Herding Firesheep In NYC — Do Users Care?

An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."

Some people don't care

[Moniker3]

People leave themselves signed into facebook all the time in my university library. Some people just don't care that much.

Re:Some people don't care

[PatHMV]

Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Re:Some people don't care

[EdIII]

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Well... since most "rural" families that I know live in Oklahoma and Texas and have shotgun racks on the back of their trucks I expect the conversation to go much differently.

Re:Some people don't care

[Local+ID10T]

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, and would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers -that's a city dweller response.

Re:Some people don't care

[TheLink]

Currently you're more likely to lose your entire laptop, bags etc to a thief at a cafe.

Anyone in IT security or who attends stuff like defcon has known about this problem for years, but nothing much has happened in normal cafes (despite people getting embarassed at defcon year after year).

But the malware bunch have never bothered because it was not really worth it. They have no big difficulty getting people to run malware - they don't even have to be in the same country much less the same cafe. The spammers still send spam, the worms still spread, the zombies still get installed.

It'd only be a big problem if someone (whether whitehat or blackhat) develops a nice tool/lib to do it, then the cost to the malware people goes down, and then it becomes another method for spreading.

My guess is if the authors and proponents of firesheep never kicked up a fuss about it, it would have been many more years before it would have become a problem, if at all.

The "easiest" solution actually is not to get everyone to use https - since lots of sites including slashdot don't use it.

The easiest solution is to fix secure wifi: http://slashdot.org/comments.pl?sid=1578784&cid=31435914 http://slashdot.org/comments.pl?sid=1578784&cid=31437480

To quote myself: "with the current WiFi standards you cannot have an easy way for a Cafe/Hotel/Conference to provide encrypted wireless connections to guests in a way where they cannot snoop on each other's connections. if you use preshared key users can decrypt each other's traffic. If you use username and password, it's far more inconvenient for the user and the service provider."

Yes in theory "people should use https, vpns etc all the time blahblahblah", but this requires ALL parties involved to support encryption. That'll happen about the time Duke Nukem Forever gets released.

Whereas things would be much safer if people running cafe systems could unilaterally provide secure wifi just the way a site could unilaterally provide https. It takes some tweaking to the wifi standards and coordination with the OS makers, so that users don't have to do very much extra work.

But no, with the current way way users have to enter correct usernames and passwords.

Yes I know, MITM attacks would still be possible (assuming the users "click through warnings", or can't tell the difference between a legit starbucks cert and a fake), but that's the same for https as well.

Furthermore if you _add_ more "ssh style" _sanity_[1], then operators could use "autogen self-signed" keys and still users could be safe because the first time they go to a cafe they just recognize the key and say its ok (risk is low after all), if the next time an attacker tries to MITM, the user gets a warning.

If the first time you go to a cafe and notice a few people are grumbling to the cafe "hey why's there this warning popping up, why two SSIDs with the same name", you can wait for things to be sorted out first ;).

[1] Current https/ssl stuff is insane. As long as a cert is signed by any of the CAs installed in your browser it's regarded as OK. Trusting a self-signed cert is actually safer- since you'd get a warning if the cert changed due to a MITM. Whereas if a CA in Turkey/China/etc signed a fake Bank of America's cert, you wouldn't get a warning at all when being MITMed by them! (unless you use plugins like certificate patrol). So a combination of CAs and ssh style would be better.

Re:Some people don't care

[evanism]

Security doesn't reduce your stupidity. Nor does paranoia increase your security. Check the USA today. Post a toner cartridge and the whole country shuts down. QED. (Bet the guys at newegg are looking at their policy on combo parts shipments.) (Apologies to the nice Americans here)

Re:Some people don't care

[theshowmecanuck]

Post a toner cartridge and the whole country shuts down.

FTFY:
Post a toner cartridge full of PETN and the whole country shuts down.

Interestingly, the author of TFA never considers

[brokeninside]

... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatevever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.

False sense of security

[cappp]

I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexivly doing. In effect we're trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah

That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.

From TFA: "my fly had been wide open"

[John+Hasler]

So that's the reason. None of them noticed his messages because they were too busy staring at his crotch.

Re:From TFA: "my fly had been wide open"

[nacturation]

Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.

Denial is bliss

[bl8n8r]

A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.

Re:Denial is bliss

[joe_frisch]

Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.

I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me). I need to decide if the decreased risk of being hacked is worth the cost in time.

