

How I hacked Gogo inflight wireless Internet with Chrome - jetcom
http://blog.andrewboni.com/how-i-hacked-gogo-inflight-wireless-internet-with-chrome/

======
patio11
Issue spotter: I think we've got him on trespass to a protected computer
system used in interstate commerce, common law fraud, and theft of services.
What _other_ crimes did he just admit to that I missed? (We'll ignore that he
hacked a computer while on an airplane, a detail which I would _not expect the
government to be neutral about_.)

Seriously, kids: this is an _astoundingly_ bad idea.

~~~
fiatmoney
I'm not seeing how this is at all legally problematic. AFAICT there's no TOS
violation, and if there were, TOS violations don't make it a crime. The user
agent is totally discretionary on the part of the browser and
price-discriminating based on one is in no way an access control mechanism.

It seems equivalent to saying "red computers get charged half price", and then
objecting when someone snaps a red shell on their laptop.

~~~
patio11
Do you want me to start quoting Title 18 U.S.C Section 1030 (the Computer
Fraud and Abuse Act) or can you Google it yourself? There is no _possible_
reading of these facts that does not run afoul of that law, among others.

There is no affirmative defense "But it was really easy for me to exceed my
authorized privileges because their security sucked" provided for in the law.

~~~
mindcrime
So what? Every one of us probably runs afoul of hundreds or thousands of bogus
laws every day. It's time to start encouraging people to be bolder and violate
_more_ laws, as far as I'm concerned.

Now excuse me while I go listen to some Judas Priest... \m/

~~~
tptacek
The idea behind computer fraud laws, and fraud laws in general, is that
tricking people to obtain valuable services at the expense of the victim is
dishonest. People and companies should be able to offer services assuming that
their counterparties are honest. When dishonest people abuse company
offerings, they impose a cost on everyone in the market. In this specific
case, the prospect of fraudulent access requires the wireless ISP to spend
money strengthening their security controls; the costs associated with that
are passed on to the market, as are the inconveniences associated with new
controls.

In other words: the law sees it as a bad thing that ISPs should have to
bulletproof their offerings so that when they make a service available to
phones, it isn't easy to trick those systems into providing service to
computers. The law says, "it is silly that the market should have to bear the
cost of that engineering, because it's undertaken solely to prevent dishonest
people from obtaining undue benefit".

The only question you really have to ask here is, "am I tricking a business
into offering me something with a dollar value without paying for it?" Yes?
That's fraud. It's the definition of fraud.

People probably do violate all sorts of stupid laws all the time. But that's a
very different point than "people commit all sorts of frauds all the time".
They do not. Fraud is invariably wrong.

~~~
lowboy
> The only question you really have to ask here is, "am I tricking a business
> into offering me something with a dollar value without paying for it?" Yes?
> That's fraud. It's the definition of fraud.

What services did he steal? He paid for wifi services for the duration of the
flight. The device by which he enjoys that service should be of no
consequence.

~~~
tptacek
He paid for wifi services for his computer for the duration of the flight. The
fact that you do not recognize the legitimacy of a commercial offering does
not give you the right to invent your own terms; you take the terms as
offered, or you don't do business at all.

~~~
lowboy
He received what he paid for: wifi services for that flight.

I still don't see fraud here.

~~~
jahewson
He paid for a WiFi connection between a _phone_ and the internet. He received
a connection between a _laptop_ and the internet.

~~~
lowboy
He paid for a WiFi connection between a _device_ and the internet. He received
a connection between a _device_ and the internet.

If GoGo can't tell the difference between a laptop and a mobile phone, that's
their problem. And no, the UA string doesn't guarantee that and there is no
law that I've heard of that prevents users from altering their UA string (or
anything for that matter). They showed him a price for a service on his
device, and he bought that service.

~~~
jahewson
Ha, good luck trying to argue that. The Gogo website makes it clear that there
are separate services for phones and laptops. Their website automatically
detects what kind of device you have; if they make a mistake then it's their
problem if they don't offer you the means to correct it. But if you
_deliberately_ circumvent their system to save money, then you're committing a
fraud.

I'd urge you to learn a little more about the law if you think that a UA
string specific law is needed, or even a computer-specific law. _Intent_ and
_personal gain_ are more than enough.

