Haystack new anti-censor, anti-filter protection

Discussion in 'Keeping Your Anonymity In Iran' started by Bugs Bunny, Jul 5, 2009.

  1. Austin Heap 5 July 2009:

    In the upcoming days, Daniel Colascione and I will release a new program to provide unfiltered internet access to the people of Iran. A software package for Windows, Mac and Unix systems, called Haystack, will specifically target the Iranian government’s web filtering mechanisms.

    ...once installed Haystack will provide completely uncensored access to the internet in Iran while simultaneously protecting the user’s identity.

    No more Facebook blocks, no more government warning pages when you try to load Twitter, just unfiltered Internet.

    The network will be supported by donated high-quality servers outside of Iran. We will be able to provide an individual user with unfettered internet access that costs the donor $0.015 to $0.0375 per month.

    Proxyheap, the precursor to Haystack, was launched on June 22 just ten days after the election. That project, though, was only envisioned as a bandaid...

    ... The program will initially be made available at haystack: a project for iran
  2. Wow ... thank you very much - it would be a dream for us to surf the internet uncensored.
  3. Minus all the "fluff".. what does this thing really do?? How does it enable uncensored net access.. proxy.. vpn.. what?? Which ports, etc.? There is no magic program folks.. sorry.

    P.S. No I am not basij or IRGC or loyalists to either.
  4. JohnDoe Moderator

    Yeah like they are going to broadcast to the world how it works - so that the regime can block it. :rolleyes:
    Don't think so!

    If these guys can achieve this, then it doesn't matter how it works - it just does!
  5. Ray Murphy Member

    Can anyone summarize this yet?
    Is it real or is it a spy program?
  6. Nobody promised to teach people how to hack systems here - let's just be happy with the outcome and put away asking silly questions!!

    All I want a program which works conveniently to surf the net uncensored.
  7. I'm hoping it's real. I donated money to Austin Heap to help with the effort.
  8. Ray Murphy Member

    It's probably real if AustinHeap is involved. It's hard to keep up with everything.
  9. SanguineRose Member

    Yes this project is real and is from AustinHeap
  10. Any word on which operating systems this will support?
  11. Never mind. I am an idiot. It's right there in the original post. Durrr...
  12. Thank you for supporting us
  13. Johny112 Member


    Frankly to say, I like where this thread is very interesting to discuss.

  14. Status?

    What's the status of HayStack? Will we be given any technical info about it? I really would like to donate something and I know a lot of people will too. I just want something to grip on. The website doesn't say much. What's it all about?
  15. They started a blog here.

    He identifies different ways people can donate.

    1) He apparently needs four airplane tickets on fast notice = $

    2) He will in the near future need people to donate their servers as proxies.

    3) He himself will need more servers and bandwidth = $

    4) There's a donate button on the blog = $

    Yes, so far the website doesn't say much. But there is a short description of the project below the blog. :)
  16. I really appreciate this humane action. We Iranian people will never forget this favour.
  17. coaching Gail

    I'm not a fan of security through Obscurity.

    While Austin Heap has proven himself to be legit
    through his previous actions, managing proxies etc,
    there is no guarantee that Haystack won't fall to
    the same social engineering failures that the proxies
    did, namely, that the tyrants won't sneak in a mole.

    We know nothing of Haystack, neither technical
    (ie no source), and more importantly nor social.
    Just as Austin ran into trouble trusting proxy nodes
    whose authenticity/reputation he could not ascertain.
    Haystack sums down to a single point of failure:
    Trusting Austin and friends not to make a mistake.

    A private network of trust is much stronger than say,
    a public peer-to-peer network like TOR, provided that
    trust is warranted. the thing is we can never be sure.
    On the other hand, TOR has a much bigger network,
    more nodes to proxy around, and much more bandwidth.

    I suggest running TOR instead, but assuming in your
    threat model that TOR exit nodes are compromised.
    That means keep everything anonymous if possible, or
    pseudonymous, despite TOR: create new accounts, etc.

    that said, make your choice, running either is a better
    effort than none. you could even do both, ie donate
    some $ to haystack and run a TOR relay as well.

