Learning the wrong lessons from Firesheep
Summary: Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now.
According to most media reports Firesheep means you should never use the Internet, never use an open WiFi connection, and certainly never use one for a social networking site like Facebook or Twitter.
(Note: This bit of art, credited to MyBlackSheep, is also deliberately teaching the wrong lesson. It is flying about the Web today, often on false-front sites that seek to download malware to you. I found this one at JackTimes. Don't pet the firesheep.)
These are the wrong lessons. I think they're wrong deliberately. Some people still seem to think that open source and the Internet are genies that can be put back into the bottle, that if people are frightened enough they will flee the Web and go back to print and the TV for their news.
It's not going to happen. Freedom is a feature, not a bug, and those who insist on considering it a bug are not your friends. (I will have more on this later today.)
Firesheep was created at the Toorcon hacker conference by Seattle programmer Eric Butler as a protest against the lack of SSL encryption on popular sites, an enormous security hole he wants plugged now:
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
(Clever readers will also note that Butler first wrote versions for the Mac and PC, promising a Linux version one fine day.)
Never mind that SSL is pretty low level security. Never mind that good intentions are always misunderstood. Eric is an idealist, this is a demo, he wants action now!
Danny O'Brien of the Committee to Protect Journalists offers the best advice I've seen on Firesheep so far.
- Use the HTTPS Everywhere plug-in so you will have encryption wherever it's available.
- If you go on Twitter or Facebook use the https versions of those sites.
- Use a virtual private network. Run the unencrypted leg of such a network through Sweden.
Another way around the problem may be an existing Firefox extension called Force-TLS.
Butler's program empowered 104,000 lazy people to download it the first day. (Later updated by Butler to 129,000.) It has also led to a counter-tool called Idiocy, a virtual hand slap that does a session hijack, posts a warning tweet, and then tells victims what to do in order to prevent it from happening again.
In his follow-on blog post, Butler continues to insist he's a good guy interested only in your security, says Firesheep only puts a pretty user interface on tools that already exist, and attacks sites which either charge for use of https or implement it sparingly, claiming a performance hit.
He also offers a little praise for Gmail, which went https-only earlier this year.
Finally, this warning:
You can’t simply avoid visiting the sites that are being attacked here. There’s an enormous amount of mixed content on the web today, such as the Facebook “Like” button, Digg’s “Digg It” button, twitter widgets, and even embedded images that are hosted on Flickr or other photo sharing sites. Every time you access any web page that includes any of this content, your browser also sends any authentication cookies you have with the request to pull down the widget.
Clever users will note such links sit at the top of the page you're now on.
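The exposure Butler describes above, a session cookie the browser attaches to plaintext requests, is exactly what the Secure cookie attribute prevents, since a cookie without it is sent on every http:// request to its domain, widget fetches included. The audit below is an added example, not code from this post or from Firesheep; the Set-Cookie header lines it checks are constructed, and the session-cookie name hints are a heuristic.

```python
"""Audit Set-Cookie headers for the exposure Firesheep relied on: a cookie
without the Secure attribute rides along on every plaintext http:// request
to its domain, including the fetch of an embedded widget on another page."""

# Substrings that suggest a cookie carries a login session (heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)

def audit_set_cookie_headers(headers):
    """Return {cookie_name: [findings]} for session cookies that a Wi-Fi sniffer
    or a page script could steal; hardened and non-session cookies get no entry."""
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure: sent in clear on any http:// request")
        if "httponly" not in attrs:
            problems.append("no HttpOnly: readable by script on the page")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=0123abcd; Path=/; Domain=.example.com",  # the Firesheep case
    "auth_token=xyz; Path=/; Secure; HttpOnly",          # hardened
    "lang=en; Path=/",                                   # not a credential
]

if __name__ == "__main__":
    for name, problems in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(problems))
```

Run it against the Set-Cookie lines of your own login response; any session cookie it reports is one an open-WiFi sniffer can replay until the site moves the whole session to https and marks the cookie Secure.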
Talkback
Once again, the computer field acts like its own little world
Imagine if we apply that wild-west logic to something else, like fire safety: Eric Butler creates self-combusting paint to protest the lack of sprinkler systems in residential houses.
I'm not sure why we even remotely entertain the notion that Eric's actions can somehow be justified. I think it's high time we started treating computer people with the same legal standards as everyone else.
RE: Learning the wrong lessons from Firesheep
The problem existed for years before Roberts acted -- all he did was put a user interface on something that already existed.
I guess everyone who writes a user interface should be licensed by the government and have their work examined by prosecutors before it's allowed out, then.
Thanks for the reply, but I disagree
This is not scapegoating.
In my fire example, I could argue just as strongly that people are just as much at risk without sprinklers regardless of whether they have fictitious self-combusting paint on the walls.
The problem is, no one would seriously argue that putting people at risk of having their house burn down is the way to change building codes to incorporate sprinklers.
You protest, you take out ads... you run for city council.... you know, things that are supposed to happen in a mature democracy where we do things like grownups.
Yet, here you are saying that Eric Butler is OK to take the immature road to change. I'm just curious why the double standard?
RE: Learning the wrong lessons from Firesheep
Instead of disclosure of the problem itself, Eric Butler made the dangerous software available for absolutely everyone. Maybe the problem could be worked out another way? Firesheep sure won't help to resolve it for minor web-services and sites and, i.e., Facebook users will sure fall victim to Firesheep, which is supposed to "help the users win".
RE: Learning the wrong lessons from Firesheep
Think everyone who does a UI should have to register? Is the UI the problem, or the underlying malware? And if no one in a position of authority pays any attention to it when you yell about it from the rooftops, what then? Let people be victimized?
RE: Learning the wrong lessons from Firesheep
Dana,
You need to stop and consider the term "messenger". This guy didn't run up and tell the king that the castle walls were too short. He went out to all the villages and gave them a trebuchet, and told them they could use them on the castle because it's vulnerable. Sure, someone may have figured that out, and some may have the means to exploit it, but now it's easy for everyone to exploit it since they were given the tool.
"Messenger" versus "Weaponer". Huge, huge difference.
RE: Learning the wrong lessons from Firesheep
IMHO, that's not an accurate analogy. I'd say the villagers already had the trebuchet (or 27), know the castle is vulnerable, know where to find big rocks (or bee hives, diseased corpses, Celine Dion CDs, etc...) and a few have even successfully landed 17lb medieval bowling balls on the king's breakfast more than once.
What Butler did was more akin to setting up a big warehouse in the village then made and gave away free bolt-on mods for the trebuchets (yeah, pimp my ride!). It was a big mod that provides an internal combustion engine that moved the trebuchet, power steering, GPS and an automated targeting system.
Is that a bad thing? Yes, I think it's still a bad thing but I also think we need to be very clear what faults lie where.
1. Silly king with the lame castle walls - silly websites/company owners with their lame security
2. Naughty carpenters that built the trebuchet(s) - naughty hackers that wrote the original malware code/scripts
3. Naughtier mod-kit peddler that built and gave away the trebuchet mod-kit - naughtier Butler who put an easier to use UI on the existing malware
Smack all 3 if you like or none but again, place the right fault with the right party.
@croberts Same deal, it is scapegoating. I agree with you that there are far better ways to get the message across like I believe protesters have no business blocking major roads downtown delaying my commute to work. However, Butler isn't the only person who did a misdeed here and IMHO, he's not the worst of the three obvious parties either.
Eric Butler's a coward
More than a messenger!
Oh Please
Right now, Dana, you are using a variant of the "Music Piracy is Good" argument, quite extensively I might add.
Music Pirates Claim that they're only hurting the "middle man" and empowering the Artists. Similarly, Eric is claiming his tool only hurts Website Owners and Empowers the End Users.
He ignores by releasing a tool that was intentionally designed to hack into others' accounts... AND released as open source (basically means that he wants people to make variants, that he wants them to do MORE than just what his "proof-of-concept" test does... and that he wants a guarantee that he can't "just be 'shutdown'") that the people he is hurting ARE the End Users.
But wait, there's more fun. Music Pirates claim that "The Genii is out of the bottle, Piracy is here to stay so fuck off". Freedom IS A BUG! Only obscenely uneducated and immature people claim otherwise.
What the internet currently represents is anarchy. Youtube is constantly being contacted to pull down copyright infringing media, they hide behind the same laws Wikipedia does so they're not responsible for the media they provide because they don't manage the content... but it doesn't change the fact that their service is used (to no small degree) to illegally distribute copyright protected media.
It's lewd, but child pornography does exist... I would think that if someone were to start using their services to upload their homemade videos that they'd have a hard time explaining why they were distributing it.
Let's take this one step further. I'm a pedophile on an open wireless connection and I use firesheep to hijack a YouTube account. Oh, the possibilities.
But without resorting to a Slippery-Slope argument... let's get back on point. The internet is currently in a state of anarchy... various sites have their own "governments" which are regulated (typically) by who is the biggest bully "with friends". Take Wikipedia, the community won't take anything you say seriously until you've reached some imaginary level. Take various "forum" sites, even with moderation the community can quickly spiral down into considering cyberbullying "a typical norm".
I mean, seriously... I was banned from a community for blatantly accusing many "high standing members" for blatantly insulting and publicly humiliating a new member for asking a simple question. The person asking professed to being 13, while those who were taunting and ridiculing him claimed to be over 20.
How about the freedom to commit libel?
http://dontkillspike.livejournal.com/250717.html
The Freedom to Steal?
http://about.digg.com/blog/what?s-happening-hd-dvd-stories
http://about.digg.com/blog/digg-09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
Document THIS KIND of material?
http://en.wikipedia.org/wiki/Richard_Goldberg
IS THIS THE "FREEDOM" YOU SPEAK OF?
I mean, thepiratebay.org exists solely to facilitate the illegal transfer of copyrighted material... yet they claim they're freedom fighters...
http://www.wired.com/threatlevel/2009/08/churchill/
I mean... SERIOUSLY NOW!
Eric didn't invent anything, he didn't even do anything all that innovative. What he did do was produce and distribute a product that users would download "with the intent of committing an illegal act". This is akin to him giving out Car Remotes that exploit cars that don't use a rolling code. (Rather silly because they all should... but still). Sure, it is "informative" to do so... but all people are going to do with them is steal cars.
He's trying to claim innocence from malicious intent, because "he only intended for his product to serve as a warning" excluding the obvious fact that "people would download his product to commit crimes".
You CAN'T keep claiming "It's just a UI, The Genii is out of the bottle, He did nothing wrong". He DID do something wrong... but his CHARISMA (and "bug" that is called freedom) has convinced you otherwise.
RE: Learning the wrong lessons from Firesheep
Trust me, if the hackers knew about this exploit before Firesheep went public (and something tells me they did), they wouldn't have said boo to anybody about it; instead they'd have quietly gone about hijacking our Facebook accounts for their own gain, and all of us sheep would have been sheared repeatedly.
I'd rather see the shears coming and be able to do something about it, personally.
RE: Learning the wrong lessons from Firesheep
Nothing is going to happen as a result of this... they won't update their servers, the idiot who made the program is trying to claim that there is no cost (without reading the fine print) to adding the service when there actually is (he pulled a few "free" sites, but he refused to comment on anything but what was on the front page of those sites). They certainly wouldn't want to have the traffic google would produce going through without some form of fee.
Point is, if you actually wanted to, you can tear that persona of his down revealing the pathetic man inside. He wants to act like he's just "sticking it to the man" when all he is really doing is promoting anarchy. He will deny that anyone can seriously get hurt, but will also say that if someone does it's not HIS fault.
Strange how quickly he twists his words.
RE: Learning the wrong lessons from Firesheep
Yes, because people definitely listen so well when you just tell them about things. People (including you and me) are stupid, you have to force them to act. The fault does not lie with -anyone- but the people who allow the security holes in the first place.
RE: Learning the wrong lessons from Firesheep
It's rather similar to the argument that if guns are outlawed, only outlaws will have guns. Personally, I would prefer that nobody had guns but that's quite impossible.
Unlike gun control however, the problems here /can/ be fixed, and widespread awareness of them will help.
RE: Learning the wrong lessons from Firesheep
SOME Bad people have had Nuclear Weapons.
Other Bad people were not so fortunate.
Then Butler said "Free Nuclear Weapon Day" and gave everyone the bombs they deserved.
Guns have through licensing and regulations. What he would be doing is handing out "untraceable guns". Though I like the nuclear weapon analogy better.
The Real Problem is HTTPS and IPv4
It's easy to miss the fact that it's technically impossible for all of the websites everywhere to be encrypted. I wish they could, myself. Absolutely everything of mine would be encrypted for certain. However, there can only be one SSL cert per IP address for security reasons and partly due to the design of HTTPS. I don't know of any CAs that will issue a single cert for multiple domains, either. I believe they could do so if they wanted, though. To solve this problem for myself I've gotten wildcard or multi-subdomain certs for my second level domains and just put all of my own services under those domains. Then I can use Apache's vhost_alias module as usual to map domains to content. But I also host tons of domains I don't control on vhost servers. There's no way to implement SSL for those sites because they all share an IP. I'd either have to use a cert for each site and buy tons of (non-existent) IPv4 addresses (which ARIN refuses to sell me) or give all but one site an invalid cert.
RE: Learning the wrong lessons from Firesheep
However, if a site is expected to store, display, or broker personal information (not just a GUID or other identifier for our computer, or what version of software we're using as a browser) then the responsible thing is for that site to get a valid certificate and use it to power SSL. As far as site hosts are concerned, if a site needs more than one IP/netblock to manage SSL, then that'll factor into their site costs. Perhaps then we won't see such profligate disregard for customer privacy, because it'll cost more money to run such a service in the first place.
Facebook is such a site, and this isn't the first time Zuckerberg's been caught with his pants down in regards to user privacy. What surprises me is, everybody's getting on Butler's case for pointing out that the Emperor has no clothes on, AGAIN.
multi domain Certs exist
There are many CAs that will issue multiple domain certs, I've purchased several...
Not all that expensive either. GoDaddy's multi-domain cert starts at 5 domains for $89.99.