There exist wifi systems where setting a cookie "paid=1" will save you $15. You might think there are no legal consequences for "writing a text file on your own computer." I strongly suggest not testing that.
Safari even has a 'Develop' menu that lets me switch user agents in 2 clicks (without having to install anything first).
It's not like the author 'cracked his way in'. He got a cheaper price because he learned something from a friend and tried an experiment, which worked. Using something you've learned to get a better price seems fine with me. Especially, if it's 'ok' for someone stumbling around with the wrong user-agent.
To me, it just feels like a form of arbitrage.
(a) a representation made of some fact
(b) the materiality of that fact (the fact has to matter)
(c) the representation has to be false
(d) the person making the representation has to know it's false
(e) and they have to lie with an intent that someone else act on it
(f) and someone else has to actually be be fooled
(g) and rely on the lie
(h) and the lie has to be about something they had a right to ask (ie, not about marital status in a job interview)
(i) and thus incur damage.
You weaken a fraud case by saying the dispute is over an opinion and not a fact (a), or that the person who got something for nothing didn't realize they were lying (b), or they lied, but without intent (maybe they always lie about this question) (e).
But if all the elements fit, as they do in this case, you do not in fact have a weak case. You can, oh yes, you can, have "paid=true" in your URL and count on fraud statutes to have your back.
A lot of legal stuff becomes clearer when you realize that the court do not buy --- not even a little bit --- the nerdly tenet that "there is no way to prove intent because you can't really know what someone was thinking and maybe they weren't intending to do anything wrong". The courts have 2 centuries of case history of judging intent.
> Especially, if it's 'ok' for someone
> stumbling around with the wrong user-agent.
But if you think changing the user agent is somehow wrong, you could also go all the way of emulating the iPad browser on your laptop, and use that to sign in for the service.
It seems a little arbitrary otherwise espeically since people use the word ipad synonymously with "tablet" like "ipod" for mp3 player.
If you change the user agent and then see that you get a different price, then you have clearly seen that user agent affects money.
As an example I remember years ago when people say fit to create "secure areas" in websites by using a JS username/password prompt which meant that you could easily bypass this by viewing the source.
Now at the point you have done that perhaps you have knowingly done something to bypass the security.
Question is, what happens if you had JS disabled in your browser (or were using a browser that did not support it) which would be something you are clearly within your rights to do and therefor had no idea that such a security mechanicism was in place anyway?
Here in Israel free wifi access is the norm, but in DE? They charge an arm and a leg. Switzerland (if we're talking about Swisscom anyway)? They are _insane_. The hotels already rip you off with prices like there's no tomorrow and charge for internet on top.
I fire up iodine on my client. If it works: Great. The network was obviously created by morons (it could easily be prevented). Morons won't be able to track me down the short while I'm on their network, on a trip, with a mac address like 'deadbeef' or somesuch nonsense.
If it doesn't work? I don't go online and leave to have a couple beers..
Strongly depends on where you are, apparently. When I was in Berlin, there was free Internet all over the place. In our hostel, the hotel across the street, just about any coffee bar, pub, sandwich stand, pizzeria ... Sometimes you had to ask for a password, other times you could just connect, and other times you had to catch some air network from the place next door.
Or maybe that was just Berlin Mitte?
Though I went to some places near Cologne and I didn't have to donate a kidney to get online either.
Connectivity in the more rural areas can be pretty bad though.
My problem in DE was usually related to trips to customers, to the ~end of the world~. In CH it was more prevalent: I stayed in roughly 20 different hotels in Bern so far and most of them, ignoring the decoration from 50 years ago, were charging for internet access. On top of a very high room rate.
And - enjoy, have fun. Don't spoil the fun for all of us by writing an article in a big newspaper about it. :)
A friend of a friend runs an independent midsize hotel here in Germany.
They used to offer free internet access. Then one of their guests used the connection to download copyrighted stuff.
In due course a nasty letter from a lawyer arrived, demanding payment of around 1000€ and as fighting and losing would have been much more expensive, they payed.
They were unable to recover the money, because there was no way to prove which of their guests at that time was responsible.
The very next thing they did was to shut down the free internet and bring in an outside company to provide it (with per day and per hour fees for the guests).
1) By having someone else legally responsible for the internet connection, they don't have any liability for future copyright violations.
2) All guests are now "helping" to pay back the money they lost.
That's exactly why in all likelihood, they would've won. It's the perfect setup and - in germany - an argument for securing the wlan not better than the default-setting suggests.
I am always surprised by the "there is a chance we might loose and pay more, so we will pay"-attitude that seems to be common in such cases.
By choosing to pay €1000 this month they save a lot of money.That small amount of a settlement is pocket change for a hotel compared to the lengthy legal process that may be drawn out for months, and cost them much more and be without a guaranteed win in sight.
EDIT: Forgot that the hotel was independent, but my point still stands, especially for a hotel without the insurance of being in a hotel chain.
I still think that it would now be a better idea to fight. It's a sure 1000€-loss + the unhappy customers (cause of missing free wlan) vs a maybe-loss and a chance to continue the free wlan. But I understand the tought-process you described, and it was maybe a different legal situation.
