Herding Firesheep In NYC — Do Users Care?

An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."

Some people don't care

[Moniker3]

People leave themselves signed into facebook all the time in my university library. Some people just don't care that much.

Re:Some people don't care

[PatHMV]

Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Re:

[nacturation]

Clearly from the warning he provided, he wasn't intending to do harm to them.

I think he should have been a bit more mischievous:

"So I'm sitting here at Starbucks and there's a cute guy across the room. What should I do?"

Post the same message for both male and female profiles, optionally changing it to "girl" for the female profiles. Hilarity ensues.

Re:

[jpmorgan]

That will change when the first worm that uses sidejacking to spread appears. Defaces people's facebook pages to convince them to download and run the worm... worm runs in background sidejacking and defacing other people's facebook pages... and doing all the other malicious stuff malware likes to do.

I figure we'll see it within a year or so.

Re:Some people don't care

[TheLink]

Currently you're more likely to lose your entire laptop, bags etc to a thief at a cafe.

Anyone in IT security or who attends stuff like defcon has known about this problem for years, but nothing much has happened in normal cafes (despite people getting embarassed at defcon year after year).

But the malware bunch have never bothered because it was not really worth it. They have no big difficulty getting people to run malware - they don't even have to be in the same country much less the same cafe. The spammers still send spam, the worms still spread, the zombies still get installed.

It'd only be a big problem if someone (whether whitehat or blackhat) develops a nice tool/lib to do it, then the cost to the malware people goes down, and then it becomes another method for spreading.

My guess is if the authors and proponents of firesheep never kicked up a fuss about it, it would have been many more years before it would have become a problem, if at all.

The "easiest" solution actually is not to get everyone to use https - since lots of sites including slashdot don't use it.

The easiest solution is to fix secure wifi: http://slashdot.org/comments.pl?sid=1578784&cid=31435914 [slashdot.org] http://slashdot.org/comments.pl?sid=1578784&cid=31437480 [slashdot.org]

To quote myself: "with the current WiFi standards you cannot have an easy way for a Cafe/Hotel/Conference to provide encrypted wireless connections to guests in a way where they cannot snoop on each other's connections. if you use preshared key users can decrypt each other's traffic. If you use username and password, it's far more inconvenient for the user and the service provider."

Yes in theory "people should use https, vpns etc all the time blahblahblah", but this requires ALL parties involved to support encryption. That'll happen about the time Duke Nukem Forever gets released.

Whereas things would be much safer if people running cafe systems could unilaterally provide secure wifi just the way a site could unilaterally provide https. It takes some tweaking to the wifi standards and coordination with the OS makers, so that users don't have to do very much extra work.

But no, with the current way way users have to enter correct usernames and passwords.

Yes I know, MITM attacks would still be possible (assuming the users "click through warnings", or can't tell the difference between a legit starbucks cert and a fake), but that's the same for https as well.

Furthermore if you _add_ more "ssh style" _sanity_[1], then operators could use "autogen self-signed" keys and still users could be safe because the first time they go to a cafe they just recognize the key and say its ok (risk is low after all), if the next time an attacker tries to MITM, the user gets a warning.

If the first time you go to a cafe and notice a few people are grumbling to the cafe "hey why's there this warning popping up, why two SSIDs with the same name", you can wait for things to be sorted out first ;).

[1] Current https/ssl stuff is insane. As long as a cert is signed by any of the CAs installed in your browser it's regarded as OK. Trusting a self-signed cert is actually safer- since you'd get a warning if the cert changed due to a MITM. Whereas if a CA in Turkey/China/etc signed a fake Bank of America's cert, you wouldn't get a warning at all when being MITMed by them! (unless you use plugins like certificate patrol). So a combination of CAs and ssh style would be better.

Re:

[EdIII]

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Well... since most "rural" families that I know live in Oklahoma and Texas and have shotgun racks on the back of their trucks I expect the conversation to go much differently.

Re:

[Local ID10T]

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, and would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers -that's a city dweller response.

Re:

[Bigjeff5]

What is really iron is that this guy is decrying how people don't pay attention to the risks they are taking, while he himself tells the world that he has committed about 30-40 felonies in a single night.

Maximum jail time is 200 years (obviously he'd never get that), minimum if convicted of 30 counts of felony is 30 years.

