Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Privacy Encryption Facebook Firefox Security Social Networks The Internet Your Rights Online

Herding Firesheep In NYC — Do Users Care? 200

Posted by timothy
from the not-so-much dept.
An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."
This discussion has been archived. No new comments can be posted.

Herding Firesheep In NYC — Do Users Care?

Comments Filter:
  • by Moniker3 (1913952) on Friday October 29, 2010 @06:21PM (#34069402)
    People leave themselves signed into facebook all the time in my university library. Some people just don't care that much.
    • by PatHMV (701344) <post@patrickmartin.com> on Friday October 29, 2010 @07:17PM (#34069812) Homepage

      Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

      Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

      • Clearly from the warning he provided, he wasn't intending to do harm to them.

        I think he should have been a bit more mischievous:

        "So I'm sitting here at Starbucks and there's a cute guy across the room. What should I do?"

        Post the same message for both male and female profiles, optionally changing it to "girl" for the female profiles. Hilarity ensues.

      • by jpmorgan (517966)

        That will change when the first worm that uses sidejacking to spread appears. Defaces people's facebook pages to convince them to download and run the worm... worm runs in background sidejacking and defacing other people's facebook pages... and doing all the other malicious stuff malware likes to do.

        I figure we'll see it within a year or so.

        • by TheLink (130905) on Friday October 29, 2010 @10:43PM (#34070760) Journal

          Currently you're more likely to lose your entire laptop, bags etc to a thief at a cafe.

          Anyone in IT security or who attends stuff like defcon has known about this problem for years, but nothing much has happened in normal cafes (despite people getting embarassed at defcon year after year).

          But the malware bunch have never bothered because it was not really worth it. They have no big difficulty getting people to run malware - they don't even have to be in the same country much less the same cafe. The spammers still send spam, the worms still spread, the zombies still get installed.

          It'd only be a big problem if someone (whether whitehat or blackhat) develops a nice tool/lib to do it, then the cost to the malware people goes down, and then it becomes another method for spreading.

          My guess is if the authors and proponents of firesheep never kicked up a fuss about it, it would have been many more years before it would have become a problem, if at all.

          The "easiest" solution actually is not to get everyone to use https - since lots of sites including slashdot don't use it.

          The easiest solution is to fix secure wifi: http://slashdot.org/comments.pl?sid=1578784&cid=31435914 [slashdot.org] http://slashdot.org/comments.pl?sid=1578784&cid=31437480 [slashdot.org]

          To quote myself: "with the current WiFi standards you cannot have an easy way for a Cafe/Hotel/Conference to provide encrypted wireless connections to guests in a way where they cannot snoop on each other's connections. if you use preshared key users can decrypt each other's traffic. If you use username and password, it's far more inconvenient for the user and the service provider."

          Yes in theory "people should use https, vpns etc all the time blahblahblah", but this requires ALL parties involved to support encryption. That'll happen about the time Duke Nukem Forever gets released.

          Whereas things would be much safer if people running cafe systems could unilaterally provide secure wifi just the way a site could unilaterally provide https. It takes some tweaking to the wifi standards and coordination with the OS makers, so that users don't have to do very much extra work.

          But no, with the current way way users have to enter correct usernames and passwords.

          Yes I know, MITM attacks would still be possible (assuming the users "click through warnings", or can't tell the difference between a legit starbucks cert and a fake), but that's the same for https as well.

          Furthermore if you _add_ more "ssh style" _sanity_[1], then operators could use "autogen self-signed" keys and still users could be safe because the first time they go to a cafe they just recognize the key and say its ok (risk is low after all), if the next time an attacker tries to MITM, the user gets a warning.

          If the first time you go to a cafe and notice a few people are grumbling to the cafe "hey why's there this warning popping up, why two SSIDs with the same name", you can wait for things to be sorted out first ;).

          [1] Current https/ssl stuff is insane. As long as a cert is signed by any of the CAs installed in your browser it's regarded as OK. Trusting a self-signed cert is actually safer- since you'd get a warning if the cert changed due to a MITM. Whereas if a CA in Turkey/China/etc signed a fake Bank of America's cert, you wouldn't get a warning at all when being MITMed by them! (unless you use plugins like certificate patrol). So a combination of CAs and ssh style would be better.

