Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre. Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary …
Now all the customers know it was the idiot they saw walking around with his zip undone.
Arrest expected any time soon!
I do hope that YKK will soon issue a critical update to fix his zip/zipper vulnerability!
Mines the one that won't zip up.
Nope, I Demonstrates WPA2 Is Crap
..because there is a "shared" key. You have to trust everybody else in the WLAN.
WPA uses a 4-way handshake to generate and assign a Pairwise Transient Key which is derived from many sources of information, including the AP MAC address, but more importantly the client MAC. This is then cryptographically hashed. This essentially means that each client connected to the AP has its own key, and cannot be sidejacked.
However, I know from experience that Starbucks use open wifi APs, so this doesn't apply.
More info here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004
The shared key is merely for mutual authentication and for encryption of the encryption key exchange. Each client uses a unique set of keys which are renegotiated every so often. But hey, thanks for playing.
WPA != WPA-PSK
As stated above WPA (2) does not leave the users inside a network open to sidejacking, but you also mistook WPA2-preshared-key (WPA2-PSK) for WPA2. The difference being that WPA (1 or 2) requires a RADIUS server and uses certificate based encryption, where the preshared key versions used on home wireless routers don't.
..I learned there is a somewhat broken protocol named RADIUS. Still using md5, despite being of questionable security.
Mir rollt es die Fussnägel hoch*:
But that's not the only way RADIUS is crap.
And if you use PSK, I question you how this can achieve security as there is ZERO Public-Key crypto involved. Or did I figure this wrong.
And even if they did use PK Crypto, whatabout man-in-the-middle ? (That would simply be accomplished by blasting the legitimate AP (10mW or so) with a 2000mW bogus AP). I can't find anything related to certificates when I connect to an AP. Using directed antennas (Yagi or Parabole) can even make a rogue 10mW appear like a 100mW legit AP. Without the legit AP even realizing....
This is all crap. If you want secure WLAN, you have to use either only https sites or tunnel all traffic OpenVPN or similar. In this case, you can skip the WPA2-Smoke-And-Mirror altogether and leave the WLAN unencrypted. OpenVPN will do proper crypto using SSL/TLS.
* use translate.google.com
See The RADIUS Crap For Yourself
All it does is to create work. Then you acutally secure your connection using SSL/TLS (with openVPN or https).
Expecting Warm Flames From You. Or please retract the downvotes. Dankeschön.
If That Would Work
...your bank would simply use a "shared password" for all customers. No SSL/TLS. No certificates.
Ever heard of
... forged MAC addresses ? Not more complex than forging email sender addresses with the proper hw.
So you can get into mah facebooks. Big whoop. If I log on to fb and someone has posted something nutty/obscene under my ID, or shared all my data with a billion and one 'applications', I should care why?
Likewise amazon, really, as long as it's not the actual purchasing bit.
I know, I know, computer security, personal data, blah blah blah, but who really gives a crap if some geek in an internet cafe can see your mate's status updates about how wrecked they got the other day, pictures of someone's new baby, or if (as happens frequently when someone leaves an unattended machine somewhere) there's an unexpected status update proclaiming a joyful appreciation of being on the receiving end of a bit of bottom-sex?
You *Should* Care
(Ignoring your Paris icon . . .)
If something illegal is posted using your Facebook account, then you can be arrested. You may get fired from your job. Some quick ideas: confessing to recently-committed felonies, threatening politicians, making bomb threats, posting illegal pr0n, posting racist comments . . .
If someone can log in to your Amazon account, then he *can* make a purchase. At the very least, he can make your browsing history appear suspicious so that Amazon suggests up terrorist or pr0n books.
And, as you say, "personal data, blah blah blah blah". I would add "do affect your insurance rates, security clearance, background checks, credit rating, and the like".
You should care because
Because when someone decides to use your FB to break up with your girlfriend (if you have one) and then insults all your mates, they will all think it's actually you doing it.
Think about that, for a minute.
Can't log in to the account
Amazone require an https login to actually buy anything. Not sure about what happens if you have 1-click turned on.
