Haystack and the Myth of the Boy Wizard

Jamie sent in an interesting writeup about The Myth of the Boy Wizard. No, it's not about Hogwarts, but rather about Haystack and its creator, Austin Heap. Last summer the media covered the programmer, the software, and its supposed effect on Iranian censorship. But as is often the case, truth is less interesting than reality. What happened is that the story managed to press some magic buttons, and the media ran with it. This one is worth a read.

Reason

[Anonymous Coward]

It wasn't clear to me that JGC knows specifically what the vulnerability is, though it seems to be related to random number generation [jgc.org].

In this post [jgc.org]: a tweet [twitter.com] is referenced as well:

never been angrier than right now. I can't actually describe how broken @haystacknetwork is, because to do so would put people at risk.

Re:OK So...

[gstoddart]

I'm still not sure what exactly the fatal flaw was in the test version that got everyone all in an uproar.

I've just re-checked the linked articles from Tuesday [slashdot.org] ... nobody explicitly says what about the software is flawed.

This post [slashdot.org], however, contains a much more detailed description of the issue. Essentially, the techniques it employed didn't work the way they said it did, and it wasn't -- and those using it were a lot more vulnerable than claimed.

It appeared that Haystacks administrator did not or could not effectively track unofficial users and that the methods he believed would lock them out were ineffective. More brutally, it also demonstrated that the CRC did not seem able to adequately monitor nor administrate their half of the live Haystack circumvention service.

When you're skirting around a government like Iran's doing things they don't like, broken security is a very risky undertaking.

From the sounds of it, this got over-hyped, never adequately reviewed, and people just ran with it believing it was secure.

Tor

[Anonymous Coward]

Tor is what most of those people are using to get information out of Iran.

Help out and setup a relay. Just make sure you aren't doing anything illegal as there is a small risk involved (Kiddy Porn is the #1 excuse the pigs use to pressure relay operators).

http://torproject.org

Also check out Freenet (http://freenetproject.org)

Re:OK So...

[jpmorgan]

The fatal flaw was the same as the one in my Lion Repelling Rock. The software was flawed at a fundamental level, because it more or less assumed that censorship is based on people going through firewall/proxy logs by hand. In real life, grep doesn't get bored.

NPR: On The Media

[mackertm]

NPR On the Media covered this last week with a pretty good story: http://onthemedia.org/transcripts/2010/09/10/05 [onthemedia.org]

Worth the read?

[Frizzled]

The Slate write-up was much better:

http://www.slate.com/id/2267262/ [slate.com]

Re:Not surprising

[WillDraven]

Look at it this way, if someone had claimed to have invented something that... I don't know, neutralized the pepper spray that the riot police were using to break up the demonstrations.

This is largely unrelated to your point, and I'm going to disappoint you by not providing any sources, but there is a common remedy for pepper spray. It is, somewhat ironically, called LAW, which stands for Liquid Antacid and Water. Basically mix one part unflavored (as in not mint!) Maalox (or equivalent) and one part water. Apply liberally to the affected mucous membranes and skin. I try to keep a couple water bottles full of it on me when attending protests.

Of course it would be better to find a preventative solution but at least this provides some quick relief from the horrible burning once you've been sprayed.