Haystack redux

Jacob Appelbaum jacob at appelbaum.net
Wed Sep 15 06:16:34 EDT 2010


On 09/14/2010 09:57 AM, Steve Weis wrote:
> There have been significant developments around Haystack since the
> last message on this thread. Jacob Appelbaum obtained a copy and found
> serious vulnerabilities that could put its users at risk. He convinced
> Haystack to immediately suspend operations. The developer of Haystack,
> Daniel Colascione, has subsequently resigned from the project.
> 
> Many claims made about Haystack's security and usage made by its
> creators now appear to be inaccurate. These claims were repeated
> without verification by the New York Times, Newsweek, the BBC, and the
> Guardian UK. Evgeny Morozov wrote several blog posts covering this.
> His latest post is here:
> http://neteffect.foreignpolicy.com/posts/2010/09/13/on_the_irresponsibility_of_internet_intellectuals
> 

Hi,

What Steve has written is mostly true - though I was not working alone,
we did it in an afternoon. It took quite a bit of effort to get Haystack
to take this seriously. Eventually, there was an internal mutiny because
of a serious technical disconnect between the author Daniel Colascione
and the supposed author, Austin Heap. Daniel has been a stand-up guy
about the issues discovered and he really the problem space that the
tool created.

Sadly, most of the issues discovered do not have easy fixes - this
includes even discussing some of the very simple but serious design
flaws discovered. This has to be the worst disclosure issue that I've
ever had to ponder - generally, I'm worried about being sued by some
mega corp for speaking some factual information to their users. In this
case, I guess the failure mode for being open about details is ... much
worse for those affected. :-(

An interesting unintended consequence of the original media storm is
that no one in the media enjoys being played; it seems that now most of
the original players are lining up to ask hard questions. It may be too
little and too late, frankly. I suppose it's better than nothing but it
sure is a great lesson in popular media journalism failures.

All the best,
Jacob

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
