Since I own my own web domain, I'm able to use unique email addresses for every service I sign up for. I do this so I can see how these services "share" or lose my email address. I've had obvious and outright spam email, some containing virus attachments, sent to the email addresses of some surprising sites.
I'm not sure how the spammers get the email addresses. For some of the sites, I receive no other emails except for those directly related to the service. So, I don't think the sites are selling the addresses to marketers in general. It might be internal employees harvesting and selling the info for extra money. It might be hackers. It might be those same things, but at some third-party mailing list management company.
I've tried contacting a few of the companies. I typically don't hear back from them. It's likely their customer service has no idea what to do with the information. Some of the companies probably don't have dedicated network security staff that can investigate. Many probably don't understand how I'm using email addresses in this way. I've been asked if I'm an employee because they saw their company name in part of the email address, but it was before the @ instead of after, which makes a huge difference technically.
So, this will be a running list of companies, web sites, and services that have somehow passed my email address to spam/malware emailers:
Atterberry Auction - auction company in Columbia MO. Created an online bidder account.
Longevity - welders. I sent a question to their customer service dept via their web site.
Equifax - two different addresses from the free annual credit reports they are required to provide. I'm still getting spam often, but the email addresses are ones I used a few years ago -- nothing recent.
zoneedit.com - I saved some off from a few years ago. I haven't noticed anything recent.
AOPA (Aircraft Owners and Pilots Association) - A few years ago, nothing recent
Zappos (two different email addresses)
Dropbox - This could be from some other app or site I gave access to my dropbox profile.
CMP Technology, formerly CMP Media. Published Infoweek magazine. An email address that I gave them in 2008 is receiving spam with virus attachments.
1/18/2016: Karma has fundamentally changed their Neverstop plan. Unless for minimal usage, it's no longer suitable for home use: Neverstop Changes
1/7/2016: Karma has started throttling without warning. I would hold off signing up until they figure out their service. Speeds dropped to 1.5Mbps (see comments at the bottom)
A Semi-Organized Brain Dump
On November 5th, a company named Karmaannounced their new Neverstop cellular data plan. I'd never heard of Karma, but the announcement was echoed on several tech sites I follow. Karma had previously offered a pay-as-you-go plan, now called Refuel, but Neverstop promises unlimited data at a capped speed of 5Mbps. Good Karma. They have their own custom hotspot called Karma Go that has a somewhat unique selling point: other Karma users can connect to your hotspot and you get a credit: either 100MB of data or $1, depending on your plan (thus, the name 'Karma'). This benefit doesn't interest me, but since my current and only Internet option is 3Mbps DSL from Centurylink, the unlimited 5Mbps made me look at Neverstop closer and sign up. It took about 2 weeks for the hotspot to ship, then another week in transit. The day before its scheduled delivery, I found that Amazon Prime has it.
My intent is to basically replace my DSL modem with the Karma hotspot. Since the hotspot is wifi only, I knew I'd need a wireless bridge from the hotspot to my router's WAN. I had this hardware already. Connecting all my devices to the hotspot directly isn't possible since I have many wireless devices and some devices that are wired only.
The Cell Network
Karma is a MVNO that uses Sprint's 4G LTE network with fallback to 3G CDMA. I've seen people complaining about this due to Sprint's infamous coverage issues, but Karma makes no secret about which network they use. They have conspicuous links to coverage maps, and the Karma Go hotspot has a 45 day free returns policy. In my case, I have line-of-sight to a Sprint cell tower about 1 mile from my house, so getting a strong cell signal isn't an issue for me.
Connected Device Limit
The other limit they make apparent is Neverstop only allows you to connect 3 devices at a time to the hotspot. When a fourth device connects, one of the other devices can be disconnected. This also wasn't a big concern for me since my intention was to use a wireless client bridge to connect my wireless router to the hotspot (more on this below). Then all of my dozen+ devices, wired and wireless, would connect to my wireless router as they do currently. I'd still be limited to 5Mbps, but Karma's hotspot would only have a single device connected: the wireless bridge. Prior to knowing the additional limitations below, I asked Karma on Facebook if it was possible to connect a wireless bridge. They replied "As for using a WiFi bridge, you technically can, but they don’t work very well in our experience. We extensively tested them in combination with Karma Go but it is more frustrating than helpful." I figured even lackluster performance would still be able to handle 5Mbps. It was worth a try.
