
Firesheep usage leads to Idiocy - dunk010
http://jonty.co.uk/idiocy
======
dandelany
Idiocy indeed. While you may run this for altruistic reasons, and I think it's
good to teach people about the dangers of unprotected browsing, running a
script to automatically hijack and post to the Twitter accounts of everyone
around officially makes you an asshole, IMHO.

The fact that someone isn't wearing a belt doesn't mean they deserve a
pantsing.

~~~
rosser
_The fact that someone isn't wearing a belt doesn't mean they deserve a
pantsing._

Perhaps not, but, to stretch your metaphor a bit, if someone's fly is open,
they might appreciate having it pointed out to them.

~~~
hugh3
And how do you point it out to them? As discreetly as possible, or by shouting
it to all their friends?

~~~
lotharbot
If half of their friends also have their fly open, shouting it might be a
better option.

~~~
dandelany
I'm missing the logic here. If few people make a mistake, they should be
informed privately, but if many people make a mistake, they should be shamed
publicly? No.

And to be honest, I'm getting slightly tired of the community's tendency to
stretch metaphors way beyond their applicability. Mine was mostly meant to add
a touch of humor. Pants, flies, and underwear aside, auto-hijacking the
Twitter accounts of everyone on your network is just dickish (no pun
intended). Especially when the belt store is closed to everyone except the
pants-manufacturers ;)

~~~
jontywareing
I do not think this can really be considered "shaming" as it's nothing to be
embarrassed about.

Regarding private/public notification; Posting to your own account is an
easily understandable visible demonstration of what's possible and why you
should care - a DM from another account, or an @ just won't have the same
effect on the user.

(I have said this elsewhere in the thread, so apologies for repetition)

I have been informed that it's possible to send a DM to yourself, so I'll add
that as an option shortly as a nice alternative.

~~~
ChRoss
I understand the intention is to warn people. But IMO, there are plenty of ways
of warning or educating them, e.g. blogs, tweets etc. There's no need to
'prove' it just to raise awareness.

I did tell my friends and family that a tool (Firesheep) has been released and
what the impact is in layman's language, and informed them to be careful when
browsing through open wifi networks.

------
NathanKP
This sounds like an interesting idea, but is it legal to run? Sure it might be
a good thing to educate people about the dangers of accessing the internet
over open wireless, but what if you accidentally run it on the account of
someone who is willing to sue? Do they have a legal basis to sue you?

Just because they are doing something stupid, doesn't give you the right to
mess with their accounts.

~~~
Groxx
Unless they're running a honey-pot machine... how do they tell? You're coming
from the same IP, with the same session. At best they can fingerprint your
browser, which is far from proof and easy to change. Or nab things from Flash,
maybe - but people likely to use this exploit to educate are probably more
likely to run Flash blockers.

~~~
NathanKP
While it may be unlikely for you to get caught, in my mind that still doesn't
make it a good idea to run Idiocy. In essence I consider it to be a form of
cyber terrorism.

Terrorists use illegal or unsavory acts to gain attention and draw media
coverage of their cause. Essentially idiocy is just cyber terrorism. It says
"Look! I can take over your account. Now that you are scared let me show you
what I want you to do."

I'm sure that if this takes off it will get media coverage, and may even cause
people and websites to change their habits and protocols, but why should
terrorism be used to accomplish a change to secure web protocols?

Then again I have never been a believer in "the end justifies the means" so
even assuming that the end result of forcing people to use HTTPS is good, I
don't think cyber terrorism is a good way to accomplish it.

~~~
pavel_lishin
By that definition, if I find a flaw in (as an example) the New York Times,
and e-mail them explaining the flaw and how to fix it, I'm engaging in cyber
terrorism.

Shit, I remember when people would throw around the words "white hat" and
"black hat", instead of "terrorism".

~~~
swombat
Actually, "Idiocy" is more akin to finding a flaw in the New York Times, and
then using that flaw to change the headline of their front page.

I'm pretty sure that would land you in jail if caught.

~~~
borism
not all people in jail are terrorists.

------
msmith
126 lines of python. This is a great demonstration of how simple it is to
exploit the vulnerability. Be aware, people.

------
rarestblog
Actually a good idea, but a MUCH better idea would be to automatically post a
direct message to that person (from your own account or from a central Idiocy
account) about the problem, rather than hijacking the session and basically
hacking the account, running into problems with the law.

~~~
jontywareing
I've been bouncing this back and forth with people all day!

Posting to your own account is an easily understandable visible demonstration
of what's possible and why they should care - a DM from another account, or an
@ just won't have the same effect on the user.

I might see if it's possible to send a DM to yourself, as that would achieve
the same result without the public exposure.

------
sedachv
It's possible to mitigate HTTP session hijacking without resorting to SSL:
<http://carcaddar.blogspot.com/2010/10/protect-flock-or-how-to-mitigate.html>

It's not really viable to serve most things over HTTPS because there's no hope
of caching anywhere but at the end-point (and that's usually disabled by
default, too).

------
citricsquid
_In the last few days a tool has been released_

That seems to imply it's a single tool, and once this is "stopped" you don't
need to worry any more. Surely it should mention instead that a recently
released tool is _widely publicised_? Firesheep didn't make this possible, it
has been for a long time, it just made it more accessible.

~~~
jontywareing
I thought the rest of the paragraph covered that, but I'm happy to edit it if
you can suggest a rephrasing?

It's just supposed to be a quick introduction stating that the chances of
being exploited are significantly higher now that the entry barrier is
practically non-existent.

~~~
citricsquid
I... how did I miss that. I just went back and it's right there in the next
sentence, my apologies. wtf.

~~~
Groxx
I get a slightly hard-to-read vibe from the page, personally. Maybe the
contrast, maybe the harsher anti-aliasing in Windows (used to OSX), maybe the
largish sans-serif font.

------
codexon
I don't like it that Firesheep is driving everyone to use HTTPS.

You cannot have multiple SSL certs on a single IP and you have to pay a
significant amount to get a cert that won't pop up an annoying page which
turns away most non-technical users.

There needs to be an alternative which just does key exchange and symmetric
encryption without the identification.

~~~
jgrahamc
Your alternative to SSL would allow MITM attacks. Thus it would be useless.

~~~
codexon
I don't see another compromise that wouldn't require the signature
infrastructure.

MITM attacks are much less common than sniffing attacks as we can see here.

~~~
jgrahamc
If people moved to your scheme MITM would become common and we'd be writing
about FirePiggyInTheMiddle or similar. They can be automated. You need some
trust infrastructure for encryption to work.
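
A small simulation of the point made above, added here and not written by anyone in the thread: an unauthenticated Diffie-Hellman exchange lets a party sitting on the path end up sharing a key with each side, while the same exchange with authenticated public values refuses the substituted value. The group size and the keyed tag (an HMAC under a key the relay does not have, standing in for a certificate signature) are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for readability; real deployments use a standard large group).
P = 2**127 - 1
G = 5
# Stand-in for the "trust infrastructure": a secret only the real endpoints hold,
# used to authenticate public values (a certificate signature plays this role in TLS).
TRUST_KEY = b"constructed-demo-authentication-key"


def keypair():
    priv = secrets.randbelow(P - 3) + 2                 # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def tag(pub):
    return hmac.new(TRUST_KEY, pub.to_bytes(16, "big"), "sha256").digest()


class Interceptor:
    """Sits on the network path and swaps every public value it forwards for its
    own; it can compute a key with each side but cannot forge tags without TRUST_KEY."""
    def __init__(self):
        self.priv, self.pub = keypair()
        self.keys = []                                  # session keys it ends up holding

    def forward(self, pub, pub_tag):
        self.keys.append(session_key(self.priv, pub))
        return self.pub, pub_tag                        # forwarded tag no longer matches


def exchange(authenticated, path):
    """One key agreement over `path`; returns (key at A, key at B), or None if a
    side refuses because the public value it received fails verification."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    recv_b, tag_b = path(a_pub, tag(a_pub))             # what B receives as "A's" value
    recv_a, tag_a = path(b_pub, tag(b_pub))             # what A receives as "B's" value
    if authenticated and not (hmac.compare_digest(tag_b, tag(recv_b))
                              and hmac.compare_digest(tag_a, tag(recv_a))):
        return None
    return session_key(a_priv, recv_a), session_key(b_priv, recv_b)
```

With nothing on the path both variants agree on one key; with the interceptor, the unauthenticated variant yields two different keys, each of which the interceptor also holds, and the authenticated variant aborts.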

~~~
codexon
In order to do FirePiggyInTheMiddle, you need to control the router. You can't
just sit in the subnet and start sending commands to random clients to hijack
their connection, especially when it is symmetrically encrypted.

~~~
wmf
ARP poisoning doesn't require control of the router; it makes MITMs pretty
trivial.

<http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html>

~~~
codexon
Ok you guys can stop with the "but what about this" now.

We all realize there are 1000 different attacks with various levels of
difficulty and all of which have appropriate countermeasures and are nowhere
near the success rate nor ubiquity of simply receiving packets.

------
seltzered
Speaking of this, when will HN allow for HTTPS connections? :P

~~~
alanh
Post a feature request: <http://news.ycombinator.com/item?id=363>

~~~
seltzered
thanks, I noticed user culix already suggested it, so I upvoted his
suggestion: <http://news.ycombinator.com/item?id=499851>

------
petervandijck
I wonder how this jives with security expert Bruce Schneier's stance:
<http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html>

~~~
Groxx
Doesn't seem to line up much... his stance is about running his own open
wireless access point, and how much FUD there is around it, not SSL on
websites.

edit: ah, now I see what you were getting at. Though things have changed now
that it's easier, and there's nothing _inherently_ dangerous with open wifi -
SSH to your server, and you're plenty secure.

------
drivingmenuts
"Given that most websites will not be making SSL the default any time soon,
the only option is to educate people."

And this educates them how, exactly? Education thru vandalism is just
vandalism.

~~~
jontywareing
It educates by providing information about the attack used and how to prevent
it happening in the future. You can find the link provided to users here:
<http://jonty.co.uk/idiocy-what>

The tweet can be instantly removed by the user. It's hardly vandalism as
nothing is being damaged or destroyed.

As I've said in a message elsewhere in this thread, posting to your own
account is an easily understandable visible demonstration of what's possible
and why they should care - a DM from another account, or an @ just won't have
the same effect on the user.

I've been informed that it's possible to send a DM to yourself, so I'm going
to add that as an option shortly.

------
AgentConundrum
Ok, dumb question time: Outside of things like banks, does anyone actually run
a 100% SSL web server?

I thought the point of Firesheep was more "don't use unsecured networks" than
"don't use websites that aren't 100% SSL." If it's the former, then this only
does any good if the "victims" are the people providing the service. How many
people do you think are going to notice this tweet immediately, realize where
they were when it happened, and complain to the wifi provider (whose response,
of course, will be "use at your own risk").

It might do _some_ good for people running insecure networks at home, but the
people that understand what happened and how to fix it would already be
running secure networks at home.

------
detcader
Has anyone gotten this thing to even work? Seems to rely on
<http://code.google.com/p/pypcap/> and when I attempt install from source the
install.py turns out to be horribly useless.

Without installing that pypcap thing and just using libpcap, I get this error:

    Traceback (most recent call last):
      File "idiocy.py", line 128, in <module>
        main()
      File "idiocy.py", line 20, in main
        cap = pcap.pcap(device)
    AttributeError: 'module' object has no attribute 'pcap'

------
jeffiel
How does this educate users, who don't have the option of using SSL to begin
with? It's the website operators that need the education. This just
embarrasses users due to no fault of their own.

------
Groxx
A question:

What _does_ it tweet? So far I'm only seeing people tweeting _about_ Idiocy,
nothing that appears to be coming _from_ Idiocy. Different tones / content of
the message could have extremely differing responses, and as it's
_intentionally_ high profile, should be extremely careful.

~~~
borski
From the code:

    status = 'I browsed twitter insecurely on a public network and all I got was this lousy tweet. http://jonty.co.uk/idiocy-what'

~~~
Groxx
Unfortunately, the link it includes doesn't contain the part mentioning this
capability is nothing new, merely that there's a new tool for it:
<http://jonty.co.uk/idiocy-what>

If the creator is browsing through these: _include that part_, or people will
associate the danger with the new tool, and nothing else.

~~~
jontywareing
Good point! If you have any other comments I'd love to hear them.

Let me know if you think I should make any other edits:
<http://jonty.co.uk/idiocy-what>

~~~
Groxx
I think I'd swap the first and second paragraphs. That way, it makes more
sense after "What happened?!", and reassures people ASAP so they won't lose
interest / be confused before they find out what happened.

------
itsnotvalid
It's like if Microsoft started distributing viruses and worms to alert you of new
bulletin updates, which is something some security experts condemn (sorry, I
couldn't find the article about Conficker with experts saying this as an
approach to fight Conficker).

------
tibbon
Anyone have ideas on getting it running on OS X?

One downside to some (often interpreted) languages is that there isn't always
an easy way to package them up into a single binary for user consumption.

~~~
kijinbear
Install Python, go to terminal, and type `python idiocy.py`

~~~
deathbob
    master>python idiocy.py
    Traceback (most recent call last):
      File "idiocy.py", line 2, in <module>
        import getopt, sys, pcap, dpkt, re, httplib, urllib
    ImportError: No module named pcap

Is there a python equivalent to RubyGems?

~~~
BrianLy
Distribute. See <http://python-distribute.org/pip_distribute.png>

~~~
deathbob
Yeah how do you use this? I see pcap here
<http://pypi.python.org/pypi/pcap/1.1> but can't seem to install it.

    master>pip install pcap
    Downloading/unpacking pcap
      Could not find any downloads that satisfy the requirement pcap
    No distributions at all found for pcap
    Storing complete log in /Users/bob/.pip/pip.log

