From 8788ddf6bcbad17a495582b916992a3d5d6a9bbe Mon Sep 17 00:00:00 2001 From: Miloslav Ciz Date: Wed, 8 Nov 2023 13:05:30 +0100 Subject: [PATCH] Update --- tor.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tor.md b/tor.md index 151304d..582217c 100644 --- a/tor.md +++ b/tor.md 
@@ -2,4 +2,8 @@ TODO -**Is Tor safe and really "private"?** HELL NO. It is "safer" and more "private" than clearweb/clearnet (if only for the [obscurity](obscurity.md)) AGAINST THE SMALL GUYS ONLY, like average server owners and tiny [ISP](isp.md)s, however the big guys (NSA/CIA/FBI/governments, [Google](google.md), [Facebook](facebook.md) etc.) can almost definitely get through -- consider how much of a [bloat](bloat.md) Tor and its browser are: did you alone go through the code, checked and tested there isn't a single exploitable line? Or did you just trust a promise of a website and your favorite content producers? (Heck it even has [autoupdates](autoupdate.md) now so they're just inserting you their code in real time now.) There most definitely is an exploitable line, and very likely more than one; if not by intention (it is EXTREMELY easy to sneak a malicious obfuscated line to a FOSS project; for a government or trillionaire corporation that's like a laughable amount of effort) then by pure statistics (even excellent code will have about 1 bug on 100 lines of code; if not in 100 then in 1000, 10000 or 100000). And if there is an exploitable line, you can bet your life they know about it -- do you think NSA won't put their greatest effort into searching for a way to infiltrate the biggest communication network of criminals, terrorists and other competition? This will be on top of every government intelligence service list, they will pour incredible amounts of resources into finding those lines, so you would be really crazy they don't know about them. So why don't they just go and bust all the bad guys selling drugs and CP on Tor? OK, does that question even need an answer? Do you think they will reveal this? The moment they do, everyone stops using Tor and they can no longer spy. 
They literally don't give a single shit about some harmless incels downloading illegal videos or making laughable amounts of pocket money selling marijuana, why would they give up their biggest weapon and spend great money and resources on busting a few horny neckbeards (there wouldn't even be enough space in jail for them lol)? They just want you to think it's safe to use so that you use it and they can spy on you. GOVERNMENTS AND CORPORATIONS LIKE GOOGLE LITERALLY SPONSOR TOR, they WANT YOU TO USE IT -- if you can't see what this means then there's likely not much hope in trying to explain anything. They will use the info they gather to bust the big guys who threaten national security, economic stability or whatever, without revealing how they did it of course. Also if they find you're using Tor you automatically get on their watchlist so it may actually be even less "safe" than vanilla clearnet with HTTPS. "BUTTT BUT IT OPEN SOARRRS EVERYONE CAN CHECK THE CODEEEEE" -- are you shitting yourself? Your "everyone" here means someone with excellent expertise AND tremendous resources that analysis of such a huge codebase requires, who is also willing to spend them -- how many entities like that are there in the world? A handful maybe, most of them exactly the mentioned bad guys like government and monster corporations, all of them rich capitalists, i.e. without any morals; now even if there is an independent entity of this kind and if such an entity does the insane, makes the investment and finds the exploit, do you think it will throw its investment out of the window for "public good", or does it try to profit from it by selling the knowledge to the highest bidder (or just staying silent about it)? Hmmm but if that's true, surely Tor developers also know it's futile, why are they even developing it? Because it's their living, they're sponsored, it's a pretty comfy job, they're just snake oil sellers who maybe even believe it works. 
Hmmm but wait, there are many good guy organizations who need security and will sponsor people to look for vulnerabilities. No -- any organization that really NEEDS a private conversation won't be dumb, it won't search for hyped things but something that's cheap and works, i.e. they will just use encrypted email or encrypted [snail mail](snail_mail.md) that flies under the radar easily and just works as long as math works. Some will sponsor Tor because it is still useful, e.g. it helps break some [censorship](censorship.md), but no one serious about privacy will rely on Tor. So nope, you're not safe with Tor. You are never safe under [capitalism](capitalism.md). Anyway, let this show you how futile any effort for "privacy" is in a shitty society -- the solution doesn't lie in increasing privacy and security, but in [unfucking society](less_retarded_society.md). \ No newline at end of file +## The BIG RANT: Is Tor Really Safe? + +start NOTE: I got some objections from people, keep in mind the rant below is not based on evidence but rather my own experience and what I think is the most reasonable thing to believe. + +**Is Tor safe and really "private"?** HELL NO. It is "safer" and more "private" than clearweb/clearnet (if only for the [obscurity](obscurity.md)) AGAINST THE SMALL GUYS ONLY, like average server owners and tiny [ISP](isp.md)s, however the big guys (NSA/CIA/FBI/governments, [Google](google.md), [Facebook](facebook.md) etc.) can most likely get through -- consider how much of a [bloat](bloat.md) Tor and Tor browser are (we have to mention that Tor router and Tor Browser are two different things): did you alone go through the code, checked and tested there isn't a single exploitable line? Or did you just trust a promise of a website and your favorite content producers? (Tor Browser now even has [autoupdates](autoupdate.md) so they're just inserting you their code in real time now.) 
There most definitely is an exploitable line, and very likely more than one; if not by intention (it is EXTREMELY easy to sneak a malicious obfuscated line to a FOSS project; for a government or trillionaire corporation that's like a laughable amount of effort) then by pure statistics (even excellent code will have about 1 bug on 100 lines of code; if not in 100 then in 1000, 10000 or 100000). You may prove the protocol to be safe but remember, security may be broken anywhere, not just the protocol: for example in interface code (in case of Tor Browser imagine they e.g. manage to turn your JavaScript on, then simply fingerprint you). And if there is an exploitable line, you can bet your life they know about it -- do you think NSA won't put their greatest effort into searching for a way to infiltrate the biggest communication network of criminals, terrorists and other competition? This will be on top of every government intelligence service list, they will pour incredible amounts of resources into finding those lines, so you would be really crazy they don't know about them. So why don't they just go and bust all the bad guys selling drugs and CP on Tor? OK, does that question even need an answer? Do you think they will reveal this? The moment they do, everyone stops using Tor and they can no longer spy. They literally don't give a single shit about some harmless incels downloading illegal videos or making laughable amounts of pocket money selling marijuana, why would they give up their biggest weapon and spend great money and resources on busting a few horny neckbeards (there wouldn't even be enough space in jail for them lol)? They just want you to think it's safe to use so that you use it and they can spy on you. GOVERNMENTS AND [CORPORATIONS](corporation.md) LIKE GOOGLE LITERALLY SPONSOR TOR, they WANT YOU TO USE IT -- if you can't see what this means then there's likely not much hope in trying to explain anything. 
They will use the info they gather to bust the big guys who threaten national security, economic stability or whatever, without revealing how they did it of course. They will let small black market exist so as to "prove" it's safe and so make it a nice honeypot -- they lost some money in economy, but it's an investment like any other. Also if they find you're using Tor you automatically get on their watchlist so it may actually be even less "safe" than vanilla clearnet with HTTPS. "BUTTT BUT IT OPEN SOARRRS EVERYONE CAN CHECK THE CODEEEEE" -- are you shitting yourself? Your "everyone" here means someone with excellent expertise AND tremendous resources that analysis of such a huge codebase requires, who is also willing to spend them -- how many entities like that are there in the world? A handful maybe, most of them exactly the mentioned bad guys like government and monster corporations, all of them rich capitalists, i.e. without any morals; now even if there is an independent entity of this kind and if such an entity does the insane, makes the investment and finds the exploit, do you think it will throw its investment out of the window for "public good", or does it try to profit from it by selling the knowledge to the highest bidder (or just staying silent about it)? Hmmm but if that's true, surely Tor developers also know it's futile, why are they even developing it? Because it's their living, they're sponsored, it's a pretty comfy job, they're just snake oil sellers who maybe even believe it works. Hmmm but wait, there are many good guy organizations who need security and will sponsor people to look for vulnerabilities. No -- any organization that really NEEDS a private conversation won't be dumb, it won't search for hyped things but something that's cheap and works, i.e. they will just use encrypted email or encrypted [snail mail](snail_mail.md) that flies under the radar easily and just works as long as math works. 
Some will sponsor Tor because it is still useful, e.g. it helps break some [censorship](censorship.md), but no one serious about privacy will rely on Tor. So really until proven otherwise (which probably can't be done) you can't rely on safety of Tor. You are never safe under [capitalism](capitalism.md). Anyway, let this show you how futile any effort for "privacy" is in a shitty society -- the solution doesn't lie in increasing privacy and security of course, but in [unfucking society](less_retarded_society.md). \ No newline at end of file
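Review bot: The added line "+start NOTE: I got some objections from people, ..." opens with a stray "start" that reads like a leftover marker; drop it so the line begins with "NOTE:". That note says the rant "is not based on evidence", yet the rewritten paragraph still states "There most definitely is an exploitable line" and "you can bet your life they know about it" as fact, and only one claim was softened ("can almost definitely get through" became "can most likely get through"); hedge those sentences the same way, or have the note name which claims are opinion. The new parenthetical separates the Tor router from Tor Browser, but the autoupdate remark and the added JavaScript/fingerprinting example concern Tor Browser only, while the "1 bug on 100 lines" argument is applied to both without a source, so each claim should say which component it is about. The sentence "so you would be really crazy they don't know about them" is carried over unchanged and is missing "to think". The new side of tor.md still ends with no newline at end of file, and the subject "Update" does not describe the change; a subject that mentions the new heading and disclaimer in tor.md would make the history searchable.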