Slashdot Mirror
Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.
Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.
Check out my sci-fi/humor trilogy at PatriotsBooks.
When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.
Some places I went to won't even sell you ammo the same day! How annoying is that? I just want to go home and plink some pop cans with my new gun!
As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.
This affects you only if you are connecting to the Internet wirelessly, do not employ encryption on your wireless link, and are visiting a website that doesn't use SSL (sorry for the acronym: it stands for secure sockets layer and is a protocol for encrypting connections to websites (those that use the https prefix.)).
To protect yourself, be sure your wireless equipment is configured to use encryption (always a good idea) and if you log into websites that require a password, be sure the site is using SSL (also always a good idea.)
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Imagine wi-fi as a man at the far end of a crowded room yelling out information to you as loudly as he can.
Me: "I'm Joe! When is the next train?"
Yelling Guy (The wireless contact point): "Joe! Next train is at 5:05!"
Yes, your wireless device listens to everything being yelled back and forth, and when it 'hears' something yelled at you, it passes it on. But it still hears everything. Normally, if it hears something for 'Joe', it knows that's not you, so it just ignores it. But the firesheep plugin doesn't ignore that information. It listens in and knows if it hears certain things, grab it anyway.
If I'm on encrypted wireless, my stuff will be in a language foreign to everyone in the room but me. If I'm on an encrypted website (https://) then people might hear stuff being said, but again it will make no sense to them.
BUT, if I log into Facebook on wireless with no encryption and with Facebook logging in via http: instead of https: it's like this...
Me: I'm Joe! I want to log into Facebook. Here is my username and password!
Yelling Guy: You are successful! Here's your session information.
Gary: I'm Joe! I want to put a picture up in Facebook!
YG: Done!
Ed: I'm Joe! I want to put nasty comments on my friends wall!
YG: Done!
Phil: I'm Joe! I want to find all of Joe's Facebook friends and send them private messages!
YG: Done!
Does that help explain it?
If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately. I've bought a few guns in my time, and ammo with them, and never have been treated like that, nor would I ever accept being treated like that.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.
The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached before going out the establishment's cable modem for example), all that traffic is completely unencrypted.
As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.
Wait, people weren't doing that before? I wasted all this time NOT logging into my bank account on my nintendo DS in an airport?!?!
Kidding about that last part, but were people doing this before and this is just a prepackaged easy way for everyone to do it?
To clarify, if at any point you connect using HTTP to a website, FireSheep can steal your cookies and impersonate you from that point on. It doesn't matter if the login form uses HTTPS or not (but of course if it does not your password can be stolen too, but AFAIK FireSheep just looks for cookies).
"Defective by design" is the design mantra at Apple HQ.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
A linux build is available here. It's an firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.
You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.
All info taken from here.
Wireshark doesn't retransmit the data it sniffs to a third party and shows you the reply of the 3rd party, Firesheep does.
(For those who didn't educate themselves before they started replying, Firesheep sniffs the cookies that are being passed in HTTP requests, then transmits those cookies to facebook to see what account facebook returns in the reply and shows you the profile picture of who you're logged in as.)
WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.
http://en.wikipedia.org/wiki/IEEE_802.11i-2004
doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
I just want to add to what others have said that in order to have specific individual keys on a per user basis you would need something like RADIUS based authentication.
How would that work with Walkie talkies or CB radio?
The answer is, it would not.
I mean, if I listened to someone on a walkie and they thought it was private...
Heck, even some old cordless phones could be picked up by nearby speakers.
Precisely.
Personally, I respectfully disagree with the GP. The way I look at this is exactly the way you do. if you broadcast information of any kind using radio waves, sound waves, light waves, gravity waves, thought waves, whatever, and someone receives that information, is able to interpret it, and uses it against you, it's because you a. broadcast it and b. left yourself wide open. You transmit modulated radiation, I'm going to pick it up if I want to, and do whatever I want with it. If you don't want me to do that, don't send those waves through my space, because you don't have a right to shine something at me and expect me not to look at it if I please. Project all your personal financial information on the wall, and I'm going to take pictures if I choose. Turn on a wireless transceiver in my vicinity, and I'll monitor your traffic if I feel like it. If that bothers you, keep it to yourself. Run a goddamn cable, or make sure your transmissions are not intelligible outside of your property line, or use encryption. But don't come whining to me about your "rights" because I'll simply ignore you. And that's me, a law-abiding citizen with no desire to take advantage of anyone. Expecting that mere legality will prevent someone bent on criminal activity from monitoring your communications is just silly. Don't depend upon the law, it cannot protect you in this case, so it might as well not be there.
Fact is, anyone that knows how to use encryption and take the necessary steps to protect him or her self couldn't care less whether it's legal or otherwise to receive such broadcasts. What we're talking about here are the unwashed masses, and the reality is that nothing can protect them (the law certainly can't) until the technology improves to the point where that protection is fully automatic.
The higher the technology, the sharper that two-edged sword.
The real problem is that most social media sites CAN'T use https by default.
Most of the advertising content delivery networks (and this does include Google's AdSense) don't support https.
Thus, if the social media site used https for the entire session, then they wouldn't be able to serve ads, and wouldn't be able to fund the service. So it isn't going to happen.
There is a real problem with current web protocols that security is all or nothing. You can use http and be insecure, or use https and break all kinds of network technologies (e.g. proxy caches). There is no way to have authenticated but not encrypted data, and the browser security functions make it very hard to mix content from different sources.