

The Myth of the Boy Wizard - jgrahamc
http://blog.jgc.org/2010/09/myth-of-boy-wizard.html

======
alimoeeny
I've lived in Iran for more than 30 years, and I have enough technical
knowledge on IT security to say this, the only way that really works right now
for people of Iran to use Internet in a reasonable and practical manner is
using VPN. Any other means is not working or is impractical for most users
(most web based proxy services are either work for special websites or are
actually spying on people or ...). And VPN is not cheap and not accessible for
most Iranians (they don't have credit cards to buy the service, because of US
sanctions). And whenever government feels a bit unsafe most VPN traffic is
also blocked one way or the other for several days.

------
sspencer
The whole idea behind Haystack (hide illicit traffic amongst many innocuous
http requests) made no sense to me when I read about it a few weeks ago, but I
assumed it was being incompetently summarized.

Interesting reminder of the need for peer review.

~~~
billswift
Peer review is no substitute for critical reading. Even to the limited extent
that peer review works, it really only works at all in academic contexts.

------
dkarl
This also happened during a period of doggedly overblown optimism about the
opposition in Iran and its chances against the government. We were all rooting
for them, of course, and the optimistic coverage may have helped them a little
bit, and perhaps it was difficult to get real information, but it clearly
wasn't careful or apolitical journalism. That was probably as much of a factor
as the "boy wizard" aspect.

------
gchucky
Honestly I wasn't aware of Haystack's security issues, but
[http://haystacky.s3.amazonaws.com/www.oblomovka.com/wp/2010/...](http://haystacky.s3.amazonaws.com/www.oblomovka.com/wp/2010/09/14/haystack-
vs-how-the-internet-works/index.html) cleared up a bunch of it.

~~~
pilom
I read that article too and it only gave me more questions. Sure the owners
wouldn't know who was using the system and couldn't lock them out. That seems
to be the whole point of annonomizing software? Why does that make it
insecure? If those are the only reasons I don't see why that makes it
unsuccessful software (I personally have big doubts about their claims for
annonomizing trafic, but the oblomovka article doesn't answer those
questions.)

~~~
pyre
The article seems purposefully thin on details, but there are a couple of
points here:

1\. The owners/maintainers thought that it was possible to lock out specific
people/clients, but this is obviously not the case.

2\. The owners/maintainers think that it's impossible to have unauthorized
clients using the system, but this is obviously not the case.

Either the owners/maintainers are incompetent, or the system is not
functioning as it was designed to. This makes it all the more likely that
'nefarious' forces can infiltrate (or already have infiltrated) the system and
snoop on users.

A system that is relying heavily on secure design should not be considered to
be 'working' when it is not functioning as the designers believe that it
should be.

