Anyone tried XeroBank (formerly Torrify)

Actually, Genedy started this as a FUD thread but it backfired when I showed up. So technically I hijacked his thread.

 

Just when I was warming up to you.

Excuse me, Steve, but when did it "backfire?"

 

So your example would require an adversary capable of viewing every node, i.e. a "global" adversary with access to all major IXs. This shows that neither Tor nor XeroBank can provide complete protection against such an entity, but Tor does not claim to. A bigger anonymity network with more nodes is going to fare better though, and this again raises the question of how many nodes XeroBank has (compared to Tor's 2,000+).

Of course, incomplete protection against eavesdropping is still far better than no protection, and the significant point in my view is how much non-US traffic may be visible to US institutions.

Hmm...Wikipedia list 7 US IX's (at San Francisco, Washington DC, New York, Chicago, Los Angeles, Dallas and Miami). Or were you just referring to Verizon's MAE facilities?

There may be a good argument for trying to avoid US-based autonomous systems except for the last hop, but any network trying this in practice would likely have (even more) severe performance problems due to limited bandwidth.

A P2P network for directory distribution would likely be the best option, but central servers would still be needed for certificate validation.

If an IX operator wanted to track traffic at random yes. However there's plenty of other encrypted data out there (e.g. encrypted BitTorrent) so being able to pick out Tor/XeroBank traffic (without requiring processor-intensive DPI) would seem non-trivial. Using the publicly available addresses of Tor nodes would help but you'd need the user's IP address (and access to their network segment) to start with.

And how would they get that Gbp/s connection back to mainland China without swamping existing connections? They aren't likely to be able to run their own fibre into an IX without anyone noticing, and I doubt they'd want to do their processing/filtering/analysis within the US.

I beg to differ here - if some Chinese agency had privileged access and was halfway competent, they'd limit its use as much as possible.

So paranoid users would have to relax their web filtering to use it? Just a simple HTML table, updated regularly, should suffice.

Since I'm only offering 250KB/s, I'm pretty happy to let you set the wager. I see traffic of 100-150KB/s on average though, since I started blocking Rapidshare downloads.

Fingerprinting on what? All an exit node has to work on with HTTP traffic is the data a browser sends. Aside from targeting a specific URL, the only other data that could identify an individual is cookie traffic and if an attacker knows what your cookies are in advance, they've almost surely compromised your system locally and don't need a Tor exploit.

Under what circumstances though? Internet Explorer without web filtering would seem a viable target - Opera/Firefox with Java/Javascript filtered out would be a different matter. And any such technique would not just be "Tor-oriented" - it could be used (and would be more effective) as part of a general website compromise (i.e. non-Tor users would be at risk also).

If a case never goes to court, that simply means your resolve has never been tested. Unless St Kitts and Nevis is completely devoid of a legal system (it is within the jurisdiction of the Caribbean Court of Justice), a proper legal challenge should be considered inevitable.

BTW if you actually do have 300 "wins", why not publish the details? (not least, it would be interesting to see where most of the demands come from). Of course, if you're comfortable enough with your legal defences, you could also provide some entertaining replies.

 

I don't think anyone can protect against a global adversary, at low latency, with current public infrastructure.

I disagree. As I said before, perhaps the perfect anonymity network is one where there are only two nodes that do massive crowding/multiplexing. More nodes means your spreading your crowding down lower and lower, lowering your anonymity. It makes tracking difficult for someone like you, not difficult for a global adversary. The former one does both.

Specifically yes, including but not limited to. Those three spots are where most of the traffic passes through, so thats the ones that are being sat on. And they are all in the same jurisdiction, which is just terrible.

avoid it in either the first hop, or the last hop. We do this with all our routing. No routes are allowed to use the same country for both hops.

Yes and no. You just need to know the good pipes to route through. For example, a 100Mbps node really can only be expected to perform 40Mbps cross-continent and 25Mbps trans-atlantic, assuming you've got a good upstream.

That isn't the way it works, currently. An adversary has either end-node traffic they want to trace, or a person with a circuit they want to follow. Either way, they have one end of the straw and follow it to the other end, assuming a low-latency network. The best thing we can do in situations is to multiplex the traffic and separate the traffic nodes out of ix domains.

Intelligence agencies don't have to send the data anywhere. They can just use servers onsite, or use an airgap to a transmitter. They don't have to process in china, but you easily could get the data back there covertly using laser bounce and W-band transmissions. Legally doing it is less of an issue I think. They have sovereingty, I don't think they have to do it covertly.

Why not? What risk is it to them?

Let's assume they are smart with limitless resources. They could simply own the ISP or have access to any of the major backbones along a path they want to monitor. Their use is reading, so nobody notices if they are sucking up 10 bytes or 10 Tbytes.

Users visiting our website for that data are already trusting xerobank. You're thinking of a different threat model. Not that it matters: HTML doesn't lend itself to visualization very well and ugly raw data displays are great for unix and data files, not the web. It would need to be an image that conveys the information with limited amounts of text, and adjacently a link to an ugly data file for wading through. So I'm thinking a server-side java generated image should be sufficient to satisfy all requirements: no client-side execution, no ugly displays.

We should qualify our expectations. I'm betting i can steal at least 90% of all the bandwidth traffic you make available to tor, assuming you are running a standard tor node that is limiting it traffic through usage of Tor's traffic limiting configuration. Although, I think I can get the full 100% assuming your node acts like other nodes and isn't playing favorites. Do you agree to these terms?

user-agent, operating system, packet structure, resolution, accepted language, search language, bandwidth, components, cookies, hardware, plugins available, mimetype handling, localtime, surfing habits, etc.

All of those things can create a unique fingerprint, just from surfing traffic that uniquely identify you. This works regardless of pretty much any OS, browser, anonymity network, etc.

