need advice

Yes, you can use Tor, Vidalia, and Firefox inside of Sandboxie, and that should provide very good security. Even if Tor could somehow magically allow someone to control your whole system, that would be prevented when it's run in a sandbox.

I'm about done with this forum. I've spent too much time here already. I'm hoping they implement some kind of rule limiting the posting by commercial services to general forums, perhaps limiting them to only responding to posts about their services. There's something very unsavory about XeroBank commenting on Tor, Anonymizer, and a whole host of other services. And there's something unsavory about XeroBank being the first to respond to a general request about privacy software.

Bye.

 

For the attack that we will be demonstrating at defcon, Sandboxie will not prevent it. Not even your firewall will be able to see it or stop it.

While the resulting conclusion of the implementation flaw in the current tor network may leave a very bitter taste in your mouth, malwaretesting, it will not make you safer to pretend it doesn't exist or to ad hominem the messenger because you don't want to believe the message. You can go verify it with the tor developers if you like. They'll tell you: anonymity likes company. And company they are very short of.

Don't worry, with destruction comes creation. This is a cyclical environment. We discover where we are weak so we can build it stronger. For Tor, that means they will need to engage in a way to reach that critical mass by exponential growth, not just simple linear growth. I've got a solution for that, and I can help them reach it if they realize they need the help. They also have a directory structure distribution problem, because their network couldn't handle scaling to a million nodes. However, once Roger solves that problem, he can focus on the next. Until then, you must listen to Tor itself, it's written when it first starts up: "Do not rely on Tor for strong anonymity"... don't misinterpret it for modesty, because the project is a baby and we just aren't there yet with such an important work.

Above all my interest is in enhancing privacy and creating anonymity, and I think Tor will play a significant roll in strong anonymity in the future. We're trying to help it get down that road to strong anonymity, sometimes with an encouraging word, and if the child is stubborn, a swift kick. Until critical mass and a host of other issues are resolved, you'll have to get there with private networks. The encouraging notion is that XB and Tor anonymity are almost as good, and one is not much worse than the other right now. XB will be even better in the 3.0 network, and sometime later Tor may be ready to approach critical mass, bringing a whole new level to the world of anonymity, with true strong public anonymity. Yes, my crystal ball allows me to see very deep

 

If you discussed anonymization techniques and theory, I would be there too. If you discussed privacy tactics, you would see me there. It just so happens that there aren't a lot of experts willing to publicly engage in discussion or debate here. This is a place more comfortable for reviews, troubleshooting, and mild critiques or praises. Why that is, I don't know. Justin Troutman appears to know his way around cryptography, and perhaps we could have a good discussion for a while. But I'm no cryptographer and he's no (anonymist?), so the twain to not often meet. However, I think the community moderators have the wisdom to know intellectual assets, and not dissuade them. Cryptographic questions might be left unanswered and falsehoods unchallenged if Justin were to disappear. And what if Justin were to write an excellent software to solve many of the problems that users experience. Should we resent him for being knowledgable AND a contributing member to society? No. It would be a disservice to ourselves and the community. It would be better if there were more Justin Troutmans, more XeroBanks, more Paranoid2000s, et al. not less.

Does the laxity of Anonymizer make you squeemish? Shall the ivory towers of the tor fortress be irreproachable? We're discussing things that we both know and have in common. Shall we discuss crowding? Shall we discuss anonymous payment methods and theory? Shall we discuss the details of global data retention laws? If you want to discuss some other privacy aspect, I'm all ears. There just doesn't seem to be much interest, and the topics we do discuss end up becoming lopsided because of asymmetric information exchange.

 

KryptoHippie?....LOL!

 

Steve, can you kindly provide the link to the video? I did search for it using various terms (your name, Anonymizer, XeroBank, etc.), and found nothing.

I think we can agree that Anonymizer’s basic service (“Anonymous Surfing”) is, in fact, a basic service. The company never said otherwise, so to suggest that Anonymizer is deficient is neither fair nor honest. Therefore, concerning your comment that Anonymizer has a “very, very weak implementation and bad security practices, purposefully designed to be easily compromised,” do you agree that such an accusation does not apply to their advanced service (“Total Net Shield”)?

I recommend that you explicate your logic, Steve, and articulate an argument — not just make an assertion. I agree that there are gradations of trustworthiness (i.e., the degree of trust you place in the provider of the anonymizer service) — but, anonymity is binary: it is, or it is not. Again, I encourage you to post the definition of anonymity used by XeroBank, and document how various anonymizer services perform with respect to those criteria. Such an analysis and post would be welcome by many in this forum, I am sure.

