daveOS
I tried tacking this onto the 'Facebook Must Die' thread, but that whole conversation represents a virtual identity crisis Sott.net created for me in choosing to associate with FB that I can't find any graceful way of navigating, and this following story I think represents a timely manifestation of 'People Power' demonstrating critical technical shortcomings of FB that deserves more focused scrutiny and wide attention than my confusion allows for (under the 'Facebook Must Die' context).
[quote author="Matt Markovich, komotv.com"]
Firesheep developer: Facebook ignoring huge security problem
_http://www.komonews.com/news/tech/107360348.html
SEATTLE -- On a recent afternoon, I surprised a lot of people at a coffee shop in Seattle's Capitol Hill neighborhood. I walked in, sat down, got onto the café's free Wi-Fi network and fired up a free application called Firesheep.
Within a minute, the names of a dozen people on the same wireless network started to appear in the Firesheep program. The users were listed along with the names of multi-billion dollar websites like Facebook, Twitter, Amazon, YouTube and The New York Times.
In some cases, the person's Facebook profile picture would also appear, making it easy for me to identify them in the café.
With a simple click on the user's icon in Firesheep I could log into their account on Facebook or Twitter or a variety of other websites that do not use encryption to fully protect the browsing session with their users. I could easily assume someone else's online identity and do nearly anything I wanted with their account.
Firesheep is a frighteningly simple tool that streamlines techniques malicious computer hackers have used for years to gain unauthorized access to personal accounts on the internet. Firesheep takes these previously complex tasks and rolls them into a user-friendly program that even an average computer user like me can figure out.
"It's like you are in my house and I did not invite you," said a surprised Sarah Dooley.
After her Facebook icon appeared in my Firesheep list, I approached her as she typed away on her iBook. I showed on my computer her main Facebook page and described the simple steps it took to get into her account.
"This is scary and I'm glad you showed me," she said.
Making network intercepts easy
Firesheep is a free extension for the Firefox web browser. It was created by Eric Butler, a Seattle programmer, and first presented at a security convention in San Diego in October. In the first three weeks of its release, Firesheep has been downloaded more than 700,000 times and that number continues to grow daily.
Watch an extended interview with Firesheep developers Eric Butler and Ian Gallagher.
Butler's creation listens to the digital traffic on the network the user's computer is connected to. It's listening for a cookie -- that's a term coined for a tiny bit of identifying information a user's computer exchanges with a website.
Cookies are what allow you to stay on a website that requires a user name and password without logging in every time you click to another page. But cookies are vulnerable to being hijacked if they are sent on an unencrypted connection.
Firesheep has built-in filters that listen for people on an unsecured network who may be exchanging information with websites like Facebook.
A user's initial login to Facebook is encrypted and not vulnerable to hijacking. But every subsequent exchange between a Facebook user and Facebook's servers in what's called a "session" is unencrypted, and it's these exchanges Firesheep is catching.
Firesheep lets its user essentially grab that cookie out of the air and place it on their computer. In doing so, the Firesheep user can take over the identity of the Facebook user and alter almost anything in the account except for the initial login password.
"I wrote Firesheep because I was tired of having to deal with websites that were ignoring this problem of user privacy," Butler told me in his first interview since releasing Firesheep. "Hopefully sites like Facebook and Twitter will see this and decide protecting user privacy is a priority for them."
"The elephant in the room"
The security software programmer admits that Firesheep simplifies the hijacking process to the point a novice user can figure it out, but said he doesn't think the tool turns good people into evil people.
"It's important to note that an attacker who's motivated has always been able to do this," Butler said.
Butler and co-developer Ian Gallagher believe the security lapse with websites that contain a person's private information has been ignored to such a great extent that something eye-opening had to be done.
"Users of these sites don't realize that this is happening, but the companies have known about this for a long time and have chosen to ignore this problem. Instead, they are putting money in privacy features and not making their websites secure," Butler said.
"Those privacy controls don't really matter if you can steal an entire user's session or you can see everything they are doing," said Gallagher, who helped troubleshoot the plug-in. "It's the elephant in the room they've been disregarding."
Facebook did not respond to our e-mail requests for an interview. A spokesperson for the company did tell the Wall Street Journal that Facebook is looking into improving its online security.
Legal questions
Butler's intent may be noble but the repercussions of the release of Firesheep could create unknowing lawbreakers.
Watch: Washington State Attorney General Rob McKenna discusses wiretapping laws and network security.
"I think when you are in a coffee shop and just doing your business online, if someone is intercepting everything you're doing, I think it's quite likely a violation of our state's wiretapping law and perhaps the federal wiretapping law as well," said Washington State Attorney General Rob McKenna.
McKenna had never seen Firesheep until I showed him. He said he hasn't seen any case law that would suggest simply viewing another person's information obtained over an unsecured Wi-Fi network through a program like Firesheep is illegal, but he believes it is.
Other legal scholars have argued that it's more ambiguous.
Jonathan Gordon, a Los Angeles attorney who consults for internet companies, told Computerworld that there is no expectation of privacy on an unsecured wireless network, and wiretapping laws make an exception for that.
Think of an unsecured network like a crowded airport lobby. When you shout to someone across the lobby, there's no expectation of privacy for what you're yelling. Being on an unsecured Wi-Fi network, like the kind you'll find at many coffee houses and internet cafes, is the electronic version of being in a crowded airport lobby.
But there's no debate if a person's information gathered with Firesheep or other tools is used to make a post or tweet without the account user's consent. That is illegal and considered stealing someone's identity, according to McKenna.
Butler, however, would likely be held harmless if someone uses Firesheep to commit an illegal act.
"The maker of the crowbar isn't guilty of burglary because a burglar uses it to break into a house," McKenna said. "It's not the creator of the tool that's liable; it's the user of the tool."
Butler said he's not an expert in wiretapping laws but believes sites like Facebook are responsible for the information they keep and should be held liable for not protecting that information.
"Every website that is dealing with personal information and a user account really should be using encryption for everything," he said. "That's really the answer."
He adds that using a virtual private network will also prevent Firesheep from capturing your network traffic.
Butler cautions everyone who thinks that simply putting a password on a Wi-Fi network will offer complete protection. He says it doesn't.
If the Firesheep user is using a common or shared user name or password to gain access to a network, anyone else using the same user name and password could be subjected to hijacking.
---
Other tips and precautions:
- Look for an "https" in the address bar of the website you're visiting. It may be there when you log into the website, but if it's not there after you've logged in, anything you send could be easily hijacked by someone using Firesheep.
- Sites that keep an "https" in the address bar during the entire session are using encryption and cannot be accessed with Firesheep. Banks commonly use "https" for the user's entire online session.
- If you are on an open and unsecured Wi-Fi or wired network, do not go to sites that require a login to access your information. Looking at sites that require no action on your part should not compromise your privacy.
- Beware that any communication you send over an unsecured Wi-Fi network has the potential of being viewed by anyone else on that network.
[/quote]
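The article explains that a session cookie issued after an encrypted login is still sent in the clear on every later plain-HTTP request, which is what Firesheep picks up, and its tips boil down to "keep https for the whole session". The defender-side check for that is whether the site marks its session cookies with the Secure attribute, so the browser never transmits them over http at all. The checker below is an added example (not Firesheep's code or anything from the article); it parses Set-Cookie header values with Python's standard-library cookie parser and reports which cookies a browser would hand over in the clear. The header lines and the session-name heuristic are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for the cookie sidejacking weakness Firesheep demonstrates.

A session cookie without the Secure attribute is attached by the browser to
every plain-http request to the site, so anyone on the same open Wi-Fi can
read it off the air. This added example flags such cookies.
"""
from http.cookies import SimpleCookie

# Heuristic only (assumption): substrings that usually mark a login-session
# cookie. Extend this for the site you are auditing.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample headers, not real Facebook/Twitter responses.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # sent over http too: sidejackable
    "auth_token=def456; Path=/; Secure; HttpOnly",  # https-only: Firesheep never sees it
    "lang=en; Path=/",                              # preference cookie, not a session
]


def looks_like_session(name: str) -> bool:
    """Guess whether a cookie name denotes a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(headers):
    """Return one finding dict per cookie found in the Set-Cookie values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)  # parses name=value plus Secure/HttpOnly/Path attributes
        for name, morsel in jar.items():
            secure = bool(morsel["secure"])      # "" when absent, True when present
            httponly = bool(morsel["httponly"])
            session_like = looks_like_session(name)
            findings.append({
                "name": name,
                "secure": secure,
                "httponly": httponly,
                "session_like": session_like,
                # The Firesheep case: a session cookie the browser will send over http.
                "sidejackable": session_like and not secure,
            })
    return findings


def sidejackable_names(headers):
    """Names of session-like cookies that lack the Secure attribute, sorted."""
    return sorted(f["name"] for f in audit_set_cookie(headers) if f["sidejackable"])


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = "SIDEJACKABLE" if finding["sidejackable"] else "ok"
        print(f"{finding['name']:<12} secure={finding['secure']!s:<5} {status}")
```

Run against the headers a real site returns after login (for example, copied from the browser's developer tools); an empty result from `sidejackable_names` means the session cookies are confined to https, which is the protection the article says banks already provide.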