Idiocy indeed. While you may run this for altruistic reasons, and I think it's good to teach people about the dangers of unprotected browsing, running a script to automatically hijack and post to the Twitter accounts of everyone around officially makes you an asshole, IMHO.
The fact that someone isn't wearing a belt doesn't mean they deserve a pantsing.
I'm missing the logic here. If few people make a mistake, they should be informed privately, but if many people make a mistake, they should be shamed publicly? No.
And to be honest, I'm getting slightly tired of the community's tendency to stretch metaphors way beyond their applicability. Mine was mostly meant to add a touch of humor. Pants, flies, and underwear aside, auto-hijacking the Twitter accounts of everyone on your network is just dickish (no pun intended). Especially when the belt store is closed to everyone except the pants-manufacturers ;)
I do not think this can really be considered "shaming" as it's nothing to be embarrassed about.
Regarding private/public notification: posting to your own account is an easily understandable visible demonstration of what's possible and why you should care - a DM from another account, or an @ just won't have the same effect on the user.
(I have said this elsewhere in the thread, so apologies for repetition)
I have been informed that it's possible to send a DM to yourself, so I'll add that as an option shortly as a nice alternative.
I understand the intention is to warn people. But IMO, there are plenty of ways of warning or educating them, e.g. blogs, tweets etc. There's no need to 'prove' it just to raise awareness.
I did tell my friends and family that a tool (Firesheep) has been released and what the impact is in layman's terms, and informed them to be careful when browsing through open wifi networks.
Random public shaming may not be fair, but it is a fast way to get the message out to lots of people. And I've seen it be an effective way to drive behavior change.
Metaphors are less effort to bike-shed than the underlying concept. Witness the undying car analogy, or the "C is a hammer" nonsense from a couple of days ago.
Yes, it's boring; yes, it's intellectually lazy and useless. No, it's not going away.
They walked into a glass building (unencrypted wifi location), unzipped their flies, sat down, and are totally unaware they did so. Someone would have noticed eventually - would they rather be potentially gawked at behind the one-way mirror that's always been there but they never noticed (Wireshark), or told, allowing them to cookie-block the ones who do so?
As to the volume of the telling, what if near enough to everyone were doing this? You would probably become the crazy person at the intersection, telling everyone the end of privacy is near, repent and use SSL. But at least this way you can demonstrate that yes, their flies are down, in a way they can see, rather than having to take your word on it.
This sounds like an interesting idea, but is it legal to run? Sure it might be a good thing to educate people about the dangers of accessing the internet over open wireless, but what if you accidentally run it on the account of someone who is willing to sue? Do they have a legal basis to sue you?
Just because they are doing something stupid, doesn't give you the right to mess with their accounts.
Unless they're running a honey-pot machine... how do they tell? You're coming from the same IP, with the same session. At best they can fingerprint your browser, which is far from proof and easy to change. Or nab things from Flash, maybe - but people likely to use this exploit to educate are probably more likely to run Flash blockers.
While it may be unlikely for you to get caught, in my mind that still doesn't make it a good idea to run Idiocy. In essence I consider it to be a form of cyber terrorism.
Terrorists use illegal or unsavory acts to gain attention and draw media coverage of their cause. Essentially Idiocy is just cyber terrorism. It says "Look! I can take over your account. Now that you are scared let me show you what I want you to do."
I'm sure that if this takes off it will get media coverage, and may even cause people and websites to change their habits and protocols, but why should terrorism be used to accomplish a change to secure web protocols?
Then again I have never been a believer in "the end justifies the means" so even assuming that the end result of forcing people to use HTTPS is good, I don't think cyber terrorism is a good way to accomplish it.
In my opinion this kind of cheapening of the language kills our ability to communicate as human beings. When you compare being redirected involuntarily to a polite note that helps you understand how currently insecure your use of twitter is to vicious and violent acts, many of which result in the brutal death of innocent bystanders, acts in which mothers watch their children die in agony, you debase the language to such an extent as to be talking babble.
I don't know what the rhetorical strategy is called that you have employed, but it is beneath you.
Personally I believe the exact opposite. It is important that we break free from the political propaganda that says that terrorism means a suicide bomber that kills others, and recognize that the basic concept of terrorism is used all the time by our own respective governments and other power figures.
I see it as terrorism when a religious leader tells people that they will go to hell for not following religious tenets. I see it as terrorism when a government uses FUD on its own people to get them to support a war on another nation.
I also see it as a form of terrorism to take over someone's account and post something in their name. The average person who discovers that someone has hijacked their account and posted in their name is going to feel angry and afraid.
As far as I see it Idiocy and Firesheep can be used in the same manner as terrorism: to frighten people by threatening them. Sure the threat of taking over an online account is much less than the threat of death by a suicide bomb, but I see no reason why it should not be called terrorism.
Instead I find it fascinating that there are so many negative feelings toward me personally for using the word terrorism. Is it suddenly non-kosher to make a comparison? You say I am "cheapening language skills" and "talking babble". I am just surprised at your vehement response, and the general dislike of my use of the word.
I have a broad view of what terrorism is, you evidently have a very narrow view. If you do not want to broaden your view of what a terrorist act can be, then you will not notice the many subtle acts of terrorism committed. If people insist that terrorism can only be applied to acts of physical violence then they will be unaware of the way governments, political leaders, religious leaders, and others use fear to control the masses.
But the point of my comments originally was not to define terrorism, but instead to explain why I might disapprove of Idiocy. Instead it appears to have turned into a large discussion on whether or not it is right to use the word terrorism to describe something which scares someone into changing their actions or habits.
At any rate, downvotes do not hurt me, but I am disappointed by the narrow view of what the word terrorism means.
You can't just choose to neglect the connotations a word carries with it and expect everyone else to do the same, especially while those connotations are still culturally relevant.
Terrorism carries certain meanings in today's political climate, and by using it loosely, you're implicitly linking session hijacking as a means to spread awareness of a longstanding vulnerability to a religious, political and usually violent term. It's akin to calling someone a Nazi, even if there is a comparison to Nazism that could be made.
Feel free to use it as you want, but to expect any other reaction than the one you got is wishful thinking.
I understand what you are saying. Perhaps comparing session hijacking to terrorism is a little too harsh when it is put like that.
It is still the closest word I can think of which describes what one does if they run Idiocy: threaten other people's online confidence and make them more frightened, and hence more cautious in the future.
Only time will tell if Firesheep and Idiocracy are the 9/11 of the online world, leading to more HTTPS (compared to the way real world terrorism resulted in more airport security protocols). Although it might seem harsh there are a lot of similarities.
By that definition, if I find a flaw in (as an example) the New York Times, and e-mail them explaining the flaw and how to fix it, I'm engaging in cyber terrorism.
Shit, I remember when people would throw around the words "white hat" and "black hat", instead of "terrorism".
No one gets scared when you point out a flaw in the New York Times. (Except maybe the writer who is now at risk of getting fired.) Additionally, pointing out a flaw in a newspaper is not illegal. Impersonating someone is (or can be depending on what you do while impersonating them).
Whether it is black hat or white hat wasn't my point. My point is that Idiocy aims to accomplish change by scaring people and getting media attention. That is the same thing that terrorism does, so I think the term fits.
Now whether it is possible to have "white hat" terrorism is another related argument but it doesn't invalidate my original point.
Terrorism is used by many groups. In the broadest definition terrorism is the systematic use of fear especially as a means of coercion.
Therefore, the spreading of FUD by politicians definitely fits under the umbrella of terrorism. In fact if you take out the media factor the United States commits terrorism all the time with its drones flying in the Middle East. Terrorism is being used to fight terrorists. When a parent threatens a child with punishment for not changing their behavior it is terrorism.
As I said, you can debate whether it is possible to have "good terrorism" or terrorism for a noble cause. Sometimes fear seems to be necessary. If criminals and citizens weren't at least slightly afraid of the police and government the world would probably be a lot more dangerous.
Didn't mean to imply I disagreed with your stance, just pointing out the relative security (unless someone else knows something) of running it.
It probably is illegal, yes, and I won't personally run it, nor recommend anyone else does (as much as I've toyed with the idea of doing just such a thing by hand, at times). One could consider this civil disobedience, however, as it's not inherently harmful nor capable of spreading like a virus, and is for a good cause. At worst it annoys and makes people more paranoid online (as they should be), at best it causes change.
I understand. Mainly I'm just worried that people aren't thinking things through completely when they make a tool like this freely available.
Personally I expect that Firesheep will be used mostly by 4chan, script kiddies, and others who just want lulz. Idiocy is clearly an attempt to use the same concepts for good, but it is still mildly worrying from the point of view of the methods being used to accomplish the goal. Like I said, it feels like a terrorist-style attention grabber to me.
I think it is sort of interesting that terrorism is such a loaded term that people object to its use. Terrorism doesn't have to involve killing people. It just means scaring people into doing what you want.
While I understand what you're saying, the problem with terms like that is that they shut down rational thought for many people.
It's by no means the only such term, though: 'Republican' and 'Democrat' have the same kind of effect for a very large percentage of the population, with thoughts equivalent to, "Oh, he's an X. That tells me all I need to know about him and I don't have to know anything else."
Actually a good idea, but a MUCH better idea would be to automatically post a direct message to that person (from your own account or from a central Idiocy account) about the problem, rather than hijacking the session and basically hacking the account, running into problems with the law.
I've been bouncing this back and forth with people all day!
Posting to your own account is an easily understandable visible demonstration of what's possible and why they should care - a DM from another account, or an @ just won't have the same effect on the user.
I might see if it's possible to send a DM to yourself, as that would achieve the same result without the public exposure.
To DM them, you'd have to make them follow you first, which would still require using the hijacked session. Roaming around busy public WiFi doing that would be an easy way to get a bunch of Twitter followers though!
It's not really viable to serve most things over HTTPS because there's no hope of caching anywhere but at the end-point (and that's usually disabled by default, too).
That seems to imply it's a single tool, and once this is "stopped" you don't need to worry any more. Surely it should mention instead that a recently released tool is widely publicised? Firesheep didn't make this possible, it has been for a long time, it just made it more accessible.
I thought the rest of the paragraph covered that, but I'm happy to edit it if you can suggest a rephrasing?
It's just supposed to be a quick introduction stating that the chances of being exploited are significantly higher now that the entry barrier is practically non-existent.
I get a slightly hard-to-read vibe from the page, personally. Maybe the contrast, maybe the harsher anti-aliasing in Windows (used to OSX), maybe the largish sans-serif font.
I don't like it that Firesheep is driving everyone to use HTTPS.
You cannot have multiple SSL certs on a single IP and you have to pay a significant amount to get a cert that won't pop up an annoying page which turns away most non-technical users.
There needs to be an alternative which just does key exchange and symmetric encryption without the identification.
It has surprisingly high client support, but obviously isn't universal enough for you to rely on it working.
With a protocol which doesn't require a certificate, you're still subject to MITM attacks. These are particularly viable on public wifi networks -- just set up a rogue access point.
If people moved to your scheme MITM would become common and we'd be writing about FirePiggyInTheMiddle or similar. They can be automated. You need some trust infrastructure for encryption to work.
In order to do FirePiggyInTheMiddle, you need to control the router. You can't just sit in the subnet and start sending commands to random clients to hijack their connection, especially when it is symmetrically encrypted.
Ok you guys can stop with the "but what about this" now.
We all realize there are 1000 different attacks with various levels of difficulty and all of which have appropriate countermeasures and are nowhere near the success rate nor ubiquity of simply receiving packets.
MITM over wifi isn't much harder than this attack, you've just got to convince people to associate with your AP rather than the default. Ettercap has been able to do that sort of thing for years; all that's needed is a swanky front-end.
Doesn't seem to line up much... his stance is about running his own open wireless access point, and how much FUD there is around it, not SSL on websites.
edit: ah, now I see what you were getting at. Though things have changed now that it's easier, and there's nothing inherently dangerous with open wifi - SSH to your server, and you're plenty secure.
It educates by providing information about the attack used and how to prevent it happening in the future. You can find the link provided to users here: http://jonty.co.uk/idiocy-what
The tweet can be instantly removed by the user. It's hardly vandalism as nothing is being damaged or destroyed.
As I've said in a message elsewhere in this thread, posting to your own account is an easily understandable visible demonstration of what's possible and why they should care - a DM from another account, or an @ just won't have the same effect on the user.
I've been informed that it's possible to send a DM to yourself, so I'm going to add that as an option shortly.
Ok, dumb question time: Outside of things like banks, does anyone actually run a 100% SSL web server?
I thought the point of Firesheep was more "don't use unsecured networks" than "don't use websites that aren't 100% SSL." If it's the former, then this only does any good if the "victims" are the people providing the service. How many people do you think are going to notice this tweet immediately, realize where they were when it happened, and complain to the wifi provider (whose response, of course, will be "use at your own risk")?
It might do some good for people running insecure networks at home, but the people that understand what happened and how to fix it would already be running secure networks at home.
Has anyone gotten this thing to even work? Seems to rely on http://code.google.com/p/pypcap/ and when I attempt install from source the install.py turns out to be horribly useless.
Without installing that pypcap thing and just using libpcap, I get this error:
Traceback (most recent call last):
  File "idiocy.py", line 128, in <module>
    main()
  File "idiocy.py", line 20, in main
    cap = pcap.pcap(device)
AttributeError: 'module' object has no attribute 'pcap'
How does this educate users, who don't have the option of using SSL to begin with? It's the website operators that need the education. This just embarrasses users due to no fault of their own.
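A check from the site operator's side, added here as an example (it is not code from the thread or from the Idiocy project): it parses Set-Cookie headers and flags session-looking cookies that lack the Secure attribute, since those are sent on every plain http:// request and are what a passive sniffer on open wifi collects. The sample headers and the session-name heuristic are constructed.

```python
"""Audit Set-Cookie headers for cookies that would leak over plain HTTP.

Added example, not part of the thread or of the Idiocy/Firesheep code.
Attribute names follow RFC 6265; the sample responses are constructed.
"""
from typing import Dict, List

# Heuristic list of substrings that usually mark a session token (assumption).
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into name, value and attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True.
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(set_cookie_headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per cookie listing the protections it is missing."""
    findings = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        attrs = cookie["attrs"]
        session_like = any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")    # sent in the clear on any http:// request
        if "httponly" not in attrs:
            missing.append("HttpOnly")  # readable by script; unrelated to sniffing
        findings.append({
            "name": cookie["name"],
            "session_like": session_like,
            "missing": missing,
            # The case the thread is about: a session cookie without Secure.
            "sniffable": session_like and "secure" not in attrs,
        })
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK_HEADERS = [
    "session_id=AbC123; Path=/; HttpOnly",
    "lang=en; Path=/",
]
HARDENED_HEADERS = [
    "session_id=AbC123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for f in audit_cookies(headers):
            state = "SNIFFABLE" if f["sniffable"] else "ok"
            print(f"{label:8} {f['name']:12} {state:9} missing={f['missing']}")
```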
What does it tweet? So far I'm only seeing people tweeting about Idiocy, nothing that appears to be coming from Idiocy. Different tones / content of the message could have extremely differing responses, and as it's intentionally high profile, should be extremely careful.
Unfortunately, the link it includes doesn't contain the part mentioning this capability is nothing new, merely that there's a new tool for it: http://jonty.co.uk/idiocy-what
If the creator is browsing through these: include that part, or people will associate the danger with the new tool, and nothing else.
I think I'd swap the first and second paragraphs. That way, it makes more sense after "What happened?!", and reassures people ASAP so they won't lose interest / be confused before they find out what happened.
It's like if Microsoft started distributing viruses and worms to alert you of new bulletin updates, which is something some security experts condemn (sorry, I couldn't find the article about Conficker with experts discussing this as an approach to fight Conficker).
One downside to some (often interpreted) languages is that there isn't always an easy way to package them up into a single binary for user consumption.
I'm pretty sure you can install all the dependencies with macports, but you can't put the wireless card in monitor mode using the 'iw' command, because there's no iwtools on the mac AFAIK. And monitor (or promiscuous) mode is necessary.
$ python idiocy.py
Traceback (most recent call last):
  File "idiocy.py", line 2, in <module>
    import getopt, sys, pcap, dpkt, re, httplib, urllib
ImportError: No module named pcap
I'm not a python programmer. I don't see anything the equivalent of 'gem' to install modules. Googling isn't helping. Here's what I thought to try so far.
$ easy_install libpcap python-pcap python-dpkt
Searching for libpcap
Reading http://pypi.python.org/simple/libpcap/
Couldn't find index page for 'libpcap' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading http://pypi.python.org/simple/
No local packages or download links found for libpcap
error: Could not find suitable distribution for Requirement.parse('libpcap')
master>pip install pcap
Downloading/unpacking pcap
Could not find any downloads that satisfy the requirement pcap
No distributions at all found for pcap
Storing complete log in /Users/bob/.pip/pip.log