Firesheep: A Repudiation Issue
I recently posted on some of the hype surrounding the new Firesheep Firefox extension. Today, ComputerWorld (http://www.computerworld.com/s/article/9194159/Is_it_legal_to_use_Firesheep_at_Starbucks_) had an article discussing the legal issues around the use of the tool. I believe the legal aspect is important, but it could be very difficult to prove. I am more interested in the implications that this tool can have for the authenticity of the information found on some of the social sites.
We have all heard stories about employers checking Facebook or MySpace regarding their current or future employees. Some people have been fired or not hired based on content on their social sites. Relationships have been dissolved because of the information found on a spouse’s network. Most recently, cyber bullying has become a huge problem among school-age users.
I will use Facebook as the example because it is one of the best known and best understood social networks. If a tool exists that makes it fairly simple for others to post to your wall (Firesheep), then to what extent can the information on your wall be trusted? Does this new tool make it easier for the offender to say that they did not post that message and that it must have happened while on a public hotspot? If the message was actually posted while at a public place, is it possible to prove whether or not the actual user posted it? I guess you could review the logs to look at the user-agent and look for anomalies, but a savvy user could defeat that very easily. It would be pretty difficult to show which computer actually did the post.
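The log review mentioned above, as an added example that is not part of the original post: it groups requests by session and flags any session whose client IP or User-Agent changes. The log format, the `sid=` field and all sample lines are constructed assumptions. Session `bbb222` shows the limit: a second client behind the same hotspot NAT that sends a matching User-Agent looks identical to the real user.

```python
import re
from collections import defaultdict

# Constructed sample lines: combined log format plus a hypothetical sid= field.
# IPs are documentation ranges; session ids and agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2010:10:01:02 +0000] "GET /home HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6" sid=aaa111
203.0.113.7 - - [27/Oct/2010:10:03:40 +0000] "POST /wall HTTP/1.1" 200 87 "-" "Mozilla/5.0 (Macintosh) Safari/533" sid=aaa111
198.51.100.9 - - [27/Oct/2010:10:05:00 +0000] "GET /home HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6" sid=bbb222
198.51.100.9 - - [27/Oct/2010:10:06:10 +0000] "POST /wall HTTP/1.1" 200 87 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6" sid=bbb222
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def flag_sessions(log_text):
    """Return {sid: [reasons]} for sessions whose client fingerprint changes."""
    seen = defaultdict(lambda: {"ip": set(), "ua": set()})
    for rec in parse(log_text):
        seen[rec["sid"]]["ip"].add(rec["ip"])
        seen[rec["sid"]]["ua"].add(rec["ua"])
    flagged = {}
    for sid, vals in seen.items():
        reasons = [f"{k} changed ({len(v)} values)"
                   for k, v in sorted(vals.items()) if len(v) > 1]
        if reasons:
            flagged[sid] = reasons
    return flagged

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, reasons)
```

A flag here only says the session was used from more than one client profile; the absence of a flag, as with `bbb222`, does not show that a single computer made every request.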
What does this affect? Remember that employee that got fired for posting something offensive or against corporate policy? Did he post it? Did an attacker post it? We run into an issue of repudiation. If they cannot prove the user did or did not post the material, then you cannot find them guilty. This could make it difficult for employers or other entities to rely on information on these sites.
I understand the point of the tool is to show the weaknesses in the security for these sites. I believe that it should also show that the information found on these sites may not necessarily be as accurate as we once thought. Use the information with caution, as it could come back to haunt either party.



