Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."
Living With a Nerd
"Is it legal to access someone else's accounts without their permission."
No.
Firesheep is as legal as nmap in case anyone wondered.
Correct. And gun shops do that all day every day, all over the country.
The CB App. What's your 20?
Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."
Well, that's exactly the NRA's argument, and it seems to work for them......
Except then your subject line would have read: "57 downloads later..."
Well you do have to install it and then run it.
Besides it's not like you can run firesheep without Firefox installed to begin with.
Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.
You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.
But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody sees just how fragile the foundation is, it raises discussion.
And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.
I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?
...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption the default. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.
Fixed that for you, if people want to run unencrypted wifi, that should be their right, but I do agree that manufacturers should turn on the best security connection by default. Quick point, the wireless DSL modem I bought from Quest defaults to WPA2 and has a 32 Char (though each of those chars is still just a hexdigit...) password. Pretty decent out of the box if you ask me.
manufacturers will take a hint and make WPA encryption mandatory.
That's actually a terrible idea. WPA won't solve the real problem.
It would make people feel secure, until a year later someone publishes a tool that simplifies ARP poisoning and the whole story starts again.
If you really care about the security of the users, you should teach people how to use end-to-end encrypted protocols, like HTTPS for example.
"Guns don't shoot people, Firefox shoots people!"
That seems to be the nature of the hyperbolic rhetoric in this sub-thread.
The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"
Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...
"Flyin' in just a sweet place,
Never been known to fail..."
That's true for WEP encryption I believe, but definitely not for WPA.
It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.
So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate with them via the router, but you'd have to break their encryption to grab their cookies.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Try a car analogy. That might work better.
It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.
This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
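An added example, not part of the original thread: a Python audit of HTTP response headers for the condition the discussion describes, session cookies that can cross an open network unencrypted. The cookie-name heuristic (`SESSION_HINTS`) and the sample responses are constructed assumptions.

```python
# Added example: flag session cookies that a passive listener on an open
# network could read. All header values below are constructed sample data.

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed naming heuristic


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme, headers):
    """Return a list of findings; headers is a list of (name, value) pairs."""
    findings = []
    names = {h.lower() for h, _ in headers}
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no HSTS: browser may still make plain-HTTP requests")
    for h, v in headers:
        if h.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if not any(hint in cookie.lower() for hint in SESSION_HINTS):
            continue  # not a session cookie by our heuristic
        if scheme == "http":
            findings.append(f"{cookie}: issued over plain HTTP")
        elif "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, sent on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly")
    return findings


# Constructed samples: HTTPS login that leaks the cookie afterwards,
# a hardened response, and a site served entirely over HTTP.
WEAK = ("https", [("Content-Type", "text/html"),
                  ("Set-Cookie", "session_id=abc123; Path=/")])
HARDENED = ("https", [("Strict-Transport-Security", "max-age=31536000"),
                      ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")])
PLAIN = ("http", [("Set-Cookie", "lang=en; Path=/"),
                  ("Set-Cookie", "auth_token=xyz; Path=/")])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED), ("plain", PLAIN)):
        print(label, audit_response(*sample))
```
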
How would that work with Walkie talkies or CB radio?
I mean, if I listened to someone on a walkie and they thought it was private...
Heck, even some old cordless phones could be picked up by nearby speakers.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Really? Show me where I can buy a loaded gun.