WEBVTT

00:00.000 --> 00:06.680
So the Tor Project sent out a letter on May 29th that was full of deception and that's what we're

00:06.680 --> 00:13.120
talking about today. Why, who actually cares? Well, the actual issue is if you can't trust them to

00:13.120 --> 00:18.000
tell you the truth with a simple newsletter, then what can you actually trust them with?

00:18.580 --> 00:25.680
Now, for a bit of context, this will be my fourth video on this subject. However,

00:25.680 --> 00:31.720
this one will be pretty short compared to the other ones. And I've released three videos exposing

00:31.720 --> 00:38.400
the Tor Project's various failures, which was really unfortunate. The first was Tor

00:38.400 --> 00:44.000
Browser's latest update gets you fingerprinted, which is released April 22nd. And it showed

00:44.000 --> 00:50.260
basically via their own developer statements, their removal of OS spoofing protection. Two weeks

00:50.260 --> 00:57.640
later on May 6th, I released for 11 months Tor let users think that they were safe, which revealed

00:57.640 --> 01:05.840
the broken security slider. The third for nine years Tor ignored Princeton's proof. BGP attacks

01:05.840 --> 01:14.260
can unmask millions of users essentially showed their infrastructure vulnerabilities. And the

01:14.260 --> 01:23.020
fact that Princeton University had actually discussed mitigation techniques like nine years prior to that.

01:23.460 --> 01:30.600
Now, combined, these videos reached almost a quarter of a million viewers who really just

01:30.600 --> 01:37.780
deserve to know the truth. Now, let's actually pivot for a minute and go to the actual newsletter

01:37.780 --> 01:44.220
that I mentioned. Here, we can see that it says, don't worry, it's here to stay. There's been some

01:44.220 --> 01:51.560
online speculation and confusion around OS spoofing in Tor Browser as a result of Tor

01:51.560 --> 01:58.900
Browser's latest stable release. Let's be clear, OS spoofing has never gone away, and it is here

01:58.900 --> 02:06.740
to stay. So let's address each deception individually. And I'll start with the most

02:06.740 --> 02:12.740
vague and then get to the actual serious lie addressing the kind of nonsensical and

02:14.020 --> 02:21.460
propagandist citation of online speculation and confusion. There was no speculation.

02:22.220 --> 02:28.780
Nor was there any real confusion. Like many of you already know this, because in those three

02:28.780 --> 02:36.680
videos, 2,316 of you actually commented, here's the actual speculation, their developer stating,

02:37.300 --> 02:44.440
we turn off spoofing OS. And here's the confusion part, their actual developer stating, remove

02:44.440 --> 02:50.220
the relevant machinery from Firefox altogether. They're basically calling their own documentation

02:50.220 --> 02:56.060
decision speculation. Outright lie: you can find where they say OS spoofing has never gone

02:56.060 --> 03:01.700
anywhere. Developer documentation actually proves they removed it entirely. Like this isn't even

03:01.700 --> 03:09.040
a question. Like, this is a direct lie to users who actually trust them. Lastly, they say here to

03:09.040 --> 03:18.320
stay when they actually removed the code in April of 2025. One month later, they claim that it's

03:18.320 --> 03:24.320
here to stay. The code is gone. It's like the feature is gone. Now, that's not me

03:24.320 --> 03:30.200
guessing that it's gone. Their own developers explicitly documented actually removing it. On

03:30.200 --> 03:39.760
October 2024, developer Thornton opens issue 43170 stating privacy resistant fingerprinting spoofing

03:39.760 --> 03:46.440
user agent headers should be false in Tor Browser 14 plus. The original intent of

03:47.140 --> 03:54.240
42647 was that we turn off spoofing OS. Did you catch that one? Turn off spoofing OS.

03:54.940 --> 04:01.820
That's their words, right? This not improve or modify, it's turn off. And when you turn

04:01.820 --> 04:08.540
off the light, is the light still there? I think so. In April of 2025, developer Morgan

04:08.540 --> 04:17.680
implemented the removal in issue 43189 when he said with 43170 we're no longer spoofing user

04:17.680 --> 04:23.100
agents in any of our browsers. We can therefore remove the relevant machinery from Firefox

04:23.100 --> 04:31.160
altogether. Now, to be clear, they stopped faking the operating system part of the user agent

04:31.160 --> 04:37.820
where everyone used to appear as a Windows user. Now your real OS actually shows through.

