> There's no way to know GCHQ/NSA aren't running 90%+ of bridges and exit relays
Yes there is. There are currently 857 exit nodes. The Tor Project only has to personally know who runs 86 of them to ensure that 90% of the exits are not run by the NSA.
In fact, since ~90% of traffic exits through the top ~260 relays, they'd only need to know 27 of the people who run those.
> The Tor Browser does not send misinformation; it just blocks.
No, it doesn't. TB sends all kinds of misinformation, from the user agent string (always reports itself as being its base version of Firefox running on 32-bit Windows 7) to rounding javascript timing functions to reduce the precision.
> A solution would probably be a browser where every version, on every platform reports the exact same things, always the same way.
> The Wire guys made very specific claims (where did they get the >$2M figure from ... and why would they simply invent such a figure).
Their court filing[0] says the license fee was "unspecified" and the $2 million figure was based on "information and belief" which is legal terminology used to dodge perjury[1]. If they had really been told that, they wouldn't be using terms that mean "I heard that from somewhere second-hand and think it might be true".
Most users haven't made a conscious choice to use Chrome. They install it accidentally by not unticking a checkbox[0] or because they are told it will make the Google work better[1].
Except they are. The F-Droid devs kept claiming they weren't. Moxie asked them to describe the system and surprise, surprise the keys are stored on a machine that is connected to a network that is connected to the internet. It turned out that the F-Droid devs didn't/don't understand the concept of stored offline vs online.
What? APKs are signed by the developer before they uploaded to the store and the signatures are verified by PackageManagerService which is a part of AOSP.
What does Play Services have to do with anything? APKs downloaded from the Play Store are signed by a key the developer holds and validated by Android's PackageManagerService which is open source.
Each device has its own key. Before a message is sent, the client grabs all the keys for each device associated with the account of the recipient, it then encrypts the message separately for each device and sends a separate encrypted copy for each device.
This scheme has various weaknesses, eg. a rogue key could be associated with someone's account without their knowledge, and anyone who sends this person messages will therefore be sending a copy encrypted with the rogue key.
I'm not seeing your point. A vulnerability was found in OpenSMTPD. That vulnerability could not be exploited on OpenBSD because there was no way to overflow the buffer without smashing the stack canary. If you had the same version of OpenSMTPD running on a generic Linux kernel or on Mac OS X, it was vulnerable. On OpenBSD it was not. Ergo, OpenSMTPD running on OpenBSD is more secure than OpenSMTPD running on other platforms that do not provide the same mitigations.
At least, that's the way I see it.
Now, are you saying that because it's possible to bypass the mitigations in some other cases, preventing that vulnerability (and others) doesn't matter?
Or, are you saying that it would be possible to craft an exploit that bypassed the stack protection for that particular vulnerability? In which case I would love to see your PoC.
People are testing the mitigations. For example Qualsys' audit of OpenSMTPD[0] noted that a buffer overflow they found was not exploitable on OpenBSD as even a single byte overflow would smash the stack canary.
> Yet, the mere fact that I see OpenBSD desktops in Google images running shoddy applications shows many OpenBSD users make similar tradeoffs to what you described of Linux camp.
Are these "shoddy applications" not more secure on OpenBSD due to the various mitigations applied to userland software?
You mean libel. Slander is spoken, libel is written.
The easy way to remember this distinction is to know that one of the most famous libel cases in history, nicknamed the "McLibel" case, concerned printed pamphlets.
It's not that much of a stretch to imagine that the reason the FBI are threatening to abduct her off the street and deny her the right to legal counsel is somehow related to her being a major Tor contributor.
uBlock hasn't been updated in almost a year. uBlock Origin is actively developed. uBlock has effectively had no significant changes or improvements since the uBlock Origin fork happened.