We're now in Panama, so that would be the Criminal Court of Panama, instead of the Caribbean. And sure, some things do get to court, but they never make it through. Can we post these? I *think* so, as long as they aren't under gag. We aren't rude, unreceptive or uncooperative like piratebayran, we are very cooperative, cordial but apologetic that we can't help them. However, posting those requests wouldn't be very tactful to any of the parties involved, and would likely just attract the wrong attention. But I agree that those would be nice trophies for a trophy room.

 

I asked you how it backfired but go figure, it's MY thread - and it's MY question that doesn't get answered.

A few other things, on these legal fights, what kind of cases have made it to court? Which courts? Why would there be gag orders if it's not in the US legal system? Why not give examples? If you won - there's nothing wrong with writing, "In March of 2008, so and so asked for all records involving....blah, blah.... and the courts ruled....." How could that be offensive to anybody? From here, the "we've won all these court battles," sounds like more hot air that seems to epitomize the whole Xerobank dream.

I invite anyone with the time and patience to read through this thread and see how Steve has made so many promises about Xerobank, projects mentioned that are never heard about again, deadlines come and go; read all that and the only logical conclusion is that this is a one-man operation with big dreams built on sand. To me it's clear: There are no "owners", "board of directors" or anything else that resembles a structure that is operational as anything other than one guy and a few relationships with payment processors, ISPs, etc. I've heard so many countries as being where Xerobank is I've lost count. Now it's "we're in Panama." But, you, are in in Dallas - that bastion of rebels(!) Xerobank is either clearly a kitchen table outfit - or there is more than meets the eye to all the coincidental connections with Metropipe I carefully outlined a long time ago early in this thread.

Some say your being a member of Hactivismo gives you street creds. Well, tell us when you became a member of Hactivismo, Steve. Was it not just April of last year? About the time you were preparing to launch your commercial "Torrify" service? Handy association.

Nothing I have written in this thread has "backfired" since you showed up. You are, like me -- a name and an avatar. You have a website and a (sorta) product (sometimes). You have promised the moon with your variously named commercial product and have only provided molded cheese. Cheese, alright, but nothing close to the promised and ever changing dates for even the smallest of updates to that "perfect" privacy service. How about a little transparency with all the unmet promises? When you deliver - we can talk backfires. I'm not holding my breath.

Best,
Genady

 

The Ballad of Genady Prishnikov

Genady,

Yeah, I live in Dallas. My life isn't very hidden, I live out in the open compared to many others in the privacy services field. I've got a thorough understanding of the landscape here, and I think privacy needs more public advocates, which is a sacrifice I am willing to make. Of course, don't confuse my making myself available here at my leisure with me being beholden to your fud interrogations. I sent you a PM you decided not to answer, and I'm happy to address most of your FUD stuff there, but you insist not in acquiring answers but in spreading fear, uncertainty, and disinformation in the public arena. But that is perfectly predictable because receiving sage answers in private doesn't serve your agenda.

FUDsters are like cockroaches, they do their best work in the dark, and they scurry when the lights are turned on. Me strolling into the thread is the lights getting turned on (backfired). You ask a question, get refuted and run away to another forum/newsgroup to spread FUD, wait a while, and then wander back in with the same accusation as though it were new. Admittedly, I must give credit where it is due: you are okay at what you do, but I don't think your employers are getting their money's worth because you don't have the expertise to make technical refutations of xerobank, only to make flimsy ad hominem assertions against who I choose to associate with. Paranoids see coincidences everywhere, so you play on that fear. It's too bad, because it wastes everyone's time when we could be discussing constructive and new ideas about privacy, and hurts the public arena of trust, all for your personal benefit.

Steve Topletz
Dallas, Texas

 

Re: The Ballad of Genady Prishnikov

First of all, as for the techinical expertise - why do you think I don't have any of that? It looks like Paranoid2K is doing a fine job asking those questions. But you are right - I am more interested in not how the curtains move - but who's behind the curtain.

Now......


Excuse me, Mr. Topletz, you came here - to this forum - to a thread I started. You have avoided all questions about the structure of Xerobank and questions about your promises, claims of won court cases, where Xerobank is based this week, the ownership of Xerobank, on and on. In your last post, you - again - failed to answer questions and resorted to attacking the messenger in a strictly personal way with the attitude that someone dare asking substantive questions is a mere troll (cockroaches in your words above), paid by some mysterious employer (and I'm paranoid?). Frankly, that's offensive. I've been registered and a member here since March of 2006 posting in a number of threads. You showed up when you wanted to use Mr. Wilders bandwidth for Xerobank marketing and support issues - period. Frankly, I'm surprised you haven't been asked to help Wilders financially and pay your honest debt like the rest of the software companies using Wilders for official support. The fact is - people here have expressed your not returning emails, not having a support forum of your own at Xerobank, a support ticket system that obviously doesn't work very well and you resort to using Wilders Security Forums (and this sub-forum in particular) for contact and support for many of your customers and neverending marketing and spamming for Xerobank. Yet - I have an agenda?

As for PM's - there is nothing we have to say to each other in private that can't and shouldn't be said right here in public on this forum. When I talk about the importance of transparency - I walk the walk, and that includes not taking anything "private" and off these forums. My questions and those of others are serious - you make fun of them and call them FUD, call us cockroaches and, in general, lack the character to simply be man enough to lay it all out and answer the questions that me - and others -have asked over and over. You only respond by saying you have answered the questions, which, is simply not true. Again, I invite anyone here to read through this thread and see the blatant lack of transparency about who Xerobank is. You love to talk about the technical specs - how about the specs that matter just as much: Who Is Xerobank and why are they (you) so secretive about its structure and your insistence on not backing up claims and promises regarding your product? It doesn't inspire a lot of trust.

