Sunday, August 08, 2010

Shut up and ship

Over the weekend I got to hear about an attempt to avoid Internet censorship called Haystack. I thought on a technical level it might be interesting to read about how they want to get around the Iranian government's web filtering. It's an interesting topic because evading the Chinese government's firewall has been discussed in some technical circles for a while.

Alas, the Haystack web site has zero technical details. Worse, they plan to keep their software closed source. So, there's no way of evaluating their claim that their amazing software will help Iranian citizens evade Internet filtering in Iran. That hasn't stopped them getting in Newsweek and asking you to send them donations.

Now, it may well be the case that these folks are onto something, but I wouldn't trust a closed source piece of vaporware if I were trying to evade a government (any government). IMHO, the gold standard for hiding stuff from prying governmental eyes is PGP. It's open source and its design was discussed heavily in public and has been vetted. Or how about TrueCrypt? Open source, publicly vetted.

Worryingly, Haystack's only 'technical' detail is the following: "We use state-of-the-art elliptic curve cryptography to ensure that these communications cannot be read." Fair enough, but frankly that means nothing. They could be using AES, or RSA, or pretty much any good algorithm and I still wouldn't care. Two reasons: their implementation might be rubbish and open up attacks no matter how good the algorithm is, or their cryptography might be irrelevant because another technique (traffic analysis, for instance) could identify Haystack users without breaking a single cipher. After all, all the Iranian government needs is a list of people running the software.

(Actually, using ECC might be a net negative. You don't really want to be messing around with something that's relatively new (in crypto-years), patent encumbered, and slow. Using ECC indicates that the people behind Haystack are either incredibly knowledgeable about cryptography or the opposite.)

And then there's the 'genius' (at least that's what Newsweek makes him out to be) who designed this software. His CV touts his degree in marketing and extensive experience with PHP. I guess he might have a hidden crypto background, but I'm also guessing he's no Phil Zimmermann. I realize readers might be uncomfortable with an ad hominem criticism, but without any code or technical details all I can go on is the technical chops of the person behind Haystack.

Of course, there's a simple solution to my criticisms: shut up and ship. Ship an open source version of your code and let's take a look at it. Let the Iranian government have a look at it. Then we'll know if it's vaporware or regime-changing ware.

I had similar feelings about Diaspora who raised $200k in donations without showing a line of code. All they had to do was aspire to take on Facebook (with a privacy angle).

If it isn't clear, I detest this "get lots of press for my vaporware project, get people to donate, then work on something (or not)" approach.

Shut up and ship.

But perhaps I should give Austin Heap (Haystack's mastermind) the final word:

“I hope we are ready to take on the next country,” he replied. “We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works.”

I think I just threw up in my mouth a little.
