I’ve been watching Tim Berners-Lee’s Do lecture, and it has crystallised something for me about IT, education, and a little bit about gender.

The other week on I-forget-which lefty/feminist/big hippy blog, there was another round of the usual flap about women in IT – how there weren’t enough of them, and the culture is bad, and we don’t do enough to encourage them, and we don’t give them an appropriate education to prepare them.

Without wishing to bore you all with a long personal history, I’m going to have to ask you to take my word for the fact that I got a dreadful IT education, and was fairly actively discouraged from pursuing it by my school. My one attempt to get an IT education was an absolutely dismal failure. Please, just trust me when I say: whatever you think an education that doesn’t prepare people to go into IT was, I got it. By the end of my formal education, I’d been taught that what a computer was for was word processors and spreadsheets, and how to use versions of them that were so primitive they were out of date before I left school. And a little bit about Charles Babbage that I don’t really remember any more, although I very clearly remember studying IT in soporifically hot classroom without any computers in it. I trust you see my point: school taught me that computers were dull and boring, and while they may not have taught me it because of my gender, they did very effectively teach me that computers were Not For Me.

In other words: I got exactly the sort of education that people talk about young women getting when the subject comes up in relation to gender. So obviously, these young women are just slackers, who aren’t trying hard enough.

No. Don’t be ridiculous. The difference, of course, is in my home life. (But not quite in the way you think.)

Even at home I wasn’t the image of the teenage male geek (in this respect – I had all the others down pat). Sure, I had a computer in the house from a young age, but what I used it for was games. I shoved a disk in the drive, double clicked an icon, and grabbed a joystick, and off I went. (I also used it for homework, from time to time.)

But.

I remember my Uncle building his first computer from a kit, and I remember the little basic program he and my cousin wrote on it so that we could play spaceship – not so that we could play space invaders, you understand, but so that we could play spaceship. It didn’t do much more that ask us to “Turn on Artificial Gravity”, “Plot Course”, flash up the odd “Life Support Emergency” warning and generally beep and cause the screen to flash every so often, but it made our childish pretence of being interstellar explorers much more exciting, as we dashed around the living room, shooting imaginary lasers at mostly-imaginary bug-eyed monsters, before getting back in our spaceship, engaging the artificial gravity, and blasting off to some other world, hampered only by a life support emergency or two en route.

And as I grew up, I remember my Dad programming applications to track Christmas turkey orders at my Grandfather’s butcher’s shop, or, in my teenage years, applications to help record competitors times at triathlon events, and so on and so forth.

We got the intertubes plumbed in when I was 17, and a year or so after that I got into HTML because I wanted a web page of my own, like half my internet friends had, and from there into actual programming. And it was at this point, that the lessons I had unknowingly learned about computers sprang into life.

It wasn’t that computers were easy (I still find them hard), or that computer programming was intrinsically fun, worthwhile, or rewarding (I still don’t think it is, which is what separates me from the “proper” computer geeks – give me a way to avoid programming, and I’ll probably take it). It was simply this: that you can make a computer do anything. I learned that programming computers is a fundamentally creative act, and that the only limit on what you can make a computer do (assuming that you’re willing to put in the time and effort) is the limit of your imagination.

Even though I hadn’t programmed a damn thing in my life, I’d been around others who did. They did it for all sorts of reasons, and they built all sorts of things. And so when I finally decided to do it myself, it never occurred to me that it wasn’t for me, and not because I was a bloke, but just because my conception of what you did with a computer was akin to my conception of what you did with pen and paper, or a guitar, or camera. Only more so. I absolutely understood that a computer was a tool to enable my imagination, right from that that first experience of my uncle’s starship simulator. (I’m not saying that my gender was irrelevant – I do appreciate that society casts computers as a boys thing, and I wasn’t going to be discouraged from sitting at a computer, just because of my gender – I’m saying that it was irrelevant to my personal conception of the reasons to sit at a computer).

It’s not about demystifying them. It’s not about not teaching girls that computers are a boys thing, or that they’re not hard or boring. (Well, it is, but not quite in the way you think…)

It’s not just about the contents of the education, it’s about the context that education occurs in (especially when realistically, the content of that education will be out of date by the time they come to apply most of it). It’s about teaching girls and boys alike that computers are a creative thing. If I’d been taught that in school, I’m fairly sure I’d have stayed awake in IT lessons. I was lucky, and got that context in spite of the content.

Taking them out of the realm of maths and science (which shouldn’t be seen as gendered anyway, but that’s another thing for another time), and casting computers as creative tools instantly makes it harder to gender them as “for” one gender more than another. I’m not saying it makes it impossible, and I obviously have no idea what these things are like for women, but at the same time, a quick look around my female friends suggests that while many, if not most of them may have been taught that computers weren’t for them, very few of them seem to have been taught that “creativity” wasn’t for them. Almost all of them write (even if it’s “only” a blog) or take photos (even if it’s “only” holiday snaps) or draw (even if it’s only “doodling for fun”. Why should they (and of course, all my male friends) not also program (even if it’s only “so I can let my kids fly a spaceship”).

(I hate to close on a parenthetical aside, but I know if that I don’t, some well-meaning person will take me up on it: many of my female friends do far, far more in those various fields than the “even it’s only” stuff I’ve listed at the end there, and I’m not seeking to suggest that women are limited to “hobby” level creativity, I’m simply setting an inclusively broad base.)

