[liberationtech] Haystack Q&A

Danny O'Brien danny at spesh.com
Wed Sep 8 20:56:10 PDT 2010


On Thu, Sep 2, 2010 at 5:49 PM, Danny O'Brien <danny at spesh.com> wrote:
> Here are my questions for the Haystack team:
>

So, an update to this. I'm based in San Francisco, so last week I
arranged (along with Moxie of thoughtcrime.org) to see a demo of
Haystack. I took the opportunity to ask Austin some additional
questions about the Censorship Research Center's work and Haystack's
history. We met up in a local cafe, and Austin demo'd the software on
his laptop.

Really, seeing the demo was the least informative part: neither I nor
Moxie exposed it to any in-depth tests on the spot, nor did we expect
to.  The model for how Haystack is supposed to work -- a set of
external proxies that relay encrypted traffic disguised
steganographically as common unencrypted traffic patterns in order to
bypass a national filtering and surveillance system -- is already
pretty well known. The challenges with doing that are either obvious
(how do you hide the proxies from attackers?) or buried deep in the
details (how can you prevent your steganography actually serving as an
obvious fingerprint instead? etc). There really wasn't much we could
learn or answer from just peering at code, IP address reporting, and
diagnostic data dumps.

We did ask Austin some fairly technical questions about what we were
looking at, some of which he could answer, some of which he referred
us to Daniel Colascione, the main co-developer. The software I saw
appeared to be under active development: the UI was pretty
straightforward and clean, but the underlying client still had some
test harness features built-in. I was told it was not ready for wide
use -- the current user base are all effectively testers.

I did get some answers to the questions I gave here, and also some of
the wider context.

> 1) Could you give us precise numbers as to the user base of Haystack?

Austin reports that Haystack has less than a hundred current users.
It's not a rolled-out service, though it's been in regular use by
those users since late March.

Austin and his colleagues were informed last year by their advisors
that by offering a service to Iranian citizens in Iran they were
violating US sanctions, and therefore they shut down the proxy service
until they got the paperwork in order. Development on the client and
server code continued, but they could not test it with their Iranian
contacts until March.

The same issue also affected their fundraising: their PayPal account
was frozen. Austin said that despite appearances, their donation
drives did not bring in much cash anyway. They made some expensive
bandwidth and server decisions early on which sucked away a lot of
what they did have.

Austin explained that the Haystack development team was around seven
programmers, all working as volunteers in their spare time.

> 2) Would you make available a way that Haystack users can determine
> that they are, in fact, using the real Haystack, and not malware
> presented by others?
>

They don't have a way to do this currently; but Austin acknowledged it
as a problem, and demonstrated some early work (we didn't go into
technical details) to try and combat it that they'd been working on
since I mentioned it as a problem.

> 3) Would it be possible to provide a copy of Haystack for public
> download and evaluation? It seems like it would be possible to restrict
> the usage of a "demo" version to not take too much of Haystack's
> resources.

No movement on this. I was reassured that he'd recently proactively
reached out to some external technical experts to review or advise the
project. He'd already spoken with Bram Cohen earlier and I believe
he's also chatted with Nart Villeneuve (Nart can confirm this). I
recommended some names of people that have broad respect for analysing
secure protocols and auditing code (including Moxie), and repeated my
belief that an audit of the code under NDA from a small commercial
security company is probably best suited for Haystack's proprietary
model. I also emphasised that there was already a community of people
with long expertise in building circumvention systems, and a growing
pool of communal knowledge that he could draw on.

> 3) Would you be amenable to submitting Haystack for independent review
> by security experts? If not, why not? If this has already happened,
> can you name who conducted such an audit?

No-one yet has. He seems much more amenable to this than he was when I
spoke to him last year, and as I say we discussed some possible
options.

Austin appears to be spending a lot of time recently individually
demonstrating the software and answering these kinds of questions in
person; I suggested that it might be more efficient to have a more
public, dynamic, Q&A on this forum or elsewhere.

(These are all just my impressions drawn from my notes; Austin please
step in and correct anything, or add any additional details you think
are appropriate).

-- 
Danny O'Brien
danny at spesh.com
dobrien at cpj.org


