I told the flight attendant "the WiFi isn't working"(twitter.com) |
I went to the support person and she offered to reset the WiFi, but I explained that she needed to escalate it because it was a configuration problem, resetting it was only a temporary solution.
(edit: PyCon 2006 IIRC, DFW)
Don't keep us hanging!
That was the biggest fluster cluck I've ever seen.
The hotel sabotaged the DSL line that provides Internet access until thousands of dollars in previously undisclosed fees were paid.
It’s unfortunate that, below HTTPS and a light smattering of WiFi encryption, there’s essentially no authenticity controls on LAN management protocols.
If only we could get the industry to move to this model, we could dramatically reduce the amount of congestion due to APs broadcasting multiple SSIDs.
We used to just login on our phones, then tether the work laptop to the phone over USB. The security people caught up to that a couple years ago and disabled USB tethering. So now I alter my laptop's MAC to be the same as that from the work laptop. That tricks about 90% of hotel wifi into allowing the work laptop to connect without need of a splash page. But for the other 10%...
(Not a joke, I do this) I sometimes login to the hotel wifi on my personal phone, tether that phone to my personal laptop, then setup that laptop as a router. The work computer can then connect to the wifi from the personal laptop, which tethers into the phone, which is on the hotel wifi. All of this just to avoid another ridiculous wifi login page.
The Nintendo Switch actually had a browser either at launch or close to it, then removed it in an update, and didn't add it back until about 3 years later.
It's really hilarious that a device that touted its portability from the beginning was literally incompatible with most public Wi-Fi for years.
It has not: it's simply easier (less infrastructure) to not implement 802.1X.
Basically every corporate / enterprise-y password where you use your AD/LDAP credentials to log into Wifi has gone through the effort. Not everyone wants (or needs) to do that. (Source: recently implemented 802.1X as IT when we moved to a new work office.)
If I want to learn more about what the author is doing, is there a resource like a udemy course or YouTube channel you guys can recommend?
Why isn't the solution as simple as, "Reset the Internet at every flight turnover"? Once the plane lands and (almost) everyone deplanes, hit the button as another step in crew handover.
They called their manager, who was also surprised but decided to go along with it and restarted the modem, solving the problem. I remember all the employees were looking at me for the rest of my visit (which was a few hours because at that time I was working from Starbucks).
Glad I wasn't the only one :)
Btw back then, Microsoft was suggesting to get the certifications after a few years in the industry. I received most certifications because my employers required them for some projects or customers. The last (MS) certification I got was around 2009, and I didn't need any of those during my developer years.
What exactly, in this fictional universe, is the restoration flow if it is pressed?
The plane usually tells you if the WiFi is provided by viasat, anuvu, or any of the other big players.
These companies program this stuff before it goes into the aircraft and the airline IT has no access to this stuff.
Without the missing info, it’s almost impossible to trace this.
If this debugging is true... I'd guess Panasonic from experience working there.
Things like an office scavenger hunt usually took priority over actual work.
I worry that this is actually part of a RESTful interface. In that case it probably garbage collected erratarob et al, replacing them with a fresh version of our universe's page that had working internet for that plane.
Until someone proves me wrong we probably shouldn't press that button again...
We replaced the router, but the problem turned out to actually be that a construction worker had accidentally cut our fiber line.
Absolutely no clue how my laptop got to the internet. It must have failed over to some other WiFi network or something
Or just hit the 'internet reset' before each boarding, why are they over complicating this?
(Yes, I know they’re not actually hacking tools, but try explaining that to a random flight attendant.)
Question would be how high in the management chain did that have to go before a "internet reset" button was added to a plane.
I wasn't sure how to debug it.
I used to have a little wifi antenna on my car. Some called it "wardriving" but I called it being able to check my email while traveling.
Also it wasn't that uncommon to expose a computer to internet through the router, so you had to make sure that computer didn't change its IP.
I think having to set these up yourself is the best way of learning them.
Back in the day, setting up random hardware or VMs on an isolated subnet taught you everything you needed to know about low level network protocols like DHCP, STP, BOOTP, ARP, RARP, and how to sniff it all with Wireshark when you weren’t getting a lease
Containers have largely hidden this plumbing from us at a test/dev layer
“You can't buy a hard copy of the 8th edition, but instead can rent (and then choose/pay to keep the hardcopy if you want a hard copy book). You can rent a copy or subscribe to Pearson+ from our publisher, or rent a hard copy or purchase a Kindle version from Amazon, or rent a hard copy from VitalSource.”
That’s just… odd!
Admittedly, it runs on much fewer platforms - meaning Raspberry Pi for me.
If you want to know "how to use them in the real world", some universities have "System Administration" courses that would be more suitable, or learn the certification program (CCNP, CCIE, JNCIP and others) materials with their labs.
The rest I learned in the last year by switching to pfSense/Opnsense for my router/firewall.
But think about it from the end user perspective. Literally the most simple instruction; near fault proof. On an airplane that is thousands of feet from remote IT support (plus "costs").
The instruction to staff; problem with "the Internet"? - press the "Internet Reset" button.
Far better than "router restart", "renew DHCP leases" or "reboot IT"
Explicit, non ambiguous and without technobabble.
Brilliant.
Obviously you don't want to have to restart to fix issues, but having that as a fallback (especially for issues you didn't predict during development) is great UX.
Internet is not working Solution: Set it again to working condition, thus reset Internet.
Sometimes it is pointless to go into technical details. I was on a flight with issues with the infotainment systems; they fixed it by restarting them. Or reset.
The "internet reset" message makes sense in all languages that I know. Same with the power button.
What do you think they mean in other languages?
It's like "why do recursing DNS servers spam queries if they don't get an answer within 10 milliseconds?" To give you an idea how shortsighted this is, a production grade DNS server doing this also supports response rate limiting (warfighting capability which treats the spamming as spam), and the recursing DNS server is supposed to be caching and should be trying to optimize "whole of page" to achieve so-called "happy eyeballs".
To give you a somewhat more technical explanation, a MAC address can be permanently tethered to an IP address (so that each time it connects it always gets that address on that particular network). When that is not done (when there is no association for a particular MAC), an address is assigned from a (finite) pool. In some deployments the finitude of the pool provides a "fusible link" for defense in depth against some forms of resource exhaustion.
The MAC address is visible regardless of whether or not a device is connected to a network: it is an address (it has broadcast and multicast too). When devices are not connected to a network and want to go around mumbling "notary sojack" (with a major 0) to every man + dog + keyhole to see who/what responds there's no downside for them doing it; at least, I haven't seen any hostapd option for running a tarpit like we do for some level 3/4 services (the first attempt is rejected; sometimes the entire TCP handshake is completed and at the app level the server says "not now, try later").
Once they're connected to a network there's a network stack with DHCP, ARP and server state. The set of MAC addresses is orders of magnitude larger than the set of IP addresses in a DHCP pool. It doesn't "hand out an address" as the first order of business; it records your MAC address and gives you an address from the pool. Addresses return to the pool when the lease expires or when they're observed not to be in use. (There is a DHCPRELEASE op but crappy software so defense in depth doesn't rely on clients cleaning up after themselves.)
Once you've got an IP address associated with a MAC address associated with your network interface it looks like a LAN segment on the internet. If somebody on the segment wants to send a packet to that IP address they use ARP to ask what hardware machine code (MAC) do I address a packet to this IP address to? (IP addresses are a layer of indirection)
Beyond that the LAN segment is connected to other segments with a router. The router knows things about topology that you're not supposed to know, and more importantly that random peers elsewhere on the internet aren't supposed to know. If you were on a LAN segment connected with a hub, you'd have some idea what other internet addresses were active on that segment. You can make an educated guess about what addresses are allowed (by the router) on that segment based on the broadcast mask; you could perhaps ping addresses within the broadcast range to see which ones are / aren't in use and hijack one of them.
What happens to packets which are part of a session which are in-flight when an IP address changes? Quite frankly, many applications very wrongly presume that an address (or DNS name, but that's out of scope) is some form of identity. TCP has no way to change one of the addresses mid-session. So you're not going to be changing the IP address with garden variety cloud services.
Now we've got the problem defined: what happens if the MAC address associated with an address changes? First off, packets coming from the router destined for the old MAC address based on the cached IP -> MAC association are going to start dropping. Or be intercepted: what's to stop some joker from grabbing such an address and claiming the "legitimate" holder is the impostor?
(I wouldn't be so sure that you can't see wifi traffic which isn't addressed to your MAC if you've successfully authenticated to a wifi network. It's more like a hub, at least if you're connected to the same AP.)
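A toy model of the mechanics in the comment above (a finite DHCP pool keyed by MAC, lease expiry returning addresses to the pool, and a router ARP cache that breaks or gets hijacked when the MAC behind an IP changes). This is an added example, not code from the thread; all addresses are constructed, no sockets are opened, and the class and function names are this example's own.

```python
"""Simulation of a DHCP lease pool and a router ARP cache (added example)."""
import ipaddress


class DhcpPool:
    """Finite pool of addresses handed out per MAC, with lease expiry."""

    def __init__(self, first, last, lease_seconds):
        start = int(ipaddress.IPv4Address(first))
        end = int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}    # mac -> (ip, expiry)
        self.reserved = {}  # mac -> ip, the "permanently tethered" case

    def reserve(self, mac, ip):
        """Static binding: this MAC always gets this IP; pull it out of the pool."""
        self.reserved[mac] = ip
        if ip in self.free:
            self.free.remove(ip)

    def expire(self, now):
        """Return expired leases to the pool (does not rely on DHCPRELEASE)."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)

    def request(self, mac, now):
        """DHCPDISCOVER/REQUEST from `mac`; None means the pool is exhausted."""
        self.expire(now)
        if mac in self.reserved:
            return self.reserved[mac]
        if mac in self.leases:  # renewal keeps the same address
            ip, _ = self.leases[mac]
            self.leases[mac] = (ip, now + self.lease_seconds)
            return ip
        if not self.free:
            return None  # the finite pool is the "fusible link"
        ip = self.free.pop(0)
        self.leases[mac] = (ip, now + self.lease_seconds)
        return ip


class ArpCache:
    """Router-side IP -> MAC table with conflict detection."""

    def __init__(self):
        self.table = {}

    def learn(self, ip, mac):
        """Record a binding; returns True when an existing IP flipped to a new MAC."""
        old = self.table.get(ip)
        self.table[ip] = mac
        return old is not None and old != mac

    def next_hop(self, ip, live_macs):
        """MAC a frame for `ip` is sent to, or None if the cached MAC is gone."""
        mac = self.table.get(ip)
        return mac if mac in live_macs else None


def scenario():
    """Walk through exhaustion, expiry, and an IP->MAC flip; returns the observations."""
    pool = DhcpPool("192.0.2.10", "192.0.2.12", lease_seconds=60)  # constructed, 3 addresses
    arp = ArpCache()
    macs = ["02:00:00:00:00:%02x" % i for i in range(1, 6)]  # constructed MACs

    given = [pool.request(m, now=0) for m in macs[:4]]  # 4th request finds an empty pool
    after_expiry = pool.request(macs[3], now=61)         # leases expired, pool refilled

    victim_ip = given[0]
    arp.learn(victim_ip, macs[0])
    # victim changes its MAC (or an attacker claims the same IP): router cache flips
    flipped = arp.learn(victim_ip, macs[4])
    # frames for victim_ip now go to the new MAC; the old holder no longer receives them
    receiver = arp.next_hop(victim_ip, live_macs=set(macs))
    dropped = arp.next_hop(victim_ip, live_macs={macs[0]})  # new MAC gone -> drop

    return {
        "given": given,
        "exhausted": given[3] is None,
        "after_expiry": after_expiry,
        "flipped": flipped,
        "receiver": receiver,
        "dropped": dropped is None,
    }


if __name__ == "__main__":
    print(scenario())
```

The `flipped` flag is the signal a DHCP snooping / dynamic ARP inspection feature keys on; the model does not implement enforcement, only the observation that the old holder silently stops receiving frames.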
It's bullshit.
My software skills still play a part in what I do. But seven or eight years ago now I felt drawn to explore a vocation in ordained ministry – after study, a formation programme, completing a Masters degree in Divinity, and a lot of thought and prayer, here I am. It's the happiest I've ever been. Which isn't to say that it hasn't been difficult: being a cleric is not easy work.
Intentional discernment about vocation really has made my life a lot happier, and it's something I talk about a little because it's of value to other people as well.
(I'm in the Anglican [in the states, Episcopalian] tradition, but the process of ministerial formation is very broadly similar between the various mainline protestant denominations and Roman Catholicism.)
Software engineer turned priest, perfect story for HN on Christmas Day, do tell!
Can it make it painless to manage multiple APs and to get fast roaming, etc working? UniFi pulls this off nicely — there’s nothing particularly fancy under the hood AFAICT, but it all just works. A more intelligent solution where clients got assigned to appropriate VLANs would IMO be extra nice.
(The enterprise vendors seem to have decent ACL and maybe even anti-spoofing measures for their wired networks, and they have some security features for wireless, but I haven’t seen anyone with a nice solution that makes wired and wireless security cooperate. I haven’t looked that hard.)
Soon we are planning to support an OpenWRT package that will allow people to link up into SPR from lots of APs, provided the AP card supports AP/VLAN mode which is critical for the segmentation.
We have no plan to work more closely with managing RADIUS right now, enterprise wifi authentication is difficult to deploy securely without client-side certificates for authentication. So that makes it less appealing due to our goal of supporting any kind of wifi capable device.
Lastly, SPR does have an upsell feature where we support leaf node APs running SPR that have backhaul into a primary instance.
I think SPR looks neat, it’s a more well-packaged version of essentially what I already do (albeit in a kludgey way), hence the curiosity about ambition.
So the hostapd configuration for SPR has the following components:
- ap_isolate=1
- per_sta_vif=1
- unique passphrases for devices
- firewall rules
ap_isolate stops the AP from doing L2 forwarding between clients using the pairwise keys. the per_sta_vif=1 will also ensure that each client has a unique GTK so they can't use group key encryption to communicate without the AP.
Next, unique passphrases are used. Without this, it's possible for a malicious device to decrypt WPA2 traffic passively or spin up a Rogue AP to capture traffic from peers.
And lastly -- firewall rules with default deny connect devices by policy.
That ap_isolate alone is not enough is kind of interesting, as it's possible to instead push packets to the router that will then forward to the client destination. Most off the shelf routers have forwarding on without a default deny policy, enabling this. The subtlety here is the attacker uses the router as the L2 destination instead of the other wireless client. At the very least attackers can send UDP packets to bypass the intended isolation. This bypass is especially powerful when changing mediums between Wireless and Wired as the Wired victim receiving packets will be responding back to the router, and on many consumer routers a full TCP connection will be possible then.
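A model of the bypass described in the comment above: with ap_isolate the AP refuses to bridge a frame from one wireless client straight to another, but a client can address the frame to the router's MAC with the peer's IP as the L3 destination, and a router whose forward chain is not default-deny will happily route it back out. This is an added example, not SPR's code or hostapd's; the config text, MACs and IPs are constructed, and the `Router`, `AccessPoint` and `check_hostapd` names are this example's own.

```python
"""Client-isolation bypass via L3 forwarding, plus a hostapd.conf check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class Router:
    """Routes between segments; `default_deny` models a forward chain with a default drop."""

    def __init__(self, mac, arp, default_deny, allow=frozenset()):
        self.mac = mac
        self.arp = arp                # ip -> mac for directly connected hosts
        self.default_deny = default_deny
        self.allow = allow            # explicitly permitted (src_ip, dst_ip) pairs

    def forward(self, frame):
        if frame.dst_mac != self.mac:
            return None
        if self.default_deny and (frame.src_ip, frame.dst_ip) not in self.allow:
            return None
        nxt = self.arp.get(frame.dst_ip)
        if nxt is None:
            return None
        return Frame(self.mac, nxt, frame.src_ip, frame.dst_ip)


class AccessPoint:
    """Wireless AP; `ap_isolate` blocks direct L2 delivery between its stations."""

    def __init__(self, ap_isolate, stations, wired, router):
        self.ap_isolate = ap_isolate
        self.stations = stations      # MACs associated to this AP
        self.wired = wired            # MACs reachable behind the router on the wire
        self.router = router

    def deliver(self, frame):
        """Return the MAC that finally receives the packet, or None if it is dropped."""
        if frame.dst_mac in self.stations:
            return None if self.ap_isolate else frame.dst_mac
        if frame.dst_mac == self.router.mac:
            out = self.router.forward(frame)
            if out and (out.dst_mac in self.stations or out.dst_mac in self.wired):
                return out.dst_mac
        return None


def bypass_matrix():
    """Attacker (wireless) -> victim, for every ap_isolate / default-deny combination."""
    router_mac, attacker, wifi_victim, wired_victim = (
        "02:00:00:00:00:01", "02:00:00:00:00:a1", "02:00:00:00:00:b1", "02:00:00:00:00:c1")
    arp = {"10.0.0.2": attacker, "10.0.0.3": wifi_victim, "10.0.0.4": wired_victim}
    results = {}
    for isolate in (False, True):
        for deny in (False, True):
            router = Router(router_mac, arp, default_deny=deny)
            ap = AccessPoint(isolate, {attacker, wifi_victim}, {wired_victim}, router)
            direct = ap.deliver(Frame(attacker, wifi_victim, "10.0.0.2", "10.0.0.3"))
            via_router = ap.deliver(Frame(attacker, router_mac, "10.0.0.2", "10.0.0.3"))
            to_wired = ap.deliver(Frame(attacker, router_mac, "10.0.0.2", "10.0.0.4"))
            results[(isolate, deny)] = {
                "direct": direct is not None,
                "via_router": via_router is not None,
                "to_wired": to_wired is not None,
            }
    return results


def check_hostapd(conf_text):
    """Report which isolation knobs a hostapd.conf actually sets (ignores comments)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return {k: settings.get(k) == "1" for k in ("ap_isolate", "per_sta_vif")}


# Constructed config for illustration; not a real deployment file.
SAMPLE_CONF = """interface=wlan0
ssid=example
wpa=2
ap_isolate=1
# per_sta_vif=1   (commented out: still off)
"""

if __name__ == "__main__":
    print(bypass_matrix())
    print(check_hostapd(SAMPLE_CONF))
```

In the matrix, only the (ap_isolate=True, default_deny=True) row drops all three paths; ap_isolate alone still lets the attacker reach both the wireless and the wired victim by way of the router, which is the point the comment makes.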
You just need the state set to “good”, regardless of which bits need to change and current state. Hit the button and it makes it “good”.
FYI, The word you're looking for is idempotence (EYE-dem-poh-tense).
I stand my ground on using quotes.
"Reset" "Internet".
I can imagine the hospitality industry would not want the WiFi sporadically going down for their guests; that's not a very hospitable experience.
There’s a reason why many conferences deploy their own wifi infrastructure
She offered a solution, customer refused it. She had no obligation to act further (assuming no such requirements set by company policy).
Typing too fast and not paying attention.
Although I do like your interpretation. Maybe I’ll call poorly implemented or useless functions impotent from now on.
Does the OS not pay attention to DHCP option 114:
> This document describes a DHCP option (and a Router Advertisement (RA) extension) to inform clients that they are behind some sort of captive-portal device and that they will need to authenticate to get Internet access. It is not a full solution to address all of the issues that clients may have with captive portals; it is designed to be used in larger solutions. The method of authenticating to and interacting with the captive portal is out of scope for this document.
* https://datatracker.ietf.org/doc/html/rfc8910
Why go through a laptop? Isn't this exactly what generating a hotspot from the phone does?
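Following up on the DHCP option 114 (RFC 8910) comment above: what a client would actually have to do is find the option in the DHCPOFFER/DHCPACK options field and decide from its value whether it is behind a portal. The encoder, parser and the DHCPOFFER bytes below are an added example, not code from the thread or from any DHCP client; the sample offer is constructed, and the `https` check reflects the HTTPS-only captive portal API of RFC 8908.

```python
"""Build and parse DHCPv4 options, extracting the RFC 8910 captive-portal URI (added example)."""
import struct
from typing import Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the DHCPv4 options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CAPTIVE_PORTAL = 53, 54, 114
# RFC 8910: this URI means "no captive portal" rather than a portal to visit.
UNRESTRICTED_URI = "urn:ietf:params:capport:unrestricted"


def build_options(entries: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (code, data) pairs as the options field of a DHCPv4 message."""
    out = bytearray(DHCP_MAGIC)
    for code, data in entries:
        if not 0 < len(data) < 256:
            raise ValueError("option %d data must be 1..255 bytes" % code)
        out += struct.pack("!BB", code, len(data)) + data
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the options field; repeated codes are concatenated (RFC 3396 style)."""
    if blob[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")   # never trust the length byte
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def captive_portal_state(opts: Dict[int, bytes]) -> Tuple[str, str]:
    """Classify option 114: 'absent', 'unrestricted', 'captive' or 'invalid'."""
    raw = opts.get(OPT_CAPTIVE_PORTAL)
    if raw is None:
        return ("absent", "")
    try:
        uri = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("invalid", "")
    if uri == UNRESTRICTED_URI:
        return ("unrestricted", uri)
    if not uri.startswith("https://"):
        return ("invalid", uri)   # API is HTTPS-only; a plain-http value is not trusted
    return ("captive", uri)


# Constructed DHCPOFFER options (message type 2, server 192.0.2.1, option 114 set).
SAMPLE_OFFER = build_options([
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SERVER_ID, bytes([192, 0, 2, 1])),
    (OPT_CAPTIVE_PORTAL, b"https://captive.example.com/api"),
])

if __name__ == "__main__":
    print(captive_portal_state(parse_options(SAMPLE_OFFER)))
```

A client that sees `captive` can open the portal immediately instead of waiting for a probe URL to be hijacked; one that sees `unrestricted` knows not to expect a portal at all, which is the case the hotel-wifi workarounds earlier in the thread are fighting.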
You used the wifi, you didn't tether to your Nokia 6650.
We went into these hotels telling them "I know you offer WiFi, but we are a tech conference, we're going to be using the WiFi harder than your normal event." They'd all say "It's fine", but they'd quickly learn it wasn't fine.
There wasn't really the option to use the cellular network for data at that time.
We eventually ended up running our own WiFi for quite a few years, because the venues consistently would just end up a smoking crater. The first year in Chicago the venue had this fancy centrally controlled wifi that was supposed to be all smart, but even after a field upgrade because the central CPU couldn't keep up, it was just a disaster.
Ended up going with a bunch of relatively inexpensive APs all set on low RF power, where the venues always wanted to have one or two APs on high power. Basically solved our problems.