Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
Hopefully... (Score:3, Interesting)
...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.
Is It Legal (Score:1, Interesting)
"A much more appropriate question is: 'Is it legal to access someone else's accounts without their permission.'"
No, that's not an appropriate question.
The answer is a clear-cut, resounding, "NO".
His add-on simply sniffs the open air for cookies from a list of sites that use http instead of https. Then you get a little "log in" button to take that cookie as your own.
While effective, it's trivial to do, and doesn't uncover any new exploits or weaknesses.
Firesheep is only intended for illegal purposes, thus Firesheep itself may be deemed illegal in many countries, or the use of it may be justifiably restricted to certain activities (such as penetration testing).
This wasn't an unpatched exploit that a big company took months to fix.
This wasn't some obscure vector that went unacknowledged for years.
This was a fucking design decision.
Sending credentials in the clear is retarded. This shit needs to stop, and if it takes an asshole like Eric Butler trolling Facebook and Twitter users at Starbucks to get it changed, so be it. Companies don't cater to the experts, they cater to the masses. The only way to get shit changed is to make the masses bitch.
What we can conclude from this fiasco is:
Butler is an asshat.
Many major sites don't give a shit about security.
Many major sites do give a shit about public perception.
In order to get things fixed, we need asshats like Butler pointing at the wide open door and shouting to the plebes, "LOOK WHAT I CAN DO!".
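The flaw the comment above describes, a login session cookie that the browser will happily send over plain HTTP, is something a site operator can check for in their own responses. The following is an added example, not Firesheep's code or any site's: it parses the Set-Cookie headers of a raw HTTP response and flags session-looking cookies that lack the Secure attribute (RFC 6265), which is what confines a cookie to HTTPS. The sample responses and the name heuristics are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed heuristic: substrings that usually mark a login-session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def exposed(self) -> bool:
        # The precondition Firesheep relied on: a session cookie that the
        # browser will also transmit over unencrypted HTTP.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    lname = name.lower()
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in lname for h in SESSION_NAME_HINTS),
    )


def audit_response(raw_response: str) -> list[CookieFinding]:
    """Return a finding for every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [parse_set_cookie(line.split(":", 1)[1])
            for line in head.split("\r\n")[1:]
            if line.lower().startswith("set-cookie:")]


def exposed_cookies(raw_response: str) -> list[str]:
    """Names of session cookies that would leak on an open Wi-Fi network."""
    return [f.name for f in audit_response(raw_response) if f.exposed]


# Constructed samples: a weak login response of the kind Firesheep targeted,
# beside the same response with the Secure attribute added.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
                 "Set-Cookie: lang=en; Path=/\r\n\r\n")
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
                  "Set-Cookie: lang=en; Path=/\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "exposed:", exposed_cookies(resp))
```

Note that Secure only stops the cookie from travelling over HTTP; the site still has to serve the logged-in pages themselves over HTTPS, otherwise the browser simply will not send the cookie and the session breaks.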
Still confused (Score:1, Interesting)
I'm sorry but networking and security are not my forte. Can someone describe what the problem is, what this add-on does and how to protect yourself or your website? All in clear terms and please refrain from using acronyms.
I'd like to use a more IT related version... (Score:5, Interesting)
It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.
At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read it. Yes, it might be impossible to catch me, but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.
Some people argue that we shouldn't outlaw anything that we can't effectively monitor (i.e., we shouldn't outlaw this because we couldn't catch most of the people doing this anyway). I understand their point but I respectfully disagree.
This isn't about manufacturers (Score:4, Interesting)
This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.
I have yet to see any major hotspot provider that secures their access. Although in theory it would be possible, most don't do it because no one feels unsafe yet.
Firesheep may change that.
Re:While I sorta agree with what the guy is saying (Score:1, Interesting)
This situation with web security is similar. People simply refuse to believe it is an issue.
Re:And the answer is no. (Score:3, Interesting)
This is where you make the difference between "access" and "see."
Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.
If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.
Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."
Re:"Ignorance is no excuse" (Score:1, Interesting)
You again. I believe you're trolling. You always lose this argument, but every time WLAN is the topic, you ruminate your "opinion". You endanger people by telling them that those who use open wireless networks are doing wrong, when really the operators of open access points are making the mistake by not securing their networks even though they do not intend to offer public access. You also deprive law-abiding people of the opportunity to offer network access by telling people not to use their networks. There is not a single person who benefits from the "hands off open networks" attitude.
Re:While I sorta agree with what the guy is saying (Score:4, Interesting)
A lot of people may not remember, but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid-90s. Remember winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines, which would kill any Windows machine instantly. MS played this off as rogue software doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way, blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too, their owners took responsibility for it and fixed it without blaming it on the bogeyman.
Re:While I sorta agree with what the guy is saying (Score:3, Interesting)
Every day we live with the fact that some random asshat could punch us in the face, but we don't walk around with football helmets on the street, do we?
Security isn't black vs. white.