153 comments

[ 3.5 ms ] story [ 216 ms ] thread
I know about it the vulnerability and I still login to facebook in public places. It's like the locks on our front doors.. you don't break into everyone's house just to prove they aren't very good do you? I know you could just smash my windows, but you don't, and I appreciate it. It's facebook that needs to fix the bug, not me.

Maybe send the first message, but don't be obnoxious on purpose. I dunno.

If you walked by someone's house and their car was sitting in their driveway with all the doors wide open and a box of personal documents in the back seat, you'd probably knock on their door. If the car was still there after an hour, you'd probably knock again. I sent only two messages, and they were short and to the point.

(edit) What I mean here, is that to know that someone's door is unlocked, you have to check each house. To pick a lock, you need some rudimentary skill. Firesheep (and the underlying vulnerability) is wide open and requires 0 skill to operate.

It's one thing to politely knock on the door, it's another to keep banging on their kitchen window when they are obviously ignoring you. The users probably feel helpless and just want to be left alone.

For a non-tech person it's a pretty big jump from surfing Facebook at Starbucks to setting up a VPN.

The difference is, so far there are no robots that automatically break into your house. Since your info can be harvested automatically, not sticking out as a target does not help. It is nothing personal - a script will simply steal your info automatically.

Edit: waiting for the Starbug - small devices you stick to the bottom of a desk in starbucks that stream user data to your hacker home.

Starbug! Suitably geeky.
I totally get where you are coming from with this. If I have a bag with me in a public space, or if I left my email open on my laptop and left the room I would not expect anyone to help themselves to the content. It's a trust issue. I guess the difference here is that someone could go unnoticed in our midsts.
I imagine some people, having seen spyware popups one too many times, just thought they were infected again.

"You're in Toronto, your IP is 99.12.34.56, your ISP is Rogers, you're using Windows XP! Thieves can steal your info! Download our antivirus now!"

This is exactly what I thought when I saw the same people still online -- which brought about the second round of messages. I hoped my frankness and lack of any links would make the message seem more sincere, but perhaps at this I failed.
Maybe you could have told them what they were wearing and what they were drinking. Could have been a bit too much maybe.
I may have spent 2 hours in a Starbucks to do this, but I do actually have a life. Sometimes. So yeah, a bit much. Also: follow-you-home creepy instead of just creepy.
I think if I was unaware of the technology behind this then even if you had come up to me and patiently explained it I would probably not have changed my behaviour. Until it is explained in the mainstream press or until a wide scale "fuss" is made then I suspect most people would do the same. My guess would be that anyone who is told there is a problem and they can fix it by subscribing to a VPN service would assume they were being scammed.

I think your average internet user would feel this was primarily Facebook's (and other sites) problem to fix first. A distant second might be that there was a problem with their browser. It would barely register that they should change their behaviour or pay for a service they've not heard of before.

Either that or they are following the very sensible policy of never typing something into a social website which they wouldn't want to be public. (A policy I do violate myself from time to time.)
This really needs to be on CNN and such for people to actually think about it. And realistically it looks like we all need to start using SSL - people aren't going to change their browsing habits.
Unfortunately the few non-tech news sites that I've read have covered it with blatant disregard for the underlying cause. It's been Firesheep that's pointed at as the issue, not Facebook and Twitter and Amazon ad infinum.
At least here, in Sweden, it was covered by "mainstream media" but now its yesterdays news which means that any point that was actually conveyed about the risks to personal security is now long forgotten.
> This really needs to be on CNN and such for people to actually think about it.

People see starving children on CNN and they think "Oh, how awful!" Then they turn off the TV, eat dinner, and go on with their lives.

Further, the media as a whole runs so many scare articles to increase views, I think the public is jaded. How is the common man supposed to tell the difference between articles about the threat of bedbugs and the very real threat of this sort of identify theft?

What are the legal ramifications of running firesheep on a public network?
"Google, in response to government inquiries and lawsuits, claims it is lawful to use packet-sniffing tools readily available on the internet to spy on and download payload data from others using the same open Wi-Fi access point."

will see who wins in the court :http://www.wired.com/threatlevel/2010/06/packet-sniffing-law...

see also : http://blogs.forbes.com/kashmirhill/2010/10/28/firesheep-use...

