While interesting, I would have an uneasy feeling messing with the WIFI AP on an airplane. Perhaps there is a U.S. law this type of conduct would fall under specific to being on an airplane?
While in general bypassing Wi-Fi restrictions is indeed dubious from a legal standpoint, it’s most likely as safe on an airplane as anywhere else. If the in-flight Wi-Fi provider’s AP was in any way part of aircraft control system network, I would be surprised if overseeing such a design flaw weren’t a crime.
The author does not "mess with the WIFI AP on the plane", they exploit a weakness in the design (failure by viasat to maintain a checksum IP mapping to their domain for the captive service) to simply bypass a trivial TLS header check in order to tunnel their traffic.
This is hacking under federal law, as it should be. Likewise that if I break into your house by merely exploiting a weakness in the design of the lock, I am still committing a crime.
If someone charges for tours of part of their house, has two prices of tour, and you change the colour of your badge to let you access the part you haven't paid for, is that a crime?
Sounds like some form of fraud to me. What's the difference between that and simply forging a ticket to an event instead of buying one? Or forging a currency note?
OK, the better example from further down. You realise your badge lets you into areas of the premium tour, it opens all doors, not just the ones you paid for it to open.
And even if it is fraud of some kind, the bar for charging someone with fraud (instead of just suing for damages) is fairly high...
Well yes, but bandwidth is practically free anyway. I'm not actually stealing computer resources. It's more akin to looking at the Mona Lisa through one of the Louvre's windows using a pair of binoculars.
The person I'm replying to specifically said "mess with the WIFI AP" in order to present this as harmful or dangerous (FUD), it is not. It's a trivial header check bypass - whether or not that is "hacking" is a question for lawyers and a judge.
I was just bypassing some trivial key check on the door. To say I was "messing with the door" is FUD, and whether I was breaking and entering is a question for lawyers and a judge.
The owner gave me a key to the lobby so I could pay to get an all-access key. As it turns out, I can just walk past the lobby and that key actually opens all doors in the building. Whether or not it's illegal to use it to access whatever I want is a question for lawyers and a judge.
That's not what's happening here. This is more like trying the key on every door, finding a cleaning closet unlocked and crawling through the ventilation ducts to get in.
I think it's pretty close to the reality. The lobby is wide open (viasat's payment gateway), but if you just use the viasat lobby key (viasat.com SNI) on any other door (IP address) it allows you access. They could prevent you from getting to the doors in the first place (whitelisting MAC address to access anything other than a whitelist of IPs instead of just TLS SNI whitelisting) but they don't, as it's especially evident when they allow other protocols when the connection is not encrypted.
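The gap between allow-listing on TLS SNI alone and pinning pre-payment traffic to the portal's own addresses, as described in the comment above, shown as an added example (not from the thread or from any provider's code). The hostnames, address ranges, `Flow` record and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy data: portal hostnames and the network they are served
# from (documentation address ranges; nothing here is a real provider's).
PORTAL_HOSTS = {"portal.example.net", "pay.example.net"}
PORTAL_NETS = [ipaddress.ip_network("192.0.2.0/28")]


@dataclass(frozen=True)
class Flow:
    client: str          # client identifier, e.g. MAC address
    dst_ip: str
    dst_port: int
    sni: Optional[str]   # None when the flow carries no TLS SNI
    paid: bool


def allow_sni_only(flow: Flow) -> bool:
    """Weak pre-payment rule: trust the hostname the client puts in the SNI."""
    return flow.paid or flow.sni in PORTAL_HOSTS


def allow_pinned(flow: Flow) -> bool:
    """Stricter rule: unpaid clients reach only the portal's own addresses."""
    if flow.paid:
        return True
    dst = ipaddress.ip_address(flow.dst_ip)
    on_portal = any(dst in net for net in PORTAL_NETS)
    return on_portal and flow.dst_port == 443 and flow.sni in PORTAL_HOSTS


def audit(flows):
    """Flows the weak rule passes but the pinned rule rejects."""
    return [f for f in flows if allow_sni_only(f) and not allow_pinned(f)]


# Constructed flow records.
SAMPLE = [
    Flow("aa:01", "192.0.2.5", 443, "portal.example.net", False),
    Flow("aa:02", "203.0.113.77", 443, "portal.example.net", False),
    Flow("aa:03", "198.51.100.9", 443, "news.example.org", False),
    Flow("aa:04", "198.51.100.9", 443, "news.example.org", True),
    Flow("aa:05", "203.0.113.77", 80, None, False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("SNI/destination mismatch:", f.client, f.dst_ip, f.sni)
```

The `audit` output doubles as a detection rule: any unpaid flow whose SNI names the portal while its destination lies outside the portal's networks is worth logging. A static address list needs upkeep if the portal sits behind a CDN whose addresses change.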
The lobby is not locked. Neither are any of the doors leading out from it. There is a cashier in the lobby and a sign with ticket prices for the different doors.
In that situation, opening the doors without paying is illegal. It would be treated as trespassing or theft of services. You don't have the right to use other people's stuff without permission just because it's easy to do.
Judges tend to be less impressed by technicalities than seems to be commonly believed. If you know that a network operator intends to route traffic only for paying customers, and you intentionally trick its router into routing your traffic without payment, the judge will probably see that as intentional unauthorized access.
I think that's legally reasonable, almost. It's the intent that matters here; if my use of Cloudflare DNS instead of what your DHCP server provides for performance and privacy reasons happens to bypass your insecurely implemented captive portal that asks for payment, there's no intent. If I employ a complex tunneling scheme specifically designed to bypass your payment check, that's theft.
Where I do have a problem with the law is that its digital nature is given special treatment and greatly enhanced penalties. If I walk into a store and steal a USB Wifi adapter worth $20, I have committed a misdemeanor. If I'm caught, I'll probably be given a summons, not arrested, and my penalty will probably be a fine or community service. If I use that adapter to steal access to $20 worth of in-flight Wifi, I've committed a felony, for which the penalty includes loss of civil rights, and probable incarceration.
Right. I think all he’s trying to say is that it might be worse to hack something on a plane vs some other kind of computer system. I don’t think they were implying harm was being done to the ap. Colloquially I would definitely call this messing with the ap :)
IANAL and all that, but my perception is that "hacking" is usually about breaking into someone else's computer / breaching someone else's privacy / accessing data that isn't yours / etc. If that perception is accurate, then I think it's really a stretch to call this "hacking". You're just moving bits around on network infrastructure designed to move bits around. Maybe I'm just looking for a loophole because wishful thinking, but this seems like a decent argument to me.
Now, you could be violating their terms of service. But in this case there may be a good argument that you never accepted their terms of service since you wouldn't have had to click the "accept" button to do what the post describes.
Was going to write the same. Prosecutors would have an easy time convincing a judge that hacking + doing so while airborne should result in many years behind bars, especially knowing how punitive the legal system in the US can be. The article itself is very interesting though.
They'd have your stunnel server IP, so if they were really, really determined they could probably track you down by forcing your ISP/VPS provider to identify you.
I doubt they'd bother for $45 worth of WiFi, but personally I would err on the side of caution.
My guess would be that getting caught doing this could get you federal terrorism charges. I don't even think it's a safe assumption that the network is isolated or properly insulated from pilot instrumentation.
If that assumption isn't safe, then neither is the plane.
Having ANY access AT ALL whether via "hidden" backdoor or authorized login to plane instrumentation from the WiFi would be an insane setup. Just because they're both invisible to you doesn't mean they're connected in some way.
Could you imagine the attack surface?
We'd be hearing about terrorist attacks leveraging that design flaw.
Thanks for this. This solves my tmux / history problem. Commands from one open terminal were not available in the history command for the other terminal, if I had two terminals open.
Western society may be a large consumer, but you are educating the wrong crowd if you want to make a difference. Higher income countries tend to do a much better job of recycling. This illustrates the problem:
Two thoughts. The GP was talking about reducing not only because it’s better for the environment but because it’ll make you better off. Recycling was downplayed in the comment.
The comment was not addressed to westerners specifically. I’d be willing to bet a lot of the travel that is increasingly occurring is happening in the developing world as people leave their communities to find work.
I'm responding to a post, not choosing a crowd to educate, but in any case, your link in your post below shows that per capita the US and UK (probably most HN readers) rank high. Quoting your source,
> plastic waste generation tends to increase as we get richer. Per capita plastic waste at low incomes tends to be notably smaller.
Great work -- something you should be very proud of. I was last there in 2006. I remember the tour guide telling me the building would be completed within 10 years. It is such a massive collection of both art and science I can see why it is taking many years to complete. My wife and I plan to visit it again once it is finished -- it was one of the first places we vacationed together.
I use ESXi and one of the VMs is pfSense. pfSense has an additional software package called pfBlocker, which is highly configurable and just plain awesome for blocking ads/trackers/etc for the LAN. pfSense has tons of other options - I set up a vLAN and all of my IoT devices are segregated onto it. That way they can't interact with the rest of the devices on the LAN.
Yep... my pfSense is virtualized, too. I need to get pfBlocker configured, but pi-hole works so well, I'm too lazy to do anything about it! I'm also working on an IoT VLAN - that Ring doorbell is a chatty Kathy!
The no commission model RH is providing is awesome and if they found a way to sustain that business model, great. The amount they have saved me (an avg trader with 25-50K) is well worth them selling my trade data to other firms. Sometimes their system is a bit glitchy. I'm sure as time goes by things will get tightened up. I mostly trade derivatives. If I open a 4 legged trade with 400 contracts that would cost me $300 in commissions on my old broker (TD Ameritrade) to open and an additional $300 to close it. Totally free with RH.
They're selling your trades not your trade data. They sell the orders you place to HFT firms which arbitrage them and kick back a commission to Robinhood to fund their business. It kinda costs you, actually, you just don't see it. [1] With low trade volumes/order sizes you may end up ahead but I don't have data to back that up.
> So by selling its customers’ orders to market makers, Robinhood is actually stealing from two sets of “the rich”: Rich market makers like Citadel are paying it directly for the orders, while rich hedge-fund managers are getting worse execution on public stock exchanges so that Robinhood customers can get better executions off those exchanges. Big institutions are paying to subsidize free trades for Robinhood’s customers. It feels pretty Robin-Hood-y! If I were Robinhood I would advertise that!
The profits MMs take here aren't zero sum between you and the MM, because there are other participants in the market. An MM can profitably quote a more generous spread to a retail trader, because retail order flow isn't going to wipe out their book and expose them to inventory risk.
Essentially: you are cheaper to make a market for than a giant fund is, and you, Citadel, and Robinhood can split the savings.
Why would they pay for the order flow and create smaller spreads which makes them less money? They have no reason to do so. I don't see what you mean by savings - if they're making less money, how does that translate into savings for anyone?
> Why would they pay for the order flow and create smaller spreads which makes them less money?
Competition. Why does Coca-Cola spend money on advertising, driving up their costs and (seemingly) ensuring they make less money? Retail order flow is essentially free money for the market maker who gets it, and they compete with each other to obtain it. That competition shows up in a mixture of tighter spreads (ie, better than the "best price" for the customer), and payment for order flow. And payment for order flow, in turn, shows up as some mixture of lower fees or higher margins for the broker.
At a big picture level, retail orders are valuable, and that value will be split between the market maker, the broker, and the customer, with the exact split depending on a number of factors.
> I don't see what you mean by savings - if they're making less money, how does that translate into savings for anyone?
Keep in mind, market makers make money by being extremely efficient at buying stocks when people want to sell, and selling them when people want to buy, minimising the stocks they hold at any given moment, making a tiny amount on every transaction, and making it up on volume. If the incoming orders are "uninformed", ie, it's just a dentist in Milwaukee daytrading his retirement account, then this is very safe. If the incoming orders might be "informed", ie, it might be the first indication of a fundamental shift in the value of the stock, then this is not safe, because every trade could just be noise, or it could be the start of some hedge fund shifting a billion dollars into or out of the stock.
The NBBO (National Best Bid and Offer) is the best available price for "mixed" order flow, that captures the risk to the market maker that, if they fill the order, they might be about to get run over by a bus. The more they can get order flow which is safer than that, the more they can afford to beat that "best price". They do this because they believe that, on average (and after adjusting for risk), they will be making more money, not less.
This is all pretty concrete, nothing here is new, every broker does this, and it's all very well understood. If the current best ask is $X, and you can promise that you're an uninformed idiot who has no clue what's going on and just wants to buy 50 shares, then you can find someone who'll give you a better rate than $X. If you're Bridgewater and you want to buy 50 million shares, you won't.
A market maker sets a bid (the price at which they buy) and an offer (the price at which they sell).
The offer will always be higher than the bid, and they make the spread between the bid and offer price.
If buy and sell orders are roughly balanced, they will not lose money. The idea behind purchasing flow such as Robinhood's is that the traders are random noise traders, with a balance of buys and sells as such.
There is another kind of market maker whose job is to provide liquidity by always staying in the market. The exchange pays them some fraction of a penny per share bought and sold.
In this case, the proposed tax is meaningless because it's fantasy headline legislation (it exists solely as vote-stirring propaganda) that has no shot at passing. The never-passing proposal will have no effect on Robinhood's business model.
I was under the impression that pretty much all retail brokerages (especially online discount brokerages) sell your trades (i.e. "payment for order flow") so I'm not sure if this would create a material difference whether you went with RH or some other retail brokerage?
Nothing is ever free. Robinhood sells order flow, meaning your trades are executed by a real market maker but with slower fills, larger spreads and more restrictions on trades.
> meaning your trades are executed by a real market maker but with slower fills, larger spreads and more restrictions on trades.
Incorrect. Retail customers who have their orders routed like this obtain instant execution at prices at least as good as, and sometimes better, than the best available price on public markets, and in the case of Robinhood, they also pay zero fees.
In other words, everything you said is wrong. They don't get slower fills, they get tighter spreads, and lower fees. This is strictly good for the retail investors.
The good news is that the broker isn't screwing them.
The bad news is that the reason for that is because the broker doesn't have to screw them; they're uninformed noise traders buying and selling in basically equal measure. The traders buy at $1.001 and sell at $0.999 as much as they want until they're blinded out by the spread, which the broker keeps.
The "savings" being passed along is just a reduction in the portion of the spread that the broker would normally use to protect itself against informed traders.
Sure, there's only a few companies that control all the flow but paying fees usually results in smaller spreads and faster execution. It also seems to result in better software and support. Maybe not everyone needs it, RH is good if you just buy and hold, but I wouldn't say fees are for nothing.
I don't understand why you believe paying fees "usually" results in smaller spreads. Most of the brokerages you pay trading fees to are doing what Robinhood does, because retail order flow is made to be internalized, and firms like Citadel do a better job of it --- for customers --- than the firms that run the brokerages do; the job of a typical brokerage is to make a pretty web UI, keep some servers running, staff a bunch of brick-and-mortar locations, and answer the phones, and the job of actually executing trades is specialized in a different direction. More likely, the firm you're paying trading fees to is handing your order off to an internalizer, getting rebated for it, and pocketing both the rebate and the trade fee.
It's from my experience and I've heard the same from many others. Maybe better spread is from better speed, and maybe the speed is a result of better software platform. The fees are also negotiable though, and responsive support is good to have and helped when I needed it.
If it was that simple then I find it strange that these brokers don't offer free starter accounts to new users to compete against Robinhood. They must know something we don't about the real value of the company and how much competition they're adding.
> If it was that simple then I find it strange that these brokers don't offer free starter accounts to new users to compete against Robinhood. They must know something we don't about the real value of the company and how much competition they're adding.
Or it just may be an example of how changes don't happen instantly. If they lose enough customers, they may cut commissions, even to zero. As long as it isn't a big problem, they won't.
It seems to me that a lot of brokers are providing an increasing number of commission-free securities, and you also see promotional deals where a new account of sufficient size gets several hundred free trades.
Doubly true if it's outside market hours. Unlike every other broker Robinhood doesn't (always) warn you when the markets are closed. I've had fills come in dollars off the last trade simply because the market order was placed before or after hours.
Robinhood also makes it harder to use limit orders than other brokers. I suspect it's because they receive more payment for order flow when it's a market order.
> Investors are assuming the stock is on sale and this only impacts Boeing for, what, a few weeks?
Reminds me of the Equifax breach. Stock tumbles then recovers. Overall, it validates that breaches are not a liability; therefore, additional resources to address future problems could be seen as a moot point.
Same with Boeing. If there is no impact to the company, then why change the business model?
Equifax is not comparable to this. The difference with Equifax is that there has been little actual damage compared to how much data got compromised. With Boeing we've had hundreds who got killed.
Perhaps the steep climb has to do with how the incident airports were set up?
“Data released by the Sweden-based service suggested the aircraft had climbed almost 1,000 feet after taking off from Addis Ababa, a hot and high-altitude airport whose thinner air requires extra effort from an aircraft's engines.”
https://af.reuters.com/article/worldNews/idAFKBN1QR07Z
Extra effort from the engines? That sounds a little silly, like they just need to be motivated to work a little harder. Take-off power is take-off power.
Reduced air density just means the engines don't produce as much power and the wings don't generate as much lift; a double-whammy of lower available engine thrust and greater speed required for the same takeoff roll.
I don't think it is anymore - not with noise abatement rules. You can take off in X meters with 100% throttle, or 2X with 80% - but the runway is 4X meters, so you take off with reduced throttle to make things quieter for the neighbors.
I don't know whether there are really regulations for that but as a pilot (which I am not) I would not want this as this would lower the decision velocity (I think it's v2) after which the start can't be aborted.