Who's not paying attention to the risks here?

What a dumbass. I sincerely hope he goes to jail for it. Maybe then these idiots can gain a little perspective (probably won't though, the co

Jail is laughable

[ArchieBunker]

When real crimes happen like a break in, you'll be lucky if the cops show up in a few hours or even at all. Good luck explaining that someone else logged into your facebook account. Now if they heard you had an ounce of weed then its a different story...

Re:

[nospam007]

"No, they just have different value systems "

Yes, they have the 'no clue value system'.
These are computer-illiterate, facebook-only newbie morons, the messages were incomprehensible tech goobledigook, just like the security messages from the system, virus checkers or whatever.
They click them just away without reading nor understanding what they read.
More and more of these appear every day, the 'internet' has reached the toaster stage.

Re:

[X0563511]

I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious

Just because they have a different value system doesn't make them right, or less stupid/ignorant...

By -my- standards (the only standards that matter to me) they are.

Re:

[node 3]

I'm not sure how you describe "I'm not taking security precautions and I don't care about the implications" as anything *BUT* stupid and ignorant.

Do you ever leave your house with the front door unlocked (say, run over to the neighbors' real quick) or leave your windows rolled down a crack on hot days or keep your wallet in your back pocket or hand your credit card to the waitstaff or ... ?

It's not stupidity or ignorance. It's just, "you can only do so much".

In fact, I'd go further than that, and if you actively take precautions for all the things I listed, going through so much effort and living life so vigilantly seems far more stupid to me than th

Re:

[Skrapion]

But when you return from your neighbours', you'll immediately notice that somebody is in your house. Everybody with a working pair of eyes is qualified enough to detect that. With internet security, most people aren't qualified enough to be able to distinguish exactly what's important to encrypt and what isn't.

Is your email over SSL? If not, there's nothing stopping somebody from resetting your Amazon password, logging into your account, and shipping stuff to a PO box on your credit card.

Did you use the

Re:

[evanism]

Security doesn't reduce your stupidity. Nor does paranoia increase your security. Check the USA today. Post a toner cartridge and the whole country shuts down. QED. (Bet the guys at newegg are looking at their policy on combo parts shipments.) (Apologies to the nice Americans here)

Re:

[theshowmecanuck]

Post a toner cartridge and the whole country shuts down.

FTFY:
Post a toner cartridge full of [bbc.co.uk] PETN [wikipedia.org] and the whole country shuts down.

Re:

[RJFerret]

Yes, that blog posting was more an example of someone who fails to understand human nature, and overly dramatizes risk.

Heck, Facebook as a company has been proven to do more damage to users than anyone using Firesheep ever could, yet users still want to use it!

They care - they're filing lawsuits

[francium de neobie]

I hope his guy well. But there's gotta be somebody who thought up the idea of sending him a cease and desist letter just for the fun of it - or extracting a few thousand dollars from him.

Re:

[Hatta]

Good luck tracking him down.

Re:

[francium de neobie]

Had he not posted the action on his blog, it'd have been hard.

Re:

[Kindgott]

Good luck, he was behind 7 proxies.

Re:They care - they're filing lawsuits

[MichaelSmith]

Gary LosHuertos

        * Gender: Male
        * Astrological Sign: Scorpio
        * Industry: Consulting
        * Occupation: Software Engineer
        * Location: New York : NY : United States

Whoops! Your tongue is now a magnet. Whatever will you use for silverware?

Plastic.
Interests

        * road trips
        * programming
        * languages
        * movies
        * going out to eat
        * perkins
        * ihop
        * grammar
        * legends of the hidden temple

Favorite Movies

        * Garden State
        * Little Miss Sunshine
        * Finding Neverland
        * Center Stage
        * Sphere
        * 1984
        * The Devil Wears Prada
        * Moulin Rouge
        * 28 Days Later
        * Cruel Intentions
        * Dogma
        * Contact
        * Rules of Attraction
        * LOTR

Favorite Music

        * Alanis Morissette
        * Dixie Chicks
        * RHCP
        * Ben Folds
        * Styx
        * Journey
        * Eurythmics
        * The Police
        * Weezer
        * Indochine
        * Chumbawamba
        * Les Vulgaires Machins
        * Wicked
        * The Beatles
        * Jimmy Eat World
        * Avenue Q
        * Jason Robert Brown
        * Do As Infinity
        * U2
        * Fischerspooner
        * Chicks on Speed
        * Les Miserables
        * Talking Heads
        * They Might be Giants
        * Phantom Planet
        * Motion City Soundtrack
        * ABBA

Even if thats all made up, this guy has posted more than one item to this blog.

