Since When Are Hacker Tools Covered By Freedom Of Speech?

There’s been an interesting follow-up to the Firesheep incident, in which an attack tool was released that allows “sidejacking” of Firefox sessions.

Eric Butler and Ian Gallagher created the extension to draw attention to the risky practice whereby many sites do not encrypt cookies. With Firesheep installed, a user could potentially capture cookies from other users of an open Wi-Fi network, and use them to hijack their sessions at supposedly secure sites such as Facebook and Twitter.

Sites should just get more secure?

The answer to this is for sites to get secure, and use HTTPS or SSL. This is something that should be happening anyway, but the existence of a sidejacking tool just increased the urgency of the job, and Butler and Gallagher are pleased with themselves.
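What "use HTTPS" means at the cookie level, as an added example (not code from the original article or from Firesheep): a session cookie stays readable on an open network if it is issued over plain HTTP or lacks the `Secure` attribute. The hostnames, cookie names, headers and the `SESSION_COOKIES` set are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample data (not captured traffic): the URL that was requested
# and the response headers it returned.
SAMPLE_RESPONSES = [
    ("http://social.example/login",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://shop.example/login",
     [("Set-Cookie", "sid=def456; Path=/; HttpOnly"),
      ("Set-Cookie", "theme=dark; Path=/")]),
    ("https://bank.example/login",
     [("Set-Cookie", "sid=ghi789; Path=/; Secure; HttpOnly")]),
]

# Assumption: the auditor knows which cookie names carry the login session.
SESSION_COOKIES = {"session", "sid"}


def audit_response(url, headers, session_names=SESSION_COOKIES):
    """Return (cookie_name, reason) for each session cookie that can cross
    the network unencrypted."""
    findings = []
    over_https = url.lower().startswith("https://")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if name not in session_names:
                continue  # preference cookies etc. do not grant a session
            if not over_https:
                findings.append((name, "issued over plain HTTP"))
            elif not morsel["secure"]:
                # The browser will attach it to any http:// request to the site.
                findings.append((name, "missing Secure attribute"))
    return findings


def audit_all(responses):
    """Map each URL to its list of findings."""
    return {url: audit_response(url, headers) for url, headers in responses}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url, findings or "ok")
```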

But they seem to have a strange view of the inherent value of Firesheep.

Microsoft has updated its malware database to label Firesheep as a potential threat, which of course, from the point of view of the system it is installed on, is untrue. Firesheep does not actually harm the system it runs on – but it can be used to harm other systems.

So Microsoft is removing temptation rather than danger – and the Firesheep authors don’t like it.

“Censorship does not offer a solution to these underlying issues,” said Butler in his blog, “and will only cause further problems. For many people, code is a form of speech, and the freedom of speech must remain protected. If Microsoft wants to improve security with censorship, it would be more appropriate to block the insecure websites that are exposing user information in the first place.”

Code and free speech

Seems to me it’s pretty sensible for Microsoft to offer IT people a way to remove this tool from the systems they look after – as their company might be responsible for any misbehaviour by staff using it.

The right to free speech doesn’t extend to inciting criminal action, or providing tools to help break the law. Butler claims there are plenty of legitimate uses of Firesheep – though he doesn’t provide an actual list. We know that sidejacking is possible, and it doesn’t need to be checked more than once.

As Sophos’ Paul Ducklin pointed out in a blog, the original Firesheep tool somewhat over-achieved if its aim was to increase awareness of a security risk.

“Just because you can write code to prove a point doesn’t mean you have to release it,” said Ducklin. “If you do release it, you don’t have to package it with a one-click install and a use-it-without-understanding-it GUI.”

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.

View Comments

  • Perhaps he should not have released it and made it such an easy tool to use. However, he is also showing how easy it is to sniff traffic! And how easy it is to fool people into believing that they are safe, and how easy it is to defeat this tool (TLS).

    But MS, FB, and others are definitely not reacting the way they should be reacting. And websites are definitely not built the way they should be built. And security is definitely not taken seriously enough.
