But most people who looked at the NSA’s backdoored encryption noticed it was sus and didn’t use it (as I remember it, that was a decade ago). Per your link, at the time of publishing it was unclear if anyone was using the effected version.
Okay, sure. Open source doesn’t mean completely safe, but if it’s a well-known package it does mean much, much safer. Public public affiliations don’t even say much about who authored whatever thing; here’s a another near-miss that illustrates that - which is why this can feel more like ritual purity than an actual security argument.
The algorithm has been included in the code libraries and software of major vendors and industry bodies, including Microsoft, Cisco Systems, RSA, Juniper, RIM for Blackberry, OpenSSL, McAfee, Samsung, Symantec, and Thales, according to Nist documentation, external.
Whether the software of these organisations was secure depended on how the algorithm had been used, Cambridge University cryptographic expert Richard Clayton told the BBC.
I wouldn’t say it didn’t affect anyone. And the thing about stuff like this is that this is just what has been found there likely exist many other things like this that won’t be found for a long time if it all.
OP should still use open source, to be clear I never said they shouldn’t.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn’t true.
Obviously your security is much better on widely used open source software and programs than on proprietary stuff that isn’t widely audited but it doesn’t guarantee your safety and that’s all I was pointing out.
Also to add to this, since the discussion is about TOR I think this line of conversation is even more warranted and not just some “ritualistic” thing like your edit on that original comment says. TOR is 80% funded directly by the State department.
Now, yes many talented software people are out there but the governments of the world have some of the best and it would be in all of their best interests not to disclose a vulnerability in something they could use against someone. You’re either the USAs ally or someone that is against it, either of those options would make you not disclosing a vulnerability in your best interests.
So to automatically assume that software from a government that historically is against human and privacy rights is safe simply because it is open source is disingenuous.
That said, I still recommend TOR and I like it a lot. But I do not recommend trusting something simply because it is open source. Since this user wanted an in depth conversation on the topic I don’t feel like its “ritualistic purity” to disclose all that I said above.
It isn’t bad to be suspicious. If no one was, then open source wouldn’t even matter because no one would be wary enough to check.
Moreover, the algorithm had been shown to be insecure in 2007 by Microsoft cryptographers Niels Ferguson and Dan Shumow, added Mr Clayton.
“Because the vulnerability was found some time ago, I’m not sure if anybody is using it,” he said.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn’t true.
Well, your comment implied that OP shouldn’t trust Tor. OP should trust Tor at least as much as they trust their own device, which almost certainly has closed-source components I’d rather target if I was the NSA. (Or the Chinese, or…)
Since this user wanted an in depth conversation on the topic I don’t feel like its “ritualistic purity” to disclose all that I said above.
Except in-depth isn’t what was offered. This reply appears all the time in regards to Tor, and it never comes with alternative suggestions. So yeah, I suspect something irrational is motivating it.
That excerpt still says it was deployed to all the businesses listed above it, though. So yes it was being used however those businesses used it.
And yes closed source components are inescapable (and also a potential threat) unless you use something that is GNU certified and I don’t even think a lot of them can even run the current version of Tails but I havent researched it in awhile. Maybe could run Tor browser though but if my memory serves correctly even stuff that is GNU certified has some proprietary hardware in it.
But no, the irrationality here would be saying “because something is open source you should trust it automatically and ask no questions about it” which of course isn’t what you said but you implied that because something is open source its automatically to be trusted. And that’s not true.
I never said not to use TOR or implied that, I said (and you can look back at my comments and see) that just because something is open source doesn’t automatically mean it is safe and trustworthy. And I don’t think its irrational to say that.
This was all in response to someone pointing out that depending on what the person is using TOR for they should do more research about it and educate themselves on security of using it which is true.
Never just see open source and assume complete safety or trustworthiness. Which is something people who have never used TOR do all the time and why you see the points I made being brought up around the conversation constantly.
Open source doesn’t guarantee complete safety, you should still take other steps in addition to using open source to better enhance your privacy and security. TOR is great and I think OP and others interested should use it, but you should never blindly trust something just because it is open source and used a lot. Vulnerabilities can happen all the time, if they didn’t Tails wouldn’t ever need updated at all.
