Tom Olzak

Archive for the ‘Cyber Espionage’ Category

Bad software can be tortuous… in a very bad way

In Application Security, Cyber Espionage, Hacking, Network Security, Risk Management on September 16, 2010 at 10:35

It isn’t any surprise that Iranians and other people using the Internet in information-restricted countries need a way to “break out.”  It is also no surprise that someone would try to build a software solution to meet this challenge.  What is a surprise is the alleged lack of due diligence applied by the creators of Haystack, an application that seemed to promise anonymity for Iranians trying to circumvent government controls.

According to the Haystack website,

“Haystack is a computer program that allows full, uncensored access to the internet even in areas with heavy internet filtering such as Iran. We use a novel approach to obfuscating traffic that is exceptionally difficult to detect, much less block, but which at the same time allows users to securely use normal web browsers and network applications.

Haystack hides traffic to and from the internet at large inside traffic that looks like perfectly normal web connections to innocuous sites. The Haystack client connects to our servers which in turn talk to websites on behalf of our users.”

This sounds like a great idea.  Think of the uses for a product that allows Iranians–and maybe eventually Chinese, North Koreans, etc.–to access uncensored opinion and news.  Of course, it would have to do this without government officials being able to see what users are accessing.  And although Haystack was supposed to do this, it apparently fails miserably.

According to a tweet by security researcher Jacob Appelbaum,

“Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.”

In other words, if you are living in Iran and hoping to freely surf the Web AND stay out of an Iranian prison, this is probably not the software for you.  So the Censorship Research Center (CRC) pulled the product.  Probably a good idea…

So what went wrong?  The main developer of Haystack resigned publicly and sent a letter to the Liberationtech mailing list.  In the letter, Daniel Colascione takes a lot of the responsibility for releasing what was supposed to be a test application–maybe closer to a proof of concept.  According to Colascione, it was not intended for public distribution or use by people who might put their physical freedom in jeopardy.  However, hype prevailed at the CRC, launching the product into public view and setting unreasonable and incorrect expectations.

Dan Goodin writes in a 14 September 2010 article in The Register,

The Guardian, for instance, named Censorship Research Center Executive Director Austin Heap the 2010 Innovator of the Year and called Haystack “a key technology used by Iranians to disseminate information outside the country in the protests that followed the disputed election result in June 2009.” Newsweek, the BBC, Forbes, and The Atlantic have also lauded the project, even though Heap now says it never made it out of development and wasn’t widely used.

At this time, no one really knows if anyone put themselves in danger by using the software.  But let’s be honest; when something is hyped this much, it inevitably makes it to users’ desktops.  Based on my quick research into this incident, this seems more like mismanagement than the intended release of really bad software.  It looks like the CRC was carried away on the tide of growing acclaim and took the public along for the ride.  Another instance of the media getting carried away?

In any case, I think there are at least two lessons to learn from this event.

  1. Never let potentially prison-causing software out of its cage until it is fully tested by numerous security researchers trying very hard to break it.
  2. Never get carried away by the hype surrounding a new product.  Do your own research into the product and its capabilities.  We can’t rely on much of the media to do this responsibly.

But Congress hasn’t stuck its collective finger in it yet…

In Business Continuity, Cyber Espionage, Cyber Terrorism, Cyber-warfare, Cybercrime, Government on April 15, 2010 at 12:24

In a recent article, U.S. Cyber Command Nominee Discusses Policies, an Army three-star general commented on cyber-war preparation.  While I agree with the military’s approach–what they will discuss, given the classified nature of their planning–I don’t believe Congress will be able to keep their hands out of this.  By the time our elected officials finish debating, filibustering, or holding hearings, our electricity, water supply, and financial institutions will all have converted to Chinese as their official language…

And by the way, who taught the alleged soldier in the photo how to salute?  And what’s with the strap hanging down from his helmet?  Ok, Ok.  I know.  I was a sergeant way too long…  I’ll let it go.

White House Blowing Smoke?

In China, Cyber Espionage, Cyber-warfare, Government on April 7, 2010 at 11:45

A little something I wrote about recent comments by White House Cybersecurity Coordinator Howard Schmidt.

White House Blowing Smoke?

The Picture Says It All

In China, Cyber Espionage, Cyber-warfare, Government on March 29, 2009 at 11:44

Once again, the Chinese have been caught with their hands in other people’s computers.

Canadian researchers have revealed an extensive Chinese spying operation, which involved the hacking of over 1000 computers in 103 countries, according to reports in several leading newspapers today.

The new report from the Information Warfare Monitor, a group comprising researchers from Ottawa-based think tank SecDev Group and the University of Toronto’s Munk Centre for International Studies, was originally set up to investigate allegations of Chinese snooping on Tibetan exiles.

Source: Massive Chinese cyber hack revealed, Phil Muncaster, 29 March 2009

This shouldn’t be a surprise to anyone following the exploits of the Chinese in cyberspace over the past few years.  And I imagine the Chinese government’s response will be the same as in the past, a response characterized by the image below (from the Muncaster article, caption is mine).

The 3 Monkeys Approach to Chinese Deniability