Software engineer blogs own Starbucks wiretap

Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre. Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Grenade

    Nope, It Demonstrates WPA2 Is Crap

    ..because there is a "shared" key. You have to trust everybody else in the WLAN.

    1. The Original Ash
      FAIL

      Not WPA

      WPA uses a 4-way handshake to generate and assign a Pairwise Transient Key which is derived from many sources of information, including the AP MAC address, but more importantly the client MAC. This is then cryptographically hashed. This essentially means that each client connected to the AP has its own key, and cannot be sidejacked.

      However, I know from experience that Starbucks use open wifi APs, so this doesn't apply.

      More info here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004

      1. Anonymous Coward
        Flame

        Ever heard of

        ... forged MAC addresses? Not more complex than forging email sender addresses with the proper hw.

    2. Kirbini
      FAIL

      Um...

      No.

      The shared key is merely for mutual authentication and for encryption of the encryption key exchange. Each client uses a unique set of keys which are renegotiated every so often. But hey, thanks for playing.

      1. Anonymous Coward
        Flame

        If That Would Work

        ...your bank would simply use a "shared password" for all customers. No SSL/TLS. No certificates.

    3. Craig Chambers
      Thumb Down

      WPA != WPA-PSK

      As stated above WPA (2) does not leave the users inside a network open to sidejacking, but you also mistook WPA2-preshared-key (WPA2-PSK) for WPA2. The difference being that WPA (1 or 2) requires a RADIUS server and uses certificate based encryption, where the preshared key versions used on home wireless routers don't.
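The key hierarchy the two posts above argue about, as an added Python example (not code from the thread or from any 802.11 implementation): a WPA2-PSK passphrase and SSID give one PMK shared by every station, and the 4-way handshake then derives a separate PTK per association from that PMK, both MAC addresses and both nonces. The MAC addresses and nonces below are constructed; the passphrase/SSID pair is the IEEE 802.11i test vector.

```python
"""WPA2 key hierarchy as discussed above (IEEE 802.11i), written as an
added illustration; MAC addresses and nonces are constructed sample values."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station on a PSK network shares this one value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((nbytes + 19) // 20)
    )
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """4-way handshake: PTK = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    AA = authenticator (AP) MAC, SPA = supplicant (client) MAC.
    Returns (KCK, KEK, TK), 16 bytes each for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed sample values (not captured from any real network).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_A = bytes.fromhex("020000000010")
CLIENT_B = bytes.fromhex("020000000020")
ANONCE = bytes(range(32))          # fixed for reproducibility; real APs draw random nonces
SNONCE_A = bytes(range(32, 64))
SNONCE_B = bytes(range(64, 96))


def per_client_temporal_keys(passphrase: str, ssid: str):
    """Same passphrase and SSID, two clients: one shared PMK, two different TKs."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    _, _, tk_a = derive_ptk(pmk, AP_MAC, CLIENT_A, ANONCE, SNONCE_A)
    _, _, tk_b = derive_ptk(pmk, AP_MAC, CLIENT_B, ANONCE, SNONCE_B)
    return pmk, tk_a, tk_b


if __name__ == "__main__":
    pmk, tk_a, tk_b = per_client_temporal_keys("password", "IEEE")
    print("PMK    ", pmk.hex())  # 802.11i Annex test vector: f42c6fc5...
    print("TK (A) ", tk_a.hex())
    print("TK (B) ", tk_b.hex())
```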

    4. Anonymous Coward
      Flame

      So

      ..I learned there is a somewhat broken protocol named RADIUS. Still using md5, despite being of questionable security.

      It makes my toenails curl*:

      http://en.wikipedia.org/wiki/Md5#Security

      But that's not the only way RADIUS is crap.

      And if you use PSK, I ask you how this can achieve security as there is ZERO Public-Key crypto involved. Or did I figure this wrong?

      And even if they did use PK Crypto, what about man-in-the-middle? (That would simply be accomplished by blasting the legitimate AP (10mW or so) with a 2000mW bogus AP). I can't find anything related to certificates when I connect to an AP. Using directed antennas (Yagi or parabolic) can even make a rogue 10mW appear like a 100mW legit AP. Without the legit AP even realizing....

      This is all crap. If you want secure WLAN, you have to use either only https sites or tunnel all traffic over OpenVPN or similar. In this case, you can skip the WPA2-Smoke-And-Mirrors altogether and leave the WLAN unencrypted. OpenVPN will do proper crypto using SSL/TLS.

      http://en.wikipedia.org/wiki/Openvpn

      * use translate.google.com

    5. Anonymous Coward
      Flame

      See The RADIUS Crap For Yourself

      http://en.wikipedia.org/wiki/RADIUS#Security_2

      All it does is to create work. Then you actually secure your connection using SSL/TLS (with OpenVPN or https).

      Expecting Warm Flames From You. Or please retract the downvotes. Thank you.

  2. Sam Liddicott
    FAIL

    exposed!

    Now all the customers know it was the idiot they saw walking around with his zip undone.

    Arrest expected any time soon!

    1. LinkOfHyrule
      Coat

      Flying low

      I do hope that YKK will soon issue a critical update to fix his zip/zipper vulnerability!

      Mine's the one that won't zip up.

  3. Anonymous Coward
    Anonymous Coward

    What's the betting he'd be in more trouble for the wardrobe malfunction

    than for the white-hatting?

  4. David Hicks
    Paris Hilton

    Meh

    So you can get into mah facebooks. Big whoop. If I log on to fb and someone has posted something nutty/obscene under my ID, or shared all my data with a billion and one 'applications', I should care why?

    Likewise amazon, really, as long as it's not the actual purchasing bit.

    I know, I know, computer security, personal data, blah blah blah, but who really gives a crap if some geek in an internet cafe can see your mate's status updates about how wrecked they got the other day, pictures of someone's new baby, or if (as happens frequently when someone leaves an unattended machine somewhere) there's an unexpected status update proclaiming a joyful appreciation of being on the receiving end of a bit of bottom-sex?

    1. John Gaunt

      You *Should* Care

      (Ignoring your Paris icon . . .)

      If something illegal is posted using your Facebook account, then you can be arrested. You may get fired from your job. Some quick ideas: confessing to recently-committed felonies, threatening politicians, making bomb threats, posting illegal pr0n, posting racist comments . . .

      If someone can log in to your Amazon account, then he *can* make a purchase. At the very least, he can make your browsing history appear suspicious so that Amazon suggests terrorist or pr0n books.

      And, as you say, "personal data, blah blah blah blah". I would add "do affect your insurance rates, security clearance, background checks, credit rating, and the like".

      1. David Hicks

        Can't log in to the account

        Amazon require an https login to actually buy anything. Not sure about what happens if you have 1-click turned on.

        And if facebook can affect my credit rating then, frankly, I can do without one. I don't operate on debt anyway.

    2. Anonymous Coward
      Pirate

      You should care because

      Because when someone decides to use your FB to break up with your girlfriend (if you have one) and then insults all your mates, they will all think it's actually you doing it.

      Think about that, for a minute.

      1. David Hicks

        nonsense

        My other half wouldn't take being dumped over facebook, please.

        And my mates would just think I was either drunk or had been hacked.

        Taking FB too seriously is the main problem.

      2. Anonymous Coward
        Joke

        re: then insults all your mates

        They'll just wonder why they are being nicer than usual :-p

  5. iamapizza

    Which ones are safe?

    So this establishes that FB and Amazon aren't using full SSL for their logins. Which sites have implemented proper login systems, or which sites ARE safe then?

  6. Connor

    Illegal?

    Surely that is like noticing a car that hasn't been locked, opening the door, pushing the little lock thing down (yeah this is going back a bit but I used to do it a lot) and then leaving a note saying that they left their car open?

    I wouldn't say it was illegal, doesn't there have to be criminal intent, in place of community spirit?

    1. Kirbini
      Heart

      I knew it...

      So you're the arsehole who locked me out of my car and caused me to miss my own wedding. Thanks a lot do-gooder.

      No really, thanks. Turns out she was a total bitch. Couldn't have worked out any better.

  7. Wokstation

    Not how I expected it to end...

    ...I thought it was going to be "and sure enough, they had. He got up, packed his laptop and headed for the door before being intercepted by two of NYC's finest in their donut-sugar-frosted uniforms for inadvertently stealing the credentials of their sergeant..."

    (Or maybe a mark had narked, y'know, something resulting in the bloke leaving Starbucks in cuffs)

  8. Anonymous Coward
    Anonymous Coward

    Bit harsh

    "...doesn't do anything that hasn't been done for years. But it makes for good theatre."

    The point is that it makes it very, very easy for anybody. Which makes good theatre. Hopefully, it'll bring some changes.

  9. hplasm
    Paris Hilton

    But what did he expect them to do?

    He gave them no options, no alternatives. No "do this and you will be safe".

    So they carried on.

    People are like that.

  10. DrXym

    Who would be dumb enough to blog about this?

    This guy might be trying to make a point, perhaps he knows about computer security, but he sure as hell doesn't have any common sense. He almost certainly violated laws by hacking into other people's accounts. Good intentions or not, he could find himself in serious trouble.

    If his intent was to demonstrate how vulnerable Starbucks was, he should have enlisted a volunteer to act as his guinea pig. He could even have mentioned that even while testing he had to filter out other computers which were exhibiting the same issues he was testing on the volunteer.

    Anyway, I don't know why Starbucks don't just encrypt their network. These vulnerabilities exist because the network has no encryption at all. With encryption, it would be considerably harder to eavesdrop on other people. Starbucks could even use it to prevent freeloaders by cycling passwords daily or suchlike and printing today's password on till receipts.

  11. Peter Gathercole Silver badge
    Unhappy

    It just shows...

    ...that people ignore things that they don't understand.

    And if he had started buying things on Amazon from their accounts, they would hold their hands in the air running around crazily, blaming Amazon, Starbucks, their ISP, the Government and everyone else but themselves.

    I'm beginning to think that the Internet is too dangerous to let Joe Public loose on it! Maybe we need an Internet driving test before allowing them to connect.

  12. Dunstan Vavasour
    Black Helicopters

    Illegal in GB as well as USA

    Needless to say, this is also illegal in GB. It's instructive to run the attack on your own private network, compromising your own sock puppet accounts (after temporarily turning off https-everywhere). Doing what this blogger did merits a visit from Inspector Knacker.

    http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990

    1. Someone Else Silver badge
      Go

      But wait...

      You remember the case of the Philadelphia-area high school that was surreptitiously peeping in on the students via the web-cam on laptops it had issued to the students? If so, you'll recall that there was no prosecution on this clearly illegal activity because there was "no criminal intent". Since there was clearly no criminal intent here either, this chap is in the clear.

      From the article (http://www.theregister.co.uk/2010/08/19/school_webcam_spying_no_crime/): "I have concluded that bringing criminal charges is not warranted in this matter," Zane David Memeger, US attorney for the Eastern District of Pennsylvania said in a statement, Wired reports.

      "For the government to prosecute a criminal case, it must prove beyond a reasonable doubt that the person charged acted with criminal intent. We have not found evidence that would establish beyond a reasonable doubt that anyone involved had criminal intent."

      No harm, no foul, it seems....

      1. Scu
        Thumb Down

        No criminal intent, you say?

        Isn't the act of logging into someone else's facebook account without their permission criminal? Certainly the author intended to do so, no? Just because his motives were supposedly altruistic, and that he wasn't seeking any sort of monetary gain, should that alleviate him from prosecution? Certainly he knew it was illegal, something that may not have been known by the fellow who set up the cameras in the school case example.

  13. Graham Bartlett

    White-hacking?

    Given that he's been wandering around with his wanger on display, I'm just glad it's not brown-hatting.

  14. Tom 13

    Is it illegal? Absolutely.

    Could he be prosecuted? That depends on what you mean by "prosecute"

    Could he be convicted by a jury here in The States? Not a chance. Hence the previous Clintonism.

    1. Anonymous Coward
      Anonymous Coward

      @Tom 13

      Why is there no chance of him being convicted by a jury of his peers? Really, I'm curious.

      1. Tom 13

        Lots of reasons.

        The ones which come to mind immediately:

        1. The US jury system is so screwed up it is nearly impossible to get what most of us would regard as a competent jury seated, because so many of the things most of us would regard as marks of competence count as reasons to dismiss you from the jury pool.

        2. Before you get to a jury trial, there's the whole plea bargaining mess.

        3. Given solid evidence against a perp who committed a violent crime, there is at best a 50/50 chance of conviction. This isn't a violent crime, and the guy has shown his intention was to help people. I don't even think you could find 12 people if you select them at random who will agree to convict someone who hasn't caused ACTUAL harm when he was trying to do something good.

  15. Badwolf

    The Daily Star

    Data snoop stalks coffee shop user with cock out - lolz - Great headline

  16. Brett
    Jobs Halo

    illegal?

    illegal it may be, but I'd rather know my flies were undone so I could do something about it

  17. Juan Inamillion
    Joke

    @White-hacking?

    You owe me a new keyboard and screen!!

  18. Pirate Dave Silver badge
    Pirate

    Yeah, right there...

    "When he got home, he realized his pants were unzipped. 'Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open.'"

    So he forgot to zip after he cranked one out under the Starbucks table while cracking other people's login info on top of the Starbucks table? I mean, geez, at first I thought this guy was just another do-gooder, intent on pressing his high-and-mighty security opinions onto unwilling others. But after seeing the zipper part, now I'm not so sure. Sounds like he may be a bit of a security perv.

  19. JeffyPooh
    Headmaster

    You're all missing the obvious...

    *He* didn't actually blog about this. His blog was sidejacked and someone posted this entirely-fictional account to get him in trouble.

    10: The thing is, the person sidejacking him is actually innocent; they're also being 'framed'. Their account was sidejacked by yet another party that's trying to get them into trouble.

    20: GOTO 10

    I hope that this clears things up...

    1. BorkedAgain

      BASIC?

      Can you give me that in Java syntax please? It's been a while since I spoke BASIC...

    2. H2Nick

      GOTO

      Nasty.

      1. The Other Steve

        GOTO pedantry:

        When used properly GOTO can, in fact, improve code quality and readability. According to Knuth, who took a more balanced view than Dijkstra.

        Although you should still be shot for using it without having read both. And I don't just mean the two papers.

        In fact I'd state that as a general principle, but I suspect if I were to go around putting all the codemonkeys who haven't even heard of either of them against a wall, we'd start getting low on programmers. Which might even end up being a bad thing.

        1. Shakje

          GOTO is for noobs

          10: COMEFROM 20

  20. Anonymous Coward
    Grenade

    not just full SSL for logon

    @iamapizza you need to enable SSL for the entire session to avoid sidejacking, not just the logon. That is the point. Most sites are vulnerable, not just Amazon and Facebook.

    This is why you should never let a site store your credit card details for 1 click purchasing :)
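An added Python check for the point made here and in iamapizza's question above (not code from the thread): given the Set-Cookie headers a login response returns, which of them would the browser also send on a later plain-http page, and so be readable by anyone listening on an open WLAN. The headers and host names are constructed.

```python
"""Check which cookies from a login response a browser would also send on a
plain http:// request, i.e. which are exposed to passive sidejacking when only
the login page is protected by TLS. Added example; headers are constructed."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """Parse one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {"path": "/", "domain": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            attrs[key] = True
        elif key == "path" and val.strip().startswith("/"):
            attrs["path"] = val.strip()
        elif key == "domain" and val.strip():
            attrs["domain"] = val.strip().lower().lstrip(".")
    return name, attrs


def sent_in_cleartext(attrs: dict, set_by_host: str, request_url: str) -> bool:
    """RFC 6265 send rules reduced to scheme, Secure, Domain and Path
    (expiry and SameSite are ignored for brevity)."""
    url = urlsplit(request_url)
    if url.scheme != "http" or attrs["secure"]:
        return False  # TLS request, or Secure cookie: not exposed
    host = url.hostname or ""
    if attrs["domain"] is None:
        domain_ok = host == set_by_host.lower()  # host-only cookie
    else:
        domain_ok = host == attrs["domain"] or host.endswith("." + attrs["domain"])
    req_path = url.path or "/"
    cookie_path = attrs["path"]
    path_ok = req_path == cookie_path or req_path.startswith(cookie_path.rstrip("/") + "/")
    return domain_ok and path_ok


def exposed_cookies(set_cookie_headers, set_by_host: str, request_url: str):
    """Names of cookies a passive listener on the wireless segment would see."""
    return [name for name, attrs in map(parse_set_cookie, set_cookie_headers)
            if sent_in_cleartext(attrs, set_by_host, request_url)]


# Constructed response from a hypothetical https://www.example.com/login
LOGIN_COOKIES = [
    "sessionid=f00d-constructed; Path=/; HttpOnly",  # no Secure: HttpOnly does nothing against a sniffer
    "csrftoken=c0ffee; Path=/; Secure; HttpOnly",
    "prefs=dark; Domain=example.com; Path=/",
    "admin_session=beef; Path=/admin; Secure",
]

if __name__ == "__main__":
    print(exposed_cookies(LOGIN_COOKIES, "www.example.com", "http://www.example.com/home"))
```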

  21. Anonymous Coward
    Anonymous Coward

    The question remains

    If you're at the local Starbucks and use firesheep to hijack an account, can you then use https-everywhere to lock them out?

    1. Anonymous Coward
      Anonymous Coward

      Somehow, yes

      If you only want to surf (proper - correct certificate) https sites you are safe. It is unclear whether facebook and google completely support https. So if you are disciplined enough to use only https, maybe you are secure.

  22. Anonymous Coward
    Big Brother

    https-everywhere

    does not work with all sites. VPN may help.

  23. alien anthropologist
    Troll

    GOTO?

    Reminds me of that Cobol programmer they found dead in the shower in the mid 90's. CSI could not figure out the cause of death.. until a geek on the investigation team discovered the reason when he read the instructions on the shampoo bottle found with the body.

    The instructions said:

    1. Lather.

    2. Rinse.

    3. Repeat.

  24. ShaggyDoggy

    Sidejacking ?

    Oh they must mean intentional computer misuse and therefore a criminal offence (here in the UK).

    Don't give criminal activity a nice name, it dilutes the offence e.g. "tagging" vs graffiti vandalism

  25. Anonymous Coward
    Black Helicopters

    He is perfectly right, but....

    This guy oughta be careful. He may be operating within the Law as it is written, and may have the public interest in-mind, but that doesn't necessarily make any odds. He may view exposing the vulnerability as a proper action, but others with vested interests in keeping the status-quo (or, perhaps simply with avoiding doing the work needed to fix the security-hole) may not agree.

    http://www.theregister.co.uk/2010/11/01/spamhaus_blocks_spamwise/