      • Re: (Score:3, Funny)

        by EdIII (1114411)

        You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

        Well... since most "rural" families that I know live in Oklahoma and Texas and have shotgun racks on the back of their trucks I expect the conversation to go much differently.

      • Re: (Score:3, Insightful)

        by Local ID10T (790134)

        You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

        In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, and would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers -that's a city dweller response.

      • Re: (Score:2, Troll)

        by Bigjeff5 (1143585)

        What is really iron is that this guy is decrying how people don't pay attention to the risks they are taking, while he himself tells the world that he has committed about 30-40 felonies in a single night.

        Maximum jail time is 200 years (obviously he'd never get that), minimum if convicted of 30 counts of felony is 30 years.

        Who's not paying attention to the risks here?

        What a dumbass. I sincerely hope he goes to jail for it. Maybe then these idiots can gain a little perspective (probably won't though, the co

        • When real crimes happen like a break in, you'll be lucky if the cops show up in a few hours or even at all. Good luck explaining that someone else logged into your facebook account. Now if they heard you had an ounce of weed then its a different story...

      • by nospam007 (722110) *

        "No, they just have different value systems "

        Yes, they have the 'no clue value system'.
        These are computer-illiterate, facebook-only newbie morons, the messages were incomprehensible tech goobledigook, just like the security messages from the system, virus checkers or whatever.
        They click them just away without reading nor understanding what they read.
        More and more of these appear every day, the 'internet' has reached the toaster stage.

      • by X0563511 (793323)

        I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious

        Just because they have a different value system doesn't make them right, or less stupid/ignorant...

        By -my- standards (the only standards that matter to me) they are.

    • by RJFerret (1279530)

      Yes, that blog posting was more an example of someone who fails to understand human nature, and overly dramatizes risk.

      Heck, Facebook as a company has been proven to do more damage to users than anyone using Firesheep ever could, yet users still want to use it!

  • I hope his guy well. But there's gotta be somebody who thought up the idea of sending him a cease and desist letter just for the fun of it - or extracting a few thousand dollars from him.
    • by Hatta (162192)

      Good luck tracking him down.

      • Re: (Score:3, Funny)

        Had he not posted the action on his blog, it'd have been hard.
        • by Kindgott (165758)

          Good luck, he was behind 7 proxies.

          • by MichaelSmith (789609) on Friday October 29, 2010 @11:45PM (#34070950) Homepage Journal

            Gary LosHuertos

                    * Gender: Male
                    * Astrological Sign: Scorpio
                    * Industry: Consulting
                    * Occupation: Software Engineer
                    * Location: New York : NY : United States

            Whoops! Your tongue is now a magnet. Whatever will you use for silverware?

            Plastic.
            Interests

                    * road trips
                    * programming
                    * languages
                    * movies
                    * going out to eat
                    * perkins
                    * ihop
                    * grammar
                    * legends of the hidden temple

            Favorite Movies

                    * Garden State
                    * Little Miss Sunshine
                    * Finding Neverland
                    * Center Stage
                    * Sphere
                    * 1984
                    * The Devil Wears Prada
                    * Moulin Rouge
                    * 28 Days Later
                    * Cruel Intentions
                    * Dogma
                    * Contact
                    * Rules of Attraction
                    * LOTR

            Favorite Music

                    * Alanis Morissette
                    * Dixie Chicks
                    * RHCP
                    * Ben Folds
                    * Styx
                    * Journey
                    * Eurythmics
                    * The Police
                    * Weezer
                    * Indochine
                    * Chumbawamba
                    * Les Vulgaires Machins
                    * Wicked
                    * The Beatles
                    * Jimmy Eat World
                    * Avenue Q
                    * Jason Robert Brown
                    * Do As Infinity
                    * U2
                    * Fischerspooner
                    * Chicks on Speed
                    * Les Miserables
                    * Talking Heads
                    * They Might be Giants
                    * Phantom Planet
                    * Motion City Soundtrack
                    * ABBA

            Even if thats all made up, this guy has posted more than one item to this blog.

