Schneier on Security
A blog covering security and security technology.
« My Next Book: Title and Cover |
| Did Reason Evolve as a Persuasion Tool? »
June 22, 2011
Firesheep in Use
Nice article on Firesheep in action.
Posted on June 22, 2011 at 6:23 AM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Of course this was written 6 months ago, and some of the info is now out of date - for example Facebook does now allow for https. It is still pretty relevant though, as you can check by using the same methodology in Starbucks today :-/
The author also (unwittingly) makes a good point about the credibility of a warning. How many users X out of "Critical System Update" windows that pop up on their desktop? How many of us are familiar with malware that poses as security software?
I think "I'm at [XYZ] Starbucks and I can see your FB account" is pretty compelling, and I think a 75% adoption rate (only 5 left out of 20) is pretty good. But could any professionals weigh in? What might have worked better?
Ah yes, I remember catching this article on the Mozilla grapevine. This is the perfect anecdote that all the security research can't help some people. They're just plain idiots.
Ah, a Firefox extension. For a second there, I thought Al Qaeda had come up with a movie plot threat. ;-p
@Danny. "They're just plain idiots", duh. There are no qualifications for buying a computer. It doesn't really even take that much money.
We can't have a secure Internet if "users" are given a critical role in security. They're amateurs at best and idiots on average. An engineered solution won't depend on users, there are too many of them and their quality is not-so-good.
Now, if we all recall Paul Chambers' ordeal, being arrested after tweeting a joke about a bomb threat at the airport, imagine what one can do if they run firesheep at an airport and snatch dozens or hundreds of facebook and twitter identities? Of course, this could have been done by any skilled user at anytime in the past, but now you don't even have to be a script kiddie.
If we all recall the line from Preston Tucker about the state of the safety of automobiles in the 1940's: "And if it were up to me, they'd be tried and convicted of manslaughter." One could say something similar about facebook and other sites that refuse to implement https by default. I do hope they are successfully sued by a a class of victims who were the victims of malicious action on facebook.
@John Perich: "What might have worked better?"
How about an extremely vulgar and offensive, expletive laden message to their mothers, mothers-in-law, and employers? That is, unless their family and employers are comedians such as Gilbert Gottfried...
I'm ignorant on this, but does facebook's openid system tie into retailers and the like, of which may store you credit card info?
Seems like an easy lawsuit against facebook for the https hole and something they would want to actively be turning on by default. Of course they probably have studies on how it affects server performance and have determined its not cost effective. How to provide better economic case?
"We can't have a secure Internet if "users" are given a critical role in security. They're amateurs at best and idiots on average. An engineered solution won't depend on users, there are too many of them and their quality is not-so-good."
I am reminded of a comic I read where the user complains to the IT guy, "if your security was up to snuff it wouldn't matter if my password was "password".
We are meant to laugh at the user, but he has a point, what we need is real 2-factor security, then it wouldn't matter much if the password was "password" if you don't have the physical token, you can't do anything.
2-factor authentication is only effective when someone is coming in the front door. Real security covers the windows, the back doors, tunnels coming in the basement, etc. The scenario in the comic shows a true lack of understanding about what real security encompasses.
Nobody seems to be bothered that this is at best unethical and at worst Illegal. Yes, firesheep is an issue but admitting to using it in anger against the public, *and* actually accessing their accounts seems to me to be just plain dumb.
I suspect the same attitude was shared by the employees of Lockheed Martin. I don't believe that did them much good.
Multi-factor authentication is only any good if ALL factors are strong.
Did anyone catch the requirement to post comments???? You have to log in with your Facebook account. Ironic?
In terms of the users he notified not 'getting it' I don't think it has anything to do with them being idiots. That is because I believe ignorance is separate from idiocy in that for many, many people in this society technology so foreign that they simply don't understand it well enough to deal with it concretely. Deer that stand in the road watching the approaching headlights aren't idiots, simply poorly adapted to the two tons of technology bearing down on them.
Scott Adams had a good point in one of his Dilbert books. We are all idiots at some point or in some facet of our lives. I suggest a new term for technology challenged people: Technids. Technical idiots. They might be origami wizards, experts in biology or skilled negotiators but they are dumb when it comes to computers in general.
