Forget Finding A Needle In A Haystack… How About Actually Finding Haystack
from the security-through-obscurity dept
We recently wrote about Newsweek’s coverage of Austin Heap and Haystack, a program he supposedly wrote to help Iranian internet users avoid being spied on by the Iranian government. Some of our commenters questioned the overall legitimacy of the story. It has a very too-perfect Hollywood sort of feel to it — and some pointed out the fact that no one seems to be able to actually look at Haystack. It sounds like a lot more folks are skeptical of the claims around Haystack as well. Glyn Moody points us to a post by Evgeny Morozov that rips apart the total secrecy around Haystack, to suggest the whole setup is pretty hard to believe.
I like Hollywood as much as the next guy — and yet something just doesn’t feel right about Haystack. What really bothers me is that one cannot download and examine their software; as far as the Internet is concerned, Haystack doesn’t exist. In fact, Heap says that it is only distributed to trusted contacts inside Iran; putting it online would create a situation where the government could easily get hold of it as well and then reverse-engineer it or ban it or find a way to track its users.
So, in essence, the outside public – including Iranians — are asked to believe that a) Haystack software exists b) Haystack software works c) Haystack software rocks d) the Iranian government doesn’t yet have a copy of it, nor do they know that Haystack rocks & works. (And who could fault them for not reading Newsweek? I certainly can’t). For someone with my Eastern European sensibilities, that’s a lot of stuff to believe in. Even Santa — we call him Ded Moroz — appears more plausible in comparison.
He goes on to note that, at the very least, this security by obscurity actually could be quite dangerous for Iranians actually using this program, since it may be giving them a very false sense of security:
To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure. The only good way that I know of to make sure that it’s secure is to let outsiders test it.
Indeed. In retrospect, the Newsweek version of this story had too many holes that should have acted as red flags.