EFF Says 'Stop Using Haystack'

tenco writes "Based on a blog post by the CRC today, EFF warns against using Haystack for circumventing censorship firewalls in Iran. Jacob Appelbaum states on twitter: 'Haystack is the worst piece of software I have ever had the displeasure of ripping apart.'"

Ok you've got my attention

[The+MAZZTer]

Now did Mr. Appelbaum post a detailed review somewhere that isn't limited to 140 characters? I would like to read it. The linked blog posts don't satiate me.

Re:Ok you've got my attention

[Corporate+Troll]

Yes, where is the meat actually... Not in the linked "articles". So there is a problem? Sure, very possible, but I'd like some explanations.

Re:Ok you've got my attention

Reading through the tweets [shudder], it appears they submitted their findings to Haystack in private. Haystack reviewed the findings and agreed fully and shut down testing, and their board resigned, basically killing the project. Jacob Applebaum is still deciding whether or not to fully disclose his findings to the public, the reasons for which are a bit unclear, but likely trying to avoid the Iranians who have already tested the software from being found out.

Re:Ok you've got my attention

[Sycraft-fu]

I'm not sure why you'd get so hostile towards Twitter posts. I mean seriously, what kind of reasonable idea can't be expressed in 140 charac

Re:Ok you've got my attention

[rolando2424]

I checked to see if parent's post had 140 characters.
I was not dissapointed.

Re:Ok you've got my attention

[oldspewey]

I wonder if their handbag ripoffs are as shitty as their HTML ripoffs.

Re:Ok you've got my attention

[doomy]

Here is a better explanation of what happened by Danny O'Brien (http://twitter.com/mala)

---- posted in verbatim for /. proof ----

Theres been a lot of alarming but rather brief statements in the past few days about Haystack, the anti-censorship software connected with the Iranian Green Movement. Austin Heap, the co-creator of Haystack and co-founder of parent non-profit, the Censorship Research Center, stated that it had halted ongoing testing of Haystack in Iran; EFF made a short announcement urging people to stop using the client software; the Washington Post wrote about unnamed engineers who said that lax security in the Haystack program could hurt users in Iran.

A few smart people asked the obvious, unanswered question here: What exactly happened? With all that light and fury, there is little public info about why the worlds view of Haystack should switch from it being a step forward for activists working in repressive environments that provides completely uncensored access to the internet from Iran while simultaneously protecting the users identity to being something that no-one should consider using.

Obviously, some security flaw in Haystack had become apparent, but why was the flaw not more widely documented? And why now?

As someone who knows a bit of the back story, Ill give as much information as I can. Firstly, let me say I am frustrated that I cannot provide all the details. After all, I believe the problem with Haystack all along has been due to explanations denied, either because its creators avoided them, or because those who publicized it failed to demand one. I hope I can convey why we still have one more incomplete explanation to attach to Haystacks name.

(Those whod like to read the broader context for what follows should look to the discussions on the Liberation Technology mailing list. Its an open and public mailing list, but it with moderated subscriptions and with the archives locked for subscribers only. Im hoping to get permission to publish the core of the Haystack discussion more publicly.)

First, the question that I get asked most often: why make such a fuss, when the word on the street is that a year on from its original announcement, the Haystack service was almost completely nonexistant, restricted to only a few test users, all of whom were in continuous contact with its creators?

One of the things that the external investigators of Haystack, led by Jacob Appelbaum and Evgeny Morozov, learned in the past few days is that there were more users of Haystack software than Haystacks creators knew about. Despite the lack of a public executable for examination, versions of the Haystack binary were being passed around, just like unofficial copies of Windows (or videos of Iranian political violence) get passed around. Copying: its how the Internet works.

We were also told that Haystack had a centralized, server-based model for providing the final leg of the censorship circumvention. We were assured that Haystack had a high granularity of control over usage. Surely those servers could control rogue copies, and ensure that bootleg Haystacks were exc

Re:Ok you've got my attention

[TaoPhoenix]

That's why Nerds rule.

He counted characters and you verified it.

Re:Ok you've got my attention

[kangsterizer]

Pff it's been years and people have yet to realize that 140 characters should be enough to pass the ideas of anyb

Re:Ok you've got my attention

[abigsmurf]

tldr version:

There's no way of tracking or disabling unauthorised users.

I kinda thought that was half the point of this system. Afterall, if the haystack admins can track users, it's probably possible for someone else to as well.

Re:Ok you've got my attention

[hairyfeet]

Hey, spammer moron! Listen closely, the first rule of ANY business, even shitty businesses like yours is to target your audience which you have just failed miserably. Hell you might as well have been selling tampons for the love of Pete. This is a geek site filled with the usual assortment of nerds, geeks, gearheads, OS jocks and fanatics, and a ratio of about 10,000 penises to every vagina if that. This audience don't buy no steenkin handbags!

so a word of advice, if you are gonna spam at least have the common sense to spam correctly. With this audience you need to be selling iffy software, dodgy RAM, counterfeit CPUs, and cheap ARM netbooks of questionable quality. So in conclusion KNOW YOUR AUDIENCE DIPSHIT!!! /walks off muttering how common sense is practically a God damned superpower nowadays and at least back in the day spammers took the time to know their market/

Re:Ok you've got my attention

[x2A]

Oh yeah, even our jokes get peer reviewed!