04:37.820 --> 04:44.540
And we'll cover more detail in this in a minute, but like Morgan basically confirms that they

04:44.540 --> 04:50.280
removed the entire machinery that made this protection even possible to begin with. This

04:50.280 --> 04:56.860
would actually proves their actual deception. Developer Pierre admits privacy resist fingerprint

04:56.860 --> 05:03.220
spoof OS and user agent handler is still in our prefs file, even though we've ripped

05:03.220 --> 05:14.880
out the code. They left a setting that does nothing like I is leaving a light switch on

05:14.880 --> 05:20.920
like the wall after removing the wiring. Users might flip that switch thinking they're protected,

05:21.120 --> 05:28.760
but nothing actually happens. It's a dummy switch, right? The protection is completely

05:28.760 --> 05:35.320
gone even though the illusion remains and the newsletter continues with calculated

05:35.320 --> 05:43.800
misdirection. I might add when it says Tor Browser has always limited user agents to general

05:43.800 --> 05:54.220
categories: Windows, macOS, Linux or Android in JavaScript and Windows or Android in HTTP headers.

05:54.220 --> 06:01.780
That means we spoof the OS version and architecture, which was always the approach in JavaScript.

06:02.620 --> 06:09.900
Now it's consistent in HTTP headers too. Okay, so let's decode this harmonization lie. Here's

06:09.900 --> 06:16.660
what actually happened before their change. There were two ways that websites could actually

06:17.150 --> 06:23.380
detect your operating system, mainly one was through JavaScript when enabled,

06:24.020 --> 06:31.320
which could see your real OS and through HTTP headers, the basic information your browser sends

06:31.320 --> 06:41.260
to every single website, which Tor spoofed to show everyone as a Windows user, right? So this

06:41.260 --> 06:48.820
meant if you disable JavaScript, say for security, which most people want security do, you were protected

06:48.820 --> 06:57.720
and the HTTP headers still hid your real OS. Everyone looked like a Windows user in the

06:57.720 --> 07:05.960
server logs and they removed that protection and now HTTP headers reveal your real operating system

07:05.960 --> 07:12.240
just like JavaScript does. If you're on Linux, the server sees Linux. If you're on Mac, the server

07:12.240 --> 07:18.180
sees Mac and they took away the protection that basically mattered the most and the one that worked

07:18.180 --> 07:24.960
when users did everything right and called it harmonization. Now to be fair, look at different

07:24.960 --> 07:30.160
sides of this argument, they'll probably argue like their defenders at privacy guides did

07:30.160 --> 07:37.940
that CSS could detect your OS anyways, but that's nonsense. CSS based OS detection

07:38.680 --> 07:46.100
is speculative at best and pretty much hit or miss guesswork based on things like scroll bar OS,

07:46.720 --> 07:54.200
like HTTP headers are precise, right? Permanent records that actually say this user runs Linux

07:54.900 --> 07:58.540
like almost definitively, right? Now there's a massive difference between

07:58.540 --> 08:04.960
maybe we can guess your OS through some CSS tricks that might or might not work and

08:05.520 --> 08:11.820
your OS is permanently logged in plain text on every server you visit every time you visit it.

08:12.300 --> 08:19.180
They know this. They removed the protection anyways because they wanted to. They basically

08:19.180 --> 08:26.440
redefined OS spoofing to hide what they actually did and again remember previously

08:27.080 --> 08:35.000
OS spoofing meant all users all users appeared as Windows regardless of the actual operating system.

08:35.360 --> 08:41.640
That's what provided the anonymity and made it hard to be fingerprinted. Everyone looked identical

08:41.640 --> 08:47.940
and everyone had the same fingerprint. It made them like obviously harder to fingerprint.

08:48.540 --> 08:56.900
So they're calling version spoofing now OS spoofing like version spoofing hides whether you're on

08:56.900 --> 09:04.840
Windows 10 or Windows 11 OS spoofing hid whether you were Windows user Linux user or Mac and the

09:04.840 --> 09:10.340
entirety of the OS. These are fundamentally different protections that we're actually talking

09:10.340 --> 09:15.720
about and before their change again server logs showed everyone as a Windows user. I really

09:15.720 --> 09:20.900
want to emphasize that and I know I'm being that dead horse but it's important after the change

09:20.900 --> 09:28.160
Linux users showed as Linux, Mac users showed as Mac, they fragmented the anonymity set and

09:28.160 --> 09:35.480
then they lied about it and that's my beef like so now like watch they'll try to defend this

09:35.480 --> 09:42.260
with some like technicality in between like their panhandling posts that they make where

09:42.260 --> 09:48.360
they beg for tens of thousands of dollars they'll say the preference still exists in the about:config

