A stealthy startup named Republic Wireless has launched, based on a concept that’s enough to grab anyone’s attention, at least momentarily: unlimited voice, data, and texting for $19 a month. The company says it’s going to make that possible by routing as much stuff as possible over Wi-Fi networks, and utilizing Sprint’s cellular network where necessary.

There are several catches. For one thing, Republic will only support one phone at first: LG’s Android-based Optimus, running Republic’s custom software. (The first-month fee of $199 gets you the Optimus.) For another, the service won’t offer international calling for now. Republic cheerfully concedes these points.

But there’s another gotcha which the company’s site tapdances around: It claims it’s offering unlimited service, but also says that it’s possible to use the service in a manner that isn’t “reasonable” and which violates a “fair use threshold.”

In one place on its site, Republic seems to say that the $19 gets you unlimited everything over both Wi-Fi and Sprint:

Do I need to buy minutes from Sprint or anyone else?
No. We’re the first-ever wireless provider to bundle Wi-Fi calling with access to cellular whenever you need it. Your republic wireless membership includes unlimited calling, texting and data over Wi-Fi and Sprint’s cellular network.

But then it introduces the concept of a Cellular Usage Index that it expects you to monitor:

The best way to know how you’re doing is by checking out your Cellular Usage Index (CUI). If it’s too high, we’ll let you know and give you tips to bring it down. You have plenty of time. But meanwhile, you still pay a flat fee of $19/month no matter what.

[snip]

Everyone’s entitled to a bad day, week or month. Kicking the cell habit, however, isn’t for everyone. Membership here is a privilege. So, over time, if you don’t bring your CUI back into a reasonable range, we’ll help you find a more suitable, traditional cellular carrier.

Okay, so if I use too much Sprint, Republic may apparently ask me to leave. But the company apparently isn’t ready to define what “too much” is:

How much cellular usage is too much?
It depends. Even assuming 0% wifi usage, for example, you could consume 550 minutes, send 150 texts, and download 300 megabytes of data without crossing the community’s fair use threshold. Everyone’s usage patterns will be different, but we’re confident you’ll be amazed at how little cellular you actually use when you have a phone that makes it easy to leverage the power of your Wi-Fi networks.

All right, now I understand. We may not know what “too much” is, but we do know that there is such a thing as using excessive Sprint cellular. Right?

So this isn’t really an unlimited plan?
It is in fact an unlimited plan. We’ll never charge you overages, limit your download speeds, or restrict you to calling circles. Hybrid Calling makes it easy to stay within the community’s fair use guidelines.

It’s unlimited. Except if you exceed the limits. And yet Republic says that it doesn’t cap your service:

What am I buying?
Freedom from calling plans, overages, caps, tiers and termination fees. Members of the republic wireless community get an Android-powered smartphone and unlimited use of it for calls, texts and data. Your phone comes with built-in Hybrid Calling technology that leverages the Web whenever Wi-Fi is available, and uses cellular as a fallback when needed.

Republic Wireless, your service sounds interesting. It could be a good fit for plenty of people. But why introduce yourself to the world by playing word games that might leave prospective customers skeptical about the whole idea? You can claim to offer unlimited service. Or you can place limits on some types of usage and fire members who exceed them. But you can’t do both. Or at least you shouldn’t.

Just what is so disagreeable about being up-front and telling us that you offer unlimited voice, data, and texting over Wi-Fi and supplementary, limited service over cellular? Why not tell us what you offer rather than repeatedly claiming to deliver something which you clearly don’t intend to provide?

Qualcomm Atheros created this art to celebrate 802.11 day, a holiday it invented.

I bet you didn’t know it, but today is 802.11 day. (I didn’t know it either until a PR person for Qualcomm Atheros–the Qualcomm division formed after Qualcomm acquired Wi-Fi chipmaker Atheros–e-mailed me.) Not because of any scientific milestone involved in creating the IEEE standard more commonly known as Wi-Fi, but because, well, it’s really 8.02.11. Get it?

The folks at Qualcomm Atheros seized upon the tech equivalent of a bad pun to update a group of journalists about what’s next for the popular connectivity technology–and although the excuse may have been lame, what they had to say was interesting. The last big upgrade, 802.11n, delivered speeds on the order of 100mbps Ethernet, so the standard now in the works is going for the next speed hurdle–1 gigabit.

