marahmarie: Sheep go to heaven, goats go to hell

If I'd only checked for more news on BlackSheep last night I could have written a much more vitriolic and dismissive post without even singling you and TechCrunch out! So I'm handing out mea culpas now: So sorry! As it turns out, Mashable, AOL's Switched, and ubergizmo, just to name a few websites, also wrote completely misleading posts about BlackSheep. So it's not just you guys. Whew! That was awfully close.

So...should I be comforted - or horrified - by the fact that getting the story wrong is just so...common?

There's an upside, though: at least the truth is finally coming out (but even PCMag screws it up: at no point does BlackSheep warn you to log out when it detects Firesheep activity - it simply notifies you that Firesheep activity is present on your network by showing you the IP of the person doing the sidejacking).

marahmarie: Sheep go to heaven, goats go to hell

It isn't rocket science. You're paid to write for a blog, so you read other blogs for ideas and follow-ups to what you wrote for the blog that you write for, right?

So the question becomes: Alexia: CAN YOU READ? And by the way, Alexia, you rock, you're the only female writer on TechCrunch whom I like, but you can't be serious: How in the name of all that is tech did you get this:

Firesheep accesses your Facebook, Foursquare, Twitter and other logins through cookies — Blacksheep subverts this by tricking Firesheep with a fake login cookie [emphasis mine] and alerting the user when Firesheep is detected, displaying the IP address of the person using it (see below), and warning the user to log off.

Out of this?

BlackSheep detects the active connection made by Firesheep. It does this by making HTTP requests to random sites handled by FireSheep every 5 minutes (configurable) with fake values. BlackSheep then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.

Use Firesheep to combat.... Firesheep!

BlackSheep is based on the Firesheep source code. It reuses the same network listening back-end and the list of sites and corresponding cookies, etc. This ensures that the fake traffic generated by BlackSheep is what Firesheep is expecting.

At no point does Zscaler, the makers of the BlackSheep Firefox extension, say that "fake login cookies" are used [edit: actually, this was said in Zscaler's video, which I didn't get to watch until after I published this post], only "corresponding cookies". And just once every five minutes (configurable) which means, according to the screen shot on Zscaler's post, that the most BlackSheep can check for Firesheep is once every minute, which is not frequently enough to keep your log-ins from getting sidejacked. Nor does Zscaler claim that BlackSheep will "warn you to log off".

Why do I have to sit here pounding out this post in a state of almost complete fury to try to get these points across? BlackSheep does not "protect" you from Firesheep, it simply warns you of its presence, but not often enough to do much good, nor does it "warn you to log off" before any sidejacking occurs. Those are important points that Alexia missed.

Between the misleading headline on TechCrunch, followed by the article, which leads you to believe that BlackSheep is THE ANSWER to Firesheep, when it is only the INDICATOR, I'm fit to be tied. Good luck using an indicator to protect your log-ins from being sidejacked!

Say someone broke into your house, so you install a silent alarm that can ring your cell phone to alert you when other break-ins occur. This alarm won't scare off intruders; it won't stop them from breaking in; nor will it stop them from robbing you blind. All it will do is alert you to the problem. That's it. That's all BlackSheep is: a silent alarm for Firesheep. Seriously.

You build up trust in a website like TechCrunch, which is read by nearly everyone, then they get the facts wrong on this sort of scale, and you realize that the unquestioning faith you have in them will trip you up. That's not the sort of mistake TechCrunch can afford to make.
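The mechanism quoted from Zscaler's post above (send requests carrying fabricated cookie values for sites on Firesheep's list, then watch the network for anyone else replaying those values) is a honeytoken detector, and the point of the comment is that it only ever alerts after the fact. The toy model below is an added illustration, not BlackSheep's or Zscaler's code; the site list, cookie names, request-line format and IP addresses are all constructed, and the "traffic" is a handful of inline sample lines rather than a live capture.

```python
"""Toy model of BlackSheep-style honeytoken detection of session sidejacking.

Added illustration, not Zscaler's BlackSheep code. A Detector periodically
"emits" HTTP requests whose session cookie values are fabricated, remembers
those values, and then inspects request lines seen on the network: a known
fabricated value arriving from a source IP other than the defender's own is
a replay, and the replaying IP is reported. Everything here is constructed
sample data; it does not touch the network.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed stand-in for Firesheep's site list: host -> name of its session cookie.
SITE_COOKIES = {
    "www.facebook.com": "c_user",
    "twitter.com": "_twitter_sess",
}


@dataclass
class Probe:
    host: str
    cookie_name: str
    value: str
    src_ip: str  # the defender's own address, which may legitimately carry the value


@dataclass
class Detector:
    own_ip: str
    probes: Dict[str, Probe] = field(default_factory=dict)  # fabricated value -> probe

    def emit_probes(self) -> List[str]:
        """Build one fake request per listed site and remember each fabricated value.

        BlackSheep sends these every N minutes (5 by default per the quoted text);
        the interval bounds nothing about when a hijack of a *real* session happens,
        which is why this only ever acts as an indicator.
        """
        lines = []
        for host, cookie in SITE_COOKIES.items():
            value = secrets.token_hex(8)  # random so a replay is unambiguous
            self.probes[value] = Probe(host, cookie, value, self.own_ip)
            lines.append(f"{self.own_ip} GET http://{host}/ Cookie: {cookie}={value}")
        return lines

    def inspect(self, request_line: str) -> Optional[str]:
        """Return the replaying host's IP if a fabricated value is reused, else None.

        Constructed line format: "<src_ip> <METHOD> <url> Cookie: <name>=<value>".
        """
        src_ip, _, rest = request_line.partition(" ")
        for value, probe in self.probes.items():
            if f"{probe.cookie_name}={value}" in rest and src_ip != probe.src_ip:
                return src_ip
        return None


def run_demo() -> List[str]:
    """Constructed traffic: one replay of the fake Facebook cookie from another IP."""
    det = Detector(own_ip="192.168.1.10")
    det.emit_probes()
    fake_fb = next(v for v, p in det.probes.items() if p.host == "www.facebook.com")
    traffic = [
        # The defender's own probe traffic must not raise an alert.
        f"192.168.1.10 GET http://www.facebook.com/ Cookie: c_user={fake_fb}",
        # A different machine with its own (constructed) real session: no alert.
        "192.168.1.20 GET http://www.facebook.com/ Cookie: c_user=5551234",
        # 192.168.1.77 replaying the fabricated value: this is what gets reported.
        f"192.168.1.77 GET http://www.facebook.com/home.php Cookie: c_user={fake_fb}",
    ]
    return [ip for line in traffic if (ip := det.inspect(line)) is not None]


if __name__ == "__main__":
    for ip in run_demo():
        print(f"fabricated session cookie replayed from {ip}")
```

Note what the model does not do: it never sees a hijack of the user's genuine cookies, only a replay of the bait values, and nothing in it logs the user out or invalidates a session. That is exactly the "silent alarm" distinction the comment draws.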