[liberationtech] Fwd: Haystack

Mahmood Enayat enayat at gmail.com
Thu Aug 19 06:42:38 PDT 2010


It seems that Haystack has not been released publicly yet. So the discussion
about hiding its methodology or reviewing its code is irrelevant. If the
claim is that Haystack has been helping Iranians (as its extensive media
coverage suggests), at least there should be a copy of Haystack available
somewhere online that we can all download. The big players of
circumvention solutions, which have received less attention, are all
available here: www.sesawe.net . Why is Haystack not available online like
them?

The question that we should all ask now is 'where is Haystack'. And that's
the question that all the journalists who covered Haystack in the past year
should ask (or should have asked!). Where is Haystack?


On Wed, Aug 18, 2010 at 7:26 PM, Jim Youll <jyoull at alum.mit.edu> wrote:

> (apologies for this digression in the meta)
>
> - agree that Haystack, whatever it is, if it's anything at all, and EVERY
> OTHER "technology for SAFE free speech and thought" should be fully
> disclosed and analyzed and ripped to shreds by people who care about it,
> because those who only care to subvert it are already tearing it apart.
>
> - by "stuff that's supposed to be secret" I meant the "online actions and
> writings" of innocent people/whistleblowers/whomever hiding from oppressors.
> These "secrets" might be the identity of a blogger, or the addressee,
> sender, and/or content of an e-mail message. I wasn't referring to the
> technologies used to create that secrecy. It was a bad idea to introduce two
> kinds of 'secret' in one hastily-written note.
>
>
>
> On Aug 18, 2010, at 11:14 AM, Katrin Verclas wrote:
>
> I strongly disagree.  So long as the code is obfuscated and Austin Heap
> refuses to provide technical details to hackers who know their stuff (which
> he is doing in recent email), I have to assume that Haystack does not exist.
> Shut up and ship, as John Graham-Cumming noted:
> http://blog.jgc.org/2010/08/shut-up-and-ship.html.
>
> Katrin
>
>
> On Aug 18, 2010, at 1:18 AM, Jim Youll wrote:
>
> I'm sorry to hear that they're deliberately hiding their methods. The only
> reasonable assumption in an adversarial situation is that the opposition
> knows your methods. Good crypto isn't about secret methods - it's open and
> peer reviewed. And this is not just about suppression - it's about people
> working in complete safety, gaining the trust of those who are not, and
> maybe getting those trusting others killed, tortured, imprisoned...
>
> IMO the built-in problem is that a "huge, industrial strength" response
> (i.e. in proportion to the scope of the problem and the capabilities of the
> other side) may be the obvious way to go, but this creates a proportionally
> larger attack surface and vulnerabilities that increase perhaps
> exponentially as the solution's complexity grows. Analysis of complex
> systems is well within the reach of government actors. Do-gooders, on the
> other hand, can scale up a few steps and that's it. Spy vs. spy is fun for
> both parties, when two adversaries are well-matched (US vs USSR). It's not
> so much for one, when relative strengths are asymmetrical.
>
> Side note - to protect people, the stuff that's supposed to be secret has
> to stay secret for a really long time. That's much harder than, say,
> e-commerce-style security where the goal is merely to assure that a
> message makes it from here to there, and not caring if it's readable a few
> years (or in some cases a few minutes) from now.
>
>
> On Aug 17, 2010, at 7:30 PM, Sky (Jim Schuyler) wrote:
>
> I know Austin "casually" because of common connections and concerns, am
> trying to meet with him soon here in San Francisco, and will see what
> insight I can get into their method.  Yes, they have not talked about the
> method.  I do not currently know how they're obfuscating the traffic.  And I
> also doubt they'll tell anyone very much about it.
>
>
> I would also suspect their tech is being vetted - just because of the
> calibre of people who are interested in it.
>
>
> I have some ideas about what they might be doing, and it's speculation
> based on what I know is going on in the field, and not on specific knowledge
> of how Haystack works.  I wouldn't do it exactly the way they describe it,
> and I'm guessing that they're not doing it exactly the way they're
> describing it either.  They only said it would -appear to be- a proxy to the
> user - not that they are actually using proxies in the same way they've been
> used in the past.  That would be too obvious and too easy to suppress.
>
>
> Let me also just comment on the nature and size of online problems and
> attacks that I have seen recently being addressed in the NGO, free speech
> and human rights areas.  The attacks are huge.  The resources arrayed
> -against- NGOs and other entities are huge.  And so the response (or
> circumvention) has to be industrial strength as well.  We are going to see
> these larger, concerted, responses surfacing increasingly this year and
> next.
>
>
> [Sky]
>
>
>
>
>
> On Aug 17, 2010, at 12:18 PM, Jim Youll wrote:
>
>
> Concerns aired in this discussion from another list have relevance to the
> "safe communications for journalists/activists" conversation that aired
> here recently...
>
> the message here seems to be wary of Haystack and other technologies that
> have not been analyzed for security exposures by people who know
> what they're talking about.
>
>
> Begin forwarded message:
>
> From: Steve Weis <steveweis at gmail.com>
> Date: August 17, 2010 11:46:54 AM PDT
> To: Jerry Leichter <leichter at lrw.com>
> Cc: "cryptography at metzdowd.com List" <cryptography at metzdowd.com>
> Subject: Re: Haystack
>
>
> I sent an email asking for technical information several months ago
> and did not receive a response. The FAQ says "the Haystack client
> connects to our servers which in turn talk to websites on behalf of
> our users" and "from a user's point of view, Haystack appears to be a
> normal HTTP proxy". There is no binary or source available for
> download and the FAQ says "revealing the source code at this time
> would only aid the authorities in blocking Haystack".
>
> Based on those statements, I'm going to speculate that the client
> connects to a static list of innocuous-looking proxies and that they
> are relying on keeping those proxies secret. If those servers were
> known to an authority, it would be trivial to block. I think that is
> why they're making the unrealistic assumption that an authority will
> not be able to reverse engineer or even monitor traffic from a client.
>
>
> On Tue, Aug 17, 2010 at 12:57 AM, Jerry Leichter <leichter at lrw.com> wrote:
>
> The mainstream press is full of discussion for a new program, Haystack,
> developed by a guy named Austin Heap and sponsored by the Censorship
> Research Center as a new kind of secure proxy.  See
> http://www.haystacknetwork.com/faq/ for some information.
>
> As described, the program relies on some kind of steganography to hide
> encrypted connections inside of connections to "approved" sites.  It was
> specifically designed to help Iranian dissidents maintain connections in
> the face of active government efforts to locate and block proxies and Tor
> entry and exit nodes.
>
> A Google search reveals absolutely no technical information about exactly
> what Haystack does or how it does it.  The program is available on multiple
> platforms but is closed source - the FAQ linked to above discusses this,
> citing fears that making the source available would help censors.
>
> Anyone know anything more about what Haystack is actually doing?
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
> skype/twitter: katrinskaya
> (347) 281-7191
>
> A global network of people using mobile technology for social impact
> http://mobileactive.org