Re:Ok you've got my attention

[ntk]

Hey, Kangsterizer. I'm sorry if you read my blog post expecting to find substantive technical details; that does seem like a waste of time, and maybe I should have made it clearer at the start that there would not be that level of detail.

My claim, and that of others involved in this (including I believe the coder of the Haystack system, who is posting on this thread also) is that we can't give out more detailed info about the problems because we believe that would put people at risk.

I find this incredibly frustrating, because obviously people in your position are entirely right to be skeptical. I'd like you to not believe it's FUD, but I can't think of a way to convince you short of as I said, a detailed public analysis.

Assuming for the moment what I'm saying isn't an ingenious pack of lies or delusion, what do you think I should do?

In other words

[Pojut]

EFF says: "Stop using this program you've never heard of to circumvent national firewalls. And don't you DARE consider checking it out since you've heard about it now!"

Streisand effect, anyone?

Re:In other words

[Mr.+Slippery]

EFF says: "Stop using this program you've never heard of to circumvent national firewalls.

Haystack and its author Austin Heap have been getting a lot of press lately, with stories in Newsweek, The Guardian, and the Washington Post among other venues. If you're concerned with national firewalls, you've heard of it.

Re:In other words

[Chrisq]

EFF says: "Stop using this program you've never heard of to circumvent national firewalls. And don't you DARE consider checking it out since you've heard about it now!"

Streisand effect, anyone?

I would like more details but I expect it is something like "if you use this it has flaws that may well reveal who you are, that you are avoiding the firewall and what you are viewing to the authorities". For someone in the USA trying to get to Facebook at work this might mean it is still worth a try ... their network guys may not have herd of it. For someone in Iran where the project has been suggested as a way of avoiding state censorship it probably isn't worth the risk.

Re:In other words

[rvw]

It can't be the Streisand effect! It's well known the Streisand effect only occurs to people and companies we dislike!

But this is about software that people we dislike dislike. So it's in effect the Streisand Effect 2.0.

Re:In other words

[fishexe]

For someone in Iran where the project has been suggested as a way of avoiding state censorship it probably isn't worth the risk.

Just to be completely clear in case some readers didn't quite get your point, "the risk" may well include indefinite imprisonment or summary execution.

The EFF is like a Movie Reviewer

[MonsterTrimble]

If they hate it, it means it will be loved by many and have millions of users.

How about a link

[rudy_wayne]

How about a link to something that actually contains some information

Why?

[abigsmurf]

None of the sources give any clear reason why people should not use this program.

If you're going to systematically try to destroy the user base of someone's piece of software you should at least have the decency to explain why in clear terms, regardless of the reasons behind this kind of alert.

Re:Why?

[Meneth]

I've got one: A security program that's not free software? Any slashdotter should know better. :)

Destroy "someone's" piece of software?

[Wildfire+Darkstar]

The EFF has withdrawn their recommendation because the developers of Haystack have basically asked people to stop using it pending their security review.

There's nothing dirty or questionable going on here. CRC has been criticized for certain things, they've taken those criticisms to heart and are attempting to deal with the problems, and in the meantime are warning people that their tool shouldn't be used until those problems are resolved. The EFF's actions reflect this, and nothing else.

Re:Destroy "someone's" piece of software?

[abigsmurf]

This isn't just withdrawing a recommendation. This is "STOP USING IT NOW!", there's a big difference.

They're giving a clear command and giving a wishy-washy explanation for it.

The program is having a security audit, yes they should advise that it won't be known how secure it is until the audit is done but that headline will cause massive damage to the software's reputation that probably won't get repaired for a long time. Even if the audit verifies that it's secure and safe.

Re:Destroy "someone's" piece of software?

[Nerull]

The software is dead. The board has resigned. The primary developer says the software in use now was never meant to be secure. It was an early testing version, and should never have been distributed.

Re:Destroy "someone's" piece of software?

[abigsmurf]

All information that would be ever so helpful in the summary or any of the linked articles.

Main dev quits?

According to some info, the main developer, Daniel Colascione has quit the CRC and the Haystack project.

I am unsure if the e-mail is legit, but if it is, what will that mean? Will the existing codebase be released? No one seems to know.

As far as I can tell, the basic premise (use a variety of 'legitimate' traffic to not necessarily hide what you are doing, but increase the number of false positives to an unacceptable level) is not bad per se. Hopefully a project will get started to do just that.

Re:Main dev quits?

[QuoteMstr]

As I explicitly stated, I am not resigning in shame over the codebase. The program Danny, Jacob, and others rightly tore apart has no common lineage with what would have eventually become the Haystack release. As part of our short-lived attempt to open up, I described the design of that program in a lengthy post to liberation-tech. It is a generally reasonable design that could have worked. I believe the idea still has merit, and hope it is somehow pursued.

