I’m taking some grim satisfaction in the dissolution of the Haystack Project. If people have actually been hurt by this software, I’ll be removing the “satisfaction” part of that reaction. But given the relentless overhyping of technological interventions in pro-democratic organizing, I’m hopeful that little actual damage has been done. These technologies will no doubt soon become genuinely crucial to people living under repressive governments, but I’m optimistic that Heap’s work didn’t spread far enough to cause serious trouble.
A few key links:
- The EFF says to stop using Haystack
- The resignation letter of its main developer
- Ed Felten’s take
- Nancy Scola discusses the media’s inability to report responsibly on technology (and is very nice to me, though I hasten to say that I’m no security expert)
- The Twitter stream of @ioerror, beginning at this tweet
I think Nancy’s piece raises the most important questions: why did the media — and more importantly, the federal government — fall for Austin Heap’s bullshit? Here I disagree with Nancy: I don’t think it’s just a question of technical expertise. I’ve been skeptical of Haystack since its announcement, but I couldn’t write a secure crypto proxy to save my life. That stuff is really hard.
But here’s the thing: the technology is hard, but it’s also done. Smart people have looked at these problems and have solved the ones that are solvable. There’s work left to be done at the edges — better hash algorithms, that kind of thing — but I guarantee that’s not the sort of flaw that’s afflicting Haystack.
The thing to realize is that good security is a set of patterns. Relatively few of them have to do with technology (although learning about the technology behind security systems can certainly help you understand the patterns). The media’s naivete springs from the idea that the right app could liberalize Iran. Ignorance of the app’s internals is a much smaller problem than the sort of wishful thinking that gets that story pitched and approved (and read). Recognizing a snake oil salesman is just as important as recognizing an exploit.
Alarms should have gone off when Heap announced he was writing new software. Why write software? We have software. Did Heap think the limitations of Tor and Freenet and Freegate and PGP and all the others exist because those tools’ authors are lazy or stupid? That was never the problem.
I guess what I’m trying to say is that reporters should spend more time reading Bruce Schneier. Even the repetitive entries. Especially the repetitive entries.