Best,
Genady

 

Re: The Ballad of Genady Prishnikov

It is disappointing that you consistently choose to engage discussions in a manner designed to create fear, uncertainty and disinformation. I only hope this doesn't discourage others from giving their input. I really enjoy interacting with the other people here who have legitimate concerns and want to engage in friendly debate, especially Paranoid2000, and I hope you learn from them. I know they certainly give me a lot more insight into what customers want, and what features they would like to see developed. Thankfully they are patient with me, and in return we get the opportunity to create something that hasn't existed before. I kindly request that you take these matters into a more appropriate area of discussion such as in private messaging, so that it doesn't disrupt the flow of information with others.

Code:

>You have avoided all questions about the structure of Xerobank

You have as good a guess as I do, I don't know what kind of business structures exist in Panama. Somehow the structure of the business never seemed important to the service I perform for them.

>and questions about your promises, claims of won court cases,

Get your aliases straight. :)
Disclosing that info isn't my area, that's like asking a bank manager about criminals that tried to rob them. I know what has happened, I don't really know the details of it.

> where Xerobank is based this week 

Incorporated in Panama, purchased the goodwill from Torrify LLC and dissolved it. Not that it matters, it's a private corp., it's internals are irrelevant because there is no public finance option and they don't have the ability to access client data without our help since it is all stored encrypted and password encoded and segregated.

> the ownership of Xerobank,

I don't actually know. Your question has the only purpose of trying to illuminate unpredictable attack-vector landscape, which protects users. Can't help you weaken client protection. Anyway, they don't have the ability to compromise user data, only to request it from me requiring two other admins, with consultation from the ethics advisor approval. It wouldn't matter if they were the illuminati and space aliens, they don't have the ability to compromise user data. This is the same as you asking me to divulge client information, and we have only the highest integrity and respect for client data. When they want to be public, that is their prerogative, till then I honor their choice and have enough trust to put my reputation on it.

>You showed up when you wanted to use Mr. Wilders bandwidth for Xerobank marketing and support issues - period.

I showed up when you started this thread, 99% of my posts are in here, yes? Regardless, forum bandwidth is cheap, the only thing i do here is update information about whats going on and make myself available to people having trouble. Or did I start those threads where others had a problem, too? I can only be responsible for so much. All the software I write is free, and if some other amazing group came along I would be there to sing their praises, like I sometimes have done for SecureTunnel. Your claim is inconsistent and has no substance. 

I've offered to sponsor an area on wilders if they thought the traffic was large enough, they declined my offer. Apparently they didn't miss the $0.05 of bandwidth. Again, information you choose to not ask about appropriately, and when you get your answer is backfires in your face as the exact opposite of your claim.

> there is nothing we have to say to each other in private that can't and shouldn't be said right here in public on this forum.

You are attempting to confuse transparency with having a lack of tact. Transparency would be satisfied if you actually found anything and then reported it once instead of polluting the thread. The fact is you create FUD by asking the same questions over again and rephrasing them, and attempting to ask someone to disprove negatives.

 

Uh, Steve, this is my thread! You do not dictate the terms of discussion. It takes gall to come here and make it sound as if you are here to only officially respond to Xerobank issues - and only that purpose. Any other questions are "FUD." You make it sound like everyone else can "get along" with you, but somehow my questions "disrupt the flow of information." Please. My questions make you squirm? Too tough? Well, I'm sorry, Steve, I have asked legitimate questions. I cannot believe you would request that I take them out of my own thread! You assume nobody cares about what I have asked about. I think your assumption is very wrong.

You placed your comments with CODE wraps instead of QUOTE wraps, so reading you response wasn't easy. However, one thing I read has me stunned and, frankly, I simply cannot believe. You have taken the secrecy too far this time; even, my guess, among your own customers. I am talking about your "answer" concerning who owns Xerobank.........

This is shocking. You have a new response to my question about who owns Xerobank and it stretches your credibility to the breaking point.

You wrote:

You. Don't. Get. It.

If you don't know who the ownership is (please, Steve) how can anything you went on to say above possibly be trusted? First of all, I don't believe that you don't know. But, if you really were to somehow not know - it's even worse! How do we know "they" don't have access and it takes two admins, etc. to retreive client data? You're now claiming you don't even know who they are!!! If you don't know who "they" are - you can't be sure of anything! Your owners could be the National Security Agency! The Chinese Intelligence Services! If you really don't know - you could be "owned" in more ways than one! Think about how absurd this latest claim is and how your right to be trusted (after this latest news) has been lost - forever.

You also say I ask you to prove negatives. How absurd. Read my last three posts and tell me which questions I asked were asking you to prove negatives. You act as if nobody else here reads these discussions! Everybody reading these posts can see that you avoid the tough questions. Period. My questions have been clear as crystal - it's your non-answers that have been muddy, contradictory and now - laughable.

BTW, you asked me to "get my aliases straight." You lost me. What on God's green Earth are you talking about?


You now claim you "don't actually know" who owns Xerobank. I am still sitting here with tears of laughter in my eyes. Trust quotient: BUSTED! Your game - for anyone playing attention - is over.

 

I don't mind your questions, Genady, the discussion just isn't pertinent to software/security issues, which is what this forum is about and the reason i'm here, nor does it display any sense of propriety. I don't feel any need to assist you in gossip generation. I'll answer you via PM only from now on. If you really thirst for information instead of FUD as you claim, then that shouldn't be any problem.

 

Gossip generation? Oh, please. My questions have nothing to do with gossip. Of course, you know that. It's just another smokescreen to keep from answering tough questions about a privacy service that you don't want to answer.

I will not take these discussions to PM. You are insinuating my questions aren't important to people in search of a privacy service - and they very much are. It's insulting to have you come to MY THREAD and try to tell me what the thread is about and what can and cannot be discussed here. You act as if I ask these questions only for myself to make some sort of personal evaluation. I am asking these questions as a privacy advocate insisting on transparency and truth and trust. This is an open thread about Xerobank; not Steve's personal thread to market and sing the praises of his product.