Re:If you did this to me

[pthisis]

It Takes a Thief got the owner's permission before staging the break-ins. If you got someone's permission before attempting to sidejack their account, you'd probably be in the clear. Without it, you're breaking the law.

Re:Interestingly, the author of TFA never consider

[IamTheRealMike]

Yes, exactly.

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:

1. No VPN at an airport or coffee shop. Your session may be hijacked by somebody near by, intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
2. VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPNs colo facility and the target. The only people who actually do this is government, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily lives threat model, mostly because you can't do anything about it except move country and most governments, at least in the west, just aren't that bad.
3. Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc and the government. Notice how nothing changed from step 2..

I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

everything on teevee is da truth

[YouWantFriesWithThat]

you're joking right? how do you think all the interior cameras get in side the house?

they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.

Re:Interestingly, the author of TFA never consider

[Jah-Wren+Ryel]

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.

In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.

Re:What a jerk

[phyrexianshaw.ca]

... you completely fail to understand how unencrypted WIFI works.

the analogy here would be him taking pictures in your open uncovered window of your couch, and sending you the picture in the mail. had he captured you having an affair and tried to ransom the image that you freely gave him back to you: that would be illegal.

never should it be illegal to INFORM SOMEBODY OF THE LACK OF SECURITY PROVIDED BY ANYTHING. it's one thing to go posting on the internet "this guy at 123 somewhere st never locks his door, and works from 9-5/m-f!!" but it should never be illegal to send him a pamphlet just inside the door stating how bad an idea it is to leave it unlocked.

Re:What a jerk

All these house analogies fail.

What this is basically like, is like putting a bunch of your stuff out on the sidewalk in front of your house... and getting all self-righteous and pissed when someone comes along and pokes through it.

Re:They care - they're filing lawsuits

[francium+de+neobie]

Had he not posted the action on his blog, it'd have been hard.

They may have been logging in accidentally

[jordan314]

I gave Firesheep a try today, and am surprised how many times my own cookies come up inside it without me directly visiting those sites. My google account came up without me browsing at all -- perhaps one of my firefox add-ons was using it, or maybe google latitude on my phone was triggering it? My facebook account came up when browsing other non-facebook sites as well, most likely from facebook connect. The users could have stopped visiting facebook after getting his warning messages and still had their cookies exposed.

Re:The Best Plan

[Samantha+Wright]

But not to delete it!

The problem is not theirs, they think.

[Khenke]

For example I set up my sisters computer with a firewall, anti-virus, anti-malware software and installed FireFox.

What happened?

My sister and her husband got sick of the question popping up all the time, "Do you want to allow this program to access the internet?" and instead of reading and the checking the box "Do this always" they found it easier to turn off the firewall and the anti-virus (more stupid questions they didn't bother to read). And to top it up, they thought IE was more familiar and started (against my strong advice) using it again.

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
It's the same with getting their account hacked, it not their problem (they think), it's mine.

If people would handle their cars the same way they handle their computer the car industries wouldn't have any problem with sales today...
And if people handled strangers the same IRL that they handle them on the Internet we would have everyone giving away their keys to their house if a stranger asked for it (of just give it to them without them asking...).

I will never understand why people feel so safe on Internet.

Re:The problem is not theirs, they think.

[h4rr4r]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

Sounds like you are the problem.

Re:The problem is not theirs, they think.

[Seumas]

EXACTLY.

I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idiot who lacked any common sense whatsoever and deserved the problems you attracted to yourself.

However, replace "car" with "computer, and we suddenly excuse that mentality. You are no longer a stupid fool exhibiting a lack of common sense or at least interest in understanding things (for example "I should check the manual to see what this idiot light means"). No, when it's a computer -- you're suddenly *the victim*. A victim of complex, baffling, impossible to understand (because you willfully refuse to try), scary technology.

Re:The problem is not theirs, they think.

[the_womble]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer. It's the same with getting their account hacked, it not their problem (they think), it's mine.

It would be there problem if you did not make it yours.

Its amazing how willing people are to volunteer free support for Windows. If they are not paying you tell them to ask MS for help.

The Good Old Days

[IonOtter]

Back when I was a student in college, we were using DEC VAX/VMS systems to provide service to the campus network.

I loved the help menu. It was VERY useful to do all sorts of things, such as creating your LOGIN.COM file. With the LOGIN.COM file, you could set your command prompt, establish which home directory to use, create macros to start batch jobs...you name it.

Occasionally, we'd come across someone who forgot to log out of their session, and just left ms-kermit running on their terminal.

