Search Mailing List Archives
[liberationtech] Deconstructing the security risks narrative of Haystack
jacob at appelbaum.net
Fri Sep 17 00:26:14 PDT 2010
On 09/16/2010 11:50 PM, Mehdi Yahyanejad wrote:
> Evgeny admirably started the public criticism of Haystack. To my
> dismay, after people from the security field entered the mix, the
> narrative of "Austin Heap misled the public on the level of Haystack
> use and capabilities" turned into "Haystack is putting people at
> risk". The latter idea is based on exaggerated fears and can be very
> damaging to the circumvention community. Any narrative built on fear
> can be extremely hard to challenge, particularly when it carries some
> truth and is also kept ambiguous.
The story developed from many data points. At first, it seemed that
Austin was unaware; after a time, it seemed that Austin was simply
avoiding people who wanted to help. Now it appears that Austin, Daniel
and yourself all knew the risks and decided not to tell your testers the
truth of what the tool did - it would not stand up to peer review of any
kind and certainly it did not pass the giggle test.
If you'd like me to post proof of Haystack's so called "warnings" - I'm
more than happy to do it. If you'd like me to explain the grave nature
of the Haystack software in general, I'll have to think hard about it.
I can't imagine that it will do anything other drag this out further -
what's the point? Is that really required?
It seems that disclosing any more information is pointless at this time.
I'm just not sure why you would do that - it merely escalates an already
tense situation. Given that your lead and only developer agreed with me
and then resigned, I'm not sure why you're beating this dead horse.
> Several news articles have quoted experts who claimed to "have
> cracked the Haystack code in six hours" but said they could not
> explain what was wrong with Haystack because it would put people's
> lives in danger by making them traceable and allowing the Iranian
> government to discover their identity.
A slight correction - I agreed to keep them quiet after talking with
Austin and Daniel. I have kept many details of my conversation with both
secret. Austin had a lot to say and while I'm pretty upset with how
things have played out, I'm still not going to disclose everything in
those conversations. There simply isn't a good reason and frankly, I'm
starting to feel badly for them.
To be fair - I said that our analysis took six hours - the issues that
are the most horrible were spotted in less than a minute. One minute.
These issues aren't rocket science, they're simply serious and of course
seriously misrepresented by the media hype that Haystack participated in.
In addition, I'd like to ask you if you're challenging my statements
about Haystack? I believe firmly that it would be possible for the
Iranian government to trace Haystack users - do you dispute this fact?
I'm sorry to say it but you're pushing and I'll not let you distort
reality. You're part of the reason that this problem exists and you
should take responsibility for your mistakes, whatever they are.
Please do not shift the blame onto us for finding a copy of Haystack and
discovering these issues independently. We at least had the courtesy to
contact Austin and Daniel - it was only after I felt Austin was being
dishonest that we changed tactics.
I'm not the only one that felt he was being dishonest but I won't speak
for anyone but myself. It does appear that you agree with me in your
emails about his level of honesty or as you phrased it "misled the
public" with popular media.
> Reading these quotes, I made a key observation that could have not
> been made by their intended audience who didn't have the software. I
> had only run Haystack for 15 minutes but I already knew what they
> meant. Now that it is known that the Haystack prototype can be used
> to trace users(a fact that the security experts publicized), it would
> be relatively easy for a person with basic knowledge of ] computer
> networking working for the Iranian government to do so. This should
> have been obvious to Jacob Appelbaum and Danny O'Brian with their
> level of expertise. This meant that if they truly believed their own
> words that tracing the test users puts "bullet in their heads", they
> should have never announced the risks publicly.
This a common tactic with vendors - you're shifting the blame to those
that discovered the issues. Don't do that, it's not my fault that people
in Iran were using this software. It's also not my fault that this
system was designed in such a way - Daniel already agreed that it
shouldn't have gotten out beyond the hand picked testers.
It is clear to me that it was in the wild. There is no clearer proof
than the fact that I have a copy. I'm not the only one.
> They either didn't
> believe the seriousness of the risk, or assumed there is zero chance
> of the prototype falling in the hand of the government, or simply
> thought elevating the risks to the test users is worth the political
> gains. I only hope that they can present a fourth possibility that I
> have completely missed.
Yes, I believed that the only way to cause you and your group to act
reasonably was to tell people about the things we had found. Your group
confirmed my findings and so, it's not like there's much of a debate.
To be clear: Austin said that he disabled Haystack before we spoke on
Friday - I was still able to route traffic through it on Sunday and this
has been confirmed by multiple independent parties.
The onus is on you to prove that Haystack is honest and fair when I have
concrete proof that shows me the opposite. All of the evidence is
against your group - Haystack has less than zero credibility at this point.
I believe that others harbor the same concerns; this is only underscored
by the claims made in the media during the last thirteen months.
> Also, I realized a fair amount of details on the traceability risk
> could be presented without increasing the risks. I made my
> disclosures with extreme care and after consultation with other
> experts before its release. My disclosures were done not for the sake
> of academic argument but to allow the audience to see the facts,
> understand the above argument and make their own judgements. They
> will be also given a chance to challenge the narrative constructed on
> exaggerated risks of traceability.
Your judgment is seriously impaired in my professional opinion. Daniel
and Austin both confirmed my concerns. That should have been the end of
it. What is there left to debate?
Are you simply worried that your name is being dragged through the mud?
That wasn't my intention but it's clear that you have some culpability
in this - perhaps more than others, perhaps less. Perhaps you can
address that fact? What did you tell the other advisory board members
about your findings? What did you advise Austin and Daniel to do?
More information about the liberationtech