Installed!

LOL, I like kiernan’s comment :)

I do believe my coworkers and I will be playing with this tomorrow on the new AP we are setting up.

@kiernan Double that.

It does not do ARP poisoning, but there are tons of tools out there

What do we have to do to provide these individuals with enough INTERESTING things to play with so that they don’t bother repeating this boring old shit over and over again?

Oh WOW! You’ve noticed my updates about my CAT aren’t encrypted! You’re so CLEVER! Clearly now we should all waste processor cycles (and therefore battery life) and export regulator’s time and debugging time (ever tried to debug a protocol that uses SSL? No? It isn’t fun.) and encrypt it all! Whew. Close one there! Thanks for pointing out our collective stupidity in not encrypting all this crap.

First thing it does on OSX is ask for an admin password. So do you type it in like a good little sheep?

Downloaded!

@Audin
Allow me to enlighten you. Sit in a cafe for a few hours during lunch, or near a hotel in the evening, sniffing packets. You will collect vast amounts of data.
What this tool allows you to do is hijack a session. What’s that mean? Well, once you’ve hijacked their session on their cat’s facebook account, you can see all the private data within. Probably an address, phone number, etc. You’re half way to identity theft, or just major harassment. Lolcats need privacy too!
Seriously though, debugging things with SSL is not that difficult (which is irrelevant anyway, we’re not talking about a new PROTOCOL, we’re talking about using HTTPS, which is trivial to enable), and this attack is quite legitimate given the amount of personal information people keep in places like this.

Oct 31st?

“We would love to see someone port this to an iPhone or Android app that could check and log open Wi-Fi points.We’ll leave the foot work to the experts out there, but do be sure to give us a heads up if anyone manages to make it happen, okay? ”

How far up (and into what?) did you want to stick your head? This functionality is already built into “commercial” android devices. Google uses it to determine your position. Apple is doing this as well now. The information is correlated with GPS and cell-tower statistics, and i assure you, each and every open AP that has been accessed by an android phone has been reported back to the folks at “Do no Evil(tm)” land; In many cases, open access points are a faster and better source of (~200′ range) location information than GPS.

Privacy is not quite dead yet, but I assure you that anonymity is long past pining for the fjords. The public is just catching on, but this has already become SOP for microsoft, apple and goofle. The phone companies already had cell-tower fixes from the E911 legislation.

And if anyone thinks that SSL accomplishes anything more than making it hard to read your data while sniffing on the fly, you’re out of date, mate. Go ahead, look at all the certs installed on your browser. HTTPS is about as secure as a yale lockset.

Got IPV6? I’ll bet you have it even if you think you have it turned off. It’s magic! Well, I’ll just stop here. No sense in letting all of the cats out of the bag in one sitting. It sort of wrecks it for the tinfoil hat crowd…

I love it! a user friendly graphical UI for packet filtering, and it filters just what you want! :D I’ve already used wireshark before for this kind of stuff, but this is great! now I can steal your amazon password with little work at all! ship everything to an empty house with an alias’s name and then drive by to pick up my free package!

I don’t get it – how the fuck do I use this? Open it in Firefox 3.6.11. Configured for Airport in the preference pane and … nothing.

@bilbao bob

First, those lazy bastards must implement HTTPS. Afterwards there will be hacks aimed at why it still allows reading data on the fly. And — surprise! — this time online banking will automatically become a convenient target (due to same certificates in browser), therefore the pressure to make things work at last will be way, way stronger.

@bilbao bob

I really shouldn’t lower myself to respond to you but my morning caffeine hit hasn’t kicked in yet so I’m half the man I normally am.

The location-awareness functionality offered by Android handsets is very different to the WiFi sniffing James was writing about in this article.

Android merely looks at the access point names and triangulates your location back at their HQ based on the visible SSIDs which they collected when they were snapping up Street View imagery. This works irrespective of the security settings of the hotspots in question since no connection is made to them. The lsit of SSIDs is sent back and forth via your 3G connection if you are not connected to a WiFi network.

