[bouncycastle]

I didn't mention anything about a browser.

Note that, for example, your isp can see whenever you are using tor or a VPN. From there, they can inspect the packets to work out what pastebin you have visited. Eg. simply by measuring how many bytes you have uploaded and then finding the paste and comparing the length of the paste with the number of uploaded bytes. (Just a basic example, there are more advanced methods). See https://witestlab.poly.edu/blog/de-anonymizing-tor-traffic-w...

[sudosysgen]

Yes.

This is why you don't actually post anything on pastebin yourself.

Rather, you SSH into a VPS (via multiple VPNs and Tor/I2P), then program the VPS to post your message to pastebin in a week.

And of course, you're not doing this from your home, you're doing this from the parking lot of a Starbucks in a car with tinted windows and fake plates, using a device with a spoofed MAC address.

There are many ways of pulling this off so that no one will ever be able to pin you down. You just need to pay attention to detail.

You're of course using some sort of obfuscated bridge too, so that packet sizes become meaningless.

[bouncycastle]

Allright, good point. I'll concede the argument - there's fairly decent anonymity for those who use a combination of tools and know how to operate them. It's still not 100% perfect, but good enough.

Some examples where it could go wrong: what if the VPS was a honeypot? What if the VPN logged everything? What if Tor or other piece of software they are using has a 0-day? The more complexity, the more chance for a bug or mistake... and so on...

[sudosysgen]

Yes, it's absolutely true that you must be very careful, and of course it's not 100% but it's 99.9999...% perfect.

That said, a VPN logging everything, or Tor being compromised, or the VPS being a honeypot wouldn't be enough to compromise you, you'd need all of them to be true simultaneously.