[liberationtech] Deconstructing the security risks narrative of Haystack

Jacob Appelbaum jacob at appelbaum.net
Fri Sep 17 15:08:41 PDT 2010


On 09/17/2010 02:35 PM, Daniel Colascione wrote:
> Hi Jacob,
> 
> On 9/17/2010 12:23 PM, Jacob Appelbaum wrote:
>> I really should not have said anything about bullets and heads on
>> twitter. I was extremely angry and trying to make an analogy that I
>> thought was fitting. I spoke with a good friend and he said that he felt
>> I was equating Haystack's creators with murderers. That was not my
>> intention and I'm sorry for being such a raging ass about it.
> 
> Thank you for reconsidering the effects and implications of your
> words. They were disproportionate considering the total situation and
> the lack of malfeasance on the CRC's part, but I understand how the
> heat of the moment (and the thrill of the hunt) can lead to actions
> discordant with the situation on the ground. As a good friend of mine
> once said, the world would be a better place if we would all pause for a
> few moments before taking drastic and dramatic action. A good night's
> sleep may have avoided many of the conflicts in this world.

I slept on the issue for about a year. Additionally, I did sleep on it
after I spoke with Austin on Friday and I gave him the benefit of the doubt.

I slept on it and ignored it largely until Sunday when I found the
network was still up.

> In the interest of conciliation, would you agree to retract your
> statements at http://twitter.com/ioerror/status/24434623289 and
> http://twitter.com/ioerror/status/24425326976 in the same forum that
> you originally made them?

Of course, I did that days ago:
https://twitter.com/ioerror/status/24459645359
https://twitter.com/ioerror/status/24460806692

I think twitter isn't the best medium for nuanced thoughts.

Still, I think it's fair to say that Austin is a charlatan and
perpetuated a great fraud on the media, users of Haystack and people who
offered him support. Until he offers up some serious explanations about
high or low user counting, informed consent warnings that didn't exist,
and more - I'll stick to that.

Quite frankly, I really feel that you should have spoken up sooner. I'm
glad you did it at all though.

> 
> Also, there's another matter I must bring up. I sent you an email on
> Sunday night (Sun, 12 Sep 2010 20:50:34 -0700) moments after I heard
> that the CRC's server was still operational. In this message, I
> explained how the situation had come about, apologized profusely for
> the server being active (though there was no indication that anyone
> from Iran had tried to connect), and explained that I had personally
> taken measures to ensure the server would not be re-enabled.
> 

Yes, I'm happy to confirm that you did send me an encrypted email that
contained that information. You seemed genuine and so we spoke on the
phone. You have a real concern and a real understanding of the issues -
you have my respect even if I am really seriously kicking your project.

I base my respect on the fact that you seem to have been misled as well.

> This protestation of good faith was apparently insufficient, and the
> next day, you went on to make hyperbolic statements like the above. Is
> this response typical of security researchers?

I have defended you when speaking with the media. However, I will not
defend Austin Heap and I think he has the most culpability in all of
this debacle.

> 
>> I merely wanted to say that I felt the software was impossible to miss
>> if you were really looking or if the user was really being watched.
> 
> This statement applies to most anti-censorship products, including Tor.
> 

I believe you are incorrect and I also believe we covered this in our
phone call.

You know just as well as I do that the _threat_ for detection of Tor is
a passive or active adversary of some kind in the network path or when
visiting a server through Tor. Haystack is much worse than this because
of the "test" components in the build used in the wild.

Additionally, Tor does not make the security claim of being impossible
to find. We're happy to run faster than the bear but we're not
pretending to have a cloak of invisibility.

> Your initial alarm can be divided into two components:
> 
> A: the test program was traceable (i.e., network authorities could
> detect its use), and
> 

Well, it's more than just network authorities, as we both know.

> B: the test program, having been detected, represented a risk to life
> and limb in the hands of anyone found with it.
> 

Austin's statements to me on Friday and to the press for the last year
are what led me to believe this. He told me personally that important
human rights activists were using it. He stated that his testers weren't
just joe random, they were Important People.

> If A and B are true, then it follows that the program is highly dangerous.
> 

There are other things but I'll agree that A & B are enough to warrant
alarm.

> A is true, and it is what I referred to when I said earlier that you
> were right about the test program. Once certain parameters are known,
> a network operator can detect it. As I mentioned, this statement is
> also true of most anti-censorship products, Tor included. The
> connection the test program made to its server is scarcely worse than
> the connection Tor makes to its public and well-known directory
> servers*. The same method can detect both programs.
> 

I disagree. Again - we're talking, without saying, about the first few
steps that the test program makes. I'm really wary of saying much more
here. There are other concerns though, so my concerns aren't
limited just to those first few steps. I wouldn't have written this
paragraph if it wasn't for Mehdi's email in the last few days
discussing those issues.

Additionally, the 40,000 (perhaps more, perhaps less - real anonymity is
hard) users of Tor in Iran are not high value human rights activists
known to be contacting a server that is clearly run by a suspected spy
in the United States.

As I understand it - you thought, to your credit, that the server was
only in WHOIS as the upstream ISP and not actually tied to Austin Heap.
When you, Danny and Austin had the call about this, it sounded like *you
didn't know* this fact and were totally flabbergasted upon discovery. Is
this observation incorrect?

> Now the argument rests on B, the idea that being detected with the
> CRC's test program is worse than being caught with another
> circumvention tool. This is not a technical argument, and you and I,
> as technical people, are not qualified to prosecute or oppose it.
> Nevertheless, the burden of proof falls on those making the positive
> claim, and instead of evidence, only speculation (based on the CRC's
> media coverage and OFAC license) was provided. As it turns out, the
> Iranian who began this thread is steeped in Iranian political and
> cultural matters, and he set out good reasons for believing that mere
> possession of the program is not nearly as dire a risk as the security
> community claimed.
> 

I believe that this is not simply a legal argument - though it sounds
like the law is quite clear - even if it's ignored.

While I am not a lawyer, absolutely no one on this list seems to be an
Iranian legal scholar. I think that even in the absence of such an
expert, I'm happy to disclaim my lack of credentials and still hold an
opinion on the matter.

Tools designed for a revolution have an inherent danger. I believe this
is worse when the *only users of the tools* are *high value targets* in
the country of choice.

So the meta question can be answered quite clearly when we know the
truth of the matter: was Haystack used by a handful of high value people
or 3000 people? Does that 3000 include or exclude the high value people?

As a side question - how were they warned about the issues?

> In short, I understand how concerns can be exaggerated in the heat of
> action, and I look forward to the public moderation of your
> earlier comments.
> 
> Regards,
> Daniel Colascione
> 
> 
> 
> * While Tor can be configured to use non-public bridge relays, most
>   users will start the client in its default configuration, then look
>   for alternative options only after observing that they cannot access
>   the sites they would like. By this time, anyone monitoring
>   connections to the directory servers will have already noticed a
>   circumvention attempt.

This is actually difficult to know because our statistics are not for
private bridges, only public bridges in the bridgedb. This is an
important point, we have designed our systems to not be entirely
observable even by ourselves.

All the best,
Jacob