Maybe they’ll call it gigabit Wi-Fi. But for now, the embryonic standard is simply another IEEE alphanumeric: 802.11ac. (They went through the entire alphabet for various other Wi-Fi related technologies–some of which no one ever cared about–so after 802.11z they started over again with two letters, and 802.11aa and 802.11ab are already taken.)

Qualcomm Atheros technology vice president Bill McFarland estimates it will be a good year and a half before we see actual 802.11ac products, but that would be downright speedy compared to the many years it took 802.11n to get from the IEEE drawing board into my living room. Anyway, here are some things I learned at the briefing:

• It will operate only in the 5ghz band, so it will not be backwards compatible with the vast majority of current Wi-Fi gear that only supports 2.4ghz Wi-Fi (802.11b/g and 2.4ghz 802.11n). Only 802.11a and 5ghz 802.11n gear will work with 802.11ac radios–but McFarland anticipates that at least initially, vendors won’t release products that don’t support 2.4ghz at all.  What we’ll probably see are products that support 802.11ac and 2.4ghz 802.11n.
• To attain gigabit speeds 802.11ac will be able (among other things) to use wider bandwidth channels to send data streams. Today’s Wi-Fi products use either 20mhz or, at most, 40mhz channels; in contrast, 802.11ac gear must support 80mhz channels–or, optionally, 160mhz channels. And its radio waves will support denser data transmissions than 802.11n, so that one 802.11ac stream will be able to carry roughly the same amount of bandwidth as three 802.11n streams.
• Access points can send and receive up to 4 8 spatial data streams, twice as many as 802.11n. And 802.11ac devices will be able to intelligently parcel out the streams based on the capabilities of simultaneous clients. If you have two smartphones on the network, each with one 802.11ac antenna (this is typical for smartphones) and one notebook with two antennas, a 4-antenna 802.11ac access point can simultaneously direct one stream to each smartphone and two to the notebooks. An 802.11n device cannot divide streams up this way, so it communicates with one device at a time, which slows things down. Of course, this means that on a network with lots of clients operating simultaneously, nobody will get top speed: the gigabit bandwidth will be divvied up.

How will 802.11ac stack up against WiGig, another high-bandwidth standard in development that operates on the 60ghz band? Basically, WiGig will be faster–but only at relatively short distances where walls and ceilings aren’t involved, making it more suitable for cable-replacement applications. McFarland says he believes the two will co-exist nicely.

Given the generally leisurely pace of new Wi-Fi technology adoption, I imagine it will be several years before 802.11ac becomes as familiar as 802.11n is now. But migration from 2.4ghz, which simply doesn’t have the bandwidth capacity required for the many wireless devices it is called on to support, is long overdue. Ask anyone who’s tried to stream media over a 2.4ghz Wi-Fi network in a big city. I just wish notebook and smartphone makers would be more proactive in supporting 5ghz Wi-Fi: even today, most don’t. Perhaps with gigabit Wi-Fi as a carrot, more people will make sure to demand 5ghz Wi-Fi, with or without support for legacy 2.4ghz gear.

Hang in there–the Wi-Fi Alliance is working on a cure for hotspot overload. Sometime in the first half of next year, if the current timetable stands, the Alliance–the trade group that certifies Wi-Fi networking gear from different vendors for interoperability–will start certifying hotspots, along with the devices that access them.

Among the benefits of the program for consumers will be streamlined network discovery, account setup and login: Your device will automatically figure out which hotspots you already have accounts with and log you in based on your preferences. Certification will also require use of the strongest available Wi-Fi encryption, WPA2.

The Alliance isn’t doing this entirely out of the goodness of their members’ hearts. As more devices support both cellular networks and Wi-Fi, carriers have a vested interest in simplifying or (even better) automating the handoff of data services from their increasingly bandwidth-strapped cellular networks to Wi-Fi hotspots. The more people use hotspots, the faster 3G and 4G will be for everyone else.

In fact, the Alliance’s stated goal is to make moving between hotspots as transparent to users as cellular roaming is now. (After all, you don’t have to log in to roam.) For many devices, the technology–once deployed–should be an easy upgrade via firmware.

My main concern is that all this seamless roaming doesn’t wind up surprising me with a big bill at the end of the month. Using a public hotspot can cost upwards of $10 an hour. I would hope that somewhere in the process I get to veto hotspot use that charges more than I want to pay. Even AT&T sends me a text message when I am in a new country reminding me how much they are going to charge me for roaming data usage (a lot), which gives me a chance to buy a data roaming package (still expensive, but not quite as outrageously so).