The more commonly accepted term seems to be "Luddite"
2-factor authentication is only effective when someone is coming in the front door.
Which brings to mind, is this same issue of sidejacking also accomplishable through code inside webadverts?
Especially if someone is logged into Facebook in one browser tab and reads some page (with adverts on it) on another tab?
@Nearly everyone else
Some people may be "idiots" when it comes to computer technology but are very talented in other areas. Or they may in any case have contributed to the society through their work in other fields.
The arrogance of the comments on this page is astounding. A person who doesn't care about security as much as you is not an "idiot." They have simply made a different cost/benefit than you. The weak link isn't the user's judgement, it the reality that they have made a contrasting judgement.
The most "idiotic" thing about security professionals is that they will never accept that most people just don't care about security as much as they do. Shouting "fools" at each other doesn't advance the conversation, anymore than shouting "crazy" and other such labels.
"The more commonly accepted term seems to be 'Luddite'"
I see no reason to switch from the age-old (well, since, what, the '60's? '70's?) term "luser".
Daniel: Excuse me, but we're not talking about ice cream preferences, Jersey Shore, or Kim Kardashian here. We're talking about SECURITY. People who are not interested in security ARE idiots!
Either that or they're dead.
Especially since they run around like headless chickens every time someone whispers "terrorism" or "crime".
Are they interested in locking their home and car doors and windows? Of course. Why is computer security any different? Simply because they don't understand it.
I read a piece the other day about the mental models people have of computer viruses and hackers. It's astounding how ignorant people are of these subjects. Repeatedly the article pointed out that user poor choices in computer security were grounded in their incorrect and distorted mental models of how malware and hackers work. In short, in their general ignorance of the technology.
And frequently these poor mental models led them to dismiss taking steps to prevent malware and hacking because they believed they were immune because they didn't do certain things that they thought (incorrectly) were the only ways to be affected by malware and hackers.
The reason people take care about personal security is because they understand burglars and muggers (although I'm quite sure many people have bad mental models of those events, too.) When it comes to technology, they're ignorant.
When they become idiots is when they decide to remain ignorant.
"The arrogance of the comments on this page is astounding"
While some comments may indeed be over-simplifying the issue, it must be said that there is a distinct difference between ignorance and negligence. Whether the latter originates from stupidity or a formal risk management/cost-benefit analysis wil not prevent you from potentially getting in serious trouble under tort law, especially if 3rd parties are harmed.
In Merriam-Webster, negligence is defined as "a failure to exercise the care that a reasonably prudent person would exercise in like circumstances". IMHO the reaction of the reasonably prudent person - even if not computer literate or security-conscious at all - would be one of disbelief and distress when confronted in real-time with someone who has broken into his account, explicitely warning him of exposure.
Carrying on business as usual in that case is about just as irresponsible as continuing a trip through the night after someone has pointed out that the headlights of your car are not working. Again: there is a huge difference between not knowing and not caring. I deeply sympathise with innocent folks who in their ignorance fall victim to computer crime, but I have none whatsoever for those who willing and knowing fail to exercise due diligence, making the internet an unsafer place not just for themselves, but for others too.
I think users have to take SOME responsibility for their security. But I feel like the unsecured Wi-Fi/no HTTPS/insecure cookie design is also something that users shouldn't reasonably be expected to know about, understand or work around. The Starbucks users may have been thinking (rightly, IMO) that this really is a problem someone else should be solving. "Just don't use your computer" is not security advice that's designed to be follow.
Basically, there are certainly lazy users who contribute to the poor state of security. But to be honest, I feel like the problem revealed by Firesheep is a lazy developer problem, not a problem with users.
Time to turn on Strict Transport Security. It also wouldn't be much to purchase and install a EV-SSL certificate on your servers, too.
"But to be honest, I feel like the problem revealed by Firesheep is a lazy developer problem, not a problem with users."
Er, not entirely. The only analogy that comes to mind for these particular Starbucks users is that of a person who is being warned that his pants are about to fall off. Instead of pulling them up, he decides that exposing himself is not a problem or that he can always blame the vendor or place he bought it from for not informing him that he required a belt or braces too.
