« Now it Can Be Told | Main | This is the End »

It's 2006. Do you know where your passwords are?

Today I met with one of my M.A. students. She is developing an interpretive model that complicates the gender dynamics Clover details in “Her Body, Himself,” with an aim to offset Clover's emphasis on masochistic and sadistic spectator positions for men who watch horror films. My student also has identified at least two distinct subgenres of horror films that current critical approaches cannot fully explicate.

Doing my own research on zombie films, I am more than slightly curious about what motivates me now—and what motivated me when I was thirteen—to watch movies that once gave me nightmares for three years. Perhaps masochism is a means of mastering trauma.

During our meeting, pipsqueak captured packets from Donkey's WiFi network using Ethereal. I'd logged packets prior to today just as an experiment. I inspected the capture files but did not analyze the packets in any systematic way. Until today, my curiosity has taken the form of voyeuristic possibility. However, possibility becomes inevitability given enough time and boredom. First, I want to establish I have no intention of mining the information I've obtained for purposes that are unethical or illegal.

The data that traverses a computer connected to an unswitched and populated network are massive in aggregate. Forty minutes yielded nearly 100 MB of data, much of which was unencrypted. Inspecting packets reveals what websites people are visiting, the email they are reading and sending, and the chats they are having. I focused on the first instant message exchange I found, culling from the capture file messages sent to and from one particular IP address.

With virtually no experience mining capture files, it took me an hour to extract the data I wanted and another hour to format it in human-readable form. Should I get the mind to do so again, the process would take between ten and twenty minutes, tops. What follows is a brief excerpt of a conversation between two people. 1 I've changed their screen names and have omitted any identifying information.

odma: burgers tonight

essi: yeah?

odma: you decide about this weekend yet?

essi: i dunno what i'm doing tonight

essi: yeah

essi: i

odma: lol

essi: m coming home friday night

odma: cool cool

odma: going to the wedding shower with [. . .] ?

essi: then driving uyp to the lake on sat and spending the night

odma: oh

odma: ok

essi: what wedding shower?

essi: so no

odma: [. . .]

essi: ew no

essi: hahaha

odma: im sure as shit not going

essi: i hate wedding showers

essi: hahha

odma: i hate weddings

odma: and showers

odma: lol

odma: makes it sound like I am a dirty hippy

What strikes me about this conversation is how personal it is though it is not particularly revealing. Both participants likely have no idea that their typed conversation is as “audible” as a conversation between people seated in front of each other. This is a serious problem, especially in an age of increasingly casual and ubiquitous computing. It took only another five minutes for me to find the real names of both participants, which would not have been possible except for the fact that one of them used her real name as the basis for her online identity.

My online avatars are easily connected to me and with five minutes of searching, I would be easy enough to find in meatspace. For the last eight months, I have been using encrypted communications for email and password exchange. I don't spend much time online in public places. Even so, I'm very worried about the ease with which sensitive data might be culled by ne'er do wells.

Here's a scenario: a “friend” who knows your paypal ID and knows what you look like is in a WiFi coffee shop with you. You both are using the free WiFi, while your friend's laptop is capturing the packets transmitted on that free WiFi network, your packets included. Your “friend” visits Paypal and uses the form to request forgotten passwords to request that your password be sent to you. If you are using Outlook, Eudora, Mulberry, or Apple's Mail (or another client, including web browsers) without encryption and you check your email while in the coffee shop, your “friend” is going to get a plain-text version of your login information.

Partly because the Internet was built by hard-core and trusting nerd types to facilitate communication, encrypted Internet communication is the exception when it should be the rule. Hard-core geeks know that Internet traffic is like a postcard: anyone who cares to look can read what's written. However, non-core normal types don't realize that their communications are not private, accessible to anyone with a mind to download the right software.

Even with encryption, one's Internet communications are not crack proof. Using the Internet without encryption is a security risk whose extent most people don't understand. Of course, defrauding people is much more profitable on a large scale, and obtaining the login information of dozens of people on a WiFi network is nothing compared to the logins of hundreds of users that a phishing scheme might yield. Still, the risk is real and given personal grudges, penny ante criminals, and heavily-trafficked public WiFi networks, someone will eventually be victimized as a result of using unencrypted communications on a public WiFi network.

Hopefully, this someone will not be you. end of article


1 If you are one of the participants in this conversation and would rather this conversation not be posted here, please contact me.