New Vpn Service

Discussion in 'privacy technology' started by badjoey, May 3, 2009.

Thread Status:
Not open for further replies.
  1. geazer40

    geazer40 Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    128


    Well, I stopped using them yesterday anyway, just in case. I am just using the free JonDonym at the mo; was gonna try their 3 mixes services.

    i think with me personally i need either mixes price or if not mixes different servers you can select
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    You got that right. This is basic stuff which begs the question: Are these VPN providers who claim this truly in the dark and clueless or are they blatantly deceiving their customers? I have my opinion.

    I've seen this latest spate of new VPN providers and have wanted to try them out but I'm in the process of moving (nothing worse) and haven't had time to hardly turn around. I am also with Steve that I believe many of these new privacy services are simply reselling the services of others.
     
  3. blatnoy

    blatnoy Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    29
    Would this still be the case if you used only their SOLO, which is a server in Japan? They also have servers in Malaysia and Panama. Would these servers be logged by the upstream provider? And if so, would they not be encrypted and unknown to the upstream provider? I understand the EU logs 100%, but doesn't Xerobank have a server in the Netherlands? And for that matter the USA? So I am assuming they are making the same argument you make when people question you about why a server in the US. I thought your reasoning is that it is "hopped" from a "no logs" country and all traffic is encrypted and the USA server never sees anything. Wouldn't this be the same as their DUO service? I.e., Japan hop to Austria.
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I don't presume to speak for Steve, but I don't think he's necessarily talking about strictly legal, government-imposed logging. These upstream providers log for their own quality service and technical issues. I may be wrong, but I think that's what he's saying and he's right.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    All first-world and nearly all governments with tech infrastructure have data logging privately imposed, even if they don't have a Data Retention law imposed. Datacenters and IXs are also known to do this for datamining. This is what our blackhat talk is going to be about.

    We can have XeroBank in any country we want without being subject to the same shortcomings as other VPN service providers. Why? Five simple things: 1. Multi-hop Network, 2. Jurisdictionally-Aware networking, 3. Multiplexing, 4. Crowding Optimization, 5. Incorporation outside of the US/UK/EU.

    Nope. They are missing the most important things: multiplexing, so their traffic is easy to correlate, and crowding optimization, which means if there are too few people using that route you are automatically deanonymized. Considering how foolishly their network is set up, it would be safe to assume they do not have jurisdictionally aware networking either, which means they have no idea about the laws that affect their traffic, users, and upstream providers. Considering that they don't have any information about who designed the network, any reputable security researchers involved, nor any corporation, it might be inferred that it is a sole-proprietorship, which renders users and anonymator defenseless against a court order. Just another VPN gimmick.
     
  6. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Excuse me Steve,
    doesn't the "double-hop" VPN these guys sell require the cooperation of at least two different entities (the two ISPs that give them connection) in two different countries to be broken?
    Considering that one of these two countries is Japan, wouldn't it be quite hard to do? I think that this shows some kind of "Jurisdictionally-Aware networking".
     
  7. Meitricsu

    Meitricsu Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    9
    I got a free account too. It's quite easy to install and use, but there is a very strange thing: in DUO, the speed is greater than in SOLO. What the fudge? I understand that in DUO it passes the same relay in Japan and it adds a second one, in Germany. So, how come in the same speed test (Giganews test), SOLO has an average of 600-700 Kbps and DUO has an average of 3700-4000 Kbps?? (Both in first and second test from Giganews)
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No. That is simply node distribution, not jurisdictionally aware routing. I'll give you an example. We have a private node for Switzerland exits at XeroBank. However, we know the law in Switzerland, and we know what isn't in the law but is done anyway: Switzerland stores all email traffic, not just their own, but all email traffic routed across Switzerland. So if, say, you had a node in France and one in Germany, you think you're smart and just send email through. Well, if the datacenter in France is peered to its uplink in, say, Switzerland, or you use the Switzerland exit directly, all your email just got intercepted. One live example you can see on XeroBank is email from Canada. If you try to send an email while connected through Canada, it will automatically reroute to exit from Netherlands. Why? The uplinks in Canada have a very tight leash on email traffic. Another example is our Netherlands exit node. Want to exit through Netherlands? Well, the EU does data retention/logging. With the user in mind, we first route through a country that doesn't have data retention, either on the books or off the books, multiplex the traffic so the two countries will have a hard time colluding, and then let it exit through Netherlands.

    You should presume that countries collude with each other on traffic analysis and share information/access to core level routers. Why? Because they do already. This is one reason why Russia is a terrible place for privacy. They have only two IXs in the whole country. Two central locations for tapping all the traffic. And they do and it is.
     
