Privacy Tool for Iranian Activists Disabled After Security Holes Exposed
September 15th, 2010
Via: Wired:
A highly lauded privacy tool designed to help Iranian activists circumvent state spying and censorship has been disabled after an independent researcher discovered security vulnerabilities in the system that could potentially expose the identities of anonymous users.
Users have been instructed to destroy all copies of the software, known as Haystack, and the developers have now vowed to obtain a third-party audit of the code and release most of it as open source before distributing anything to activists again.
Haystack is designed to encrypt a user’s traffic and also obfuscate it by using steganography-like techniques to hide it within innocuous or state-approved traffic, making it harder to filter and block the traffic. Despite its nascent status, Haystack got widespread media attention, including from Newsweek recently.
The tool is still in development, but an initial diagnostic version was being used by “a few dozen” activists in Iran when security researcher Jacob Appelbaum, a U.S. volunteer with WikiLeaks, discovered vulnerabilities in the source code and implementation of the system that could potentially place the lives of activists at risk.
Austin Heap, one of the tool’s developers, has faced sharp criticism from Appelbaum and others for failing to vet the tool with security professionals before distributing it for use. The media have also been criticized for failing to properly examine the system before praising it as an option for activists.
“The more I have learned about the system, the worse it has gotten,” Appelbaum said. “Even if they turn Haystack off, if people try to use it, it still presents a risk…. It would be possible for an adversary to specifically pinpoint individual users of Haystack.”
Heap told Threat Level that distribution of the test program had been highly controlled among a small group of select users, and that all of the participants, except one, had been informed beforehand that there were potential risks in using software that was still in development.
“They are all people who are aware of the risks who use other anti-censor tools and had expressed a direct interest to me or others that they would like to be part of the test program,” Heap said.
Nonetheless, he and colleagues decided to halt human testing of the program this week and use only machine testing going forward, in light of the criticism from Appelbaum and others. He said the group would open-source 90 percent of the code before releasing a version to users.
“All of the encryption routines, all the parts that are tantamount to protecting a user’s privacy will be publicly released,” he promised.
Appelbaum, a developer for the Tor Project, which developed and maintains the Tor anonymity and anti-censorship tool, disputed that distribution of Haystack was controlled. He said the tool was available for download from multiple sites on the internet, including Heap’s own web site, which Threat Level confirmed.
Although Heap assured Appelbaum that the program had been disabled by Saturday, Appelbaum found he could still use it without problems as of Sunday evening. He decided to go public with his criticism out of concern that some users might still be unaware of the risks of using it.

Activist associated with e-honeypot A calls out e-honeypot B. Pot and kettle.
@ltcolonelneomo.
Sir, I have no idea if you actually are a lieutenant of rank and honor, but I heartily disagree with your assessment regarding this article in its entirety. I am in the business of defending and encouraging whistleblowers? And you, Sir?
You have, apparently, made up your mind that Wikileaks is a shill for the CIA, a “honeypot.”
Gracious of you.
I have to say, Sir! I heartily disagree with your assessment. Whistleblowers are few and far between in the U.S., all of them usually lose their jobs and when deciding to go to legal action incur millions of costs, that is unless a non profit organization goes to bat for them. Someday I’ll find you a link.
But get a grip on it, Sir. It takes an outstanding individual to stand up to the machine. And goddam it, what the hell has gotten up everybody’s butts about Wikileaks? Jeso Christo. I guess my conclusion is you don’t get what whistleblowing is all about. It’s not a party on Facebook or Twitter. Whistleblowing people that I’ve worked with have lost their lives and gone into some hell for doing so because they believed in what they were doing.
I want to say some rude things to you right now, but I won’t. Kevin wouldn’t post them anyway.
But Lt. Colonel, I am sick of people who sit back in their armchair rockers and decide to piss all over people in the world who are doing the real work.
Sorry. I just had to say this here now.
I have to take side for about 60% with nemo. It is peculiar, that only wikileaks and to a lesser degree, haystack are mentioned in the media.
