Wednesday, October 27, 2010

I Hacked Your Facebook Today, and I'm Sorry

I'm fairly computer savvy, although not a hacker by any means. I never really had any interest in breaking into other people's accounts, computers, or identities. Until today, when the barrier for doing it was lowered so much that anyone could do it. I was curious: if I could hack into anyone's account, they could do it back to me. I wanted to see how easy it was.

And man, is it easy. Yesterday, some guy announced the release of Firesheep, an add-on to the Firefox browser that allows you to 'sniff' around in a public WiFi channel for logins, passwords, etc. It turns out that when you are sitting in a coffee shop, or an airport, enjoying the WiFi access, certain websites (most notably Facebook and Twitter) send your username and password 'in the clear' - that is, without encryption. When they do that, Firesheep can read it and use it.

It is incredibly easy to use. I went to Starbucks to check it out. I downloaded the software, installed it, and restarted Firefox in about 90 seconds. Then I ran the program and immediately it found Grace's Facebook account. A quick scan found Grace on the other side of the shop - typing, unaware, on her laptop. This was a complete and utter violation of her privacy - it wasn't just that I could see her pages, I was actually logged in to her account as her. I could see photos, chats, messages, everything. I could have sent nasty mails to her friends, her boss, her mom. It was crazy that it was so easy to hijack her account.

My view of security and privacy is typically kind of lax - I call it the bicycle lock theory. I used to only buy cheap bike locks -- they keep out the casual thief, but if someone really wants to steal my bike they will, no matter how expensive a lock I have. I enjoy the internet and social networks too much to worry about obscure security leaks that only sophisticated hackers can exploit. Even when people got enraged at Facebook's privacy policies I was ambivalent - I mean, I get all of Facebook for free, so if they want to profile me to target some ads, so be it.

But now I feel differently. The barrier is too low. If I can do it, anyone can. And apparently, they are. News reports on how to protect against Firesheep attacks are not easy for the layperson to understand. I applaud the developer of the software; he is trying to expose the security problems, and thought this was the most effective way (he was right!). In fact, in a follow-up blog post, he explains, in pretty common language, what the problems are and what you can do about it. Apparently, the fixes aren't hard, but it takes the Facebooks and Twitters of the world to change (apparently they need to use something called SSL). He should win some kind of security Nobel Prize as far as I'm concerned.
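As an added example that is not part of the original post, here is the site-side check behind "they need to use SSL": it takes the headers of a login response (constructed samples, not real Facebook or Twitter traffic; the host `example-social.test` is made up) and reports what an eavesdropper sharing the hotspot could still read. What a sniffer like Firesheep picks up is the token the site hands the browser after login, its session cookie, so the fix is https for every page plus the `Secure` attribute on that cookie.

```python
"""Audit a login response for what a Firesheep-style sniffer on open WiFi could read.

Added example, not from the original post. Two server-side settings make the
SSL fix stick: serve the login and everything after it over https, and mark the
session cookie `Secure` so the browser never sends it over plain http.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_response(url, headers):
    """Return a list of findings; an empty list means nothing is exposed.

    `url` is where the response came from, `headers` a list of (name, value)
    pairs exactly as the server sent them.
    """
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append(f"{url}: page and any cookies it sets travel unencrypted")
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header: a visit typed as http:// is still unencrypted")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; Path=/; Secure; ..." into morsels
        for key, morsel in jar.items():
            if not morsel["secure"]:  # flag attribute: True when present, "" when absent
                findings.append(f"cookie {key!r}: no Secure attribute, browser sends it on plain http:// too")
    return findings


def hijackable(url, headers):
    """True if someone sharing the hotspot could capture the session from this response."""
    return bool(audit_response(url, headers))


# Constructed sample: the weak 2010-style setup (plain http, bare session cookie).
WEAK_URL = "http://www.example-social.test/home"
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sess=ab12cd34ef; Path=/; Max-Age=86400"),
]

# Constructed sample: the same site after the fix the post calls for.
FIXED_URL = "https://www.example-social.test/home"
FIXED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sess=ab12cd34ef; Path=/; Max-Age=86400; Secure; HttpOnly"),
]
```

Run `audit_response(WEAK_URL, WEAK_HEADERS)` to see both findings, and the fixed pair to see an empty list.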

So, until Facebook adopts SSL, no more Facebook on public WiFi for me. And as for Grace, I'm sorry, I really am.