Firesheep, a week later: Idiot Shepherds
In only one week, Firesheep has captured the attention and interest of hundreds of thousands of people around the world, and has spurred a lot of great discussion. This is the second in a series of posts highlighting and responding to topics I found most interesting.
Previous post in series: Ethics and Legality
In addition to all the news articles, blog posts, comments, and tweets, Firesheep has inspired some people to respond with code.
One developer thought Firesheep, as a mostly passive tool, didn’t go far to warn people about the dangers of using insecure websites. He released a new tool called Idiocy which automatically hijacks any Twitter accounts it spots and posts a tweet as them, offering a much more blunt reminder to both the victim and their followers.
Idiocy, at less than 130 lines of code, is an important example of how easy eavesdropping can be.
While Idiocy might offer a useful message, Twitter users have no way to use the website securely without a third party tool like HTTPS Everywhere. Very few people have actually been affected by Idiocy, a search on twitter at this time shows less than a dozen tweets containing the message posted by Idiocy.
Another developer created FireShepherd, which has been widely reported as a way to stay “safe” while using insecure websites on public networks. To understand how this tool works, imagine your friend gets drunk at a bar and starts shouting his credit card number to everyone within earshot. Knowing he isn’t in his right mind and will likely regret his actions in the morning, you decide to intervene by shouting “LALALA” even louder with the hope that nobody will be able to hear what he is saying. While this may prevent some people from hearing the card number, it won’t stop everyone, and will most certainly upset everyone else at the bar even further.
This is essentially what FireShepherd does. FireShephed continuously sends random data over the network in an attempt to confuse session hijacking tools such as Firesheep. To an attacker, this is nothing more than a simple annoyance. FireShepherd does not change the fact that sensitive information is being sent insecurely.
Sending out lots of random data, especially over a wireless network, can disturb everyone else on the network and result in their connections becoming slow and/or unreliable. In addition, FireShepherd by default sends all this data out over the Internet to www.facebook.com, placing unnecessary load on their servers. This is usually referred to as a Distributed Denial of Service Attack, and is probably not something you want to participate in.
FireShepherd provides no real security and is harmful to Facebook’s servers and the local network which it is used on. Nobody should recommend using it for any reason.