There are a handful of others, like i2p, freenet, anonet and other darknets, tor (!), hamachi (!), perfect dark (!) and handmade solutions like ssh and open unix consoles.
The trouble the three letter agency have with those tools isn’t the dark part, you don’t capture a capable gangster anyway. Once you understand how to set up a darknet and why you should do it, you are no longer a part of the open and controlled society, i.e. “normality”. Normal users want and can only use a point-and-click solution, which has its downsides. At this point, if someone wants a working solution, he has to set up many things. After that, he understands how the internet works at layers just underneath the all too visible application layer.
@Eileen
I wasn’t referring to Wikileaks per se, I was referring to Tor, a tool frequently lauded as providing anonymity to activists, in fact, developed from military technology, and proven in the past to be unsafe, heavily monitored, and used as a honeypot by governments and private security companies. Note the following quote:
“Appelbaum, a developer for the Tor Project, which developed and maintains the Tor anonymity and anti-censorship tool….”
Given the free publicity Wikileaks receives from the government/corporate press on a routine basis, and given that it makes use of name-brand “wiki” in its name, I strongly suspect it is designed to act as a vacuum to would-be leakers. They want to be a one-stop shop that all leakers turn to. This is an inherently unsafe and sound model for leaking, in my opinion, as it diverts attention away from all the other organizations one can leak to.
Intelligence agencies routinely make use of pre-existing opposition groups to further their ends. They also create them out of scratch. This has all been well-documented. An opposition group can be judged by the fruits of its labors. Within the last 10 years, I have participated in so-called opposition groups and observed from the sidelines as well. I can safely say that their actions are mostly ineffectual, judged by the fact that things have either stayed the same or gotten worse, on all fronts, for the average person, within the USA. From my interaction with these groups, I find that the people who tend to control them and constitute them to be deluded as to the efficacy of their own actions. They believe they make a difference, while in most cases they have little conception of the magnitude and scope of the problems they face. For example, I “monitored” elections for the NAACP. An NAACP lawyer asked me after the fact what I thought of the effort. I told her that in all honesty, while it appeared like we were doing good by having people handing out literature on rights at the election stations, we were in fact, not confronting the more insidious and difficult to deal with problem of electoral manipulation through black-box voting technology. Needless to say, it was not what she wanted to hear. This is but one small example, I could give many others.
Using so-called hacker tools for cyber-activism is a bit like being a member of Morpheus’s crew in the Matrix. You can do seemingly cool and powerful things, but then you attract the attention of the Powers That Be, who may have only granted you the powers in the first place to see what you would do. And unfortunately, there is nobody who could have the effect of Neo, at least not without the complicity of the system.
I’m surprised a frequent reader of this website would make such a strident defense of Wikileaks, given all the unknowns about it. In any case, the so-called earth-shattering leaks about the war only reiterate points made back in 2003, and in any case were points that can easily be predicted about any military conflict. When there is war, things like torture, rape, degradation, looting, murder of civilians go hand in hand with it. The civilian authorities know this, it is no surprise to them, and they could care less. It is only the naive subjects who temporarily awake from their media-induced stupor that get upset and start waving signs.
Wikileaks sounds like Wikipedia which I have learned not to trust.
@PeterofLoneTree
You would do well not to trust any source. As for Wikipedia, it was clearly intended to build up a certain level of trust before going over to the dark side. These things follow a natural arc. Good idea –> Implementation –> Press on how great it is –> Manufactured bad event –> Reform –> Good idea implemented is now subordinated to serve mediocrity.
It used to be that anybody could edit Wikipedia. Then someone complained that someone put something false in it. As if that doesn’t happen in Britannica et al! Suddenly, there needed to be tiers of editors with varying degrees of power.
Additionally, organizations hire people to monitor Wikipedia full-time to control the dissemination of information on subjects of interest to them.
That being said, I’ll take Wikipedia over Britannica any day of the week.