Forget Finding A Needle In A Haystack... How About Actually Finding Haystack

from the security-through-obscurity dept

We recently wrote about Newsweek's coverage of Austin Heap and Haystack, a program he supposedly wrote to help Iranian internet users avoid being spied on by the Iranian government. Some of our commenters questioned the overall legitimacy of the story. It has a very too-perfect Hollywood sort of feel to it -- and some pointed out the fact that no one seems to be able to actually look at Haystack. It sounds like a lot more folks are skeptical of the claims around Haystack as well. Glyn Moody points us to a post by Evgeny Morozov that rips apart the total secrecy around Haystack, to suggest the whole setup is pretty hard to believe.
I like Hollywood as much as the next guy -- and yet something just doesn't feel right about Haystack. What really bothers me is that one cannot download and examine their software; as far as the Internet is concerned, Haystack doesn't exist. In fact, Heap says that it is only distributed to trusted contacts inside Iran; putting it online would create a situation where the government could easily get hold of it as well and then reverse-engineer it or ban it or find a way to track its users.

So, in essence, the outside public - including Iranians -- are asked to believe that a) Haystack software exists b) Haystack software works c) Haystack software rocks d) the Iranian government doesn't yet have a copy of it, nor do they know that Haystack rocks & works. (And who could fault them for not reading Newsweek? I certainly can't). For someone with my Eastern European sensibilities, that's a lot of stuff to believe in. Even Santa -- we call him Ded Moroz -- appears more plausible in comparison.
He goes on to note that, at the very least, this security by obscurity actually could be quite dangerous for Iranians actually using this program, since it may be giving them a very false sense of security:
To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure. The only good way that I know of to make sure that it's secure is to let outsiders test it.
Indeed. In retrospect, the Newsweek version of this story had too many holes that should have acted as red flags.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Kurata, Sep 2nd, 2010 @ 10:14pm

    Developing in secrecy has never been a good idea to begin with, and you should most likely be suspicious of such system, as it implies that not a lot of people know about it.
    Since less people know about it, less people are likely to test it, and thus, less people are likely to find problems.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    :Lobo Santo (profile), Sep 2nd, 2010 @ 10:36pm

    Re:

    Total agreement. Cryptographers' Dilemma, totally.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Cyrus Farivar, Sep 3rd, 2010 @ 3:08am

    Austin's response

    You guys might be interested in Austin's response:

    http://blog.austinheap.com/brain-dead-journalism/

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    out_of_the_blue, Sep 3rd, 2010 @ 5:12am

    All that's certain is US and Isreal wish to overthrow Iran.

    Can't drop context; "danger" of Iran is being hyped exactly as was Iraq. That raises likelihood that Haystack is created by a spy agency. But even assuming Heap is on his own, he's playing into the overthrow plan, from which no good will come.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Berenerd (profile), Sep 3rd, 2010 @ 5:38am

    To quote a wise...dead man...

    "One does not simply walk into mordor..."

    If this program worked, all it would take for the iranian government to get a copy is to raid a house where they can't see what the user is doing and poof. they can now reverse engineer it.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Sep 3rd, 2010 @ 7:44am

    Austin's rebuttal is very interesting and I cant help but wonder what the hell this guy is doing wasting time slaying dragons in warcraft.

    I keep looking for a "download" button or link. If his little project isnt open source, then its bullshit and shouldnt be trusted.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Pete Braven (profile), Sep 3rd, 2010 @ 9:47am

    Satndard maxim,..

    If it sounds too good to be true, it probably is!
    If a government wants to get hold of anything, we know all too well they will, especially if getting hold of it is supposed to be difficult!
    Conversely, if they ain't supposed to lose stuff,... it turns up on the internet!

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Sep 3rd, 2010 @ 12:12pm

    Most other projects are open source and well suited for the task why bother with something so suspicious?

    Tor
    Retroshare
    GNUNet
    I2P(is java based be warned)

    And a lot of others including steganography that is practically undetectable and can be used in any platform securely(i.e. video, image, text, net traffic...).
    http://en.wikipedia.org/wiki/Steganography (look in "[edit] Steganography Tools")

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Sep 3rd, 2010 @ 12:40pm

    Great resource for anonymous networks although is more focused on P2P.

    http://www.anonymous-p2p.org/

    Some other programs:

    Omemo motto "Browse the world's biggest hard drive"
    http://www.omemo.com/
    http://www.stealthnet.de/ (operational)
    http://stegoshare.sourceforge.net/ (operational, high security)
    http://osiris.kodeware.net/ (Creation of anonymous websites, soon to be open sourced)
    http://netsukuku.freaknet.org/ (the stealth internet, internet overlay that runs on top of the internet and it is anonymous)

    http://retroshare.sourceforge.net/
    RetroShare is a Open Source cross-platform, private and secure decentralize communication platform.
    It lets you securely chat and share files with your friends and family, using a web-of-trust to authenticate peers and OpenSSL to encrypt all communication.
    RetroShare provides filesharing, chat, messages, forums and channels


    Now why with all the options one has, somebody would trust a newcomer that is secretive?

    That raises all kinds of red flags.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This