The issue I found is that disconnecting devices doesn't seem to work. When my fourth device attempted to connect, I was given a list of 'connected' devices, each with a 'Pause' button. The first issue is that the hotspot only had 1 active wifi connection; The other devices listed were not actually connected. Even worse, the 'Pause' button doesn't work: the page seems to reload, but the same devices are still listed and my fourth device still can't connect in place of another device. So, I'm currently unable to connect another device to the hotspot. I've emailed Karma support but haven't found a solution. (Update: After several days, they remotely cleared all the sessions/MACs from my hotspot.)
I typically shouldn't need more than 3 devices connected to the hotspot, but my fourth device is my cell phone, which is needed to run the hotspot's limited administration app and must be connected directly to the hotspot's wifi for full functionality. The app only allows very limited admin of the hotspot: turn off, restart, and allows the wifi SSID to be changed to 1 of 4 canned names that have combinations of your registered first name and 'Karma' (default: "Karma WiFi"). It shows status info like currently connected devices (which is flakey and updates slowly), the hotspot's battery level, and cell signal level. So, the device limit wouldn't be an issue if it actually worked.
Web Browser Requirement
This limitation surprised me and I didn't discover it until after receiving my hotspot: Devices must have a web browser to connect to the hotspot. After connecting to the hotspot, devices have to log in to a Karma account to get Internet access. This isn't really a 'secret', but they don't advertise this like the details above. It's mentioned if you dive into their full FAQ, but it's not disclosed in their announcement, their sign-up process, the main page, nor their How It Works page, which has an abbreviated FAQ. Karma states that one of Neverstop's appropriate uses is streaming, which to me suggests the option of a dedicated device like Roku or Chromecast, neither of which have browsers. I feared this requirement would prevent me using a wireless bridge, despite Karma's Facebook response indicating it was possible.
Yeah, wow, a big surprise. The hotspot's wifi is completely open: no WPA/WPA2. I haven't found this disclosed in any of Karma's information, other than "Use HTTPS for sensitive stuff". Most of the warnings about using public wifi at coffee shops, hotels, airports, etc apply here: unencrypted wireless signals can be captured and viewed by evil-doers. When I contacted Karma about this, they explained that the lack of encryption is needed to allow their hotspot sharing and that I should use HTTPS to access sensitive sites. No thank you. Even if a site does it correctly, HTTPS will hide passwords, but the site I'm connecting to (bank.com, etc) will still be visible. Also, I'm not sure someone 'sniffing' the wireless connection during the HTTPS connection negotiation couldn't still do something nefarious. Regardless, I find this irresponsible, at best. I don't plan on travelling with the hotspot, so someone would have to be near my house to sniff my connection. There is a workaround though: VPN. This probably isn't for inexperienced users. It will be an additional charge from a VPN provider, and your connected device has to support it. However, it's an option to encrypt communications through the hotspot. I don't have experience with this type of VPN, but I've found a couple of providers with local VPN servers that I will probably try. My hope is that I can get something in the $5 / month range without impacting my connection speeds. Fortunately, my router (ASUS RT-N66U Merlin firmware) has support for several types of VPNs, including OpenVPN, so this should be transparent to my network devices. Karma's marketing spiel on their website makes a big deal about transparency, no fine print, and no asterisks. They follow this for the network coverage and device limit, but fail on what I consider big ones: limits on types of wifi devices (web browser) and this complete lack of encryption. Bad Karma. (Update: more reasons HTTPS isn't always safe)
After a bit of experimentation, I have some idea of how it works. It's not made apparent, but as is standard with routers, the hotspot uses MAC addresses to track connected devices, aka MAC filters. When a new device connects, it's initial web access gets redirected to hotspot.yourkarma.com, which resolves to IP 192.168.1.1 -- the local IP of the hotspot itself. After logging in with your Karma account credentials, your device's MAC is 'registered' on the hotspot. Also, your device then shows up in Karma's mobile app as a connected device with the name "Your [description]". I'm fairly sure the description is being scraped from the HTTP user-agent header when connecting to hotspot.yourkarma.com. For example, my Windows laptop is "Your Windows". My cell phone is "Your LG D800". These terms appear in the device's user agent strings. You can see what your browser is sending here. The fun part is that the user agent strings can be modified with browser add-ons, more on that below. I've not found any way of removing a MAC from the hotspot's list, or even viewing the list of saved devices.
