August 9, 2007

DefCon 15: A Review


So we just got back from DefCon. It was a pleasure, and I had a great time. We arrived after Bruce Schneier's talk, which I regret, but I got to see some others. I met up with some Cult of the Dead Cow members and took Roger Dingledine & his fiancée Rachel to a BBQ party. Roger is smart, a great speaker, and is well matched to Rachel. I ran into some old buddies just about everywhere I went. One thing I noticed about Vegas is that it appears to have very few banks, but very many $4 ATMs, which is unfortunate as I had some wire transfers to execute.

On the second day I was busy working on my presentation. At 7pm I took the stage and gave it; unfortunately the type from the print shop was so small I couldn't see my notes, and there was so much to cover that I didn't get it all out. Some of it got glazed over. I think what I will do is record the presentation for everyone who didn't get to see it, and do the full thing at my own pace, as we had only 45 minutes. Naturally, it will get posted online, here. All in all, however, I would say it went well. I played to a packed house of about 400 or 500 attendees, and we handed out lots of free XeroBank accounts. I really want to thank Myles Long for helping me out, and all those who showed up for the Q&A.

One great thing that happened was I heard about a party for Ninja Networks. Something else I heard from another attendee was that there is a puzzle called Caezar's Challenge, within the party. This party takes place every year, and is supposedly for the most elite (huh?). I ran into one guy from @stake, at a party at the Hilton. On the way out I asked him where the better parties were, and he handed me a badge for the Ninja Networks party, and told me the passphrase to get in. So we are back at the Riviera, and Kristin and I get into the party while a drove stand outside the velvet rope with tearful eyes. When I'm there I recognize a few faces, one of them from my local DC214 group. He informs me about the specific challenge and I read both parts of the challenge. What luck! I instantly knew answers to both the challenge questions, as they dealt with crypto-capitalism. So I located an inebriated Caezar, gave my answers, and he invited me to hang out in his pad in Seattle. Nice fellow.

Guess who I later notice at the party? Roger. At that point I asked him what he was up to, and I liked to imagine he showed up and chopped down the bouncers with his fist of fury, after giving telekinetic lobotomies to the zombie crowd dying to get in. Disappointingly, he informed me that he had wandered in using the authority of his Tor Project shirt. Ah well, we can have dreams, can't we? In mine, Roger Dingledine, Nick Mathewson, Paul Syverson, and Steven J Murdoch are all deadly ninja warriors, fighting for anonymity of the body, and privacy of the mind.

Well, this post has had very little to do with portable privacy. To give it some sense of legitimacy, I have been listening to the complaints of Jim Verard, and making changes to xB Browser to accommodate. So here is what is new in xBB 2.0.0.6a:

- search and destroy Yahoo Sign & Seal tracking data which compromises anonymity
- disable registry-based Firefox/Thunderbird Plug-ins
- dialog for XeroBank mutex shutdown should no longer destroy profile settings (fingers crossed)
- crippled the Mozilla updater system to prevent corruption and security vulnerabilities from update server spoofing

todo: the profile section needs to be reworked still. We should have soft settings in the user.js, and hard settings in the prefs.js. We have tried one and the other, but not both. I think that will be especially vital in the Tor network version.

12 comments:

Anonymous said...

Dear Steve,

I use your browser in Central-Europe and it is 90% okay with me.

I have recently read your latest posts. Let me leave you with a couple of remarks. As for German 'high privacy jurisdiction' I must partly disagree. German law can be more favourable to (some) human rights and internet privacy than American; do not forget, however, about some scandalous German events and phenomena.

First of all German authorities hindered access to many sites before - like Chinese. They even censored the possibility to locate certain sites via Google.

Then, in this so-called 'war on terror' they have some obscure cooperation with the USA - I'm not talking about the secret and illegal overseas CIA torture prisons - found in Poland and Romania for instance by the European Union - but in other cases.

Last but not least, do not forget the fact that freedom of speech is severely and juridically restricted in Germany - whatever your ideology or belief is - it is a fact. According to German law you can easily end up in jail for so-called holocaust denial (or dispute) or for a simple joke, like in times of the Spanish Inquisition. On the other hand you can deny God, family, the existence of the sun, anything you want except that thing mentioned above.

All in all I suggest you locate your company in Malaysia or somewhere in Asia. There is a sort of a choice. There are some democracies there, and there are less democratic or dictatorial countries, but one thing is for sure. Most of them - especially Malaysia or Singapore - will never extradite data to the American authorities.

Best regards,

Ivan

Steve Topletz said...

Ivan,

No worries about our incorporation. XeroBank is located in Nevis/St.Kitts, which is a very high privacy jurisdiction.

You are right regarding a lot of the social issues of Germany, but heretofore, they were relatively friendly in regards to push coming to shove regarding privacy issues. However, the winds are changing, most certainly. I've got that detailed in a post a few prior.

