Anyone tried XeroBank (formerly Torrify)

Thanks Steve for your quick reply!

I should have said I'm using it through vmware - i don't know what i was thinking - tired...

Anyway - what I'd like to do is run p2p through it - but not sure what program i can run in vmware to do that securely? any docs/instructions?

And so I read your 'evil' traffic thing... Kind of odd. I thought this was to protect people from other people's determination of what is and what isn't 'evil'?

So for instance - if someone were to download say... oh i don't know - a copyrighted movie... would that be considered evil and tracked etc etc.?

I'm trying to get stuff at work that is all blocked normally (torrents etc.) for research and non-evil stuff of course - just wondering how you determine what's evil.

And also now.. how do I p2p on a mac secured by xerobank?

thanks

 

oh anon config still says 'not configured' even after clicking the little tool 'x' icon.

Sup?

 

As long as your Sony Mylo can run OpenVPN or SSH, I don't see why not. And running it concurrently? No problem in the XeroBank 2.0 network released at the end of march.

 

OK I get the use of a machine to analyze the traffic which replaces the need for human intervention and therefore doesn't compromise anonymity.

However, I can see this working for say, somebody firing off thousands of spam emails using a SMTP port etc. But how would you deal with other malicious users? Do you scan keywords etc?

Thanks

SVS

 

What is the operating system inside VMWare?

Sure. But xb has to "draw the line" somewhere. They aren't going to allow the service to be used for spam/scam/virus, threats, theft/hacking, or child porn. It would get shut down by upstream providers, and makes the service reprehensible for other clients as it would result in blacklisting. The scum can keep using Tor. Who cares about shutting down torrents? There isn't anything illegal about torrents per se. Torrents are an efficient and legitimate way of transferring files, especially large ones. It's just a protocol.

Just follow those instructions for Mac from my prior post, and your Mac software is automatically secured through XeroBank.

 

I don't think we could care less about keywords, etc. But, say, scanning our internal network or running a port scanner is a sure way to get your account quickly shut down.

 

You're using xB Machine! Ah.

Pause. We're putting out a new version in less than a month.

It has a bit torrent engine built into it.

 

Steve can you clarify this point a bit further?

I'm not quite sure I understand this.

You stated:

"But what about malicious traffic?

1. If an auditor agrees the above traffic is evil, it still may not be in the jurisdiction of Republic of Banana, and is not shared with them, but instead the proper upstream authority of locale.

2. XeroBank can see an "evil attack" originating from our networks, thanks to malicious traffic monitoring machine. We can then trace the live connection back through the system to find out what IP the incoming traffic originated from, and perhaps what Access card account was used. Does that get us an Identity? Typically not, but the originating ISP network would know the supposed identity of that IP holder."

OK. We're talking about malicious traffic, in whatever context XB defines it.

It sounds as though XB Security and live auditors "might" be able to trace malicious traffic through the system. In theory, XB could trace it to a live IP originating from XB but that it would be a difficult task to link that information to a specific account holder.

But your last statement is interesting:

"Typically not, but the originating ISP network would know the supposed identity of that IP holder."

Are you talking about the XB account holder's originating ISP?

In theory, could the originating ISP be linked to XB traffic? Perhaps I'm reaching too far here, or totally misunderatnding your statement.

The chain would go like this: User>originating ISP>XB OpenVPN>XB network>entry node>exitnode.

I guess I'm confused on your definition of "originating ISP."

Are you saying that the user's originating ISP prior to injection in the XB network could somehow be linked to XB traffic in specific situations?

I'm probably reading too much into that statement but perhaps you can add some clarification.

It sounds like an evidentiary chain could be created ultimately linking an actual XB user to a specific accoung with their originating ISP.

How is that possible? And have I read too much into this?

Ballzo

 

It isn't the job of the auditor to do traces, but yes, we can trace live traffic through our system. And yes, it would be a rather large hassle.

yes. I'm talking about the user's network connection to xerobank entry node. Has an originating IP address that belongs to *someones* ISP. So lets say I'm a BananaCom ISP customer, and i connect to xb. xb knows the original IP that is connected to xb, and that IP belongs to BananaCom ISP, and BananaCom knows which customer has that IP address.

Let me put on my security hat. Realize that the operational model hasn't changed for you. We are still the single entity you have to trust. You are trusting that we do as we say we are going to do once your traffic connects to us, and that we will not act in perfidy. It is unimportant how one could trace, calculate, identify, etc. That truly is the bottom line.

Take a look at Hushmail. Good reputation, and lots of trust. People assume that Hushmail doesn't have control of Hushmail, and thus some level of control is out of their hands. You're loading their software, that they control, onto your computer. All that crypto doesn't keep Hushmail out, it keeps 3rd parties out. The fact of the matter is that when you log into hushmail, hushmail could reconfigure their servers to capture your password and read your mail if they were so inclined. And for one person violating their terms of service by trying to do pharmacy-pills spam, they did. Well, the guy was trying to do something illegal where Hushmail was incorporated, and from that same jurisdiction, and Hushmail perhaps had some court order or not. Doesn't matter, the guy was violating the terms of service. Well, the guy knew what he was getting into. Hushmails other clients were protected, and this guy was foisted out. Hushmail isn't in the business of protecting spammers, but protecting people from privacy invasions. As I see it, it is one of those cases where you go "wow" and they stick to their guns. Bottom line? Hushmail does what they say, legitimate customer protected, illegitimate spammer is busted, and a bunch of raised eyebrows. The dust settled, life went on, and Hushmail still seems trustworthy.

 

Hi Steve!
Have you updated the Tor version inside xB Browser?