Interestingly, the author of TFA never considers

[brokeninside]

... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatevever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.

Re:

[IamTheRealMike]

Bingo. The article he linked to talks about VPNs. Seriously, WTF? The threat Firesheep poses is basically this - some guy harassing strangers in a Starbucks. Maybe if you're very unlucky a friend/enemy doing the same. Weigh up the options, which is easier - ignoring the occasional douchebag who causes trouble in Starbucks vs buying service from a VPN provider. It's not surprising most people choose the former and you don't need an experiment to realize it!

Re:

[KiloByte]

How exactly VPN can help there? You're still passing unencrypted data to Facebook. All the gain is that it's less likely than someone listens to the traffic between the VPN provider and Facebook compared to the unpalatable liquid venue you're in.

Re:Interestingly, the author of TFA never consider

[IamTheRealMike]

Yes, exactly.

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:

1. No VPN at an airport or coffee shop. Your session may be hijacked by somebody near by, intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
2. VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPNs colo facility and the target. The only people who actually do this is government, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily lives threat model, mostly because you can't do anything about it except move country and most governments, at least in the west, just aren't that bad.
3. Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc and the government. Notice how nothing changed from step 2..

I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

Re:Interestingly, the author of TFA never consider

[Jah-Wren Ryel]

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.

In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.

Re:

[IamTheRealMike]

So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware? Anything valuable is already SSL protected so that scheme would be very expensive, labor intensive, easy to discover, dangerous for the criminals and useless against high value targets like banks or gmail accounts.

Re:

[Jah-Wren Ryel]

So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware?

(A) Mischaracterization
No need to "build and deploy" a bunch of fancy shit - all its takes is for individual petty thieves with cheap laptops to spend an hour or so at each of the hotspots around their neighbourhoods each week. Small time scammers work for small time profits all the time. Just look at how frequently credit card theft is committed by low-paid clerks and shoulder surfers. Sniffing wifi is a hell of a lot less risky than either of those.

(B) False Dichotomy
Just because one means of attack is

Re:

[Jah-Wren Ryel]

So what value exactly would a small time crook get out of hacking random facebook accounts? The likelihood of him finding monetizable information in a random account would be quite low.

(A) Major failure of imagination.

Apologies for having to reach out to you like this,this had to come in a hurry
due to the urgency of the situation.
Presently,I'm stuck in England and need help getting home.I made a trip this
past weekend to London, UK and unfortunately, I was robbed .my bags, cash ,
cards and cell phones were taken at gunpoint. It was a terrible
experience.right now i need help getting back home , i've been to the embassy
and the Police here but they're not helping issues at all,the good thing

Re:

[jpmorgan]

Why do you need hardware when all the hardware is already out there? A sidejacking worm will do the trick:

Deface people's facebook pages to convince them to download the worm. Worm runs locally, quietly sidejacks other people's facebook pages and defaces them. Cycle continues and sidejack worm spreads through all the coffee shops in the country, stealing personal information and credit card numbers as it goes.

Re:

[adolf]

My favorite coffee shop has RJ45 ports at the tables on a switched network.

Still sniffable, obviously, but at least not passively: One must do some amount of ARP poisoning or MAC overflow in order to get much meaningful data.

Re:

[brain159]

*Switched* network. Read smarter, not harder.

Re:

[mlts]

This is exactly why I use an anonymous VPN service [1]. As one goes up the food chain to the core fiber links which route the core Internet traffic, the fewer people have access to the traffic and/or logging capability. To boot, if they have logging capability at the core, they would have it at the edges. There are a *lot* fewer people that have access from the core router to Facebook's page than have access (either with admin access, or are on the same subnet and can sniff/change stuff in transit.)

Essen

Re:

[TubeSteak]

I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

One of the articles about FireSheep discussed the fact that not all websites handle the logout properly on the server side.

