Herding Firesheep In NYC — Do Users Care?

An anonymous reader writes "Following the Firesheep uproar, I spent some time telling people who don't read Slashdot about the vulnerability that open WiFi networks create in what seemed like the most effective way possible: by sidejacking their accounts and sending them messages about how it happened. The results were surprising — would users really rather leave their accounts open to intruders rather than stay off Facebook at Starbucks? The link recounts the experience, and also lists some rough numbers of how many accounts could be compromised at a popular NY Starbucks location."

If you did this to me

[Anonymous Coward]

You would be arrested. Breaking into someones house to point out that you can break into their house still leaves you with a breaking and entering charge. Even if you caused no damage and took nothing, you're still going to jail brainiac.

Interestingly, the author of TFA never considers

[brokeninside]

... that some users might weigh the costs of security against the costs of being insecure and opt to be insecure. As an example, I don't generally lock the doors of my car. I've found that if I do, people that want to get in when I'm not there break the windows and take what they want anyway. Locking my car doors merely causes the extra headache of replacing the glass alongside whatevever gets stolen. Yet the author of TFA would consider me a moron for being within the universe of people that have an intruder yet still refuse to lock their doors.

False sense of security

[cappp]

I wonder if the problem isn't linked to the spread of specific remedy rather than actual understanding. We've all told confused relatives and friends to delete random messages appearing in their accounts, and to avoid clicking on links or buying products that promise some online miracle. That's possibly what those last hold-outs in TFA were reflexivly doing. In effect we're trained people to behave in a way that was understood to improve security, without providing them the context to protect themselves in any other situation. Like teaching a child not to stick their hand into the sitting-room fireplace but failing to mention that stoves, heaters, and engines all get bloody hot too. Hell that's a flawed lesson as well...they should have been taught about heat and burning as concepts. I'm not really sure how to solve the issue though. At the end of the day a large portion of the population lack the skills, time, interest, or motivation to learn about what is becoming the increasingly complicated world of computer security. I'm a proud geek and I couldn't tell you how secure firefox add-ons are, or which virus scanner does the most reliable work, or how the hell to stop random ports blah blah blah

That being said only 5 out of 20 actually ignored the advice. Of those another 1 took a little more effort but finally learned his lesson. That's not bad odds considering.

Re:Interestingly, the author of TFA never consider

[Anonymous Coward]

So, does your insurance company give you a discount for providing easier access to thieves?

Denial is bliss

[bl8n8r]

A lot of the time it seems people would rather not know, or be dismissive of their risk because they just simply cannot comprehend the details or do not want to. There is nothing else you can do for them. Someone once said about people: you can explain it to them, they will understand it, and then they will ignore it.

Re:From TFA: "my fly had been wide open"

[Anonymous Coward]

And if that can be seen on Starbuck's security cams, he just IDed himself after admitting to breaking federal laws.

Re:Interestingly, the author of TFA never consider

[IamTheRealMike]

Yes, exactly.

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:

1. No VPN at an airport or coffee shop. Your session may be hijacked by somebody near by, intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
2. VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPNs colo facility and the target. The only people who actually do this is government, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily lives threat model, mostly because you can't do anything about it except move country and most governments, at least in the west, just aren't that bad.
3. Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc and the government. Notice how nothing changed from step 2..

I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.

everything on teevee is da truth

[YouWantFriesWithThat]

you're joking right? how do you think all the interior cameras get in side the house?

they contact the family, sign a contract to get permission to break in and pay for damages etc., and then set up cameras.

Re:Interestingly, the author of TFA never consider

[Jah-Wren Ryel]

Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk.

In my case, that 'distortion' is the application of automation. Yeah, today very few people are side-jacking facebook. But I can remember when phishing, 411-scams, and even spam were all so rare that those didn't pose a significant risk either. But all of those, and pretty much every significant risk on the net, became problematic due to the application of automation. Side-jacking facebook is ripe for similar automation. And don't think for a second that attacks that are automated will be so blatant that you can easily notice tampering with your account -- that would defeat the purpose of malicious side-jacking in the first place.

Re:Some people don't care

[PatHMV]

Exactly. I rather tire of seeing the self-proclaimed geek elite decrying these users as "stupid" and "ignorant." No, they just have different value systems then the uber-security-conscious. Lots of people in rural areas regularly leave their doors unlocked. Just because a hacker COULD get access to their account at a Starbucks doesn't mean that the odds of it happening at any particular Starbucks at any given time is terribly high.