When did the 2.0.0.12 version will be available on your site?

What can you tell us about these Flash-cookies? I saw that xB 2.0.0.11 is now removing them, like the Yahoo .xml files that I told you? If it's working this way, they are being removed only when the browser starts?

I don't know how these Flash cookies works, but they can identify you when you return to a place like Youtube after watching your video? If that's true, there's no way to built a cookie removal tool inside the browser?

I am always removing cookies using the PrefBar extension available on the xB browser. There's a button called "Remove all cookies". My point is, I am removing them while the browser is running.

 

2.0.0.12 hasn't yet been put out. We have a pre version, but this next one is so much better. No more popup throbber, it tells you in the splash screen.

Next one will be out shortly, and *should* have an auto-updater built it so we can push in files like Tor version upgrades and SSH keys.

Everytime the browser starts we search for the SOL flash files and wipe them out. During the browsing session they aren't that big of a deal, but we don't want you to be tracked from session to session.

I was speaking with Window Snyder, the head of security for Mozilla, and I told her that Firefox completely misses flash cookies. So she suggested we submit a bug report and get that included as a feature in the next Firefox. Until they implement it, I'll be covering that base.

 

Steve, thank you very much.

You candor and forthrightness is both amazing and appreciated.

Let me see if I can restate this and sort of wrap my arms around what you are saying.

It sounds as though identification of legitimtely evil traffic say something like a Distributed Denial of Service attack launched through the XB network, would most effectively be identified, and stopped by live monitoring. Something that truly constitutes malicious traffic.

And given your statements, though live monitoring might be effective in stopping that traffic, it would be difficult to identify the actual account holder unless it invloved the originating ISP. In essence is that fairly close to correct?

Now having said that, it would seem regular anonymous traffic, after the fact, would seem a far more difficult challenge. True statement?

An entity would have to submit subpoenas for all relevant jurisdictions that XB traffic passed through, not simply the exit node. Again, no easy task. Correct?

That would pose significant challenges. And having said that, further identification of the actual account holder would not be easy, as there is effective segregation of IP stream traffic and actual account holder information within the XB network. This would also be very hard, as XB effectively does no connection logging.

Have I sort of got this right?

Thanks,

Ballzo

 

Always.

Correct.

After the fact? Impossible unless it was flagged for audit. No logs. It's either at that moment, future "sniping", but nothing in the past.

Correct

Correct.

So now a question for you: What do you think of our design and implementation?

 

Excuse me for asking a silly question and looking like a complete fool, but how can you download something from XB Machine? I tried downloading a small video once and it said there was not enough space.

 

But it sounds like XB could just give that info up without a warrant. If they decide to monitor someone for selling Growth Hormone or whatever, they could just monitor them and turn them in without a warrant.

 

Again I must ask though how would selling Growth Hormone appear in anyway different to regular browsing?

If you think about a scenario where the person was simply sending and receiving emails at an ordinary rate then how would this flag Xerobanks detection system?

MM

 

That's not foolish at all. What the issue is, is that you have two areas. one if for program files and xb internal stuff, which you won't have write access to and will always appear too small, and the other is your encrypted user space. Now the issue you speak of may have happened on either partition. Can you give me more info?

 

If it isn't a violation of xb's terms of service, then they don't care. Sell whatever you like as long as it is legal in your jurisdiction, Panama's jurisdiction (I think, not certain), and doesn't violate the TOS. If those three are satisfied, I don't think there is any issue whatsoever.

 

You noticed that too? Steve has even bragged about how they'll be happy to turn in people who are breaking this or that law. It makes you wonder where they draw the line? And that line thing is a problem because everybody has different definitions of whatever it is they draw the line at.

 

But, Steve, the TOS includes language that is debatable. For example, there are all kinds of debate about how much of a movie constitutes "fair use" - same goes for music. Is child porn a 15 year old girl fully-dressed but with a provocative pose? Some DAs have prosecuted for that very thing. The MPAA goes after people downloading TRAILERS! "Illegal" is sometimes very hard to define, it's not always black & white. So you have to wonder about your "Just follow the law and you'll be alright" lectures.

 

Genady, this point is fractal. It can go on forever to an infinite level, never moving forward. XeroBank doesn't give up any info without court order, unless it is an explicit violation of the TOS in which we typically handle it inhouse prior to gov involvement, and even then, it is hard to produce that data. No matter how detailed we are, there is always another resolution for debate. XeroBank is a trust domain. Trust isn't written in black and white, and paranoids always have another "what if" that they want satisfied. That requires inductive reasoning, for which the data isn't provided. So all you can do is employ deductive reasoning, and the data you have there is "how many subpoenas have we responded to, in six years?" and the answer is "none." There is some biblical passage that says you can know a tree by the fruit it produces. That is the same situation here. So, yes we are badass regarding what we will put up with, and the ultimate anonymity service, but as I said, it comes down to trust. This service is premium. This service is exclusive. It isn't for everyone, and some people just can't handle it, and those people need to be surfing at 20kbps using Tor with all the scum. Then you don't need to explicitly trust anyone, because everyone participating in the network is implicitly untrustworthy. Perhaps that is better suited to your liking, as there is no terms of service to Tor, because there is no service at all. Otherwise, you're always going to have TOS you can try to debate with.

 

Aw gee...thanks.

 

Can anyone tell me why just by installing Xerobank and not using it, it tries to connect to different IPs?

 

It would connect because it is registering an account for you. It would also be checking for updates as well.

 

So Metropipe and XB use the same servers? That means there are a lot more than 150,000 sharing them. So that should be a good thing right? The more the merrier?