Xerobank too expensive

ok steve thanks can i ask when do you expect shadowvpn to be p and running

 

Less than a month.

 

I am new to this forum (not to security.... just to this forum), and I am being really amused.
I didn't know this XeroBank before few hours ago, and since I saw it being repeatedly discussed on here, I took some time to check the site. Maybe I didn't look carefully enough, but I did not find any technical explanation. I don't know what algorithms are used to encrypt data, I didn't find where the servers are located... I also had a hard time to find out how much this service costs. On the other hand, I easily saw all the service that will be "soon" available, but that are NOT now.
Then, reading this thread, I noticed how a security and privacy expert is not expert enough to hide from the common people (not the FBI) that maybe XeroBank is not exactly how he is representing it.
Also... why would I trust XeroBank, whose only employee (and maybe the only one existing) that I know of, cannot convey any trust? I would be paying in order to not let anybody spy on me... besides him!

Last thing: TOR works wonderful for anoimity and it's free; it takes some time to set up... but that will make the user more conscious about security and privacy, which is advisable if some kind of privacy needs to be reached for real. I don't understand why so many people are concerned with their ISP spying on their browsing habits, but are not concerned about "Anonymous Surfing Service" providers doing the same.

 

There have been a lot of technical details discussed here in the last year. And why should Steve hide? Actually, he has been getting a lot of criticism on this very forum for not being more open than he already is. An no offense, but it doesn't sound like you have taken the time to learn anything at all about their services so it is hard to take your criticisms seriously.

As for Tor? It is way way too slow for me. And evidently it is not near as secure as it was once thought to be.

 

Whoa there. You aren't allowed to question the security of tor. Only defensive praise is acceptable here. And definitely don't draw any attention to our credibility if we are later proven to be wrong, and those other folks were right.

 

Genady, for quite some time, you have hammered away at Xerobank. As I have read your posts over time, there is an increasing hatred, a venom that goes far beyond rational criticism. There are times when your posts almost drip with obsessiveness about the origins and structure of Xerobank. There is a viciousness in your posts that is quite disturbing.

I note that in all your posts you have utterly failed to offer any solid proof or tangible evidence regarding many of your conclusions. That much to me, is clear. Genady, despite all your wild emotion, you have really proven nothing. You come up short.. Empty handed. You have taken what you feel is empirical evidence and drawn your own subjective conclusions about Xerobank. Your stuff really borders on classic FUD=FEAR-UNCERTAINTY-DOUBT.

You have referred to Xerobank as a "kitchen table operation." Yours is is the logic of "Where there's smoke there's fire." You have inference, but no proof. None.

You have castigated Metropipe as a "honeypot scam." There too, Genady, not once, not once, have you ever, offered solid evidence, tangible proof in support of any of your claims. Yours is conclusion by inference. I find that logic dangerous and reprehensible. Your classic statement today: " To me, it appears like more charade." It appears... It appears, it appears... That's your specialty. Conclusion based on appearance.

But beyond that, many times I have wondered.. "What could his motive be?"

It's almost as though you are running a negative political ad campaign. There's an awful lot of smear in your posts and your tone is getting worse. Sort of like if you repeat the same old tripe over and over again, some people will begin to believe it, and some of it will stick. Steve Topletz can answer your questions from now until 2020. You aren't looking for answers, my friend. You are simply looking to smear Xerobank. Wouldn't matter what he said. You'd twist his statements and still draw your won self-serving conclusions. You aren't looking for proof here, Genady.

There is also demonstration in your posts of a level of familiarity and expertise with anonymity technologies. At times you have asked very intelligent questions. But at this point, your are simply trolling out your old, tired statements from long ago. At this point you are merely repeating what you have posted long ago.

But motive... Motive.. Most people have an agenda. A motive. I have often questioned yours. This issue keeps coming up for me...

Genady, it appears that perhaps you, yourself, work for a competitor of Xerobank. It appears to me that you work for another privacy service. That would certainly explain alot.

Would you care to share with us which privacy service YOU work for?

 

At the same time though, Genady is doing nothing but helping the community by making Steve answer so many questions. In turn it helps XeroBank's credibility

 

No.

Genady's posts are self-serving and disengenous.

If Genady were to cast his light of suspicion on 1) FindNOT 2) privacy.li 3) Cotse, then perhaps I would understand. But he hasn't. Xerobank has been subjected to a vicious grilling that frankly, I personally have never witnessed with other privacy services. Should not all privacy services be held to the same terms of disclosure? The same standards? Have they? Isn't that only logical? Who are they? Where are they? What is their business structure? What information do we need to trust them? What information is enough to discredit them? Honestly, because of the nature of the business, will we ever really know, in truth, who they are?

