[UperSpaceGuru]

Wow, this was an amusing read. I actually helped architect part of the system that was bypassed at LiveTV (now Thales). We had some serious hackers on the team and discussed how much probing & prodding it would take to find vulnerabilities like this, but made the conclusion anyone doing this should be worried about more serious consequences. I for one, wouldn’t attempt this myself on the aircraft. The hacker side of me finds this Amusing, but I hope the author doesn’t face more serious consequences, primarily for having made this public knowledge. I have a sense the defense company that now owns the system being bypassed/broken will not find it amusing in the least bit.

Disclaimer: opinions above are my own. I do not speak for or on behalf of any party in the article.

[xfitm3]

We shouldn't let defense companies push around the general public. I'm glad that the author is willing to shoulder that risk, we need more people like them.

[UperSpaceGuru]

I agree with the sentiment. As a fellow geek & rebel, I can empathize. But if the author were my friend, I would point to past examples of how these things typically don’t end well for us. Not worth upending your life for karma or likes or whatever. The world needs more geeks that love what they do and can contribute significantly to society. That does not happen if you’re fighting court cases or on the run from authorities. General Public will rarely, if ever, stand up for you.

[Nextgrid]

I don’t think the fact that it’s a defense company is relevant. The company wouldn’t use the same “security” measures if actual defense was at stake.

This system was built with certain specifications and down to a certain price.

[UperSpaceGuru]

It’s relevant because it effects their “brand” and also culture plays a role in how they may perceive the situation. I have no idea if this even registers on their radar and it’s pure speculation on my part. Certainly not a sleeping bear I would poke.

[ErikAugust]

He is in high school. The defense company should offer him an internship.

[UperSpaceGuru]

I absolutely hope that’s the outcome of this whole thing. Unfortunately beyond the actual security vulnerability, companies often view these things as a “brand” or “PR” issue. I sincerely wish Kevin the best & hope this results positively as an internship or bug bounty.

[pmontra]

Definitely, but it's worth for them to defend against or go after the few people willing to use this method to get free Wi-Fi on planes? IMHO they'll spend more than what they'll gain.

[UperSpaceGuru]

I fear that this would be viewed thru the lens of “PR” & “brand”, thing companies are rightfully keen in protecting. Unfortunately there’s a legal component to all this also. The knowledge itself is cool & even actual instances of a handful of people getting “free” internet probably wouldn’t register on their radar. But the publicity from being on the top of HN... that might be of significant concern

[dehrmann]

This is a level of probing anyone with a good understanding of HTTPS could do. It's not like mac spoofing or or setting up a honeypot (have fun stopping those). I think you set your bar one or two notches too low for what someone in tech can do. Practically, though, your bar is fine because this isn't actually a "security" vulnerability in the sense that something was leaked (worry more about honeypots), just that one or two people per flight might be mooching, and that's not worth engineering for.

It's interesting that you and your team thought of legal consequences before asking if this is an edge case that's not worth engineering for.

[UperSpaceGuru]

Someone in tech can do a lot. But anonymity of the web vs being 1/~120 on an aircraft where you gave your name and other vital info before boarding is a little different. Anyone going to extremes (like using fake travel docs) likely has far more nefarious intent than getting a little free WiFi.

[ma2rten]

Lifehacker posted a similar article (linked in the OP).

https://lifehacker.com/get-free-unlimited-wi-fi-on-flights-a...

[UperSpaceGuru]

That’s not the same system or company.