Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • In that sense, it implies that we were encroaching on his space, when in fact he entered this thread (like his handle: a bulldozer) to demand that people recognize an approach to sysadministration that does not respect equal rights, privacy, or the environment, and ultimately undermines human rights and promotes consumerism to ease his job at his competency level, as if the public is expected to serve him. It’s not his lawn in either sense of the meaning.

    He made it quite clear he expects everyone to go through hoops to make his job convenient when he said:

    “That doesn’t change the fact that Networks and Systems are not configured for your convenience”

    I can imagine that the guy wants to secure his network and is maybe paranoid about people breaking in which seems fair to me,

    It would be a malpractice of security. Security is about confidentiality, integrity, and availability. To reduce availability needlessly is to work against security. If availability were not essential to security, then you would just unplug all the machines, making the internet unusable to everyone, and call it “secure”. A competent admin can securely offer internet service to people without phones, and people without a wifi card.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • It’s a good point about the irrational Tor hostility. But note the more perverse absurdity with his comment: that a public library is “his lawn”. If his inability and unwillingness to equally serve the whole public would be just in the private sector, there would be no issue because everyone he disservices can refuse to do business with him.

    What’s sickening here is he said “I’m someone in IT for a Public Library”. So he is operating a public service in an exclusive manner telling people /get off his lawn/, which was financed with public money. And ~7+ of 8 people are okay with that.

  • AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location info
  • I had a faraday phone case at one point. They also make jackets with faraday inside pockets. I quit using the faraday pouch because if you use that as a convenient off switch, the phone works harder to find a tower, draining batteries. So to save juice you need airplane mode. There’s probably still reason to use a faraday bag along with airplane mode, but since I’ve parted with a GSM chip as well, it’s just not worth it unless you’re someone like Edward Snowden.

  • AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location info
  • That’s insufficient. Mobile providers are not even getting your location through that Google mechanism that feeds Google. Their towers track your location even if you have GPS off.

    I always tap “disagree” to location svcs when turning GPS on and take a hit on slow positioning. But that only cuts Google off. To cut the mobile carriers off, I keep my phone in airplane mode and also keep the GSM chip slot empty. In fact I don’t even carry a gsm chip. I believe in this state I can make emergency calls (IIRC, airplane mode automatically gets disabled when an emergency number is dialed).

  • AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location info
  • Yet a vast majority of people have no problem when people are forced to subscribe to mobile phone service:

    https://infosec.pub/post/11658371

    This kind of information should be startling enough to at least see the merit in not having a mobile phone subscription. But no, people will just say “that sucks” and continue being the sucker while also expecting others to be equally naive or cavalier too.

    from the article:

    AT&T told The Register it should not be blamed for the failure of those buying its data to obtain proper consent, and said it will fight the fine.

    Private investigators are treated as legitimate consumers of that location data. An angry ex-boyfriend or ex-husband hired a PI to find out where his ex was, who then simply bought the location data from a mobile carrier. The guy used the info to find her and shoot her dead on the spot (headshot while she was driving a car). The data sharing was “legit” in that case, in the US where privacy laws are generally non-existent.

    It’s strange how that murder case gets omitted in these articles about mobile carriers selling location data.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • I see a lot of downvotes on your comments on this thread and I wonder if it’s due to differences in nationality/geography/jurisdiction.

    Guess I should answer this. The enormous class of people with mobile phones (likely 100% of those in this channel) are happy to be in the included group and amid any chatter about expanding the included group to include those without a phone (a segment they do not care about), they think: “that extra degree of egalitarian policy to support a more diverse group will cost more and yield nothing extra to me; yet that extra cost will be passed on to me.”

    Which is true. And very few people among them care about boycott power because it’s rarely used by willful consumerist consumers of tech and telecom svc. But the widespread ignorance is a failure to realise that as mobile phones become effectively a basic requirement for everyone, the suppliers will have even less incentive to win your business. The duopolies and triopolies can (and will) increase prices and reduce service quality as a consequence of that stranglehold. Most people are too naïve to realise the hold-out non-mobile phone customers are benefiting them even from the selfish standpoint of the mobile phone customers. And the fact that they are paying an invisible price with their data doesn’t occur to most people either, or how that loss of privacy disempowers them.

    They will pay more in the end than if they had supported diversity and egalitarian inclusion.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • I see that the relevant websites (FCC and lifelinesupport.org) both block Tor so you can’t be poor in need of the Lifeline and simultaneously care about privacy. Many parts of the US have extremely expensive telecom costs. I think I heard an avg figure of like $300/month (for all info svcs [internet,phone,TV]), which I struggle to believe but I know it’s quite costly nonetheless. One source says $300/month is the high end figure, not an avg. Anyway, a national avg of $144/month just for a mobile phone plan is absurdly extortionate.

    About Lifeline:

    Lifeline provides subscribers a discount on qualifying monthly telephone service, broadband Internet service, or bundled voice-broadband packages purchased from participating wireline or wireless providers. The discount helps ensure that low-income consumers can afford 21st century connectivity services and the access they provide to jobs, healthcare, and educational resources.

    So they get a discount. But you say free? Does the discount become free if income is below a threshold? Do they get a free/discounted hardware upgrade every 2-3 years as well, since everyone is okay with the chronic forced obsolescence in the duopoly of platforms to choose from? In any case, I’m sure the program gets more phones into more needy hands, which would shrink the population of marginalized people. That’s a double edged sword. Shrinking the size of a marginalized group without completely eliminating it means fewer people are harmed. But those in that group are further disempowered by their smaller numbers, easier to oppress, and less able to correct the core of the problem: not having a right to be analog and be unplugged (which is an important component of the right to boycott).

    This topic could be a whole Lemmy community, not just a thread. In the US, you have only three carriers: AT&T, Verizon, and T-Mobile. I’ve seen enough wrongdoing by all 3 to boycott all 3. I would not finance any of them no matter how much money I have. T-Mobile is the lesser of evils but it’s wrong to be forced to feed any of the three as an arbitrary needless precondition to using the library’s public wifi. It’s absolutely foolish that most people support that kind of bundling between public and private services.

    US govs do not (AFAIK) yet impose tech on people. I think every gov service in the US has an analog option, including cash payment options. That’s not the case in many regions outside the US. There are already govs that now absolutely force you to complete some government transactions online, along with electronic payments which imposes bank patronisation, even if you boycott the banks for investing in fossil fuels and private prisons. And if you don’t like being forced to use their Google CAPTCHA (which supports Google, the surveillance advertiser who participates in fossil fuel extraction), that’s tough. Poor people are forced to use a PC (thus the library) to do public sector transactions with the gov, as are a segment of elderly people who struggle to use the technology. There is also a segment of tech people who rightfully object, precisely because they know enough about how info traverses information systems to see how privacy is undermined largely due to loss of control (control being in the wrong hands). It’s baffling how few people are in that tech segment.

    So the pro-privacy tech activists are united with the low-tech elderly and the poor together fighting this oppression (called “digital transformation”) which effectively takes away our boycott power and right to choose who we do business with in the private sector. A divide and conquer approach is being used because we don’t have a well-organised coalition. Giving the poor cheaper tech and giving assistance to the elderly is a good thing but the side effect is enabling the oppression to go unchallenged. When really the right answer in the end is to not impose shitty options in the first place. It’s like the corp swindle of forced bundling (you can only get X if you also take Y). You should be able to get public wifi without a mobile phone subscription.

    The UDHR prohibits discrimination on the basis of what property you have. The intent is to protect the poor, but the protection is actually rightfully bigger in scope because people who willfully opt not to have property are also in the protected class.

    It’s all quite parallel to Snowden’s take. The masses don’t care about privacy due to not really understanding it.

    “Ultimately, arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” (Edward Snowden)

    The idea that activists need both free speech and privacy in order to fight for everyone’s rights is lost on people making the /selfish/ choice to disregard privacy. All those mobile phone users who don’t give a shit about mobile phones being imposed on everyone are missing this concept. The choice to have a mobile phone is dying. It’s gradually and quietly becoming an unwritten mandate.

    Banking is also becoming bound to having a mobile phone. There are already banks who will not open an account for those without a mobile phone. So we are losing the option to have a bank account but not a mobile phone.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • You edited in the “wait five or ten minutes” after I had already replied.

    I know five min was in the original version. Not sure if I added the ten but certainly it was not after you posted this. You are seriously paranoid and should get help for that.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Why are you even in the library to begin with if you’re so opposed to how they manage their network?

    How does one know how they manage their network before entering the library? The libraries that have ethernet /never/ advertise it. Only wi-fi is ever advertised. I have never seen a library elaborate on their wifi preconditions (which periodically change). This info is also not in OSMand, so if you are on the move and look for the closest library on the map, the map won’t be much help apart from a possible boolean for wifi. Some libraries have a captive portal and some do not. Among those with captive portals, some require a mobile phone with SMS verification and some do not. But for all of them, the brochure only shows the wifi symbol. You might say “call and ask”, but there are two problems with that: you need a phone with credit loaded. But even if you have that, it’s useful to know whether ethernet is available and the receptionist is unlikely to reliably have that info. Much easier to walk in and see the situation. Then when you ask what will be blocked after you get connected, that’s another futile effort that wastes time on the phone. It really is easier and faster to pop in and scope out the situation. Your device will give more reliable answers than the staff. But I have to wonder, what is your objection to entering a library to reliably discover how it’s managed in person?

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Stop lying.

    I said “wait five or ten minutes”. I’m seeing a 9m1s span. I don’t really feel compelled to be more accommodating than that. Maybe you can write to Jerry and ask to configure it so edits are blocked after 1 minute if it really bothers you. Otherwise if you don’t like the policy of the node, you are free to leave.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • My client says it was created at 21:24:02 GMT and modified at 21:25:12. Instead of using a stopwatch which you somehow screwed up, just mouse over the time. The popup will show you a span of 1 minute and 10 seconds.

    (edit) strange; after I refresh the screen the /create/ timestamp changed. Surely that’s a bug in Lemmy. The creation timestamp should never change. nvm.. just realized I was looking at the wrong msg.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Calm down. It’s a new comment that just came in so of course I’m going to edit it a few times in the span of the first minute or two as I compose my answer. If you wait five or ten minutes you’ll get a more finished answer.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • The proof is in the money trail. If the library’s funding traces to a tax-funded government, it is a public service that encompasses all services offered by that institution. It’s also in state or national law that legislates for libraries to exist, which differs from one state to another.

    If you want to find a clause that says “only people with wifi hardware may access the internet, and only if they have a mobile phone”, I suspect you’ll have a hard time finding that. At best, I could imagine you might find a sloppily written law that says “libraries shall offer wifi” without specifying the exclusion of others. But if you could hypothetically find that, it would merely be an indication of a national or state law that contradicts that country’s signature on the UDHR. So it’s really a pointless exercise.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Yeah I’ve done the same in one case. Librarian green lit me plugging into the rj45 but it turned out to be a dead port. I might have been able to get permission to hijack an occupied port to an unoccupied machine but just opted to bounce instead.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • The wifi is for public use. The Ethernet isn’t. How is that so hard to understand?

    How is it hard to understand that those two undisputed facts are actually a crucial part of my thesis? Of course I understand it because it’s the cause for the problems I described and my premise. It’s why this thread exists.

    If that weren’t the case, the only notable problem would be with the mobile phone precondition on captive portals.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Time to wake up to reality. Everyone has access, the method of access isn’t discriminating, nor do you have any say in it.

    That’s not reality. The reality is everyone has partial access (Firefox on a shared Windows PC only), while some people have full access via both public resources.

    If you want to gain anything from this conversation, try to at least come to terms with the idea that Firefox is not the internet. The internet is so much more than that. Your experience and information is being limited by your perception that everything that happens in a browser encompasses the internet.

    In other words, it’s public, free for all, and the way they set it up.

    It’s not free. We paid tax to finance this. The moment you call it free you accept maladministration that you actually paid for.

    If you don’t like the free service, don’t use it. It not being how you like it isn’t wrong in any way, that’s your problem.

    You’re confusing the private sector with the public sector. In the private sector, indeed you simply don’t use the service and that’s a fair enough remedy. Financing public service is not optional. You still seem to not grasp how human rights works, who it protects, despite the simplicity of the language of Article 21.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Could I be in the wrong? No, it must be literally everyone else in this entire thread / national library network.

    Is your position so weak that you need to resort to a bandwagon fallacy?

    Grow up.

    and an ad hominem?

    You demonstrate being a grown up by avoiding ad hominems in favor of logically sound reasoning.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • Their terms require a phone so yes, on their terms.

    I keep a copy of everything I sign. The ToS I signed at one library does not require a mobile phone. It’s an ad hoc implementation that was certainly not thought out to the extent of mirroring the demand for a mobile phone number into the agreement. And since it’s not in the agreement, this unwritten policy likely evaded the lawyer’s eyes (who likely drafted or reviewed the ToS).

    Why would they make an exception for anyone?

    Because their charter is not: “to provide internet service exclusively for residents who have mobile phones”.

    And why would they want to deal with paper agreements for WiFi?

    Paper agreements:

    • do not discriminate (you cannot be a party to a captive portal agreement that you cannot reach)
    • are more likely to actually be read (almost no one reads a tickbox agreement)
    • inherently (or at least easily) give the non-drafting party a copy of the agreement for their records. A large volume of text on a tiny screen is unlikely to even be opened and even less likely to save it. Not having a personal copy reduces the chance of adherence to the terms.
    • provide a higher standard of evidence whenever the agreement is litigated over

    You don’t have to be a member to use WiFi, someone else could have given you the password if there even is one

    That’s not how it works. The captive portal demands a phone number. After supplying it, an SMS verification code is sent. It’s bizarre that you would suggest asking a stranger in a library for their login info. In the case at hand, someone would have to share their mobile number, and then worry that something naughty would be done under their phone number, and possibly also put that other person at risk for helping someone circumvent the authentication (which also could be easily detected when the same phone number is used for two parallel sessions).

    If someone is doing something illegal it’s gonna involve the library if you get caught (that’s why the phone number but maybe they are just being shitty with it). Not worth the risk.

    Exactly what makes it awkward to ask someone else to use their phone.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • You have, throughout your comments, repeatedly spoken down toward librarians and libraries.

    Again, you’re not quoting. You’ve already been told it’s not the case. You need to quote. You replied to the wrong message.

    but you’re certainly not painting them as “trying their best”

    There are many librarians with varying degrees of motivation. I spoke to one yesterday that genuinely made an effort to the best of their ability. I cannot say the same for all librarians. When I describe a problem of being unable to connect, some librarians cannot be bothered to reach out to tech support, or even so much as report upstream that someone was unable to connect.

    “worth having an adult conversation with instead of misrepresenting my situation intentionally”

    This is a matter of being able to read people. I don’t just bluntly blurt out a request. I start the conversation with baby steps (borderline small talk) describing the issue to assess from their words, mood, and body language the degree to which they are likely to be accommodating whatever request I am building up to. Different people get a different conversation depending on the vibe I get from them. Even the day of week is a factor. People tend to be in their best mood on Fridays and far from that on Mondays.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet
  • You’ll have to quote me on that because I do not recall calling them baddies. I have spotlighted an irresponsible policy and flawed implementation. It’s more likely a competency issue and unlikely a case of malice (as it’s unclear whether the administration is even aware that they are excluding people).

    If they are knowingly and willfully discriminating against people without mobile phones, then it could be malice. But we don’t know that so they of course have the benefit of any doubt. They likely operate on the erroneous assumption that every single patron has a mobile phone and functional wifi.

  • Has ethernet become illegitimate? A librarian flipped out after spotting me using ethernet

    I plugged into ethernet (as wifi w/captive portal does not work for me). I think clearnet worked but I have no interest in that. Egress Tor traffic was blocked and so was VPN. I’m not interested in editing all my scripts and configs to use clearnet, so the library’s internet is useless to me (unless I bother to try a tor bridge).

    I was packing my laptop and a librarian spotted me unplugging my ethernet cable and approached me with big wide open eyes and a panicked angry voice (as if to be addressing a child that did something naughty), and said “you can’t do that!”

    I have a lot of reasons for favoring ethernet, like not carrying a mobile phone that can facilitate the SMS verify that the library’s captive portal imposes, not to mention I’m not eager to share my mobile number willy nilly. The reason I actually gave her was that I run a free software based system and the wifi drivers or firmware are proprietary so my wifi card doesn’t work¹. She was also worried that I was stealing an ethernet cable and I had to explain that I carry an ethernet cable with me, which she struggled to believe for a moment. When I said it didn’t work, she was like “good, I’m not surprised”, or something like that.

    ¹ In reality, I have whatever proprietary garbage my wifi NIC needs, but have a principled objection to a service financed by public money forcing people to install and execute proprietary non-free software on their own hardware. But there’s little hope for getting through to a librarian in the situation at hand, whereby I might as well have been caught disassembling their PCs.

    146
    Network Neutrality and Digital Inclusion @sopuli.xyz coffeeClean @infosec.pub
    Transit service forces TLS ver 1.3 to simply agree to ToS in their captive portal, denying access to people with older phones

    IMO this is a #netneutrality issue due to lack of access equality. People with old phones are discriminated against.

    cross-posted from: https://infosec.pub/post/11021006

    > …
    >
    > TLS-encumbered captive portal (transit service)
    > ---
    > A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:
    >
    > net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    >
    > I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.
    >
    > It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:
    >
    > * I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).
    >
    > * Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.
    >
    > I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.
    >
    > Bypass methods
    > ---
    > I guess I need to study:
    > * ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
    > * SSH tunnel
    > * others?
    >
    > Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:
    >
    > * MultiVNC - VNC over SSH
    > * AVNC - VNC over SSH
    > * ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
    > * VX ConnectBot - same as connectBot but expanded
    >
    > I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.
    >
    > My to-do list of things to tinker with so far:
    > * Captive Portal Controller
    > * CaptivePortalLogin (AOS 6+, and no Izzy archives on this)
    > * Hotspot Login
    >
    > Legal options
    > ---
    > If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.
    >
    > And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

    0
    Discussions related to Infosec.pub @infosec.pub coffeeClean @infosec.pub
    (Lemmy bug) cannot cross-post to !android@hilariouschaos.com b/c the pull-down list is clusterfucked with Cloudflare sites

    This is likely a Lemmy bug but infosec.pub is related because there are so many Android communities that are federated from bad places so I thought I would mention it here as well.

    cross-posted from: https://infosec.pub/post/11060800

    > The cross-post mechanism has a limitation whereby you cannot simply enter a precise community to post to. Users are forced to search and select. When searching for “android” on infosec.pub within the cross-post page, the list of possible communities is totally clusterfucked with shitty centralized Cloudflare instances (lemmy world, sh itjust works, lemm ee, programming dev, etc). The list of these junk instances is so long !android@hilariouschaos.com does not make it to the list.
    >
    > The workaround is of course to just create a new post with the same contents. And that is what I will do.
    >
    > There are multiple bugs here:
    > ① First of all, when a list of communities is given in this context, the centralized instances should be listed last (at best) because they are antithetical to fedi philosophy.
    > ② Subscribed communities should be listed first, at the top
    > ③ Users should always be able to name a community in its full form, e.g.:
    > * !android@hilariouschaos.com
    > * hilariouschaos.com/android
    >
    > ④ Users should be able to name just the instance (e.g. hilariouschaos.com) and the search should populate with subscribed communities therein.

    8
    Bug reports on any software @sopuli.xyz coffeeClean @infosec.pub
    (Lemmy) cannot cross-post to !android@hilariouschaos.com b/c the pull-down list is clusterfucked with Cloudflare sites

    The cross-post mechanism has a limitation whereby you cannot simply enter a precise community to post to. Users are forced to search and select. When searching for “android” on infosec.pub within the cross-post page, the list of possible communities is totally clusterfucked with shitty centralized Cloudflare instances (lemmy world, sh itjust works, lemm ee, programming dev, etc). The list of these junk instances is so long !android@hilariouschaos.com does not make it to the list.

    The workaround is of course to just create a new post with the same contents. And that is what I will do.

    There are multiple bugs here: ① First of all, when a list of communities is given in this context, the centralized instances should be listed last (at best) because they are antithetical to fedi philosophy. ② Subscribed communities should be listed first, at the top ③ Users should always be able to name a community in its full form, e.g.:

    • !android@hilariouschaos.com
    • hilariouschaos.com/android

    ④ Users should be able to name just the instance (e.g. hilariouschaos.com) and the search should populate with subscribed communities therein.

    0
    Asshole Design (web edition) @infosec.pub coffeeClean @infosec.pub
    Transit service forces TLS ver 1.3 to simply agree to ToS in their captive portal, denying Wi-Fi service to passengers with older phones

    cross-posted from: https://infosec.pub/post/11021006

    > …
    >
    > TLS-encumbered captive portal (transit service)
    > ---
    > A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:
    >
    > net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    >
    > I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.
    >
    > It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:
    >
    > * I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).
    >
    > * Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.
    >
    > I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.
    >
    > Bypass methods
    > ---
    > I guess I need to study:
    > * ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
    > * SSH tunnel
    > * others?
    >
    > Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:
    >
    > * MultiVNC - VNC over SSH
    > * AVNC - VNC over SSH
    > * ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
    > * VX ConnectBot - same as connectBot but expanded
    >
    > I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.
    >
    > My to-do list of things to tinker with so far:
    > * Captive Portal Controller
    > * CaptivePortalLogin (AOS 6+, and no Izzy archives on this)
    > * Hotspot Login
    >
    > Legal options
    > ---
    > If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.
    >
    > And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

    0
    Bypassing problematic captive portals. Cafe gives a red padlock; transit svc has broken TLS captive portal, etc…

    The red padlock (at a cafe)
    ---

    The captive portal of a cafe simply rendered a red padlock with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously.

    Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not.

    So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them.

    TLS-encumbered captive portal (transit service)
    ---

    A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

    net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

    It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

    • I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

    • Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

    I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

    Bypass methods
    ---

    I guess I need to study:

    • ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
    • SSH tunnel
    • others?

    Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

    • MultiVNC - VNC over SSH
    • AVNC - VNC over SSH
    • ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
    • VX ConnectBot - same as connectBot but expanded

    I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

    My to-do list of things to tinker with so far:

    • Captive Portal Controller
    • CaptivePortalLogin (AOS 6+, and no Izzy archives on this)
    • Hotspot Login

    Legal options
    ---

    If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

    And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

    update (phones bought last year already obsolete)
    ---

    TLS 1.3 was not introduced until Android OS 10 (sept.2019). That was the release date of AOS 10. Older devices like AOS 9 would still be sold at that time and continuing at least into 2023. Shops do not pull their stock from the shelves when the end of support arrives. This means people buying new COTS Android devices just last year or even this year are already too out of date for the TLS 1.3 captive portal to function.

    It’s seriously disgusting how many people expect consumers to upgrade this chronically fast.

    5
    Voice over IP @infosec.pub coffeeClean @infosec.pub
    SIP provider suggestions (TLS or SRTP, payg)

    Looking for a SIP provider for my very low usage. So I’m after:

    1. prepaid without monthly fee, pay per unit time (no DID needed)
    2. security (TLS or SRTP)
    3. caller ID control (I have no inbound voice line; I have an inbound fax line I prefer to use; freetyping CID info nanny-free is the best)
    4. web portals must support Tor, no Cloudflare
    5. (not critical) support for lightweight codecs like speex, gsm, or bv16

    The closest provider to satisfying those criteria I’ve found so far is leap.tel, but they lack TLS/SRTP and only support G.711. DID Logic supports TLS/SRTP, but they only have plans with monthly fees.

    0
    knowing when to trust a login page on a Cloudflare site

    cross-posted from: https://infosec.pub/post/10262373

    > Question for people willing to visit Cloudflare sites:
    >
    > How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins set up a separate non-CF host for authentication.
    >
    > Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

    0
    Reverse tethering Android over USB without root ←this option is fading
    salutepc.altervista.org USB Reverse Tethering No Root No ADB Android (all versions) & Linux - Quick Mode

    Share quickly the Internet connection of your Linux PC with your Unrooted Android smartphone via a common USB cable

    There are apparently only two documented ways to reverse tether an Android via USB to a linux host:

    OpenVPN dead
    ---

    I really wanted the #openVPN method to work because I’m a fan of reducing special-purpose installations and using Swiss army knives of sorts. In principle we might expect openVPN to be well maintained well into the future. But openVPN turns out to be a shit show in this niche context. Features have been dropped from the Android version.

    Gnirehtet dying
    ---

    Gnirehtet works but it’s falling out of maintenance. It’s also unclear if #Gnirehtet really works without root. There is mixed info:

    • Ade Malsasa Akbar from Ubuntubuzz claims root is not needed (and devs agree).
    • OSradar claims root is needed. (edit: they are mistaken)

    If anyone has managed to reverse tether an unrooted Android over USB to a linux host using free software, please chime in. Thanks!

    update on Gnirehtet
    ---

    Gnirehtet indeed works without root. But some apps (like VOIP apps) fail to detect an internet connection and refuse to communicate.

    #askFedi

    0
    knowing when to trust a login page on a Cloudflare site

    Question for people willing to visit Cloudflare sites:

    How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins set up a separate non-CF host for authentication.

    Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?
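One way to answer "where do the creds go" without reading obfuscated page source by hand is to parse the login page for password-carrying forms and credential `fetch()` calls, resolve their targets to hosts, and look at each host's response headers for Cloudflare's edge markers (`cf-ray`, `cf-cache-status`, `server: cloudflare`). The script below is an added example, not code from the post or from Lemmy; the page HTML, `PAGE_URL`, and the per-host response headers are constructed stand-ins for what a real fetch of the page and a HEAD probe of each destination would return.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed login page (not lemmy.world's real source): one form that carries a
# password and posts to a separate auth host, one harmless search form, and a
# script that submits credentials with fetch() to a same-origin API path.
PAGE_URL = "https://forum.example/login"
SAMPLE_HTML = """
<html><body>
<form id="login" action="https://auth.example.org/session" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search"><input name="q"></form>
<script>
  function submit(u, p) {
    fetch("/api/login", {method: "POST", body: JSON.stringify({user: u, password: p})});
  }
</script>
</body></html>
"""

# Constructed HEAD responses per destination host, standing in for a live probe.
SAMPLE_RESPONSES = {
    "auth.example.org": {"Server": "nginx"},
    "forum.example": {"Server": "cloudflare", "CF-RAY": "<placeholder>"},
}

FETCH_URL = re.compile(r"""fetch\(\s*["']([^"']+)["']""")


class LoginPageParser(HTMLParser):
    """Collects form actions (noting which forms carry a password field) and inline scripts."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def credential_destinations(page_html, page_url):
    """Absolute URLs credentials are sent to: password-form actions plus fetch()
    targets inside scripts that handle a password."""
    parser = LoginPageParser()
    parser.feed(page_html)
    dests = {urljoin(page_url, f["action"]) for f in parser.forms if f["password"]}
    for js in parser.scripts:
        if "password" in js:
            dests.update(urljoin(page_url, m) for m in FETCH_URL.findall(js))
    return sorted(dests)


def behind_cloudflare(headers):
    """True if a response carries Cloudflare's edge headers."""
    lower = {k.lower(): v.lower() for k, v in headers.items()}
    return "cf-ray" in lower or "cf-cache-status" in lower or lower.get("server") == "cloudflare"


def where_do_creds_go(page_html, page_url, responses):
    """Map each credential destination to whether it terminates at Cloudflare."""
    return {url: behind_cloudflare(responses.get(urlparse(url).hostname, {}))
            for url in credential_destinations(page_html, page_url)}
```

In the constructed sample the separate auth host is not fronted by Cloudflare while the same-origin API path is, which is exactly the split the post describes between a "diligent" and a "naïve" setup.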

    8
    Detecting a tracker pixel/image in email

    An HTML-only email from a gov agency has a logo referencing a URL that looks like this:

    https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png

    It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.

    The output of torsocks curl -LI looks like this:

    ```
    HTTP/2 200
    date: (exactly now)
    content-type: image/png
    accept-ranges: bytes
    ```

    That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel -- it’s a logo.

    The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?

    Are there any other checks to investigate this?
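The checks that generalise from this post are about the message, not the pixel: does a remote image live on a domain other than the sender's, does its URL carry a query token, is it sized 1x1, and does the image host withhold caching headers so every open is a fresh request. The script below is an added example, not from the post; the message is a constructed HTML-only notification (the `mjt.lu` path is the one quoted above, the other two images and the addresses are invented), and `header_flags` takes a header dict such as the `curl -I` output quoted above.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real agency mail): an HTML-only notification
# with three images: a logo on a third-party mail-service domain, a logo on the
# sender's own domain, and a classic 1x1 pixel carrying a per-recipient token.
SAMPLE_EML = b"""\
From: Office <noreply@agency.example>
To: me@example.net
Subject: Notification
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png" alt="logo">
<img src="https://agency.example/files/logo.png" alt="logo">
<img src="https://track.example/open?u=12345" width="1" height="1">
<p>Your notification.</p>
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collects <img> tags and their attributes from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_remote_images(raw_eml):
    """Return one finding per remote <img>, with the reasons it looks like a tracker."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender_host = msg["From"].addresses[0].domain
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # data: and cid: images fetch nothing from the network
            reasons = []
            if base_domain(url.hostname or "") != base_domain(sender_host):
                reasons.append("third-party host")
            if url.query:
                reasons.append("per-recipient token in query string")
            if img.get("width") in ("0", "1") or img.get("height") in ("0", "1"):
                reasons.append("1x1 pixel")
            findings.append({"url": src, "host": url.hostname, "reasons": reasons})
    return findings


def header_flags(headers):
    """Flags from a HEAD response on the image host (header names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    flags = []
    if "content-length" not in lower:
        flags.append("no content-length (size not disclosed)")
    if "last-modified" not in lower and "etag" not in lower:
        flags.append("no last-modified/etag (uncacheable, so every open is a fresh hit)")
    # The HTTP Date header is the time the response was generated, so a Date equal
    # to "now" is normal for any server and is not a signal on its own.
    return flags
```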

    17
    motivation to deGoogle: Creditors can lock your Android remotely if you are delinquent.
    infosec.pub Google Allows Creditors to Brick Your Phone - Infosec.Pub

    I installed NetGuard about a month ago and blocked all internet to apps, unless they’re on a whitelist. No notifications from this particular system app (that can’t be disabled) until recently when it started making internet connection requests to google servers. Does anyone know when this became a ...

    Google Allows Creditors to Brick Your Phone - Infosec.Pub

    The technical mechanism:

    https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock

    update
    ---

    To be clear, I am not the OP who experienced this problem. I just linked them from here.

    93
    Bug reports on any software @sopuli.xyz coffeeClean @infosec.pub
    Mastodon threads no longer archivable on archive.org
    web.archive.org Lance R. Vick (@lrvick@mastodon.social)

    It's official. After 3 months of back and forth, a major medical provider has elected to drop me as a patient for not having a Google or Apple device. It is unclear if this is legal, but it is very clearly discriminatory and unethical. Any tech journalists or lawyers interested in this? I would...

    There used to be no problem archiving a Mastodon thread in the #internetArchive #waybackMachine. Now on recent threads it just shows a blank page:

    https://web.archive.org/web/20240318210031/https://mastodon.social/@lrvick/112079059323905912

    Or is it my browser? Does that page have content for others?

    0
    Digital Forensics @infosec.pub coffeeClean @infosec.pub
    Gov agency asking me for an “unaltered copy” of ~15 or so e-mails (HTML!)

    I received several machine-generated e-mails which are all mostly the same: a notification. They are HTML emails with no plaintext MIME part. Yikes! And to complicate matters further, the messages traversed my anonaddy forwarding account which PGP encrypts every message to me before forwarding it to my normal email account.

    The gov wants me to give them an “unaltered copy” of these e-mails. This gov office actually blocks my mail server so I am generally unwilling to send them email. This means I will be giving them the emails on paper hardcopy.

    So wtf, this is tricky. They want an “unaltered copy”. If I were to print the MBOX files, it would be useless to them because it’s a base64 blob that only I can decrypt. My mail client is mutt so the HTML is detected and piped through w3m to give me a text version that is readable enough.

    But in general, how do you give unaltered copies of an HTML email on paper form? This is not necessarily for a court but it could go down that path. Would a court want to see raw HTML tags? Or do courts prefer the HTML to be rendered for readability?

    Normally I copy the w3m-rendered text of email into LaTeX and typeset it to look pretty and copy-paste the useful headers into a well-styled header in a monospaced font. And I omit the useless headers. But I get the impression my way of working would not pass for “unaltered”.

    I could perhaps try to feed the HTML into wkhtmltopdf. In the end, HTML rendering always varies depending on the rendering tool. Normies use MS Outlook, and I have to figure that the gov is normally dealing with normies. So maybe I should install Evolution or Thunderbird. Any suggestions for a tool that is particularly good at making HTML email presentable on paper without looking too custom?

    #askFedi
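The forensic answer to "unaltered on paper" is to print three things together: the original headers verbatim, the body as received (raw HTML, decoded from its transfer encoding), and a rendered text view for readability, all tied to the source file by a SHA-256 of its exact bytes so anyone holding the file can confirm the printout matches. The script below is an added example, not from the post; it assumes the PGP layer has already been stripped so the input is the plain RFC 822 message, and the sample message is constructed (quoted-printable body, invented addresses and reference number).

```python
import email
import hashlib
from email import policy
from html.parser import HTMLParser

# Constructed sample (not one of the real notifications): an HTML-only message
# whose body arrives quoted-printable encoded, as machine-generated mail often does.
SAMPLE_EML = b"""\
Received: from mx.agency.example by mail.example.net; Mon, 1 Jan 2024 09:00:00 +0000
From: notifications@agency.example
To: me@example.net
Date: Mon, 1 Jan 2024 09:00:00 +0000
Subject: Case update
Message-ID: <constructed-0001@agency.example>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><h1>Case update</h1><p>Your file was <b>received</b>.</p>
<p>Reference: 2024=2D0001</p></body></html>
"""


class TextRenderer(HTMLParser):
    """Minimal HTML-to-text: block elements become line breaks, inline tags vanish."""

    BLOCK = {"p", "div", "h1", "h2", "h3", "li", "tr", "br", "table"}

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        lines = [" ".join(line.split()) for line in "".join(self.parts).splitlines()]
        return "\n".join(line for line in lines if line)


def preserve(raw_eml):
    """Headers verbatim, raw HTML (transfer-decoded), rendered text, and a hash of the bytes."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    html_part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    raw_html = html_part.get_content() if html_part else ""
    renderer = TextRenderer()
    renderer.feed(raw_html)
    header_block = raw_eml.split(b"\n\n", 1)[0].decode("utf-8", "replace")
    return {
        "sha256": hashlib.sha256(raw_eml).hexdigest(),
        "headers": header_block,
        "rendered": renderer.text(),
        "raw_html": raw_html,
    }


def printable_copy(raw_eml):
    """One plain-text document suitable for printing; nothing from the original is omitted."""
    r = preserve(raw_eml)
    return "\n".join([
        "=== Original headers (verbatim) ===", r["headers"], "",
        "=== Body as rendered to text ===", r["rendered"], "",
        "=== Body as received (raw HTML) ===", r["raw_html"].rstrip(), "",
        f"SHA-256 of the original message file: {r['sha256']}",
    ])
```

Hashing the exact bytes you hand over (or keep) is what lets the paper copy be checked later; the rendered view is a convenience layered on top of the verbatim sections, not a substitute for them.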

    0
    (mastodon) ~~infosec.exchange also shooting blanks~~ (browser issue)

    Just like catcatnya, infosec.exchange just gives a black page. Up, but broken, at least in my browser.

    (update) browser issue. Downvoted myself on this to lessen the visibility although some may still find that interesting so I’ll let the thread live.

    0
    Situations where a Google account is essential -- feedback wanted

    cross-posted from: https://infosec.pub/post/9936059

    > I would like to collect the scenarios in which people are forced to enter Google’s #walledGarden (that is, to establish and/or maintain an account).
    >
    > If someone needs a Google service to access something essential like healthcare or education, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list:
    >
    > * right to life
    > * healthcare
    > * freedom of expression
    > * freedom of assembly and of association
    > * right to education
    > * right to engage in work and access to placement services
    > * fair and just working conditions
    > * social security and social assistance
    > * consumer protection
    > * right to vote
    > * right to petition
    > * right of access to (government) documents
    > * right to a nationality (passport acquisition)
    > * right of equal access to public service in his country
    >
    > Below is what I have encountered personally, which serves as an example of the kind of experiences I want to hear about:
    >
    > * Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as:
    >   * emergency apps (e.g. that dial 112 in Europe or 911 in the US)
    >   * banking apps
    >   * apps for public services (e.g. public parking)
    >   * others?
    > * (education) Google docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped in pursuit of education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects.
    > * (education) A public university’s wi-fi network involved a captive portal and the only way to gain access was to supply credentials for a Google or Facebook account.
    >
    > I’ve noticed that when creating an account for a public service I often have the option to supply credentials for Google or Facebook to bypass the verification process. In all cases of this kind of registration shortcut being used for public service, there was an alternative Google-free way to open the account. But in the private sector, I’ve seen this style of registration that absolutely required a proxy login via some shitty walled garden (like the university wi-fi). So I wonder if there are any situations where a government (anywhere in the world) requires a Google account in order to get service.

    21
    deGoogle @discuss.tchncs.de coffeeClean @infosec.pub
    Situations where a Google account is essential -- feedback wanted

    I would like to collect the scenarios in which people are forced to enter Google’s #walledGarden (that is, to establish and/or maintain an account).

    If someone needs a Google service to access something essential like healthcare or education, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list:

    • right to life
    • healthcare
    • freedom of expression
    • freedom of assembly and of association
    • right to education
    • right to engage in work and access to placement services
    • fair and just working conditions
    • social security and social assistance
    • consumer protection
    • right to vote
    • right to petition
    • right of access to (government) documents
    • right to a nationality (passport acquisition)
    • right of equal access to public service in his country

    Below is what I have encountered personally, which serves as an example of the kind of experiences I want to hear about:

    • Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as:
      • major medical provider (megathread)
      • emergency apps (e.g. that dial 112 in Europe or 911 in the US)
      • banking apps
      • apps for public services (e.g. public parking)
      • others?
    • (education) Google docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped in pursuit of education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects.
    • (education) A public university’s wi-fi network involved a captive portal and the only way to gain access was to supply credentials for a Google or Facebook account.

    I’ve noticed that when creating an account for a public service I often have the option to supply credentials for Google or Facebook to bypass the verification process. In all cases of this kind of registration shortcut being used for public service, there was an alternative Google-free way to open the account. But in the private sector, I’ve seen this style of registration that absolutely required a proxy login via some shitty walled garden (like the university wi-fi). So I wonder if there are any situations where a government (anywhere in the world) requires a Google account in order to get service.

    0
    (mastodon) ~~catcatnya.com shooting blanks~~ (browser issue)

    catcatnya.com just gives a black page. Up, but broken, at least in my browser.

    (update) browser issue. Downvoted myself on this to lessen the visibility although some may still find that interesting so I’ll let the thread live.

    0
    Discussions related to Infosec.pub @infosec.pub coffeeClean @infosec.pub
    Images from walled gardens unreachable to infosec.pub users in excluded communities

    Images do not get mirrored from one Lemmy instance to another. Understandably so. But there is a harmful side effect: if SourceNode is behind an access-restricted walled-garden and an image from that node is cross-posted to a DestinationNode that is not inside the same access-restricted walled-garden, then some readers on DestinationNode see posts where the image is inaccessible.

    All variants of walled gardens can trigger this problem but the most common is Cloudflare. So posts that contain images coming from instances like sh.itjust.works and lemmy.world are exclusive and do not include all people who infosec.pub includes.

    How can this be fixed?

    1. infosec.pub could defederate from all Cloudflare nodes. This would prevent CF pawns from pushing exclusive content onto infosec.pub, but infosec.pub users could probably still post links to the exclusive venues.
    2. infosec.pub could block just cross-posts from CF nodes that contain images.
    3. infosec.pub could mirror images when the image is in a known exclusive walled garden.
    4. infosec.pub could accept posts that contain images in walled gardens and then immediately hide those posts. Perhaps a bot could populate a community designated for exclusive walled gardens with links to hidden posts so users not excluded by the walled garden can still reach the content.

    Some of those options might require changes to lemmy code.

    1