You should note that firesheep, besides sniffing packets, also lets you use other peoples sessions. Which probably has other legal implications.
Passive sniffing is one thing. Active unauthorised access to a computer using FireSheep is definitely illegal in the UK according to the Computer Misuse Act:

  (1) A person is guilty of an offence if—
   (a) he causes a computer to perform any function with intent to secure access to
       any program or data held in any computer, or to enable any such access to be
       secured;
   (b) the access he intends to secure, or to enable to be secured, is unauthorised;
       and
   (c) he knows at the time when he causes the computer to perform the function that
       that is the case.
  (2) The intent a person has to have to commit an offence under this section need
      not be directed at—
   (a) any particular program or data;
   (b) a program or data of any particular kind; or
   (c) a program or data held in any particular computer.
I think passive sniffing may also be illegal in the UK according to RIPA [1] as it is unauthorised interception of public telecommunications.

[1]: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I...

Yeah, definitely illegal in the UK. I'd be surprised if it wasn't illegal in the US too.

So he's basically just blogged about committing a crime. I wonder what would happen if one if his "victims" read this and then contacted the police. I bet Facebook has enough information logged about which accounts were accessing Facebook from that IP at the time, and which of them received his messages.

I was wondering the same thing. Posting this to his public blog is an admission of guilt.
Clearly, and I am at the mercy of the American justice system.
if it were somehow deemed illegal, i'm sure github would get a subpoena requesting a list of everyone who downloaded firesheep... and then everyone on HN would be looking for a lawyer.
I would imagine they would need to actually prove you hijacked someones cookie? You could always claim you downloaded it to view the source or to check if your security implementation was broken by it.
Github has logs of who downloaded Firesheep.

Github doesn't have logs of who downloaded Firesheep and used it to sniff somebodys traffic without their permission.

The users are not at fault here. Even a SSH or VPN will leave them vulnerable to attacks. Companies (Facebook, Twitter, etc.) have to increase their own security, because they are the only ones that can fix this problem.
I absolutely agree on fault. My initial recommendation was for them to refrain from using Facebook at Starbucks until that happens -- regardless of fault, users are the ones that are vulnerable.
Sending your HTTP through an SSH tunnel or a VPN will protect against the stranger-at-Starbucks attack.
But not against the stalker-techie-at-your-ISP attack.
Sure, but there are about a million times as many people able and motivated to do the wifi-neighbor attack than the stalker-ISP-gnome attack. And as people with true identities in a stable position of authority at as service provider, the gnomes are easier to find and hold accountable.

This difference -- from random anonymous stranger whose only invested in software, to physical infrastructure with paid staff -- is also one reason bank phishing attacks happen via websites and not actual storefronts made to look like real banks.

If the only threat to Twitter and Facebook users was ISP-gnomes, the websites could put off fixing the issue for another decade.

Doesn't surprise me all that much since most 'normal' people absolutely don't care about security. Passwords are meant to be written on sticky notes. Identity theft is too complicated for them to care about. And credit card fraud is easily solved by reversing the charges. It takes a massive, automated exploit & MSM coverage before they'll start caring.
(comment deleted)
I suppose the saving grace is that it would be pretty difficult--not impossible, but pretty difficult--to truly get away with this without detection. With all the logging that goes on, chances are that you could be identified by a MAC address, a web login of your own, a credit card swipe nearby, a surveillance camera, a cell phone in your pocket, or who knows what. There is a lot of information to be gotten with the right subpoenas.
It's not the lone Starbucks hacker with a laptop you need to be worried about. It's the wardrivers & honeypotters & people sophisticated enough to do a coordinated automatic harvesting effort.
On many machines, MAC addresses can be changed. I obviously wasn't attempting to avoid detection since I posted about it under my real name, but anyone could pick up a $200 netbook, pay cash, walk into a Starbucks with sunglasses on, do their business and leave undetected. MAC addresses are useless if they don't tie to anything else and aren't fixed.
I understand that getting your Amazon account hacked can lead to some head scratching situations and Amazon should really implement full SSL encryption. Having said that, what are the implications of getting your FB or Twitter or Flickr account hacked? Personally, even if annoying, I wouldn't consider it as a major issue in my digital life. I try not to mix business and private life (for instance, my FB friends are only friends, not colleagues. Same goes for Twitter) so do you see any other issue, a part from the "annoyng" factor?
There have been some interesting cases where fraudsters have hijacked facebook accounts and then used them for targeted phishing attacks.