    Oh, please do not use the downloads posted
    all over this site. Never trust adhoc downloads.
    The only TOR you should be installing is the one
    from the canonical TOR project:

    Tor: anonymity online
  18. SanguineRose Member

    That is what the .asc/gnupg signatures are for. You can also be a moron and try to convince everyone they are forged too. Why not add that extra step? You seem to be on a roll here. The mirror is for the TOR project site getting blocked. We don't 100% know at this time if it is blocked or not, so that is why there is a mirror on the

    Understand my child?
  19. about the signature

    please don't be rude or condescending.

    this is the torir sig:
    -----END PGP SIGNATURE-----

    unfortunately the TOR project page has different bundles:
    -----END PGP SIGNATURE-----

    -----END PGP SIGNATURE-----

    maybe on torir mirror you could link to the original TOR project download and sig?
  20. molokai

    Nr 1 is "old".
    Nr 2 : How can one contribute? It doesn't say at all, who to contact?
    Nr 3 : Same as above.

    And I agree it doesn't say much, it actually doesn't say anything except vague descriptions of what it will be able to do.
  21. sandymiss Member

    Thanks for your sharing

    Thanks for sharing this useful information. It's great.

  22. Austin Heap needs us to donate thumbdrives.
  23. Gradis fiero

    OK, I'm not trying to blast Austin Heap or Haystack in
    particular, but I feel I have to xpost this to highlight
    just how important Trust and Peer review are essential
    to crypto systems.

    -- original post ---

    -- original post --

    basically, for now you should Trust TOR.

    - because it's sponsored by the EFF.
    - because Dr Ian Goldberg sits on the board.

    Tor: People

    until Haystack is peer reviewed I would be cautious.

    donate resources, cash, USB drives to Haystack if you like
    but please try run a TOR relay node or bridge as well.

    unlike Haystack, whose effectiveness will be limited
    by the number of servers, TOR is peer-to-peer which
    means its efficiency grows with each new node.

    so run them nodes.

    it's free.
  24. a desert Member

    Re: the thumbdrives

    If someone wants to donate but can't [for whatever reason] send monetary donations, there are ways to buy flash drives in bulk- this drives down the price of the bigger ones (think 1gig) substantially. There is often a $100 [USD] minimum, but if a few people band together- say, 5 people chipping in 20 dollars each, 10 people with 10 dollars, etc- then a lot can be bought for dispersment. Some sites even offer free logos or engravings- you can slap on 'Haystack' or 'Anonymous: Iran' or wtfever.

    Just a thought. :)
  25. Shhh-IRAN Member

  26. USB sticks for Haystack project

    Fry's electronic has 1GB sticks for $7 this week! Haystack only needs 128MB minimum, but heck at these prices we can spend $20 bucks and get three of them in a very worthy cause...
    I will look to see if we can get a bulk 128MB cheaper and see if anyone wants to go in with me....
  27. 512mb--$4.00

    Flash Card Memory USB 512MB on

    512 MB $4.00 US, free shipping
  28. I respect the effort that Austin's put in to all of this, but can anyone explain what advantage Haystack will have over TOR?

    I'll be honest, I am a bit baffled about why this is being created. Especially if - as it seems - it's going to use an entirely opaque security model.

    Perhaps if Austin could get 2 or 3 well-known independent security experts to look over the source code and the actual implementation, it would be helpful for everyone (other than the Iranian Government).

