Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] on the traceability of circumvention tools

Jacob Appelbaum jacob at appelbaum.net
Thu Sep 16 04:31:33 PDT 2010


On 09/15/2010 09:31 PM, Mehdi Yahyanejad wrote:
> 
> 
> I read the latest quotes from Evgeny and Jacob Appelbaum and see that
> they are criticizing Haystack mainly on the basis of security risks.
> To me, the main problem with Haystack has been that Austin Heap
> misled the public to believe the software was widely distributed and
> used in Iran. This is a case of personal failure, and I would caution
> against bringing security risk arguments into the mix. I believe that
> overemphasizing the security/traceability risks can potentially harm
> the circumvention community at large.
> 

This is certainly a case of personal failure. It is also an issue of
security both in the abstract and in concrete terms. There are many
issues at play and I think they're all fairly serious.

> Haystack does have some security risks. I was given a copy of the
> software a few weeks ago to send to testers in Iran. I ran the
> software locally and inspected its traffic. Haystack was connecting
> to a single IP each time I ran it. If that specific IP was shared
> among all the copies of Haystack, and if the Iranian government could
> obtain a copy of the software, it could find all the other test
> users. One way to reduce this risk is to use the minimum number of
> testers required and limit the tester group to trusted individuals.
> To Haystack's credit, they told me not to give the software to more
> than two people and to ask them not to share it. A second problem I
> saw was that Haystack was sending queries to two specific websites
> each time it launched. I wrote about this to Haystack's team and
> mentioned that such queries can easily be detected by header
> inspection of packets. I was told that the issue would be fixed in
> the production version and that they will use a much larger li st of
> websites in the queries.

Speaking of personal failures, I'm pretty much unable to comprehend why
you just disclosed the above information.

Unbelievable.

Aghast,
Jacob



More information about the liberationtech mailing list