[liberationtech] Haystack Q&A
Joshua Cohen
jcohen57 at stanford.edu
Fri Sep 3 10:07:06 PDT 2010
I have been following this discussion as an interested observer with
no knowledge of security software or standard vetting procedures/
stress tests for such software. I see two threads in the discussion:

(1) The first thread is that Haystack has not been subjected to
standard vetting procedures that are really essential to protecting
people.

(2) The second thread is about why (1) is true: with lots of comments
on personality, the complexities of doing good, the demands on
startups, etc etc.

Just wanted to say that I am MUCH less interested in (2) than in (1).
If Haystack has not been properly vetted, it does not much matter (not
for our topic here) whether the failure to follow protocols is well-
or ill-motivated. What matters is that they have not been followed and
that this may impose real dangers.

I hope we can keep the discussion focused on (1). And let me just add—
again as an interested but relatively uninformed observer—that I have
seen some very strong concerns expressed about (1), including in
Jacob's message below (but others in the thread have raised similar
issues), and I have not seen those concerns answered.

Josh Cohen
Stanford University

On Sep 3, 2010, at 1:01 AM, Jacob Appelbaum wrote:
> On 09/02/2010 10:03 PM, Patrick Meier (Ushahidi) wrote:
>> On Thu, Sep 2, 2010 at 9:50 AM, Behdad Esfahbod <behdad at behdad.org>
>> wrote:
>>
>>> And if people haven't seen it yet, here is Evgeny Morozov's take on
>>> Haystack:
>>>
>>> http://neteffect.foreignpolicy.com/posts/2010/09/02/hay_what
>>>
>>> behdad
>>>
>>>
>> This is really disappointing. If people were serious about censorship
>> circumvention and liberation technology, they would have met up with
>> Austin in person and discussed this face to face first instead of
>> writing a sensationalist article to gain public attention and make
>> personal attacks.
>
> Hi,
>
> (As a disclaimer, I work on the Tor Project as my Day and Night Job -
> this is not the opinion of my employer at all.)
>
> I'm fairly certain that many of us are serious about censorship
> circumvention and so called liberation technology.
>
> Criticism of such a system is how we improve it. We try to understand
> the operational environments in our scoping, we define threat models
> for our users, we learn where we went wrong, we adapt by studying the
> reality of the world, and then we start the process again.
>
> The points that Evgeny Morozov raises are reasonable and it is unfair
> to take the author to task for not reaching out to Austin. This
> criticism of Haystack seems valid and does not appear to be a
> sensationalist article written to gain public attention. Systems that
> are similarly described are potentially dangerous on both a technical
> and social level.
>
> If Haystack exists, it seems to effectively be a single entity proxy
> like any other VPN. Unlike other VPN services, it has the tag line of
> being used for the "Green Revolution"; it also seems to be a prime
> target for monitoring or specific targeted wire tapping. If the main
> users are actually high profile revolutionaries attempting to
> overthrow the Iranian government, I'd say it's not much of a stretch
> to say that it may be monitored by the US Government and/or others.
>
> Austin Heap produces no peer reviewed software, he makes bold social
> claims, he makes bold technical claims, he (and his interviews in the
> media) paints his users as revolutionaries and in the end, he attempts
> to win by using dismissive arguments. He does not reveal technical
> information to very many people and the things I've heard are far from
> impressive. They're actually very dangerous.
>
> I'm almost convinced that Haystack exists and has been deployed to
> some users, somewhere. However, I've still yet to meet an Iranian who
> even knows someone who knows someone that has used it. I'd love to be
> incorrect and I'm still waiting for someone to leak me more than a
> half finished design document. Those design documents were not
> impressive at all.
>
> I've attempted to meet Austin a number of times, I've even offered to
> review his protocol, critique the security of the ideas or even the
> program itself, and so on. Each time, I have been met with hostility
> and rejection. Once, I flew to San Francisco for a panel discussion
> hosted by the EFF - Austin, who lived down the street from the
> Parisoma venue, tweeted that he wouldn't even bother to show up. That
> is not very professional or reasonable. I am not the only one who has
> had this kind of interaction with Austin; to suggest that any critic
> must endure this kind of behavior is absolutely unreasonable.
>
> To be clear - the argument isn't one of Free Software versus Closed
> Source software either - if there's a binary, an attacker with
> motivation has everything they need to attack the users of the system.
>
> Austin promotes a piece of software that is supposed to be used as
> part of a revolution - the burden of proof is on Austin.
>
> All the best,
> Jacob