So FIY, logging off and finding another AP may not kill their session.

Re:

[node 3]

How exactly VPN can help there? You're still passing unencrypted data to Facebook.

I was going to answer your question, but you already did:

All the gain is that it's less likely than someone listens to the traffic between the VPN provider and Facebook compared to the unpalatable liquid venue you're in.

*Less likely* is the key. That's how a VPN helps. Security nerds seem to think you have to be 100% secure (conveniently ignoring the fact that 100% security is impossible) or you're not secure at all. That's a good mindset for finding security holes, but it's a horrible mindset for worrying about one's own personal security. In the real world, you do what you can to reasonably reduce your risks and take your chances.

It's at least a little ironic that

Re:

[Hatta]

Firesheep does Amazon too. Let the wrong person on your Amazon account and you might be in for a surprise when your credit card statement arrives.

Re:

[hitmark]

Tho one could question why Amazon should keep a copy of the credit card info at all.

Re:

[zippthorne]

Well, they offer to keep it. If you decline that offer and they still keep it, then there's a problem. But if they're keeping it because you asked them to to make your purchases more convenient, then, no, you may not question why they're keeping a copy of your credit card info. You would already know that they need to keep that info in order to keep the info.

Re:

[hitmark]

I just checked, and they held two sets of card data for me while i don't recall ever saying yes to them doing so...

Re:

[stm2]

One click shopping (tm) :)

Re:

[element-o.p.]

...vs buying service from a VPN provider.

Ummm...how many people reading this article actually bought VPN service from someone else? I run OpenVPN or Tunnelblick on my laptops and VPN home. Even the least tech-savvy geek on /. should be able to at least port-forward through SSH. (If you can't please turn in your geek card now.)

Re:

[RaymondKurzweil]

A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.

Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.

Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the m

Re:

[icebike]

I'm confused.

Wouldn't just logging in to https.facebook.com and log on from there solve the problem?

Re:

[TheLink]

No. Firesheep hijacks/copies sessions.

After logging in on https facebook redirects you to http, firesheep gets your session. pwned.

The risk is actually very low until stuff like firesheep becomes common enough amongst wifi cafe users (whether via malware or pranksters).

Currently you're more likely to lose your entire laptop to a thief at a cafe.

Re:

[icebike]

Ah, I see. Didn't actually get that far since I have no use for Facebook.

Why would they redirect insecure? SSL takes very little additional resources once your session key is established?

Seems they could solve this if the weren't so cheap.

Re:

[apparently]

WEP is cracked in SECONDS; failing that, POSTING the network password (WEP, or PSK-WPA) on the wall allows any malicious customer to use said password to decrypt any other customer's wifi traffic.

You're advocating a false sense of security. Please stop, before someone unwittingly follows your technical advice.

Re:

[Junior J. Junior III]

Your online accounts are not like a car.

You can't very easily "empty" your online accounts.

Once someone breaks in, they can do things with your account without having to do any further "hotwiring".

Simply accessing the account through "hijacking" a session doesn't break anything that needs to be repaired after the fact, so leaving your account vulnerable to hijacking doesn't save you anything.

You might find the utility of open wifi to be worth the risk that your transmissions can be intercepted, read, and yo

Re:

[citylivin]

Your statement is stupid. Who is going to pay the deductable if there was no damage to the vehicle and there was nothing of value in the vehicle?
Insurance companies need not be involved. Why should they? Over the crackhead change in your centre console?

Re:

[hedwards]

Actually, the contents of your car are almost certainly not covered by your auto insurance. That's typically covered by either home owner's insurance or renter's insurance.

Dear tech guru:

[apparently]

By the way, what are these "costs" that you're talking about? Every wifi router in the last decade allows some type of WPA/WEP/whatever encryption. There is no cost involved in setting up WPA/WEP and then putting a sign up in your cafe that says "THE WIFI PASSWORD IS 'P@SSWORD'". Problem solved. Are you really suggesting there is any cost/benefit comparison that would find that trivial action too costly for the return?

A WEP or PSK-WPA password is going to do absolutely nothing to prevent a malicious indiv

False sense of security

[cappp]

I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexivly doing. In effect we're trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah

That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.

From TFA: "my fly had been wide open"

[John Hasler]

So that's the reason. None of them noticed his messages because they were too busy staring at his crotch.

