Software Meant to Protect Iranian Dissidents May Be Fatally Flawed

80beats | By Andrew Moseman | Sep 15, 2010 9:36 PM

The software tool called Haystack was supposed to protect dissidents in Iran who wanted to use the Internet free of the government's censorship. If third-party software testers are correct, though, flaws in the system meant to help those dissidents could have led authorities right to them. The Censorship Research Center, the San Francisco-based organization that created Haystack, has now pulled it back and asked users to destroy the existing copies.

"We have halted ongoing testing of Haystack in Iran pending a security review," HaystackNetwork.com said in a brief statement. "If you have a copy of the test program, please refrain from using it." [AFP]

Jacob Appelbaum, a security expert who volunteers with WikiLeaks, sounded the alarm.

Appelbaum says that after hearing a description of how the tool functioned, he worried that it might not have been built correctly. But he became truly concerned once he tested it himself. Appelbaum and his colleagues broke the tool's privacy protections in less than six hours. Appelbaum says it would be easy for government authorities to do the same. [Technology Review]

Appelbaum went public with his criticisms in case people are still using Haystack, as the tool appears to be available on multiple websites.

Haystack is designed to encrypt a user’s traffic and also obfuscate it by using steganography-like techniques to hide it within innocuous or state-approved traffic, making it harder to filter and block the traffic. [Wired.com]

Appelbaum refused, however, to divulge the details of the problems he found with the software, fearing it would instruct the Iranian government and make it even easier for its officials to crack Haystack. Even with the recall, he says, Iranian activists are still in danger.

“The more I have learned about the system, the worse it has gotten,” Appelbaum said. “Even if they turn Haystack off, if people try to use it, it still presents a risk…. It would be possible for an adversary to specifically pinpoint individual users of Haystack.” [Wired.com]

Austin Heap, one of the two men behind the Censorship Research Center, says that people knew there were risks when they signed up to use the software tool. The new version, he says, will be mostly open-source before the next release, giving security testers a chance to hunt through it for flaws. However, Heap's partner Daniel Colascione has now resigned from the organization because of the controversy.

Related Content:

80beats: Pakistan Bans Facebook & YouTube in “Draw Mohammad Day” Crackdown

80beats: Iran Blocks Gmail; Will Offer Surveillance-Friendly National Email Instead

80beats: Google to China: No More Internet Censorship, or We Leave

80beats: Report: Chinese Hackers Stole Indian Missile Secrets & the Dalai Lama’s Email

Image: iStockphoto

Copyright © 2023 Kalmbach Media Co.