Search Mailing List Archives
[liberationtech] Fwd: Haystack
katrin at mobileactive.org
Wed Aug 18 11:14:07 PDT 2010
I strongly disagree. So long as the code is obfuscated and Austin
Heap refuses to provide technical details to hackers who know their
stuff (which he is doing in recent email), have to assume that
Haystack does not exist. Shut up and ship, as John Graham Cummings
On Aug 18, 2010, at 1:18 AM, Jim Youll wrote:
> I'm sorry to hear that they're deliberately hiding their methods.
> The only reasonable assumption in an adversarial situation is that
> the opposition knows your methods. Good crypto isn't about secret
> methods - it's open and peer reviewed. And this is not just about
> suppression - it's about people working in complete safety, gaining
> the trust of those who are not, and maybe getting those trusting
> others killed, tortured, imprisoned...
> IMO the built-in problem is that a "huge, industrial strength"
> response (i.e. in proportion to the scope of the problem and the
> capabilities of the other side) may be the obvious way to go, but
> this creates a proportionally larger attack surface and
> vulnerabilities that increase perhaps exponentially as the
> solution's complexity grows. Analysis of complex systems is well
> within the reach of government actors. Do-gooder, on the other hand,
> can scale up a few steps and that's it. Spy vs. spy is fun for both
> parties, when two adversaries are well-matched (US vs USSR). It's
> not so much for one, when relative strengths are asymmetrical.
> Side note - to protect people. the stuff that's supposed to be
> secret has to stay secret for a really long time. That's much harder
> than, say, e-commerce-style security where the goal is merely to
> assuring that a message makes it from here to there, and not caring
> if it's readable a few years (or in some cases a few minutes) from
> On Aug 17, 2010, at 7:30 PM, Sky (Jim Schuyler) wrote:
>> I know Austin "casually" because of common connections and
>> concerns, am trying to meet with him soon here in San Francisco,
>> and will see what insight I can get into their method. Yes, they
>> have not talked about the method. I do not currently know how
>> they're obfuscating the traffic. And I also doubt they'll tell
>> anyone very much about it.
>> I would also suspect their tech is being vetted - just because of
>> the calibre of people who are interested in it.
>> I have some ideas about what they might be doing, and it's
>> speculation based on what I know is going on in the field, and not
>> on specific knowledge of how Haystack works. I wouldn't do it
>> exactly the way they describe it, and I'm guessing that they're not
>> doing it exactly the way they're describing it either. They only
>> said it would -appear to be- a proxy to the user - not that they
>> are actually using proxies in the same way they've been used in the
>> past. That would be too obvious and too easy to suppress.
>> Let me also just comment on the nature and size of online problems
>> and attacks that I have seen recently being addressed in the NGO,
>> free speech and human rights areas. The attacks are huge. The
>> resources arrayed -against- NGOs and other entities are huge. And
>> so the response (or circumvention) has to be industrial strength as
>> well. We are going to see these larger, concerted, responses
>> surfacing increasingly this year and next.
>> On Aug 17, 2010, at 12:18 PM, Jim Youll wrote:
>>> Concerns aired in this discussion from another list has relevance
>>> to the
>>> "safe communications for journalists/activists" conversation that
>>> here recently...
>>> the message here seems to be wary of Haystack and other
>>> technologies that
>>> have not been analyzed for security exposures by people who know
>>> what they're talking about.
>>> Begin forwarded message:
>>>> From: Steve Weis <steveweis at gmail.com>
>>>> Date: August 17, 2010 11:46:54 AM PDT
>>>> To: Jerry Leichter <leichter at lrw.com>
>>>> Cc: "cryptography at metzdowd.com List" <cryptography at metzdowd.com>
>>>> Subject: Re: Haystack
>>>> I sent an email asking for technical information several months ago
>>>> and did not receive a response. The FAQ says "the Haystack client
>>>> connects to our servers which in turn talk to websites on behalf of
>>>> our users" and "from a user's point of view, Haystack appears to
>>>> be a
>>>> normal HTTP proxy". There is no binary or source available for
>>>> download and the FAQ says "revealing the source code at this time
>>>> would only aide the authorities in blocking Haystack".
>>>> Based on those statements, I'm going to speculate that the client
>>>> connects to a static list of innocuous-looking proxies and that
>>>> are relying on keeping those proxies secret. If those servers were
>>>> known to an authority, it would be trivial to block. I think that
>>>> why they're making the unrealistic assumption that an authority
>>>> not be able to reverse engineer or even monitor traffic from a
>>>> On Tue, Aug 17, 2010 at 12:57 AM, Jerry Leichter
>>>> <leichter at lrw.com> wrote:
>>>>> The mainstream press is full of discussion for a new program,
>>>>> developed by a guy name Austin Heap and sponsored by the
>>>>> Censorship Research
>>>>> Center as a new kind of secure proxy. See
>>>>> http://www.haystacknetwork.com/faq/ for some information.
>>>>> As described, the program relies on some kind of steganography
>>>>> to hide
>>>>> encrypted connections inside of connections to "approved"
>>>>> sites. It was
>>>>> specifically designed to help Iranian dissidents maintain
>>>>> connections in the
>>>>> face of active government efforts to locate and block proxies
>>>>> and Tor entry
>>>>> and exit nodes.
>>>>> A Google search reveals absolutely no technical information
>>>>> about exactly
>>>>> what Haystack does or now it does it. The program is available
>>>>> on multiple
>>>>> platforms but is closed source - the FAQ linked to above
>>>>> discusses this,
>>>>> citing fears that making the source available would help censors.
>>>>> Anyone know anything more about what Haystack is actually doing?
>>>> The Cryptography Mailing List
>>>> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu
>>> Should you need to change your subscription options, please go to:
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> Should you need to change your subscription options, please go to:
katrin at mobileactive.org
A global network of people using mobile technology for social impact
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech