Firesheep: Bringing Intuitive Snooping to the Masses

This is a seriously fucking evil piece of software.

Snooping on fellow web users in public is now possible with Apple-level simplicity. Install this third-party Firefox add-on and you can be reading the private Facebook messages of those around you in just two clicks. The flip side is, you’d better protect yourself immediately, unless you want your personal life to be laid bare, captured by an ethereal sieve. At last count Firesheep has been downloaded 130k times—and that was just the first 24 hours.

Firesheep takes advantage of a very well-worn (and well-known) security vulnerability. When you are surfing the web on an open network at an airport, or a coffee shop, or library, or dorm, you are occupying the same wireless spectrum as those around you. In the same way that people in airports, coffee shops, libraries, and dorms can listen in on your conversations, people on the same wireless network can also passively listen and intercept your Internet communications.

This is known as “packet sniffing” and is not a new phenomenon. What is new is that packet sniffing has been democratized. Firesheep is an extremely user-friendly packet sniffer. It removes the quirks, guesswork, and command-line tenor from the experience. It has an admirable level of design and polish, masking several processes under a simple interface layer. It is invitingly simple—you might even call it Apple-esque.

Firesheep sniffs for a very specific type of information—cookies. Cookies are the de-facto identity system for the web. They can be used for things like authentication, storing site preferences, and shopping cart contents. You probably have hundreds of cookies stored on the computer you’re using right now. Cookies are how you stay logged into most web sites.

Firesheep monitors your current wifi network and waits for someone to log in to any of the 26 sites listed in its default database (which include Facebook, Yahoo Mail, Twitter, and Flickr—to name a few). Then it tries, in real-time, to intercept the cookie that the user is using to communicate with the site. If successful, Firesheep can trick the site into thinking that it is the same user. You, the Firesheep user, can do anything the real user can (send mail from Yahoo, change a Facebook profile, anything). This isn’t the same as stealing log-in details—it’s a temporary hijack. But the consequences for user privacy are enormous.

why did this dude make this evil, evil software?

This is no student project—it’s 21st century activism. Eric Butler, the author of Firesheep, created and released the plug-in in the great “grey hat” tradition.

In computer security lore, there are two hacker camps. “White hat” hackers are the good guys, the ethical hackers who defend government and business from the threat of the “black hats.” The black hats are the crackers, spammers, botnet operators, fraud artists, identity thieves, and other malcontents who are making the web unsafe for the rest of us.

Between these two camps are the “grey hats”—skilled hackers who sometimes act illegally, though generally in good will, to raise awareness and achieve greater security. Butler released Firesheep at a security conference this week, ostensibly to force operators of insecure web services to get their act together: “This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” he wrote on his blog.

Butler may already be having an impact. Facebook released a public statement yesterday, in which it assured users that secure log-in was coming in a matter of months (services like Gmail already use Transport Layer Security for https:// encryption). The best outcome of the Firesheep release would be a pitchfork-waving mob demanding greater and more consistent use of TLS.

But you have to question the morality of releasing this monster upon the world. Many grey hats limit their disclosure of vulnerabilities on a need-to-know basis—not Butler, who wrapped these vulnerabilities in pleasing, well-designed, easy-to-use software. Later in life, J. Robert Oppenheimer (director of the Los Alamos laboratory in wartime and “father of the atomic bomb”) confessed that his motivation for creating the bomb was to make war impossible. Of course, war continued. And now the bomb is out there. Is Eric Butler a lesser Oppenheimer? Or will Firesheep shame the web into taking user privacy more seriously?

I asked some friends for reactions to Firesheep. “Scary,” said most. One friend called it “fucking rad.” Another reported the reaction of his colleague: “That’s a hell of a way to make a point.”

This whole episode strikes me as important, and a critical juncture. I’ll bet that Firesheep will be common knowledge in college dorms in under two weeks. It will quickly capture mainstream media attention in the way that other comets like Chat Roulette have. It will viscerally transform the way people understand privacy. And perhaps, one day, we will note it as a turning point in the debate about the open web, and citizens’ relationship with information technology.

the new napster?

