I've lived in Iran for more than 30 years, and I have enough technical knowledge of IT security to say this: the only way that really works right now for the people of Iran to use the Internet in a reasonable and practical manner is a VPN. Any other means is not working or is impractical for most users (most web-based proxy services either work only for particular websites, or are actually spying on people, or ...). And a VPN is not cheap and not accessible for most Iranians (they don't have credit cards to buy the service, because of US sanctions). And whenever the government feels a bit unsafe, most VPN traffic is also blocked one way or the other for several days.
The whole idea behind Haystack (hide illicit traffic amongst many innocuous http requests) made no sense to me when I read about it a few weeks ago, but I assumed it was being incompetently summarized.
Peer review is no substitute for critical reading. Even to the limited extent that peer review works, it really only works at all in academic contexts.
This also happened during a period of doggedly overblown optimism about the opposition in Iran and its chances against the government. We were all rooting for them, of course, and the optimistic coverage may have helped them a little bit, and perhaps it was difficult to get real information, but it clearly wasn't careful or apolitical journalism. That was probably as much of a factor as the "boy wizard" aspect.
I read that article too, and it only gave me more questions. Sure, the owners wouldn't know who was using the system and couldn't lock them out. That seems to be the whole point of anonymizing software? Why does that make it insecure? If those are the only reasons, I don't see why that makes it unsuccessful software. (I personally have big doubts about their claims for anonymizing traffic, but the oblomovka article doesn't answer those questions.)
The article seems purposefully thin on details, but there are a couple of points here:
1. The owners/maintainers thought that it was possible to lock out specific people/clients, but this is obviously not the case.
2. The owners/maintainers think that it's impossible to have unauthorized clients using the system, but this is obviously not the case.
Either the owners/maintainers are incompetent, or the system is not functioning as it was designed to. This makes it all the more likely that 'nefarious' forces can infiltrate (or already have infiltrated) the system and snoop on users.
A system that is relying heavily on secure design should not be considered to be 'working' when it is not functioning as the designers believe that it should be.