  • by brokeninside (34168) on Friday October 29, 2010 @06:22PM (#34069418)
    ... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatevever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.
    • Bingo. The article he linked to talks about VPNs. Seriously, WTF? The threat Firesheep poses is basically this - some guy harassing strangers in a Starbucks. Maybe if you're very unlucky a friend/enemy doing the same. Weigh up the options, which is easier - ignoring the occasional douchebag who causes trouble in Starbucks vs buying service from a VPN provider. It's not surprising most people choose the former and you don't need an experiment to realize it!
      • by KiloByte (825081)

        How exactly VPN can help there? You're still passing unencrypted data to Facebook. All the gain is that it's less likely than someone listens to the traffic between the VPN provider and Facebook compared to the unpalatable liquid venue you're in.

        • Yes, exactly.

          Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:

          1. No VPN at an airport or coffee shop. Your session may be hijacked by somebody near by, intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
          2. VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPNs colo facility and the target. The only people who actually do this is government, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily lives threat model, mostly because you can't do anything about it except move country and most governments, at least in the west, just aren't that bad.
          3. Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc and the government. Notice how nothing changed from step 2..

          I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

          • by Jah-Wren Ryel (80510) on Friday October 29, 2010 @07:01PM (#34069720)

            Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.

            In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.

            • So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware? Anything valuable is already SSL protected so that scheme would be very expensive, labor intensive, easy to discover, dangerous for the criminals and useless against high value targets like banks or gmail accounts.
              • So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware?

                (A) Mischaracterization
                No need to "build and deploy" a bunch of fancy shit - all its takes is for individual petty thieves with cheap laptops to spend an hour or so at each of the hotspots around their neighbourhoods each week. Small time scammers work for small time profits all the time. Just look at how frequently credit card theft is committed by low-paid clerks and shoulder surfers. Sniffing wifi is a hell of a lot less risky than either of those.

                (B) False Dichotomy
                Just because one means of attack is

              • by jpmorgan (517966)

                Why do you need hardware when all the hardware is already out there? A sidejacking worm will do the trick:

                Deface people's facebook pages to convince them to download the worm. Worm runs locally, quietly sidejacks other people's facebook pages and defaces them. Cycle continues and sidejack worm spreads through all the coffee shops in the country, stealing personal information and credit card numbers as it goes.

          • by adolf (21054)

            My favorite coffee shop has RJ45 ports at the tables on a switched network.

            Still sniffable, obviously, but at least not passively: One must do some amount of ARP poisoning or MAC overflow in order to get much meaningful data.

          • by mlts (1038732) *

            This is exactly why I use an anonymous VPN service [1]. As one goes up the food chain to the core fiber links which route the core Internet traffic, the fewer people have access to the traffic and/or logging capability. To boot, if they have logging capability at the core, they would have it at the edges. There are a *lot* fewer people that have access from the core router to Facebook's page than have access (either with admin access, or are on the same subnet and can sniff/change stuff in transit.)

            Essen

          • by TubeSteak (669689)

            I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

            One of the articles about FireSheep discussed the fact that not all websites handle the logout properly on the server side.

            So FIY, logging off and finding another AP may not kill their session.

        • by node 3 (115640)

          How exactly VPN can help there? You're still passing unencrypted data to Facebook.

          I was going to answer your question, but you already did:

          All the gain is that it's less likely than someone listens to the traffic between the VPN provider and Facebook compared to the unpalatable liquid venue you're in.

          *Less likely* is the key. That's how a VPN helps. Security nerds seem to think you have to be 100% secure (conveniently ignoring the fact that 100% security is impossible) or you're not secure at all. That's a good mindset for finding security holes, but it's a horrible mindset for worrying about one's own personal security. In the real world, you do what you can to reasonably reduce your risks and take your chances.

          It's at least a little ironic that

      • by Hatta (162192)

        Firesheep does Amazon too. Let the wrong person on your Amazon account and you might be in for a surprise when your credit card statement arrives.

        • by hitmark (640295)

          Tho one could question why Amazon should keep a copy of the credit card info at all.

          • Well, they offer to keep it. If you decline that offer and they still keep it, then there's a problem. But if they're keeping it because you asked them to to make your purchases more convenient, then, no, you may not question why they're keeping a copy of your credit card info. You would already know that they need to keep that info in order to keep the info.