* * * * * * * * * * * * * * * * * * * ** * * * * * * * * ** * * * * * * * * *​

Individuals who advocate TOR should read the following articles, and then reconsider their position on the issue.

Tor hack proposed to catch criminals
TOR anonymisation network phished
Testing TOR Nodes for Man-in-the-Middle Attacks​

With TOR, there is no need to go “ask” for a trace. A governmental body can simply attach a few thousand nodes to the network. Steve made the same point when he asked, “What adversary would spend countless hours trying to hack the {TOR} network, or break encryption, when they could literally just buy their way into it for cheap?”

* * * * * * * * * * * * * * * * * * * ** * * * * * * * * ** * * * * * * * * *​

Caspian, let’s consider “anonymizer service X” for a moment. One of three conditions must logically be true:

1. The service does not, in fact, have the US Government as a client.
2. The service does, in fact, have the US Government as a client – but doesn’t say so.
3. The service does, in fact, have the US Government as a client – and publically says so.​

Now, as a user of the anonymizer service, it is impossible to distinguish between Case 1 and Case 2. Therefore, the interesting comparison is between Case 2 and Case 3. According to your logic, you prefer Case 2 over Case 3. In other words, it appears that you would be more willing to place trust in an anonymizer service that avoids stating that it has the US Government as a client (Case 1 or Case 2) rather than one that makes it public knowledge (Case 3). Isn’t that an odd argument?

If Anonymizer/Abraxis had something to hide because they have the US Government as a client, don’t you think that they would hide that association? The fact that they are open about it should increase – not decrease – your level of trust in the company.

Question: By the way, Steve, does XeroBank have any US Government entity as a significant client?

* * * * * * * * * * * * * * * * * * * ** * * * * * * * * ** * * * * * * * * *​

Yes, Steve, please provide the URL to the source you are referencing.

 

...and if the Tor user is not filtering web traffic (which they should be, since the Tor project specifically recommends it) and not running any process control software (like System Safety Monitor on Windows systems) which could prevent Tor from starting any other program.

Tor certainly needs to be used in conjunction with other software for proper security and anonymity, but that applies with any other anonymiser also.

Well it is certainly going to be more difficult to break out of a VM, but that doesn't make it impossible. On the other hand, a VM involves limiting user choice as to what software they can use - for example could anyone use the Opera browser in conjunction with xB Machine? Or GetRight? Or Eudora?

Kind of difficult to double the size of the Tor network without anyone noticing.

Nope sorry - assuming that nodes were chosen completely at random (in reality, higher bandwidth ones would be selected more and Tor selects nodes in different /16 netblocks so you'd have to set them up on a global basis), you'd have a 12.5% chance of having access to all the traffic for a particular user at a specific time. You'd then have to correlate their encrypted and unencrypted streams, but you could use a customised Tor setup to log that for you.

Another point to consider is that Tor implements entry guards - only a limited number of nodes can be chosen for the first hop. You'd have to get your rogue network on that "trusted" list first.

I call FUD on this. There are plenty of other groups that need de-centralised anonymity and that includes law enforcement (ironically, for monitoring child pornography and bomb threat making sites), political dissidents that risk imprisonment or execution by repressive regimes and anyone that may be targeted (fairly or not - consider past US government actions with regards to online gambling or steroid production) by their own government (including mistaken or malicious targeting).

The "Tor is for paedophiles" argument is a lame one which seems to pop up with some regularlity in your posts, and it greatly demeans the validity of any other points you make.

If you are talking about Tor node operators, then yes, they won't have the resources of a commercial company in dealing with court orders. On the other hand, they don't have the incentives a commercial company has in doing back-room deals either.

If you are talking about end users however - the only circumstance they should be receiving a court order is if the anonymity system is compromised and Tor/XeroBank are on an equal footing here (unless XeroBank is prepared to add legal insurance to its product list).

You'd need more than $20K...

Looking at just the top 10 Tor nodes contributing bandwidth at time of posting gives the following:

Code:

Webdvdr (France)..............6782 KB/s
desync (Ca, US)...............6084 KB/s
blutmagie (Germany)...........5757 KB/s
bettyboop (WA, US)............5580 KB/s
nixnix (WA, US)...............5508 KB/s
chaoscomputerclub (Germany)...5423 KB/s
BostonUCompSci (MA, US).......4850 KB/s
humanistischeunion1 (France)..4825 KB/s
degaussYourself (France)......4187 KB/s
atari (Germany)...............4016 KB/s

That gives a total 47,504 KB/s bandwidth - if we assume 1,300 other nodes contribute the minimum 20KB/s then that's a (conservative!) estimate of 73,504KB/s throughput for the Tor network.

