Wednesday 15 September 2010

Privacy Tool for Iranian Activists Disabled After Security Holes Exposed

A highly lauded privacy tool designed to help Iranian activists circumvent state spying and censorship has been disabled after an independent researcher discovered security vulnerabilities in the system that could potentially expose the identities of anonymous users.
Users have been instructed to destroy all copies of the software, known as Haystack, and the developers have now vowed to obtain a third-party audit of the code and release most of it as open source before distributing anything to activists again.
Haystack is designed to encrypt a user’s traffic and to obfuscate it with steganography-like techniques that hide it inside innocuous or state-approved traffic, making it harder for a censor to filter or block. Despite its nascent status, Haystack got widespread media attention, including from Newsweek recently.
The tool is still in development, but an initial diagnostic version was being used by “a few dozen” activists in Iran when security researcher Jacob Appelbaum, a U.S. volunteer with WikiLeaks, discovered vulnerabilities in the source code and implementation of the system that could potentially place the lives of activists at risk.
Austin Heap, one of the tool’s developers, has faced sharp criticism from Appelbaum and others for failing to vet the tool with security professionals before distributing it for use. The media have also been criticized for failing to properly examine the system before praising it as an option for activists.
“The more I have learned about the system, the worse it has gotten,” Appelbaum said. “Even if they turn Haystack off, if people try to use it, it still presents a risk…. It would be possible for an adversary to specifically pinpoint individual users of Haystack.”
Heap told Threat Level that distribution of the test program had been highly controlled among a small group of select users, and that all of the participants, except one, had been informed beforehand that there were potential risks in using software that was still in development...
Kim Zetter @'Wired'
