[liberationtech] on the traceability of circumvention tools
Mehdi Yahyanejad
yahyanejad at gmail.com
Wed Sep 15 21:31:31 PDT 2010
I read the latest quotes from Evgeny and Jacob Appelbaum and see that they are criticizing Haystack mainly on the basis of security risks. To me, the main problem with Haystack has been that Austin Heap misled the public to believe the software was widely distributed and used in Iran. This is a case of personal failure, and I would caution against bringing security risk arguments into the mix. I believe that overemphasizing the security/traceability risks can potentially harm the circumvention community at large.
Haystack does have some security risks. I was given a copy of the software a few weeks ago to send to testers in Iran. I ran the software locally and inspected its traffic. Haystack was connecting to a single IP each time I ran it. If that specific IP was shared among all the copies of Haystack, and if the Iranian government could obtain a copy of the software, it could find all the other test users. One way to reduce this risk is to use the minimum number of testers required and limit the tester group to trusted individuals. To Haystack's credit, they told me not to give the software to more than two people and to ask them not to share it. A second problem I saw was that Haystack was sending queries to two specific websites each time it launched. I wrote about this to Haystack's team and mentioned that such queries can easily be detected by header inspection of packets. I was told that the issue would be fixed in the production version and that they would use a much larger list of websites in the queries.
These problems may have put testers at a higher risk than was necessary. However, in the context of wider usage of circumvention tools, I do not think that the Haystack team put testers in serious danger. Almost all circumvention tools, including Tor and Ultrasurf, can be traced. However, circumvention tools are not illegal in Iran and most people do not feel at risk using them.
There are many ways of detecting circumvention tools. For example, when you launch a circumvention tool, the software goes through an initialization process to figure out how to connect to the outside world. Often it starts by trying a limited set of IPs in the hundreds or thousands. A government can run one or more copies of the software to discover a fair share of these IPs. It can then determine who has tried to connect to the IPs and locate them. In practice there are better ways to detect usage of tools such as Ultrasurf or Tor; the applications have different signatures in the type of packets they send in the first few seconds after launch. Governments can monitor the packet traffic to detect usage or block the applications.
While it is well known that circumvention tools are traceable, it has not impeded their use in Iran. Using circumvention tools is not illegal in Iran (and, it seems, anywhere else in the world). Hundreds of thousands of Iranians are using circumvention tools on a daily basis and are not afraid to say so publicly. Even supporters of the Iranian government use them to write on censored websites such as Friendfeed.
Can traceability be a problem? Yes, in theory it can. The Iranian government can decide one day to round up a few Haystack users to embarrass Hillary Clinton for supporting it, or alternatively can round up a few Tor users and charge them with espionage for using a tool sponsored (in the past) by the US Navy. These are all hypothetical risks to consider, of course. But as far as we know these things have never happened.
Any risks associated with traceability can be largely mitigated by the wider use of circumvention tools. For example, owning satellite TV receivers (unlike circumvention tools) is illegal in Iran, but they are so widely used that people do not feel insecure. Even the seasonal scare tactics of the police breaking into a few houses, confiscating satellite dishes and ticketing the owners have not reduced the wide adoption, which is now estimated to be at 40% of all households.
The damaging part of the traceability-risk argument for the rest of the circumvention tool initiatives is that non-traceability of circumvention tools in highly controlled networks (whether it's Iran, China or a private company's network) is too high a standard to achieve, and I can argue in a separate note that it is not a critical property for circumvention tools to have anyway.
-mehdi