It's probably worth noting Electronic Frontier Foundation's "HTTPS Everywhere" Firefox addon that force-redirects you to the SSL version of a site (when available). This takes the burden off of users to some degree.
I live in Vietnam, where access to Facebook is restricted via a DNS redirect dead-end. Ironically the government hasn't gotten around to blocking the SSL version of Facebook, so this is the ONLY way I can use the site. With the FF addon, I can always access the site whether i just type "facebook.com" in the address bar, or click on an unsecured facebook link in an email or on a webpage.
@Bogwitch: Multi-factor authentication is only any good if ALL factors are strong.
While multi-factor authentication is only as strong as it *could* be if all the factors are strong, I thought the whole point of multi-factor authentication was that it in a given instance it's as strong as its strongest factor. That's normally much better than the total collapse you get from any security weakness in an arrangement that's 'only as strong as its weakest element'.
As an addin or plugin for Firefox Https-Everywhere solves these issues. Clean and simple to use.
"Ironically the government hasn't gotten around to blocking the SSL version of Facebook, so this is the ONLY way I can use the site."
Wrong, there's Tor and you can use Tor's bridges to access the web, bypassing local filters for common Tor relays.
"Ironically the government hasn't gotten around to blocking the SSL version of Facebook, so this is the ONLY way I can use the site."
Also fairly easy to use an SSH proxy to bypass these types of blocks, and that method is particularly useful for web cafes and other untrusted networks.
(Easy to use, as in a couple clicks to turn on/off, but a fair bit more tech knowledge needed to set up. What someone should do is make a super easy FF add-on to install and manage such a tunnel. But that is beyond what is feasible for an add-on, I think, without an external installer.)
"only way i can use the site" was an overstatement. i use a vpn/ssh combo when accessing banking, etc back in the states (hopefully avoiding prying eyes of the government), but for casual use, the addon makes my life easier ;-)
outside of silicon valley or other tech-savvy locales, i think the average joe with a carmel macchiato in hand probably won't be firing up an ssh tunnel and configuring their browser to use it is a little more advanced than most people are willing to go.
*excuse the premature posting....
but i think you get the point...
"The more commonly accepted term seems to be "Luddite""
Luddites passionately and sometimes violently opposed technology. Most users merely have a hard time understanding technology/risks or motivating themselves to learn enough to use it properly. That's a big difference. They deserve a different label.
@ Dirk Praet
"it must be said that there is a distinct difference between ignorance and negligence."
That hits the nail on right on its head, as we say in our country. The people in the Starbucks saw evidence that someone was actively hacking their account, yet continued to use the same service in the same location. That's beyond ignorance and even beyond negligence: that's self-destructive.
And your pants analogy was both accurate and hilarious.
"Yes, firesheep is an issue but admitting to using it in anger against the public, *and* actually accessing their accounts seems to me to be just plain dumb."
Maybe. It's a gamble to test something and maybe prove a point. He succeeded on both counts. It's the best proof of how careless and self-destructive users are since the Didier Stevens little AdWords experiment.
"Is your PC virus free? Get it infected here!"
Yes, some of the comments come across as arrogant and smug; having dealt with many not very savvy users I have made plenty of uncharitable comments myself and got well frustrated. On the other hand (and as Blair noted above) most of these 'idiot' users are in fact very clever people indeed in their own fields.
So how come they 'fail' when it comes to computer security (or just in terms of general computing skills)? I put it down to three things:
- lack of motivation, because bad things don't happen often enough. Despite knowing the principles, I only really started backing things up systematically and very frequently after I'd spent a few days frantically recovering from a HD crash. Most of the time, things just work.