I think the bit I'm referring to would be covered by § 15 paragraph (4), which Google translates to "To comply with existing legal, statutory or contractual retention periods, the service provider may block the data." I think "block" here means "store", in the sense that the user data which includes "Information on the beginning and end and the extent of each use" (paragraph 1) needs to be recorded (and retained) for a period of time required by a different statute.
I feel like I only understand about 30% of those documents, I might make more progress with a better translation!
>(4) Der Diensteanbieter darf Nutzungsdaten über das Ende des Nutzungsvorgangs hinaus verwenden, soweit sie für Zwecke der Abrechnung mit dem Nutzer erforderlich sind (Abrechnungsdaten). Zur Erfüllung bestehender gesetzlicher, satzungsmäßiger oder vertraglicher Aufbewahrungsfristen darf der Diensteanbieter die Daten sperren.
This informally translates to:
"The provider may use data about the usage after the usage, if those data are necessary to calculate the billings. He may save those data to fulfill existing deadlines, coming from law or contract"
There don't seem to exist an english translation of that law.
If you stay at a hotel with paid wifi and it is full of people who are either tethering from their phones or not using the internet then it will be fast.
Stay at a posh hotel where everyone pays out of their expense account and it's likely to be just as slow as if it was free.
Not to mention that you only need one person streaming 1080p to put serious strain on the bandwidth.
You are being charged for the lights and the shower when you pay the bill. Or was that you're point and I missed it?
It will come, give it some time. Hotels (imho) charge one for the internet because it's a separate utility, the onsite staff are not capable of fixing it  when it breaks. Which happens a lot. So they outsource it.
When 'internet' is as common a utility as water and light, and as reliable, it will be in the bill, you'll never see it.
this is some other link shortening service, which the admins haven't gotten around to banning yet. but it's just a matter of time.
I will help you out. What happens when you go to cld.sg? Or what happens when you append a plus sign to the link above?
What's more important a consistent approach to privacy or "knowing how much interest someone's HN link received"?
 Conspiracy theory: jcloud is an astro-turfing account for sigma cloud. The jcloud account was created 377 days ago the same day a sigma cloud story was posted. Jcloud's first post was on the sigmacloud story and was complimentary of sigma cloud:
"Just discovered these guys. Nice interface actually.
Investigating a bit more but so far so good."
In relation to the legal questions raised elsewhere on this thread, I'm guessing that it's a non-issue when it's a built-in feature of the device. I think the argument could be logically extended to using plug-ins that switch user agent strings?
So I thought that, since I had permission to access this network anyway, I would break in -- just to see if I could. And I'd tell them about my results the next morning as we turned in our keys and headed off.
Actually since there wasn't any encryption there isn't much to say after that -- it was obvious that their system wasn't too sophisticated, so I just guessed "they check MAC addresses, don't they?"
Using the airotools-ng package for Ubuntu, I set my wireless card into "monitor mode", which (I'm not an expert) I guess is a fancy way of saying "it stopped ignoring everything it saw flying through the air in my hotel room." Normally your computer treats all of these other signals as noise relative to its own goal of connecting to the Internet -- but it's absolutely trivial to start listening to it. With the tool airodump-ng, I was able to see all of the routers at my hotel and MAC addresses of real users connecting to those routers. So I put one of those into my "Connect to the Internet" dialog box under "Cloned MAC address," and hey look, I just saved the desk clerk some time.
I mentioned that I'd done it the next day to the desk clerk as I checked out -- that any competent neighbor could steal their wireless access. I'll never forget his response: "yes, but they're all incompetent."
A similar experience: when I first came to live at my present household, I knew that we had shared WiFi but I didn't know the password -- and the guy who did know had just stepped into the shower. But it was using "WEP", a very old encryption policy which is vulnerable whenever you are transmitting data. So I fired up these same tools, found out that I was lucky -- he'd left a download running when he stepped into the shower or so -- and I captured a couple thousand data transactions. I didn't have to wait for him to finish showering before I had broken into my own Internet.
I'm always surprised by this sort of thing. The other day I had accidentally clobbered my sudo permission when reconfiguring Wireshark (something which can also listen to Internet traffic) to be more secure, and suddenly had no more root permissions. In about half an hour I had downloaded a live CD and burned it and broken into my own box with chroot magic to usurp root permissions to re-add myself to that group. (I have an encrypted disk, and I couldn't have done this without being able to decrypt it. However, most people that I know don't use disk encryption, so the point still stands.)
The lesson to take away: If some half-geek amateur like me can do these things, the professional inbreakers must have absolutely terrifying skills.
Except the difference here is that there is nothing to "break into" as there is no pretense at security..
I remember with Windows XP a friend had a failing hard disk that would no longer boot Windows and they asked if I could try and recover some data from it.
I plugged the disk into my tower and booted my own copy of Windows and tried to access the "My Documents" folder of the broken disk from there. It gave me some theatre about not being allowed to access the files there because I didn't have permission.
Then I rebooted my computer into Linux and mounted it with the NTFS drivers and of course all the files were there to be accessed. As an experiment I rebooted to my Windows XP again and logged into my local administrator account, this also let me access the files.
