Firesheep Author Reflects On Wild Week 229
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
While I sorta agree with what the guy is saying... (Score:5, Insightful)
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.
Re:While I sorta agree with what the guy is saying (Score:5, Insightful)
Re: (Score:2)
I doubt any of them sell pre-loaded guns. Guns and ammo, sure. Loaded guns? Not likely.
Re:While I sorta agree with what the guy is saying (Score:4, Insightful)
Well you do have to install it and then run it.
Besides it's not like you can run firesheep without Firefox installed to begin with.
Re:While I sorta agree with what the guy is saying (Score:5, Insightful)
"Guns don't shoot people, Firefox shoots people!"
That seems to be the nature of the hyperbolic rhetoric in this sub-thread.
The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"
Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...
Re:While I sorta agree with what the guy is saying (Score:4, Interesting)
A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remebver winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the boogy man.
Re: (Score:2, Informative)
When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.
Some places
Re: (Score:3, Informative)
Re: (Score:2)
Ditto. They politely ask to keep the ammo in the box you bought it in (duh) and let me on my way. One time I bought a pistol and was allowed to walk to the other side of the store and pick up something else before I carried my newly purchased firearm to the front where I handed them the receipt showing I bought it and the ammo.
Re: (Score:3, Insightful)
Really? Show me where I can buy a loaded gun.
Re: (Score:2)
That is his point. You're making it redundantly twice for him.
Re: (Score:2)
Actually, now that I'm thinking about it, I'm not so sure that works...
Re:While I sorta agree with what the guy is saying (Score:5, Insightful)
Try a car analogy. That might work better.
It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.
This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.
Re:While I sorta agree with what the guy is saying (Score:5, Insightful)
Re: (Score:2)
Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exagerated. In your case Zeek, you have understated that the tools Primary focus is to preform an act which without permission is considered illegal.
It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.
Using that t
Re: (Score:2)
Many people who own trucks might argue with your statement.
more like... (Score:2)
Re: (Score:3, Interesting)
Every day we live with the fact some random asshat could punch us in the face, but we don't walk around with football helmets on the street do we?
Security isn't black vs. white.
Re: (Score:2)
"Here's a Silver Hammer, Max. Now, if you decide to hit someone with it, that's you're business."
Re: (Score:2)
I am business?
Re: (Score:2)
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.
or stop someone else from hurting or killing others. Yes, us big kids sometimes use sharp tools if the job calls for it.
Would you have it otherwise?
Re: (Score:3, Funny)
They let you have the pointy scissors? All I got were these rounded ones that don't cut well. :(
Re: (Score:2)
Its rather, here is a lock pick. Now if you use it break into someplace, without authorization, thats your business.
Re: (Score:2)
Re: (Score:2)
So how about "here is a key duplication kit, have fun"?
I'd like to use a more IT related version... (Score:5, Interesting)
It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.
At least in my country we have laws regarding privacy and secrecy of correspondency. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.
Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.
Re: (Score:3, Insightful)
How would that work with Walkie talkies or CB radio?
I mean, if I listened to someone on a walkie and they thought it was private...
Heck, even some old cordless phones could be picked up by nearby speakers.
Re:I'd like to use a more IT related version... (Score:4, Informative)
How would that work with Walkie talkies or CB radio?
The answer is, it would not.
I mean, if I listened to someone on a walkie and they thought it was private...
Heck, even some old cordless phones could be picked up by nearby speakers.
Precisely.
Personally, I respectfully disagree with the GP. The way I look at this is exactly the way you do. if you broadcast information of any kind using radio waves, sound waves, light waves, gravity waves, thought waves, whatever, and someone receives that information, is able to interpret it, and uses it against you, it's because you a. broadcast it and b. left yourself wide open. You transmit modulated radiation, I'm going to pick it up if I want to, and do whatever I want with it. If you don't want me to do that, don't send those waves through my space, because you don't have a right to shine something at me and expect me not to look at it if I please. Project all your personal financial information on the wall, and I'm going to take pictures if I choose. Turn on a wireless transceiver in my vicinity, and I'll monitor your traffic if I feel like it. If that bothers you, keep it to yourself. Run a goddamn cable, or make sure your transmissions are not intelligible outside of your property line, or use encryption. But don't come whining to me about your "rights" because I'll simply ignore you. And that's me, a law-abiding citizen with no desire to take advantage of anyone. Expecting that mere legality will prevent someone bent on criminal activity from monitoring your communications is just silly. Don't depend upon the law, it cannot protect you in this case, so it might as well not be there.
Fact is, anyone that knows how to use encryption and take the necessary steps to protect him or her self couldn't care less whether it's legal or otherwise to receive such broadcasts. What we're talking about here are the unwashed masses, and the reality is that nothing can protect them (the law certainly can't) until the technology improves to the point where that protection is fully automatic.
Re: (Score:2, Interesting)
Re: (Score:2, Flamebait)
No. It's more like "I've hidden some explosives in several of your neighbors' cars. Here's a remote detonator. If you press the button, there will be damage.
Now, if you decide to use it, that's none of my business. At least I encouraged the discussion of how to disarm explosives".
Re: (Score:2)
So do cars, baseball bats, metal poles, knifes, toasters, anti-freeze, bleach, duct tape applied over the mouth and nose, yard chemicals... I could list hundreds of tools that kill things (pets, adults, and children included.) It doesn't mean I'm going to use them for that purpose.
Re: (Score:2)
"Loaded guns aren't necessarily about murder of humans."
But killing everything else on the planet is perfectly acceptable unless humans say otherwise, right?
And the answer is no. (Score:4, Insightful)
"Is it legal to access someone else's accounts without their permission."
No.
Firesheep is as legal as nmap in case anyone wondered.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
It is a lot more like Wireshark than it is like most Firefox add-ons - say Tre Style Tabs or Taboo (which are my current favourites).
You woul presumably argue the that Internet Explorer is more like MS Word (because they both run on the same platofrm) than like Konqueror (because they perform the same function).
Re: (Score:2)
But how is it like a car?
Because it runs in Firefox, and cars occasionally catch fire.
Re: (Score:2)
Re: (Score:2)
I know you didn't ask me, but yeah, an open WiFi network is an invitation for anyone to access it.
That doesn't mean you should.
Re: (Score:2)
Again, never said it was illegal...just wrong. Or at least, "wrong" as defined according to my own personal opinion of "right" and "wrong". YMMV with that one, lol :)
Re: (Score:2)
Apparently you have a hard time understanding...
1. Just because you [legally] CAN do something, doesn't mean you SHOULD do it, and
2. There is a big difference legality and morality.
Sometimes the two coincide, other times they are out of touch of reality. i.e. Prohibition, victim-less crimes such as smoking tobacco vs. other drugs, using synthetic DMT vs. the DMT that your brain naturally produces, etc.
Re:And the answer is no. (Score:4, Informative)
Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.
Re: (Score:2)
If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https).
The problem is millions of times worse than that.
Facebook/digg/reddit/etc all have their widgets plastered across 90% of websites.
Every time you go to one of those websites, the widget fetches your cookie.
So unless every single one of those widgets is changed to do its ajax thing over HTTPS, credentials are still going to leak.
Re: (Score:2)
Not necessarily. The other web sites could use an opaque token that does not expose your Facebook credentials (for example). Ostensibly, they're supposed to be doing that, IIRC.... Now, that won't help you as far as somebody pretending to be you on those third-party websites, and to the extent that those sites can post things on your wall, etc., they're still a hole, but not nearly as big a hole as exposing a full set of login credentials.
Re: (Score:3, Informative)
The real problem is that most social media sites CAN'T use https by default.
Most of the advertising content delivery networks (and this does include Google's AdSense) don't support https.
Thus, if the social media site used https for the entire session, then they wouldn't be able to serve ads, and wouldn't be able to fund the service. So it isn't going to happen.
There is a real problem with current web protocols that security is all or nothing. You can use http and be insecure, or use https and break all kin
Re: (Score:3, Interesting)
This is where you make the difference between "access" and "see."
Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.
If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.
Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."
Using it against unsuspecting people is illegal (Score:2, Informative)
At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.
Re: (Score:2)
If you're talking about 202a StGB (Ausspähen von Daten), that only applies if you actually access data that is not meant for you to see.
Re: (Score:2)
It's entirely possible that you login as someone else and don't immediately see any private information. So using Firesheep isn't automatically illegal. It always depends on the exact situation.
