Haystack Situation Looking Worse And Worse: Why Did The State Dept. Endorse This Mess?

from the this-isn't-looking-good dept

A couple weeks ago, we noted that there were increasingly serious questions being asked about Haystack, the high profile app that was being championed in the press for supposedly helping Iranian dissidents use the internet to communicate safely. While Haystack's founder, Austin Heap, responded to the accusations by calling it "brain dead journalism," it's increasingly looking like the real brain dead journalism was in the original stories. The deeper people looked at Haystack the worse it has looked, and various experts have ripped the program to shreds, noting massive security holes in the software which likely placed users at risk.
"The more I have learned about the system, the worse it has gotten," Appelbaum said. "Even if they turn Haystack off, if people try to use it, it still presents a risk.... It would be possible for an adversary to specifically pinpoint individual users of Haystack."
Giving the increasing levels of criticism, Heap has announced that the program has been shut down, but others have noted that, not only is it still available, but people are using it without Heap realizing it -- which could be quite dangerous if people think it's safe. The more you read, the more this project sounds like pure hype from the beginning and a total mess in reality. Just take the following resignation letter from the program's chief developer who, according to Wired, had recently taken a "hiatus" over questions about the way the program was being developed and pushed:
I would like to stress that I am not resigning in shame over the much-maligned test program. It is as bad as Appelbaum makes it out to be. But I maintain that it was a diagnostic tool never intended for dissemination, never mind hype. I did have a solid, reasonable design, and described it in our brief overture of transparency. _That_ is what Haystack would have been. It would have worked!

What I am resigning over is the inability of my organization to operate effectively, maturely, and responsibly. We have been disgraced. I am resigning over dismissing pointed criticism as nonsense. I am resigning over hype trumping security. I am resigning over being misled, and over others being misled in my name.
The whole thing is a complete mess, and it sounds like a situation where some folks were more interested in getting press attention for a very early prototype, which they then pretended was a complete and legitimate product. If you're making a random blogging tool or some web 2.0 service, that's fine. When you're trying to make something that people will rely on so that their government doesn't lock them up and throw away the key, it's not.

There is, of course, plenty of blame to go around here, for the lack of more detailed scrutiny from the press and others, but the really stunning part, of course, is that the US State Department specifically endorsed this product. As Evgeny Morozov notes in his blog post (first link above), that's the true head scratcher:
Just to make it clear: Haystack is not at fault here; the State Department -- I am not so sure. Austin Heap can make whatever statements he likes; the government, however, is supposed to treat such statements with due skepticism and think through the political implications of their endorsement of any technologies. All this fast-tracking stuff would surely reflect bad on the State Department if after an independent security review it does turn out that Haystack has severe security flaws, which its testers -- or other Iranian uses -- may not have been aware of.

And why did Clinton choose to speak about Haystack and not say Tor or any other tool? Also, not very clear. Were the diplomats charmed by all the buzz around Haystack in the media? Possibly. That said, it would be very good to know whether the State Department did ANY analysis/testing of Haystack's claimed capabilities, thought through how well it could scale in Iran, and whether they may be hurting its users in Iran -- current and future ones -- by lining up behind them. Were these questions asked and answered?

Filed Under: haystack, iran, obscurity, security

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    fogbugzd (profile), 14 Sep 2010 @ 8:47pm

    Things that smell bad usually are

    I was interested when I first heard about Haystack. I was interested in helping. But it didn't take long to curb my enthusiasm. Reading the web site, it just didn't look like the people running Haystack knew what they were doing. The final straw for me was only distributing the software to people they trusted. It is ridiculous to think that this was really keeping the software out of government hands, and anyone who knows anything about security knows that security through obscurity does not work very well in serious applications. My thought at the time was that the real reason might be that they didn't want scrutiny of their product. It turns out that may not have been too far from the truth.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.