Haystack is burning: Iran activists disable privacy app after security holes exposed

Remember Haystack, the privacy app designed to help Iranian dissidents speak freely without fear? Even before it was released, a string of breathless coverage in newspapers, magazines, television networks, radio programs, and blogs and blogs and more blogs touted it as a tool for technoliberation, during a news cycle in which reporters were eager to tell a story about the internet enabling a righteous revolution in Tehran.

The project was the brainchild of Austin Heap (shown at left); with friend and fellow anti-censorship advocate Daniel Colascione, he formed a nonprofit called the Censorship Research Center to manage Haystack and related cryptoanonymity projects.

Today comes news that brings no one joy: Haystack has effectively been forced to close down after security researcher Jacob Appelbaum* (Tor Project, Wikileaks) and tech writer Evgeny Morozov identified significant and fundamental security holes in the service—flaws that could endanger the safety of people in Iran who use Haystack. The Haystack team have stopped testing the app inside Iran, and are urging people who have installed copies to refrain from using it for the time being.

Coverage of the takedown is all over the place today: Wired News, Seattle Post-Intelligencer, SF Chronicle, The Financial Times (paywall), The H, Ostatic, Computerworld UK.

Danny O'Brien's Oblomovka has an authoritative (and compassionate) account. Snip:

Lessons? Well, as many have noted, reporters do need to ask more questions about too-good-to-be-true technology stories. Coders and architects need to realize (as most do) that you simply can't build a safe, secure, reliable system without consulting with other people in the field, especially when your real adversary is a powerful and resourceful state-sized actor, and this is your first major project. The Haystack designers lived in deliberate isolation from a large community that repeatedly reached out to try and help them. That too is a very bad idea. Open and closed systems alike need independent security audits.
And Jillian C. York's blog post on the affair chronicles sloppiness and lack of disclosure on the part of reporters who covered the project in its early phase.

Haystack's tagline: "Good luck finding that needle." Sadly, it appears the needle has been found. Haystack's website, by the way, still solicits donations "to help with the cause."

Update: EFF releases warning advising against Haystack. The post couldn't be more blunt: "Stop Using Haystack Software Now."

* A disclosure: Appelbaum's a personal friend, and I was able to verify over the weekend that the Haystack team's claims they'd taken the service offline were untrue, by examining an entry in BoingBoing's server logs.


  1. So am I to understand that this was being beta tested in what was effectively a war zone? So that if it doesn’t work, people could just flat out die? Without consulting cryptographers, without open source code? Are you kidding me?

    I don’t have any reason to doubt these guys’ sincerity. But I would never, under any circumstances, use anything they release. Ever.

  2. first you build them up, then you burn them down.
    epic journalism ftw.

    also, lrn2read. it’s BETA. it ain’t officially out to be used yet. by anyone. personally, the developers shouldn’t have buckled under the obvious media bullying. hint: BETA means broken. i mean, it’s just a bug right? find a bug, fix a bug.

    1. With respect, I’d point you to my explanation of what we actually saw of Haystack. It was a piece of software explicitly and widely publicized (on the cover of newsweek, no less, and not usually described as a beta) as being a component of a highly politicized battle against the Iranian government, which promised secure censorship circumvention in a seneitive political environment where censorship is a deliberate political act. Its testers were “testing” it live, in Iran (for no good reason).

      CRC lost control of the distribution of this software. While they believed they knew everyone who was “testing” the software, other users that they were not in contact with had copies of Haystack software which worked. CRC did not know these were being used. And when those people used it they did so without understanding the risks.

      Hell, CRC didn’t even understand the risks of this software. The client and server combination we observed in the wild (due to a combination of factors) was more than just “buggy”: the privacy-protecting features of the planned version were effectively not implemented, compromised or entirely disabled.

      The day after we explained what we’d seen to him, the person who designed and wrote every line of code in Haystack resigned, saying that the uncontrolled release of this code was a “catastrophe”. I’d urge you to read that in full, and then ask yourself whether he was bullied by an unfair media, or did the right, conscientious thing in the face of a terrible state of affairs.

      A state of affairs, incidentally, I am sure would have not come to light if it had not been for independent investigation and reporting.

    2. Not these days … BETA means “we’ve released the product but want an excuse for any possible problems you’ll inevitably have with it”. It’s more about rushing things out, than creating a genuine testable product.

      GMail is a great example. Google just didn’t want millions of support requests on the off chance that someone had a problem with something as ‘needed’ as email. If you’re providing a service that someone needs and can complain about – stick BETA on it; it’s like a get-out-of-jail-free card.

    3. It was indeed in beta, however, claims made by Austin Heap in the media implied that the tool was a) safe b) in wider use and c) better than all other tools of its kind. Should we really trust Heap and the Haystack team to continue? Daniel Colascione’s resignation implies he doesn’t even trust Austin Heap. It sounds like a done deal to me.

  3. What’s wrong with TOR?

    I understand there’s a pressing need for such software in countries with broken governments censoring everything, but I mean, can’t you just use an existing solution that’s already proven, rather than creating a startup company to attract investors into dumping millions into a problem that’s already been solved long ago?

    That said, I want to personally smack upside the head any and all journalists who passed this along at face value without bothering to grok any of the technical details. If it weren’t for journalists copying-and-pasting press releases, this software wouldn’t have gained the traction it did without first proving itself.

  4. I don’t think journalists can take all the blame there looks to be a massive dose of ego and attention seeking on the part of Heap, and journalists do need stories. The Haystack website along with the Censorship Research Center, the Twitter accounts, Facebook etc. all promoting and linking to the various news articles feed into the the media frenzy and thankfully the alarm bells actually rang loud enough for people to do some actual investigative journalism.

    I’m no programmer but I reckon taking on something as serious as state censorship probably needs a bit more than a couple of kids hacking away for 72 hours.

    The only question we will probably never have an answer to out of this sorry affair is if anyone in Iran actually used this software thinking they were safe and anonymous only to recieve a knock on the door at 3am.

    Perhaps Americans take their freedom for granted.

Comments are closed.