New Vpn Service

Discussion in 'privacy technology' started by badjoey, May 3, 2009.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I am SO interested in the reply to this. Finally, no tin foil "secret tools" stuff, no far out "1984" scenarios, just plain old "How long do you have our back?" questions. Your scenario is perfectly realistic and authorities have and will still toss you in a cell until you decide to cough up what they want. I'm awaiting a response to this with great interest. It's not a personal thing against you at all Steve, but Caix does have a good question.
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What-if scenarios? I love these.

    That's a loaded question. Just read our abuse report process flow, it goes into great detail about that.

    There is a little bit of structure you should be aware of:
    1. Xero Networks AG of Panama operates the services as far as I know.
    2. Xero Networks USA resells the services of Xero Networks AG

    So what would happen is that the US would turn in a subpoena to XN USA or me. I would deliver the request to XN USA. XN USA would send a letter asking XNAG to turn over records, XNAG would decline, case closed.

    I wouldn't be arrested for this, and I also have an affidavit of fact stating as such that I work for XNAG in a consultancy, giving me advisory but not authority to operations, and that is fine and normal. I won't be in contempt, so no need to arrest. Presuming I am arrested under a false charge, and I'm in a county jail, a writ of habeas corpus is filed and I'm released. If I am abducted to a secret detention, Xero would wipe out all my credentials and logins to the benign things I do have access to like the support system and exit surveys. I still wouldn't be able to render the info they want, nor would a request for it be accepted.

    I don't mind being arrested to protect legitimate clients who follow our TOS. If it's some terrorist bullshit or spammer they are not protected (if we verify that they are indeed violating our TOS). But for some agency playing the "terrorism" card, that just isn't going to fly, and it isn't going to stick either.

    He can expect me to spend not a day in jail. I don't have the names, passwords, or any other helpful information to give them, and I can request that the info be turned over but it won't be honored. XB's systems are designed very securely, and I have neither the power nor authority to reverse it.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think that sums it up pretty nicely. Thank you for taking time to reply and give us some insight.
     
  4. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I'll go a little bit further and ask:
    What if LEO doesn't believe that you are only a consultant for Xero Networks AG, and that you are actually the owner (or one of the owners) of such company? Of course, it wouldn't be easy for them to demonstrate it, but they wouldn't need to; you would need to demonstrate that Xero Networks AG is NOT yours.
    While LEO investigates about the people that own Xero Networks, they might decide that you could obstruct their work if left free, and they might decide to keep you in jail "for prevention". Also, they might ask you to cooperate with them (read: try to get information that you usually don't have) in exchange for your freedom.
    So the question is: how long would you keep your integrity and defend the legitimate user for? How many days would you spend in jail, without friends and family, together with "not-the-best-people-around"?
     
  5. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    That's the direction I was headed, but of course I was dismissed in the first line of the response with the "I love what ifs..."

    Steve, why are you so offended by people questioning xB services? Asking questions is the basis of anything analytical, and you are catering to a crowd that is going to be much more analytical than the average Joe, and want to know the how's, why's, and what if's of your business processes, and networks. But that aside...

    After reading through your flow chart in your response, one thought kept coming up in my mind. I have seen you time and again explain the practices that protect a user's identity at the payment level. From what I have read, the basic premise is, once that money is credited to an xB account, where it came from is not attainable, even from inside xB.

    If the above is true, as you have told us time and again, then how can your flow chart be accurate? If you don't really know who the traffic is from, then how can you run an internal investigation against that user, and turn the findings over to LE if they violate the ToS?

    The whole idea of xB (or any provider) advertising complete end to end privacy and anonymity, but readily admit that you routinely conduct internal traffic monitoring, and will turn findings over to LE in "valid"** cases says to me that my traffic and my identity at xB is no more safe than anywhere else - crowded, multiplexed, encrypted, etc or not. If you are capable of uncrowding, unmultiplexing, unencrypting, and reading and reporting that data, then my threat model has just changed back to my original question, of "Whatcha gonna do when they come for YOU?"

