response to a question about sniffing images out of thin air:
yeah.
packet sniffing on open networks (no password) on unencrypted traffic (no https) is easy enough with the carnivore processing library, but re-assembling the individual files from the packets you collect is a little more involved.
etherpeg used to do this. and the wonderful Chris Lightfoot made a linux version called driftnet that did this too.
just googling for etherpeg now I came across this:
http://tcpxtract.sourceforge.net/
not tried it, but it seems like it could pull out images easily enough.
see also airpwn which uses two wifi cards in one computer to go a step further and replace images (in their case with goatse).
there’s another project which talked about replacing the text of news stories in cafes using the same principle:
http://newstweek.com/
protect yourself slightly from sniffing with https everywhere from the excellent EFF.