I'm still shocked you would claim you don't even know who the owners of Xerobank are. How insulting to come up with this new and improved excuse that, as I said, destroys any and all trust with any rational person reading through this entire thread might have had. Like a cat with nine lives - you have a product with 999 different origins, goals, owners, lack of owners, story after story. But, to call you on any of it is --- "FUD". Sorry, Steve, honestly - it's to such a ridiculous point now that you should really stop digging the hole any deeper. It's almost embarrassing.

 

I think much of this would go away if Steve would just give straight answers to straight questions rather than engaging in hyperbole and obfuscations. Maybe there are no straight answers to give.

He is talking about access to data on the system as if it was a launch sequence. "Ethics Advisor"? Maybe corporate or retained counsel, but "Ethics Advisor" You are talking about Michael Badnarik right? The one who ran for office in Texas and US President on the libertarian party ticket? Your Ethics Advsior is not an Ethasist. No background or education in ethics, but he is the person tasked with that responsibility according to XeroBank's Website. Is having an ethasist on board suppose to show everything is on the up and up with XeroBank?

Servers are in Panama... Care to narrow that down a little bit, like where in Panama? I ask because we get through there on occasion and can't seem to find a XeroBank registered there. Who is running your servers there? Or does that require a "Q" clearance and a need to know?

Xerobank is paid for services; the money has to go somewhere; care to provide a depository bank reference? That is not an unusual request. Your web site mentions government accounts. What secure services could you possible offer any government or even NGO that they wouldn't operate in house. Secure communications links are not farmed out, they have their own secure server farms and cleared IT staff.

There was the mention of cockroaches hiding whenever a light was shined on them. Was that suppose to be a metaphor? Anyway, then you turn around and want to take your exchange with Genady Prishnikov to PM. So why not stay in the light of the open forum? Or is there things you want to say that you don't want scrutinized by others reading this thread?

All people want is a little transparency. So tell us who is behind the curtains? Your other option would be to open a forum on XeroBank's website and then you can make the rules as you see fit and not have to endure the constant questioning here. You know there are a lot of links pointing here for searches done for XeroBank.

I am sorry Steve, you do come off as evasive and you do hijack threads for your marketing hype. Face it, there have not been too many people coming to XeroBank's defense and you keep missing deadlines. My gut feeling is, and I could be wrong, XeroBank has a growing cash flow problem because people are not signing up in droves and singing XeroBanks praises on the net. If it was all you say it is, this thread would have died long ago. The word would have been out that XeroBank was a top notch operation. Not your word or the few fanboys word, but on the other security forums on the net.

 

Some of it is internal info, most I don't have, and some I do, some are just educated guesses. I share what I do have and think is appropriate. Remember, I work on the comms and ops systems, that other stuff isn't my area or concern. I do my job and I do it very well.

I'm not sure I understand what you mean. Can you elaborate?

The Michael Badnarik who is a strong and vocal advocate of privacy and self-determination? yes, the same. We don't consult him about moral relativism or hobbesian epistomology (what business needs hobbesian epistomology?), those are ethicists of acadamia. His specific job, as far as I have encountered him, is to make sure internal requests for data are substantive and legitimate as a decentralization control so owners can't just request data about clients. It is my understanding that his job is to internally represent the client as arbiter. If we have to audit an account for some reason, he comes into play as an extra layer of insurance for client privacy. I don't even know anyone else who does this on a client's behalf... imagine if AT&T had any similar ethics advisors when they were asked to spy on americans... that wouldn't have worked out too well for AT&T. On the other hand, Michael may secretly be a Heggelian vitalist, which will only lead to drunken brawls with the Nietzscheian humanists while the motivational hedonists take bets.

I don't think it proves anything, but it sets the tone and certainly makes my job more interesting to talk to Michael if we need some advice, or if he asks "Steve, what do you need to access that account for?". I had never met anyone who both knew assembly language and handled a lariat before.

I said the business was incorporated in Panama. I don't know where in Panama any business servers are, or if they are, that's not my area. I advise on the comms and ops network and their respective projects.

I have to sign into HQ with my secret decoder ring after offsetting a sequence in Pi by the magnetic flux of solar flare radiation. I imagine those are servers for business management, again, not my area. We did have a Panama comm server at SPIRIT for a while, but I didn't like the peering so I nixed it out of the circuits. It is probably still a resource though if I wanted it back or the routing suddenly got better.

That sure seems like an unusual request. Why would I have that info? Can you tell me that info for FindNot and Relakks and Metropipe and privacy.li and DiClave and anonymizer and securetunnel and swissvpn? Seriously, I'm sure everyone here would like for you to share that info with us! Personally, I think that info is something for finance/accounting. They haven't asked for any of my help in that area, and I don't think they will.

Remember, like everyone else, you asked, this isn't marketing: Technology and design doesn't come from the gov, that comes from the corporate sector. Take the Tor Project for example. That was a corporation funded by intelligence agencies for Naval Research Labs. Where do governments get all their machines and tech? Lockheed, GE, Boeing, Raytheon, Bell, 3M, etc. The NSA doesn't manufacturer their own processors, Intel does. The Secret Service doesn't make the punch cars they use for a politician's motorcade, Ford does. The FBI doesn't write their own phone software, BlackBerry does. NASA doesn't make their own rockets, some chinese company does. This isn't unusual, to me it appears to be business as usual.

That isn't the entirety of the picture, they need help like everyone else.

That means that those who spread FUD do their best work where there is no other advocate than a scare crow. In the specific instance, disinfo was spread, then refuted, then the culprit retreated to another forum to respread the same disinformation, selectively disregarding any further knowledge from the refutation. I imagine this is what goes on at privacy.li and usenet on a regular basis.

I'm talking with a security hat on. I know who the people I deal with are, but I haven't demanded to see the articles of incorporation or anything. So I can definitely say "I don't know" for sure.

