Wednesday

02010-10-27 | Uncategorized | 2 comments

Eric Butler – Software Developer in Seattle WA
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

Does that mean that anyone sitting in Starbucks with a laptop can sidejack cookies from customers who are updating their Twitter or Facebook account? If that sounds cool to you, Firesheep is a free Firefox plugin, it’s open source, and is available now for Mac OS X and Windows. Linux support is on the way… Who needs Big Brother when the populace can spy on each other!

Senegalese Bike Tricks (YouTube)

The scariest sentence I’ve read today

Ektopia: PeaceBOMB Bracelets and Direct Link

I thought so, and said so a few weeks ago. Having a big website is sooo five years ago:

How to disappear (almost) completely
For new artists, any discussion of a band name is likely coupled with a domain name search to make sure the URL is available, since they are constantly being told how to have an effective online presence. But there is an interesting phenomenon emerging: in a world where all information is a click away, some artists are choosing to be deliberately difficult to find on the Internet.

Racing up Pikes Peak (Vimeo)

Drummers immitate drummachines and painters immitate jpg glitches

2 Comments

  1. steve

    Regarding Firesheep/sidejacking and (closely related, but different) clickjacking, you just need to fight back. Use a secure http connection (https).

    You can get an application from the EFF called https everywhere. This will keep your session in an SSL connection all the time. Donate to ’em: they do great work.
    https://www.eff.org/https-everywhere

    You also want to protect your data by using a stronger scheme than standard WEP if you use wireless. Use WPA2/AES. http://louisville.edu/it/services/network/wireless/help.html

    Finally, avoid clickjacking and use a plug-in like No-Script. Of course this assumes you use Firefox. If you use Chrome, I don’t know what to advise. I guess Chrome has something similar, but I don’t know what it http://noscript.net/

    DON’T use Internet Explorer, it’s too unsecured, and you are just playing Russian Roulette with your data.

    If you use a wide open wireless network, best advice is to keep your session under SSL as much as possible. Again, back to https_everywhere.

    Reply
  2. Ottmar

    Thank you Steve!

    Reply

Submit a Comment

Your email address will not be published.

Archives

Images

Social

@Mastodon (the Un-Twitter)