Unfortunately, there’s something not quite right with their Internet connection in relation to Twitter. As you can see, I wasn’t the only one in my account:

The interloper acted in the same manner I would have. Not entirely benign, but mostly benevolent as far as I can tell by merely firing off that lone alert. I’m not so concerned about anything in my archived Twitter direct messages, as it’s mostly boring stuff. I operate under the assumption that everything/anything online can become public at any time. Internet privacy is an easily shattered illusion.

Now it’s possible this person swiped my credentials off the network using something like Firesheep. But I’d expect a person dabbling in such affairs to more proudly proclaim I’d been p0wned. Followed by additional mayhem. So I’m taking him/her at face value and suspect somehow the packets were unintentionally crossed. And at the time there was super high latency on the network. Combined with Southwest’s proxy and framing of every web page (see below, left), I guess anything is possible. Although it shouldn’t be.

At the time of discovery, two hours after the fact, I was obviously startled and the only action I came up with was to delete the tweet. In retrospect, I should have left it be so as to not impact any possible forensic research. And to provide a more compelling post. But the screen grab will have to suffice. Once I deplaned, I changed my unique Twitter password, as a precaution, via aircard.

So consider this post a public WiFi PSA in addition to a security vulnerability notification to Southwest and Twitter. I’ll provide updates if either of them choose to respond.

(Thanks for alerting me, Steve!)

(This post republished from Zatz Not Funny.)

One Very Serious Threat

There’s a pervasive, serious Facebook and Twitter exploit that leaves you wide open to any and every hacker who can download a simple-to-use, free tool called Firesheep. It’s a threat if you’re using an unsecured, public Wi-Fi network, typically available at an Internet cafe, airport, hotel, or RV campground.

Last week TechBite paid subscribers got the first dispatch about this in the Extra newsletter; here’s a more detailed version.

The Hacking Tool

Firesheep is an HTTP session hijacker that runs as a Firefox extension and sniffs around for cookies on any unsecured Wi-Fi connection.

When you log onto Facebook, Twitter, or any of over 26 other social networking sites, your computer sets a session cookie. A person running Firesheep can read the cookie and log onto your Facebook page. Then he (okay, or she) can do anything from your Facebook account, such as send e-mail or write on a wall.

Every browser is vulnerable to the exploit.

The one saving grace is that Firesheep doesn’t have access to your password — that’s encrypted and safe. If the hacker tries to change it from within Facebook, you’ll get an e-mailed alert. But everything else on Facebook is fair game.

Download and try Firesheep if you don’t believe me. There’s nothing as shocking as reading a stranger’s Facebook or Twitter account without their knowledge or consent. It might actually motivate you to do something to protect yourself.

Who’s Behind Firesheep?

Firesheep’s author has an open agenda: to force social networking sites to make the entire online session secure, just as the online banking sites do. (When you’re on PayPal or your bank’s site, you’ll see an icon of a lock somewhere on your browser, and the link will start with “https” rather than just “http.”)

I think it’s a dang stupid way of getting people to see the problem, but what do I know?

Are You at Risk?

Sure, but you always were: HTTP and packet sniffers are nothing new. The first one I tried was in 1999. The problem now is that any knucklehead with a modicum of computing skills can sit at Starbucks, latte in hand, and poke around your Facebook account. (I know how boring your page is, and stay away from it, but hackers aren’t always so bright.)

Is it wiretapping? Kinda. Illegal? Yep. Has that stopped anyone from using Firesheep? Probably not.

Three Sure-Fire Solutions

It was difficult to find a product to defeat Firesheep that I liked and trusted. Most of the tools I tried — VPNs with proxy features — were either difficult to use or half-baked. I’ll get to those in a minute. But first, three recommendations for safer Wi-Fi journeys:

• Hide My Ass! Pro VPN (known in polite circles as HMA) creates an encrypted Internet connection, so Web browsing, using Skype, sending e-mail, chatting — whatever — is protected. HMA can change your IP address so you can browse anonymously (test it with WhatsMyIPAdress). The site has freebies, too – a file upload hosting service, Web proxies, anonymous e-mail, and search and link anonymizers.