If we round it up to 75MB/s (for simpler maths) that means providing 194,400 GB/month. At a price of $1.50/GB (you'd probably be able to provide better figures) that would mean a monthly cost of $300,000 (or just $150,000+ for the majority of traffic). And that cost would certainly be increased by the need to pay for significant bandwidth outside the US.

Of course, bandwidth is going to get cheaper as time progresses - but Tor's usage is going to increase also.

Assuming all nodes are chosen at random (and ignoring entry guards), the colluding network would have ((14/20)^3) x 100% = 34.3% chance of having a user routing their traffic only through nodes you control.

Well, I've argued that $150+K/month is a more realistic figure - and for that price, you could probably buy outright any anonymity service provider. Indeed, the cost is probably an argument in favour of Tor since hijacking any other service would be an order of magnitude cheaper.

Agreed - but this is a case of benefits and problems. Without public participation, you have centralised control and the possibility of one administrator being able (or being coerced) into monitoring users. With public participation you have decentralised control but the possibility of rogue operators.

Limited numbers of public participants really comes down to the nature of individual network connections - almost all broadband services are asymmetric and offer an upload capacity that is a fraction of the download. As network infrastructure improves, upload limits should increase allowing more users to join in - at which point the big problem for Tor becomes scalability.

Tor can (and will) generally work as long as the majority of node operators participate "for the right reasons" much like other public collaborations like Wikipedia. They're not perfect, but they can produce results that outshine many commercial competitors.

 

While Steve clearly has his own drum to beat, I would consider most of his posts (aside from the "Tor user = scum" banalities) to provide useful, challenging and thought-provoking points. He does have a perspective on the anonymity and security industry that most of us lack and any work XeroBank do in finding vulnerabilities in Tor itself helps to make that network stronger.

There is a seeming contradiction with the anonymity industry with users wishing to know as much as possible about those running services, with the more anonymous companies attracting greater scepticism. XeroBank's participation here does, in contrast, provide useful information for those using that service. It's just a pity that their website doesn't do as good a job - yet.

Finally while I can sympathise with those arguing that XeroBank ought to host their own forums, there is a real advantage to having discussion here in the open, with unbiased moderation. In fact, I would suggest that XeroBank (and Wilders' admins) do consider setting up a separate subforum here soon, since there seem to be an increasing number of XeroBank-related posts.

 

Happy to.

Neither confirm nor deny at this point. I haven't evaluated Total Net Shield, and anonymizer's network isn't open source or described. I would have to crack TNS to give a positive affirmation or denial.

Nonononono. Anonymity is not at all binary, it is by degree and quality. It is a new field so there aren't any metrics for it yet. There will be eventually, but not today, not this year, maybe not in the next 5 years. I couldn't possibly begin to explain it all. Makes my head hurt just thinking about it

It is against our policy to disclose the identity of our clients, so we can neither confirm nor deny.

Privacy vs. Profits: The false dichotomy of commercial anonymity

 

Yes and no. By default, they're locked down. To do anything the need sudo and root to install stuff.

It doubled in size over the last few months. Did you notice?

If you have 50% of the nodes, and you only need to control any 2 out of 3 hops, then you have the additive probabilities of 1 conjunction 2, 2 conjunction 3, 1 conjunction 3, and 1 conjunction 2 conjunction 3 (37.5% + 12.5%). Not just 1 con 2 con 3 (12.5%).

This is the equivalent of 3 independent coin tosses where you need the total chances of getting two or more Heads results.

Wait 30 days or so, then you're trusted. If you can't wait, the debian bluster caused all trusted status to get reset. Everyone starts again at zero so they are all on equal footing.

I agree. I'm not arguing against that. I'm saying if you're comparing xb and tor, tor's decentralization advantage over xb is that you can get away with cp and bomb threats without much fear of reprisal. You wouldn't be able to get away with that using xb.

If you are talking about Tor node operators, then yes, they won't have the resources of a commercial company in dealing with court orders. On the other hand, they don't have the incentives a commercial company has in doing back-room deals either.

Wait, what? Can you elaborate on that?

Actually... Your bandwidth cost claims are massively inflated, leading to a false conclusion. Tor claims to be operating at 1 Gpbs throughput, which is 316 Terabytes of data per month, not just 195 TB as you suggest. Bandwidth costs ~$500 per 100Mbps. Using your numbers of 195 TB, that would cost $3500 per month for controlling 50% of all Tor nodes, by bandwidth. Using my numbers, it would cost only $5000 USD per month. If we solve for confidence and at $20k/month budget, we could move up to 90% confidence!

Now tell me again, at $3500 per month, why wouldn't you buy the Tor network out?

And I disagree on your math. Assuming you only need to know any 2 nodes in a 3 node circuit, because you already know the decryption key. Now if we assumed you had to be the first node, and capture any of the other two, and you have 50% control of the nodes, that is 1 coin toss dependent variable, followed by 1 coin toss independent, followed by 1 coin toss independent, getting heads on the first toss, and requiring at least heads on toss 2 or 3...

 

man do i feel sorry for the orginal poster of this forum whom i have guessed run away and will never bother to use any privacy software after this thread.

this thread turns up some interesting questions:

1) is xb browser compromised as well as the rest of the tor versions?

2) wouldn't it be better to build a version (other than janusvm/xb machine) that fixes these bugs and rub it in the faces of the developers, than to punish users of the network whom use it with threats of revealing thier indenities many of whom are innocent are using it for the greater good?

 

The criteria that you apply to Total Net Shield by Anonymizer would apply equally well to XeroBank – correct? In other words, is there publically available and verifiable information on the structure of the XeroBank network? Does XeroBank provide access to the source code for all of the software that it uses?

May I make a request? In the future, if you make disparaging comments about Anonymizer, please be sure to clarify that you are not speaking of Total Net Shield, since you admit to having no deep knowledge of the product.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *​

[1] It is only possible for XeroBank to disclose the identity of a client/customer if that identity is known by XeroBank. Therefore, isn’t this comment an admission that XeroBank does in fact know the identity of its clients/customers? I thought that XeroBank isolated an “account” from an “account holder”, so that the two could never be linked? Please elaborate and explain this apparent contradiction.

[2] Additionally, the request here Steve isn’t to disclose the identity of a client. The request is to affirm that entities of the US Government are not major clients of XeroBank. If, in fact, entities of the US Government are absent from your list of clients, then – by definition – they are not clients, and your policy not to “disclose the identity of our clients” does not apply. As a consequence, there is nothing prohibiting you from stating that entities of the US Government are not major clients of XeroBank, assuming that such is indeed the case.

 

In theory, yes. In reality, no, not yet. It probably will by defcon though.

It would, but it can't be done. Well, maybe it could, but I don't yet know how.

 

All of the software is GPL/Open-Source/Source-Viewable. None of it is proprietary, except for the accounting software. When we release the whitepaper on the network design, those answered should be cleared up.

As to speaking about anonymizer, let's not give the benefit of the doubt to a company that has shown it has no care whatsoever for anonymity or privacy. Never once did it occur to me, as you ask: "Yeah, one of their main products was absolutely compromising by design, let's reserve judgement on the rest and their motivations." I think we can say at this point that anything they produce is highly suspect. Would you buy *another* car from a dealer that sold you a lemon with a gerbil wheel for an engine?

Each user has two accounts. One is the deposit account, the other is the access account. They are not linked to each other if you don't have automatic payments, or remove automatic payments and do it manually every month. The identity of the deposit account holder is known to us, because we process their payments. The identity of the access account is not known to us, as it has no identity, and cannot be automagically reversed to the discover the depositor under either of those two latter conditions. For most people they won't need the account separation by anonymization, but we offer it as an option so even people with normal credit cards can suddenly pay us about as anonymously as any person sending cash, as long as their willing to do the payments manually every month.

It is prohibited for us to disclose any information about a client, including if they are or are not a client. If someone came up and asked me if you were a client, and you weren't, and I said "no", but then once you signed up and they asked again and I said "i can't tell you", then defacto I have told you. The response must be the same regardless if they are or are not.

 

and what would that response be

 

At the bottom

 

@ the bottom as in the part where you said "so we can neither confirm nor deny"

 

Bubba makes a very good point here. It's like Anonymizer and their recent buyout by Abraxus. For better or worse, those who might choose Anonymizer knows they are owned by Abraxus. Think about it, Steve, since you have admitted to not even knowing the real owners of Xerobank - maybe Abraxus owns Xerobank! Maybe they are making a move to corner the market (so to speak). You could neither confirm nor deny - because you don't know! And if you really do know - you won't tell us!

