1. Disconnect from ap by option+click status bar wifi icon
2. Write down your current wifi mac address
ifconfig en0 | grep ether
sudo ifconfig en0 ether [apple tv mac address]
5. Switch back to original mac address
sudo ifconfig en0 ether [original macbook mac address]
I use Hootoos when travelling. They combine a powerbank with a tiny MIPS device creating a wifi hotspot. Then upstream it can either connect to a wifi network or ethernet. It does NAT etc between the two.
The massive advantage is that my devices all know about the hootoo wifi network. I then just have to connect the hootoo to the upstream network which is easy, and you can do browser logins etc from behind it.
This is the model I like: https://www.hootoo.com/hootoo-tripmate-ht-tm05-wireless-rout...
Have fun with that...
Doesn't the party on the other side of the transaction – i.e. you and I who do not want to pay for an Internet connection – have the same attitude?
This would seem to constitute "piggybacking", which is of questionable legality in many places:
Given the dubious legality, seems odd to see this on HN.
If this profession had a board of ethics, this is the sort of thing that it would take action against.
If people want you to use their networks, they will offer you access via any one of several convenient mechanisms, including
not using encryption
putting a sign on the wall with a password
handing you a card with credentials
telling you a password
If my boss needs some peace and quiet he closes his door. It is not locked, but people know not to enter. If it is open I can walk in and have a chat.
A WIFI password is a social convention asking you to not share. Everyone knows that it is not secure. But it is much easier than having a captive portal login system. By respecting the social convention we make life easier for everyone. Respecting a social convention is far less onerous than overzealous security mechanisms that annoy the customer.
Conversely, I also think I understand the rationale for distilling the digital network security flaws and laying them open with the goal of changing and updating the social conventions which can now be completely bypassed and still accomplish a successful intrusion.
I rotate my home WiFi passwords regularly. A business with revenue can’t afford to do this?
This is the crucial part you're wrong about. Most people assume Wi-Fi with password is secure, only us nerds know better.
As an example, in Copenhagen airport there is free WiFi but you have to go to wifi.cphairport.com to access it and if you don’t see one of the signs around the airport you won’t figure it out. Some handy guide that has URL, ID of the WiFi and password is super helpful in situations like this.
I would find a scheme where I am simply allowed to help myself to any goods or services I wish to consume, for free and without permission, helpful, too.
I didn’t explain that well, but maybe you get the point. There’s a balance to be struck.
If a hotel room uses old fashioned keys, can one customer make a copy of the key and start handing it out on the street to anyone who wants to go into the room? Just because many other people have paid to use it before?
People pay for access to the lounge, at least in part, for the better, less congested, more reliable wifi.
To take your hotel analogy, I agree it's not right for customers to make copies of room keys. But if it were as easy to copy a hotel room key as it is to copy a wifi password, the hotel would not be in a position to describe those keys as adequate security.
Though the analogy is poor because a hotel room is intended to be a private and secure area where I can store valuable items, whereas wifi access is more like the soda dispenser at an American restaurant—other customers are equally inconvenienced whether you paid or not.
What is a problem is that the networks are password protected and not meant for use by the general public. Airline lounges are providing WiFi for customers who have paid for access (either through the type of ticket or by spending enough to have status to access the lounges). Depending on the location, unauthorized access to the networks can either be categorized as theft of service or unauthorized access to a network.
A "security engineer" who is promoting illegal activity isn't actually concerned with security.
I do not approve nor disapprove of this. It could be unethical, could be even illegal but still - it also may force to not rely on this security-through-obscurity approach and maybe actually start doing things right. Sadly, many people don't learn from theoretical implications - they just ignore those and don't implement any security. They only start reacting when their passwords are posted in the open.
E.g. if you want only paying customers to access your WiFi, generate unique passwords and print them on their receipts (or tickets or whatever) to look up.
On the other hand, they probably don't want to use some complicated individualized password scheme because that's a headache for everyone.
So they pick a happy medium that keeps out the casual web surfer out on the concourse and, if a few people get it, who cares? But if a static password ceases to be much of a deterrent, then they've got no choice but going to a system that places more burden on everyone.
We had plaintext Internet once, but as it grew, it started to fail. So, now most of us cheer for TLS everywhere and believe it's a good idea. Don't see how this is any different.
If they just want to hack other people's shit, they should own up to the antipathy that comes with that. Instead they act like extorting companies over undisclosed vulnerabilities, emptying *coin exchange accounts, posting credential dumps on the internet or exfiltrating gigabytes of data are somehow noble or academic endeavors.
I agree but wanted to point out that what you are saying is exactly what parent commenter is saying too.
Not a viable option, this would allow anyone to intercept traffic.
(To be fair, a lot of wifi routers are broken and will forward you all decrypted traffic from other users anyway on request. Try running Wireshark on public wifis.)
The big problem is that Wifi with no password provides no privacy. Ideally we would have a wifi mode that is encrypted, but does not require a password. Just like HTTPS.
For wifi without password you should look at WPS.
The "coffee shop" scenario, where a WPA2 Personal password is written where anyone can see it, is essentially as insecure as non-encrypted wireless.
WPA2 Personal is only secure if the password is very strong and never given to untrusted parties.
The only wireless security I put any real trust in is WPA2 Enterprise with 802.1x certificate-based authentication specifically.
Otherwise it's possible to mount a hash-cracking attack after capturing the four-way handshake for clients that have the password.
WPA2 Enterprise with per-user password-based authentication is vulnerable to an "evil twin attack" unless the password is very strong, which is usually not the case, because organizations typically have it authenticate against Active Directory or another LDAP.
802.1x with a certificate for RADIUS server (TTLS mode, which simply layers the plaintext password via TLS) and plain passwords for users is also good enough.
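An added example, not part of the thread: the comments above turn on whether a password-based WPA2 Enterprise client actually checks the RADIUS server's certificate before sending credentials. This sketch audits a client-side configuration for that, assuming the Linux `wpa_supplicant.conf` format; the sample file, SSIDs, paths and finding labels are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf (SSIDs, passphrase and paths are made up).
SAMPLE_CONF = """
network={
    ssid="CafeGuest"
    key_mgmt=WPA-PSK
    psk="written-on-the-wall"
}
network={
    ssid="CorpNoCheck"
    key_mgmt=WPA-EAP
    eap=TTLS
}
network={
    ssid="CorpPinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

# Options that tie the trusted CA to one expected server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):  # one {key: value} dict per network={...} block
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets

def audit(text):  # SSID -> list of findings; an empty list means nothing flagged
    report = {}
    for net in parse_networks(text):
        findings = []
        key_mgmt = net.get("key_mgmt", "").split()
        has_ca = "ca_cert" in net or "ca_path" in net
        if "WPA-PSK" in key_mgmt:  # one passphrase shared by every client
            findings.append("shared-psk")
        if "WPA-EAP" in key_mgmt and not has_ca:  # server certificate is not verified
            findings.append("no-server-cert-validation")
        elif "WPA-EAP" in key_mgmt and not any(k in net for k in NAME_CHECKS):
            findings.append("no-server-name-check")  # any cert from that CA passes
        report[net.get("ssid", "<no ssid>")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` flags the shared-passphrase network and the Enterprise profile that would hand its password to any access point presenting a certificate, and leaves the pinned profile clean.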
Whether it's ethical to hand out passwords to people who haven't paid for WiFi is another question entirely, but wouldn't it be sweet if businesses just let anyone join their WiFi? Bike repair shops always leave a pump outside for anyone to use, not just customers.
That's a flawed analogy. It'd be sweet if I could do any prohibited thing whenever I feel like it.
How frequently is the pump oversubscribed that it causes a queue and blocks the sidewalk? If this happened, the repair shop would soon stop leaving a pump outside.
With a WiFi network in an airport you have regular situations where demand outstrips capacity. This isn't something that is discovered later, it's common sense before you even operate the service. Users attempt to download movies at the last minute for their flights, and in many cases each person will attempt to connect multiple devices to the hotspot. The hotspot provider set things up to support their clientele. They'd have set it up differently if they wanted it available for use by all.
This information is not public. It is a set of shared secrets. And now it has been shared to everyone in the world, rather than those who the owners wanted it to be shared with.
That's like you coming to my house, I give you the password to the wifi, and then you go tell all the neighbors about it so they can get "free wifi".
To use this you have to stand outside a restaurant / lounge and hope to acquire the weak signal (and hope the password hasn't changed). Why not just buy a coffee and you get to sit down and have a better signal?
Everything becomes a bit more inconvenient for everyone if every establishment has to protect against this kind of thing.
If you owned a coffeeshop, you would want your Wi-Fi users to be for customers only.
Perhaps it would work better if you severely slow piggybackers down instead of outright blocking them. If they think your connection is just bad they won't know they need to escalate.
Now give me my million dollars!
Let’s be real. You can’t have your cake and eat it too.
Changing the password everyday is an acceptable compromise.
Another solution would've been to implement WPA2 Enterprise, where employees could have their own, permanent credentials while visitors get temporary ones.
Or maybe make it as easy as possible, never changing the password and thereby getting repeat trade. I am sure a firewall can be opted into with the ISP to make sure nobody is downloading ISIS kiddie porn, Trump tweets etc.
In my home country, almost all airport administration companies offer time-restricted-but-free wifi too.
There are many reasons why a hotspot provider in the US wouldn't want the liability of anyone other than a known user accessing their service. These issues are probably more limited elsewhere in the world, although it's probably the case that they are just lagging in coming up with better security practices/policy. Some home internet providers in the US like Comcast have a public WiFi service, but you have to authenticate to use it.
Even if they all do add some other security then it's just like going back to a time before this site so no great loss. The alternative is to not share the passwords on this site which is effectively the same to anyone trying to get on the wifi for free.
I feel like this doesn't need an app. Just give me a list of tuples and I can script a grep for the AP I'm looking for.
This looks to me as the best use of having a public git with info out there.
It is not. The majority of the world doesn't function anymore without WiFi, which makes it more of a human necessity than a convenience to pay for. Not offering free WiFi is like not offering passengers free toilets at an airport. Unless you want everyone to piss in a corner you must offer a toilet, especially when you also require passengers to arrive at least two hours prior to departure.
In India I wasn't allowed to enter airports without showing them my boarding ticket at the entrance. However I didn't have a boarding ticket because I needed to go to the counter inside, which I wasn't allowed (standard in India). So they demand from tourists to log in their email and show the booking confirmation but don't give you free WiFi. Fuck this shit!
Going to the taxi stand and they ask me for my reservation number. Same story again, no WiFi no luck.
In some countries there are no taxis or taxis are widely considered extremely dangerous (Johannesburg, etc.) and you MUST use Uber. How are you going to do it without WiFi?
Long story short, don't fucking build your entire infrastructure reliant on the internet and then don't give your customers an opportunity to connect to the internet.
WiFi is a necessity, it should be free of charge everywhere.
(I've done a few projects crowd sourcing and distributing information like this and I'm currently thinking about some tools in this space, hence my curiosity.)
It allows messages tied to locations to be written to the Bitcoin Blockchain. The database is public, anyone can add information and it is uncensorable.
"It works by simply replacing the action URL from the login form on the web page to a local HTTP server which redirects the request to the original destination. The local HTTP server saves the request, so the app can reproduce the same call next time you connect to the same WiFi network."
Uhh... Time to move to iOS, I think.
I guess I'm just a bit exasperated about how the lesser-used parts of Android have far less attention to detail (there's no reason this couldn't be a built in feature)
You're already essentially doing MITM by redirecting form actions.
The ones I've used recently all capture DNS/HTTP, but use it to redirect to an HTTPS page with the actual form - which you'd have to MITM.
Yes, but inside a single webview, not system-wide!
example Toronto Pearson
Do I really need to explain how not everyone knows everything?
HN is made up of many people with many different skill sets. While you might put emphasis and assign an ideal to the "Hacker" in Hacker News, you are ignoring the large audience of people here that come here from different backgrounds and offer different view points. You also ignore what knowledge people may or may not have. Not everyone understands network security where such things are obvious.
> I see it quite unfair to get a downvote for this.
Do I need to explain why complaining about unfairness of downvotes will get you downvotes?
Rather than whine about how smarter people than you might not know something you do, you could take the time to share knowledge rather than come off as a member of "r/iamverysmart".