Was it idiocy for the folks at this Starbucks to stay online on Facebook even after being warned by this hacker? Clearly from the warning he provided, he wasn't intending to do harm to them. You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

Re:Denial is bliss

[Anonymous Coward]

Or they might decide that the risk is worth it, for their facebook fix. Provide them with a technical solution that takes one second to implement, and allows them to continue gaining all the convenience from before, with the security vulnerability. Then they'll probably use it.

As it is, you're asking them to give something up (facebooking in a Starbucks) to protect them against some nebulous, unknown threat. How can you criticise their judgement without knowing the value they place on these two things?

Author is ignoring the obvious

[meeotch]

Clearly, the people in the article have blocked Facebook messages from themselves. I've done this myself, in fact. It's the only way to keep the dozens of warnings I receive every day about how insecure Facebook is from clogging my inbox.

Re:Interestingly, the author of TFA never consider

[RaymondKurzweil]

A lot of people might, dumbass. Where I live, I can't get more than 1 meg up for home service (under $70/mo), so using my home connection as a general purpose VPN forwarding point would suck ass on many sites.

Also, since the issue here is about the Facebook population... the intersection of Facebook users and SSH port forward capable people is probably a very small percentage of Facebook users.

Luckily I don't have a geek card to turn in, and if I was forced to have one I would gladly turn it in, since the more self-identified geeks and hackers I meet in recent times, the more I come to the conclusion they're mostly idiots at this point. Ever since "geek" became some kind of shibboleth, it's been all down hill.

Fuck being a geek. There is no virtue in being capable in one area to the detriment at all others. It is indeed possible to dedicate one's brain to both number theory and cryptographic fundamentals, and still be able to solve simple cost-benefit problems.

Re:Some people don't care

[Anonymous Coward]

If some stranger walked into my house to tell me my door was unlocked you can bet your ass I would be locking the door. What kind of dumb ass question is that?

The difference here, and where your logic IMHO fails, is that while many people may not care that much its exactly because of their ignorance. The problem here is that someone telling them they're vulnerable isn't enough because they are just that ignorant. They don't understand how it could possibly do them harm. Sure, some of them may not care, even if they understand the potential harm, but as a technologist I can tell you from experience that showing someone they are open to attack doesn't educate them to the harm. Now, when I've show non-tech folks what could happen if they ignore the fact they're vulnerable, the vast majority have their jaws drop to the floor. They are utterly amazed that people know how to do things like that with computers.

You don't have to be uber-security-conscious to be smart. Leaving your doors unlocked in a strange city is simply asking for harm to come knocking eventually. And, doing so willfully is most definitely stupid and ignorant.

Re:From TFA: "my fly had been wide open"

[nacturation]

Google for "computer trespass" and click on the "Statutes by State" link -- you'll have something in five seconds with the law quoted for you. For non-US jurisdictions, do some more googling or pay your lawyer to quote the law for you.

Re:The problem is not theirs, they think.

[h4rr4r]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

Sounds like you are the problem.

Re:They need a simple guide or something to click!

[Anonymous Coward]

If the site doesn't support HTTPS, there's not an easy fix. The users could set up a VPN connection, but that's not as simple as clicking to install a tool. We need to start asking all sites that use cookies to store authentication credentials, which is pretty much any site that allows you to log in and remembers that you've logged in, to allow the HTTPS to access all their pages. Let's start with Slashdot. Slashdot, please provide HTTPS support on all pages on the site! StartSSL certificates are free!

Re:Denial is bliss

[joe_frisch]

Life is full of risk management. I fly a single engine private plane - under some conditions if that engine fails, I am likely to die. I could reduce that risk by spending money (multi-engine plane), or not flying. I've decided to accept the risk in return for the benefits of flying.

I could learn about computer security (which would take time), go to significant effort to protect myself against hacks (which would cost more time as I need to find work-arounds for the problems the extra security will cause me). I need to decide if the decreased risk of being hacked is worth the cost in time.

Re:The problem is not theirs, they think.

[Seumas]

EXACTLY.

I've tried to make the point repeatedly under this story that we wrongly excuse people's regard toward technology in a way we would never do toward other aspects of life. If you ignored the "idiot lights" in your car and even ignored the fuel gauge, to the point that you found yourself on the side of the highway with an empty tank or you left your kid in the car on a hot summer day or you left your car running on the sidewalk while you ran into the convenience store -- we'd label you an ignorant idiot who lacked any common sense whatsoever and deserved the problems you attracted to yourself.

