Firesheep not evil, says snooping tool's maker
He blasts Microsoft for tagging packet sniffer as malware
Computerworld - The security researcher who created the Firesheep snooping tool defended his work today, saying it's no one's business what software people run on their computers.
He also criticized Microsoft for adding detection of Firesheep to its antivirus software, calling the Redmond, Wash. company's move "censorship."
Eric Butler, the Seattle-based Web applications developer who released Firesheep more than a week ago, took to his blog Tuesday to counter claims that the tool, or more precisely, using the tool, is unethical and perhaps illegal.
Firesheep, which was released Oct. 24 and has been downloaded nearly 550,000 times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network -- such as a coffee shop's public Wi-Fi hot spot -- who are visiting an unsecured Web site. A double-click in Firesheep gives its handler instant access to the accounts of others accessing Twitter and Facebook, among numerous other popular Web destinations.
Legal experts have split over Firesheep's legality, with some believing that using it to hijack accounts violates U.S. federal wiretapping laws, while others see it differently. All agreed that the law is "unsettled" before the courts.
Others have said there is virtually no chance that Butler would face charges for distributing Firesheep, since creating tools like it is not illegal.
Butler said essentially the same thing today, although in much stronger language. "It is nobody's business telling you what software you can or cannot run on your own computer," he said, noting that Firesheep can be used for legitimate purposes, including security testing.
"A much more appropriate question is: 'Is it legal to access someone else's accounts without their permission?'" he wrote.
Butler again argued that he built Firesheep to raise awareness about sites that don't encrypt all traffic between users and Web services. "As I've said before, I reject the notion that something like Firesheep turns otherwise innocent people evil," said Butler.
In the eyes of the law, Butler's rationale is misplaced, said Joe DeMarco, a former Assistant U.S. Attorney and now a partner with the New York City-based law firm DeVore & DeMarco LLP. "Motive, as distinct from intent, generally is not an element of federal crimes, including federal computer crimes," said DeMarco.
"You can't rob a bank, give [the money] to the starving, and then claim you are not guilty of robbery," he said. "By the same token, you can't help others commit cybercrimes and escape liability. If you make software which enables unauthorized access to other people's accounts with the intention of facilitating that crime, you may very well be liable for violating the Computer Fraud and Abuse Act under established principles of aiding and abetting and conspiratorial liability."