55
submitted 6 months ago* (last edited 6 months ago) by coffeeClean@infosec.pub to c/cybersecurity@infosec.pub

I plugged into ethernet (as wifi w/captive portal does not work for me). I think clearnet worked but I have no interest in that. Egress Tor traffic was blocked and so was VPN. I’m not interested in editing all my scripts and configs to use clearnet, so the library’s internet is useless to me (unless I bother to try a tor bridge).

I was packing my laptop and a librarian spotted me unplugging my ethernet cable and approached me with big wide open eyes and pannicked angry voice (as if to be addressing a child that did something naughty), and said “you can’t do that!”

I have a lot of reasons for favoring ethernet, like not carrying a mobile phone that can facilitate the SMS verify that the library’s captive portal imposes, not to mention I’m not eager to share my mobile number willy nilly. The reason I actually gave her was that that I run a free software based system and the wifi drivers or firmware are proprietary so my wifi card doesn’t work¹. She was also worried that I was stealing an ethernet cable and I had to explain that I carry an ethernet cable with me, which she struggled to believe for a moment. When I said it didn’t work, she was like “good, I’m not surprised”, or something like that.

¹ In reality, I have whatever proprietary garbage my wifi NIC needs, but have a principled objection to a service financed by public money forcing people to install and execute proprietary non-free software on their own hardware. But there’s little hope for getting through to a librarian in the situation at hand, whereby I might as well have been caught disassembling their PCs.

you are viewing a single comment's thread
view the rest of the comments
[-] normonator@lemmy.ml 13 points 6 months ago

Their terms require a phone so yes, on their terms. Why would they make an exception for anyone?

Their captive portal requires wifi and thats all that matters. And why would they want to deal with paper agreements for WiFi?

You don't have to be a member to use WiFi, someone else could have given you the password if there even is one, so ya even if you did agree when signing up it would make sense to still require that.

I implement these kind of setups including a couple libraries and while I would have Ethernet ports available if within budget, I would not allow you to bypass captive portal, the agreement, or traffic filtering. I don't care what you are doing but I am required to try not to allow easy access to questionable content. If someone is doing something illegal it's gonna involve the library if you get caught (that's why the phone number but maybe they are just being shitty with it). Not worth the risk. Also a lot of those decisions are made by a board so being upset with the staff won't accomplish anything. Wifi is cheap, pulling cable can be very costly in comparison and depending on building type can be hard, damaging or, not feasible. Those ports could also be broken because people don't respect shit, that could also be the reason for their reaction.

This is all I got for you, good luck but if you want your privacy you're likely going to have to go somewhere else.

[-] coffeeClean@infosec.pub -1 points 6 months ago* (last edited 6 months ago)

Their terms require a phone so yes, on their terms.

I keep a copy of everything I sign. The ToS I signed on one library do not require a mobile phone. It’s an ad hoc implementation that was certainly not thought out to the extent of mirroring the demand for a mobile phone number into the agreement. And since it’s not in the agreement, this unwritten policy likely evaded the lawyer’s eyes (who likely drafted or reviewed the ToS).

Why would they make an exception for anyone?

Because their charter is not: “to provide internet service exclusively for residents who have mobile phones”.

And why would they want to deal with paper agreements for WiFi?

Paper agreements:

  • do not discriminate (you cannot be a party to a captive portal agreement that you cannot reach)
  • are more likely to actually be read (almost no one reads a tickbox agreement)
  • inherently (or at least easily) give the non-drafting party a copy of the agreement for their records. A large volume of text on a tiny screen is unlikely to even be opened and even less likely to save it. Not having a personal copy reduces the chance of adherence to the terms.
  • provide a higher standard of evidence whenever the agreement is litigated over

You don’t have to be a member to use WiFi, someone else could have given you the password if there even is one

That’s not how it works. The captive portal demands a phone number. After supplying it, an SMS verification code is sent. It’s bizarre that you would suggest asking a stranger in a library for their login info. In the case at hand, someone would have to share their mobile number, and then worry that something naughty would be done under their phone number, and possibly also put that other person at risk for helping someone circumvent the authentication (which also could be easily detected when the same phone number is used for two parallel sessions).

If someone is doing something illegal it’s gonna involve the library if you get caught (that’s why the phone number but maybe they are just being shitty with it). Not worth the risk.

Exactly what makes it awkward to ask someone else to use their phone.

this post was submitted on 29 Apr 2024
55 points (63.8% liked)

cybersecurity

3249 readers
9 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS