Herding Firesheep in a NYC Starbucks: Do Users Care? (technologysufficientlyadvanced.blogspot....)
131 points by gloshuertos on Oct 29, 2010 | 145 comments



What was your game-plan if you'd stumbled upon something highly personal and sensitive in their mailboxes? Or if one of their friends had sent them a personal IM while you were logged in as them? The fact is, you could have easily approached these people face-to-face, offered to show them the risks they were exposing themselves to using your laptop, and given them the choice as to whether you took control of their accounts. While it appears that you did what you did with the best of intentions, you violated the privacy of the people whose accounts you accessed; broke a variety of laws; then documented your crime in your personal blog.

You describe your targets as lacking judgment. Maybe you should consider your own.


Upvote. This is precisely analogous to the following "brick-and-mortar" situation:

You notice that some folks in your town aren't locking the doors of their houses when they leave. So you go to each of those houses (when they're not there), walk in the front door, and tack a note to the first wall you encounter, telling them that they really ought to lock their doors.

The next day you go back and check their locks. For those that are still unlocked, you go into their bedroom and mess up their sheets (being careful not to look around too much lest you notice some "marital aids", since you're not that kind of guy), so they can see that someone's really coming into their house.

It's pretty clear that you've violated any number of laws, morals, and societal values in the physical world. Why, in the virtual world, do you think that in doing so you're a white knight?


Well, I never called myself a white knight, but that's beside the point.

If someone breaks into your Facebook account, bad things can happen, but none that (directly) involve physical harm. If someone enters your home, they could easily cause you physical harm (and in many jurisdictions you'd be well within your rights to shoot them).

Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.

It's like when people equated Amazon's revoking of 1984 to breaking into a customer's house and taking the book off the shelf. It's fearmongering, and isn't an accurate analogy.


> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.

Are you serious? If someone did that to me I would feel terribly violated! Even if I forgot / just thought I lived in a neighborhood with human decency, that is wrong on so many levels.

Trespassing by accessing someone else's property, home, car, or virtual, is wrong. Harm is harm, physical or not, and you can cause plenty of harm by accessing someone's facebook account, embarrassing them to friends or co-workers for starters.


> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be

These are your opinions, your values. You've got no business with (a) deciding the value of a person's virtual identity and data; nor (b) weighing that against your value for the education about greater security.

You might be right -- FOR YOUR PERSONAL VALUES. But it's simply none of your business how another person would judge this in the balance. Your beneficiaries/victims have every right to decide for themselves that the security afforded by the current systems are sufficient for the risks. And the fact that their decision makes it easier for you to teach them a lesson does not give you the right to do so.


ehh... I would strongly disagree. I think it would be a fairly universal opinion that having your Facebook account violated is favorable over having your home broken into, even if nothing is stolen or damaged.

I would agree that there are some ethical problems with his actions, but this is far from being ethically analogous to the whole break-in scenario.


Exactly. Just because there's a rock next to a window doesn't mean you should throw the rock through the window to prove a point that people shouldn't leave rocks near windows.


I don't get all of the animosity toward the OP. He has taken all the risk by documenting everything -- essentially saying "I'm doing what I believe is right, and you can prosecute me if you want." Making him "aware" of what he's done (and the possible consequences) seems redundant.

We can go back and forth on the white hat/black hat issues, but I think we need more people who are willing to raise awareness on this.

The animosity should be reserved for those who use Firesheep/Wireshark for completely malicious purposes.


Or, perhaps busybodies shouldn't think their personal values are more correct than the values of others.

As Henry David Thoreau said, If I knew for a certainty that a man was coming to my house with the conscious design of doing me good, I should run for my life.


Ah, but this presupposes knowledge of their values. One person's busybody is another's good samaritan.

You also seem to be describing the US Congress.


Absolutely. This may even be criminal, unfortunately.


Actually, whether or not I broke any laws (in the US) is not clear. I deliberately did not look at anything in their account while I was in it, so privacy was not actually compromised.

The folks I recognized on my way out were people with large profile pictures of their faces. In general, this wasn't the case. I'd have had to do a lot more rifling through accounts to be able to identify someone face-to-face, and would have risked someone having a bad reaction.

So, unlike all the people who have used Firesheep in public to look at peoples' accounts and then not told anyone about it, I notified the users and then told the public about what happened. You're saying that's bad?


"I deliberately did not look at anything in their account while I was in it, so privacy was not actually compromised."

From your blog: "I opened up his Amazon homepage, identified something he had recently looked at"


That was the single exception, and I agree that that was in a murky area.


Ah, wow. This could not be further from the truth. This wasn't a "murky area." It's a big fat red zone.

Let's look at the Florida statute:

815.06 - Offenses against computer users. -

(1)Whoever willfully, knowingly, and without authorization:

(a)Accesses or causes to be accessed any computer, computer system, or computer network;... commits an offense against computer users.

(2)(a)Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.

So you committed a felony punishable by up to five years in prison, informed the victims, and documented your crime in explicit detail on your blog. That's a tad more dangerous than using unsecured cookies.


Just because something is unethical, doesn't mean it is also illegal.

The reverse obviously is also true, and arguably applies in this situation. (I'm not arguing that it does, but the OP is).

Ethics are subject to opinion; one man's gray area is another man's A-OK, and another's "big fat red zone".


Clearly I meant that it was a murky area morally.

Also I don't live in Florida.

I also never said that I thought I was protected from prosecution, so I don't know why you're so eager to prove that I am.


You've probably admitted to and documented multiple counts of Computer Trespass, knowingly using a computer service without authorization and knowingly gaining access to computer material. It's a Class E felony.

156.10 Computer trespass.

A person is guilty of computer trespass when he knowingly uses or causes to be used a computer or computer service without authorization and:

1. he does so with an intent to commit or attempt to commit or further the commission of any felony; or

2. he thereby knowingly gains access to computer material.

Computer trespass is a class E felony.

http://ypdcrime.com/penal.law/article156.htm#156.10


You say "That was the single exception".

You also wrote '[I] then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices.'

Viewing a person's music choices and sending them a message about them is a total violation of privacy. Or do you just attribute that to being another exception?


I think he's saying that using Firesheep at all is bad.

Just because it's easy doesn't mean it's ethical.


I know about the vulnerability and I still log in to Facebook in public places. It's like the locks on our front doors... you don't break into everyone's house just to prove they aren't very good, do you? I know you could just smash my windows, but you don't, and I appreciate it. It's Facebook that needs to fix the bug, not me.

Maybe send the first message, but don't be obnoxious on purpose. I dunno.


If you walked by someone's house and their car was sitting in their driveway with all the doors wide open and a box of personal documents in the back seat, you'd probably knock on their door. If the car was still there after an hour, you'd probably knock again. I sent only two messages, and they were short and to the point.

(edit) What I mean here, is that to know that someone's door is unlocked, you have to check each house. To pick a lock, you need some rudimentary skill. Firesheep (and the underlying vulnerability) is wide open and requires 0 skill to operate.


It's one thing to politely knock on the door, it's another to keep banging on their kitchen window when they are obviously ignoring you. The users probably feel helpless and just want to be left alone.

For a non-tech person it's a pretty big jump from surfing Facebook at Starbucks to setting up a VPN.


The difference is, so far there are no robots that automatically break into your house. Since your info can be harvested automatically, not sticking out as a target does not help. It is nothing personal - a script will simply steal your info automatically.

Edit: waiting for the Starbug - small devices you stick to the bottom of a desk in Starbucks that stream user data to your hacker home.


Starbug! Suitably geeky.


I totally get where you are coming from with this. If I have a bag with me in a public space, or if I left my email open on my laptop and left the room, I would not expect anyone to help themselves to the content. It's a trust issue. I guess the difference here is that someone could go unnoticed in our midst.


Okay, let's connect some dots about you.

Your name is Gary LosHuertos

You look like this: http://yfrog.com/0irajuj

Gender: Male

Astrological Sign: Scorpio

Industry: Consulting

Occupation: Software Engineer

Location: New York : NY : United States

You have a blog hosted on BlogSpot from which this article came.

You send tweets from @gloshuertos where you promoted this story.

Your Twitter account lists a latitude/longitude address of 27.109827,-82.308136 which is in Venice, Florida. One of your oldest tweets mentions that you're on your way to Gainesville, Florida.

https://twitter.com/#!/gloshuertos/status/1267758656

Only one Gary LosHuertos comes up on LinkedIn, but this person used to work in Gainesville, Florida, so it's reasonable to assume this person may be you.

http://www.linkedin.com/pub/gary-loshuertos/11/68/aa0

The interesting thing about that LinkedIn profile is that it lists your current employer as Amazon.com. From your blog post, you mentioned the following:

"This was somewhat puzzling. Did they receive the first message? I logged into their accounts, and surely enough, they had. One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices."

So what you're telling us is that you used a user account of a customer of your current employer to log in as that person, spy on their purchases, then logged into their Facebook account and sent them messages about his customer information?

You're entering into a world of hurt if Amazon catches wind of this.


Wait a second.

You're saying I shouldn't bash my employer on a public blog and then submit it to another public website?

OMG

Really you didn't dig deep enough. Googling my name pulls up an email with my current employer in it. I don't work for Amazon anymore.


It's reassuring to know that you wait until you're employed by somebody else before violating your previous employer's privacy policies.


Amazon is violating its own privacy policy by allowing users to interact with its site insecurely.

Two wrongs do not make a right, but when you can implement a technical measure to protect your users from rogue ex-employees, you should do it. A legal contract does not prevent data loss, it merely allows you to punish the person who stole the data. SSL prevents the data loss in the first place.


What? Unless he is still bound by some Amazon NDA or something, what difference does it make if he violates the policies of someone he no longer works for?


I don't agree with killing the messenger here. His activity is in a decidedly gray area, but I think the results and discussion are valuable.


This is valuable discussion but not to the HN audience as we already get it. There are some tough laws that can be applied to his behavior. I don't know what the odds are of getting caught into a criminal prosecution, but you don't want to spend the next 10 years of your life dealing with the fallout of a blog post.


It is certainly interesting news to me that 5 out of 5 random users won't change their habits, even after someone provably breaks into their account and tells them how to avoid it in the future.


The article isn't clear, but it sounds like the author used firesheep the second time to see if the users changed their habits.

Most people already know that if someone gets a hold of their account, and they already have access to it, to change the password. For this particular situation, they don't know about the whole SSL thing. It took me nearly 20 minutes to explain what a session was to my very non-technical girlfriend 2 days ago. Most people are very unsure of following directions from an untrusted source on the internet, even if they are very trusting of strangers on the internet. Most users are aware of Phishing scams as a general strategy. There is a good possibility they changed their passwords, since that is what they already know, but that particular solution doesn't work all that well for this scenario.


I'd like to think that the point of your investigation isn't so much that Amazon will be pissed, but, "Look at how much we were able to find out about a random guy through just his username and blog post"

I think most users have already accepted that information previously considered private is now available to most of the world. The step from anonymity to the information posted above is a hell of a lot more scary than from the information posted above to someone knowing your current location.

I know that the point of the article was that the author was able to log into random users accounts, but the scary part was supposed to be that the author knew exactly who and where they are. But when they give away information like the above on a regular basis, I honestly think users could care less.


Hey...I'm in Venice! I run out in that area on trails in Myakka everyday. I certainly hope you don't assume all of us Venetians to be as abusive about privacy as Senor LosHuertos.


I imagine some people, having seen spyware popups one too many times, just thought they were infected again.

"You're in Toronto, your IP is 99.12.34.56, your ISP is Rogers, you're using Windows XP! Thieves can steal your info! Download our antivirus now!"


This is exactly what I thought when I saw the same people still online -- which brought about the second round of messages. I hoped my frankness and lack of any links would make the message seem more sincere, but perhaps at this I failed.


I think if I was unaware of the technology behind this then even if you had come up to me and patiently explained it I would probably not have changed my behaviour. Until it is explained in the mainstream press or until a wide scale "fuss" is made then I suspect most people would do the same. My guess would be that anyone who is told there is a problem and they can fix it by subscribing to a VPN service would assume they were being scammed.

I think your average internet user would feel this was primarily Facebook's (and other sites) problem to fix first. A distant second might be that there was a problem with their browser. It would barely register that they should change their behaviour or pay for a service they've not heard of before.


Maybe you could have told them what they were wearing and what they were drinking. Could have been a bit too much maybe.


I may have spent 2 hours in a Starbucks to do this, but I do actually have a life. Sometimes. So yeah, a bit much. Also: follow-you-home creepy instead of just creepy.


Either that or they are following the very sensible policy of never typing something into a social website which they wouldn't want to be public. (A policy I do violate myself from time to time.)


Would this work as a cheaper alternative to SSL for preventing session hijacking?

  1. During the HTTPS part of the communication,
     the server sends a long list of random strings.
  2. The client stores all these strings in localStorage.
  3. On every request, the client sends one of the strings
     from the list, the server validates that it is in fact
     a valid string for that session, and both remove that
     string from their lists.
  4. When the list runs out, you have to go back to SSL to
     exchange a new list of strings.
Is there a flaw I'm overlooking (beyond the reliance on localStorage) that keeps people from using this?

If not, is there a technical term for this technique so I can Google it?


Even better:

    1. During the HTTPS part of the communication, the server generates a single
       random key and sends it to the client.
    2. The client stores this string in local storage.
    3. For every request, the client generates an HMAC over the request parameters
       (including a monotonic sequence number) using the key.
Both of these schemes are still susceptible to a MITM, who can just insert a bit of javascript in any page received over HTTP, that reveals the temporary secret in local storage to anyone listening.
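A small in-memory model of the HMAC scheme just described (and, by extension, of the one-time-string list proposed a few comments up, since both are one-time request authenticators handed out during the HTTPS step). This is an added illustration, not code from the thread or from any real site: the `Client`/`Server` classes, the parameter names and the sample session are all constructed for this example. It shows what the scheme does buy (a sniffed request cannot be replayed or edited without the key) and what it does not (the request body is still plaintext, and anyone who learns the key, as the MITM-injected JavaScript in the comment above would, can sign at will).

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def canonical(params: dict) -> bytes:
    """Serialise parameters in a fixed order so client and server MAC the same bytes."""
    return urlencode(sorted(params.items())).encode()


class Client:
    """Holds the per-session key (localStorage in the posted scheme) and a counter."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seq = 0

    def sign(self, params: dict) -> dict:
        self.seq += 1                      # monotonic sequence number defeats replay
        signed = dict(params, seq=self.seq)
        mac = hmac.new(self.key, canonical(signed), hashlib.sha256).hexdigest()
        return dict(signed, mac=mac)       # sent over plain HTTP; key never leaves the client


class Server:
    """Tracks the key and the highest sequence number seen for each session."""

    def __init__(self):
        self.sessions = {}                 # session_id -> [key, last_seq]

    def start_session(self) -> tuple:
        """The HTTPS step: mint a random session key and hand it to the client."""
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.sessions[sid] = [key, 0]
        return sid, key

    def verify(self, sid: str, request: dict) -> bool:
        state = self.sessions.get(sid)
        if state is None:
            return False
        key, last_seq = state
        req = dict(request)
        mac = req.pop("mac", None)
        seq = req.get("seq")
        if mac is None or not isinstance(seq, int):
            return False
        expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False                   # parameters edited, or signed with the wrong key
        if seq <= last_seq:
            return False                   # a captured request being replayed
        state[1] = seq                     # only now advance the window
        return True


def demo() -> dict:
    """Run the constructed scenario: one genuine post, then what an eavesdropper can do."""
    server = Server()
    sid, key = server.start_session()
    client = Client(key)
    post = client.sign({"action": "post", "body": "hello from Starbucks"})
    results = {"genuine": server.verify(sid, post)}
    results["replay"] = server.verify(sid, post)                   # same bytes resent
    results["tampered"] = server.verify(sid, dict(post, body="edited in transit"))
    results["next_genuine"] = server.verify(sid, client.sign({"action": "post", "body": "again"}))
    # What the scheme does NOT provide: confidentiality of the body on the wire...
    results["body_in_clear"] = post["body"] == "hello from Starbucks"
    # ...or protection once the key itself has leaked (the MITM/JavaScript caveat above).
    leaked = Client(key)
    leaked.seq = client.seq
    results["after_key_leak"] = server.verify(sid, leaked.sign({"action": "post", "body": "x"}))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}" if name.startswith(("genuine", "replay", "tampered", "next", "after")) else f"{name}: {ok}")
```

The sequence number is what turns a signature into a one-time authenticator: without it the server would happily accept the identical MAC a second time. Note that `verify` advances the window only after the MAC check passes, so an attacker cannot burn sequence numbers with garbage requests.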


If you were to generate the HMAC over the entire request, would that help with ensuring authenticity?


It wouldn't be vulnerable to JavaScript if it was built into the browser -- like HttpOnly cookies.


That's essentially a one time pad where you are using SSL for pad distribution.


It's not a one-time-pad, it's a one-time-password system.

(Just like the SAS codes that are used by STRATCOM to authenticate nuclear launches! ;)


How does this prevent a MITM attack?


It doesn't. Is it possible to do a MITM attack on the person at the neighboring coffee-shop table?

The only way I can think of involves being really clever about timing and being physically between the other wireless client and the AP: create enough interference to prevent their transmission from getting through to the AP right after you read the transmission, then quickly forge a request using the same one-time key.

Of course, if someone has access to the packets upstream from the AP, you're always hosed if you're not using encryption. This certainly isn't meant as a replacement for AES. :)


> Is it possible to do a MITM attack on the person at the neighboring coffee-shop table?

Yes. You can attack ARP or DNS to take control of their connections.


DNS (the UDP responses are easy to forge) is a great way to do it. You just have to be faster than the real DNS server, which might be tricky if it's local and caching.

For ARP-based attacks you'd presumably announce yourself as the owner of the default gateway's IP address, routing all data through your system.

Hijacking DHCP springs to mind; respond with an address on a completely different subnet, and your system as default gateway. Again, jackpot.

You could also install a rogue wireless access point with the same SSID, which would let you route all traffic through your system. You just need people's devices to pick yours over the real one, which would presumably require yours to have a stronger signal.

All of the above let you install a transparent proxy which gives you complete control over the target's browser's security context.

Interestingly, the rogue access point would even work with WPA(2)-PSK encrypted wifi, if you knew the key.


Great points. It's impressive how elegantly SSL with a CA solves all these problems. :)


So what was your suggestion was for then? I think I'm missing the use case.


Taking write access to my Facebook account away from anyone who captures my wireless packets on their way to the AP.


But that's the part of the connection we are worried about. End to end encryption from the client to the website is needed. I still don't see where your idea comes in. Clearly I'm not understanding something.


Yeah you would need to hash the contents of the request against the one-time string and then send the hash but not the string.


That's kind of like refreshing the session key on every page request except you send over a list of session keys that will be used on subsequent requests. Probably not done since it's usually a hit to the session storage on every page request. Still doesn't encrypt the actual content though, and since SSL would encrypt it and make this unnecessary that's probably why it's not done.


it's funny how everyone says "just use SSL - that'll fix it", soon followed by "the SSL computation overhead isn't significant any more" which is totally true, but probably not the reason why SSL isn't more widely used.

Smaller sites will suffer from the fact that SSL requires an IP address per server. Name based virtual hosting is out of the question (at least as long as Windows XP is still around). Combine this with the IP address pool quickly getting smaller and smaller and you'll see that for smaller sites, it might be impossible to get the needed amount of addresses for a reasonable price.

For large sites, there's the problem of the various CDNs which are not always under the control of the site and might not be prepared for SSL.

Remember: all assets of an encrypted page must also be encrypted, otherwise the browsers display a nasty warning (even though unencrypted assets, when served from a different domain, would not be a problem as far as session hijacking is concerned).

"just use SSL" might just not be possible in some cases.


The GitHub solution seems reasonable: Use HTTPS for writes and truly sensitive stuff, and unencrypted for the rest. CDNs aren't a problem since your write-requests won't have any external resources on them (they'll just redirect back to HTTP). Then the HTTPS could even be handled on a third-party gateway provider (yes, then there's a weak spot between your servers and the third party, but that's much harder to penetrate than the wifi at Starbucks.).

Your read-only session might still be hijacked, but that's relatively low impact (since someone could simply sniff what you're reading anyway).


SSL does not necessarily need one IP per server.

https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_I...

Unfortunately, support is not sufficiently widespread at this time.


As I said: "at least as long as Windows XP is still around". Internet Explorer under XP doesn't support the extension.


In addition to the IP address per server problem and coordinating with CDNs, the CDNs often charge quite a bit more money for secure content.


Are you the pilif of the pilif inter-base railway?


Yes :-)

I love trains, coe's quest and minecraft. Looks like a perfect fit


It's always fun when the internet feels like a small place for a minute. :)


Honestly? The word "douche" springs to mind. Regardless of the legality of it and how grey it may or may not be.

I'm sure you thought you were doing something good. But, short of not using Facebook in a coffee shop, what do you expect people to do? Set up their own VPN? I bet that of the people you scared off, they'll all be back on in another day or two. Maybe at the same coffee shop.

This is a problem that needs to be solved on the website's end, not the user's end.


Yeah, it does need to be solved by the website. That doesn't change that users are vulnerable and don't know about it.


Again: What do you expect people to do about this? Stop using Facebook while sipping on a latte?


Yes.


Isn't it ironic that we're discussing it on a website that doesn't have https at all, not even on the login page?


What are you going to do, having someone's account, though? Possibly, if they are well known, attempt to change people's perceptions of them / get people to believe something? You can't delete comments older than like a day, so trashing the account is mostly out. Once they noticed they could invalidate that session, mention it wasn't them, and it would be the end of it.

I feel mostly the same way about Facebook; those so inclined could do more damage un-friending everyone, at which point I could thank them for cleaning out old contacts and organically re-add those who I still speak to.


This really needs to be on CNN and such for people to actually think about it. And realistically it looks like we all need to start using SSL - people aren't going to change their browsing habits.


Unfortunately the few non-tech news sites that I've read have covered it with blatant disregard for the underlying cause. It's been Firesheep that's pointed at as the issue, not Facebook and Twitter and Amazon ad infinitum.


At least here, in Sweden, it was covered by "mainstream media", but now it's yesterday's news, which means that any point that was actually conveyed about the risks to personal security is now long forgotten.


> This really needs to be on CNN and such for people to actually think about it.

People see starving children on CNN and they think "Oh, how awful!" Then they turn off the TV, eat dinner, and go on with their lives.

Further, the media as a whole runs so many scare articles to increase views, I think the public is jaded. How is the common man supposed to tell the difference between articles about the threat of bedbugs and the very real threat of this sort of identity theft?


> What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.

That's not incomprehensible. They have trust. And they don't consider what they're doing particularly private.


What I find surprising is that insecure email and wireless had existed for quite some time before this. Almost all IMAP/POP/Gmail used to flow over regular HTTP. It is only recently (read, last year) that a lot of major email traffic has been https-ified.

Why suddenly jump on FB, Twitter etc with self-righteous anger when many of these same geeks were using insecure email until less than a year ago?


Out of interest has there been any response from Facebook, Twitter, Amazon and so on?

I've had a quick look and not seen anything but it's entirely possible I've missed something.


I understand that getting your Amazon account hacked can lead to some head-scratching situations and Amazon should really implement full SSL encryption. Having said that, what are the implications of getting your FB or Twitter or Flickr account hacked? Personally, even if annoying, I wouldn't consider it a major issue in my digital life. I try not to mix business and private life (for instance, my FB friends are only friends, not colleagues. Same goes for Twitter), so do you see any other issue, apart from the "annoying" factor?


There have been some interesting cases where fraudsters have hijacked facebook accounts and then used them for targeted phishing attacks.

One example of the attack http://techcrunch.com/2009/01/20/latest-facebook-scam-phishe...

In those cases the fraudsters have stolen the account completely and locked the original user out, but I guess it's that kind of attack + the information leakage aspect that could be a concern..


Yes, true. Something similar happened to me when I received an email (Gmail) from a friend asking for money because she was stuck somewhere. Similar pattern. It's interesting to notice that these social engineering attacks are easy to carry out in a place like the US, where there is one common language. I immediately detected that the mail was a fraud, because this person would never have written to me in English.


The users are not at fault here. Even an SSH or VPN will leave them vulnerable to attacks. Companies (Facebook, Twitter, etc.) have to increase their own security, because they are the only ones that can fix this problem.


Sending your HTTP through an SSH tunnel or a VPN will protect against the stranger-at-Starbucks attack.


But not against the stalker-techie-at-your-ISP attack.


Sure, but there are about a million times as many people able and motivated to do the wifi-neighbor attack than the stalker-ISP-gnome attack. And as people with true identities in a stable position of authority at a service provider, the gnomes are easier to find and hold accountable.

This difference -- from random anonymous stranger who's only invested in software, to physical infrastructure with paid staff -- is also one reason bank phishing attacks happen via websites and not actual storefronts made to look like real banks.

If the only threat to Twitter and Facebook users was ISP-gnomes, the websites could put off fixing the issue for another decade.


I absolutely agree on fault. My initial recommendation was for them to refrain from using Facebook at Starbucks until that happens -- regardless of fault, users are the ones that are vulnerable.


A few days into it and I've decided Eric Butler made a mistake in releasing Firesheep.

Security is about battling a combination of Time + Talents/Tools + Determination + Opportunity.

Firesheep greatly increases the Tools someone has to hack an account. Eric has made browsing much less secure.

The intended result is to bring the security issue to people's awareness, which he has done. But the result should have been to increase security. That will only happen if the change in required Tools is balanced by a decrease in Opportunity (free wifi becoming simple password wifi at a minimum).

I doubt that will happen. Releasing Firesheep was a mistake.


> I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity.

Disgusting. Sowing fear is not education.


Making people aware of what they fear (and what they should fear) is exactly something that education does. People aren't wearing seatbelts, because they aren't afraid enough of what may happen in case of an accident. Proper education on the consequences would instill fear. People only take precautions to prevent against harm based on their fear of being harmed. There is no other motivator for such behavior.


Really? Users shouldn't be afraid of the consequences of something they believe to be benign? I didn't send Starbucks patrons home weeping to cry themselves to sleep. I fully concealed my identity in the same way an actual attacker would.


There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have but you are not in any way more entitled to violate a person's expectation of privacy.

You are not a hero. You have not done anybody a favor. You did this for the same perennial excuse of "spreading awareness" trotted out by any number of noxious social irritants and did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.

You may actually care about the problem and take it seriously in other circumstances, but that is not reflected here. There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.


> There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have...

That sounds exactly like a distinction to me. A fireman would break into a house to save a child. A burglar would break into a house to steal valuables. One intends harm, the other doesn't.

> did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.

There's no such thing as true altruism. Why he did it isn't relevant. People feel good about doing good deeds. Sure, they say "I want to help people," but they really mean something more along the lines of "I want to feel good about myself."

Further, why would it be necessary for him to choose the most effective or efficient means? He owes these people nothing.

> There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.

Maybe not the best or even a good solution, but it's certainly still one. ;)


One intends harm, the other doesn't.

...but then...

Why he did it isn't relevant.

I am at least as uncertain as to what your position is as you are. Also...

He owes these people nothing.

Nothing, of course, except the common courtesy of not violating their privacy. Yes, even in New York.


Is there also no difference between somebody entering your house without your permission to warn you about something, because they fear for your safety, and somebody entering your house to burgle it?

You should probably replace "harass" with "inform" in your comment. It would be more accurate, and less emotive.


Suppose you wake up tomorrow and discover that someone has left a note in an unfamiliar hand on the bed beside you. The note reads "You should put bars on the windows. Something bad might happen." It is not signed. Your cursory search of your home reveals nothing obviously amiss. All the windows are shut and locked. You have no idea how someone could have gotten in.

Suppose you leave it be for the day. You've got more important things to do than blindly react to mysterious messages, haven't you? So day slips into night and before long it's morning again. You find another note: "Really wasn't kidding about the bars thing. I won't send another message after this -- it's up to you to take your security seriously." Same as before, nothing obviously missing, all windows and doors closed and locked. You have no idea who this is or why they are doing this. You have no idea if you can trust them.

How do you react?


Differently to how I would react if I was burgled.


Why is this so surprising? Most people I know don't really care about internet privacy. Most people I know don't post anything sensitive to their facebook pages. I don't use facebook and when I mention that I think it's weird to put personal stuff on the internet (which always has the potential to be public) they think I'm a paranoid nut. Let's admit that it's not really an unreasonable position, provided you don't work at the NSA.


1) Install WinSSHD on your home computer/server. Open port 22 in your home firewall/router.

2) Install Tunnelier on your laptop, flip to the Services tab and enable SOCKS at 127.0.0.1 and port 1337. Log in to your home computer.

3) Change Chrome target to chrome.exe --proxy-server=socks5://127.0.0.1:1337

Mostly used for obtrusive proxies, though it will make you as secure as you are on your home network.
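The three steps above amount to a SOCKS5 proxy over SSH; with OpenSSH the equivalent of steps 1 and 2 is `ssh -N -D 127.0.0.1:1337 user@home.example` (hostname assumed). What follows is an added example, not code from the commenter, from Tunnelier or from OpenSSH: it speaks SOCKS5 (RFC 1928) to the local port to confirm the tunnel is actually up before a browser is pointed at it, and it sends the destination as a domain name (address type 3) so that name resolution happens at the home end rather than on the coffee-shop network. The fake proxy and the target hostname are constructed so the script runs offline.

```python
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00          # the only method an ssh -D listener offers
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def socks5_greeting():
    # VER, NMETHODS, METHODS[]
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def socks5_connect_request(host, port):
    """CONNECT with the destination given as a domain name (ATYP 3): the proxy
    end, i.e. the home machine, resolves it, so no DNS query leaves the laptop."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def _read_bound_address(sock, atyp):
    # Drain BND.ADDR and BND.PORT so the stream is positioned after the reply.
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise ValueError("unknown address type %#x in reply" % atyp)
    _recv_exact(sock, 2)


def check_socks_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=3.0):
    """True if the proxy accepts an unauthenticated CONNECT to target_host:target_port."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            return False            # 0xFF here means "no acceptable methods"
        s.sendall(socks5_connect_request(target_host, target_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        _read_bound_address(s, atyp)
        return ver == SOCKS_VERSION and rep == REP_SUCCEEDED


def start_fake_socks5_server():
    """Constructed stand-in for the ssh -D listener so the check runs offline.
    Serves one connection on a random loopback port and records what the
    client asked it to connect to. Returns (port, seen)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = []

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            offered = _recv_exact(conn, nmethods)
            if NO_AUTH not in offered:
                conn.sendall(bytes([SOCKS_VERSION, 0xFF]))
                return
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            if atyp == ATYP_DOMAIN:
                name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
                port = struct.unpack("!H", _recv_exact(conn, 2))[0]
                seen.append((name, port))
                rep = REP_SUCCEEDED
            else:
                rep = 0x08          # address type not supported
            conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


if __name__ == "__main__":
    port, seen = start_fake_socks5_server()
    print("tunnel usable:", check_socks_tunnel("127.0.0.1", port, "www.facebook.com", 443))
    print("resolved at the proxy end:", seen)
```

Chrome's `--proxy-server=socks5://127.0.0.1:1337` already hands hostnames to the proxy, but the usual pairing is `--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE 127.0.0.1"` so that nothing falls back to the local resolver: any name the browser resolves itself is a DNS query visible to whoever runs the hotspot, tunnel or no tunnel.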


If you have an Alchemy-based firmware running on your home router, you can enable sshd so you can have an always-on ssh tunnel wherever you go.

I did this to my home router and had it all working in about 30 minutes. Most of that time was trying to figure out how to get putty to open a tunnel (and registering/configuring a No-IP dynamic dns account).


An alternative to the chrome command line option is the Proxy Switchy extension: https://chrome.google.com/extensions/detail/caehdcpeofiiigpd...


This is exactly what I do (but with OpenSSH); it's even the same port :P


Not a very 'green' solution!


My point was that having a computer running 24/7 at home to use as a secure proxy when you are out in the field is a bit wasteful. The technical solution was fine - though I can't see many non-techies getting their heads around this. Why the down vote - pffffh.


Do users care? Quite a thought, and it actually scared me a bit, because only if these users actually care will there be protocols that prevent this from happening. And when would users care? When their personal identities have been stolen, and private information (credit cards, social insurance numbers, personal messages) has been compromised. Do we really have to go to that point, where the risk is imminent, before taking action?

Having identified the vulnerabilities of WEP encryption on wireless networks, shouldn't it be that device manufacturers of wireless routers take away WEP encryption as an option but instead focus on a more secure method of connection? Of course this may have some downside to it, but unless your ordinary Joe and Jane realize the upsides of having secure connection to the web, they may see this as a discomfort.


While it's nice that this gets some attention, and not very nice of Facebook to automatically revert you to an unencrypted connection, this is not a Facebook-specific problem. Any time you use a wireless network where you don't have control over the access point, you need to secure everything you want to keep private. This goes for everything from Google searches and file transfers to instant messaging and e-mail. The proven solution is to use a VPN tunnel, which even many home routers support nowadays.

Of course there's still a bigger problem with arp spoofing and other attacks, which in the long term will need to be solved. Maybe with something like DNSSEC DKI.


What are the legal ramifications of running firesheep on a public network?


"Google, in response to government inquiries and lawsuits, claims it is lawful to use packet-sniffing tools readily available on the internet to spy on and download payload data from others using the same open Wi-Fi access point."

We'll see who wins in court: http://www.wired.com/threatlevel/2010/06/packet-sniffing-law...

See also: http://blogs.forbes.com/kashmirhill/2010/10/28/firesheep-use...


Passive sniffing is one thing. Active unauthorised access to a computer using FireSheep is definitely illegal in the UK according to the Computer Misuse Act:

  (1) A person is guilty of an offence if—
   (a) he causes a computer to perform any function with intent to secure access to
       any program or data held in any computer, or to enable any such access to be
       secured;
   (b) the access he intends to secure, or to enable to be secured, is unauthorised;
       and
   (c) he knows at the time when he causes the computer to perform the function that
       that is the case.
  (2) The intent a person has to have to commit an offence under this section need
      not be directed at—
   (a) any particular program or data;
   (b) a program or data of any particular kind; or
   (c) a program or data held in any particular computer.
I think passive sniffing may also be illegal in the UK according to RIPA [1] as it is unauthorised interception of public telecommunications.

[1]: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I...


Yeah, definitely illegal in the UK. I'd be surprised if it wasn't illegal in the US too.

So he's basically just blogged about committing a crime. I wonder what would happen if one of his "victims" read this and then contacted the police. I bet Facebook has enough information logged about which accounts were accessing Facebook from that IP at the time, and which of them received his messages.


You should note that Firesheep, besides sniffing packets, also lets you use other people's sessions. Which probably has other legal implications.


I was wondering the same thing. Posting this to his public blog is an admission of guilt.


Clearly, and I am at the mercy of the American justice system.


if it were somehow deemed illegal, i'm sure github would get a subpoena requesting a list of everyone who downloaded firesheep... and then everyone on HN would be looking for a lawyer.


Github has logs of who downloaded Firesheep.

Github doesn't have logs of who downloaded Firesheep and used it to sniff somebody's traffic without their permission.


I would imagine they would need to actually prove you hijacked someone's cookie? You could always claim you downloaded it to view the source or to check if your security implementation was broken by it.


What does he expect the users to do? Not use Facebook? Right...


That's the point. It's empirical (albeit, not scientific) evidence that even when presented with the risks, users will still choose to do things that are dangerous.


  dan·ger·ous   
  [deyn-jer-uhs, deynj-ruhs]
  –adjective
  1. full of danger or risk; causing danger; perilous; risky; hazardous; unsafe.
  2. able or likely to cause physical injury
Who's out of touch here? We're all making such a huge deal about this with very little reason. The websites that truly need SSL (banking, purchasing, etc.) use it. People have real dangers to worry about; why should they care if someone can pretend to be them on a couple social websites that they just joined in the last year or two?


Why would you expect most people to do otherwise? I fully know the risks of using open hotspots on many websites and I do it anyway because the convenience outweighs the risks for me. Obviously I'd think twice about logging into my bank over a non-secure connection (though I'd be mad to bank with a company that doesn't secure all connections by default, of course), but open-wifi Facebook? Sure, why not?

This behavior extends beyond Internet usage. I (and probably most of you reading this) hand my credit/debit cards over to waiters several times per month knowing full well they could jot down enough information while out of my sight to make illegal charges on that card (if not do far worse via more elaborate identity theft schemes). Risky? Yes, but the extreme convenience outweighs the potential pain due to the low chance of actually being one of the people that gets exploited in this way, and thus it is with open hotspots and most Internet sites.


My credit card has legally built-in insurance against fraudulent use - I'm not liable for a penny of that use if it was used illegally - unless the card itself was stolen and I failed to report it - in which case I'm liable for up to $50. (As soon as I report it stolen, I'm not liable for anything.)

I use a credit card because it's safer and offers me options - someone snarfing the number would be a nuisance, because I'd need a new card, but that's it.

Let's please not forget (sigh... I know - everyone already has) that charge cards were pushed onto the market as a safe, convenient alternative to using cash - not a walking liability - don't let the issuers turn them into one on us.

As to the analogy - it's quite different. I'm very security conscious, and I generally don't do certain types of activity on uncontrolled or unknown networks (banking - home or somewhere else safe - but facebook at starbucks, okay)

It's not just a problem with open hotspots, it's with any network you are on, anywhere - an open hotspot is just the easiest place for someone to try this on. An employee at an ISP could snarf data from millions of users easily...


In the UK, waiters bring over a portable card reader to your table, you stick your card in and enter your pin. No need to physically hand over your card to them.


It certainly doesn't help that there is no solution to the problem of viewing Facebook on a public wifi. If there is no SSL solution, what solution can these users take?

Seems like the ones who read the message must have made a quick cost-benefit analysis in their head of viewing facebook insecurely right now versus not accessing facebook at all - and viewing it right this minute no matter how insecure still won!


I suppose the saving grace is that it would be pretty difficult--not impossible, but pretty difficult--to truly get away with this without detection. With all the logging that goes on, chances are that you could be identified by a MAC address, a web login of your own, a credit card swipe nearby, a surveillance camera, a cell phone in your pocket, or who knows what. There is a lot of information to be gotten with the right subpoenas.


On many machines, MAC addresses can be changed. I obviously wasn't attempting to avoid detection since I posted about it under my real name, but anyone could pick up a $200 netbook, pay cash, walk into a Starbucks with sunglasses on, do their business and leave undetected. MAC addresses are useless if they don't tie to anything else and aren't fixed.


Not just on many machines. You can change your MAC address on any machine using GNU macchanger http://www.alobbs.com/macchanger/


It's not the lone Starbucks hacker with a laptop you need to be worried about. It's the wardrivers & honeypotters & people sophisticated enough to do a coordinated automatic harvesting effort.


Doesn't surprise me all that much since most 'normal' people absolutely don't care about security. Passwords are meant to be written on sticky notes. Identity theft is too complicated for them to care about. And credit card fraud is easily solved by reversing the charges. It takes a massive, automated exploit & MSM coverage before they'll start caring.


It is weird it hasn't been covered more, usually here in Australia the media run scare stories on the most insignificant of Facebook flaws. I wouldn't be in a hurry to point it out to them this new one either, it would be sensationalized into some kind of no cafe is safe without any technical details.


The problem being that no cafe IS safe - what people have posted on their Facebook is important, and some of the websites Firesheep attacks can be even more damaging for the user - until everyone runs VPNs or websites get their act together.


Someone should write a blog post about dsniff and how to get dozens of logins/passwords for not only pop3 and imap but also messenger logins at starbucks/airport wifi.

We all know that 90% of users tend to have one password for everything. That password usually works for any SSL secured service, too ;-)


Could it be that the persons thought it was some kind of automatically-generated message? Maybe a "you're wearing a red shirt that says ..." would get the point across?


Is a machine breaking into your account any less scary than a person doing it?


The solution you link to in your post involves using a not-free VPN service. Is there a guide somewhere to setting up a free solution to this problem?


Off-topic: I submitted a Tell HN post inspired by this submission: http://news.ycombinator.com/item?id=1848420


If that public wifi is secured with a password -- albeit a public password -- does that protect individual sessions?

Meaning you go to a cafe and the blackboard tells you that today's WPA2 password is "greenbeans". Knowing this does it provide the ability to sniff or abuse other users sessions on this WAP?

Honestly don't know this and can't find a clear answer about it.


afaik (and from my own experience) that won't work.

  "As long as the universally supported WPA encryption protocol is used,
  each individual user receives their own private “session key” that absolutely 
  prevents eavesdropping between users, even though they are all using the
  same WiFi password."
from: http://steve.grc.com/2010/10/28/instant-hotspot-protection-f...


Yeah, we tested it on our WPA encrypted wireless and didn't get anything. It was seen when I logged into facebook but my coworker wasn't able to login as me. At least not with Firesheep.


Securing the connection layer doesn't matter. With a $10 Wifi card I can create an infrastructure access point called "Starbucks Wifi" or whatever I want that's encrypted with anything (WPA2, WEP, open... doesn't matter). Then when you connect to that, I get all your packets and can steal your session.

Now, sure, this attack costs me $10 for the wifi card and it's not as fast as connecting to Starbucks' wifi and opening a Firefox tab... but you will still get a lot of data.

Link-level encryption is not the same as session encryption. For your link to be secure, you need link-level encryption. For your session to be secure, you need session-level encryption. It's that simple. Facebook is a session, not a link, so Facebook needs SSL.

There is simply no other workaround.

(And oh yeah, you need to authenticate who you are talking to. The access point asks you for a password to prove that you are allowed to talk to it. But you don't ask it for a password to prove that it is allowed to talk to you. Connecting to an access point is like giving your credit card information to the call that starts like, "Is this jrockway? There's a problem with your credit card...". They know who you are, but you have no idea whether they are actually your bank.)
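The point just made, that link-level encryption is no substitute for session encryption, and the earlier complaint that Facebook drops you back to an unencrypted connection after login, come down to one thing: the session cookie travels in cleartext, so anyone on the same network can reuse it. The following is an added example, not code from Firesheep, from any commenter here, or from Facebook; the hostname, cookie names and captured request/response are all constructed. It does what a Firesheep handler does (picks the cookies that identify a session out of a captured request and rebuilds a request that reuses them) and then runs the server-side check that closes the hole: session cookies must carry the Secure attribute, or the browser will send them to any http page on the site, and therefore to whoever is on the hotspot.

```python
from http import cookies

# Constructed capture: what an open access point shows anyone listening when a
# logged-in browser fetches a page over plain http. Hostname and cookie names
# are made up; they stand in for whatever a handler looks for at a real site.
CAPTURED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: datr=abc123; c_user=100001234; xs=9f8e7d6c5b4a; locale=en_US\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Constructed login response from the same site: one session cookie is marked
# Secure, the other is not, so the browser will keep sending c_user over http.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /home.php\r\n"
    b"Set-Cookie: c_user=100001234; Path=/; Domain=.example-social.com\r\n"
    b"Set-Cookie: xs=9f8e7d6c5b4a; Path=/; Domain=.example-social.com; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Firesheep-style handler table: per host, the cookies that together identify
# a session. Hypothetical names; Firesheep ships its own per-site handlers.
SESSION_COOKIES = {"www.example-social.com": ("c_user", "xs")}


def parse_headers(raw):
    """Split an HTTP message head into (start line, [(lower-case name, value)]).
    A list, not a dict, because Set-Cookie legitimately repeats."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def harvest_session(raw):
    """Return (host, {name: value}) when the request carries every cookie the
    handler needs to impersonate the user; None when there is nothing usable."""
    _, headers = parse_headers(raw)
    hdr = dict(headers)
    host = hdr.get("host", "")
    needed = SESSION_COOKIES.get(host)
    if not needed or "cookie" not in hdr:
        return None
    jar = cookies.SimpleCookie()
    jar.load(hdr["cookie"])
    if not all(name in jar for name in needed):
        return None
    return host, {name: jar[name].value for name in needed}


def replay_request(host, session, path="/"):
    """What hijacking amounts to: the same Cookie header on a fresh connection.
    No password is involved, so changing it does not end the stolen session."""
    cookie_header = "; ".join("%s=%s" % kv for kv in session.items())
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\n\r\n"
            % (path, host, cookie_header)).encode()


def insecure_session_cookies(raw_response, needed):
    """Server-side check: session cookies set without the Secure attribute.
    A browser sends those over plain http as well, so a single http page on
    the site hands them to the network even if login itself used https."""
    _, headers = parse_headers(raw_response)
    exposed = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = cookies.SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if cookie_name in needed and not morsel["secure"]:
                exposed.append(cookie_name)
    return exposed


if __name__ == "__main__":
    stolen = harvest_session(CAPTURED_REQUEST)
    print("harvested:", stolen)
    print(replay_request(*stolen, path="/home.php").decode())
    print("set without Secure:",
          insecure_session_cookies(CAPTURED_RESPONSE, SESSION_COOKIES["www.example-social.com"]))
```

Adding Secure to the c_user line in the constructed response makes insecure_session_cookies() return an empty list, but the attribute only helps if the pages that matter are also served over https; otherwise the browser simply never sends the cookie and the user looks logged out on http pages, which is why the real fix is the site moving entirely to https rather than a VPN on every laptop.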


I have wondered about the same question. Strange, I upvoted your question but it still only has one point.


Just don't do 'login' type work at public wifi :/ is that so hard? Do people not know this already? Did some people ever think it was safe to use public wifi for anything other than general browsing?

Please HN: Stop getting outraged by stuff that doesn't really matter. You're turning into Reddit, and just like them, you will have forgotten all about this by next week, and be on to the next topic you need to be outraged about. It's depressing. Angelgate? No one cares any more. No one should have cared in the first place.


I don't know where you see 'outrage'. I only see someone investigating the security concerns of users of a Starbucks' wifi and being worried that they don't care about their privacy.


http://ycombinator.com/newsguidelines.html : "If your account is less than a year old, please don't submit comments saying that HN is turning into Reddit. (It's a common semi-noob illusion.)"


I created this account after a couple of years. My main account is 1000+ days old.

Seriously. This summer has been depressing to watch HN go down the pan.

