
Firesheep Author Reflects On Wild Week

Posted by Soulskill
from the don't-be-baa-aad dept.
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"

  • by Pojut (1027544) on Tuesday November 02, 2010 @04:27PM (#34105208) Homepage

    ...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."

    • by bennomatic (691188) on Tuesday November 02, 2010 @04:29PM (#34105218) Homepage
      Correct. And gun shops do that all day every day, all over the country.
      • I doubt any of them sell pre-loaded guns. Guns and ammo, sure. Loaded guns? Not likely.

        • by TheKidWho (705796) on Tuesday November 02, 2010 @04:39PM (#34105356)

          Well you do have to install it and then run it.

          Besides it's not like you can run firesheep without Firefox installed to begin with.

          • by Jeremiah Cornelius (137) on Tuesday November 02, 2010 @04:58PM (#34105598) Homepage Journal

            "Guns don't shoot people, Firefox shoots people!"

            That seems to be the nature of the hyperbolic rhetoric in this sub-thread.

            The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"

            Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...

            • by Anonymous Coward on Tuesday November 02, 2010 @07:36PM (#34107114)

              A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remember winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the boogeyman.

      • Re: (Score:2, Informative)

        by fahlesr1 (1910982)

        When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.

        Some places

        • Re: (Score:3, Informative)

          If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately. I've bought a few guns in my time, and ammo with them, and never have been treated like that, nor would I ever accept being treated like that.
          • by nschubach (922175)

            Ditto. They politely ask to keep the ammo in the box you bought it in (duh) and let me on my way. One time I bought a pistol and was allowed to walk to the other side of the store and pick up something else before I carried my newly purchased firearm to the front where I handed them the receipt showing I bought it and the ammo.

      • Re: (Score:3, Insightful)

        by ToasterMonkey (467067)

        Really? Show me where I can buy a loaded gun.

    • by Pojut (1027544)

      Actually, now that I'm thinking about it, I'm not so sure that works...

      • by rtfa-troll (1340807) on Tuesday November 02, 2010 @05:09PM (#34105710)

        Try a car analogy. That might work better.

        It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.

        This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.

    • by Zeek40 (1017978) on Tuesday November 02, 2010 @04:30PM (#34105226)
      Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."
      • Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exaggerated. In your case Zeek, you have understated that the tool's primary focus is to perform an act which without permission is considered illegal.

        It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.

        Using that t

      • It's more like saying here's a list of car makes and models that don't have functioning locks even though their owners think the locks work.
    • by 0racle (667029)
      You could say the same thing regarding just about any tool.

      "Here's a Silver Hammer, Max. Now, if you decide to hit someone with it, that's your business."
    • ...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

      or stop someone else from hurting or killing others. Yes, us big kids sometimes use sharp tools if the job calls for it.

      Would you have it otherwise?

      • Re: (Score:3, Funny)

        by nschubach (922175)

        They let you have the pointy scissors? All I got were these rounded ones that don't cut well. :(

    • by iammani (1392285)

      It's rather, here is a lock pick. Now if you use it to break into someplace, without authorization, that's your business.

    • by Anonymous Coward on Tuesday November 02, 2010 @04:47PM (#34105450)

      It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.

      At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.

      Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.

      • Re: (Score:3, Insightful)

        by nschubach (922175)

        How would that work with Walkie talkies or CB radio?

        I mean, if I listened to someone on a walkie and they thought it was private...

        Heck, even some old cordless phones could be picked up by nearby speakers.

        • by ScrewMaster (602015) * on Tuesday November 02, 2010 @10:23PM (#34108058)

          How would that work with Walkie talkies or CB radio?

          The answer is, it would not.

          I mean, if I listened to someone on a walkie and they thought it was private...

          Heck, even some old cordless phones could be picked up by nearby speakers.

          Precisely.

          Personally, I respectfully disagree with the GP. The way I look at this is exactly the way you do. If you broadcast information of any kind using radio waves, sound waves, light waves, gravity waves, thought waves, whatever, and someone receives that information, is able to interpret it, and uses it against you, it's because you a. broadcast it and b. left yourself wide open. You transmit modulated radiation, I'm going to pick it up if I want to, and do whatever I want with it. If you don't want me to do that, don't send those waves through my space, because you don't have a right to shine something at me and expect me not to look at it if I please. Project all your personal financial information on the wall, and I'm going to take pictures if I choose. Turn on a wireless transceiver in my vicinity, and I'll monitor your traffic if I feel like it. If that bothers you, keep it to yourself. Run a goddamn cable, or make sure your transmissions are not intelligible outside of your property line, or use encryption. But don't come whining to me about your "rights" because I'll simply ignore you. And that's me, a law-abiding citizen with no desire to take advantage of anyone. Expecting that mere legality will prevent someone bent on criminal activity from monitoring your communications is just silly. Don't depend upon the law, it cannot protect you in this case, so it might as well not be there.

          Fact is, anyone that knows how to use encryption and take the necessary steps to protect himself or herself couldn't care less whether it's legal or otherwise to receive such broadcasts. What we're talking about here are the unwashed masses, and the reality is that nothing can protect them (the law certainly can't) until the technology improves to the point where that protection is fully automatic.

    • Re: (Score:2, Interesting)

      by MoanNGroan (1050288)
      If it were a mere hacking tool that required some technical proficiency, maybe ... in this case you are handing the loaded gun to a 10-year old with simple a-b-c instructions and a list of potential targets, and a promise that it will be very difficult if not impossible to prosecute them.
    • Re: (Score:2, Flamebait)

      by PopeRatzo (965947) *

      it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

      No. It's more like "I've hidden some explosives in several of your neighbors' cars. Here's a remote detonator. If you press the button, there will be damage.

      Now, if you decide to use it, that's none of my business. At least I encouraged the discussion of how to disarm explosives".

  • by Anonymous Coward on Tuesday November 02, 2010 @04:28PM (#34105214)

    "Is it legal to access someone else's accounts without their permission."
    No.

    Firesheep is as legal as nmap in case anyone wondered.

    • by jcaldwel (935913)
      Actually, it's more like a very specialized version of Wireshark -
      • Re: (Score:2, Insightful)

        But what it is most like is a Firefox add-on.
        • It is a lot more like Wireshark than it is like most Firefox add-ons - say Tree Style Tabs or Taboo (which are my current favourites).

          You would presumably argue that Internet Explorer is more like MS Word (because they both run on the same platform) than like Konqueror (because they perform the same function).

    • How do you feel about using someone's open access wifi? Some people on /. would say that, if it's not being protected, it's an invitation to access.
      • by Pojut (1027544)

        I know you didn't ask me, but yeah, an open WiFi network is an invitation for anyone to access it.

        That doesn't mean you should.

    • by dgatwood (11270) on Tuesday November 02, 2010 @04:33PM (#34105282) Journal

      Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.

      • by TubeSteak (669689)

        If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https).

        The problem is millions of times worse than that.
        Facebook/digg/reddit/etc all have their widgets plastered across 90% of websites.
        Every time you go to one of those websites, the widget fetches your cookie.
        So unless every single one of those widgets is changed to do its ajax thing over HTTPS, credentials are still going to leak.

        • by dgatwood (11270)

          Not necessarily. The other web sites could use an opaque token that does not expose your Facebook credentials (for example). Ostensibly, they're supposed to be doing that, IIRC.... Now, that won't help you as far as somebody pretending to be you on those third-party websites, and to the extent that those sites can post things on your wall, etc., they're still a hole, but not nearly as big a hole as exposing a full set of login credentials.
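The exposure discussed in this sub-thread (a login over https followed by a redirect back to http, with the session cookie then travelling in the clear) can be checked from the site operator's side. The following is an added example, not code from the thread or from Firesheep; the host name, cookie names and the session-name heuristic are constructed assumptions, and the `Secure` attribute and HSTS checks go slightly beyond what the comments mention.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample: (request URL, status, response headers) for a login flow.
# Host name and cookie values are made up for illustration.
SAMPLE_FLOW = [
    ("https://social.example/login", 302, [
        ("Set-Cookie", "session=6f1c2a9e; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
        ("Location", "http://social.example/home"),
    ]),
    ("https://social.example/settings", 200, [
        ("Set-Cookie", "csrf=91ab77; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ]),
]

# Assumed heuristic: cookie names containing these strings carry a session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, status, headers):
    """Return a list of (url, finding code, detail) for one response."""
    findings = []
    over_tls = urlparse(url).scheme == "https"
    header_names = {name.lower() for name, _ in headers}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            looks_like_session = any(h in cookie.lower() for h in SESSION_HINTS)
            # Without Secure the browser also sends the cookie over plain HTTP,
            # where anyone on an open network can read it.
            if looks_like_session and "secure" not in attrs:
                findings.append((url, "COOKIE_NO_SECURE", cookie))
        elif lname == "location" and over_tls and 300 <= status < 400:
            target = urljoin(url, value)
            # The "log in via https, then bounce to http" pattern.
            if urlparse(target).scheme == "http":
                findings.append((url, "HTTPS_DOWNGRADE", target))
    # HSTS tells the browser to refuse plain HTTP for this host from now on.
    if over_tls and "strict-transport-security" not in header_names:
        findings.append((url, "NO_HSTS", ""))
    return findings


def audit_flow(flow):
    """Audit every response in a captured flow, in order."""
    return [f for url, status, headers in flow
            for f in audit_response(url, status, headers)]


if __name__ == "__main__":
    for url, code, detail in audit_flow(SAMPLE_FLOW):
        print(code, url, detail)
```
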

      • Re: (Score:3, Informative)

        by robosmurf (33876)

        The real problem is that most social media sites CAN'T use https by default.

        Most of the advertising content delivery networks (and this does include Google's AdSense) don't support https.

        Thus, if the social media site used https for the entire session, then they wouldn't be able to serve ads, and wouldn't be able to fund the service. So it isn't going to happen.

        There is a real problem with current web protocols that security is all or nothing. You can use http and be insecure, or use https and break all kin

    • Re: (Score:3, Interesting)

      by mdm-adph (1030332)

      This is where you make the difference between "access" and "see."

      Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.

      If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.

      Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."

  • by Anonymous Coward

    At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.

    • by kill-1 (36256)

      If you're talking about 202a StGB (Ausspähen von Daten), that only applies if you actually access data that is not meant for you to see.

    • by Hatta (162192)

      If they can find you. If you're sitting at a public wifi hotspot with a custom temporary MAC, how exactly would they track you down?

  • Hopefully... (Score:3, Interesting)

    by ThoughtMonster (1602047) on Tuesday November 02, 2010 @04:36PM (#34105320) Homepage

    ...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

    • by tlhIngan (30335)

      ...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

      They do, actually. Most routers and hardware support "secure easy setup" type one-click security. Sure you often have to buy equipment from one manufacturer, but that's just incentive to do it and to show how to do it.

      It's extremely popular if you consider how many routers

    • Re: (Score:3, Insightful)

      by dreampod (1093343)

      I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

      Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?

      • by TubeSteak (669689)

        I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

        Ding ding ding. We have a winner.
        This was exactly how I first tested FireSheep on my own home network.

        My wireless router has the ability to create a few guest networks and assign them individual encryption keys,
        but the hardware required to do that for 20~50+ connections you might reasonably encounter in a commercial setting...
        I can't imagine that'd be cheap.

      • by mdm-adph (1030332)

        If I understand it correctly, even if you know the password to access a WPA-encrypted wifi network, you still can't access other people's data -- you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity. This is different from WEP, where, I'm pretty sure, if you had the password, all accessed computers' data was visible to everyone else.

        Now, I could be wrong, so someone with more knowledge about this please speak up!

        • you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity.

          To get the handshake you simply have to be sniffing the network at the same time the other client connects, note that it is possible to force clients to reconnect.

        • WPA, like WEP, is simply encryption of the links between clients and AP. There is no encryption between the clients, they are as transparent to each other as if they were physically cabled to any hub or switch. Now I've heard tell of some enterprise class APs having the capacity to create things like VLANs using multiple SSIDs, but those are expensive and rare (from a SOHO perspective).

          However, WPA when used with RADIUS can integrate with a domain controller and establish permissions for various network
          • by colinnwn (677715)
            My ancient $50 WRT-54GL with DD-WRT does segregated VLANS with multiple SSIDs and independent passkeys. Running one now keyless for my neighbors, and WPA2 for me.
      • Re:Hopefully... (Score:4, Insightful)

        by Bigjeff5 (1143585) on Tuesday November 02, 2010 @05:06PM (#34105686)

        That's true for WEP encryption I believe, but definitely not for WPA.

        It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.

        So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate with them via the router, but you'd have to break their encryption to grab their cookies.

        • Like other posters you have failed to grasp that anybody sniffing the sharing of the per client key can read your traffic.

          So someone who starts sniffing the network after you have connected cannot listen in, but someone who has been there from the beginning can.

          • by raddan (519638) *
            Yes, but, if I understand WPA correctly, you can only intercept the user's PTK if you already know the pre-shared key. While that does not make the handshake secure, it significantly reduces the attack vector to include only those people who already have access to the system. So you can spy on coworkers but not total strangers.
      • Re:Hopefully... (Score:5, Informative)

        by raddan (519638) * on Tuesday November 02, 2010 @06:31PM (#34106546)
        WRONG. WPA uses a four-way handshake to establish a per-user key called the Pairwise Transient Key. The PTK is guaranteed (well, not really guaranteed, but very, very, very likely) to be unique on a per-user basis, and that PTK is used to encrypt the communication. So no, two parties on the same AP using WPA cannot decipher each other's traffic.

        http://en.wikipedia.org/wiki/IEEE_802.11i-2004 [wikipedia.org]
      • Re: (Score:3, Informative)

        by luder (923306) *

        doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

        I just want to add to what others have said that in order to have specific individual keys on a per user basis you would need something like RADIUS [wikipedia.org] based authentication.
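The disagreement in this sub-thread comes down to what goes into the Pairwise Transient Key. The sketch below is an added example, not code from any commenter; it follows the IEEE 802.11i derivation (PBKDF2 for the pre-shared key, then the HMAC-SHA1 PRF over the MAC addresses and nonces exchanged in the four-way handshake). The passphrase, SSID, MAC addresses, nonces and the stand-in for a RADIUS-issued per-user key are all constructed values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: every client of the network derives the same 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK (PRF-512) from the PMK plus values sent unencrypted in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def demo():
    """Return the keys for two clients and for a passive observer (constructed data)."""
    ap = bytes.fromhex("020000000001")
    alice = bytes.fromhex("0200000000a1")
    bob = bytes.fromhex("0200000000b2")
    nonce = lambda tag: hashlib.sha256(tag).digest()  # fixed so the demo is repeatable

    psk_pmk = pmk_from_passphrase("coffeeshop-wifi", "CafeGuest")
    ptk_alice = derive_ptk(psk_pmk, ap, alice, nonce(b"A1"), nonce(b"S1"))
    ptk_bob = derive_ptk(psk_pmk, ap, bob, nonce(b"A2"), nonce(b"S2"))

    # An observer who knows the passphrase and recorded Alice's handshake
    # has every input and arrives at the same PTK.
    observer_psk = derive_ptk(pmk_from_passphrase("coffeeshop-wifi", "CafeGuest"),
                              ap, alice, nonce(b"A1"), nonce(b"S1"))

    # With 802.1X/RADIUS the PMK comes out of each user's own authentication.
    # Constructed stand-in for that per-user key:
    alice_eap_pmk = hashlib.sha256(b"constructed per-user EAP key for alice").digest()
    ptk_alice_eap = derive_ptk(alice_eap_pmk, ap, alice, nonce(b"A1"), nonce(b"S1"))
    observer_eap = derive_ptk(psk_pmk, ap, alice, nonce(b"A1"), nonce(b"S1"))

    return {
        "ptk_alice": ptk_alice, "ptk_bob": ptk_bob, "observer_psk": observer_psk,
        "ptk_alice_eap": ptk_alice_eap, "observer_eap": observer_eap,
    }


if __name__ == "__main__":
    keys = demo()
    print("per-client keys differ:", keys["ptk_alice"] != keys["ptk_bob"])
    print("PSK insider reproduces Alice's PTK:", keys["observer_psk"] == keys["ptk_alice"])
    print("same insider vs per-user PMK:", keys["observer_eap"] == keys["ptk_alice_eap"])
```

Per-client keys do differ, but on a shared-passphrase network the only secret input is one every user holds; a per-user PMK from 802.1X removes that shared secret.
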

    • by rsborg (111459) on Tuesday November 02, 2010 @04:52PM (#34105516) Homepage

      This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.

      I have yet to see any major hotspot provider that secures their access, although in theory it would be possible, most don't do it because no one feels unsafe yet.

      Firesheep may change that.

    • by adolf (21054)

      You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

      Actually, I can expect that. And I can even show you a pretty graph [wigle.net] that indicates folks are doing an increasingly better job with encrypting their wireless networks.

      As an anecdote, my own experiences with wardriving in small-town Ohio have been interesting to me. Some towns and neighborhoods are full of wide-open networks. Some are almost completely locked-down. Some people w

  • No linux build?

  • by carvell (764574) on Tuesday November 02, 2010 @05:43PM (#34106064) Homepage

    A Linux build is available here [mediafire.com]. It's a Firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.

    You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.

    All info taken from here [github.com].

    • by h3 (27424)

      I dunno, while I'm *mostly* certain you're a good guy and that link is legit, it seems like downloading a random mediafire link isn't really in the spirit of things here...

  • by Derosian (943622) on Tuesday November 02, 2010 @06:18PM (#34106428) Homepage Journal
    Firesheep is as legal as Limewire... Oh wait.
    • Firesheep is as legal as Limewire... Oh wait.

      Gnutella, Limewire's network, is perfectly legal. Limewire was forced to "shut down" because of their advertising which supposedly "promoted illegal file-sharing". Frostwire or any other Gnutella client is perfectly legal.

      Car analogy time:
      Say you buy a car. You can drive safely, or you can run people over; your choice. Just because you can run people over, however, doesn't mean that cars should be illegal. Same for file sharing and Firesheep. There are legitimate uses for tools like Firesheep such as securi
