Word to the wise: "circumventing the access restriction was easy to do, Your Honor, so I assumed it was OK" is not something you ever want to have to say.
There exist wifi systems where setting a cookie "paid=1" will save you $15. You might think there are no legal consequences for "writing a text file on your own computer." I strongly suggest not testing that.
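The weakness mentioned in the comment above, as an added example (not part of the original thread and not any real portal's code): a paywall check that trusts a client-set `paid` cookie, next to one that only accepts an entitlement the server itself signed. The key, the `access` cookie name, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption); a real portal would load a random
# secret from protected storage and never ship it to clients.
PORTAL_KEY = b"constructed-demo-key"


def is_paid_naive(cookies):
    """Weak check: the client decides whether it has paid."""
    return cookies.get("paid") == "1"


def _tag(payload, key):
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(client_id, expires_at, key=PORTAL_KEY):
    """Called by the portal after the payment processor confirms payment.

    client_id is whatever the portal uses to recognise the session
    (hypothetical here); expires_at is a Unix timestamp.
    """
    if "|" in client_id:
        raise ValueError("client_id must not contain the field separator")
    payload = f"{client_id}|{int(expires_at)}"
    return f"{payload}|{_tag(payload, key)}"


def is_paid_signed(cookies, client_id, now=None, key=PORTAL_KEY):
    """Hardened check: accept only an unexpired token signed by the portal."""
    parts = cookies.get("access", "").split("|")
    if len(parts) != 3:
        return False
    token_client, expires, tag = parts
    expected = _tag(f"{token_client}|{expires}", key)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return False
    # The tag verified, so the payload is one the portal wrote itself.
    if token_client != client_id:
        return False
    current = time.time() if now is None else now
    return int(expires) > current


if __name__ == "__main__":
    forged = {"paid": "1"}
    print("naive check, forged cookie: ", is_paid_naive(forged))
    print("signed check, forged cookie:", is_paid_signed(forged, "client-a"))
    good = {"access": issue_token("client-a", time.time() + 3600)}
    print("signed check, issued token: ", is_paid_signed(good, "client-a"))
```

The signed token only proves the portal issued it; on an unencrypted network it can still be replayed by anyone who captures it, so it complements rather than replaces transport encryption.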
I think the difference is knowledge and intent. He knew that they were using the User Agent string to differentiate iOS devices, and he used that knowledge to get a cheaper price. It would be different if he were randomly browsing the web with that User Agent for kicks, and didn't realize that he had gotten a deal.
It's not like the author 'cracked his way in'. He got a cheaper price because he learned something from a friend and tried an experiment, which worked. Using something you've learned to get a better price seems fine with me. Especially, if it's 'ok' for someone stumbling around with the wrong user-agent.
In most states, to make a fraud case, you need some combination of:
(a) a representation made of some fact
(b) the materiality of that fact (the fact has to matter)
(c) the representation has to be false
(d) the person making the representation has to know it's false
(e) and they have to lie with an intent that someone else act on it
(f) and someone else has to actually be fooled
(g) and rely on the lie
(h) and the lie has to be about something they had a right to ask (i.e., not about marital status in a job interview)
(i) and thus incur damage.
You weaken a fraud case by saying the dispute is over an opinion and not a fact (a), or that the person who got something for nothing didn't realize they were lying (b), or they lied, but without intent (maybe they always lie about this question) (e).
But if all the elements fit, as they do in this case, you do not in fact have a weak case. You can, oh yes, you can, have "paid=true" in your URL and count on fraud statutes to have your back.
A lot of legal stuff becomes clearer when you realize that the courts do not buy --- not even a little bit --- the nerdly tenet that "there is no way to prove intent because you can't really know what someone was thinking and maybe they weren't intending to do anything wrong". The courts have 2 centuries of case history of judging intent.
It wouldn't matter, because you can't convince a reasonable judge or a reasonable jury that tampering with a computer system that puts (for instance) a credit card form in front of you for service in order to not pay for service doesn't constitute "intent".
I don't think those cases are even comparable. Lying that you paid (through whatever means) is different from using a different user agent, which has no (direct, expected) relation to money.
But if you think changing the user agent is somehow wrong, you could also go all the way of emulating the iPad browser on your laptop, and use that to sign in for the service.
You'd still have trouble explaining that to a judge. The hotel has a reasonable expectation that if the traffic says it is coming from an iPad, it's actually coming from an iPad, and you don't have any non-infringing excuses to be using an iPad browser on your laptop.
If they advertised the plan as an iPad plan, there would be a point. But if the plan is advertised as all-purpose, but only offered to certain user agents, I don't think there's any legal issue.
This is an interesting point and I wonder where the line would be drawn.
As an example I remember years ago when people saw fit to create "secure areas" in websites by using a JS username/password prompt which meant that you could easily bypass this by viewing the source.
Now at the point you have done that perhaps you have knowingly done something to bypass the security.
Question is, what happens if you had JS disabled in your browser (or were using a browser that did not support it) which would be something you are clearly within your rights to do and therefore had no idea that such a security mechanism was in place anyway?
I was on a train with paid wifi and I discovered that if you went to pay via PayPal, the paywall was temporarily lifted completely and you could access any site you liked for 30 minutes or so, after which you simply needed to repeat the procedure. I wonder what the legal consequences of doing that are?
I'm looking forward to the day when I stay in a 100$/night hotel and I don't have to pay for my fricking internet. Every motel/hostel has it for free as it should. To me charging for internet (in hotels/restaurants) in 2012 is the same as charging for using the shower or lights.
I run iodine[1] on my server. Maybe it's illegal, maybe it's a grey area - I don't care.
Here in Israel free wifi access is the norm, but in DE? They charge an arm and a leg. Switzerland (if we're talking about Swisscom anyway)? They are _insane_. The hotels already rip you off with prices like there's no tomorrow and charge for internet on top.
I fire up iodine on my client. If it works: Great. The network was obviously created by morons (it could easily be prevented). Morons won't be able to track me down the short while I'm on their network, on a trip, with a mac address like 'deadbeef' or somesuch nonsense.
If it doesn't work? I don't go online and leave to have a couple beers..
If you think allowing unrestricted DNS is moronic, you haven't seen anything ;) One of our major ISPs has paid wifi networks in many cities here in Portugal, but they allow connections to any server on port 443 (HTTPS).
You don't even need a server, there are free VPNs that use that port to ensure compatibility with more restricted networks.
Strongly depends on where you are, apparently. When I was in Berlin, there was free Internet all over the place. In our hostel, the hotel across the street, just about any coffee bar, pub, sandwich stand, pizzeria ... Sometimes you had to ask for a password, other times you could just connect, and other times you had to catch some air network from the place next door.
Or maybe that was just Berlin Mitte?
Though I went to some places near Cologne and I didn't have to donate a kidney to get online either.
Connectivity in the more rural areas can be pretty bad though.
I've to admit my experience in DE is limited to certain ~weird~ places. I _lived_ in CGN and rarely needed wifi outside of my own home. Got no experience w/ Berlin, but I might move there in a year.
My problem in DE was usually related to trips to customers, to the ~end of the world~. In CH it was more prevalent: I stayed in roughly 20 different hotels in Bern so far and most of them, ignoring the decoration from 50 years ago, were charging for internet access. On top of a very high room rate.
It seems there are projects to improve on iodine. Heyoka [1] seemed interesting for a while, but the authors seem to have abandoned it now. If DNS is not an option: You can tunnel stuff via icmp as well. Still looking for a decent solution (needs to work cross-platform at least for the client) as a fallback if DNS is restricted.
And - enjoy, have fun. Don't spoil the fun for all of us by writing an article in a big newspaper about it. :)
It's always interesting how the really cheap accommodation (hostels etc.) have free internet, but the expensive accommodation have expensive internet. It's a great example of price being based on what the market can bear. People who stay in cheap hostels will just go without internet, or stay at another hostel that has free internet. People who stay in fancy hotels don't care about €15 (or the company is paying).
A friend of a friend runs an independent midsize hotel here in Germany.
They used to offer free internet access. Then one of their guests used the connection to download copyrighted stuff.
In due course a nasty letter from a lawyer arrived, demanding payment of around 1000€ and as fighting and losing would have been much more expensive, they paid.
They were unable to recover the money, because there was no way to prove which of their guests at that time was responsible.
The very next thing they did was to shut down the free internet and bring in an outside company to provide it (with per day and per hour fees for the guests).
The reasons:
1) By having someone else legally responsible for the internet connection, they don't have any liability for future copyright violations.
2) All guests are now "helping" to pay back the money they lost.
>They were unable to recover the money, because there was no way to prove which of their guests at that time was responsible.
That's exactly why in all likelihood, they would've won. It's the perfect setup and - in Germany - an argument for securing the wlan not better than the default-setting suggests.
I am always surprised by the "there is a chance we might lose and pay more, so we will pay"-attitude that seems to be common in such cases.
I don't know about the current climate for copyright cases in Germany, but I don't think that the board of a hotel chain will have or want any stake in the copyright fight as that is so far from their own business interests.
By choosing to pay €1000 this month they save a lot of money. That small amount of a settlement is pocket change for a hotel compared to the lengthy legal process that may be drawn out for months, and cost them much more and be without a guaranteed win in sight.
EDIT: Forgot that the hotel was independent, but my point still stands, especially for a hotel without the insurance of being in a hotel chain.
You are not wrong. And there was a time when such cases were very unclear, even for those with more knowledge than typical known.
I still think that it would now be a better idea to fight. It's a sure 1000€-loss + the unhappy customers (cause of missing free wlan) vs a maybe-loss and a chance to continue the free wlan. But I understand the thought process you described, and it was maybe a different legal situation.
I'm assuming there's some kind of protection for ISPs, or it'd be impossible to run one in Germany. Couldn't they apply to the same rules, since they're effectively an ISP?
The idea of ISP protection is to say that some particular other person is responsible, instead of the ISP, so that they can get sued/fined/imprisoned instead. Looks like these guys were not tracking that.
My German isn't good enough to understand those articles, and I'm finding it a bit tricky to understand the Google translation. The gist I'm getting from those two pages is that the access provider isn't liable for what is transmitted if the transfer is initiated by another user.
I think the bit I'm referring to would be covered by § 15 paragraph (4), which Google translates to "To comply with existing legal, statutory or contractual retention periods, the service provider may block the data." I think "block" here means "store", in the sense that the user data which includes "Information on the beginning and end and the extent of each use" (paragraph 1) needs to be recorded (and retained) for a period of time required by a different statute.
I feel like I only understand about 30% of those documents, I might make more progress with a better translation!
Sorry, I overlooked your reply. That paragraph is about what a provider may store, and it is pretty rigid. As far as I know, in practice they save more (that law is not fully followed).
>(4) Der Diensteanbieter darf Nutzungsdaten über das Ende des Nutzungsvorgangs hinaus verwenden, soweit sie für Zwecke der Abrechnung mit dem Nutzer erforderlich sind (Abrechnungsdaten). Zur Erfüllung bestehender gesetzlicher, satzungsmäßiger oder vertraglicher Aufbewahrungsfristen darf der Diensteanbieter die Daten sperren.
This informally translates to:
"The provider may use data about the usage after the usage, if those data are necessary to calculate the billings. He may save those data to fulfill existing deadlines, coming from law or contract"
There doesn't seem to exist an English translation of that law.
Every motel/hostel that I've been to with free internet has ended up with internet so slow that it's unusable. I'm happy to pay for it to be able to access at faster than dialup speeds. As for why they charge it's because they can. Their target markets are already paying a premium for a room so a small extra charge for internet isn't that much of a deal. People looking for the savings of a hostel are just as likely to go to Starbucks/McDonalds for free internet.
Just because they charge does not mean they re-invest any of that in infrastructure.
If you stay at a hotel with paid wifi and it is full of people who are either tethering from their phones or not using the internet then it will be fast.
Stay at a posh hotel where everyone pays out of their expense account and it's likely to be just as slow as if it was free.
Not to mention that you only need one person streaming 1080p to put serious strain on the bandwidth.
>To me charging for internet (in hotels/restaurants) in 2012 is the same as charging for using the shower or lights.
You are being charged for the lights and the shower when you pay the bill. Or was that your point and I missed it?
It will come, give it some time. Hotels (imho) charge one for the internet because it's a separate utility, the onsite staff are not capable of fixing it [1] when it breaks. Which happens a lot. So they outsource it.
When 'internet' is as common a utility as water and light, and as reliable, it will be in the bill, you'll never see it.
I love that people get up in arms about the change to google's privacy policy but have no trouble funneling traffic through bit.ly and other link shorteners...
I recently started using bit.ly for administering surveys over the internet. We had a really crummy randomisation system where we had a ridiculously long link (approx 300 characters), so I used them. It was really useful, especially being able to see where the traffic had come from and monitor it in real time from my browser. While I agree somewhat on the general point, there are some real uses for link shorteners.
I guess it gives the original sharer some feedback on the link otherwise they would never really know what interest it got? Looking at traffic I think the link was picked up off Twitter originally hence the URL shortener too.
The original sharer is not sigma cloud (the bitly link creator).[1] Ostensibly the OP actually visited the site before posting it on HN so it's not like the OP was only aware of the shortened link.
What's more important a consistent approach to privacy or "knowing how much interest someone's HN link received"?
[1] Conspiracy theory: jcloud is an astro-turfing account for sigma cloud. The jcloud account was created 377 days ago the same day a sigma cloud story was posted. Jcloud's first post was on the sigmacloud story and was complimentary of sigma cloud:
"Just discovered these guys. Nice interface actually.
Investigating a bit more but so far so good."
Of the three stories jcloud posted two were shortened with sg.cd and the third was a sigma cloud press release.
My point was that the first hit on the article is on Twitter and was from CloudSigma. So I'm guessing the URL was copy pasted from there. Looking at jclouds account, submissions do generally come from CloudSigma tweets but it seems to relate generally to wider things not that company. The residual value of a URL shortening isn't clear to do to the lengths you suggest. Your post gives more advertising than the submissions thus far ;-) The three submissions made by jclouds-fan seem to be of a high quality. The first relating to the same blog as this latest one so looks like a user with a narrow interest base!
LOL, this is the second story where you have defended sigma cloud in regards to astroturfing. A bunch of your early posts were all sigmacloud stories. Are you affiliated with sigma cloud?
I had a similar experience on a US Airways flight last December. The Kindle Fire browser allows the user to choose whether to optimise for mobile or desktop, and this resulted in two different prices.
In relation to the legal questions raised elsewhere on this thread, I'm guessing that it's a non-issue when it's a built-in feature of the device. I think the argument could be logically extended to using plug-ins that switch user agent strings?
I was staying with my brothers at a hotel in Amsterdam and I had brought my laptop; the hotel offered free unencrypted WiFi for guests. Since it's in a big city, as you might imagine, you don't want the neighbors stealing all of your bandwidth, so even though it was free for us, there was a sign-in page -- you had to go downstairs and request that the desk official give you a token, then use that token to register with the system.
So I thought that, since I had permission to access this network anyway, I would break in -- just to see if I could. And I'd tell them about my results the next morning as we turned in our keys and headed off.
Actually since there wasn't any encryption there isn't much to say after that -- it was obvious that their system wasn't too sophisticated, so I just guessed "they check MAC addresses, don't they?"
Using the airotools-ng package for Ubuntu, I set my wireless card into "monitor mode", which (I'm not an expert) I guess is a fancy way of saying "it stopped ignoring everything it saw flying through the air in my hotel room." Normally your computer treats all of these other signals as noise relative to its own goal of connecting to the Internet -- but it's absolutely trivial to start listening to it. With the tool airodump-ng, I was able to see all of the routers at my hotel and MAC addresses of real users connecting to those routers. So I put one of those into my "Connect to the Internet" dialog box under "Cloned MAC address," and hey look, I just saved the desk clerk some time.
I mentioned that I'd done it the next day to the desk clerk as I checked out -- that any competent neighbor could steal their wireless access. I'll never forget his response: "yes, but they're all incompetent."
A similar experience: when I first came to live at my present household, I knew that we had shared WiFi but I didn't know the password -- and the guy who did know had just stepped into the shower. But it was using "WEP", a very old encryption policy which is vulnerable whenever you are transmitting data. So I fired up these same tools, found out that I was lucky -- he'd left a download running when he stepped into the shower or so -- and I captured a couple thousand data transactions. I didn't have to wait for him to finish showering before I had broken into my own Internet.
I'm always surprised by this sort of thing. The other day I had accidentally clobbered my sudo permission when reconfiguring Wireshark (something which can also listen to Internet traffic) to be more secure, and suddenly had no more root permissions. In about half an hour I had downloaded a live CD and burned it and broken into my own box with chroot magic to usurp root permissions to re-add myself to that group. (I have an encrypted disk, and I couldn't have done this without being able to decrypt it. However, most people that I know don't use disk encryption, so the point still stands.)
The lesson to take away: If some half-geek amateur like me can do these things, the professional inbreakers must have absolutely terrifying skills.
> [I] suddenly had no more root permissions. In about half an hour I had downloaded a live CD and burned it and broken into my own box with chroot magic to usurp root permissions to re-add myself to that group
Except the difference here is that there is nothing to "break into" as there is no pretense at security..
Very true, if you don't encrypt data (with a strong algorithm + key) then it will always be accessible to anyone with hardware access.
I remember with Windows XP a friend had a failing hard disk that would no longer boot Windows and they asked if I could try and recover some data from it.
I plugged the disk into my tower and booted my own copy of Windows and tried to access the "My Documents" folder of the broken disk from there. It gave me some theatre about not being allowed to access the files there because I didn't have permission.
Then I rebooted my computer into Linux and mounted it with the NTFS drivers and of course all the files were there to be accessed. As an experiment I rebooted to my Windows XP again and logged into my local administrator account, this also let me access the files.
I can't help but feel that some of these measures perhaps give an illusion of security.
I also wonder with say computer forensics whether something like a file timestamp could be used as evidence in court since these could be easily tampered with by someone using a non standard FS driver.
There are a few international sim-card providers, but I don't think any of them are really good. It is a business opportunity for sure, but it's also somewhat complex.
I usually try to get my hands on a local card when I travel, but the rates (and availability) vary significantly between countries.
If you know of any source of such SIM cards, please post it here!
I've seen plenty of international-travel SIM cards that give cheap[er] texts and voice calls, but none that include any data. And trying to set up a pre-pay data SIM from a foreign ISP in a language you don't speak/read is a nightmare ...
I'm surprised there's still much money in selling wifi internet access.
People who want to use their internet on the move are very likely to have a smartphone or at least a dongle and 3G is usually fast enough.
Here in the UK the train services used to provide free wifi to travelers but recently they decided to charge for it and give the option of a free trial.
On my last journey I tried the free trial and found that it was just as slow as it had always been but was now £5 an hour.
I would have been seriously disappointed if I had paid for that service. Luckily I could just use my mobile phone tethering and get nice fast access.
Surely a better model would be to provide access for free but use some DNS redirection of the popular ad services to redirect the ads to ones of your choice and reap the benefits of those clicks.
I also let a lady in the carriage use my connection for a few minutes to check her emails so it's not like you necessarily need your own connection either.
It looks like all the criteria for it to be fraud are met.
However, it also looks like legislation in the UK disallows (and renders void) concerted practices which may affect trade within the United Kingdom, and have as their effect the distortion of competition within the United Kingdom, applying, in particular to practices which apply dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage. See http://www.legislation.gov.uk/ukpga/1998/41/section/2
A concerted practice of charging the owners of well-known brands of smartphones less than the owners of less-known brands for an equivalent transaction would have the effect of lessening competition, because people might eschew a lesser known smartphone (increasing the barriers of entry to the smartphone market in the UK).
So there appears to be a good defence that price discrimination practices like this are illegal and void, and therefore circumventing it is not fraudulent.
Of course, out of an abundance of caution, I don't think it would be wise to volunteer to be a test case for this.
The wifi network never asked him what device type he was using, it just made an assumption based on something as unreliable as a user agent string. How is it fraud?
He knowingly manipulated their device detection system. Yes, it's true their device detection system is trivial to manipulate, but that doesn't change the legality. If a bank forgets to lock their vault, you still wouldn't want to clean them out and admit to it on your blog.
What if you just choose to change your user agent to something different because you prefer the experience? If you then get different offers as a result you can't be held liable.
In that case, you're right. Fraud requires knowledge and intent. This guy, knowing that changing the UA would result in lower fees, did just that. He also (presumably) knew the reason for the different price points--that mobile users are likely to use less data than laptop users*.
On the other hand, if he had simply forgotten to change his UA back to the default (say, after doing some development work), then he couldn't possibly know that he was benefiting from the lower price, and it wouldn't be fraud at that point.
Personally, I have no problem with breaking trivial locks on otherwise non-sensitive networks. The word "fraud" usually conjures up much more serious crime.
* This is very quickly becoming a false assumption I think. Between listening to music from remote servers and watching video on my phone, I think mobile data use, especially in a vacation situation, is fast approaching that of "traditional" data use.
If there were an expensive nightclub which had a cheaper bar round the corner that only admitted people with the first name of "Dan", who then get full access to the nightclub and cheaper drinks all night, would it be criminal fraud to lie about your name to the doorstaff?
"You are"? It's just a browser "identification". It's widely known to be approximate, random and unreliable. It's common to try different agents because the web is full of bad pages which try to use it for something inappropriate. That's why user agent switching is a feature in all these browsers in the first place. It's like disabling CSS.
Is it fraud to use a battery charger or electrical plug with an adapter? After all, the particular plug is a way of "identification", even when easily circumvented. How about using aftermarket parts for your car or camera. They are implying by their similarly spaced and shaped connections that they are genuine parts after all... What about console cartridge identification chips?
These are somewhat interesting questions, if the HN crowd could have other opinions between "fraud" and "not fraud".
A restaurant offers a 25% discount to seniors (65+), but you're only 60. You copy your friend's AARP card, changing the name, and present the cloned card to receive the discount. Is this fraud?
When they get your identifying information and feel like hassling you.
The only immoral thing here is the wifi provider increasing the complexity of the transaction to extract as much money as possible. Should one be required to tell the supermarket their net worth so they can be charged "appropriately" for their food? Anonymity is the basis for a shared existence.
Two parties whose sole interaction consists of sending signals back and forth certainly don't need the outside law to mediate between them - if one party finds the relationship unfavorable, simply stop talking. It's a shame that people have been so brainwashed into thinking it's their responsibility to enforce someone else's desired business rules.
I find it a bit amusing that someone on this site, where so much of the content is about optimization and business models, is acting so morally offended by the concept of price differentiation.
So many of the articles are about business model optimization because it's not the primary nature of hackers - they need to be reminded. The major difference is that the businesses here are new and the market and product are uncertain (inherently complex); Internet access, by definition, is a solved commodity.
Really, it is? How come in 2012, I, who live in decent sized US city (Metro area is about 140k), still pay about $40 for 10Mbit connectivity, barely better than I could get 10 years ago?
Because utilities tend to plateau when they provide "enough" capacity? The house I'm in has the original water main and electrical service from 1900 and 1940. Being a commodity says nothing of the price (/trend), just the fungibility.
No, it's common for highly technical web developers to do this. For 99.99% of the internet population, they do not even know what "user agent string" is or how to change it, or what to put in.
It's legal to price discriminate based on age (discounted cinema tickets for children and pensioners), gender (free entry to certain nightclubs for women), occupation (teachers get educational discounts on some software, even when they only use it at home), not to mention the tricks aeroplane/train companies pull. So why not legal to price discriminate net access based on the device you're accessing it with?
>occupation (teachers get educational discounts on some software, even when they only use it at home) //
Suppose they say "teachers" and you have a teaching license but aren't currently teaching. You present your teaching license and say "is this acceptable" and they say yes, you only need a teaching license to get the discount.
That seems pretty analogous to the current situation. You possess the token they request and that they subsequently use to give you a lower price. You've not committed fraud because you're legally allowed to use that UA string. It's up to the provider to decide if their requirement is "passes us this UA string" or "declares ownership of this device" (I don't consider those things identical by a long stretch).
Now if they say when you pass a particular UA string "do you confirm you're owner of $deviceType" or "this service is only for users of $deviceType" then I think things switch around in the direction of [rather minor] fraud.
I regularly use the same trick to use free tethering with my phone. As I didn't buy some incredibly expensive option that explicitly allows it, simply declaring my Firefox as a mobile browser allows me to bypass the artificial limitation.
I certainly don't abuse it; simply from time to time you need some internet access (to check an email, to download some piece of software, to google for a technical problem) and I wouldn't pay 39 euros/month for a 3G "key" that I'd use maybe once a month, no thanks.
I'd suggest using Opera with Turbo proxy instead — it'll compress all textual content and re-encode images as WebP. That's likely to give you bigger savings than just a UA switch.
And if you can't trust Norwegian folk with your data, then you can roll your own "Turbo" with Ziproxy or at least SOCKS proxy over gzipped connection.