One example of the attack http://techcrunch.com/2009/01/20/latest-facebook-scam-phishe...

In those cases the fraudsters have stolen the account completely and locked the original user out, but I guess it's that kind of attack + the information leakage aspect that could be a concern..

Yes, true. Something similar happened to me when a I have received an email (gmail) from a friend asking for money because she was stuck somewhere. Similar pattern. It's interesting to notice that this social engineering attacks are easy to carry in a place like US, where there is one common language. I immediately detected that the mail was a fraud, because this person would have never write to me in English.
it's funny how everyone says "just use SSL - that'll fix it", soon followed by "the SSL computation overhead isn't significant any more" which is totally true, but probably not the reason why SSL isn't more widely used.

Smaller sites will suffer from the fact that SSL requires an IP address per server. Name based virtual hosting is out of the question (at least as long as Windows XP is still around). Combine this with the IP address pool quickly getting smaller and smaller and you'll see that for smaller sites, it might be impossible to get the needed amount of addresses for a reasonable price.

For large sites, there's the problem of the various CDNs which are not always under the control of the site and might not be prepared for SSL.

Remember: All assets of an encrypted page must also be encrypted, otherwise the browsers display a nasty warning (even though unencrypted assets, when served from a different domain would not be a problem what's session hijacking is concerned).

"just use SSL" might just not be possible in some cases.

In addition to the IP address per server problem and coordinating with CDNs, the CDNs often charge quite a bit more money for secure content.
The GitHub solution seems reasonable: Use HTTPS for writes and truly sensitive stuff, and unencrypted for the rest. CDNs aren't a problem since your write-requests won't have any external resources on them (they'll just redirect back to HTTP). Then the HTTPS could even be handled on a third-party gateway provider (yes, then there's a weak spot between your servers and the third party, but that's much harder to penetrate than the wifi at Starbucks.).

Your read-only session might still be high-jacked, but that's relatively low impact, (since someone could simply sniff what you're reading anyway).

Are you the pilif of the pilif inter-base railway?
Yes :-)

I love trains, coe's quest and minecraft. Looks like a perfect fit

It's always fun when the internet feels like a small place for a minute. :)
Nothing is ever really secure. Yes, non-technical Starbucks users are easy targets, but so are most web sites. The last couple of "Review my startup/app" HN posts have all had very obvious XSS holes, for example, and many others have completely insecure session handling even if they do send them over HTTPS. We all tend to wonder just how lame less technical users are and forget that someone else is probably wondering right now how we, ourselves, can be so lame and not understand basic Web security for our own sites.
Would this work as a cheaper alternative to SSL for preventing session hijacking?

  1. During the HTTPS part of the communication,
     the server sends a long list of random strings.
  2. The client stores all these strings in localStorage.
  3. On every request, the client sends one of the strings
     from the list, the server validates that it is in fact
     a valid string for that session, and both remove that
     string from their lists.
  4. When the list runs out, you have to go back to SSL to
     exchange a new list of strings.
Is there a flaw I'm overlooking (beyond the reliance on localStorage) that keeps people from using this?

If not, is there a technical term for this technique so I can Google it?

That's essentially a one time pad where you are using SSL for pad distribution.
It's not a one-time-pad, it's a one-time-password system.

(Just like the SAS codes that are used by STRATCOM to authenticate nuclear launches! ;)

That's kind of like refreshing the session key on every page request except you send over a list of session keys that will be used on subsequent requests. Probably not done since it's usually a hit to the session storage on every page request. Still doesn't encrypt the actual content though, and since SSL would encrypt it and make this unnecessary that's probably why it's not done.
How does this prevent a MITM attack?
It doesn't. Is it possible to do a MITM attack on the person at the neighboring coffee-shop table?

The only way I can think of involves being really clever about timing and being physically between the other wireless client and the AP: create enough interference to prevent their transmission from getting through to the AP right after you read the transmission, then quickly forge a request using the same one-time key.

Of course, if someone has access to the packets upstream from the AP, you're always hosed if you're not using encryption. This certainly isn't meant as a replacement for AES. :)

So what was your suggestion was for then? I think I'm missing the use case.
Taking write access to my Facebook account away from anyone who captures my wireless packets on their way to the AP.
But that's the part of the connection we are worried about. End to end encryption from the client to the website is needed. I still don't see where your idea comes in. Clearly I'm not understanding something.
(comment deleted)
Is it possible to do a MITM attack on the person at the neighboring coffee-shop table?

Yes. You can attack ARP or DNS to take control of their connections.

DNS (the UDP responses are easy to forge) is a great way to do it. You just have to be faster than the real DNS server, which might be tricky if it's local and caching.

For ARP-based attacks you'd presumably announce yourself as the owner of the default gateway's IP address, routing all data through your system.

Hijacking DHCP springs to mind; respond with an address on a completely different subnet, and your system as default gateway. Again, jackpot.

You could also install a rogue wireless access point with the same SSID, which would let you route all traffic through your system. You just need people's devices to pick yours over the real one, which would presumably require yours to have a stronger signal.

All of the above let you install a transparent proxy which gives you complete control over the target's browser's security context.

Interestingly, the rogue access point would even work with WPA(2)-PSK encrypted wifi, if you knew the key.

Great points. It's impressive how elegantly SSL with a CA solves all these problems. :)
Yeah you would need to hash the contents of the request against the one-time string and then send the hash but not the string.
Even better:

    1. During the HTTPS part of the communication, the server generates a single
       random key and sends it to the client.
    2. The client stores this string in local storage.
    3. For every request, the client generates a HMAC over the request parameters
       (including a monotonic sequence number) using the key.
Both of these schemes are still susceptible to a MITM, who can just insert a bit of javascript in any page received over HTTP, that reveals the temporary secret in local storage to anyone listening.
It wouldn't be vulnerable to JavaScript if it was built into the browser -- like HttpOnly cookies.
If you were to generate the HMAC over the entire request, would that help with ensuring authenticity?
What I find surprising is that insecure email and wireless had existed for quite some time before this. Almost all IMAP/POP/Gmail used to flow over regular HTTP. It is only recently (read, last year) that a lot of major email traffic has been https-ified.

Why suddenly jump on FB, Twitter etc with self-righteous anger when many of these same geeks were using insecure email until less than a year ago?

(comment deleted)
Out of interest has there been any response from Facebook, Twitter, Amazon and so on?

I've had a quick look and not seen anything but it's entirely possible I've missed something.

1) Install WinSSHD on your home computer/server. Open port 22 in your home firewall/router.

2) Install Tunnelier on your laptop, flip to the Services tab and enable SOCKS at 127.0.0.1 and port 1337. Login in to your home computer.

3) Change Chrome target to chrome.exe --proxy-server=socks5://127.0.0.1:1337

Mostly used for obtrusive proxies though it will make you as secure as you are at your home network..

Not a very 'green' solution!
My point was that having a computer running 24/7 at home to use as a secure proxy when you are out in the field is a bit wasteful. The technical solution was fine - though I can't see many non-techies getting their heads around this. Why the down vote - pffffh.
This is exactly what I do (but with OpenSSH) its even the same port :P
If you have an Alchemy-based firmware running on your home router, you can enable sshd so you can have an always-on ssh tunnel wherever you go.

I did this to my home router and had it all working in about 30 minutes. Most of that time was trying to figure out how to get putty to open a tunnel (and registering/configuring a No-IP dynamic dns account).

I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity.

Disgusting. Sowing fear is not education.

