A world-changing piece of software was released recently, and you need to know about it. It’s called Firesheep, and it makes stealing your login information for the web sites you visit as easy as: point, click, done. I strongly urge you to Google it and educate yourself about it.

It shouldn’t surprise anyone that your login credentials have never been secure. After all, email, the world wide web, and the underlying packet switching protocols: none of them were designed to carry encrypted communications. And it’s not in the interest of commercial web sites to spend more time and effort than the absolute minimum necessary to convince you that their sites are “secure”.

Still, up until now you’ve been able to reassure yourself with the belief that only people with very specialized knowledge and tools had the ability to hijack your web sessions.

Firesheep has changed that forever by putting those techniques behind a point-and-click interface that anyone from a four year old child to an eighty year old grandmother could operate.

All someone needs to do is (1) download the Firefox plugin, (2) connect to a public network, and (3) when presented with a list of other users’ sessions on that network, click the one they want to log in as. With no more skill or effort than that, they’ve got instant access to your account on Amazon, Twitter, Facebook, Gmail, Yahoo, Foursquare, Wordpress, and so forth. The rest, as we say, is YFN.

This is doubly bad news for anyone with a smartphone, because most of those devices automatically and indiscriminately connect to public WiFi networks, then send your login credentials to any sites you regularly monitor, without your knowledge or involvement.

There are solutions to this problem, and the people who create and maintain web sites have known about them for years, but balked at putting the extra security measures into practice. Firesheep was actually intended to bring this vulnerability to everyone’s attention, so that the problem might finally be addressed. How quickly do you think that’ll happen?

So here we are. After decades of playing fast and loose on the web, keeping your head in the sand about the risks, it’s finally time to get serious about securing the information you send over the public channel.

If you’re like most people, you probably don’t even take your username and password seriously. How often do you change it? How hard would it be for a human to guess? How long would it take a password guessing computer to crack? Do you use the same username and password for several sites?

The username/password security that we’ve gotten used to is largely just a placebo. It wrongly makes people think they’ve taken an effective security measure. But if your network traffic isn’t encrypted, Firesheep makes it easy for everyone else on the network to hijack your login.

Ideally, all public web sites would immediately transition to sending all web traffic via SSL. But deployment will certainly be extremely slow and spotty.
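Moving a site to SSL only closes the gap the post describes if the session cookie is actually marked so that browsers never send it over plain HTTP, and if the browser is told to stop starting connections over http:// at all. The following is an added example, not code from the original post: it audits a constructed set of login-response headers (the sample values and the "looks like a session cookie" name hints are assumptions) and reports which cookies would still be exposed on an open network.

```python
# Added example (not from the original post): audit HTTP response headers for
# the conditions that let a session cookie travel over unencrypted HTTP.

# Constructed sample of headers a site might send after login. Not a real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=0"),
]

# Assumed name fragments that usually indicate a login/session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Return (cookie_name, set_of_lowercased_attribute_names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), attrs


def parse_hsts(header_value):
    """Return the HSTS max-age in seconds, or 0 if missing or unparseable."""
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit(headers):
    """Return sorted (severity, cookie_or_site, message) findings for a header list."""
    findings = []
    hsts_age = 0
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts_age = max(hsts_age, parse_hsts(value))
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            looks_like_session = any(h in cname.lower() for h in SESSION_NAME_HINTS)
            if "secure" not in attrs:
                # Without Secure the browser will send this cookie over plain HTTP,
                # which is exactly what a passive sniffer on the network sees.
                sev = "HIGH" if looks_like_session else "LOW"
                findings.append((sev, cname, "missing Secure: sent over plain HTTP"))
            if looks_like_session and "httponly" not in attrs:
                findings.append(("MEDIUM", cname, "missing HttpOnly: readable by page scripts"))
    if hsts_age <= 0:
        findings.append(("HIGH", "<site>", "no effective HSTS: browser may still start over http://"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_HEADERS):
        print(f"{severity:6} {subject:12} {message}")
```

A site that serves everything over SSL but leaves its session cookie without the Secure attribute still leaks that cookie the moment the user types a plain http:// address, so the cookie attributes and the HSTS header are worth checking together.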

So what are your options? The first is obviously to carefully regulate your use of public networks. Another is to use a tool like Blacksheep, which might alert you when someone on the network is running Firesheep.

You can also ensure that all your traffic is encrypted by setting up a virtual private network (VPN). The problem there is that you need a trusted host to serve as a gateway, and if you use someone like your workplace, you might discover that they block the sites you want to visit on your personal time, like Facebook and YouTube.

In the meantime, it also makes sense to review your password policy.

I’ll admit my own culpability there: up until now, I’ve only had two passwords. I had one password that never changed, that I used for dozens of sites I didn’t consider that important; and I had another that I changed annually for sites that needed an extra level of “security”, like brokerage and bank accounts.

Needless to say, I’ve decided to fix that. My first change is to start using purely random generated passwords, making use of the full gamut of permitted characters (e.g. mixed case letters and special characters). I’m also using as long a password as each site allows (many allow passwords to be 15, 20, 40 or more characters). These measures are all designed to make my passwords harder to break.

The second change I’m making is that I’m assigning a different password for every single site I use. That ensures that if someone does break one of my passwords, they can only use it for one site, containing any possible damage they can cause.
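The two changes above (random passwords drawn from the full permitted character set, as long as each site allows, and a different one for every site) are easy to implement mechanically. The following is an added example, not the post author's code: it uses Python's `secrets` module for the randomness, computes the resulting entropy, and takes a constructed per-site length table as input (the site names and limits are assumptions).

```python
# Added example (not from the original post): generate per-site random passwords
# from the full printable character set, at the maximum length each site permits.
import math
import secrets
import string

# Letters (both cases), digits and punctuation: 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a generated password must cover (only those present in the alphabet).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length, alphabet=ALPHABET):
    """Random password of the given length covering every character class in the alphabet.

    Rejection sampling keeps the result uniform over all strings that satisfy the
    coverage rule; secrets.choice is a CSPRNG, unlike random.choice.
    """
    required = [cls for cls in CLASSES if any(c in alphabet for c in cls)]
    if length < len(required):
        raise ValueError(f"length {length} cannot cover {len(required)} character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def passwords_for(site_limits):
    """One independent password per site, each at that site's maximum permitted length.

    A leak at one site then exposes only that site's password.
    """
    return {site: generate_password(limit) for site, limit in site_limits.items()}


if __name__ == "__main__":
    # Constructed sample of per-site maximum password lengths (assumed, not real sites).
    sample_limits = {"bank.example": 40, "forum.example": 15, "shop.example": 20}
    for site, pw in passwords_for(sample_limits).items():
        print(f"{site:15} {len(pw):3} chars  ~{entropy_bits(len(pw)):.0f} bits  {pw}")
```

Note that a 15-character password from this alphabet already carries about 98 bits of entropy, which is why the length cap a site imposes matters more than most people assume.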

My third change: turn off all password caching in my web browsers, and remove the existing memorized passwords. This has always been a huge, gaping security hole, and one that should never be used in the first place.

You might think those sound like a big pain in the ass. While it is some extra effort, it’s a lot better than handing a fifteen year old Russian hacker unlimited access to my bank accounts, yanno?

And actually, it’s not that much of an inconvenience if you use one of the many specialized password database managers that are out there. I started using KeePass, which—now that I’ve got it set up—seems like a no-brainer. Look into it.

For years, you’ve gotten away with not putting any serious thought or effort into your internet security. Like the companies that run the world’s major web sites, you did the bare minimum, and, like an ostrich, buried your head in the sand.

That was then, but this is now. Armed with weapons like Firesheep, there are lots of ostrich hunters out there now. People who continue to keep their heads in the sand will soon be meat on the table.

Don’t be one of them. Start taking care of your shit.

I’ve needed a new laptop for years. I bought my Vaio back in June of 2000, and five years equates to three or four generations in laptop-years. Of course, I was out of work for three of those years, so I didn’t feel I could afford to buy a new machine.

All that changed after I started work innovating buses last year at Bus-Innovation. By autumn, my financial house was in order enough so that I felt I could finally swing a (by now desperately needed) laptop upgrade.

After a lot of research, I ordered a Dell last November. It was a very sweet machine, but it wouldn’t run off battery power. After talking to no fewer than 15 CSRs—at first to fix the problem, then later in a vain attempt to get Dell to honor their “no questions asked” return policy—I finally gave them their accursed machine back and was refunded my money.

Of course, that wasted a couple months of time, both in the research I’d done and the new research necessary to decide on a new machine (there was, of course, absolutely no way in hell I was ordering anything from Dell).

Earlier, I’d dismissed IBM because they didn’t make a single widescreen notebook model, but I learned that they’d recently come out with one that looked pretty reasonable. So on December 20th I ordered one, reveling in the substantial discount that I got through my IBM employee friend, pookfreak.

I had to place my order by phone because I wanted a configuration that wasn’t available via their web site. At that time, I was told that it’d be “at least four weeks” before the machine could be shipped, because it was a very popular model. Okay, well… I’ll live.

Of course, four weeks later, the ship date was pushed out another four weeks, which placed it in the middle of my Seoul trip. I was hoping it would arrive while I was out of the country, but instead, they extended the ship date another fortnight. At that point, I sent an email to my sales rep, stating that they shouldn’t be taking orders for laptops if they couldn’t deliver them within three months of order.

Lenovo Z60m

Eight days later—Friday—I received my order: a shiny new Lenovo (IBM) StinkPad Z60m. 2 GHz, 2 GB memory, 100 GB hard drive, 15.4" LCD operating at 1680 x 1050 px. The machine appears to be getting good reviews.

Of course, given my experience with the Dell, I’m being a bit cautious about migrating to the StinkPad before I’ve done a full system acceptance test. In the two days I’ve had it, I’ve verified that it’s generally working well. There have been a couple of system hiccups, but for the most part it’s been fully functional.

My biggest concern is the keyboard, which is surprising since IBM is renowned for the quality of their keyboards. However, there are some issues. It suffers the same problem as the Dell of having the Insert/Delete and Home/End and PgUp/PgDn keys buried in an unintuitive utility section at upper right. And for some blazingly stupid reason, they decided to make the Fn key the leftmost key in the bottom row. That displaces the frequently-used Ctrl key, which makes using Ctrl-key based editing a royal pain. Basically, the keyboard is going to take some real getting used to.

However, everything else seems fine, and so far it’s passing the burn-in test. And I’ve enjoyed finally having a capable machine again. A good example of that is the fact that I’m writing this entry from my couch rather than my desk. See, the Vaio stopped working off battery power some years ago, so it’s tethered to the AC power outlet at my desk. Just being able to run off battery is an immense gain, but on top of that, even if I shut the Vaio down and moved it to another outlet, I’d lose Internet connectivity because it lacks a wireless LAN card. The StinkPad, of course, comes with wireless networking by default, which is another huge benefit, and the reason why I can post this entry from my couch, or the kitchen, or the bedroom… finally! And let’s not even mention the potential for actually playing DVDs…

So although I’m still taking my time and making sure everything about the new machine is going to work out, so far it’s going well, and I’m pretty happy with the box. Considering how much time I spend on the computer, this should have a very substantial impact upon my quality of life. Happy day!