Haystack: Resistance Technology Without Borders
Posted by Kevin Carson on Aug 10, 2010 in Commentary • 10 comments

One of the recurring themes in my column is the war for digital freedom. The bad guys, of course, are the forces I like to call the Copyright Nazis: the RIAA, MPAA, ASCAP, NewsCorp, Microsoft — pretty much the entire proprietary content industry. And of course those guys wouldn’t be much of an enemy if it weren’t for legislation like the Digital Millennium Copyright Act, the WIPO Copyright Treaty, the Uruguay Round TRIPS Accord, and the increasingly authoritarian surveillance state required to enforce such legislation. Together, the proprietary content industries and the surveillance state constitute one of those much-vaunted “complexes,” like the paradigmatic “Military-Industrial Complex” to which all others are compared.
But my focus here is on the good guys — the guys in the opposite corner, in the white trunks, who play Roadrunner to the proprietary content industries’ Wile E. Coyote.
Past heroes singled out for praise include The Pirate Bay, the most successful file-sharing operation to date. Some reflected glory also belongs to assorted Pirate Parties around the world, to the extent that they run political interference for the free culture movement and raise public awareness about just how despicable the Copyright Nazis really are. (I really should mention the Electronic Frontier Foundation, which is at the forefront of groups performing the latter function).
The Falun Gong also deserves high praise for its efforts in developing proxy server technologies for combatting the Chinese surveillance state, and generally staying ahead of the Chinese government in an offensive-defensive arms race against Internet censorship. The Falun Gong has been very generous in sharing its technical know-how with other dissident groups around the world.
The bar was recently raised for any future competition by the heroic efforts of Bradley Manning and Julian Assange, in the Wikileaks story (which some of you may have read about). Assange has set up a high-volume website for government and corporate whistleblowers worldwide to publish leaked documents — and since it relies on an international server network, it is beyond the power of any government to shut down. Manning leaked the biggest cache of classified documents since the Pentagon Papers, subsequently published on said Wikileaks, which has resulted in an amusing impromptu dance in recent weeks by assorted members of the Obama administration’s national security apparatus.
And now there’s Haystack. It doesn’t exactly top Wikileaks, but it still ranks pretty high up there. Haystack is the baby of Austin Heap, a 20-something hacker who decided — after witnessing the turmoil in Iran following the disputed election — to put his geek skills to work on behalf of that country’s dissident community. Heap was helped enormously in the effort by a disgruntled Iranian government official, who provided considerable technical detail on the functioning of the government’s filtering software. Heap wound up developing desktop software — Haystack — which not only encrypts but disguises connections and outgoing data, so to the government it looks like someone surfing a revolutionary website is visiting some other popular site like The Weather Channel.
Haystack is distributed on the same invitation-only, friend-of-a-friend model originally used by Gmail. That reflects Heap’s vision of steady, organic growth, rather than a rapid expansion of “low-value demand.” He specifically says he’d prefer it be used by freedom activists rather than file-sharers. But we all know how this is gonna turn out. Now that the genie’s out of the bottle, it will wind up in the hands of file-sharers sooner rather than later. (Anyway, I thought file-sharers WERE freedom activists).
And the beauty of it is, the Copyright Nazis’ own authoritarian state is helping to distribute the rope to hang itself. Heap has talks scheduled with John McCain, and the State Department is on board with his project.
The U.S. government is so gung-ho about the immediate appeal of helping dissidents undermine the system of power in an official enemy state, it’s lost sight of an important consideration: the technology of resistance has no borders. For the Obama administration to help Heap spread this technology to Iranian dissidents is the equivalent of attacking Iran with a virulently contagious biological weapon for which the United States has developed no vaccine. But there’s one big difference: this virus only kills THEM.
C4SS (c4ss.org) Research Associate Kevin Carson is a contemporary mutualist author and individualist anarchist whose written work includes Studies in Mutualist Political Economy, Organization Theory: A Libertarian Perspective, and The Homebrew Industrial Revolution: A Low-Overhead Manifesto, all of which are freely available online. Carson has also written for such print publications as The Freeman: Ideas on Liberty and a variety of internet-based journals and blogs, including Just Things, The Art of the Possible, the P2P Foundation and his own Mutualist Blog.

Your writing inspires me Kevin. This crypto-anarchism stuff is really starting to pan out. I'm pumped. Viva la resistance!
