In last week’s Part 1, I commended the Wall Street Journal for its investigation into Internet privacy through its multi-part “What They Know” series. This week, I am turning my attention to someone, in my opinion, who has earned a “bad guy” award. While he certainly sees himself as a “good guy,” you can decide for yourself.
Hackers are usually divided into “white hats” and “black hats.” These roughly correspond to their motives — are they hacking for fun or for profit? Are they breaking into a computer just to prove they can do it, or are they actually stealing information?
For example, white-hat hackers are often rewarded — and sometimes employed — by companies needing to uncover security holes.
What about someone who writes a tool that allows others to break into your Facebook account? They can learn all the personal details you have posted there, even details you asked that no one else be allowed to see, such as your birth year.
What if that same tool did this not just for Facebook, but also for Flickr, Amazon.com, Dropbox, Evernote, and a growing number of other sites?
Well, there is a program like that. It is designed to be used in public wifi hotspots, and the first thing it does is to display what others in that hotspot are currently doing.
Behind the Scenes
Here, for example, is a demonstration screen that the author has on his website.
If you look at the left column, you can see that Eric is accessing Google, Ian is in Facebook, Net9 is on Twitter, and Cdine is looking at photos on Flickr.
That’s scary enough, but if you click on any of the entries on the left, Firesheep takes you right into the site being accessed, and that site will believe you are the person listed.
How It Works
You may have noticed that websites switch to a higher security mode, called HTTPS, while you are entering your user name and password. Fine. So you log into Facebook, which accepts your credentials and shows your personal news feed and wall.
Facebook assigns you a unique session ID and passes that back to your PC in the form of a cookie. When you make your next request, such as clicking on the “message” screen or your friend’s profile, your browser includes that session ID, so Facebook can associate the request with your information and not someone else’s.
The trouble is that, on many sites, only the login itself used HTTPS; every request after it goes out over ordinary, unencrypted HTTP, carrying that cookie with it. On an open wifi hotspot, that traffic is visible to everyone else on the same network. Until you either log out or the session times out, anyone who knows that session ID can use it to break into your account.
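As an added illustration, not part of the original post, here is a small Python check a site operator could run over the Set-Cookie headers their own site emits. The Secure attribute tells the browser never to send a cookie over plain HTTP, which is exactly what keeps a session ID out of a hotspot's unencrypted traffic; HttpOnly keeps page scripts from reading it. The header values and the cookie-name hints are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies a browser would send over plain HTTP.
Sample headers below are constructed, not captured from any site."""
from dataclasses import dataclass

# Name fragments that usually indicate a session or authentication cookie (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    problems: list


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value ("name=value; Path=/; Secure; HttpOnly")
    and report what is missing for a cookie that looks like a session ID."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    problems = []
    if looks_like_session(name):
        if not secure:
            problems.append("missing Secure: cookie is also sent over plain HTTP")
        if not httponly:
            problems.append("missing HttpOnly: cookie is readable by page scripts")
    return CookieAudit(name, secure, httponly, problems)


def audit_set_cookie_headers(headers: list) -> dict:
    """Map each problematic header to its list of findings; clean headers are omitted."""
    return {h: parse_set_cookie(h).problems for h in headers if parse_set_cookie(h).problems}


# Constructed sample: the first is the weak pattern the post describes (HTTPS login,
# cookie then travels over HTTP), the second is the hardened form, the third is not a session.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Domain=.example.com",
    "session_id=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for header, problems in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(header, "->", "; ".join(problems))
```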
The Problem Is Firesheep
The “bad guy” individual I am discussing is Eric Butler, a freelance web application and software programmer in Seattle. His motivation is to demonstrate a problem with the login security of a great many websites, including Facebook. He did so by writing Firesheep, and it has already been downloaded nearly one million times.
Mr. Butler released Firesheep to call attention to the problem. Fine. But he did so in a way that clearly violates people’s privacy. Then he made the tool widely available for free, with no apparent concern about, or at least control over, how it will be used.
Is this white hat or black hat? You can judge for yourself.
For my part, I grant that Mr. Butler’s motives are probably OK, but his methods, I believe, cross the line. There are other ways to demonstrate the risk he is calling attention to without endangering anyone’s privacy. So I would call it “gray hat.”