Tuesday, September 14, 2010

Critical Bugs Stop Haystack Anti-Censorship Project

Via H-Online.com -

Good luck finding that needle? Haystack’s certainly not having much luck at the moment. Rather than being needles in a haystack, users of the anti-censorship software are more like beacons in the night. Haystack is intended to enable opponents of the government in Iran to enjoy uncensored access to the internet. The Iranian government blocks web sites such as Facebook, Twitter and news sites. Haystack tries to beat the filters by encrypting data and embedding it in other innocuous connections. A proxy outside Iran then forwards the data to the correct web site and vice versa.

As a result of some major bugs, the project has now been suspended and users are being advised to stop using the software. Details are sketchy at present, but it appears that it is easier to trace Haystack users than Austin Heap, the man behind the project, would have users believe.

The bugs were uncovered during an independent security analysis by security specialist Jacob Appelbaum. According to Appelbaum, Haystack is the worst piece of software he has ever looked at; indeed, he does not shy away from describing its authors as charlatans. He considers that using the software, which is still in the test phase, endangers users.

[...]

To avoid increasing the risk faced by testers in Iran, Appelbaum will not publish any details, at least for the time being.

Because of the allegations concerning user security, Haystack developer and co-founder of the Censorship Research Center (CRC), Daniel Colascione, has resigned. Colascione wrote, in an email to security analysts and project members, that he felt that in good conscience he could no longer represent the CRC. He regrets that the CRC did not work transparently and that users had been misled. However, he says the tool was not ready or intended for production use.


----------------------------------------------------------------------------------------

To me, it seems like you shouldn't be beta testing this type of software in countries where exposure (or vulnerabilities) can have lethal consequences.