            • by hitmark (640295)

              I just checked, and they held two sets of card data for me while i don't recall ever saying yes to them doing so...

          • by stm2 (141831)

            One click shopping (tm) :)

      • ...vs buying service from a VPN provider.

        Ummm...how many people reading this article actually bought VPN service from someone else? I run OpenVPN or Tunnelblick on my laptops and VPN home. Even the least tech-savvy geek on /. should be able to at least port-forward through SSH. (If you can't please turn in your geek card now.)

        • Re: (Score:3, Insightful)

          A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.

          Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.

          Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the m

        • by icebike (68054)

          I'm confused.

          Wouldn't just logging in to https.facebook.com and log on from there solve the problem?

          • by TheLink (130905)
            No. Firesheep hijacks/copies sessions.

            After logging in on https facebook redirects you to http, firesheep gets your session. pwned.

            The risk is actually very low until stuff like firesheep becomes common enough amongst wifi cafe users (whether via malware or pranksters).

            Currently you're more likely to lose your entire laptop to a thief at a cafe.
            • by icebike (68054)

              Ah, I see. Didn't actually get that far since I have no use for Facebook.

              Why would they redirect insecure? SSL takes very little additional resources once your session key is established?

              Seems they could solve this if the weren't so cheap.

    • Your online accounts are not like a car.

      You can't very easily "empty" your online accounts.

      Once someone breaks in, they can do things with your account without having to do any further "hotwiring".

      Simply accessing the account through "hijacking" a session doesn't break anything that needs to be repaired after the fact, so leaving your account vulnerable to hijacking doesn't save you anything.

      You might find the utility of open wifi to be worth the risk that your transmissions can be intercepted, read, and yo

  • by cappp (1822388) on Friday October 29, 2010 @06:26PM (#34069446)
    I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexivly doing. In effect we're trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah

    That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.
  • by John Hasler (414242) on Friday October 29, 2010 @06:27PM (#34069470) Homepage

    So that's the reason. None of them noticed his messages because they were too busy staring at his crotch.

  • Denial is bliss (Score:5, Insightful)

    by bl8n8r (649187) on Friday October 29, 2010 @06:33PM (#34069508)
    A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.
    • Re: (Score:3, Insightful)

      by joe_frisch (1366229)

      Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.

      I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me

  • by jordan314 (1052648) on Friday October 29, 2010 @07:29PM (#34069874)
    I gave Firesheep a try today, and am surprised how many times my own cookies come up inside it without me directly visiting those sites. My google account came up without me browsing at all -- perhaps one of my firefox add-ons was using it, or maybe google latitude on my phone was triggering it? My facebook account came up when browsing other non-facebook sites as well, most likely from facebook connect. The users could have stopped visiting facebook after getting his warning messages and still had their cookies exposed.
  • by Khenke (710763) on Friday October 29, 2010 @08:01PM (#34070032) Journal

    For example I set up my sisters computer with a firewall, anti-virus, anti-malware software and installed FireFox.

    What happened?

    My sister and her husband got sick of the question popping up all the time, "Do you want to allow this program to access the internet?" and instead of reading and the checking the box "Do this always" they found it easier to turn off the firewall and the anti-virus (more stupid questions they didn't bother to read). And to top it up, they thought IE was more familiar and started (against my strong advice) using it again.

    But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
    It's the same with getting their account hacked, it not their problem (they think), it's mine.

    If people would handle their cars the same way they handle their computer the car industries wouldn't have any problem with sales today...
    And if people handled strangers the same IRL that they handle them on the Internet we would have everyone giving away their keys to their house if a stranger asked for it (of just give it to them without them asking...).

    I will never understand why people feel so safe on Internet.

    • Re: (Score:3, Insightful)

      by h4rr4r (612664)

      But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

      Sounds like you are the problem.

      • by Stevecrox (962208)
        I agree, I maintain all my family's computers. Some of those people are terrifying with computers.

        When doing this sort of thing your doing it as a favour to them. Setup the PC so it is secure and leave basic instructions. If they can't follow them or ignore the work you've done let them pay someone to fix it. Then they start to appreciate what your doing for them, or they become happy paying someone to fix their screw ups.
    • Re: (Score:2, Insightful)

      by Seumas (6865)

      EXACTLY.