Hide My Ass Pro VPN protecting me

Tech Note: There’s no bandwidth limitation; connection slowdown is minimal; and HMA’s servers are mostly in the U.S., with some in Europe, Canada, and elsewhere.

It met my criterion: It’s easy to use. After you download and install it, one click is all you need to start it cooking. And it provides all-inclusive, non-intrusive online protection.

Of course, it’s not free — but I think it’s a reasonable pay-as-you-go deal at $11.50 a month. If you don’t travel much, the month-to-month is appealing. If you’re out and about often, it makes sense to pop for the yearly payment of $79, just a little over $6 per month.

• If you have a PC at home and are on the road with your notebook, use LogMeIn Free. It’s a VPN, a program that lets you securely connect to your home computer. Once you log in, you’re using your home PC. Every application — including the browser — is on an encrypted connection. And with a fast connection at both ends, there’s minimal slowdown.

• Most important, if you travel often, don’t use public Wi-Fi. Bite the bullet and invest in a portable — and secure — Sprint or Verizon hotspot card. To date, there are a gazillion plans and providers, but they generally run about $40 to $60 per month with a set amount of bandwidth use. An neat alternative is Boingo, with 125,000 hotspots around the world, for about $10 per month.

Protection That Won’t Cost a Dime

I tried dozens of free tools, but rejected them because they were difficult to use or didn’t offer enough protection. (Well, except for LogMeIn Free.) The apps below — two are Firefox add-ons — offer protection, but have limitations.

• ForceTLS, a Firefox add-on, changes regular links to secure links (including Firefox and Twitter). The problem is convenience: You have to add each link you want changed to its database. It’s hit or miss because not all links can be made secure.

• HTTPS Everywhere forces about 30 sites into a secure https condition. For me, that’s half-baked, because to add a site you need to learn Bulgarian (well, okay, Rulesets).

HTTPS Everywhere forces sites to be secure

• Hotspot Shield (an ad-supported freebie) failed the Bass International Sniff Test. It protected me, sure, but the intrusive toolbar was littered with ads.

Hotspot Shield's toolbar is loaded with ads--and intrudes on my browser

Even if I didn’t use the toolbar, the product tried to change my home page and attempted to switch my search engine. And I wasn’t keen on the product’s cozy relationship with advertisers. (Privacy Notice: “third-party ad servers or ad networks use technology to send, directly to your browser, the advertisements and links that appear on the Hotspot Shield …[including the use of] cookies, JavaScript, or web beacons”.) No thanks.

Hotspot Shield's behind-the-scenes shenanigans

[This post is excerpted from Steve's TechBite newsletter. If you liked it, head here to sign up--it's delivered on Wednesdays to your inbox, and it's free.]

The Wi-Fi Alliance announced just over a week ago that it would begin certifying products under the new Wi-Fi Direct standard. Now, according to the organization’s own certification list, the first smartphone has qualified for new point-to-point Wi-Fi communications. The Samsung GT-I9000, aka the Galaxy S, received Wi-Fi Direct certification on November 1st. It’s eighth in a list of certified devices, but the first smartphone to make the cut. As a reminder, Wi-Fi Direct facilitates device-to-device wireless 802.11 communication without requiring a wireless access point or going out to the web. Best of all, only one device has to be Wi-Fi Direct certified to enable wireless networking with any other Wi-Fi gadget. That means Galaxy S owners will, in theory, be able to share photos, music, video, and other files over a localized network. It’s like Bluetooth, only you probably have a few more Wi-Fi devices lying around.

(This post republished from Zatz Not Funny.)

The article doesn’t really live up to the headline: The closest it gets to evidence that Wi-Fi “may” be banned is a reference to an alarmed explosives expert saying it might be too dangerous.

Seems like a ludicrous overreaction to me. The in-air Wi-Fi I’ve used–Gogo–requires the user to log in and enter a CAPTCHA, and while I don’t discount the possibility of terrorists being smart enough to build a Wi-Fi-based bomb triggering device that can autonomously log into an in-flight network designed to be accessed by humans, it seems like it would require an awful lot of work on their part. Wouldn’t a plain old-fashioned timer produce much the same results with far less effort and technical knowledge required, and less likelihood that the device would fail or be detected?

Remember when a bunch of news organizations suggested that laptops might be banned from airplanes, period? Let’s hope this theory is just as solid as that one…