Re:From TFA: "my fly had been wide open"

[nacturation]

Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.

Denial is bliss

[bl8n8r]

A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.

Re:

[joe_frisch]

Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.

I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me

They may have been logging in accidentally

[jordan314]

I gave Firesheep a try today, and am surprised how many times my own cookies come up inside it without me directly visiting those sites. My google account came up without me browsing at all -- perhaps one of my firefox add-ons was using it, or maybe google latitude on my phone was triggering it? My facebook account came up when browsing other non-facebook sites as well, most likely from facebook connect. The users could have stopped visiting facebook after getting his warning messages and still had their cookies exposed.

The problem is not theirs, they think.

[Khenke]

For example I set up my sisters computer with a firewall, anti-virus, anti-malware software and installed FireFox.

What happened?

My sister and her husband got sick of the question popping up all the time, "Do you want to allow this program to access the internet?" and instead of reading and the checking the box "Do this always" they found it easier to turn off the firewall and the anti-virus (more stupid questions they didn't bother to read). And to top it up, they thought IE was more familiar and started (against my strong advice) using it again.

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.
It's the same with getting their account hacked, it not their problem (they think), it's mine.

If people would handle their cars the same way they handle their computer the car industries wouldn't have any problem with sales today...
And if people handled strangers the same IRL that they handle them on the Internet we would have everyone giving away their keys to their house if a stranger asked for it (of just give it to them without them asking...).

I will never understand why people feel so safe on Internet.

Re:

[h4rr4r]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

Sounds like you are the problem.

Re:

[Stevecrox]

I agree, I maintain all my family's computers. Some of those people are terrifying with computers.

When doing this sort of thing your doing it as a favour to them. Setup the PC so it is secure and leave basic instructions. If they can't follow them or ignore the work you've done let them pay someone to fix it. Then they start to appreciate what your doing for them, or they become happy paying someone to fix their screw ups.

Re:

[Seumas]

EXACTLY.

I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idi

Re:

[RichiH]

I tend to agree.

But one thing to keep in mind is that with a car or similar, you get a lot less lights and stuff. A computer can, by its very nature, throw a bazillion of different situations at you. No other thing can.

All that being said, computers are a fact of life so people need to start to think.

Re:

[the_womble]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer. It's the same with getting their account hacked, it not their problem (they think), it's mine.

It would be there problem if you did not make it yours.

Its amazing how willing people are to volunteer free support for Windows. If they are not paying you tell them to ask MS for help.

Re:

[SheeEttin]

It's the same with getting their account hacked, it not their problem (they think), it's mine.

Given that it's a relative, I think it's obvious you're doing this for free.
Simple solution: bill them. Hard.
That's the reason you don't drive all around when you've got all kinds of lights on on your dash. Parts & labor can be wicked expensive, so it's in your best interest to take care of it.

(Of course, I can provide an immediate counterpoint. I listen to Car Talk on NPR sometimes, and there's the occasi

Re:

[RichiH]

I know one person who acted in a similar way.

Guess what: I stopped fixing their shit. The data is on a seperate partition, so all they need to do is find someone to reinstall Windows. But that's not me.

The rest grew up after I explained the issues at hand.

The Good Old Days

[IonOtter]

Back when I was a student in college, we were using DEC VAX/VMS systems to provide service to the campus network.

I loved the help menu. It was VERY useful to do all sorts of things, such as creating your LOGIN.COM file. With the LOGIN.COM file, you could set your command prompt, establish which home directory to use, create macros to start batch jobs...you name it.

Occasionally, we'd come across someone who forgot to log out of their session, and just left ms-kermit running on their terminal.

If it was the first time, we'd telnet into their mail client and send them an email from themselves, warning them to be more careful. If it was the second time, we had a bit more fun.

Such as setting their home directory ATTRIB *.* +H

The best was when we edited their LOGIN.COM file, so that whenever they tried to execute *any* commands, it would send a pmail to the sysadmin saying, "I'm an idiot who left his account open, and I need an adult to fix it for me, please?"

Not surprisingly, the sysadmin WAS amused by this, and had great fun exacerbating the torture. It was a different era, when sysadmins had PhD's and a sense of humor.

Fond memories...

