Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yahoo uses a special type of cookie that browsers miss that identifies you across sessions, Tor or otherwise. They use it under the banner of "security" for your login. This means that Yahoo would know it was you using any yahoo service, regardless of whether you were connected anonymously or not. xB Browser will do an automatic search & destroy for tracking data every time it launches. Gotta keep those sessions secure...
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    :D

    It doesn't exactly work like that. They can tell us whatever they want, but unless we review it and agree that it is what they say, we don't actively help.

    I think you can get a feel for the high standards of excellence we require from law enforcement by reading this: http://xerobank.com/leo.php

    Please read all of it.
     
  4. crash79`

    crash79` Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    114
    Location:
    Isle of Bute Scotland
    I signed up today but each time I try to get the registration number I am told that I cannot access the page because xerobank certificate expired on 28/05/08.
    Would someone from xerobank care to comment?
    John
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Well, the EV certificate DD is taking longer than they thought it would. I think we're going to have another cert issued for it tonight, regardless, if the EV isn't completed today.

    UPDATE Another certificate has been issued and will be installed momentarily.
     
    Last edited: Jun 2, 2008
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    As soon as you realize that one cake is not the same as the other, you can. This is similar to how many foolish anti-privacy ideologues say that you can't have security and anonymity. They aren't mutually exclusive, they are subsets of each other. It is the same here. You just need to understand the identity of the properties, and know how to acquire one without sacrificing the other. We accomplished this with the tracing by using a hybrid of computer and man. Computers are reliable at heuristic and probabilistic scanning. They have processing power but no intelligence, so they are excellent as a first-layer defense to retain both client privacy and protect against malicious traffic. The human comes in as the intelligence factor, and requires only ethics and reason, not massive processing power. Then the third layer comes in along with the second, which is administrative oversight to make sure all non-grey areas are dealt with, and grey areas are handled by a person, with tact and the users' privacy in mind.

    To those wondering about how tracing scenarios play out, it was detailed in this post and partially here.
     
    Last edited: Jun 2, 2008
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Correct, unless the activity was deemed malicious while live, and thus logged.
    We can tie that traffic to a user, but then we have to tie the user to a real person's identity, which is the problem.

    Mostly correct.

    None for the communication network are located in panama.


    That is why we are very careful how we pick administrators who hold keys, and that is why the trust in the keys can be revoked by another link in the xb chain. I personally am fine with going to jail to protect the privacy of our clients. I know one of our other admins, and I can say he is as sturdy as I am. If we are captured or don't report in regularly, our keys can be revoked, making them useless if surrendered. This is similar to a trust/nominee relationship.

    I appreciated your interest, but I think your criticisms require you to read more of the thread. All critical servers are segregated across countries, databases are not linked, multiple layers of encryption on drives, OS, and files, keyed logins, lots of defense in depth, and control of the system is decentralized by admins of different jurisdictions, no financial stakeholders have access to unencrypted data, checks and balances accomplished by ethics advisor and key revoker, and revoker control is external. This wasn't built overnight, and further rollout of development doesn't get to happen overnight either. So a hollow porcupine is a pretty good analogy IMHO.

    Waking up four people and descending into the depths of the routers, and getting a green light from the ethics advisor.

    None. We find exactly what we are looking for or nothing at all.

    detailed in prior post in great detail.
     
  8. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I think these quotes just about sum it up. You've actually been very honest. I don't see how anyone can criticize you. You've acknowledged that you cannot provide what Tor provides (e.g. anonymity). You've acknowledged that it is possible (although difficult) to trace traffic from the originating IP to the website in question. You've acknowledged that if your people BELIEVE that a customer is violating your terms, you'll be willing to cooperate, and you'll likely take pleasure in doing it. What more is there to say? Your service cannot be compared to Tor in terms of security/anonymity. By your own words, it should be clear to anyone that your service would best be compared to other privacy services, not a true anonymity service like Tor.

    With Tor, a person can do things that you happen to disagree with and still maintain their anonymity. In other words, only one person knows what really happened. And I'm not going to get into a debate of how difficult it would be to track someone through Tor. The only issue is that it would be much easier to track someone through your system. With your service, a couple gray-hairs think your traffic is inappropriate, and you're in trouble. So, I object to Tor even being mentioned in this thread. Your service is about privacy. Tor is about anonymity. They're different things entirely. Don't get me wrong. I'm not criticizing your service in any way, and I think you probably provide one of the best paid privacy services. But you don't provide anonymity.

    I guess I'll ask a few more questions. Where precisely are all of your servers located? How many hops does the traffic take before reaching the destination? Is it encrypted/decrypted 3 times like Tor? Do you make sure all traffic is routed to more than one country?

    Is there a single point of failure for your operation? In other words, is there one central location where pressure could be applied to bring the whole operation down (or otherwise coerce cooperation)?
     
    Last edited: Jun 2, 2008
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I will have to admit that I get paranoid about that sort of thing sometimes. But I am hoping that it is just paranoia. Surely they have better things to do and bigger fish to fry.
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I would think that would be the easy part. I mean you will have the IP address, right?
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Well, not entirely. I do think it is anonymity versus just privacy. The way anonymity in Tor can be broken is the same way it has to be broken for XeroBank: collusion among operators. The only problem is that massive amounts of tor nodes are run by colluding groups.

    I would personally take pleasure in helping track someone trying to do money fraud, that would be nice. It sends a message to the fraudsters that they aren't welcome. Short of that, I don't think it would be very fun. It would be a lot of work.


    Right, but the only things that someone could do with tor that they couldn't do with xerobank is distributing child pornography and making bomb threats. So, yeah, Tor definitely has that *advantage* on XeroBank, but only at the cost of moving at dialup speeds. A good trade-off! Some people need those advantages, and XeroBank is not for them. For everyone else, it's an attractive option IMHO.

    Switzerland, Malaysia, Ireland, USA, Canada, UK, Netherlands, Sweden, Japan, and China. Probably more that I don't know about.

    Depends on the traffic. UDP/TCP traffic does 2 hops:
    User -> XB Entry(Country A) -> XB Exit(Country B) -> Destination

    If it is mail or data storage, it travels through three or four hops before the destination.

    It is encrypted across each node like tor. And unlike tor, we do true channel multiplexing for low observability.

    Absolutely. No routes are allowed to use the same country. If you were a US person using xb, and you selected XB exit for USA, your traffic would hop from the US to say Switzerland, then back to the US, then to your final destination.

    In my opinion, no. In a public legal stance, I would say the only "weak" point would be the criminal court of Panama. But then you have to get subpoenas at all the servers as well, which are all in different countries. :)
     
    Last edited: Jun 2, 2008
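    The country-separation rule SteveTX describes above (a two-hop route where the user's country, the entry country and the exit country never repeat on consecutive hops, while the chosen exit may be the user's home country) can be expressed as a small route selector. This is an added example written for this thread, not XeroBank's code; the node names and the inventory are constructed, and the countries are simply some of the ones listed in the post.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str     # hypothetical node label, constructed for this example
    country: str  # ISO-style two-letter country code
    role: str     # "entry" or "exit"


# Constructed sample inventory (names invented; countries from the thread's list).
NODES: List[Node] = [
    Node("entry-us-1", "US", "entry"),
    Node("entry-ch-1", "CH", "entry"),
    Node("entry-nl-1", "NL", "entry"),
    Node("entry-se-1", "SE", "entry"),
    Node("exit-us-1", "US", "exit"),
    Node("exit-ch-1", "CH", "exit"),
    Node("exit-jp-1", "JP", "exit"),
]


def route_is_valid(user_country: str, entry: Node, exit_node: Node) -> bool:
    """The rule from the thread: no two consecutive hops may sit in the same country.

    The user's own country is the first hop. The destination is not constrained,
    and the exit may legitimately be in the user's home country (US -> CH -> US).
    """
    if entry.role != "entry" or exit_node.role != "exit":
        return False
    path = [user_country, entry.country, exit_node.country]
    return all(a != b for a, b in zip(path, path[1:]))


def choose_route(user_country: str, exit_country: str,
                 nodes: List[Node], seed=None) -> Tuple[Node, Node]:
    """Pick an (entry, exit) pair for a user who selected a given exit country.

    Raises ValueError when the inventory cannot satisfy the separation rule,
    so a caller never silently falls back to a single-country route.
    """
    rng = random.Random(seed)
    exits = [n for n in nodes if n.role == "exit" and n.country == exit_country]
    if not exits:
        raise ValueError(f"no exit node in {exit_country}")
    # The entry must differ from both the user's country and the exit's country.
    entries = [n for n in nodes
               if n.role == "entry" and n.country not in (user_country, exit_country)]
    if not entries:
        raise ValueError("no entry node satisfies the country-separation rule")
    entry, exit_node = rng.choice(entries), rng.choice(exits)
    assert route_is_valid(user_country, entry, exit_node)
    return entry, exit_node


def describe(user_country: str, entry: Node, exit_node: Node) -> str:
    """Render the route in the notation used in the thread."""
    return (f"User({user_country}) -> XB Entry({entry.country}) "
            f"-> XB Exit({exit_node.country}) -> Destination")


if __name__ == "__main__":
    e, x = choose_route("US", "US", NODES, seed=1)
    print(describe("US", e, x))  # e.g. User(US) -> XB Entry(CH) -> XB Exit(US) -> Destination
```

The point of the `ValueError` branches is that a route policy like this only means something if the selector refuses to build a route when the inventory cannot honour it; a US user asking for a US exit from an inventory whose only entry node is also in the US should get an error, not a single-jurisdiction path.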
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    It's our prerogative to cooperate or not, unless they have a subpoena from panama. If they didn't violate the TOS / AUP, it isn't even our prerogative. We can't cooperate with that and we'll fight it on every ground. If some group comes and says "it's terrorists!" the response will be "fill out the forms and we'll get back to you after we review the data, and don't forget to send us your detailed evidence."
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I am glad to hear that you would not just take somebody's word for it. I did not use to worry about anything like I do now. But I do blog about some very liberal issues concerning religion and some political views etc. I am thoroughly pissed off at George W Putin and Company and I like to feel free to blow off a little steam here and there when I want to.

    I'm more of the peace loving hippie type and I like to express opinions about social issues. Maybe I'm being crazy but it scares me now. And my ISP is so conservative that they refused to show an ad against a local conservative politician. It was an ad that ran on all the major networks. And I have heard many other stories about them as well. It makes me feel afraid to express an opinion. I feel uncomfortable going to Americans United for the Separation of Church and State now and other websites like that. Maybe I have a psychological problem and am just overreacting, but I hear about things that I just can't believe. And like that guy said, someone could try to lay something on you that is not real just for having an alternative view about things. I have always been under the impression that you and the members of the CDC are free thinkers and are very open minded, and fair minded people. And I cannot imagine that anything that I do personally would in any way show a disregard for your terms of service. So I feel comfortable where I am and I appreciate the reassurance.
     
  14. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Is it that simple? There are a few things I would like to point out. First, your prohibited activities (obtained from your website) are more than you mentioned in your post. Second, nothing is ever as black and white as that. From my experience, most things are a shade of gray.

    Let me give you an example. Remember that FBI link designed to entrap people with underage porn. One click and off to jail. It's been clearly shown to me that there are numerous ways to get transferred to the FBI website without having any intention of viewing any porn. What happens if you get hit by a subpoena from the FBI for that? Their strategy is pure garbage and is sure to get many false positives, but you might be faced with it. And wouldn't the combination of using a paid privacy service plus clicking the FBI link be an automatic 2 strikes and you're out. They wouldn't have to find anything on the user's computer. Those 2 factors combined would probably be enough for a conviction. And the FBI doesn't look at the referrer when their website is visited. Their system is streamlined for a quick and easy conviction. They don't want too many facts getting in the way and hindering their investigation or possibly letting the "perp" off. You live in the US. Wouldn't you be forced to comply? Couldn't you then force others to comply? Would you go to jail for someone who you know to be 80% likely of intentionally clicking that link because of the 20% chance that the customer didn't intentionally do it?

    Also, what does "underage erotic materials" mean? If you're a Bible thumping wacko, then 10 to 20% of what's on youtube or myspace would be considered underage erotic material. And, no, I'm not exaggerating. How old is underage? What is considered erotic? I can tell you for a fact that people have been convicted for far less than what you would find on the National Geographic channel or on youtube or myspace for that matter. Saying that the law, even in a single country, is arbitrary and not evenly applied is an understatement. What happens if a user accidentally downloads something that might be illegal? Do you cooperate for downloads or only for uploaded material? I can tell you for a fact I've downloaded things I didn't want to download. Things can be mislabeled. People in the US have gone to jail for taking pictures of their kids in the bath.

    (Removed specific example)


    I'm not entirely familiar with your service, but is it possible for one of your customers to be hacked (through some vulnerability in the customer's computer) so that the intruder's traffic would flow through your service? Do you take anonymous subscriptions? Wouldn't it be possible for someone to sign up, then as an extra precaution route all of their traffic through someone else's wireless connection?

    What constitutes a threat of violence? What if I post the following somewhere:

    "Man, if I ever get my hands on you, I'm going bash your skull in and rip your eyes from their sockets. Then I'm going to really hurt you."

    OR

    "That guy cut me off. I wish I had taken my baseball bat out and bashed his brains in. If I ever see him again, I'm going to do just that."

    These sound like threats to me, but it's not something that I would get overly worked up over or take seriously. Would you?


    What if someone visits a white supremacist website and proclaims "We should kill all N***." I think that's protected free speech. Do you?

    What if someone from the US visits a site known to be frequented by Al Qaeda? And he says something like:

    "The US is becoming too powerful for its own good. I'm with you brothers...."

    Free speech, right? Well, I doubt the FBI would think so.

    What if you received a subpoena from the MPAA or RIAA claiming that someone is making available copyrighted works through file sharing or usenet, or whatever? That would fall under your prohibition of theft, right? You live in the US, right? Couldn't you get in trouble? I can probably give you an example for every one of your prohibited activities, but I won't. Between copyright violations, "underage erotic materials", and threats of violence (aka "the big three"), when interpreted very broadly, you're probably talking about 30 to 40% of internet users (my guesstimate).

    I'm just pointing out that you will almost never face a situation as cut and dry as you're making it out. And, really, when you take into account all of your prohibited activities, what's left? You've pretty much included (with a few exceptions) everything you could possibly catch heat for. Are there things on your prohibited activities list that you would just cancel an account for rather than cooperate with a subpoena?

    Your conduct policies are probably comparable to most services, so I'm not criticizing you in particular. And, you're the only one that I've ever seen actually discussing this honestly and openly, so I applaud you for that. I'm just saying that, in my mind, the average user can run afoul of your policies more easily than you're letting on.

    How liberal are your people? How compelling does the evidence have to be? Have you actually considered such scenarios in depth? Can you give concrete examples of what you believe would be a violation of your terms?
     
    Last edited: Jun 4, 2008
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I think the statement sums up the tone: the only things you can do with Tor that you can't do with XB are those that are personally harmful to other people. That is the advantage that Tor has.

    Good question, 4 defense responses:
    0. XB won't accept such fishing tactics as a legitimate request.
    1. FBI subpoenas are not recognized in XeroBank's legal jurisdiction. They'll have to file in the PCC, which likely won't accept them either.
    2. XB doesn't create logs of things like that, the computers only look for malicious traffic. Therefore, even if subpoenaed effectively, xb has no logs to provide.
    3. If an intel service requests data for an illegitimate or politicized purpose, they will burn their relationship with XB, which they don't want to do.

    I think I would rather not, considering that circumstance.

    No. The others would request the legitimate data from me, for which I would be unable to provide any verifiable information, and any of my access to xerobank would be revoked.

    The short answer is "Yes", the longer answer is "I won't be there for long." It's all part of being principled and willing to die for what you believe in.

    I think it means erotic materials depicting (minors) below the age of consent for your jurisdiction.

    Accidents happen. I can't tell you how many times I've downloaded something and it wasn't what I thought...

    It would be easier to say neither. Downloads almost certainly don't create any malicious instance. We don't allow seeding of torrents, so uploads are out of the picture. That kills a lot of any requests we would have.

    Anything is possible.

    XB does indeed take anonymous subscriptions.

    I suppose. Make sure you have their permission :)

    Something that a reasonable jury of your peers would consider a credible danger against another's health, I think. Everything is context, so a single sentence doesn't tell much.

    No, I don't think so.

    It doesn't sound like a credible threat, but that is for ethics guys to figure out, if it gets flagged, which it likely won't.

    Showing support for a movement isn't a free speech violation under the UDHR. That is for an intelligence service to investigate if it is noteworthy, not us.

    Sometimes this actually happens. When it does, xb finds out what traffic they are talking about, investigates it, and if true xb would block the torrent upload. If the user is persistent in upload attempts, their account would be blocked and they would be notified. If the RIAA wants to pursue it further, xb will be happy to charge the RIAA $700/hr for research, which likely won't yield anything, and then must be subpoenaed from Panama.

    Trouble can always come knocking, but no. Ultimately I'm not responsible for xb's actions, I just have very strong faith in them. I am a consultant/advisor, not an employee. I own no part of xb, nor do I control its resources and activities.

    Sure. Anything we see as truly malicious.

    You'll have yet to meet one. XB is pretty good about handling those situations for the best outcome of everyone involved.

    Well, Michael Badnarik is our ethics advisor, so you tell me. :)

    Enough for the criminal court of Panama to say that it is a crime in panama and that it carries a minimum two year sentence. Today's political climate in the US and UK makes such a position untenable for most corporations. That is why Panama was chosen as the place of incorporation, I think.

    Sure:
    1. Uploading/seeding/distributing cp/copyrighted works which you don't own the copyright to
    2. Network vulnerability scanning
    3. Making credible death threats
    4. Fraud: Selling "male enhancement" pills
    5. Sending out an email to 25k recipients
    6. "419" scams and payment/pyramid schemes.
     
    Last edited: Jun 4, 2008
  16. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    You've masterfully skirted the issue. I know you don't want to answer the question, but you had better have that in the back of your mind. If you look at a lot of the high profile cases, they usually don't involve hard-core porn (which I understand is actually rare). They often involve non-pornographic porn, as I would call it, often with no nudity. And remember that nudity is not illegal (I believe in the entire Western world). Law enforcement often ignores the law and goes after people who clearly have not violated the law. Why? Because they know they'll get a conviction anyway. That's because juries will absolutely ignore the letter of the law and convict anyway if they get a bad feeling about someone. It happens all the time.

    Are you qualified to make those decisions? Do you realize that it's illegal for you to even look at the images (if they are indeed illegal) to make those decisions? You can't have your committee reviewing this stuff, passing it around the table or projecting it up for everyone to see. Bottom line. You can't look at it, therefore you can't make the decisions you state you'll have to make. And I'm not sure you would have anyone qualified to make those decisions anyway.

    So, now what?


    Funny man :)
     
  17. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Malwaretesting, You asked several excellent questions. Especially the grey involved in so many of these decisions. In the USA some local prosecutors are actually calling fully-clothed kids "child pornography" and calling pictures from so-called "child modeling sites" pornography. While it's certainly not my cup of tea, that's a slippery slope. I mean, the Sears Sunday paper insert would qualify if it was downloaded! The FBI's "click-a-link, expect-a-raid" example was another good area of grey that shows that things are almost never black & white.

    And Steve, I have to hand it to you, for the most part those were very solid answers.
     
  18. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Bizarre. We posted at the same time. When I said, "for the most part" about Steve's reply, your example was my example. It's the "slippery slope" syndrome.
     
  19. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Yeah, we had some of the exact same points, posted at the same time. :thumb:
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Child Modeling sites... that would be a waste of everyone's time, again, something they *might* be able to enforce in a Panama criminal court (extreme doubt), but that will certainly not be considered a willful violation of xb TOS/AUP and that would burn their professional relationship. Regardless, you could label anything as child pornography, and claim "well, you can't look at the evidence." Sorry, then xb can't cooperate if they can't verify your claim, unless you go get a court order in the jurisdiction of competency.

    I need to redact a statement about "it's terrorism". That isn't entirely correct. We won't accept all claims under the "terrorism" banner. In fact we won't accept most. It has to be a provable life or death situation, in which case we will actively be involved. Of course, if it was really terrorism, they wouldn't call us, the superpowers would come into play to do massive IX monitoring.
     
    Last edited: Jun 4, 2008
  21. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77

    Okay, I'm going to let it go at that. But let me point out that people in the US do get convicted for very little and with little evidence. Oftentimes the only evidence they find are one or two questionable (and tiny and blurry) thumbs in a thumbs.db file. That along with circumstantial evidence (e.g. ISP records) is usually all that it takes.

    From what I've read, they don't often get people on what would be considered real porn. So, when you were saying that you would gladly cooperate on CP investigations, I had to scoff a little because I wasn't sure you fully understand the sorry state of affairs when it actually comes to investigating this stuff. The people who actually do this stuff are usually too good to be caught like this. The people who often get caught up in this stuff are often innocent. I remember reading a story about a guy in Australia who accidentally downloaded one (that's right, ONE) picture. He even went to the cops and showed it to them. He was tried and convicted because he waited six months to get around to showing it to them. He waited too long in their minds, so he must have enjoyed it. o_O

    And my example of accidentally downloading potentially illegal material is not a triviality. The subpoena you get could be for that person. This is not an infrequent occurrence. You could use whatever procedure you want to verify it and determine that it is actual porn. But the person could still be innocent.

    I'm going to leave this thread at that. Feel free to respond if you wish. But unless you can provide a compelling argument, I think I've demonstrated the value of Tor (as close to true anonymity as we have now) and leaving human beings out of the equation as much as possible. I think you're a good guy, and people would be in good hands signing up for your service (for the combination of speed and security). From your description, your service seems as good as I can expect, so I can't hold anything against you. But I'll point out again that Tor provides anonymity and you provide privacy.

    If I need speed and good usability (with high security/privacy) for something, I would trust your service. If I need true anonymity where I don't want to let my fate rest on the better judgment of any person, I'll use Tor. That's just my opinion, and I believe it to be well grounded in fact.
     
    Last edited: Jun 4, 2008
  22. justwonderingby

    justwonderingby Registered Member

    Joined:
    May 27, 2008
    Posts:
    10
    Location:
    USA
    Xerobank looks like a great service, but when I went to their website today it says that their personal service is "coming soon."

    How soon? How much $?
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Are you referring to the Crypto Router? I saw that too. I am definitely curious.
     
  24. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    When it comes to which service to use, it's Xerobank. I hope the trust is deserved and I think it is. There are a lot of questions unanswered that I'd like to see answered (ownership and that kinda thing) but my research tells me Xerobank is the way to go. Thanks for all the work Steve!
     
  25. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Thanks for all the positive support. XB2.0 should launch shortly. The integrity check for the US ThePlanet entry node still needs to be run, otherwise we're good to go. I expect we'll have the File Vault up and running sometime this month as well, if things go without a hitch.
     