Meanwhile, James was suggesting an app which scans for unsecured hotspots, connects to them, sniffs for Facebook authentication data and logs it for later exploitation.

Hope that’s cleared it up for you, old timer ;)

@alex

They’re talking about MAC addresses maybe (BSSID), they are relatively static. Otherwise it’s like you said.

Though google is still telling me I’m at my previous apartment, because I took my AP with me.. so a few drawbacks.

@SD
Adding to what you said, it’s also a feature that YOU TURN ON.

With Android, pretty much everything privacy related is asked of you before installation. Google asks if it’s ok to collect certain data, apps say that they need GPS locations, etc…

Privacy isn’t dead. We’re willingly giving it away in some cases & in others we choose to hold onto it for dear life. Like anything else in life, it’s all about the context.

hi,
when i try to use this extension this error is shown:
ReferenceError: Cc is not defined

Nurse! I think Bob needs his dosage increasing…

I already installed it but it seems like it doesn’t work because it does NOT capture any interface in my network!!! any suggestions!!!??

how do i install the application?

This is how to install Firesheep to hack Facebook or Twitter accounts. This is disseminated for educational purposes only and not recommended for general use. However, I have posted already earlier how to protect your account information from this hacking software that can hack Facebook, Twitter or other accounts.

Source: http://www.bazics.net/2010/10/how-to-install-firesheep-that-can-hack.html

Given that most people dont know jack squat about arp spoofing, this tool wont do them much good, its still going to get the media, at least online hyped up when they dont know anything about how it works and they’ll be scream omg we are being haxxored. /sigh

After installing WinPcap, the Preferences dialog box seems to be working. That is I no longer have the “Cc is not defined” messages. I also see my WiFi card in the Capture Interface

@SD -
The drive around stuff was before they realized that android users could do it for them much better than rolling around their little cars… which are being redone to be much less noticeable, btw. This caused no small amount of friction between verizon and google, largely because verizon hadn’t made much money off the data yet.

BTW, the access point triangulation is still in beta stage. The data is being gathered very quickly by using cell tower fixes, even if this is somewhat behind the scenes.

…and you knew that Google is in the process of doing UAV evaluations, right? Google was founded by a couple of bright guys, but that wasn’t how they succeeded in becoming the biggest thing since sliced bread. They succeeded because the guys who work behind the door marked “THEY” had some serious money available [pallets of it, evidently], in exchange for a big piece of the action and access to all that raw information.

I’m not a tinfoil hat guy – this stuff is all common sense, and as I said, I’m all for it… I just want it to be common knowledge to everyone not paying attention.

Apple has recently embraced this – you cannot connect to the mother ship in itunes without acknowledging that you explicitly give them the right to track and use your location information. Why does apple make you agree [even though you lose access to the apple world if you decline] by checking a box when google just presumes?

And the google privacy stuff you’re agreeing to? Look closely – that’s just you agreeing to give your data to third parties and apps. Google still gets and keeps everything, regardless of your settings. Oh, it may split into separate tables, but it can be associated with a single query.

@piipi – yes, basically wireless protocol mac addresses. Rename as you like – the info stays the same.

Well, from the smell of it, I’ve spread enough FUD on the garden for one day. :)

Caution: Everything I write is obviously fictional, and any resemblance to actual people, places or activities which are going on as I write this, is pure coincidence.

Of course, the fact that you can comb the rulings and legislation of your own state(s) and the feds/DOJ websites and discover that legislation is already in place to protect these applications from SCOTUS review should be no cause for alarm.

And as they say, only shoplifters turn their heads up to look for the cameras.

I fixed up a working version for linux here

http://deauththis.com/forum/index.php?action=downloads;sa=view;down=5

Just be sure to run it in firefox earlier than 4.0 and start up ettercap with arp poisoning and your in business