It appears that Genady has an agenda.

Specifically, his logic about Metropipe is utterly discredited. Genady has read Internet posts, quoted them and now claims that they are true. I remind you that Genady has proven NOTHING about Metropipe. And yet he seeks to discredit Xerobank because of it's alleged connections to Metropipe. That is EXACTLY what he has done. That is vicious.

My neighbor was convicted of burglary. I am seen talking to my neighbor and now I am guilty by association? That is very dangerous logic. But that is Genady's logic.

Ultimately, we really don't know much about alot or privacy services, now do we? I can't say that I do.

Who privacy services really are, who their financial backers are, who their officers are what there structure is, often is unclear.
It doesn't make them untrustworthy or suspicious. It just means the information is not available, not readily forthcoming.

Genady certainly has a right to trust, or not trust whatever service providers he chooses. As we all are.

But I am increasingly finding his unsubstantiated and repeated accusations offensive and obnoxious.

Recently, Topletz discussed his interactions at Defcon. Genady's response to the effect, "Don't make me puke."

What's up with that anyway?

 

Actually, I have taken more time to learn about XeroBank services than I took about learning about others' services; just, nowhere on the site I could find a technical explanation about anything, especially about security. Sure, I know it is based on OpenVPN, but I don't get a hint about how their OpenVPN is configured. I know they give me "Private Internet", but I don't know how they make it so private (really, I don't know where their servers are, and I don't know how many hops are between the XeroBank user and the Internet), they give me "Encrypted Email" (encrypted how? Where? Does it mean they give me https web mail? Or maybe POP3 and SMTP over SSL? Or both? Or maybe I get a certificate and I can use asymettric cryptography? And how do I send encrypted emails to people who don't have a certificate, in this case?) and then, some day, I will get who knows how much secure storage (still, it is impossible to know how it is supposed to be secured, nor I know how much storage). I might wanna read the open source code... but I don't think many customers would do that in order to evaluate the quality of a service (and I admit it... I am not that good at coding and reading code).

Part of the offer is a bundle of software, including a browser, an email client and this xbMachine. My question is: why should I feel more secure using their browser than using Firefox? What does their browser do so great? (I couldn't find the answers on the site). About their email client... same questions! IMHO it is "safer" to use widely known and reviewed software (see Firefox, Thunderbird, and others) rather than a software used only by few people (the XeroBank customers) and, in my knowledge, never riviewed by anybody (please point a review to it if I am wrong). Last, but not least, they offer their own OS. Wow... this OS is supposed to be "the most secure operating system in the world", and of course "It is the ultimate user security and privacy tool". Now... who says that besides whoever compiled that web site? On what basis they are claiming it as so secure? This sounds like a snakeoil to me.
One more thing: they claim that using their services, there will be no more need for protecting the host (somewhere they say you will get rid of the hassle of firewalls, AV's and so on). This is really an irresponsible claim, and nobody with a minimum least of knowledge about security would say something like that without being scared about consequences of their lies. Besides I don't know how they think they can protect your internet browsing without a proper configuration of the client machine.

And that is my modest opinion about XeroBank. About TOR, I agree that, in some cases, it might be too slow (try to change your identity until you find all hops with a decent speed), but it doesn't expose you to the VPN service provider, who knows exactly what you are looking at on the internet. Sure, you might get some code injected by some ***hole running a hop, but that is why you make sure that your machine has a proper security setup, no matter what anonymizer you are using.

 

Actually you've missed quite abit and have jumped the gun so to speak. Thats pretty easily done with the about of searching through threads.

So XB offers an OpenVPN client that has a choice of servers between Canada and Netherlands and a hop in betweeen with a server located in DC, USA. I have no idea where the servers are located for the email, but they are outside of the US and can be viewed online (most secure) or downloaded via SMTP/SSL. Thats about all. Further along is secure storage and VOIP.

Your probably quite correct, alot of discussion has been placed here and around the forum and you'll can search that yourself. A secure host is better than relying on a third party to do it for you, in my book at least. But thats my opinon and not anyone elses. Grendy I believe keeps Steve quite honest and for the best part has been able to get some good answers out in the open and gives us some insight and some good debates going. Still alot of questions about the actualy operation of XB hasn't been answered and makes some of us alittle suspionious about whats going on. Thats for you and you alone to make the choice which side you believe.

