Eric Butler hits out at hacking claims and at Microsoft for classifying Firesheep as malicious

News by Dan Raywood

Firesheep creator claims that there is nothing malicious about the software and says it was not designed for hacking.

Firesheep creator claims that there is nothing malicious about the software and says it was not designed for hacking.

In a blog posting, creator Eric Butler said that he had ‘received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention'. However he claimed that following questions over its legality, he felt that it was a user's choice about what software they ran on their computer and like any tool, Firesheep can be used for many things.

He said: “In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is ‘is it legal to access someone else's accounts without their permission?'

“While the answer to this question is likely dependent on many variables and will almost certainly be debated for months or years to come, it should not matter to anyone reading this. It goes without saying that harassing or attacking people is a terrible thing to do. To suggest Firesheep was created for this purpose is completely false; Firesheep was created to raise awareness about an existing and frequently ignored problem. As I have said before, I reject the notion that something like Firesheep turns otherwise innocent people evil.”

The Firesheep software was one of the hottest talking points in security when it was launched two weeks ago. It can be used for sniffing HTTP sessions that are unencrypted and can be used for hijacking online services that require a login. The plug-in makes it possible for an interested party to impersonate users by hijacking their sessions.

He also claimed that in addition to questions about Firesheep's legality, some people had debated the ethics of its release. He said that similar tools have existed for years and big online companies like Facebook and Twitter ‘cannot claim they are unaware of these issues' as ‘they have knowingly placed user privacy on the back burner'.

Butler was also critical of Microsoft for its anti-virus detecting Firesheep as a threat. He said: “By installing anti-virus, you grant a third party the ability to remove files from your system trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer.”

He was full of praise for Mozilla though, claiming that it ‘understands being a dictator is not their role and instead offers information about new features coming in the next version of Firefox that companies can use to further protect their users'.

Paul Ducklin, head of technology for Sophos Asia Pacific, said that ‘Butler wants to have his cake and eat it'. He said: “He's suggesting that anyone who consents to install his tool, even though its primary function is to hijack other people's accounts, should be free to do so. Indeed, he offers the viewpoint that ‘code is a form of speech, and the freedom of speech must remain protected'. As it happens, I don't disagree.

“He vigorously denies the right to Microsoft and all other security companies to express an opinion about his software when they come across it. That, opines Butler, is tantamount to censorship.

“In Butler's world, a network administrator who decided to scan his network for potentially unwanted software, including tools that can be used for hacking purposes (the category in which Microsoft, rather reasonably, has placed Firesheep), would have to accept that his security tools could not report openly on what they find, because that would be censorship. Seems that Butler has a rather one-sided view of free speech.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews