[liberationtech] on the traceability of circumvention tools

Jacob Appelbaum jacob at
Thu Sep 16 04:31:33 PDT 2010

On 09/15/2010 09:31 PM, Mehdi Yahyanejad wrote:
> I read the latest quotes from Evgeny and Jacob Appelbaum and see that
> they are criticizing Haystack mainly on the basis of security risks.
> To me, the main problem with Haystack has been that Austin Heap
> misled the public to believe the software was widely distributed and
> used in Iran. This is a case of personal failure, and I would caution
> against bringing security risk arguments into the mix. I believe that
> overemphasizing the security/traceability risks can potentially harm
> the circumvention community at large.

This is certainly a case of personal failure. It is also an issue of
security both in the abstract and in concrete terms. There are many
issues at play and I think they're all fairly serious.

> Haystack does have some security risks. I was given a copy of the
> software a few weeks ago to send to testers in Iran. I ran the
> software locally and inspected its traffic. Haystack was connecting
> to a single IP each time I ran it. If that specific IP was shared
> among all the copies of Haystack, and if the Iranian government could
> obtain a copy of the software, it could find all the other test
> users. One way to reduce this risk is to use the minimum number of
> testers required and limit the tester group to trusted individuals.
> To Haystack's credit, they told me not to give the software to more
> than two people and to ask them not to share it. A second problem I
> saw was that Haystack was sending queries to two specific websites
> each time it launched. I wrote about this to Haystack's team and
> mentioned that such queries can easily be detected by header
> inspection of packets. I was told that the issue would be fixed in
> the production version and that they will use a much larger list of
> websites in the queries.

Speaking of personal failures, I'm pretty much unable to comprehend why
you just disclosed the above information.