The Times mades a big blooper, mistaking a login bypass for an attack: The Times Online has this story about how Starbucks in the UK are being targeted by hackers (phishers and simply criminals, really) who are setting up evil twins, which are computer-based hotspots that masquerade as the legitimate local network. The evil twin itself connects to the legitimate network to provide backhaul. Evil twins are useful at harvesting information sent in the clear, as well as providing fake DNS coupled with locally hosted phishing Web sites that might convince a user to enter private data.
Unfortunately, the Times's information, uncovered in a chat room, points to a method by which hackers are bypassing paying for T-Mobile's Starbucks-based service. The chatroom discourse begins with someone asking about man-in-the-middle (MitM). In classic MitM, an intruder inserts themselves between two parties, relaying information while listening in. In cryptographic circles, MitM is defeated by using effective key exchange with out-of-band confirmation through certificate authorities, reading a fingerprint to one another, or other methods.
The next chatroom messages the Times discusses, however, are about tunneling Internet traffic from DNS (domain name service). DNS is used to take a domain name and retrieve the associated Internet Protocol (IP) address. Because the login process for a hotspot requires DNS to work, DNS requests are generally passed through without restriction. However, DNS requests can return loads of other information in special resource record types. With the right kind of software on both ends--on your laptop and a remote server--you could perform an end run around authentication and tunnel your traffic over DNS just like a virtual private network connection tunnels all its traffic via the VPN connection. Devicescape uses DNS to retrieve authentication information in its lightweight device-oriented hotspot login environment.
The chatroom participants pretty much state this outright: "I am now able to tunnel my way around public hotspot logins...It works GREAT. The dns method now seems to work pass starbucks login." In fact, there are two popular DNS tunneling packages available.
Hotspots can throttle DNS traffic, or filter queries, but there are clever ways around this, including returning data as part of the alias for a domain name that's requested (a CNAME or canonical name record). So much of DNS requires passthrough of arbitrary data that I don't know how large a problem this is. One of the quoted chatroom messages in the Times article notes that the user was only able to get a few kilobits per second, which could be a result of either throttling or overhead. It's possible T-Mobile has throttled DNS traffic to a very low speed, which would make sense.