A program designed to make Iranian internet users safe from government peeking has been pulled by its creators because, er, it opens up their identities to anyone that cares to take a look.
The program, called Haystack, is designed to hide traffic to and from the internet at large inside what looks like connections to innocuous sites. The Haystack client connects to the project’s own servers, which in turn talk to websites on behalf of its users.
But its website now reads: “We have halted ongoing testing of Haystack in Iran pending a security review. If you have a copy of the test program, please refrain from using it.”
The problem is that Haystack is apparently chock-full of vulnerabilities that could leave users’ identities exposed – although it’s not known whether the Iranian government or any other third party has been taking advantage of the program’s weaknesses. If not, they’re probably kicking themselves.
Haystack was created by the San Francisco-based Censorship Research Center (CRC) last year after Iran’s presidential election, and was hailed at the time as an important tool for internet freedom.
But the shine has worn off, and it’s recently received heavy criticism. Hacker Jacob Appelbaum called it “the worst piece of software I have ever had the displeasure of ripping apart”, and the Electronic Frontier Foundation warned people to stop using it.
As a result, chief developer Daniel Colascione has quit the project, saying the program is just as bad as Appelbaum claimed.
“But I maintain that it was a diagnostic tool never intended for dissemination, never mind hype,” he says.
“What I am resigning over is the inability of my organization to operate effectively, maturely, and responsibly. We have been disgraced. I am resigning over dismissing pointed criticism as nonsense. I am resigning over hype trumping security. I am resigning over being misled, and over others being misled in my name.”
But the other participants in the project say they will work to patch the holes – at least, as long as there are still any Iranians with the nerve to go anywhere near a computer.
“Recently, there has been a vigorous debate in the security community regarding Haystack’s transparency and security. We believe that many of the points made in this debate were valid,” says CRC co-founder Austin Heap on his blog.
“We will not resume testing until this third party review is completed and security concerns are addressed in an open and transparent way.”