    ** as to a "valid" xB case, that to me is frightening. You are asking me to "just trust" you and XN, that if I have nothing to worry about you will defend my privacy / anonymity. Well, if I have nothing to worry about, then I'm not at all interested in services that protect me.

    Again, I am not here to fight, nor do I want the usual suspects to come in telling me how great your Johnson is, or the other side coming in riding my posts to "See its all a marketing ploy" - I am just trying to personally understand further the entire scope of xB/XN.

    At the end of the day, it seems to me that XN products (and their competitors) really are nothing more than an additional SECURITY / PRIVACY tool for a PC, not an anonymity tool. It seems I am only further protected from "hackers" on the net, and those of few resources.
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    That's not how the law works in the USA. The burden of proof is upon the prosecution. File a motion to dismiss with my appearance, and summary dismissal before any judge is granted as it should be. Common mistake, happens all the time to people.

    IANAL, but again, that is not how US legal system works. Writ of habeas corpus, I can't be denied my liberty without charges. Allegations that I might do such and such are not relevant except at bond hearing for well-laid charges; we call that pre-crime, and was well documented in Orwell's 1984. I simply can't help them with what I can't help them with.

    I don't have any information about users to divulge, so it isn't relevant how long they do or do not keep me, those are entirely independent events. It unfortunately is not a test of integrity, or a test of any kind (there is only one conclusion). If they kept me in jail till I was 100 I still wouldn't suddenly have information to give them.
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Have you stopped beating your wife? This is another example of a "loaded question", as I'm happy to answer these what-ifs, not offended.

    That's not the entirety of it. Summary collection of our databases by any 3rd party would not be able to correlate the Deposit Account to the Access Account. XN AG, the operators, are not prevented from tampering with their own system by anything but their integrity. XN AG is a trusted entity, so therefore you are trusting it to act as it says it will.

    The ARPF shows that the traffic would have to be traced back to an originating session. That originating session that enters the Xero system had to authenticate itself by presenting an encryption key and CNAME (cryptographic certificate). That CNAME is tied to the access account #. Terminating the user account is as simple as denying authentication to that access account #, and requires no in-depth discovery of any type back to the payment information (deposit account#) or IP address. IP Address is relevant to a trace for LEO, and still doesn't reverse who paid for the account, which would require cooperation from XN AG to do some type of poison token attack against itself (not likely!).

    That's not true. Never, not once, has XN AG ever produced or unmasked a user, their traffic, or given any logs or information to any investigative agency. Not through hundreds of subpoenas, thousands of requests, dozens of investigations, many years of attack, and a few close encounters with LEO agents, has Xero ever rolled on a user. It's all about integrity.


    Yes. You always have to trust someone or multiple someones. In the most insecure world we live in, the best method is to trust as few entities as possible, with as little and low risk information as possible, and only those with the highest integrity. Many privacy entities have good intentions, and sure, Xero is one of them. The difference is that Xero has the commensurate ability to maintain that integrity in the face of significant pressure due to its corporate structure, security infrastructure, legal stability, and personnel. That's a lot of trouble to go through, and worthless to go through if you don't have integrity.

    Considering the position of your oratory of loaded questions and strawman arguments, any observer could draw the conclusion that you're not here to find out information, but that your actions point to an intent to justify or promote a view you already have.

    It's fine if you can't trust others, I really don't like trusting either. The problem is that you cannot prove something by debate, only a) disprove it or b) fail to disprove it.

    The symptoms of a truthful statement being debated would be 1) failure to disprove the statement against proper questioning, and 2) consistent and bulletproof answers. Casual observers can see the results for themselves.

    And it seems to me you should investigate the terms privacy vs anonymity, and distinguish friend from foe.
     
  8. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Actually, you could not be more wrong. I have a very open mind about everything I encounter, even things I have preconceived notions of, and I am always open to being wrong, or having my mind changed.

    My line of questioning is honestly 100% driven by my desire to further gather information about xB's services, and decide if I want to use them. But that is something you will just have to take my word on, as pointed out in your quote, that cannot be proven, only disproven - of which I am fully aware of the conundrum of never being able to prove didn't / won't only being able to prove did / will and I don't envy xB or anyone else having to stand up to constant scrutiny by onlookers, but companies that wish to participate in sensitive areas can do nothing but deal with that issue - of which goes back to my intentions, how xB deals with that issue is part of my observation, and plays in my overall decision(s).