    I can't believe that I'm alone in feeling like this, so I'm sure that there are a lot of people who'd be willing to help, if something along these lines is done. In the meantime however, there are just too many unknowns to feel anything other than scepticism. Sorry.
  29. knowledge

    if you know what you are talking about... you will look for yourself... and there is no need for these questions. and if you don't know... it's better not to ask. Just as token of respect to your interest: Watch the packets!
  30. He's questioning them because all these issues affect the volume of donations. People (including me) are hesitating on donating money/stick because all we got about HayStack is fuzzy descriptions about a new anonymous system. No technical description whatsoever. Austin Heap's great efforts outside HayStack is the "only" thing people can rely on for donating.
  31. wish there was more info about haystack so i feel comfortable about it
  32. hangerhead Member

    A little harsh, don't you think?
    You have no idea if the original poster's first language is even English or if they have friends or family in desperate need of something like haystack. So, when the OP writes that they will feel more comfortable, it is not your role to chastise or criticise at all. There are many ways to communicate a desire for something that is not self-serving, I happen to believe this was one of them, why else would the OP even be on this forum?

    As for your blunt accusation of the OP being a troll - why, someone disagrees with you or posts in a manner which you take umbrage at...OMG, a TROLL...

    And sticking LOL at the end of your mini-rant, seriously, you laughed out loud?
  33. Ray Murphy Member

    [quote]Very poor choice of words here! You would like more information so you could feel comfortable?!? [....][/quote]

    It looked like a valid question to me. It's actually one reason I haven't even looked at a few programs - because I don't understand them anywhere near well enough, and if a software producer doesn't manage to convey the essential details it makes me wonder if they are as organised as they indicate they are.
  34. JohnDoe Moderator

  35. jeez. calm down.
  36. your logic is seriously lacking.
    I'd guess that's the main reason that some of us have concerns.

    Few people want to just piss money up a wall on an unknown, unquantifiable chance something *may* work. If my aim's to help, then I want to know that there's a reasonable likelihood that my contribution is going to have a positive effect, and I certainly want to be sure that it's not going to actually cause harm. If I can't be certain of that, then it's self-evident that I'll be inclined towards projects where I can (e.g. purchase a server and run TOR). This is a crying shame for Haystack, because TOR does have its limitations, and Haystack may well be the perfect solution.

    For the above reasons, giving people a broad overview of the project is just good sense. More so, because - based on what we do know - funding is actually crucial to the project's initial, and ongoing viability, [servers don't come cheap]. There's certainly no reason that disclosure of ANY kind should damage security, but not allowing donors to make an informed decision undoubtedly will.

    This, in itself is a real, legit concern, and trying to stifle any dissenting voices/constructive criticisms by accusing the questioners of being malicious, trolls, or "subtle underminers" of the whole thing, is totally unhelpful. The time when things are not questioned honestly and objectively, is the exact same time that major fuck-ups occur. Peer review and open discussion significantly reduce the risk of this kind of "blindsiding."

    If the setup really is reliant on its workings never being discovered, then in all honesty, I don't see that it can work. A product that's going to be used by so many people, and is being developed by a group who've publicly stated their intentions in advance of the fact, is (a) likely to be reverse engineered or otherwise "unmasked" at some point in time and (b) very likely to have been infiltrated whether technically or physically at the design stage.

    If you think this is baseless scaremongering, then I suggest that you very much underestimate the effectiveness of a national intelligence agency. It's also the reason that a transparent security solution seems as though it would have been ideal for the project: it wouldn't matter if the designs were known, it would actually make them stronger (because many people would spend a lot of time trying to crack it, and would no doubt quietly warn Austin were any vulnerabilities to be discovered). People looking to help, would have absolute confidence that this was a worthwhile way for them to spend their time, their resources (lending servers) and their money. Given that it's one of the few games in town that everyone can easily contribute to, I think that you'd find people would become very passionate and highly committed to helping. It could certainly only benefit the project.

    There are many possible reasons as to why things are the way they are. They may be the best reasons, or they may be the worst; but at the minute, we've no way of knowing, and that is helpful to no-one at all.
  37. JohnDoe Moderator

    I may have misunderstood others, for which I have already apologized. (And actually removed the post, to avoid causing further offence)

    I have been misunderstood - that happens when you are only reading what someone has written, without being able to say 'what do you mean' or seeing their body language, facial expression, tone of voice etc. But I have no intention of getting into a dialogue about it - nor trying to further explain my viewpoint. I know what I meant, if I didn't manage to get that over properly, well that's life.

