I'm slightly tongue in cheek with that subject line, however something has come to pass this week which may change everything.

So for many years, security for typical online users has only been a passing thought, if a thought at all - so many users use the web via non end-to-end encrypted http.

This week at Toorcon 12 (hacker conference), a developer, Eric Butler, released a Firefox add-on called Firesheep that has put many major site engineers in a tizzy. Using this quick, easy add-on a user can easily hijack the authenticated Facebook sessions of people sharing the same wi-fi network. Or any site's session, not just Facebook, if it's unencrypted. Basically, you can control another user's Facebook account if they are logged into Facebook on the same wifi network as yourself. Or you can Twitter as them. Or be on Amazon or Google. All by downloading this little plug-in. Think your information's safe at the airport, using their wifi network? Think again. I've downloaded the plug-in and know that it works.

So, my interest leads to these kinds of questions: how is this going to change our society's view on security? It only takes one incident in the news - say a tragic event befalls someone who had a stalker - before the lawsuits begin flying and no amount of tight legal EULA will stop this digital economy from slowing way down. Will Mom and Pop Wilson get to understand what an encrypted http is? Are we growing up in our society's education & understanding of technology?

Would love some feedback on these thoughts. Firesheep can be found here: http://codebutler.com/firesheep

Cheers, @SharonG
[Non-traditional undergraduate student still looking for an Anthropology or Experimental, Applied, or Social Psychology graduate program to call home. Suggestions welcome.]
To resolve this security issue, you'd need to use an 802.1x solution which unfortunately is overkill, and quite honestly too complicated for an average home user to use on their home wifi routers. This of course isn't about home users, but rather anyone who chooses to implement a "standard" setup of a home router. The problem is that our "standards" are quite lax, and to be frank, are too low.

I have skimmed over some blog posts about using TLS to resolve the issue, but I have not had a chance to dive into this further.

It is our responsibility as educated and fluent industry professionals, ethically and otherwise, to not only educate but simplify the complexities of IT security for our layman counterparts.

It is also the due diligence of major hardware vendors such as Netgear, Linksys (Cisco) et al. to make the complexities of their software simple enough for novice users to secure devices (or internet access) in such a manner that protects the users who are unable to protect themselves. It by no means is a legal obligation, but I dare anyone to contest that it's not the right thing to do.

Some corporations use dot1x, some do not. It requires some type of intermediary authentication mechanism such as RADIUS or TACACS. In short it's an identity-based security solution which secures your connection to the internet.

I will investigate further but my schedule is absolutely slammed this week.

HTH,

-- Thomas Jones
http://www.ThomasAllenJones.com
http://twitter.com/OtherTomJones
http://www.li...

One should guard against preaching to young people success in the customary form as the main aim in life. The most important motive for work in school and in life is pleasure in work, pleasure in its result, and the knowledge of the value of the result to the community. -- Albert Einstein, On Education --

Sent with Sparrow

_______________________________________________
The Air-L@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org
Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
Join the Association of Internet Researchers: http://www.aoir.org/
Thanks for the response Thomas! I still believe that it's not a hardware network issue, but rather a site-specific issue - especially as many tend to share wifi networks in public spaces (think coffee shop, airport). I think this is something the Amazons, Googles, and Facebooks of the world must close on themselves and serve sites that are fully encrypted https. The future I see, as we grow in data encryption this year (especially with cloud computing becoming so big), makes me feel like I'm in Blade Runner.

-Sharon
Hi Sharon,

If you understand layered communications, it all starts with network hardware. It has to before you even reach a website. It's the network hardware that allows you to perform ARP poisoning, view TCP sessions, man-in-the-middle attacks, etc., especially over wireless networks. Your connection to the internet, and the sites therein, begins with network hardware and how they handle, encrypt, and establish sessions with your computer, before even reaching sites on the internet. The exploitation by Firesheep requires an unsecured network. That security is the responsibility of the network device providing you service to the Internet itself.

HTH,

-- Thomas Jones
http://www.ThomasAllenJones.com
http://twitter.com/OtherTomJones
http://www.li...

Sent with Sparrow
While hardware level encryption would be nice... and it could in theory solve this problem... using it as a solution is sort of like an 'oh, the water is polluted, let's route it through a sealed viaduct' solution. Sure, it works, but it doesn't address the cause, which is poor session management in browsers and other tools. This is a software problem at its base. You could have the same problem with a multi-link serial network, you could have the same problem on an ethernet network, or basically any broadcast level network with multidimensional routing. Making the network itself stronger so people can't get on it is one option, but as I said it doesn't address the direct problem, which is that two computers which are trusting each other are not using sufficient credentials to establish and maintain that trust. A session is basically a system of trust: one computer trusts the other computer to be what it says. Also keep in mind that... you could always watch people's open traffic and insert data into open streams, so the question is whether or not this is new or whether the system is actually broken at all. Some of you may remember I demonstrated logs and insertions back at IR 2.0 as part of my 'scare the living daylights out of you over internet security' talk. This tool just makes that talk easier, it seems.
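Sharon's point that the sites themselves must serve everything over https and Jeremy's point that the two ends of a session are not using sufficient credentials to maintain trust both come down to how a server sets and transports its session cookie. As an added example (not code from the thread, and not from Firesheep), here is a Python audit of a response's cookie and transport headers, with a helper that re-emits a weak Set-Cookie in hardened form; the sample responses are constructed.

```python
# Added example, not from the thread or from Firesheep itself: an audit of the
# response headers that decide whether a session cookie can be captured and
# replayed from a shared, unencrypted Wi-Fi network. The fix Sharon argues for
# (serve the whole site over https) shows up in headers as the Secure cookie
# attribute plus Strict-Transport-Security; this checks for both.
from typing import Dict, List, Tuple


def parse_set_cookie(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr: value});
    attribute names are lower-cased and flags such as Secure map to ""."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(scheme: str, headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one response (empty list: nothing to fix).
    scheme is "http" or "https", what the response was actually served over;
    headers maps lower-cased names to value lists (Set-Cookie may repeat)."""
    findings: List[str] = []
    if scheme != "https":
        findings.append("served over http: every header, cookies included, "
                        "is readable by anyone on the same network")
    elif not headers.get("strict-transport-security"):
        findings.append("https without Strict-Transport-Security: next visit may start over http")
    for raw in headers.get("set-cookie", []):
        name, _, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure attribute, so the "
                            "browser sends it on any plain-http request")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly attribute")
    return findings


def harden_set_cookie(raw: str) -> str:
    """Re-emit a Set-Cookie value with Secure and HttpOnly present."""
    name, value, attrs = parse_set_cookie(raw)
    attrs.setdefault("secure", "")
    attrs.setdefault("httponly", "")
    pieces = [f"{name}={value}"]
    pieces += [k if v == "" else f"{k}={v}" for k, v in attrs.items()]
    return "; ".join(pieces)


# Constructed sample: a login response as a 2010-era site might have sent it.
WEAK_RESPONSE = {
    "set-cookie": ["sessionid=CONSTRUCTED-SESSION-TOKEN; Path=/",
                   "lang=en; Path=/; Max-Age=31536000"],
}
HARDENED_RESPONSE = {
    "strict-transport-security": ["max-age=31536000; includeSubDomains"],
    "set-cookie": [harden_set_cookie(c) for c in WEAK_RESPONSE["set-cookie"]],
}

if __name__ == "__main__":
    for line in audit_response("http", WEAK_RESPONSE):
        print("weak:", line)
    print("hardened:", audit_response("https", HARDENED_RESPONSE) or "no findings")
```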
Hey all - just going to point out this article, which mentions two other Firefox plugins that can be used to prevent yourself from being firesheep'd. The war continues... http://techcrunch.com/2010/10/25/firesheep/
Agreed. I'm no network engineer, as Thomas pointed out, but I do think that locking down hardware doesn't address the root of the issue. Especially in this day and age when internet usage is expanding but the cost of a home connection has not come down; this pushes lower-income people to open connections, much like a library asset; indeed, sometimes they actually are. A small town I live near markets its downtown area as having 'free wifi coverage' to encourage people to visit. Hence, there are a lot of open networks in day-to-day living for a reason. I'd love to see a video of your IR demonstration. The tool is easy enough even for a social science geek; that's scary.
Participants (4): jeremy hunsinger, live, Pete[r] Landwehr, Thomas Jones