Slashdot Mirror


Firesheep Author Reflects On Wild Week

alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"

40 of 229 comments

  1. While I sorta agree with what the guy is saying... by Pojut · · Score: 4, Insightful

    ...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."

  2. And the answer is no. by Anonymous Coward · · Score: 4, Insightful

    "Is it legal to access someone else's accounts without their permission."
    No.

    Firesheep is as legal as nmap in case anyone wondered.

    1. Re:And the answer is no. by pantheonwhaley · · Score: 2, Insightful

      But what it is most like is a Firefox add-on.

    2. Re:And the answer is no. by dgatwood · · Score: 3, Informative

      Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:And the answer is no. by mdm-adph · · Score: 2, Interesting

      This is where you make the difference between "access" and "see."

      Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.

      If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.

      Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    4. Re:And the answer is no. by robosmurf · · Score: 2, Informative

      The real problem is that most social media sites CAN'T use https by default.

      Most of the advertising content delivery networks (and this does include Google's AdSense) don't support https.

      Thus, if the social media site used https for the entire session, then they wouldn't be able to serve ads, and wouldn't be able to fund the service. So it isn't going to happen.

      There is a real problem with current web protocols that security is all or nothing. You can use http and be insecure, or use https and break all kinds of network technologies (e.g. proxy caches). There is no way to have authenticated but not encrypted data, and the browser security functions make it very hard to mix content from different sources.

  3. Re:While I sorta agree with what the guy is saying by bennomatic · · Score: 5, Insightful

    Correct. And gun shops do that all day every day, all over the country.

    --
    The CB App. What's your 20?
  4. Re:While I sorta agree with what the guy is saying by Zeek40 · · Score: 5, Insightful

    Nah, it's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."

  5. Using it against unsuspecting people is illegal by Anonymous Coward · · Score: 2, Informative

    At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.

  6. Re:While I sorta agree with what the guy is saying by droidsURlooking4 · · Score: 2

    ...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."

    or stop someone else from hurting or killing others. Yes, us big kids sometimes use sharp tools if the job calls for it.

    Would you have it otherwise?

  7. Re:542,000 downloads later.... by Toe, The · · Score: 3, Insightful

    Except then your subject line would have read: "57 downloads later..."

  8. Hopefully... by ThoughtMonster · · Score: 2, Interesting

    ...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

    1. Re:Hopefully... by dreampod · · Score: 3, Insightful

      I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

      Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?

    2. Re:Hopefully... by Bigjeff5 · · Score: 3, Insightful

      That's true for WEP encryption I believe, but definitely not for WPA.

      It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.

      So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate with them via the router, but you'd have to break their encryption to grab their cookies.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    3. Re:Hopefully... by raddan · · Score: 5, Informative

      WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.

      http://en.wikipedia.org/wiki/IEEE_802.11i-2004

    4. Re:Hopefully... by luder · · Score: 2, Informative

      doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

      I just want to add to what others have said that in order to have specific individual keys on a per user basis you would need something like RADIUS based authentication.

  9. Re:While I sorta agree with what the guy is saying by TheKidWho · · Score: 3, Insightful

    Well you do have to install it and then run it.

    Besides it's not like you can run firesheep without Firefox installed to begin with.

  10. Re:While I sorta agree with what the guy is saying by fahlesr1 · · Score: 2, Informative

    When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.

    Some places I went to won't even sell you ammo the same day! How annoying is that? I just want to go home and plink some pop cans with my new gun!

  11. Re:What I don't get by dropadrop · · Score: 5, Insightful

    Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.

    You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.

    But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody sees just how fragile the foundation is, it raises discussion.

    And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.

  12. I'd like to use a more IT related version... by Anonymous Coward · · Score: 5, Interesting

    It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.

    At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.

    Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.

    1. Re:I'd like to use a more IT related version... by nschubach · · Score: 2, Insightful

      How would that work with Walkie talkies or CB radio?

      I mean, if I listened to someone on a walkie and they thought it was private...

      Heck, even some old cordless phones could be picked up by nearby speakers.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    2. Re:I'd like to use a more IT related version... by ScrewMaster · · Score: 3, Informative

      How would that work with Walkie talkies or CB radio?

      The answer is, it would not.

      I mean, if I listened to someone on a walkie and they thought it was private...

      Heck, even some old cordless phones could be picked up by nearby speakers.

      Precisely.

      Personally, I respectfully disagree with the GP. The way I look at this is exactly the way you do. If you broadcast information of any kind using radio waves, sound waves, light waves, gravity waves, thought waves, whatever, and someone receives that information, is able to interpret it, and uses it against you, it's because you a. broadcast it and b. left yourself wide open. You transmit modulated radiation, I'm going to pick it up if I want to, and do whatever I want with it. If you don't want me to do that, don't send those waves through my space, because you don't have a right to shine something at me and expect me not to look at it if I please. Project all your personal financial information on the wall, and I'm going to take pictures if I choose. Turn on a wireless transceiver in my vicinity, and I'll monitor your traffic if I feel like it. If that bothers you, keep it to yourself. Run a goddamn cable, or make sure your transmissions are not intelligible outside of your property line, or use encryption. But don't come whining to me about your "rights" because I'll simply ignore you. And that's me, a law-abiding citizen with no desire to take advantage of anyone. Expecting that mere legality will prevent someone bent on criminal activity from monitoring your communications is just silly. Don't depend upon the law, it cannot protect you in this case, so it might as well not be there.

      Fact is, anyone that knows how to use encryption and take the necessary steps to protect himself or herself couldn't care less whether it's legal or otherwise to receive such broadcasts. What we're talking about here are the unwashed masses, and the reality is that nothing can protect them (the law certainly can't) until the technology improves to the point where that protection is fully automatic.

      --
      The higher the technology, the sharper that two-edged sword.
  13. Re:Still confused by BitterOak · · Score: 2, Informative

    As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.

    This affects you only if you are connecting to the Internet wirelessly, do not employ encryption on your wireless link, and are visiting a website that doesn't use SSL (sorry for the acronym: it stands for secure sockets layer and is a protocol for encrypting connections to websites (those that use the https prefix.)).

    To protect yourself, be sure your wireless equipment is configured to use encryption (always a good idea) and if you log into websites that require a password, be sure the site is using SSL (also always a good idea.)

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  14. This isn't about manufacturers by rsborg · · Score: 3, Interesting

    This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.

    I have yet to see any major hotspot provider that secures their access, although in theory it would be possible, most don't do it because no one feels unsafe yet.

    Firesheep may change that.

    --
    Make sure everyone's vote counts: Verified Voting
  15. Re:While I sorta agree with what the guy is saying by Jeremiah Cornelius · · Score: 5, Insightful

    "Guns don't shoot people, Firefox shoots people!"

    That seems to be the nature of the hyperbolic rhetoric in this sub-thread.

    The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"

    Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  16. Re:Still confused by SoTerrified · · Score: 2, Informative

    Imagine wi-fi as a man at the far end of a crowded room yelling out information to you as loudly as he can.
    Me: "I'm Joe! When is the next train?"
    Yelling Guy (The wireless contact point): "Joe! Next train is at 5:05!"

    Yes, your wireless device listens to everything being yelled back and forth, and when it 'hears' something yelled at you, it passes it on. But it still hears everything. Normally, if it hears something for 'Joe', it knows that's not you, so it just ignores it. But the firesheep plugin doesn't ignore that information. It listens in and knows if it hears certain things, grab it anyway.

    If I'm on encrypted wireless, my stuff will be in a language foreign to everyone in the room but me. If I'm on an encrypted website (https://) then people might hear stuff being said, but again it will make no sense to them.

    BUT, if I log into Facebook on wireless with no encryption and with Facebook logging in via http: instead of https: it's like this...

    Me: I'm Joe! I want to log into Facebook. Here is my username and password!
    Yelling Guy: You are successful! Here's your session information.
    Gary: I'm Joe! I want to put a picture up in Facebook!
    YG: Done!
    Ed: I'm Joe! I want to put nasty comments on my friends wall!
    YG: Done!
    Phil: I'm Joe! I want to find all of Joe's Facebook friends and send them private messages!
    YG: Done!

    Does that help explain it?

  17. Re:While I sorta agree with what the guy is saying by MoanNGroan · · Score: 2, Interesting

    If it were a mere hacking tool that required some technical proficiency, maybe ... in this case you are handing the loaded gun to a 10-year old with simple a-b-c instructions and a list of potential targets, and a promise that it will be very difficult if not impossible to prosecute them.

  18. Re:While I sorta agree with what the guy is saying by rtfa-troll · · Score: 4, Insightful

    Try a car analogy. That might work better.

    It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.

    This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  19. Re:While I sorta agree with what the guy is saying by ElectricTurtle · · Score: 2, Informative

    If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately. I've bought a few guns in my time, and ammo with them, and never have been treated like that, nor would I ever accept being treated like that.

    --
    I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
  20. Re:Still confused by j-beda · · Score: 3, Informative

    Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.

    The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached before going out the establishment's cable modem for example), all that traffic is completely unencrypted.

  21. Re:Still confused by interkin3tic · · Score: 2, Informative

    As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.

    Wait, people weren't doing that before? I wasted all this time NOT logging into my bank account on my nintendo DS in an airport?!?!

    Kidding about that last part, but were people doing this before and this is just a prepackaged easy way for everyone to do it?

  22. Re:While I sorta agree with what the guy is saying by nschubach · · Score: 2, Funny

    They let you have the pointy scissors? All I got were these rounded ones that don't cut well. :(

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  23. Re:Still confused by The MAZZTer · · Score: 3, Informative

    To clarify, if at any point you connect using HTTP to a website, FireSheep can steal your cookies and impersonate you from that point on. It doesn't matter if the login form uses HTTPS or not (but of course if it does not your password can be stolen too, but AFAIK FireSheep just looks for cookies).
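
Added example, not part of the original thread: a small audit of Set-Cookie headers for the case described above, where the login form uses HTTPS but the session cookie lacks the Secure attribute and so is attached to a later plain-HTTP request. The host `social.example`, the cookie names and the function names are constructed for illustration; cookie matching is simplified to host-only, with Path ignored.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    host: str
    name: str
    secure: bool      # Secure: browser sends it over HTTPS only
    http_only: bool   # HttpOnly: hides it from scripts, not from the network


def parse_set_cookie(header_value, response_url):
    """Parse one Set-Cookie header value, keeping only what the audit needs."""
    first, *attr_parts = header_value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {a.partition("=")[0].strip().lower() for a in attr_parts}
    return Cookie(
        host=urlsplit(response_url).hostname,
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def cleartext_cookies(responses, requests):
    """Return {request_url: [cookie names]} for cookies sent without TLS.

    responses: list of (url, [Set-Cookie header values]) received earlier.
    requests:  list of URLs the browser fetches afterwards.
    Assumption: cookies are host-only and the Path attribute is ignored.
    """
    jar = {}
    for url, headers in responses:
        for value in headers:
            cookie = parse_set_cookie(value, url)
            jar[(cookie.host, cookie.name)] = cookie

    exposed = {}
    for url in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS requests are encrypted on the wire
        names = sorted(
            c.name for c in jar.values()
            if c.host == parts.hostname and not c.secure
        )
        if names:
            exposed[url] = names
    return exposed


# Constructed sample: login over HTTPS, then the site sends the user to HTTP.
WEAK = [("https://social.example/login",
         ["session=abc123; Path=/; HttpOnly", "csrf=xyz; Path=/; Secure"])]
# Same login response with the Secure attribute on the session cookie.
HARDENED = [("https://social.example/login",
             ["session=abc123; Path=/; Secure; HttpOnly",
              "csrf=xyz; Path=/; Secure"])]
REQUESTS = ["http://social.example/home",
            "https://social.example/settings",
            "http://cdn.example/logo.png"]

if __name__ == "__main__":
    print("weak:    ", cleartext_cookies(WEAK, REQUESTS))
    print("hardened:", cleartext_cookies(HARDENED, REQUESTS))
```

HttpOnly alone does not change the result: only the Secure attribute keeps the cookie off plain-HTTP requests.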

  24. Re:Error by Tridus · · Score: 2, Informative

    "Defective by design" is the design mantra at Apple HQ.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  25. Linux build is available by carvell · · Score: 3, Informative

    A Linux build is available here. It's a Firefox add-on file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.

    You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.

    All info taken from here.

  26. As Legal As... by Derosian · · Score: 2, Funny

    Firesheep is as legal as Limewire... Oh wait.

  27. Re:While I sorta agree with what the guy is saying by Anonymous Coward · · Score: 4, Interesting

    A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remember winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the bogeyman.

  28. Re:While I sorta agree with what the guy is saying by ToasterMonkey · · Score: 2, Insightful

    Really? Show me where I can buy a loaded gun.

  29. Re:While I sorta agree with what the guy is saying by ToasterMonkey · · Score: 2, Interesting

    Every day we live with the fact some random asshat could punch us in the face, but we don't walk around with football helmets on the street do we?

    Security isn't black vs. white.

  30. Re:While I sorta agree with what the guy is saying by cffrost · · Score: 2, Funny

    If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately.

    Just bring your own ammo and shoot that fucking guy.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan