Slashdot: News for Nerds

Herding Firesheep In NYC — Do Users Care?

timothy posted more than 3 years ago | from the not-so-much dept.

Privacy 200

An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."

200 comments

If you did this to me (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34069382)

You would be arrested. Breaking into someone's house to point out that you can break into their house still leaves you with a breaking and entering charge. Even if you caused no damage and took nothing, you're still going to jail, brainiac.

Re:If you did this to me (1)

Dayofswords (1548243) | more than 3 years ago | (#34069422)

There is a damn show on what you just said. It's called "It Takes a Thief"
http://en.wikipedia.org/wiki/It_Takes_a_Thief_(2005_TV_series) [wikipedia.org]

Re:If you did this to me (4, Informative)

pthisis (27352) | more than 3 years ago | (#34069566)

It Takes a Thief got the owner's permission before staging the break-ins. If you got someone's permission before attempting to sidejack their account, you'd probably be in the clear. Without it, you're breaking the law.

Re:If you did this to me (0)

Anonymous Coward | more than 3 years ago | (#34069582)

You're a damn retard

Re:If you did this to me (1)

Stregano (1285764) | more than 3 years ago | (#34069638)

What I need you to do is go ahead and set up a bunch of security cameras in your house, and then go a few blocks away when it is night time, sit in a van, and watch the security cameras. Don't worry, nothing will happen.

everything on teevee is da truth (2, Insightful)

YouWantFriesWithThat (1123591) | more than 3 years ago | (#34069612)

you're joking right? how do you think all the interior cameras get inside the house?

they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.

Re:If you did this to me (1)

h4rr4r (612664) | more than 3 years ago | (#34069850)

How do you plan to find me?
I pay for coffee in cash and changed my MAC address before I connected to the wireless.

This is purely hypothetical, I did not do this nor suggest anyone should.

Re:If you did this to me (0)

Anonymous Coward | more than 3 years ago | (#34070002)

It's easy enough to find the retard in this case since he posted it from his personal blog. One subpoena away.

Re:If you did this to me (1)

shitzu (931108) | more than 3 years ago | (#34069958)

Posting some rants on someone's wall is highly ineffective. I had an idea to modify the extension so that it changes everyone's relationship status (married->it's complicated, etc). That would get the targets to secure up in no time.

Sidejacking? (0)

Anonymous Coward | more than 3 years ago | (#34069384)

Sidejacking?

Don't be so foul!

Re:Sidejacking? (1)

MachDelta (704883) | more than 3 years ago | (#34070558)

Yeah, why not just sit in the coffee house running FireShepard [notendur.hi.is] instead? ;-P

Some people don't care (3, Interesting)

Moniker3 (1913952) | more than 3 years ago | (#34069402)

People leave themselves signed into facebook all the time in my university library. Some people just don't care that much.

Re:Some people don't care (4, Insightful)

PatHMV (701344) | more than 3 years ago | (#34069812)

Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems than the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Re:Some people don't care (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34070252)

If some stranger walked into my house to tell me my door was unlocked you can bet your ass I would be locking the door. What kind of dumb ass question is that?

The difference here, and where your logic IMHO fails, is that while many people may not care that much it's exactly because of their ignorance. The problem here is that someone telling them they're vulnerable isn't enough because they are just that ignorant. They don't understand how it could possibly do them harm. Sure, some of them may not care, even if they understand the potential harm, but as a technologist I can tell you from experience that showing someone they are open to attack doesn't educate them to the harm. Now, when I've shown non-tech folks what could happen if they ignore the fact they're vulnerable, the vast majority have their jaws drop to the floor. They are utterly amazed that people know how to do things like that with computers.

You don't have to be uber-security-conscious to be smart. Leaving your doors unlocked in a strange city is simply asking for harm to come knocking eventually. And, doing so willfully is most definitely stupid and ignorant.

Re:Some people don't care (1)

nacturation (646836) | more than 3 years ago | (#34070290)

Clearly from the warning he provided, he wasn't intending to do harm to them.

I think he should have been a bit more mischievous:

"So I'm sitting here at Starbucks and there's a cute guy across the room. What should I do?"

Post the same message for both male and female profiles, optionally changing it to "girl" for the female profiles. Hilarity ensues.

Re:Some people don't care (1)

jpmorgan (517966) | more than 3 years ago | (#34070308)

That will change when the first worm that uses sidejacking to spread appears. Defaces people's facebook pages to convince them to download and run the worm... worm runs in background sidejacking and defacing other people's facebook pages... and doing all the other malicious stuff malware likes to do.

I figure we'll see it within a year or so.

Re:Some people don't care (2, Funny)

EdIII (1114411) | more than 3 years ago | (#34070464)

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Well... since most "rural" families that I know live in Oklahoma and Texas and have shotgun racks on the back of their trucks I expect the conversation to go much differently.

Re:Some people don't care (1)

Seumas (6865) | more than 3 years ago | (#34070504)

Why do we allow such ridiculous exceptions, where technology is involved? I'm not sure how you describe "I'm not taking security precautions and I don't care about the implications" as anything *BUT* stupid and ignorant.

The problem is the same as any other discussion of exercising your civil liberties (and the fourth amendment, etc). The average person says things like "you have to give up a little freedom to get some security" and "if you have nothing to hide, why do you care about privacy?".

The average American believes that privacy is for terrorists and encryption is for people peddling child porn.

Re:Some people don't care (1)

node 3 (115640) | more than 3 years ago | (#34070556)

I'm not sure how you describe "I'm not taking security precautions and I don't care about the implications" as anything *BUT* stupid and ignorant.

Do you ever leave your house with the front door unlocked (say, run over to the neighbors' real quick) or leave your windows rolled down a crack on hot days or keep your wallet in your back pocket or hand your credit card to the waitstaff or ... ?

It's not stupidity or ignorance. It's just, "you can only do so much".

In fact, I'd go further than that, and if you actively take precautions for all the things I listed, going through so much effort and living life so vigilantly seems far more stupid to me than the people you are painting as stupid and ignorant. It's like covering your furniture in plastic. Yes, it keeps your furniture in better condition, but it also means you are spending your life sitting on plastic instead of enjoying your furniture to its fullest.

Who's the more stupid? The one who has beat up furniture but got great use out of it, or the person with pristine furniture who never really got to use it?

Re:Some people don't care (0)

Anonymous Coward | more than 3 years ago | (#34070592)

Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems than the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Took me 5 minutes to set up and play with at a local coffee shop. The point of this is that it is easy, anyone can use it, it's risk free, and it will likely become a problem.

Re:Some people don't care (0)

Anonymous Coward | more than 3 years ago | (#34070350)

In my day, people who left Solaris machines logged in would get a number of different treatments. Sometimes their particular machine would lock up, or all the machines in the lab locked up, but their account was still logged in. You were supposed to go to another machine, rlogin, and kill any undesired process, including your previous login. Many ignored this, despite the fact that signs were posted around the lab.

Anyway, I digress. Merely failing to perform the rlogin procedure was something you could sort of forgive, especially if they had to go to another building to do it. In that case, it seemed fair to do nothing, or kindly log them out. I don't recall having done anything really vicious. Sometimes I'd leave a README file in their home directory explaining that I had their account temporarily.

Other people were not so nice. One common prank was to post a personal ad to some gay-oriented newsgroup.

They care - they're filing lawsuits (1)

francium de neobie (590783) | more than 3 years ago | (#34069410)

I wish this guy well. But there's gotta be somebody who thought up the idea of sending him a cease and desist letter just for the fun of it - or extracting a few thousand dollars from him.

Re:They care - they're filing lawsuits (1)

Hatta (162192) | more than 3 years ago | (#34069732)

Good luck tracking him down.

Re:They care - they're filing lawsuits (2, Funny)

francium de neobie (590783) | more than 3 years ago | (#34069766)

Had he not posted the action on his blog, it'd have been hard.

Re:They care - they're filing lawsuits (1)

Kindgott (165758) | more than 3 years ago | (#34070080)

Good luck, he was behind 7 proxies.

Ur so kewl. (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34069414)

You're a real hero. Do you steal tapes from unlocked cars too?

Interestingly, the author of TFA never considers (5, Insightful)

brokeninside (34168) | more than 3 years ago | (#34069418)

... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.

Re:Interestingly, the author of TFA never consider (1)

IamTheRealMike (537420) | more than 3 years ago | (#34069436)

Bingo. The article he linked to talks about VPNs. Seriously, WTF? The threat Firesheep poses is basically this - some guy harassing strangers in a Starbucks. Maybe if you're very unlucky a friend/enemy doing the same. Weigh up the options, which is easier - ignoring the occasional douchebag who causes trouble in Starbucks vs buying service from a VPN provider. It's not surprising most people choose the former and you don't need an experiment to realize it!

Re:Interestingly, the author of TFA never consider (1)

KiloByte (825081) | more than 3 years ago | (#34069514)

How exactly can a VPN help there? You're still passing unencrypted data to Facebook. All the gain is that it's less likely that someone listens to the traffic between the VPN provider and Facebook compared to the unpalatable liquid venue you're in.

Re:Interestingly, the author of TFA never consider (4, Insightful)

IamTheRealMike (537420) | more than 3 years ago | (#34069606)

Yes, exactly.

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:

  1. No VPN at an airport or coffee shop. Your session may be hijacked by somebody nearby; intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
  2. VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPN's colo facility and the target. The only people who actually do this is government, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily lives threat model, mostly because you can't do anything about it except move country and most governments, at least in the west, just aren't that bad.
  3. Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc and the government. Notice how nothing changed from step 2.

I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

Re:Interestingly, the author of TFA never consider (4, Insightful)

Jah-Wren Ryel (80510) | more than 3 years ago | (#34069720)

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.

In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.

Re:Interestingly, the author of TFA never consider (1)

IamTheRealMike (537420) | more than 3 years ago | (#34069740)

So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware? Anything valuable is already SSL protected so that scheme would be very expensive, labor intensive, easy to discover, dangerous for the criminals and useless against high value targets like banks or gmail accounts.

Re:Interestingly, the author of TFA never consider (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#34070224)

So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware?

(A) Mischaracterization
No need to "build and deploy" a bunch of fancy shit - all it takes is for individual petty thieves with cheap laptops to spend an hour or so at each of the hotspots around their neighbourhoods each week. Small time scammers work for small time profits all the time. Just look at how frequently credit card theft is committed by low-paid clerks and shoulder surfers. Sniffing wifi is a hell of a lot less risky than either of those.

(B) False Dichotomy
Just because one means of attack is available doesn't preclude entirely different people from attacking via another avenue.

Re:Interestingly, the author of TFA never consider (1)

jpmorgan (517966) | more than 3 years ago | (#34070300)

Why do you need hardware when all the hardware is already out there? A sidejacking worm will do the trick:

Deface people's facebook pages to convince them to download the worm. Worm runs locally, quietly sidejacks other people's facebook pages and defaces them. Cycle continues and sidejack worm spreads through all the coffee shops in the country, stealing personal information and credit card numbers as it goes.

Re:Interestingly, the author of TFA never consider (1)

adolf (21054) | more than 3 years ago | (#34070084)

My favorite coffee shop has RJ45 ports at the tables on a switched network.

Still sniffable, obviously, but at least not passively: One must do some amount of ARP poisoning or MAC overflow in order to get much meaningful data.

Re:Interestingly, the author of TFA never consider (0)

Anonymous Coward | more than 3 years ago | (#34070126)

or just run ettercap

Re:Interestingly, the author of TFA never consider (1)

brain159 (113897) | more than 3 years ago | (#34070394)

*Switched* network. Read smarter, not harder.

Re:Interestingly, the author of TFA never consider (1)

Clived (106409) | more than 3 years ago | (#34070170)

Would not the option of not using Firefox with Firesheep enabled remove the security issue that goes along with wifi browsing? I dropped Firefox about a year ago because it was too slow, too much baggage, I run the Chromium browser or Google Chrome browser almost exclusively. Haven't heard of any such vulnerabilities with wifi or otherwise there??

Comments ?

Re:Interestingly, the author of TFA never consider (1)

Zwaxy (447665) | more than 3 years ago | (#34070466)

The hacker runs Firefox with the Firesheep extension, not you.

It doesn't matter what you run, you're still vulnerable if you're sending cookies in the clear.
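
The point made in the comment above, that the exposure comes from the site's cookies crossing the network unencrypted rather than from the victim's choice of browser, shown as an added example (not part of the original thread). It audits the `Set-Cookie` headers of a response; the site, cookie names and values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    verdict: str  # "cleartext", "leaks-on-http" or "protected"


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme, headers):
    """Classify every cookie a response sets by how it will travel on the wire.

    scheme  -- "http" or "https": the scheme the response was served over
    headers -- list of (header-name, header-value) tuples
    """
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        secure = "secure" in attrs
        if scheme != "https":
            # The Set-Cookie header itself was readable by anyone on the network.
            verdict = "cleartext"
        elif not secure:
            # Set over TLS, but the browser will attach it to any later
            # http:// request to the same site, where it can be read.
            verdict = "leaks-on-http"
        else:
            verdict = "protected"
        # HttpOnly is recorded for completeness; it hides the cookie from
        # page scripts and does nothing against network eavesdropping.
        findings.append(CookieFinding(name, secure, "httponly" in attrs, verdict))
    return findings


def exposed_names(findings):
    """Names of cookies a passive listener on the same network could capture."""
    return sorted(f.name for f in findings if f.verdict != "protected")


# Constructed sample responses from a hypothetical site.
LOGIN_OVER_HTTPS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=c0nstructed; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=c0nstructed2; Path=/; Secure; HttpOnly"),
]
HOME_OVER_HTTP = [
    ("Set-Cookie", "prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

if __name__ == "__main__":
    for scheme, headers in (("https", LOGIN_OVER_HTTPS), ("http", HOME_OVER_HTTP)):
        for finding in audit_response(scheme, headers):
            print(scheme, finding)
```

The `session` cookie in the sample is set during an HTTPS login yet still ends up exposed, because without the `Secure` attribute the browser sends it on every later plain-HTTP page load.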

Re:Interestingly, the author of TFA never consider (1)

Hatta (162192) | more than 3 years ago | (#34069754)

Firesheep does Amazon too. Let the wrong person on your Amazon account and you might be in for a surprise when your credit card statement arrives.

Re:Interestingly, the author of TFA never consider (1)

hitmark (640295) | more than 3 years ago | (#34069916)

Tho one could question why Amazon should keep a copy of the credit card info at all.

Re:Interestingly, the author of TFA never consider (1)

zippthorne (748122) | more than 3 years ago | (#34070440)

Well, they offer to keep it. If you decline that offer and they still keep it, then there's a problem. But if they're keeping it because you asked them to to make your purchases more convenient, then, no, you may not question why they're keeping a copy of your credit card info. You would already know that they need to keep that info in order to keep the info.

Re:Interestingly, the author of TFA never consider (1)

hitmark (640295) | more than 3 years ago | (#34070510)

I just checked, and they held two sets of card data for me while I don't recall ever saying yes to them doing so...

Re:Interestingly, the author of TFA never consider (1)

stm2 (141831) | more than 3 years ago | (#34070460)

One click shopping (tm) :)

Re:Interestingly, the author of TFA never consider (1)

element-o.p. (939033) | more than 3 years ago | (#34069942)

...vs buying service from a VPN provider.

Ummm...how many people reading this article actually bought VPN service from someone else? I run OpenVPN or Tunnelblick on my laptops and VPN home. Even the least tech-savvy geek on /. should be able to at least port-forward through SSH. (If you can't, please turn in your geek card now.)

Re:Interestingly, the author of TFA never consider (3, Insightful)

RaymondKurzweil (1506023) | more than 3 years ago | (#34070160)

A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.

Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.

Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the more self-identified geeks and hackers I meet in recent times, the more I come to the conclusion they're mostly idiots at this point. Ever since "geek" became some kind of shibboleth, it's been all downhill.

Fuck being a geek. There is no virtue in being capable in one area to the detriment of all others. It is indeed possible to dedicate one's brain to both number theory and cryptographic fundamentals, and still be able to solve simple cost-benefit problems.

Re:Interestingly, the author of TFA never consider (1)

icebike (68054) | more than 3 years ago | (#34070492)

I'm confused.

Wouldn't just logging in to https.facebook.com and log on from there solve the problem?

Re:Interestingly, the author of TFA never consider (1)

Seumas (6865) | more than 3 years ago | (#34070574)

No, the easiest and cheapest solution (almost stupidly so) is to set WPA/WEP on your access point and then post the network password on the wall of your business. The effort and cost involved is that of minutes and pennies and the reward (both in good will toward your customers and actual security) is nearly infinite in comparison.

Re:Interestingly, the author of TFA never consider (0)

Anonymous Coward | more than 3 years ago | (#34069456)

... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.

why don't you explain what the costs are of using a free firefox add-on, or would that make you realize your correlation was completely irrelevant banter?

Re:Interestingly, the author of TFA never consider (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34069462)

So, does your insurance company give you a discount for providing easier access to thieves?

Re:Interestingly, the author of TFA never consider (1)

citylivin (1250770) | more than 3 years ago | (#34069880)

Your statement is stupid. Who is going to pay the deductible if there was no damage to the vehicle and there was nothing of value in the vehicle?
Insurance companies need not be involved. Why should they? Over the crackhead change in your centre console?

what insurance? (1)

brokeninside (34168) | more than 3 years ago | (#34069960)

Generally speaking, it's not cost-effective to carry comprehensive insurance on a vehicle more than two or three years old. Consequently, I only carry liability insurance on my vehicle.

But even if it were prudent for me to carry comprehensive insurance, whatever contents of the car that might get stolen would almost certainly be lower than the deductible while the price of replacing a broken window will almost certainly be higher than the deductible.

Re:what insurance? (1)

hedwards (940851) | more than 3 years ago | (#34070540)

Actually, the contents of your car are almost certainly not covered by your auto insurance. That's typically covered by either home owner's insurance or renter's insurance.

Re:Interestingly, the author of TFA never consider (1)

egranlund (1827406) | more than 3 years ago | (#34069652)

I do this too. x2 if you have a convertible. Replacing a top is hardly a cheap or easy job B-)

Re:Interestingly, the author of TFA never consider (0)

Anonymous Coward | more than 3 years ago | (#34069726)

*sigh* I wish thieves were that intelligent.

Windows in an old POS car I used to have were broken to steal spare change I had sitting in the console beside my shifter.

My doors were always unlocked due to some jackhole years previous driving a screwdriver in the keyhole rendering it useless. :(

Re:Interestingly, the author of TFA never consider (1)

Junior J. Junior III (192702) | more than 3 years ago | (#34070194)

Your online accounts are not like a car.

You can't very easily "empty" your online accounts.

Once someone breaks in, they can do things with your account without having to do any further "hotwiring".

Simply accessing the account through "hijacking" a session doesn't break anything that needs to be repaired after the fact, so leaving your account vulnerable to hijacking doesn't save you anything.

You might find the utility of open wifi to be worth the risk that your transmissions can be intercepted, read, and your accounts hijacked. But if it starts happening, like, more than once, most likely you'll change your mind quickly.

We really need a wifi protocol that allows open yet private access via encrypted tunnel. We *really* need to get off http and do *everything* over https. We *REALLY* need to fix the terrible mess that is SSL certificate authority based trust.

Re:Interestingly, the author of TFA never consider (1)

Seumas (6865) | more than 3 years ago | (#34070564)

Again, why do we make such exceptions when it comes to technology? If you show ignorance and stupidity in caring for your home, children, pets, automobile, home appliances, or other things the world is happy to apply those labels to you. Show the same lack of interest, attention, effort, and common sense toward technology and you're not stupid or ignorant. You're just "weighing your options and risks".

You would have difficulty with your insurance coverage if your house was robbed and they discovered that you didn't lock your doors and windows. Or even left them wide open. You are forced to maintain insurance on a variety of things (car, home, health) so that you don't impact other people for your own risk assessments. But when it comes to technology, we permit this "aw, shucks" mentality. Even though identity theft of various types and degrees carry just as much damage to people well beyond just the direct "victim".

Also, there is absolutely no viable analogy between protecting your network and "if I lock my door, they'll just break the window".

By the way, what are these "costs" that you're talking about? Every wifi router in the last decade allows some type of WPA/WEP/whatever encryption. There is no cost involved in setting up WPA/WEP and then putting a sign up in your cafe that says "THE WIFI PASSWORD IS 'P@SSWORD'". Problem solved. Are you really suggesting there is any cost/benefit comparison that would find that trivial action too costly for the return?

False sense of security (5, Insightful)

cappp (1822388) | more than 3 years ago | (#34069446)

I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexively doing. In effect we've trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah

That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.

From TFA: "my fly had been wide open" (3, Funny)

John Hasler (414242) | more than 3 years ago | (#34069470)

So that's the reason. None of them noticed his messages because they were too busy staring at his crotch.

Re:From TFA: "my fly had been wide open" (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34069534)

And if that can be seen on Starbucks' security cams, he just IDed himself after admitting to breaking federal laws.

Re:From TFA: "my fly had been wide open" (0)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#34069694)

quote me the law. please. after five minutes of googling for it, nothing's coming up.

Re:From TFA: "my fly had been wide open" (3, Insightful)

nacturation (646836) | more than 3 years ago | (#34070262)

Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.

Denial is bliss (4, Insightful)

bl8n8r (649187) | more than 3 years ago | (#34069508)

A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.

Re:Denial is bliss (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34070016)

Or they might decide that the risk is worth it, for their facebook fix. Provide them with a technical solution that takes one second to implement, and allows them to continue gaining all the convenience from before, with the security vulnerability. Then they'll probably use it.

As it is, you're asking them to give something up (facebooking in a Starbucks) to protect them against some nebulous, unknown threat. How can you criticise their judgement without knowing the value they place on these two things?

Re:Denial is bliss (2, Insightful)

joe_frisch (1366229) | more than 3 years ago | (#34070552)

Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.

I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me). I need to decide if the decreased risk of being hacked is worth the cost in time.

What a jerk (1)

Saint Stephen (19450) | more than 3 years ago | (#34069544)

What gives this guy the right to do this? He should be prosecuted!

Maybe he should go around picking locks and leaving notes in people's house about how easy it is to get into the house.

Self important prick.

Re:What a jerk (0)

Anonymous Coward | more than 3 years ago | (#34069626)

What gives this guy the right to do this? He should be prosecuted!

Maybe he should go around picking locks and leaving notes in people's house about how easy it is to get into the house.

Self important prick.

It's not like going around and picking locks. It's like going around and checking for open doors. IT'S OPEN NETWORK USING UNENCRYPTED SESSIONS. Might as well bend over and say "Yes, please".

Re:What a jerk (1)

espiesp (1251084) | more than 3 years ago | (#34070284)

It's not even checking for open doors. It's like your neighbors leaving their windows open, and having a loud conversation. You can either close your windows, or, by downloading this software you are essentially opening your windows and listening in.

If they don't want to be heard they can close their windows and talk quietly. Or encrypt their shit. Or if they can't encrypt it, they can not use it at all. Just like they wouldn't talk about their hemorrhoids in Starbucks, they shouldn't do anything online that would be a liability or embarrassing.

Re:What a jerk (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34069670)

And in fact that already happened once.
This guy [ow.ly] got himself arrested for hacking the wifi networks and currently awaits trial.
He faces up to 5 years in prison

Re:What a jerk (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34069994)

Mod down, it's a Goatse.cx link.

Re:What a jerk (1)

Puls4r (724907) | more than 3 years ago | (#34069676)

You don't seem to get it.

Broadcasting information in the clear leaves it open to everyone. It's really no different than having a radio station and being surprised people tune in, or having a conversation on a crowded elevator and being upset that someone overheard you.

While a lock on a house is very easy to pick, it serves its purpose. It keeps honest people honest. Frankly, people who want to get into your house are going to get in quite easily, regardless of your locks. Windows tend to do that.

Broadcasting in the clear is, effectively, leaving the door wide open. In fact, with firesheep, it's tantamount to posting a sign saying "door unlocked, no one home". Your anger would be far better directed at the websites who choose to do NOTHING with regards to storing information in cookies.

Take that a step further. Frankly, people who allow web browsers to store information (history, cookies, and worse passwords and form information) shouldn't be surprised that people turn up with it. Stop leaving your doors unlocked.

Re:What a jerk (3, Interesting)

Anonymous Coward | more than 3 years ago | (#34069736)

All these house analogies fail.

What this is basically like, is like putting a bunch of your stuff out on the sidewalk in front of your house... and getting all self-righteous and pissed when someone comes along and pokes through it.

Re:What a jerk (1)

russotto (537200) | more than 3 years ago | (#34070054)

Broadcasting information in the clear leaves it open to everyone. It's really no different than having a radio station and being surprised people tune in, or having a conversation on a crowded elevator and being upset that someone overheard you.

Well, yeah. But then using that information to access someone else's account is another story. If I overhear someone's safe combination, I still don't have the right to open their safe, even if I happen to have legitimate access to the area it's in, and even if I'm just putting in a note telling them they're an idiot.

While a lock on a house is very easy to pick, it serves its purpose. It keeps honest people honest. Frankly, people who want to get into your house are going to get in quite easily, regardless of your locks. Windows tend to do that.

Honest people are honest whether or not your door is locked. The lock serves to deter the dishonest but lazy, the dishonest but afraid of getting caught, or the merely bored.

Re:What a jerk (1)

chebucto (992517) | more than 3 years ago | (#34070386)

The closest analogy I've seen is the -1 Flamebait comment [slashdot.org] at the bottom of this article - stealing tapes from an unlocked car.

In this case, it's probably more like leaving notes in unlocked cars saying 'your car is unlocked'. IMHO leaving the note is creepy and intrusive; stealing the tape is criminal. Either way, you're poking your head around in places people want to keep private. Locks may keep honest people honest, but honest people shouldn't require locks to stay honest. Houses, cars, and facebook accounts are implicitly private places, and you should never enter one without the consent of the owner, regardless of how well or poorly the thing is protected against intruders.

If you think about it, the only reason we nerds tell people to use SSL is to protect themselves against the kind of intrusion the author of TFA did. An unlocked door, or an open account, is not an invitation to snoop around. The analogy I gave above fails - the majority of facebook users don't know their accounts are accessible to others. That doesn't change the fact that snooping is the wrong thing to do. If you find a public terminal with an open account, log it out. If you know someone or some group is vulnerable to snooping, warn them, do not snoop on them. There are a ton of ways to do this - letters to the editor, blog posts, mentioning it in conversation, formal requests to national privacy commissioners, meetings with local legislators, posters on telephone poles, soapboxes, whatever. Accessing personal facebook pages of a dozen random people at starbucks is not the way to do it.

Re:What a jerk (2, Interesting)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#34069730)

... you completely fail to understand how unencrypted WIFI works.

the analogy here would be him taking pictures in your open uncovered window of your couch, and sending you the picture in the mail. had he captured you having an affair and tried to ransom the image that you freely gave him back to you: that would be illegal.

never should it be illegal to INFORM SOMEBODY OF THE LACK OF SECURITY PROVIDED BY ANYTHING. it's one thing to go posting on the internet "this guy at 123 somewhere st never locks his door, and works from 9-5/m-f!!" but it should never be illegal to send him a pamphlet just inside the door stating how bad an idea it is to leave it unlocked.

Re:What a jerk (0)

Anonymous Coward | more than 3 years ago | (#34069734)

Let's face it, open wifi + non-SSL has issues. Is it unethical, perhaps to some, depends where your ethics lie. It's almost like walking around with your fly down, either someone is going to tell you it is, or your picture will end up on some random website depicting people with their fly down. Personally I'd rather be told by someone that appears to care, other than it reaching the net and being tossed around like a $2 whore.

dunno, they care.. usually afterwards though (1)

gale the simple (1931540) | more than 3 years ago | (#34069546)

My sister understood that after I showed her how easy it can be to dig up information on people who do not take any precautions, ie. her previous employer who fired her. But that anecdote aside, I think I agree with previous voices.. great big lawsuit is afoot.

No they don't care... (0)

cyberidian (1917584) | more than 3 years ago | (#34069648)

This supports my opinion that Facebook privacy fears are greatly exaggerated and maybe the people that care the most are the ones trying to sell you something to protect yourself from it. First of all, I don’t care if anyone sees my Facebook information because I don’t post anything that I wouldn’t want the public to see. Even the photos of my daughter are not especially dangerous in a stranger’s hands. With the other accounts, as long as no one sees my credit card or bank info –what does it really matter? Consider that most of your personal information is already available on the Internet through a Google search and in the local phonebook. Also Identity Theft occurs all the time from activities that have nothing to do with computers or the Internet. Last time my credit card was used fraudulently it was because my purse was stolen out of a locked car in a mall parking lot. Guess I better not drive or shop at a mall anymore! If you are worried about your children, people that might harm your child are just as likely to be seeing your child in Starbucks as breaking into your photo gallery on Facebook at Starbucks, and it would be a lot easier to steal your child at a Starbucks than to figure out how to find your child after breaking into your Facebook account. Also just because there could be a child predator at your local Starbucks or shopping mall, does that mean that you will never let your children leave the house? I sure hope not. Believe me, I am in IT and I fully support appropriate IT security and due diligence, but I think the concerns about Facebook and Amazon privacy are overdone and are almost a created problem where none existed. If you don’t like Facebook or Amazon, don’t use them. I, myself, will keep using them because I enjoy them and I don’t really think other people at Starbucks care about my Facebook activity. I sure don’t care about theirs.

Re:No they don't care... (1)

Stregano (1285764) | more than 3 years ago | (#34069716)

I will be honest with you, that is one huge paragraph that I did not read (too long, sorry), but I will go based off of you having No they don't care.

It is something I learned from non-computer-savvy people. They just want it to work. They don't care about anything after that. If it breaks, oh well, they have a friend that is good with computers that can fix it while they sit there not paying any attention to the fact that they got hacked.

I know if that personally happened to me, the first thing I would do is stand up and look around. Why? Chances are the person is in starbucks with you, so you look for the person that notices you standing up. Just start shouting at the guy. Honestly, what are the chances it is some big burly guy? If you look really mad, hopefully they will get all scared.

If not, well, hopefully you are a good runner.

If the person whose pc I am fixing is willing to learn what I am doing to their pc, I fix it. I seriously stopped fixing my friends and family's pc's unless they agreed that they would be willing to learn what I was doing.

Hey, that is how I learned. If you refuse to learn about the machine you are using, when it hurts you, then there will not be much you can do.

You know that they make forklift drivers get certified, right?

Re:No they don't care... (0)

Anonymous Coward | more than 3 years ago | (#34069742)

I'll one-click purchase you this [amazon.com]

Re:No they don't care... (1)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#34069752)

formatting aside:
Great job. that pretty well sums the majority of the people I know.

the remainder: are having an affair/stealing money/doing something they shouldn't and keep hearing "people can get information about you!" in the news.

Re:No they don't care... (0)

Anonymous Coward | more than 3 years ago | (#34069796)

"First of all, I don’t care if anyone sees my Facebook information because I don’t post anything that I wouldn’t want the public to see."

Great. What do you do when SOMEONE ELSE posts something in your profile you don't want the public to see?

Re:No they don't care... (1)

hedwards (940851) | more than 3 years ago | (#34070594)

Right, and there's fewer than 100 people killed in the US by lightning strikes, so it must not be that big a deal to walk around outside in a thunderstorm?

Obligatory XKCD. [xkcd.com]

The Best Plan (0)

Alcoholic Synonymous (990318) | more than 3 years ago | (#34069662)

Honestly, the BEST thing you could have done for them would have been to deface their accounts, disclosing that they were warned in advance but "too stupid" to take the threat seriously. Embarrass them to no end, links to goatse content, sign them up for groups like NAMBLA, you name it. Then change their password so they can't just quickly log in and fix it.

Make examples of them, so the next time, and maybe for their friends witnessing it, having what and how spelled out publicly might make them take the threat seriously.

Re:The Best Plan (1)

mail2345 (1201389) | more than 3 years ago | (#34069804)

FB requires your current password to change your password.
And goatse harms people otherwise uninvolved.

Re:The Best Plan (2, Interesting)

Samantha Wright (1324923) | more than 3 years ago | (#34069926)

But not to delete it!

Re:The Best Plan (1)

Plombo (1914028) | more than 3 years ago | (#34070382)

Honestly, the BEST thing you could have done for them would have been to deface their accounts, disclosing that they were warned in advance but "too stupid" to take the threat seriously.

No, that's the worst thing anyone could have done. Trying to "educate" random strangers by defacing their property and interfering with their lives reeks of arrogance. Why do you think you know what's best for other people better than they do, and what gives you the right to force your opinion on them?

If you deface their accounts and they lose their jobs because of it, I doubt they'll be very thankful.

They may have been logging in accidentally (5, Interesting)

jordan314 (1052648) | more than 3 years ago | (#34069874)

I gave Firesheep a try today, and am surprised how many times my own cookies come up inside it without me directly visiting those sites. My google account came up without me browsing at all -- perhaps one of my firefox add-ons was using it, or maybe google latitude on my phone was triggering it? My facebook account came up when browsing other non-facebook sites as well, most likely from facebook connect. The users could have stopped visiting facebook after getting his warning messages and still had their cookies exposed.

Commit a felony? (0)

Anonymous Coward | more than 3 years ago | (#34069956)

This idiot commits a felony and goes around bragging about it? I'm sure he will feel the consequence of his actions shortly.

The problem is not theirs, they think. (4, Interesting)

Khenke (710763) | more than 3 years ago | (#34070032)

For example I set up my sister's computer with a firewall, anti-virus, anti-malware software and installed Firefox.

What happened?

My sister and her husband got sick of the question popping up all the time, "Do you want to allow this program to access the internet?" and instead of reading and then checking the box "Do this always" they found it easier to turn off the firewall and the anti-virus (more stupid questions they didn't bother to read). And to top it up, they thought IE was more familiar and started (against my strong advice) using it again.

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
It's the same with getting their account hacked, it's not their problem (they think), it's mine.

If people would handle their cars the same way they handle their computer the car industries wouldn't have any problem with sales today...
And if people handled strangers the same IRL that they handle them on the Internet we would have everyone giving away their keys to their house if a stranger asked for it (or just give it to them without them asking...).

I will never understand why people feel so safe on Internet.

Re:The problem is not theirs, they think. (0)

Anonymous Coward | more than 3 years ago | (#34070116)

(against my strong advice) using it again.

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

I have had this problem with relatives. I used to just fix whatever problem they had as it was easier than the alternative, which was trying to make them understand why they'd had the problem in the first place. (usually pebkac situations like turning off Antivi or reverting to IE)

Eventually I put my foot down and if they phoned me with a problem I asked what they had been doing, if they told me they were using IE I refused to help them. You do that once and I assure you, you won't ever have the problem again. They'll either take your advice or they'll find someone else to fix their shit. You don't even have to be nasty about it either, this is your time they are wasting by being douchebags and going against your advice. I simply explained this to them and said if they felt my advice was not worth taking then I'd rather spend my time assisting people that respected the time I invested into repairing/fixing their machines and educating them on the best/safest way to use them.

Re:The problem is not theirs, they think. (2, Insightful)

h4rr4r (612664) | more than 3 years ago | (#34070314)

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

Sounds like you are the problem.

They need a simple guide or something to click! (1)

dRn-1 (732935) | more than 3 years ago | (#34070066)

The funny thing is I bet if he'd put "You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool." followed by a nice image implying "Click here to install a tool to protect yourself", a very good percentage of them would have clicked it!

Re:They need a simple guide or something to click! (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34070342)

If the site doesn't support HTTPS, there's not an easy fix. The users could set up a VPN connection, but that's not as simple as clicking to install a tool. We need to start asking all sites that use cookies to store authentication credentials, which is pretty much any site that allows you to log in and remembers that you've logged in, to allow HTTPS access to all their pages. Let's start with Slashdot. Slashdot, please provide HTTPS support on all pages on the site! StartSSL certificates are free!
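
An added example, not part of the thread: a simplified model of RFC 6265 cookie matching that shows why cookies leak on requests the user never consciously made (jordan314's observation above) and why the comment above asks for HTTPS on every page. The host names and cookie values are constructed.

```javascript
// Simplified RFC 6265 cookie model. Hostnames and cookie values are constructed.

// Parse one Set-Cookie header value received from `requestHost`.
function parseSetCookie(header, requestHost) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = {
    name: parts[0].slice(0, eq),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets it
    path: "/",
    secure: false,
    httpOnly: false, // hides the cookie from page scripts, not from the network
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // subdomains now match too
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of cookies that travel in cleartext on a request for `url`,
// i.e. what anyone listening on an open network can read.
function exposedOnRequest(jar, url) {
  const u = new URL(url);
  if (u.protocol === "https:") return []; // encrypted in transit
  return jar
    .filter((c) => !c.secure) // Secure cookies are withheld from http://
    .filter((c) => domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path))
    .map((c) => c.name);
}

// Constructed cookie jar for a hypothetical site, as set by www.social.example.
const jar = [
  "session=abc123; Domain=.social.example; Path=/; HttpOnly",
  "session_tls=def456; Domain=.social.example; Path=/; Secure; HttpOnly",
  "prefs=dark; Path=/settings",
].map((h) => parseSetCookie(h, "www.social.example"));

// Constructed requests: a direct visit, a widget embedded on an unrelated
// page, a deeper path, and the same visit over HTTPS.
const requests = [
  "http://www.social.example/home",
  "http://widgets.social.example/like.js",
  "http://www.social.example/settings/privacy",
  "https://www.social.example/home",
];

for (const url of requests) {
  console.log(url, "->", exposedOnRequest(jar, url));
}
```

Only the cookie marked Secure stays off the wire on plain HTTP requests; HttpOnly alone makes no difference to a listener.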

Re:They need a simple guide or something to click! (1)

icebike (68054) | more than 3 years ago | (#34070506)

But facebook DOES support https, no?

Re:They need a simple guide or something to click! (1)

brain159 (113897) | more than 3 years ago | (#34070416)

I fully expect, within 14 days of now (if that), for people to be using this in busy locations to send links out to victims' friends telling them to "click here to browse my holiday photos with this cool FakePhotosRealMalware tool!".

Not that I'm going to do it, just that it's really obvious and I want to feel smug for totally calling it.

The Good Old Days (3, Funny)

IonOtter (629215) | more than 3 years ago | (#34070076)

Back when I was a student in college, we were using DEC VAX/VMS systems to provide service to the campus network.

I loved the help menu. It was VERY useful to do all sorts of things, such as creating your LOGIN.COM file. With the LOGIN.COM file, you could set your command prompt, establish which home directory to use, create macros to start batch jobs...you name it.

Occasionally, we'd come across someone who forgot to log out of their session, and just left ms-kermit running on their terminal.

If it was the first time, we'd telnet into their mail client and send them an email from themselves, warning them to be more careful. If it was the second time, we had a bit more fun.

Such as setting their home directory ATTRIB *.* +H

The best was when we edited their LOGIN.COM file, so that whenever they tried to execute *any* commands, it would send a pmail to the sysadmin saying, "I'm an idiot who left his account open, and I need an adult to fix it for me, please?"

Not surprisingly, the sysadmin WAS amused by this, and had great fun exacerbating the torture. It was a different era, when sysadmins had PhD's and a sense of humor.

Fond memories...

You can't stop the signal, Mal. (0)

Anonymous Coward | more than 3 years ago | (#34070092)

"You can't stop the signal, Mal. Everything goes somewhere, and I go everywhere." -- Mr. Universe, Serenity

Author is ignoring the obvious (3, Insightful)

meeotch (524339) | more than 3 years ago | (#34070104)

Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.

Re:Author is ignoring the obvious (2)

hedwards (940851) | more than 3 years ago | (#34070570)

What annoys me about Firefox is that it doesn't let you easily sidestep the security on a temporary basis. Either you can't go in or it wants you to create a permanent exception. I'm not really sure why it can't provide a convenient way of making it a one time deal. Once I'm in if I decide to do that, then is the appropriate time for me to decide whether to add a permanent exception or not.

In virtually all cases I'm not going back to that site, so ultimately not providing a convenient temporary access is probably worse for security.