Firesheep, a week later: Ethics and Legality
In only one week, Firesheep has captured the attention and interest of hundreds of thousands of people around the world, and has spurred a lot of great discussion. This is the first in a series of posts highlighting and responding to topics I found most interesting.
I’ve received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I’d like to be clear about this: It is nobody’s business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: “Is it legal to access someone else’s accounts without their permission?”.
While the answer to this question is likely dependent on many variables and will almost certainly be debated for months or years to come, it should not matter to anyone reading this. It goes without saying that harassing or attacking people is a terrible thing to do. To suggest Firesheep was created for this purpose is completely false; Firesheep was created to raise awareness about an existing and frequently ignored problem. As I’ve said before, I reject the notion that something like Firesheep turns otherwise innocent people evil.
Reports have been trickling in that Microsoft’s anti-virus software is now detecting Firesheep as a threat, despite the fact that Firesheep poses absolutely no threat to the integrity of the system it’s installed on, and as mentioned earlier, has many legitimate uses. By installing anti-virus, you grant a third party the ability to remove files from your system trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer. This is dangerous, but unfortunately not unprecedented. The same thing has happened over and over with Apple’s iOS App Store.
Firesheep has brought a discussion about very important issues into the limelight. Censorship does not offer a solution to these underlying issues, and will only cause further problems. For many people, code is a form of speech, and the freedom of speech must remain protected. If Microsoft wants to improve security with censorship, it would be more appropriate to block the insecure websites that are exposing user information in the first place.
Mozilla understands being a dictator is not their role and instead offers information about new features coming in the next version of Firefox that companies can use to further protect their users. Of course, companies have to care, and that remains a big problem.
In addition to questioning Firesheep’s legality, some people have questioned the ethics of its release. Similar tools have existed for years, so big companies, especially Facebook and Twitter, cannot claim they are unaware of these issues. They have knowingly placed user privacy on the back burner, and I’d be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep.
Comments 27 Comments
Clean slate project, anyone?
http://cleanslate.stanford.edu/index.php
Keep up the good work i like your writing.
For example of a generally accepted mode of software control, see video game rating systems. Hypothetically, if someone created software thats sole purpose was to facilitate child porn, there's a strong case that possessing the software (not merely using it) should be illegal. Despite the merits (or lack thereof) of censorship, most governments do have the power to outlaw certain software.
In New Zealand at least, there's at least a starter of an argument that mere possession of firesheep is illegal (I wrote on it here: http://webbross.co.nz/blog/?p=356, also see in particular s251 Crimes Act).
This might be correct in your country. Just like instrum3nt mentioned, some have other laws... In Germany we have the so called "Hackerparagraf"
(§ 202c StGB) that disallows the use of software that gathers access or access credentials to protected data.
However, I am not a legal expert.
Personally I think that such tools like Firesheep should not be made available in such form that even dummies can use it to steal logins from other users. Instead, you could have chosen to just show alerts on what sessions are vulnerable (on the own or remote PCs), but not actually let the user "break in."
Sure, running VPNs or TLS/SSL solves the problem. On the other side it increases the load on servers, clients, and networks. There might be architectural fixes that require less resources.
Yours
John
In response to "Personally I think that such tools like Firesheep should not be made available in such form that even dummies can use it to steal logins from other users."
Unfortunately as I believe the author has pointed out in past posts there are already a number of tools out there which automate a lesser portion of this process. They're generally ignored by the masses and thus the media and the service providers offering these insecure systems. Cain & Abel has had the ability to capture passwords and form submissions for years, I used it against many a Facebook user on campus back in my dumber days, and a little skill with Wireshark will get you anything you want.
Firesheep has only had the impact it's had due to the fact that it's so easy to use that any idiot can try it and see for themselves that these sites are insecure. All you need are an open or WEP wireless AP and two laptops. It's the nuclear option, but it's not like the earlier stages of alerting people to the vulnerability hadn't been done already.
I work in lower echelons of IT where our daily grind is dealing with bloody-minded 'clients' typical of a small corporate. We are essentially Windows cleaners and don't get to deal with the pointy end of security (we don't get out much).
When I demonstrated Firesheep to some colleagues, they were quite taken aback to see their Facebook profiles effortlessly stolen (in a lab demo). Though aware of WinPcap & security, this was a tipping point for them, witnessing how easy IT ALREADY IS for the bad guys.
