Tuesday, September 14, 2010

Haystack project responds to 'security concerns', looks like it's falling apart

In a rather ranty post of mine I criticized the Haystack project for a lack of openness. Happily, there's an official blog post indicating that they are stopping testing because of security concerns:

Recently, there has been a vigorous debate in the security community regarding Haystack’s transparency and security. We believe that many of the points made in this debate were valid. As a result, and in order to ensure Haystack’s security, we have halted ongoing testing of Haystack in Iran pending a security review. We have begun contacting users of Haystack to tell them to cease using the program. We will not resume testing until this third party review is completed and security concerns are addressed in an open and transparent way.

It would be nice if they pointed to this debate, said which points they found valid and told us who is doing the third-party review. They really need to engage people with experience of this sort of system to make sure their code works as claimed.

Roll on the openness and transparency.

Update: Oh wait, a read of Jacob Appelbaum's Twitter feed makes it look like he's analyzed Haystack and the results are not good at all. Here's what he appears to have to say:

Hi - I have analyzed Haystack. It is total garbage and Austin Heap has pulled one over on the world.

I spoke with Heap on Friday and he promised that the network was disabled before we spoke on Friday. I was very sad to need to prove to a few specific people that it was still on late Sunday evening.

My findings are the reason that the Haystack network has now been shut off; his lead developer apparently turned the network down and locked him out of the machines. His advisory board has resigned as of today according to my sources.

An ugly situation. It's probably not good that Danny O'Brien wrote the following on Twitter:

never been angrier than right now. I can't actually describe how broken @haystacknetwork is, because to do so would put people at risk.

And the main developer has apparently quit:

What I am resigning over is the inability of my organization to operate effectively, maturely, and responsibly. We have been disgraced. I am resigning over dismissing pointed criticism as nonsense. I am resigning over hype trumping security. I am resigning over being misled, and over others being misled in my name.

Update: Here's a good summary of the situation. And here's a great summary of all the glowing media at the time.

I wonder if the BBC, Newsweek, The Guardian etc. will apologize. They should. It's shameful to see this sort of reporting. Shameful.

