Firesheep Author Reflects On Wild Week

Soulskill posted more than 3 years ago | from the don't-be-baa-aad dept.

Encryption 229

alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"

229 comments

While I sorta agree with what the guy is saying... (4, Insightful)

Pojut (1027544) | more than 3 years ago | (#34105208)

...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."

Re:While I sorta agree with what the guy is saying (5, Insightful)

bennomatic (691188) | more than 3 years ago | (#34105218)

Correct. And gun shops do that all day every day, all over the country.

Re:While I sorta agree with what the guy is saying (1)

MaskedSlacker (911878) | more than 3 years ago | (#34105316)

I doubt any of them sell pre-loaded guns. Guns and ammo, sure. Loaded guns? Not likely.

Re:While I sorta agree with what the guy is saying (3, Insightful)

TheKidWho (705796) | more than 3 years ago | (#34105356)

Well you do have to install it and then run it.

Besides it's not like you can run firesheep without Firefox installed to begin with.

Re:While I sorta agree with what the guy is saying (5, Insightful)

Jeremiah Cornelius (137) | more than 3 years ago | (#34105598)

"Guns don't shoot people, Firefox shoots people!"

That seems to be the nature of the hyperbolic rhetoric in this sub-thread.

The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"

Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...

Re:While I sorta agree with what the guy is saying (2, Informative)

fahlesr1 (1910982) | more than 3 years ago | (#34105378)

When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.

Some places I went to won't even sell you ammo the same day! How annoying is that? I just want to go home and plink some pop cans with my new gun!

Re:While I sorta agree with what the guy is saying (2, Informative)

ElectricTurtle (1171201) | more than 3 years ago | (#34105742)

If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately. I've bought a few guns in my time, and ammo with them, and never have been treated like that, nor would I ever accept being treated like that.

Re:While I sorta agree with what the guy is saying (1)

nschubach (922175) | more than 3 years ago | (#34105840)

Ditto. They politely ask to keep the ammo in the box you bought it in (duh) and let me on my way. One time I bought a pistol and was allowed to walk to the other side of the store and pick up something else before I carried my newly purchased firearm to the front where I handed them the receipt showing I bought it and the ammo.

Re:While I sorta agree with what the guy is saying (1)

Kraeloc (869412) | more than 3 years ago | (#34105808)

Almost every state has some kind of waiting period for handguns, unless you have a concealed carry permit valid in that state. Rifles and shotguns are pretty much universally buy-n-run though.

Re:While I sorta agree with what the guy is saying (0, Redundant)

Cinder6 (894572) | more than 3 years ago | (#34105864)

Correct. And gun shops do that all day every day, all over the country.

Uhuh. And sporting goods stores sell baseball bats every day, too. If you decide to brain someone with it, that's your business.

What's your point?

Re:While I sorta agree with what the guy is saying (1)

Pojut (1027544) | more than 3 years ago | (#34105220)

Actually, now that I'm thinking about it, I'm not so sure that works...

Re:While I sorta agree with what the guy is saying (4, Insightful)

rtfa-troll (1340807) | more than 3 years ago | (#34105710)

Try a car analogy. That might work better.

It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.

This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.

Re:While I sorta agree with what the guy is saying (5, Insightful)

Zeek40 (1017978) | more than 3 years ago | (#34105226)

Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34105520)

I think a better analogy would involve spy cameras / x-ray vision.
But I don't see why analogies are needed. If he just wanted to draw attention to web security he would have made the tool delete the cookies. Clearly he wants to have an impact. CodeJoker, anyone?

Re:While I sorta agree with what the guy is saying (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34105562)

I live in a small town. We have at least one homeless person that I know of. He likes to go to people's houses that he knows keep the doors unlocked and clean up, warm up, and sometimes steal food. Apparently, this is very effective with houses that are for sale and the realtors keep open. Everybody knows the allegations, but some people simply refuse to believe it. They have decided that this is a small, rural town and is safe by definition. They refuse to believe that this can happen and do not lock their doors. This is despite the fact that occasionally someone wakes up in the wrong house after a night at the bar, and we know it happens. People's refusal to accept any reality that goes against their preconceptions makes it easy to exploit them.

This situation with web security is similar. People simply refuse to believe it is an issue.

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34105596)

And it's got Radar + GPS to unlocked doors :p

Re:While I sorta agree with what the guy is saying (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34105772)

Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exaggerated. In your case Zeek, you have understated that the tool's primary focus is to perform an act which without permission is considered illegal.

It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.

Using that to test your own security is a lot like a white hat exposing vulnerabilities. The problem is that this vulnerability is public and made incredibly easy. Google accidentally (or so they claim) exploited this vulnerability, and are under a lot of flak for it.

So - to wrap this up with a good car analogy, since your guys' analogies have failed,

It's like giving someone a fueled up Google car capable of sniffing Wifi for usernames and passwords.

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34106102)

Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exaggerated. In your case Zeek, you have understated that the tool's primary focus is to perform an act which without permission is considered illegal.

It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.

Using that to test your own security is a lot like a white hat exposing vulnerabilities. The problem is that this vulnerability is public and made incredibly easy. Google accidentally (or so they claim) exploited this vulnerability, and are under a lot of flak for it.

So - to wrap this up with a good car analogy, since your guys' analogies have failed,

It's like giving someone a fueled up Google car capable of sniffing Wifi for usernames and passwords.

Trucks are for stealing. Action implied by its nature.

Re:While I sorta agree with what the guy is saying (1)

0racle (667029) | more than 3 years ago | (#34105260)

You could say the same thing regarding just about any tool.

"Here's a Silver Hammer, Max. Now, if you decide to hit someone with it, that's you're business."

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34106088)

that's you're business.

No, that's your business.

Re:While I sorta agree with what the guy is saying (1)

Toe, The (545098) | more than 3 years ago | (#34105264)

Well, exactly. Plenty of people use loaded guns to shoot ducks, bullseyes, deer, clay pigeons, etc. Loaded guns aren't necessarily about murder of humans.

An IT admin might want to see if people in his/her company are running insecure activity on company computers. For example.

Re:While I sorta agree with what the guy is saying (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34105268)

...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

Well, that's exactly the NRA's argument, and it seems to work for them......

Re:While I sorta agree with what the guy is saying (2)

droidsURlooking4 (1543007) | more than 3 years ago | (#34105286)

...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

or stop someone else from hurting or killing others. Yes, us big kids sometimes use sharp tools if the job calls for it.

Would you have it otherwise?

Re:While I sorta agree with what the guy is saying (2, Funny)

nschubach (922175) | more than 3 years ago | (#34105870)

They let you have the pointy scissors? All I got were these rounded ones that don't cut well. :(

Re:While I sorta agree with what the guy is saying (1)

iammani (1392285) | more than 3 years ago | (#34105290)

It's rather, here is a lock pick. Now if you use it to break into someplace, without authorization, that's your business.

Re:While I sorta agree with what the guy is saying (1)

tom17 (659054) | more than 3 years ago | (#34105348)

That would be more akin to breaking the wireless encryption and then doing the sniffing.

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34105936)

It's rather, here is a lock pick. Now if you use it to break into someplace, without authorization, that's your business.

It's more like:

Here is a butterfly net.

Hold it up in the air and see if you catch any of the house/office/car keys that people are throwing all around.
--
codk

I'd like to use a more IT related version... (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34105450)

It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.

At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read them. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.

Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.

Re:I'd like to use a more IT related version... (2, Insightful)

nschubach (922175) | more than 3 years ago | (#34105890)

How would that work with Walkie talkies or CB radio?

I mean, if I listened to someone on a walkie and they thought it was private...

Heck, even some old cordless phones could be picked up by nearby speakers.

Re:While I sorta agree with what the guy is saying (2, Interesting)

MoanNGroan (1050288) | more than 3 years ago | (#34105706)

If it were a mere hacking tool that required some technical proficiency, maybe ... in this case you are handing the loaded gun to a 10-year old with simple a-b-c instructions and a list of potential targets, and a promise that it will be very difficult if not impossible to prosecute them.

Re:While I sorta agree with what the guy is saying (0)

Anonymous Coward | more than 3 years ago | (#34105718)

Except for one minor difference: guns kill things.

Re:While I sorta agree with what the guy is saying (1)

nschubach (922175) | more than 3 years ago | (#34105948)

So do cars, baseball bats, metal poles, knives, toasters, anti-freeze, bleach, duct tape applied over the mouth and nose, yard chemicals... I could list hundreds of tools that kill things (pets, adults, and children included.) It doesn't mean I'm going to use them for that purpose.

Re:While I sorta agree with what the guy is saying (1, Flamebait)

PopeRatzo (965947) | more than 3 years ago | (#34105728)

it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business.

No. It's more like "I've hidden some explosives in several of your neighbors' cars. Here's a remote detonator. If you press the button, there will be damage.

Now, if you decide to use it, that's none of my business. At least I encouraged the discussion of how to disarm explosives".

And the answer is no. (4, Insightful)

Anonymous Coward | more than 3 years ago | (#34105214)

"Is it legal to access someone else's accounts without their permission."
No.

Firesheep is as legal as nmap in case anyone wondered.

Re:And the answer is no. (1)

jcaldwel (935913) | more than 3 years ago | (#34105236)

Actually, it's more like a very specialized version of Wireshark -

Re:And the answer is no. (3, Insightful)

pantheonwhaley (1933610) | more than 3 years ago | (#34105258)

But what it is most like is a Firefox add-on.

Re:And the answer is no. (1)

bennomatic (691188) | more than 3 years ago | (#34105242)

How do you feel about using someone's open access wifi? Some people on /. would say that, if it's not being protected, it's an invitation to access.

Re:And the answer is no. (1)

Pojut (1027544) | more than 3 years ago | (#34105266)

I know you didn't ask me, but yeah, an open WiFi network is an invitation for anyone to access it.

That doesn't mean you should.

"Ignorance is no excuse" (1)

Toe, The (545098) | more than 3 years ago | (#34105442)

It is interesting. A common mantra of law enforcement is that "ignorance of the law is no excuse [wikipedia.org] for illegal behavior."

So is ignorance of security technologies an excuse for publicly broadcasting your password to people around you?

There is nothing illegal about receiving and interpreting radio signals which are unencrypted. So if some schmoe is typing a password into a non-SSL page over a non-encrypted radio network, they are actually (though ignorantly) broadcasting their password right at you.

If you write your password on a wall inside a room that you think is private, is it illegal for me to look at it through a window?

Re:"Ignorance is no excuse" (1)

Pojut (1027544) | more than 3 years ago | (#34105538)

Again, never said it was illegal...just wrong. Or at least, "wrong" as defined according to my own personal opinion of "right" and "wrong". YMMV with that one, lol :)

Re:"Ignorance is no excuse" (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34105716)

You again. I believe you're trolling. You always lose this argument, but every time WLAN is the topic, you ruminate your "opinion". You endanger people by telling them that those who use open wireless networks are doing wrong, when really the operators of open access points are making the mistake by not securing their networks even though they do not intend to offer public access. You also deprive law-abiding people of the opportunity to offer network access by telling people not to use their networks. There is not a single person who benefits from the "hands off open networks" attitude.

Re:And the answer is no. (1)

jonescb (1888008) | more than 3 years ago | (#34105308)

I have no problem accessing public wifi because I'll just set up an SSH tunnel anyway.

Re:And the answer is no. (1)

falzer (224563) | more than 3 years ago | (#34105526)

I have some reservations about it, but not enough to refuse to use it in an emergency. I already have a net connection at the places I frequent.
I would assume a coffee shop owner invites the use. I do not expect that the average Joe Neighbourhood who leaves his wifi open invites access, even though he may be ignorant and not realize the consequences.
However, the computers don't distinguish between the former and the latter's intended use. The computer just sees an open access point.
I once accidentally used an open wifi for weeks without realizing it: my machine just connected to whatever it could find open. Whoops! Once I realized it I set it to use my own closed wifi.

In my opinion, while technically it is an open invitation, it is impolite.

Even if you are dangerously ignorant and naive about security of any sort, it does not mean one should have bad things happen to them by opportunists and criminals, nor does it mean criminals should not be punished. However my righteous contempt of criminals does absolutely nothing to stop this sort of thing: better security practices, on the other hand, do.

Clear as mud? :)

Re:And the answer is no. (1)

falzer (224563) | more than 3 years ago | (#34105920)

I'll add that I commented how I personally feel about the use of open wifi. More broadly speaking, I do not think there should be any laws or rules against using open wifi, but rather more education on the subject. As a crypto-enthusiast, I think social networking sites should be much more serious about security.

Re:And the answer is no. (3, Informative)

dgatwood (11270) | more than 3 years ago | (#34105282)

Of course, all of this was caused by the social network websites being run by people who don't think that social network accounts are all that important. If they thought people stealing access to accounts was a big deal, they would be using https by default instead of making it really hard to use https (e.g. Facebook immediately redirecting you to the http page after logging in via https). So if anybody goes after you for this, it would have to be either the end users or the police, since the developers of the site don't seem to care enough to do it.
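The behaviour described in the comment above (log in over https, then get sent back to http with the session cookie) can be checked for mechanically. The following is an added example, not part of the original post or of any site's code: it audits a recorded login flow for session cookies that lack the `Secure` attribute and for redirects that drop from https to http. The site `social.example`, the cookie name `session` and both sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit


@dataclass
class Exchange:
    """One request/response pair from a recorded login flow."""
    url: str        # URL that was requested
    status: int     # HTTP status of the response
    headers: list   # response headers as (name, value) pairs; repeats allowed


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(exchanges, session_cookies=("session",)):
    """Flag the places where a session cookie can end up on plaintext HTTP."""
    findings = []
    for ex in exchanges:
        scheme = urlsplit(ex.url).scheme.lower()
        for hname, hval in ex.headers:
            hname = hname.lower()
            if hname == "set-cookie":
                cname, attrs = parse_set_cookie(hval)
                if cname.lower() not in session_cookies:
                    continue  # preference cookies etc. are out of scope here
                if scheme != "https":
                    # Issued in the clear: visible to anyone on the same network.
                    findings.append(("cookie-set-over-http", ex.url, cname))
                elif "secure" not in attrs:
                    # Issued over TLS, but the browser will also send it over http.
                    findings.append(("cookie-missing-secure", ex.url, cname))
            elif hname == "location" and 300 <= ex.status < 400:
                target = urljoin(ex.url, hval)  # resolves relative redirects
                if scheme == "https" and urlsplit(target).scheme.lower() == "http":
                    findings.append(("https-to-http-redirect", ex.url, target))
    return findings


# Constructed sample: https login that hands the user back to http.
WEAK_FLOW = [
    Exchange("https://social.example/login", 302, [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    Exchange("http://social.example/home", 200, [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]),
]

# Constructed sample: same flow with Secure cookies and no downgrade.
HARDENED_FLOW = [
    Exchange("https://social.example/login", 302, [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
        ("Location", "/home"),
    ]),
    Exchange("https://social.example/home", 200, [
        ("Set-Cookie", "theme=dark; Path=/"),
    ]),
]

if __name__ == "__main__":
    for finding in audit_flow(WEAK_FLOW):
        print(finding)
    print("hardened flow findings:", audit_flow(HARDENED_FLOW))
```
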

Re:And the answer is no. (2, Interesting)

mdm-adph (1030332) | more than 3 years ago | (#34105588)

This is where you make the difference between "access" and "see."

Such as: if I somehow steal your bank account password, and log in to your account, I'm illegally "accessing" your data.

If you leave your bank statement out on a table where I'm sitting and then leave, and I happen to see what's on it, I'm "seeing" it.

Facebook was transmitting its tokens in an unencrypted fashion without any security to them whatsoever. The situation is a little more confusing than just a "no."

542,000 downloads later.... (0)

Anonymous Coward | more than 3 years ago | (#34105238)

He's probably wondering how much money he'd have made if he'd charged for it.

Re:542,000 downloads later.... (3, Insightful)

Toe, The (545098) | more than 3 years ago | (#34105298)

Except then your subject line would have read: "57 downloads later..."

Re:542,000 downloads later.... (1)

OzPeter (195038) | more than 3 years ago | (#34105386)

He's probably wondering how much money he'd have made if he'd charged for it.

Advert revenue? I haven't been to his site so I have no idea if he hosts ads.

Re:542,000 downloads later.... (1)

Darkness404 (1287218) | more than 3 years ago | (#34105560)

...Probably nothing. Chances are, his site would be just like those spammers advertising "fr33 micros0ft p0intz g3n3rat0rz" and would be ignored by everyone.

What I don't get (1)

jonescb (1888008) | more than 3 years ago | (#34105250)

Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.

Re:What I don't get (5, Insightful)

dropadrop (1057046) | more than 3 years ago | (#34105402)

Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.

You answered the question yourself. While nothing changed in the security of all these services, and your account could have been hijacked just as easily a year ago, now the probability of it happening to a random open wifi user just went up.

But what really happened is that now clueless reporters actually found a tool so simple that even they understand how session hijacking works (ok, they probably still don't understand, but do see how easy it is). When everybody sees just how fragile the foundation is, it raises discussion.

And the funny thing is, there is some thanking to Microsoft and Internet Exploder for this situation. If older IE versions didn't always bitch when you load secure and insecure components on the same page we would probably have long running best practices of sending all session related data over https even for sites where (client) caching prevents usage of https.

Re:What I don't get (1)

master0ne (655374) | more than 3 years ago | (#34105770)

Older browsers?!?! IE8 still "bitches" when I load up Facebook's "Account Settings" Page - "Do you want to view only the webpage content that was delivered securely

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."

Re:What I don't get (1)

dreampod (1093343) | more than 3 years ago | (#34105550)

I think you answered your own question there. Also add the fact that Firesheep is intended partially as a publicity stunt so it has higher visibility than the standard 'hackers' who are trying to keep under the radar. The author has given interviews on it to several sites and articles detailing its use and the general insecurity of session based cookies have been a coordinated part of this publicity push and a natural consequence of it being popular enough that articles on it garner pageviews.

Using it against unsuspecting people is illegal (2, Informative)

Anonymous Coward | more than 3 years ago | (#34105254)

At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.

Re:Using it against unsuspecting people is illegal (1)

kill-1 (36256) | more than 3 years ago | (#34106060)

If you're talking about 202a StGB (Ausspähen von Daten), that only applies if you actually access data that is not meant for you to see.

Hopefully... (2, Interesting)

ThoughtMonster (1602047) | more than 3 years ago | (#34105320)

...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

Re:Hopefully... (1)

tlhIngan (30335) | more than 3 years ago | (#34105458)

...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

They do, actually. Most routers and hardware support "secure easy setup" type one-click security. Sure you often have to buy equipment from one manufacturer, but that's just incentive to do it and to show how to do it.

It's extremely popular if you consider how many routers have that function used (you can usually tell by the SSID). Of course, you do give up a lot of control when using it (limited number of clients configured this way, almost impossible to do a manual configuration, etc), but it's there and usually there's pages in the printed guides about using it.

Re:Hopefully... (3, Insightful)

dreampod (1093343) | more than 3 years ago | (#34105476)

I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

Wouldn't that mean that anybody able to access the access point could still harvest the un-encrypted cookies using Firesheep given the primary demonstration of the problem is with public wireless networks at coffee shops and airports?

Re:Hopefully... (1)

TubeSteak (669689) | more than 3 years ago | (#34105612)

I'm not an expert on wireless encryption but doesn't WPA encrypt using a specified key for all users of the same wireless network rather than providing specific individual keys on a per user basis?

Ding ding ding. We have a winner.
This was exactly how I first tested FireSheep on my own home network.

My wireless router has the ability to create a few guest networks and assign them individual encryption keys,
but the hardware required to do that for 20~50+ connections you might reasonably encounter in a commercial setting...
I can't imagine that'd be cheap.

Re:Hopefully... (1)

mdm-adph (1030332) | more than 3 years ago | (#34105618)

If I understand it correctly, even if you know the password to access a WPA-encrypted wifi network, you still can't access other people's data -- you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity. This is different from WEP, where, I'm pretty sure, if you had the password, all accessed computers' data was visible to everyone else.

Now, I could be wrong, so someone with more knowledge about this please speak up!

Re:Hopefully... (1)

phantomcircuit (938963) | more than 3 years ago | (#34105682)

you have to capture their "handshake" with the router in addition, and that takes a bit of questionable activity.

To get the handshake you simply have to be sniffing the network at the same time the other client connects, note that it is possible to force clients to reconnect.

Re:Hopefully... (1)

ElectricTurtle (1171201) | more than 3 years ago | (#34105912)

WPA, like WEP, is simply encryption of the links between clients and AP. There is no encryption between the clients, they are as transparent to each other as if they were physically cabled to any hub or switch. Now I've heard tell of some enterprise class APs having the capacity to create things like VLANs using multiple SSIDs, but those are expensive and rare (from a SOHO perspective).

However, WPA when used with RADIUS can integrate with a domain controller and establish permissions for various network resources based on account parameters.

Re:Hopefully... (1)

colinnwn (677715) | more than 3 years ago | (#34106100)

My ancient $50 WRT-54GL with DD-WRT does segregated VLANS with multiple SSIDs and independent passkeys. Running one now keyless for my neighbors, and WPA2 for me.

Re:Hopefully... (3, Insightful)

Bigjeff5 (1143585) | more than 3 years ago | (#34105686)

That's true for WEP encryption I believe, but definitely not for WPA.

It's the same key for authorization to the router, but once established it creates a separate shared key for each individual connection.

So no, once you are connected to the router you don't get free access to everyone else's traffic. You can communicate with them via the router, but you'd have to break their encryption to grab their cookies.

Re:Hopefully... (0)

Anonymous Coward | more than 3 years ago | (#34105992)

Mod parent up insightful

Re:Hopefully... (1)

phantomcircuit (938963) | more than 3 years ago | (#34106030)

Like other posters you have failed to grasp that anybody sniffing the sharing of the per client key can read your traffic.

So someone who starts sniffing the network after you have connected cannot listen in, but someone who has been there from the beginning can.

Haha (0)

Anonymous Coward | more than 3 years ago | (#34105486)

Haha

Re:Hopefully... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34105498)

...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption the default. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

Fixed that for you, if people want to run unencrypted wifi, that should be their right, but I do agree that manufacturers should turn on the best security connection by default. Quick point, the wireless DSL modem I bought from Quest defaults to WPA2 and has a 32 Char (though each of those chars is still just a hexdigit...) password. Pretty decent out of the box if you ask me.

This isn't about manufacturers (3, Interesting)

rsborg (111459) | more than 3 years ago | (#34105516)

This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.

I have yet to see any major hotspot provider that secures their access. Although in theory it would be possible, most don't do it because no one feels unsafe yet.

Firesheep may change that.

Re:Hopefully... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34105584)

manufacturers will take a hint and make WPA encryption mandatory.

That's actually a terrible idea. WPA won't solve the real problem.
It would make people feel secure, until a year later someone publishes a tool that simplifies ARP poisoning [sf.net] and the whole story starts again.

If you really care about the security of the users, you should teach people how to use end-to-end encrypted protocols, like HTTPS for example.

Re:Hopefully... (1)

Bigjeff5 (1143585) | more than 3 years ago | (#34105760)

ARP poisoning is pretty easy to protect against [sourceforge.net].

Really, a service like FaceBook I wouldn't expect to be very secure. You're already sharing your information with the rest of the world, someone else accessing your account is simply going to cause you some annoyance. Not that big a deal. Amazon I would expect to secure their communications though, so it's disturbing that they don't.

Re:Hopefully... (1)

adolf (21054) | more than 3 years ago | (#34105654)

You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

Actually, I can expect that. And I can even show you a pretty graph [wigle.net] that indicates folks are doing an increasingly better job with encrypting their wireless networks.

As an anecdote, my own experiences with wardriving in small-town Ohio have been interesting to me. Some towns and neighborhoods are full of wide-open networks. Some are almost completely locked-down. Some people will have two SSIDs for their house, like a WPA-protected network called "Jones" and a second non-encrypted "Jones Guest".

And there's plenty of savvy people out there who even give different family members their own encrypted WLANs, judging from the SSIDs that I see.

Generally speaking, I've seen folks make good progress over the past few years. Gone are the days when I could just open my laptop in any old neighborhood, pick one of several "linksys" APs, and get Internet access.

Re:Hopefully... (1)

JoeRandomHacker (983775) | more than 3 years ago | (#34105670)

There are the support costs when the user can't figure out how to configure it.

AES? PSK? What the heck are those things?
What do you mean it doesn't work if everything isn't set up the same?
I just want it to work. Why won't it work?

Companies have to pay people to answer these questions.

I'm not saying it isn't a good idea, just that there are actual costs.

Re:Hopefully... (1)

tnnn (1035022) | more than 3 years ago | (#34105724)

Mandatory? No. If I want to run WEP or no encryption at all, I have the right to do so. Making WPA turned on by default is another thing - cost doesn't change but you can use your AP the way you like it, not the way someone tells you to do.

Is It Legal (3, Interesting)

sexconker (1179573) | more than 3 years ago | (#34105330)

"A much more appropriate question is: "Is it legal to access someone else's accounts without their permission.""

No, that's not an appropriate question.
The answer is a clear-cut, resounding, "NO".

His add-on simply sniffs the open air for cookies from a list of sites that use http instead of https. Then you get a little "log in" button to take that cookie as your own.

While effective, it's trivial to do, and doesn't uncover any new exploits or weaknesses.

Firesheep is only intended for illegal purposes, thus Firesheep itself may be deemed illegal in many countries, or the use of it may be justifiably restricted to certain activities (such as penetration testing).

This wasn't an unpatched exploit that a big company took months to fix.
This wasn't some obscure vector that went unacknowledged for years.
This was a fucking design decision.
Sending credentials in the clear is retarded. This shit needs to stop, and if it takes an asshole like Eric Butler trolling Facebook and Twitter users at Starbucks to get it changed, so be it. Companies don't cater to the experts, they cater to the masses. The only way to get shit changed is to make the masses bitch.

What we can conclude from this fiasco is:

Butler is an asshat.
Many major sites don't give a shit about security.
Many major sites do give a shit about public perception.
In order to get things fixed, we need asshats like Butler pointing at the wide open door and shouting to the plebes, "LOOK WHAT I CAN DO!".

Re:Is It Legal (1)

rtfa-troll (1340807) | more than 3 years ago | (#34105862)

Firesheep is only intended for illegal purposes, thus Firesheep itself may be deemed illegal in many countries, or the use of it may be justifiably restricted to certain activities (such as penetration testing).

Demonstrating security flaws to people requires easy to use examples that go the whole way. I have little (a little too much?) idea why, but they will always say "oh; but that's not a real world thing" unless you actually shove it in their faces. This has a perfectly legitimate role in security training.

Re:Is It Legal (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34105990)

In order to get things fixed, we need asshats like Butler pointing at the wide open door and shouting to the plebes, "LOOK WHAT I CAN DO!".

I admire that kind of Ass-hat. Oftentimes people don't get the message until it affects them negatively.

I've been that asshat myself - doing some questionable maneuvers to warn regular users of their insecure habits. For me, it's not to show off what I can do and it's not about being a self-righteous do-gooder either.

It's a "I am ticked off at the way people carelessly handle this crap" - If I act too kind it will go ignored, as if it were charity. If I do something malicious I could end up in jail. How about that nice happy medium where I can piss someone off enough to get them to change their habits, but not so much where I could be arrested.

Re:Is It Legal (1)

master0ne (655374) | more than 3 years ago | (#34106052)

The purpose of this software is to show "The Masses" just how easy and trivial this is. This software can be used for "penetration testing", a valid and legitimate purpose. That is the purpose of this software. This software can also be used for illegal reasons, such as stealing someone else's Facebook account. If you prefer to think of Butler as an asshat for trying to point out this VERY serious problem, then by all means, I hope we can all be as big of asshats as Butler. By this logic any "brute force" program is illegal, keyloggers are illegal, viruses are illegal, etc.... The software itself is not illegal; how the user uses the software determines the legality of the software. If I want to code a virus to format my drive for testing purposes, I am perfectly within my rights to do so; to send this software to hundreds of people as a screensaver with "puppies screensaver" as the subject would be illegal.

Hey Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#34105352)

Mind if I use your Slashdot account?

Still confused (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34105358)

I'm sorry but networking and security are not my forte. Can someone describe what the problem is, what this add-on does and how to protect yourself or your website? All in clear terms and please refrain from using acronyms.

Re:Still confused (2, Informative)

BitterOak (537666) | more than 3 years ago | (#34105506)

As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.

This affects you only if you are connecting to the Internet wirelessly, do not employ encryption on your wireless link, and are visiting a website that doesn't use SSL (sorry for the acronym: it stands for secure sockets layer and is a protocol for encrypting connections to websites (those that use the https prefix.)).

To protect yourself, be sure your wireless equipment is configured to use encryption (always a good idea) and if you log into websites that require a password, be sure the site is using SSL (also always a good idea.)

Re:Still confused (3, Informative)

j-beda (85386) | more than 3 years ago | (#34105778)

Actually, it grabs cookies, so even if you do not transmit your signon stuff in the clear, the attacker can still use your session. Read the linked article for more details.

The tool works in any network situation (wired or wireless) where intra-client communication happens - so if you can see other computers' shared folders and bonjour services and stuff like that, then potentially this tool could pick up cookies to do its work. Some (all?) WiFi encryption methods do use the same encryption for each client, so they can be vulnerable, and certainly if an attacker is "upstream" from the wireless router (perhaps on the wired network the wireless router is attached before going out the establishment's cable modem for example), all that traffic is completely unencrypted.

Re:Still confused (1)

zachriggle (884803) | more than 3 years ago | (#34106002)

Mod parent up insightful, or GP down.

Re:Still confused (2, Informative)

interkin3tic (1469267) | more than 3 years ago | (#34105792)

As far as I understand, what this tool does is it sniffs the data in unencrypted WiFi sessions, determines when people are logging in (using a password) to a website that does not employ encryption, and allows the user to hijack their session.

Wait, people weren't doing that before? I wasted all this time NOT logging into my bank account on my nintendo DS in an airport?!?!

Kidding about that last part, but were people doing this before and this is just a prepackaged easy way for everyone to do it?

Re:Still confused (1)

MichaelKristopeit121 (1933108) | more than 3 years ago | (#34105822)

I understood that it worked over any local network... wired or wireless... generally you can trust the users of computers hard wired into your network, but if any machine had a virus, or you have a housemate or guest with a bone to pick, then you may be vulnerable.

Using https connections is the solution, but it's more CPU intensive, so it scales far slower and costs more to operate to the provider of the usually free services being exploited.

Re:Still confused (1)

farnsworth (558449) | more than 3 years ago | (#34105836)

be sure the site is using SSL (also always a good idea.)

It's not always easy to do this. You could easily verify that a login page is SSL, but you don't know where you are going to get 302ed to after you submit that form.

I wish browsers had a way to temporarily disable plain http for such occasions. In the meantime there are always software firewalls I guess.

Re:Still confused (3, Informative)

The MAZZTer (911996) | more than 3 years ago | (#34105908)

To clarify, if at any point you connect using HTTP to a website, FireSheep can steal your cookies and impersonate you from that point on. It doesn't matter if the login form uses HTTPS or not (but of course if it does not your password can be stolen too, but AFAIK FireSheep just looks for cookies).
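The two conditions raised in the comments above (a login over HTTPS that then redirects to plain HTTP, and a session cookie that is sent on any later HTTP request) can be checked from a site's response headers. The following is an added example, not code from the thread or from Firesheep; the host `example.test`, the sample responses and the cookie names treated as session cookies are constructed assumptions.

```python
"""Audit HTTP responses for session-cookie exposure over plain HTTP."""
from urllib.parse import urlsplit

# Constructed sample data: (request URL, status code, response headers).
SAMPLE_RESPONSES = [
    ("https://example.test/login", 302, [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://example.test/home"),
    ]),
    ("https://example.test/account", 200, [
        ("Set-Cookie", "session=def456; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ]),
]

# Assumption: cookie names that carry the logged-in session on this site.
SESSION_COOKIE_NAMES = {"session", "sid", "auth"}


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, status, headers):
    """Return a list of (url, finding code, detail) for one response."""
    findings = []
    is_https = urlsplit(url).scheme == "https"
    header_names = {key.lower() for key, _ in headers}
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser attaches the cookie to http:// requests,
            # where anyone on the same network segment can read it.
            if name.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
                findings.append((url, "COOKIE_NO_SECURE", name))
        elif key == "location" and 300 <= status < 400:
            # An HTTPS form that redirects to http:// drops the user back to cleartext.
            if is_https and urlsplit(value).scheme == "http":
                findings.append((url, "HTTPS_TO_HTTP_REDIRECT", value))
    # HSTS tells the browser to refuse plain HTTP for this host on later visits.
    if is_https and "strict-transport-security" not in header_names:
        findings.append((url, "NO_HSTS", ""))
    return findings


def audit_all(responses):
    """Audit every response and return all findings in order."""
    results = []
    for url, status, headers in responses:
        results.extend(audit_response(url, status, headers))
    return results


if __name__ == "__main__":
    for url, code, detail in audit_all(SAMPLE_RESPONSES):
        print(f"{code:24} {url} {detail}")
```

The login response is flagged on all three checks, while the account response passes: its session cookie carries `Secure` and the non-session `theme` cookie is ignored.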

Re:Still confused (1)

Bucc5062 (856482) | more than 3 years ago | (#34105528)

You do realize this is Slashdot, (Kinda) News for nerds? Break out a dictionary or get ready to Google letters.

Re:Still confused (1)

Yvan256 (722131) | more than 3 years ago | (#34105702)

Some acronyms are common enough (SSL, DRM, etc) but others are more rare and those who work in the field may take their knowledge for granted.

The thing is, nerds now have a lot more domains than before. If I say CSS, those who work in video and broadcasting will think Content Scramble System, those who work with websites will think Cascading Style Sheets, others will probably have yet another meaning for it.

Re:Still confused (2, Informative)

SoTerrified (660807) | more than 3 years ago | (#34105704)

Imagine wi-fi as a man at the far end of a crowded room yelling out information to you as loudly as he can.
Me: "I'm Joe! When is the next train?"
Yelling Guy (The wireless contact point): "Joe! Next train is at 5:05!"

Yes, your wireless device listens to everything being yelled back and forth, and when it 'hears' something yelled at you, it passes it on. But it still hears everything. Normally, if it hears something for 'Joe', it knows that's not you, so it just ignores it. But the firesheep plugin doesn't ignore that information. It listens in and knows if it hears certain things, grab it anyway.

If I'm on encrypted wireless, my stuff will be in a language foreign to everyone in the room but me. If I'm on an encrypted website (https://) then people might hear stuff being said, but again it will make no sense to them.

BUT, if I log into Facebook on wireless with no encryption and with Facebook logging in via http: instead of https: it's like this...

Me: I'm Joe! I want to log into Facebook. Here is my username and password!
Yelling Guy: You are successful! Here's your session information.
Gary: I'm Joe! I want to put a picture up in Facebook!
YG: Done!
Ed: I'm Joe! I want to put nasty comments on my friend's wall!
YG: Done!
Phil: I'm Joe! I want to find all of Joe's Facebook friends and send them private messages!
YG: Done!

Does that help explain it?

Re:Still confused (1)

Yvan256 (722131) | more than 3 years ago | (#34105810)

It sure does. Good thing my name's not Joe!

Re:Still confused (1)

Kraeloc (869412) | more than 3 years ago | (#34106086)

Nicely explained. Mind if I borrow your 'yelling guy' simile for myself? I just got a job at Nintendo customer support, and I'm going to have to explain a lot of wifi-related concepts to very un-savvy users.

Error (1, Offtopic)

youngone (975102) | more than 3 years ago | (#34105586)

There's a huge error in the article of course. I'm sure all Slashdot users will have picked it up, but I'll spell it out for the slower ones among you. Mr Butler is quoted as saying "It is nobody's business telling you what software you can or cannot run on your own computer." This is quite wrong. It's Steve Jobs' business what you run on your computer. Right, carry on.

Re:Error (2, Informative)

Tridus (79566) | more than 3 years ago | (#34106028)

"Defective by design" is the design mantra at Apple HQ.

Ah, self-absolution (1)

MoanNGroan (1050288) | more than 3 years ago | (#34105650)

Enabling this type of crime (invasion of privacy) is just as criminal and even more morally/ethically suspect than the people who commit it. The users can at least excuse their trespass as curiosity or at worst a crime of opportunity, while Eric had the opportunity many times over to question the decision of creating and then releasing the tool. Hacking tools are one thing; this puts the keys into the hands of the everyman. Pretending that it is just an honest tool that 'might' be used inappropriately is a farce.

Karma is a fickle bitch, and she doesn't trade bullshit for redemption. I'm thinking it will only take one large company to get burned badly by this irresponsible choice to illustrate this to our young, self-righteous Eric.

Re:Ah , self-absolution (1)

citylivin (1250770) | more than 3 years ago | (#34106068)

Hacking tools are one thing; this puts the keys into the hands of the everyman.

Are you seriously making the argument that because you find hacking tools to be too difficult to use, that they shouldn't be available to everyone? Only some arbitrary definition of elite hacker that you dreamed up should be able to use security tools?

A tool is a tool. Sure one could argue that a gun is mostly used for killing and the firesheep will mostly be used for abuse, but in the end it's just a tool. It's up to society to dictate which tools are too far to the side of antisocial. A good example would be cell phone/gps jammers.

The onus here, like so many other security problems, is on the VENDOR of the exploited software! Not on the tool that brings this security hole to light. If these popular websites are getting by with cookie auth only, well whose problem is that?
The laziest way of doing security is an administrative ban on something. The proper way is to engineer your system in such a way as the attack becomes useless.

sadface (1)

coolsnowmen (695297) | more than 3 years ago | (#34105846)

No linux build?

Linux build is available (3, Informative)

carvell (764574) | more than 3 years ago | (#34106064)

A Linux build is available here [mediafire.com]. It's a Firefox addon file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.

You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.

All info taken from here [github.com].
