December 2, 2007

Where is the 'Off' button?

The US recently appeared in UK court to explain that it had the right to kidnap British citizens for alleged financial crimes. So what was once accepted as a relatively upsetting process of "extraordinary rendition" for nabbing criminals under the legitimacy of "fighting the terrorists," has now been surreptitiously downgraded in requirement to simply breaking a law in the US.

So let's clarify: If you are a British citizen on vacation and you jaywalk in the US, you can now be kidnapped if you travel outside the UK. The US will redirect flights, conspire with non-US customs agents, and then spit in the face of another country, in their own court, hiding behind sovereignty and previously uncontested case-law.

Readers, consider the implications if such actions are universalized: What happens if I break a law of another country, like Sudan or UAE, such as free speech or encouraging the progress of women? Do they have the right to grab me once I leave the US? By allowing the US to do this, we are emphatically nodding our heads and smiling. International case law is not unilateral. We're setting a precedent.

I was reading the article comments, and noticed that many non-US citizens have such a strange view of the US. They said things such as "For the Americans to be loved at World level, they will first have to learn to love the World themselves" and "You chaps and chapettes need to put your foot down on this species of judicial arrogance. I would say that most US citizens would be shocked to know that this is the position of its own gov't."

We aren't shocked. We (thinkers) aren't ignorant. It isn't because we want to be informed and our government is making it so difficult. It isn't because we are so scared of the "freedom-hating" terrorists. We have an administration that most Americans disapprove of, most Americans are in favor of impeachment for, and an unresponsive congress that has an even lower approval rating.

It isn't that we aren't hitting the brakes on this crazy ride. We are. It's just that someone cut the brake lines. If it was as simple as "You Americans should do something" and us responding "Oh? Okay. Let me just hit this 'Off' button," don't you think it would have ended? Unfortunately the Off button includes financial repercussions, political demonstrations, and now, other acts of "Terrorism" which we've quietly allowed to be outlawed thanks to H.R. 1955. This new law makes true change by the people impossible, by labeling them criminal combatants and terrorists to our current way of life. To put it in short, this is no longer our country. Don't get me wrong. I love the idea of America, and it is the worst country except for all the rest, but the light that has been the beacon for world progress has been snuffed out. We are only such a great country still because we haven't let time take its toll, watching the American body atrophy, given our new political environmental conditions: Death, rendition, and the pursuit of militarization. Would America ever have been a great country with the actions and aspirations we have now? No, but it could be great again. So I will stay here and keep fighting, every way I know how. If only it was as simple as an 'Off' button.

November 8, 2007

Hushmail Can Read Your Encrypted Mail

According to Wired Blog, Hushmail, the popular purveyor of secure and encrypted mail, is colluding with the US Federal government, and has demonstrated its ability to decrypt your emails and compromise a client's security.

What happened?
Hushmail decided to help US Federal agents bust an alleged Steroid provider.

What does this mean?
If you've ever used Hushmail, all your messages sent and received through them can be decrypted.

How does Hushmail hack into your account?
Hushmail has two techniques. If you access by webmail, they can capture your password to decrypt your messages. If you access by the client-side Java applet, they can push you a modified applet that captures your password.

Why did Hushmail cooperate?
The reason they cooperated is that they were compelled by a court of law, and they didn't feel like defending the client because it was alleged that they were criminals. They are a Canadian corporation, so their jurisdiction is a weak position from which to mount a defense, and it is unclear whether they investigated the claim as being legitimate or dubious.

How does this compare to XeroBank?
XeroBank is in a strong jurisdiction, unlike Hushmail. XeroBank also investigates such claims and will not blindly follow a subpoena. However, XeroBank looks forward to busting money scammers and terrorists as well.

What should we learn from this?
If you are doing something illegal by the provider's terms of service, jurisdictions won't matter whether you use HushMail or XeroBank. If you aren't doing anything illegal according to the terms of service, jurisdictions and court orders will have a very high hurdle, as long as you have XeroBank. In the latter instance, it appears HushMail may sell you out. Honestly, we need to know more about what really happened, because if HushMail found out the steroid claims were true before handing them over, AND it really was a violation of their TOS, they acted with propriety.

Another thing we should learn from this is that HushMail's use of client-side encryption is a marketing gimmick, as they can push Java code to you that is untrustworthy and can give them access to your emails.

October 24, 2007

Comcast performs Denial of Service attacks against its customers.

Recently there has been some huff in the news about torrent users getting shutdown. Not police raids, or lawsuits, but by their ISP. It isn't that Comcast is simply traffic-shaping the internet communication of its customers in order to achieve performance standards. It turns out that Comcast is using dark-arts techniques in order to silence data traffic that it doesn't like.

The recent case was an attack against P2P, which is traffic that you and I may share when transferring files between each other. A good portion of the time, this file-sharing technology is used to trade copyrighted media between consumers. However, it is a legitimate technology for sharing files nonetheless. We don't ban the use of money simply because people can buy illegal drugs with it, nor should p2p traffic or torrents be singled out. For example, most of the open-source, free Linux distributions are very large, and the most efficient method of sending and receiving them is by sharing them between consumers, instead of everyone downloading from one central point and 'clogging the tubes'. This is a great way of conveying data, and it doesn't rely on a single point of distribution, but on fully independent cells who share information.

So what is the row about? Comcast is sabotaging the communications between users, sending 'disconnect' notices by impersonating the people who are sharing files. Sabotaging 'undesirable' communications is typically done by countries engaged in military warfare, or more recently by hackers attacking computer networks or services. This technique is called Denial Of Service. It is used to disrupt internet communications, often by causing traffic jams. The analogy was well made that if Comcast was a phone company and didn't like what you were talking about, it might break into the conversation and impersonate your voice, telling the other party you had to go and not to call back.

The most interesting thing about this story is that Comcast originally lied about using the tactic of impersonation, then got busted, lied again, and now they have switched tunes and are admitting to it, calling it 'delaying'.
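To make the impersonation concrete from the defender's side, here is an added example (not from the original post, and not anyone's production tooling): a heuristic that flags TCP RST packets whose IP TTL does not match the TTL the remote peer has been using on that connection, which is the fingerprint a forged 'disconnect' from a device in the middle of the path tends to leave. The packet trace, addresses, ports and the TTL_TOLERANCE value are constructed assumptions.

```python
"""Heuristic detection of injected TCP RST ("disconnect") packets.

Added example, not from the original post. The packet trace below is
constructed, not captured Comcast traffic. Vantage point is a single host:
segments that genuinely come from the remote peer arrive with a stable IP TTL,
whereas a RST forged by a device in the middle of the path has travelled a
different number of hops and typically carries a different TTL. A RST whose
TTL differs from the sender's established baseline by more than TTL_TOLERANCE
is reported as suspect.
"""
from collections import namedtuple

# One record per captured TCP segment (constructed fields, no payload).
Packet = namedtuple("Packet", "src sport dst dport flags ttl seq")

# Assumption: legitimate TTL jitter from route changes is a hop or two at most.
TTL_TOLERANCE = 2


def flow_key(pkt):
    """Direction-independent identifier for a TCP connection."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def find_suspect_resets(packets, tolerance=TTL_TOLERANCE):
    """Return (packet, baseline_ttl, reason) for each RST that looks injected.

    The baseline TTL for each (connection, sender) pair is learned from the
    first non-RST segment that sender transmits. A RST with no baseline (for
    example the normal RST answering a SYN to a closed port) is not judged.
    """
    baseline = {}
    suspects = []
    for pkt in packets:
        key = (flow_key(pkt), (pkt.src, pkt.sport))
        if "R" in pkt.flags:
            learned = baseline.get(key)
            if learned is not None and abs(pkt.ttl - learned) > tolerance:
                reason = f"RST TTL {pkt.ttl} vs baseline {learned} from {pkt.src}"
                suspects.append((pkt, learned, reason))
        else:
            baseline.setdefault(key, pkt.ttl)
    return suspects


# Constructed trace: a local peer (10.0.0.5) talking to two remote peers.
SAMPLE_TRACE = [
    # Connection A: handshake, some data, then a RST "from" the peer whose TTL
    # does not match anything that peer has sent before.
    Packet("10.0.0.5", 51000, "203.0.113.7", 6881, "S", 64, 1000),
    Packet("203.0.113.7", 6881, "10.0.0.5", 51000, "SA", 52, 5000),
    Packet("10.0.0.5", 51000, "203.0.113.7", 6881, "A", 64, 1001),
    Packet("203.0.113.7", 6881, "10.0.0.5", 51000, "PA", 52, 5001),
    Packet("203.0.113.7", 6881, "10.0.0.5", 51000, "RA", 240, 5100),
    # Connection B: the remote side really does close with a RST; its TTL is
    # consistent with its earlier segments, so it is not reported.
    Packet("10.0.0.5", 51001, "198.51.100.9", 6881, "S", 64, 2000),
    Packet("198.51.100.9", 6881, "10.0.0.5", 51001, "SA", 57, 7000),
    Packet("10.0.0.5", 51001, "198.51.100.9", 6881, "A", 64, 2001),
    Packet("198.51.100.9", 6881, "10.0.0.5", 51001, "RA", 56, 7001),
    # Connection C: RST answering a SYN to a closed port; no baseline, skipped.
    Packet("10.0.0.5", 51002, "198.51.100.9", 6882, "S", 64, 3000),
    Packet("198.51.100.9", 6882, "10.0.0.5", 51002, "RA", 57, 0),
]


def suspect_sequence_numbers(packets=SAMPLE_TRACE):
    """Sequence numbers of the RSTs flagged in a trace (convenience for checks)."""
    return [pkt.seq for pkt, _, _ in find_suspect_resets(packets)]


if __name__ == "__main__":
    for pkt, learned, reason in find_suspect_resets(SAMPLE_TRACE):
        print(f"suspect: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {reason}")
    # A single-vantage TTL check can miss an injector that copies the peer's
    # TTL and can misfire on a genuine route change; capturing at both ends
    # and diffing (a RST neither host sent) is the stronger confirmation.
```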

Does this technique benefit Comcast? Obviously so. Is it legitimate, or even legal? Probably not.

UPDATE: Comcast Internal PR-Spin Memo Leaked

October 22, 2007

It's Done. xB Browser 2.0.0.8 is here.

Okay this has been quite a week. I've been taxing the rest of the team to death, and I sense a revolt coming. So here I am, coming up for air, dropping the latest xBB, and giving some hints. This latest xBB is all about the installer. This installer is good for free users, xB Plus clients, and xB Pro clients. It gets even better... new users can create demo accounts and trial xerobank right from the installer! And the download is as small as ever.

Regarding the browser itself, we cleaned it up for Vista, and improved some of the structure. Soon it will be getting a much stronger overhaul. We updated everything in it, as per usual: Firefox/Gecko core, plugins, new plugins, Tor, etc.

So I'm done with version A, and we're uploading it. Still some planning on how we are going to do upgrades from one installer to another, considering that xB Browser doesn't use the registry for info storage.

Download it from the beta folder here.

October 15, 2007

xB Browser 2.0.0.8

Held back on 2.0.0.7 because it wasn't ready for push, nor necessary [theoretical QT vulnerability for firefox (PLUGINS DISABLED IN XB BROWSER), not critical] and we are in the middle of a bigger/better software build. Should be ready in just a couple more days. We've built an installer for the program, so you can put it on your hard drive or USB drive. I've written some code that allows you to provide your xerobank transaction ID to autodownload your activation keys, and I'm thinking of how to add this into the browser or installer or both. I'm considering combining the software with xB VPN for our new product release. This should be interesting to say the least. Lots of least-resistance design coming up. Perhaps there should be a simple product downloader instead of a pre-packaged downloader?

I edited the software, experimentally, to allow it to run concurrently with firefox. Well, it kind of works. But if you try to start firefox afterwards it just opens up another xB Browser window, which is kind of annoying. Going to need a customized theme for xB Browser once we get it all sorted out.

That way it could look up your product with the transaction ID, and grab the software you need or request.

Still thinking about it...

October 14, 2007

Lunch with the FBI

Last Wednesday I had lunch with the FBI, whom I had run into at the UTA security conference. We met at Chili's and had blue-cheese burgers, and one of the agents had a honey-mustard chicken-finger salad. Amongst the things we discussed was XeroBank. I brought it up.

I mentioned that we will shortly be opening up servers in the US, and would like to avoid any unnecessary raids of our data-centers, as they are an inconvenience to all. Such an arrangement would also help them avoid any embarrassing situations where they end up pointing guns at geeky technicians, only to get a hard disk full of encrypted data. The essence is that we want to send a strong message to the money-fraudsters and child-pornographers that they will not be protected or tolerated by XeroBank, as they are violators of our Terms of Service, and costly offenders to all. Of course, we don't care about the activity of non-violators, and I said as much. I had to stress that unless the violators are international 'terrorists' that pose some immediate threat to human life, child-pornographers, or cash/paypal/e-gold fraudsters, then we simply can't be bothered with anything less than a court order, which won't trace or identify the client anyway. In a situation where there is such a claim of terrorism etcetera, we will have to go to the trouble of attempting to monitor the account first to see if such a claim is valid. If we find out such a claim is valid, then the user is violating our terms of service and isn't protected by our confidentiality agreement. If the user isn't violating our terms of service, we have to decline to provide any assistance. Of course, we also know who we are dealing with, and if it is an issue of terrorism, we don't think we'll be getting a call from the FBI. In that situation the lights will turn on at the NSA, and the potential threat will be neutralized with little or no involvement from xb whatsoever. As I said earlier, if you are trying to hide from a super-powerful omniscient agency with the ability to monitor all traffic on the internet, you've got bigger problems than anyone can help you with.

Striking a balance is difficult, but it means knowing how far both parties are willing to go. It means that an agency knows they have an uphill battle, and that being given a string to pull means they can't abuse it for petty issues, nor burn their contacts, else they will be stonewalled. It also means that xb has to walk a very fine line when given a legitimate tip that someone is abusing our service, because we have to investigate the traffic live, in addition to potentially violating the user's privacy if the client turns out to be legitimate. I think we would want to notify the user that they were requested for monitoring, and that nothing showed up, so the investigation of their account was closed. I think we should also give them a new account to restore their anonymity in our system. So if the FBI gives us a tip, and it turns out to be no good, then they burned their chance to nab the criminal. Or if they give us a tip, and it turns out to be something petty or nothing at all, then we've all wasted our time and outraged the privacy of a legitimate client. I think it is important to have such an understanding, because XeroBank has communicated to me they won't be subject to politically or financially motivated claims by any agency, regardless of jurisdiction.

October 7, 2007

A beacon in the darkness: Dr. Ann Cavoukian

Dr. Cavoukian recently gave a moving presentation on privacy, at Waterloo University. Simply amazing. Hacktivismo should have awards, just for people like her. Click the picture below to be taken to the page you can view the video at.

Ann Cavoukian

October 3, 2007

UTA Security Conference

Greetings viewers!

I had a few requests for me to post the presentation and tips that I gave earlier today. You can download the presentation by clicking here.

Social Network - Clean House / Search and Destroy
  • Separate - Only use your real name for professional work. Don't link to your aliases.
  • Articulate - OMG, will you be LOLing when your interviewer finds out you have a 5th grade speech equivalency?
  • Obfuscate - Cover your past indiscretions with false information. Need help finding your indiscretions? Check the bottom of this post.
  • Delete - Give Google 4 months to archive your false identity, then destroy it.
Separate Your Networks
  • Real name for professional networks - LinkedIn : Steve Topletz
  • Fake name for friend networks - MySpace: Arrakis
Learn how to write a resume - distract your interviewer from your alias of "partydude04"

Stop unsolicited credit card / insurance offers
Lock down your credit report from unauthorized access
Engage in Best Practices
  • Keep your drivers license in your car
  • Carry cash instead of plastic cards
  • If you have to carry a card, carry only 1 payment card, credit card preferably
  • Shopping Online: Use FREE one-time-use credit card numbers from your bank's website.
  • NEVER carry your social security card
  • Shred bills, receipts, documents, contracts, etc.
  • Use history / tracks erasing software (like xB Browser)
  • Use encryption (ex: TrueCrypt)
  • Be careful what you use the internet for
  • USE XEROBANK SOFTWARE! (It's free and has 0 calories)
SPY ON YOURSELF

Did grandma's photo-album sell you out? Try out some of these social-network search engines on yourself. I was able to easily locate political donations, church welcomings, blogs, photos, home addresses, phone numbers, resumes, and a litany of other information about my colleagues.
  1. Wink
  2. Spock
  3. Pipl
  4. YoName

September 10, 2007

A Travesty of a Mockery

So I was talking with our brand manager the other night, and we were discussing the symbolism of logos. I decided that I should step back and take a look around. Maybe there are hidden meanings. What exactly is the AT&T logo? It seems like a line etching of a sphere. A little presumptuous to say it is Earth, but maybe. What does it mean? What about Sprint? Their logo looks like some disrupted feathers. Perhaps it is a bird wing flapping. Lucent? A big red circular stain, like from a coffee cup. Apparently their lucidity is ground roasted. So if that is how the big guys play it, what about the smaller ones? How do they choose to distinguish themselves? Looking around, I noticed something hilarious... a (de)evolution of logos.


Here we have the Silver Surfer, a Marvel Comics character. He looks majestic and tough, arms folded. Click on him to get more detail. Where have I seen this before? Ah yes.


The AdultBouncer logo, a blatant ripoff of the Silver Surfer. For those of you who have never visited the internets, AdultBouncer is one of those obnoxious pornography websites that will do whatever it can to get your attention and credit card number. They decided to mask him by putting some wrap-around sunglasses on him, and a single sun instead of a galaxy. I guess his secret disguise keeps AdultBouncer safe from being sued. Now we are getting somewhere. Yet, I had the feeling I had seen this before...

I knew I recognized that silhouette! Apparently the AdultBouncer logo is doing some moonlighting over at MightyPorn, er, Key. The little guy has the wrap-around shades, sun, and all. Of course they made some extremely minor changes like changing the sun color and changing his pose, but obviously they were trying to make people think of the adultbouncer version of the "surfer". I suppose that since they spent some time and money planning that logo, the subconscious association was intentional. Apparently MightyKey has a very specific client in mind. Perhaps this is an astronomically unlikely coincidence. Surely a professional company wouldn't try to incorporate any suggestive imagery on their website, because what does porn have to do with computer security, other than the most sophomoric understanding that "sex sells (computers)"? Well, if there are any other "special moments" you don't want your family or employer to see, be sure to lock them away in MightyKey's spank-ba... "vault" that only you, MightyKey, the government, and any corporation who requests it, have access to.

UPDATE: MightyKey decided to block some blog readers who tried to visit their website from here. Censorship from an anonymous internet provider? Glad to see they aren't violating their ethics or purpose of existence.

August 24, 2007

NSA Spying defense implodes

A possibly fatal blow has been struck against the NSA domestic spying program, by one of their own. The crux of the NSA's argument for dismissal was that it couldn't confirm that it did anything with AT&T et al, as it was a state secret. Obviously that is a ridiculous claim, as the conspicuity has blown away any supposed veil of secrecy, regardless of whether there was complicity or not. So what happened? National Intelligence Director Mike McConnell has (inadvertently?) destroyed the NSA's claim by openly admitting that the telephone companies being sued did indeed aid in the domestic spying program. Not that there was much doubt, but this is now down on ink and paper, and cannot likely be considered a state secret at this point.

So how will the NSA and US Government respond? Perhaps they will claim hearsay, or Mike McConnell will be pressured to claim that the interview was a farce. Maybe they will say that the statement is still vague enough that secrecy is preserved, which is like a wet t-shirt contestant denying obscenity charges on the grounds that they were wearing a shirt.

This lawsuit represents a threat that would bankrupt AT&T, Bell, and Verizon. The damages the telcos would have to pay would be in the billions, as there would be a $500 penalty per violation, to be paid to each person, which is likely anyone reading this. The telcos will use every bit of lobbying and persuasion they can muster to sweep this problem under the rug. And they have been doing a pretty good job of it so far, as we are six years into the illegal spying, with no accountability in sight.

FOLLOWUP: The EFF's Derek Slater has commented that this will allow the spying case to proceed in court, and defeats the government's claim of state secret privilege. Ars Technica speculates the government will shift tactics to press vigorously for immunity for its accomplices when congress reconvenes sessions in September.

UPDATE: I have spoken with the EFF, and they have informed me that they will be developing a strategy for dealing with the upcoming push for retroactive immunity for the telcos.

August 17, 2007

How easy is easy enough?

I was wading through a myriad of clients asking why their browser was still slow after they signed up. Obviously that wasn't right; the XeroBank network is the fastest by far. They were still using the Tor network and had not logged into their account to download their software. It struck me: There must be a better way.

I was speaking with Ricardo about our checkout process, and it occurs to me that we should make some changes. What I want is to push the update directly to the user's xB Browser as soon as they finish checkout. Of course, they need to log in just to get their transaction ID, which is only two clicks from getting their browser already. Yeah, yeah, it is indeed pretty simple already. But that doesn't mean there is a legitimate reason that it should be any more complicated than it already is. Another issue which stops this from happening is that completing checkout doesn't mean their credit card has been verified yet. So what to do? Well, 1) Use the recovery email address to send the user a notification of "what now?", and 2) Something a little more.

I was having dinner tonight, about to drop into a transcendental state, when it hit me. Why can't we let users upgrade the browser, right from the browser? I rushed back to the XeroBank dojo.

I began poring over the ancient scrolls of Master Xero. There is a legendary technique for extracting the config files from the ethereal core. I know that with the proper training, I can achieve the skill and apply it to the browser.

So I've devised a way that the users can upgrade the browser, if they haven't logged in to download the other. A lot of methods to reach the same goal. And I've been thinking about making it somehow even easier.

I must tell you, there is no more complex task than making the technical and difficult appear simple and easy.

UPDATE: The skill has been achieved. The only issue now is making the technique respect the balance of local proxy configuration, if the client has one.

August 9, 2007

DefCon 15: A Review

So we just got back from DefCon. It was a pleasure, and I had a great time. We arrived after Bruce Schneier's talk, which I regret, but I got to see some others. I met up with some Cult of the Dead Cow members and took Roger Dingledine & his fiancée Rachel to a BBQ party. Roger is smart, a great speaker, and is well matched to Rachel. I ran into some old buddies just about everywhere I went. One thing I noticed about Vegas is that it appears to have very few banks, but very many $4 ATMs, which is unfortunate as I had some wire transfers to execute.

On the second day I was busy working on my presentation. At 7pm I took the stage and gave it. Unfortunately the type from the print shop was so small I couldn't see my notes, and there was so much to cover that I didn't get it all out. Some of it got glazed over. I think what I will do is record the presentation for everyone who didn't get to see it, and do the full thing at my own pace, as we had only 45 minutes. Naturally, it will get posted online, here. All in all, however, I would say it went well. I played to a packed house of about 400 or 500 attendees, and we handed out lots of free XeroBank accounts. I really want to thank Myles Long for helping me out, and all those who showed up for the Q&A.

One great thing that happened was I heard about a party for Ninja Networks. Something else I heard from another attendee was that there is a puzzle called Caezar's Challenge, within the party. This party takes place every year, and is supposedly for the most elite (huh?). I ran into one guy from @stake, at a party at the Hilton. On the way out I asked him where the better parties were, and he handed me a badge for the Ninja Networks party, and told me the passphrase to get in. So we are back at the Riviera, and Kristin and I get into the party while a drove stands outside the velvet rope with tearful eyes. When I'm there I recognize a few faces, one of them from my local DC214 group. He informs me about the specific challenge and I read both parts of the challenge. What luck! I instantly knew answers to both the challenge questions, as they dealt with crypto-capitalism. So I located an inebriated Caezar, gave my answers, and he invited me to hang out in his pad in Seattle. Nice fellow.

Guess who I later notice at the party? Roger. At that point I asked him what he was up to; and I liked to imagine he showed up and chopped down the bouncers with his fist of fury, after giving telekinetic lobotomies to the zombie crowd dying to get in. Disappointingly he informed me that he had wandered in using the authority of his Tor Project shirt. Ah well, we can have dreams can't we? In mine, Roger Dingledine, Nick Mathewson, Paul Syverson, and Steven J Murdoch are all deadly ninja warriors, fighting for anonymity of the body, and privacy of the mind.

Well, this post has had very little to do with portable privacy. To give it some sense of legitimacy, I have been listening to the complaints of Jim Verard, and making changes to xB Browser to accommodate them. So here is what is new in xBB 2.0.0.6a:

- search and destroy Yahoo Sign & Seal tracking data which compromises anonymity
- disable registry-based Firefox/Thunderbird Plug-ins
- dialog for Xerobank mutex shutdown should no longer destroy profile settings (fingers crossed)
- crippled the mozilla updater system to prevent corruption and security vulnerabilities from update server spoofing.

todo: the profile section needs to be reworked still. We should have soft settings in the user.js, and hard settings in the prefs.js. We have tried one and the other, but not both. I think that will be especially vital in the Tor network version.

August 1, 2007

Privacy vs Profits: The false dichotomy of commercial anonymity

I often overhear comments such as "You can't trust commercial anonymity networks, all they care about is the bottom line." This is a common thought, because it makes sense. For the most part, that is true. I don't think you can trust most commercial anonymity services, nor should you. From what I've seen, all but two others stink right on the surface, no telling what goes on behind the counter. But that isn't what they are getting at. For some reason, people become suspicious when money is involved. Maybe they are thinking "If you'll take payment to protect me, will you take a little bit more to spy on me?" A valid concern, but let us step back.

Do you distrust a lawyer to defend your interests, because you pay them? Do you suspect a doctor of foul play, because there is a bill? Of course not. They are there to do their job. In fact I posit that they have more to lose because you are paying them. Their reputation is on the line, they have a duty to fulfill their obligation, and hopefully word gets around if they "rat you out". But again, such a statement begs the question, why does the bottom line get in the way of trust?

First let's examine the situation: Commercial anonymity networks, versus free anonymity networks. A free anonymity network is run by unknown individuals, who may or may not collude, may or may not be monitoring your exit-node traffic, and who owe you nothing. In fact, they give up their bandwidth, which could be generosity, or could be due to ulterior motives. They are inherently prone to attempts at spying, some traffic analysis, and have even been "theoretically" compromised by technical attacks such as the Sybil attack. I think a strong point they have is that they are difficult to observe, since there are 1000+ nodes in the Tor network. I2P has its own great things it can boast; I think their network is designed to be unobservable, but apparently isn't quite ready for the big time. When a subpoena is served or police show up, the user may get hassled, but they probably didn't keep logs, they aren't a single entity, and there is no guarantee of the target using that network again, even if you could track them. So in essence, the user's identity isn't known by the person who gets investigated.

Commercial anonymity networks would typically be run by a single entity. Most of them are run from the USA, which is itself a bad idea. By running, I mean the firm is incorporated, and the principal owner(s) reside, in the USA. The risk is to the corporation itself. This is because the hazardous jurisdiction may make the firm, or the principals who control the firm, come under pressure to violate their oath (promised or implied). A specific example is the situation where e-Gold had not only its assets confiscated, but the law firm that was supposed to protect the trust which held the assets also caved under governmental pressure, and finally the owners themselves live in the US. For all intents and purposes, it was a US company, despite its foreign registration. So we know the risk that a firm endures, but how does that transfer to the customer? Via moral hazard.

The moral hazard in this instance is the trust that the customer places in the firm. Due to asymmetric information, the firm is inherently subject to a dilemma:

"Do we immediately comply with requests for data about our customers, or do we protect them and investigate if the claim has merit, and say NO if it doesn't?"

For firms located in the US and the UK, the dilemma has a built in answer: They have no choice. Their assets will be seized and the people involved will be arrested and imprisoned for obstruction of "justice" or some other charge. There are very few who are willing to go to jail for what they believe in, especially for someone else they've never met. So they have a different dilemma:

"Do we keep doing business and hope nobody finds out we are spying on our customers, or do we close up shop?"

Unfortunately, they may not have a choice in this situation. They may feel compelled by the powers that be to keep operating as a honeypot for the agency to drop by and collect the flies that get stuck. Or, in the case of e-Gold, they openly and proactively worked with the FBI, without demanding proof that the customers involved were actual criminals. Of course, they do not have the prerogative to demand proof, as the governmental authority of that jurisdiction was involved. So this sort of situation could happen, or may already have happened, to many of the privacy providers located in risky jurisdictions. This bitter pill is sweetened by the fact that the firm under pressure can keep making money, and pretend that the horrible situation never happened. Such tactics are often used by police who pick up drug dealers, turn them, and get them to become informants. For e-Gold, it didn't turn out as well. They cooperated completely, and they were still pillaged and accused. The message should be clear to providers of controversial services: It is not in your long-term interest to cooperate; but people don't live day to day by long-term decisions.

So what is the solution to a bad situation? Don't get in that situation in the first place. Don't do business with poorly structured commercial anonymity services, especially those that operate out of legally risky jurisdictions such as USA, Canada, and the United Kingdom. If you are using them, stop. Even though you aren't doing anything illegal, by using their services you could be volunteering your data to observation and snooping. A little paranoid? Maybe. But I would rather err on the side of precaution, when nobody really knows what either hand is doing. What would I personally suggest? Investigate the anonymity services out there. Find out their reputation, and what jurisdiction they are formed in. Ask their customers what they think, and take it all with a grain of salt.

Steve

July 27, 2007

Online Privacy, Jurisdiction, & Hired Guns

I am pleased to be able to release the following information. In the last 6 years, none of our anonymity network management's clients have been arrested or killed, despite hundreds of investigations and inquiries. And provably, with documentation, in the last 12 months, despite over 50 subpoenas, investigations, raids, etc., not a single client has been compromised.

You should stop and ask yourself, "Why don't any of the other 'anonymity' services provide statistics about their customer protection? Do they even offer a guarantee of protection?" Actually, they don't. Not one other. You may be surprised to hear that when you use them, you only have privacy until someone inquires about you or wants to go on a fishing expedition; that you have no customer protection at all... especially if that company is in the US. It is hard for me to take any US or UK anonymity firm seriously, as they have good hopes of making lots of money, but no hope of protecting their customers (victims, really).

Do you wonder if you've been sold out, or would be? Why don't you have any assurance? That reminds me of one of my favorite quotations from Ronin: "Whenever there is any doubt, there is no doubt."

Some have tried to make extremely flimsy and ambiguous claims, but the fact is they are 100% subject to the increasingly popular "National Security Letters." Consider another fact: we operate out of high-privacy jurisdictions like Germany, and we still get lots of trouble from police and government. For their claim to be true, you would have to believe that in 12 years they've never been inquired about by any law enforcement agency. Alternatively, if they were served with NSLs, they would be under a gag order and you would get exactly some claim like that.

Another startling fact is that by default their software doesn't even encrypt user traffic; you have to manually set it to be encrypted! It is all available for any eavesdropper to observe. They've probably compromised their whole user base, or else are operating with the secret understanding that they never protected them at all, in order to justify such a delusion.

I'm trying not to write too malevolently, but a false sense of security is worse than an accurate sense that you have no security at all. What is being done by some of these 'services' and 'software providers' is nothing short of perfidy.

July 23, 2007

Anonymous Tech Support

I've been mulling over some implementation ideas: We don't know who our customers are, and we don't want to know. That's great, right? But that creates a small problem. What do you do when a customer writes and says "I lost my login name!" or "I want to upgrade"? In certain situations, you need to be able to piece the information together. And in certain situations you only want the situation to be pieced together by the right people.

So what I'm thinking is something pretty revolutionary. Besides anonymous tech support for paying clients, we could implement a type of shared secret. For example, the regular tech support folks may need to know the client's username. Either it is posted to us automatically, in encrypted form that only the techs can decrypt, or the user forces the post to us by ticking some box and perhaps entering their password, which we still have to decrypt. That way the user gets control over whether he wants to share his username. And the same can be implemented with the user's order ID, and if they are paying by Dalpay, their transaction ID. So would we want to stuff a transaction ID into an account, in some encrypted form? Currently there may be some way to brute force the transaction ID; I'll have to figure out the risks. Ooh, okay: 2 shared secrets, one between the client and tech support, one between the client and billing support. That should be the right thing, but again, is it elegant? That may be an HCI issue, but the security will have to be right first.

Lots of work to do before defcon. And more under-hood work to be done on the xB Machine. I'll contact Howard and tell him to jump on the blog and actually tell people what he is doing. I can see Florian registered (why?) but doesn't post.

-Steve

XeroBank keyservers, firewalls, and xBB 2.0.0.5a

Hello folks.

We are in the middle of upgrading security settings on keyservers and our firewalls, so it is causing a little bit of a delay. Specifically, those of you who are sniffing your own connections could see that the SSH keys were being rejected by the server. No worries, it is fixed.

In addition, I am informed that 2.0.0.5a has been pushed live, even though we are displaying 2.0.0.4a. I'll change that in a bit.

One thing that didn't get implemented in 2.0.0.5a, which mozilla pushed without any beta, was http/https routing past corporate firewalls/proxies for XeroBank Plus. We'll get to that with 2.0.0.5b probably in the next couple days, but it requires some on the fly PuTTY profile generation which is tricky.

Another security idea was that instead of relying on file-stored SSH host keys, we wipe them and regenerate them at every instance. So even if the user has somehow added a bad host key for an attacker, it gets destroyed when the xB Browser is restarted.

We are also working on a clever way of identifying our customers through support so we can help them if they need help on their account. I think it would work where they request help on something, and if it requires their username or order receipt, they enter in their password and it decrypts the username field so we can find out who they are. Yes, that's right, even our support is anonymized from us! I'm going to think about that for a bit, perhaps there is something even more elegant.
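One way to build the two-shared-secret scheme from the "Anonymous Tech Support" post together with the password-decrypts-username idea above, as an added example that is not XeroBank's code: the password is stretched client-side into two independent sub-keys, the username is sealed under the tech-support key and the transaction ID under the billing key, and the server stores only ciphertext, so support can open a field only when the user hands over that one sub-key, never the password. The field names, the HMAC-counter stream cipher and every sample value are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for this example

def _keystream(subkey: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a per-field stream cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(subkey, b"enc" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def seal(subkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one field as nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(subkey, nonce, len(plaintext))))
    tag = hmac.new(subkey, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(subkey: bytes, sealed: bytes) -> bytes:
    """Reverse of seal(); a wrong sub-key or a tampered record fails the tag check."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(subkey, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong sub-key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(subkey, nonce, len(ct))))

def subkeys(password: str, salt: bytes):
    """Client side: stretch the password, then split it into two independent
    sub-keys, one per support role; holding one reveals nothing about the other."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    tech = hmac.new(master, b"tech-support", hashlib.sha256).digest()
    billing = hmac.new(master, b"billing", hashlib.sha256).digest()
    return tech, billing

def create_account(password: str, username: str, transaction_id: str) -> dict:
    """What the server keeps: a salt and two sealed fields, no plaintext identity."""
    salt = os.urandom(16)
    tech, billing = subkeys(password, salt)
    return {"salt": salt,
            "username": seal(tech, username.encode()),
            "transaction_id": seal(billing, transaction_id.encode())}

def support_lookup(record: dict, shared_key: bytes, field: str) -> str:
    """Support side: opens only the field whose sub-key the user chose to share."""
    return unseal(shared_key, record[field]).decode()

if __name__ == "__main__":  # constructed sample data, not real XeroBank identifiers
    rec = create_account("correct horse battery", "xb-user-4471", "dalpay-0001")
    tech_key, _billing_key = subkeys("correct horse battery", rec["salt"])
    print(support_lookup(rec, tech_key, "username"))  # user shared tech_key only
```

Handing tech support the tech sub-key leaves the billing field unreadable to them, and a wrong password yields a sub-key that fails the tag check instead of decrypting garbage.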

Steve

July 19, 2007

More Privacy Upgrades

We've decided to create a special type of form that allows the public to contact support directly. However, this wouldn't be any old form posting to email. Instead it will be accessible via https only, and it would send us the message by key encryption, performed on the client side. All that travels to us is the encrypted message. Currently the support form on the page isn't working yet, but we are inspired by the HushMail forms. We'll check it out and keep you posted.

XeroBank 2.0.0.5a is coming today.

July 17, 2007

Credit or Debit? Vodafone scandal et al.

I've been discussing some design implementations with the web engineers. I was thinking it might be nice if users were able to credit and deplete their accounts, instead of paying a flat fee for access. This would allow users who don't use much to save, and bandwidth hogs to pay, instead of spreading the costs equally over the users. I suppose it is a pricing decision.

But the fun part is we could offer XeroBank dollars, and users could buy and sell them, with or without the help of xerobank. So that would add another layer of anonymity to the payment systems. Just fuel your account with XB dollars or whatever that you get from the gas station. Well, it is a good thought, but I doubt the market is there. Most people, I think, imagine that what they buy online is secure and anonymous as is. Oh well, we still want to give the best product possible.

On to more interesting news: did everyone hear about the Greek Vodafone scandal? Okay, get this: all major telecommunications systems have "legitimate" wiretapping functions built in. Cellular and landline. As did Vodafone. Well, someone hacked the system, and secretly wiretapped the heads of state, wives, politicians, and business folks. Who and for what purpose? We don't know; they got away with it. This is pretty scary stuff. So when the gov says "We need the capability of listening, but we promise we won't abuse the power" etc., your main worry isn't Alberto Gonzales and his ~30% nefarious purposes, but amazing hackers who can jigger the system for 100% nefarious purposes. So, insist on your privacy, and don't place it in the trust of the incompetent. Glad I'm doing all my VoIP through the xB network... Now if I could figure out how to do that with my cell phone... actually, the iPhone does VPN, but only PPTP. But PPTP is leaky, so I wonder if it could do L2TP, which should be a little better...

XeroBank for your iPhone, anyone?

July 16, 2007

New payment methods

Today we added another payment agent to XeroBank. This agent is in New Zealand, so servicing PNG, NZ, AU just got a lot faster.

We added the following payment methods: Western Union, MoneyGram, e-Gold, and eBullion. We will shortly be adding eCache, Pecunix, Loom, Wire Transfer, and PayPal. PayPal payments will only be accepted from verified users. I think Loom and eCache are going to be somewhat difficult. PayPal, however, if we can do it correctly, would be wonderful for automated payments. I'm not sure if the API can differentiate between verified and non-verified accounts though. We'll see.

I'm updating xB Browser to v2.0.0.5a, which should be released this Thursday.

July 12, 2007

xB Machine: all hail the new king of privacy tools

Wow. I just got my hands on the pre-release of xB Machine for Defcon from our engineers. This thing is amazing. I feel like Steve Jobs toting around an iPhone a few months ago.

It is beautiful. I loaded it up on my laptop, and it was nearly as fast and responsive as my actual computing environment. It connects to the Tor, XeroBank Plus, and XeroBank Pro networks, and will automatically configure itself for XeroBank service if you simply enter your id string.

I just connected wireless to XeroBank and pulled some downloads at 2500 kbps.

July 10, 2007

Germany's Politicians Hate Privacy

For those of you who are unaware, privacy-oriented websites and projects in Germany have started to shut down amid political, legal, and police pressure. One wonderful project, ROCKate, a Tor-based LiveCD, has been abandoned by its German author Benjamin Schieder. ROCKate allowed users to burn a copy of the CD and take it with them anywhere. From there, you can boot up directly into a Linux environment pre-configured to use the Tor network.

Benjamin is quoted thusly:
In response to a law that passed the German legislative today, I will cease
production, development and distribution of ROCKate binaries and - maybe -
even source code soon.
The reason is §202c StGB which states (IANAL translation):

"Producing, acquiring, selling, giving, distributing or making-accessible of
passwords or other access codes as well as computer programs whose aim it is
to commit a crime ... will be punished with up to one year in jail or a fine."

See also: http://www.phenoelit.de/202/202.html

Basically, these waters are too hot for me to tread in. Though the official
reading of the wall - reading from politicians that is - says that they only
target 'criminals' and there is no need to worry with the wording, nobody
knows when some underworked lawyer thinks he might go on to sue the ass off
of everyone in IT.

If someone wants to mirror/host/develop ROCKate further, be my guest. If you
need technical assistance, I can offer guidance, but I probably won't write
a single line of code anymore. Sorry.

Greetings,
Benjamin

What a sad situation to see the fruit of a prior privacy-haven dying on the vine.

It doesn't end there. More German Tor node operators are shutting down under the increasing pressures.

Hi,

I am a German TOR admin ("knuffel"). I am running a Mixmaster remailer too ("awxcxn").
Both were running on a dedicated root server.

Half a year ago I had my first trouble with the German BKA. The hoster of my
server got a letter from the BKA and closed my server without any respect to the law.
I contacted the press and a few days later the server was back and online.

A few months ago I got an anonymous tip that a telecommunication surveillance is/was
running against me and I am listed in a "known" database.

Over the last months, I tried to figure out what happened.
I contacted the data protection official of Germany for help.
Like me, he did not get any information because the prosecution
denied any information with the reason:

"Any information will compromise the security of Germany or one of its parts."
( § 19 Absatz 6 Bundesdatenschutzgesetz )

I compromise the security of Germany; seems I am a terrorist or something like that.
The anti-terrorism law in Germany is not a joke, nothing I want to feel myself.
I contacted a lawyer and he said, this is not a game, it is real!

Conclusion: The TOR node "knuffel" is down and will not come back.
Please remove it from the directory. All my contact addresses and online
identities related to this kind of stuff will be closed next time.

I have a German website with some stuff about anonymity. It will go
down in 2-3 weeks. Maybe some German guy wants to download and
save some of my work. I will prepare an offline version of the website:

http://www.anon-web.de

Greetings

Karsten N.

I have forwarded such news to Hacktivismo, and we have been discussing it.

Even the privacy-contemptuous Google has recognized there is a problem: http://halcy.de/past/2007/6/23/google_threatens_to_close_gmail/

There is actually a lawsuit and campaign to fight against the erosion of privacy. I suggest you check it out, especially if you are a Deutschlander:

http://www.vorratsdatenspeicherung.de/


July 9, 2007

xB Updates

We are releasing xB Machine at DefCon, but I'm informed it will be a development release. The result is that instead of it also running as a LiveCD, it will only run as a VM right now. No big deal just yet.

I've finished xB VPN and it is up and running. I'm still thinking of adding some more configuration options to it. For example, perhaps when it is first run it will autoconnect. That seems like the smart thing to do.

I've also been kicking around an idea of a network problem diagnoser for xB Browser / xB Mail. For example, some of our clients say "I can't connect" etc. etc. So we get them to run the debug and send the logs to us. But they don't send the right logs, or they send the wrong files. And then we need to know if it is a bad key, or a blocked network, or something requiring a proxy, or if the user is accessing their account from somewhere else. And well, that is an issue. I think I'll write something like that for xBB 2.0.0.5.

xB Mail is about ready for the beta testers, but I need to make sure the Tor network plays nice, since there are many who don't. Perhaps we should also add an interface to Mixmaster, which is an extremely high-latency anonymous remailer.

We finished testing the anonymity networks and products. I think the really outstanding ones, other than XeroBank, were COTSE (speed) and Anonymizer (Product). Anonymizer has a little bit further to go to make themselves bulletproof, but the use of DLL injection is something we should really evaluate. The stinkers... well there were quite a few.

July 8, 2007

Getting Ready for DefCon

For those of you who don't know, I'm giving a presentation on Portable Privacy at DefCon 15. So far I've put most of my slides together for DefCon and submitted them to Nikita. I've been talking to some of Hacktivismo about what we should put in the presentation. I've been thinking about having a comparison of the commercial anonymity services out there. We had run some tests, and the results were surprising. Many of them have gaping security holes which are constantly compromising the privacy of their users. Right now I've got an overview and comparison of the Tor network and the XeroBank network, now whether we expand that... I'll see if anyone wants to know more. Guess we'll let the cat out of the bag at DefCon!

Intro

Greetings, folks. We've had some demands for more public interaction, so we're here to talk about the privacy world, security issues, xB software development, and what is going on at xB.