Herding Firesheep In NYC — Do Users Care?

An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."

Some people don't care

[Moniker3]

People leave themselves signed into facebook all the time in my university library. Some people just don't care that much.

Re:Some people don't care

[TheLink]

Currently you're more likely to lose your entire laptop, bags etc to a thief at a cafe.

Anyone in IT security or who attends stuff like defcon has known about this problem for years, but nothing much has happened in normal cafes (despite people getting embarassed at defcon year after year).

But the malware bunch have never bothered because it was not really worth it. They have no big difficulty getting people to run malware - they don't even have to be in the same country much less the same cafe. The spammers still send spam, the worms still spread, the zombies still get installed.

It'd only be a big problem if someone (whether whitehat or blackhat) develops a nice tool/lib to do it, then the cost to the malware people goes down, and then it becomes another method for spreading.

My guess is if the authors and proponents of firesheep never kicked up a fuss about it, it would have been many more years before it would have become a problem, if at all.

The "easiest" solution actually is not to get everyone to use https - since lots of sites including slashdot don't use it.

The easiest solution is to fix secure wifi: http://slashdot.org/comments.pl?sid=1578784&cid=31435914 http://slashdot.org/comments.pl?sid=1578784&cid=31437480

To quote myself: "with the current WiFi standards you cannot have an easy way for a Cafe/Hotel/Conference to provide encrypted wireless connections to guests in a way where they cannot snoop on each other's connections. if you use preshared key users can decrypt each other's traffic. If you use username and password, it's far more inconvenient for the user and the service provider."

Yes in theory "people should use https, vpns etc all the time blahblahblah", but this requires ALL parties involved to support encryption. That'll happen about the time Duke Nukem Forever gets released.

Whereas things would be much safer if people running cafe systems could unilaterally provide secure wifi just the way a site could unilaterally provide https. It takes some tweaking to the wifi standards and coordination with the OS makers, so that users don't have to do very much extra work.

But no, with the current way way users have to enter correct usernames and passwords.

Yes I know, MITM attacks would still be possible (assuming the users "click through warnings", or can't tell the difference between a legit starbucks cert and a fake), but that's the same for https as well.

Furthermore if you _add_ more "ssh style" _sanity_[1], then operators could use "autogen self-signed" keys and still users could be safe because the first time they go to a cafe they just recognize the key and say its ok (risk is low after all), if the next time an attacker tries to MITM, the user gets a warning.

If the first time you go to a cafe and notice a few people are grumbling to the cafe "hey why's there this warning popping up, why two SSIDs with the same name", you can wait for things to be sorted out first ;).

[1] Current https/ssl stuff is insane. As long as a cert is signed by any of the CAs installed in your browser it's regarded as OK. Trusting a self-signed cert is actually safer- since you'd get a warning if the cert changed due to a MITM. Whereas if a CA in Turkey/China/etc signed a fake Bank of America's cert, you wouldn't get a warning at all when being MITMed by them! (unless you use plugins like certificate patrol). So a combination of CAs and ssh style would be better.

Re:What a jerk

[phyrexianshaw.ca]

... you completely fail to understand how unencrypted WIFI works.

the analogy here would be him taking pictures in your open uncovered window of your couch, and sending you the picture in the mail. had he captured you having an affair and tried to ransom the image that you freely gave him back to you: that would be illegal.

never should it be illegal to INFORM SOMEBODY OF THE LACK OF SECURITY PROVIDED BY ANYTHING. it's one thing to go posting on the internet "this guy at 123 somewhere st never locks his door, and works from 9-5/m-f!!" but it should never be illegal to send him a pamphlet just inside the door stating how bad an idea it is to leave it unlocked.

Re:What a jerk

All these house analogies fail.

What this is basically like, is like putting a bunch of your stuff out on the sidewalk in front of your house... and getting all self-righteous and pissed when someone comes along and pokes through it.

They may have been logging in accidentally

[jordan314]

I gave Firesheep a try today, and am surprised how many times my own cookies come up inside it without me directly visiting those sites. My google account came up without me browsing at all -- perhaps one of my firefox add-ons was using it, or maybe google latitude on my phone was triggering it? My facebook account came up when browsing other non-facebook sites as well, most likely from facebook connect. The users could have stopped visiting facebook after getting his warning messages and still had their cookies exposed.

Re:The Best Plan

[Samantha+Wright]

But not to delete it!

The problem is not theirs, they think.

[Khenke]

For example I set up my sisters computer with a firewall, anti-virus, anti-malware software and installed FireFox.

What happened?

My sister and her husband got sick of the question popping up all the time, "Do you want to allow this program to access the internet?" and instead of reading and the checking the box "Do this always" they found it easier to turn off the firewall and the anti-virus (more stupid questions they didn't bother to read). And to top it up, they thought IE was more familiar and started (against my strong advice) using it again.

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
It's the same with getting their account hacked, it not their problem (they think), it's mine.

If people would handle their cars the same way they handle their computer the car industries wouldn't have any problem with sales today...
And if people handled strangers the same IRL that they handle them on the Internet we would have everyone giving away their keys to their house if a stranger asked for it (of just give it to them without them asking...).

I will never understand why people feel so safe on Internet.