Re: Haystack redux

2010-09-14 Thread Steve Weis
There have been significant developments around Haystack since the
last message on this thread. Jacob Appelbaum obtained a copy and found
serious vulnerabilities that could put its users at risk. He convinced
Haystack to immediately suspend operations. The developer of Haystack,
Daniel Colascione, has subsequently resigned from the project.

Many claims made about Haystack's security and usage made by its
creators now appear to be inaccurate. These claims were repeated
without verification by the New York Times, Newsweek, the BBC, and the
Guardian UK. Evgeny Morozov wrote several blog posts covering this.
His latest post is here:
http://neteffect.foreignpolicy.com/posts/2010/09/13/on_the_irresponsibility_of_internet_intellectuals

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: Haystack

2010-08-18 Thread Steve Weis
I emailed the author Austin Heap again yesterday to ask for some
technical details. He responded and declined to provide any
information.

At this point, I have seen no evidence that Haystack exists.

On Tue, Aug 17, 2010 at 8:10 PM,   wrote:
>  > Based on those statements, I'm going to speculate that the client
>  > connects to a static list of innocuous-looking proxies and that they
>  > are relying on keeping those proxies secret.
>
> Hmm, what is the chance that the static ones redirect to
> other proxies (some of which might even be unwitting)?
>
> Probably too out there.



Re: Haystack

2010-08-17 Thread Steve Weis
I sent an email asking for technical information several months ago
and did not receive a response. The FAQ says "the Haystack client
connects to our servers which in turn talk to websites on behalf of
our users" and "from a user's point of view, Haystack appears to be a
normal HTTP proxy". There is no binary or source available for
download and the FAQ says "revealing the source code at this time
would only aid the authorities in blocking Haystack".

Based on those statements, I'm going to speculate that the client
connects to a static list of innocuous-looking proxies and that they
are relying on keeping those proxies secret. If those servers were
known to an authority, it would be trivial to block. I think that is
why they're making the unrealistic assumption that an authority will
not be able to reverse engineer or even monitor traffic from a client.

On Tue, Aug 17, 2010 at 12:57 AM, Jerry Leichter  wrote:
> The mainstream press is full of discussion for a new program, Haystack,
> developed by a guy named Austin Heap and sponsored by the Censorship Research
> Center as a new kind of secure proxy.  See
> http://www.haystacknetwork.com/faq/ for some information.
>
> As described, the program relies on some kind of steganography to hide
> encrypted connections inside of connections to "approved" sites.  It was
> specifically designed to help Iranian dissidents maintain connections in the
> face of active government efforts to locate and block proxies and Tor entry
> and exit nodes.
>
> A Google search reveals absolutely no technical information about exactly
> what Haystack does or how it does it.  The program is available on multiple
> platforms but is closed source - the FAQ linked to above discusses this,
> citing fears that making the source available would help censors.
>
> Anyone know anything more about what Haystack is actually doing?