So I apologize if it seems evasive to you. Some information I do have, some I don't. Some is literally nobody's business but that of xb because it is a business, as I am sure adversaries would love to have that info to try to discover attack vectors for malicious purposes. That's the difference between a public and private corp, it protects in both directions. It is against my integrity to compromise that relationship, and I purposefully put it out of my reach to maintain it for the safety of clients and myself.

A large degree of transparency you already have: I've told you more about the workings of xb than publicly exists on all other privacy corps combined. It is slightly amazing that some people care more about financial benefactors than the integrity or workings of the product, and it raises questions about their motivations. I don't see anyone from the other groups showing up to answer indepth questions. Now you're asking for internal and financial information, most of which I don't have, is inappropriate, and is irrelevant for security purposes and thus transpareny because financial folks don't have access to unencrypted data.

If you asked me for client identities or data, like you just did above for NGOs, I have to turn you down. Not because I'm being evasive but because I have a responsibility to uphold privacy agreements and not breach my integrity for the sake of inquiring minds. I apologize if you feel affronted or evaded when you ask me to impeach myself and I don't comply. Security is as much about being able maintain your integrity as it is about knowing your weak points.

As for Genady's question I forgot to answer earlier, I think I've been an official member of hacktivismo for about a year and a half, more or less, and prior to that I was unofficial and inducted into the NSF of cDc as attache for hackmo. They are an absolute pleasure to work with, some very fine minds who are also very human-rights oriented. We even aquired a few new disciples. I hope to see a some of them again this year at DefCon.

 

Fact Check:

Steve now acts like he has never been anything other than just the "tech guy." Unbelievable. The fact is he developed and OWNED TorPark. When it went to a paid service he seemed to answer questions using his moniker "Arrakis" as the OWNER. Now he comes across as a lowly employee who is only interested in the security nuts & bolts. In fact (and most importantly), he now claims to not even know who owns the company!

This is only my guess, as Steve has been extremely secretive as to the ownership (before these latest claims he doesn't even know), but my best guess is Steve is the sole-owner/coder/PR guy/tech support/janitor/etc. for Xerobank running it right off his kitchen table in Dallas, TX. I say it's only a guess, but frankly all the evidence points in that direction. It's about transparency, honesty, shifting stories, etc. Steve doesn't see that as important in selecting a service you entrust your private Internet communications with. I see it as the single most crucial thing.

FUD? Here's a post from over a year ago that Steve, himself, posted. Here is part of that post:

There was no question, early on, that Steve was running the show. Not just coding and security but payment processing, the website and as shown above - his idea and coception! Now - he has no idea who owns the company.


Fact Check:

I have never argued these points about Xerobank anywhere but Wilders. I just did a Google search and see that someone did a cut 'n paste of some of my posts and other's posts from here to Google Groups, which is Google's presentation of Usenet. That wasn't me. Period.

Steve, If others argue these same points and ask these same questions somewhere else it doesn't mean it's me. I have never taken this - as you claim - "to another forum."

To me, the threshold for loss of credibility at all on your part - has been passed.

Just so all here know: I received another request today from Steve, via PM, to ask my questions privately. He. Still. Doesn't Get. It.

 

More nodes means that an adversary requires more widespread monitoring capabilities and/or multi-jurisdictional powers. Massive multiplexing is desireable too but I would argue in favour of a system providing both - a few high usage nodes and large numbers of sparse ones - to give the best of both worlds.

Another advantage of large node numbers is that it is harder for websites to blacklist every one. With JAP for instance, you may find some forums blocking posts due to previous abuse from their (few) addresses. With Tor, you have a far greater chance of bypassing such blacklists (this isn't intended to promote forum abuse, but moderators/admins have far better tools than IP-based bans to deal with abuse and they should use these instead).

As long as they are marked as being within the same Autonomous System, then it should be possible to ensure later hops involve different networks. Where problems arise is when multiple ASes are under the same administrative control. This is an argument for careful routing using more relays.

Good info to know about. Tor tries to do the same (by requiring a different /16 subnet per node) - though that doesn't guarantee a different country for each hop, it does work most of the time. JAP is weaker here, with most of its mixes based in Germany (with a couple in the Czech Republic, Denmark and Switzerland).

It would be a very unusual intelligence agency that didn't restrict data processing to locations under its complete control! (either the home country or overseas bases secured with military assets). Satellite transmission of intelligence data is possible but since you need a dish (with a clear view of the sky), it would be risky for any extended period of time. I'd suggest that W-band's bandwidth maximum (a likely absolute max of 135Gb/s using 802.11n's theoretical maximum of 150Mb/s per 40MHz as a guideline) isn't really enough for the full unfiltered traffic of a major datacentre either.

As such, I would argue that such monitoring would have to be limited out of simple necessity. A few Mb/s of data going across the Pacific would seem a realistic maximum (less if bulked up by steganography).

Well, the obvious would be the risk of others finding out what they are looking for...

Not necessarily (the ideal anonymity provider is one that doesn't need trust after all) and I would suggest that the extra time involved in creating a snazzy applet could be better spent on technical/legal FAQs. If you have less than twenty nodes, something like JAP's status page should do the job.

I block access to certain filesharing sites (Rapidshare, etc) for bandwidth reasons and run a reasonably (well, unreasonably actually) locked down Windows setup. My node isn't 24/7 though so if you wish to propose a reasonable timeframe (a couple of hours say) via PM I'll let you know my node ID.

7 categories there are not included in HTTP headers which is the only reliable fingerprint you would have, but require active content (Java, Javascript) to determine. Only cookie contents would be truly individual. To take an example, here's what an attacker could see from my visit to Xerobank:

GET http://xerobank.com/company.php HTTP/1.1
User-Agent: Opera/9.26 (Windows NT 5.0)
Host: xerobank.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Referer: http://xerobank.com/company.php
TE: deflate, gzip, chunked, identity, trailers
Connection: keep-alive

Most of that data is browser specific so, yes, you could target Firefox users on Windows or Russian-speaking Opera users - but you'd need more specific data to guarantee hitting an individual.