Really? Users shouldn't be afraid of the consequences of something they believe to be benign? I didn't send Starbucks patrons home weeping to cry themselves to sleep. I fully concealed my identity in the same way an actual attacker would.
There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have but you are not in any way more entitled to violate a person's expectation of privacy.

You are not a hero. You have not done anybody a favor. You did this for the same perennial excuse of "spreading awareness" trotted out by any number of noxious social irritants and did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.

You may actually care about the problem and take it seriously in other circumstances, but that is not reflected here. There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.

Is there also no difference between somebody entering your house without your permission to warn you about something, because they fear for your safety, and somebody entering your house to burgle it?

You should probably replace "harass" with "inform" in your comment. It would be more accurate, and less emotive.

Suppose you wake up tomorrow and discover that someone has left a note in an unfamiliar hand on the bed beside you. The note reads "You should put bars on the windows. Something bad might happen." It is not signed. You cursory search of your home reveals nothing obviously amiss. All the windows are shut and locked. You have no idea how someone could have gotten in.

Suppose you leave it be for the day. You've got more important things to do than blindly react to mysterious messages, haven't you? So day slips into night and before long it's morning again. You find another note:"Really wasn't kidding about the bars thing. I won't send another message after this -- it's up to you to take your security seriously." Same as before, nothing obviously missing, all windows and doors closed and locked. You have no idea who this is or why they are doing this. You have no idea if you can trust them.

How do you react?

Differently to how I would react if I was burgled.
(comment deleted)
> There is no distinction between you and an "actual" attacker. You seem to have labored within a nimbus of self-righteous nerd egotism that someone more criminally minded might not have...

That sounds exactly like a distinction to me. A fireman would break into a house to save a child. A burglar would break into a house to steal valuables. One intends harm, the other doesn't.

> did so not by the means most efficient or effective, but the means readily available and most likely to satisfy your urge to feel superior to your fellow man.

There's no such thing as true altruism. Why he did it isn't relevant. People feel good about doing good deeds. Sure, they say "I want to help people," but they really mean something more along the lines of "I want to feel good about myself."

Further, why would it be necessary for him to choose the most effective or efficient means? He owes these people nothing.

> There is no security problem for which "exploit the problem to harass strangers in coffee shops" is the solution.

Maybe not the best or even a good solution, but it's certainly still one. ;)

One intends harm, the other doesn't.

...but then...

Why he did it isn't relevant.

I am at least as uncertain as to what your position is as you are. Also...

He owes these people nothing.

Nothing, of course, except the common courtesy of not violating their privacy. Yes, even in New York.

Making people aware of what they fear (and what they should fear) is exactly something that education does. People aren't wearing seatbelts, because they aren't afraid enough of what may happen in case of an accident. Proper education on the consequences would instill fear. People only take precautions to prevent against harm based on their fear of being harmed. There is no other motivator for such behavior.
What does he expect the users to do? Not use Facebook? Right...
That's the point. It's empirical (albeit, not scientific) evidence that even when presented with the risks, users will still choose to do things that are dangerous.
Why would you expect most people to do otherwise? I fully know the risks of using open hotspots on many websites and I do it anyway because the convenience outweighs the risks for me. Obviously I'd think twice about logging into my bank over a non-secure connection (though I'd be mad to bank with a company that doesn't secure all connections by default, of course), but open-wifi Facebook? Sure, why not?

This behavior extends beyond Internet usage. I (and probably most of you reading this) hand my credit/debit cards over to waiters several times per month knowing full well they could jot down enough information while out of my sight to make illegal charges on that card (if not do far worse via more elaborate identity theft schemes). Risky? Yes, but the extreme convenience outweighs the potential pain due to the low chance of actually being one of the people that gets exploited in this way, and thus it is with open hotspots and most Internet sites.

In the UK, waiters bring over a portable card reader to your table, you stick your card in and enter your pin. No need to physically hand over your card to them.
My credit card has legally builtin insurance against fraudulent use - I'm not liable for a penny of that use if it was used illegally - unless the card itself was stolen and I failed to report it - in which case i'm liable for up to $50. (As soon as I report it stolen, I'm not liable for anything)

I use a credit card because it's safer and offers me options - someone snarfing the number would be a nuisance, because I'd need a new card, but that's it.

