[liberationtech] on the traceability of circumvention tools

Danny O'Brien danny at spesh.com
Thu Sep 16 01:33:35 PDT 2010


On Wed, Sep 15, 2010 at 9:31 PM, Mehdi Yahyanejad <yahyanejad at gmail.com> wrote:
> I read the latest quotes from Evgeny and Jacob Appelbaum and see that they are criticizing Haystack mainly on the basis of security risks. To me, the main problem with Haystack has been that Austin Heap misled the public to believe the software was widely distributed and used in Iran. This is a case of personal failure, and I would caution against bringing security risk arguments into the mix. I believe that overemphasizing the security/traceability risks can potentially harm the circumvention community at large.
>
> Haystack does have some security risks. I was given a copy of the software a few weeks ago to send to testers in Iran. I ran the software locally and inspected its traffic. Haystack was connecting to a single IP each time I ran it. If that specific IP was shared among all the copies of Haystack, and if the Iranian government could obtain a copy of the software, it could find all the other test users. One way to reduce this risk is to use the minimum number of testers required and limit the tester group to trusted individuals. To Haystack's credit, they told me not to give the software to more than two people and to ask them not to share it. A second problem I saw was that Haystack was sending queries to two specific websites each time it launched. I wrote about this to Haystack's team and mentioned that such queries can easily be detected by header inspection of packets. I was told that the issue would be fixed in the production version and that they will use a much larger list of websites in the queries.
>
> These problems may have put testers at a higher risk than was necessary. However, in the context of wider usage of circumvention tools, I do not think that the Haystack team put testers in serious danger. Almost all circumvention tools, including Tor and Ultrasurf, can be traced. However, circumvention tools are not illegal in Iran and most people do not feel at risk using them.

I am, at some level, relieved to hear this, and I am compelled to
defer to your knowledge of the political implications of Haystack use
within Iran. The last few days have involved me and others reaching
out to Iranian groups to try and calibrate exactly what the political
risk attached to being a "known user of Haystack" actually is, because
this is, as you have now told us all, where the primary risk of the
vulnerabilities lies. While we were doing this, we refrained from
providing the technical details of the fingerprint that could be used
to identify the Haystack user.

It's a complex risk equation that you describe. As you say, one
possible way of limiting risk is to limit the number of users.
However, given that Haystack was billed as an anti-government
circumvention program, having a small circle of users would make it
far more possible, and more feasible to make an example of them with
fewer negative political repercussions.

One does not have to look exclusively to the current Iranian
administration for histories of such, as you say, a "round-up", or
portray Ahmadinejad's government as monolithically zealous or
vindictive to imagine this would happen. In almost any country, a
piece of software actively supported by a hostile foreign power and
widely advertised by that power's mainstream media as a
near-miraculous tool of internal revolution, which is subsequently
discovered to be both trivially detectable and in use by only a cadre
of a few dozen users, would prompt a far different reaction than a
well-known piece of software or hardware used illicitly by thousands
to download mildly salacious but widespread media -- even if they
technically served the same function. I leave it to readers of this
list, for instance, to construct scenarios where the US government
would choose, either out of genuine security concerns, or a sense of
democratically-encouraged grand political theater, to arrest, question
or begin to aggressively monitor such a group.

One particular part of the total risk equation that we can at least
quantify is the ease of identification; as you and now everyone
understands, the signature of this version of Haystack (which I think
we must say now is *the* version of Haystack) is more than just
trivial to determine. [I am once again omitting some facts here, my
apologies]. Indeed, the cost of uncovering the supposedly undetectable
needle in the Haystack is close to zero. This contrasts, as you must
know, with the relative costs of detecting the users of other
circumvention software.

There are some other factors as well that I believe you have not
considered. I had been led to believe by CRC until your post that the
application we were looking at (which has the characteristics you
describe) was a "test" program, that was never intended for wide
distribution or portrayal as the real Haystack, was several months old
and had been superseded, and had somehow inadvertently leaked out to
wider distribution. Your statement indicates that, in fact, this *was*
the program that was being distributed, as recently as a few weeks
ago. I'd appreciate Daniel's clarification on this, because if this is
true, we are dealing with a far wider and more deliberate distribution
of known flawed software than I thought he had described.

