[Owasp-Malaysia] Fwd: [apwg] Website Sidejacking

David Fetter david at fetter.org
Wed Oct 27 20:14:29 EDT 2010

On Thu, Oct 28, 2010 at 07:45:34AM +0800, Muhammad Najmi Ahmad Zabidi wrote:
> On Thu, Oct 28, 2010 at 7:21 AM, David Fetter <david at fetter.org> wrote:
> > On Thu, Oct 28, 2010 at 07:14:18AM +0800, Muhammad Najmi Ahmad Zabidi
> > wrote:
> > >
> > > Many of you have probably heard in the news about the new add-on
> > > for Firefox called Firesheep.  This add-on makes it incredibly
> > > easy to sidejack non-‘HTTPS’ log in sites (for example Facebook
> > > and Twitter) if you connect to them over an open wireless
> > > network.  While the ability to sidejack is nothing new this
> > > add-on makes it feasible for anyone to do it with one click.  No
> > > programming or “hacker skills” are needed.  As of this morning
> > > this add-on has been downloaded over 312,000 times and has only
> > > been available since Sunday.
> > >
> > > We know many of you have personal Facebook accounts and wanted
> > > to get this information to you as soon as possible.
> >
> > OK, stop right there.
> >
> > Facebook is a much, much bigger threat to your privacy than any
> > Firefox plugin could ever be.
> >
> > If you're going to warn people about threats to their privacy,
> > warn them about Facebook, not some amateurish little gizmo
> When we log in to social networking sites and agree to their T & C, we
> have already agreed to say "privacy is long gone".  What does privacy
> look like when we tweet our location, enable Google Latitude, etc.?

If you imagine that Facebook is doing less to invade your privacy than
Firesheep is, you're just not getting what they take in a billion
dollars a year doing.  They don't stop invading your privacy when you
leave the web page.  They don't stop when you leave their service
entirely.  They don't stop when you and all your friends leave.  They
just plain don't ever stop.

With some silly little browser plugin, it's at least in principle
possible to take some individual action and make it go away.

With Facebook, it's going to take direct action by governments: laws
and treaties.  And it's going to take at least one privacy disaster
with a large body count to get those governments to act.  Now's the
time to start making sure they have a not-crazy set of ideas for what
to do when these disasters strike, because they *will* act, and

David Fetter <david at fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter at gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
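As an added illustration of the exposure the forwarded warning describes (not code from anyone in this thread): a check of whether a server's response leaves its session cookie capturable in cleartext, which is the only thing Firesheep-style sidejacking relies on. The header samples, cookie names and the SESSION_HINTS heuristic are constructed for this example.

```python
"""Audit an HTTP response for session-sidejacking exposure.

A cookie marked `Secure` is never sent over plain HTTP, and an HSTS
header stops the browser from speaking plain HTTP to the site at all;
without both, an open-wireless eavesdropper can replay the session.
"""

# Constructed heuristic: substrings that mark a cookie as session-bearing.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Parse one Set-Cookie header into its name and lowercased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "attrs": attrs}


def audit_response(headers):
    """Return findings for a list of (header, value) pairs; [] means no exposure found."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not any(h in cookie["name"].lower() for h in SESSION_HINTS):
            continue  # only session-bearing cookies matter for sidejacking
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: no Secure flag, sent in cleartext over HTTP")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: no HttpOnly flag, readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, browser may still use plain HTTP")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or ["ok"])
```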