Re:

[Nethead]

On Unix systems we would add a control-D as the first character to the .login file on their account.

Author is ignoring the obvious

[meeotch]

Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.

Re:

[hedwards]

What annoys me about Firefox is that it doesn't let you easily sidestep the security on a temporary basis. Either you can't go in or it wants you to create a permanent exception. I'm not really sure why it can't provide a convenient way of making it a one time deal. Once I'm in if I decide to do that, then is the appropriate time for me to decide whether to add a permanent exception or not.

In virtually all cases I'm not going back to that site, so ultimately not providing a convenient temporary access is

Re:

[Phroggy]

If you're talking about the security warning you get when browsing to an HTTPS site with an invalid certificate, apparently you missed the checkbox labeled "Permanently store exception" or something to that effect. It's checked by default, but you can certainly uncheck it.

That's not what we're talking about here though...

Even forced SSL doesn't work

[George_Ou]

Forced SSL doesn't even work for Google, Twitter, and Facebook and probably most other sites even if they support SSL. That's because the javascript on those pages will opt to transmit authentication cookies in the clear. http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/ [digitalsociety.org]

Wow. Highly questionable activities.

[Compulawyer]

I question the intelligence of those who do not take appropriate steps to safeguard their personal information. I have *NO* doubts, however, about the intelligence of someone who would commit almost 50 violations of the Electronic Communications Privacy Act (each one of those violations a felony) and then blog about it.

Re:

[Dayofswords]

There is a damn show on what you just said. it's called "It Takes a Thief'
http://en.wikipedia.org/wiki/It_Takes_a_Thief_(2005_TV_series) [wikipedia.org]

Re:If you did this to me

[pthisis]

It Takes a Thief got the owner's permission before staging the break-ins. If you got someone's permission before attempting to sidejack their account, you'd probably be in the clear. Without it, you're breaking the law.

everything on teevee is da truth

[YouWantFriesWithThat]

you're joking right? how do you think all the interior cameras get in side the house?

they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.

Re:

[Stregano]

What I need you to do is go ahead and setup a bunch of security camera in your house, and then go a few blocks away when it is night time, sit in a van, and watch the security cameras. Don't worry, nothing will happen.

Re:

[h4rr4r]

How do you plan to find me?
I pay for coffee in cash and changed my MAC address before I connected to the wireless.

This is purely hypothetical, I did not do this nor suggest anyone should.

Re:

[Anonymous Coward]

I yell "who the fuck hacked my facebook?" and look for the geeky looking dude who looked into his latte.

Re:

[theshowmecanuck]

You have to find the people whose accounts he accessed in order to prove he actually did what he said.

Re:

[X0563511]

Additionally, you have to find a judge who gives enough of a shit to issue said subpoena.

Re:

[cbiltcliffe]

So, you know for sure it's him, because he posted it on his personal blog, just like you _didn't_ post all those message on your hijacked Facebook profile, huh?

Sure. That seems reasonable.

Re:

[shitzu]

Posting some rants on someone's wall is highly ineffective. I had an idea to modify the extension so that it changes everyone's relationship status (married->its complicated, etc) . That would get the targets to secure up in no time.

Re:

[Puls4r]

You don't seem to get it.

Broadcasting information in the clear leaves it open to everyone. It's really no different than having a radio station and being surprised people tune in, or having a conversation on a crowded elevator and being upset that someone overheard you.

While a lock on a house is very easy to pick, it serves it's purpose. It keeps honest people honest. Frankly, people who want to get into your house are going to get in quite easily, regardless of your locks. Windows tend to do that

Re:

[Anonymous Coward]

All these house analogies fail.

What this is basically like, is like putting a bunch of your stuff out on the sidewalk in front of your house... and getting all self-righteous and pissed when someone comes along and pokes through it.

Re:

[russotto]

Broadcasting information in the clear leaves it open to everyone. It's really no different than having a radio station and being surprised people tune in, or having a conversation on a crowded elevator and being upset that someone overheard you.

Well, yeah, But then using that information to access someone else's account is another story. If I overhear someone's safe combination, I still don't have the right to open their safe, even if I happen to have legitimate access to the area it's in, and even if I'

Re:

[chebucto]

The closest analogy I've seen is the -1 Flamebait comment [slashdot.org] at the bottom of this article - stealing tapes from an unlocked car.

