Tom Olzak

Bad software can be tortuous… in a very bad way

In Application Security, Cyber Espionage, Hacking, Network Security, Risk Management on September 16, 2010 at 10:35

It isn’t any surprise that Iranians and other people using the Internet in information-restricted countries need a way to “break out.”  It is also no surprise that someone would try to build a software solution to meet this challenge.  What is a surprise is the alleged lack of due diligence applied by the creators of Haystack, an application that seemed to promise anonymity for Iranians trying to circumvent government controls.

According to the Haystack website,

“Haystack is a computer program that allows full, uncensored access to the internet even in areas with heavy internet filtering such as Iran. We use a novel approach to obfuscating traffic that is exceptionally difficult to detect, much less block, but which at the same time allows users to securely use normal web browsers and network applications.

[…]

Haystack hides traffic to and from the internet at large inside traffic that looks like perfectly normal web connections to innocuous sites. The Haystack client connects to our servers which in turn talk to websites on behalf of our users.”

This sounds like a great idea.  Think of the uses for a product that allows Iranians–and maybe eventually Chinese, North Koreans, etc.–to access uncensored opinion and news.  Of course, it would have to do this without government officials being able to see what users are accessing.  And although Haystack was supposed to do this, it apparently fails miserably.

According to a tweet by security researcher Jacob Appelbaum,

“Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.”

In other words, if you are living in Iran and hoping to surf the Web freely AND stay out of an Iranian prison, this is probably not the software for you.  So the Censorship Research Center (CRC) pulled the product.  Probably a good idea…

So what went wrong?  The main developer of Haystack resigned publicly and sent a letter to the Liberationtech mailing list.  In the letter, Daniel Colascione takes a lot of the responsibility for releasing what was supposed to be a test application–maybe closer to a proof of concept.  According to Colascione, it was not intended for public distribution or use by people who might put their physical freedom in jeopardy.  However, hype prevailed at the CRC, launching the product into public view and setting unreasonable and incorrect expectations.

Dan Goodin writes in a 14 September 2010 article in The Register,

The Guardian, for instance, named Censorship Research Center Executive Director Austin Heap the 2010 Innovator of the Year and called Haystack “a key technology used by Iranians to disseminate information outside the country in the protests that followed the disputed election result in June 2009.” Newsweek, the BBC, Forbes, Salon.com, and The Atlantic have also lauded the project, even though Heap now says it never made it out of development and wasn’t widely used.

At this time, no one really knows if anyone put themselves in danger by using the software.  But let’s be honest; when something is hyped this much, it inevitably makes it to users’ desktops.  Based on my quick research into this incident, this seems more like mismanagement than the intended release of really bad software.  It looks like the CRC was carried away on the tide of growing acclaim and took the public along for the ride.  Another instance of the media getting carried away?

In any case, I think there are at least two lessons to learn from this event.

  1. Never let potentially prison-causing software out of its cage until it is fully tested by numerous security researchers trying very hard to break it.
  2. Never get carried away by the hype surrounding a new product.  Do your own research into the product and its capabilities.  We can’t rely on much of the media to do this responsibly.