Well then doing so would actually put you in the same transparency league as JAP. Following their example with such details should benefit XeroBank's credibility considerably.

It should be perfectly possible to provide details (along the lines of, say, the ChillingEffects ClearingHouse) without having to worry about tact, especially for court documents in the public domain. If XeroBank has to worry about the "wrong attention" wouldn't that suggest its legal defences are less than satisfactory?

Now I'm not going to side with Gennady here since my concerns differ from his (and while some of the points he raises are valid, I think they would be better addressed in a separate thread) but some of your responses do raise additional questions:

While it is understandable for a private company to limit disclosure of its structure and workings, there are some questions that are significant to XeroBank's current (and potential) customers.

What is the main motivation behind XeroBank's owners? Are they seeking to provide a product to a market lacking credible options? Are they trying to provide redress to an erosion in online civil liberties? Are they interested in a profitable business above all else?

Can XeroBank's owners subvert the service? Do they have any ability to intervene themselves to view subscriber activity? Can they order other XeroBank staff to compromise the system? How vulnerable are they to legal/extra-legal pressure?

Agreed - but it is less than the information provided on the non-commercial Tor/JAP networks and I would consider these the example to follow in transparency.

It shouldn't be a surprise - consider the examples of eGold and Hushmail where the owners/administrators were legally compelled to compromise the service.

If such a possibility exists for XeroBank (if you were picked up by black-suited gents in a "Flowers By Irene" van and given a National Security Letter ordering you to compromise the network, what would happen?) then customers have an interest in knowing. On the other hand, if the security setup was so strong that system administrators could not (even at gunpoint) compromise it, then providing details on how this is achieved would not only reassure users, but give XeroBank a huge advantage over other commercial offerings.

 

Agreed. But I don't get to design it all, and I don't think we have the requirements met to move to that system. That would be xerobank 3.0 network, with those two massive muxes and some dispersed entries and exits.

Oh i don't know about that. Any admin who wants to block tor need merely download the most recent directory from a DA, parse, and block in realtime. The point being is that it only stops admins ignorant of the tor network itself.

Kind of. There just aren't that many networks for ASes to use. Of course, this will change with the structure of the internet.

100% agree

SigInt is a tricky thing. I think a single entity has processing centers outside their hq, but nothing that hq won't verify. Let's say country B wanted to do some spying on country A. If I was country B I would become a datacenter in country A, or infiltrate a datacenter in country A, or infiltrate the transmission lines (most likely) somewhere along the point at a routine maintenance junction. From there I would have an airgap transmission to a safehouse within 2 miles, and from there, I would send AES data blocks back to the local processing center for preprocessing, which copies it all to HQ. But that's just me, and just off the top of my head.

The great thing about W-band is that it is absorbed by our natural atmosphere, so it has an inherent cloaking ability (to my understanding). So you could be pumping it out, I think, and others around you wouldn't be able to hear it unless it was pointed directly at them. Who knows. I'm sure you could do something with lasers that was way beyond TBps.

I imagine the adversary knows what traffic they are looking for and can tune down the required data in near realtime, instead of a dragnet and trying to sift after the fact. Just a theory.

Nosuch is possible, assuming end to end encryption isn't used 100%.

These sort of things happen in parallel.

I might as well tell you in PM how we are going to do it if you are so innocent as to think access blocking and rapidshare will play into this at all
I suggest that whoever wins buys the 2 rounds of drinks.

If I'm the adversary, I already know that I should first look to see if your http headers fit the match. If not, I do nothing. If so, then I know if I should inject code that takes you to the java/javascript/flash, such as from an ad banner on any random page that I forge, and sniff the traffic to find the results I want.

Actually, there are some unpublished attacks that would allow me to do quite a bit to you, without you being able to block it (unless you have xb machine or janusvm) just knowing some of the data that your browser will accept. But that is a different story.

I think that is doable. I'll mention it to some of the others.

If you wish to avoid DDoS attacks, does that suggest your network defenses aren't satisfactory? No, you just prefer to avoid trouble than to seek it out. Of course, I wasn't only talking about legal attackers, I was also talking about fraudsters feeling bolstered.

We had a discussion about that and most of it ended up in the mission and vision statement. Profits are important, but the culture here is that profits are a byproduct of 1) doing something you believe in, and 2) creating value by providing a product that is needed. In this specific instance, the something we believe in is the right to privacy, the sovereignty of the individual, free markets, and promoting human rights in general.

This I have personal knowledge of. We had some indepth discussions that were covered in my Portable Privacy talk at defcon. There are a lot of good and okay services out there, and a deluge of terrible ones, but none of them are cohesive in their offerings to match service to lifestyle needs, and none of them up the level of the game; they all seemed willing to fold if you drop by their office with the right letter. For those that were unable to attend my talk at DefCon, it is viewable here.

Without any doubt at all. Off the record, I think many people, not just at xb, are disgusted by the lack of heroes who will stand up and not just say "no", but proclaim "liberty or death." There aren't many people with such strong convictions any more, certianly not in the US or UK, and certainly not among any other privacy services i've heard of. XB is the one that asked me to suggest the cover story name for the DGC Magazine interview I did: "Privacy is Back".

In the values page on the new website, the first value listed is that the privacy of clients is above all else. That includes profits. And it has been said that we would rather shut down and close up shop than violate the privacy of any legitimate client. That was one of the main things that won me over. These people, and me included, are of a similar mind. I don't want to be part of some rag-tag proxy service that can only protect users as long as it is convenient.

