
Bypassing Gogo’s Inflight Internet Authentication - superchink
http://www.bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/
======
vtail
I'm amazed by some of the comments like "Wow great article. I knew there must
be a way to avoid paying." and by author's apparent belief that contacting
the support several times via twitter and not getting a response morally
justifies sharing his recipe with other people and wishing them "Happy “free”
surfing, for now anyway".

Stealing is stealing, no matter what "justification" one may have about high
prices.

edit: grammar

~~~
samstave
I fly Virgin a lot. The gogo internet used to be $8 bux. Then $15 - last week
it was now $20... for three hours.

You claim stealing is stealing, well to you, I say gouging is gouging and fuck
them.

~~~
untog
You know what you do when you want the prices to go down? Don't buy it.

In-flight internet is a new product. They are establishing what an acceptable
price point is.

------
aseidl
I've made it a habit to ping and dig my servers before signing in to a new
wireless network. Of the hundreds of coffee shops, trains, planes, airports,
etc that I've done this at, there has only been one network that
blocked/rerouted both ICMP and DNS requests: a university that shared its
network security team with a nearby national lab.

However, exploiting these holes on a wireless network is incredibly easy to
detect and block for an admin worth their salt. It's quite likely that at
least a few of the networks I've been on would start blocking traffic from an
unregistered device making tons of DNS requests.

That being said, just pay the few dollars they charge for access. If your time
is money, this small fee won't be noticed. If you just want to be able to
refresh Reddit/lurk on HN, maybe you should take this opportunity to get away
from technology for a few hours (while sitting in an aluminum tube hurtling
through the skies).

------
maxjus
You could also change your user agent to that of a mobile device and pay $5.
Dishonesty is always an (unethical) option.

The technical complexity of getting a seamless Wifi connection 30,000 feet
above ground warrants its $12.00 in my opinion.

~~~
Firehed
On my last flight, the price had been raised to $20 or so. I'm not sure if it
was holiday price-gouging or they've simply raised their prices, but in either
case I was not pleased - especially as the service quality seems to have gone
down recently.

~~~
eclipxe
I'm sure service quality being reduced has absolutely nothing to do with
people bypassing the pay wall or changing their desktop user agents to be
mobile for cheaper prices. Nah.

~~~
Firehed
You think MAC spoofing and editing your hosts file to get around a paywall has
gone mainstream?

I'd be astonished if there were two HN readers on most flights.

------
davidtgoldblatt
I've yet to find one of these types of services that you can't access by
spoofing the MAC address of a real customer.

A while back, Intel removed MAC address spoofing from some of its wireless
cards through a driver update, citing vague "security" concerns. I felt very
up in arms about it for a while (why on Earth would you hobble your customer's
products so you can make sure they can't violate your moral code!), but
eventually decided I couldn't really complain, since the only reason I could
think of that I might want such an ability would be to steal internet access.

~~~
mindslight
When you say they 'removed MAC address spoofing', do you mean that they
removed features that allow the card to work having duplicated an active
address, or do you mean that they removed the ability for you to _set_ the
address at all? The latter has _many_ uses, including simply not being tracked
across every network session. To add this kind of antifeature truly is
hobbling their customers' devices in pursuit of someone else's security.

~~~
paulgb
In fact, a story about MAC spoofing for privacy is on the front page of HN today:
http://erratasec.blogspot.com/2013/01/i-conceal-my-identity-same-way-aaron.html

------
foohbarbaz
DNS tunneling is only good in theory. Ah, good old days. There was a time
(2003?) when I had a T-Mobile phone with GPRS and an IR port. I connected it
to my laptop and discovered DNS lookups worked. Downloaded DNS tunnel sources,
compiled and tried. It was not usable, way way too slow. The latency of the
DNS server was the main issue. Besides, the tool was very crash prone. More of
a proof of concept than real thing. I spent a few hours reading code and
fixing bugs just to get it to the point where it somewhat worked. The DNS
traffic used by the tunnel is quite easy to identify and probably filter out
(the names looked up follow a specific pattern).

So, there was no need for ISP to get worried. Given how slow access would be
and the skill level required to get it to work, it is thousand times cheaper
to ignore the "security hole".

The Google app engine proxy looks more "useful".
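
An added example, not part of the thread or any commenter's code: the two detection signals mentioned in the comments above (one unregistered client issuing many DNS lookups, and looked-up names that follow an encoded-data pattern) applied to a constructed query log. The MAC addresses, domain names and thresholds are assumptions chosen for illustration.

```python
import base64, hashlib, math
from collections import defaultdict

def _chunk(i):
    """Constructed stand-in for one encoded tunnel payload label."""
    raw = hashlib.sha256(b"constructed-%d" % i).digest()
    return base64.b32encode(raw).decode().rstrip("=").lower()

# Constructed query log: (client MAC, queried name). Not captured traffic.
SAMPLE_QUERIES = (
    [("02:00:00:00:00:01", n) for n in
     ("www.example.com", "mail.example.com", "www.example.com")]
    + [("02:00:00:00:00:02", f"img{i}.cdn.example.net") for i in range(8)]
    + [("02:00:00:00:00:03", f"{_chunk(i)}.t.tunnel.example") for i in range(8)]
)

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))

def split_name(name):
    """Return (base domain, concatenated sub-labels). Naive: last two labels."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def flag_tunnel_clients(queries, min_unique=5, min_len=30, min_entropy=3.5):
    """Map client -> base domain where lookups look like encoded data."""
    seen = defaultdict(set)
    for client, name in queries:
        domain, payload = split_name(name)
        if payload:
            seen[(client, domain)].add(payload)
    flagged = {}
    for (client, domain), subs in seen.items():
        if len(subs) < min_unique:
            continue  # few distinct names: ordinary browsing
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged[client] = domain
    return flagged

if __name__ == "__main__":
    print(flag_tunnel_clients(SAMPLE_QUERIES))
```

The second client makes as many distinct lookups as the third but is not flagged, because its labels are short; volume alone would misclassify it.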

------
hyperbovine
More internet! That's just what's missing from my life.

------
vinhboy
I really appreciate these types of articles. I learn a lot from them. I
actually also discovered the google thing on Gogo the last time I was on their
network. But I never made the connection that the author did. I found that
insight to be very educational. Not to mention, now I have some reading to do
about TCP over DNS, ICMP, etc...

------
michaelfeathers
Ballsy article in light of the Swartz case. How many felonies is that?

------
cstone
don't blow up the spot

~~~
mindslight
Sheesh, kids these days. 'Responsible disclosure' used to be about not
screwing over the numerous people running a piece of software. Then it became
about helping websites implementing software to regress us back to centralized
computing. And now it's apparently about helping preserve clunky business
models by helpfully suggesting exploiting weaknesses in TLS. What's up next,
volunteer implementations of using nmap for client OS fingerprinting so
they're even better able to extract money from more-capable device owners? Or
helping to conceal the latest government trojan? Sigh.

~~~
vtail
I'm wondering (honest question) why do you believe that Gogo's business model is
clunky?

~~~
mindslight
It's a bunch of little niggling aspects that add up into just feeling the
whole thing is yet another gimmicky disposable income scoop for out of touch
spendthrifts.

1. Fifteen different prices depending on what alleged type of device you're
using, and _gasp_ whether you have more than one.

2. Internet access is only required for most tasks due to people's laziness
of using webapps.

3. Alternatively, "yay, I can refresh reddit on a plane"

4. Partial Internet access given before payment, to make it as disruption-
free as possible, even though it will necessarily end up admitting things like
the original article.

5. These whole "enter your credit card" wifi networks in general. Network
access is infrastructure. Yeah, it takes a bit of work to backhaul a plane.
But it also took quite a bit of work to build the plane. Just make the
infrastructure universal so we can rely on it instead of clouding the thing
with massive transaction overhead.

6. Why give the spineless airlines any more money than you have to? This
attitude is subject to change when they start sticking up for their customers
by giving the TSA the boot.

But honestly I doubt I'm going to win any points for these views on HN. I
should probably just turn my commenting threshold back down.

~~~
deelowe
Huh? Where do you get this from?

> 1. Fifteen different prices depending on what alleged type of device you're
> using, and gasp whether you have more than one.

The device type is a good indicator of bandwidth usage. It's sensible to bill
using this model for now. They could use metered bandwidth, but something tells
me you'd complain about that too.

> 2. Internet access is only required for most tasks due to people's laziness
> of using webapps.

What does this have to do with anything? People use the internet for all sorts
of stupid stuff. I happen to use it mainly for vpn and ssh, but why does it
matter?

> 3. Alternatively, "yay, I can refresh reddit on a plane"

So? Again, who cares?

> 4. Partial Internet access given before payment, to make it as disruption-
> free as possible, even though it will necessarily end up admitting things
> like the original article.

Partial access is given due to exclusivity deals and that sort of thing. Would
you prefer the alternative of just not giving you anything? Who the hell
complains about free? Seriously.

> 5. These whole "enter your credit card" wifi networks in general. Network
> access is infrastructure. Yeah, it takes a bit of work to backhaul a plane.
> But it also took quite a bit of work to build the plane. Just make the
> infrastructure universal so we can rely on it instead of clouding the thing
> with massive transaction overhead.

You do realize that Boeing, Delta, and GoGo are different companies right?
Also, it takes a lot more than a "little bit of work to backhaul." It took GoGo
many many years working with the FAA, ISPs, and others to only just recently
get this setup and approved. Look at what's happening with the dreamliner if
you want an example of what can go wrong if you do this incorrectly. Finally,
most of the planes in a typical airline's fleet are decades old. You can't
just bake this cost into the price of the plane (as if that makes sense
anyways. not all 747s are passenger planes). With your proposal, we'd maybe
get wifi in 2030 (assuming this proposal would be possible at all, which I
doubt it would).

> 6. Why give the spineless airlines any more money than you have to? This
> attitude is subject to change when they start sticking up for their
> customers by giving the TSA the boot.

OK, seriously, W.T.F. are you talking about? The TSA is employed by the
airport, not the airline.

~~~
vtail
Re: 6 - I should also say that to "give the TSA the boot", it is the US
government who should stick up for its customers and end this security
theater.

~~~
tehwebguy
His post is all over the place, but what I believe he meant with that line was
that the Airlines should lobby to privatize airport security.