 

This answers only a little part of the questions I was wondering in my latest post. On the other hand, if I (personally) were evaluating buying an anonimyzer service and I ran into XeroBank, for sure I wouldn't take the time to search on all forums I know about where their servers are; I wouldn't even google for "XeroBank server location", since this would mean doing it for every anonymizing service evaluated, making the cost of choosing the service provider over the reasonable budget for sure.

About "secure emails", calling an https web mail (or even POP3 and SMTP over SSL) "secure email" is at least misleading! It could make somebody not experienced in the field think that sending an email through that accounts is enough to be fairly sure that only the recipient of the email could read the email, which is just FALSE (I am sure you know why, but if anybody else needs an explanation, I will be glad to give one later if asked).

Still, this piece of information is available on this forum, but not on the official XeroBank forum. So if I can advise XeroBank, who surely is reading us, put some more content on your awesome looking site.

The matter with XeroBank's claim about securing the host is not whether it is better to secure the host on your own or let a third party do it (through a proxy), since the only possible option is the first. So, your opinion is also my opinion; and especially, it is Schneier's opinion. (Note that I am pointing at two different links).

 

I'm a little confused. Is markoman really genady?

Https webmail and servers in DC. Where do you get this stuff?

I'll pass the comments along about the website content. Can you tell me how detailed of information you're looking for? Obviously an overview isn't enough for you, but a whitepaper might be overkill. Perhaps a technical summary.

Actually the more I think about it, the more strange it seems. When you ask a pottery maker how he makes his pots, well they are made from clay, and they have style. Sure there is different types of clay and glaze, but that isn't really the question the user has. They want to know why it is a good pot rather than a bad pot, and if it suits their needs. Trying to talk about a pot in terms of mathematical curvatures and chemical makeup doesn't really tell you anything about the quality of the pot. Having someone else tell you it is a good or bad pot only informs you of their opinion, which can be purchased by proposing or opposing parties, as there don't seem to be any competent free pottery audit corps. I suppose it comes down to this: Do you know enough about pots to determine if a pot is good or bad? Do you know what your needs are? What information do you need to determine this for yourself?

 

I'm sorry, but personally I am wondering how many sock puppets Genady has? How many aliases does he post under? The questions being posed the last few days have been asked and answered repeatedly, if people would only take a few moments to search for them. This now appears to be a coordinated classic FUD smear attack.

 

So glad to hear from you XeroBank! No, I am not Genady, to answer your question.

Gmail itself offers webmail on https and SMTP and POP3 over ssl. I don't know where their servers are, but please enlighten me why your location is so much better?

I don't know much about pottery making. I know a bit more about security. And I know that the quality of security needs to be explained by giving facts. Facts that include, between the others, encryption algorthims used, reviews of the implementations of such algorithms, information about physical security of the servers used, or the measures adopted in order to secure such servers from cyber attacks (I am using this nasty word "cyber attack" in order to distinguish it from "physical security").
If on the website I read "The connection between the client and XeroBank Servers are encrypted using AES 256bit" I would feel more comfortable than reading something like "The data exchanged between the client and the server is impossible to read by anyone unauthorized".

Really, I am not saying that your service is not a valid one. I don't know much about it, and I can only judge it on what is beign announced. And reading how your OS is the most secure in the world or how your web browser is so safe to use even without AV and/or firewall makes me think that people who wrote your website doesn't know much about security. Maybe he is more of a marketing man? Might be... but maybe you could have some technician advise him.

To anyone out there, DO NOT TRUST anybody who tries to sell you some security application as the most secure.

 

As I already posted (if you had taken the time to search....) I think it is not common to go look on all forums for answers that should be provided on any website that sells security services; for me, appearing as a snakeoil is enough to go back to google and look for a different provider of a similar service.

 

I'm probably going to have to agree. I just laughed at the idea of webmail, and then I got asked where the webmail servers are located.

Here are some buzzwords and phrases that have been available in the past regarding the service: AES-256, BlowFish, 2048-bit DH Handshake, No logs, No servers with user data stored unencrypted, or in USA or UK, TLS-only IMAP mail on encrypted partitions, anonymous SMTP mail with stripped headers, OpenVPN with IPSEC cascade and load balancing, Multi-Jurisdictional Network, Anonymized account payment, etc. These sort of things sound like what you're looking for, but as I've said prior, no amount of questioning seems to satisfy, there's always more (the same) unanswered questions. I hope I don't get asked again, but hey, we can all wish.

