So I’m at the DevSum conference in Stockholm and yesterday afternoon was busily preparing for my talk, Hack Yourself First. It’s a talk I’ve done many times before and it always rocks not just based on the attendee feedback, but because frankly I just have a lot of fun doing it (you can watch a recording from Yow! in December if you’re interested).
I always prepare meticulously and no matter how many times I do a talk, I run through the whole thing from end to end multiple times in the day leading up to the talk. This is what I tried to do yesterday, until this:
So my wifi pineapple has gone to solid red / green / blue and can't reflash per this: https://t.co/Fyds2Kh5Nx - ideas? /cc @hak5darren
— Troy Hunt (@troyhunt) May 25, 2015 The Wifi Pineapple is a neat little device that demonstrates the value of SSL like nothing else can. You can read about it more in that link but per the tweet above, mine was dead. Four minutes later I had Sebastian Kinne from Hak5 (the makers of the Pineapple) helping out on Twitter. Ten minutes after that we were on email troubleshooting. 45 minutes after that I had a DHL tracking number for another one that was already on its way.
Wait – what?! That’s right, exactly 59 minutes after tweeting that my Pineapple was now a cactus, a new one was being fast-tracked to Stockholm from their European reseller. I get up the next morning, have breakfast and this is waiting for me in advance of my 10:30 talk:
20 hours ago my Pineapple died while preping for today's #DevSum talk. Now this - thanks @sebkinne & @hak5darren! pic.twitter.com/p2Cz5he9HS
— Troy Hunt (@troyhunt) May 26, 2015 That tweet was 19 hours and 31 minutes after my first one. It gave me enough time to unbox, power up, reflash with the latest firmware and then configure it for my talk. That is simply awesome and deserves recognition.
For those interested in the Pineapple, they start at $100 on the Hak5 shop. IMHO, there is no better way of demonstrating the risk of unsecured data in transport than by showing how effective the Pineapple is and how easy it is to use. In fact it’s so effective, I sometimes see feedback like this:
@JohnnoNolan @mat_mcloughlin @troyhunt @nmerrigan It's a fucking script kiddy tool
— OfficialDerpMagnet (@RobAshton) May 26, 2015 Rob is exactly right – it’s a tool that someone with next to no technology awareness (let alone security awareness) can be immediately effective with. This is precisely the point and I make that crystal clear in all my talks: here is a device you can go and buy on the web right now and begin intercepting insecure traffic from those around you. Yes, you can go and build this up yourself from various hardware and software parts but that’s not really the point, in fact it’s completely counterintuitive to the message about how easy it is for traffic to be hijacked.
For completeness of this post, if you’re a developer, go and check out the OWASP Top 10 entry on Sensitive Data Exposure, use the Qualys SSL Labs test tool to look at the effectiveness of your implementation and browse through the SSL tag on this blog for general transport layer encryption advice. If you’re a consumer (which is all of us), get yourself a good VPN service like F-Secure’s Freedome.
I’ve been using this exclusively on all my travels the last 10 days and as you can see, that’s a heap of data that has been encrypted between my devices (I’m also running it on iPhone and iPad) and F-Secure’s VPN exit nodes so well out of the reach of rogue network connections.
Unsecured transport layers are risky, getting HTTPS right is essential, Freedome rocks and Hak5 are, without doubt, absolutely awesome.