On 09/14/2010 09:57 AM, Steve Weis wrote:
> There have been significant developments around Haystack since the
> last message on this thread. Jacob Appelbaum obtained a copy and found
> serious vulnerabilities that could put its users at risk. He convinced
> Haystack to immediately suspend operations. The developer of Haystack,
> Daniel Colascione, has subsequently resigned from the project.
>
> Many claims made about Haystack's security and usage made by its
> creators now appear to be inaccurate. These claims were repeated
> without verification by the New York Times, Newsweek, the BBC, and the
> Guardian UK. Evgeny Morozov wrote several blog posts covering this.
> His latest post is here:
> http://neteffect.foreignpolicy.com/posts/2010/09/13/on_the_irresponsibility_of_internet_intellectuals
>
Hi,

What Steve has written is mostly true - though I was not working alone, we did it in an afternoon.

It took quite a bit of effort to get Haystack to take this seriously. Eventually, there was an internal mutiny because of a serious technical disconnect between the author Daniel Colascione and the supposed author, Austin Heap. Daniel has been a stand-up guy about the issues discovered and he really the problem space that the tool created.

Sadly, most of the issues discovered do not have easy fixes - this includes even discussing some of the very simple but serious design flaws discovered. This has to be the worst disclosure issue that I've ever had to ponder - generally, I'm worried about being sued by some mega corp for speaking some factual information to their users. In this case, I guess the failure mode for being open about details is ... much worse for those affected. :-(

An interesting unintended consequence of the original media storm is that no one in the media enjoys being played; it seems that now most of the original players are lining up to ask hard questions. It may be too little and too late, frankly. I suppose it's better than nothing but it sure is a great lesson in popular media journalism failures.

All the best,
Jacob

---------------------------------------------------------------------
The Cryptography Mailing List