    All I will say is this: exceptional times call for exceptional measures, and I would rather have been proved gullible and naive, than have refused to help because I didn't have all the facts.

    (Having said all that, it could well be that things will move so quickly that Haystack is no longer required in Iran - now that really would be good)
  38. kleist poration

    As a staunch believer in the open source movement, I believe we are right to question Haystack. Without the ability to have the code peer-reviewed we could unwittingly be harming Iranians desperate for free Internet.

    It is troubling to me that in their rush to help, good natured people are throwing possibly thousands of dollars at a project that nobody outside of the development team can verify is working. The fewer eyes on the project the more likely there are to be problems.

    I'm not saying I don't admire this young man and all his work, but I think we need to realize this isn't a fun side project or anything. These are real people like us in Iran and I think we need to recognize this rather than rush to embrace the newest thing.

    I don't see many people asking questions:
    Who is the Haystack team?
    Who sponsors them?
    Where are they getting the money to write software to circumvent one of the most sophisticated filtering systems in the world in just a few weeks?
    What is their background or expertise in cryptography, steganography, networking, etc.? How do we even know this is the most competent team as opposed to simply the team that has garnered the most press and came up with the idea?

    I'm always leery of those seeking a lot of press and if the Google results for Mr. Heap are any indication he is quite adept at self-promotion. Also, keep in mind that during this development time when Iranians are seemingly desperate to have information as soon as possible he has had sufficient time to completely redesign his website.

    I believe that the individuals who are questioning Haystack are doing the right thing. I wish Mr. Heap and his team great success with Haystack but I hope they know what they are doing. Distributing proxy servers does not a cryptography and steganography master make.
  39. Yep, but that's not the choice that's on the table:

    (a) The system is great, it does exactly what it says on the tin.

    (b) The developer's intentions are good, but unfortunately the system is flaky.

    (c) The "system" is basically hot-air.

    Well if it's (a), then clearly no problems. (c), okay people lose some money, and walk away sadder and a bit wiser. But (b)...should speak for itself. Goodwill, polite niceties and all the rest of it don't come into it. Whilst we're sitting comfortably behind our computer screens, worrying-but-it's-all-a-bit-removed-really, people who use this system will potentially be putting their lives and those of their families on the line. Literally. At best they risk arrest, at worst possible torture. They could even be killed.

    So this isn't some neutral "hopefully it'll work" thing, this is something that could actively hurt people rather than help them. If I put money into it, then I definitely have a moral responsibility to ensure - to the best of my ability - that my money is part of something that will not cause harm.

    I desperately hope that Haystack does bear the fruits that've been promised. It would be extremely cool. But for the time being, I'm going to put my resources elsewhere, until as someone else said, "there's something to grip hold of."
  40. Voters Union Member

    As a person formerly involved in IT business development / security software solutions I want to add these small comments:

    A: Validity of basic technical concept

    Many of us, who understand the simple reality of TCP/IP communication, need to get some clue about the basic technical concept so that we can evaluate whether the concept on the face of it is valid, or if it is just re-creating a 'wheel' that we already have, or if it is, in the worst case, something geeks like to call 'snake oil'.

    B: Scalability up to millions of users

    If the basic technical concept seems good, then it (for me) becomes a question about scalability and resources. Compared to Freegate, for example, with an established track record, Haystack is a very fresh project. What resources will it take to scale it to millions of users? Is there a realistic plan for this? Is this the goal?

    C: New solutions or more of the old?

    Iranians are using the Internet as we speak, without Haystack, so to be able to do it more and better, do they need something new (Haystack) or more of the old (Tor, Freegate, etc)? Personally, I think they may need both.


    It's important to realize that getting your stuff reviewed by other knowledgeable people is a *good thing* and something that everyone should welcome. "If it doesn't kill the project, it makes it stronger".

    I jumped off the corporate bandwagon myself, partly to be able to create software for better democracy, so (again) my best regards to Austin Heap and if Haystack becomes what it is aiming for it will serve as a good example to the rest of us of what dedicated cool guys can do with the kind support of others :)
