Slashdot Mirror
Herding Firesheep In NYC — Do Users Care?
An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."
You would be arrested. Breaking into someones house to point out that you can break into their house still leaves you with a breaking and entering charge. Even if you caused no damage and took nothing, you're still going to jail brainiac.
... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatevever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.
I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexivly doing. In effect we're trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah
That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.
So, does your insurance company give you a discount for providing easier access to thieves?
A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.
boycott slashdot February 10th - 17th check out: altSlashdot.org
And if that can be seen on Starbuck's security cams, he just IDed himself after admitting to breaking federal laws.
Yes, exactly.
Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:
I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.
you're joking right? how do you think all the interior cameras get in side the house?
they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.
Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.
In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.
When information is power, privacy is freedom.
Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.
Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?
Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.
A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.
Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.
Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the more self-identified geeks and hackers I meet in recent times, the more I come to the conclusion they're mostly idiots at this point. Ever since "geek" became some kind of shibboleth, it's been all down hill.
Fuck being a geek. There is no virtue in being capable in one area to the detriment at all others. It is indeed possible to dedicate one's brain to both number theory and cryptographic fundamentals, and still be able to solve simple cost-benefit problems.
If some stranger walked into my house to tell me my door was unlocked you can bet your ass I would be locking the door. What kind of dumb ass question is that?
The difference here, and where your logic IMHO fails, is that while many people may not care that much its exactly because of their ignorance. The problem here is that someone telling them they're vulnerable isn't enough because they are just that ignorant. They don't understand how it could possibly do them harm. Sure, some of them may not care, even if they understand the potential harm, but as a technologist I can tell you from experience that showing someone they are open to attack doesn't educate them to the harm. Now, when I've show non-tech folks what could happen if they ignore the fact they're vulnerable, the vast majority have their jaws drop to the floor. They are utterly amazed that people know how to do things like that with computers.
You don't have to be uber-security-conscious to be smart. Leaving your doors unlocked in a strange city is simply asking for harm to come knocking eventually. And, doing so willfully is most definitely stupid and ignorant.
Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
Sounds like you are the problem.
If the site doesn't support HTTPS, there's not an easy fix. The users could set up a VPN connection, but that's not as simple as clicking to install a tool. We need to start asking all sites that use cookies to store authentication credentials, which is pretty much any site that allows you to log in and remembers that you've logged in, to allow the HTTPS to access all their pages. Let's start with Slashdot. Slashdot, please provide HTTPS support on all pages on the site! StartSSL certificates are free!
EXACTLY.
I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idiot who lacked any common sense whatsoever and deserved the problems you attracted to yourself.
However, replace "car" with "computer, and we suddenly excuse that mentality. You are no longer a stupid fool exhibiting a lack of common sense or at least interest in understanding things (for example "I should check the manual to see what this idiot light means"). No, when it's a computer -- you're suddenly *the victim*. A victim of complex, baffling, impossible to understand (because you willfully refuse to try), scary technology.
You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?
In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, and would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers -that's a city dweller response.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
Security doesn't reduce your stupidity. Nor does paranoia increase your security. Check the USA today. Post a toner cartridge and the whole country shuts down. QED. (Bet the guys at newegg are looking at their policy on combo parts shipments.) (Apologies to the nice Americans here)
Just bought a new quantum computer, but I'm uncertain how it works.
And people here wonder complain about the stereotype "geek" are always portrayed as socially inept to point of almost being sick. Unfortunately, that part of the stereotype fits this blogger perfectly.
What would you think if you encounter these incidents:-
I guess it will be a BIG revelation to the author of TFA when (if?) he realize that a LOT of things in our life is not secured by technical means, but rather social norms. Girls don't wear steel skirts to avoid people lifting it, social norms dictate that people don't do it (although some would still do it). Girls don't always wear pants to keep people from peeking underskirt, and most people don't. People talking on mobile phone don't carry white noise devices to block people eavesdropping, and yet most of the time nobody will eavesdropping on your phone conversations.
Similarly, people using public networks except human decency to prevent those with technical means to eavesdropping or hijack their Facebook traffic (their banking traffic, however, is another story). I guess having human decency is too much to expect from this blogger.
Congratulations on showing your technical powers to the ignorant masses, those people will go on their lives knowing they just encountered a stupid jerk that is not worth the time to respond to.
P.S. I write programs for a living and I am ashamed to be working in the same field as that blogger. I hope more people would understand not all programmers are sick like that.
And after that, go back into your Mom's basement, erm, I mean the Bat Cave, and feel all smug about the ten kinds of awesome that you are.
But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
There's a term for this - "enabling behavior". If you don't want to have to deal with this, the only thing you can do is to refuse to do it; tell your folks in advance that they'll either stick with your recommendations, or they'll be on their own.
And then stick with that. You'll be surprised how quickly they'll adopt to Firefox, a firewall and all that. (Well, most likely; there is also a chance that they won't. But if they don't, then by definition, it won't be your problem anymore.)
I question the intelligence of those who do not take appropriate steps to safeguard their personal information. I have *NO* doubts, however, about the intelligence of someone who would commit almost 50 violations of the Electronic Communications Privacy Act (each one of those violations a felony) and then blog about it.
Laws affecting technology will always be bad until enough techies become lawyers.