Filed under Cloud Computing, Cyberforensics, IS ethics, Privacy, Security, Wi-Fi, wireless networks.

Description: Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots.

Source: NYTimes.com

Date: Feb 17, 201

You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.

Questions for discussion:

  • “It points out the lack of end-to-end encryption.”  What does this statement describe?
  • Why are Web sites not encrypting all communication?
  • Is Eric Butler, a freelance software developer in Seattle who created the program, doing the industry a favor, or is he malicious in his intent?

24 Responses to “New Hacking Tools Pose Bigger Threats to Wi-Fi Users”

  1. John

    Although not using end-to-end encryption slows down website loading times and might force us to wait a few more seconds for our Facebook profile to load, I fully believe this type of encryption is needed especially since many popular sites, like Facebook, have personal information on them. You don’t want your cell number or address available to everyone on the net, and you don’t want the guy sitting beside you at the coffee shop to go ahead and buy that fancy supercharger for your car you were looking at with your credit card, because you don’t have the money! This is a very scary issue that seems to be becoming more frequent and more dangerous. It should be every website’s policy to encrypt all information. This guarantees privacy for the website’s users as well as making local Wi-Fi hotspots safe places to browse and enjoy the internet. Butler’s intent may have been well, but with the release of this program he might have exposed many unknowing people to attack.

  2. Oloff Dreyer

    The lack of end to end encryption may make the user of a site wait longer for a page to load, I think it would be greatly beneficial for any site to use. The reason being that if you’re not protected, especially places like social networking sites, anyone will be able to hack your information. The fact that this would cost great amounts in re-engineering your site is just a consequence of attaining more users. If more and more individuals come to realize how unsafe their accounts are online, the users will just delete their accounts and the loss of users will result in loss of revenues therefore the cost hit must be taken by the site builders to fix the issues. The fact that web sites don’t encrypt all the communication is simply to speed up the system, in a world where almost anything is attainable at the snap of your finger it is obvious that speed will be more highly regarded than safety. I think Butler may have positive intentions but the fact that he released the software that can potentially harm so many may have been an afterthought to him.

  3. Mark McKee

    As the article states it is more expensive to encrypt all communication on a website and makes for a longer load time. However, programs like Firesheep have established that surfing the web in hot spots or even at home may not be as secure as you think. I do think that websites like Facebook, eBay, Twitter, Amazon etc. need to have end-to-end encryption to secure websites. I do not think Butler should have launched this program to the public. Perhaps he should have alerted authorities of the issue and possibly been able to work on a way to secure the internet rather than establish its insecurity. I’m surprised there was not a mention of any legal issues of launching that program to the public on Butler’s behalf. To me launching such a program would have legal implications. If this was a marketplace, Firesheep would be the first mover which means because of Butler there will be more software programs to follow that may be greater, smarter and more hazardous.

  4. Brett Quinton

    There is no doubt that the intentions of the hacker (software developer) are malicious. Any person that finds a vulnerability and then releases it out to all is not trying to do the right thing. He is obviously looking for fame by releasing it out to all users. He is now famous in the hacker world, and he got an interview or two. The truth is that no matter how safe you think something is, it isn’t. All of the encryption tools we have now have been generated from humans and there will always be a different human that is wanting to undo or steal the work of others. WEP has been hacked for a while now and it can be done in a minute or less, it is only a matter of time until WPA is cracked just as easily. WPA2 is now gaining popularity and it will continue to evolve as long as humans are creating the encryption systems.

  5. Kevin Beauchamp

    A lack of end to end encryption means that the cookies that store sensitive password data can be easily accessed by other users. Programs such as Firesheep allow hackers to do this to unsecured networks almost effortlessly. The lack of security from websites seems to come from a lack of anticipation in the growth of technology. Some websites couldn’t have imagined the increased security threats that come with increased growth and now that thought has become reality. These companies that run websites need to treat the re-engineering process as an investment that will increase the number of users as more people feel secured. I believe that Eric Butler’s idea may have been good in intent but should have been used more productively. Releasing Firesheep exposes the security weaknesses of Wi-Fi but also damages innocent users. If he introduced his program to the federal government, a more productive reaction would have followed.

  6. Corey Bedard

    End-to-end encryption is the process of encrypting not only the passwords that people type in, which websites already do, but also encrypting the cookies that are created when logging into a site. Many websites refrain from doing this as it is known to slow down websites and that can be frustrating to many users. Eric Butler’s attempt was malicious. No matter how many times he might say it’s for the greater good, to help protect websites so they know what they’re doing wrong, or whatever excuses he might try to feed people, he is hacking, and helping other people hack as well. If he really wanted to help these websites protect themselves better, he could have taken his computer expertise and obvious excess of time on his hands and tried to create a form of end-to-end encryption that can be used without sacrificing download speed or something along those lines.

  7. Warren

    It’s easy to assume once you input “remember my password” that only you should be able to access your information. Don’t be susceptible to hackers by not protecting your computer to the best of your ability. It’s too easy if they’re not protected just looking through cookies and getting all the passwords they can find. It is hard to say if I could put up with a slower Eric Butler is in a controversial light in this matter. On the one hand I see his attempts to be right and just. He is attempting to demonstrate flaws in the system to improve them and make them better. I would rather have him break in and have the system be made stronger for outside enemies like terrorist groups to take advantage of. On the other hand because he distributed Firesheep for free as long as he makes zero dollars the man proves his point in a hardnosed way. This is a very strong message to send considering it could have several complications.

  8. AS

    End-to-end encryption is the encrypting of not only the passwords so that they are safe but also encrypting the cookies that are created when logging into a site. Right now the website encrypts the password but not the cookies making it unsafe to log on to commonly used sites like Facebook. Discovering how easy it was for access to password hacking software was eye opening and slightly overwhelming. Not all websites are encrypting their communications because it can drastically slow down the speed of their website. Another downside would be the expensive setup costs. Eric Butler’s attempt was malicious. He enabled the tech-savvy individual to be able to hack as easily as he can. Although he has made website creators aware of how easy it was, it did not help as it enabled more password encryption. I do think that new developments need to be made in order to make our internet experiences more password safe in order to accommodate our increased use of the internet.

  9. J.E.

    I think the excuse of saying that fully encrypting our websites slows them down too much is not the real reason behind it. Encrypting a web site and making sure it stays secure can be a full time job and that I believe is the real reason for some sites not doing it, the money issue. Sites such as Facebook though where they have so much of your personal information should be making their site as safe as they possibly can. There will always be someone out there who is one step ahead or who can find a hole in your security systems if you are not willing to spend the extra money and hire on an actual team whose sole duty is to protect the information of the people it has. If governments and banks can do it then so can websites who have just about as much info on you like Facebook.

  10. Wendy Rivers

    End-to-end encryption is the encrypting process used to secure passwords and cookies that are created when logging into a web site. A lack of end to end encryption means that the cookies that store sensitive password and data can be easily accessed by other individuals. I believe this end-to-end encryption is needed on many popular sites that contain personal information.
    Butler may have had positive intentions by bringing awareness to the possibility of accessing others’ information, but by releasing the software he has allowed others who might have alternative motives to have this same access. However, by releasing this software other web site creators are aware of the simplicity of accessing private information which will enable them to create better encryptions.

  11. Rob C

    It’s amazing to think about how much trust we have in the internet today, wherein citizens think that information that they enter or have posted online cannot be intercepted by an external party. At times, I know I am definitely guilty of this belief due to the fact that the internet today has become such a common ground for our everyday lifestyle. From opening and sending emails to checking bank information and even making online purchases, we have all adopted the internet as our new platform of how we structure our everyday lives.

    In regards to encryption, all web designers’ sites are not encrypted due to the associated costs that come along with encryption. In essence, this helps companies or designers avoid additional expenses. Eric Butler, software developer of Seattle, is definitely doing the industry a favour as he is actually showing the company that there are holes in their system that need to be fixed or altered. In a sense, with Butler showing this fault in the system he can be considered somewhat of a consultant, as he is creating awareness on an issue that could be devastating down the road if done by someone with bad intentions.

  12. Kim Berger

    I personally think Eric Butler is a bit of a troublemaker, and in creating and releasing Firesheep free to the public, is being melodramatic in regards to bringing people’s attention to the issue of lack of end to end encryption. If he wanted to bring this issue to the public’s attention, aren’t there better ways of doing it than creating a program that anyone can use to in essence steal or borrow passwords? This seems a tad immoral to me, as Eric is basically saying, hey this is out there and it is wrong, but with my free program you can do it so go ahead and get all those passwords with my free downloaded application! If Eric really wanted to help people out, he would find another way to bring it to people’s attention, or better yet, create a cheap program that websites can use to encrypt ALL their data and can be used to turn the site from http to https and secure the website,

  13. Nyle Watts

    It’s incredible to realize how vulnerable we really are when we’re on the internet and many of us are not even aware of it. I’ve been guilty of this as well, and probably because I use the internet every day and it’s become so commonplace, such a part of everyday life that it’s hard to remember that there are certain risks involved.

    But the need for end-to-end encryption on sites where personal information is easily accessible, such as Facebook, is vital. People for some reason think that their personal information on their accounts is safe because their account is inaccessible from other people, and the privacy settings that have been activated on the account have been properly used to keep all unauthorized users from accessing it. But since you leave cookies behind and they are not always encrypted, all those safety settings you set are irrelevant. So in other words, BE CAUTIOUS!!

  14. Ashley H

    I think that Eric Butler went about this hacking issue in an interesting way but he definitely got what he intended: awareness. People do not react when they are simply informed about an issue; people are more motivated by fear. I was well aware of the possibility of hackers getting into my accounts but I figured it was difficult and why bother tapping into my boring student life? But now realizing that it’s not just hackers but everyday coffee shop regulars and much easier than I expected it to be, I would be more inclined to do something about my protection from these individuals. Eric Butler went about it in a malicious way and scored a few interviews out of his actions but I would bet that if he just gave society a friendly memo informing us of this issue we would most likely ignore it until it happened to us.

  15. Kendra

    I do not think that Eric Butler’s actions were intended as malicious when he released the program. It was like a parent grounding their kid: The punishment is the lack of privacy by allowing other people to access what they’re doing. And the lesson that people are supposed to learn is to use protected wi-fi networks, and for the creators of websites to better protect their users by using “https” because they (themselves as users) are just as likely to be subject to hackers as everyone else.
    However pure his intentions were, I think that actually releasing this program was reckless. Attempting to prove a point while putting hundreds of thousands or even millions of people’s information at risk is negligent. Especially when not all websites are set up to protect their users, and the change to protect these websites will not occur overnight.
    I think Butler should have chosen a more secure way to prove how bad the current (overall) security of the internet is. There should have been some selectivity on who got to use his program. Such as only demonstrating this program to companies that have websites, holding seminars, doing presentations… Rather than simply releasing this program so that anyone could snoop.

  16. Travis Sedrovic

    I don’t think that Eric Butler himself is malicious in his intent, but someone who downloads the program to use may be (and some people ARE malicious in their intent with the program). But I don’t think we can blame Eric Butler for this, if he didn’t release the program someone else would have made a similar one. It worries me that SO MANY websites have yet to change to https:, and the main ones are the most popular of that (Facebook bringing the biggest concern). Some may say, who cares, it’s not like Facebook is a life or death situation. But the fact is, people are not smart with their passwords. If a hacker can get onto your Facebook and act as you, he/she can then obtain your password. The problem is that most people have the same password for Facebook as they do for other sites (like online banking). Although it is clearly stated many times when you sign up for a website to use a difficult, alphanumeric password, many people still use the same one for everything. I am not worried for my own safety on the internet, but after reading this article and seeing how easy it is to hack, I will surely be telling my mom to change her passwords!

  17. Abiola Ogunyemi

    In my opinion, Eric Butler might not be malicious in his intent, but he plays a role of a devil’s advocate. As the article states it is more expensive to encrypt all communication on website and speed is affected in terms of longer load time. However, the introduction of Firesheep by Eric is a testimony that this malicious software does really exist. With this in mind, since we all have choice on whether to utilize the Internet or not. Protecting vital information should be a high priority to every individual.

  18. mike

    I think many of these companies are not encrypting all communication because of several reasons. First of all it has to be expensive to keep up with the skills of computer hackers. It seems that as soon as people are finding new ways of protection and security there is someone on the other side trying to find ways around it. To keep up with the latest security measures has to be time consuming and costly. Websites also may have a reactive attitude as opposed to being proactive. Maybe they feel that the majority of the people are not too tech savvy and the need to keep up to date with encryption only after people start to recognize these flaws when people like Butler develop software to penetrate the lack of security. The article also states that the methods of security make it harder for hackers, not impossible. This could be another reason sites are not taking all the necessary precautions in protecting its clients.

  19. Katelynne Swenson

    I feel that it should be the website’s responsibility to use end to end encryption to increase its security, but with that being said, it is highly doubtful that this will ever happen. As said in another comment, it is not about the website being slow that companies are worried about, but the money issue. It would be very costly to keep it up to date, so why do it if they don’t have to. I also feel that it is up to the user to keep themselves up to date with the internet. People need to be cautious and aware of these issues. I don’t think that Eric Butler intended to be malicious, but by making this software, I’m sure he caused many more hackers to emerge. I always find it interesting when reading these types of articles, that they always list the programs to make it easy to hack and sometimes even tell you how. In this case, they even told you some of the prices!

  20. Dylan B

    Although in a perfect world all websites would protect you from e-fraud, this isn’t realistic. People are hearing about the capacity of individuals to steal their information and are becoming afraid, but the fact remains that some prices simply must be paid. The internet is (generally speaking) a free system. People will violate the system and steal information if they wish, and to protect yourself is YOUR responsibility. If it costs $18 a month to keep your information safe then so be it. Either pay the money or stop using the internet. Fraud exists. The sooner we come to terms, stop blaming the websites, and start protecting ourselves, the better we will be.

  21. A.S.

    The lack of end-to-end encryption basically entails that while the password you initially enter on sites such as Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie (a bit of code that identifies your computer), and settings on the site or other private information, is often not encrypted.
    Websites such as these may not be encrypting all communication because it may slow down the speed while navigating through the web page, and companies are not willing to spend the time or extra capital in order to secure their websites.
    Personally, I believe Eric Butler has good intentions in trying to make the industry and the public aware of such programs that invade privacy, but at the same time he is also indirectly encouraging existing hackers who have a desire or motive in indulging in these activities.

  22. N.P

    I personally would rather wait a little bit longer for my page to load to ensure the security of my passwords and information. End to end encryption would help keep all of my information safe. Like the article had stated, it is extremely easy for anyone and everyone to hack into your accounts, it is so much easier than it was before and I could be an easy target. If end to end encryption means that I am waiting longer periods of time to get into an account that I value as important and valuable then it’s definitely worth the wait.

  23. Megan

    “Lack of end to end encryption” in this case means that the data traveling across networks has no end user encryption of any kind, meaning that anyone on that network can grab your info and see it (Having to do with cookies also being encrypted and not just using a password). If that info that got sent had been encrypted, then only the intended receiver of that info would have been able to see it. The fact that most WiFi isn’t protected by some kind of encryption process is surprising. I had no idea that there were such easy ways of hacking into someone’s network information. I feel that hackers can keep up with technological advancements faster than the companies cranking out the advancements realize. I think that Eric Butler’s system could be viewed as either helpful or harmful, but it would depend who you ask. I think it is a good thing because he is showing the whole industry of internet technology where the problem areas are, and potentially, how to fix them. I definitely feel less trustworthy towards the internet after reading this, and feel naive not to have realized it before.

  24. M.lee

    I don’t believe that all websites should have end-end encryption, this could be costly for small companies and be used as a selling tool by large organizations to gain market share. As we live in a technology era, I believe that security of our personal information is something people need to consider and be conscious of. Butler’s program was brilliant and I believe people like him force people like me to be more aware of the threat and opportunities of the internet. People could argue that his intent was malicious, but I believe it would have been malicious for him to ignore the problems. Many software developers have brought issues to the surface, but usually change doesn’t occur unless there is an immediate threat. With all the technology people out there who is to say that someone was not already exploiting this weakness without presenting the problem to the public. Although I am rather protective of my personal information this article made me re-evaluate what I thought was safe.
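The gap several commenters describe (the password goes over HTTPS at login, but the session cookie is then sent in the clear) can be checked from the site owner's side. The following is an added example, not part of the original post or of any comment: a Python audit of the response headers in a login flow. The hostnames, cookie names and captured headers are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: a login flow as (request URL, response headers).
# The password is posted over HTTPS, but the session cookie has no Secure
# attribute and the site then redirects the browser to plain HTTP.
SAMPLE_FLOW = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", [
        ("Set-Cookie", "prefs=compact; Path=/"),
    ]),
]

# Constructed sample: the same login response with the gap closed.
HARDENED_FLOW = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Location", "https://social.example/home"),
    ]),
]


def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(flow, session_names=("session",)):
    """Return (url, finding) pairs for anything that lets a session cookie
    travel over an unencrypted connection."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        header_names = {key.lower() for key, _ in headers}
        # Without HSTS the browser will still make plain-HTTP requests
        # to this host when a link or redirect asks for them.
        if scheme == "https" and "strict-transport-security" not in header_names:
            findings.append((url, "no-hsts"))
        for key, value in headers:
            key = key.lower()
            if key == "set-cookie":
                name, attrs = cookie_attrs(value)
                # A cookie without Secure is attached to http:// requests too,
                # where anyone on the same open Wi-Fi network can read it.
                if name in session_names and "secure" not in attrs:
                    findings.append((url, "cookie-without-secure:" + name))
            elif key == "location":
                if scheme == "https" and urlsplit(value).scheme == "http":
                    findings.append((url, "https-to-http-redirect"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_flow(SAMPLE_FLOW):
        print(url, finding)
    print("hardened findings:", audit_flow(HARDENED_FLOW))
```
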
