Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
view the rest of the comments
Yeah, but it's open source, so so what? When people say this it seems like either cope to justify doing nothing, or some kind of ritual purity thing.
I'm reminded of the backdoor the NSA placed in OpenSSL.
I love open source everything, but open source doesn't just automatically mean "safer".
https://www.bbc.com/news/technology-24048343
But most people who looked at the NSA's backdoored encryption noticed it was sus and didn't use it (as I remember it, that was a decade ago). Per your link, at the time of publishing it was unclear if anyone was using the effected version.
Okay, sure. Open source doesn't mean completely safe, but if it's a well-known package it does mean much, much safer. Public public affiliations don't even say much about who authored whatever thing; here's a another near-miss that illustrates that - which is why this can feel more like ritual purity than an actual security argument.
So what should OP use?
Whether the software of these organisations was secure depended on how the algorithm had been used, Cambridge University cryptographic expert Richard Clayton told the BBC.
I wouldn't say it didn't affect anyone. And the thing about stuff like this is that this is just what has been found there likely exist many other things like this that won't be found for a long time if it all.
OP should still use open source, to be clear I never said they shouldn't.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn't true.
Obviously your security is much better on widely used open source software and programs than on proprietary stuff that isn't widely audited but it doesn't guarantee your safety and that's all I was pointing out.
Also to add to this, since the discussion is about TOR I think this line of conversation is even more warranted and not just some "ritualistic" thing like your edit on that original comment says. TOR is 80% funded directly by the State department.
Now, yes many talented software people are out there but the governments of the world have some of the best and it would be in all of their best interests not to disclose a vulnerability in something they could use against someone. You're either the USAs ally or someone that is against it, either of those options would make you not disclosing a vulnerability in your best interests.
So to automatically assume that software from a government that historically is against human and privacy rights is safe simply because it is open source is disingenuous.
That said, I still recommend TOR and I like it a lot. But I do not recommend trusting something simply because it is open source. Since this user wanted an in depth conversation on the topic I don't feel like its "ritualistic purity" to disclose all that I said above.
It isn't bad to be suspicious. If no one was, then open source wouldn't even matter because no one would be wary enough to check.
Post the next paragraph too.
Well, your comment implied that OP shouldn't trust Tor. OP should trust Tor at least as much as they trust their own device, which almost certainly has closed-source components I'd rather target if I was the NSA. (Or the Chinese, or...)
Except in-depth isn't what was offered. This reply appears all the time in regards to Tor, and it never comes with alternative suggestions. So yeah, I suspect something irrational is motivating it.
That excerpt still says it was deployed to all the businesses listed above it, though. So yes it was being used however those businesses used it.
And yes closed source components are inescapable (and also a potential threat) unless you use something that is GNU certified and I don't even think a lot of them can even run the current version of Tails but I havent researched it in awhile. Maybe could run Tor browser though but if my memory serves correctly even stuff that is GNU certified has some proprietary hardware in it.
But no, the irrationality here would be saying "because something is open source you should trust it automatically and ask no questions about it" which of course isn't what you said but you implied that because something is open source its automatically to be trusted. And that's not true.
I never said not to use TOR or implied that, I said (and you can look back at my comments and see) that just because something is open source doesn't automatically mean it is safe and trustworthy. And I don't think its irrational to say that.
This was all in response to someone pointing out that depending on what the person is using TOR for they should do more research about it and educate themselves on security of using it which is true.
Never just see open source and assume complete safety or trustworthiness. Which is something people who have never used TOR do all the time and why you see the points I made being brought up around the conversation constantly.
Open source doesn't guarantee complete safety, you should still take other steps in addition to using open source to better enhance your privacy and security. TOR is great and I think OP and others interested should use it, but you should never blindly trust something just because it is open source and used a lot. Vulnerabilities can happen all the time, if they didn't Tails wouldn't ever need updated at all.
Alternatives (that I wouldn't really recommend) do exist and since you mentioned how none were mentioned the two that come to mind first is i2p and Whonix although Whonix uses Tor routing but is an alternative to Tails I guess. Still wouldn't recommend them over Tails though.
It was in the OpenSSL (for example) as an option you could manually enable. Who knows if anyone actually did, given that everyone who knew enough to specifically ask also heard it was suspicious.