It is a shame it is conflated with the broken test program that, for better or for worse, saw a more general distribution than ever intended. (But then again, I should not be surprised.)

From Haystack Website

[carp3_noct3m]

Haystack and Tor do fundamentally different things, and actually complement each other.

Tor focuses on using onion routing to ensure that a user's communications cannot be traced back to him or her, and only focuses on evading filters as a secondary goal. Because Tor uses standard SSL protocols, it is relatively easily to detect and block, especially during periods when the authorities are willing to intercept all encrypted traffic.

On the other hand, Haystack focuses on being unblockable and innocuous while simultaneously protecting the privacy of our users. We do not employ onion routing, though our proxy system does provide a limited form of the same benefit.

To a computer, a user using Haystack appears to be engaging in normal, unencrypted web browsing, which raises far fewer suspicions than many encrypted connections. Authorities can block Haystack only by completely disabling access to the internet, which gives Haystack greater availability in crises, during which the authorities may be perfectly willing to block all obviously-encrypted traffic.

Re:Alternatives?

So, if he says it's a horribly written piece of software or it just doesn't do what he wants or whatever his reasons are; is he going to write something better? Because if this is the only option, why should people stop using it?

Because if it doesn't work, the users may be stoned to death.

Firewall Circumvention

[imaginieus]

That is a huge misinterpretation, here is the real story:

-DEVELOPER of widely used firewall CIRCUMVENTION software says "Don't use MY firewall CIRCUMVENTION software"

-EFF says that DEVELOPER says "Don't use his firewall CIRCUMVENTION software"

-SECURITY AUDITOR that started all this commotion says "Don't use his firewall CIRCUMVENTION software"

This is a huge issue, and I am glad that the EFF is spreading the word. You may not have heard of it, but Haystack is very widely used in Iran. It has been distributed through smuggled CD-R's and USB drives all over the country.

The fact that Haystack is insecure means that MILLIONS of people are at risk of being arrested.

Re:140 characters

[TaoPhoenix]

The proof of Fermat's Last Theorem.

Re:Alternatives?

[Mr.+Slippery]

Because if this is the only option, why should people stop using it?

This is software that, if works as advertized, helps prevent you from being arrested by an authoritarian regime. So if it does not work as advertized, the potential consequences include being arrested by an authoritarian regime.

Given this, if you don't understand why the fact that expert review has shown that it does not work as advertized, implies you should stop using the software, please ask your parents, or the doctors at the institute where they're keeping you.

Since the article is mostly content-free

[Nerull]

Here are some links:
http://neteffect.foreignpolicy.com/posts/2010/09/09/one_week_inside_the_haystack

http://jilliancyork.com/2010/09/13/haystack-and-media-irresponsibility/

http://calixte.tumblr.com/post/1120185415/no-more-haystack - Lead Developers resignation Letter

http://www.oblomovka.com/wp/2010/09/14/haystack-vs-how-the-internet-works/

Don't use it in America, either

[SethJohnson]

There was a Slashdot blurb about this on August 17th. The general consensus in that discussion was the haystack technique is a fool's solution to http traffic analysis. It's hardly even a proxy. All it does is stuff a bunch of random 'safe' http requests around your illicit requests. Yeah, that might slow down the work of a traffic monitor that has to look at all your requests. Haystack is completely ignorant to the common filtering methods of http traffic monitoring tools. It's essentially the work of inexperienced students. EFF got all serious because it was possible Haystack might be endangering people with it's false sense of security.

If you try to use this tool to browse 4chan at work, it's going to surround your browser's 4chan image http requests with nonsensical weather.com http requests. Your network admin will still see that your browser requested .jpg files from the 4chan image server.

Seth

Problems with the approach

[Animats]

First, a "privacy system" with "central servers"? What's wrong with this picture?

Second, if you need to hide traffic, you need a big bidirectional flow to an "approved" site to hide it in. Who has that role? Iran blocks Myspace, Facebook, Twitter, and Google, plus 5 million other sites, so finding some place outside Iran to hide the traffic will be tough.

I am Daniel Colascione

[QuoteMstr]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am Daniel Colascione. I've placed a link to my resignation letter
below; I feel it adds another dimension to the debate on what happened
to Haystack. If anyone has questions, I'll do my best to respond here.
Let me note, also, that as part of my rejoining the project, I
insisted that we release the source under the GPLv3, and that we
engage in an open and honest dialogue with the security community. It
was too late, of course.

-----BEGIN PGP SIGNATURE-----

iEYEAREC AAYFAkyP9 SwACgkQ17c 2LVA10Vtlx ACg6iE3K x2Cbzj3Hg CRO9k6msmz
tH8An iNSdKNga 6sOQWr8wX5 tlbCDRLPP
=s34t
-----END PGP SIGNATURE-----

(Note: the Slashdot lameness filter forced me to break up the signature; please remove the whitespace before verifying.)

My resignation letter.

Re:I am Daniel Colascione

[m50d]

Signing a message that refers to the "link to my resignation letter below", but not including the actual link? Guess the guy really doesn't understand security.