In this case, frankly, I’m appalled. This is absurdity at its best. Lets all get on the paranoia choo-choo with Jennifer Van Grove and the silly website she’s blogging about, cancel our foursquare accounts, and go hide at home in fear. Sorry to call you out like this Jen, but this is purely knee-jerk baseless paranoia. If someone sees me IN THE PARKING LOT AT THE GROCERY STORE, then they also know I’m not home. This isn’t anything new.

The common complaint I have with blogposts and arguments like this is that people never think two steps ahead. Nobody ever considers engaging their foresight muscle and actually thinking this sort of thing through to conclusion.

I’m a security-minded person. That means I have to very often think like an attacker. I have to plan out “missions”, I have to completely exhaust all nefarious ideas and plotting in an effort to fortify the clients that hire me to make them more secure. This exercise allows me to put on an attackers hat and logistically consider courses of action in an effort to understand things like the frame of mind and context of an attacker.

In the last few weeks I’ve seen a lot of folks all of the sudden “realize” that when checking into foursquare this tells the internet that “you’re not at home”. Disappointingly enough the first thing that short-sighted people think is “OH GOD THIS MEANS EVERYONE KNOWS I’M NOT HOME. I’M GOING TO GET ROBBED!”. I cannot articulate using text exactly the style in which I face-palmed. To bring some clarity to those who have chosen to forego foresight, I’ve made this handy flow-chart. Have a look:

Simply put: If you’re going to rob someone, you have to put a little thought into it. You may be shot. You may be caught on camera. You may have to deal with nosy neighbors. Do you even know who this person is or where they live? Think about it for more than 30 seconds. If you’re still convinced that foursquare will get you robbed, print this chart out, and put it over your display using a stapler.

Stop being paranoid. Stop following the crowd. Wake up.

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!