And if facebook can affect my credit rating then, frankly, I can do without one. I don't operate on debt anyway.
My other half wouldn't take being dumped over facebook, please.
And my mates would just think I was either drunk or had been hacked.
Taking FB too seriously is the main problem.
re: then insults all your mates
They'll just wonder why they are being nicer than usual :-p
What's the betting he'd be in more trouble for the wardrobe malfunction
than for the white-hatting?
Which ones are safe?
So this establishes that FB and Amazon aren't using full SSL for their logins. Which sites have implemented proper login systems, or which sites ARE safe then?
Surely that is like noticing a car that hasn't been locked, opening the door, pushing the little lock thing down (yeah this is going back a bit but I used to do it a lot) and then leaving a note saying that they left their car open?
I wouldn't say it was illegal, doesn't there have to be criminal intent, in place of community spirit?
I knew it...
So you're the arsehole who locked me out of my car and caused me to miss my own wedding. Thanks a lot do-gooder.
No really, thanks. Turns out she was a total bitch. Couldn't have worked out any better.
Not how I expected it to end...
...I thought it was going to be "and sure enough, they had. He got up, packed his laptop and headed for the door before being intercepted by two of NYC's finest in their donut-sugar-frosted uniforms for inadvertently stealing the credentials of their sergeant..."
(Or maybe a mark had narked, y'know, something resulting in the bloke leaving Starbucks in cuffs)
"...doesn't do anything that hasn't been done for years. But it makes for good theatre."
The point is that it makes it very, very easy for anybody. Which makes good theatre. Hopefully, it'll bring some changes.
But what did he expect them to do?
He gave them no options, no alternatives. No - 2do this and you will be safe".
So they carried on.
People are like that.
Who would be dumb enough to blog about this?
This guy might be trying to make a point, perhaps he knows about computer security, but he sure as hell doesn't have any common sense. He almost certainly violated laws by hacking into other people's accounts. Good intentions or not, he could find himself in serious trouble.
If his intent was to demonstrate how vulnerable Starbucks was, he should have enlisted a volunteer to act as his guinea pig. He could even have mentioned that even while testing he had to filter out other computers which were exhibiting the same issues he was testing on the volunteer.
Anyway, I don't know why starbucks don't just encrypt their network. These vulnerabilities exist because the network has no encryption at all. With encryption, it would be considerably harder to eavesdrop on other people. Starbucks could even use it to prevent freeloaders by cycling passwords daily or suchlike and printing today's password on till receipts.
Illegal in GB as well as USA
Needless to say, this is also illegal in GB. It's instructive to run the attack on your own private network, compromising your own sock puppet accounts (after temporarily turning off https-everywhere). Doing what this blogger did merits a visit from Inspector Knacker.
You remember the case of the Philadelphia-area high school that was surreptitiously peeping in on the students via the web-cam on laptops it had issues to the students? If so, you'll recall that there was no prosecution on this clearly illegal activity because there was "no criminal intent". Since there was clearly no criminal intent here either, this chap is in the clear.
From the article (http://www.theregister.co.uk/2010/08/19/school_webcam_spying_no_crime/): "I have concluded that bringing criminal charges is not warranted in this matter," Zane David Memeger, US attorney for the Easter District of Pennsylvania said in a statement, Wired reports.
"For the government to prosecute a criminal case, it must prove beyond a reasonable doubt that the person charged acted with criminal intent. We have not found evidence that would establish beyond a reasonable doubt that anyone involved had criminal intent."
No harm, no foul, it seems....
No criminal intent, you say?
Isn't the act of logging into someone else's facebook account without their permission criminal? Certainly the author intended to do so, no? Just because his motives were supposedly altruistic, and that he wasn't seeking any sort of monetary gain, should that alleviate him from prosecution? Certainly he knew it was illegal, something that may not have been known by the fellow who set up the cameras in the school case example.
It just shows...
...that people ignore things that they don't understand.
And if he had started buying things on Amazon from their accounts, they would hold their hands in the air running around crazily, blaming Amazon, Starbucks, their ISP, the Government and everyone else but themselves.
