Xerobank questions ?

Discussion in 'privacy technology' started by CloneRanger, Sep 4, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    A lot of uncertainty around lately, and for some time now about XB. And for paying customers who are receiving little or no support, must be very concerning, to say the least, and it does seem both very unprofessional, and strange.

    But i have another question.

    If they don't keep ANY logs etc etc, and a person/s were conducting some sort of illegal and/or potential illegal activity, and/or activity that "certain" governments etc disapproved of, but were not illegal, and this person/s had not been flagged to XB by .GOV etc etc, how would XB know ?

    As it is, any amount of people could, and have been, doing whatever for any amount of time, and continue to do so, as long as they are not flagged to XB for interception/logging etc. Which they say they WILL do if certain activity is "said" to be taking place. Said/assumed etc etc !

    Let's say, a "friendly" to XB government/company etc wanted some/any info it could acquire on anyone who might be a perceived and/or real threat to them, but didn't have specific etc details of anyone, how could we be sure XB wouldn't assist them in some way/s ?

    Obviously this would also apply to any other service etc that Explicitly states the same/similar conditions. But as XB states very strongly what they do about their privacy policy and systems etc, i'm concentrating on XB.
     
  2. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    let's hope that someone from xB can answer your questions.
    not the fans here..... :D :D
     
  3. ccoates

    ccoates Registered Member

    Joined:
    Aug 31, 2010
    Posts:
    16
    Most of this is answered in their FAQ.

    You can't be sure XB won't assist them, because it says right there XB will assist them if they have jurisdiction and a court compels them to do so.

    From their Terms of Service:

    Notice right there that they did NOT say they keep zero logs. And if you're suspected of using the service for illegal activity they will log you.

    From their Privacy Policy:

    So it appears to me they keep technical logs, and use unknown heuristic software and personnel to monitor for illegal activity, and can be compelled by local laws and governments to log activity or investigate customers.
     
  4. eric2802000

    eric2802000 Registered Member

    Joined:
    Aug 31, 2010
    Posts:
    11

    Ok...that's fine and dandy...but do you recommend a VPN that you feel comfortable with? I'm not trying to start a fight just looking for a good VPN!
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ eric2802000

    Would you mind posting your request elsewhere, as i want to keep this thread Strictly XB, thanks.
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    From what Steve has explained. Panama is not subject to U.S. or U.K. spying and data retention laws. And if you look at their document for LE, they make them jump through some pretty serious hoops to even be considered. And I seem to remember a statement warning them that if they (LE) make any false claims that they will be reported, or something like that.

    And to be logged, authorities would have to have warrants in *all* applicable jurisdictions at the same time. And even then they would not get anything because of the encryption.

    They may sometimes get complaints from the people who run the exit nodes about content.

    As for Xerobank zeroing in on bad stuff? I guess they have software that can detect denial of service attacks and massive email spamming etc... From what Steve has said, in these cases they would delete the account. But they would have to monitor it live, which he said is a pain in the a@@.

    Their terms of service are based on the Universal Declaration of Human Rights. http://www.un.org/en/documents/udhr/ So if you are not going to use their services to mastermind horrific terrorist attacks, rape children and sell the videos, or burn anybody at the stake, I don't think they care, or even want to know what you do.
     
  7. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    any xb staff to answer?
     
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    with the lack of support, will they monitor at all?
     
  9. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    What you say is certainly plausible, PooseyII.

    However, based on what I've pieced together about XeroBank, and the broader cypherpunk et alia community, it may not be as simple as that.

    Consider resources/infrastructure. Although entry and exit nodes are certainly vulnerable, even finding the rest of the network would be nontrivial.

    The same goes for people. Steve is highly vulnerable. However, the people who do most of the technical work are apparently drawn from an anonymous pool. Configuring a router might require certificates from three admins, who are anonymous to Steve, and also to each other. That much of the security model is common knowledge. I'm sure that there's more to it.
     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    If the explanations given by SteveTX are factual, then the issue of logs and the potential willingness of XeroBank to assist in a governmental inquiry are moot, since there is no mechanism to associate (1) a user’s activity on XeroBank with (2) the identity of the user. This separation is achieved through the use of a Deposit Account that submits anonymous ‘payment tokens’ to the Access Account.

    Thus, even if XeroBank were to log the activity of a user (and potentially terminate that user's ability to access the xB VPN service because it violates the terms of service), then the identity of that user still remains unknown to XeroBank.
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Well, considering Steve has just vanished, maybe he found out his high security wasn't quite as effective as he once thought.