Secondly, you and I are working I think on a number of assumptions
based on statements made to us by Austin Heap. While I do not want to
confuse a sober determination of the risks of Haystack with the sort
of speculative mudslinging that without concrete facts this discussion
can easily descend into, I think it's fair to say that, after several
months of taking Austin at his word, I am now of the opinion that, to
be generous, he adjusts his statements to best fit the wishes of his
current audience. Witness, for instance, the constantly varying
numbers given as to the total number of official testers of Haystack
in Iran; the number of developers of Haystack; reasons why he did not
release the source; the capabilities and existence of the current
Haystack client; the reasons why development on the client ceased for
several months; whether he had truly shut down the Haystack server;
and so on.

It is, I think, partly frustration with this constantly shifting
ground that led to so many resignations at CRC in the last few days.
What this means for the rest of us in practical terms is that we have
no reliable source for many of the vital pieces of information any of
us need to determine the true risks.

Out of this sense of my limited knowledge of Iranian internal
politics, the true numbers of Haystack users, what they have been
told, the inability of CRC to keep track of what and how many copies
of what software nor monitors their own servers, the contradictions in
what each of us have been separately told, the amazing gulf between
the impressive goals of Haystack and the actual qualities of the real
client, I have refrained from providing the information that you have
now released. I wish I could be as sure as you of the true state of
affairs.

I am also curious as to why you have deliberately chosen to omit
several key facts in your analysis. I think that if I was as confident
as you as to the benefit of revealing 90% of the nature of the problem
the Iranian government needs to solve in order to identify Haystack
users for the sole purpose of academically considering some
hypothetical damage to the circumvention community, I imagine I would
also not hold back on that final 10%. Even though I really hope you
are right, I am not going to provide that 10%, and despite our
different estimation techniques, I urge you not to.

d.


>
> There are many ways of detecting circumvention tools. For example, when you launch a circumvention tool, the software goes through an initialization process to figure out how to connect to the outside world. Often it starts by trying a limited set of IPs in the hundreds or thousands. A government can run one or more copies of the software to discover a fair share of these IPs. It can then determine who has tried to connect to the IPs and locate them. In practice there are better ways to detect usage of tools such as Ultrasurf or Tor; the applications have different signatures in the type of packets they send in the first few seconds after launch. Governments can monitor the packet traffic to detect usage or block the applications.
>
> While it is well known that circumvention tools are traceable, it has not impeded their use in Iran. Using circumvention tools is not illegal in Iran (and, it seems, anywhere else in the world). Hundreds of thousands of Iranians are using circumvention tools on a daily basis and are not afraid to say so publicly. Even supporters of the Iranian government use them to write on censored websites such as Friendfeed.
>
> Can traceability be a problem? Yes, in theory it can. The Iranian government can decide one day to round up a few Haystack users to embarrass Hillary Clinton for supporting it, or alternatively can round up a few Tor users and charge them with espionage for using a tool sponsored (in the past) by the US Navy. These are all hypothetical risks to consider of course. But as far as we know these things have never happened.
>
> Any risks associated with the traceability can be largely mitigated by the wider use of circumvention tools. For example, owning satellite TV receivers --unlike circumvention tools-- is illegal in Iran but they are so widely used that people are not feeling insecure. Even the seasonal scare tactics of the police breaking into a few houses and confiscating satellite dishes and ticketing the owners have not reduced the wide adoption, which is now estimated to be at 40% of all the households.
>
> The damaging part of the traceability-risk argument to the rest of the circumvention tool initiatives is that non-traceability of circumvention tools in highly controlled networks -- whether it's Iran, China or a private company's network -- is too high of a standard to achieve, and I can argue in a separate note that it is not a critical property for circumvention tools to have anyway.
>
>
> -mehdi