Revisiting the Free Wifi on Destination Gotland

I'm on the boat from Gotland again after having spent a week there with my family. Again I find myself in need of some preferably free Wifi. This time, with a new Linux OS, I find myself having to look up the new ip command as opposed to the ifconfig command I used last time.

So this is one way of getting "free" Wifi on the Marlink Internet at Sea service found on the Destination Gotland ferry and I guess other ferries.

The attack is very simple: again, all we need to do is spoof the MAC address of an authenticated device. We can find an authenticated device quite easily using a wireless sniffer; I use Wireshark for this. Look for any packets going to an external network. I suggest filtering for TLS or HTTP; all we need is the MAC address.

Once you have what looks like an authenticated device, bring the device down and spoof the MAC you want. These are the ip commands used, where <device> is the name of your wireless interface (in my case wlp4s0).

ip link set <device> down
ip link set <device> address [MAC ADDRESS TO SPOOF]
ip link set <device> up

Take this post as a good reminder to RTFM every now and then. It's a bit of a challenge to do stuff without the almighty Google, but the man command and some patient reading does a good job when you are stuck offline :)

Teaching

Disclaimer: Some thoughts on reason, ethics, and teaching. There is probably more refined philosophy on this somewhere, but I figured I would write down my thoughts. This post might be subject to change in the future. I might also move these types of posts to a separate feed/blog to separate it from computer science stuff.

Consider the following ethical problems. Forget about possible sidetracks and just answer yes if you think it is morally right and no if you think it is morally wrong.

First problem: You have a button, when you press the button it gives you a
minor happiness, but at the same time it causes a lot of unhappiness for
someone else. Is it morally right to press the button?

I think most people would answer no to this first question. You could rephrase it as a question of whether it is right or wrong to steal from someone. Now consider the same question, but without the bad part.

Second problem: You have a button, when you press the button it gives you a
minor happiness. Is it morally right to press the button?

Obviously it does not matter morally speaking, right? If we assume full knowledge of consequences then there is no wrongdoing. From a utilitarian standpoint it would be a good thing to press that button; our utility would go up. However, what if the consequences aren't actually that well known, and this is your perception whenever you push that hypothetical button? Out of curiosity, you pressed the button one day to see what would happen. It gave you that minor boost of happiness and had no other effects to your knowledge.

Third problem: You have a button, when you press the button it gives you a
minor happiness. After a few turns of having pressed the button, you learn that
every time you press the button someone is killed. Is it now morally right to
press the button?

No, right? You might be forgiven for having pressed the button before, but now you don't have the same excuse for doing so. Killing someone for a minor gain is hard to justify morally.

I would argue that the knowledge of the consequences very much depends on the ability to reason and our perception. Do we hold someone liable when they don't know what they're doing is wrong? In many cases, no. However, we could say that negligence is wrong, and that the person should have known that there were bad consequences to his actions. The knowledge of the bad consequences will likely make you reason that continued pressing of the button is bad.

Fourth problem: Your friend has found this same button and has started pressing
it to get happiness. However, she does not know of the bad consequences. Should
you inform her of them?

I think yes. If we go by the reasoning from the previous problem, then we help our friend understand that what she is doing is wrong and so she will likely stop pressing the button.

So finally, where am I trying to get with this? I find the flux between knowing and unknowing interesting. It opens up further questions. What is your responsibility for knowledge within your field? Obviously, for someone like a doctor, knowledge might impact lives more directly, and therefore a doctor has a higher responsibility than, say, a mailman. Another question, which was supposed to tie into the title of this blog post, is when are we responsible for informing others? Clearly there is some limit to this, depending on your own self-confidence and whatnot. If we went about informing everyone about every single little wrongdoing they might be doing, then we would quickly lose friends. Unsolicited advice gets old quick.

However, going by this logic where knowing the consequences seems to give a higher moral responsibility, there are some nice conclusions. Learning and teaching become good things.

Show people the consequences of their actions and perhaps they are more likely to do the right thing. In this sense teaching/learning feels like it is an instrumental way to goodness.

Url Secrets

Found a neat little hack using "World Wide Web URLs"

A reference to a particular part of a document may, including the fragment identifier, look like

  http://www.myu.edu/org/admin/people#andy

in which case the string "#andy" is not sent to the server, but is retained by the client and used when the whole object had been retrieved.

Reference.

This gave me the idea of using the "fragment identifier", i.e. what comes after the #, to send secrets which can be seen by other browsers, but not by the server. Secrets like, for example, passphrases which can be used for cryptographic purposes.

I made a small proof-of-concept project using this idea for a service to share secret messages. Using client-side crypto, the user can submit an encrypted message to the server. The server responds with a uuid to identify the message. The client-side script then creates a url containing the uuid and encryption key. Like so:

http://domain.tld/[uuid]#encryptionkey

The user sends this url to his friend. When the friend opens the url, the server sends back the encrypted message. The client side script grabs the encryption key and decrypts the message. The plaintext message is never seen by the server.
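
The flow described above, as an added example that is not the author's proof-of-concept code. It assumes WebCrypto AES-GCM (the post does not name a cipher); the function names, the sample uuid and the in-memory Map standing in for the server are hypothetical.

```javascript
// Added example (not the project's code): the AES-GCM key lives only in the URL fragment.
// WebCrypto is global in browsers and current Node; the require() is a fallback for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const b64u = (bytes) => btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Sender: encrypt locally; `upload` goes to the server, `fragmentKey` never does.
async function encryptMessage(plaintext) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  const rawKey = new Uint8Array(await wc.subtle.exportKey("raw", key));
  return { upload: b64u(iv) + "." + b64u(new Uint8Array(ct)), fragmentKey: b64u(rawKey) };
}

// Share link: uuid in the path, key after '#'.
function buildShareUrl(origin, uuid, fragmentKey) {
  const u = new URL("/" + uuid, origin);
  u.hash = fragmentKey;
  return u.href;
}

// Request target an HTTP client sends for that link: path and query, no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient: key from the fragment, ciphertext from the server's response.
async function decryptMessage(shareUrl, download) {
  const rawKey = unb64u(new URL(shareUrl).hash.slice(1));
  const [iv, ct] = download.split(".").map(unb64u);
  const key = await wc.subtle.importKey("raw", rawKey, { name: "AES-GCM" }, false, ["decrypt"]);
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
  return new TextDecoder().decode(pt);
}

// Constructed round trip; the Map stands in for the server's storage.
async function demo() {
  const server = new Map();
  const uuid = "123e4567-e89b-12d3-a456-426614174000"; // constructed sample id
  const { upload, fragmentKey } = await encryptMessage("meet at the harbour at 18:00");
  server.set("/" + uuid, upload);
  const url = buildShareUrl("https://domain.tld", uuid, fragmentKey);
  const target = requestTarget(url);
  const plaintext = await decryptMessage(url, server.get(target));
  return { target, keyInRequest: target.includes(fragmentKey), plaintext };
}
demo().then((r) => console.log(r));
```

The server only ever stores and returns the `upload` string; because AES-GCM is authenticated, a ciphertext altered on the server makes `decryptMessage` reject instead of returning modified plaintext.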

You can find a demo here (note unsigned https) and the GitHub repo here.

Obviously, this idea implies trusting the client-side script that is sent by the server. If the server were adversarial, it could easily modify the script to remove the encryption or send the encryption key to the server.