If it was the first time, we'd telnet into their mail client and send them an email from themselves, warning them to be more careful. If it was the second time, we had a bit more fun.

Such as setting their home directory ATTRIB *.* +H

The best was when we edited their LOGIN.COM file, so that whenever they tried to execute *any* commands, it would send a pmail to the sysadmin saying, "I'm an idiot who left his account open, and I need an adult to fix it for me, please?"

Not surprisingly, the sysadmin WAS amused by this, and had great fun exacerbating the torture. It was a different era, when sysadmins had PhD's and a sense of humor.

Fond memories...

Author is ignoring the obvious

[meeotch]

Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.

Re:Author is ignoring the obvious

[hedwards]

What annoys me about Firefox is that it doesn't let you easily sidestep the security on a temporary basis. Either you can't go in or it wants you to create a permanent exception. I'm not really sure why it can't provide a convenient way of making it a one time deal. Once I'm in if I decide to do that, then is the appropriate time for me to decide whether to add a permanent exception or not.

In virtually all cases I'm not going back to that site, so ultimately not providing a convenient temporary access is probably worse for security.

Re:Interestingly, the author of TFA never consider

[RaymondKurzweil]

A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.

Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.

Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the more self-identified geeks and hackers I meet in recent times, the more I come to the conclusion they're mostly idiots at this point. Ever since "geek" became some kind of shibboleth, it's been all down hill.

Fuck being a geek. There is no virtue in being capable in one area to the detriment at all others. It is indeed possible to dedicate one's brain to both number theory and cryptographic fundamentals, and still be able to solve simple cost-benefit problems.

Re:They need a simple guide or something to click!

If the site doesn't support HTTPS, there's not an easy fix. The users could set up a VPN connection, but that's not as simple as clicking to install a tool. We need to start asking all sites that use cookies to store authentication credentials, which is pretty much any site that allows you to log in and remembers that you've logged in, to allow the HTTPS to access all their pages. Let's start with Slashdot. Slashdot, please provide HTTPS support on all pages on the site! StartSSL certificates are free!

Re:If you did this to me

I yell "who the fuck hacked my facebook?" and look for the geeky looking dude who looked into his latte.

Re:They care - they're filing lawsuits

[MichaelSmith]

Gary LosHuertos

        * Gender: Male
        * Astrological Sign: Scorpio
        * Industry: Consulting
        * Occupation: Software Engineer
        * Location: New York : NY : United States

Whoops! Your tongue is now a magnet. Whatever will you use for silverware?

Plastic.
Interests

        * road trips
        * programming
        * languages
        * movies
        * going out to eat
        * perkins
        * ihop
        * grammar
        * legends of the hidden temple

Favorite Movies

        * Garden State
        * Little Miss Sunshine
        * Finding Neverland
        * Center Stage
        * Sphere
        * 1984
        * The Devil Wears Prada
        * Moulin Rouge
        * 28 Days Later
        * Cruel Intentions
        * Dogma
        * Contact
        * Rules of Attraction
        * LOTR

Favorite Music

        * Alanis Morissette
        * Dixie Chicks
        * RHCP
        * Ben Folds
        * Styx
        * Journey
        * Eurythmics
        * The Police
        * Weezer
        * Indochine
        * Chumbawamba
        * Les Vulgaires Machins
        * Wicked
        * The Beatles
        * Jimmy Eat World
        * Avenue Q
        * Jason Robert Brown
        * Do As Infinity
        * U2
        * Fischerspooner
        * Chicks on Speed
        * Les Miserables
        * Talking Heads
        * They Might be Giants
        * Phantom Planet
        * Motion City Soundtrack
        * ABBA

Even if thats all made up, this guy has posted more than one item to this blog.

Even forced SSL doesn't work

[George_Ou]

Forced SSL doesn't even work for Google, Twitter, and Facebook and probably most other sites even if they support SSL. That's because the javascript on those pages will opt to transmit authentication cookies in the clear. http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/

Re:The Best Plan

[RichiH]

And after that, go back into your Mom's basement, erm, I mean the Bat Cave, and feel all smug about the ten kinds of awesome that you are.

Wow. Highly questionable activities.

[Compulawyer]

I question the intelligence of those who do not take appropriate steps to safeguard their personal information. I have *NO* doubts, however, about the intelligence of someone who would commit almost 50 violations of the Electronic Communications Privacy Act (each one of those violations a felony) and then blog about it.