[liberationtech] Fwd: Haystack

Fri Aug 20 15:44:25 PDT 2010

opinion: not much to debate about Haystack. A reason to periodically review, going forward, is to propagate concerns until its promoter and those with concerns* can publicly square up questions and answers. There is nothing special about the questions that need to be asked. Otherwise, the product gets a free pass. 

No security product should get a free pass. Every security product in use today - and taken seriously - has been subjected to significant open review. "Effective... as far as we know" is the strongest claim you will hear from respected crypto/privacy/security professionals.

- - - 

* "Critics" implies "cranks" sometimes in this context so I won't use the word. There exists a large, well-qualified audience of concerned experts for all crypto/privacy/security technologies.  I'm not one of them, just an admirer. They deserve to be heard, and their words given serious weight.

On Aug 20, 2010, at 1:54 PM, Gabe Gossett wrote:

> I followed the link below to the story below about Haystack being granted a US license, which goes to Austin Heap’s blog.  So I tried to find anything more substantial about this government license and found nothing, including nothing at the Treasury Dept. website.  In fact, the Office of Foreign Assets Control (cited in the post) has a page where they have listed all of the actions they have taken in the past year: http://www.ustreas.gov/offices/enforcement/ofac/actions/index.shtml
>  
> According to Heap’s blog post, dated April 14, “Today, the Censorship Research Center (“CRC”) announced that it has received critical United States Government authorizations required to export anti-filtering technology to Iran.”   But CRC is listed nowhere. 
>  
> Making this appear even more bogus is that, according to a NY Times story published more than a month before this blog post, the Treasury Department issued exemptions for “a general license for the export of free personal Internet services and software” in Iran, among other countries.  This is a general license for any company.  So when Austin’s blog post claims that “The CRC is the only organization licensed to export such software to Iran,”  it is very misleading.  Basically, from what I can find at this point, there is no evidence that the US government has given Haystack any form of approval, much less vetting.
>  
> I sent Austin an email asking for proof that Haystack works.  We’ll see if we hear anything.
>  
> -Gabe
>  
> From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Evgeny Morozov
> Sent: Thursday, August 19, 2010 11:47 PM
> To: Liberation Technologies
> Subject: Re: [liberationtech] Fwd: Haystack
>  
> I would like to add another thread to this fascinating discussion: as some of you may know, Haystack has also been granted a US government license to legally distribute their software in Iran (that is, they are not subject to the usual set of sanctions-related restrictions on the export of technology to the country). I also believe that Hillary Clinton mentioned Haystack - at least in passing - in one of her speeches. 
> 
> Whatever the merits of Haystack's technology - and I must confess that I'm in with the most skeptical members of this thread - such endorsement by the US government may have also given Iranians a false sense of security and at least some nominal assurance that Haystack has been properly vetted on its technological merits. (Since it was US Treasury that granted them a license, one cannot be 100% sure that such vetting actually did take place). 
> 
> This is not to necessarily bash Haystack, but to point out the inefficiencies of the current sanctions regime on Iran and the kind of unintended consequences it creates.
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20100820/aca847a1/attachment.html>