Hacker News new | past | comments | ask | show | jobs | submit login

Butler has not raised the threat level on anything. This has been a widely known issue since forever. A friend of mine wrote a sniffer that could do this back in college, and he was one of the last to the party. Want something else to kvetch about? His tool could impersonate the router and act as a proxy, including serving up ssl-encrypted pages to users who didn't realize they shouldn't accept certs from unknown signers - again, that was years ago, and even then it was nothing new or unique at all.

When a tool like this rises to even a minimum level of public consciousness, you're better off thinking "people have probably been doing this for close to a decade" than "this asshole just ruined the internet by pointing out an obvious flaw that someone will now be able to exploit".

And yes, at some point, a door manufacturer that knows how easily their doors will open and how frequently people will just walk through does take on some responsibility to add a lock (and the homeowner to use it). It's going to cost more in servers? Okay, so what? It costs more to install seatbelts, are you upset at Ralph Nader, too?

[Edited to bring it down a notch]

> Butler has not raised the threat level on anything.

Flat out false. Ever heard the term "crime of opportunity"?

What's your over/under on the number of identity thefts facilitated by Eric Butler's little gift? Let's make this empirical.

Anyone who wanted to hijack http sessions was five minutes of Googling and installing away from being able to do so before "Eric Butler's little gift" anyways. Are you claiming that the marginal impact of packaging it up into a firefox extension is so great as to make it a threat of a wholly different kind?

That is exactly what I'm claiming. That's also why this article has 200+ comments and was on the top of Hacker News all day!

You vastly underestimate the barrier that "five minutes of Googling" presents. I assure you, the overwhelming majority of aspiring script kiddies would never be able to figure it out. It took an expert to package an exploit in a nice GUI (and write cookie parsing code for every major social site under the sun).

As long as only the minimally motivated can exploit it, it's not really a problem, gotcha.

How about instead of shooting the messenger, you take some of that righteous anger and point it at the companies with millions/billions to spend who have simply ignored a longstanding known issue?

How about you recognize that there are a lot of innocent people who will be hurt by this stunt? There are hundreds of thousands of companies and millions of people who are targets for this, and most don't have a spare million lying around.

Hospitals, nonprofit groups, anyone running a website has to drop everything to lock it all down now. The effect is a lot like loosing a new virus (and might ultimately be treated that way).

> As long as only the highly motivated can exploit it, it's not really a problem, gotcha.

^ This modified statement is correct. All I'm saying that making something easy to use and publicizing it widely is going to result in a lot more people using it.

[Edits - hey jfager, I don't know you from adam and don't particularly enjoy flamewars. I agree that in the long run this should be fixed, ideally in such a way that 99.99% of people can blissfully go about their day. I just wish that the energy to secure stuff had taken the form of (say) a post on "here's how Google converted Gmail to https" rather than Firesheep. Hope we can find some common ground and you can see my POV.]

The intersection of 'evil enough to do something truly malicious', 'read a tech blog in the right 24-hour period', 'didn't already know the problem existed', and 'in enough cafes to pair with enough potential victims' is too low to cause "millions" more to be impacted by this, I promise.

Your implicit definition of 'highly motivated' (someone willing to put in 5 minutes of Googling) makes me sad.

I'm agitated because you're trying to hang someone for doing A Good Thing: putting real pressure on the bigs to finally actually fix a well-known, longstanding problem.

[Response to your edit: Facebook, Twitter, and other big sites know about the problem. How would explaining to them how Google secured Gmail change anything? They know how Google secured Gmail, and they know how to secure their own services. They just simply aren't, because it saves them money and their customers aren't demanding it. But the only reason their customers aren't demanding it is because the vast majority of their customers don't know the threat exists. This tool makes the threat clear as day to the most unsophisticated layperson, which makes it real, effective pressure, far more than yet another blog post asking nicely for SSL by default].

It might make you sad, but it's spot on. People were sharing MP3 files on usenet pretty easily, back in the day. It would have taken 5 minutes or less to work out how -- even easier than grabbing cookies.

It wasn't until Napster made that 0 minutes of googling that MP3 filesharing really took off.

For something like this to end up on millions of desktops, you have to be able to explain it to a half-stoned frat at a party. "Five minutes of googling and then some nerdery"? No chance. "Install this, go to the quad and you can sign into the facebook of any other person there?" Yup, that's going to spread like wildfire.

The responsibility is with every admin that setup an insecure access point, not with every security researcher to stay quiet about widely known and widely exploited vulnerabilities.

This isn't new. Point and click tools for doing this existed 10 years ago. Making a firefox plugin just pushed it back to the top of the headlines. This is actually a good thing because if word spreads more people will be aware of the already existing risk and will be more security conscious.

Does this mean everyone should stop logging into their personal accounts over unsecure wifi at school or starbucks? ABSOLUTELY.

Hopefully this new attention on an old hole will motivate more admins to fix their networks and more users to realize how vulnerable they are.

> It wasn't until Napster made that 0 minutes of googling that MP3 filesharing really took off.

(a) network effects (b) autosharing, spurring more (a)

Neither of these apply here.

Obvious, easy security exploits should be be as publicly exposed as possible, and repeatedly so.

This kind of exploit is so many years old that it's a matter of basic public education and computer literacy. While this might be a "forcing function" on the web development community - it is not unfair. There is so much new tech every year, it's unfortunate that security isn't more in the consciousness of tech.

There may be more graceful ways to lead "sheep" to more secure use of the internet deserving of praise, but it's fair game to release an exploit, and I'd rather see FireSheep than censorship of it.

Your core argument still seems to be for security through obscurity. I'd rather have a problem be widely known, and addressed, rather than not widely known and ignored.

Re: "Hospitals, nonprofit groups, anyone running a website has to drop everything to lock it all down now." That simply isn't true. Unless a site uses cookies AND firesheep can understand those cookies, the site doesn't have a worse problem today than it did last month. It would be very nice if every site, of every group, implemented SSL for anything remotely personal. But from what I've read I doubt firesheep poses an additional threat to any such not mega-popular site.

24 hours later, more than 150000 downloads. I believe it is safe to say the threat level has indeed been raised.


For a public wifi user, how do those 150k downloads actually affect the probability that someone else on the network is using a session-hijacking tool? Given that it was already high enough that people should have already been taking preventative measures, any increase you can attribute to this would still fail to justify the witch-burning you're looking for.

There is zero difference between what someone using public wifi should be doing today and what they should have been doing last week. Now at least more people are aware of the problem.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact