Hotel WiFi Passwords — 2018 edition (aka what a snore fest)

Yet again, I am in a hotel using their wifi. Again, after being asked during check-in if I wanted wifi access, I was curious about how their wifi password would stand up to any kind of security test as they handed me a slip of paper with the information.

Sigh, it is a terribly obvious password that would only barely pass a “security by obscurity” test by virtue that by and large, people don’t have wifi guessing software with standard dictionaries ranging from a normal library dictionary to a hacker dictionary that anyone’s 11 year old could probably compile, certainly with the help of their friends. In fact, while there are no doubt dozens, no hundreds, no thousands of “obvious” word combinations that would meet the following criteria, it in fact is obvious that it is intended to be very easily remembered by an overwhelming majority of people, be they a typical everyday-anyone-off-the-street person, or a tech savvy person, or a forgetful person, or children, or “even your mom” (I am trying to delicately refer to my mother, who is both not tech savvy in the least, and very experienced in life, if you take my meaning.)

Back in 2015, I was on the subject again, having been impressed at least that the wifi password given to me appeared to be auto-generated at check-in, and obviously not susceptible to simple dictionary attacks.

I started this rant on hotel passwords in 2009 during a series of business trips in which I was at a lot of hotels, and was frustrated for the innkeepers that their wifi would have been so easy to steal for the cost of a night at the hotel and a series of repeaters in the bushes.

Since then, however, I came to realize that my concerns were a bit overrated. Firstly, the potential of signal theft in that fashion was only really useful for neighbours of the hotels. Secondly, the technical aspects of providing multiple repeaters and power cords down the street (or as the case may be, through the woods) make the cost, both financial and in terms of maintenance, somewhat impractical beyond a few hundred feet.

This is based on some personal experience of the legitimate variety: Since about 2011, my neighbour at the cottage has had internet provided through, I believe, line-of-sight microwave service; it includes VOIP service to provide telephone service, which apparently is prioritized within the router setup. He kindly gave me the wifi password. After about a year, I installed a wifi repeater so that it could be useful within the house, since there was only about one location within the house within a usable radius of the neighbour’s router (a solid two to three hundred feet away); fortunately, I could plug in the repeater at that location. I have since also been giving him some money annually in appreciation.

What have I found?

The repeater is useful. It itself provides constant signal, although it has been susceptible to things like weather, tree foliage, and the like. And, unfortunately, the general service seems to be susceptible to the same, plus things like mountains, and probably the dozens of customers just on my lake and neighbouring lakes. (Yes, people keep on complaining, and no doubt the suppliers’ techies just shift “prioritizing” their services to each successive round of complaining customers, at the expense of the rest of their customers.)

But to wit, the quality of service, at least on the repeater we have, is only barely useful for things like YouTube and the like under the best of conditions; the speed drop from beside the router to our repeater is such that we were able to demonstrate to our neighbour that even if we were consuming such services, we could not be the source of the fluctuating service affecting his internet service (see above.) In any case, by and large we respect a request from him that we not use it to stream video and download large files, since his usage is also metered.

My brother has been wanting to improve our end of the signal for years by setting the repeater near the edge of the property, closer to our neighbour, with things like “waterproof boxes”, electrical extensions, and Ethernet cable through the woods a bit, and then hanging in the air above the clothesline. I have been responding bah humbug, it seems far too susceptible to the elements. As a former geocacher, the notion of a “waterproof” container left out in the woods is no simple feat, and even were it to remain locked, it — and the power cable, and the Ethernet cable too — likely would become susceptible to the elements in short order, and not worth the maintenance effort. It seems to be a challenge beyond most commoners such as myself and even I suspect my brother, more along the lines of what the phone company or electric utility face on a daily basis. Remember how annoying it is when the power goes out or the telephones (landlines or cell network) don’t work? Why do they have local teams on the ready 24 hours a day to deal with this? Such outages are regular due to trees falling, water infiltration, and the like.

Is it really worth going to all this trouble in order to have a series of repeaters going down the street for free wifi? I doubt it would be useful to any real degree except to demonstrate proof of concept to your friends for bragging rights.

So … does it really matter how easy it would be to hack a hotel’s free wifi?

Obviously, to the hotel and any costs incurred, of course. The reduction in service and inconvenience that in principle such a signal theft may cause to the hotel and its guests? Of course. And, any illegal activities in which such illicit users may be engaging (kiddie porn, spam, financial fraud, etc.), of course it matters.

But, is anyone beyond the immediate neighbours going to bother with the series of repeaters and power lines through the bushes and/or down the street, possibly spanning several blocks and neighbourhoods?

I have to say “Poppycock!”

PS The “snore fest in the title” was not meant as a pun, but realizing that it unintentionally is — well, I like dumb jokes and puns, especially the dumb ones. 🙂 So, keeping it is intentional.

Fedora Linux spotted on 60 Minutes

Just watching 60 Minutes on CBS this evening, and the piece is on “hackers and cell phones”, air date 17 April 2016.

At one point, the reporter is calling, from Berlin, a person to whom she’d sent a cell phone. You see them switch to the hackers being interviewed for the piece, and their computer screen. On it, a command line shell with a bunch of code and output were displayed, and, whaddya know, in the upper left hand corner, there was a Fedora Linux logo. Offhand, because of the positioning of the logo, I’m guessing that they use XFCE.

Cool!

More on hotel passwords

Back in 2009, I was ranting about hotel passwords and the lack of any serious consideration most gave to their wifi access, in “Hotel internet access passwords — Here’s a case for Captain Obvious” and “Well Hallelujah! Big Brother has finally acted!”

Well here I am in 2015 writing again on the subject. As you can guess, I’ve used plenty of motels and hotels in the intervening almost six years. As you can guess again, I’ve pretty much given up on my rant since then. And, as you can guess yet again, I’m currently sitting in a motel, using their WiFi.

And can you guess what comes next?

Well, when I checked in, they asked me “Would you like WiFi access?” which tipped me off to ask about whether or not the passwords are auto-generated each time someone checks in. Of course the poor lady was bewildered by the question, to which I responded, “Don’t worry, I’ll have the answer to my question when you hand me that ticket.” And whaddya know, it had a wifi access code that was obviously created on the spot after she’d clicked once or twice on her keyboard and looked at the screen before writing on the ticket. Not too too strong at only five alphanumeric characters, but it wasn’t a dictionary word. The sign-in page said that the code was case-insensitive. My untrained eyes would guess it would only come up in a brute force attack, if someone were willing to try all 60,466,176 possible combinations, assuming it’s just the 26 letters in the alphabet and the 10 digits, with no special characters, and they only give out codes five alphanumeric units in length. Of course this ignores the fact that only the “currently active” codes are, well, active, that the system probably has some kind of maximum tries per period of time per MAC address, and the like.
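The estimate in the paragraph above, carried through from the operator's side as an added example (not part of the original post): how long random guessing is expected to take once the number of currently active codes and a cap on tries are taken into account, and how long a code has to be to meet a target. The 200 active codes and the attempt rates are constructed values, and all function names are hypothetical.

```python
from fractions import Fraction

# From the post: case-insensitive codes drawn from 26 letters + 10 digits.
ALPHABET_SIZE = 36


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct codes of the given length."""
    return alphabet ** length


def expected_guesses(length, active_codes, alphabet=ALPHABET_SIZE):
    """Expected number of distinct guesses before the first hit on ANY
    active code, when guesses are never repeated.

    With N possible codes of which k are active, the first hit in a random
    ordering of the keyspace sits at position (N + 1) / (k + 1) on average.
    """
    n = keyspace(length, alphabet)
    if not 1 <= active_codes <= n:
        raise ValueError("active_codes must be between 1 and the keyspace size")
    return Fraction(n + 1, active_codes + 1)


def expected_days(length, active_codes, attempts_per_hour,
                  alphabet=ALPHABET_SIZE):
    """Expected wall-clock days to the first hit under a cap on tries.

    attempts_per_hour is the total guess rate the portal lets through
    (an assumption; the post only says a cap 'probably' exists).
    """
    if attempts_per_hour <= 0:
        raise ValueError("attempts_per_hour must be positive")
    hours = expected_guesses(length, active_codes, alphabet) / attempts_per_hour
    return float(hours / 24)


def min_length(target_days, active_codes, attempts_per_hour,
               alphabet=ALPHABET_SIZE, max_length=16):
    """Shortest code length whose expected time-to-guess meets target_days."""
    for length in range(1, max_length + 1):
        if keyspace(length, alphabet) < active_codes:
            continue  # cannot even issue that many distinct codes
        if expected_days(length, active_codes, attempts_per_hour,
                         alphabet) >= target_days:
            return length
    raise ValueError("no length up to max_length meets the target")


if __name__ == "__main__":
    # Constructed scenario: 200 codes active at once, 5-character codes.
    print("keyspace:", keyspace(5))
    for rate in (10, 600):
        print(f"{rate:>4} tries/hour -> "
              f"{expected_days(5, 200, rate):8.1f} days expected, "
              f"min length for one year: {min_length(365, 200, rate)}")
```

The number of active codes matters as much as the code length: every simultaneously valid code divides the expected guessing effort, which is why the rate cap carries most of the weight at five characters.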

Of course, it would probably be cheaper and easier to rent a room, but then I don’t really know how easy or difficult

Of course this story’s postscript is that when I entered the code, it didn’t work — so I called to the front desk to report this and ask for a new one. Whaddya know, Big Brother not only has finally acted, he keeps records — the nice lady asked “Is it such and such?” I answered “not quite, here’s what’s written.” Turns out, the handwritten part of the code that said “U1” sure looked like a “W”.

Hallelujah, indeed.

My participation at FUDCon Tempe 2011

(I know, I’m a month late on this.)

I went to FUDCon for the first time this year; it was the first large gathering of Linux / Fedora / Computer people I’d attended, and I’m glad I went. I was also pleased to finally see so many Fedora desktops — over time I’ve become mildly frustrated being the only Fedora / Red Hat person in the room, often in a sea of Ubuntu.

One of the more difficult things was figuring out in advance the nuances of how things would work: Not ever having been to a BarCamp style event, I had no clue how or whether a presentation I had prepared would be accepted, let alone inserted into the schedule.

My participation:

Friday

After a day of touristy stuff in downtown Phoenix, I showed up about 5:30pm ish to the courtesy room at the Courtyard in Tempe. After helping stuff nametags into plastic nametag holders on neckstraps, I actually managed to regale people with my stories about crossing the Canada/US border and get plenty of belly laughs. Harish and I managed to exchange a quip to the order of “Oooh, I get to meet the myth!” — first by my stating amazement at finally meeting someone who had once actually installed SLS Linux, and in turn being on the receiving end from Harish when I confirmed that I’m one of the Trekkie myths. In between, the two of us held court on the subject of rotary phones, much to the amazement of Ryan — a university student under 20 — at the anachronism. In the meantime, opensource.com was celebrating its first birthday and supplied pizza, beer and cake.

Saturday:

BarCamp pitches, voting, and State of Fedora Address

The pitches were an interesting experience — Of the 170 or so actual participants, it seemed as though at least a third if not half the room got up to pitch their presentation! During the voting process, near the end, I was quite pleased to note that approximately 30-40 people had voted for my presentation. Afterwards, Jared from Red Hat gave his “State of Fedora” address, the audio of which can be found here (here’s my archive). His main messages dealt with growth and working together; Fedora is strong, not just because of the bits on the CD but because of the people. His ultimate message was that “Fedora will be stronger tomorrow because of the work today.”

Presentations:

Open Source Anthropology / Diana Harrelson

This was one of the more interesting presentations I attended. Diana did some research for her master’s degree on online communities, and chose the Fedora community as her test subjects. Some of the things that we as linux users — both Fedora and the greater Linux community — know about ourselves were confirmed. One such point that she underlined was the

Future Fedora and Reducing Bureaucracy / Max Spevack and the Fedora Board

This was an “interesting” session — perhaps not the best for me. What I found most interesting was how bureaucratic the meeting felt, and not just because of the subject being discussed. Of course it discussed how frustrated people are with how to get others involved in the Fedora project.

Fedora Security Lab and Securing Linux / Joerg Simon and Donald Buchan

Joerg’s presentation was interesting — he talked about one of Fedora’s spins, tailored to include a bunch of tools on how to test system security by measuring all sorts of parameters — open ports, security holes, and the like. I’ve downloaded it and plan on taking a look at how it operates.

My presentation worked out ok; people seemed (at least politely) receptive to my talk, the subject, and my suggestions. The most contentious issues? Root access, root passwords vs. keys, and su vs. sudo.

Juicy Software Repo Management with Pulp / Jason Connor and Jay Dobies

Even though it would have gone over my head as much as software repo management did, I wish I had gone to Jeff Darcy’s Cloud Filesystem presentation since he’d been telling me about it on Friday evening. Unfortunately I don’t think I got anything out of this presentation, however well it was presented.

I Want to Keep on Hacking but my Hands Hurt / Mel Chua and Sebastian Dziallas

This was a fun presentation — Mel and Sebastian brought a bunch of ergonomic toys related to relieving and avoiding stresses related to using a computer. There were a lot of de facto visual gags as a result of people using the toys or assuming less harmful positions and ways to use your computer better.

FUDPub

Well as usual I showed off how horrible I am at games by agreeing to be beaten by, er play against Clint at ping pong. Food was great; burrito night! There also was plenty of liquid refreshment. I got to meet a computer science professor from Seneca College in Toronto, and thank him for the wiki he’d put up for his students’ participation in FUDCon, which can be found here (here’s my archive). Although I only found it the day before I left home, this was invaluable for framing and gelling all the little details about my participation.

Sunday

Designing UI mockups in Inkscape / Máirín Duffy

This presentation was a bit more amusing for me; at least it wasn’t over my head. 🙂 Máirín proved to be a true mistress when it comes to Inkscape, even though I suspect that for her and most Inkscape users what she was doing was basic stuff to be expected by anyone in graphic design. The coolest thing about her presentation? Her hot dog wallpaper! hotdog here too

IP Law for Hackers / Pam Chestek and Richard Fontana

This was an interesting, two hour session on how Red Hat lawyers have to deal with open licenses such as the GPL, and trademark issues related to the Fedora project. One of the main things I remember is to “keep the name of your project simple, memorable, and generic, ie. unrelated to your product.”

Lightning Talks!

Covered in another area, the lightning talks were apparently a new entry into the FUDCon format. I think that there should be a couple of such sessions, given a sufficient number of presentations. The most interesting talk? Mel talking about baking (here’s my archive). Seriously.

I did not attend the hackfests per se but I spoke with Simon about OLPC. I found his recounting of the successes of the OLPC in Bolivia (?) interesting: The response to “we should be sending food and textbooks, not computers” criticisms is “Getting textbooks out is hard, but teachers can easily distribute educational resources with OLPC. And, the kids’ parents come back to the school in the evening to use the internet, and learn reading skills while also finding out the true price of their crops instead of being taken advantage of by unscrupulous purchasers hoping that uneducated, uninformed farmers won’t know any better.” As for having a static base (such as Fedora 7) creating a security risk, Simon reminded me that the likelier security risk is to the order of “Give me your computer, you little (censored)!”

I helped with clean up; after that I made an impromptu organization for a group of us to go to Gordon Biersch’s, a local brewpub. The whitbeer was good, and the chicken parmesan was good too. And a bunch of us organized a road trip for the next morning.

Monday

During the little road trip and on the topic of Fedora and Red Hat, I remember Brian (thank you for the driving!), a Red Hat employee, telling me about working at Red Hat and the RHEL sales model. It felt like tactics similar to a competing product.

After returning from the road trip, the hackfests on Monday were what I would consider “boring” — definitely not my thing.

The bright light for me was unfortunately at the expense of people who were stranded in Phoenix due to winter storms keeping their flights from leaving Phoenix — the Monday night party in the hotel lobby was quite a lot of fun, and even on Tuesday evening there were a few people still waiting around. I on the other hand had planned to stay several days later, so of course I was supposed to be there.

My thanks go to Jared, Robyn, Ryan, Southern Gentleman, Simon, Harish, Joerg, Ian, Clint, Chris, Máirín, Mel, and everyone else.

FUDCon 2011 — after my presentation

So I’ve just given my presentation at FUDCon on some basic security strategies to install on your system.

People seemed receptive. A couple of the ideas that came up were the use of denyhosts before I mentioned it, and a bit of controversy over the root user. People were suggesting the use of keys instead of passwords for the root user, and using sudo instead of allowing direct access to root.

The pairing with someone else worked ok for me — I started at 14:30 and got through all my slides in 20 minutes, including a few questions and comments; I did have to go a mile a minute though. The other person, who did an exposé on the Fedora Security Labs spin, however, had to skip a few of the things he wanted to do and talk about. His presentation was nonetheless interesting.

As I said people were generally receptive and respectful, and people generally recognized that my presentation covers basic security that anyone and everyone should do, and that it’s not necessarily intended to cover all cases or massive networks.

FUDCon 2011

Here I am at FUDCon in Tempe, Arizona.

First off, on a side note, I knew that Arizona was warm. But I left late January and came to early September. I’m blown away that I don’t even need a light jacket let alone a parka. This is the kind of weather that would be nice all year long, but I hear that Phoenix is a bit too warm, certainly for me, in the summer … 🙂

Currently I’m in a Fedora Board Meeting or whatever where things along the line of the future of Fedora and how people can get more involved are being discussed. Jared, the current Fedora leader, has 15 “short list” goals up on the screen, basically discussing general lines of how people can contribute and how the project can get the right people to the right job, as well as “how to get there”.

This morning I attended a talk given by an anthropologist who studied the Fedora community, such as through a previous FUDCon, and discussed her findings and how people were involved, why, and all sorts of interesting stats.

During the next session I’ll be giving my presentation on Strategies to Secure a linux system, but given the number of talks, the BarCamp style voting, and the available time & rooms, I’ve been paired with another presenter who will be discussing general security practices; his presentation is supposed to be general in nature, while mine is technical and a specific list of things to do, so perhaps this will work out nicely since he’ll presumably talk about “you should allow this and disallow that” while I discuss “go here and do this, and here are the menus to click or the command line how”. The person seems quite nice and we’ve agreed to speed up our presentation speeds and divide the time more or less equally amongst ourselves.

To be followed.

FUDCon 2011 — Tempe, Arizona

Well, here I am, I finally did it. I’m going to FUDCon 2011 in Tempe, Arizona.

After months of saying to myself and friends “Oh I think I’d like to go do this” and asking my brother if he’s interested, and telling all sorts of people “Yep I’m doing it, I’m thinking about doing it, I’m still in the talking about it stage; I just haven’t committed to it yet”, I bought my airline tickets a couple of weeks ago to go to Phoenix, Arizona, and made reservations at the hotel. (Yes, the nice people at the hotel, months after the block was “closed”, graciously gave me the Red Hat Group rate for 6 out of 7 nights — quite the savings!)

So I’ve been working for the past few weeks at translating, updating, revising, rationalizing, etc. a presentation on System Security I presented at my local LUG a couple of years ago. (Of course it’s not in English, silly, why do you think I’ve had to work on translating it?) I’ve also been following the wiki page for the event (here’s my archive of the page).  I even have my Fedora Friend Finder (here’s my archive of the page, since the webpage disappeared) ready to bring with me.

But … apart from a few blog posts here and there, and of course the availability of the administrative notices / minutes from the planning meetings, I haven’t found what appears to be, let’s say, an online forum where FUDCon is being discussed. (Yes, I know, there’s Planet Fedora — however, it seems to discuss pretty much everything under the Red Hat sun.) The kind of place where people discuss what they’re doing outside of the formal event structure, when they’re arriving, asking questions of participants of previous such events, and so on. Basically, chatter.

I’m wondering a few things, and hope that perhaps this post will help me out in at least finding a nudge in the right direction:

– Is there a forum where people are virtually gathering and discussing the plans and attendance and logistics and so on surrounding going to FUDCon? You know, chatter?
– Assuming that my presentation isn’t tossed for being too long, too technical, too boring, out in left field, or targeted to the wrong audience (it’s sysadmin stuff, not development), will there be a projector available? Will I need my laptop — which I’ll of course have anyway — or just a USB memory stick with the presentation on it? (OO.o format, or PDF? Of course I’ll be ready for all of these circumstances.)
– Regarding my presentation, will someone be wanting it to be submitted in advance for the part about “Refereeing for technical sessions”? Or will “in advance”, in keeping with the “so do not worry about competition” part, mean half an hour before the “Orientation, BarCamp pitches and scheduling” at 9:00am Saturday?
– I signed up after the 140 cut-off mark for food and swag. I don’t have a problem with the basic concept per se: you snooze, you lose, you should have signed up earlier. However, I’m just wondering what the real implications to this are — to what food is being referred? Breakfast, lunch, and supper throughout all the event? Snacks in the hospitality suite — no green stamp on your name tag, no food? A few chits for free meals, given to the first 140 people, at the Student Union cafeteria where a lot of people presumably will eat during the breaks? Food during the FUDPub, at which Red Hat “will be treating everyone to food”? (Or just the first 140 — everyone else with a differently-marked name tag will have to pull out their wallets?) I’m just trying to figure out logistics, that’s all; I’m trying to find the ad for the advertised food, so that I know what’s being discussed. Money isn’t the issue; I’m just looking for some kind of indication, that’s all.

Well, that’s off my chest.

In other directions, I guess I now have to prepare my laptop for going through customs:
– set up an automatic login (a warning against which is in my presentation);
– do a bit of a system cleanup (a suggestion about which is in my presentation);
– remove some privileged information and make sure that it’s really wiped;
– realize that US Customs probably won’t care about my computer, and that the only people who might will be the airline — and hopefully only be amused at the XRay area when they see the square, plastic bucket I carry it in (but hopefully not say that it’s oversized, which it shouldn’t be. The primary airline’s limits are 23 cm x 40 cm x 55 cm; the secondary airline’s limits are 23 cm x 35 cm x 56 cm. I’ve just checked, and it fits.)

ASP and Windows centric web pages slow

I am at another hotel on business. (Ho-hum, they have a password, I don’t care at this point to find out how long it’s been in place, I’m sure it’s good odds that it’s been a while. Shall we say that it’s named after a good ship. I suppose I could be wrong.)

Surfing is, often enough, slow. A good number of pages hang and time out. At first, I don’t notice much because the main one I visit is always slow, always hangs and occasionally times out.

At first I was wondering if it’s because I’m in a hotel using their internet — you know, bottlenecks due to lots of people using the internet hookup at the same time (what, at 6AM?), people setting up repeaters in the bushes stealing signal because there is an insecure password that at worst would cost them a night’s stay to figure out, etc.

I also have the company laptop with me, to do company work (of course, I have my own laptop to do personal stuff, the company policy on personal usage of the computers is getting to be much like closed source licences that make you wonder whether you may use the software at all, even for its apparently intended purpose.) It uses windows on a Centrino Core 2 with something like 2.8GHz or more. For the fun of it I type in le web page du jour. It loads quite speedily, while the page load on the same web page on my F11 ACER Aspire One is still hanging.

And I notice something interesting: le web page du jour is in ASP. So is the historically slow site. Last night the site that was impossible to properly log into using my laptop, the work email server — such that I logged into my own web email to send the message to the home office — is, you got it, on a windows server. A fourth site this morning timed out in the middle of a survey I agreed to take; I hope it’s a linux server, it’s for a magazine I subscribe to on a little topic called linux (the publishing house also has a PC magazine, so go figure.)

I’m wondering: Am I having difficulties with these pages because I’m using Firefox? Linux? A slower machine? Is it Fedora’s implementation of Firefox 3.5 Beta 4 or whatever? Some combination of the above? Is this an ASP compatibility problem? Or an ASP discrimination problem? Or are the pages in question themselves biased against non-windows computers? Or non-IE browsers? (Never heard that one before!) (here’s my archive)

To be continued …