09:48.900 --> 09:55.680
sure a dead preference that does nothing because they ripped out the code their words their developers

09:55.680 --> 10:04.600
words they claim they're still doing OS spoofing because they hide the version numbers like I mean

10:04.600 --> 10:09.060
that's like saying that you're wearing a disguise because you put on clown shoes

10:09.060 --> 10:16.540
but nothing else it's laughably stupid they'll argue that JavaScript already revealed your OS

10:16.540 --> 10:23.120
anyways so what with JavaScript disabled which security conscious users do

10:23.700 --> 10:31.040
HTTP headers were the kind of last line of defense and now that's gone too so

10:31.040 --> 10:37.700
server logs permanently record your real OS and this might seem like some kind of little detail

10:37.700 --> 10:42.520
but ask any serious investigator if they care about a piece of identifying information

10:42.520 --> 10:50.420
that adds uniqueness to the target and they'll point to their September 2024 blog post as proof

10:50.420 --> 10:57.080
that they actually announced it they had a passing singular mention in an alpha release blog

10:57.080 --> 11:03.200
that nobody reads and this was in my opinion for plausible deniability I can't actually

11:03.200 --> 11:09.260
state that but that's my contention these developers making six figures couldn't tweet about

11:09.260 --> 11:16.720
removing a core privacy feature nor could the marketing team apparently but they can beg

11:16.720 --> 11:22.280
continually on social media for you to fund them when the feds are not giving them millions of

11:22.280 --> 11:28.160
dollars now when confronted in the comments of the first video that I put out there

11:28.160 --> 11:35.280
they claimed that proposals for this change were introduced in September of 2024 with the Tor Browser

11:35.280 --> 11:42.800
14.0a4 release calling on the Tor community to provide feedback we received very little feedback

11:42.800 --> 11:49.540
and implemented the change they buried the change in the alpha release notes in GitLab tickets

11:49.540 --> 11:55.680
and then blamed users for not actually finding it and this goes you'll be odd reading terms

11:55.680 --> 12:02.720
of service agreement or even release notes and none of that anyone actually reads like we both know

12:02.720 --> 12:11.680
that they legit expected people to go to their GitLab and read developer conversations thousands of

12:11.680 --> 12:17.500
pages to know what's actually going on when they post regularly on multiple social media accounts the

12:17.500 --> 12:25.420
real agenda appears in thorn's own words from issue 43170 we are meant to discourage users

12:25.420 --> 12:32.260
from changing settings in the about:config by adding a switch you are allowing entropy to increase

12:32.780 --> 12:40.300
which is antithetical to the mission my intent and has been for years is not to spoof the OS in

12:40.300 --> 12:47.340
Linux Mac not to add a pref for users to fiddle with right they view user choice is

12:47.340 --> 12:52.820
antithetical to their mission is what they're telling you they don't want users to have preferences to

12:52.820 --> 12:59.520
fiddle with how like not allowing people to modify settings in a browser that those same people

12:59.520 --> 13:06.580
fund like if you're a U.S. citizen anyway and pay taxes you're a donor that's what it is

13:07.240 --> 13:12.200
or if you're a donor from another country you're still paying for it like keep in mind the guy that's

13:12.200 --> 13:18.000
actually saying this makes well over a hundred thousand dollars a year to do this job and

13:18.000 --> 13:23.500
works to the comfort of his own home and here you can see an ad for developer position and this

13:23.500 --> 13:29.580
is an entry level position it seems like so most likely the devs devs that are actually talking

13:29.580 --> 13:35.420
about taking away user choice and make a lot more money anyway another developer actually

13:35.420 --> 13:41.340
warned about the consequences before implementation saying that my concern is passive fingerprinting

13:41.340 --> 13:47.880
in case of server seizure the server logs can reveal more information about the user to the

13:47.880 --> 13:53.380
adversary no one answered them they just left them on scene when markets get seized or hidden

13:53.380 --> 14:00.440
services get compromised that data absolutely helps identify users privacy guides tried

14:00.440 --> 14:06.480
chirping in and and running damage control for the Tor Project claiming that

14:06.480 --> 14:12.320
there's still spoofing going on it's just four different buckets instead of one

14:13.320 --> 14:20.560
four means segregation not spoofing so before there was one group everyone appeared as being

14:20.560 --> 14:26.880
on Windows and after it's four groups so clearly labeled by OS like they're categorizing

14:26.880 --> 14:33.540
users instead of protecting them which was my point like they also claimed with Privacy Guides I mean

14:33.540 --> 14:42.040
that HTTPS prevents the issue and HTTPS prevents network interception sure but not server logging

