The Café Sting
Hotspot traps, timing windows, and blending into background noise.
The café opened early. So did the sniffer two tables over. Captive portal. No TLS on the login page. New clients got a welcome DNS response that wasn’t exactly DNS. Most people never noticed. That was the point.
What went wrong
- Open Wi‑Fi + captive portal. Traffic in the clear before tunnel.
- DNS replies massaged to leak queries through a “helpful” resolver.
- Identities bleeding: personal mail, then work chat, then admin panel.
How it should have gone
- Bring your own tunnel: initialize Network Cloak before any browser launches.
- Force‑TLS boot path: system resolver pinned; block plain‑DNS leaks.
- Compartment discipline: the device for this stop only touches compartmented accounts.
Tool references
- Network Cloak (establish tunnel at boot)
- Password Manager (no shared creds between compartments)
- Encrypted Email (separate identities, separate inboxes)
Lesson: Don’t let the environment decide your security state. Arrive already quiet.