Well, I never called myself a white knight, but that's beside the point.
If someone breaks into your Facebook account, bad things can happen, but none that (directly) involve physical harm. If someone enters your home, they could easily cause you physical harm (and in many jurisdictions you'd be well within your rights to shoot them).
Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.
It's like when people equated Amazon's revoking of 1984 to breaking into a customer's house and taking the book off the shelf. It's fearmongering, and isn't an accurate analogy.
> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be -- and I don't think opening an unlocked car door and leaving a note on the dash is wrong.
Are you serious? If someone did that to me I would feel terribly violated! Even if I forgot / just thought I lived in a neighborhood with human decency, that is wrong on so many levels.
Trespassing by accessing someone else's property, home, car, or virtual, is wrong. Harm is harm, physical or not, and you can cause plenty of harm by accessing someone's Facebook account, embarrassing them to friends or co-workers for starters.
> Your analogy is flawed because a person's home is not analogous to their Facebook account. Their car might be
These are your opinions, your values. You've got no business with (a) deciding the value of a person's virtual identity and data; nor (b) weighing that against your value for the education about greater security.
You might be right -- FOR YOUR PERSONAL VALUES. But it's simply none of your business how another person would judge this in the balance. Your beneficiaries/victims have every right to decide for themselves that the security afforded by the current systems is sufficient for the risks. And the fact that their decision makes it easier for you to teach them a lesson does not give you the right to do so.
ehh... I would strongly disagree. I think it would be a fairly universal opinion that having your Facebook account violated is favorable over having your home broken into, even if nothing is stolen or damaged.
I would agree that there are some ethical problems with his actions, but this is far from being ethically analogous to the whole break-in scenario.
Actually, whether or not I broke any laws (in the US) is not clear. I deliberately did not look at anything in their account while I was in it, so privacy was not actually compromised.
The folks I recognized on my way out were people with large profile pictures of their faces. In general, this wasn't the case. I'd have had to do a lot more rifling through accounts to be able to identify someone face-to-face, and would have risked someone having a bad reaction.
So, unlike all the people who have used Firesheep in public to look at people's accounts and then not told anyone about it, I notified the users and then told the public about what happened. You're saying that's bad?
Ah, wow. This could not be further from the truth. This wasn't a "murky area." It's a big fat red zone.
Let's look at the Florida statute:
815.06 - Offenses against computer users. -
(1) Whoever willfully, knowingly, and without authorization:
(a) Accesses or causes to be accessed any computer, computer system, or computer network;... commits an offense against computer users.
(2)(a) Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
So you committed a felony punishable by up to five years in prison, informed the victims, and documented your crime in explicit detail on your blog. That's a tad more dangerous than using unsecured cookies.
You've probably admitted to and documented multiple counts of Computer Trespass, knowingly using a computer service without authorization and knowingly gaining access to computer material. It's a Class E felony.
156.10 Computer trespass.
A person is guilty of computer trespass when he knowingly uses or causes to be used a computer or computer service without authorization and:
1. he does so with an intent to commit or attempt to commit or further the commission of any felony; or
2. he thereby knowingly gains access to computer material.
You also wrote '[I] then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices.'
Viewing a person's music choices and sending them a message about them is a total violation of privacy. Or do you just attribute that to being another exception?
Amazon is violating its own privacy policy by allowing users to interact with its site insecurely.
Two wrongs do not make a right, but when you can implement a technical measure to protect your users from rogue ex-employees, you should do it. A legal contract does not prevent data loss, it merely allows you to punish the person who stole the data. SSL prevents the data loss in the first place.
What? Unless he is still bound by some Amazon NDA or something, what difference does it make if he violates the policies of someone he no longer works for?
That's the point. It's empirical (albeit, not scientific) evidence that even when presented with the risks, users will still choose to do things that are dangerous.
dan·ger·ous
[deyn-jer-uhs, deynj-ruhs]
–adjective
1. full of danger or risk; causing danger; perilous; risky; hazardous; unsafe.
2. able or likely to cause physical injury
Who's out of touch here? We're all making such a huge deal about this with very little reason. The websites that truly need SSL (banking, purchasing, etc.) use it. People have real dangers to worry about; why should they care if someone can pretend to be them on a couple social websites that they just joined in the last year or two?