Malaysia is another interesting story. It has a delay of +200ms to their internet pipe before any transfer of data, which doesn't do it for us just yet. Singapore/Peninsular Malaysia is very full of cocktalk and gossip despite people being demanding of their own privacy. It would be worthwhile to investigate the political privacy climate. Perhaps we should start putting together a map of sorts.

Punkle Jones said...

Nice writeup Steve. I hope to hear your presentation in some form or other.

Anonymous said...

Can you give a date as to when the next version of xB-Browser will appear, considering both Firefox 2.0.0.5 and Tor 0.1.2.15 have security issues? I've taken to using Firefox 2.0.0.6 with the latest Tor & Privoxy & Vidalia bundle (0.1.2.16). It seems faster than using xB-Browser. But even with both Java and JavaScript turned off, I feel this setup is not 100% secure. Firstly, I haven't got 'NoScript' installed. Secondly, I do not fully trust Privoxy to prevent ALL DNS leaks. It does appear, according to my firewall logs, it is working? Thirdly, I am using the 'Proxysel', not the 'Torbutton' plugin. Opinion?

Steve Topletz said...

Sure. It is ready for download, I just don't think it has been published yet.

Click here for xB Browser 2.0.0.6a

xB Browser will actually be faster than the Vidalia pack because the browser component is optimized for the Tor network. Of course, what it all *really* depends on is your current circuit. But if sharing the same circuit, xB Browser would be faster than the Vidalia pack.

Regarding Proxysel, I would still suggest using Torbutton by Mike Perry. I am quite sure it is updated a lot more often than Proxysel is. It probably doesn't matter all that much, however, since switching proxies is a simple mechanism like a hammer.

Keep using xB Browser; your current Firefox setup can *easily* track you, even if you have full privacy settings turned on.

Anonymous said...

Great writeup, Steve. You said, "Keep using xB Browser, your current Firefox setup can *easily* track you, even if you have full privacy settings turned on." Could you perhaps be a little more explicit on this subject and tell us what the potential risks are? Secondly, what is the development schedule for xBMachine and what can we expect? The Pre-Release is good but somewhat buggy. Not from a security standpoint, but some things just don't work.

Steve Topletz said...

The potential risk, as I understand it, is that it *may* be possible for websites to set cookies in abnormal and non-volatile locations for later retrieval. Disturbing, something to look into.

Development schedule for xB Machine? Well, what we allowed for download is a development pre-release to provide proof of concept at a *very* high level. The rest of it is being worked on without a specific date. I imagine we will have the LiveCD aspect of it solved in a couple months, and in between then we will be changing around the interfaces, updating scripts, adding more applications.

What suggestions do you have about xB Machine, from a usage standpoint?

Anonymous said...

Hi Steve, I have some questions!

Why, every time I download xB and try to launch it, does firefox.exe try to do a DNS request at its first run? If I allow it (through my firewall), it works and doesn't ask for DNS again (the next times I start xB); if I deny it, it doesn't want to connect to any website.

I have just downloaded xb2.0.0.6a. When I try to check for updates for plug-ins, it automatically says "an error occur while trying to find updates for ..."

thx for the job, and thx to Tor developers.
greets

Steve Topletz said...

I try not to make a habit of doing tech support through this blog. I won't allow it to become a support area. But, seeing as the mailforms for sending in questions are not fully implemented, I'll answer this question.

1. Do you know what is in the initial DNS request you are seeing? What address/name is it requesting?

2. Updates via the browser have been crippled, as they are a threat to your privacy settings. Updates will be notified through a popup from now on.

Anonymous said...

Steve, thanks for the mention. Just a quick question. How may we update all the Firefox plugins available on XeroBank? I don't see any pop-up here. Do I need to go to the noscript.net website and download the new version manually?

I am glad to see there are new improvements. You're doing a good job.

Steve Topletz said...

Unless it is a critical security update, I wouldn't update the Add-ons, they've been known to break the browser sometimes. We automatically update and test them in each release. If you absolutely must update them, delete them from the profile and extract the .xpi (rename it to a zip) and place that folder back in the profile. The folder will be a long GUID string of alphanumerics and hyphens.

Anonymous said...

Steve, I tried to download NoScript on their website (noscript.net), and I now have version 1.1.6.12. XeroBank is available on your main website (xerobank.com) using the old 1.1.6.02 version.

I was afraid after this update, made manually, because after the first time, XB was not connecting to the internet, and Firefox was refusing connections. I think after the reset, the browser was not connected to the TOR.exe file. So, I reset XB again and it worked, and it is surfing the web the same way as before. I was afraid that this update could be messing with the browser, like the old times, but it was nothing in fact.

Perhaps this information about the updates being removed should be available in XB's tutorial.

P.S. Wow, now I see your last post. Thanks for the information! I didn't know that.