Tech & Science
Technology and Science news from Boulder, Colorado
Cookie Monster zaps your files Web developers read this Boulder
Nov 14th
Programming and human factors
by Jeff Atwood, Nov 13, 2010
The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here’s how it works:
- Connect to a public, unencrypted WiFi network. In other words, a WiFi network that doesn’t require a password before you can connect to it.
- Install Firefox and the Firesheep add-in.
- Wait. Maybe have a latte while you’re waiting.
- Click on the user / website icons that appear over time in Firesheep to instantly log in as that user on that website.
Crazy! This guy who wrote Firesheep must be a world-class hacker, right?
Well, no. The work to package this up in a point-and-click way that is (sort of) accessible to power users is laudable, but what Firesheep actually does is far from magical. It’s more of an art project and PR stunt than an actual hack of any kind. Still, I was oddly excited to see Firesheep get so much PR, because it highlights a fundamental issue with the architecture of the web.
The web is kind of a primitive medium. The only way websites know who you are is through tiny, uniquely identifying strings your browser sends to the webserver on each and every click:
GET / HTTP/1.1
Host: diy.stackexchange.com
Connection: keep-alive
User-Agent: Chrome/7.0.517.44
Accept-Language: en-US,en;q=0.8
Cookie: diyuser=t=ZlQOG4kege&s=8VO9gjG7tU12s
If-Modified-Since: Tue, 09 Nov 2010 04:41:12 GMT
These are the typical sort of HTTP headers your browser sends to a website on every click. See that little cookie on the Cookie: line? To a website, that’s your fingerprint, DNA, and social security number all rolled into one. Some part of the cookie contains a unique user ID that tells the website you are you.
And guess what? That cookie is always broadcast in plain text every single time you click a link on any website. Right out in the open where anyone — well, technically, anyone who happens to be on the same network as you and is in a position to view your network packets — can just grab it out of the ether and immediately impersonate you on any website you are a member of.
Now that you know how cookies work (and I’m not saying it’s rocket surgery or anything), you also know that what Firesheep does is relatively straightforward:
- Listen to all HTTP traffic.
- Wait for HTTP headers from a known website.
- Isolate the part of the cookie header that identifies the user.
- Launch a new browser session with that cookie. Bam! As far as the target webserver is concerned, you are that user!
All Firesheep has to do, really, is listen. That’s pretty much all there is to this “hack”. Scary, right? Well, then you should be positively quaking in your boots, because this is the way the entire internet has worked since 1994, when cookies were invented.
So why wasn’t this a problem in, say, 2003? Three reasons:
- Commodity public wireless internet connections were not exactly common until a few years ago.
- Average people have moved beyond mostly anonymous browsing and transferred significant parts of their identity online (aka the Facebook effect).
- The tools required to listen in on a wireless network are slightly … less primitive now.
Firesheep came along at the exact inflection point of these three trends. And mind you, it is still not a sure thing — Firesheep requires a particular set of wireless network chipsets that support promiscuous mode in the lower level WinPcap library that Firesheep relies on. But we can bet that the floodgates have been opened, and future tools similar to this one will become increasingly a one-click affair.
The other reason this wasn’t a problem in 2003 is because any website that truly needed security switched to encrypted HTTP — aka Secure HTTP — long ago. HTTPS was invented in 1994, at the same time as the browser cookie. This was not a coincidence. The creators of the cookie knew from day one they needed a way to protect them from prying eyes. Even way, way back in the dark, primitive ages of 2003, any banking website or identity website worth a damn wouldn’t even consider using plain vanilla HTTP. They’d be laughed off the internet!
The outpouring of concern over Firesheep is justified, because, well, the web’s cookie jar has always been kind of broken — and we ought to do something about it. But what?
Yes, you can naively argue that every website should encrypt all their traffic all the time, but to me that’s a “boil the sea” solution. I’d rather see a better, more secure identity protocol than ye olde HTTP cookies. I don’t actually care if anyone sees the rest of my public activity on Stack Overflow; it’s hardly a secret. But gee, I sure do care if they somehow sniff out my cookie and start running around doing stuff as me! Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.
I’m not holding my breath for that to happen any time soon, though. So here’s what you can do to protect yourself, right now, today:
- We should be very careful how we browse on unencrypted wireless networks. This is the great gift of Firesheep to all of us. If nothing else, we should be thanking the author for this simple, stark warning. It’s an unavoidable fact of life: if you must go wireless, seek out encrypted wireless networks. If you have no other choices except unencrypted wireless networks, browse anonymously — quite possible if all you plan to do is casually surf the web and read a few articles — and only log in to websites that support https. Anything else risks identity theft.
- Get in the habit of accessing your web mail through HTTPS. Email is the de-facto skeleton key to your online identity. When your email is compromised, all is lost. If your webmail provider does not support secure http, they are idiots. Drop them like a hot potato and immediately switch to one that does. Heck, the smart webmail providers already switched to https by default!
- Lobby the websites you use to offer HTTPS browsing. I think we’re clearly past the point where only banks and finance sites should be expected to use secure HTTP. As more people shift more of their identities online, it makes sense to protect those identities by moving HTTPS from the domain of a massive bank vault door to just plain locking the door. SSL isn’t as expensive as it used to be, in every dimension of the phrase, so this is not an unreasonable thing to ask your favorite website for.
This is very broad advice, and there are a whole host of technical caveats to the above. But it’s a starting point toward evangelizing the risks and responsible use of open wireless networks. Firesheep may indeed have broken the web’s cookie jar. But it was kind of an old, beat up, cracked cookie jar in the first place. I hope the powers that be will use Firesheep as incentive to build a better online identity solution than creaky old HTTP cookies.
Posted by Jeff Atwood
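One caveat behind the "only log in to websites that support https" advice above: a session cookie set without the Secure attribute is still attached to any plain-HTTP request to the same site. The following is an added example, not part of the original article, that audits response cookies for that exposure; the Set-Cookie lines are constructed (they reuse the cookie from the request shown in the article) and domain/path matching is assumed to succeed.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie values; the cookie name and value reuse the
# request shown in the article, the attributes are assumptions.
WEAK = ["diyuser=t=ZlQOG4kege&s=8VO9gjG7tU12s; Path=/"]
HARDENED = ["diyuser=t=ZlQOG4kege&s=8VO9gjG7tU12s; Path=/; Secure; HttpOnly"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def sent_in_cleartext(attrs, url):
    """True if a browser would attach the cookie to this request unencrypted.

    Simplification: domain and path matching are assumed to succeed.
    """
    return urlsplit(url).scheme == "http" and "secure" not in attrs


def audit(set_cookie_headers, url):
    """Report, per cookie, cleartext exposure on `url` and missing attributes."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure: also sent over http://")
        if "httponly" not in attrs:
            issues.append("no HttpOnly: readable by page script")
        findings.append({"cookie": name,
                         "cleartext": sent_in_cleartext(attrs, url),
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(headers, "http://diy.stackexchange.com/"))
```
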
CU STUDY DISCOVERS THE FOUNTAIN OF YOUTH?
Nov 10th
The experiments showed that when young host mice with limb muscle injuries were injected with muscle stem cells from young donor mice, the cells not only repaired the injury within days, they caused the treated muscle to double in mass and sustain itself through the lifetime of the transplanted mice. “This was a very exciting and unexpected result,” said Professor Bradley Olwin of CU-Boulder’s molecular, cellular and developmental biology department, the study’s corresponding author.
Muscle stem cells are found within populations of “satellite” cells located between muscle fibers and surrounding connective tissue and are responsible for the repair and maintenance of skeletal muscles, said Olwin. The researchers transplanted between 10 and 50 stem cells along with attached myofibers — which are individual skeletal muscle cells — from the donor mice into the host mice.
“We found that the transplanted stem cells are permanently altered and reduce the aging of the transplanted muscle, maintaining strength and mass,” said Olwin.
A paper on the subject was published in the Nov. 10 issue of Science Translational Medicine. Co-authors on the study included former CU-Boulder postdoctoral fellow John K. Hall, now at the University of Washington Medical School in Seattle, as well as Glen Banks and Jeffrey Chamberlain of the University of Washington Medical School.
Olwin said the new findings, while intriguing, are only the first in discovering how such research might someday be applicable to human health. “With further research we may one day be able to greatly resist the loss of muscle mass, size and strength in humans that accompanies aging, as well as chronic degenerative diseases like muscular dystrophy.”
Stem cells are distinguished by their ability to renew themselves through cell division and differentiate into specialized cell types. In healthy skeletal muscle tissue, the population of satellite stem cells is constantly maintained, said Olwin.
“In this study, the hallmarks we see with the aging of muscles just weren’t occurring,” said Olwin. “The transplanted material seemed to kick the stem cells to a high gear for self-renewal, essentially taking over the production of muscle cells.” But the team found that when transplanted stem cells and associated myofibers were injected into healthy mouse limb muscles, there was no discernible evidence for muscle mass growth.
“The environment that the stem cells are injected into is very important, because when it tells the cells there is an injury, they respond in a unique way,” he said. “We don’t yet know why the cells we transplanted are not responding to the environment around them in the way that the cells that are already there respond. It’s fascinating, and something we need to understand.”
At the onset of the experiments the research team thought the increase in muscle mass of the transplanted mice with injured legs would dissipate within a few months. Instead, the cells underwent a 50 percent increase in mass and a 170 percent increase in size and remained elevated through the lifetime of the mice — roughly two years, said Olwin.
In the experiments, stem cells and myofibers were removed from three-month-old mice, briefly cultured and then transplanted into three-month-old mice that had temporarily induced leg muscle injuries produced by barium chloride injections. “When the muscles were examined two years later, we found the procedure permanently changed the transplanted cells, making them resistant to the aging process in the muscle,” he said.
“This suggests a tremendous expansion of those stem cells after transplantation,” Olwin said. Fortunately, the research team saw no increase in tumors in the transplanted mice despite the rapid, increased growth and production of muscle stem cells.
As part of the research effort, the team used green fluorescent protein — which glows under ultraviolet light — to flag donor cells in the injected mice. The experiment indicated many of the transplanted cells were repeatedly fused to myofibers, and that there was a large increase in the number of satellite cells in the host mice.
“We expected the cells to go in, repopulate and repair damaged muscle and to dissipate,” Olwin said. “It was quite surprising when they did not.
“It is our hope that we can someday identify small molecules or combinations of small molecules that could be applied to endogenous muscle stem cells of humans to mimic the behavior of transplanted cells,” Olwin said. “This would remove the need for cell transplants altogether, reducing the risk and complexity of treatments.”
But Olwin said it is important to remember that the team did not transplant young cells into old muscles, but rather transplanted young cells into young muscles.
The research has implications for a number of human diseases, Olwin said. In muscular dystrophy, for example, there is a loss of a protein called dystrophin that causes the muscle to literally tear itself apart and cannot be repaired without cell-based intervention. Although injected cells will repair the muscle fibers, maintaining the muscle fibers requires additional cell injections, he said.
“Progressive muscle loss occurs in a number of neuromuscular diseases and in muscular dystrophies,” he said. “Augmenting a patient’s muscle regenerative process could have a significant impact on aging and diseases, improving the quality of life and possibly improving mobility.”
Olwin said the research team is beginning experiments to see if transplanting muscle stem cells from humans or large animals into mice will have the same effects as those observed in the recent mouse experiments. “If those experiments produce positive results, it would suggest that transplanting human muscle stem cells is feasible,” he said.