Feeds

Software engineer blogs own Starbucks wiretap

Firesheep theatre

The essential guide to IT transformation

Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre.

Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary LosHuertos fired up Firesheep at his local Starbucks and started nabbing identities.

"I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar," he writes on his personal blog. "Around half an hour later, I'd collected somewhere between 20 and 40 identities."

Most were Facebook identities. So Gary started sending people messages from their own Facebook accounts warning them he had just hijacked their Facebook accounts. "Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their accounts' exposure," he says.

After a few minutes, he decided he had done some good. Some names disappeared from Firesheep. Then the names appeared again. So he logged into their Facebook accounts a second time. "Did they receive the first message?" he says. "Surely enough, they had."

So then he sidejacked somebody's Amazon account. "One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a 'no, seriously' message on Facebook from his account including the fun fact about his music choices."

The Amazon man vanished. So Gary logged back into more Facebook accounts. "I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts," he writes. After twenty minutes, he wasn't sure if they had gotten his second message, so he logged into their accounts again.

They had.

Then he left. But he gave one final lesson for his fellow coffee drinkers. "I packed my things, I walked around the store, and recognized several of the people I'd just introduced to their own vulnerability. I included no clues as to my identity, less because of fear of retribution, and more because invasion of privacy is all the more frightening when it is committed by an absolute stranger with no chance of discovering their identity."

When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open. Just another demonstration: we're all walking around with vulnerabilities we have yet to discover."

Yet another demonstration: if you blog about Firesheeping people in your local Starbucks, you're publically admitting to a felony.

Bootnote

A tip of the hat to privacy guru Chris Soghoian.

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.