Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    :D :thumb:

    Moved the auto-updater to the front of the installation, enforced version-checking the installation download. We will shortly be adding a surreptitious anonymity-checker into the programs to let you know if you aren't anonymous at some time. Not that I think we'll need it, but it sure is nice to know it is there. I think I may install this only in VPN or only in xB Browser and xB Mail. We should probably release xB Mail beta. Anyone want to try that out?
     
    Last edited: Mar 8, 2008
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    xB VPN has now been integrated into the installer. Next we have to encode the credentials grabber for VPN and XB2.0 users. This should be no small feat. Next, to integrate xB Mail into the installer. Ah, things are coming together today.
     
  3. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Ballzo,

    Thank you for taking the time to share your story and feelings. Points are all well taken. Especially as to actual proof of Metropipe allegations.

    But do we really know much about XeroBank? I asked Steve who OWNED XeroBank and, you probably noticed, he chose not to answer. I think this is a critical question for a service that you are asked to TRUST just based on the word of a "consultant" to the company. (That was Steve's description in a recent interview.) He certainly seems to be more than that as we all know he developed TorPark. But since it turned commercial, a lot of people would like to know, if trust is THE issue as Steve insists (and I agree) then he should tell us who actually owns this company we're being asked to trust. Simple. Maybe he won't answer because I am the one who asked. If he just won't answer at all - that's a red flag.

    Thanks again, Ballzo. I appreciated the tone of your post; and your points, as I said, were all well taken.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Genady, I don't know all the board, but the memberships will probably be listed on the new website. What difference would it make who owns the company?
     
  5. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    If you really have to ask that question, you don't "get it," but I am guessing you do understand how important it is to know who owns a company that you are using for privacy and is only worthwhile if you can trust the company. That's a no-brainer. My best guess is that it's a good way to dodge the question; otherwise you would simply answer the question. Is it a secret?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Genady, I think you need to be more realistic. The CEO of Lexus doesn't make any difference in how its engineers design airbags, or which colors the marketing team picks. They have their own job which doesn't affect the clients in the slightest, and that is to manage the health of the company. Same thing here. I wouldn't be working for XeroBank if I didn't have the utmost confidence, control, and oversight of my projects, just like any other team member.
     
  7. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Genady, thank you for replying.

    Steve, let me toss this one back to you.

    I hear you loud and clear. Many will continue to have doubts, whether justifiable or not.

    You have thrown your hat in the ring with Xerobank. I sense you have confidentiality agreements to maintain in order to assure their protection as well.

    Having said that, are you absolutely assured of the integrity of the XB Management Project? Indeed, are they trustworthy and totally committed towards advancing complete anonymity and privacy protection?

    Thanks,

    Ballzo
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Adamantine
     
  9. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Lexus is a public company. People don't have to put their blind trust into their company. Anybody buying a Lexus knows that someone is ultimately accountable.

    You're asking for trust based on the fact that you are one of the developers. That's actually backward. When people buy an iPod and support Apple like a cult, does that mean they know the names of and have faith in the designers of the iPod? Do they know the lead project manager for Leopard? Who do they know? Steve Jobs. Period. Apple is also a public company.

    If you are providing a product that depends on blind trust yet refuse to reveal who owns the company and is ultimately accountable - that's not right; especially when you have said in the past that trust in XB is the key. Well, who owns the company? That's basic. Trust can begin with knowing the answer to this basic question. Keeping that a secret speaks volumes.

    Take a look at PGP:
    http://www.pgp.com/company/management.html
    I know there are real people, with real names behind this company. Hell, nobody cares who's actually working out the bugs in the program. PGP is open and upfront. Same with Anonymizer, COTSE and some others. But give money to, and blindly trust, an outfit with my privacy that won't even reveal the identity of the owner when asked? The person - or persons - who actually own the company and pocket the money I give them? No way. Everybody won't care - but if asked - I can't imagine a legitimate company refusing to answer the question.

    Bruce Schneier said at RSA '07 to never put your trust in any company who is offering to sell you some kind of "security" but won't let you know where the money goes and who owns and operates the enterprise. Follow the money. For some reason, you want to keep the ownership of XeroBank a secret. That's a problem.
     
    Last edited: Mar 9, 2008
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Genady, Ballzo is right, it isn't my place to reveal anything before XB wants it to be revealed. I honor the trust of my employer about as much as the secrecy of our clients. However, trust isn't blind, there is a chain of trust that allows you to trust unknown parties. It goes from the users, to me, to the board. This is just like signing keys.

    So if you distrust either me, or either the board, you should reject the whole chain without further speculation; but if you trust one you can trust the other at the expense of the former's reputation. Consider the alternative: what if the board was trustworthy, but I wasn't. You would be in a significantly worse position than if I was trustworthy but the board wasn't. However, the chain would fail because of explicit distrust for either. I vouch for the board, and assuming I'm trustworthy, so is the board to some degree similar to my own level of trust. This isn't like a public corp where when things go wrong and suddenly nobody is responsible and the CEO resigns with a golden parachute, we're all signing each other's key after careful consideration. I fully accept the weight of the responsibility of trust.
     
  11. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Steve, thank you for taking time to answer these questions. It is appreciated.

    Genady, I sense your discomfort with this and I respect your feelings.

    Unfortunately, this is probably as far as this issue will go.

    Xerobank is in the process of constructing what will undoubtedly be viewed as the most powerful commercial anonymity network on the planet. Across-the-board anonymity solutions for individuals, businesses and governments that will leave the alleged competition in the dust. The network will be rock solid. Steve has been extremely candid in terms of XB's privacy policy which is utterly thorough, detailed and very refreshing.

    Trust is a raw issue in contemporary culture. It is exacerbated by continuous, egregious violations and abuses that range from our bedrooms to the highest levels of businesses, financial institutions, and governments. People have become automatically distrusting and inherently suspicious.


    That one doesn't trust an individual or institution does NOT make that individual or institution inherently untrustworthy.

    It simply means that party does not satisfy the personal criteria the individual holds for trust.

    Trust is a highly personal, subjective phenomenon.

    Hypothetically, an auto manufacturer may have had a previously poor record in terms of manufacturing quality control. However now, they have recognized that, and have taken aggressive steps to rectify that. I may be aware of their previous record, but have examined their current product offerings, read testimonials, and have found that their current crop of new cars are extremely well made. Their previous record may cause you not to buy their product. However I decide to buy one. Neither of us is right, neither of us is wrong.

    Steve really said it best awhile back, when I believe he said, "Ultimately you have to trust someone." And when a person engages in online anonymity, that will always be true.

    Tor is hotly debated. Last Spring, a Swedish fellow established a rogue experimental node, and sniffed personal email usernames and passwords belonging to major businesses and governments that used the Tor network to access their online accounts. His site was ultimately shut down. Caused a firestorm of controversy as he posted this stunning, revealing information online.

    There were several ways to look at this event. The revelation caused many individuals to conclude that Tor was inherently untrustworthy and potentially exposed them to unknown risks. This revelation caused many people to distrust the Tor process and to abandon their usage of Tor altogether.

    Others viewed this event with, perhaps a more mature perspective, understanding that Tor does not turn a user into an invisible light being of energy if people choose to be irresponsible enough to reveal unique, personal identifying information over the Tor network.

    One event, two responses. It's like that. One trusts, one doesn't. It's a sensitivity issue.

    To me, it is highly understandable that Steve might wish to shield the actual identity of Xerobank Management. This reduces the attack vector against them. Not from individuals, but from potential, and powerful adversaries who may wish to destroy them. To me, that is very understandable. You, on the other hand, view it otherwise.

    Steve has been extremely forthcoming in so many areas. It is very refreshing. How the XB network operates, and most importantly what people may expect from using XB, in terms of their privacy policy. Very specific and detailed. Honestly, I have never seen so much information revealed.

    Steve’s approach is a radical departure from what we have come to expect from anonymity/privacy services. Normally these other services are pretty shadowy, and cagey. By contrast, Steve has been remarkably candid and open. Something is very positive, and remarkably different about Xerobank.

    Knowing who they are may ultimately tell you nothing about their motivations.

    But as long as their intentions are pristine, their commitment to anonymity uncompromising, it is unimportant as to their identity. Knowing who they are might make you feel better, but at the end of the day won't help protect your online privacy. You may know little, personally, about the chef that prepared the gourmet meal you enjoyed last night, but the proof of his credibility and intentions will be in that delightful dinner you enjoyed...


    All The Best,

    Ballzo
     
  12. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Very interesting to read both sides of the argument. As a user, I definitely won't trust anyone without knowing the credentials. But even knowing credentials does not mean that it would be perfect. One can have different perspectives. But one thing is sure. If you want privacy from your ISP, snoopers etc it is fine. But if you think that you would indulge in something and get away just by using Tor et al, you are absolutely mistaken.
    Now do you believe in espionage fiction? If yes, would you be surprised if a F Agent is actually working in XB and sifting through data? Or on the other side any service provider itself sifts through data and makes you a very very soft target for private affairs?
    I am not pointing fingers at XB management or anyone else. In fact this may be one of the best anonymous services available today. But as a user who cares about privacy, the point I am making is ANYTHING is possible. Can anyone say that it will not be compromised tomorrow? How many times did you know in advance that privacy was compromised in so and so company, or a backdoor was created in XYZ software or some HHH mail handing over everything to the authorities MUCH AFTER everything was done and the news was in the public domain? What makes you think that it won't happen for someone else in future? Take no one's word. For you do not know what may happen tomorrow. If your privacy is critically important, Internet leaves too many trails. Where and how you would like to leave the trail is up to you! In spite of knowing the pitfalls if you still require anonymity to protect many of your privacy needs, then definitely go on.
    IMHO arguing about whether to trust or not, or big well known names or no names doesn't make any difference. As a parallel, Enron was well-known, covered as a maverick company by Gary Hamel in his book, all records (well that's what everyone thought) were in public domain, the CEO a respected figure and then we all know what happened!
     
    Last edited: Mar 9, 2008
  13. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Steve,
    I am having problems with xB 2.0.0.12b. I have changed the default theme for another one (Winestripe) and it keeps changing to the default xB theme. Is this a bug? Where is the directory where we put new firefox themes?

    And even if I change the default page, this xB version keeps going to ipcheck.xerobank.com without asking, when the browser is starting. Is there a way to fix or change this? I don't want that check, I need to go to my blank page.

    The Noscript extension is not 100% configured, I think you need to enable the option of "Forbid web bugs", that is disabled now and was enabled in the past. All options from the "Not trusted" area of Noscript were enabled in the past, but they are not all enabled now. See this thread about the Web-bugs issue:

    https://www.wilderssecurity.com/showthread.php?t=198437

    I also noticed that this time you removed the Chatzilla extension... I find it a good extension, despite the fact of a few ignorant networks like EfNet are blocking Tor servers. At least I can use on the network from my country.

    Thanks!
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Jim,

    That's no bug. We're forcing the theme. If you really want to edit it, edit the TOR_prefs.js and manually edit it.

    The ipcheck.xerobank.com is not a bug either, it was planned that way to make sure. You can still change your homepage to blank, but the first page opened will always be ipcheck.xerobank.com to let you know if the connection is actually anonymized. It is a safety issue.

    NoScript must have changed the way their firefox preferences are written. I'll get that fixed for 2.0.0.12c.

    Steve
     
  15. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Whoa!

    Did I miss something here?

    Are you trying to force the default xB Modern theme? Do you have any idea of how lame is that? If at least was the old Torpark theme...

    First, the Yahoo cookie block which is there even today, now this... :rolleyes:

    About the ipcheck, you have modified xB to restore modified config settings, for example, when you mess the proxy settings, xB will restore these settings again when is restarted, so it's not a big deal. :p

    What I am not sure is that safety system will also prevent restarts from new extensions installed, since when xB browser is restarted suddenly by a brand new extension (Restart button), it's not connecting through Tor network and my firewall, since is preventing direct connections, make xB says: "The browser is refusing connections". So I need to close everything and restart again to make things normal.

    If that's the case then I agree with the idea of connecting to ipcheck when xB is starting, but this is a very, very specific case since we are not installing new extensions every day. Otherwise, the Ipcheck will only be an obstacle considering the Tor network is already slow, and have something like that all the time...

    Anyway, like I said once, it's crazy to have xB browser without a firewall and those specific rules to prevent attempts of direct connections while allowing Java/Javascript and other plugins.

    One thing that I discovered recently was that it's possible to load a video using Windows Media Player (attention: I am not talking about Flash/Youtube videos) using xB browser, or a Real Media file (.rm). And in both cases, we can't make Windows Media Player use Tor settings like we do with Java/Javascript and Flash.

    A firewall with correct and specific set of rules (like Outpost) is mandatory if you want to stay anonymous. Never forget that. ;)
     
    Last edited: Mar 9, 2008
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Jim,

    We solved the need for the firewall. In the next version of xB Browser, we removed all mime types for Tor, so they aren't able to leak. Any other firewall should be configured to handle the rest.

    So what you're saying is you don't like the xb modern theme? :D We're forcing it so users don't get confused if they already have firefox installed. They will know which window is anonymous or not.

    The IP check is necessary IMHO. Think about all the users who aren't using it just for Tor. It is going to be working in conjunction with another piece of software, xB VPN, or legacy SSH connections, so users need some assurance about their privacy state. Letting users know if the browser is anonymous is more important than just assuming it is. Think of it as defense in depth.

    And as for Yahoo, that is vital. That's like saying "Well, I want an anonymity system that tracks me and tells everyone who I am"... that is counter-intuitive. Yahoo would be able to access those Flash cookies if we didn't remove them, and thus track you between anonymous and public sessions. Sorry, we can't allow that.

    As for the extensions, we are going to be implementing tighter control over them to fix a FlushTorCircuit button issue.
     
  17. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Steve,
    the Flush Circuit button is called "RestartFirefox" (I see no reason for that), but what I was trying to say earlier was that, after you install a new extension (let's say, Secure Login which makes your browser look like the Wand login from Opera), the Firefox window asks you to restart the browser (otherwise, the new extension won't be installed).

    But at the same time, there's a "Restart browser" hyperlink on that extension window where the progress of download is shown. To make things easier for you.

    What I am saying is, if you click on that "Restart-browser hyperlink/button", xB browser will restart in the interval of 1-2 seconds and when this happens, you will not be connected using your "proxy forced settings". They will not work only this time. So, you will be "naked" because of this sudden restart.

    Remember that xB needs about 10 or more seconds to establish a connection, so a sudden restart like that is disabling the forced proxy settings. That's why, if you don't have a firewall with correct set of rules, the IPCheck should be vital. Otherwise, assuming you are using Tor (which is always slow) and a firewall, it's not that important.

    About the IP leakage, just to clarify my last post:

    Java/Javascript/Flash can be controlled if you have a firewall. I already posted the correct set of rules (taken from Paranoid2000) on this thread and that thread "Deanonymyzing...", so they don't pose as a threat anymore (assuming someone have found those hackers.org codes).

    That being said, even if you are allowing plugins on xB, they can't leak your real IP. And they are not a threat anymore.

    But the same doesn't apply to Windows Media Player and Real Media streams, they can be loaded on any browser and any site out there. And why is that? Because as far I can see, you can't make them connect using proxy settings, while you are loading the contents of a website, using your browser.

    Flash doesn't have a specific program, it's a plugin inside the browser, so what you have specified for the browser (firewall rules), Flash is following without hesitation. Java does the same, and on the Windows CPanel can be configured to use the proxy settings:

    See those pictures:

    http://img100.imageshack.us/img100/148/set4ij4.gif
    http://img81.imageshack.us/img81/9881/set1qt7.gif
    http://img80.imageshack.us/img80/4122/set2cj1.gif
    http://img80.imageshack.us/img80/8673/set3wg4.gif

    About the default theme, it's a matter of taste. :D

    Actually I am using the Winestripe theme, which it's a classic theme designed for an old Firefox version. Instead of using the Windows XP default theme (the one you saw on those photos), I am using the "Classic theme", this time with critical changes.

    Here's my default Windows XP theme, used in the past years:
    http://rapidshare.com/files/98361669/mytheme.theme.html

    I am also forcing all my browsers and softwares using that background color, ignoring the default colors used. My background color is always that, and my hyperlink colors is always #C0C0C0 or brighter.

    The reason for that is because someone is always using 100% white background colors, and people (or at least web/developers) never think about accessibility reasons.

    The white background reflects the lights of your environment harming your vision, or at least making you lose interest in keeping watching/reading the contents. The same doesn't happen with papers because the texture is more subtle, and we can't compare them to CRT monitors.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    xB Browser already does this for you, whenever it starts. However, beware, because Java does not have to follow the settings that you set for proxy, they are merely suggestions.

    Where are you seeing "Restart Firefox" ? Is that in the window title for the FTC plugin? FTC was built by modifying the old Restart Firefox plugin.

    Additionally, the new xB Browser for Tor will keep WMV and realmedia plugins from loading, and there is nothing Windows can do about it. You'll be able to go to about:plugins and see that *nothing* is loaded, and when the browser tries to access plugins manually, they are already muted, for Tor users.
     
  19. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    1 day with xB Browser (Trial) and I'm very impressed. Probably going to buy Plus account, Pro is too expensive to me. Is the only biggest difference that with Pro account you can use other programs than browser and mail too? Can I use Thunderbird, POP Peeper and so on with that email account?

    I have also one request. Please throw that FiltersetG to Garbage and start to use EasyList (probably EasyElement and ABP Tracking Filter too) or at least let the user choose which filterset he/she likes most. Even the Adblock Plus developer (Wladimir Palant) says that don't use FiltersetG.

    http://adblockplus.org/blog/filtersetg-i-call-bullshit

    http://adblockplus.org/en/faq_project#filterset.g
     
  20. eternalbeta

    eternalbeta Registered Member

    Joined:
    Dec 2, 2003
    Posts:
    54
    Steve, some time ago you promised us a rundown of all the privacy services and pros/cons of each and how they differ from XeroBank. Hope you can find the time to do that now that xB 2.0 seems to be coming up nicely. Can't wait to see the list.
     
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes, you can use Thunderbird with it. It is an encrypted IMAP account, so unlike POP, your messages are stored on our offshore servers instead of your computer. The practical upshot is that you can access the same messages on your home computer, laptop, PDA, etc. and not worry which device has the mail you were looking for.

    I'm willing to consider other list updaters. I'll take a look.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Sure. I think I may have posted something up but I don't recall.
    I didn't include any web proxies. Those aren't very secure or private, and there are thousands of them.

    Here is the old data I have offhand. It may no longer be accurate:

    Service - Price - Protocol - Speed - VPN - Surfing - Email - Storage - VOIP - Logs - Corp_Jurisdiction - Privacy - Hops - Notes
    Tor - Free - SSL - 20Kbps - / - Y - N - N - N - N - N/A - Multi - Medium - 3 - Malicious exit nodes sniff traffic
    Relakks - 5e/m - PPTP - 100Kbps - Y - Y - N - N - N - ? - Sweden+ - None - 1 - Very unsafe. 100% dns leaks.
    Anonymizer - $10/m - HTTP - 100Kbps - N - Y - N - N - N - All - USA - None - 1 - No encryption. Bad jurisdiction.
    Findnot - $45/m - PPTP/TLS - 200Kbps - Y - Y - N - N - N - All - USA - Low - 1 - Unsafe. DNS leaks. Bad jurisdiction.
    SecureTunnel - $10/m - SSH - 110-1200Kbps - N - Y - N - N - N - All/Abuse - USA - Low - 1 - Good design, Bad jurisdiction
    MP Tunneler - $20/m - SSH - 200Kbps - N - Y - N - N - N - Abuse - ? - Medium - 1 - Looks good
    MP Professional - $35/m - TLS - ?Kbps - Y - Y - N - N - N - Abuse - ? - High - 2 - Looks good
    XeroBank Plus - $10/m - SSH - 200-700Kbps - N - Y - Y - N - N - Abuse - Panama - High - 2 - Looks good
    XeroBank Pro - $35/m - TLS - 1500Kbps - Y - Y - Y - N - N - Abuse - Panama - High - 2 - Looks great
    XeroBank 2.0 - ~$30m - SSH/TLS - ~1500Kbps - Y - Y - Y - Y - Y - Abuse - Panama - High - 2 - Looks excellent
     
    Last edited: Mar 11, 2008
  23. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA

    If the VPN connect is active and DNS Client is disabled how can it leak unless the connection is broken?

    If Open VPN is already installed on a computer will that prevent the install of XeroBank VPN/SSH service?

    Thks
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What do you mean "DNS client"? For the PPTP connections that are leaking, those DNS requests are not being sent through the PPTP connection but instead over your normal connection, being sent (typically) to your ISP's DNS.

    Previous OpenVPN installation should prevent the workings of xB VPN.
     
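The DNS leak described in post 24, as an added illustration that is not part of the original thread and is not XeroBank code: a resolver leaks when the most specific route to it leaves through the normal interface instead of the tunnel. The interface names, addresses and the three-column route format are constructed assumptions, and the model is simplified to longest-prefix routing with metric as tie-breaker.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumption): "destination interface metric" per line.
ROUTES_TUNNEL_UP = """
0.0.0.0/0         ppp0   10   # default route added by the PPTP client
0.0.0.0/0         eth0   20   # original default route, now less preferred
192.168.1.0/24    eth0    5   # LAN subnet stays on-link
198.51.100.7/32   eth0    5   # host route to the VPN server itself
10.8.0.0/24       ppp0    5   # tunnel subnet
"""
# Constructed resolver list: home router, resolver inside the tunnel, ISP DNS.
RESOLVERS = ["192.168.1.1", "10.8.0.1", "203.0.113.53"]
TUNNEL_IF = "ppp0"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def parse_routes(text):
    """Parse the constructed route listing, ignoring blanks and # comments."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        dest, iface, metric = line.split()
        routes.append(Route(ipaddress.ip_network(dest), iface, int(metric)))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
    return best.interface


def dns_leaks(routes, resolvers, tunnel_if):
    """Return (resolver, interface) pairs whose queries bypass the tunnel."""
    leaks = []
    for resolver in resolvers:
        iface = egress_interface(routes, resolver)
        if iface != tunnel_if:
            leaks.append((resolver, iface))
    return leaks


def without_interface(routes, iface):
    """Model a dropped tunnel: every route bound to that interface vanishes."""
    return [r for r in routes if r.interface != iface]


if __name__ == "__main__":
    up = parse_routes(ROUTES_TUNNEL_UP)
    print("tunnel up:  ", dns_leaks(up, RESOLVERS, TUNNEL_IF))
    down = without_interface(up, TUNNEL_IF)
    print("tunnel down:", dns_leaks(down, RESOLVERS, TUNNEL_IF))
```

With the tunnel up, only the on-link home router resolver escapes it; once the tunnel routes disappear, every resolver falls back to the normal connection.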
  25. fuzzylogic

    fuzzylogic Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    149
    So from the list, is Xerobank 2.0 going to cost a flat 30 dollars a month for a 1.5 Mbs connection or will continue at the same pricing as now. Also what will be the download quote for the new connections?

    Sorry to make this my first post but been following this thread for sometime and just needed some clarity on some of the new features coming (btw, when is Xerobank launching this month?)
     