Alternatives (that I wouldn’t really recommend) do exist and since you mentioned how none were mentioned the two that come to mind first is i2p and Whonix although Whonix uses Tor routing but is an alternative to Tails I guess. Still wouldn’t recommend them over Tails though.
I’m reminded of the backdoor the NSA placed in OpenSSL.
I love open source everything, but open source doesn’t just automatically mean “safer”.
https://www.bbc.com/news/technology-24048343
But most people who looked at the NSA’s backdoored encryption noticed it was sus and didn’t use it (as I remember it, that was a decade ago). Per your link, at the time of publishing it was unclear if anyone was using the effected version.
Okay, sure. Open source doesn’t mean completely safe, but if it’s a well-known package it does mean much, much safer. Public public affiliations don’t even say much about who authored whatever thing; here’s a another near-miss that illustrates that - which is why this can feel more like ritual purity than an actual security argument.
So what should OP use?
Whether the software of these organisations was secure depended on how the algorithm had been used, Cambridge University cryptographic expert Richard Clayton told the BBC.
I wouldn’t say it didn’t affect anyone. And the thing about stuff like this is that this is just what has been found there likely exist many other things like this that won’t be found for a long time if it all.
OP should still use open source, to be clear I never said they shouldn’t.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn’t true.
Obviously your security is much better on widely used open source software and programs than on proprietary stuff that isn’t widely audited but it doesn’t guarantee your safety and that’s all I was pointing out.
Also to add to this, since the discussion is about TOR I think this line of conversation is even more warranted and not just some “ritualistic” thing like your edit on that original comment says. TOR is 80% funded directly by the State department.
Now, yes many talented software people are out there but the governments of the world have some of the best and it would be in all of their best interests not to disclose a vulnerability in something they could use against someone. You’re either the USAs ally or someone that is against it, either of those options would make you not disclosing a vulnerability in your best interests.
So to automatically assume that software from a government that historically is against human and privacy rights is safe simply because it is open source is disingenuous.
That said, I still recommend TOR and I like it a lot. But I do not recommend trusting something simply because it is open source. Since this user wanted an in depth conversation on the topic I don’t feel like its “ritualistic purity” to disclose all that I said above.
It isn’t bad to be suspicious. If no one was, then open source wouldn’t even matter because no one would be wary enough to check.
Post the next paragraph too.
Well, your comment implied that OP shouldn’t trust Tor. OP should trust Tor at least as much as they trust their own device, which almost certainly has closed-source components I’d rather target if I was the NSA. (Or the Chinese, or…)
Except in-depth isn’t what was offered. This reply appears all the time in regards to Tor, and it never comes with alternative suggestions. So yeah, I suspect something irrational is motivating it.
That excerpt still says it was deployed to all the businesses listed above it, though. So yes it was being used however those businesses used it.
And yes closed source components are inescapable (and also a potential threat) unless you use something that is GNU certified and I don’t even think a lot of them can even run the current version of Tails but I havent researched it in awhile. Maybe could run Tor browser though but if my memory serves correctly even stuff that is GNU certified has some proprietary hardware in it.
But no, the irrationality here would be saying “because something is open source you should trust it automatically and ask no questions about it” which of course isn’t what you said but you implied that because something is open source its automatically to be trusted. And that’s not true.
I never said not to use TOR or implied that, I said (and you can look back at my comments and see) that just because something is open source doesn’t automatically mean it is safe and trustworthy. And I don’t think its irrational to say that.
This was all in response to someone pointing out that depending on what the person is using TOR for they should do more research about it and educate themselves on security of using it which is true.
Never just see open source and assume complete safety or trustworthiness. Which is something people who have never used TOR do all the time and why you see the points I made being brought up around the conversation constantly.
Open source doesn’t guarantee complete safety, you should still take other steps in addition to using open source to better enhance your privacy and security. TOR is great and I think OP and others interested should use it, but you should never blindly trust something just because it is open source and used a lot. Vulnerabilities can happen all the time, if they didn’t Tails wouldn’t ever need updated at all.
Alternatives (that I wouldn’t really recommend) do exist and since you mentioned how none were mentioned the two that come to mind first is i2p and Whonix although Whonix uses Tor routing but is an alternative to Tails I guess. Still wouldn’t recommend them over Tails though.