The developer of the Firesheep cookie-jacking plug-in has dismissed supposed easy-fix countermeasures as worse than useless. Eric Butler released the Firefox extension last month in order to illustrate the risk posed by the failure of many sites to encrypt session cookies used to authenticate their users, even if they might run …
Would Eric Butler steal a child's bike?
Would Eric Butler steal a child's bike to teach the child to keep his bike locked up?
Would he beat up a staggering drunk to teach him binge drinking was wrong?
Would he hurl bricks through windows to "encourage house builders to use better security practices"?
Would he steal babies from a hospital maternity ward to promote better automated baby tracking systems?
Would he hand out bags of bent nails to school children to be scattered on roads to protest the auto industry's failure to use puncture-proof tires?
Freely deploying Firesheep is no different.
You forgot about 'think of the children'
What Would Eric Butler Do?
Just for fun, try replacing 'Eric Butler' in Keith's post with the name of your 'favourite' UK tabloid.
Now, if you can take a break from your self-righteous, 'ignorance is bliss' tirade (pausing, perhaps, to read up on logical fallacies), remember that any operating system that allows a user to trivially put a computer's wireless interfaces into promiscuous mode has been able to do this sort of thing for *years*.
Mr Butler has done nothing new; he's merely packaged up and presented a succinct demonstration of a flaw that shouldn't exist on any website. Google were very slow in fixing gmail, and even they provided a purely HTTPS interface years ago to prevent this very problem!
Clearly, letting the industry sort itself out in its own good time has been an utter failure. They've been utterly irresponsible, orders of magnitude worse than a little skiddie application and some publicity.
In plain sight
Sigh. You have the intention wrong. The hack that FireSheep does is already possible - and may have already been implemented by real black-hats. Facebook et al won't budge and protect their users until forced - and releasing FireSheep might just force them, by bringing the exploit out into the open.
It's like this: You give a bank your money. Someone gets in the back door, and steals a bit now and again. The bank don't seem to mind, as not much is stolen. So, to force them to properly secure their vault, you go in and steal all the money, and leave it on the counter so everybody can see. Now they notice, and now they properly secure the vault, like they should have in the first place.
...binge drinking is wrong? Well that's all the fun out of my life then. I always thought so long as you didn't do it often enough to really be an "addiction" and you combined it with sensible actions like having a designated driver and/or sleeping arrangements then binge drinking was one of the greatest activities that humankind could engage in.
Certainly has made for a large number of the really interesting and fun moments in my life!
Pint; because I feel like drinking tonight...
Hold together a cogent argument!
"Would Eric Butler steal a child's bike to teach the child to keep his bike locked up?"
No, but that's theft and is illegal.
"Would he beat up a staggering drunk to teach him binge drinking was wrong?"
No, that's assault and is illegal.
"Would he hurl bricks through windows to "encourage house builders to use better security practices"?"
No, that's vandalism and damage to property, also illegal.
"Would he steal babies from a hospital maternity ward to promote better automated baby tracking systems?"
No, that's kidnapping ( and theft?! ), once again illegal.
"Would he hand out bags of bent nails to school children to be scattered on roads to protest the auto industries failure to use puncture-proof tires?"
No, that's endangering lives on the public highway. Again, illegal.
Firesheep does nothing illegal, it merely pulls information from an open source. If you choose to abuse it, then that's your business, but be prepared for the 6ft bloke who's just had his FB account cracked open to walk across the coffee shop and lump you one!
Seriously though, if Eric went down to B&Q ( DIY hardware store for those outside the UK ) and bought a crowbar, a hammer and a bag of nails, that's not illegal, he's done nothing wrong. If he then goes on to commit the crimes you mentioned using those tools, that's not the fault of Stanley or B&Q is it? I don't see B&Q being collared in a lot of burglary cases for 'aiding and abetting', do you?
Nmap, Wireshark, Aircrack, are any of these illegal? No, but they can be used for nefarious purposes if used in the "right" way.
Android: when will we get proxy support
So when will Android mobiles get a widget to connect to a proxy/ssh socks/openvpn tunnel?
As soon as you take ownership of your Android device and add one...
...it's possible Google may never spoon feed you; they supposedly have issues with the potential for location spoofing and 'local' content filtering that proxies would offer. It's fairly trivial from a development PoV, can't think of any other reason why it's not implemented.
Know for months?
Screw that, I was updating a colleague's relationship status to engaged about two years ago. (Well he shouldn't have been on facebook during work hours).
Was a little more involved than FireSheep though, it meant sniffing his HTTP connection, copying and pasting his facebook cookies and inserting them into Firefox using a cookie editor.
Not AC because of the current boss (he thought it was bloody hilarious). Future ones may not think so though.
illegal or at least unethical, maybe
Stupid and unthinking, certainly.
Known for months?
"The basic problem has been well understood in security circles for months"
Erm, try years. Anyone with any knowledge of open WiFi networks could have told you years ago that your data was transmitted for anyone with enough knowledge to grab.
Is the answer really...
...as simple as using SSL?
All that's required is to always use SSL when logged in, or use a network secured with WPA (even with a publicly known password).
...I really thought I was missing something. I didn't realise that each WPA connection ran its own crypto, assumed that anyone connected could see data on that network (not read-up on the details of WiFi yet...really must).
Good news: I don't run a public WiFi, you can all rest easy.
Well he would say that...
It's in his interest to claim that countermeasures are ineffective, otherwise his story and fame disappear in a puff of smoke.
This is only possible on account of unencrypted Wifi or WLANs using weak encryption like WEP. WPA2, which is what most Wifi network admins have switched to, renders this attack obsolete.
The same vulnerability exists when accessing non-SSL sites at work - a rogue network admin with knowledge of packet sniffers like WireShark can easily harvest and hijack user cookie-based sessions.
> Is the answer really as simple as using SSL
Yes and no. Correctly configured SSL encryption with a decent cipher and key length presents a major difficulty to a majority of crackers. However the additional processing overhead of packet encryption/decryption means to handle request volumes on a scale of Facebook's traffic would require major investment in additional server capacity and that means big dollars.
Anonymous Coward (or someone pretending to be Anonymous Coward)
SSL overhead is negligible
The processing overhead of doing everything over SSL has been negligible for years. When Google switched to SSL by default for Gmail, they reported:
"In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that."
SSL overhead is negligible
Google want to sell Gmail as a completely secure business solution so the engineering effort to reduce SSL memory overhead, handshake latency / roundtrips, optimisation of application/server data packet sizes, caching etc was likely considered a worthwhile investment.
Facebook's use case is a billion teenagers exchanging idle chat, vanity photos and playing farmville - maybe this is why it's not considered a priority for them?
SSL overhead is negligible
What's interesting about this is on the one hand you have a whole bunch of certificate authorities & vendors keen to push SSL technologies as a standard for commercial reasons and another group - the spooks, intelligence agencies and governments for whom widespread adoption of SSL by the general public would be a complete disaster in terms of their interception capabilities or plans for data mining!
Yup, it's that simple. If you control the router, the answer is as simple as turning on WPA encryption. I manage a few small public wifi networks (cafes, hotels, that kind of thing) and gave them a simple key (the SSID, or "internet" or similar). No more Firesheep.
I'll have to read-up on the details of WPA (when I do run the WiFi at home, that's what it uses, router is too old for WPA2). I do wonder how tools like Aircrack-ng could make this even worse, but I doubt it's possible to decrypt the packets in real-time, unless one manages to sniff the hand-shaking I guess.
But I really am ignorant of the details.
SSLSniff + SSLStrip
WEP is pointless; may as well be plain text.