Re: (Score:2)
If they can find you. If you're sitting at a public wifi hotspot with a custom temporary MAC, how exactly would they track you down?
Hopefully... (Score:3, Interesting)
...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.
Re: (Score:2)
They do, actually. Most routers and hardware support "secure easy setup" type one-click security. Sure you often have to buy equipment from one manufacturer, but that's just incentive to do it and to show how to do it.
It's extremely popular if you consider how many routers
Re: (Score:3, Insightful)
I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?
Re: (Score:2)
I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
Ding ding ding. We have a winner.
This was exactly how I first tested FireSheep on my own home network.
My wireless router has the ability to create a few guest networks and assign them individual encryption keys,
but the hardware required to do that for 20~50+ connections you might reasonably encounter in a commercial setting...
I can't imagine that'd be cheap.
Re: (Score:2)
If I understand it correctly, even if you know the password to access a WPA-encrypted wifi network, you still can't access other people's data -- you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity. This is different from WEP, where, I'm pretty sure, if you had the password, all accessed computers' data was visible to everyone else.
Now, I could be wrong, so someone with more knowledge about this please speak up!
Re: (Score:2)
you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity.
To get the handshake you simply have to be sniffing the network at the same time the other client connects, note that it is possible to force clients to reconnect.
Re: (Score:2)
However, WPA when used with RADIUS can integrate with a domain controller and establish permissions for various network
Re: (Score:2)
Re:Hopefully... (Score:4, Insightful)
That's true for WEP encryption I believe, but definitely not for WPA.
It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.
So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate them via the router, but you'd have to break their encryption to grab their cookies.
Re: (Score:2)
Like other posters you have failed to grasp that anybody sniffing the sharing of the per client key can read you traffic.
So someone who starts sniffing the network after you have connected cannot listen in, but someone who has been there from the beginning can.
Re: (Score:2)
Re:Hopefully... (Score:5, Informative)
http://en.wikipedia.org/wiki/IEEE_802.11i-2004 [wikipedia.org]
Re: (Score:3, Informative)
doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?
I just want to add to what others have said that in order to have specific individual keys on a per user basis you would need something like RADIUS [wikipedia.org] based authentication.
This isn't about manufacturers (Score:4, Interesting)
This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.
I have yet to see any major hotspot provider that secures their access, although in theory it would be possible, most don't do it because noone feels unsafe yet.
Firesheep may change that.
Re: (Score:2)
Actually, I can expect that. And I can even show you a pretty graph [wigle.net] that indicates folks are doing an increasingly better job with encrypting their wireless networks.
As an anecdote, my own experiences with wardriving in small-town Ohio have been interesting to me. Some towns and neighborhoods are full of wide-open networks. Some are almost completely locked-down. Some people w
Re: (Score:2)
ARP poisoning is pretty easy to protect against [sourceforge.net].
Really, a service like FaceBook I wouldn't expect to be very secure. You're already sharing your information with the rest of the world, someone else accessing your account is simply going to cause you some annoyance. Not that big a deal. Amazon I would expect to secure their communications though, so it's disturbing that they don't.
sadface (Score:2)
No linux build?
Linux build is available (Score:3, Informative)
A linux build is available here [mediafire.com]. It's an firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.
You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.
All info taken from here [github.com].
Re: (Score:2)
I dunno, while I'm *mostly* certain you're a good guy and that link is legit, it seems like downloading a random mediafire link isn't really in the spirit of things here...
As Legal As... (Score:3, Funny)
Re: (Score:2)
Firesheep is as legal as Limewire... Oh wait.
Gnutella, Limewire's network, is perfectly legal. Limewire was forced to "shut down" because of their advertising which supposedly "promoted illegal file-sharing". Frostwire or any other Gnutella client is perfectly legal.
Car analogy time:
Say you buy a car. You can drive safely, or you can run people over; your choice. Just because you can run people over, however, doesn't mean that cars should be illegal. Same for file sharing and Firesheep. There are legitimate uses for tools like Firesheep such as securi
Re: (Score:3, Insightful)
Except then your subject line would have read: "57 downloads later..."
Re: (Score:2)
He's probably wondering how much money he'd have made if he'd charged for it.