I'm beginning to think that the Internet is too dangerous to let Joe Public loose on it! Maybe we need an Internet driving test before allowing them to connect.
Given that he's been wandering around with his wanger on display, I'm just glad it's not brown-hatting.
The Daily Star
Data snoop stalks coffee shop user with cock out - lolz - Great headline
Is it illegal? Absolutely.
Could he be prosecuted? That depends on what you mean by "prosecute"
Could he be convicted by a jury here is The States? Not a chance. Hence the previous Clintonism.
Why is there no chance of him being convicted by a jury of his peers? Really, I'm curious.
Lots of reasons.
The ones which come to mind immediately:
1. The US jury system is so screwed up it is nearly impossible to get what most of us would regard as a competent jury seated, because so many of the things most of us would regard as marks of competence count as reasons to dismiss you from the jury pool.
2. Before you get to a jury trial, there's the whole plea bargaining mess.
3. Given solid evidence against a perp who committed a violent crime, there is at best a 50/50 chance of conviction. This isn't a violent crime, and the guy has shown his intention was to help people. I don't even think you could find 12 people if you select them at random who will agree to convict someone who hasn't caused ACTUAL harm when he was trying to do something good.
illiegal it may be, but I'd rather know my flies were undone so I could do something about it
You owe me a new keyboard and screen!!
Yeah, right there...
"When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open."
So he forgot to zip after he cranked one out under the Starbucks table while cracking other peoples login info on top of the Starbucks table? I mean, geez, at first I thought this guy was just another do-gooder, intent on pressing his high-and-mighty security opinions onto unwilling others. But after seeing the zipper part, now I'm not so sure. Sounds like he may be a bit of a security perv.
You're all missing the obvious...
*He* didn't actually blog about this. His blog was sidejacked and someone posted this entirely-fictional account to get him in trouble.
10: The thing is, the person sidejacking him is actually innocent; they're also being 'framed'. Their account was sidejacked by yet another party that's trying to get them into trouble.
20: GOTO 10
I hope that this clears things up...
Can you give me that in Java syntax please? It's been a while since I spoke BASIC...
When used properly GOTO can, in fact, improve code quality and readability. According to Knuth, who took a more balanced view than Djikstra.
Although you should still be shot for using it without having read both. And I don't just mean the two papers.
In fact I'd state that as a general principle, but I suspect if I were to go around putting all the codemonkeys who haven't even heard of either of them against a wall, we'd start getting low on programmers. Which might even end up being a bad thing.
GOTO is for noobs
10: COMEFROM 20
not just full ssh for logon
@iamapizza you need to enable ssh for the entire session to avoid sidejacking, not just the logon. That is the point. Most sites are vulnerable, not just amazon and facebook
This is why you should never let a site store your credit card details for 1 click purchasing :)
The question remains
If you're at the local Starbucks and use firesheep to hijack an account, can you then use https-everywhere to lock them out?
If you only want to surf (proper - correct certificate) https sites you are safe. It is unclear wether facebook and google completely support https. So if you are disciplined enough to use only https, maybe you are secure.
does not work with all sites. VPN may help
Reminds me of that Cobol programmer they found dead in the shower in the mid 90's. CSI could not figure out the cause of death.. until a geek on the investigation team discovered the reason when he read the instructions on the shampoo bottle found with the body.
The instructions said:
Oh they must mean intentional computer misuse and therefore a criminal offence (here in the UK).
Don't give criminal activity a nice name, it dilutes the offence e.g. "tagging" vs grafitti vandalism
He is perfectly right, but....
This guy oughta be careful. He may be operating within the Law as it is written, and may have the public interest in-mind, but that doesn't necessarily make any odds. He may view exposing the vulnerability as a proper action, but others with vested interests in keeping the status-quo (or, perhaps simply with avoiding doing the work needed to fix the security-hole) may not agree.
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Antique Code Show World of Warcraft then and now: From Orcs and Humans to Warlords of Draenor
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...