[liberationtech] Deconstructing the security risks narrative of Haystack
Mehdi Yahyanejad
yahyanejad at gmail.com
Thu Sep 16 23:50:59 PDT 2010
Evgeny admirably started the public criticism of Haystack. To my
dismay, after people from the security field entered the mix,
the narrative of "Austin Heap misled the public on the level of
Haystack use and capabilities" turned into "Haystack is putting
people at risk". The latter idea is based on exaggerated fears
and can be very damaging to the circumvention community.
Any narrative built on fear can be extremely hard to challenge,
particularly when it carries some truth and is also kept ambiguous.
Several news articles have quoted experts who claimed to "have
cracked the Haystack code in six hours" but said they could not
explain what was wrong with Haystack because it would put people's
lives in danger by making them traceable and allowing the Iranian
government to discover their identity.
Reading these quotes, I made a key observation that could not have
been made by their intended audience who didn't have the software.
I had only run Haystack for 15 minutes but I already knew what they
meant. Now that it is known that the Haystack prototype can be
used to trace users (a fact that the security experts publicized), it
would be relatively easy for a person with basic knowledge of
computer networking working for the Iranian government to do so.
This should have been obvious to Jacob Appelbaum and
Danny O'Brien with their level of expertise. This meant that if they
truly believed their own words that tracing the test users puts a
"bullet in their heads", they should have never announced the
risks publicly. They either didn't believe the seriousness of the
risk, or assumed there is zero chance of the prototype falling
into the hands of the government, or simply thought elevating the
risks to the test users is worth the political gains. I only hope that
they can present a fourth possibility that I have completely missed.
Also, I realized a fair amount of details on the traceability risk
could be presented without increasing the risks. I made my disclosures
with extreme care and after consultation with other experts before
its release. My disclosures were done not for the sake of academic
argument but to allow the audience to see the facts, understand the
above argument and make their own judgements. They will also be given
a chance to challenge the narrative constructed on exaggerated risks
of traceability.
-mehdi
----
Since the lines were too long in my previous post, I copy it here for people
who could read it:
I read the latest quotes from Evgeny and Jacob Appelbaum and see that they
are criticizing Haystack mainly on the basis of security risks. To me, the
main problem with Haystack has been that Austin Heap misled the public to
believe the software was widely distributed and used in Iran. This is a
case of personal failure, and I would caution against bringing security
risk arguments into the mix. I believe that overemphasizing the
security/traceability risks can potentially harm the circumvention
community at large.
Haystack does have some security risks. I was given a copy of the software
a few weeks ago to send to testers in Iran. I ran the software locally and
inspected its traffic. Haystack was connecting to a single IP each time I
ran it. If that specific IP was shared among all the copies of Haystack,
and if the Iranian government could obtain a copy of the software, it could
find all the other test users. One way to reduce this risk is to use the
minimum number of testers required and limit the tester group to trusted
individuals. To Haystack's credit, they told me not to give the software
to more than two people and to ask them not to share it. A second problem
I saw was that Haystack was sending queries to two specific websites each
time it launched. I wrote about this to Haystack's team and mentioned that
such queries can easily be detected by header inspection of packets. I was
told that the issue would be fixed in the production version and that they
will use a much larger list of websites in the queries.
These problems may have put testers at a higher risk than was necessary.
However, in the context of wider usage of circumvention tools, I do not
think that the Haystack team put testers in serious danger. Almost all
circumvention tools, including Tor and Ultrasurf, can be traced. However,
circumvention tools are not illegal in Iran and most people do not feel at
risk using them.
There are many ways of detecting circumvention tools. For example, when you
launch a circumvention tool, the software goes through an initialization
process to figure out how to connect to the outside world. Often it starts
by trying a limited set of IPs in the hundreds or thousands. A government
can run one or more copies of the software to discover a fair share of
these IPs. It can then determine who has tried to connect to the IPs and
locate them. In practice there are better ways to detect usage of tools
such as Ultrasurf or Tor; the applications have different signatures in
the type of packets they send in the first few seconds after launch.
Governments can monitor the packet traffic to detect usage or block the
applications.
While it is well known that circumvention tools are traceable, it has not
impeded their use in Iran. Using circumvention tools is not illegal in Iran
(and it seems anywhere else in the world). Hundreds of thousands of
Iranians are using circumvention tools on a daily basis and are not afraid
to say so publicly. Even supporters of the Iranian government use them to
write on censored websites such as Friendfeed.
Can traceability be a problem? Yes, in theory it can. The Iranian
government can decide one day to round up a few Haystack users to
embarrass Hillary Clinton for supporting it, or alternatively can round up
a few Tor users and charge them with espionage for using a tool sponsored
(in the past) by the US Navy. These are all hypothetical risks to
consider, of course. But as far as we know these things have never
happened.
Any risks associated with traceability can be largely mitigated by the
wider use of circumvention tools. For example, owning satellite TV
receivers -- unlike circumvention tools -- is illegal in Iran, but they
are so widely used that people do not feel insecure. Even the seasonal
scare tactics of the police breaking into a few houses, confiscating
satellite dishes and ticketing the owners have not reduced the wide
adoption, which is now estimated to be at 40% of all households.
The damaging part of the traceability-risk argument for the rest of the
circumvention tool initiatives is that non-traceability of circumvention
tools in highly controlled networks -- whether it's Iran, China or a
private company's network -- is too high a standard to achieve, and I can
argue in a separate note that it is not a critical property for
circumvention tools to have anyway.
-mehdi
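The two detection routes sketched in the copied message (a censor runs the client itself to harvest the bootstrap addresses it tries, then looks for other clients that contacted them; or it inspects the fixed launch-time HTTP queries by their Host header) can be made concrete. The following is an added Python example written for this page; it is not code from the post, from its author, or from the Haystack project. The address pool, flow records, HTTP requests and check-in host names are all constructed placeholders (the post does not name the two websites the prototype queried), and the numbers it produces are illustrative only. It also shows why the single-address behaviour described for the prototype is the worst case: one run of the client reveals the whole "pool", whereas a tool with a wide pool only yields a fraction of its addresses per run.

```python
# Added example for this page; not code from the post or from the Haystack project.
# Models the two detection routes described above against constructed records.
import random
from typing import Iterable, List, Optional, Set, Tuple

# Constructed: a hypothetical tool with a 40-address bootstrap pool (TEST-NET-3).
WIDE_POOL = [f"203.0.113.{i}" for i in range(1, 41)]
# Constructed: a tool that, like the prototype described in the post, always
# connects to one address. The address itself is a placeholder.
SINGLE_POOL = ["198.51.100.7"]


def harvest_bootstrap_ips(pool: List[str], runs: int, picks_per_run: int, seed: int = 1) -> Set[str]:
    """Censor-side harvesting: launch the client `runs` times and record every
    address it tried. One launch is modelled as `picks_per_run` distinct
    picks from the pool (a single-address tool is fully revealed after one run)."""
    rng = random.Random(seed)
    seen: Set[str] = set()
    k = min(picks_per_run, len(pool))
    for _ in range(runs):
        seen.update(rng.sample(pool, k))
    return seen


def expected_coverage(pool_size: int, runs: int, picks_per_run: int) -> float:
    """Fraction of the pool the censor expects to learn: an address survives
    one run unseen with probability (1 - k/n), so coverage is 1 - (1 - k/n)^runs."""
    k = min(picks_per_run, pool_size)
    return 1.0 - (1.0 - k / pool_size) ** runs


def clients_reaching(flows: Iterable[Tuple[str, str, int]], suspect_ips: Set[str]) -> List[str]:
    """Flow correlation: flows are (client_ip, dst_ip, dst_port) records from a
    network tap. Return every client that contacted a harvested address."""
    return sorted({src for src, dst, _port in flows if dst in suspect_ips})


def http_host(request: bytes) -> Optional[str]:
    """Minimal Host-header extraction from a plaintext HTTP/1.x request;
    header names are case-insensitive, so 'HOST:' is matched as well."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def clients_with_checkin(requests: Iterable[Tuple[str, bytes]], sentinel_hosts: Set[str]) -> List[str]:
    """Header inspection: flag clients whose Host header names one of the
    fixed sites the tool queries at every launch."""
    return sorted({src for src, req in requests if http_host(req) in sentinel_hosts})


# Constructed flow log: five clients of the single-address tool, two bystanders.
FLOWS = [
    ("10.0.0.11", "198.51.100.7", 443), ("10.0.0.12", "198.51.100.7", 443),
    ("10.0.0.13", "198.51.100.7", 443), ("10.0.0.14", "198.51.100.7", 443),
    ("10.0.0.15", "198.51.100.7", 443),
    ("10.0.0.20", "192.0.2.10", 443), ("10.0.0.21", "192.0.2.44", 80),
]

# Constructed check-in sites; the post does not name the real ones.
SENTINELS = {"checkin-a.example.invalid", "checkin-b.example.invalid"}
REQUESTS = [
    ("10.0.0.11", b"GET /ping HTTP/1.1\r\nHost: checkin-a.example.invalid\r\n\r\n"),
    ("10.0.0.13", b"GET /ping HTTP/1.1\r\nHOST: Checkin-B.example.invalid\r\nUser-Agent: x\r\n\r\n"),
    ("10.0.0.20", b"GET / HTTP/1.1\r\nHost: news.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    single = harvest_bootstrap_ips(SINGLE_POOL, runs=1, picks_per_run=1)
    print("single-address tool, one run:", sorted(single), "->", clients_reaching(FLOWS, single))
    wide = harvest_bootstrap_ips(WIDE_POOL, runs=20, picks_per_run=3)
    print(f"40-address pool, 20 runs: learned {len(wide)}/40, "
          f"expected about {expected_coverage(40, 20, 3):.0%}")
    print("launch-time check-in hits:", clients_with_checkin(REQUESTS, SENTINELS))
```

The point the post makes with "use the minimum number of testers" falls out of the first function: with a single shared address the censor's harvest is complete after one launch, so the exposed set is exactly the set of users, whereas a larger pool forces the censor to run the client many times and still leaves a tail of addresses unseen. The Host-header check is only as strong as the list of sentinel names; the post's note that a production build would query "a much larger list of websites" is an attempt to make that list too broad to be useful.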