In January of 2005 I wrote Are You Naked? and again in July of 2007 Are you *still* naked in a coffee shop?. My objective was to try and elevate the discussion about the fact the overwhelming majority of us who use free wireless internet access in public hotspots are completely "naked" since it’s trivial to capture your wireless packets as they fly through the air.

There are certain things I never do in a coffee shop: use File Transfer Protocol (FTP) but instead the Secure FTP; never access my banking or stock sites; set my firewall and more (for best practices, see that second post on the subject here).

Managing eight email addresses through the Google Gmail interface, I’ve always made certain that I access Gmail through Secure Socket Layer (SSL) which is the encrypted security protocol used by banks, stock sites, ecommerce and any other transactional site with security (you know you’re using SSL when you see the little padlock in your browser and an "s" after "http" in your browsers address bar). Felt pretty good about it too and I’ve trusted the big brains at Google to be 110% on top of security issues.

Now comes word that there is a security hole in Google’s Gmail javascript (used in Gmail for the fancy-shmancy Ajax interface framework and elements):

When Robert Graham demonstrated how Web 2.0 wasn’t safe
at last year’s Blackhat, it was thought that at least the SSL mode
(HTTPS) of Google Gmail would be spared from sidejacking.  That
presumption now appears to be false according to this updated blog posting
from Graham.  Even with SSL enabled, Gmail sessions can still be
hijacked by Graham’s Hamster and Ferret (or less easily with Wireshark
and Mozilla’s cookie editor).

This is just great. If me, Mr. Security and Web Application Awareness, has an opening for his laptop and Gmail session to be compromised, what about everyone else?

My daughter logs on to any wifi hotspot with her iPhone or Macbook and sees zero harm — though I’m trying to educate her on how to be safe (which feels to me like havng a safe sex discussion and we know how effective THAT has been globally…but I digress). This means, for example, a "packet thief" could sit in a coffee shop, log in to the free wifi and setup a rogue hotspot (it’s simple to set up your own laptop to pretend it’s a wifi access point and lure in the unsuspecting) and then fire up the tools on their laptop and capture my daughter’s packets that come through the packet thief’s own laptop. Voila! The packet thief now has her username, password — or in the case of Gmail’s cookie security hole — the cookies with temporary credentials in them.

With a temporary cookie session initiated, the packet thief can now change her password and have complete control over her email (and, God forbid, her banking, stock trading, or any ecommerce transactions executed while accidentally logged on to a thief’s laptop).

Fix this Google…now.

Next week sees Steve Jobs on stage giving his Macworld 2008 keynote. Some things are obvious (new Mac Pro announcement this week shows machines starting at $2,798 so there’s a huge gap to be filled below it, probably with a midlevel, headless machine) and rumor speculation is rampant with an ultraportable Mac near the top of the list.

I still have an Apple Newton with an Apple fixed asset tag on it (they didn’t want it back when I left the company in 1999). While I didn’t like it well enough to have paid money for it (even with my employee discount), the handwriting recognition in the 2.0 software was excellent and not rivaled for several years until Microsoft debuted the Tablet PC.

In the spirit of yesterday’s post of how slooowly things move — and that each of us should be grateful and amazed by how far we’ve come in such a short time — let’s pay a little homage to the Newton by viewing this getting started video for the device. Seeing how archaic it seems today will surely make you appreciate the ease-of-use of a touch-enabled iPhone or iPod Touch all the more and get you ready for whatever "one more thing" happens next Tuesday.

I bet it will be "touchy".

For the last month I’ve been hacking my iPhone with iFuntastic. Adding ringtones, moving stuff around and so on is fun…but I want more. I want applications. Why? Because as much as I enjoy and truly love my iPhone, I’m bored. I’d love to be able to buy an application, for instance, that would allow me to have a To Do list that is useful (that little note pad is pretty worthless).

The problem is that the hacks don’t work well and few developers are willing to invest in application development if the runtime is dependent upon a hack to make it work. For example, iFuntastic allows icons alone or icons with captions…but not all turn off. It’s a little thing but it ruins the aesthetic of the iPhone when it’s all kludgy looking. An Apple update for the iPhone often removes the hack and a restore is necessary…not something a developer would be to keen on.

This post on Lifehacker is one I’ll try next.

Whether or not you have an iPhone or if you’ve hacked it or not, the energy around trying to arm-wrestle this device into submission is one in which I delight. There are people just like me — bored but with the technical acumen to actually hack the device — that are providing ways to customize it. The recent SIM card hack is one example of how people are figuring out how to make it more useful, including having it run in places Apple would prefer it doesn’t at this time.

What is interesting about this phenomena is how companies try to position and control technology and its release…but people mold, bend and shape it to their own ends. With the instant access to news and information (and how-to’s) flying around the internet at the speed of electrons, control is being lost and quickly.