    In all seriousness, I used XB for quite awhile with no troubles, but "no troubles" means I used the VPN without technical difficulty. That's not the same as using the VPN and believing all the James Bond 007 marketing.
     
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    What makes you think that serving subpoenas in Panama is so easy? I'm sure that the core privacy people -- not Steve (just a kid, relatively speaking) -- have good connections there (or wherever they are, given that Panama may be a ruse). And in any case, who is the XB who'd be forced to log? It's all virtual ;)

    The best evidence that I have for the truth of XB's claims is that they haven't been falsified after over two years in "business". I'm sure that XB has attracted folks with seriously bad intentions, and I haven't seen anything in Wired about their exposure. You say that the target would "never know". However, if someone had gone down, and if they had conducted themselves prudently, they'd have some pretty good ideas about who'd pwned them. If I go down, you'll read about it here, one way or another.
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    While I don’t claim to know the details of the process, my understanding is that it is logically impossible to infer the source (i.e., the Deposit Account) from the ‘payment token’ that is received by the Access Account. Thus, I believe (?) that not even XeroBank could determine the identity of the user corresponding to a set of transmissions done on the xB VPN network. In other words, if an adversary discovers suspicious activity on xB VPN, then neither that adversary nor XeroBank can trace backwards from those transmissions to determine the identity of the corresponding user.

    SteveTX “promised” a white paper describing this process long ago, but (unfortunately) the document never did materialize, to the best of my knowledge.
     
  14. onigen

    onigen Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    29
    Steve is probably at Gitmo being waterboarded for his vast secrets.
    I wish him a speedy and safe return :-*
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Probably not lately.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    The FBI is not going to waste their time unless some truly horrific crime is being committed. Like raping children and selling the vids. In a case like that, I would expect them (Xerobank) to lend a hand. Wouldn't you??

    However. I seriously doubt that child rapists and terrorists would ever consider using Xerobank.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Here is a message that was posted by Cryptohippie the other day. I never bothered deleting it but this may give an idea of the kind of monitoring that Xerobank and others may do if someone is abusing their services:


    ["Sent 2010-08-10 by Cryptohippie Support

    Unfortunately, there has been more spam going through our mail gateway. The spammer ceased during our previously-announced logging, then started back once we had stopped. So, commencing immediately, we will do enough logging to identify the computers that are causing this trouble.

    Logging will begin immediately. We will record ONLY:

    Mail servers talked to.
    The time of the communication.
    The internal IP address of the connection.

    This applies ONLY to our mail gateways. It does NOT apply to cryptogroup.net mail systems or users of secure-smarthost.com. NO email addresses or email content will be recorded. All data will be destroyed 48 hours after it was recorded.

    Logging will cease in seven days".]
     
  18. Sheldon7

    Sheldon7 Registered Member

    Joined:
    Mar 16, 2009
    Posts:
    73
    Something definitely seems abnormal with XB.
    It started with communication from them dying down to almost non-existent (other than a book review? or a thank you for an award nomination by a user).
    Then the forums have gone into "maintenance mode", saying 'see you back in a few days' > https://xerobank.com/forum/. That was nearly two months ago.

    I can't help but think shutting down the forums was a way to minimise the growing unrest and questions that were being asked about wtf is going on! Which is surprising, as i'd guess over 75% of the users were remaining optimistic that things would come back on.

    Didn't help amidst all of this to launch.... something? called www.Dark.ai .
    Calling you a secret operative, then requesting your cell phone number in cleartext seems odd at best, but dangerous.

    I would love to see some of XB's rhetoric / developments / announcements come to fruition. Seems they had perspective, credibility and some ability to execute. But lately this talent is being overshadowed by shortcomings in delivery, making its users restless and a diminishing clientele.

    Hope Stevetx or wizard read this and at least communicate with us.
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    A subpoena from whom o_O Jesus?
     
  20. ccoates

    ccoates Registered Member

    Joined:
    Aug 31, 2010
    Posts:
    16
    From a practical standpoint, you wouldn't actually need subpoenas in every country, right?

    If you can prove illegal activity in your country, then you can compel a business to abide by your laws within that country, and possibly shut down their services within that country. That seems like a financial burden/hit most companies wouldn't shoulder.