    Honestly, Steve, if you worked for me, and you in a public forum of any kind EVER started a response with a line like that, you would be promptly shown the door. As irrelevant as it may seem, and regardless if you choose to recognize it or not, you are dealing with a potential customer, with many others looking on, and using a statement like that, in an effort to illustrate a point or not, is grossly out of line, IMO.

    The question to taking offense stems from your overall tone in posts to people that question your service. You come off as if we have no right to question your company (which we still know nothing about) and services because "it's the best, and we should just take your word for that, because you know it is."


    I agree, 100%, but to me, I have to see that trust somewhere. The mere fact that the flow shows information turned over to LE, bothers me. Maybe I'm just looking too much into that one, but again, it comes back to, how much pressure is xB going to take for a user? [See more next comment]

    Can you provide any published cases where LE, in the US and PA have exuded strong pressure against any XN entity, and they were unsuccessful? If there are that many subpoenas served, surely there has to be a good number in the US, which would be subject to public record for us to view.

    Is there anywhere we can see ANY quantification of these events? I know one of the major privacy advocate organizations (EFF maybe?) routinely publishes cases in which they have taken up a case for someone in the courts, and they provide documents and details as to the nature of the case, their actions to prevent legal action, and the results. Does XN have, or intend to ever make this type of info available for prospective buyers?

    I get that shutting down an account that violates your ToS takes no knowledge of who the user is, that's not where my line of questioning goes, and you know it.

    I just want to be clear on the above, in short, XN can ONLY establish the following from internal investigations / monitoring:

    Source IP
    Destination
    Possible Payload (if not further encrypted prior to entering XN)
    Time details

    And those would be the only (tangible) details LE would receive? You mention the IP is relevant to LE, have IP details and or the above 4 types of info ever been turned over to LE, in any jurisdiction, in any way - or anyone outside XN?


    Agree.

    That's my whole issue here, and I think is most people's. You can't just say "Trust us" we want to see something. And other than big words and network theory, I, personally, have yet to see any tangible proof of XN's structure (not technological infrastructure) that tells me, yes I can trust them.

    Have I seen it from anyone else, no, but xB claims to be the best, so I want to see it from the best before I pass up xB and move on to the next provider looking for something to satisfy my standards.

    To me, "Trust us, we're good" is NOT a higher level of privacy or anonymization than using nothing.

    You or rather XN as a whole, to my knowledge, have not provided any details to your actual structure, other than basic "About Us" and your posts here. That does not satisfy the standard I believe XN should be able to provide, given their claims in the market area.

    I'm not going to trust a condom that comes with no real information about the company, or where to find it, no clinical to back up their statements, no tangible evidence that using it makes me any more safe than using nothing at all.

    There are plenty of cases of using something for protection just to use something rather than nothing, that have ended up with worse results than using nothing.


    I don't need to investigate any of your marketing materials (I have long ago read them all), and I know the differences in anonymity vs privacy, and my WHOLE discussion is centered on your latter "myth." All I am doing is asking reasonable questions about the service you advertise, in an effort to distinguish if xB provides the highest available service to my needs or if they are one of the "other guys." I don't believe any of my questions are out of line with that premise.
     
  9. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Steve, I agree with most of what you said, but as per the above, I disagree. Certainly that's the way it SHOULD be, but with the PATRIOT act, it is no more. This story from a couple weeks back says it all.
    http://www.wral.com/news/local/story/5049867/

    All they have to do is suggest XB is protecting communications of terrorists and they can hold you, without due process, for as long as they want. Again, see story above as one of hundreds of examples.
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I am not so sure that they will get away with that kind of thing anymore with all that is happening politically.
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I trust Xerobank because I trust Steve and his associations. They are well known human rights activists and privacy advocates and they have been very active in trying to be helpful in creating change in the world. Here is an old youtube video announcing the release of Scatterchat, which is a sincere effort to provide a secure means of communication for people living in places like China and the Middle East.

    http://www.youtube.com/watch?v=WX3RM87OXlc

    I have also read that they have done some work for the EFF, who I am also grateful for.
     