------
swdunlop
Not sure what's less impressive. A pricing model based on browser headers, or
a 10,000 word article on "hacking gogo inflight" based on changing a browser
header.

~~~
ajross
Indeed. I clicked this expecting to find an interesting description of an
authentication vulnerability, or a novel way to spoof, or a hidden tunnel, or
something.

tl;dr: GoGo implements price discrimination in a naive way. Author "hacks" it
with equally naive mechanism to save $8US.

------
RandallBrown
On a flight to a conference we once set up our own wifi hotspot using two
laptops.

We had one company gogo subscription. They connected and shared their internet
through ethernet to another laptop. That laptop shared it out through wi-fi.
We had 4 people using the Internet. It was awesome but fairly impractical. At
least I could tweet from the clouds.

------
JonnieCache
This is unbelievably lame. The whole thing could have been related in under
100 words. Plus he is defrauding a perfectly legitimate service. $15 is not a
ripoff. This isn't the MPAA.

It would have been acceptable if the author was 13 or something but they
appear to be an adult who works for Google.

What next, spoofing referer to get into porn sites? l33t d00d!

------
jonny_eh
You can get internet on a flight?! We live in the future!

Oh, it's $15? Nevermind.

~~~
shimsham
Never mind, you can order a $20 Pepsi.

------
arnarbi
TL;DR: Wifi was cheaper for mobile so he changed the User-Agent header.

~~~
raverbashing
Should have tried the Lynx user agent

------
alttab
Really clever. Also really stupid to post it on the internet. I hope nothing
bad comes your way because of it.

------
enigmabomb
I understand the proof of concept is cool, but why do this? High speed
Internet at 35k feet isn't worth $15 to you? You said yourself it was going to
be a long flight. Why hustle them out of what is one beer on a plane?

~~~
pkill17
It's basic capitalism; if this "vulnerability" wasn't built into their code,
would you submit to a more expensive price on your laptop when you could just
as easily get half off (for the same product) on your phone?

If there were no 'hack', and I went on that plane knowing full well that I was
going to purchase internet access, I would buy the half-off solution and
tether to my phone.

As a user, this is a valid set of decisions. Since they're implementing this
in a stupid way, it's perfectly valid to exploit their method and pay for the
cheaper item.

If you went to the supermarket and found an item at $10, but you had the
option of doing 5 jumping jacks to lower the price to $5, what would you do?
Is it immoral to do jumping jacks?

~~~
majormajor
"Since they're implementing this in a stupid way, it's perfectly valid to
exploit their method[...]"

Really?

If you went to buy something on Amazon, and found they had a "stupid"
vulnerability you could exploit in order to get half off of your order—maybe
some Javascript hack that made the part of their system that calculated the
price you pay think you actually ordered a smaller version of the product—is
that immoral?

Is leaving your house or car unlocked a sufficiently stupid vulnerability to
become "perfectly valid to exploit"?

~~~
pkill17
Your examples break federal law; I'm exploiting Amazon's proprietary codebase
to lower my prices / someone is still breaking and entering into my home.
Those aren't moral because federal laws are being broken.

If Amazon charged $20 for a book if I were to buy it on my laptop, but $10 for
that same book if I buy it with my phone, why in the hell would I buy it on my
laptop? How is that immoral? I'm presented with two options: $10 or $20 for
the same item. The company has offered me a contract of payment and I am to
choose one, or I can take my patronage elsewhere. This is not a matter of
breaking into a server and SQLi'ing until you can make an item free; this is
the company offering me something for cheaper, depending on how I buy it.

------
jtokoph
From September 2010: [http://lifehacker.com/5650175/how-to-get-cheap-or-free-in+fl...](http://lifehacker.com/5650175/how-to-get-cheap-or-free-in+flight-wi+fi)

------
shimsham
This explains why the Internet is more expensive every day. I shall hack my
mobile so it presents as a desktop browser so I can pay full price. Every
little bit helps.

Oh, and what a seriously lame article in almost every respect. Awesome
interface etc etc. This was the gentle reminder I needed to push me from these
mind-numbing articles. Good luck and good night.

------
saturn7
Would it be illegal to connect to the internet with your phone (pay mobile
price) then tether your phone to your laptop?

------
southphillyman
I'm flying to san fran from the east coast next week and specifically booked a
Gogo flight in order to get work done by mile high. I saw the pricing
structure on the airline's website though and I agree that it's shady. Where
I'm from the law of Shade for Shade applies, shall try your method.

------
slewis
Discuss: How do you feel about Gogo's pricing model? According to this article
they charge $9.95 if they detect you're on mobile. $15.95 otherwise.

------
butner
GoGo sucks. Their service has been unusable on recent SFO/JFK flights. At $18
a pop, you can't even get the google home page to respond. What a joke of a
company...