Joeboy: Your doubts would carry more weight if I thought the U.S. government was a rational actor with a realistic understanding of its own long-term best interests. But the whole "selling us the rope to hang them with" thing is hardly new. As for Iran, I don't think supporting dissidents against what is by most accounts a fairly authoritarian regime constitutes uncritical acceptance of the U.S. government's anti-Iranian "threat" hysteria as a package deal. Iranian dissidents are some of the most vehement opponents of an American-Israeli strike on their country, because (their own patriotism aside) they know it would do more to rally the people around the regime than anything else imaginable.
The phenomenon of having your own weapons turned against you is nothing new.
The mujaheddin is a prime example, but so are weapons technologies. When the US developed the atomic bomb, it caused our enemies to acquire it more quickly than they would have otherwise, for a few reasons:
1) The US demonstrated that the bomb was possible
2) US raised the bar for "keeping up" with the US military
3) The design was eventually leaked
The military strategists must be aware that the weapons they deploy today will be deployed against them tomorrow. I think that they just figure that they will deal with future threats as they arise, and bet on a strategy of staying one step ahead of the opposition.
Maybe they figure that Copyright is worth sacrificing if the technology will undermine the political control of the Iranian, Chinese, and similar regimes.
Libertarians don't typically inspire optimism; many of them are so right about how the system works their outlook is understandably bleak. Kevin, your writings and this site are glaring exceptions, you're both *right and confident*. Bravo again!
Why should anybody trust this thing? If "the State Department is on board with the project", that really, really doesn’t inspire confidence. http://blog.jgc.org/2010/08/shut-up-and-ship.html
And while this might be designed to tackle the right problems, isn’t there something rather unsavoury about jumping on the anti-Iran bandwagon to promote (/fund?) it?
Ok, let's assume you're right and the US is happy to promote its own destruction because they're a bunch of blundering n00bs when it comes to SIGINT (which is stupid but that's not the point).
The point is, as I understand it nobody knows how this works, or if it works, or who is able to circumvent it. In the world of grown-up crypto (as used by governments, banks, mobsters etc) that's normally considered fatal. No serious actor would use such a system. Good crypto is open.
I’m kind of with Joeboy on this. Any paranoia about US govt. involvement aside, I wouldn’t trust any crypto software that hasn’t at least been vetted by cryptologists that I trust by reputation. That it is closed-source, and doesn’t include any technical details on the website, does not inspire the trust.
Even cryptographic software that’s well-designed and well-implemented is a risk if you trust it to handle a threat model it wasn’t designed to handle. Tor is the canonical example of this. It provides anonymous routing, but does not provide end-to-end encryption. If you don’t provide end-to-end encryption yourself (which you should, and which the Tor manual tells you to do), any Tor exit node may be able to snoop on your traffic, and many of them exist to do precisely this. What is Haystack’s threat model, and how does it address it? We don’t know. Even if the implementation is perfect, is there an obvious way you can misuse it, as with Tor? We don’t know.
I strongly recommend the article that Joeboy recommended. It really lays out the problems with this.
JoeBoy and GCU Prosthetic Conscience – right on… closed-source = insecure, almost by definition. I would not trust anything that won’t let me see its source.
There’s been a lot of stories recently, put about in order to reduce public confidence in pseudonymising and encryption mechanisms – partly in order to try and deter folks from contributing to Wikileaks (which has had a MASSIVE increase in the volume of submissions recently), but also more generally because the State hates the idea that people can exchange information that the State can’t see.
The story is always about someone who does something dumb – like sending unencrypted traffic through TOR (which means that the exit node gets it ‘in clear’ – so, listen at an exit node and get traffic that the sender is too stupid to encrypt…).
Folks need to understand the differences between SSH tunnels/proxy cascades/TOR/JAP (things that provide encryption en route, and/or pseudonymity) and encryption.
If you’ve got something that is sensitive that you don’t want snooped, you have to encrypt it first.
gnuPGP has a plugin for Thunderbird if you want a constant keyset… but it’s better to set up a mechanism by which each end of the transaction knows where to get the decrypt key.
Good places to put keyrefs: have the decrypt key be an extract from one of the posts on alt.anonymous.messages (do it properly, and that’s as close to a one-time-pad mechanism as you’ll ever get… the sole residual risk is the but at the other end).
Encrypt EVERYTHING – just to get used to the habit. Every bit of my web traffic goes out in part through an encrypted SSH tunnel: not because I am trying to buy nuclear trigger elements from Israeli eBay, but because it forces the droogs to capture and store yet more useless garbage that they will never get around to decrypting.
Cheerio
GT
For anyone still subscribed to this thread, there's an update at http://blog.jgc.org/2010/09/haystack-project-resp…
Postscript: Looks like the skeptics were right on this one and I was wrong.