this post was submitted on 29 Apr 2024
55 points (63.8% liked)

cybersecurity

3030 readers
2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

I plugged into ethernet (as wifi w/captive portal does not work for me). I think clearnet worked but I have no interest in that. Egress Tor traffic was blocked and so was VPN. I’m not interested in editing all my scripts and configs to use clearnet, so the library’s internet is useless to me (unless I bother to try a tor bridge).

I was packing my laptop and a librarian spotted me unplugging my ethernet cable and approached me with big wide open eyes and pannicked angry voice (as if to be addressing a child that did something naughty), and said “you can’t do that!”

I have a lot of reasons for favoring ethernet, like not carrying a mobile phone that can facilitate the SMS verify that the library’s captive portal imposes, not to mention I’m not eager to share my mobile number willy nilly. The reason I actually gave her was that that I run a free software based system and the wifi drivers or firmware are proprietary so my wifi card doesn’t work¹. She was also worried that I was stealing an ethernet cable and I had to explain that I carry an ethernet cable with me, which she struggled to believe for a moment. When I said it didn’t work, she was like “good, I’m not surprised”, or something like that.

¹ In reality, I have whatever proprietary garbage my wifi NIC needs, but have a principled objection to a service financed by public money forcing people to install and execute proprietary non-free software on their own hardware. But there’s little hope for getting through to a librarian in the situation at hand, whereby I might as well have been caught disassembling their PCs.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 36 points 6 months ago (2 children)

Good luck with that here. No port you can access will give you a IP If its hot at all. We don't allow patron machines to use Ethernet since it bypasses the QOS setting for the public WiFi. We also don't have any requirements to connect to our WiFi.

The reason for not allowing this is simple. We had several people come in and abuse usage of wired connections. Specifically people with consoles that thought it was okay to come in and kill our Patron vlan to download that fifty gig update for their console.

[–] [email protected] 5 points 6 months ago (2 children)

Meh. So my point of view is that qos for Internet is better done at layer 3. Layer 2 qos has its place, but layer 3 is going to let you prioritise services better.

Moreso, if you do it at layer 3 you don't need to worry about people using ethernet. Every person using ethernet is one less using the extremely finite resources WiFi has. Every active station puts a load on WiFi, less so with the latest versions but they still exhibit a lot of the same problems that mean many workstations can kill WiFi performance.

If you setup your network right (you can actually, although I've not seen it too often, setup guests networks on ethernet before WiFi, such that stations cannot see eachother directly) there's no reason at all to fear ethernet.

[–] [email protected] 2 points 6 months ago

Its gonna change soon anyway since we are getting new service with four times the bandwidth. For the first time I will be able to get netflow data since our current train wreck ISP(Windstream) wouldn't give me so much as a read only snmp string on their managed routers. I will have all kinds of options after I replace them with something I can manage. They have this product called weconnect that give you all kinds of information only its hours out of date and sometimes not sequentially timestamped.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

If you setup your network right (you can actually, although I've not seen it too often, setup guests networks on ethernet before WiFi, such that stations cannot see eachother directly) there's no reason at all to fear ethernet.

Sure but this isn't a corporate office with an IT team on call, this is a public library. They could hire someone who will go the extra mile to manage all of this and set the security up correctly, but they're not likely to get that person or keep them around. Their patrons are not going to be so opposed to wifi that expending all this effort to keep the ethernet ports active will be worth that effort. Maybe in a college library, or a public library in a city center, but not your run of mill local branches.

As for finite wifi resources, I seriously doubt most public libraries would be so frequently at capacity that this becomes an issue, especially when many of them only allow clients for a couple hours at a time without renewing. They just need to scale up for their needs.

[–] [email protected] 1 points 6 months ago

I would have expected a public library, run by the city to either use the existing Internet infrastructure from the city (e.g security already is handled) or be installed and maintained by some common city IT team.

Independent libraries sure can have a basic setup, but I'd still say one guy setting up the security outside of WiFi security would mean there's no reason to fear ethernet connections, as they would provide the same level of security to their network, and likely more to the user (assuming it's an insecure AP with portal).

In the case of the OP, I would find it far more likely that the actions of the staff member was more down to (understandable) ignorance of what they were doing and assuming connecting a wire means they're trying to do something nefarious, just because noone else is, and/or hacking in all the movies looks just like that.

[–] [email protected] 2 points 6 months ago (1 children)

I apply QoS at the edge so wired or wireless doesn't matter to us for performance but either one is still going to our Captive Portal and forcing you to agree to our ToS.

Fun Fact: I started applying QoS at the edge because of the people dragging their laptops in so they could Torrent. They'd blow out our bandwidth for everyone else and we were racking up DMCA warnings from our ISP.

[–] [email protected] 1 points 6 months ago

At the moment I have no control of the edge router. Its managed by windstream. The qos on the wireless is just on the guest wifi. Like I said soon I will have my own routers and then I can start to control traffic.