Slashdot Mirror
Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.
Living With a Nerd
"Is it legal to access someone else's accounts without their permission."
No.
Firesheep is as legal as nmap in case anyone wondered.
Correct. And gun shops do that all day every day, all over the country.
The CB App. What's your 20?
Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."
Except then your subject line would have read: "57 downloads later..."
Well you do have to install it and then run it.
Besides it's not like you can run firesheep without Firefox installed to begin with.
Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.
You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.
But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody see's just how fragile the foundation is, it raises discussion.
And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.
It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.
At least in my country we have laws regarding privacy and secrecy of correspondency. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.
Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.
I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?
This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.
I have yet to see any major hotspot provider that secures their access, although in theory it would be possible, most don't do it because noone feels unsafe yet.
Firesheep may change that.
Make sure everyone's vote counts: Verified Voting
"Guns don't shoot people, Firefox shoots people!"
That seems to be the nature of the hyperbolic rhetoric in this sub-thread.
The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"
Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...
"Flyin' in just a sweet place,
Never been known to fail..."
That's true for WEP encryption I believe, but definitely not for WPA.
It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.
So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate them via the router, but you'd have to break their encryption to grab their cookies.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Try a car analogy. That might work better.
It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.
This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.
The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached before going out the establishment's cable modem for example), all that traffic is completely unencrypted.
To clarify, if at any point you connect using HTTP to a website, FireSheep can steal your cookies and impersonate you from that point on. It doesn't matter if the login form uses HTTPS or not (but of course if it does not your password can be stolen too, but AFAIK FireSheep just looks for cookies).
A linux build is available here. It's an firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.
You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.
All info taken from here.
WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.
http://en.wikipedia.org/wiki/IEEE_802.11i-2004
A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remebver winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the boogy man.