The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regards to WiFi.
As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
I sometimes reminisce about the things we did, but even if you refuse to race to the bottom, you get dragged down by a Linksys router and consumer-grade internet connection even if the experience for guests is markedly lower. I'm much happier to now be working in an industry where our customers, and our customers' customers, value the work that is done and pay accordingly.
WiFi is just as much part of the service a modern hotel provides as a clean bed, nice breakfast and whatever else they might advertise. Why isn't it treated like that? Why aren't they putting ads on my pillow?
The reason for the extortionate costs? Probably to make up for the lost revenue streams from people not using the in-room phones any more. I hope that at least in this instance the guy wasn't paying for the internet access, that would be taking the p*ss!
For those of you in the UK, the show is here:
Why watch expensive in-room pr0n from Lodgenet (and have to explain the charge on your bill) when a browser will serve up similar at a lower cost?
At a recent resort stay, they provided a catalogue that allowed one to purchase the same linens and toiletries provided in the suite.
Thought exercise: If you took away the WiFi, you would still have a hotel. If you took away the bed, you would have ____.
By "fair price", I mean a similar cost per megabyte transferred to what I could reasonably expect to pay for home or business internet service in that area. They can meter it and add it to my bill. So I can go nuts on bittorrent, but at a fair price. If I don't go nuts on bittorrent, I'd expect that the total should be very cheap for a typical hotel visit, especially compared to the rest of the bill.
By "good network service" I mean comparable in bandwidth and latency to residential or business service offered by ISPs in the area (e.g. cable or DSL), with good wifi coverage, and no port blocking or any other kind of filtering or traffic shaping beyond what's necessary to fight spam and provide good service to all the guests using the network.
Also, please don't restrict the number of devices. I've had hotels insist on one device to a room, or demand unreasonable fees for extra devices. If each person has a phone, a tablet and a laptop, that's pretty inconvenient. Please bill for total bytes transferred instead.
I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
You get many details about the hospitality space dead wrong.
First, in direct response to "GMs are responsible for contracting their own networking services"...
GMs are managed across several MBOs, including occupancy and REVPAR (revenue per available room).
There are 3 major players in the hotel space:
1) People who own hotels, 2) People who manage hotels, and 3) People who brand hotels. Two or even three of these may be a single party. From this you quickly learn that "Hilton" is a brand, and that, while Hilton owns some of the hotels with its brand on top, it also owns hotels without a Hilton brand, and manages hotels on behalf of 'ownership groups' with a mixed set of brands.
At the end of the day, it is the owner, not the GM, who decides which vendor gets a particular contract. Sometimes the owner will defer to the management team (which may, remember, be a separate entity).
Yes, WiFi (with Internet access) is the single most requested amenity. I come from the bad old days, before the dot-com bust, when hotels were full, and the GM would look at me and explain, "My hotel is full, you should pay me to install this, and give a split of the revenue to me."
Ad injection is bullshit, pure and simple. It's XSS by another name.
> I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
> You get many details about the hospitality space dead wrong.
Surely you meant to say "Wow it's interesting to see how different your experiences are from mine, working in that same industry".
Because, you know, I don't think either of you is making stuff up or is "dead wrong". And in such a large industry, with several different quality segments, it's very possible that there's more than one way to do it.
Like you said, the GM, the owner, and the franchise group is a fuzzy designation at best. The contract is always with the owning entity, but management will most likely select the provider.
It's not a fuzzy designation, it's what happens when the backroom guys are literally playing Monopoly with real world objects.
I was with Wayport (now AT&T). Who are you with?
Some here are dismissing js-alternatives to their products (e.g. html only) with the rhetorical question "who surfs without js nowadays anyway?".
How do you take care of the aforementioned problem?
But seriously, you're just as screwed if they inject HTML that changes the form submit URL for your password to an attacker-controlled site. The real answer to this problem is HTTPS, everywhere.
My point is that this should be a concern for the developer of an application and not be pushed onto the "dumb user".
I'm sure that there are better answers than three letter acronyms.
It's unreasonable to assume that the majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that the majority of users will surf with js disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
How is this possible?
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice.
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
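The defence against the walkthrough above is to stop the browser from ever sending step 2's plaintext request, which is what HSTS (Strict-Transport-Security) does. The following is an added example, not code from anyone in this thread: a minimal model of a browser's HSTS cache, exact-host only (includeSubDomains and the preload list are left out), with an injectable clock so expiry can be exercised offline.

```python
import time
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

def parse_max_age(header: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value; None when the
    directive is missing or malformed, in which case a browser ignores the
    whole header."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

class HstsCache:
    """Browser-side list of hosts known to be HTTPS-only. Exact-host only:
    includeSubDomains and the preload list are left out for brevity."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._expires = {}         # hostname -> absolute expiry time

    def observe_response(self, url, headers):
        """Learn a policy, but only from an HTTPS response. A header seen over
        plain HTTP is ignored, otherwise Mallory could set policies herself.
        Header names are assumed to be lowercased already (constructed input)."""
        parts = urlsplit(url)
        header = headers.get("strict-transport-security")
        if parts.scheme != "https" or header is None:
            return
        max_age = parse_max_age(header)
        if max_age is None:
            return
        if max_age == 0:           # max-age=0 tells the browser to forget the host
            self._expires.pop(parts.hostname, None)
        else:
            self._expires[parts.hostname] = self._now() + max_age

    def navigate(self, typed):
        """Return the URL the browser actually requests for a typed address.
        For a known host the http->https upgrade happens before any packet
        leaves the machine, so Mallory never sees step 2's plaintext request."""
        url = typed if "://" in typed else "http://" + typed
        parts = urlsplit(url)
        if parts.scheme == "http" and self._expires.get(parts.hostname, 0) > self._now():
            parts = parts._replace(scheme="https")
        return urlunsplit(parts)
```

Note the gap this exact-host model leaves: a policy learned from https://www.paypal.com/ does not cover the bare "paypal.com" Alice typed in step 1, which is why real deployments rely on includeSubDomains on the apex host and the browser preload list.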
I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.
Though, the network is open, which is a danger in itself; the network asks you to accept an invalid security certificate (which means they're MiTM-ing everything from the get-go), and then they took the time to make you read/accept an agreement stating in bold that this is an insecure network, and that everything you do over it will be audited and monitored (SSL stripping). As a juror, you must then sign in using your badge#.
It defeats the purpose of any of these post-associated protections if an attacker simply injected his own certificate, or JavaScript frame. Even creating a honeypot rogue AP using any number of wireless-capable devices such as smartphones and mobile routers, even wristwatches & sunglasses.
Compromising a jury from an attacker's standpoint would be to sit in the cafeteria and literally eat cake.
Receiving spam ads is the least of your worries.