By David Colker
Times Staff Writer
April 22, 2007
No one in the evening crowd at a Starbucks in Pasadena knew Humphrey
But Cheung, quietly sipping hot chocolate and working on his laptop,
knew things about them.
Several tables away was a guy sitting alone with his own laptop. "He's
starting a business," Cheung said. And the young couple in the far
corner? "They're getting married," he confided.
Cheung isn't psychic. He had hacked into the coffee shop's wireless
Internet connection on his Toshiba laptop. It took him all of about five
minutes to do so, using free software available online.
Public Wi-Fi is very handy for perusing the Internet away from the
office or home. Just remember that you may have company while surfing.
Once hooked into the system, Cheung was able to monitor the online
activity of other laptops in the shop.
Luckily for the people around him, he wasn't snooping for any reason
except to make a point: As wireless hot spots proliferate, the tools for
secretly monitoring these Internet connections are becoming more
"When people are on a public wireless connection, they have the same
expectations about privacy as when they are on the Internet at home,"
said Cheung, 32, a computer security expert and an editor for TG Daily,
a technology news website.
"But it doesn't work that way. Someone could be listening in."
Cheung was using a "sniffer" program that intercepted online signals as
they flew back and forth from the laptops to a wireless modem hidden
somewhere amid the coffee paraphernalia.
Mostly, the monitoring was limited to tracking the websites being
visited. Numbers correlating to Web addresses flew across Cheung's
computer screen, allowing him to see that the couple were viewing pages
belonging to a wedding planning site.
The man a few tables away started with sites selling high-speed
broadband service. He went from there to a page about managing websites.
Like in a mystery yarn, the clues kept coming in. "You start to get a
story about someone," Cheung said.
Suddenly, the line "LLCs in the state of California" popped up on the
screen. An LLC is a limited liability company, a type of business
structure often used by small-business owners.
"He's in Google," Cheung said. "That's a search he typed in."
Sure enough, the next stop was a California secretary of state site with
information about forming LLCs.
When approached, the man, Alex Auzers, 20, of Pasadena, confirmed that
he was doing research on starting a business.
Asked if he had searched the exact phrase, "LLCs in the state of
California," Auzers looked stunned. Then he shook his head.
"Is someone using a sniffer program?" he asked.
Auzers also is in the computer field; he hopes to start a business that
would service residential setups.
"I feel kind of stupid," he said, "because I know that kind of thing can
The company that provides wireless fidelity, or Wi-Fi, signals at
Starbucks is T-Mobile USA Inc. It manages about 7,600 HotSpots
nationwide, including in coffee shops, hotels and airports.
On its website, the company warns that communications in the HotSpots
"may be subject to unauthorized interception and are not inherently
But good luck in finding that security warning. The link to it is in
small print at the bottom of T-Mobile's HotSpot Web page, grouped with
18 other links to various company Web pages.
T-Mobile offers a free software program, Connection Manager, to improve
browsing security, said Mike Selman, the service's marketing director.
"You can use this to make sure you are connected properly to our
network," Selman said, "and that communications are encrypted from the
But the security program also seems to be more or less a secret. Not
only does the name of the program not mention security, but the link to
download it also is grouped with several other items in a dropdown menu.
And if you have a Macintosh computer, you're out of luck: The software
comes only in a Windows version.
Asked whether customers at a HotSpot should be told about the software
as they sign on, Selman answered, "Not a bad suggestion."
At least Cheung couldn't read e-mails. Except in one case.
Most major e-mail sites on the Web, such as those run by AOL, EarthLink,
Google and Yahoo, are protected by encryption. This is signified by the
site address beginning with "https" instead of "http."
Major banking and e-commerce pages that ask for financial information
are https, too. But the Web e-mail page for Internet service provider
Charter Communications Inc. is plain old http and therefore not secure.
Cheung tuned into a Charter e-mail page being viewed in a Starbucks and
began to read, "In an oiled casserole dish ."
It was a recipe for yam enchiladas.
"You definitely want to make sure that if you are using Web e-mail on a
wireless connection," Cheung said, "that it's on an https page."
In response to questions about its non-secure service, Charter said in
an e-mail that it was "currently exploring an https implementation as
well as other security options."
On home Wi-Fi setups, password protection can be implemented on the
modem, which offers a lot of security, although some hackers say they can
break through the most basic protection regimen, known as WEP.
Public Wi-Fi setups, whether paid or free, don't have the luxury of
using passwords. That would defeat the purpose of allowing a great many
people to use them.
T-Mobile, which charges about $10 a day for HotSpot use, is working to
get more people to use them. Last month, the company finished installing
a system at Los Angeles International Airport that covers 3.8 million
square feet of space, making it one of the largest Wi-Fi deployments in
Also, free Wi-Fi hot spots are being added to more outdoor areas by
cities. Fullerton and Long Beach already have them, and there are plans
to install a system at Pershing Square in downtown Los Angeles.
So, enjoy the freedom of Wi-Fi. But maybe you shouldn't surf to sites
you wouldn't want people to know you're visiting.
"If you watch where people go, one site after another," Cheung said,
"it's almost like you can read their minds."