These days, half of us carry some kind of wifi capable device around with us – laptop, phone, MP3 player, swanky new iPad. We own something that we can browse the net on via wifi, that we can use while out and about.

And we’re all familiar with the experience of agreeing to meet someone in a pub or café, and finding that either we’re running early, or they’re running late, at which point we pull out this device and do something with it. Check Twitter. Check our email. Log in to Facebook and see who it is that’s been pissing on our wall, or whatever it is that Facebook users do these days. In any event, the point is this: we hook out little boxes of digital magic up to the wifi that’s available and start using it. Sometimes we might have to pay for the privilege, sometimes we might just have to give the username and password that’s written on a sign behind the counter, and in some places, we can just start surfing away.

We don’t stop think about the danger.

You see, most of these networks aren’t secured – even the ones that require a username and password to log on to, often only require the username and password as an authentication system – a confirmation that you have the right to be using the system – not as a method of securing communication. (How you can tell: if you try and get to a website, but then get an extra screen in between from BT Openzone, or The Cloud, or 02 or T-mobile or whatever, asking you for a username and password, or your phone number, without leaving your browser, then it may well just be authentication, and not security, that the wifi is checking.)

And then along comes Firesheep. I’m not going to link to it – if you’re really interested, you can Google it. What Firesheep does is exploit a technique called session sidejacking. Up until Firesheep, this was something it required a little skill to know how to do. Not a lot, but some – you needed to put a few different tools that most people would know nothing about together on a laptop, and know how to fiddle with some fairly advanced settings in your browser. Firesheep, on the other hand, makes it possible in two or three clicks. And it’s a Firefox extension that you install like any other. My not-very-tech-savvy mother could do it, if she wanted.

One of the often-unspoken truths of security is that there is no such thing as true, 100% unbreakable security. There is just “enough security that it’s more trouble than it’s worth to get around it”. It’s why we secure our houses with simple locks on doors, and not three different biometrics and a machine-gun turret. It’s the same on-line. With enough time and effort, any system can be hacked. It’s just about making it hard *enough* to hack that most people don’t bother – a good username and secure password will keep 99% of hackers out, and the odds of being targeted by the remaining 1% are quite small. This is why Firesheep is bad – because it’s made the effort involved in this hack so trivial.

So what is session sidejacking?

We’re all familiar with logging into websites – you stick in your username and password, and presto, you’re logged in. If you’re very tech savvy, you might even know that it’s important to check for https:// at then front of the URL and not just http:// when you log in. That’s the sign that the data you’re exchanging with the website is encrpyted – that your password isn’t just being sent through all the dozens of computers between your laptop and the website you’re using, in plain text for anyone to eavesdrop on. You see that, and you feel secure.

But there are plenty of websites out there – Facebook is one example, but they’re not even close to alone in this – I think Gmail even does it, if you don’t configure some settings just right, and apparently Twitter is vulnerable to, and that’s just a few quick big names, never mind all the other small sites – where once you’ve logged in, they stop using the https:// bit. The theory being that the thing it’s important to be secure about is the authentication. And up until Firesheep, they were probably right.

Now, the way you stay logged in on most websites is that they set a thing called a cookie. You’ve probably all heard of them. They’re ones of the things that get ditched when you clear your cache and cookies because you’re trying to fix a problem. Clearing your cookies means that you suddenly find yourself logged out of loads of websites, and you have to go to all the hassle of trying to remember your password to log back in.

That cookie contains a little bit of information (actually, it might contain quite a lot, but there’s only one thing that’s relevant here) – it contains what’s called your Session ID. When you log into a website, you get assigned a Session ID, and when your browser requests pages from that website, it says (roughly) “Hi – I’m a browser with Session ID 12345, and I’d like this webpage please.” And the site goes away and works out what webpage you want and what content Session ID 12345 should get, according it it’s records. Your session ID essentially *becomes* your username and password, and it’s sent back and forth with every request you make to that website.

And if the website isn’t using https:// and if you’re using a wifi network that’s not secure, then people using the same network as you can listen in. They won’t be able to get your username and password – that got sent over https://, after all. But they will be able to find your Session ID. And once they’ve got that, they can pretend to be you.

And Firesheep does all this, in three clicks, in a really easy to use manner.

And so they can pretend to be you. And get into your Facebook, or your Gmail, and discover all sorts of things about you.

So how can you make sure you’re safe?

Well, in the first place, don’t use unencrypted Wifi, unless you have no other choice. Key terms that will tell you it’s encrypted are things like WEP or WPA. And when you’re asked for password to go along with those, they won’t be in your web browser – it’ll be your operating system asking for them.

Secondly: if you are using unencrypted wifi, make sure everything you request is over https://.

As soon as you log in to Google or facebook, or any other site, if you don’t see the little ‘s’ in the URL, add it in yourself, and hit return to reload the page. This won’t be 100% foolproof on all sites, but it’s a good first step. And you’ll find that a lot of really secure sites – bank websites and that sort of thing, do everything over https:// already, even once you’ve logged in.

Other than that, well, there’s not a lot you can do. Sorry, folks. Fixing this one is going to require companies, and people like me to do something. They haven’t in the past, because the security we used to have was good enough. But as of last week, it isn’t, so we need to get on with fixing it. But in the meantime, do please be careful when using unsecured wifi.

(Just in closing, I should probably note that the chap who wrote and released Firesheep wasn’t doing it just to cause trouble – or rather he was, but with noble motives. He wasn’t doing it to make hacking easy, he was doing it to force companies to make exactly this kind of change, and improve their security all round.)