Packet Sniffers

Old Nov 30, 2005 | 7:26 pm
  #16  
FlyerTalk Evangelist
 
Join Date: May 1998
Location: Texas, U.S.A.
Posts: 19,523
I go one step further. When I'm on a public WiFi hotspot, I send ALL my traffic over the VPN. It's slower, but I don't have to worry about anyone looking at anything.
I do the same at public Wi-Fi hotspots. As I don't have a corporate VPN to use, I subscribed to:

http://www.personalvpn.com/

...and only pay $39.50 per year for the service. Works great, though it does slow your speed somewhat, but nothing that's really noticeable.
PremEx is offline  
Old Nov 30, 2005 | 9:12 pm
  #17  
Original Poster
 
Join Date: Feb 2000
Location: Ontario
Posts: 2,394
Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right. Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?
back seat is offline  
Old Nov 30, 2005 | 9:21 pm
  #18  
 
Join Date: Jul 2000
Location: Commuting around the mid-atlantic and rust-belt on any number of RJs
Programs: TSA Random Selectee Platinum, * Gold, SPG/HH/MR mid-tier, and a tiny bag of pretzels.
Posts: 9,255
Whoever noted that you should not do anything that you don't want to catch in the paper is spot on. That said, I run my work stuff thru a VPN, read my personal e-mail via SSH on a shell account (remember those?), and when the need arises, bounce off an SSL proxy that a personal friend has.

That said, I don't really care if joe hacker knows that I'm reading cnn.com and the like.
ClueByFour is offline  
Old Nov 30, 2005 | 9:34 pm
  #19  
 
Join Date: Feb 2005
Location: just perfect, till the snow comes
Programs: AA (what is EXP?), UA 1P, IC free mini bar club, SPG GLD
Posts: 887
Originally Posted by ClueByFour
read my personal e-mail via SSH on a shell account (remember those?), and when the need arises, bounce off an SSL proxy that a personal friend has.
Do I hear a vote for pine, and socks?
kenfry is offline  
Old Nov 30, 2005 | 10:42 pm
  #20  
 
Join Date: Oct 1999
Location: Woodside, CA, USA
Programs: United Platinum
Posts: 530
Originally Posted by back seat
Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right. Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?
If you're hard wired to the router (i.e. not using wireless/802.11), you are slightly more secure, as someone would have to compromise a point upstream in the Internet to read your traffic. That's not impossible, but it's much harder to crack a Telco or ISP router than it is to capture packets going wireless to an 802.11 access point 15 feet away.

Log on to public web sites via the HTTPS (secure) option if available. DON'T do banking or anything else critical if there isn't a secure option. Use VPN or SSL connections wherever possible.
If you must download email via POP or another "in the clear" protocol, you're probably OK if you are using a wired connection at home straight to a DSL router to your ISP, as the only compromise points are at major ISP/telco locations that are generally well monitored and secure. Having said that, I wouldn't do it myself.

On the other hand, I'm posting this via unencrypted wireless to an 802.11 AP, but if someone did sniff it all they'd get would be my flyertalk logon/password. Not a big deal.

That brings up another good security point. DON'T USE THE SAME PASSWORD EVERYWHERE. Especially don't use the same password at secure sites (like your bank) and insecure sites (like this chat room). If someone gets your password from one site, they'll try it at others.

Bob
PS: I know I'm vastly oversimplifying everything above, but it would be much too complex to explain really good Internet hygiene here. But if anyone's curious, I've been a 'Net user since it was the Arpanet running POP instead of TCP/IP, and I've been building network management and security products since 1988, so I really do know what I'm doing, even if my posts don't make that clear :-)
bpratt is offline  
Old Nov 30, 2005 | 10:56 pm
  #21  
 
Join Date: Jul 2000
Location: Commuting around the mid-atlantic and rust-belt on any number of RJs
Programs: TSA Random Selectee Platinum, * Gold, SPG/HH/MR mid-tier, and a tiny bag of pretzels.
Posts: 9,255
Originally Posted by kenfry
Do I hear a vote for pine, and socks?
Something like that.

Pine is good stuff. I don't know if I'll ever be able to switch. I simply cannot manage e-mail as quickly with any GUI based mail clients.
ClueByFour is offline  
Old Dec 1, 2005 | 6:07 am
  #22  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
If you want to keep your email safe then ask your ISP if they support secure POP, which they should. Then it is a simple config change in your e-mail client.

However, as others have pointed out, e-mail is just plain insecure. If you want to shore it up a bit there are encryption programs (OpenPGP, etc) but they require that each user has the program yadda yadda... and there is very little preventing that email from being forwarded once decrypted. You can also get a personal certificate from someone like registerfly.com which will allow Outlook to encrypt email.

But banking and shopping online, as long as you see the little padlock, is very very safe.

Wireless at home is a tricky beast. The only strong protection is WPA. WEP (on older models) and MAC filtering are 100% worthless. In other threads others have pointed out "yeah, but who is going to bother when there are tons of open APs around?".... any 12 year old with free software is who!
Turn on WPA on your router and you are golden (of course Steve Gibson would suggest a 63bit password from www.grc.com/pass... which is what I do and keep it on a network share on my lan and on a usb stick)

Last edited by SpaceBass; Dec 1, 2005 at 6:11 am
SpaceBass is offline  
Old Dec 1, 2005 | 8:49 am
  #23  
 
Join Date: Jul 2004
Programs: CO Gold; SPG Gold***; AvisFirst;
Posts: 3,970
Originally Posted by back seat
Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right. Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?
If it's wireless, you should enable encryption.
mbreuer is offline  
Old Dec 1, 2005 | 8:56 am
  #24  
FlyerTalk Evangelist
 
Join Date: Sep 2000
Programs: BA, AA, DL, KLM, UA
Posts: 37,489
Originally Posted by ClueByFour
Pine is good stuff. I don't know if I'll ever be able to switch. I simply cannot manage e-mail as quickly with any GUI based mail clients.
FREAK
ScottC is offline  
Old Dec 1, 2005 | 10:31 am
  #25  
 
Join Date: Apr 2005
Location: YUL
Programs: AC SE
Posts: 2,103
Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a threat packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?
WIFI or not, all your data is available for packet capture to anyone upstream. What should you do? The same thing as always. Use SSH, SSL and HTTPS. If your packets are encrypted it does not matter who is looking at them.
fly-yul is offline  
Old Dec 1, 2005 | 11:35 am
  #26  
 
Join Date: Jul 2004
Programs: CO Gold; SPG Gold***; AvisFirst;
Posts: 3,970
Originally Posted by fly-yul
WIFI or not, all your data is available for packet capture to anyone upstream. What should you do? The same thing as always. Use SSH, SSL and HTTPS. If your packets are encrypted it does not matter who is looking at them.
This depends on who is operating the AP. It is possible to intercept ssl (https). The user would probably get a message about the key not being issued by the provider, but those are common enough messages that most people would probably just click, "OK."
mbreuer is offline  
Old Dec 1, 2005 | 12:39 pm
  #27  
 
Join Date: May 2005
Programs: UA MM, AS Titanium, Marriott Titanium
Posts: 2,252
Originally Posted by SpaceBass
Wireless at home is a tricky beast. The only strong protection is WPA. WEP (on older models) and MAC filtering are 100% worthless. In other threads others have pointed out "yeah, but who is going to bother when there are tons of open APs around?".... any 12 year old with free software is who!
Turn on WPA on your router and you are golden (of course Steve Gibson would suggest a 63bit password from www.grc.com/pass... which is what I do and keep it on a network share on my lan and on a usb stick)
Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.
thegingerman is offline  
Old Dec 1, 2005 | 1:26 pm
  #28  
 
Join Date: Jul 2004
Programs: CO Gold; SPG Gold***; AvisFirst;
Posts: 3,970
Originally Posted by thegingerman
Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.
MAC filtering can be defeated by changing your MAC address to match what is expected by the router.

There are numerous sites with WEP hacks posted.

WPA uses better encryption and key-exchange methods and so is more difficult to defeat. Organizations where security is important run WPA and also use a VPN over the encrypted link.
mbreuer is offline  
Old Dec 1, 2005 | 5:45 pm
  #29  
 
Join Date: May 2004
Location: Los Angeles, CA
Programs: DL Diamond
Posts: 155
Originally Posted by kenfry
I also use Google Secure Access, and it works well for me
but you have to live in mountain view to get it...
cbd_sea is offline  
Old Dec 2, 2005 | 6:31 am
  #30  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by thegingerman
Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.
MAC filtering is pretty simple to crack. Basically- as you probably know- the MAC address is just a unique ID assigned to each network device (Be it wired or wireless). MAC filtering tells the AP to only allow certain wireless devices. However when signals go out from the AP, the MAC address info is sent in the clear. Basically it's out there yelling "HEY, I've got a web page here for 123abc, who is 123abc? anyone? anyone?" All someone has to do is intercept that message, change their MAC to 123abc and they are on the AP.

WEP's weakness gets tricky, someone else can probably explain this better than I can. But basically there is a pre-shared key that is used to generate the cryptography. The AP sends its part of the key and a request for the response to any device trying to connect. Widely available software can even stimulate the AP into sending even more data which. After there is enough data sent cracking software can determine the master key from all the pieces.

WPA uses the same cryptography, but it takes the key and hashes it something like 1024 times then changes it fairly often. It also encapsulates the key itself whereas WEP sends it in the clear. Basically with WPA, once the secure connection is established, the key changes faster than it can be cracked. WPA CAN be cracked, but it requires someone to capture a LOT of data and use a powerful computer to run a brute force crack against it. So if your WPA password is something like "We Love Paris" even though it seems strong b/c it's a sentence, all the words are in the dictionary so it's subject to such an attack.

What I do, and Steve Gibson has recommended the same thing on a podcast, is use a random 63bit password. I keep it stored on an encrypted network share and on a USB key (that I keep locked in my wine fridge - only so I'll remember where it is). www.grc.com/pass has the best algorithm that I know of. What I HAD used was something I downloaded for OS X, but I think Gibson's is probably a tad stronger. When you use a 63bit password WPA is uncrackable- mathematically speaking.

Of course I'm also a freak- I don't want guests on my LAN so I have a separate wireless subnet with an open access point that only uses MAC filtering. I have some WiFi phones that don't support WPA. So even if it's cracked (and I cracked it myself several times just to learn) then people can only get out to the internet and are not on my network. I'm not thrilled with that solution at all currently... but it means my phones work and my LAN is safe. On my LAN I use WPA2 with the aforementioned 63bit password. So far I've never needed to have anyone join my LAN WiFi so the USB key is still next to the Turley and Martinelli zinfandels...

-N
SpaceBass is offline  
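
An added example, not part of any post in this thread: the passphrase-to-key step of WPA/WPA2-Personal as IEEE 802.11i standardizes it (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt, 256-bit output), with an upper-bound comparison of a three-word dictionary passphrase against a random 63-character one. The function names and the 100,000-word dictionary size are assumptions made for illustration; "password" / "IEEE" is the test vector published with the standard.

```python
import hashlib
import math
import secrets
import string

ITERATIONS = 4096  # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_BITS = 256     # size of the derived pre-shared key


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2-Personal PSK (hex) from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    # The SSID is the salt, so the same passphrase gives a different key
    # on a differently named network.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), ITERATIONS, PSK_BITS // 8)
    return key.hex()


def guess_space_bits(symbols: int, choices_per_symbol: int) -> float:
    """Upper bound on guessing effort in bits, capped at the PSK size.

    Assumes every symbol (character or word) is chosen uniformly at random;
    a meaningful phrase is weaker than this bound.
    """
    return min(symbols * math.log2(choices_per_symbol), PSK_BITS)


def new_passphrase(length: int = 63) -> str:
    """Generate a random passphrase from letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Test vector published with IEEE 802.11i (passphrase "password", SSID "IEEE").
    print(wpa_psk("password", "IEEE"))
    # Three words from an ASSUMED 100,000-word dictionary vs 63 random characters.
    print(f"3 dictionary words : {guess_space_bits(3, 100_000):.1f} bits")
    print(f"63 random chars    : {guess_space_bits(63, 62):.1f} bits")
    print(new_passphrase())
```

The three-word figure comes out just under 50 bits, while the 63-character random passphrase exceeds the 256-bit key it is mapped to, so the key size becomes the limit rather than the passphrase.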

