[liberationtech] Deconstructing the security risks narrative of Haystack

Daniel Colascione dan.colascione at gmail.com
Fri Sep 17 14:35:02 PDT 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jacob,

On 9/17/2010 12:23 PM, Jacob Appelbaum wrote:
> I really should not have said anything about bullets and heads on
> twitter. I was extremely angry and trying to make an analogy that I
> thought was fitting. I spoke with a good friend and he said that he felt
> I was equating Haystack's creators with murderers. That was not my
> intention and I'm sorry for being such a raging ass about it.

Thank you for reconsidering the effects and implications of your
words. They were disproportionate considering the total situation and
the lack of malfeasance on the CRC's part, but I understand how the
heat of the moment (and the thrill of the hunt) can lead to actions
discordant with the situation on the ground. As a good friend of mine
once said, the world would be better place if we would all pause for a
few moments before taking drastic and dramatic action. A good night's
sleep may have avoided many of the conflicts in this world.

In the interest of conciliation, would you agree to retract your
statements at http://twitter.com/ioerror/status/24434623289 and
http://twitter.com/ioerror/status/24425326976 in the same forum that
you originally made them?

Also, there's another matter I must bring up. I sent you an email on
Sunday night (Sun, 12 Sep 2010 20:50:34 -0700) moments after I heard
that the CRC's server was still operational. In this message, I
explained how the situation had come about, apologized profusely for
the server being active (though there was no indication that anyone
from Iran had tried to connect), and explained that I had personally
taken measures to ensure the server would not be re-enabled.

This protestation of good faith was apparently insufficient, and the
next day, you went on to make hyperbolic statements like the above. Is
this response typical of security researchers?

> I merely wanted to say that I felt the software was impossible to miss
> if you were really looking or if the user was really being watched.

This statement applies to most anti-censorship products, including Tor.

Your initial alarm can be divided into two components:

A: the test program was traceable (i.e., network authorities could
detect its use), and

B: the test program, having been detected, represented a risk to life
and limb in the hands of anyone found with it.

If A and B are true, then it follows that the program is highly dangerous.

A is true, and it is what I referred to what I said earlier that you
were right about the test program. Once certain parameters are known,
a network operator can detect it. As I mentioned, this statement is
also true of most anti-censorship products, Tor included. The
connection the test program made to its server is scarcely worse than
the connection Tor makes to its public and well-known directory
servers*. The same method can detect both programs.

Now the argument rests on B, the idea that being detected with the
CRC's test program is worse than being caught with another
circumvention tool. This is not a technical argument, and you and I,
as technical people, are not qualified to prosecute or oppose it.
Nevertheless, the burden of proof falls on those making the positive
claim, and instead of evidence, only speculation (based on the CRC's
media coverage and OFAC license) was provided. As it turns out, the
Iranian who began this thread is steeped in Iranian political and
cultural matters, and he set out good reasons for believing that mere
possession of the program is not nearly as dire a risk as the security
community claimed.

In short, I understand how concerns can be exaggerated in the heat of
action, and how I look forward to the public moderation of your
earlier comments.

Regards,
Daniel Colascione



* While Tor can be configured to use non-public bridge relays, most
  users will start the client in its default configuration, then look
  for alternative options only after observing that they cannot access
  the sites they would like. By this time, anyone monitoring
  connections to the directory servers will have already noticed a
  circumvention attempt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkyT3k8ACgkQ17c2LVA10Vt1HgCgoUVt/Jnx/3bPwOp2D0ODHVT9
WDUAnRq8kIYHh19PIUNjsgutI56JPtFw
=u7d0
-----END PGP SIGNATURE-----

More information about the liberationtech mailing list