The simple answer is "No". The detailed answer is that they need our assent and collusion to do so, and vice versa. The only thing they could do is 1) shut off the service, or 2) expose the identity of who buys service from xerobank, but not what they are doing with that service. The latter of which isn't an issue thanks to our separation of account ID from account activity. So we could say Joe Sixpack is a xerobank customer, but we wouldn't be able to say he visits xyz website and has abc emails. All of that is encrypted, and they don't have the decryption keys, and we ourselves don't have the ability to use the decryption keys without two other admins to collude. It's kind of like in the movie Terminator 2 where arnold and the boy broke into cyberdyne but couldn't open the vault door unless the both had their keys in the lock and turned them at the same time. but now require three of them and stick them in different jurisdictions. And now consider the keys in a trust, which can be revoked by the legal department, and replaced by a pre-designated alternate outside of that same jurisdiction. There is a misnomer in one of the value statements IMHO, it says that financial stakeholders are never allowed access to client identity or data. It is true, but I think it is better stated that financial stakeholders are never allowed unencrypted access to data, or linking of data to client identity. This is because client identity can be discovered by reviewing merchant account logs, but you can't figure out what account they own just from that, so it is irrelevant.

Actual activity? Absolutely not. We can give them non personally identifying information like "we used 10TB this month on node 5" but no user details with PII. They can request it and we will ask why and then consult with the ethics advisor on the propriety. Admins retain the right to say "no" without fear of reprisal or intimidation.

They could try, but I don't think it would work unless they had a gun to our heads. But they don't ask for such data, and asking for that data is suspicious, and it takes at least three of us to tango and others get informed when we are about to do the dance so they can watch the terminals if they want. The dance is the 3 keys i was talking about earlier.

Depends where the pressure is coming from. Pressure from courts of the US, UK, EU is no pressure at all. Pressure from governments is a little bit more pressure. Pressure from Panamanian courts is eye-brow raising pressure. Pressure from Panamanian government is heavy pressure. However, our internal structure makes trying to work against is an embarrassing, wasteful, and fruitless ordeal. We don't do logs if we don't have to or we don't suspect malicious activity, so even if the criminal court of panama shows up with a letter, we don't have logs because we didn't think the activity was malicious, sorry guys.

Now it is a different story entirely if the requests are legitimate and we agree outright and see that action xyz is a significant violation of the TOS/AUP and is doing real harm to someone physically or financially. Let's say someone is dealing in CP or calling in bomb threats, then the court order would be a pleasure, and no pressure at all except a formality. Short of that, it's like trying to swallow a hollow porcupine, and about as productive.

Great questions, as usualy P2K, you don't waste time with periphery but head right for the meat.

I think the first thing that would happen is I would call a friend at the EFF and ask them to help me understand what this legal letter means, because I don't speak lawyer. Naturally I would forward a copy of it to legal at XeroBank as well, so I can understand what I can and can't do. Legal letters are such pesky things, especially for someone who can't understand what they are saying. I have to consult others to understand the contents of the letter. Of course, the FBI and I are not unfamiliar with each other, and they know I am their US contact for XB to really get things done if someone is severely fracturing the TOS/AUP.

Well, they were US citizens and knew the risks, so it is their own fault for keeping themselves in the loop by assuming ownership. Sometimes you have to make personal sacrifices to see your dreams come true. That's why TORRIFY LLC is divested, and I have no ownership of any of xerobank's interests.

Please see the above. While you can't stop the issue if the system can be compromised by a single user, you can decentralize and require cooperation which means that all other admins have to collude to compromise as well.

 

Is that interview available on the internet?

 

Okay, I was waiting to be the 667th post in this thread.

I'm not sure how many people are going to read all of this, and I'll admit I'm not one of them. I'll just give my 2 cents. Tor is clearly the best product available for internet anonymity. It's open source and widely used. For the vast majority of users, it provides an effective way of wiping traces of previous activities. After some time has passed, the powers that be will have little hope of tying an activity to a person. There's no single point of failure. It's possible, although extremely difficult, to unmask a person in real time (under certain circumstances) if there's a strong enough motivation to do it. This service should probably not be used with personally identifiable information or with any accounts/personal information you do not want to risk being stolen. But it's perfect for use on Wilders Security or usenet, where you don't want to risk being tied to your posts/downloads in any way.

Paid privacy services are an alternative if Tor is too slow, but there is no paid service that can compare to the anonymity offered by Tor. I'm inclined to put them all on equal footing until it can be proven that the service is compromised in some way or that they do logging. Cotse is often given as an example of an exemplary service because of the people who run it, and supposedly they have a good track record.

Privacy.li is basically the scum of the internet. They've been shown to have been compromised in the past. They rip people off, and they have no problem just taking your money and denying you service. Then if you complain, they'll publish your private information on the internet to keep you quiet. In short, they're pure garbage. They've been suspected of conducting man-in-the-middle attacks as well.

Anonymizer I've noticed is often viewed with distrust, although I've seen nothing concrete about them. A lot of people just assume they log and that they're in collusion with law enforcement, although I've seen no real evidence of this. Note that Anonymizer or just about any other service is better than Privacy.li.

XeroBank I believe is a newer kid on the block, and I'm inclined to give them the benefit of the doubt. I think some of the attacks are unfounded when you consider that they've provided no less information than any of the above services. And someone involved with the service is willing to spend all of this time here talking to potential customers. In short, I see no reason not to try them. Only time will tell though if they hold up as well as Cotse.

I am a little concerned about the talk about Tor though. It is widely considered the gold standard. If you want to argue that your service is equal to or more secure than Tor, you better have something to back it up. Also, I am a little concerned about making a claim and then, when asked to elaborate, no further concrete details are forthcoming. I've read a considerable amount from you, and I have little idea how your service actually operates. Although I will say I've only read about 1% of this thread, so I may be wrong. My only advice would be to lay off the superlatives unless you're willing to provide some real detail and some corroboration. But otherwise, I enjoy reading your posts. Your service may be all that and more, but we have no way of knowing it except your word. And that's not enough to put you in equal standing with Tor (or even close really). Your service is of value over Tor because of improved speed (at the sacrifice of some of the security/anonymity that Tor provides). It's the same with any other anonymity/privacy service. If you think otherwise, we need real details and corroboration that don't rely on only your word. Otherwise, you open yourself up to some attack (that may then be warranted). The real value of Tor is that we can verify the service to a large extent. That's why it's trusted. That's why it's the gold standard.