Why would you expect most people to do otherwise? I fully know the risks of using open hotspots on many websites and I do it anyway because the convenience outweighs the risks for me. Obviously I'd think twice about logging into my bank over a non-secure connection (though I'd be mad to bank with a company that doesn't secure all connections by default, of course), but open-wifi Facebook? Sure, why not?
This behavior extends beyond Internet usage. I (and probably most of you reading this) hand my credit/debit cards over to waiters several times per month knowing full well they could jot down enough information while out of my sight to make illegal charges on that card (if not do far worse via more elaborate identity theft schemes). Risky? Yes, but the extreme convenience outweighs the potential pain due to the low chance of actually being one of the people that gets exploited in this way, and thus it is with open hotspots and most Internet sites.
My credit card has legally built-in insurance against fraudulent use - I'm not liable for a penny of that use if it was used illegally - unless the card itself was stolen and I failed to report it - in which case I'm liable for up to $50. (As soon as I report it stolen, I'm not liable for anything)
I use a credit card because it's safer and offers me options - someone snarfing the number would be a nuisance, because I'd need a new card, but that's it.
Let's please not forget (Sigh... I know - everyone already has) that charge-cards were pushed onto the market as a safe, convenient alternative to using cash - not a walking liability - don't let the issuers turn them into one on us.
As to the analogy - it's quite different. I'm very security conscious, and I generally don't do certain types of activity on uncontrolled or unknown networks (banking - home or somewhere else safe - but Facebook at Starbucks, okay)
It's not just a problem with open hotspots, it's with any network you are on, anywhere - an open hotspot is just the easiest place for someone to try this on. An employee at an ISP could snarf data from millions of users easily...
In the UK, waiters bring over a portable card reader to your table, you stick your card in and enter your PIN. No need to physically hand over your card to them.
It certainly doesn't help that there is no solution to the problem of viewing Facebook on a public wifi. If there is no SSL solution, what solution can these users take?
Seems like the ones who read the message must have made a quick cost-benefit analysis in their head of viewing Facebook insecurely right now versus not accessing Facebook at all - and viewing it right this minute no matter how insecure still won!
Really? Users shouldn't be afraid of the consequences of something they believe to be benign? I didn't send Starbucks patrons home weeping to cry themselves to sleep. I fully concealed my identity in the same way an actual attacker would.
There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have but you are not in any way more entitled to violate a person's expectation of privacy.
You are not a hero. You have not done anybody a favor. You did this for the same perennial excuse of "spreading awareness" trotted out by any number of noxious social irritants and did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.
You may actually care about the problem and take it seriously in other circumstances, but that is not reflected here. There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.
> There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have...
That sounds exactly like a distinction to me. A fireman would break into a house to save a child. A burglar would break into a house to steal valuables. One intends harm, the other doesn't.
> did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.
There's no such thing as true altruism. Why he did it isn't relevant. People feel good about doing good deeds. Sure, they say "I want to help people," but they really mean something more along the lines of "I want to feel good about myself."
Further, why would it be necessary for him to choose the most effective or efficient means? He owes these people nothing.
> There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.
Maybe not the best or even a good solution, but it's certainly still one. ;)
Is there also no difference between somebody entering your house without your permission to warn you about something, because they fear for your safety, and somebody entering your house to burgle it?
You should probably replace "harass" with "inform" in your comment. It would be more accurate, and less emotive.
Suppose you wake up tomorrow and discover that someone has left a note in an unfamiliar hand on the bed beside you. The note reads "You should put bars on the windows. Something bad might happen." It is not signed. Your cursory search of your home reveals nothing obviously amiss. All the windows are shut and locked. You have no idea how someone could have gotten in.
Suppose you leave it be for the day. You've got more important things to do than blindly react to mysterious messages, haven't you? So day slips into night and before long it's morning again. You find another note: "Really wasn't kidding about the bars thing. I won't send another message after this -- it's up to you to take your security seriously." Same as before, nothing obviously missing, all windows and doors closed and locked. You have no idea who this is or why they are doing this. You have no idea if you can trust them.
On many machines, MAC addresses can be changed. I obviously wasn't attempting to avoid detection since I posted about it under my real name, but anyone could pick up a $200 netbook, pay cash, walk into a Starbucks with sunglasses on, do their business and leave undetected. MAC addresses are useless if they don't tie to anything else and aren't fixed.