 

Price is relative. To some people it's too expensive, to others it's a bargain.

We are living in the richest time in Earth's history, where billionares can be made overnight in the Information Age, and you are complaining that $35 per month is too much for something?

Maybe you should learn how to save money, invest it wisely, learn how to make money make more money (compounding) etc. It seems the problem here is not the $35 per month, but your lack of money and investment skills and your ignorance in how to create wealth.

For goodness sake, $35 per month is peanutes, many people spend more money per month on coffee.

 

Sorry if I missed it, but how are Xerobank and ShadowVPN different?

 

So is that part not accurate? About servers in DC?

Honeslty, I've started thinking twice about xerobank from some of these posts on this site, specifically the DC part and I don't really like a hop being in Houston (U.S.) I'd rather prefer everything off-shore. Also people talking about the "one-man" thing since like people are saying that if anything were to happen a "one-person" company probably wouldn't have the deep pockets to fight anything.

The services, anonymity and features that you claim to offer sound really good. This is what is making me want to go with your service. Your company sounds more interested in the users privacy than any other company. I've also notice that you seem to get a lot of grilling from people here but, you still stay here so that kind of means something to me. Even if people are trying to make your business look bad you're still here. I don't see any other companies doing anything like this. I guess if you didn't really believe in what you're offering you wouldn't be here.

 

Correct me if I'm wrong, but I don't believe IronKey comes with VPN - just a pirvate Tor.

 

XeroBank and ShadowVPN are drastically different. ShadowVPN is a vpn-only service, no mail, no storage, no voip, no unlimited connections, no multi-hop network, no frills. It is a single-hop service on par with say SwissVPN or PerfectPrivacy except that it is protected, serviced, and operated by Xero Networks AG of Panama corp. Pure VPN, excellent speed, and unlike SwissVPN and PP, servers aren't located in high-risk datalogging jurisdictions, nor is the corporation.

Of course it isn't true. That is just more disinformation that fearmongers spread. One of the big entry nodes is in Houston, but it doesn't matter because 100% of all traffic going in and out of it is encrypted, and it then hops internationally before going to your final destination. Unlike every other service out there, xb isn't a one-hop network, nor is the holding corporation in a high-risk jurisdiction like the US/UK/EU where subpoenas and court orders take an easy foothold. Nobody else does that, so it isn't a real surprise you didn't know, but hey, now you do.

Another obvious piece of disinformation. That is only said because I'm the only person who really makes an appearance here. By that same logic, everyone else is a zero-man operation, because they aren't here at all.

That is correct. It has something like 12 nodes, compared to tor's 2000 nodes, and the corporation is held and operated in the US, running an old and rebranded version of Tor and Vidalia.

 

While I appreciate the time you take in order to give explanations about the technical details, I am surprised that you call it "buzzwords". That is the basis of your service, meaning what exncryption algortihms you use and what privacy policy you offer. But I got what I was looking for: some objective means to judge your service, much different from "The most secure ever" thing on the website.
If you could better explain where AES-256 and blowfish are used, it would be great, but I don't wanna be accused of asking too much. I can easily guess what the HD Handshake is for

One last question (I promise, I won't be trying to look in deeper detail): Do you plan to offer an encrypted email service, meaning distrbuing certificates that would make only me and my receipient able to read an email? (I know what kind of technology I am talking about).

 

AES-256 and Blowfish are the encryption algorithms used to communicate from your computer to the XeroBank network, via OpenVPN TLS.

That capability already exists in our system, and we are adding PGP into our customized mail client so anyone can use public key encryption, or mail certificates for encrypting messages.

 

Wonderful. I think that encrypted email (and possibly signed) should be just the standard. And considering how easy and costless it is, it bothers me that it isn't.

 

Because only a "sock puppet" of Genady's could possibly question the great Steve Topletz?

No, I have no sock puppets in this discussion to make it appear there are more people that think like me. Insulting. I've been a member here a long time and have never pushed any products - ever. Look at my posts and until I became enraged at the truth-skirting by Steve, I was all over this forum posting on all kinds of topics. Steve showed up when he needed to market his Torrify XeroBank products. Steve, frankly, soured me on the site.

But since you brought it up......I've often wondered how many Steve Topletz uses (sock puppets) to push his products here. I think there may have been some that appeared to question him and challenge him that only set him up to explain something he wanted to attempt explaining! Users he seemed to be helping with "wonderful" customer service.

Two can play this game of sock puppet accusations, Steve. Why even go there?