Advert revenue? I haven't been to his site so I have no idea if he hosts ads.
Re: (Score:2)
Re:What I don't get (Score:5, Insightful)
Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.
You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.
But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody see's just how fragile the foundation is, it raises discussion.
And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.
Re: (Score:2)
Older browsers?!?! IE8 still "bitches" when i load up facebooks "Account Settings" Page - "Do you want to view only the webpage content that was delivered securely
This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."
Re: (Score:2)
Why is it a problem that it complains in this situation? Sending a page half-encrypted is a big security problem - not the least of which is t hat the user has no reasonable way to know which information was sent securely.
Re: (Score:2)
it -should- complain, yes.... but the reason why people are groaning at Microsoft on this issue is the same reason they're groaning about the UAC prompts. With UAC prompts, lazy people get trained to 'just click Yes', thus severely reducing the effectiveness of the prompt. That this happens in other operating systems, albeit usually on a CLI, is apparently not an issue.
With the mixed content warning, you get an even worse problem from lazy people. The end-user will just click 'yes' as otherwise some sill
Re: (Score:2)
I think you answered your own question there. Also add the fact that Firesheep is intended partially as a publicity stunt so it has higher visibility than the standard 'hackers' who are trying to keep under the radar. The author has given interviews on it to several sites and articles detailing its use and the general inseurity of session based cookies have been a coordinated part of this publicity push and a natural consequence of it being popular enough that articles on it garner pageviews.
Re: (Score:2, Informative)
As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.
This affects you only if you are connecting to the Internet wirelessly, do not employ encryption on your wireless link, and are visiting a website that doesn't use SSL (sorry for the acronym: it stands for secure sockets layer and is a protocol for encrypting connectio
Re:Still confused (Score:4, Informative)
Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.
The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached before going out the establishment's cable modem for example), all that traffic is completely unencrypted.
Re: (Score:2)
No - shared folders and services do not necessarily mean intra-client communications - often times your router is still the mid point in between those kinds of transactions and if you are wired in - you won't be able to sniff out the traffic specifically going between the computer and the router.
This doesn't affect wired situations - unless you preform some kind of Man in the Middle attack on the router/end user - probably by some method of ARP poisoning. Otherwise, there's no way for you to listen in and g
Re: (Score:2)
I'm too old. I still think of ethernet networks as being largely made up of 10baseT into "dumb" hubs or even (gasp!) 10base2 thinnet coaxial cable. With most modern switches, Monkeedude1212 is correct that this sort of traffic does not pass by every client on the network. I just tried out Firesheep on some machines in our home, and it was not able to pick up anything on our WPA encrypted wireless-n network, or on our switched gig-ethernet wired network. I did not dig one of our "dumb" hubs out of the attic
Re: (Score:2)
Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.
While it's true that if only the login page is protected by SSL and the rest of the session is unencrypted then your cookies may be exposed, but if the website uses a complete SSL solution after login (as most banks for instance do) then you should still be safe.
Re: (Score:2)
Actually probably not on a switched network, the reason you can see all the open shares on a network is because those packets are generally broadcast to every client on the network by way of the broadcast IP x.x.x.255 for that subnet. any other traffic going directly from client to website or 2 other clients will be unsniffable without exploiting the switch itself to make it fall back into a broadcast (hub) mode, if that is even still possible these days.
Try it, on your standard home network config, ping 192.168.1.255, you should get random responses back from all the active IPs on the network. Same way file sharing clients work on a network like that they throw their announce packets "hey ive got these shares open" to the 192.168.1.255 ip, and the switch knows to throw that packet out to every port on the switch, and all the clients know its a packet for them to listen to other than their own set IP address
A very good point - I still think of ethernet in terms of "dumb" hubs rather than "intelligent" switches. A quick test of our wired gig-Ethernet network and our wireless-n WPA2 network seems to show that firesheep does not pick up anything.
In any case, I've downloaded HTTPS-Everywhere and Force-TLS to try them out - I think I'll keep one of them running most of the time.
Re: (Score:3, Informative)
As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.
Wait, people weren't doing that before? I wasted all this time NOT logging into my bank account on my nintendo DS in an airport?!?!
Kidding about that last part, but were people doing this before and this is just a prepackaged easy way for everyone to do it?