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    If I don't get it wrong, when using Xerobank and exiting from Netherlands, the user is using a US gateway as first hop... the US "doesn't have data retention, either on the books, or off the books"?

    Excuse my ignorance, but I don't get what "We have a private node for Switzerland exits at XeroBank" means. Will you explain? Thanks.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    My understanding is that the US has a live correlation engine built on target escalation, but has not imposed retention/logging of all traffic. I'll get a confirmation of this shortly.

    Not all XeroBank nodes are open to all XeroBank clients. Some clients have private exit nodes and entry nodes available only to them, some are test nodes for peering or other internal uses. When we turn on a public Switzerland node, you'll get that benefit as well. Knowing who does what, on and off the books, requires government intelligence and operational intelligence.
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    US has wiretaps and routertaps, no datalog/dataretention.
     
  12. bodo

    bodo Registered Member

    Joined:
    May 6, 2009
    Posts:
    1


    I also noticed it.
    As I explained - the 2 servers that are used for DUO are located closer than the one server that is used for SOLO. Therefore, connection speed varies.
     
  13. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Hmm. Did we just catch a sock puppet? Bodo - this was your first post, yet you write "As I explained....."
     
  14. blatnoy

    blatnoy Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    29
    Surely you're not that naive........

    Echelon
    Carnivore and those are old
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I stand by what I've said. Don't attribute supernatural power to any program. Government agencies and their programs are more incompetent than you realize. Echelon was a surveillance system in the 80s/90s as a joint program between the US and the UK, targeting primarily micro-wave and satellite transmissions, and not fiber-optic lines (the internet). Carnivore is simply a routertap aimed at a target user.
     
  16. blatnoy

    blatnoy Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    29
    Come on man, it is common knowledge that the NSA is logging EVERYTHING in the USA.

    http://www.wired.com/science/discoveries/news/2006/04/70619

    First sentence of the article

    "AT&T provided National Security Agency eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data-mining equipment installed in a secret room in its San Francisco switching center, according to a former AT&T worker cooperating in the Electronic Frontier Foundation's lawsuit against the company."

    And this is from Xerobank's website

    http://xerobank.com/news/2009/bush-...fourth-amendment-did-not-apply-to-nsa-spying/
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Access != Processing. Come to my blackhat talk, I'll be explaining the NSA's operation in depth.
     
  18. blatnoy

    blatnoy Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    29
    From the same article

    http://www.wired.com/science/discoveries/news/2006/04/70619

    "While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein wrote.
    The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, according to Klein's statement.
    The secret room also included data-mining equipment called a Narus STA 6400, "known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets," according to Klein's statement."

    And this is just the stuff we KNOW about...

    I probably can't make it to your talk but I would be very interested in watching it online.
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'll send you the video link of it when we do it. :)
     
  20. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Although I would really love to come to the BlackHat in Las Vegas and meet you in person, for this year I only got to attend the European edition. Will you post on here links to video/presentations you will use?

    Thanks a lot
     
  21. geazer40

    geazer40 Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    128
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Seems like we did see a gimmick. When did he explain earlier?
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Will a video be available somewhere for download?
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Naturally.
     
  25. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    I'm just curious, and this is in NO way meant to incite a flame war, but I have a scenario that I have been wondering about:

    Mr X is involved in activities classified by the US as cybercrime, and the lines gray over into the patriot act and terrorism, but it is not clear cut, it is only suspicion and for the sake of the argument the govt is using the patriot act and terrorism claims to push a phishing expedition against Mr X, who may be doing illegal stuff or may not.

    The US tracks him to the xB network, and gets the State Dept to have all jurisdictions xB servers are in to serve warrants for not only the hardware, but also source code, full access, and cooperation "decoding" traffic.

    xB kindly says blow off, and we will assume so do the datacenters.

    Since xB is so "hidden" as to who they are, and you Steve are the face of xB for all practical purposes, the US govt serves you with warrants, which you refuse. A federal court in Dallas (I assume that's where you are) hauls you in and gives you the option to provide the data, help, etc in the warrants, or you can go catch 3 hots and a cot for contempt and then obstruction if you hold out on the contempt.

    How long are YOU, Steve, going to sit in Dallas county jail (one of the worst in the state next to maybe Denton - since they aren't likely going to hold you in a federal holding cell for months)?

    How long can Mr X expect that you are going to sit and rot for him before you start giving up names, passwords, and other helpful information, esp considering Mr X may or may not be doing illegal stuff?
     