Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Give it a few days. Could be wrong, but I believe Steve is currently out of town, in Las Vegas attending Defcon. I'm not sure if he's handling PM or responding to support questions while on the road, but he should probably return to a normal flow of business shortly.

    B
     
  2. genuser3948

    genuser3948 Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    2
    Many thanks, it's much appreciated. I'll wait until next week.
    Best Regards
    Jack
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'm back. What can I do for you?
     
  4. Nathan C

    Nathan C Registered Member

    Joined:
    Aug 12, 2007
    Posts:
    50
    Hello Mr Topletz:

    I've read through these postings on wilderssecurity which give more information on xerobank than the xerobank web site.

    Thank you for offering this novel service.

    There was discussion earlier that you can't expect even your users to trust you, especially at this early stage of xerobank. You addressed some of the concerns especially with respect to javascript.

    Yet, you are NOT consistent and that creates an image of unprofessionalism for the effort. Example: you tell new subscribers to turn ON javascript, namely:

    "You may need to enable javascript, but no worries, it puts you
    at no additional risk since you are already trusting XeroBank
    with your communications."

    What is the point of supposedly anonymous payments and anonymous signup if now you do not allow anonymous activation and proceeding of the account signup?

    I don't understand why you can't do a simple test of going through ALL steps and processes of signing up for xerobank using TOR, with the noscript add-on, and turning off java, javascript, images, etc., just like any other privacy/security-conscious person would do, and resolve ALL the inconsistencies that way?

    To allow the inconsistencies to remain pretty much destroys any effort to protect privacy in other steps of the signup/activation process.

    Nathan C
     
  5. jermsie

    jermsie Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    9
    This may have been covered before in a previous post but after trawling I couldn't find something that quite related to the situation.

    Over the past couple of months I have been testing 'torpark' on my pendrive just to see if it could actually get through the school firewall. I was successful once with torpark. This was some time ago. I've battled to try and establish a circuit, adding the necessary proxy ip for the school network and port 8080. I've had no such luck and I get a time out with the free version every time. I've tried the new xB Browser Demo, but I suspect school has detected xB and blocked it completely. I get a "proxy is refusing connections" when the browser opens. How can they do this? What ports does xB use to make a connection?

    The school's internet is pretty good. It's running on 10mbit fibre. All filtering is done offsite to a company called http://www.watchdog.net.nz/ .
    Quoting the website:
    "Our filtering technology is very sophisticated
    For example:

    * We do not block Google Images — we filter them so that you can still access 1000’s of wonderful images.
    * We filter https:(secure) sites - we have been doing this for years and many sites that we block are of this type.
    * We block anonymous proxies - We also block proxies via pattern recognition. This feature is continually being improved as new proxy signatures are added. This is the best form of defence against these 'cgi' proxies 'embedded' in web sites. We filter both http: and https: sites so proxies on https: are no problem."

    Network firewall is squidguard.

    The filter is set to block any site that contains words like "proxy" "tor" "hacking" etc etc. I can understand that there needs to be good protection in a school but when I want to research google or any security site it bothers me that these are blocked when they contain particular keywords. Last night I set up PHProxy on my server, removing all words attributed to the proxy itself, but they were fast to, I assume, manually look through web logs and block it off.

    But aside from that, xB Browser demo is really excellent! Great speed and very stable. Steve, it cannot be said enough how much your dedication is appreciated. I find anonymity on the internet highly interesting so watching developments in xerobank and tor is great.
     
  6. Nathan C

    Nathan C Registered Member

    Joined:
    Aug 12, 2007
    Posts:
    50
    Kinko's started blocking the xerobank site after a couple weeks.

    Proxify (a web proxy) gets around the Kinko's block by providing a number of alternative addresses to access. Some of those addresses are strictly https if I remember right.
     
  7. frager

    frager Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    5
    Hi Torrify,

    I have a few additional questions:

    1. I saw at your HowTos how to block all traffic without the connection to your server with ubuntu. Can you explain this for Windows Vista too?

    2. I am very interested in your Pro-Service. But to pay 105 $ and then get a bad speed or often disconnects is risky. Do you offer a test account for 2 days or a week? I would pay for it with Egold or credit card. Or do you offer a money-back guarantee, what could be difficult if it is really anon.

    3. Do you plan to add to the vpn-connection a ssh-Service. This would be an interesting feature.

    Thanks,

    frager
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I have the XB Pro VPN account and I have never lost a connection. It is running very smoothly. It is slower than my 10MB connection, but it is not bad at all. I am absolutely thrilled.
     
  9. frager

    frager Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    5
    Hi,

    what is your average speed and from where do you get it?
    Thanks,

    frager
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    First, let me qualify anything that I say by letting you know that I am new to all of this, so I do not know much. I know so little compared to most of the guys here that it is embarrassing. Talk to me about music theory or something else and I can hang, hehe! But I am here to learn.

    I have not tested the speed of my internet connection with Xerobank. If you know of a reliable method of testing it, let me know and I will test it for you and post it here.

    I used an IPhantom before this and it was faster, but there were some other problems, and why should I trust it? I have messed around a little with the free Torpark browser and the Vidalia bundle (with tor and Privoxy). But they are far too slow and could never be anything more than a toy for me to play around with. I will sacrifice privacy rather than have to suffer through that. I am far too impatient. But Xerobank kicks ass HARD in my opinion. I love it and am renewing my account.
     
  11. frager

    frager Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    5
    The servers are located in Germany, so I am interested in speeds that are near Germany. One test site is http://www.speedtest.at/speedtest1.php This server is near Germany, in Austria. This site makes a 2.5 MB download and tells you the speed of the connection.

    Or another test site in Germany is: http://www.speedmeter.de/speedtest/

    It would be very interesting what speed you get and can you please tell me from which continent or country you connect to xerobank?

    Thanks,

    frager
     
  12. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    XB 2.0.0.6a was released. :D

    According to Steve, on his personal blog:

    That's great. Are you sure this option is really enabled? We can't tell by looking at the browser (I was thinking you have developed some visible plugin). Well, I didn't make any tests even using regular Firefox.

    When I removed the sign/seal file (xml file placed on some different Windows directory) I noticed it was created by Internet Explorer (which I don't use anymore). This new version was downloaded and it's now installed and running.

    As for the favorites, it is possible to export all of them, by saving a single file (bookmarks.html). At least for now, only the usernames/logins/passwords were placed all over again, and also Firefox configurations. If you can make any tool to save them, it will be nice, and save a lot of time in the future.

    As for the updates issue, see these messages from his blog:

    anonymous said:

    Steve said:

    anonymous said:

    One thing I must say (it's not a big deal), just an observation. The default page of the Xerobank browser was http://support.xerobank.com/IPSpy which tells if you're using a proxy or not.

    Now the main page of the browser is google.com. Previous versions of Xerobank had the Google search toolbar installed and visible (and you're able to remove it, this is just a plugin). Now this tool has returned. It wasn't available on the last versions (or at least, wasn't visible on the status bar).

    What's confusing is the fact that Google has no respect regarding the privacy of any users, and I think we should not use their service (at least, their search engine).

    I share the same feelings about Yahoo (which you have blacklisted on XB cookies section), Microsoft, AOL and related. Instead we should look for other search engines, not so famous, who may use cookies or not ( www.scroogle.org is one of them, however it is not my favorite because it lacks more options). Scroogle at least doesn't keep logs and need cookies enabled.

    I am saying that also because when you try to use Google's website it says your proxy is infected by some spyware. This is a false warning, perhaps because Javascript is not allowed by default (this has nothing to do with cookies, which are enabled) and I believe after that you have to enter some image code and perhaps it didn't work out.

    As for this feature:

    - disable registry-based Firefox/Thunderbird Plug-ins

    Could you please explain what it means?
     
    Last edited: Aug 15, 2007
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This is not a Javascript or cookie issue - the cause is another Tor user being infected with malware that tries to DoS Google, resulting in the proxies they use being blacklisted. Aside from using Proxomitron with the Google-Scroogle Redirector (which detects Google's "Sorry" page and copies your search terms across to Scroogle) another option is a search engine like Clusty.
     
  14. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    frager;

    You would be extremely pleased with XB's speeds. I am delighted with them.

    I get about 1750 kb/s down and roughly 595 kb/s up with the straight VPN connection.

    Bear in mind there would be three ways to connect using XB: 1) Connecting directly using the XB browser 2) Using a straight VPN connection 3) Using a VPN connection and then connecting with the XB browser.

    I don't mean to be redundant here, but consider it a given that the more levels of anonymity you add, the slower the connection will be. Connecting through Tor will ALWAYS be slower. But you will find that connecting via VPN, and then through the XB browser/Tor is significantly faster than connecting over a standard broadband connection via say something like JanusVPN or Opera Tor...

    This is not intended as a slam against either of these fine products.. They are excellent. But speeds are decidedly slower...

    B
     
  15. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Thanks for your tips, Paranoid. :)

    Oh, I forgot to mention another thing about XeroBank.

    Please, see this thread:

    https://www.wilderssecurity.com/showpost.php?p=998727&postcount=22

    After you downloaded XeroBank for the first time, PrefBar plugin (which replaces the old RefControl add-on, like Steve explained before), has the option "Send Referrer" checked/enabled.

    I think this option should be disabled by default. I mean, if you click on this link: http://refspoof.mozdev.org/referrer.php your referrer will be sent. If you uncheck this box, no referrer will be sent. Until now, I don't see any problems by disabling this feature. If privacy is a concern, why leave this option enabled (by default?).
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Okay. I am out of town right now on a little vacation, but I will do this test for you when I get home.
     
  17. frager

    frager Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    5
    Hi Ballzo,

    thanks for your info. Do you talk about kbit or kbyte?

    And do you get this speed with one connection or multiple, for example by using it with BitTorrent...

    frager
     
  18. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Kilobytes..

    My personal habits dictate that I access single sites at a time.. I try not to drag things down..When anon, I expect things to be slower.. P2P is a whole other can of worms..
     
  19. QuestionX

    QuestionX Registered Member

    Joined:
    Aug 16, 2007
    Posts:
    28
    I don't understand. I am three hops back of my IP now.. so my IP would be the last node to receive from a ping. So how, without seeing my individual IP, which you can't, is anyone going to ID my system? So what good is trying to be a ghost when proxy servers do the same as regular IPs. You're just giving info to another IP (two instead of 1).. add VoIP and that makes three. I am too dumb to make any logical conclusions.:oops:
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You are only giving one IP, and that is the XeroBank IP, not your own. Only XeroBank knows how to send the information back to you.
     
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I think because there are a lot of sites that do use referrers, and like certain types of downloads, and this would break them. The concern is this: Would the users be more likely to have a problem with it checked, or unchecked? Maybe we should disable the referrer by default. I'll have to give it some thought. Do we know which major websites/services use the referrer?


    Also, regarding the registry based plugins. I found that there is a flaw or feature of mozilla where it allows plugins to be loaded into the browser even if they aren't installed in your profile! That means that if the admin of the computer has installed a plugin in such a way that it is in the registry, then suddenly it gets loaded into any firefox/thunderbird you pull up, in addition to all your regular plugins. Now imagine if that plugin is something like the Yahoo or Google toolbar. Horrific.
     
    Last edited: Aug 17, 2007
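
Added example, not part of the original thread and not XeroBank's code: a PowerShell audit for the registry-based add-on loading described in the post above. It assumes Mozilla's registry install locations (`Software\Mozilla\<app>\Extensions` and `Software\MozillaPlugins` under HKCU and HKLM); the function names are hypothetical.

```powershell
# Added example: enumerate Firefox/Thunderbird add-ons and plugins that are
# registered in the Windows registry rather than installed in a profile.

function Get-RegistryAddon {
    # Each value under an Extensions key maps an add-on ID to a path on disk.
    $keys = foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($app in 'Firefox', 'Thunderbird') {
            "$hive\Software\Mozilla\$app\Extensions"
            "$hive\Software\Wow6432Node\Mozilla\$app\Extensions"
        }
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $target = [string]$item.GetValue($name)
            [pscustomobject]@{
                Kind         = 'extension'
                Key          = $key
                Id           = $name
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-RegistryPlugin {
    # Each subkey of MozillaPlugins describes one plugin; its Path value is the DLL.
    $roots = 'HKCU:\Software\MozillaPlugins',
             'HKLM:\Software\MozillaPlugins',
             'HKLM:\Software\Wow6432Node\MozillaPlugins'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $target = [string]$sub.GetValue('Path')
            [pscustomobject]@{
                Kind         = 'plugin'
                Key          = $root
                Id           = $sub.PSChildName
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

# Report everything found; HKLM entries are machine-wide and apply to every user.
$found = @(Get-RegistryAddon) + @(Get-RegistryPlugin)
if ($found.Count -eq 0) {
    'No registry-registered add-ons or plugins found.'
} else {
    $found | Sort-Object Kind, Key | Format-Table -AutoSize -Wrap
}
```

Entries reported under `HKLM:` correspond to the administrator-installed case the post describes; the script only reads the registry and changes nothing.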
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Nathan,

    I think you are misinformed. You can sign up without javascript. However, I am 100% correct, if you are already trusting us with your traffic and not to tamper with it, it does not enlarge your risk domain. The essence is if we were malicious, it wouldn't matter that you didn't sign up with javascript, but then did any kind of surfing where a malicious company could alter what data you were getting. I'm not trying to give you an inconsistent image, but the situation is more complex and cold when it comes to security theory, rather than simple with warm and fuzzy feelings that you are safer because you didn't use javascript to create an account. That just is not true. Now technically, if you sign up then never use the account, or use all your surfing while totally blocking active content of all sorts, then it is more true, but not 100%. Consider a malicious exit node that could inject 0-day browser exploits, and it will never be true.

    You can. There is a little link for doing checkout without javascript.
    That link takes you to this signup page.
     
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    1. You already get this when you use xB Pro's xB VPN software. However, to be more accurate, there are things you can do with Linux that you simply can't do with Windows, the network stack is of a different design.
    2. We will have VPN demos sometime in the near future. Contact me offlist, I'll work with you.
    3. xB Pro is TLS VPN, xB Plus is SSH. Are you looking for something else?
     
    Last edited: Aug 17, 2007
  24. frager

    frager Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    5
    Hi Torrify,
    thanks for your answers.

    1. A question about your Windows Software Pack: If the connection to your server breaks down, my software reconnects to the server; does the software then connect with my real IP or is the Internet connection blocked? For example with the pptp-connection to relakks, after a disconnect from the relakks-server my software reconnects with my real IP.

    2. OK, but I do not have your email address. Can you please contact me at this mail address: frager ~at~ webtopio.com

    3. Sometimes I work on my computer and need to do some things with my real IP and some things protected with an anonymous connection. And then it would be interesting to not use a vpn, but use a prog like putty... and then connect for example some programs with the ssh-tunnel and some without ssh-tunnel. And this in combination with the great speed of the vpn servers. (Is it possible to use Anonymous IM / VoIP / FTP / P2P with the Plus Service o_O I think not)

    frager
     
    Last edited by a moderator: Aug 17, 2007
  25. Nathan C

    Nathan C Registered Member

    Joined:
    Aug 12, 2007
    Posts:
    50
    Hello Mr Topletz:

    Thank you for your answer.

    Unfortunately if you had read my question slowly, you would have understood that I am a subscriber, not a signup. The message I quoted in my posting was what Xerobank e-mailed!!!!!!!! Thus, you, Xerobank, provided the sense of inconsistency or misinformed me.

    However, you seem to be talking signups and I'm talking downloads etc once a person has signed up.

    Your other points are taken but frankly, most of your possible subscribers aren't going to understand those details but look at the black and white. When your own Xerobank message says that javascript might be required, what does that convey to the more dominant, novice users, who have noted that javascript is disabled for signup but possibly needed for downloading?

     