I can't help but feel that some of these measures perhaps give an illusion of security.
I also wonder with say computer forensics whether something like a file timestamp could be used as evidence in court since these could be easily tampered with by someone using a non standard FS driver.
I have wondered about easily obtaining prepaid cards for travel, might be a business opportunity if there is no good solution yet?
I usually try to get my hands on a local card when I travel, but the rates (and availability) varies significantly between countries.
He is basically a one man shop owner but is very knowledgable and reliable.
I've seen plenty of international-travel SIM cards that give cheap[er] texts and voice calls, but none that include any data. And trying to set up a pre-pay data SIM from a foreign ISP in a language you don't speak/read is a nightmare ...
People who want to use their internet on the move are very likely to have a smartphone or at least a dongle and 3G is usually fast enough.
Here in the UK the train services used to provide free wifi to travelers but recently they decided to charge for it and give the option of a free trial.
On my last journey I tried the free trial and found that it was just as slow as it had always been but was now £5 an hour.
I would have been seriously disappointed if I had paid for that service. Luckily I could just use my mobile phone tethering and get nice fast access.
Surely a better model would be to provide access for free but use some DNS redirection of the popular ad services to redirect the ads to ones of your choice and reap the benefits of those clicks.
I also let a lady in the carriage use my connection for a few minutes to check her emails so it's not like you necessarily need your own connection either.
The article mentions it is in the UK.
Relevant fraud statute appears to be this:
It looks like all the criteria for it to be fraud are met.
However, it also looks like legislation in the UK disallows (and renders void) concerted practices which may affect trade within the United Kingdom, and have as their effect the distortion of competition within the United Kingdom, applying, in particular to practices which apply dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage. See http://www.legislation.gov.uk/ukpga/1998/41/section/2
A concerted practice of charging the owners of well-known brands of smartphones less than the owners of less-known brands for an equivalent transaction would have the effect of lessening competition, because people might eschew a lesser known smartphone (increasing the barriers of entry to the smartphone market in the UK).
So there appears to be a good defence that price discrimination practices like this are illegal and void, and therefore circumventing it is not fraudulent.
Of course, out of an abundance of caution, I don't think it would be wise to volunteer to be a test case for this.
Edit: and IMO, it's toxic to the hacker spirit to be too quick in condemning ideas as illegal or immoral
On the other hand, if he had simply forgotten to change his UA back to the default (say, after doing some development work), then he couldn't possibly know that he was benefiting from the lower price, and it wouldn't be fraud at that point.
Personally, I have no problem with breaking trivial locks on otherwise non-sensitive networks. The word "fraud" usually conjures up much more serious crime.
* This is very quickly becoming a false assumption I think. Between listening to music from remote servers and watching video on my phone, I think mobile data use, especially in a vacation situation, is fast approaching that of "traditional" data use.
Is it fraud to use a battery charger or electrical plug with an adapter? After all, the particular plug is a way of "identification", even when easily circumvented. How about using aftermarket parts for your car or camera. They are implying by their similarly spaced and shaped connections that they are genuine parts after all... What about console cartridge identification chips?
These are somewhat interesting questions, if the HN crowd could have other opinions between "fraud" and "not fraud".
It's interesting to think when a hack becomes a fraud or stealing.
The only immoral thing here is the wifi provider increasing the complexity of the transaction to extract as much money as possible. Should one be required to tell the supermarket their net worth so they can be charged "appropriately" for their food? Anonymity is the basis for a shared existence.
Two parties whose sole interaction consists of sending signals back and forth certainly don't need the outside law to mediate between them - if one party finds the relationship unfavorable, simply stop talking. It's a shame that people have been so brainwashed into thinking it's their responsibility to enforce someone else's desired business rules.
No, it's common for highly technical web developers to do this. For 99.99% of the internet population, they do not even know what "user agent string" is or how to change it, or what to put in.
Switching user agent is perfectly legal.
Suppose they say "teachers" and you have a teaching license but aren't currently teaching. You present your teaching license and say "is this acceptable" and they say yes, you only need a teaching license to get the discount.
That seems pretty analogous to the current situation. You possess the token they request and that they subsequently use to give you a lower price. You've not committed fraud because you're legally allowed to use that UA string. It's up to the provider to decide if their requirement is "passes us this UA string" or "declares ownership of this device" (I don't consider those things identical by a long stretch).
Now if they say when you pass a particular UA string "do you confirm you're owner of $deviceType" or "this service is only for users of $deviceType" then I think things switch around in the direction of [rather minor] fraud.
In the UK, price discrimination by gender (e.g. by nightclubs) is illegal: see http://www.equalityhumanrights.com/advice-and-guidance/your-...
I certainly don't abuse it; simply from time to time you need some internet access (to check an email, to download some piece of software, to google for a technical problem) and I wouldn't pay 39 euros/month for a 3G "key" that I'd use maybe once a month, no thanks.
And if you can't trust Norwegian folk with your data, then you can roll your own "Turbo" with Ziproxy or at least SOCKS proxy over gzipped connection.