Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.
It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.
At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read it. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.
Some people argue that we shouldn't outlaw anything that we can't effectively monitor (i.e., we shouldn't outlaw this because we couldn't catch most of the people doing this anyway). I understand their point but I respectfully disagree.
This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.
I have yet to see any major hotspot provider that secures their access; although in theory it would be possible, most don't do it because no one feels unsafe yet.
Firesheep may change that.
Make sure everyone's vote counts: Verified Voting
This is where you make the difference between "access" and "see."
Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.
If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.
Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."
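The weakness this comment refers to is a session cookie that the browser will happily send over plain HTTP, which is what a passive listener on an open network picks up. The following is an added example (not code from the thread, Firesheep, or any site mentioned) that audits constructed sample response headers for exactly that: session cookies lacking the Secure attribute, plus the HttpOnly and Strict-Transport-Security hardening that goes with it.

```python
"""Audit response headers for cookies a browser would send over plain HTTP.
The two header sets below are constructed samples, not captured traffic."""
from http.cookies import SimpleCookie

# Constructed sample resembling the pattern discussed: the session token is
# HttpOnly but not Secure, so it still travels in the clear over HTTP.
WEAK_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed hardened variant: Secure on every cookie, HttpOnly on the
# session cookie, and HSTS so the browser refuses to use HTTP at all.
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Substrings that suggest a cookie carries authentication state (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_headers(headers):
    """Return (severity, cookie_name, message) findings; an empty list means
    no cookie here can be captured by a passive listener on plain HTTP."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; Attr; Attr=val" into Morsels
        for cookie_name, morsel in jar.items():
            is_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
            # Morsel flags are "" when absent and True when the attribute was set.
            if not morsel["secure"]:
                severity = "high" if is_session else "low"
                findings.append((severity, cookie_name,
                                 "missing Secure: sent over plain HTTP"))
            if is_session and not morsel["httponly"]:
                findings.append(("medium", cookie_name,
                                 "missing HttpOnly: readable from script"))
    if not has_hsts:
        findings.append(("medium", "*", "no Strict-Transport-Security header"))
    return findings
```

Run it against the headers of your own site to see which cookies an eavesdropper on an open hotspot would receive before any login form is even involved.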
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
If it were a mere hacking tool that required some technical proficiency, maybe ... in this case you are handing the loaded gun to a 10-year-old with simple a-b-c instructions and a list of potential targets, and a promise that it will be very difficult if not impossible to prosecute them.
A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid-90s. Remember winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way, blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Linux and several others were affected by that too, but the owners took responsibility for it and fixed it without blaming it on the bogeyman.
Every day we live with the fact some random asshat could punch us in the face, but we don't walk around with football helmets on the street do we?
Security isn't black vs. white.