Let's please not forget (Sight.. I know - everyone already has) that charge-cards were pushed onto the market as a safe, convenient alternative to using cash - not a walking liability - don't let the issuers turn them into one on us.

As to the analogy - it's quite different. I'm very security conscious, and I generally don't do certain types of activity on uncontrolled or unknown networks (banking - home or somewhere else safe - but facebook at starbucks, okay)

IT's not just a problem with open hotspots, it's with any network you are on, anywhere - an open hotspot is just the easiest place for someone to try this on. An employee at an ISP could snarf data from millions of users easily...

It certainly doesn't help that there is no solution to the problem of viewing Facebook on a public wifi. If there is no SSL solution, what solution can these users take?

Seems like the ones who read the message must have made a quick cost-benefit analysis in their head of viewing facebook insecurely right now versus not accessing facebook at all - and viewing it right this minute no matter how insecure still won!

  dan·ger·ous   
  [deyn-jer-uhs, deynj-ruhs]
  –adjective
  1. full of danger or risk; causing danger; perilous; risky; hazardous; unsafe.
  2. able or likely to cause physical injury
Who's out of touch here? We're all making such a huge deal about this with very little reason. The websites that truly need SSL (banking, purchasing, etc.) use it. People have real dangers to worry about; why should they care if someone can pretend to be them on a couple social websites that they just joined in the last year or two?
Isn't it ironic that we're discussing it on a website that doesn't have https at all, not even on the login page?
What are you going to do, having someones account though, possibly if they are well known attempt to changes peoples perceptions of them/ get people to believe something? You can't delete comments older than like a day so trashing the account is mostly out. Once they noticed they could invalidate that session, mention it wasn't them and it would be the end of it.

I feel mostly the same way about Facebook, those so inclined could do more damage un-friending everyone, at which point I could thank them for cleaning out old contents and organically readd those who I still speak to.

Could it be that the persons thought it was some kind of automatically-generated message? Maybe a you're wearing a red shirt that says ... would get the point across?
Is a machine breaking into your account any less scary than a person doing it?
(comment deleted)
While it's nice that this gets some attention and not very nice of facebook to automatically revert you back to an unencrypted connection, this is not a facebook specific problem. Anytime you use a wireless network, where you don't have control over the access point, you need to secure everything you want to keep private. This goes for everything from google searches and files transfers to instant messaging and e-mail. The proven solution is to use a VPN tunnel, which even many home routers support nowadays.

Of course there's still a bigger problem with arp spoofing and other attacks, which in the long term will need to be solved. Maybe with something like DNSSEC DKI.

It is weird it hasn't been covered more, usually here in Australia the media run scare stories on the most insignificant of Facebook flaws. I wouldn't be in a hurry to point it out to them this new one either, it would be sensationalized into some kind of no cafe is safe without any technical details.
The problem being that no cafe IS safe - what people have posted on their Facebook is important, and some of the websites Firesheep attacks can be even more damaging for the user - until everyone runs VPNs or websites get their act together.
> What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.

That's not incomprehensible. They have trust. And they don't consider what they're doing particularly private.

Just don't do 'login' type work at public wifi :/ is that so hard? Do people not know this already? Did some people ever think it was safe to use public wifi for anything other than general browsing?

Please HN: Stop getting outraged by stuff that doesn't really matter. You're turning into Reddit, and just like them, you will have forgotten all about this by next week, and be on to the next topic you need to be outraged about. It's depressing. Angelgate? No one cares any more. No one should have cared in the first place.

I don't know where you see 'outrage'. I only see someone investigating the security concerns of users of a Starbucks' wifi and being worried that they don't care about their privacy.
http://ycombinator.com/newsguidelines.html : "If your account is less than a year old, please don't submit comments saying that HN is turning into Reddit. (It's a common semi-noob illusion.)"
I created this account after a couple of years. My main account is 1000+ days old.

Seriously. This summer has been depressing to watch HN go down the pan.