Firesheep, the Mozilla Firefox add-on released about a week ago that lets its user spot people on open networks who are visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame.
More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts.
(Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to websites like Facebook and Twitter, and allows the user to take on those visitors' log-in credentials.)
Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that features lots of bold wording for emphasis and reads in part:
"I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: 'Is it legal to access someone else's accounts without their permission'."
Butler emphasizes that "Firesheep was created to raise awareness about an existing and frequently ignored problem," not to encourage online attacks.
But some have raised questions about whether it's even legal to use the software at locations such as Starbucks. More specifically, the issue is whether wiretapping laws are being violated and whether users of sites such as Twitter and Facebook should have an expectation of privacy even on wide-open WiFi networks, experts say.
Butler also addresses reports that anti-virus software, including that from Microsoft, is pegging Firesheep as a threat. "Firesheep poses absolutely no threat to the integrity of the system it's installed on, and as mentioned earlier, has many legitimate uses," Butler says.
The developer writes that if Microsoft really wants to safeguard its customers, it should work to secure websites that expose user information. Network World blogger "Ms. Smith" has suggested likewise, noting that Microsoft's Bing and Live sites badly need an upgrade to end-to-end encryption.
Butler praises Mozilla for taking on the issue more directly and shedding light on upcoming Firefox features that can protect users. Mozilla has said it won't provide a kill switch for Firesheep, according to a Computerworld article.
The Firesheep author ends his post by taking a swipe at popular websites like Twitter and Facebook for not taking user privacy more seriously: "They have knowingly placed user privacy on the back burner, and I’d be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep."
Don't be sheepish about following Bob Brown on Twitter at www.twitter.com/alphadoggs