Beware: Wi-Fi has a security weakness

You've had a lot to say about recent columns on security, mainly to ask for more information or to offer it. Some of the issues you raised may be of interest to other readers, so today we'll focus on your comments.

Wi-Fi security: A few of you challenged my assumption that it's not such a big risk to send unencrypted e-mail while using a Wi-Fi hotspot to wirelessly connect to the Internet. I said that if my e-mails contained vital secrets, I'd be worried, but as it is, an intruder would be pretty bored with my data.

Not so.

One reader, Kyle Jones, wrote, "The problem is that when you log into your Internet Service Provider to check your mail, you are likely sending your username and password over the air unencrypted. If I fish this information from the air (there are free tools available to do this), then I can log in and read your mail, send mail in your name, and maybe even dial up to your ISP and get Internet access on your dime."

He continued, "To take this scenario further, I can now release the shiny new Internet worm I've just written, using your ISP account. The worm spreads, wreaking havoc far and wide. When the feds figure out where the worm originated, you get the fun of explaining that you had nothing to do with it, while some plank-faced agent shouts in your face that you're a liar and threatens you with 25 years of imprisonment. Oh, you'd convince them of your innocence, eventually, but you'd have a bad couple of weeks at least. Then again, your discomfort might last much longer if I linked the worm to al-Qaida.

"So while you can be careless about your e-mail contents, you need to be very careful with your username and password. Most users are not this careful. I see a lot of trouble brewing unless Wi-Fi is deployed with strong encryption that is always enabled."

Those were sobering thoughts in my e-mailbox, and worthy of passing on.

I asked him about wireless encryption protocol (WEP), which another reader suggested could solve the problem, and he responded that the hotspot service I was using at Starbucks disables WEP, so username and password are transmitted in clear text.

I asked him how likely it is for someone to be lurking around Starbucks and other access points, just waiting for people to send username and password information.

He replied, "There's a geek activity called 'wardriving,' where you cruise around with your laptop looking for open Wi-Fi networks. It's easy to get free Internet access this way as people often configure their home wireless nets with either no WEP encryption or with a default, well-known encryption key. The existence of this sort of activity is another indication that there are a lot of people around sniffing the airwaves."

My colleague, Glenn Fleishman, told me a new standard called Wi-Fi Protected Access (WPA) may protect public hotspots that disable encryption. (Evidently, they disable it so people won't have to enter a special key, and because anyone with the key can view all network traffic.)

He explained that with WPA — which will start showing up in firmware upgrades and new hardware in the next few months — a password generates an individual key for each packet of data transmitted. That should make it a lot harder for crackers to get in.

To learn more about wireless networks, read Glenn's book, "The Wireless Networking Starter Kit" (wireless-starter-kit.com).

Spyware and adware: The columns about spyware and adware also prompted interesting mail.

An anonymous reader described a phone system that can record a private conversation that occurs near a phone — even one that's hung up — and relay it to a computer in another room.

Another reader, Jeff Strand, wrote that after downloading a spyware removal program, he found 100 snooping programs installed on his computer.

Philip Palm told me about the icon sitting in his system tray that identifies itself as Support.com, which "seems to be a software company that collects information for undisclosed parties." He couldn't get rid of it using Windows' Add/Remove, and because there are probably other similar programs installed on his PC, I suggested he download a free copy of Ad-Aware (www.lavasoftusa.com) to clean them out.

However, when Michael Goldendranz used Ad-Aware to purge his system, his son discovered that the Kazaa file-sharing service wouldn't work after that. He had to reinstall the software. While many programs allow you to discard the offensive add-ons that come with them, Kazaa does not. If you want to use the service for free, you have to keep everything.

Besides readers who wrote to share experiences or advice, one reader surprised me by asking how much spyware cost and how to get it. I also received e-mail from companies that wanted me to try their spying software. Ha!

Linda Knapp: lknapp@seattletimes.com. To read other Getting Started columns, go to: www.seattletimes.com/gettingstarted