Software Meant to Protect Iranian Dissidents May Be Fatally Flawed
The software tool called Haystack was supposed to protect dissidents in Iran who wanted to use the Internet free of the government’s censorship. If third-party software testers are correct, though, flaws in the system meant to help those dissidents could have led authorities right to them. The Censorship Research Center, the San Francisco-based organization that created Haystack, has now pulled it back and asked users to destroy the existing copies.
“We have halted ongoing testing of Haystack in Iran pending a security review,” HaystackNetwork.com said in a brief statement. “If you have a copy of the test program, please refrain from using it.” [AFP]
Jacob Appelbaum, a security expert who volunteers with WikiLeaks, sounded the alarm.
Appelbaum says that after hearing a description of how the tool functioned, he worried that it might not have been built correctly. But he became truly concerned once he tested it himself. Appelbaum and his colleagues broke the tool’s privacy protections in less than six hours. Appelbaum says it would be easy for government authorities to do the same. [Technology Review]
Appelbaum went public with his criticisms in case people are still using Haystack, as the tool appears to be available on multiple websites.
Haystack is designed to encrypt a user’s traffic and also obfuscate it by using steganography-like techniques to hide it within innocuous or state-approved traffic, making it harder to filter and block the traffic. [Wired.com]
Appelbaum refused, however, to divulge the details of the problems he found with the software, fearing it would instruct the Iranian government and make it even easier for its officials to crack Haystack. Even with the recall, he says, Iranian activists are still in danger.
“The more I have learned about the system, the worse it has gotten,” Appelbaum said. “Even if they turn Haystack off, if people try to use it, it still presents a risk…. It would be possible for an adversary to specifically pinpoint individual users of Haystack.” [Wired.com]
Austin Heap, one of the two men behind the Censorship Research Center, says that people knew there were risks when they signed up to use the software tool. The new version, he says, will be mostly open-source before the next release, giving security testers a chance to hunt through it for flaws. However, Heap’s partner Daniel Colascione has now resigned from the organization because of the controversy.