The event was ToorCon, San Diego's homegrown hacker conference at the San Diego Convention Center. In a 20-minute, tag-team presentation on Oct. 24, the two programmers powered through their headaches and congestion to systematically shatter all illusions of privacy on so-called Web 2.0 sites such as Facebook, Twitter and Foursquare.
“We're just kind of mad at companies for not providing proper security for all these fancy new web apps,” Gallagher, a tall redhead with glasses, told the audience of a few hundred enrapt computer programmers.
They explained that hackers have known for years how to intercept unprotected “cookies” (the digital keys that allow users to remain logged into their accounts without having to reenter passwords) over wi-fi networks. They're just floating in the air, unencrypted, free for the taking and as good as a password when it comes to accessing accounts.
“Maybe people just don't understand,” Butler said. “Maybe making it a little easier will help.”
Then the two hackers released Firesheep into the wild, a program that makes hijacking a person's Twitter, Facebook, Flickr, Foursquare (and many, many others) as easy as sending an instant message. The plug-in for the Firefox web browser creates what looks like a list of “buddies” in the window. It's not. If you're connected to an open wi-fi network, it lists every account you can hijack with a double click of the mouse.
A few hackers in the crowd chuckled. Then, as the implications of hijacking for the masses sank in, the audience erupted in applause. Butler and Gallagher's motives are more activism than mischief: Their hope is that the software's very existence will force companies to finally protect their users from log-in to log-off.
The tech blogs were instantly all over Firesheep. Within 24 hours, the plug-in went mainstream with coverage by The Wall Street Journal, The Washington Post, Forbes and The Guardian. TechCrunch.com reported it was downloaded more than 104,000 times in the first day.
The debut was a positive boost for ToorCon. The event started out 12 years ago with a dozen or so attendees in a room at UCSD. Now ToorCon has become one of the more elite conferences in the hacker circuit. Sponsorship coordinator George “Geo” Spillman says developers like to test their lectures at ToorCon before presenting at larger conferences like DefCon (the Las Vegas-based hacker equivalent of San Diego ComicCon).
“It's not about maliciousness, it's not about being a 15-year-old trying to hack NORAD, despite what every single Hollywood movie has said,” Spillman says. “It's really about just doing the research and discovering the vulnerabilities and figuring out how something works.”
Spillman defines hacking not in terms of computers, but as an active curiosity that leads people to try to figure out cool ways to modify existing technology. In the hallways of the convention center, ToorCon teams wielded everything from scalpels to clothing irons as they attempted to screw with supposedly tamper-proof devices—including evidence bags—for prizes. At a table in the vendor area, hackers taught each other lock-picking techniques (a common hacker hobby). Even the conference badges were designed to be hacked; a worktable was overflowing with diodes, LEDs, soldering irons and glue guns for attendees to create their own nerd bling. Other presentations taught users how to manipulate pink text-message devices designed for children and how to defend against PDFs containing evil code.
“Really, the most interesting thing about this whole culture and community of ToorCon is that people are happy to tell you exactly how they did it, exactly what the vulnerability is and how can you do it yourself, because their objective isn't to be nefarious or evil—it's to have fun,” Dan Tentler, who runs the San Diego-based security consultant firm Aten Labs, told CityBeat. Tentler presented his lecture on “Peoplehacking” (using facial expressions and mannerisms to manipulate people in personal encounters) immediately after the Firesheep presentation.
Technology companies recognize the need to recruit hackers to test their products, Spillman says. Microsoft slapped its name on the convention's Saturday-night party, and San Diego-based telecommunications giant Qualcomm ran a full-page recruiting ad in the official program, listing email@example.com as the primary e-mail. (Messages sent to that address go to Alex “Dr. Evil” Gantman, head of Qualcomm's Product Security Group.)
Corporate backing may legitimize what some might consider irresponsible behavior. Hackers argue that keeping this stuff secret is more dangerous than publicizing it.
“If I can figure something out, there are a ton of people out there that are a lot smarter than I am that can probably figure out the same thing, and some of them have malicious intent,” Spillman says. “Rather than putting your head in the sand, it's probably better to make people aware of a lot of these vulnerabilities.”
Justin Brookman, a senior fellow at the Center for Democracy and Technology, doesn't believe Firesheep's developers should be held liable. However, he says there is a strong, but not completely airtight, argument that using Firesheep to hijack accounts and read a user's messages violates federal wiretap laws.
Tentler disagrees, saying the law is too vague to enforce.
“The people that make the laws are completely computer illiterate,” Tentler says. “Morally, sure, it's probably a bad idea to log into your ex-girlfriend's account and change her sexual preference and start hitting on women. Assuming you get caught, what law have you broken?”
Brookman agrees that's a good question. Courts and Congress have not delved deep into these issues and that could be the scariest vulnerability of all.