      I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idi

      • by RichiH (749257)

        I tend to agree.

        But one thing to keep in mind is that with a car or similar, you get a lot less lights and stuff. A computer can, by its very nature, throw a bazillion of different situations at you. No other thing can.

        All that being said, computers are a fact of life so people need to start to think.

    • Re: (Score:3, Informative)

      by the_womble (580291)

      But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer. It's the same with getting their account hacked, it not their problem (they think), it's mine.

      It would be there problem if you did not make it yours.

      Its amazing how willing people are to volunteer free support for Windows. If they are not paying you tell them to ask MS for help.

    • by SheeEttin (899897)

      It's the same with getting their account hacked, it not their problem (they think), it's mine.

      Given that it's a relative, I think it's obvious you're doing this for free.
      Simple solution: bill them. Hard.
      That's the reason you don't drive all around when you've got all kinds of lights on on your dash. Parts & labor can be wicked expensive, so it's in your best interest to take care of it.

      (Of course, I can provide an immediate counterpoint. I listen to Car Talk on NPR sometimes, and there's the occasi

    • by RichiH (749257)

      I know one person who acted in a similar way.

      Guess what: I stopped fixing their shit. The data is on a seperate partition, so all they need to do is find someone to reinstall Windows. But that's not me.

      The rest grew up after I explained the issues at hand.

  • by IonOtter (629215) on Friday October 29, 2010 @08:09PM (#34070076) Homepage

    Back when I was a student in college, we were using DEC VAX/VMS systems to provide service to the campus network.

    I loved the help menu. It was VERY useful to do all sorts of things, such as creating your LOGIN.COM file. With the LOGIN.COM file, you could set your command prompt, establish which home directory to use, create macros to start batch jobs...you name it.

    Occasionally, we'd come across someone who forgot to log out of their session, and just left ms-kermit running on their terminal.

    If it was the first time, we'd telnet into their mail client and send them an email from themselves, warning them to be more careful. If it was the second time, we had a bit more fun.

    Such as setting their home directory ATTRIB *.* +H

    The best was when we edited their LOGIN.COM file, so that whenever they tried to execute *any* commands, it would send a pmail to the sysadmin saying, "I'm an idiot who left his account open, and I need an adult to fix it for me, please?"

    Not surprisingly, the sysadmin WAS amused by this, and had great fun exacerbating the torture. It was a different era, when sysadmins had PhD's and a sense of humor.

    Fond memories...

    • by Nethead (1563)

      On Unix systems we would add a control-D as the first character to the .login file on their account.

  • by meeotch (524339) on Friday October 29, 2010 @08:18PM (#34070104) Homepage

    Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.

    • by hedwards (940851)
      What annoys me about Firefox is that it doesn't let you easily sidestep the security on a temporary basis. Either you can't go in or it wants you to create a permanent exception. I'm not really sure why it can't provide a convenient way of making it a one time deal. Once I'm in if I decide to do that, then is the appropriate time for me to decide whether to add a permanent exception or not.

      In virtually all cases I'm not going back to that site, so ultimately not providing a convenient temporary access is
      • by Phroggy (441)

        If you're talking about the security warning you get when browsing to an HTTPS site with an invalid certificate, apparently you missed the checkbox labeled "Permanently store exception" or something to that effect. It's checked by default, but you can certainly uncheck it.

        That's not what we're talking about here though...

  • by George_Ou (849225) on Saturday October 30, 2010 @04:01AM (#34071580)
    Forced SSL doesn't even work for Google, Twitter, and Facebook and probably most other sites even if they support SSL. That's because the javascript on those pages will opt to transmit authentication cookies in the clear. http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/ [digitalsociety.org]
  • by Compulawyer (318018) on Saturday October 30, 2010 @09:37AM (#34072670)
    I question the intelligence of those who do not take appropriate steps to safeguard their personal information. I have *NO* doubts, however, about the intelligence of someone who would commit almost 50 violations of the Electronic Communications Privacy Act (each one of those violations a felony) and then blog about it.

A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe

Working...