I don't agree with this statement from the article:

"This, and Tor's history of US government sponsorship, has led to a series of really embarrassing conspiracy theories from the likes of PandoDaily. This is why non-technical journalists should not write about technical subjects. If you're going to suggest that open-source software has dark ulterior vulnerabilities," you need to point at exactly where they are in the code (or deployment process), "or you will quite rightly be laughed out of the room. Funding and relationships are not unimportant - and I'm sure Pando will now write me off as part of the shadowy conspiracy, as Tor developer Jacob Appelbaum is an old friend - but it's the running code that actually matters. Sadly, non-engineers don't seem to understand this, or how laughably ridiculous they look as a result."

The author, Jon Evans, seems to imply this is a widely accepted standard, which is not my experience. It also doesn't seem realistic: while it's great that open source software's source code is available, it's not possible to review it all, much less to catch subtle exploits that might have been introduced by security agencies - we can't even catch many unintentional exploits. Also, we know from leaks that security agencies have tried and have succeeded at times. Realistically, it comes down to trust.

Think of it this way: how many HN readers, a sophisticated population, have reviewed Tor's code? How many feel they have no choice but to choose either to trust them or not? Also, how many open source projects have had security audits performed by anyone?