David Pogue wonders if the concern about Wi-Fi security is at too high a pitch for home users: Pogue's email column, archived online, this week questions whether there's too much focus on security. Now, I'm the first to agree with him that people with home wireless networks that aren't near neighbors have nothing to fear. Even if you have near neighbors, enabling WEP or WPA, as Pogue recommends, lowers your risk from low to nil. (WEP's key weakness that enables a cracker to break a key and access a network could require weeks of network monitoring to extract enough data to carry that out. It's only a quick crack on high-usage business Wi-Fi networks.)
But Pogue doesn't separate out different risk scenarios. My colleague and co-author on The Wireless Networking Starter Kit, Adam Engst, wrote an excellent essay on how to decide the level of exposure you have and how to mitigate it which parallels Pogue on the home networking side, but is more granular on risks outside the home network.
Pogue opens his piece talking about public Wi-Fi: "It's just so glorious to be standing in an airport, hotel lobby or city street, open your laptop, and discover that you can go online at cable-modem speeds without hooking up a single cable." But the rest of his column focuses on home networking risks where I generally agree with his take and his recommendations.
Out in the wild, the risks are quite high that someone could be monitoring an open free or fee-based Wi-Fi hotspot network -- it's probably 1,000 to 10,000 times more likely that someone is using software to monitor a hotspot than a home network. I have a piece of software that I can run that automatically captures all passwords passing over any network connection, Wi-Fi or otherwise, that requires me to press a single keystroke to activate. You should never conduct unsecured transactions over public hotspots using FTP, email, or the Web for this reason: it requires no effort to capture those passwords, and people may capture them idly.
At the very least, your email password should be secured via APOP (authenticated POP), which creates a one-time use token for access. Your email would still pass in the clear, but your password would be protected. Better, try to use SSL for email (POP and SMTP), or read your email with a Web browser using an SSL connection. Fastmail.fm and Google's beta Gmail both allow secure email reading; some ISPs certainly must offer SSL-based Webmail, too. Community wireless group NYCWireless now offers SSL Webmail, IMAP, POP, and SMTP to its dues-paying members.
Pogue focuses on the data that's being transferred as being at risk and not being very interesting. My colleague Adam does the same. They're both right. What sniffers want it isn't your private email but your passwords because then they can break into email accounts, conduct transactions using your eBay account (your password is probably the same, right?), and otherwise hijack parts of your life that allow them to commit fraud. These sniffers are, in fact, well advised to haunt Wi-Fi hotspots because they can harvest that information so readily.
Pogue does quote a Linksys product manager saying that only a skilled hacker could access files on your system, which is quite strange. Even under Windows XP, you can set up password-free shared folders that anyone can access on a local network, whether a home network or a public Wi-Fi network. It doesn't require special software to mount those shares, and many people seem to still use this option for their own ease.
Pogue closes the column with sensible advice for protecting one's computers on a local network, and this advice goes towards protecting it from attacks over the Internet, from crackers who hop on your home Wi-Fi network, and from ne'er-do-wells at public hotspots: turn off services you don't need, choose good passwords, keep your system patched.
His concern seems to be that users could wind up too anxious about using Wi-Fi networks when most of the security advice is better aimed at roaming users or corporate users. And he's right. The best advice should differentiate between simple steps for home users, and more sophisticated advice for others at higher risk as in this Jiwire article on security.