- lack of awareness: most people simply don't know how bad things can get, how easy it is in principle to screw you up or what you could do to protect yourself at relatively little effort or cost. Maybe people mostly know about viruses these days, but that's more or less the limit. In fact there is a sort of ostrich syllogism which says: "understanding security risks is a nerdy sort of thing. I'm not a nerd, therefore I'm not at risk";
- they use a different set of conceptual metaphors and/or use a mapping from the real world to the virtual world that is different to that used by the computerati. Simple example: some people like hierarchical tree structures for organising data, some like tagged data with a good search tool. I am sometimes bewildered by the different ways of viewing data and processes that some users have and by how much it seems to diverge from the way it is discussed in tech circles. The older I get and the more I talk to a wide range of users the more I think this is a major problem/security weakness. The metaphors many (most?) people use for everyday security are simply not flexible, comprehensive or robust enough for the different domain of computer security.
Those people had the choice of not using Facebook or using it insecurely. Apparently they made the conscious decision to take the risk and continue to use it, probably because they perceive the risk as small (and from all I know it really is small).
I can't see anything wrong with making a trade-off between convenience and risk, people do it all the time.
@J, "I can't see anything wrong with making a trade-off between convenience and risk, people do it all the time."
The trouble, J, comes not from making the trade-off in this particular instance, but from the way most average users will "extrapolate" to "convenience" in other areas, such as online finance. How many of these sheep users do you suppose would ignore a similar message about, say, an Amazon account?
@Richard Steven Hack
"Are they interested in locking their home and car doors and windows? Of course. Why is computer security any different? Simply because they don't understand it."
Yes but you can also not directly compare home and car doors/windows with some computer security issues such as this one.
The reason is, open doors and windows is something we can actually see. The issues discussed here happen in the cyberspace and are not in the same sense visible to anyone.
We cannot expect people to even be afraid of these issues because of all the securityFearMongering going around and at the same time the fact that these issues are about as visible as gnomes and fairies.
People are going to need some introduction from someone into these issues but in order to make time for it, they first need to be sufficiently worried about the issues. And they are not going to get worried about the issues until their mental model make the issues sufficiently plausible. Which is not going to happen tomorrow because the mental model would not be simple. Computer security issues such as this one are by nature complex.
So you first need to know a bunch before you can even be afraid.
Besides that there is the issue that anytime people have to draw conclusions about something that is not visible, they do that by choosing some sort of a model. This model is what they then believe in, be it about God or something more down to earth. We all have multiple models about various things and without accurate knowledge none/some/all of these are more or less skewed.
I mean I agree with you about the lack of understanding being the reason, it is just that the comparison to something physical is not apt here, IMHO.
@Dirk, re: "ignorance or negligance"
I'm reminded of the joke where the teacher asks a student to explain the difference between ignorance and apathy. The student replied "I don't know, and I don't care". I think apathy is as much a problem as ignorance or negligance.
"Computer security issues such as this one are by nature complex."
_Security_ problems are by nature complex. I don't really know how the lock in my door works, but I know that I should lock it. And it I return home and find a stranger in kitchen, that means I have a security problem (bad lock? weak door? windows? chimney?) and I have to fix it asap.
Jack: That's exactly what I said. Users make those choices because they don't understand them.
Your point that people won't make time to understand the problem because they don't believe the problem is precisely the chicken-and-egg issue with humans.
As someone once said, humans don't do the right thing until they get a boot up their ass in the sense of something bad enough happening to them to force them to do so. And I'm no exception.
Except even then, humans don't do the right thing - they do the expedient thing, or the thing some self-serving bozo tells them to do. Which is why the scareware industry is thriving, and why we're still in Iraq.
Bottom line: People ARE too stupid, ignorant and emotional to be educated to do the right thing. Which means these security issues are not going away for the foreseeable future.
Which means we'll continue to live with botnets and corporate breaches.
In other words: Well, you know the drill by now, I don't need to repeat myself.
Larry Seltzer has a relevant article:
You can't trust consumers to protect themselves
Almost every security proposal, especially the really broad ones, has an element of user education in it. "We've got to train users to look for these things and avoid them" or something to that effect. Many security experts will sigh and tell you that it's like teaching math to your dog. Not only will they not learn it, they don't even get the point.
@ Richard Steven Hack
"In other words: Well, you know the drill by now, I don't need to repeat myself."
Security is right around the corner?
Heh, heh...Optimism is its own reward! :-)
Maybe these 4 people were FBI agents waiting for the guy to do anything a bit more drastic to arrest him...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.