## Sunday, August 08, 2010

### Shut up and ship

Over the weekend I got to hear about an attempt to avoid Internet censorship called Haystack. I thought on a technical level it might be interesting to read about how they want to get around the Iranian government's web filtering. It's an interesting topic because evading the Chinese government's firewall has been discussed in some technical circles for a while.

Alas, the Haystack web site has zero technical details. Worse, they plan to keep their software closed source. So, there's no way of evaluating their claim that their amazing software will help Iranian citizens evade Internet filtering in Iran. That hasn't stopped them getting in Newsweek and asking you to send them donations.

Now, it may well be the case that these folks are onto something, but I wouldn't trust a closed source piece of vaporware if I were trying to evade a government (any government). IMHO, the gold standard for hiding stuff from prying governmental eyes is PGP. It's open source and its design was discussed heavily in public and has been vetted. Or how about TrueCrypt? Open source, publicly vetted.

Worryingly, Haystack's only 'technical' detail is the following: "We use state-of-the-art elliptic curve cryptography to ensure that these communications cannot be read." Fair enough, but frankly that means nothing. They could be using AES, or RSA, or pretty much any good algorithm and I still wouldn't care. Two reasons: their implementation might be rubbish and enable attacks or their cryptography might be irrelevant because another technique (traffic analysis?) might make breaking Haystack possible. After all, all the Iranian government needs is a list of people running the software.

(Actually, using ECC might be a net negative. You don't really want to be messing around with something that's relatively (in crypto-years) new, patent encumbered, and slow. Using ECC indicates that either the people behind Haystack are either incredibly knowledge about cryptography or the opposite.)

And then there's the 'genius' (at least that's what Newsweek makes him out to be) who designed this software. His CV touts his degree in marketing and extensive experience with PHP. I guess he might have a hidden crypto background but I'm also guessing he's no Phil Zimmerman. I realize readers might be uncomfortable with an ad hominem criticism, but without any code or technical details all I can go on is the technical chops of the person behind Haystack.

Of course, there's a simple solution to my criticisms: shut up and ship. Ship an open source version of your code and let's take a look at it. Let the Iranian government have a look at it. Then we'll know if it's vaporware or regime-changing ware.