Courtyard Marriott in Times Square is spying on and manipulating your Internet
April 5, 2012 7:06 PM

Web developer Justin Watt was staying at the Courtyard Marriott in Times Square, New York and using the hotel wifi to access the Internet. He noticed some strangeness on his website... and on every other website he visited (not to mention YouTube was broken.)
In short, Marriott is injecting JavaScript into the HTML of every webpage its hotel customers view for the purpose of injecting ads (and in the meantime, breaking YouTube). Marriott’s wireless internet service provider is a third-party company called Hotel Internet Services, so it is possible, though unlikely, that Marriott doesn’t know what’s going on. But it’s crazy to me that I’m paying $368 a night for a hotel room, and this is how I get treated.

It turns out he found out that the Internet provider at the Courtyard Marriott in Times Square was injecting JavaScript and CSS into his website via the Revenue eXtraction Generator network gateway. (Who in their right mind would name a spying software with such a name!)

What can you do to make sure that your Internet experience is not controlled by the owner of a public network (such as a hotel or cafe) that you may be using? Either bring your own connectivity (3G modem or other mobile network access device) or make sure to use a VPN to encrypt all your data so that the public network cannot spy on your traffic. In this case it is the network owner that is manipulating the user's Internet but on an insecure WiFi network, any user can watch the traffic of other users of the network with a packet sniffer (i.e. you have no security at all. Use a VPN!)
posted by gen (106 comments total) 64 users marked this as a favorite
 
I saw this on Andy Baio's Twitter feed today. What a bunch of jerks.
posted by spitefulcrow at 7:07 PM on April 5, 2012 [2 favorites]




I have pointed out here before that in my experience the more you pay for a hotel room the worse the service, the worse the amenities and the fewer freebies you will get.

Stay in the Holiday Inn: $69

Stay in the Fancy Pants: $199 + $10 wifi + $30 parking + $18 breakfast...

(I realize that isn't quite the point of the post, I'm just venting really)
posted by Cosine at 7:17 PM on April 5, 2012 [44 favorites]


It's not as robust as a VPN, but HTTPS Everywhere forces Firefox and Chrome to use the encrypted version of a site whenever possible. Most big sites like Google, Twitter, Facebook, and Wikipedia support site-wide SSL.
posted by djb at 7:18 PM on April 5, 2012 [4 favorites]


Venting? $3.68 service charge. We'll just add it to your bill.
posted by sneebler at 7:19 PM on April 5, 2012 [16 favorites]


I think this sort of thing is only going to escalate. Arm yourself with a VPN. Bring your own Internet if you can. Use a public network only when you have to and ALWAYS with a VPN. If network providers are going to manipulate/spy on my Internet experience, I'm going to take control myself.

I suggested a few other tools to Justin to help secure his Internet experience:

HTTPS Everywhere: a browser addon provided by the Electronic Frontier Foundation which forces every site that provides SSL to serve via SSL (and thus makes those sites immune to injection.)

Ghostery: a very powerful browser addon which can block cookies (both first and third party) as well as other web beacons and tracking JavaScript.

Mozilla Collusion: an experimental addon by Mozilla which helps you visualize how these 3rd party sites are tracking you.
posted by gen at 7:19 PM on April 5, 2012 [36 favorites]


We were staying there in December and having all sorts of trouble with the Internet! Surprise! They did take the charges off our account, though.
posted by duvatney at 7:19 PM on April 5, 2012


Wait, web developers are staying in $368 dollar per night hotel rooms? What is this, 1999 again?
posted by Joakim Ziegler at 7:22 PM on April 5, 2012 [30 favorites]


I saw this on Andy Baio's Twitter feed today

I saw it on Scott Baio's law blog.
posted by Bunny Ultramod at 7:22 PM on April 5, 2012 [29 favorites]


Cosine: "I have pointed out here before that in my experience the more you pay for a hotel room the worse the service, the worse the amenities and the fewer freebies you will get.

Stay in the Holiday Inn: $69

Stay in the Fancy Pants: $199 + $10 wifi + $30 parking + $18 breakfast..."

This has been my experience also. Except for a Holiday Inn for $69. Never seen that before.
posted by Big_B at 7:23 PM on April 5, 2012


This just seems like such a mind-bogglingly bad business decision. I mean, everyone with enough computer competency to catch it will think you're a bunch of cheap bastards, and it doesn't take a lot of computer skill to notice extra ads. Probably at least 1 in 20 people can do it. A couple of those people hit you with bad reviews, and it could do real damage - and you're specifically pissing off the people who know how to write those reviews.

Besides, it can't possibly pay very well. There aren't that many users and the ads are not going to be well targeted or placed.
posted by Mitrovarr at 7:26 PM on April 5, 2012 [7 favorites]


Also, don't ever believe it when a hotel offers you a free 'Continental Breakfast.' They don't tell you that the continent is Antarctica. Walrus sausage and penguin eggs are not as tasty as you'd think.
posted by jonmc at 7:28 PM on April 5, 2012 [25 favorites]


I have pointed out here before that in my experience the more you pay for a hotel room the worse the service, the worse the amenities and the fewer freebies you will get.

Kimpton hotels give you a free wine tasting, free internet, and a $10 coupon for the minibar when you check in....

Nothing better than getting to your hotel room and cracking open a free beer.
posted by empath at 7:29 PM on April 5, 2012 [17 favorites]


there appears to be OS cooperation with some of these captive portal things

Hmm... that I highly doubt. If it was true and that got out in the public, it would cause real outrage.

I think those "services" do a lot of testing to see what works to get around browser popup blockers, etc.
posted by gen at 7:30 PM on April 5, 2012 [1 favorite]


This has been my experience also. Except for a Holiday Inn for $69. Never seen that before.

Look harder, I found $79 online pretty quickly, call the hotel direct and an additional $10 is all but guaranteed.
posted by Cosine at 7:31 PM on April 5, 2012


I've been noticing that there appears to be OS cooperation with some of these captive portal things.

That fails enough smell tests to be a Turing Test for artificial noses.
posted by yerfatma at 7:36 PM on April 5, 2012 [1 favorite]


Also, don't ever believe it when a hotel offers you a free 'Continental Breakfast.' They don't tell you that the continent is Antarctica. Walrus sausage and penguin eggs are not as tasty as you'd think.

You may be staying in the wrong places... in the past month:

Ramada Inn San Diego: amazing, free, hot breakfast (sausage, real eggs, biscuits and gravy plus all the usuals)

Red Lion Eureka CA: free breaky even included a dude making waffles (yes, at a Red Lion! The bedding was also shockingly good)

Franciscan Inn Santa Barbara: even had nice oatmeal.

A good free breakfast is the best holiday money saver I know of, find the good ones online, ask politely if they will let you take a couple items for the road, bingo, lunch too!
posted by Cosine at 7:36 PM on April 5, 2012 [3 favorites]


This reminds me of the guy with the neighbor stealing his WIFI, so he hacked the service to make every picture upside down.
posted by StickyCarpet at 7:37 PM on April 5, 2012 [12 favorites]


On a mac, for instance, connecting to APs at most hotels and some Starbucks immediately pops up an app-less window with the particular registration page auto-loaded.

OS X Lion borrowed the captive portal thing from iOS. When you connect to an open wifi connection and the Mac can't access the interwebs it brings up that special browser window to allow you to accept the T&C and/or enter your login credentials. From what I remember reading about it, it works by OS X looking for a page on apple.com and if the page fails (like it would if you're behind a captive portal) it brings up the captive portal's page for you to log in or accept T&Cs.
posted by birdherder at 7:42 PM on April 5, 2012 [10 favorites]


How to Hack a Hotel Room. (And more... premium channels are actually being broadcast all the time; the TV just can't tune into them until the guest pays. If someone brings in a TV--the laptop and USB TV tuner will do fine--and connects it, they're set.)
posted by twoleftfeet at 7:53 PM on April 5, 2012 [29 favorites]


This reminds me of the guy with the neighbor stealing his WIFI, so he hacked the service to make every picture upside down. - Upside-Down-Ternet
posted by crunchland at 7:56 PM on April 5, 2012 [14 favorites]


crunchland: "This reminds me of the guy with the neighbor stealing his WIFI, so he hacked the service to make every picture upside down. - Upside-Down-Ternet"

damn, beat me to it.
posted by ArgentCorvid at 7:57 PM on April 5, 2012


Stay in the Holiday Inn: $69

LOL. Been to New York lately? The only Manhattan Holiday Inn is in midtown (57th) and the rack rates start at around $200 a night for a single on a weeknight. Marriott Courtyard is hardly a high end hotel, either. $368 is a mid priced Manhattan hotel.
posted by spitbull at 7:57 PM on April 5, 2012 [1 favorite]


Burhanistan: "> Stay in the Fancy Pants: $199 + $10 wifi + $30 parking + $18 breakfast...

I think this is mainly because many of the guests are staying on business expense accounts and won't blink at the extra charges."

This explains most of it: by self-selecting yourself into a medium or high end hotel, you are essentially letting that hotel know that you are "willing to pay" a premium. And if you are willing to pay a premium for the room, you are more likely to pay an additional fee for free wifi.

Low-end hotels and motels are dealing with a more competitive customer so they are more willing to bundle the wifi price into their total cost.

There was a decent academic paper about this, but I can't find it now, but here's a decent NYT link.
posted by stratastar at 8:00 PM on April 5, 2012 [4 favorites]


In the comments on Justin's site is a guy who claims to run a startup that is doing advertising on WiFi networks (without JavaScript injection.)
As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
posted by gen at 8:09 PM on April 5, 2012


There are no walruses in Antarctica.
posted by rtha at 8:09 PM on April 5, 2012 [10 favorites]


Related thread on Hacker News...
posted by gen at 8:10 PM on April 5, 2012


The internet is stupid. I never use it.
posted by clvrmnky at 8:15 PM on April 5, 2012 [8 favorites]


I have pointed out here before that in my experience the more you pay for a hotel room the worse the service, the worse the amenities and the fewer freebies you will get.

Stay in the Holiday Inn: $69


Um, I lurv me the Holiday Inn Express. But they do this, too. Pretty much every hotel chain proxies all your traffic through third party providers.
posted by 3.2.3 at 8:27 PM on April 5, 2012


There are no walruses in Antarctica.

Well, not any more.

jonmc eats a lot of sausage.
posted by Etrigan at 8:28 PM on April 5, 2012 [8 favorites]


Last time I stayed at a Marriott was in Memphis, Tennessee, several years ago. The toilet didn't flush right, and it took, I'm not kidding, almost an ENTIRE DAY before someone finally showed up to fix it. Then they only half fixed it. I vowed never to stay again at a Marriott, and this is but another reason I'm glad I haven't.
posted by flapjax at midnite at 8:30 PM on April 5, 2012


I am the walrus.

(you are the eggmen)
posted by flapjax at midnite at 8:31 PM on April 5, 2012 [1 favorite]


flapjax at midnite: "Last time I stayed at a Marriott was in Memphis, Tennessee, several years ago. The toilet didn't flush right, and it took, I'm not kidding, almost an ENTIRE DAY before someone finally showed up to fix it. Then they only half fixed it. I vowed never to stay again at a Marriott, and this is but another reason I'm glad I haven't."

How does a toilet half flush? Nevermind. I just ate some walrus.
posted by Splunge at 8:34 PM on April 5, 2012


I love the Upside-Down-Ternet, but I wonder how hard it would be to avoid the temptation to build up fake news stories for CNN, etc... to screw with people's heads. Food shortages, stock market crashes, pandemics, local crime wave, etc...
posted by BrotherCaine at 8:38 PM on April 5, 2012


While we are hating on hotels - stay the hell away from Hilton too. It isn't possible to unsubscribe from their spam list, and they shoot shit at you all the time.

After weeks of trying to unsubscribe, (because a reputable company like Hilton should respect the unsubscribe link, right?), I finally marked them as spam. Months later, they managed to weasel past the spam filter and ask why I wasn't booking any hotels with them.


If this is true I'm pretty sure it's illegal (based on some stuff I've seen previously on Metafilter it's a violation of the confusingly named CAN-SPAM act) -- I don't know what you should do about it but if they're actually not letting you unsubscribe I think there probably are steps you can take.
posted by Mrs. Pterodactyl at 8:38 PM on April 5, 2012


I for one am _DELIGHTED by this story. It is truly _DELIGHTED that hotels would do a thing like this to their CIALIS CHEAP CHEAPclientelhey guys i found a new site wiht cheap cialis lol _e.
posted by No-sword at 8:49 PM on April 5, 2012 [13 favorites]


Seriously, use your own provider if you are angered by a hotel monetizing their services.
posted by Ironmouth at 8:54 PM on April 5, 2012


Pretty much every hotel chain proxies all your traffic through third party providers.

I just came back from Florence, where I can recommend the fantastic Residenza del Pucci.

A stone's throw away from del Duomo, it's right in the heart of the historic centre, and while they do have one of those annoying log-in pages, if you go and speak to the wonderful Marina, she'll just give you the hotel's wifi log-in details, ensuring you have free internet access for the whole of your stay.

And the cost? Less than 100 euros per night.
posted by PeterMcDermott at 8:56 PM on April 5, 2012 [9 favorites]


And if you are willing to pay a premium for the room, you are more likely to pay an additional fee for free wifi.
This is incredibly short-sighted thinking, and its consequences are why I now avoid Marriott whenever possible. The extra cost of being nickel-and-dimed (or five-and-ten-dollared, thanks inflation) isn't the extra few bucks, it's the feeling of having been misled, trapped, and, well, nickel-and-dimed.

Adding man-in-the-middle-attacked is not an improvement. Calling that "internet access" is fraud.
posted by roystgnr at 9:00 PM on April 5, 2012 [9 favorites]


Never trust hotel or airport networks. Some of the most mismanaged, greediest bunch of IT fuckers on the planet. If you're lucky enough to get a signal and IP then your webpage is wrapped in a FRAME with ads on the top, or like this guy found out adulterated with injected ads.

Not to mention that your computer is now in the equivalent of an unlicensed brothel. The next IP over is some jet setter who probably never patches his machine, opens every email attachment, and has been on 20 different networks in the last week. Hello virus.

I always make sure my computer's firewall is enabled and that I'm browsing through a secured SOCKS proxy (ssh -D 8080 FTW).
posted by sbutler at 9:01 PM on April 5, 2012


I'm only surprised that this kind of man in the middle attack injection advertising isn't more prevalent. There are so many soul-sucking dignity-draining invasive marketing gimmicks that we all suffer daily... thank god this one is still rare enough that it evokes outrage.

And on the hotel review derail: Last week the Arlington Hilton charged me $6 for a bottle of water that I thought was complimentary. Fuck you, Arlington Hilton. One star. (I complained and they took it off the bill without a fight... which sort of confirms that they're just trying to gouge business customers who won't notice)
posted by qxntpqbbbqxl at 9:04 PM on April 5, 2012 [2 favorites]


I wonder if this guy's problem would have been solved by just using an ad-blocker.
posted by crunchland at 9:32 PM on April 5, 2012


He presumably was using an adblocker, which is why he just saw a thin colored box on the top of his screen and not, y'know, ads.
posted by Holy Zarquon's Singing Fish at 9:34 PM on April 5, 2012 [1 favorite]


Well, with all the ones I ever used, he could easily right-click on the element, and filter out the box if it so offended him. No need for an internet tantrum.
posted by crunchland at 9:37 PM on April 5, 2012


But when I go to a Motel 6 or Super 8 that advertises "Free WiFi," that wireless access was usually provided by the owner going to Best Buy one day, buying a cheap wireless router, plugging it in and forgetting about it. No cost, no password, no ad injections. (And no help if it's not working that evening.) It's only the expensive hotels that have the resources to set up scams like this one.
posted by Harvey Kilobit at 9:39 PM on April 5, 2012 [8 favorites]


And for that matter, what the heck is he doing running a browser without no-script installed?
posted by crunchland at 9:40 PM on April 5, 2012 [1 favorite]


Wait, web developers are staying in $368 dollar per night hotel rooms? What is this, 1999 again?

Jesus F Christ! That's almost 1/3 more than the Courtyard Marriott Tokyo Ginza! I checked. Hell, I once walked into the Tokyo Shinjuku Hilton with no advance reservation and got a room for half of what he paid. What the hell kind of amenities do they give you in a Times Square hotel, hot and cold running whores?

If you can afford a $368 hotel room, you can afford your own 4G cellular modem.
posted by charlie don't surf at 9:43 PM on April 5, 2012 [3 favorites]


Dude, the hotel he was paying three-hundred-freaking-dollars to stay at and use their shitty internet literally ran a man in the middle attack on him. Whether or not a net-savvy user can mostly avoid it (but still be prevented from using YouTube by their shitty Javascript!), that's still worth a bit of rage.
posted by Holy Zarquon's Singing Fish at 9:44 PM on April 5, 2012 [5 favorites]


I was staying at a hotel once and got on their wifi. All the ads I saw were for La Quinta. They didn't seem to be injecting new ads, but rather replacing the ads with ones for their hotel.

And the thing is it was every ad. Seemed kind of pointless but it didn't bother me that much.

Then, I leave the hotel, and every ad was still for that hotel. It was bizarre. I deleted google's ad cookies and disabled tracking on my machine through google, and that took care of most of it.

But I was still seeing ads for the hotel. It was so weird, and a little unnerving. I ended up just installing ad-block and removing all ads entirely. I already had it on my desktop, just hadn't bothered with the laptop.

I guess it had something to do with advertisers tracking the fact that you'd logged on through a hotel wifi. Obviously, people who choose hotel X are likely to choose hotel X again, so if you, as an ad broker are aware of that they make the perfect people to advertise to in order to make it look like your ad campaign is effective.

The only problem is, if you advertise to the people least likely to not use the product, you're not actually boosting revenue at all, just appearing to.
posted by delmoi at 9:46 PM on April 5, 2012 [2 favorites]


literally ran a man in the middle attack on him.

Unless this was happening on https sites it wasn't a true 'man in the middle' attack.

Seems really unlikely that they would mess with those connections, as they would raise 'invalid certificate' warnings for every web page. It's really only the kind of thing you can do if you are a government, and even then, it's hard. When Iran hacked DigiNotar, and stole a root certificate, browsers still gave warnings that the certs had changed unexpectedly. They were caught, and the certs revoked.
posted by delmoi at 9:50 PM on April 5, 2012


I just came back from Florence, where I can recommend the fantastic Residenza del Pucci.

You must have been so enchanted by this idyllic land, you forgot to mention that in Italy anyone who uses the Internet, anywhere is required to identify themselves so they can match you to your surfing history. Want to hop into an Internet cafe? They'll have to photocopy your passport first.

Italy is a horribly draconian state. This is all but invisible to tourists on their Tuscan holidays.
posted by vacapinta at 9:56 PM on April 5, 2012 [9 favorites]


Marriott Courtyard is hardly a high end hotel, either. $368 is a mid priced Manhattan hotel.

To say nothing of the fact that for $368, you get a room the size of the bed that fits in it.
posted by Melismata at 9:56 PM on April 5, 2012


To say nothing of the fact that for $368, you get a room the size of the bed that fits in it.

Yes, but at least the bedbugs are free.
posted by Kraftmatic Adjustable Cheese at 10:00 PM on April 5, 2012 [4 favorites]


Unless this was happening on https sites it wasn't a true 'man in the middle' attack.
Sure it was. "This IP packet says that address X sent me message Y" is a trivially corruptible form of authentication, but it's still a true message that's getting replaced with a false message by someone in the middle of the channel.
posted by roystgnr at 10:29 PM on April 5, 2012 [2 favorites]


Ironmouth:

> Seriously, use your own provider if you are angered by a hotel monetizing their services.

No one is complaining about them "monetizing" anything - they're complaining about the fact that the hotel has installed software that, quite literally, reads the web pages that you as a guest request, and rewrites them with extra content in them.

There is no way they can do this properly in general - and if you read the article, this breaks many pages, including all of YouTube.

Imagine they did the same thing with TV - where they put their own commercials on top of the broadcast ones, and sometimes they ran a little long or at the wrong time and covered some of the show. Would you say, "Use your own provider if you're angered by a hotel monetizing their services" then?

delmoi:

> Unless this was happening on https sites it wasn't a true 'man in the middle' attack.

That's not so - any attack on a communication system where your opponent gets to intercept and rewrite a message is called a man in the middle attack.

There's a famous example from WWII where a censor in the British telegraph office saw a telegram saying simply, "FATHER IS DEAD" and thought, "That's just too short, no one would say that," so he changed the message to "FATHER IS DECEASED" and sent it on - almost immediately, there came an answer, "IS FATHER DEAD OR DECEASED".
posted by lupus_yonderboy at 10:32 PM on April 5, 2012 [3 favorites]


I think this sort of thing bothers me so much because the non-internet parallel it suggests to me is that any phone call on the hotel's lines would be periodically interrupted by another voice, imitating whoever I'm calling, shilling for whiskey or tourist traps or whatever.
posted by hattifattener at 10:43 PM on April 5, 2012 [2 favorites]


hattifattener: "I think this sort of thing bothers me so much because the non-internet parallel it suggests to me is that any phone call on the hotel's lines would be periodically interrupted by another voice, imitating whoever I'm calling, shilling for whiskey or tourist traps or whatever"

Personally, I'd go out of my way to stay at a hotel that did this.
posted by Joakim Ziegler at 10:59 PM on April 5, 2012 [2 favorites]


Hey folks, I wrote the javascript injection post, and I just thought I'd chime in here and respond to a few of the comments with some clarifications and corrections.

"Courtyard Marriott in Times Square is spying on and manipulating your Internet"

First off, I suppose with some artistic license you could call running regexes on HTML that block some ads and inject others "spying", but I just want to make it clear that I never said that Marriott was spying on the internet, just that they are manipulating the HTML.

"the Revenue eXtraction Generator network gateway"

There was a typo (now corrected) in my original post. RXG stands for Revenue eXtraction Gateway, not Revenue eXtraction "Generator".

Joakim Ziegler (and others): "Wait, web developers are staying in $368 dollar per night hotel rooms?"

That's kind of the way it goes when your client is located in Times Square. Client says stay at hotel X, we stay at hotel X. Shit's expensive in NYC. As spitbull added, "$368 is a mid priced Manhattan hotel." I mentioned the price simply because I think it makes the fact that they're resorting to sleazy JavaScript injection all the more incredulous. It's the type of thing I'd expect at a low-rent hotel, not Courtyard. Yeah, I know the high-end hotels tend to nickel and dime you more, but in this case the wifi was complimentary (and Courtyard is not "high-end"). However, that should not make a difference as to the baseline quality of service.

Holy Zarquon: "He presumably was using an adblocker, which is why he just saw a thin colored box on the top of his screen and not, y'know, ads."

Actually I don't use an adblocker (just a habit from working 4 years at Federated Media). In this case, the RXG system just wasn't serving up any ads. But their CSS added some padding that made my background color leak through. In fact their code is such a hodgepodge of JavaScript, I'm surprised it wasn't doing more damage to the HTML. It was destroying the YouTube embeds/iframes, which was majorly annoying.

lupus_yonderboy and hattifattener, you hit the nail on the head. For some reason people seem to allow liberties with hotel wifi that they'd never allow with hotel cable tv or telephone or a hundred other amenities we take for granted. IMHO, this is no different than SOPA or PIPA: "If I request a webpage, please do not modify or censor it en route."
posted by justincwatt at 11:17 PM on April 5, 2012 [38 favorites]
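
The rewriting described in the comment above (injected script and CSS, broken YouTube iframes) can be checked for whenever you hold a trusted copy of a page, as Justin did for his own site. The following is an added example, not part of the thread and not RXG code; the two sample pages and the `gateway.example` host are constructed for illustration.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContent(HTMLParser):
    """Collect the elements an injecting gateway tends to add or break:
    external scripts, stylesheets, iframes, and inline script/style bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []      # (kind, value) pairs in document order
        self._inline = None  # "script" or "style" while inside an inline block
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.items.append(("script-src", a["src"]))
        elif tag in ("script", "style"):
            self._inline, self._buf = tag, []
        elif tag == "iframe" and a.get("src"):
            self.items.append(("iframe-src", a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.items.append(("stylesheet", a["href"]))

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._inline:
            # Hash the whitespace-normalised body so reformatting alone is ignored.
            body = " ".join("".join(self._buf).split())
            digest = hashlib.sha256(body.encode()).hexdigest()[:16]
            self.items.append(("inline-" + tag, digest))
            self._inline = None


def extract(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return Counter(parser.items)


def compare(reference_html, received_html):
    """Diff active content between a trusted copy and the copy the network delivered."""
    ref, got = extract(reference_html), extract(received_html)
    added = sorted((got - ref).elements())
    removed = sorted((ref - got).elements())
    ref_hosts = {urlparse(v).netloc for k, v in ref if not k.startswith("inline-")}
    new_hosts = sorted({urlparse(v).netloc for k, v in added
                        if not k.startswith("inline-")} - ref_hosts - {""})
    return {"added": added, "removed": removed, "new_hosts": new_hosts}


# Constructed sample: the page as its author published it.
REFERENCE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/site.js"></script>
</head><body>
<h1>Blog</h1>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

# Constructed sample: the same page after passing through a rewriting gateway.
RECEIVED = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/site.js"></script>
<style>body { padding-top: 30px; }</style>
<script src="http://gateway.example/ads/inject.js"></script>
</head><body>
<h1>Blog</h1>
</body></html>"""

if __name__ == "__main__":
    report = compare(REFERENCE, RECEIVED)
    for key in ("added", "removed", "new_hosts"):
        print(key, report[key])
```

The reference copy has to come over a path the gateway cannot touch (HTTPS, a VPN, or the file on your own server); comparing two fetches over the same hotel network proves nothing.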


Or another analogy would be reading a magazine and someone's standing over your shoulder and inserting different ads into the magazine instead of the ads that were there when the magazine was printed. Not only do you lose all privacy about what you're reading, the new ad inserter has information about who you are (where you live, what company you work for, how much you're paying for the hotel, etc.) and changes the ads based on that information.
posted by gen at 11:17 PM on April 5, 2012


Or another analogy would be reading a magazine and someone's standing over your shoulder and inserting different ads into the magazine instead of the ads that were there when the magazine was printed.

Or, it's like you're reading the hotel's magazines and they have taped their own ads over the ones in the magazine.
posted by mrnutty at 11:32 PM on April 5, 2012 [2 favorites]


> I suspect a part of some wifi standard, perhaps?

There's a draft update to the HTTP standard for exactly this; but I don't think it's deployed anywhere yet. Given the apparent technical sophistication of most of the captive portals out there, you'll probably see this in operation right around never.
posted by bbuda at 11:35 PM on April 5, 2012


LOL. Been to New York lately? The only Manhattan Holiday Inn is in midtown (57th) and the rack rates start at around $200 a night for a single on a weeknight. Marriott Courtyard is hardly a high end hotel, either. $368 is a mid priced Manhattan hotel.

How anyone stays in NYC hotels without exercising some serious Priceline/Hotwire artistry is beyond me.
posted by billyfleetwood at 11:46 PM on April 5, 2012


Neat, bbuda. HTTP really seems like the wrong network layer for this to live at. An ICMP message would be more appropriate. I guess as a "mitigate the damage caused by captive portals" proposal it's not bad though.
posted by hattifattener at 11:52 PM on April 5, 2012


Hmm, I was thinking of "Man in the middle attack" as the attack on public key crypto. Looking at Wikipedia, the term is a little broader than that.
How anyone stays in NYC hotels without exercising some serious Priceline/Hotwire artistry is beyond me.
Not only that, something like air b'n'b may be illegal under NYC law.
posted by delmoi at 12:05 AM on April 6, 2012


You must have been so enchanted by this idyllic land, you forgot to mention that in Italy anyone who uses the Internet, anywhere is required to identify themselves so they can match you to your surfing history.

Aside from the usual deal about showing your passport when you sign in to a hotel, there wasn't any attempt made to match my ID to my browsing history that I could see. The concierge just gave me the hotel's WAP password and let me connect my iPad in the same way that the hotel's computer (and presumably all the other guests) were connected.

I can't see how they'd be able to identify my browsing history or distinguish it from any of the other guests' activity.

I was enchanted by the idyllic nature of the city though.
posted by PeterMcDermott at 12:13 AM on April 6, 2012


Hmm. I've used internet cafes in Italy before. I don't recall having to show my passport. I wonder if I've just forgotten it?
posted by PeterMcDermott at 12:17 AM on April 6, 2012 [1 favorite]


Coincidentally, I took a copy of Liars and Outliers on holiday with me. If I'd gotten around to starting it, I might have known that.
posted by PeterMcDermott at 12:26 AM on April 6, 2012


This is definitely a US corporate culture "monetize everything" phenomenon. As I write this, I am sitting in the Hotel Metropole in central Brussels, finishing off an enormous free breakfast. The hotel also has free wifi, lovely art nouveau decor, and cost me significantly less than $368 a night. The only issue I have is that I keep striking my head on the ornate chandelier in my room.
posted by TheWhiteSkull at 12:32 AM on April 6, 2012


Can anyone recommend a good VPN to use?
posted by JiffyQ at 12:39 AM on April 6, 2012


All that really tells me, TheWhiteSkull, is that, somehow, I've lived my life wrong.
posted by darksasami at 12:42 AM on April 6, 2012 [4 favorites]


3.2.3: "Pretty much every hotel chain proxies all your traffic through third party providers."

This is because pretty much every hotel chain requires that the franchise owner use one of a few approved solutions for Internet access. They can roll their own solution if they're willing to pay a large fee and meet a stringent (read: $$$) set of requirements dictated from on high.
posted by wierdo at 1:03 AM on April 6, 2012


Thanks for the Airbnb tip, Delmoi. I had not heard of them. Looks very promising.

My current hotel favorite complaint is the cheap-ass nature of Novotel. Fancy-shmancy Nespresso machine, in the room! Fancy wooden box with capsules! And paper cups with wooden sticks! LOL! Not that Novotel tries to be fancy. Also, they couldn't even provide a wash cloth on request, much less have them available in all rooms. Dirty nasty Novotel. That's just total failure at hospitality, which is supposed to be their business.
posted by Goofyy at 1:45 AM on April 6, 2012


Recently stayed at a Sheraton in Chicago. While it was more than I wanted to pay (with a group discount rate!), I almost fell over when the water was actually complimentary. I am so used to the $6 water thing that I was more than a bit surprised. But I couldn't get Wifi to work so it was a wash.
posted by [insert clever name here] at 2:07 AM on April 6, 2012


Regarding the question of how Windows knows "additional login information may be required" when you hit a captive portal such as at a hotel, the method is fairly simple. Windows simply tries to retrieve a known text file from a Microsoft server and, if it cannot despite a network connection being established, it assumes you are in a captive portal.

This is a self-link but there is more information about this in a column I used to write here: http://www.wi-fiplanet.com/tutorials/ask-the-wi-fi-guru-episode-40.html (second question).

I assume, but do not know firsthand, that the Mac implementation is similar.

Sadly, it does seem that the more expensive a hotel is, the more they assume the guest is insensitive to add-on fees like Internet access, which are probably being charged to an expense account anyway. With the increasing proliferation of 4G personal Internet access, I would expect hotels to invest less, rather than more, in the quality (or lack thereof) of their bundled Internet offerings in the future.
posted by thebordella at 2:54 AM on April 6, 2012 [4 favorites]
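
The probe described in the comment above, written out as an added example (not code from the thread or from Microsoft). It goes a little beyond the description by also flagging a probe file that arrives with extra content; the URL and expected body are the ones Windows' NCSI check used at the time, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Windows NCSI probe of that era: a plain-HTTP fetch of a tiny text file.
PROBE_URL = "http://www.msftncsi.com/ncsi.txt"
EXPECTED_BODY = b"Microsoft NCSI"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_probe(status, headers, body, expected=EXPECTED_BODY):
    """Classify one probe response.

    status is the HTTP status code (None if nothing came back),
    headers a dict of response headers, body the raw response bytes.
    """
    if status is None:
        return "no-connectivity"
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return "captive-portal (redirect to %s)" % headers.get("location", "?")
    if status != 200:
        return "captive-portal (unexpected status %d)" % status
    if body.strip() == expected:
        return "open"
    if expected in body:
        # The file arrived, but something on the path added to it.
        return "modified-in-transit"
    # A 200 with unrelated content: the portal served its own page instead.
    return "captive-portal (substituted content)"


def run_probe(url=PROBE_URL, timeout=5):
    """Run the probe over the live network and classify the result."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, dict(resp.headers.items()),
                                  resp.read(4096))
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx end up here
        return classify_probe(err.code, dict(err.headers.items()),
                              err.read(4096))
    except OSError:                         # DNS failure, timeout, refused
        return classify_probe(None, {}, b"")


# Constructed responses (not captured traffic), one per outcome.
SAMPLES = {
    "clean": (200, {"Content-Type": "text/plain"}, b"Microsoft NCSI"),
    "redirect": (302, {"Location": "http://portal.example/login"}, b""),
    "login-page": (200, {"Content-Type": "text/html"},
                   b"<html><body>Please sign in</body></html>"),
    "tampered": (200, {"Content-Type": "text/plain"},
                 b'Microsoft NCSI<script src="http://gateway.example/a.js"></script>'),
    "dead": (None, {}, b""),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print("%-10s -> %s" % (name, classify_probe(status, headers, body)))
```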


I travel often on business trips, and two of my core requirements when I'm on the road are to equip myself with a decent-enough prepaid mobile (200 minutes between topups; need to be able to call home) and one of them 3G dongles. Best if I can get a prepaid with a generous bandwidth; I can tether with my phone.

I've been burned so often by hotel wifis that I've all but given up on them; just as I do with the mini-bar, room phone, room service and the big hamper of chocolates they put out for you, I completely glaze over them and set up my own thing.

But yes, concur entirely on how service sucks worse the higher you go.
posted by the cydonian at 5:05 AM on April 6, 2012


I think I'll be able to use this to convince the partners to let me upgrade the firm's VPN. Thanks!
posted by charred husk at 5:49 AM on April 6, 2012 [1 favorite]


Last hotel I stayed in (in DC) didn't seem to be injecting anything, but the wifi didn't extend past the third floor so I had to use the wired connection in the room. It was some ancient DSL connector, and (I shit you not) had directions printed on it for getting online with Win95 or OS9. This was in November, last year. Frickin' weird.
posted by caution live frogs at 5:52 AM on April 6, 2012


This is definitely a US corporate culture "monetize everything" phenomenon. As I write this, I am sitting in the Hotel Metropole in central Brussels, finishing off an enormous free breakfast. The hotel also has free wifi, lovely art nouveau decor, and cost me significantly less than $368 a night. The only issue I have is that I keep striking my head on the ornate chandelier in my room.

Sad to say, I have to disagree here. I just left the Hotel Metropol in Basel, where I did have to pay for internet access at fairly outrageous rates (imo). You get enormous free breakfast at practically every US hotel chain. And my worst experiences with hotel internet gateways are always outside of the US (especially in India). I try to rely on my own data cards whenever possible, but I don't always have time to order a rental before I travel.
posted by me & my monkey at 6:03 AM on April 6, 2012


I've stayed at that courtyard by marriott in NY and at a nearby holiday inn and they cost the same and basically are the same. The courtyard by marriott is the holiday inn express of marriott. It is not high end. Which is not to say it wasn't nice.

I only used the wifi on my ipod touch. I actually found it hard to find free wifi that really works anywhere in Manhattan.
posted by interplanetjanet at 6:08 AM on April 6, 2012


Imagine they did the same thing with TV - where they put their own commercials on top of the broadcast ones

Ummm...cable companies do this ALL THE TIME. It's why you'll occasionally see a commercial for a local car dealer on a nationwide channel like Comedy Central or whatever. Often, there is a tell-tale "snippet" of the end of the "national commercial" after your local commercial ends, indicating that the timing of the overlay wasn't precise.
posted by ShutterBun at 6:15 AM on April 6, 2012 [2 favorites]


Having a Linux box in the basement that is semi-exposed to the web is a great thing. I was staying at a hotel in Dallas that offered free wifi, in common areas and in rooms. Having some downtime, I tried watching some YouTube clips and noticed that after the first or second video, the overall speed of the connection would be drastically reduced. I suspected they were throttling "non business" data, because after I would reconnect to the wifi, it would be speedy until I paid a visit to YouTube. SSH tunneling traffic back into my home connection made the problem go away. Granted, it wasn't as fast, as all traffic had to go back to NJ, but the odd fluctuations in speed went away.

The problem was with not just YouTube - Skype was also throttled, which made for some problems as I use that to call back into classrooms and talk to students when I'm away. I can do without YouTube, but when you offer Internet access and then manipulate the way people use it, that's a big problem for me.

To me, internet access isn't entertainment, so the analogies to replacing ads on TV or in magazines work, but it's more disturbing than that. No one gets paid to watch TV while they travel. I often need 'net access to work on projects while I'm away. This is akin to hotels flavoring all the water (in the shower, too) because a company paid to have their new flavored water product promoted at the hotel.
posted by johnjreiser at 6:22 AM on April 6, 2012 [3 favorites]


More info on cable commercial co-opting here

Granted, this appears to be more or less a case of "this is how the system is designed to work" as opposed to a last-minute hijacking of a cable channel.
posted by ShutterBun at 6:26 AM on April 6, 2012 [1 favorite]


If you're fairly technically ept, and you have reasonable upload bandwidth at home, you can run your own VPN service, just for yourself. I've found OpenVPN to be moderately easy to set up, especially if you use a pre-shared key (aka a "password" or "passphrase" -- it's a term that implies complexity where there is none.)

OpenVPN, at least according to the developers, when using passworded access, is completely immune to traffic analysis and deep packet inspection; all your network provider can see is a random string of bytes, with no visible structure whatsoever. This should make you immune to analysis, even by repressive governments like China's. They can see there's a fair bit of traffic between the two endpoints, but shouldn't be able to get anything else useful.

Using SSL certs is the alternative; in that case, the setup session is visibly SSL, so automated tools can see/report that a secure connection was made. You're still snoop-proof, but what you're doing is obvious to any analysis tool.

A completely different approach is to run Squid, a web proxy, on a machine at home, connect to that machine with SSH, and use SSH to forward a port on a local machine to a port on the remote one. In other words, your local 127.0.0.1:8080 is pointed at [yourhomeserver]:8080. Then you tell your browser to use a proxy at 127.0.0.1:8080. There is no proxy there, it's not running locally, but SSH invisibly forwards the packets to the remote machine, and then returns replies. So you're talking to the remote Squid like you're sitting on the same machine, and everything works. (Note that if you're running Firefox, it's critical to go into about:config, and set network.proxy.socks_remote_dns to TRUE. If it's false (the default) then all DNS lookups are done locally, instead of going over the proxy. This is insecure, and gives away exactly what you're doing, even what sites you're visiting. It's a very bad default setting for Firefox to have.)

This is much easier to set up than OpenVPN, although the free command-line SSH tools use really gnarly syntax for setting up a port forward. But the SSH handshake is visible, so it's obvious what you're doing, and this type of VPN deals very poorly with packet loss. You're layering TCP on TCP, so whenever a packet gets dropped, both layers try to recover the error. If you're losing very many packets, this can rapidly cascade into glacial slowness or complete failure.

OpenVPN layers TCP over UDP... UDP has no error recovery. Either a packet gets there or it doesn't. The TCP layer on top does all the error-detection and correction, so it generally works pretty well, even on a fairly crappy connection. But it's harder to set up.

The big issue with either setup is that your remote download speed becomes limited by your upload speed at home. Home uplink speeds are getting fast enough that this may not be as much of an issue, but if you've got, say, 512K of upload, then you'll have 512K of download speed for any remote client. If you've got a weak home connection, this can be frustrating.

Alternately, of course, you can pay someone $25 or $30 a month for a VPN service. This will just work, it's very easy, and it will probably have more bandwidth available than your machine at home. But it costs money every month, where running the VPN yourself means you get the service for the money you're already spending.
posted by Malor at 6:26 AM on April 6, 2012 [25 favorites]


Let's just coin the phrase "there's no such thing as free WiFi" and go from there. Everything's gonna be tethered or have its own built in 5G network access within another couple of years anyway.
posted by ShutterBun at 6:31 AM on April 6, 2012 [1 favorite]


Good thing he didn't say their wifi service was "fucking gross"
posted by terrapin at 6:51 AM on April 6, 2012 [1 favorite]


I stay in hotels all the freakin' time as part of my job. I usually use whatever Marriott brand is cheap enough and close enough to the job site. As a result, I'm in Courtyards (and Fairfield Inns, and Springhill Suites, and Residence Inns . . .) pretty regularly. From my experience:
  1. I've never seen the behavior described at any hotel I've stayed at (although of course that doesn't mean it hasn't happened).
  2. I've never seen the specific provider that this hotel was using.
My guess would be that it's the provider that's engaged in slimy behavior, not the hotel. Not that the hotel should be let off the hook - if any hotel I was in did engage a provider that did this, I'd definitely let the hotel management know how I felt about it.

Re: wifi performance, I'd agree that the price of the hotel does not correlate to the performance and reliability of the hotel's Internet access. I've been in full-scale Marriotts ($200 or more a night) which charged for their access on top of the room fee, and which were close to unusable. On the other hand, the best performance I've ever seen at a hotel was in Bridgeport, WV, at a Fairfield (more like $70 a night), which had something like 30Mb down/10 Mb up. And, of course, it was provided as a part of the room, no extra charge.
posted by deadcowdan at 7:00 AM on April 6, 2012 [1 favorite]


the Hotel Metropole in central Brussels, finishing off an enormous free breakfast.

Miserable, fat Belgian bastards...
posted by ShutterBun at 7:00 AM on April 6, 2012 [1 favorite]


I'm a big fan of cheap hotels precisely because the wifi is free, better and unfettered along with stuff like free breakfasts and free parking.

There is, I think, a threshold over which expensive hotels don't charge for that stuff (well out of my price range) but you still get the internet interference problem.
posted by dickasso at 7:27 AM on April 6, 2012


lupus_yonderboy: "There's a famous example from WWII where a censor in the British telegraph office saw a telegram saying simply, "FATHER IS DEAD" and thought, "That's just too short, no one would say that," so he changed the message to "FATHER IS DECEASED" and sent it on - almost immediately, there came an answer, "IS FATHER DEAD OR DECEASED"."

For those, like me, who were intrigued by this, details are available in this handy Google Book excerpt!
posted by subbes at 7:37 AM on April 6, 2012 [2 favorites]


One thing to add to Malor's excellent writeup: Put your OpenVPN server and web proxy on a cloud server. It's definitely faster and these days may even be cheaper than the electricity to keep your box on at home.
posted by whuppy at 7:40 AM on April 6, 2012 [4 favorites]


Whenever I travel to big cities, I usually am put up by internet friends who know of my curious vacation hobby of obsessively cleaning the kitchens and bathrooms in other peoples' houses, cooking elaborate breakfasts for my hosts, and organizing elegant dinner parties, but when I have ended up in fancy hotels, I'm always shocked by how crappy and expensive the internet service is. You have to go through that stupid login page, it's slow, and it costs money, which seems ridiculous when you've just spent two hundred bucks on a shitty little room.

When I travel on my own, which essentially means driving/riding up and down the states that border the Atlantic, I look for the cheapest motel with the strongest aroma of curry in the motel office, because "patels," as they're sometimes called, invariably have great, free, fast wifi without filtering or ads or megacorporate bullshit. Those places have the extra benefit of often having a lovely older woman around who cooked the delicious-smelling curry that's wafting out from the back room and who is so delighted that a visitor can recognize and correctly name the dish she's cooked that she'll often generously offer up a portion. In those cases, I tend to break out my maid tools from the trunk and give the bathroom in my room a nice shine, as well as tightening the toilet seat bolts, which are always loose.

In my brief sojourn as consort to a big deal Hollywood talent executive, I got to ride along on trips where we were in fancy hotels with all sort of electric jacuzzi 700 count Pashtung sheeted magical bed giant TV accouterments, and the internet always either didn't work at all or sucked, all in rooms that cost almost as much as my monthly rent. They fleece those guys, because it's all just money in the chain, bouncing around between departments filled with middle-managers who just don't give a crap, as long as they can check off an item in their spreadsheet. Nice soaps and lotions to snag there, with lemon grass and tea tree oil and such, but those places leave my security blanket with a strange smell.

Fortunately, I'm not cursed with an excess of cash, so I'm content to troll the secret pleasures of Route 301, stopping in at Emporia for the night in a place where they know me and make a mattar paneer that'll just about make you want to stay there forever. Full internet, the room's $22 a night, and there's a dirty little secret to the place that'll one day end up in a book I'm working on.
posted by sonascope at 7:43 AM on April 6, 2012 [11 favorites]


Don't log into the WiFi at the Country Inn in Beaver, Utah. Your computer will catch some nasty viruses. Also, avoid the nearby Chinese Restaurant. Better yet, just don't visit Beaver, Utah.
posted by kozad at 7:52 AM on April 6, 2012


I've had pretty good luck, by the way, with many of the WiFis in Best Western motels. Most of the ones I've stayed at were run well, and Internet service tended to be quite good. In the BW in Athens, Georgia, the internet is freaking incredible, better than most home connections, and you can connect either wired or wirelessly.
posted by Malor at 8:15 AM on April 6, 2012


The biggest problem about this kind of Internet tinkering is that it fucks stuff up. I'm grudgingly willing to look at an ad or two if it means I get free Internet access, although it seems offensive. But it's never just looking at an ad. Inevitably the router also rewrites some other HTTP requests in a way that breaks some fancy AJAX site, or it blocks port 22 so I can't use ssh, or it interposes a login every 15 minutes forcing me to reconnect to everything. The end-to-end principle has no exceptions. VPNs are the only way an individual can protect himself; just hope the captive portal stuff doesn't break that, too.

The good thing about that $10,000 user intercepting router is it has some useful router features. For instance, it offers per-user traffic shaping. I can't tell you how often I try to use some crappy hotel wifi only to find it's got the bandwidth of a piece of spaghetti and packet loss like passing chunky tomato sauce through a strainer. Part of the problem is some other guest connecting his virus-fountain laptop into the network. Traffic shaping helps with that.

It's absolutely true that the more expensive the hotel, the more likely they are to charge for wifi. I think they assume if you're rich enough to pay $400 a night for a room you don't notice if it's another $20 for Internet. We're lucky they don't charge per toilet flush, too. The only saving grace is usually the for-pay networks work better.
posted by Nelson at 8:58 AM on April 6, 2012


You must have been so enchanted by this idyllic land, you forgot to mention that in Italy anyone who uses the Internet, anywhere is required to identify themselves so they can match you to your surfing history. Want to hop into an Internet cafe? They'll have to photocopy your passport first.

Ah, the Pisanu law, guaranteed to send me into a rant from 2005-2010...
It's marginally better now. As of 2011, if your primary business is not providing Internet access (e.g. hotels, bars, coffee shops, etc), then you no longer have to do the whole ID rigmarole. Baby steps...

posted by romakimmy at 10:24 AM on April 6, 2012


On my last big cross-country drive, we made a point of staying only in cheap-ass roadside motels, largely because they always had the best free WiFi (and we kinda dug them). Best of all was when the motel's night manager was a young guy, because that usually meant he was going to be up late raiding in WoW, and if the WiFi went out, he fixed it with a quickness.
posted by ThatFuzzyBastard at 12:19 PM on April 6, 2012 [1 favorite]


A completely different approach is to run Squid, a web proxy, on a machine at home, connect to that machine with SSH, and use SSH to forward a port on a local machine to a port on the remote one.

Unless you particularly need the caching part of Squid, why not just use the built-in SOCKS proxy in ssh:

user@laptop ~ $ ssh -D 1080 user@server.home


It's quick and simple with no planning needed other than an SSH shell somewhere on the internet.
As a bonus, just about every non-trivial network program is SOCKS-aware, so using the proxy is generally a painless process.
In Firefox, the socks proxy is located with the http proxy settings, for example.
posted by madajb at 12:44 PM on April 6, 2012 [6 favorites]
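
What the Firefox setting network.proxy.socks_remote_dns mentioned earlier in the thread changes on the wire when the browser talks to a SOCKS proxy such as the one `ssh -D` opens, as an added example (not code from the thread). It builds and decodes SOCKS5 CONNECT requests per RFC 1928; the host name and address are constructed samples.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    An IP literal means the client already resolved the name itself, so the
    DNS query went out on the local network. A host name is sent as-is and
    resolved at the far end of the tunnel.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("host name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(request):
    """Decode a CONNECT request into (who_resolves, destination, port)."""
    if len(request) < 7 or request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        size = request[4]
        raw, rest = request[5:5 + size], request[5 + size:]
        who = "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        raw, rest = request[4:4 + size], request[4 + size:]
        who = "client"
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(raw) != size or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    dest = raw.decode("ascii") if who == "proxy" else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", rest)
    return who, dest, port


if __name__ == "__main__":
    # socks_remote_dns = true: the name travels inside the tunnel.
    remote = build_connect("example.com", 443)
    # socks_remote_dns = false: the browser looked the name up locally first
    # (192.0.2.10 is a documentation address standing in for the answer).
    local = build_connect("192.0.2.10", 443)
    for label, req in (("remote DNS", remote), ("local DNS", local)):
        print(label, req.hex(), parse_connect(req))
```

In the local-DNS case the lookup itself never enters the tunnel, so the network operator sees every host name even though the page content is encrypted.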


Wow, thanks, madajb, I'll have to check that out. I've been using that SSH-to-Squid trick for more than a decade, and apparently they added something to SSH when I wasn't looking. :-)
posted by Malor at 1:11 PM on April 6, 2012


25 to 30 per month seems excessive for a vpn. A quick google and I couldn't find one past 15, and most were around 10 or less, with discounts for longer.
posted by Sparx at 1:20 PM on April 6, 2012


Seconding the request for (budget-friendly-priced?) VPN recommendations. My home internet access is so notoriously flaky and drop-heavy that it's unreliable for hosting an OpenVPN connection AND I end up doing most of my browsing at coffee shops & the like, so I'm doubly screwed there.
posted by nicebookrack at 3:16 PM on April 6, 2012 [1 favorite]


subbes writes "For those, like me, who were intrigued by this, details are available in this handy Google Book excerpt!"

Amazing that at one time people would mail blank sheets of paper to places that had a paper shortage.
posted by Mitheral at 6:35 PM on April 6, 2012


Stay in the Fancy Pants: $199 + $10 wifi + $30 parking + $18 breakfast...

The Fancy Pants probably assumes you're on business, not paying for yourself, aren't price conscious and won't think twice about paying the extra.

If you must stay at the Fancy Pants and pay for it yourself, look for deals that are aimed at leisure travelers.

But if the Fancy Pants thinks that getting a reputation for screwing around with people's internet is no big deal, it is abysmally stupid. That is going to be up there with getting a reputation for food poisoning.
posted by philipy at 11:40 AM on April 7, 2012


That's probably not really true yet, philipy. The generation of people that truly expect the Net to work well, all the time -- in other words, the kids who grew up with it -- won't be in positions of real power for another ten years or so. By 2022, it'll be a very bad idea to have poor network access, but in 2012, that's only a problem if you're trying to attract techy professionals.

Right now, in other words, an awful lot of people just don't notice if the Net is bad in a hotel, because they don't use it when they're traveling very much. That will become less true with each passing year, and in another decade, I suspect bad 'Net access in a hotel will be a great way to go out of business.
posted by Malor at 3:39 PM on April 7, 2012


For what it's worth, when I'm traveling for work at a fancypants hotel, it doesn't bother me a bit to pay for wireless. So that part of the marketing works out.
posted by craven_morhead at 11:02 PM on April 10, 2012


That's probably not really true yet, philipy. The generation of people that truly expect the Net to work well

It doesn't take much for senior, non-techie people to freak out if they hear that something their employees use might be insecure. My feeling is the less you know, the greater the FUD factor. It just takes some headlines in the newspaper the CEO reads for them to issue an edict that henceforth we don't use hotel chain X any more.
posted by philipy at 10:28 AM on April 11, 2012


Also, bear in mind that the idea of taking your personal electronics to a building and needing to use their connection in order to reach the Internet is already going away - if you're connecting with a smartphone or cellular-enabled tablet you can use your own wireless plan, which is likely faster than the hotel's anyway, and if you're using a laptop but have a smartphone, you can tether it and do the same thing. If you can't afford a smartphone (but do have a laptop) you're dependent on the hotel, but if you can't afford a smartphone you're probably not staying at the distinguished (read: ridiculously expensive) institutions that we're talking about here.
posted by Holy Zarquon's Singing Fish at 12:00 PM on April 11, 2012



This thread has been archived and is closed to new comments