    You only need a subpoena everywhere if the other party refuses to cooperate, and is willing to maintain that stance even in the face of financial ruin.
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Okay, we've had our troubles Poosey, but this is an excellent post.

    You are absolutely, 100% correct in your legal scenario. This Panama stuff is absurd. Just because a company is incorporated someplace other than the USA does not give them license to violate US law and somehow give them protection. And if ANY part of that business is operating in the United States, even if it's the owner, manager, spokesperson, (Steve), they would be arrested for withholding information and probably end up with a slew of contempt of court citations. None of the 007 stuff flies. It's marketing at its worst when you go to such lengths not to actually provide high-security, but to make your prospective customers believe that.


    For example, when I was using XB, I never bought Steve's boasts of how important "crowding" is. The crowds (traffic) coming from a server is nothing to a federal intelligence agency, with basically unlimited funds, in doing traffic analysis. That didn't apply to my uses of XB anyway, but it bothered me that they were selling the service with so many different marketing ploys. There was always an "answer" no matter how absurd, always a new product on the way, always a new whitepaper that would blow the lid off the industry. I finally saw all of this as everything I didn't want to be a part of and I ceased to use their services.
     
  22. Sheldon7

    Sheldon7 Registered Member

    Joined:
    Mar 16, 2009
    Posts:
    73
    Lockbox, I have a different take on your jurisdiction comments. I certainly agree with you that XB has impaired credibility at the moment (Note my comments on page 1).

    XB jurisdiction however, at least seems robust. If XB's servers are physically located in Panama, and XB Networks is indeed a Panama company, the process of foreign entities serving notice on XB for an alleged offense is certainly impeded.

    You referred to "ANY part of that business operating in the United States....would be arrested for withholding information.". It's not quite that simple. If a US govt wanted to serve notice on XB, they would have to show cause and have the matter heard by a court in Panama. This takes time. Then, the Panama court would have to agree that under its laws, that a crime may have been committed. This may be subject to an appeal by XB. Regardless, only then could a directive of the Judge be carried out by Panamanian authorities and then handed over to its US counterparts.

    This process is costly, time consuming and would impede at least trivial cases (say, file sharing) and some fishing expeditions. XB has often said that if you are wanted by a global adversary, then you probably wouldn't be relying on XB's jurisdiction to protect you.

    I don't propose that the Panama set up is at all bulletproof. It is an impediment though.
    You mentioned that the "US based employees would be arrested". This would be difficult. The US authorities (in this example) would have to link Steve's /others actions with the alleged offense. He would not be arrested for this, likely just questioned. And, if the plausible deniability of XB's infrastructure is true, then Steve / others would not likely be in a position to solely damage the suspect. If XB's servers were in the US however, this would be a walk in the park though via a simple seizure.

    You are right. Panama does not ensure bulletproof protection of clients or XB. But it sure does create an impediment. An impediment that, along with the other mechanisms purportedly part of XB's makeup, creates a strong vpn backbone.

    I'm more concerned about the absence of communication, announcing "dark.ai" with no follow through, a 6 month delay in any meaningful communication on its Onyx program, and taking the forums offline because the restlessness of its users was becoming too vocal. Seems like the weak way of dealing with issues, rather than acknowledging and confronting, or better yet solving.

    I'd be willing to invest heavily in a company that could actually pull off what XB once claimed it was able to. Maybe these discussions will spark some thoughts, and turn into a meaningful commercial alternative. Wilders VPN perhaps?:p
     
    Last edited: Sep 7, 2010
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The most stable and long-lasting company in this realm of which I am aware is Anonymizer, which has “a pristine 15-year history of protecting customer online identities.”
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Read their Privacy Policy :eek: And i'm sure i remember reading that they've turned over people in the past :thumbd:

    Who would want to use a service run by a company/people that are in bed with the Feds anyway ? If they started giving the Feds etc the runaround, how long before they took their BIG $ elsewhere :p So i wouldn't "bank" on them to be on our side.

    @ PooseyII

    Your monthly breakdown costs are interesting, and if anywhere near correct quite an amount of $ is needed to constantly rely on ! I'm sure SteveTX himself stated in a post somewhere on here, that for the top Onyx service it is/was $51,000 per month :eek: A few of those would surely go a long way to help paying the bills.

    You picked up on my main concerns :thumb:

     
  25. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Dude, Anonymizer is owned by Abraxis Corp., which is a well-known CIA contractor. Google it, for the love of TFSM!
     