Lazy scriptkiddies might find Firesheep a great dumb-down tool, but their victims will inevitably get done, whether or not it exists.
Arguing against Firesheep is like saying auto transmissions should never have been released because less-skilled getaway drivers can then rob banks.
If you guys are worried, just use a VPN and protect yourself. That's the real issue here. You wouldn't walk into an amazon jungle without protection. Why should online be any different? Go to privateinternetaccess.com and get a VPN.
"""
"Hackerparagraf"
(§ 202c StGB) that disallows the use of software that gathers access or access credentials to protected data.
"""
Except the data isn't protected. It is being sent over the network completely unprotected. One might almost liken it to hanging your house keys on the gate in front of your yard. Someone walking by, takes the key that is just hanging there, puts 1 and 1 together and uses the key to enter your house.
The problem can't be ignored any longer thanks to the awareness that FireSheep brought. So I created a report card of various online services from FireSheep testing.
http://www.digitalsociety.org/2010/11/online-services-security-report-card/
That said, I'd encourage you to give more thought to how you're presenting your legal and moral opinions on the subject, along with a stronger statement about misuse. It seems clear you're in no danger legally, but a minority of your users might be.
You're not doing them any favors by blending your beliefs and ideals and wording them as fact or downplaying risk. Even if you're 100% right for some jurisdictions, surely it won't be for others. Language that's fine for an internet argument may be poor advice for a teenager in Texas.
Clearly warning users to restrict their use to their own networks and accounts or ones they gain permission for would go a long way. Obviously many people would ignore it, but it would likely save at least some less technical users from doing something they'd later regret.
It might also be charitable to mention that the tool makes no significant attempt to disguise its use and that actively hijacked sessions can be easily detected by site owners, network owners, local users and others if they are looking for them. Perhaps that is by design, but I've seen several instances of people with good intentions but poor judgement who believed they were effectively untraceable.
Plus, easy tools like this make testing so much easier!
I'm also curious - how long did this tool take you to build end to end? I've never written a plugin before, but was considering something similar at some point, and would definitely appreciate any input as to the difficulty of it.
Sadly what is meant for good will always be exploited by those who want to use it for bad, it should not mean that the good folks get penalised because of those who cannot behave! Same goes for a lot of things these days.
I believe you and thank you for making this tool, which will help me test the security of my website and also my visitors will benefit from being on a secure site.
Peace out, Twistyd Morticia - sat listening to kids throwing fireworks which is totally dangerous when fireworks are meant for bonfire night with adult supervision.
@mfukar: tcpdump itself shouldn't be a problem as long as you use is only in a legal context. But there are tools which are illegal to have in Germany, e.g. tools that can bypass copyright protection of CDs, DVDs.
The operator of an unsecured wireless network runs a much higher risk for being held liable and potentially sued for samages.
Even in the USA legislation is moving away from "free speech." It's a fact.
@wohlrah, @ALL: I didn't say that it's unethical to publish Firesheep I am just not sure if it's a good idea.
However, I acknowledge and honor Eric Butler's effort. Let's see what happens. It could as well be the needed trigger event to push for a widely security fix.
Question:
Is there any setup of a wireless network that makes is safe in that respect. I mean without using VPN or SSL/TLS in the presentation layer? (OSI model) Wohlra mentions that even WEP secured networks are unsafe (which is true of course.)
Do you think WPAv2 is safe enough?
Thanks.
I hope this makes people change their networks and start taking security into consideration.
Moral and ethics arguments be damned, I say.
Good on you for going to the trouble of showing the majors something that should never have been allowed to happen.
Do they serve Beer (or Bier) in prison?
Can I make special requests, as I'm actually more partial to spirits, and I do like spicy food :)
1. Governments do have the power to censor software, that is obvious from numerous laws all over the world that do exactly that.
2. I never said that governments *should* have that power - maybe they should, maybe not. That would be a topic for a thesis, not a short blog post.
3. "The article clearly addresses that this is not what firesheep was made for." You are right - the article argues that the software was not made for an illegal purpose. But that's not what I was talking about. You have to agree it's hard to see what the legitimate use is for a consumer downloading and/or using it, unless there's consent. And if there's consent then you won't be causing damage and falling foul of NZ law.
I don't see what your point is.