This is my final paper for my professional ethics course. I decided to write it on the ethics of Firesheep. The course is structured around the VCR approach–basically, that most ethical issues can be better understood when the stakeholders’ values, virtues, consequences, contingencies, rights, and responsibilities are revealed. It is written for a decidedly non-technical audience, so most of the yummy geekiness is toned down. Enjoy!
Jessica Dickinson Goodman
Ethical Issues in Professional Life
3 December 2010
Firesheep, What Color is Your Hat?
To understand Firesheep1 you must understand the Wall of Sheep.2 The Wall of Sheep is a sideshow at DefCon, one of the largest hacker3 conventions in the world. Running the sideshow is a group of security expert volunteers who gather yearly and project the logins and passwords of attendees who use the unsecured conference network to access their social media, bank, or other accounts.4 In other circumstances this public shaming would be cruel; but in the company of thousands of the world’s leading security minds, it is a light-hearted reminder to be wary on unencrypted networks.5 Many of the hackers at DefCon could grab those passwords easily, but choose not to. Equally capable are thousands of less morally restricted people. With these two assumptions—that insecure networks leave our logins vulnerable and there are many nefarious people willing to exploit that fact—it is perhaps unethical to decline to educate users to protect themselves.
This was the logic behind Firesheep, a Firefox plugin which allows relatively unskilled computer users to sidehack into open sessions on Facebook, Amazon, and other websites. Eric Butler, the creator of Firesheep, saw that there are security flaws in many commercial websites which allow this type of attack6. While these flaws are painfully visible to experts, they are obscured from those novices who are most vulnerable. Firesheep was his attempt to help hammer on these flaws, forcing large commercial websites to address them to mollify their newly informed and rightfully scared users.
Without getting too far into the technical weeds, the security flaw Firesheep exploited is that many websites encrypt logins and passwords when a user first enters them, but once that user is inside they are given an unencrypted token which can be copied and used in another session. Website designers are essentially passing identity-theft risk onto their users rather than securing all user interaction on their websites. For example, if a student at Carnegie Mellon logs into Facebook, someone using Firesheep can slide in, copy that token, and post a “Party In the USA/Party and Bullshit” mashup7 to their grandmother’s wall.8
Public embarrassment is not the only danger—if the victim of the hack was logged into Amazon the Firesheep user could order $1000 in troll dolls to be delivered to the victim’s house.9
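As an added example (not part of the original paper, and not Firesheep’s code), here is a short Python check for the flaw described above: it reviews a recorded login exchange and reports session cookies issued without the Secure attribute, and any request that carried a cookie over plain HTTP. The host name, cookie names and values are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: login over HTTPS, then a page load over plain HTTP.
# Host, cookie names and values are made up for illustration.
SAMPLE_EXCHANGE = [
    {"url": "https://social.example/login",
     "set_cookie": ["session_id=c0ffee; Path=/; HttpOnly",
                    "csrf=91ab; Path=/; Secure"],
     "sent_cookies": {}},
    {"url": "http://social.example/home",
     "set_cookie": [],
     "sent_cookies": {"session_id": "c0ffee"}},
]

# Constructed sample of the fix: the token is Secure and every page is HTTPS.
HARDENED_EXCHANGE = [
    {"url": "https://social.example/login",
     "set_cookie": ["session_id=c0ffee; Path=/; HttpOnly; Secure"],
     "sent_cookies": {}},
    {"url": "https://social.example/home",
     "set_cookie": [],
     "sent_cookies": {"session_id": "c0ffee"}},
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(exchange):
    """List (issue, cookie, url) findings for tokens exposed to eavesdroppers."""
    findings = []
    for step in exchange:
        for header in step["set_cookie"]:
            name, attrs = parse_set_cookie(header)
            # Without Secure, the browser will also send it over plain HTTP.
            if "secure" not in attrs:
                findings.append(("missing-secure", name, step["url"]))
        if urlsplit(step["url"]).scheme == "http":
            # Anything sent here is readable by others on an open network.
            for name in step["sent_cookies"]:
                findings.append(("sent-in-clear", name, step["url"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGE):
        print(finding)
```
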
Mr Butler was not the first person to identify this security flaw; it is a well-known issue that has been discussed within the security community for at least the past six years.10 What propelled Firesheep to the top 10 searched terms on Google on the day of its release and kept it in Twitter’s trending topics for hours was its ease of use. Firesheep took a complex concept from industry presentations and academic papers and made it about keeping friends out of each other’s Twitter accounts. What follows is a VCR analysis of Mr Butler’s choices in designing and releasing Firesheep. The stakeholders are novice users, website designers, and security professionals.
Security Hacker’s Code of Ethics
There is no one ethical code for hackers. Below are several prominent attempts to codify the often contradictory impulses of that community:
|“New Hacker Ethic,” Steven Mizrach.||“Hacker Ethic,” Steven Levy’s Hackers: Heroes of the Computer Revolution (1984).||“Hacker Ethic,” MIT.|
|“Above all else, do no harm”: Do not damage computers or data if at all possible. Much like the key element of the Hippocratic Oath.11|
Most hackers value elegant, straightforward, functional solutions. However, beyond these values there is a wide range of moral approaches to hacking. These can very grossly be grouped into: non-harmful, potentially harmful, and damaging. Colloquially, those in the first category are white hats, the second category red hats, and the third category black hats.14 White hats would require those solutions to be victimless. Red hats would balance the rights of potential victims against those of the people who would benefit from their hack. The values of black hats are even more difficult to determine because they are generally amoral. I believe Mr Butler might accurately be considered a red hat.
VCR Table Analyzing the Firesheep case:
|Stakeholder||Novice users||Security professionals||Website designers|
|Values||Ease of browsing, comfort, privacy||Elegance, straightforwardness, competence||Ease of website use|
|Virtues||Information security awareness||Consideration of risks||Simple design, initial security, long-term security|
|Contingencies||Losing personal information to an unpublicized version of Firesheep, having secure commerce||Publish another ignored paper, steal people’s information||No protection, major breach|
|Consequences||Possibly revealing personal information||Possible prosecution if someone’s identity is stolen, perpetuating negative stereotypes of hackers||Encouraged Firesheep by declining to provide real protection|
|Rights||Having secure personal information||Freedom of speech||?|
|Responsibilities||Keeping their personal information secure||Not stealing personal information, using their skills to help people be more secure||Using their skills to help people be more secure, keeping their customers’ information secure|
Mr Butler’s approach to the token problem is elegant, straightforward and functional, while encouraging transparency and honesty about common security flaws. Firesheep does not provide users the tools they need to protect themselves, but Mr Butler’s blog and comments in the media do provide that information. (Programs like Blacksheep do allow an average user to protect herself, by notifying her if Firesheep is on the network.15) But user-victims were not the audience Mr Butler sought to educate. He wanted to use their outrage as a fulcrum to tip website managers into buffing up their security. In his blog post announcing Firesheep, Mr Butler says:
Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.16
He does not acknowledge the potential damage Firesheep could enable, only the benefit of average users’ reaction to that damage. This is rather like lowering the national standard for meat quality down to Taco Bell’s level, and hoping the bellyaching of newly sick citizens will make restaurants take meat quality more seriously.
Myopia and bluntness are often considered virtues for hackers. The ability to focus entirely on one’s project or goals, and constant clarity to the point of rudeness can be marks of excellence for hackers. Mr Butler’s blindness to the potential victims of his tools reflects that community’s acceptance of political tunnel vision. His approach in exposing this security flaw is idealistic and potentially destructive.
It is not immediately apparent who, if anyone, has actually been harmed by Firesheep. It is also unclear if Facebook or Amazon or any of the other dozens of websites have rebuilt their security, or plan to. This kind of broad change was Mr Butler’s goal:
The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.
The major and measurable consequence was the high level of media coverage this episode brought to the issue of user information security on insecure networks.17 Mr Butler’s program got him mentions on some of the top18 security19 and technical20 blogs. Of the current 860,000+ downloads, some proportion of the downloaders are perhaps now better informed about their own security on unsecured networks.21 Some may also be malevolent black hats who are using his exercise in outsized protest to sidehack people’s Twitter, Facebook, or Amazon sessions.
Consider if Mr Butler had merely written yet another paper on this security flaw, and not provided his audience and 860,000+ people testable proof. Perhaps those people who are now better informed about their information security would not be. Perhaps then, during Christmas shopping season, someone developed Firesheep but did not announce it to the world. Instead, they went to airports and cafes and public libraries and collected identities to steal. Without publicity, perhaps none of the victims would know why they had been scammed. And large corporate websites would not have been given notice that their users deserve better security. With no Firesheep, there would be no Blacksheep to detect this kind of sniffing. But then again, perhaps Mr Butler’s tool is even now being used for this purpose.
The Firesheep case is essentially that of one security professional seeing it as his responsibility to blow the whistle on other security professionals who he believes are not doing their jobs. He and other hackers see the systematic buck-passing of web designers as an abdication of their responsibility to keep their users safe and their commerce secure. In this view, it is the responsibility of website designers to help users limit their exposure to identity theft while they are shopping on their site. It therefore might be Butler’s responsibility as a capable programmer to care for those users, and ensure they have the best long-term security possible even if it means sacrificing some of their current security.
Butler also has a responsibility to not cause harm to undeserving people. While the aims of Firesheep are honorable, there were other, just as dramatic, ways to publicly pressure large websites to enhance their security: going on the Colbert Report and hacking into Colbert’s Facebook profile, or presenting to Congress, or even presenting about Firesheep but not releasing the code. It is not clear that Mr Butler had to endanger the privacy of countless users to prove his point.
The rights of users to keep their private correspondences private are violated by Firesheep. But those rights are also threatened by the web designers’ apathy. They are also threatened by those users’ own ignorance. As Mr Butler says:
People forget things. It’s easy to be logged in to many of these services, sleep your laptop, and wake it up somewhere where it will instantly associate with an open access point and start spewing your cookies over the air. Hackers even fall victim to this at hacker conferences where everyone knows they shouldn’t be doing anything on the wifi. The DEFCON Wall Of Sheep is a prime example of this.22
Mr Butler also has a right to free speech—his presentation on this flaw and his blog posts about it are core protected speech. However, the First Amendment does not protect actions, so someone using Mr Butler’s code to sidehack a stranger’s Facebook account is not defended by the Bill of Rights. What is troubling in this case is that no one is protecting the user’s rights particularly well. The large websites are sacrificing user privacy for enhanced performance. Users are sacrificing their privacy out of ignorance or apathy. And Mr Butler is sacrificing their rights in a bid for those first two groups of stakeholders to protect those very rights more effectively in the future.
When the great physicist Richard Feynman was a researcher at Los Alamos laboratories, he had a safe-cracking habit23. He would go around to the employee safes and desks and filing cabinets and try to crack them—saying, “now, one of my diseases, one of my things in life, is that anything that is secret I try to undo.”24 Some co-workers had kept the factory combination. Others never changed their locks. He brought up this insecurity in meetings, and removed papers from his co-workers’ desks and handed them to them to prove his point. His aim was not merely to be obnoxious; he had a basic belief that security is important and if he could he should improve his coworkers’ and governments’ ability to keep confidences. It is also worth remembering that at the same time Mr Feynman was hunched over his coworkers’ desks, four Soviet spies had been roaming the halls perhaps planning to do just the same.25 But without his good intentions.
1 Butler, Eric. “Firesheep” http://codebutler.com/Firesheep
2 “Wall of Sheep.” http://www.wallofsheep.com/
3 This term is problematic because it can imply anti-social and criminal behavior to outsiders. However, within the community, the term is more acceptable, though some prefer to be called “security professionals.” For simplicity, I will use hacker to describe technically skilled security volunteers and professionals.
4 McMillan, Robert. “Wall of Sheep: Coming to Your Company?” IDG News. http://www.pcworld.com/businesscenter/article/149619/wall_of_sheep_coming_to_your_company.html
5 Unless proactively protected, passwords and logins can be lifted as they pass through an unsecured network by any interested hacker. Although there are technical solutions, such as only accessing the internet through a Virtual Private Network or installing Tor to obscure your location, behavioral modifications are important as well. The Wall of Sheep’s goal is to shame and scare novice users who inappropriately trust the networks and websites they use into being more cautious. And make fun of them.
6 Schneier, Bruce. “Firesheep.” Schneier on Security http://www.schneier.com/blog/archives/2010/10/firesheep.html
7 tandemunicycle. “Party and Bullshit in the USA Video Mash Up.” http://www.youtube.com/watch?v=9PwLg-FxF7Y
8 “Hacking made easy: Protecting yourself from the Firesheep extension.” Insecuriosity. November 11, 2010. http://www.insecuriosity.com/hacking-made-easy-protecting-yourself-from-th
9 Though Amazon requires login details for some kinds of purchases, it appears that Firesheep can get into one-click purchases. “AirHeads Online > Technical Discussions > EducationFiresheep.” http://airheads.arubanetworks.com/vBulletin/showthread.php?
10 Butler, Eric. “Firesheep, a day later.” Codebutler. http://codebutler.com/Firesheep-a-day-later
11 Mizrach, Steven. “Is there a Hacker Ethic for 90s Hackers?” http://www2.fiu.edu/~mizrachs/hackethic.html
12 “The Hacker’s Ethics” http://project.cyberpunk.ru/idb/hacker_ethics.html
13 “The Hacker Ethic” Massachusetts Institute of Technology. http://hacks.mit.edu/misc/ethics.html
14 “Types of Hackers.” Urban Dictionary. http://www.urbandictionary.com/define.php?term=red%20and%20white%20hat
15 “Blacksheep.” http://www.zscaler.com/blacksheep.html
16 Butler, Eric. “Firesheep” http://codebutler.com/Firesheep
17 Butler, Eric. “Firesheep, a day later.” Codebutler. http://codebutler.com/Firesheep-a-day-later
18 Rusli, Evelyn. “Lazy Hackers Unite: Firesheep Boasts +104,000 Downloads In 24 Hours.” Oct 25, 2010. http://techcrunch.com/2010/10/25/lazy-hackers-twitter-firesheep-boasts-100000-downloads-faceboo/
19 Schneier, Bruce. “Firesheep.” Schneier on Security http://www.schneier.com/blog/archives/2010/10/firesheep.html
20 Fleishman, Glenn. “Liar, Liar, Sheep on Fire.” BoingBoing. Oct 27, 2010 http://boingboing.net/2010/10/27/sheep.html
21 “Firesheep.” https://github.com/codebutler/firesheep/downloads
22 Butler, Eric. “Firesheep, a day later.” Codebutler. http://codebutler.com/Firesheep-a-day-later
23 Feynman, Richard. “Los Alamos From Below: Reminiscences 1943-1945.” http://calteches.library.caltech.edu/14/2/FeynmanLosAlamos.htm
25 “Spies.” Los Alamos National Laboratory. http://www.lanl.gov/history/wartime/spies.shtml