Though diabolical, Firesheep is something special. It’s in the details. Simply turn on monitoring, and users’ full names will automatically begin appearing in a sidebar, along with service and profile icons. Read that sentence again. Seriously, profile icons! You’re presented with a array of sessions that you can immediately open in a new browser tab. Want to see what John Smith has in his Yahoo! inbox? Go ahead! Want to see what Stacy Lee is privately messaging to her boyfriend in Facebook? Be my guest.

Firesheep unifies a number of invisible exploit mechanics, packages them with a pre-configured database of known insecure sites, and enables the user to snoop on anyone in the vicinity with a single click.

Illicit software is rarely this accessible. Running this exploit the traditional way may not be that difficult, but still requires knowledge, focus, and purpose—not to mention three or four steps. Sidejacking nearby users in Firesheep takes zero steps—it’s completely automated. You can immediately assume the identity of any nearby users in a new browser tab. And (this bears repeating, because it’s just too rich): you get a neat, automatically populated array of profile icons. It feels too easy to be hacking.

Firesheep is the new Napster—a dead-simple piece of consumer software that upends the established order. Both apps were exploitative (and innovative) in their own ways. Napster torpedoed the perceived safety in intellectual property and Firesheep will do the same for privacy.

Before Napster, widescale copying was commonplace but not that easy. Napster made it so easy that people overcame the stigma of “stealing.” In so doing, Napster transformed the attitudes of a generation of computer users. Expect the same from Firesheep. Today’s high schoolers live in public, and the compunctions of their peers cannot be relied upon to stay them from snooping. Voyeurism and surveillance are embedded in American pop culture and government—and now it’s so easy! Do we really expect that this stuff won’t flourish?

What Napster and Firesheep have in common, arguably, is that they facilitate taking what is not yours. Not just technically, but practically. In 1999 that was copyrighted music. In 2010 that’s personal information. We put more of ourselves online than ever before, which is what makes Firesheep so seductive. Mark my words: Firesheep will not be the last tool to bring intuitive snooping to the masses.^

I’m not arguing that the web is a more dangerous place now than it was two days ago, or that any of these problems are new. I’m just saying, fuck.

an “open” question

It’s hard to shake the feeling that Butler has knowingly initiated a new phase in the public perception of the open web. Set aside the ethical hacker questions for a moment. This is a watershed moment. Can you imagine an app like this appearing in the iOS App Store? The answer is, never, not in a million years, never. As deadly as roving script kiddies with packet-sniffing iPhones might be, Apple will ensure that this will only ever happen on jail-broken devices. And most people would probably consider this a good thing.

in the history of the web, there has been lots of good, arguably legitimate software that was more or less illegal. I’m thinking of DeCSS and Handbrake, to name a few. But I’m sure most people never felt personally threatened by DeCSS. Firesheep is another story.

Here’s an easily resolvable thought experiment. Imagine if 2010 Apple had 1999 Microsoft-level dominance when Shawn Fanning developed the first version of Napster. In order for Napster to work on most computers, Fanning would have to submit the app to Apple for review. Would Apple accept Napster into the store? The answer is never, not in a million years, never. If Napster were structurally preventable, would we be better off today? We’ll never know. If Firesheep were structurally preventable, would we be better off today? I think public opinion would be unanimous on this. 500 million Facebook users suddenly feel very naked in public.

The Firesheep episode is the first of many trials by fire for the open way of doing things. And that’s why the “open” response is critical. The increased exposure from Firesheep will hopefully pressure platform operators into plugging this particular security hole. But though Firesheep uses a known exploit, it’s so fundamental that it certainly won’t be remedied overnight.

In the meantime, many will turn a critical eye toward the open web, rightly criticizing it for being a rough neighborhood. In the coming years, they might even flee to the suburbs of managed platforms. We should hope this is not the case—I hear they have harsh zoning laws.

Notes

^The first signs of this will be a resurgence of low-fi tricks like keyloggers and social engineering. The next wave will be web-based—javascripts embedded in blogs and other personal profiles to capture visitor information (savvy teenagers already examine their visitor logs and analytics). Industry has a huge head-start on advanced privacy violative apps: data-mining, heatmaps, typing cadence correlation, and beacons all contribute to make you personally identifiable, even if you take all reasonable steps to anonymize yourself. See EFF’s Panopticlick project for more.