attempt (Java.exe, etc.). That's it.

 

Jim,

I don't think you're listening to my comments. Repeating someone else's quotations is not a valid argument, especially when they are nullified over and over again. Perhaps you should have Paranoid2000 explain these responses to you. I'll say this one last time in very clear english:

1. The browser is not the problem, it is the plugins like ActiveX, etc. The browser does not, and can not gain authority over plugins and force them to use the browser's settings, as Adobe etc never designed them that way.
2. We stopped you from running scripts on hackers.org for a reason. You decided to trust hackers.org to let them run code on your machine, by your own actions, not any programming/design mistake, and so they can compromise your anonymity because you let them run those scripts.

If a robber comes to your door, and says "excuse me sir, i want to rob your house", and you open the door, it was not the door that made the mistake. You clicked to let those scripts run. If you had not selected to let those scripts run, your anonymity wouldn't be compromised. hackers.org would be powerless against you.

 

Thank you for checking up the root for me, it's none of those two.

2. when I run knoppedix linux I can read and read FAT, and read NTSF, writing to NTSF is considered very experimental. But here in the xB machine I try to surf to my windows files via the file manager, it wont open at all. I guess the question should be, did you program the xB machine so that no connection can be made to the windows files for security reasons, or should I keep on trying? It could be great to have a truecrypt container file that I could open with files both under windows and linux.

3. When I use characters like ? : ' - / etc they are at different locations then im used too. Not a big deal but if I could set them to behave like my english windows does that would save a lot time while typing.


TIP! If you wanna get FTP into firefox in the xB machine you can download it as a plug in "fireftp", but make sure to go to Edit -> Preferences -> Advanced and change the cache to 10 MB instead of 0 before you try to download the plugin (or you get a download error - 228 )

Thats all the drama for today...

All the best everyone,

Thor

 

I am reading every single line of this thread.

No, they are not. And he is not wrong.

I have all the proof I need here. You haven't done that test. I have it.

Frankly, I don't understand why you're refusing to see the obvious. I will not insist on this subject anymore, the answers are here (for those who are willing to see).

That's not the point. I don't care who is controlling each other.

All I said was that the information about your true IP is being leaked because Firefox have a way to make direct connections. Firefox browser was not designed to avoid direct connections.

If someone is telling the oposite, it's talking nonsense. There are no extensions (or modifications) to avoid direct connections.

If someone have built a new program (no matter what kind) which can't send outbound traffic using these ports (the only ports used by that Java trick are 80/443), no matter how hard all plugins tried, they will not be able to leak any data.

Trying to hide the Tor button, like you're doing here, it's not the most logical course of action. On the contrary, you're not doing a favor to anyone. And all sorts of plugins have nothing to do with this.

I know this new xB version is saving all proxy settings each new session.

I also know: if someone decided to mess with the browser, when others starts the browser, all proxy settings will be there again.

But you haven't modified xB/Firefox to avoid making direct connections at all.

In my opinion, since no one have done this modification the Tor button should be there, to remind us the Tor network is activated.

Of course my firewall settings are preventing this from happening, too (even if I disable my Tor button, I will not be able to access the internet), because I am blocking browser direct access the same way I've done to not leak my true IP. The rules are the same!

If this Tor button is not there, someone can gain access to your xB browser and deactivate the proxy settings (while the browser is running, of course, not after it's closed) and you don't even know it.

I will not explain this anymore. What bothers me is the fact that we have to rely on a firewall every time the browser is running. I am lucky to have one and also have found the correct rules and explanations of this forum. Most people (at least those who are using the free version and care about privacy can't say the same).

Like I said, we don't have a choice. Most of sites out there can't work without Java, Javascript, and other plugins. We are not allowing them for fun, you should know that.

Saying that it's our own fault it's a huge mistake. I never allow any script here from unknown sites.

Since I trust no one, I will not take the risk of leaking my IP without my knowledge. What should I do? Not use them? Stay on my bunker, because I am too affraid to allow scripts?

No, I will allow scripts from trusted (or at least, famous) sites like this one, and I will not let them leak my true IP.

Instead of locking my door, like you're suggesting, and never leaving my house (that's the same thing if we never allow any scripts, not for a single site), I will invite the robber to enter, going through my fake door, and he will be caught on my trap until I can get rid of him.

 

Steve I don't know what track backs are. I haven't had any problems in 6 months. I have had the connection go dead a couple of times, but when it did, I could not access the internet. This was different. I will send you an email.

 

LOL...That was a very good analogy.

 

All this time I was talking and didn't even realize I was using a word who matches with the name of this program.

XeroBunker?

The problem with Steve is the fact that he is already using his own sealed private network, and that way, he is incapable of leaking any data and can't even understand this situation regarding people using Tor (and his free browser).

Perhaps I am missing something here (I am not saying I am 100% right all the time), but saying that we must block all scripts, and that is our own fault these things happens (instead of admit the browser is incapable of preventing attempts to bypass the proxy settings and make direct connections) is too much for me.

To stay on topic: The Flush Circuit button was not removed in the previous xB versions. The name of the button is "RestartFirefox" which doesn't make any sense. It should be "Flush Circuit".

 

Jim I tried those links that you posted. The one from hackers.org does not have any effect at all. I cannot not get it to do anything at alll. It just says to wait, "it may take a few minutes".....but it never resolves. The other one shows my real IP while using Tor as long as the xerobank VPN is not connected. But when the VPN is connected, it cannot reveal it. It just lists the same IP again. Just out of curiosity, I hooked up an IPhantom to see how it responded. It was not able to show my real IP either with IPhantom. In fact, it could not even list the same IP again. It was unable to list anything. It was blocked.

There are some weird things about that IPhantom though. I cannot log into Myspace with it. When I go to Yahoo mail, the text and graphics (the little smilies) are completely gone. They do not exist. And yesterday, I tried to go to Youtube with it to download a video, and I could not get to youtube. All I got was a blank page. It did not say anything at all. Just a white page. Haha! So I have no idea wjat is going on there.

 

About that test:
http://ha.ckers.org/weird/tor.cgi

You're wrong. If you get the message "loading... it may take a few minutes" that's how you know your true IP is not being leaked (and your firewall working, preventing your browser to make a direct connection. I will repeat my answer from the other thread:

I assume you're using the free browser to perform that test, right?

Remember, that test from hackers is using both Java and Javascript.

There's also another test using Java.

http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf16

As you can see, this second test shows your Tor IP and 127.0.0.1, instead of your true IP. 99,9% of other tests on the internet have the same results, therefore, even if you don't have a firewall, your true IP is not being leaked.

And why is that?

Because this specific Java method no longer works, it returns only "localhost" which is sad, and good. It is a flaw in Java itself.

We can't say the same thing about that other test (from hackers.org).

Of course you must allow both sites (hackers and frostjedi) on Noscript whitelist to perform that test (and that's exactly the point, unfortunately people on this thread can't see what I am trying to show). You must assume that one day you will find a trusted site (running scripts) who will try to unmask you.

Everything I am saying applies to the free version, using Tor.

 

Jim I do not use the xerobank browser. I use firefox with noscripts and I also have a torbutton. I don't use the xerobank browser because I like all the cool animated gifs and videos and stuff. I am a musician and I love art and creative fun stuff. I go to youtube and google video and various places, and collest art and download some of those vids, so I need to be able to partially allow scripts when I want to. So the xerobank browser is not something that I would normally be able to use. But with Firefox and Noscripts, I can partially allow scripts.

Which is exactly what I did with that hackers.org link. The last time I tried, I waited about 10 minutes. It never resolved to anything. period.

The other one did. When I tried it without the VPN, using tor only, it showed the tor IP, and then below that it showed my actually IP. But when I tried it with tor overtop of the VPN, it showed Tor, and then below that it showed xerobank. When I tried it with xerobank alone, it showed xerobank, and then below that it showed xerobank again, hehe!

Now when I tried it over top of IPhantom, it did not show a second IP underneath. I refreshed it several times and tried again, but it would not even show another one.