Could you explain what you mean by this? What precisely will be a pleasure to do if someone is "caught" violating your terms? How will you cooperate?


Addendum:

I really dislike it when people do that. First, if you're not willing to publish the attack, please don't talk about it. Second, I believe there's nothing that xb machine or janusvm do that can't be done manually (by someone with the right knowledge). If you believe otherwise, then tell us what they can do that can't be done without them.

 

see you can't trust xb, its owned by the devil itself (see post #666)!...

"and if you didn't know i was being sarastic' -Homer simpson.

Couldn't help myself , on a more serious its good to see some information finally come through. Thanks P2K for the excellent questioning, and xb for an honest answer. All we have to wait for now is physical results and xb may have revived itself.

Malwaretesting, xb answered this a few pages aback about how they can lockdown the system if they find a user abusing the service. Your conclusion is quite right, and as mentioned in this post xb has only to deliver on its promise and its can be a gold templete for people to assessing anonymizing networks, until then TOR is the standard for now. Through there isn't any reason to use other services if you aren't too paraniod about your privacy.

 

His post implied to me that if they found someone "abusing" the service or if someone who is potentially harmful is using their service, they would work to try to "out" them. Am I wrong? If that's what he's saying, then that's the drawback of all paid privacy services right there. They decide if you're being abusive. They decide how they're going to deal with you. I'm not going to argue their right to do that, I'm just saying some people might not want to take that risk.

If I'm interpreting his statement wrong, point me in the right direction. Maybe he addressed it in another of these 670 posts that I may not have read. What does he mean by "then the court order would be a pleasure, and no pressure at all except a formality." That implies to me they would try to find the individual. But previously, the implication was that there was virtually no way to do it. So, I'm looking for an explanation for this.

 

I tried XB Browser today and it told me that "Yahoo tracking data has been removed". So what exactly is this data?

I have been using Yahoo email for a few years, always through Tor. Does everyone get this tracking data or is it just those they detect using Tor or other proxy?

Thanks

 

This is one of the main reason that I would not touch XeroBank. There are some disturbing quotes by Steve on this board (my emphasis):

"Now, if this is some subpoena over something like child pornography or financial fraud, we would want to help them out and they should work with us."

"Steroid users wouldn't be a blip on the radar, that is a personal choice that harms nobody but the potential user. Now if they are fake steroids and you're doing fraud, we'll be more interested in hunting you."

"if the evil traffic isn't violating our terms of service or we don't believe it is evil"

"But xb has to "draw the line" somewhere. They aren't going to allow the service to be used for spam/scam/virus, threats, theft/hacking, or child porn... The scum can keep using Tor."

Simply put, I would not pay money to an individual/organization who was inclined to pass such judgements. To quote from The Freenet Project:

"Q. I don't want my node to be used to harbor child porn, offensive content or terrorism. What can I do?
A. The true test of someone who claims to believe in Freedom of Speech is whether they tolerate speech which they disagree with, or even find disgusting. If this is not acceptable to you, you should not run a Freenet node."

I accept that commercial organizations do not have the same freedoms as non-commercial organizations - in that they have to protect their business - but actively wanting to target some individuals based on subjective judgments ("the scum") is something else entirely.

 

Another problem I can see is that by publicly identifying the kinds of activities that would persuade the company to co-operate with the authorities, you are letting them know which lies they need to tell you to get you on side.

For example, supposing they were after someone who had been posting evidence in support of the claims that 9/11 was an inside job. They are not going to tell you that that is why they are after that person because they know you would refuse to co-operate. So instead they would just have to cook up some story about the person being involved in fraud, child pornography or terrorism. And if necessary they would fake some "evidence" of such activities, which would be very easy for them to do.

 

I would like to try it but their certificate expired on 28/05/08 and i cannot get the registration number.
Perhaps someone from xerobank could respond.
John

 

You can't have your cake and eat it too. If there's NO way to compromise the system and out someone, then you have to basically live with all of the above activities and risk having your system shut down by the authorities.

From what I've understood from your previous posts, there's no way to tie an activity to a user after the fact, correct? So, I presume the way you would deal with the "scum" is to try to find them in real time, as the activity is being done, correct?

If there is a way to "tap" the system to view activities in real time, then that puts you in the same league as JAP, not Tor. Many people will find this acceptable, but it would help if you would just stop skirting around the issue and describe what would actually happen.

Are all of your servers located in Panama? Or are some in other countries? If you think for a second that any of your people with the keys would hold up for a second under pressure from the police/government, I think you've shown a gross overestimation of the human will. I've seen people that say all the right things about privacy, liberty, human rights, etc. fold like a wet towel. And a lot of times it's not even the law that gets them to fold, it's money.

Giving the analogy of "swallow a hollow porcupine" is meaningless if your system relies on the willpower of people. That will NEVER hold up. The only true safeguards on your system are those that are built in and DO NOT rely on any 1, 5, or 10 people being able to hold out to pressure. You can easily get 10 people to start crying like schoolgirls and sell out their own children if you whisper the right things in their ears. An example of a good safeguard is having servers located in different countries, because getting 3 or 10 people in the same country to fold is not that difficult.

So, in my mind there are 2 issues.

1. You've already stated that it's not possible to connect a person to an activity after a fact. So, I'm assuming you can't catch "scum" after the fact.

2. What would it take to catch a person doing something in real time? How many of your users would that compromise if you were to place a "tap"? What circumstances would have to transpire for you to be willing to do this? As much detail as possible would help.