14:42.040 --> 14:50.300
moron like when servers get seized logs contain OS fingerprints regardless of HTTPS

14:50.300 --> 15:00.820
as but like here's what actually makes this excuse so pathetic most onion sites run HTTP

15:00.820 --> 15:09.880
not HTTPS and don't answer this but how many people do you know that download Tor Browser

15:10.430 --> 15:17.390
to watch YouTube videos or make a Reddit account considering the fact you can't it's

15:17.390 --> 15:23.110
be a lot right so and I mean the latter if we're on Jeopardy what is your Tor hidden services

15:23.770 --> 15:29.050
right like did they forget that onion sites actually exist you're downloading the Tor

15:29.050 --> 15:33.870
browser what are those access okay like let's put that to the side for a minute we'll just

15:33.870 --> 15:39.910
forget about it they didn't need HTTPS because Tor already provides end-to-end encryption

15:40.660 --> 15:48.890
to hidden services right so their HTTPS solves this argument is completely meaningless

15:49.680 --> 15:58.090
though it's nonsense so for the very services where anonymity matters most dark net markets

15:58.090 --> 16:05.210
whistleblower sites hidden services right Privacy Guides absolutely knows this but spread

16:05.210 --> 16:10.950
this nonsensical misinformation and this isn't their actual first time trying to pull this

16:10.950 --> 16:18.410
kind of nonsense either in June of 2024 GrapheneOS actually had to call out Privacy Guides leader

16:18.410 --> 16:24.930
for spreading lies about their product claiming they marketed to criminals GrapheneOS called it

16:24.930 --> 16:31.890
a thoroughly dishonest attempt to harm them seems Privacy Guides has a pattern of attacking

16:31.890 --> 16:37.630
actual privacy products while defending those who do things like remove privacy features

16:37.630 --> 16:45.670
okay so we move on right but look at who Tor thanks in their newsletter on a related note

16:45.670 --> 16:52.310
we'd like to thank Privacy Guides for spearheading a productive discussion around a flaw in Tor

16:52.310 --> 17:00.490
Browser security slider Privacy Guides the same nonprofit that defended Tor OS spoofing

17:00.490 --> 17:09.410
removal saying that classification was spoofing can't make this up in the video comments claiming

17:09.410 --> 17:17.890
that quote the risk for people on niche OSes has not significantly changed when it absolutely did

17:18.530 --> 17:25.490
like my security slider video reached 68,000 people and almost 900 of you actually commented

17:25.490 --> 17:31.330
exposing this kind of 11 month vulnerability that existed and of course they didn't want to

17:31.330 --> 17:38.170
say they didn't want to talk about this channel in the newsletter but they definitely wanted to

17:38.170 --> 17:44.190
thank their defenders but both organizations and nonprofits I get it dude three videos later with

17:45.270 --> 17:52.230
239,000 views combined views anyways and over 2300 comments they can't really claim

17:52.230 --> 17:59.150
ignorance anymore though 68 users responded directly to their pinned comment in that first

17:59.150 --> 18:04.130
video and the Tor Project never bothered to respond to a single one instead they posted

18:04.130 --> 18:10.270
damage control and basically ran away the timeline really shows everything October of 2024

18:10.270 --> 18:17.090
they made the decision to remove OS spoofing April of 2025 there was implementation and

18:17.090 --> 18:27.150
code removal and then April 22nd of 2025 was my first video exposing their change and May 29th

18:27.150 --> 18:34.190
of 2025 was the newsletter that was actually lying about it so seven months after deciding to remove

18:34.190 --> 18:41.290
it one month after implementing it and five weeks after getting exposed they sent a newsletter

18:41.290 --> 18:47.710
claiming it was never removed they literally state OS spoofing has never gone anywhere

18:48.250 --> 18:55.130
while their developers documented removing it entirely which you saw they claim it's here to stay

18:55.130 --> 19:03.430
after ripping it out the Tor Project deliberately deceived users rather than

19:03.430 --> 19:08.530
just admit what they did they removed privacy features then they lied about it in an official

19:08.530 --> 19:16.670
communication my advice would be to stop donating to projects that lie about their actions

19:17.030 --> 19:25.150
stop trusting newsletters that contradict developer documentation stop believing organizations

19:25.150 --> 19:32.070
that treat user choice as a threat the newsletter proves that they'll rather deceive users

19:32.070 --> 19:39.170
than actually tell the truth about anything so as always thanks for watching to the end

19:39.170 --> 19:40.370
and I'll see you the next video

