[liberationtech] Deconstructing the security risks narrative of Haystack
yahyanejad at gmail.com
Thu Sep 16 23:50:59 PDT 2010
Evgeny admirably started the public criticism of Haystack. To my dismay, after people from the security field entered the mix, the narrative of "Austin Heap misled the public on the level of Haystack use and capabilities" turned into "Haystack is putting people at risk". The latter idea is based on exaggerated fears and can be very damaging to the circumvention community.

Any narrative built on fear can be extremely hard to challenge, particularly when it carries some truth and is also kept ambiguous. Several news articles have quoted experts who claimed to "have cracked the Haystack code in six hours" but said they could not explain what was wrong with Haystack because it would put people's lives in danger by making them traceable and allowing the Iranian government to discover their identity.

Reading these quotes, I made a key observation that could not have been made by their intended audience, who didn't have the software. I had only run Haystack for 15 minutes, but I already knew what they meant. Now that it is known that the Haystack prototype can be used to trace users (a fact that the security experts publicized), it would be relatively easy for a person with basic knowledge of computer networking working for the Iranian government to do so. This should have been obvious to Jacob Appelbaum and Danny O'Brien with their level of expertise. This meant that if they truly believed their own words that tracing the test users puts a "bullet in their heads", they should have never announced the risks publicly. They either didn't believe the seriousness of the risk, or assumed there was zero chance of the prototype falling into the hands of the government, or simply thought elevating the risks to the test users was worth the political gains. I only hope that they can present a fourth possibility that I have completely missed.

Also, I realized a fair amount of detail on the traceability risk could be presented without increasing the risks. I made my disclosures with extreme care and after consultation with other experts before their release. My disclosures were done not for the sake of academic argument but to allow the audience to see the facts, understand the above argument and make their own judgements. They will also be given a chance to challenge the narrative constructed on exaggerated risks.
Since the lines were too long in my previous post, I copy it here so people could read it:
I read the latest quotes from Evgeny and Jacob Appelbaum and see that they are criticizing Haystack mainly on the basis of security risks. To me, the main problem with Haystack has been that Austin Heap misled the public to believe the software was widely distributed and used in Iran. This is a case of personal [...], and I would caution against bringing security risk arguments into the mix. I believe that overemphasizing the security/traceability risks can potentially [...] the circumvention community at large.
Haystack does have some security risks. I was given a copy of the software a few weeks ago to send to testers in Iran. I ran the software locally and [...] its traffic. Haystack was connecting to a single IP each time I ran it. If this specific IP was shared among all the copies of Haystack, and if the Iranian government could obtain a copy of the software, it could find all the other test users. One way to reduce this risk is to use the minimum number of testers and limit the tester group to trusted individuals. To Haystack's credit, they told me not to give the software to more than two people and to ask them not to share it. A second problem I saw was that Haystack was sending queries to two specific websites each time it launched. I wrote about this to Haystack's team and mentioned that such queries can easily be detected by header inspection of packets. I was told that the issue would be fixed in the production version and that they will use a much larger list of websites in the queries.
These problems may have put testers at a higher risk than was necessary. [...], in the context of wider usage of circumvention tools, I do not think that the Haystack team put testers in serious danger. Almost all circumvention tools, including Tor and Ultrasurf, can be traced. However, circumvention tools are legal in Iran and most people do not feel at risk using them.
There are many ways of detecting circumvention tools. For example, when you launch a circumvention tool, the software goes through an initialization process to figure out how to connect to the outside world. Often it starts by trying a limited set of IPs in the hundreds or thousands. A government can run one or more copies of the software to discover a fair share of these IPs. It can then determine who has tried to connect to the IPs and locate them. In practice there are better ways to detect usage of tools such as Ultrasurf or Tor; they have different signatures in the type of packets they send in the first few [...] after launch. Governments can monitor the packet traffic to detect usage and block the applications.
While it is well known that circumvention tools are traceable, it has not [...] their use in Iran. Using circumvention tools is not illegal in Iran (and it seems anywhere else in the world). Hundreds of thousands of Iranians are using circumvention tools on a daily basis and are not afraid to say so publicly. Even supporters of the Iranian government use them to write on censored websites such [...]
Can traceability be a problem? Yes, in theory it can. The Iranian government can decide one day to round up a few Haystack users to embarrass Hillary Clinton for supporting it, or alternatively can round up a few Tor users and charge them with espionage for using a tool sponsored (in the past) by the US Navy. These are hypothetical risks to consider of course. But as far as we know these have never happened.
Any risks associated with the traceability can be largely mitigated by the [...] use of circumvention tools. For example, owning satellite TV receivers [...] circumvention tools-- is illegal in Iran but they are so widely used that people are not feeling insecure. Even the seasonal scare tactics of the police [...] into a few houses and confiscating satellite dishes and ticketing the [...] have not reduced the wide adoption, which is now estimated to be at 40% of [...]
The damaging part of the traceability-risk argument for the rest of the circumvention tool initiatives is that non-traceability of circumvention tools in highly controlled networks--whether it's Iran, China or a private company's network-- is too high of a standard to achieve, and I can argue in a separate [...] that it is not a critical property for circumvention tools to have anyway.