I guess IPhantom is kind of like a VPN too, but it is here in the US. They say that they do not keep logs, but if they were approached by authorities to monitor someone, they would have no choice but to monitor. And I guess here in the US, downloading music could be enough reason. There are a couple of other problems too that I don't understand.

 

Steve, it was showing track backs when I looked in the logs. I do not know what that means but I saved 3 logs.

However, I think the problem is resolved. I had used a product called Uniblue Registry Cleaner (or something like that) and I think it messed things up. So I reformatted my computer, deleted xerobank from my USB stick, and downloaded it again. Everything seems to be working fine now so I guess it was something that I did.....although I am not quite sure what it was. Caspian

 

Jim,

1. The XeroBank browser has scripts blocked for hackers.org .
2. You change that and allow the scripts to run - which reveals the real IP address.
3. You're upset because the IP was revealed.

Am I missing something here? If so, can you try to lay it out as simply as I did above?

 

Jim,

I can see there is some sort of communication cross-talk going on here. I really want to help address your concern so please contact me off list and we can get the issue resolved.

Steve

 

Maybe he wants a browser that can freely use flash and java or whatever. I know I would. But with the VPN, I don't have to worry about anything on my computer.....yahoo messenger or voip or browser. I can use any browser I choose.. I can download the PeeWee Herman browser if I want and use it, hehe! I think it's the coolest thing I have ever seen.

 

Just to clarify your answer.

1. The XeroBank browser has scripts blocked for hackers.org .

2. Someday we will have to change that and allow scripts of any trusted site to run - which may reveals the real IP address only because the browser can't stop this attempt to bypass the proxy settings. The browser was not designed to recognize only proxy settings. If the browser can make direct connections, and in the end is a hybrid on this subject, the browser itself can't avoid your IP from being leaked on that Java trick.

3. I am upset because I have to rely on a firewall every time to do the job who should be designed to the browser itself, which is incapable of prevent his own sabotage.

Of course this problem only affects the free version, on my conditions stated above. As for VPN and everything else (caspian), please read this thread. And if that hackers test stops loading, then your true IP was not leaked. At least for me, it's working this way.

 

Okay. So we are in understanding. But Jim, keep in mind, what about programs that aren't just the browsers, but ANYTHING you run on your computer that may phone home or try to tell on you. For example, Adobe PDF does this, etc. Any program you run can request direct internet access, such as your antivirus, word processor, photo viewer, mail program, etc. So, for the demanding user who wants tomorrow's technology today, XeroBank is the answer.

And guess what, we are already planning the technology you want, but it is a super-hack and I can't say any more at all.

 

Jim, I'm trying to understand your position, and frankly I'm having trouble. And I've wrestled with this for days..

Don't worry, it's not you, it's me!!

Out of the box, the XB/free browser version does not leak. Previously, I'd seen those scripts you referenced. Tried them out on my box awhile back with the default XB browser settings in place. My IP address is not revealed. I did not change or alter the default NoScript settings. I have no need to.

Unless I'm missing something, the crux of your arguement seems to be that there are certain circumstances under which you need/want to disable NoScript to properly view a website. And if you do, there exists the possibility that your true IP address is leaked. Have I got that right or did I blow it? On that point please clarify... That seems to be the heart of the matter.

You wrote: "Someday we will have to change that and allow scripts of any trusted site to run - which may reveals the real IP address only because the browser can't stop this."


When I read that I said, "Aha. Jim is turning off the protection already in place in the Xerobank browser."

If so, for me that's a given. Some people complain that their web experience is diminished if they disable Javascript. The sites I access don't use that, or at least minimally so for me it's simply not an issue. My web experience is not at all incapacitated or lessened by my use of NoScript. Disallowing Javascript, to the contrary offers me safety and protection. Security often times is a trade-off. Better security may cause a minor inconvenience to the user.

If allowed to run, scripting potentially allows an entity all kinds of opportunities to extract data from an IP connection via the browser.

NoScript is one of many tools that protect a connection from revealing that data via the web browser through Javascript.

If you remove that protection, how can we say that the XB browser is unsafe? That's no fault of the XB browser. If we leave the front door open on our homes, how can we complain that our homes were vandalized?

Best,

B