
Herding Firesheep in a NYC Starbucks: Do Users Care? - gloshuertos
http://technologysufficientlyadvanced.blogspot.com/2010/10/herding-firesheep-in-new-york-city.html
======
uptown
What was your game-plan if you'd stumbled upon something highly personal and
sensitive in their mailboxes? Or if one of their friends had sent them a
personal IM while you were logged in as them? The fact is, you could have easily
approached these people face-to-face, offered to show them the risks they were
exposing themselves to using your laptop, and given them the choice as to
whether you took control of their accounts. While it appears that you did what
you did with the best of intentions, you violated the privacy of the people
whose accounts you accessed; broke a variety of laws; then documented your
crime in your personal blog.

You describe your targets as lacking judgment. Maybe you should consider your
own.

~~~
gloshuertos
Actually, whether or not I broke any laws (in the US) is not clear. I
deliberately did not look at anything in their account while I was in it, so
privacy was not actually compromised.

The folks I recognized on my way out were people with large profile pictures
of their faces. In general, this wasn't the case. I'd have had to do a lot
more rifling through accounts to be able to identify someone face-to-face, and
would have risked someone having a bad reaction.

So, unlike all the people who have used Firesheep in public to look at
peoples' accounts and then not told anyone about it, I notified the users and
then told the public about what happened. You're saying that's bad?

~~~
uptown
"I deliberately did not look at anything in their account while I was in it,
so privacy was not actually compromised."

From your blog: "I opened up his Amazon homepage, identified something he had
recently looked at"

~~~
gloshuertos
That was the single exception, and I agree that that was in a murky area.

~~~
sdurkin
Ah, wow. This could not be further from the truth. This wasn't a "murky area."
It's a big fat red zone.

Let's look at the Florida statute:

815.06 - Offenses against computer users. -

(1) Whoever willfully, knowingly, and without authorization:

(a) Accesses or causes to be accessed any computer, computer system, or
computer network;... commits an offense against computer users.

(2)(a) Except as provided in paragraphs (b) and (c), whoever violates
subsection (1) commits a felony of the third degree, punishable as provided in
s. 775.082, s. 775.083, or s. 775.084.

So you committed a felony punishable by up to five years in prison, informed
the victims, and documented your crime in explicit detail on your blog. That's
a tad more dangerous than using unsecured cookies.

~~~
gloshuertos
Clearly I meant that it was a murky area morally.

Also I don't live in Florida.

I also never said that I thought I was protected from prosecution, so I don't
know why you're so eager to prove that I am.

~~~
uptown
You've probably admitted to and documented multiple counts of Computer
Trespass, knowingly using a computer service without authorization and
knowingly gaining access to computer material. It's a Class E felony.

156.10 Computer trespass.

A person is guilty of computer trespass when he knowingly uses or causes to be
used a computer or computer service without authorization and:

1. he does so with an intent to commit or attempt to commit or further the
commission of any felony; or

2. he thereby knowingly gains access to computer material.

Computer trespass is a class E felony.

<http://ypdcrime.com/penal.law/article156.htm#156.10>

------
cschep
I know about the vulnerability and I still log in to facebook in public
places. It's like the locks on our front doors... you don't break into
everyone's house just to prove they aren't very good, do you? I know you could
just smash my windows, but you don't, and I appreciate it. It's facebook that
needs to fix the bug, not me.

Maybe send the first message, but don't be obnoxious on purpose. I dunno.

~~~
gloshuertos
If you walked by someone's house and their car was sitting in their driveway
with all the doors wide open and a box of personal documents in the back seat,
you'd probably knock on their door. If the car was still there after an hour,
you'd probably knock again. I sent only two messages, and they were short and
to the point.

(edit) What I mean here, is that to know that someone's door is unlocked, you
have to check each house. To pick a lock, you need some rudimentary skill.
Firesheep (and the underlying vulnerability) is wide open and requires 0 skill
to operate.

~~~
marcusbooster
It's one thing to politely knock on the door, it's another to keep banging on
their kitchen window when they are obviously ignoring you. The users probably
feel helpless and just want to be left alone.

For a non-tech person it's a pretty big jump from surfing Facebook at
Starbucks to setting up a VPN.

------
uptown
Okay, let's connect some dots about you.

Your name is Gary LosHuertos

You look like this: <http://yfrog.com/0irajuj>

Gender: Male

Astrological Sign: Scorpio

Industry: Consulting

Occupation: Software Engineer

Location: New York : NY : United States

You have a blog hosted on BlogSpot from which this article came.

You send tweets from @gloshuertos where you promoted this story.

Your twitter account lists a latitude/longitude address of
27.109827,-82.308136 which is in Venice, Florida. One of your oldest tweets
mentions that you're on your way to Gainesville, Florida.

<https://twitter.com/#!/gloshuertos/status/1267758656>

Only one Gary LosHuertos comes up on LinkedIn, but this person used to work in
Gainesville, Florida, so it's reasonable to assume this person may be you.

<http://www.linkedin.com/pub/gary-loshuertos/11/68/aa0>

The interesting thing about that LinkedIn profile is that it lists your
current employer as Amazon.com. From your blog post, you mentioned the
following:

"This was somewhat puzzling. Did they receive the first message? I logged into
their accounts, and surely enough, they had. One of them was even on
Amazon.com, which I had warned about in my first message. I targeted him
first: I opened up his Amazon homepage, identified something he had recently
looked at, and then sent him a "no, seriously" message on Facebook from his
account including the fun fact about his music choices."

So what you're telling us is that you used a user account of a customer of
your current employer to log in as that person, spy on their purchases, then
logged into their Facebook account and sent them messages about their customer
information?

You're entering into a world of hurt if Amazon catches wind of this.

~~~
gloshuertos
Wait a second.

You're saying I shouldn't bash my employer on a public blog and then submit it
to another public website?

OMG

Really you didn't dig deep enough. Googling my name pulls up an email with my
current employer in it. I don't work for Amazon anymore.

~~~
uptown
It's reassuring to know that you wait until you're employed by somebody else
before violating your previous employer's privacy policies.

~~~
jrockway
Amazon is violating its own privacy policy by allowing users to interact with
its site insecurely.

Two wrongs do not make a right, but when you can implement a technical measure
to protect your users from rogue ex-employees, you should do it. A legal
contract does not prevent data loss, it merely allows you to punish the person
who stole the data. SSL prevents the data loss in the first place.

------
chaosmachine
I imagine some people, having seen spyware popups one too many times, just
thought they were infected again.

"You're in Toronto, your IP is 99.12.34.56, your ISP is Rogers, you're using
Windows XP! Thieves can steal your info! Download our antivirus now!"

~~~
gloshuertos
This is exactly what I thought when I saw the same people still online --
which brought about the second round of messages. I hoped my frankness and
lack of any links would make the message seem more sincere, but perhaps at
this I failed.

~~~
koski
Maybe you could have told them what they were wearing and what they were
drinking. Could have been a bit too much maybe.

~~~
gloshuertos
I may have spent 2 hours in a Starbucks to do this, but I do actually have a
life. Sometimes. So yeah, a bit much. Also: follow-you-home creepy instead of
just creepy.

------
paulbaumgart
Would this work as a cheaper alternative to SSL for preventing session
hijacking?

    
    
      1. During the HTTPS part of the communication,
         the server sends a long list of random strings.
      2. The client stores all these strings in localStorage.
      3. On every request, the client sends one of the strings
         from the list, the server validates that it is in fact
         a valid string for that session, and both remove that
         string from their lists.
      4. When the list runs out, you have to go back to SSL to
         exchange a new list of strings.
    

Is there a flaw I'm overlooking (beyond the reliance on localStorage) that
keeps people from using this?

If not, is there a technical term for this technique so I can Google it?

~~~
caf
Even better:

    
    
        1. During the HTTPS part of the communication, the server generates a single
           random key and sends it to the client.
        2. The client stores this string in local storage.
        3. For every request, the client generates an HMAC over the request parameters
           (including a monotonic sequence number) using the key.
    

Both of these schemes are still susceptible to a MITM, who can just insert a
bit of JavaScript in any page received over HTTP that reveals the temporary
secret in local storage to anyone listening.

~~~
paulbaumgart
If you were to generate the HMAC over the entire request, would that help with
ensuring authenticity?
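The following is an added example, written for this thread and not code from any commenter or from any site's real implementation. It works through caf's sketch and paulbaumgart's follow-up together: a per-session key handed out once (standing in for the HTTPS step), then every plain-HTTP request carrying an HMAC over its whole canonical form (method, path, parameters) plus a monotonic sequence number, with the server rejecting a replayed request and a request whose body was rewritten in transit. The class and function names, the example paths, and the JSON canonicalisation are assumptions of this example; the browser's localStorage is modelled by a Python object.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example. The server issues a per-session key once over HTTPS; afterwards
# each plain-HTTP request is authenticated by an HMAC over the request and a counter.


def canonical_request(method, path, params, seq):
    # Deterministic serialisation so client and server MAC byte-identical input.
    body = {"m": method, "p": path, "q": params, "n": seq}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key, method, path, params, seq):
    # HMAC-SHA256 over the entire canonical request, not just a token.
    return hmac.new(key, canonical_request(method, path, params, seq), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> {"key": bytes, "last_seq": int}

    def issue_key(self):
        # Step 1 of caf's scheme: done over HTTPS; the key is never sent in clear again.
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.sessions[sid] = {"key": key, "last_seq": 0}
        return sid, key

    def handle(self, sid, method, path, params, seq, mac):
        session = self.sessions.get(sid)
        if session is None:
            return "reject: unknown session"
        if seq <= session["last_seq"]:
            return "reject: replay"  # a sniffed request cannot be resent
        expected = sign(session["key"], method, path, params, seq)
        if not hmac.compare_digest(expected, mac):
            return "reject: bad mac"  # tampered body or forged key
        session["last_seq"] = seq
        return "ok"


class Client:
    def __init__(self, sid, key):
        # In a browser the key would sit in localStorage; here it is just an attribute.
        self.sid, self.key, self.seq = sid, key, 0

    def request(self, method, path, params):
        self.seq += 1
        mac = sign(self.key, method, path, params, self.seq)
        return (self.sid, method, path, params, self.seq, mac)


def demo():
    """Honest request, replay of it, a body rewritten in transit, then a fresh request."""
    server = Server()
    client = Client(*server.issue_key())
    captured = client.request("POST", "/post_status", {"text": "hello"})
    first = server.handle(*captured)
    replay = server.handle(*captured)  # eavesdropper resends the captured request
    sid, m, p, _q, n, mac = client.request("POST", "/post_status", {"text": "hi"})
    tampered = server.handle(sid, m, p, {"text": "rewritten"}, n, mac)  # body changed, MAC stale
    fresh = server.handle(*client.request("GET", "/inbox", {}))
    return first, replay, tampered, fresh


if __name__ == "__main__":
    print(demo())  # ('ok', 'reject: replay', 'reject: bad mac', 'ok')
```

What this does and does not buy you, as a practitioner reading the thread: the MAC covers integrity and replay of individual requests, which is the part paulbaumgart asked about, but nothing here is encrypted, so the request contents are still readable by anyone on the same network. It also does not touch caf's objection: because the pages themselves still arrive over HTTP, anyone who can modify them in transit can inject script that reads the key out of localStorage, and from then on they can sign requests too. Finally, a strict "greater than last seen" counter rejects legitimate requests that the browser issues concurrently and delivers out of order; a real deployment would need a small acceptance window.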

------
pilif
it's funny how everyone says "just use SSL - that'll fix it", soon followed by
"the SSL computation overhead isn't significant any more" which is totally
true, but probably not the reason why SSL isn't more widely used.

Smaller sites will suffer from the fact that SSL requires an IP address per
server. Name based virtual hosting is out of the question (at least as long as
Windows XP is still around). Combine this with the IP address pool quickly
getting smaller and smaller and you'll see that for smaller sites, it might be
impossible to get the needed amount of addresses for a reasonable price.

For large sites, there's the problem of the various CDNs which are not always
under the control of the site and might not be prepared for SSL.

Remember: All assets of an encrypted page must also be encrypted, otherwise
the browsers display a nasty warning (even though unencrypted assets, when
served from a different domain, would not be a problem as far as session
hijacking is concerned).

"just use SSL" might just not be possible in some cases.

~~~
newman314
SSL does not necessarily need one IP per server.

[https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_I...](https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication)

Unfortunately, support is not sufficiently widespread at this time.

~~~
pilif
as I said: "at least as long as Windows XP is still around". Internet Explorer
under XP doesn't support the extension.

------
Zev
Honestly? The word "douche" springs to mind. Regardless of the legality of it
and how grey it may or may not be.

I'm sure you thought you were doing something good. But, short of not using
Facebook in a coffee shop, what do you expect people to do? Set up their own
VPN? I bet that of the people you scared off, they'll all be back on in
another day or two. Maybe at the same coffee shop.

This is a problem that needs to be solved on the website's end, not the
user's end.

~~~
gloshuertos
Yeah, it does need to be solved by the website. That doesn't change that users
are vulnerable and don't know about it.

~~~
Zev
Again: What do you expect people to do about this? Stop using Facebook while
sipping on a latte?

~~~
gloshuertos
Yes.

------
pluies_onpublic
Isn't it ironic that we're discussing it on a website that doesn't have https
at all, _not even on the login page_?

~~~
robryan
What are you going to do, having someone's account though? Possibly, if they are
well known, attempt to change people's perceptions of them / get people to
believe something? You can't delete comments older than like a day so trashing
the account is mostly out. Once they noticed they could invalidate that
session, mention it wasn't them and it would be the end of it.

I feel mostly the same way about Facebook; those so inclined could do more
damage un-friending everyone, at which point I could thank them for cleaning
out old contacts and organically re-add those who I still speak to.

------
cloudwalking
This really needs to be on CNN and such for people to actually think about it.
And realistically it looks like we all need to start using SSL - people aren't
going to change their browsing habits.

~~~
gloshuertos
Unfortunately the few non-tech news sites that I've read have covered it with
blatant disregard for the underlying cause. It's been Firesheep that's pointed
at as the issue, not Facebook and Twitter and Amazon ad infinitum.

------
lhnz
> What's absolutely incomprehensible is that after someone has been alerted to
> the danger (from their own account!) that they would casually ignore the
> warning, and continue about their day.

That's not incomprehensible. They have trust. And they don't consider what
they're doing particularly private.

------
DufusM
What I find surprising is that insecure email and wireless had existed for
quite some time before this. Almost all IMAP/POP/Gmail used to flow over
regular HTTP. It is only recently (read, last year) that a lot of major email
traffic has been https-ified.

Why suddenly jump on FB, Twitter etc with self-righteous anger when many of
these same geeks were using insecure email until less than a year ago?

------
Tyrannosaurs
Out of interest has there been any response from Facebook, Twitter, Amazon and
so on?

I've had a quick look and not seen anything but it's entirely possible I've
missed something.

------
koevet
I understand that getting your Amazon account hacked can lead to some head
scratching situations and Amazon should really implement full SSL encryption.
Having said that, what are the implications of getting your FB or Twitter or
Flickr account hacked? Personally, even if annoying, I wouldn't consider it as
a major issue in my digital life. I try not to mix business and private life
(for instance, my FB friends are only friends, not colleagues. Same goes for
Twitter) so do you see any other issue, apart from the "annoying" factor?

~~~
raesene
There have been some interesting cases where fraudsters have hijacked facebook
accounts and then used them for targeted phishing attacks.

One example of the attack: [http://techcrunch.com/2009/01/20/latest-facebook-scam-phishe...](http://techcrunch.com/2009/01/20/latest-facebook-scam-phishers-hit-up-friends-for-cash/)

In those cases the fraudsters have stolen the account completely and locked
the original user out, but I guess it's that kind of attack + the information
leakage aspect that could be a concern..

~~~
koevet
Yes, true. Something similar happened to me when I received an email
(gmail) from a friend asking for money because she was stuck somewhere.
Similar pattern. It's interesting to notice that these social engineering
attacks are easy to carry out in a place like the US, where there is one common
language. I immediately detected that the mail was a fraud, because this
person would never have written to me in English.

------
johnglasgow
The users are not at fault here. Even an SSH tunnel or VPN will leave them vulnerable
to attacks. Companies (Facebook, Twitter, etc.) have to increase their own
security, because they are the only ones that can fix this problem.

~~~
gojomo
Sending your HTTP through an SSH tunnel or a VPN will protect against the
stranger-at-Starbucks attack.

~~~
BrandonM
But not against the stalker-techie-at-your-ISP attack.

~~~
gojomo
Sure, but there are about a million times as many people able and motivated to
do the wifi-neighbor attack than the stalker-ISP-gnome attack. And as people
with true identities in a stable position of authority at a service provider,
the gnomes are easier to find and hold accountable.

This difference -- from random anonymous stranger who's only invested in
software, to physical infrastructure with paid staff -- is also one reason
bank phishing attacks happen via websites and not actual storefronts made to
look like real banks.

If the only threat to Twitter and Facebook users was ISP-gnomes, the websites
could put off fixing the issue for another decade.

------
WingForward
A few days into it and I've decided Eric Butler made a mistake in releasing
Firesheep.

Security is about battling a combination of Time + Talents/Tools +
Determination + Opportunity.

Firesheep greatly increases the Tools someone has to hack an account. Eric has
made browsing much less secure.

The intended result is to bring the security issue to people's awareness,
which he has done. But the result should have been to increase security. That
will only happen if the change in required Tools is balanced by a decrease
in Opportunity (free wifi becoming simple password wifi at a minimum).

I doubt that will happen. Releasing Firesheep was a mistake.

------
GHFigs
_I included no clues as to my identity, less because of fear of retribution,
and more because invasion of privacy is all the more frightening when it is
committed by an absolute stranger with no chance of discovering their
identity._

Disgusting. Sowing fear is not education.

~~~
gloshuertos
Really? Users shouldn't be afraid of the consequences of something they
believe to be benign? I didn't send Starbucks patrons home weeping to cry
themselves to sleep. I fully concealed my identity in the same way an actual
attacker would.

~~~
GHFigs
There is no distinction between you and an "actual" attacker. You seem to have
labored within a nimbus of self-righteous nerd egotism that someone more
criminally minded might not have but you are not in any way more entitled to
violate a person's expectation of privacy.

You are not a hero. You have not done anybody a favor. You did this for the
same perennial excuse of "spreading awareness" trotted out by any number of
noxious social irritants and did so not by the means most efficient or
effective, but the means readily available and most likely to satisfy your
urge to feel superior to your fellow man.

You may actually care about the problem and take it seriously in other
circumstances, but that is not reflected here. There is no security problem
for which "exploit the problem to harass strangers in coffee shops" is the
solution.

~~~
adbge
> _There is no distinction between you and an "actual" attacker. You seem to
> have labored within a nimbus of self-righteous nerd egotism that someone
> more criminally minded might not have..._

That sounds exactly like a distinction to me. A fireman would break into a
house to save a child. A burglar would break into a house to steal valuables.
One intends harm, the other doesn't.

> _did so not by the means most efficient or effective, but the means readily
> available and most likely to satisfy your urge to feel superior to your
> fellow man._

There's no such thing as true altruism. Why he did it isn't relevant. People
feel good about doing good deeds. Sure, they say "I want to help people," but
they really mean something more along the lines of "I want to feel good about
myself."

Further, why would it be necessary for him to choose the most effective or
efficient means? He owes these people nothing.

> _There is no security problem for which "exploit the problem to harass
> strangers in coffee shops" is the solution._

Maybe not the best or even a good solution, but it's certainly still one. ;)

~~~
GHFigs
_One intends harm, the other doesn't._

...but then...

 _Why he did it isn't relevant._

I am at least as uncertain as to what your position is as you are. Also...

 _He owes these people nothing._

Nothing, of course, except the common courtesy of not violating their privacy.
Yes, even in New York.

------
roadnottaken
Why is this so surprising? Most people I know don't really care about internet
privacy. Most people I know don't post anything sensitive to their facebook
pages. I don't use facebook and when I mention that I think it's weird to put
personal stuff on the internet (which always has the _potential_ to be public)
they think I'm a paranoid nut. Let's admit that it's not really an
unreasonable position, provided you don't work at the NSA.

------
defdac
1) Install WinSSHD on your home computer/server. Open port 22 in your home
firewall/router.

2) Install Tunnelier on your laptop, flip to the Services tab and enable SOCKS
at 127.0.0.1 and port 1337. Log in to your home computer.

3) Change Chrome target to chrome.exe --proxy-server=socks5://127.0.0.1:1337

Mostly used for obtrusive proxies, though it will make you as secure as you are
at your home network.

~~~
bilban
Not a very 'green' solution!

~~~
bilban
My point was that having a computer running 24/7 at home to use as a secure
proxy when you are out in the field is a bit wasteful. The technical solution
was fine - though I can't see many non-techies getting their heads around
this. Why the down vote - pffffh.

------
AngeloAnolin
Do users care? Quite a thought that actually scared me a bit, because
only if these users actually care will there be protocols that
prevent this from happening. And when would users care? When their
personal identities have been stolen, and private information (credit cards,
social insurance numbers, personal messages) have been compromised. Do we
really have to go to that point where the risk is imminent before taking action?

Having identified the vulnerabilities of WEP encryption on wireless networks,
shouldn't it be that device manufacturers of wireless routers take away WEP
encryption as an option but instead focus on a more secure method of
connection? Of course this may have some downside to it, but unless your
ordinary Joe and Jane realize the upsides of having a secure connection to the
web, they may see this as a discomfort.

------
jozo
While it's nice that this gets some attention and not very nice of facebook to
automatically revert you back to an unencrypted connection, this is not a
facebook specific problem. Anytime you use a wireless network, where you don't
have control over the access point, you need to secure everything you want to
keep private. This goes for everything from google searches and file
transfers to instant messaging and e-mail. The proven solution is to use a VPN
tunnel, which even many home routers support nowadays.

Of course there's still a bigger problem with arp spoofing and other attacks,
which in the long term will need to be solved. Maybe with something like
DNSSEC DKI.

------
lowglow
What are the legal ramifications of running firesheep on a public network?

~~~
helwr
"Google, in response to government inquiries and lawsuits, claims it is lawful
to use packet-sniffing tools readily available on the internet to spy on and
download payload data from others using the same open Wi-Fi access point."

We'll see who wins in court:
[http://www.wired.com/threatlevel/2010/06/packet-sniffing-law...](http://www.wired.com/threatlevel/2010/06/packet-sniffing-laws-murky/)

see also: [http://blogs.forbes.com/kashmirhill/2010/10/28/firesheep-use...](http://blogs.forbes.com/kashmirhill/2010/10/28/firesheep-users-may-be-breaking-the-law/)

~~~
jasondavies
Passive sniffing is one thing. Active unauthorised access to a computer using
Firesheep is definitely illegal in the UK according to the Computer Misuse
Act:

    
    
      (1) A person is guilty of an offence if—
       (a) he causes a computer to perform any function with intent to secure access to
           any program or data held in any computer, or to enable any such access to be
           secured;
       (b) the access he intends to secure, or to enable to be secured, is unauthorised;
           and
       (c) he knows at the time when he causes the computer to perform the function that
           that is the case.
      (2) The intent a person has to have to commit an offence under this section need
          not be directed at—
       (a) any particular program or data;
       (b) a program or data of any particular kind; or
       (c) a program or data held in any particular computer.
    

I think passive sniffing may also be illegal in the UK according to RIPA [1]
as it is unauthorised interception of public telecommunications.

[1]: [http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I...](http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I/crossheading/unlawful-and-authorised-interception)

~~~
mike-cardwell
Yeah, definitely illegal in the UK. I'd be surprised if it wasn't illegal in
the US too.

So he's basically just blogged about committing a crime. I wonder what would
happen if one of his "victims" read this and then contacted the police. I bet
Facebook has enough information logged about which accounts were accessing
Facebook from that IP at the time, and which of them received his messages.

------
nodata
What does he expect the users to do? Not use Facebook? Right...

~~~
gloshuertos
That's the point. It's empirical (albeit, not scientific) evidence that even
when presented with the risks, users will still choose to do things that are
dangerous.

~~~
georgemcbay
Why would you expect most people to do otherwise? I fully know the risks of
using open hotspots on many websites and I do it anyway because the
convenience outweighs the risks for me. Obviously I'd think twice about
logging into my bank over a non-secure connection (though I'd be mad to bank
with a company that doesn't secure all connections by default, of course), but
open-wifi Facebook? Sure, why not?

This behavior extends beyond Internet usage. I (and probably most of you
reading this) hand my credit/debit cards over to waiters several times per
month knowing full well they could jot down enough information while out of my
sight to make illegal charges on that card (if not do far worse via more
elaborate identity theft schemes). Risky? Yes, but the extreme convenience
outweighs the potential pain due to the low chance of actually being one of
the people that gets exploited in this way, and thus it is with open hotspots
and most Internet sites.

~~~
dedward
My credit card has legally built-in insurance against fraudulent use - I'm not
liable for a penny of that use if it was used illegally - unless the card
itself was stolen and I failed to report it - in which case I'm liable for up
to $50. (As soon as I report it stolen, I'm not liable for anything)

I use a credit card because it's safer and offers me options - someone
snarfing the number would be a nuisance, because I'd need a new card, but
that's it.

Let's please not forget (Sigh... I know - everyone already has) that charge
cards were pushed onto the market as a safe, convenient alternative to using
cash - not a walking liability - don't let the issuers turn them into one on
us.

As to the analogy - it's quite different. I'm very security conscious, and I
generally don't do certain types of activity on uncontrolled or unknown
networks (banking - home or somewhere else safe - but facebook at starbucks,
okay)

It's not just a problem with open hotspots, it's with any network you are on,
anywhere - an open hotspot is just the easiest place for someone to try this
on. An employee at an ISP could snarf data from millions of users easily...

------
cduan
I suppose the saving grace is that it would be pretty difficult--not
impossible, but pretty difficult--to truly get away with this without
detection. With all the logging that goes on, chances are that you could be
identified by a MAC address, a web login of your own, a credit card swipe
nearby, a surveillance camera, a cell phone in your pocket, or who knows what.
There is a lot of information to be gotten with the right subpoenas.

~~~
gloshuertos
On many machines, MAC addresses can be changed. I obviously wasn't attempting
to avoid detection since I posted about it under my real name, but anyone
could pick up a $200 netbook, pay cash, walk into a Starbucks with sunglasses
on, do their business and leave undetected. MAC addresses are useless if they
don't tie to anything else and aren't fixed.

~~~
netaddict
Not just on many machines. You can change your MAC address on any machine
using GNU macchanger <http://www.alobbs.com/macchanger/>

------
c1sc0
Doesn't surprise me all that much since most 'normal' people absolutely don't
care about security. Passwords are meant to be written on sticky notes.
Identity theft is too complicated for them to care about. And credit card
fraud is easily solved by reversing the charges. It takes a massive, automated
exploit & MSM coverage before they'll start caring.

------
robryan
It is weird it hasn't been covered more, usually here in Australia the media
run scare stories on the most insignificant of Facebook flaws. I wouldn't be
in a hurry to point it out to them this new one either, it would be
sensationalized into some kind of no cafe is safe without any technical
details.

~~~
ghiculescu
The problem being that no cafe IS safe - what people have posted on their
Facebook is important, and some of the websites Firesheep attacks can be even
more damaging for the user - until everyone runs VPNs or websites get their
act together.

------
rmoriz
Someone should write a blog post about dsniff and how to get dozens of
login/passwords for not only pop3, imap, messenger logins at starbucks/airport
wifi.

We all know that 90% of the users tend to have one password for everything.
That password usually works for any SSL secured service, too ;-)

------
c4urself
Could it be that the persons thought it was some kind of automatically-
generated message? Maybe a you're wearing a red shirt that says ... would get
the point across?

~~~
gloshuertos
Is a machine breaking into your account any less scary than a person doing it?

------
tnorthcutt
The solution you link to in your post involves using a not-free VPN service.
Is there a guide somewhere to setting up a free solution to this problem?

------
alanh
Off-topic: I submitted a Tell HN post inspired by this submission:
<http://news.ycombinator.com/item?id=1848420>

------
ergo98
If that public wifi is secured with a password -- albeit a _public_ password
-- does that protect individual sessions?

Meaning you go to a cafe and the blackboard tells you that today's WPA2
password is "greenbeans". Knowing this does it provide the ability to sniff or
abuse other users sessions on this WAP?

Honestly don't know this and can't find a clear answer about it.

~~~
jrnkntl
afaik (and from my own experience) that won't work.

    
    
      "As long as the universally supported WPA encryption protocol is used,
      each individual user receives their own private “session key” that absolutely 
      prevents eavesdropping between users, even though they are all using the
      same WiFi password."
    

from: [http://steve.grc.com/2010/10/28/instant-hotspot-protection-f...](http://steve.grc.com/2010/10/28/instant-hotspot-protection-from-firesheep/)

~~~
docgnome
Yeah, we tested it on our WPA encrypted wireless and didn't get anything. It
was seen when I logged into facebook but my coworker wasn't able to login as
me. At least not with Firesheep.

------
points
Just don't do 'login' type work at public wifi :/ is that so hard? Do people
not know this already? Did some people ever think it was safe to use public
wifi for anything other than general browsing?

Please HN: Stop getting outraged by stuff that doesn't really matter. You're
turning into Reddit, and just like them, you will have forgotten all about
this by next week, and be on to the next topic you need to be outraged about.
It's depressing. Angelgate? No one cares any more. No one should have cared in
the first place.

~~~
gdl
<http://ycombinator.com/newsguidelines.html> : "If your account is less than a
year old, please don't submit comments saying that HN is turning into Reddit.
(It's a common semi-noob illusion.)"

~~~
points
I created this account after a couple of years. My main account is 1000+ days
old.

Seriously. This summer has been depressing to watch HN go down the pan.

