[liberationtech] Deconstructing Mehdi Yahyanejad's "deconstruction of the security risks narrative of Haystack"

[Danny O'Brien]

On Sat, Sep 18, 2010 at 4:55 PM, Evgeny Morozov
<evgeny.morozov at gmail.com> wrote:
>> Just drilling down to one point here: do we know whether the client
> available for download via this Gmail account had the same
> characteristic as the client that Mehdi and Jake analysed?
>
> as far as I know, it was the same client

Okay, I've had confirmation separate from Evgeny that the Gmail
account did indeed include the same flawed test client.

To be clear, though, this is not a new distribution path. This is one
of the two that I was already aware of (the other is Mehdi, who said
he did not pass his version any further). I'm assuming that the client
that Jake got from Evgeny came from this Gmail dropbox too.

I don't know how many people used the Gmail dropbox to obtain a
client. A "dropbox" affair like this does imply a distribution to
multiple users – and certainly it would be hard to control this as a
source. From talking to Daniel though I believe (but have no evidence
to prove) that this dropbox was only aimed at sending the client to
Evgeny's "authorized user" sometime in June (Evgeny, will we at some
stage be able to reveal who your Deep Haystack source was?)

While I'm unsure how productive it is to obsess about details like
this for the purposes of winning public arguments on the fly,  I *do*
think that it's worthwhile to collect this information for the
purposes of a post-mortem. There are some powerful "dos" and "don't"s
already emerging from these details. I for one, had never considered
the info leaking problems of using a gmail dropbox with IP logging
turned on -- the damaging combination of an ancient activist technique
with a new, security-friendly Google feature.

d.