You fail to see this problem, Steve. Thoroughly.

 

Genady, I see what you mean, but the vulnerability for Anonymizer doesn't exist for XeroBank. Anonymizer's owners have full access and control over not just financial, but also decryption keys. So it poses a credible threat to anonymity for that reason alone. But XeroBank financial/owners don't have control over the decryption keys. I'm about as worried about them decrypting the data as i am about you decrypting it. Because the threat isn't there, it's isn't credible. It's out of their hands, so the threat just isn't the same. It's like a gal worrying about getting prostate cancer. You get that, don't you?

 

I'm actually still here. the lack of a technical background makes getting through these threads nearly impossible. however, i have a little better idea about privacy software and a general idea of how it's supposed to work, even though i haven't a clue about the technical aspect of it.

i also appreciate the advice and info regarding some of the services and products. Steve has been helpful, and i think his participation here offers legitimacy to his service. After all, he is willing to answer what seem to be very difficult questions and at times appear to be ferocious attacks.

There would be ethical considerations and obvious conflicts of interest had he not disclosed his affiliation with XB. Having done so, however, gives everyone that reads these threads the opportunity to take his posts with the knowledge that they probably and understandably involve some bias towards his product.

JD

 

I'm with you, JD. I do not have a back ground in computer science or technology, so I am for the most part lost, with a lot of what is being discussed here. But in the year or so that I have been reading these posts, I have learned a great deal......little bits and pieces at a time.

And I am also glad that Steve is here. I am an XB customer for one, and I get to hear different points of view from people who are far more knowledgeable than I am.

 

Steve, Anonymizer provides a range of products for a variety of customer needs. Just as it is foolhardy to criticize a “Chevrolet” for not being a “Cadillac” (both products of the same manufacturer), so too is it unjustifiable to criticize the entry-level Anonymizer solution for not having all the features that one might want. The fact that a “Chevrolet” is limited in features/benefits does not imply that all products of General Motors are defective – although, that is precisely the odd conclusion that one would reach by following your logic.

The fact that you choose not to disclose information about a client (and have a policy against it) implies that you could disclose information about a client (if such a policy did not exist), which is in contradiction to your prior assertions that you couldn’t disclose information about a client even if you wanted to do so – because XeroBank doesn’t possess the information in the first place. So, to be clear, does XeroBank avoid disclosing information about its clients because it unwilling to do so – or, because it is unable to do so?

Steve, if not the owners of the company, then who does have control over the decryption keys? Please explain.

 

I agree. But it is an impeachment of their integrity to offer a security/anonymity software that gives no security/anonymity with it's default settings. That isn't like chevy vs. cadillac, that's buying a car labeled v8, and opening the hood to find 8 vegetarian hampsters and being told you can exchange them for a real engine if you know the right buttons to press. Who isn't getting fleeced by such a product? And the fact that they have a whole array, a whole theme park of similar rides, is not a comforting thought. Perhaps they have an antivirus software that locates viruses and scolds them. Perhaps they have a cookie cleaning software that makes sure the cookies are properly formatted and well arranged for the next web visit. Fool me once, right?

Where is this "chosen" business? It isn't a choice for me to make. It is policy. We don't do that. We can know the identity of our customers, that isn't a security threat for anyones anonymity, but is a violation of confidentiality for them to be unwillingly exposed.

server admins have decryption keys, and the revoker(s) can disable their keys remotely.

 

Steve, impeaching the integrity of Anonymizer is serious and troubling, and hopefully not an action that you take lightly. To advance the discussion, let’s move this point from a “generalization” to a “specific,” and consider the “basic” product from Anonymizer: their Anonymous Surfing service (which I believe is the foundation for your observations). That service claims to provide only one key privacy function: hiding the user’s IP address from a website. To the best of my knowledge, the product does indeed perform that one important function. Do you know otherwise? If yes, then you are justified in criticizing it; but, if not, then might you reconsider your “impeachment”?

I am confused. I though that through your process of separating the “account” from the “account holder,” the identity of the later could not be known by XeroBank. Can you kindly explain this apparent contradiction further?

 

Steve Topletz: TAKE SIX! Reinvention after reinvention of the service, its history, its capabilities, its features.....whew.

 

1.We know of the identity of the deposit account holder.
2. We don't know the identity of the access account holder.
3. Deposit account funds the access account, and if done manually, there is no backwards link.