Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firesheep Author Reflects On Wild Week

Posted by Soulskill on from the don't-be-baa-aad dept.

alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"

10 of 229 comments (clear)

  1. While I sorta agree with what the guy is saying... by Pojut · · Score: 4, Insightful

    ...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

    --
    Living With a Nerd
  2. And the answer is no. by Anonymous Coward · · Score: 4, Insightful

    "Is it legal to access someone else's accounts without their permission."
    No.

    Firesheep is as legal as nmap in case anyone wondered.

  3. Re:While I sorta agree with what the guy is saying by bennomatic · · Score: 5, Insightful

    Correct. And gun shops do that all day every day, all over the country.

    --
    The CB App. What's your 20?
  4. Re:While I sorta agree with what the guy is saying by Zeek40 · · Score: 5, Insightful

    Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."

  5. Re:What I don't get by dropadrop · · Score: 5, Insightful

    Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.

    You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.

    But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody see's just how fragile the foundation is, it raises discussion.

    And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.

  6. I'd like to use a more IT related version... by Anonymous Coward · · Score: 5, Interesting

    It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.

    At least in my country we have laws regarding privacy and secrecy of correspondency. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.

    Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.

  7. Re:While I sorta agree with what the guy is saying by Jeremiah+Cornelius · · Score: 5, Insightful

    "Guns don't shoot people, Firefox shoots people!"

    That seems to be the nature of the hyperbolic rhetoric in this sub-thread.

    The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"

    Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  8. Re:While I sorta agree with what the guy is saying by rtfa-troll · · Score: 4, Insightful

    Try a car analogy. That might work better.

    It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.

    This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  9. Re:Hopefully... by raddan · · Score: 5, Informative

    WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.

    http://en.wikipedia.org/wiki/IEEE_802.11i-2004

  10. Re:While I sorta agree with what the guy is saying by Anonymous Coward · · Score: 4, Interesting

    A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remebver winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the boogy man.