Re: (Score:2)
be sure the site is using SSL (also always a good idea.)
It's not always easy to do this. You could easily verify that a login page is ssl, but you don't know where you are going to get 302ed to after you submit that form.
I wish browsers had a way to temporarily disable plain http for such occasions. In the meantime there is always software firewalls I guess.
Re:Still confused (Score:4, Informative)
Re: (Score:2)
Even worse, apparently even if you log out of the aforementioned site, the session data may not be cleared on the server side. This means someone could continue to impersonate you, even after you have logged ou
Re: (Score:2)
You do realize this is Slashdot, (Kinda) News for nerds? Break out a dictionary or get ready to Google letters.
Re: (Score:2)
Some acronyms are common enough (SSL, DRM, etc) but others are more rare and those who work in the field may take their knowledge for granted.
The thing is, nerds now have a lot more domains than before. If I say CSS, those who work in video and broadcasting will think Content Scramble System, those who work with websites will think Cascading Style Sheets, others will probably have yet another meaning for it.
Re: (Score:3, Informative)
Imagine wi-fi as a man at the far end of a crowded room yelling out information to you as loudly as he can.
Me: "I'm Joe! When is the next train?"
Yelling Guy (The wireless contact point): "Joe! Next train is at 5:05!"
Yes, your wireless device listens to everything being yelled back and forth, and when it 'hears' something yelled at you, it passes it on. But it still hears everything. Normally, if it hears something for 'Joe', it knows that's not you, so it just ignores it. But the firesheep plugin doesn
Re: (Score:2)
Is sure does. Good thing my name's not Joe!
Re: (Score:2)
This is not entirely accurate. Firesheep operates in the application layer, not in ring 0. This means it can only access information directed to it from the kernel. The relevant point is that your network interface will throw away anything that isn't addressed to it, and only pass up information that is specifically addressed to your computer or is send in broadcast. None of the stuff you described is sent using broadcast packets (broadcast requires UDP, not TCP, anyhow). So, although your network card can
Re: (Score:2)
This software is an add-on for FireFox that looks at network traffic for the network that its on (weather its on your work network, a public wireless network, or your work network). It will find any information that the user is giving a website or that the website is giving the end user that is not encrypted. This includes "cookies" that can allow the person running this program to impersonate the end user (ie steal their account). The way to protect your website is to design it in such a way that all infor
Re: (Score:2)
Firesheep is only intended for illegal purposes, thus Firesheep itself may be deemed illegal in many countries, or the use of it may be justifiably restricted to certain activities (such as penetration testing).
Demonstrating security flaws to people requires easy to use examples that go the whole way. I have little (a little too much?) idea why, but they will always say "oh; but that's not a real world thing" unless you actually shove it in their faces. This has a perfectly legitimate role in security training.
Re: (Score:2)
In order to get things fixed, we need asshats like Butler pointing at the wide open door and shouting to the plebes, "LOOK WHAT I CAN DO!".
I admire that kind of Ass-hat. Often times people don't get the message until it affects them negatively.
I've been that asshat myself - doing some questionable maneuvers to warn regular users of their insecure habits. For me, it's not to show off what I can do and it's not about being a self righteous do-good-er either.
It's a "I am ticked off at the way people carelessly handle this crap" - If I act too kind it will go ignored, as if it were charity. If I do something malicious I could end up in jail. How a
Re: (Score:2)
The purpose of this software is to show "The Masses" just how easy and trivial this is. This software can be used for "penetration testing", a valid and legititimate purpose. That is the purpose of this software.This software can also be used for illegal reasons, such as stealing someone else's facebook account. If you prefer to thin of Butler as a asshat for trying to point out this VERY serious problem, than by all means, i hope we can all be as big of asshat's as Butler. By this logic any "brute force" p
Re: (Score:3, Informative)
"Defective by design" is the design mantra at Apple HQ.
Re: (Score:2)
Are you seriously making the argument that because you find hacking tools to be too difficult to use, that they shouldn't be available to everyone? Only some arbitrary definition of elite hacker that you dreamed up should be able to use security tools?
A tool is a tool. Sure one could argue that a gun is mostly used for killing and the firesheep will mostly be used for abuse, but in the end its just a tool. Its up to society to di