However, replace "car" with "computer, and we suddenly excuse that mentality. You are no longer a stupid fool exhibiting a lack of common sense or at least interest in understanding things (for example "I should check the manual to see what this idiot light means"). No, when it's a computer -- you're suddenly *the victim*. A victim of complex, baffling, impossible to understand (because you willfully refuse to try), scary technology.

Re:Some people don't care

[Local ID10T]

You're a nice rural family sitting around the coffee table, and a nice man sticks his head in your door and says "just wanted to let you know, your door is unlocked." Do you expect the folks to get up and run around and lock every door in the house?

In most truly rural areas, you would be invited in, offered coffee or a coke, and asked who you are, what you are doing there, and would you like to stay for dinner, and do you need a ride back to town. Rural people aren't typically scared of strangers -that's a city dweller response.

Re:Some people don't care

[evanism]

Security doesn't reduce your stupidity. Nor does paranoia increase your security. Check the USA today. Post a toner cartridge and the whole country shuts down. QED. (Bet the guys at newegg are looking at their policy on combo parts shipments.) (Apologies to the nice Americans here)

An example of socially sick geek being smug

[Anonymous Coward]

And people here wonder complain about the stereotype "geek" are always portrayed as socially inept to point of almost being sick. Unfortunately, that part of the stereotype fits this blogger perfectly.

What would you think if you encounter these incidents:-

• When leaving a public washroom, somewhere dropped a polaroid picture of you just peeing, with helpful note reminding you that "you were in the public washroom at XXX, you forgot to check the window above you is slightly ajar and someone can easily snap pictures of you peeing, just like this."
• (assume you were a girl) In a library, somewhere dropped a picture of your panties, with a helpful note telling you that "your skirt is too short, people can easily take underskirt pics of you just like this"
• You return home and found a note saying "you forgot to lock your door, someone can easily come in and steal your stuff"
• In the office, you being responsible for buying coffee this time, open the honor-system can that holds the coins people deposit when getting coffee, and found a helpful note saying "your honor system is too insecure, anyone can steal the coins here."
• After chatting with a friend about his new girl friend, you found a note next to you saying "Your phone conversation is totally insecure, I can hear every word you said. P.S. I think your friend should dump that girl."

I guess it will be a BIG revelation to the author of TFA when (if?) he realize that a LOT of things in our life is not secured by technical means, but rather social norms. Girls don't wear steel skirts to avoid people lifting it, social norms dictate that people don't do it (although some would still do it). Girls don't always wear pants to keep people from peeking underskirt, and most people don't. People talking on mobile phone don't carry white noise devices to block people eavesdropping, and yet most of the time nobody will eavesdropping on your phone conversations.

Similarly, people using public networks except human decency to prevent those with technical means to eavesdropping or hijack their Facebook traffic (their banking traffic, however, is another story). I guess having human decency is too much to expect from this blogger.

Congratulations on showing your technical powers to the ignorant masses, those people will go on their lives knowing they just encountered a stupid jerk that is not worth the time to respond to.

P.S. I write programs for a living and I am ashamed to be working in the same field as that blogger. I hope more people would understand not all programmers are sick like that.

Re:The Best Plan

[RichiH]

And after that, go back into your Mom's basement, erm, I mean the Bat Cave, and feel all smug about the ten kinds of awesome that you are.

Re:The problem is not theirs, they think.

[Anonymous Coward]

But they didn't have to be the one spending 20h+ trying to rescue what was left after 50+ different virus and adware fighting over the control of the computer.

There's a term for this - "enabling behavior". If you don't want to have to deal with this, the only thing you can do is to refuse to do it; tell your folks in advance that they'll either stick with your recommendations, or they'll be on their own.

And then stick with that. You'll be surprised how quickly they'll adopt to Firefox, a firewall and all that. (Well, most likely; there is also a chance that they won't. But if they don't, then by definition, it won't be your problem anymore.)

Wow. Highly questionable activities.

[Compulawyer]

I question the intelligence of those who do not take appropriate steps to safeguard their personal information. I have *NO* doubts, however, about the intelligence of someone who would commit almost 50 violations of the Electronic Communications Privacy Act (each one of those violations a felony) and then blog about it.