Slashdot Mirror


Firesheep Author Reflects On Wild Week

alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"

6 of 229 comments

  1. Re:And the answer is no. by dgatwood · Score: 3, Informative

    Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:Still confused by j-beda · Score: 3, Informative

    Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.

    The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached to before going out the establishment's cable modem, for example), all that traffic is completely unencrypted.

  3. Re:Still confused by The+MAZZTer · Score: 3, Informative

    To clarify, if at any point you connect using HTTP to a website, FireSheep can steal your cookies and impersonate you from that point on. It doesn't matter if the login form uses HTTPS or not (but of course if it does not your password can be stolen too, but AFAIK FireSheep just looks for cookies).
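
The two comments above describe the same weakness from the site's side: a session cookie that is not marked Secure is sent along with any plain-HTTP request, so one unencrypted page load exposes it on an open network. The audit below is an added example written for this page, not code from Firesheep or from any site mentioned; the two sets of Set-Cookie headers are constructed samples, and the SESSION_HINTS heuristic for spotting session cookies by name is an assumption of the example.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off plain-HTTP connections (Secure) and away from page script (HttpOnly).
Added example for this page; headers below are constructed, not captured."""

from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample response headers (not from any real site).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "weak": [
        "Set-Cookie: sessionid=abc123; Path=/",
        "Set-Cookie: prefs=dark; Path=/",
    ],
    "hardened": [
        "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Set-Cookie: prefs=dark; Path=/",
    ],
}

# Assumed name fragments that usually mark a session/auth cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_line: str) -> CookieFinding:
    """Parse one 'Set-Cookie: name=value; Attr; Attr=value' line."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    finding = CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_HINTS),
    )
    if finding.looks_like_session:
        if not finding.secure:
            finding.problems.append("lacks Secure: sent on plain-HTTP requests")
        if not finding.httponly:
            finding.problems.append("lacks HttpOnly: readable by page script")
    return finding


def audit(headers: List[str]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a response; other headers are ignored."""
    return [parse_set_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


def insecure_session_cookies(headers: List[str]) -> List[str]:
    """Names of session-looking cookies that would be exposed over HTTP."""
    return [f.name for f in audit(headers) if f.problems]


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        for f in audit(headers):
            status = "; ".join(f.problems) or "ok"
            print(f"[{label}] {f.name}: {status}")
```

Marking the cookie Secure stops the browser from attaching it to http:// requests at all, which is the site-side fix the comments are asking for; redirecting to HTTPS after login does nothing for a cookie that is still sent on the next plain-HTTP page load.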

  4. Linux build is available by carvell · Score: 3, Informative

    A Linux build is available here. It's a Firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.

    You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.

    All info taken from here.

  5. Re:Hopefully... by raddan · Score: 5, Informative

    WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.

    http://en.wikipedia.org/wiki/IEEE_802.11i-2004
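
The comment above states that WPA's four-way handshake gives each client its own Pairwise Transient Key. The script below, an added example written for this page rather than code from the comment's source, carries that derivation through: the PMK comes from a passphrase via PBKDF2-HMAC-SHA1 as in WPA-PSK, and the PTK is expanded with the 802.11i PRF from the PMK, both MAC addresses and both nonces. The passphrase, SSID, MAC addresses and nonces are constructed values.

```python
"""WPA2-PSK key hierarchy: PMK -> PTK (KCK | KEK | TK), per IEEE 802.11i.
Added example for this page; every input value below is constructed."""

import hashlib
import hmac

# Constructed inputs: a shared passphrase, an AP and two associated stations.
SSID = b"ExampleNet"
PASSPHRASE = b"example-passphrase"
AP_MAC = bytes.fromhex("001122334455")
STA1_MAC = bytes.fromhex("66778899aabb")
STA2_MAC = bytes.fromhex("ccddeeff0011")
ANONCE = bytes(range(32))                # AP nonce, sent in handshake message 1
SNONCE1 = bytes(range(32, 64))           # station 1's nonce, message 2
SNONCE2 = bytes(range(64, 96))           # station 2's nonce, message 2


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i) blocks."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 384) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)|Max(AA,SPA)|Min(N)|Max(N))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> dict:
    """CCMP layout: 16-byte KCK (handshake MIC), 16-byte KEK, 16-byte TK (data key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


PMK = pmk_from_passphrase(PASSPHRASE, SSID)


def station_keys() -> dict:
    """Per-station PTKs derived from the one shared PMK."""
    return {
        "sta1": derive_ptk(PMK, AP_MAC, STA1_MAC, ANONCE, SNONCE1),
        "sta2": derive_ptk(PMK, AP_MAC, STA2_MAC, ANONCE, SNONCE2),
    }


if __name__ == "__main__":
    for sta, ptk in station_keys().items():
        tk = split_ptk(ptk)["TK"]
        print(f"{sta}: TK={tk.hex()}")
```

Both stations start from the same PMK, yet their temporal keys differ because the station MAC and the nonces exchanged in the handshake are bound into the expansion; that is what makes one client's encrypted frames opaque to another client on the same WPA network, in contrast to the shared-key situations the earlier comments worried about.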

  6. Re:I'd like to use a more IT related version... by ScrewMaster · Score: 3, Informative

    How would that work with Walkie talkies or CB radio?

    The answer is, it would not.

    I mean, if I listened to someone on a walkie and they thought it was private...

    Heck, even some old cordless phones could be picked up by nearby speakers.

    Precisely.

    Personally, I respectfully disagree with the GP. The way I look at this is exactly the way you do. If you broadcast information of any kind using radio waves, sound waves, light waves, gravity waves, thought waves, whatever, and someone receives that information, is able to interpret it, and uses it against you, it's because you a. broadcast it and b. left yourself wide open. You transmit modulated radiation, I'm going to pick it up if I want to, and do whatever I want with it. If you don't want me to do that, don't send those waves through my space, because you don't have a right to shine something at me and expect me not to look at it if I please. Project all your personal financial information on the wall, and I'm going to take pictures if I choose. Turn on a wireless transceiver in my vicinity, and I'll monitor your traffic if I feel like it. If that bothers you, keep it to yourself. Run a goddamn cable, or make sure your transmissions are not intelligible outside of your property line, or use encryption. But don't come whining to me about your "rights" because I'll simply ignore you. And that's me, a law-abiding citizen with no desire to take advantage of anyone. Expecting that mere legality will prevent someone bent on criminal activity from monitoring your communications is just silly. Don't depend upon the law, it cannot protect you in this case, so it might as well not be there.

    Fact is, anyone that knows how to use encryption and take the necessary steps to protect himself or herself couldn't care less whether it's legal or otherwise to receive such broadcasts. What we're talking about here are the unwashed masses, and the reality is that nothing can protect them (the law certainly can't) until the technology improves to the point where that protection is fully automatic.

    --
    The higher the technology, the sharper that two-edged sword.