Balloon Juice

Come for the politics, stay for the snark.


PSA: Firesheep

by $8 blue check mistermix | October 31, 2010, 10:20 am | 26 Comments

This post is in: Science & Technology


If you use wireless in a public location (like Starbucks), it’s possible that someone else can use a Firefox extension called Firesheep to “sidejack” your Amazon, Facebook, Twitter or Google account (among others). This allows them to do things in your name on those accounts, and perhaps even steal your password (under rare circumstances).

Though the vulnerabilities exploited by Firesheep have been around for a while, once an easy-to-use tool is released, it’s pretty common for jackasses to make heavy use of it for malicious purposes. The simplest cure is this tool from the good people at EFF. Here’s a more lengthy explanation of how Firesheep works and what it can do.
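The condition Firesheep relies on is a site that sets its login cookie without the Secure attribute, so the browser keeps sending it over plain HTTP where anyone on the same open wifi can read it. As an added example (not code from this post or from EFF's tool), here is a small defender-side audit that parses a response to an http:// request, lists cookies that would travel in the clear, and reports whether the site pushes clients onto HTTPS; the two responses it runs on are constructed samples, not captures from any real site.

```python
# Added example (not from the post or from EFF's tool): a defender-side check
# for the condition Firesheep exploits, i.e. a session cookie the browser will
# send over plain HTTP because it lacks the Secure attribute. The responses
# below are constructed samples, not captured from any real site.
SAMPLE_RESPONSES = {
    "sidejackable": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
        "Set-Cookie: comment_author_email_=user@example.com; Path=/\r\n"
        "\r\n"
    ),
    "hardened": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://example.com/login\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
        "\r\n"
    ),
}

def parse_headers(raw):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_plaintext_response(raw):
    """Given the response to an http:// request, list cookies that would leak
    over HTTP and report whether the site pushes clients onto HTTPS."""
    status, headers = parse_headers(raw)
    exposed = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow name=value; without Secure the cookie rides along
        # on every plain-HTTP request and can be sniffed on open wifi.
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:
            exposed.append(cookie_name)
    location = next((v for n, v in headers if n == "location"), "")
    redirect = status.split()[1].startswith("3") and location.lower().startswith("https://")
    hsts = any(n == "strict-transport-security" for n, _ in headers)
    return {"exposed_cookies": exposed, "redirects_to_https": redirect, "hsts": hsts}
```

A site that passes (no exposed cookies, redirect to https and HSTS present) gives Firesheep nothing to collect; the EFF tool the post links to forces the client side of the same outcome.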


Reader Interactions

26 Comments

  1.

    jwb

    October 31, 2010 at 10:50 am

    Hadn’t heard about Firesheep, so thanks for the tip.

  2.

    adolphus

    October 31, 2010 at 10:50 am

    Quick question I did not see addressed in linked article. Can this Firesheep hijack your account only if you also are using Firefox, or can it do this if you are using another web browser?

  3.

    jwb

    October 31, 2010 at 11:01 am

    @adolphus: Not an expert here, but I think Firesheep sniffs all internet traffic for cookies it recognizes. I took that to mean it’s not browser specific.

  4.

    mistermix

    October 31, 2010 at 11:11 am

    @adolphus: jwb is right.

  5.

    Xecky Gilchrist

    October 31, 2010 at 11:13 am

    Thanks! Installed. I don’t use public networks often, but nice to know I can armor up a bit when I do.

    …for some reason, the thread title made me think this would be about FDL.

  6.

    soonergrunt

    October 31, 2010 at 11:17 am

    Thanks for the link to the EFF tool. Here’s an idea–the profit-making enterprises involved, Amazon, Facebook, Twitter, Google, and others would spend a little capital on repairing/remediating their security holes.
    Since the internet is almost completely unregulated, however, there is no reason for them to spend the money to do this. It’s not their personal information being compromised after all.
    A great example of the major downsides to the Libertarian anti-regulation attitude.

  7.

    bemused

    October 31, 2010 at 11:28 am

    Make sure your home wi-fi nets are configured to use WPA2 session encryption. It isn’t only “public” networks that put you at risk.

  8.

    MikeJ

    October 31, 2010 at 11:37 am

    @adolphus: Firesheep is just a generic packet sniffer with an easy to use xul wrapper. A person using firesheep can sniff packets from any browser, any OS.

  9.

    uila

    October 31, 2010 at 11:58 am

    I have long suspected that Starbucks customers were a bunch of packet sniffers. Where is the extension that lets me expose these deviants?

  10.

    Alwhite

    October 31, 2010 at 12:05 pm

    I have been working in IT security for about 20 years & there is nothing in firesheep that could not – and has not – been done before. The only difference is that it can now be done by someone with no technical knowledge. I demonstrated wireless hijacking for friends years ago & it is possible with encrypted wireless connections but it requires some knowledge & skill.

    We are “safe” for the same reason that most wildebeests are safe – too many of us in a pack & too few lions. If you do a lot of business on line get a VPN services.

  11.

    Knocienz

    October 31, 2010 at 12:24 pm

    @bemused: I knew someone who would leave an open wifi connection just to screw with people who tried to use it. Things like changing the resolution on all images so they’d think their monitor went bad, or sending them to a fake CNN site they had set up showing an asteroid on course to hit New York.

  12.

    jman

    October 31, 2010 at 12:25 pm

    The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database.

    Wonder what 26 sites those are?

  13.

    Sentient Puddle

    October 31, 2010 at 12:30 pm

    Yeah, back when public networks were really starting to crop up places, I was scared straight by watching a friend grab a packet sniffer and seeing what kind of trouble he could get himself into (plenty).

    It baffles the hell out of me that we’ve seen an explosion of public unencrypted networks, and not a goddamned improvement in security of these things. It’s insane, and I can only hope that something like this will scare the pants off enough people that we can give more attention to security.

  14.

    sparky

    October 31, 2010 at 12:42 pm

    Thanks for the useful post. I was not aware of the Tor-EFF collaboration on this point. Without regard to the browser/OS someone uses, people may also want to consider installing one of the personal VPNs that can provide more security in public. I’m not familiar with enough of them to make a recommendation.

  15.

    RareSanity

    October 31, 2010 at 12:45 pm

    For those that use public wifi pretty often, you probably owe it to yourself to buy some type of VPN router for your home connection, or use a reputable VPN provider. If the VPN is configured to “route all traffic”, everything you are doing, even on an open wifi connection, is encrypted.

    I forget what computing power is required to try and crack a suitable VPN connection, but it is enough to require enough time and actual computers that no one will try to crack yours to try and get something free off Amazon.

  16.

    monkeyboy

    October 31, 2010 at 12:49 pm

    @jman:

    Wonder what 26 sites those are?

    from here:

    Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting— anyone can write their own plugins, according to the post.

  17.

    bemused

    October 31, 2010 at 1:01 pm

    @Knocienz:
    Weird. I didn’t write that comment. I know nada about encryption.

  18.

    MikeJ

    October 31, 2010 at 1:33 pm

    @RareSanity:

    For those that use public wifi pretty often, you probably owe it to yourself to buy some type of VPN router for your home connection, or use a reputable VPN provider.

    I run an ssh server on my internet-facing computer at home. Then when I’m on my laptop, either at a coffee shop or at a client’s office, all my traffic is encrypted and bounced off my machine at home. There’s no reason to believe you can trust our corporate overlords any more than you trust random people in a coffeehouse.

  19.

    Joe Buck

    October 31, 2010 at 1:47 pm

    At least in the case of Facebook, you can get an encrypted session (and keep safe from snoopers) by using https: instead of http:. If you just type “facebook.com” in the location bar you get http: by default.

  20.

    RareSanity

    October 31, 2010 at 1:53 pm

    @MikeJ:

    I run an ssh server on my internet-facing computer at home. Then when I’m on my laptop, either at a coffee shop or at a client’s office, all my traffic is encrypted and bounced off my machine at home. There’s no reason to believe you can trust our corporate overlords any more than you trust random people in a coffeehouse.

    I use an Endian firewall and OpenVPN. My comment was more directed toward simplicity of setup and maintenance for an “average” user. Any type of encryption would be better than none. Not only that, I would find random hackers at a coffee shop to be a far worse threat to my accounts than a big corporation. I am not rich enough, or dealing with sensitive enough information, for any corporation to give a flip about what I’m doing.

  21.

    demimondian

    October 31, 2010 at 2:00 pm

    @soonergrunt: (Ob disc — I work for Google, and work closely with the security team.) For what it’s worth, Google has permitted you to use SSL for all communication with our servers since July of 2008. In GMail (or any other Google property, including apps), go to settings…general settings, and, under browser connection, select “always use https”, then click “save changes” at the bottom of the page. This is also supported for accounts serviced by Google over Google Apps for Your Domain.

  22.

    Tim in SF

    October 31, 2010 at 2:26 pm

    Hi! I’m the webmaster for EFF (and long time B-J lurker & occasional commenter).

    When you are in a public space, always, ALWAYS make sure any website with which you are exchanging sensitive info* has https, not just http in the address bar, on each and every page of that site while you are on it. You can often physically change it to make your session secure.

    We at EFF wrote this article that may shed light on some of the mechanics and risks involved, as well as fixes. In short, encourage every site you frequently use to employ an https version, if they can.

    (“Sensitive info” can be thought of as your login, password, or anything else you wouldn’t want written on a sticky note and put on your laptop case for all to see.)

  23.

    tom

    October 31, 2010 at 2:30 pm

    I use a VPN service called HotSpotVPN. Its installation instructions are (or were – haven’t seen them lately) rather cryptic for the average user, but I’ve been happy with the service.

  24.

    demimondian

    October 31, 2010 at 3:18 pm

    @Tim in SF: For what it’s worth, many sites store stuff in their cookies that is more sensitive than many users realize. For instance, my cookie jar for “www.balloon-juice-com” contains a cookie called “comment_author_email_”. That cookie is used to fill in the “Mail” field in my browser, and it points to a real account on a real server.

  25.

    moops

    October 31, 2010 at 3:44 pm

    @demimondian:

    comment_author_email_ and other private information in cookies really should be put through a hash function. It doesn’t have to be a fancy kind. Heck, rot13 would stop most Firesheep types, but a simple feature like that would help people out a lot.

  26.

    adolphus

    October 31, 2010 at 6:19 pm

    Thanks for answering my question above.

    I am not a computer professional and much of what you guys are talking about is way over my head. Does anyone have a link that explains this simply? The EFF link was helpful, but even it seemed to assume a certain level of knowledge.

    From what I can gather VPN software will help me with this problem. I have had a VPN client on my desktop since I returned to graduate school. My university has always required it to connect to various school services, especially, for my purposes, research databases and library services. I am scouring their website now and can find no literature on how this helps with security. Does it?

    No need to hold my hand on this, but if you know where I can get simple explanations to stupid questions, I would be grateful. Meanwhile I will continue to look through my university’s IT department websites.
