Saturday, October 30, 2010

Fire, Sheep, and Fox

About a week ago, a new tool was released to the internet, called Firesheep.  To me, there's just something funny about the name.  Sheep are inherently cool, and fire implies something serious.  The juxtaposition is funny.

But the implications are serious. Firesheep allows a user to EASILY sniff traffic over an open WiFi network and steal cookies -- basically, your logged-in session for Facebook, Google, Amazon, Flickr, CNET, the New York Times, Twitter, Yahoo, and a ton of other websites that don't protect the whole session with HTTPS (SSL).  A well-written demonstration of using it can be found here -- just plop yourself down at the nearest Starbucks and send polite warning messages to the 20+ Facebook and Amazon accounts you can access. Watch their response.

There's a big reason I put EASILY in the above paragraph in CAPITAL LETTERS.  Other tools for doing this (known as sidejacking) have been around for years (it was first demo'd at a BlackHat presentation in August of 2007), but none has ever been as user-friendly and intuitive as Firesheep.  This is a plug-in for Firefox (hence the "fire" in Firesheep), and someone's account can be accessed within about 10 seconds and a double mouse click.  It's that simple.  To quote an oft-used Apple idiom, It Just Works.

Many tech folks are dismissing this as yet another tool to exploit something we've already known.  And maybe they're right.  But I believe they're underestimating the value of making things user friendly.  The gold standard of this is Apple:

  • They were not the first to invent the Personal Computer -- the window-based interface just made it easy to use.
  • They were certainly not the first to invent the mp3 player -- they just made it easy to use, in a cool form factor.  
  • They were not the first to invent the smart phone -- they just made it easy to use.

See a trend here?  I think Firesheep could develop the same way.  And although it may not appeal to everyday, innocent users of The Internets like you and me, I bet it has an incredibly strong appeal to pimply-faced technologically inclined teenagers.  And all it takes is some enterprising youth to camp out in a Beverly Hills Starbucks and wait for an unsuspecting celebrity to log in.  Instant tabloid news story, similar to the episode when Paris Hilton's smartphone got hacked over Bluetooth.

In a worst-case scenario, this would spook 95% of Facebook users, who run screaming from the site and dump their accounts before Facebook implements a solution.  Panics have happened on Wall Street many times; we're probably due for one on the Internet soon, too.

How to protect yourself against this?

  • There's already a counter program out there called FireShepherd, but it's kind of brute-force and not very user friendly.  Or network friendly.  But it's better than nothin'.
  • Make sure your Gmail is set to always use HTTPS.
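The reason "always use HTTPS" helps is that a session cookie set without the Secure attribute is also sent on plain-HTTP requests, which is exactly what a sniffer on open WiFi picks up. The following audit script is an added example (not part of the original post, and not Firesheep or FireShepherd code) that checks a server's response headers for that exposure; the headers it inspects are constructed for the example, not captured from any real site.

```python
"""Audit Set-Cookie / HSTS response headers for sidejacking exposure.

A session cookie lacking Secure travels in the clear on http:// requests,
so anyone sniffing an open WiFi network can copy and replay it.  Without
Strict-Transport-Security a browser may still start a session over http://.
"""

# Cookie names that usually carry login state (heuristic, assumed here).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True  # flag attributes: Secure, HttpOnly
    return name, attrs


def audit(headers):
    """headers: list of (field, value) pairs as sent by the server.
    Returns {cookie_name: [problems]}; key '__hsts__' if HSTS is missing."""
    findings = {}
    if not any(f.lower() == "strict-transport-security" for f, _ in headers):
        findings["__hsts__"] = ["no Strict-Transport-Security: http:// still allowed"]
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # preference cookies are not worth stealing
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent over plain http, sidejackable")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample responses: a weak site and its hardened counterpart.
WEAK_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "authtoken=xyz; Path=/; Secure; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
```

Run `audit(WEAK_HEADERS)` to see the exposed `sessionid` cookie and the missing HSTS header flagged; `audit(HARDENED_HEADERS)` returns an empty dict.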

Just be aware of what's out there.  There's a whole lot of Not Privacy on the internet.