  12. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    That would be very naive to assume. Federal agencies do not care who is in power, and which party is advancing their respective agendas. There is VERY little association with federal agencies at the local level with the current administration, no matter who it is.

    I have watched the legal system from inside and outside, at just about every level, and you would be surprised at the ability to hold and lose someone "in the system."

    I would like to believe that Steve's plans for his "out" should they come for him work, but time and time again, I have seen them not.
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'm glad you're concerned for my safety. However, I think it is relatively established at this point that my safety or detention does not influence or relate to the safety of xb clients.
     
  14. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    Bravo! There may be others on this board that, unfortunately, don't have the same view.
     
  15. axle00

    axle00 Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    92

    You seem to forget that the burden of proof is on the accuser, not the defendant.
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I asked a legal buddy of mine over enchiladas today, he told me I would not be party to the suit, and a motion to dismiss would be in order as the court would not have a cause of action. However, if the prosecutor attempted a "diversity-jurisdiction" grab to try to wrangle ST & XN USA & XN AG, then I would go to a deposition, explain my non-managerial status and present my affidavit, and be dismissed from the suit.
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    How convenient.
     
  18. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    As much as I trust you Steve (mostly due to your associations), I don't think it could be as neat and tidy as you think. Did you actually go to the link I provided earlier? http://www.wral.com/news/local/story/5049867/

    That's scary stuff. Detained, no formal charges, no access to defense, no way to prove your innocence, you're just in legal limbo all thanks to the PATRIOT act. The story above is recent too, a lot of this is simply not changing anytime soon. Axle00, you're right, in theory. But with these alarming powers the feds have with PATRIOT all bets are off. The other thing to remember is XB's position on cooperating in a real threat (which would be a TOS violation), as one man's terrorism is another's simple activism. Sometimes the line is very narrow.
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    A federal agency may do something silly or stupid, that is out of my control. Don't worry about me. The only thing that matters is the integrity of Xero and the continued protection of our clients, which is well in hand even if I am disappeared, threatened, waterboarded, tickled, etc.
     
  20. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Since I have been quoted quite a bit, I feel the need to post again on this topic:

    Steve, I know how the law works in USA, in Europe, and in other countries; also, and especially, I know how the LEO works in USA, Europe and other countries. You can be sure that if LEO was after something they consider "important" and such something is taking advantage of the Xerobank Network, you would be personally in trouble, watched, probably jailed (not tortured, in my opinion :)), until you will cooperate at your best (just as a side note: THEY will decide when it is your best, not you). If you are telling us that you have NO information useful to uncover one of your users, not even names to give the LEO so that they can have somebody new to take care of, well this is enough for me. Now, I will only be waiting for your ISO:27001 ;)


    As already noted by other posters, this is how everything SHOULD work. Please, when writing such sentences, think about all the non-strictly-legal aspects.


    Steve, privacy and human rights activists, and your service as well, exist exactly for this reason: we are heading towards a pre-crime state, towards a 1984-like situation. Some of us, the people who can understand this and believe that it is not what we deserve, are trying to fight in some way. You are one of us, and in particular an estimated one of us; so, please, don't make the mistake to lower the attention towards what is going on, not even for marketing purposes.
     
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    markoman,

    I realize that things may go bad, but we try to avoid wet situations where we can. The reality is that I am not an interesting target for black bagging, and much more valuable to everyone if I'm in-play rather than in time-out. I'm not very attractive to squeeze for info.

    puffer_fish_thai.jpg
     
  22. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    I appreciate it. I would suffer imprisonment as well if I were in your shoes and had to.
     
  23. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Well, so make sure that the people who can be squeezed for information stay in the right jurisdictions ;)
     
  24. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Steve, does OpenBSD know you still their mascot? ;-) :argh: They want it/him/her back!
     
  25. blatnoy

    blatnoy Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    29
    To get back on the original Topic of the thread....... My free trial with Anonymator.cc just ended today. Is this the same for everyone else? I use Secretsline but I am curious to see if the free trial ended for others..
     