{ Codebutler } Firesheep – 1 Week Later

In only one week, Firesheep has captured the attention and interest of hundreds of thousands of people around the world, and has spurred a lot of great discussion. This is the first in a series of posts highlighting and responding to topics I found most interesting.

I’ve received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned whether Firesheep is legal to use. I’d like to be clear about this: it is nobody’s business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: “Is it legal to access someone else’s accounts without their permission?”

While the answer to this question is likely dependent on many variables and will almost certainly be debated for months or years to come, it should not matter to anyone reading this. It goes without saying that harassing or attacking people is a terrible thing to do. To suggest Firesheep was created for this purpose is completely false; Firesheep was created to raise awareness about an existing and frequently ignored problem. As I’ve said before, I reject the notion that something like Firesheep turns otherwise innocent people evil.

Reports have been trickling in that Microsoft’s anti-virus software is now detecting Firesheep as a threat, despite the fact that Firesheep poses absolutely no threat to the integrity of the system it’s installed on and, as mentioned earlier, has many legitimate uses. By installing anti-virus, you grant a third party the ability to remove files from your system, trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer. This is dangerous, but unfortunately not unprecedented. The same thing has happened over and over with Apple’s iOS App Store.

Firesheep has brought a discussion about very important issues into the limelight. Censorship does not offer a solution to these underlying issues, and will only cause further problems. For many people, code is a form of speech, and the freedom of speech must remain protected. If Microsoft wants to improve security with censorship, it would be more appropriate to block the insecure websites that are exposing user information in the first place.

Mozilla understands that being a dictator is not its role, and instead offers information about new features coming in the next version of Firefox that companies can use to further protect their users. Of course, companies have to care, and that remains a big problem.

In addition to questioning Firesheep’s legality, some people have questioned the ethics of its release. Similar tools have existed for years, so big companies, especially Facebook and Twitter, cannot claim they are unaware of these issues. They have knowingly placed user privacy on the back burner, and I’d be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep.

This entry was written by Zac, posted on Monday November 01 2010 at 09:11 am, filed under Ethical Hacking/Pen-Testing, Vulnerabilities.