My primary router is an ASUS RT-N66U running Merlin firmware. For a wireless client bridge, I'm using an old router, a Linksys WRT54GL with Tomato firmware, configured to run as a wireless client bridge instead of a wireless router. I think most wireless routers may support this mode, especially since there's no wifi security. It doesn't seem to impact performance, but note there's 3 levels of NAT: the hotspot, the Linksys, and the ASUS. It works despite feeling dirty; A future to-do.
I bypassed the web browser requirement by 'registering' my wireless client bridge (the Linksys) prior to connecting it to my primary router. I connected my laptop to the Linksys router via an ethernet cable to configure its wireless client mode and connect it to the Karma WiFi. With my laptop still connected via a cable, I could then go to hotspot.yourkarma.com with my laptop web browser and login to my Karma account. The hotspot saw the MAC of the connected wireless client bridge, so that's what it registered. Per above, I also changed the browser's user agent string to have the model number of the router, "WRT54GL" in place of "Windows", but the registered device description shows up as "Your Compute" (sic). This was the second wireless client bridge I'd registered (I'd used a different older router first, don't judge) but I hadn't changed the user agent the first time; It showed has "Your Windows". I initially suspected they may have a dictionary of common device names, like "Windows", but I can't imagine they would have every cell phone models like "LG D800" that was displayed for mine. Oh well.
After logging in to my Karma account on the laptop via the wireless client bridge, I then simply unplugged the ethernet cable from the laptop and plugged it into the WAN port of my primary router in place of the DSL modem. No configuration changes to my primary router were necessary. It pulled a DHCP IP from the wireless client bridge, and Bob's your uncle.
So, what about browser-less devices that already have wifi, like a Roku or Chromecast? I haven't tried this, but it should work in theory: spoof the device's wireless MAC address on a device that has a browser. This is for advanced users, obviously, and not all wireless devices allow MAC addresses to be changed. My Windows laptop allows the wired MAC to be changed, but is finicky about the wireless MAC generally. I think this depends somewhat on the Windows version. Google is your friend. Linux is probably an easier option if you have it, even if it's a desktop with a cheap USB wireless dongle. Or, a Linux virtual machine with network bridging on a Windows machine that has wireless. Changing the wireless MAC on a wireless client bridge may also be an option, especially if it has custom firmware. MAC spoofing is usually an option on the router WAN port, but I'm not sure on the wireless interface. Just be sure to change the MAC back to the default so that it doesn't collide with the MAC of whatever device you're spoofing. As I said, not for the faint of heart. (Clarification: Note that MAC address spoofing is only needed if you're connecting a browser-less device directly to the hotspot. I did not do that, so I did not have to spoof MACs)
My setup has been running for less than 24 hours, so total system performance experience is limited. My speed tests didn't seem to suffer when connected to the primary router vs the hotspot directly. It's only 5Mbps, so I wouldn't expect it to. Best case average over the past few days with speedtest.net is probably around 70ms ping time, 4.8 - 4.9 Mbps down and 4.9 Mbps up. The speed limit appears definitely artificial, because it will bounce well above 5Mbps for very brief periods during a speed test, especially during upload tests. The speed tests aren't consistent though, so no decision if this is a worthy replacement for 3Mbps DSL. Netflix performance will probably be the ultimate decider.
Exercise for the Reader
Per above, the hotspot is wifi only; There's no wired network port. I'm curious if the chipset that the hotspot uses supports a wired connection. The FCC ID is P46-MXL655. There's internal photos of the device but I can't make out the part numbers on the ICs. Maybe someone more familiar with FCC filings knows how to track down this info. Or, someone is willing to open the device and take good photos. Ideally, an ethernet port could be added to the hotspot to eliminate the need for the wireless client bridge.
Update 12/30/2015: Karma has performed very well. It's now my sole Internet provider for my home. Netflix has worked well, consistently streaming at least 720 (which, to be fair, I got with Centurylink DSL also).