136 comments

Ok you've got my attention (4, Interesting)

The MAZZTer (911996) | more than 3 years ago | (#33573066)

Now did Mr. Appelbaum post a detailed review somewhere that isn't limited to 140 characters? I would like to read it. The linked blog posts don't satiate me.

Re:Ok you've got my attention (2, Insightful)

Corporate Troll (537873) | more than 3 years ago | (#33573174)

Yes, where is the meat actually... Not in the linked "articles". So there is a problem? Sure, very possible, but I'd like some explanations.

Re:Ok you've got my attention (1, Funny)

Anonymous Coward | more than 3 years ago | (#33573266)

It's been censored.

Re:Ok you've got my attention (5, Informative)

Anonymous Coward | more than 3 years ago | (#33573492)

Reading through the tweets [shudder], it appears they submitted their findings to Haystack in private. Haystack reviewed the findings and agreed fully and shut down testing, and their board resigned, basically killing the project. Jacob Appelbaum is still deciding whether or not to fully disclose his findings to the public, the reasons for which are a bit unclear, but likely trying to avoid the Iranians who have already tested the software from being found out.

Re:Ok you've got my attention (4, Funny)

Sycraft-fu (314770) | more than 3 years ago | (#33573522)

I'm not sure why you'd get so hostile towards Twitter posts. I mean seriously, what kind of reasonable idea can't be expressed in 140 charac

Re:Ok you've got my attention (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33573762)

That's actually an extremely brilliant post. For those of you who did not notice it, his post had exactly 140 characters. Very cool my buddy.

Re:Ok you've got my attention (0)

Anonymous Coward | more than 3 years ago | (#33573936)

Did you have any help figuring that out or did you manage it all on your own?

Re:Ok you've got my attention (1)

CeruleanDragon (101334) | more than 3 years ago | (#33573868)

I'm not sure why you'd get so hostile towards Twitter posts. I mean seriously, what kind of reasonable idea can't be expressed in 140 charac

*retweeted*

Re:Ok you've got my attention (3, Insightful)

rolando2424 (1096299) | more than 3 years ago | (#33573890)

I checked to see if parent's post had 140 characters.
I was not disappointed.

Re:Ok you've got my attention (1)

Sycraft-fu (314770) | more than 3 years ago | (#33574494)

I typed it in EmEditor to make sure. Firefox doesn't count characters, but EmEditor displays what your column position is :D. For the joke to be effective it needs to be accurate.

Re:Ok you've got my attention (1)

WuphonsReach (684551) | more than 3 years ago | (#33575658)

UltraEdit tells you in the status bar how many characters are selected.

Comes in handy at times. Copy/Paste into UE32 to check length is a common task.

(Yes I'm sure there's a linux command that does this... probably something like echo "X" | wc -c, or maybe -m.)

Re:Ok you've got my attention (0)

Anonymous Coward | more than 3 years ago | (#33574952)

However, I am disappointed by your post. I mean, you're there ready to make the best answer of all time and still you manage to fail miserab

Re:Ok you've got my attention (2, Funny)

kangsterizer (1698322) | more than 3 years ago | (#33574410)

Pff it's been years and people have yet to realize that 140 characters should be enough to pass the ideas of anyb

Re:Ok you've got my attention (-1, Offtopic)

milanmall (1897894) | more than 3 years ago | (#33573578)

Come on,welcome to milanmall . We offer [url=http://www.milanmall.com/]cheap guess replica handbags wholesale[/url],we recommend Fashion designers in good quality [url=http://www.milanmall.com/7star-lv-replica-handbags-category435.html/]7Star Louis vuitton replica handbags[/url] wholesale free shipping, we offer [url=http://www.idoebay.com/]replica Marc Jacobs designer handbags[/url], such as [url=http://www.idoebay.com/cheap-designer-shoes-sale-category181.html/]replica Marc Jacobs designer shoes[/url],[url=http://www.milanmall.com/]Marc Jacobs designer handbags[/url] low prices and good quality , [url=http://www.jajashopping.com/]AAA Louis vuitton handbags[/url]you will like our [url=http://www.milanmall.com/]cheap guess replica handbags wholesale[/url]

Re:Ok you've got my attention (0)

Anonymous Coward | more than 3 years ago | (#33574580)

Cool now I have a new URL to direct my botnet of LOIC's towards. Thanks, milanmall.

Re:Ok you've got my attention (1)

The MAZZTer (911996) | more than 3 years ago | (#33573584)

Hmm his twitter account has some more tidbits that shine some light. It will do for now I guess.

Re:Ok you've got my attention (5, Informative)

doomy (7461) | more than 3 years ago | (#33574022)

Here is a better explanation [oblomovka.com] of what happened by Danny O'Brien (http://twitter.com/mala)

---- posted in verbatim for /. proof ----

There's been a lot of alarming but rather brief statements in the past few days about Haystack [haystacknetwork.com], the anti-censorship software connected with the Iranian Green Movement. Austin Heap [austinheap.com], the co-creator of Haystack and co-founder of parent non-profit, the Censorship Research Center [censorshipresearch.org], stated that it had halted ongoing testing of Haystack in Iran; EFF made a short announcement [eff.org] urging people to stop using the client software; the Washington Post [washingtonpost.com] wrote about unnamed engineers who said that lax security in the Haystack program could hurt users in Iran.

A few smart people asked the obvious, unanswered question here: What exactly happened? With all that light and fury, there is little public info about why the world's view of Haystack should switch from it being a step forward [newsweek.com] for activists working in repressive environments that provides completely uncensored access [haystacknetwork.com] to the internet from Iran while simultaneously protecting the user's identity to being something that no-one should consider using.

Obviously, some security flaw in Haystack had become apparent, but why was the flaw not more widely documented? And why now?

As someone who knows a bit of the back story, I'll give as much information as I can. Firstly, let me say I am frustrated that I cannot provide all the details. After all, I believe the problem with Haystack all along has been due to explanations denied, either because its creators avoided them, or because those who publicized it failed to demand one. I hope I can convey why we still have one more incomplete explanation to attach to Haystack's name.

(Those who'd like to read the broader context for what follows should look to the discussions on the Liberation Technology mailing list [stanford.edu]. It's an open and public mailing list, but with moderated subscriptions and with the archives locked for subscribers only. I'm hoping to get permission to publish the core of the Haystack discussion more publicly.)

First, the question that I get asked most often [twitter.com]: why make such a fuss, when the word on the street is that a year on from its original announcement, the Haystack service was almost completely nonexistent [jgc.org], restricted to only a few test users, all of whom were in continuous contact with its creators?

One of the things that the external investigators of Haystack, led by Jacob Appelbaum [appelbaum.net] and Evgeny Morozov [foreignpolicy.com], learned in the past few days is that there were more users of Haystack software than Haystack's creators knew about. Despite the lack of a public executable for examination, versions of the Haystack binary were being passed around, just like unofficial copies of Windows (or videos of Iranian political violence) get passed around. Copying: it's how the Internet works.

We were also told that Haystack had a centralized, server-based model for providing the final leg of the censorship circumvention. We were assured that Haystack had a high granularity of control over usage. Surely those servers could control rogue copies, and ensure that bootleg Haystacks were excluded from the service?

Apparently not. Last Friday, Jacob Appelbaum approached me with some preliminary concerns about the security of the Haystack system. I brokered a conversation between him, Austin Heap, Haystack developer Dan Colascione and the CEO of CRC, Babak Siavoshy. Concerned by what Jacob had deduced about the system, Austin announced that he was shutting down Haystack's central servers, and would keep Haystack down until the problems were resolved.

Shortly after, Jacob obtained a Haystack client binary (I think from Evgeny). On Sunday, Jacob was able to conclusively demonstrate to me that he could still use Haystack using this client via Austin's servers.

When I confronted Austin with proof of this act, on the phone, he denied it was possible. He repeated his statement that Haystack was shut down. He also said that Jacob's client had been permanently disabled. This was all said as I watched Jacob incontrovertibly using Haystack, using his supposedly disabled client, using the same Haystack servers Austin claimed were no longer operational.

It appeared that Haystack's administrator did not or could not effectively track unofficial users and that the methods he believed would lock them out were ineffective. More brutally, it also demonstrated that the CRC did not seem able to adequately monitor nor administrate their half of the live Haystack circumvention service.

Rogue clients; no apparent control. This is why I and others decided to make a big noise on Monday: it was not a matter of letting just CRC's official Haystack testers quietly know of problems; we feared there was a potentially wider and vulnerable pool of users who were background users of Haystack that none of us, including CRC, knew how to directly reach.

Which brings us to the next question: why reach out and tell people to stop using Haystack?

As you might imagine from the above description of Haystack's system management, on close and independent examination the Haystack system as a whole, including these untracked binaries, turned out to have very little protection from a high number of potential attacks, including attacks that do not need Haystack server availability. I can't tell you the details; you'll have to take it on my word that everyone who learns about them is shocked by their extent. When I spelled them out to Haystack's only core developer, Dan Colascione, late on Sunday, he was shocked too (he resigned [tumblr.com] from Haystack's parent non-profit the Censorship Research Center last night, which I believe effectively kills Haystack as a going concern. CRC's advisory board have also resigned.)

Deciding whether publishing further details of these flaws put Haystack users in danger is not just a technical question. Does the Iranian government have sufficient motivation to hurt Haystack users, even if they're just curious kids who found a strange binary on a bulletin-board system? There's no evidence the Iranian government has gone after the users of other censorship circumvention systems. The original branding of Haystack as Green Movement software may increase the apparent value of constructing an attack against Haystack, but Haystack client owners do not have any connection with the sort of high-value targets a government might take an interest in. The average Haystack client owner is probably some bright mischievous kid who snagged a binary to access Facebook.

Lessons? Well, as many have noted, reporters do need to ask more questions about too-good-to-be-true technology stories. Coders and architects need to realise that you simply can't build a safe, secure, reliable system without consulting with other people in the field, especially when your real adversary is powerful and resourceful state-sized actors, and this is your first major project. The Haystack designers lived in deliberate isolation from a large community that repeatedly reached out to try and help them: that was a very bad idea. Open and closed systems alike need independent security audits.

These are old lessons, repeatedly taught.

New lessons? Well, I've learned that even apparent vapourware can have damaging consequences (I originally got re-involved in investigating Haystack because I was worried the continuing lack of a real Haystack might encourage Iranian-government-created fake Haystack malware, as though such things were even needed!).

Should one be a good cop or a bad cop? I remember sitting in a dark bar in San Francisco back in July of 2009, trying to persuade a blasé Heap to submit Haystack for an independent security audit. I spoke honestly to anyone who contacted me at EFF or CPJ about my concerns, and would prod other human rights activists about what they knew about Haystack whenever I met them (most of us were sceptical of his operation, but without sufficient evidence to make a public case). I encouraged journalists to investigate the back story to Haystack. I kept a channel open to Austin throughout all of this, which I used to occasionally nudge him toward obtaining an audit of his system, and, finally, get a demonstration that answered some of our questions (and raised many more). Perhaps I should have acted more directly and publicly and sooner?

And now I am thinking about Austin Heap's own end quote from his Newsweek article [newsweek.com] in August, surely the height of his fame. "A mischievous kid will show you how the Internet works," he warns. They certainly did in this case.

Re:Ok you've got my attention (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33574208)

ugh, that's about 10 times longer than it ought to be and full of useless filler, like a "chicken" mcnugget or a high school essay with 5 sentences of actual content buried in 2 pages of bullshit. Oh wait, is he demonstrating haystack?

Re:Ok you've got my attention (2, Insightful)

abigsmurf (919188) | more than 3 years ago | (#33574896)

tldr version:

There's no way of tracking or disabling unauthorised users.

I kinda thought that was half the point of this system. After all, if the haystack admins can track users, it's probably possible for someone else to as well.

Re:Ok you've got my attention (1)

kangsterizer (1698322) | more than 3 years ago | (#33574800)

This post added nothing. Here's the fking key sentence resuming all this text (which i have read and wasted my time on):

"I cant tell you the details; youll have to take it on my word that everyone who learns about them is shocked by their extent."

There you go, it's empty. Nothing is said about the presumed design vulnerability. Nothing. Zero.

Not caring about people references, it sounds like pure FUD to me and the truth is probably elsewhere. With Mulder's sister most likely.

Re:Ok you've got my attention (1, Insightful)

Rogerborg (306625) | more than 3 years ago | (#33575820)

Counterpoint: the only evidence that Haystack worked was pure assertion.

The audience for this warning is Haystack users in Iran, not you and me. It's not a game to them. We're not discussing pwning some boxen, we're talking about bullets in the head.

M'kay? Grown ups are talking. Shush now.

Re:Ok you've got my attention (1)

Burz (138833) | more than 3 years ago | (#33574830)

Perhaps Haystack was poorly designed, but I can think of one factor that could eventually trump the anonymity of any such network: The prevalence of malware on Windows. A botnet controlled for the purpose could probably compromise/decode a lot of what's going on in these networks. That's why I recommend people use non-Windows systems if they want Tor, I2P, etc. to remain useful.

Re:Ok you've got my attention (0)

Anonymous Coward | more than 3 years ago | (#33576398)

Seemed to me that the implication is that there are rogue binaries of Haystack that connect to fake Haystack servers that log all traffic. "I shut down all servers!" "But it still works!". Or even official binaries that were tricked into connecting to fake servers.

Add in possibility of adding backdoors that the fake servers can exploit, and it may warrant all the fuss that is kicked up.

Re:Ok you've got my attention (1)

tenco (773732) | more than 3 years ago | (#33574842)

Yeah, I know. One of the reasons I submitted this was that maybe someone more into this project would care to comment. Turns out that there are already some blogposts (posted by some karma whores below ;)) I missed. Maybe there's a way to get these as an update into my submission, CmdrTaco?

In other words (2, Insightful)

Pojut (1027544) | more than 3 years ago | (#33573102)

EFF says: "Stop using this program you've never heard of to circumvent national firewalls. And don't you DARE consider checking it out since you've heard about it now!"

Streisand effect, anyone?

Re:In other words (1)

abigsmurf (919188) | more than 3 years ago | (#33573180)

It can't be the Streisand effect! It's well known the Streisand effect only occurs to people and companies we dislike!

Re:In other words (2, Funny)

rvw (755107) | more than 3 years ago | (#33574256)

It can't be the Streisand effect! It's well known the Streisand effect only occurs to people and companies we dislike!

But this is about software that people we dislike dislike. So it's in effect the Streisand Effect 2.0.

Re:In other words (3, Insightful)

Mr. Slippery (47854) | more than 3 years ago | (#33573242)

EFF says: "Stop using this program you've never heard of to circumvent national firewalls.

Haystack and its author Austin Heap have been getting a lot of press lately [google.com], with stories in Newsweek, The Guardian, and the Washington Post among other venues. If you're concerned with national firewalls, you've heard of it.

Re:In other words (4, Insightful)

Chrisq (894406) | more than 3 years ago | (#33573338)

EFF says: "Stop using this program you've never heard of to circumvent national firewalls. And don't you DARE consider checking it out since you've heard about it now!"

Streisand effect, anyone?

I would like more details but I expect it is something like "if you use this it has flaws that may well reveal who you are, that you are avoiding the firewall and what you are viewing to the authorities". For someone in the USA trying to get to Facebook at work this might mean it is still worth a try ... their network guys may not have herd of it. For someone in Iran where the project has been suggested as a way of avoiding state censorship it probably isn't worth the risk.

Don't use it in America, either (5, Informative)

SethJohnson (112166) | more than 3 years ago | (#33574232)

There was a Slashdot blurb about this on August 17th [slashdot.org]. The general consensus in that discussion was the haystack technique is a fool's solution to http traffic analysis. It's hardly even a proxy. All it does is stuff a bunch of random 'safe' http requests around your illicit requests. Yeah, that might slow down the work of a traffic monitor that has to look at all your requests. Haystack is completely ignorant to the common filtering methods of http traffic monitoring tools. It's essentially the work of inexperienced students. EFF got all serious because it was possible Haystack might be endangering people with its false sense of security.

If you try to use this tool to browse 4chan at work, it's going to surround your browser's 4chan image http requests with nonsensical weather.com http requests. Your network admin will still see that your browser requested .jpg files from the 4chan image server.

Seth
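The post above describes Haystack as wrapping the real requests in random "safe" ones. The added example below (not code from the thread or from Haystack; hostnames are constructed placeholders) models that padding and then shows what a monitor that groups a proxy log by destination host sees: the decoys add volume but never remove the real host from the list.

```python
"""Decoy requests versus a per-host traffic monitor (added example)."""
import random
from collections import Counter
from typing import Iterable

# Constructed sample data; the hosts are illustrative placeholders.
REAL_REQUESTS = [
    "GET http://images.example-board.test/pic1.jpg",
    "GET http://images.example-board.test/pic2.jpg",
    "GET http://images.example-board.test/thread.html",
]
DECOY_HOSTS = ["weather.example.test", "news.example.test", "sports.example.test"]


def pad_with_decoys(real: list[str], chaff_per_request: int, seed: int = 0) -> list[str]:
    """Model of the scheme described in the post: surround every real
    request with chaff_per_request decoy requests, then shuffle the order."""
    rng = random.Random(seed)
    padded = []
    for req in real:
        for _ in range(chaff_per_request):
            host = rng.choice(DECOY_HOSTS)
            padded.append(f"GET http://{host}/page{rng.randint(1, 99)}.html")
        padded.append(req)
    rng.shuffle(padded)
    return padded


def host_of(request_line: str) -> str:
    """Destination host of a 'GET http://host/path' request line."""
    url = request_line.split(" ", 1)[1]
    return url.split("//", 1)[1].split("/", 1)[0]


def requests_per_host(log: Iterable[str]) -> Counter:
    """Monitor view: request count per destination host."""
    return Counter(host_of(line) for line in log)


def requests_to(log: Iterable[str], host: str) -> list[str]:
    """Monitor view: every request to one host (the 'grep' the thread mentions)."""
    return sorted(line for line in log if host_of(line) == host)


def hidden_by_padding(real: list[str], chaff_per_request: int) -> list[str]:
    """Real requests the per-host view can no longer see after padding.
    This is always empty: filtering on host discards the decoys entirely,
    however many of them are added."""
    padded = pad_with_decoys(real, chaff_per_request)
    seen = set()
    for host in {host_of(r) for r in real}:
        seen.update(requests_to(padded, host))
    return sorted(set(real) - seen)


if __name__ == "__main__":
    log = pad_with_decoys(REAL_REQUESTS, 20)
    print(requests_per_host(log))
    print(requests_to(log, "images.example-board.test"))
    print("hidden:", hidden_by_padding(REAL_REQUESTS, 50))
```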

Re:Don't use it in America, either (1)

noidentity (188756) | more than 3 years ago | (#33575570)

Oh, come on, there's no way they have technology that advanced yet. Separating http requests based on hosts etc.? No way. Next you'll be telling me there's a way to sort the files in a folder on my PC by the type of file. You'd need a supercomputer to do that!

Re:Don't use it in America, either (1)

dacut (243842) | more than 3 years ago | (#33576396)

Your network admin will still see that your browser requested .jpg files from the 4chan image server.

Ah, so it's vulnerable to a grep attack, then...

Re:In other words (3, Informative)

fishexe (168879) | more than 3 years ago | (#33574384)

For someone in Iran where the project has been suggested as a way of avoiding state censorship it probably isn't worth the risk.

Just to be completely clear in case some readers didn't quite get your point, "the risk" may well include indefinite imprisonment or summary execution.

Re:In other words (1)

Nerull (586485) | more than 3 years ago | (#33573666)

Yes, I'm sure the Streisand effect will resurrect the central server and allow the software to be used again.

The EFF is like a Movie Reviewer (3, Funny)

MonsterTrimble (1205334) | more than 3 years ago | (#33573140)

If they hate it, it means it will be loved by many and have millions of users.

Re:The EFF is like a Movie Reviewer (1)

AltairDusk (1757788) | more than 3 years ago | (#33573628)

So DRM and laws that erode privacy are loved by many? Those are two common targets of the EFF, I'm not following your logic here.

Re:The EFF is like a Movie Reviewer (0)

Anonymous Coward | more than 3 years ago | (#33573754)

Lots of people buy DRM "enhanced" items, and lots of people vote for politicians who enact such laws. I see no problem with the logic.

Re:The EFF is like a Movie Reviewer (1)

Lunix Nutcase (1092239) | more than 3 years ago | (#33574016)

So DRM and laws that erode privacy are loved by many?

Actually, yes. There are many people who love these things. There are also many people who are apathetic to them. You need to step out of the slashdot bubble a bit more often.

Re:The EFF is like a Movie Reviewer (0)

Anonymous Coward | more than 3 years ago | (#33574346)

So DRM and laws that erode privacy are loved by many?

Well, if you define "many" in terms of total aggregate income of the people who like it, then yes.

Re:The EFF is like a Movie Reviewer (1)

AltairDusk (1757788) | more than 3 years ago | (#33575558)

I would argue those people either don't know what it is or tolerate it because they want the content. I have met very few people that like the DRM itself.

Re:The EFF is like a Movie Reviewer (1)

Wiarumas (919682) | more than 3 years ago | (#33573970)

I disagree. If you aggregate enough reviews together like rottentomatoes, I find it pretty accurate. With that said, somebody compile more tweets with the word Haystack and find out if it's rotten or certified fresh.

Re:The EFF is like a Movie Reviewer (1)

MonsterTrimble (1205334) | more than 3 years ago | (#33576252)

I agree and actually use Rotten Tomatoes to find out if a movie is worth seeing or even downloading. There is a particular movie reviewer locally who has tastes almost 100% opposite of mine. If she hated a movie I loved it, and vice versa.

That being said, I was trying to make a joke with respect to the EFF's warnings in the past regarding facebook.

How about a link (3, Insightful)

rudy_wayne (414635) | more than 3 years ago | (#33573160)

How about a link to something that actually contains some information

Re:How about a link (1)

taff^2 (188189) | more than 3 years ago | (#33573438)

His tweet also says "Charlatons exposed. Media Enquiries Welcome." Perhaps it's worth asking him?

Re:How about a link (1)

fishexe (168879) | more than 3 years ago | (#33574404)

How about a link to something that actually contains some information

The editors tried to find some, but they were all hidden in the Haystack.

Re:How about a link (1)

JasterBobaMereel (1102861) | more than 3 years ago | (#33575900)

Haystack Site says :

"We have halted ongoing testing of Haystack in Iran pending a security review. If you have a copy of the test program, please refrain from using it."

Why? (5, Insightful)

abigsmurf (919188) | more than 3 years ago | (#33573164)

None of the sources give any clear reason why people should not use this program.

If you're going to systematically try to destroy the user base of someone's piece of software you should at least have the decency to explain why in clear terms, regardless of the reasons behind this kind of alert.

Destroy "someone's" piece of software? (5, Informative)

Wildfire Darkstar (208356) | more than 3 years ago | (#33573206)

The EFF has withdrawn their recommendation because the developers of Haystack have basically asked people to stop using it pending their security review.

There's nothing dirty or questionable going on here. CRC has been criticized for certain things, they've taken those criticisms to heart and are attempting to deal with the problems, and in the meantime are warning people that their tool shouldn't be used until those problems are resolved. The EFF's actions reflect this, and nothing else.

Re:Destroy "someone's" piece of software? (2, Informative)

abigsmurf (919188) | more than 3 years ago | (#33573734)

This isn't just withdrawing a recommendation. This is "STOP USING IT NOW!", there's a big difference.

They're giving a clear command and giving a wishy-washy explanation for it.

The program is having a security audit, yes they should advise that it won't be known how secure it is until the audit is done but that headline will cause massive damage to the software's reputation that probably won't get repaired for a long time. Even if the audit verifies that it's secure and safe.

Re:Destroy "someone's" piece of software? (4, Informative)

Nerull (586485) | more than 3 years ago | (#33573790)

The software is dead. The board has resigned. The primary developer says the software in use now was never meant to be secure. It was an early testing version, and should never have been distributed.

Re:Destroy "someone's" piece of software? (2, Insightful)

abigsmurf (919188) | more than 3 years ago | (#33573884)

All information that would be ever so helpful in the summary or any of the linked articles.

Re:Destroy "someone's" piece of software? (1)

nedlohs (1335013) | more than 3 years ago | (#33574276)

The developer says "We have begun contacting users of Haystack to tell them to cease using the program".

So clearly the EFF is just repeating what they are saying, which is "don't use it".

Re:Destroy "someone's" piece of software? (1)

Goaway (82658) | more than 3 years ago | (#33574236)

CRC has been criticized for certain things, they've taken those criticisms to heart and are attempting to deal with the problems

From the posts earlier in this thread, it seems they are "dealing with the problems" by pretty much shutting down permanently. Which is a good thing, since they seem to have had little clue at all what they were doing.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#33573302)

You missed the part where the first link from EFF is to the *creator* of the software, pulling it himself.

Re:Why? (1)

abigsmurf (919188) | more than 3 years ago | (#33573858)

I did miss that, but given there is no background information whatsoever in the article and barely any more in the EFF post, is it surprising?

The headline says "EFF says stop using haystack", the article says it's the EFF saying not to use it and posts a twitter quote that implies the EFF made the recommendation on the basis that they thought the software was garbage.

The article and headline are misleading and only 1 of the four links actually gives a clear indication of what's going on.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#33574036)

This blog http://neteffect.foreignpolicy.com/ has a good summary of the concerns that led to this point but it doesn't attempt a technical discussion.

Re:Why? (4, Insightful)

Meneth (872868) | more than 3 years ago | (#33574064)

I've got one: A security program that's not free software? Any slashdotter should know better. :)

Re:Why? (1)

kangsterizer (1698322) | more than 3 years ago | (#33574522)

None of the sources give any clear reason why people should not use this program.

It's a classic of the internet age news. Except a few.. exceptions:

There's never a real source. (source links are links to equally vague articles)
There's never a real analysis, god forbid journalism work (each news item is processed in a matter of seconds anyway and only the "wow => ad clicks" effect matters)
There's never an explanation. No one cares for the reason, the facts, etc. They just care about a quick "HAHA LOOK THEY SUK (or rok. yeh no C!)", even though the reasons are always what's really interesting once you're past reading news as pure "quick entertainment"

It happens be it a Slashdot post (community reviewed news), a blog post (well duh, blog posts are made by randoms), a news site (well duh, those aren't real journalists) or journalist (well duh, journalists are a disappearing species.)

Alternatives? (1)

sanosuke001 (640243) | more than 3 years ago | (#33573230)

So, if he says it's a horribly written piece of software or it just doesn't do what he wants or whatever his reasons are; is he going to write something better? Because if this is the only option, why should people stop using it? Just because this guy says he doesn't like it means that we should do what he says without any information as to an alternative he approves of? Hell, people saying that you should do x over y "just because" is bullshit.

Re:Alternatives? (0)

Anonymous Coward | more than 3 years ago | (#33573568)

Or perhaps, circumventing a state-sponsored firewall is extremely hard, and getting busted by said state because of flaws in such software could have extremely negative consequences (such as fines, arrest or prison)?

Perhaps Haystack is flawed because its creator was somewhat unaware of the whole range of potential issues?

(Don't forget that "this guy" is the creator of Haystack)

Re:Alternatives? (5, Informative)

Anonymous Coward | more than 3 years ago | (#33573596)

So, if he says it's a horribly written piece of software or it just doesn't do what he wants or whatever his reasons are; is he going to write something better? Because if this is the only option, why should people stop using it?

Because if it doesn't work, the users may be stoned to death.

Re:Alternatives? (3, Informative)

Mr. Slippery (47854) | more than 3 years ago | (#33573866)

Because if this is the only option, why should people stop using it?

This is software that, if it works as advertised, helps prevent you from being arrested by an authoritarian regime. So if it does not work as advertised, the potential consequences include being arrested by an authoritarian regime.

Given this, if you don't understand why the fact that expert review has shown that it does not work as advertised implies you should stop using the software, please ask your parents, or the doctors at the institute where they're keeping you.

Re:Alternatives? (1)

CraftyJack (1031736) | more than 3 years ago | (#33576068)

Because if this is the only option, why should people stop using it?

Imagine a malfunctioning table saw. Got it?

Wha ? (0, Offtopic)

daveime (1253762) | more than 3 years ago | (#33573232)

What is this, a game of fucking Chinese Whispers ?

Some Random Blog says "Don't use some firewall I've never heard of".
EFF says Some Random Blog says "Don't use some firewall I've never heard of".
Some Twitter Guy says EFF says Some Random Blog says "Don't use some firewall I've never heard of".

OKAY, I WON'T USE IT ... I'M NOT EVEN IN IRAN !!!

My wife just told me to tell the dog to stop chewing on the carpet. If I post this trivia on Twitter, will it appear on Slashdot in the next 15 minutes ?

Re:Wha ? (0)

Anonymous Coward | more than 3 years ago | (#33573456)

The first blog post is from the creator of Haystack - it is not "some random blog".

Firewall Circumvention (2, Informative)

imaginieus (897756) | more than 3 years ago | (#33573684)

That is a huge misinterpretation, here is the real story:

-DEVELOPER of widely used firewall CIRCUMVENTION software says "Don't use MY firewall CIRCUMVENTION software"

-EFF says that DEVELOPER says "Don't use his firewall CIRCUMVENTION software"

-SECURITY AUDITOR that started all this commotion says "Don't use his firewall CIRCUMVENTION software"

This is a huge issue, and I am glad that the EFF is spreading the word. You may not have heard of it, but Haystack is very widely used in Iran. It has been distributed through smuggled CD-R's and USB drives all over the country.

The fact that Haystack is insecure means that MILLIONS of people are at risk of being arrested.

Re:Firewall Circumvention (1)

daveime (1253762) | more than 3 years ago | (#33573948)

The fact that Haystack is insecure means that MILLIONS of people are at risk of being arrested.

Let's hope it's not more than 72 MILLION then !!!

The real story is still the fact that there is no story.

Everyone says the same thing as everyone else, i.e. "don't use this", presumably so they can all appear as "wise" as the person who actually discovered the flaw(s) (whatever the hell they are), but no one actually says WHAT IS WRONG with the damn thing.

OR points out the fact that something that is "widely used and distributed all over Iran" is actually a piece of insecure shit.

I wonder, is he still allowed to be called a "security specialist" after they hang the first blogger / journalist who gets caught thanks to his software being fucked up ?

Re:Wha ? (1)

abigsmurf (919188) | more than 3 years ago | (#33573950)

I read another blog post about this incident and it sounds pretty serious. Especially the stuff involving the purple monkey dishwasher.

So (1)

Spad (470073) | more than 3 years ago | (#33573256)

So the authors of Haystack say that people should stop using it until they've completed their 3rd Party security review and as a result, the EFF are taking the brave step of recommending that people stop using Haystack?

It employs a sophisticatal mathematiced formula (0, Troll)

countertrolling (1585477) | more than 3 years ago | (#33573282)

How can you go wrong? Fucking marketspeek with its propagandizing lime green background. How many people has this thing sucked in? And jeeze! Talk about being at war with Iran...

Main dev quits? (2, Informative)

Anonymous Coward | more than 3 years ago | (#33573348)

According to some info [tumblr.com], the main developer, Daniel Colascione has quit the CRC and the Haystack project.

I am unsure if the e-mail is legit, but if it is, what will that mean? Will the existing codebase be released? No one seems to know.

As far as I can tell, the basic premise (use a variety of 'legitimate' traffic to not necessarily hide what you are doing, but increase the number of false positives to an unacceptable level) is not bad per se. Hopefully a project will get started to do just that.

Re:Main dev quits? (0)

Anonymous Coward | more than 3 years ago | (#33575722)

As far as I can tell, the basic premise is not bad per se.

Yeah, that's where they fucked up too.

What the hell is a haystack? (0)

Anonymous Coward | more than 3 years ago | (#33573474)

I tried to click the link, but work has it categorized as "proxy avoidance." That's a pretty good clue, but what exactly is the thing?

Re:What the hell is a haystack? (1)

Nerull (586485) | more than 3 years ago | (#33573712)

Haystack was designed to circumvent government censorship in Iran. If it doesn't work, it can get people killed.

From Haystack Website (3, Informative)

carp3_noct3m (1185697) | more than 3 years ago | (#33573552)

Haystack and Tor do fundamentally different things, and actually complement each other.

Tor focuses on using onion routing to ensure that a user's communications cannot be traced back to him or her, and only focuses on evading filters as a secondary goal. Because Tor uses standard SSL protocols, it is relatively easy to detect and block, especially during periods when the authorities are willing to intercept all encrypted traffic.

On the other hand, Haystack focuses on being unblockable and innocuous while simultaneously protecting the privacy of our users. We do not employ onion routing, though our proxy system does provide a limited form of the same benefit.

To a computer, a user using Haystack appears to be engaging in normal, unencrypted web browsing, which raises far fewer suspicions than many encrypted connections. Authorities can block Haystack only by completely disabling access to the internet, which gives Haystack greater availability in crises, during which the authorities may be perfectly willing to block all obviously-encrypted traffic.

Re:From Haystack Website (1)

sco08y (615665) | more than 3 years ago | (#33576220)

To a computer, a user using Haystack appears to be engaging in normal, unencrypted web browsing, which raises far fewer suspicions than many encrypted connections. Authorities can block Haystack only by completely disabling access to the internet, which gives Haystack greater availability in crises, during which the authorities may be perfectly willing to block all obviously-encrypted traffic.

It also means that you absolutely cannot reveal the source code. The software is, fundamentally, steganography.

Most people are familiar with strong encryption, and they understand that genuine encryption algorithms are all published and open. They are considered strong because even when the algorithm is known, they are unbreakable so long as the key is secret.

But steganography is fundamentally harder than encryption. While strong steganography may be possible, I don't think anyone has achieved that. Generally, a steganographic algorithm is really just a hiding place for your data, and once you reveal the code behind the algorithm, you've revealed the hiding place.

Move along. Nothing to see here. (1)

conspirator23 (207097) | more than 3 years ago | (#33573682)

1. Insular geek clique gets into a pissing match over software design. Software is taken back to alpha by the developers, and they give notice. The EFF propagates the developers' own wishes to a wider audience.
2. Slashdot??? RTFA??? Wha???
3. EFF bashing profit!

Comments in the code? (1)

Elwar123 (1053566) | more than 3 years ago | (#33573974)

I'm thinking some programmer forgot to comment his code. Thank you, sir, for your warning.

Since the article is mostly content-free (5, Informative)

Nerull (586485) | more than 3 years ago | (#33573988)

Use Needles (1)

atisss (1661313) | more than 3 years ago | (#33574418)

Needles are known for their superiority against haystacks, as there is always a needle in a haystack, but not otherwise.

So how exactly does haystack work? (1)

DrXym (126579) | more than 3 years ago | (#33574488)

I can't think of many ways you could make "innocuous" requests which really mask requests to banned sites. Data has to flow to and from the computer via the proxy which means it is subject to all kinds of traffic analysis.

Plain text is obviously out. Encrypted data is going to look suspicious. This implies the system probably has to use stego. Data hidden in plain sight amongst other data.

For example, imagine if Doubleclick were complicit with Haystack, they could send certain cookies in an embedded iframe that only a Haystack local proxy with the right key could decrypt. To everyone else it would look like a typical ad cookie - encrypted garble. The Haystack app could also encrypt and send back a payload in the other direction by submitting another cookie. As long as authorities didn't compare the send / receive cookies for equality, this traffic could ride piggyback on top of any website.

I think whatever it is, it may start off successfully but the more people who use it, the more it will begin to stand out like a sore thumb. Iranian authorities will even run the app for themselves and see how it's sending & receiving data. Then it's a relatively simple matter to trace which IP addresses are using it and send around the goons with the rubber hoses.

I told them so... (0)

Anonymous Coward | more than 3 years ago | (#33574802)

When I first heard of Haystack, I read their entire website. They did not give enough details to permit a full analysis, but it was clear that the security of Haystack is based on the false premise that steganography cannot be detected by automated filter systems. There was also no indication of protection against man-in-the-middle attacks, disclosing to the State not only who is visiting what forbidden website, but also the full content of anything viewed or transmitted. I wrote them a letter pointing out these problems and referencing technical documentation that would confirm my observations and enable the project to start work on correcting some of the gross deficiencies in the Haystack protocol. Apparently I was only one of hundreds, or thousands, to do so. I for one welcome and support all efforts to publicize the fact that Haystack is a broken security tool exposing its users to more, not less, personal and physical danger than non-users.

Problems with the approach (4, Interesting)

Animats (122034) | more than 3 years ago | (#33575168)

First, a "privacy system" with "central servers"? What's wrong with this picture?

Second, if you need to hide traffic, you need a big bidirectional flow to an "approved" site to hide it in. Who has that role? Iran blocks Myspace, Facebook, Twitter, and Google, plus 5 million other sites [wikipedia.org], so finding some place outside Iran to hide the traffic will be tough.

Ugh Haystack - previously vaporware or scam (1, Informative)

Anonymous Coward | more than 3 years ago | (#33575266)

While the http://neteffect.foreignpolicy.com/posts/2010/09/09/one_week_inside_the_haystack [foreignpolicy.com] article linked above says he didn't know where it came from, people working with Anonymous Iran knew Austin Heap from the get-go. He had set up some proxies right when the difficulties started and got maximum coverage and kudos for that. He then leveraged that notoriety to start Haystack. Austin Heap is not a programmer but has degrees in marketing and is really excellent at that. He had a full website up for Haystack and was selling it before it existed.

He attended meetings with congress people to ask for these grants all before it existed as well. Many times people posted contact info for people in the security software area and asked that he have his code confidentially peer reviewed since he had already stated it would not be open source. His responses were nothing short of hostile. Any early requests for technical details so people with NGOs could at least get a feel for its effectiveness were either turned down or answered with non-answers that were confusing, and in some cases technically clueless. So this pissing match started long ago. But Austin has ever tweeted constantly asking for help in donations, grant writing, flash drives, servers, lawyers to set up non-profits, and even developers to write it. Out of the gate he was asking all over Twitter and Anon for $$$.

It wasn't until he continued to dig in on the no peer review that many got suspicious. It smelled like well-hyped vapor-ware, perhaps with good intentions, but so heavily milked for donations likely before even a single line of code existed I do consider it an opportunistic scam at worst or well-intentioned but clueless vaporware at best.

Now it seems he wrote something strong enough to be peer reviewed, and it has issues. Color me *yawning*. I suspect he finally caved on getting it reviewed since it may not sell well without endorsements, or at least one peer review. Though, if his skills in publicity and getting donations are finally harnessed to create something that works via peer reviews maybe everyone will be happy. He can have his shiny well publicized start-up and anti-censorship users can get something that is going to work.

Pft, that old crappy haystack was nothing. (1)

HeckRuler (1369601) | more than 3 years ago | (#33575544)

We've already moved away from haystack technology and currently employ stickTech. Their competitors keep preaching about a new field dubbed as "masonry", but I really don't see the need.

NPR's On The Media reported on this recently (1)

cutecub (136606) | more than 3 years ago | (#33576402)

Unlike most news and analysis programs, "On The Media" actually took some responsibility for their role in hyping this story: [onthemedia.org]

The other guilty party here is us, and by us, you do mean us, among everybody else [LAUGHS] in the media. We aired an interview with Heap back in May, and we were quite impressed with his story. You say that Heap has proved to be catnip for the media. Why do you think his narrative is so appealing?

That's an admission you don't hear too often in the press, oblique though it was.

-S
