July 27, 2007

Online Privacy, Jurisdiction, & Hired Guns

I am pleased to be able to release the following information. In the last 6 years, none of our anonymity network management's clients have been arrested or killed despite hundreds of investigations and inquiries. And provably, with documentation, in the last 12 months despite over 50 subpoenas, investigations, raids, etc. not a single client has been compromised.

You should stop and ask yourself, "Why don't any of the other 'anonymity' services provide statistics about their customer protection? Do they even offer a guarantee of protection?" Actually, they don't. Not one other. You may be surprised to hear that when you use them, you only have privacy until someone inquires about you or wants to do a fishing expedition; that you have no customer protection at all... especially if that company is in the US. It is hard for me to take any US or UK anonymity firm seriously, as they have good hopes of making lots of money, but no hope to protect their victims customers.

Do you wonder if you've been sold out, or would be? Why don't you have any assurance? That reminds me of one of my favorite quotations from Ronin: "Whenever there is any doubt, there is no doubt."

Some have tried to make extremely flimsy and ambiguous claims, but the facts are they are 100% subject to the increasingly popular "National Security Letters." Consider another fact: we operate out of high-privacy jurisdictions like Germany, and we get lots of trouble from police and government. For their claim to be true, you would have to believe that in 12 years they've never been inquired about by any law agency. Alternatively, if they were served with NSLs, they would be under gag order and you would get some claim like that.

Another startling fact is that by default their software doesn't even encrypt user traffic; you have to manually set it to be encrypted! It is all available for any eavesdropper to observe. They've probably compromised their whole user-base, or else are operating with the secret understanding that they never protected them at all in order to justify such a delusion.

I'm trying to not write too malevolently, but a false sense of security is worse than an accurate sense that you have no security at all. What is being done by some of these 'services' and 'software providers' is nothing short of perfidy.

July 23, 2007

Anonymous Tech Support

I've been mulling over some implementation ideas: We don't know who our customers are, and we don't want to know. That's great, right? But that creates a small problem. What do you do when a customer writes and says "I lost my login name!" or how about "I want to upgrade"? In certain situations, you need to be able to piece the information together. And in certain situations you only want the situation to be pieced together by the right people.

So what I'm thinking is something pretty revolutionary. Besides anonymous tech support for paying clients, we could implement a type of shared secret. For example, the regular tech support folks may need to know the client's username. Either it is posted to us automatically, in encrypted form that only the techs can decrypt, or the user forces the post to us by ticking some box and perhaps entering in their password, which we still have to decrypt. That way the user gets control over whether he wants to share his username. And the same can be implemented with the user's order ID, and if they are paying by Dalpay, their transaction ID. So would we want to stuff a transaction ID into an account, in some encrypted form? Currently there may be some way to brute force the transaction ID, I'll have to figure out the risks. Ooh, okay 2 shared secrets, one between the client and the tech support, one between the client and billing support. That should be the right thing, but again, is it elegant? That may be an HCI issue, but the security will have to be right first.

Lots of work to do before DefCon. And more under-hood work to be done on the xB Machine. I'll contact Howard and tell him to jump on the blog and actually tell people what he is doing. I can see Florian registered (why?) but doesn't post.

-Steve

XeroBank keyservers, firewalls, and xBB 2.0.0.5a

Hello folks.

We are in the middle of upgrading security settings on keyservers and our firewalls, so it is causing a little bit of a delay. Specifically, for those of you who are sniffing your own connections, you can tell that the SSH keys were being rejected by the server. No worries, it is fixed.

In addition, I am informed that 2.0.0.5a has been pushed live, even though we are displaying 2.0.0.4a. I'll change that in a bit.

One thing that didn't get implemented in 2.0.0.5a, which Mozilla pushed without any beta, was http/https routing past corporate firewalls/proxies for XeroBank Plus. We'll get to that with 2.0.0.5b probably in the next couple days, but it requires some on-the-fly PuTTY profile generation which is tricky.

Another security idea was, instead of relying on file-stored SSH host keys, we wipe them and regenerate them at every instance. So even if the user has somehow added a bad host key for an attacker, it gets destroyed when the xB Browser is restarted.

We are also working on a clever way of identifying our customers through support so we can help them if they need help on their account. I think it would work where they request help on something, and if it requires their username or order receipt, they enter in their password and it decrypts the username field so we can find out who they are. Yes, that's right, even our support is anonymized from us! I'm going to think about that for a bit, perhaps there is something even more elegant.

Steve
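
A sketch of the password-unlocked account fields discussed in this post and in the "Anonymous Tech Support" post, as an added example and not XeroBank's code. It assumes Node.js's built-in `crypto` module, scrypt for key derivation and AES-256-GCM for sealing; the role labels, field names and sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// One key per support role, derived from the password with a role-specific
// salt, so unlocking a field for tech support opens nothing sealed for billing.
function roleKey(password, salt, role) {
  return crypto.scryptSync(password, Buffer.concat([salt, Buffer.from(role)]), 32);
}

// Seal one account field with AES-256-GCM. The field name is bound as AAD so
// a sealed value cannot be moved into a different field's slot unnoticed.
function sealField(key, name, value) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(name));
  const ct = Buffer.concat([c.update(value, 'utf8'), c.final()]);
  return { name, iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the record was altered.
function openField(key, sealed) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
    d.setAAD(Buffer.from(sealed.name));
    d.setAuthTag(sealed.tag);
    return Buffer.concat([d.update(sealed.ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample account: the service stores only the salt and sealed fields.
function demo() {
  const salt = crypto.randomBytes(16);
  const pw = 'correct horse battery staple'; // constructed sample password
  const account = {
    salt,
    username: sealField(roleKey(pw, salt, 'tech-support'), 'username', 'alice_xb'),
    txid: sealField(roleKey(pw, salt, 'billing'), 'txid', 'TX-0000-SAMPLE'),
  };
  // Tech-support ticket: the user types the password, the client derives only
  // the tech-support key, and only the username can be unlocked with it.
  const techKey = roleKey(pw, account.salt, 'tech-support');
  return {
    techSeesUsername: openField(techKey, account.username),
    techSeesTxid: openField(techKey, account.txid),
    wrongPassword: openField(roleKey('guess', account.salt, 'tech-support'), account.username),
  };
}
```

Because the GCM tag confirms a correct key, anyone holding the stored record can test password guesses offline, so the scrypt cost and the password's strength set the real level of protection.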

July 19, 2007

More Privacy Upgrades

We've decided to create a special type of form that allows the public to contact support directly. However, this wouldn't be any old form posting to email. Instead it will be accessible via https only, and it would send us the message by key encryption, performed on the client side. All that travels to us is the encrypted message. Currently the support form on the page isn't working yet, but we are inspired by the HushMail forms. We'll check it out and keep you posted.
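
The client-side encryption described above, as an added example rather than the XeroBank or HushMail implementation. It assumes a hybrid scheme (RSA-OAEP wrapping a one-time AES-256-GCM key) and uses Node.js's built-in `crypto` so it runs offline; a browser form would use the Web Crypto API instead, and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Support staff generate the key pair offline; only the public half is
// embedded in the HTTPS-served form page. (Constructed key for this example.)
function makeSupportKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Runs in the visitor's client: a fresh AES-256-GCM key encrypts the message,
// and RSA-OAEP wraps that key for support. Only this envelope is submitted.
function encryptForSupport(publicKey, message) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const aes = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([aes.update(message, 'utf8'), aes.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    key);
  const fields = { wrappedKey, iv, body, tag: aes.getAuthTag() };
  // Base64 so the envelope can travel as ordinary form fields.
  return Object.fromEntries(
    Object.entries(fields).map(([k, v]) => [k, v.toString('base64')]));
}

// Runs on the support workstation that holds the private key.
// Throws if the envelope was modified in transit or at rest.
function decryptAtSupport(privateKey, env) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    b(env.wrappedKey));
  const aes = crypto.createDecipheriv('aes-256-gcm', key, b(env.iv));
  aes.setAuthTag(b(env.tag));
  return Buffer.concat([aes.update(b(env.body)), aes.final()]).toString('utf8');
}

// The web server and mail relay only ever handle `envelope`.
function roundTrip(message) {
  const { publicKey, privateKey } = makeSupportKeys();
  const envelope = encryptForSupport(publicKey, message);
  return { envelope, recovered: decryptAtSupport(privateKey, envelope) };
}
```

The encryption script is delivered by the same server as the form, so the scheme protects the message from relays and stored mail but still depends on that server delivering unmodified code over HTTPS.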

XeroBank 2.0.0.5a is coming today.

July 17, 2007

Credit or Debit? Vodafone scandal et al.

I've been discussing some design implementations with the web engineers. I was thinking it might be nice if users were able to credit and deplete their accounts, instead of paying a flat fee for access. This would allow users who don't use much to save, and bandwidth hogs to pay, instead of spreading the costs equally over the users. I suppose it is a pricing decision.

But the fun part is we could offer XeroBank dollars, and users could buy and sell them, with or without the help of XeroBank. So that would add another layer of anonymity to the payment systems. Just fuel your account with XB dollars or whatever that you get from the gas station. Well, it is a good thought, but I doubt the market is there. Most people, I think, imagine that what they buy online is secure and anonymous as is. Oh well, we still want to give the best product possible.

On to more interesting news, did everyone hear about the Greek Vodafone scandal? Okay get this: all major telecommunications systems have "legitimate" wiretapping functions built in. Cellular and landline. As did Vodafone. Well, someone hacked the system, and secretly wiretapped the heads of state, wives, politicians, and business folks. Who and for what purpose? We don't know, they got away with it. This is pretty scary stuff. So when the gov says "We need the capability of listening, but we promise we won't abuse the power" etc, your main worry isn't Alberto Gonzales and his ~30% nefarious purposes, but amazing hackers who can jigger the system for 100% nefarious purposes. So, insist on your privacy, and not placing it in the trust of the incompetent. Glad I'm doing all my VoIP through xB network... Now if I could figure out how to do that with my cell phone... actually, the iPhone does VPN, but only PPTP. But PPTP is leaky, so I wonder if it could do L2TP, which should be a little better...

XeroBank for your iPhone, anyone?

July 16, 2007

New payment methods

Today we added another payment agent to XeroBank. This agent is in New Zealand, so servicing PNG, NZ, AU just got a lot faster.

We added the following payment methods: Western Union, MoneyGram, e-Gold, and eBullion. We will shortly be adding eCache, Pecunix, Loom, Wire Transfer, and PayPal. The PayPal payments will only be accepted through verified users. I think Loom and eCache are going to be somewhat difficult. PayPal, however, if we can do it correctly, would be wonderful to do automated payments. I'm not sure if the API can differentiate between verified and non-verified accounts though. We'll see.

I'm updating xB Browser to v2.0.0.5a which should be released this Thursday.

July 12, 2007

xB Machine: all hail the new king of privacy tools

Wow. I just got my hands on the pre-release of xB Machine for Defcon from our engineers. This thing is amazing. I feel like Steve Jobs toting around an iPhone a few months ago.

It is beautiful. I loaded it up on my laptop, and it was nearly as fast and responsive as my actual computing environment. It connects to Tor, XeroBank Plus, and XeroBank Pro network, and will automatically configure itself for XeroBank service if you simply enter in your id string.

I just connected wireless to XeroBank and pulled some downloads at 2500 kbps.

July 10, 2007

Germany's Politicians Hate Privacy

For those of you who are unaware, privacy-oriented websites and projects in Germany have started to shut down amid political, legal, and police pressure. One wonderful project, ROCKate, a Tor-based LiveCD, has been abandoned by its German author Benjamin Schieder. ROCKate allowed users to burn a copy of the CD and take it with them anywhere. From there, you can boot up directly to a Linux environment pre-configured to use the Tor network.

Benjamin is quoted thusly:
 In response to a law that passed the German legislative today, I will cease
production, development and distribution of ROCKate binaries and - maybe -
even source code soon.
The reason is §202c StGB which states (IANAL translation):

"Producing, acquiring, selling, giving, distributing or making-accessible of
passwords or other access codes as well as computer programs whose aim it is
to commit a crime ... will be punished with up to one year in jail or a fine."

See also: http://www.phenoelit.de/202/202.html

Basically, these waters are too hot for me to tread in. Though the official
reading of the wall - reading from politicians that is - says that they only
target 'criminals' and there is no need to worry with the wording, nobody
knows when some underworked lawyer thinks he might go on to sue the ass off
of everyone in IT.

If someone wants to mirror/host/develop ROCKate further, be my guest. If you
need technical assistance, I can offer guidance, but I probably won't write
a single line of code anymore. Sorry.

Greetings,
Benjamin

What a sad situation to see the fruit of a prior privacy-haven dying on the vine.

It doesn't end there. More German Tor node operators are shutting down under the increasing pressures.

 Hi,

I am a German TOR admin ("knuffel"). I have a mixmaster remailer running too ("awxcxn").
Both were running on a dedicated root server.

Half a year ago I had my first trouble with the German BKA. The hoster of my
server got a letter from the BKA and closed my server without any respect to the law.
I contacted the press and a few days later the server was back and online.

A few months ago I got an anonymous tip, a telecommunication surveillance is/was
running against me and I am listed in a "known" database.

Over the last months, I tried to figure out what happened.
I contacted the data protection official of Germany for help.
Like me, he did not get any information because the prosecution
denied any information with the reason:

"Any information will compromise the security of Germany or one of its parts."
( § 19 Absatz 6 Bundesdatenschutzgesetz )

I compromise the security of Germany, seems I am a terrorist or something like that.
The anti-terrorism law in Germany is not a joke, nothing I want to feel by myself.
I contacted a lawyer and he said, this is not a game, it is real!

Conclusion: The TOR node "knuffel" is down and will not come back.
Please remove it from the directory. All my contact addresses and online
identities related to this kind of stuff will be closed next time.

I have a German website with some stuff about anonymity. It will go
down in 2-3 weeks. Maybe some German guy wants to download and
save some of my work. I will prepare an offline version of the website:

http://www.anon-web.de

Greetings

Karsten N.

I have forwarded such news to Hacktivismo, and we have been discussing it.

Even the privacy-contemptuous Google has recognized there is a problem: http://halcy.de/past/2007/6/23/google_threatens_to_close_gmail/

There is actually a lawsuit and campaign to fight against the erosion of privacy. I suggest you check it out, especially if you are a Deutschlander:

http://www.vorratsdatenspeicherung.de/


July 9, 2007

xB Updates

We are releasing xB Machine at DefCon, but I'm informed it will be a development release. The result is that instead of it also running as a LiveCD, it will only run as a VM right now. No big deal just yet.

I've finished xB VPN and it is up and running. I'm still thinking of adding some more configuration options to it. For example, perhaps when it is first run it will autoconnect. That seems like the smart thing to do.

I've also been kicking around an idea of a network problem diagnoser for xB Browser / xB Mail. For example, some of our clients say "I can't connect" etc. etc. So we get them to run the debug and send the logs to us. But they don't send the right logs, or they send the wrong files. And then we need to know if it is a bad key, or a blocked network, or something requiring a proxy, or if the user is accessing their account from somewhere else. And well, that is an issue. I think I'll write something like that for xBB 2.0.0.5.

xB Mail is about ready for the beta testers, but I need to make sure the Tor network plays nice, since there are many who don't. Perhaps we should also add an interface to Mixmaster, which is an extremely high-latency anonymous remailer.

We finished testing the anonymity networks and products. I think the really outstanding ones, other than XeroBank, were COTSE (speed) and Anonymizer (Product). Anonymizer has a little bit further to go to make themselves bulletproof, but the use of DLL injection is something we should really evaluate. The stinkers... well there were quite a few.

July 8, 2007

Getting Ready for DefCon

For those of you who don't know, I'm giving a presentation on Portable Privacy at DefCon 15. So far I've put most of my slides together for DefCon and submitted them to Nikita. I've been talking to some of Hacktivismo about what we should put in the presentation. I've been thinking about having a comparison of the commercial anonymity services out there. We had run some tests, and the results were surprising. Many of them have gaping security holes which are constantly compromising the privacy of their users. Right now I've got an overview and comparison of the Tor network and the XeroBank network, now whether we expand that... I'll see if anyone wants to know more. Guess we'll let the cat out of the bag at DefCon!

Intro

Greetings, folks. We've had some demands for more public interaction, so we're here to talk about the privacy world, security issues, xB software development, and what is going on at xB.