In this case, it's probably more like leaving notes in unlocked cars saying 'your car is unlocked'. IMHO leaving the note is creepy and intrusive; stealing the tape is criminal. Either way, you're poking your head around in places people want to keep private. Locks may keep honest people honest, but honest people shouldn't require locks to stay honest. Houses, cars, and facebook acc

Re:

[phyrexianshaw.ca]

... you completely fail to understand how unencrypted WIFI works.

the analogy here would be him taking pictures in your open uncovered window of your couch, and sending you the picture in the mail. had he captured you having an affair and tried to ransom the image that you freely gave him back to you: that would be illegal.

never should it be illegal to INFORM SOMEBODY OF THE LACK OF SECURITY PROVIDED BY ANYTHING. it's one thing to go posting on the internet "this guy at 123 somewhere st never locks his

Re:

[RichiH]

"Should" "should" "should"

Sure, it's trivial to sniff data off of unencryted Wi-Fi. It's also trivial to punch you in the face. Both are illegal unless you agree beforehand.

The ease of doing something is disconnected from how legal it is. If you sniff username & password and log into an account, you are breaking the law. Period.

Re:

[Nethead]

But, replace "house" with "computer" and suddenly I don't have to apply any of that to it.

Let me know when you get that $250,000 computer.

Re:

[Stregano]

I will be honest with you, that is one huge paragraph that I did not read (too long, sorry), but I will go based off of you having No they don't care.

It is something I learned from non computer saavy people. They just want it to work. They don't care about anything after that. If it breaks, oh well, they have a friend that is good with computers that can fix it while they sit there not paying any attention to the fact that they got hacked.

I know if that personally happened to me, the first thing I

Re:

[phyrexianshaw.ca]

formatting aside:
Great job. that pretty well sums the majority of the people I know.

the remainder: are having an affair/stealing money/doing something they shouldn't and keep hearing "people can get information about you!" in the news.

Re:

[hedwards]

Right, and there's fewer than 100 people killed in the US by lightning strikes, so it must not be that big a deal to walk around outside in a thunderstorm?

Obligatory XKCD. [xkcd.com]

Re:

[mail2345]

FB requires your current password to change your password.
And goatse harms people otherwise uninvolved.

Re:

[Samantha Wright]

But not to delete it!

Re:

[RichiH]

And after that, go back into your Mom's basement, erm, I mean the Bat Cave, and feel all smug about the ten kinds of awesome that you are.

Re:

[Alcoholic Synonymous]

I didn't say they would be thankful. I said they would take personal security seriously. They either aren't bright enough or concerned enough to take a direct and courteous warning seriously. Most people DON'T take warnings seriously, until it bites them in the ass.

The problem being, people who really want to bite them in the ass aren't going to deface them. They are going to harvest information from them and use if for their own malicious ends. At worst, they can use the information to physically stalk, ma

Re:

[Alcoholic Synonymous]

Maybe you should RTFA.

This guy took the non-dick approach. He got into their accounts and sent them messages from themselves saying how he did it and how to protect themselves. He even sent a followup after a while saying "I was serious". They still didn't care. I am saying, the warning should not be private/ignorable, after that.

If you want to call it bullying, so be it. But this is the equivalent of a bully saying "I am going to beat you up behind the school after class." and then you actually show up be

Re:

[Anonymous Coward]

If the site doesn't support HTTPS, there's not an easy fix. The users could set up a VPN connection, but that's not as simple as clicking to install a tool. We need to start asking all sites that use cookies to store authentication credentials, which is pretty much any site that allows you to log in and remembers that you've logged in, to allow the HTTPS to access all their pages. Let's start with Slashdot. Slashdot, please provide HTTPS support on all pages on the site! StartSSL certificates are free!

Re:

[icebike]

But facebook DOES support https, no?

Re:

[brain159]

I fully expect, within 14 days of now (if that), for people to be using this in busy locations to send links out to victims friends telling them to "click here to browse my holiday photos with this cool FakePhotosRealMalware tool!".

Not that I'm going to do it, just that it's really obvious and I want to feel smug for totally calling it.

Re:

[MachDelta]

Yeah, why not just sit in the coffee house running FireShepard [notendur.hi.is] instead? ;-P