Herding Firesheep In NYC — Do Users Care?
An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."
If you did this to me (Score:1, Insightful)
You would be arrested. Breaking into someone's house to point out that you can break into their house still leaves you with a breaking and entering charge. Even if you caused no damage and took nothing, you're still going to jail, brainiac.
Interestingly, the author of TFA never considers (Score:5, Insightful)
False sense of security (Score:5, Insightful)
That being said, only 5 out of 20 actually ignored the advice. Of those, another one took a little more effort but finally learned his lesson. That's not bad odds, considering.
Re:Interestingly, the author of TFA never consider (Score:1, Insightful)
So, does your insurance company give you a discount for providing easier access to thieves?
Denial is bliss (Score:5, Insightful)
Re:From TFA: "my fly had been wide open" (Score:1, Insightful)
And if that can be seen on Starbucks' security cams, he just IDed himself after admitting to breaking federal laws.
Re:Interestingly, the author of TFA never consider (Score:5, Insightful)
Yes, exactly.
Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:
I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep are very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.
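The "steal my session cookie" step above only works because the site sends its session cookie over plain HTTP, where anyone on the same open network can read it. The following checker is an added example, not code from this thread or from Firesheep: it parses Set-Cookie header values and flags session-looking cookies that lack the Secure attribute (the defect that makes a session sidejackable). It also reports HttpOnly, which the thread does not discuss. The session-name heuristic, the cookie names and the sample headers are constructed for illustration.

```python
"""Added example (not from the Slashdot thread or from Firesheep): a small
checker for the defect behind Firesheep-style sidejacking. A site that sets
its session cookie without the `Secure` attribute lets the browser send that
cookie over cleartext HTTP, where a passive sniffer on open WiFi can capture
and replay it. Cookie names and sample headers below are constructed."""

from dataclasses import dataclass
from typing import List

# Substrings that commonly identify a login/session cookie. This is an
# assumption (a heuristic), not a standard; a real audit should use the
# site's actual session cookie name.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    looks_like_session: bool

    @property
    def sidejackable(self) -> bool:
        # A session cookie the browser may send over cleartext HTTP is exactly
        # what a sniffer on an open network can capture and replay.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value (name=value; Attr; Attr=x ...)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (e.g. Path=/) are ignored here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lowered = name.lower()
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        looks_like_session=any(h in lowered for h in SESSION_NAME_HINTS),
    )


def audit_headers(set_cookie_values: List[str]) -> List[CookieReport]:
    """Produce one report per Set-Cookie header value."""
    return [parse_set_cookie(v) for v in set_cookie_values]


def sidejackable_names(set_cookie_values: List[str]) -> List[str]:
    """Names of session-looking cookies that may travel over plain HTTP."""
    return [r.name for r in audit_headers(set_cookie_values) if r.sidejackable]


# Constructed sample headers: the first is the pre-hardening form (session
# cookie usable over HTTP), the second is the fixed form, the third is a
# harmless preference cookie.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for r in audit_headers(SAMPLE_HEADERS):
        flag = "EXPOSED over HTTP" if r.sidejackable else "ok"
        print(f"{r.name:12s} secure={r.secure} httponly={r.http_only} -> {flag}")
```

Running the block on the constructed headers reports the first `sessionid` cookie as exposed and the Secure variant as fine; the fix on the server side is the one-word `Secure` attribute plus serving the logged-in session over HTTPS only, which is what removes the exposure the commenter is weighing against convenience.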
everything on teevee is da truth (Score:3, Insightful)
they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.
Re:Interestingly, the author of TFA never consider (Score:5, Insightful)
Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.
In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.
Re:Some people don't care (Score:5, Insightful)
Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems than the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time are terribly high.
Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?
Re:Denial is bliss (Score:1, Insightful)
Or they might decide that the risk is worth it, for their facebook fix. Provide them with a technical solution that takes one second to implement, and allows them to continue gaining all the convenience from before, with the security vulnerability. Then they'll probably use it.
As it is, you're asking them to give something up (facebooking in a Starbucks) to protect them against some nebulous, unknown threat. How can you criticise their judgement without knowing the value they place on these two things?
Author is ignoring the obvious (Score:3, Insightful)
Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.
Re:Interestingly, the author of TFA never consider (Score:3, Insightful)
A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.
Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.
Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the more self-identified geeks and hackers I meet in recent times, the more I come to the conclusion they're mostly idiots at this point. Ever since "geek" became some kind of shibboleth, it's been all down hill.
Fuck being a geek. There is no virtue in being capable in one area to the detriment at all others. It is indeed possible to dedicate one's brain to both number theory and cryptographic fundamentals, and still be able to solve simple cost-benefit problems.
Re:Some people don't care (Score:1, Insightful)
If some stranger walked into my house to tell me my door was unlocked you can bet your ass I would be locking the door. What kind of dumb ass question is that?
The difference here, and where your logic IMHO fails, is that while many people may not care that much, it's exactly because of their ignorance. The problem here is that someone telling them they're vulnerable isn't enough because they are just that ignorant. They don't understand how it could possibly do them harm. Sure, some of them may not care, even if they understand the potential harm, but as a technologist I can tell you from experience that showing someone they are open to attack doesn't educate them to the harm. Now, when I've shown non-tech folks what could happen if they ignore the fact they're vulnerable, the vast majority have their jaws drop to the floor. They are utterly amazed that people know how to do things like that with computers.
You don't have to be uber-security-conscious to be smart. Leaving your doors unlocked in a strange city is simply asking for harm to come knocking eventually. And, doing so willfully is most definitely stupid and ignorant.
Re:From TFA: "my fly had been wide open" (Score:4, Insightful)
Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.
Re:The problem is not theirs, they think. (Score:3, Insightful)
But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different viruses and adware fighting over control of the computer.
Sounds like you are the problem.
Re:They need a simple guide or something to click! (Score:2, Insightful)
Re:Denial is bliss (Score:3, Insightful)
Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.
I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me). I need to decide if the decreased risk of being hacked is worth the cost in time.
Re:The problem is not theirs, they think. (Score:2, Insightful)
EXACTLY.
I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idiot who lacked any common sense whatsoever and deserved the problems you attracted to yourself.
However, replace "car" with "computer", and we suddenly excuse that mentality. You are no longer a stupid fool exhibiting a lack of common sense or at least interest in understanding things (for example "I should check the manual to see what this idiot light means"). No, when it's a computer -- you're suddenly *the victim*. A victim of complex, baffling, impossible to understand (because you willfully refuse to try), scary technology.
Re:Some people don't care (Score:3, Insightful)
You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?
In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers - that's a city dweller response.
Re:Some people don't care (Score:3, Insightful)
An example of socially sick geek being smug (Score:1, Insightful)
And people here wonder and complain about the stereotype that "geeks" are always portrayed as socially inept, to the point of almost being sick. Unfortunately, that part of the stereotype fits this blogger perfectly.
What would you think if you encountered these incidents:
I guess it will be a BIG revelation to the author of TFA when (if?) he realizes that a LOT of things in our life are not secured by technical means, but rather by social norms. Girls don't wear steel skirts to avoid people lifting them; social norms dictate that people don't do it (although some would still do it). Girls don't always wear pants to keep people from peeking under their skirts, and most people don't. People talking on a mobile phone don't carry white noise devices to block people eavesdropping, and yet most of the time nobody will eavesdrop on your phone conversations.
Similarly, people using public networks expect human decency to prevent those with technical means from eavesdropping on or hijacking their Facebook traffic (their banking traffic, however, is another story). I guess having human decency is too much to expect from this blogger.
Congratulations on showing your technical powers to the ignorant masses; those people will go on with their lives knowing they just encountered a stupid jerk that is not worth the time to respond to.
P.S. I write programs for a living and I am ashamed to be working in the same field as that blogger. I hope more people would understand not all programmers are sick like that.
Re:The Best Plan (Score:3, Insightful)
And after that, go back into your Mom's basement, erm, I mean the Bat Cave, and feel all smug about the ten kinds of awesome that you are.
Re:The problem is not theirs, they think. (Score:1, Insightful)
But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different viruses and adware fighting over control of the computer.
There's a term for this - "enabling behavior". If you don't want to have to deal with this, the only thing you can do is to refuse to do it; tell your folks in advance that they'll either stick with your recommendations, or they'll be on their own.
And then stick with that. You'll be surprised how quickly they'll adapt to Firefox, a firewall and all that. (Well, most likely; there is also a chance that they won't. But if they don't, then by definition, it won't be your problem anymore.)
Wow. Highly questionable activities. (Score:4, Insightful)