I told the flight attendant "the WiFi isn't working" (twitter.com/erratarob)
232 points by jonathanzufi 10 months ago | 169 comments



This reminds me of a conference, attendees were having sporadic problems with accessing the Internet and eventually I was able to capture a trace of the problem: when the main lease network filled up, it started allocating IPs from another block, but with the same gateway. I got a lease for something like 10.1.1.69/24 with a gateway address of 192.168.1.1.

I went to the support person and she offered to reset the WiFi, but I explained that she needed to escalate it because it was a configuration problem, resetting it was only a temporary solution.

(edit: PyCon 2006 IIRC, DFW)
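An added example (not from the thread, and not anything PyCon's network crew ran) of the sanity check a client could apply before accepting a lease like the one described above. It parses a constructed DHCPOFFER and flags a router address that is outside the offered subnet, and also an offered address that is not in RFC 1918 space (the situation a later comment in the thread describes, where a machine received what looked like the office's public IP). The packet builder, addresses and MAC are constructed for the example; nothing here was captured from a real network.

```python
"""Sanity-check a DHCP offer the way a client could before accepting it.
Added example: the packet below is constructed, not a real capture."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 DHCP options marker
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_offer(yiaddr, mask, router, lease=86400,
                mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Build a minimal DHCPOFFER (constructed sample input, not a capture)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=Ethernet, hlen=6
    pkt += b"\x00" * 4                                     # ciaddr
    pkt += ipaddress.IPv4Address(yiaddr).packed            # yiaddr: the offered address
    pkt += b"\x00" * 8                                     # siaddr, giaddr
    pkt += mac.ljust(16, b"\x00")                          # chaddr (16 bytes)
    pkt += b"\x00" * 192                                   # sname, file
    pkt += MAGIC_COOKIE
    pkt += bytes([53, 1, 2])                               # option 53: DHCPOFFER
    pkt += bytes([1, 4]) + ipaddress.IPv4Address(mask).packed     # option 1: subnet mask
    pkt += bytes([3, 4]) + ipaddress.IPv4Address(router).packed   # option 3: router
    pkt += bytes([51, 4]) + struct.pack("!I", lease)              # option 51: lease time
    return pkt + b"\xff"                                   # option 255: end


def parse_dhcp(packet):
    """Decode the fixed BOOTP header and the TLV option area."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:              # pad
            i += 1
            continue
        if code == 255:            # end
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": ipaddress.IPv4Address(packet[16:20]),
            "chaddr": packet[28:28 + hlen],
            "options": options}


def lease_seconds(msg):
    """Option 51, or None if the server did not send one."""
    raw = msg["options"].get(51)
    return struct.unpack("!I", raw)[0] if raw else None


def check_offer(msg):
    """Return a list of problems; an empty list means the offer looks sane."""
    problems = []
    opts = msg["options"]
    if 1 not in opts:
        return ["no subnet mask (option 1) in offer"]
    net = ipaddress.IPv4Network(
        (str(msg["yiaddr"]), str(ipaddress.IPv4Address(opts[1]))), strict=False)
    routers = opts.get(3, b"")
    for k in range(0, len(routers) - 3, 4):
        rtr = ipaddress.IPv4Address(routers[k:k + 4])
        if rtr not in net:
            # The case above: a 10.1.1.x/24 lease whose router is 192.168.1.1
            problems.append(f"router {rtr} is outside offered subnet {net}")
    if not any(msg["yiaddr"] in p for p in PRIVATE_NETS):
        problems.append(f"offered address {msg['yiaddr']} is not RFC 1918 private space")
    return problems


if __name__ == "__main__":
    for name, pkt in (("pycon-style", build_offer("10.1.1.69", "255.255.255.0", "192.168.1.1")),
                      ("sane", build_offer("192.168.1.69", "255.255.255.0", "192.168.1.1"))):
        msg = parse_dhcp(pkt)
        print(name, msg["yiaddr"], lease_seconds(msg), check_offer(msg) or "ok")
```

A real client would run `check_offer` on the bytes it pulled off the socket; the point of the check is that an offer can be syntactically valid and still be unusable, which is exactly the kind of failure that surfaces only as "it's not working".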


And? Did she escalate it and was it solved?

Don't keep us hanging!


She did, it got solved in a couple hours, once I was able to nail down the exact problem. It's hard when random attendees are only able to give reports of "it's not working", when it's something tricky like this. I think it took the better part of a day to nail the problem down, maybe longer (my memory is spotty on it).


Almost certainly no. Unlike the assertion made, she didn’t need to escalate it.


Why didn't she need to escalate it?

I can imagine the hospitality industry would not want the WiFi sporadically going down for their guests; that's not a very hospitable experience.


Companies should work out a way to incentivise low-level workers to escalate and chase up "difficult to tackle" issues. Ignoring problems rarely works long-term and it's in companies' best interest to know about and solve issues.


WiFi is not considered that important to a hotel or conference center, especially when most people have access to the phone network.

There’s a reason why many conferences deploy their own wifi infrastructure


What about in 2006?


Even more so.


Sorry, I meant to try and nicely nudge you into the correct conclusion and you have doubled down. 2006 was before the iPhone.

You used the wifi, you didn't tether to your Nokia 6650.


Absolutely!

We went into these hotels telling them "I know you offer WiFi, but we are a tech conference, we're going to be using the WiFi harder than your normal event." They'd all say "It's fine", but they'd quickly learn it wasn't fine.

There wasn't really the option to use the cellular network for data at that time.

We eventually ended up running our own WiFi for quite a few years, because the venues consistently would just end up a smoking crater. The first year in Chicago the venue had this fancy centrally controlled wifi that was supposed to be all smart, but even after a field upgrade because the central CPU couldn't keep up, it was just a disaster.

Ended up going with a bunch of relatively inexpensive APs all set on low RF power, where the venues always wanted to have one or two APs on high power. Basically solved our problems.


She didn't need to escalate it because for her personally there was no downside to simply ignoring the matter.


And indeed, would have probably thought that people at a conference would be better being human beings and talking to each other, rather than staring into a laptop screen.


This was the conference where Ka-Ping Ye could be found huddling in the back of the room, and then a few hours later give a presentation on "look what I just did". So, I hear what you're saying, but there is also value in being on your computer in that environment.


Path of least resistance.

She offered a solution, customer refused it. She had no obligation to act further (assuming no such requirements set by company policy).


Except that our contract with the venue included that they would provide Internet access, so we were collecting these problem reports and in several cases money was withheld due to poor performance.


I did tech support for a database conference at the Adams Mark around 2000.

That was the biggest fluster cluck I've ever seen.

The hotel sabotaged the DSL line that provides Internet access until thousands of dollars in previously undisclosed fees were paid.


PyCon had a conference planning company heavily involved from fairly early on, and that ended up avoiding, to the best of my knowledge, much of that sort of thing. The contracts ended up being fairly well negotiated. But *THAT* process was quite the hair-pulling exercise.




Why


This is adjacent to the classic free WiFi hack on airplanes, which is to boot another client off of their DHCP lease by spoofing their MAC.

It’s unfortunate that, below HTTPS and a light smattering of WiFi encryption, there’s essentially no authenticity controls on LAN management protocols.


I work on SPR, http://github.com/spr-networks/super, we make it easy to use distinct WPA3/WPA2 passwords to authenticate devices on the network for policy based access


>we make it easy to use distinct WPA3/WPA2 passwords

If only we could get the industry to move to this model, we could dramatically reduce the amount of congestion due to APs broadcasting multiple SSIDs.


Great project, a lot of APs themselves support VLAN segregation using RADIUS, has SPR ever considered the scenario where it might be ideal if it were just the router and it controls APs (and even switches) that way?


SPR supports receiving VLAN tagged packets over a wired LAN interface today.

Soon we are planning to support an OpenWRT package that will allow people to link up into SPR from lots of APs, provided the AP card supports AP/VLAN mode which is critical for the segmentation.

We have no plan to work more closely with managing RADIUS right now, enterprise wifi authentication is difficult to deploy securely without client-side certificates for authentication. So that makes it less appealing due to our goal of supporting any kind of wifi capable device.

Lastly, SPR does have an upsell feature where we support leaf node APs running SPR that have backhaul into a primary instance.


Yeah I already do some combination of MPSK and MAC-based Security on Aruba AP-555 and AP-655 at home with a couple hundred IoT devices, OPNsense and FreeRADIUS. I segment by (vendor, device model) instead of /30 per individual device but that’s more setup convenience than anything (it’d be possible to uniquely dot1q every device, too).

I think SPR looks neat, it’s a more well-packaged version of essentially what I already do (albeit in a kludgey way), hence the curiosity about ambition.


Client isolation at the access point level does this.


Yes, this is part of the story of how SPR achieves this.

So the hostapd configuration for SPR has the following components:

- ap_isolate=1
- per_sta_vif=1
- unique passphrases for devices
- firewall rules

ap_isolate stops the AP from doing L2 forwarding between clients using the pairwise keys. the per_sta_vif=1 will also ensure that each client has a unique GTK so they can't use group key encryption to communicate without the AP.

Next, unique passphrases are used. Without this, it's possible for a malicious device to decrypt WPA2 traffic passively or spin up a Rogue AP to capture traffic from peers.

And lastly -- firewall rules with default deny connect devices by policy.

That ap_isolate alone is not enough is kind of interesting, as it's possible to instead push packets to the router that will then forward to the client destination. Most off the shelf routers have forwarding on without a default deny policy, enabling this. The subtlety here is the attacker uses the router as the L2 destination instead of the other wireless client. At the very least attackers can send UDP packets to bypass the intended isolation. This bypass is especially powerful when changing mediums between Wireless and Wired as the Wired victim receiving packets will be responding back to the router, and on many consumer routers a full TCP connection will be possible then.
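An added example (not SPR's code, and not taken from its repository) that audits a hostapd.conf and an nftables ruleset for the four properties listed in the comment above, and in particular catches the bypass it describes: `ap_isolate=1` with the router's forward chain left at `policy accept`. Both configurations are constructed for the example; the interface names (`wlan0`, `wan0`), the per-station VIF naming pattern `wlan0.sta*`, and the `wpa_psk_file` path are assumptions, not anything the project ships.

```python
"""Audit a hostapd.conf and an nftables ruleset for the client-isolation
properties described above. Added example with constructed configs; not SPR's code."""
import re


def parse_hostapd(text):
    """hostapd.conf is key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def forward_policy(nft_text):
    """Policy of the chain hooked on 'forward', or None if there is none."""
    m = re.search(r"hook\s+forward\b[^;]*;\s*policy\s+(accept|drop)\s*;", nft_text)
    return m.group(1) if m else None


def audit_isolation(hostapd_text, nft_text):
    """Return the findings a reviewer would raise; an empty list means isolated."""
    conf = parse_hostapd(hostapd_text)
    findings = []
    if conf.get("ap_isolate") != "1":
        findings.append("ap_isolate=0: the AP bridges frames between associated clients")
    if conf.get("per_sta_vif") != "1":
        findings.append("per_sta_vif=0: all clients share one GTK, so group-keyed frames "
                        "reach every peer without the AP's help")
    if "wpa_psk_file" not in conf:
        findings.append("single wpa_passphrase: anyone holding it can derive peers' "
                        "pairwise keys from the 4-way handshake or run a rogue AP")
    if forward_policy(nft_text) != "drop":
        findings.append("forward policy is not drop: a client can address the router's MAC "
                        "with a peer's IP and the router hairpins it back (L2 isolation bypass)")
    return findings


# Constructed "consumer router" style configuration (assumed, not from any vendor).
WEAK_HOSTAPD = """
interface=wlan0
ssid=guest
wpa=2
wpa_passphrase=hunter2hunter2
"""
WEAK_NFT = """
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
"""

# Constructed hardened configuration in the spirit of the settings listed above.
HARD_HOSTAPD = """
interface=wlan0
ssid=guest
wpa=2
ap_isolate=1
per_sta_vif=1
# one line per device: <mac> <passphrase>  (path is an assumption for the example)
wpa_psk_file=/etc/hostapd/wpa_psk
"""
HARD_NFT = """
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # explicit allow only: station VIFs (assumed wlan0.staN naming) may reach
        # the uplink, never each other and never the wired side
        iifname "wlan0.sta*" oifname "wan0" accept
        ct state established,related accept
    }
}
"""

if __name__ == "__main__":
    for label, h, n in (("weak", WEAK_HOSTAPD, WEAK_NFT), ("hardened", HARD_HOSTAPD, HARD_NFT)):
        print(label, audit_isolation(h, n) or ["ok"])
```

The last finding is the one people miss: `ap_isolate` only stops the AP from forwarding frames between its own stations, so the check has to look at the router's forward chain as well, because a default-accept router is a perfectly good relay between two "isolated" clients.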


Does this usefully support multiple APs with the same ESSID?


Yes, although it is part of our upsell and not in the core FOSS project. We need to update our documentation to be more clear as we have been getting this question more often.


I poked around the site, and it was entirely unclear to me that one could buy this feature or how it works.

Can it make it painless to manage multiple APs and to get fast roaming, etc working? UniFi pulls this off nicely — there’s nothing particularly fancy under the hood AFAICT, but it all just works. A more intelligent solution where clients got assigned to appropriate VLANs would IMO be extra nice.

(The enterprise vendors seem to have decent ACL and maybe even anti-spoofing measures for their wired networks, and they have some security features for wireless, but I haven’t seen anyone with a nice solution that makes wired and wireless security cooperate. I haven’t looked that hard.)


Every time I have to interact with a "captive portal", I'm annoyed at the hack implemented through DNS hijacking, rather than implementing and extending 802.1X and/or another layer-2 authentication scheme. The idea seems to have been tossed aside entirely. Instead, every device has to have a web browser. There's not even a way to do surrogate registration for devices that don't have browsers, with Apple TV and Nintendo Switch at launch (added later) being prime examples. IoT and headless gear is also a pain. On trips, I end up bringing my own travel router and using my laptop to auth it by proxy, but it's another thing to remember to bring.


I have a work laptop (government) that hates captive portals. It has a security system that won't let it connect using the local DNS. So it doesn't get captured. Those of us with such laptops all have tricks for getting to a hotel's wifi login page using IP addresses. But we have to do it fast, before the security software fully wakes up and blocks the hack.

We used to just login on our phones, then tether the work laptop to the phone over USB. The security people caught up to that a couple years ago and disabled USB tethering. So now I alter my laptop's MAC to be the same as that from the work laptop. That tricks about 90% of hotel wifi into allowing the work laptop to connect without need of a splash page. But for the other 10%...

(Not a joke, I do this) I sometimes login to the hotel wifi on my personal phone, tether that phone to my personal laptop, then setup that laptop as a router. The work computer can then connect to the wifi from the personal laptop, which tethers into the phone, which is on the hotel wifi. All of this just avoid another ridiculous wifi login page.


Why not just get a travel router and be done with all the “hacks”. They are so small these days they take up very little space. With mine I get connected to hotel WiFi then all my family devices just connect to it, just like they are at home. I even tunnel all hectic traffic back home through a Tailscale exit node.


> I have a work laptop (government) that hates captive portals. It has a security system that won't let it connect using the local DNS.

Does the OS not pay attention to DHCP option 114:

    This document describes a DHCP option (and a Router Advertisement
    (RA) extension) to inform clients that they are behind some sort of
    captive-portal device and that they will need to authenticate to get
    Internet access.  It is not a full solution to address all of the
    issues that clients may have with captive portals; it is designed to
    be used in larger solutions.  The method of authenticating to and
    interacting with the captive portal is out of scope for this
    document.

* https://datatracker.ietf.org/doc/html/rfc8910

* https://developer.apple.com/news/?id=q78sq5rv


It is more layered than that. The work machine initiates a VPN automatically at login. Once that VPN is up, all traffic goes through the VPN, including DNS. It will actively ignore/block anything that isn't coming from the VPN. So we do tricks to get to the hotel splash page before the VPN software wakes up. These are corporately-managed windows machines. The boot/login process isn't exactly quick.


Why do you try to solve the problem at all? Wouldn't it be better to say "sorry I can't do any work from this location because of our IT policy" and let your organisation sort it out if they need you to work from a hotel?


> I sometimes login to the hotel wifi on my personal phone, tether that phone to my personal laptop, then setup that laptop as a router. The work computer can then connect to the wifi from the personal laptop

Why go through a laptop? Isn't this exactly what generating a hotspot from the phone does?


This was the reason why I bought a travel router/wifi repeater. You connect your corp laptop to the travel router then use your phone to log into the hotspot. Hotels are now using Meraki Air Marshal to block them on 2.4Ghz networks though


I wasn't familiar with Air Marshal. I understand it complicates your work-around, but I'd probably pay extra to stay in a hotel that cared enough about security to deploy it


No, i think it's a great feature. Definitely increases security. I don't believe it works on 5GHz networks though.


I've been reading up on it. Seems like it sends spoofed de-auth packets to APs it deems "rogue". That sounds highly illegal.


Does the laptop also prevent wireless tethering to your phone? Turning your phone into a hotspot is pretty trivial, at least on iOS. I often have to do it due to similarly arcane security configuration settings on my work laptop.


Yes, but unless you have a phone with two wifi connections then you will have to use your cellphone's data plan rather than the hotel wifi. When traveling, doing a teleconference or having your work laptop perform a windows update over your cellphone data connection isn't cheap. We used to just tether to our work phones, but they locked that down after seeing the international roaming bills.


Connecting to wifi and enabling the hotspot at the same time works on my phone (pixel 5), it probably just uses different bands. It's pretty useful to avoid typing passwords twice.


Android on certain phones can hotspot a WiFi connection both over wireless and USB.


I don't know if it's more or less ridiculous, but I bring a small travel router running OpenWrt to do said bridging so I don't need to have my laptop running so I can use my Chromecast on the hotel TV.


> Nintendo Switch at launch (added later)

The Nintendo Switch actually had a browser either at launch or close to it, then removed it in an update, and didn't add it back until about 3 years later.

It's really hilarious that a device that touted its portability from the beginning was literally incompatible with most public Wi-Fi for years.


> Every time I have to interact with a "captive portal", I'm annoyed at the hack implemented through DNS hijacking, rather than implementing and extending 802.1X and/or another layer-2 authentication scheme. The idea seems to have been tossed aside entirely.

It has not: it's simply easier (less infrastructure) to not implement 802.1X.

Basically every corporate / enterprise-y password where you use your AD/LDAP credentials to log into Wifi has gone through the effort. Not everyone wants (or needs) to do that. (Source: recently implemented 802.1X as IT when we moved to a new work office.)


neverssl.com
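An added example (not from the thread, not from neverssl.com) of the logic behind both the OS captive-portal check and the manual neverssl trick discussed above: send a plain-HTTP request whose answer you already know, and treat any other answer as a sign that something in between rewrote it. The probe hosts, the portal hostname and the HTTP responses below are constructed; the neverssl-style body marker is an assumption, not that site's real markup.

```python
"""Classify the answer to a plain-HTTP connectivity probe the way OS captive
portal detectors do. Added example; responses are constructed, not captured."""
from urllib.parse import urlsplit


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_probe(raw, probe_host, expect_status=204, expect_marker=b""):
    """Return ("open", None), ("captive", portal_url_or_None) or ("unknown", None).

    The probe is an HTTP (not HTTPS) request the client knows the answer to:
    a 204 with an empty body (generate_204 style) or a 200 whose body contains
    expect_marker (neverssl style). Anything else means something between us and
    the probe host answered instead: a portal redirect, or a DNS hijack that
    serves the login page directly under the probe host's name."""
    status, headers, body = parse_http_response(raw)
    expected_body = expect_marker in body if expect_marker else body == b""
    if status == expect_status and expected_body:
        return "open", None
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "")
        # A redirect away from the probe host is the classic portal intercept;
        # the Location is the page to open (or to reach by IP, as above).
        if urlsplit(location).hostname not in (None, probe_host):
            return "captive", location
        return "unknown", None
    if status == 200:
        return "captive", None        # content swapped in place (DNS hijack style)
    return "unknown", None


# Constructed sample responses.
OPEN_204 = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
PORTAL_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://portal.hotel.example/login?cont=http%3A%2F%2Fprobe.example%2Fgenerate_204\r\n"
              b"Content-Length: 0\r\n\r\n")
PORTAL_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 49\r\n\r\n"
              b"<html><body><h1>Welcome aboard</h1></body></html>")
NEVERSSL_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><head><title>NeverSSL - constructed</title></head></html>")

if __name__ == "__main__":
    print(classify_probe(OPEN_204, "probe.example"))
    print(classify_probe(PORTAL_302, "probe.example"))
    print(classify_probe(NEVERSSL_OK, "neverssl.example", 200, b"<title>NeverSSL"))
```

This is also why the probe has to be plain HTTP: over HTTPS the portal cannot rewrite the answer without a certificate error, so the client would see a TLS failure rather than a login page, which is the "blocked" the government-laptop commenter above is fighting with.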


How does one learn about this stuff? I learned about basic networking in college (the TCP layers) etc but people doing such stuff sounds like Greek to me.

If I want to learn more about what the author is doing, is there a resource like a udemy course or YouTube channel you guys can recommend?


Back before cellular data coverage was ubiquitous and cheap, getting on and using shoddy wifi was an essential skill for anyone with a laptop. The ability to lock onto a stable wifi router, piggyback on another network, or syphon some bandwidth from a network you shouldn't ... those with such abilities managed to book tickets or hotel rooms within seconds of a flight being cancelled. Or, if you were really evil, you kicked everyone in the terminal off the router, hogging all the bandwidth for yourself. At school I had a script to randomize my laptop's MAC every few minutes then reconnect to the school's network. Mine was the only laptop that never got throttled by the wifi police for using too much data in a given session.

I used to have a little wifi antenna on my car. Some called it "wardriving" but I called it being able to check my email while traveling.


Back in the day you needed to know this stuff to get things working. It was not that uncommon for routers not to have DHCP so you had to input the IPs by hand. I think this may have been even the default and DHCP had to be explicitly enabled (e.g. in Linux installing and configuring dhclient).

Also it wasn't that uncommon to expose a computer to internet through the router, so you had to make sure that computer didn't change its IP.

I think having to set these up yourself is the best way of learning them.


I remember ye ol’ port forwarding to get Xbox live to work


The vagueries of DHCP can be learned best with a home lab, IMO

Back in the day, setting up random hardware or VMs on an isolated subnet taught you everything you needed to know about low level network protocols like DHCP, STP, BOOTP, ARP, RARP, and how to sniff it all with Wireshark when you weren’t getting a lease

Containers have largely hidden this plumbing from us at a test/dev layer


I'd suggest a book. I was pretty happy with "Computer Networking: A Top-down Approach" by Jim Kurose. I find it more appealing that it starts with the upper layers (http), because I was more familiar with them.


From the authors’ website:

“You can't buy a hard copy of the 8th edition, but instead can rent (and then choose/pay to keep the hardcopy if you want a hard copy book). You can rent a copy or subscribe to Pearson+ from our publisher, or rent a hard copy or purchase a Kindle version from Amazon, or rent a hard copy from VitalSource.”

That’s just… odd!

http://gaia.cs.umass.edu/kurose_ross/index.php



It's probably intended to elide transfer of rights of first sale by tracking it as a rental with no intent to term in which to return.

It's bullshit.


Nice to see the name Jim Kurose here. Many years ago, I learned networking and C programming in his computer networks course at UMass. Such a great teacher and a real breakthrough class for me in understanding not just networks, but low level systems programming, computer architecture, and other things tangentially related to networks, I'm not surprised to hear his book is good.


Don't know about video courses, but Internet standards like DHCP are open and available on IETF.org. There are explanations on Wikipedia too. Also, if you're into Linux the HOWTO section on tldp.org can also be a big help for more practical stuff.


Get yourself a router that supports OpenWRT, install that on it and figure out what every configuration option does. Bonus points: setup WPA Enterprise on it and a DNS resolver.


Running an old PC or at least a VM that does OpnSense is even more versatile.


I prefer dd-wrt as I can’t be bothered with the complexity of open-wrt. I’m way too lazy.

Admittedly, it runs on much fewer platforms - meaning Raspberry Pi for me.


Most computer networks 101 classes teach only how their state machine is designed.

If you want to know "how to use them in the real world", some universities have "System Administration" courses that would be more suitable, or the certificate program (CCNP, CCIE, JNCIP and others) materials with their labs.


If you're ok working through a textbook, I found https://intronetworks.cs.luc.edu/current1/html/ to be a thorough course on all things networking.


What do they teach you at university nowadays??? When I was in university studying computer engineering (almost 20y ago) we were taught networking very thoroughly! Not only every technology involved but even the small details of how everything worked (from Ethernet cable based network using csma/cd to WiFi). We even studied ALOHAnet in detail!


Back in the day you would just follow The Linux Documentation Project's HOWTOs and set up each kind of software on a little computer on your home network and play around with things. Today there's nothing like that unfortunately. HOWTOs were abandoned for individual blog posts written for one specific use case at a time, and I know of no index of such blog posts.


I learned a lot at my student job in the university IT department troubleshooting why I could boot from my Xserves NetBoot server in one room but not another.

The rest I learned in the last year by switching to pfSense/Opnsense for my router/firewall.


I would take courses oriented towards getting your CCNA (Cisco Certified Network Administrator). It covers the basics while also teaching you a bit about navigating through a Cisco switch.


Start homelabbing. Set up your own network.


Read the RFCs.


I love that “internet reset” button


We laugh as IT experts.

But think about it from the end user perspective. Literally the most simple instruction; near fault proof. On an airplane that is thousands of feet from remote IT support (plus "costs").

The instruction to staff; problem with "the Internet"? - press the "Internet Reset" button.

Far better than "router restart", "renew DHCP leases" or "reboot IT"

Explicit, non ambiguous and without technobabble.

Brilliant.


What's interesting is that the button need not actually reset the Internet right away. It's actually a user signal that "customers are complaining the Internet does not work". The button could initiate a whole series of diagnostics and target a fix.


That sounds mainly like yet another thing that could malfunction.


Honestly, that should be the mindset of IT experts in general. Any reset/restart should fix everything and bring the system to a known functional state before doing any work.

Obviously you don't want to have to restart to fix issues, but having that as a fallback (especially for issues you didn't predict during development) is great UX.


Isn’t this the fundamental point of the push for impotency in configuration management tools?

You just need the state set to “good”, regardless of which bits need to change and current state. Hit the button and it makes it “good”.
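An added example (not from the thread, and not any configuration-management tool's code) of the property described above: a converge step that reads the current state, changes only what drifted, and restarts only when it changed, so pressing it twice does nothing the second time. That is what separates "make it good" from a reset button that bounces every client every time. The device, its settings and the target values are constructed for the example.

```python
"""Idempotent 'make it good' for a device: compute desired state, change only
what drifted, restart only when something changed. Added example; the device
and its settings are constructed, not any vendor's API."""


class Device:
    """Stand-in for the box behind the button; records writes and restarts."""

    def __init__(self, state):
        self.state = dict(state)
        self.writes = 0
        self.restarts = 0

    def read(self):
        return dict(self.state)

    def write(self, key, value):
        self.state[key] = value
        self.writes += 1

    def restart(self):
        self.restarts += 1


DESIRED = {                       # constructed target state for the example
    "dhcp.lease_seconds": 3600,   # short leases so churned seats free their addresses
    "dhcp.pool": "10.10.0.0/16",  # more than one /24 worth of leases
    "firewall.forward_policy": "drop",
}


def plan(current, desired):
    """The subset of desired settings that differ from the current state."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def converge(device, desired=DESIRED):
    """Apply only the delta; restart only if something actually changed.

    Running this twice in a row does nothing the second time, which is the
    property the labelled button lacks."""
    changes = plan(device.read(), desired)
    for key, value in changes.items():
        device.write(key, value)
    if changes:
        device.restart()
    return changes


def reset_button(device):
    """What the labelled button does: unconditional restart, no state check."""
    device.restart()


if __name__ == "__main__":
    box = Device({"dhcp.lease_seconds": 86400, "dhcp.pool": "192.168.1.0/24",
                  "firewall.forward_policy": "accept"})
    print("first run:", converge(box))
    print("second run:", converge(box), "restarts so far:", box.restarts)
```

The second run returning an empty plan is the test to write for any "fix it" operation: if running it against an already-good system produces writes or restarts, it is a reset, not a converge, and on a saturated link every needless restart is the client storm a later comment in this thread describes.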


> Isn’t this the fundamental point of the push for impotency in configuration management tools?

FYI, The word you're looking for is idempotence (EYE-dem-poh-tense).


Thank you. I thought this was some reference to giving people config options that don’t actually do anything.


No, just phone autocorrect, and too late to edit it.

Typing too fast and not paying attention.

Although I do like your interpretation. Maybe I’ll call poorly implemented or useless functions impotent from now on.


Yes, autocorrect.


Hence Erlang. When in doubt, restart the part of your application with bad data.


I refuse.

I stand my ground on using quotes.

"Reset" "Internet".


If that's your attitude, you may as well rename the button "Appease Machine Spirit" and attach a few purity seals to it.


That's a bad name for the button because now the staff have to remember what it's for.


agreed. It’s a great solution for a flight crew that is most likely unable/unwilling to troubleshoot stale DHCP leases or bouncing ifaces. The only disadvantage is that if the Internet reset button doesn’t work for whatever reason, the FAs will mark the entire system INOP for your entire six hour cross country flight that you planned to work on...


Immutable OS FTW!


I'm a priest who was a software engineer for twenty years. This morning during the service in a small semi-rural church, the bluetooth speaker broke. I paused the service briefly, joked that I knew what to do, and turned it off and on. The IT Crowd got that part of the industry right!


Wow why the career change?


it's a complicated answer: faith is at the heart of it, of course. In Christianity there's the idea of vocation, which applies to all, not just the clergy. A simple way to think about it is to consider the things you're good at, the things you can do that will serve others, and what you enjoy: imagine that as a Venn diagram, and try to discern what lies in the middle for you.

My software skills still play a part in what I do. But seven or eight years ago now I felt drawn to explore a vocation in ordained ministry – after study, a formation programme, completing a Masters degree in Divinity, and a lot of thought and prayer, here I am. It's the happiest I've ever been. Which isn't to say that it hasn't been difficult: being a cleric is not easy work.

Intentional discernment about vocation really has made my life a lot happier, and it's something I talk about a little because it's of value to other people as well.

(I'm in the Anglican [in the states, Episcopalian] tradition, but the process of ministerial formation is very broadly similar between the various mainline protestant denominations and Roman Catholicism.)


Paying penance for using Angular 2.0 (had to insert some random technology to make my silly joke work)

Software engineer turned priest, perfect story for HN on Christmas Day, do tell!


Yes, don't leave us hanging (on Christmas, no less!).


I don’t remember seeing a button on the internet when watching a documentary about an IT team that gave their manager the box that controls the internet. Only had a red led. This must be a new version of the internet.


Are you sure you’re not thinking of The IT Crowd? https://youtu.be/iDbyYGrswtg


That’s it! That’s the documentary! Weird choice for a documentary to have the laugh track though.


it's because truth is funnier than fiction


After it was dropped they had to do a v2


I believe the “Button for the Internet” is the Browser - Internet Explorer.


I don’t have a browser on my computer. Can you help me install it?


Sure, just Google for Firefox and install that.


This must be something language/culture dependent. To a native Finnish speaker, labeling the button that resets the internet connection as "internet reset" makes perfect sense. Just like the power button only switches the power on/off for that particular device but not for the rest of the world.


The entire commercial aviation industry operates using the english language. All pilots communicate with all airports via english. I'm sure FAs are most proficient in english too. It's the lingua franca of the biz.


I meant that I would label the button that resets the internet connection "internet reset", and there would be nothing weird or amusing about that. Because my native language is Finnish, English words often have subtly different meanings to me than to a native English speaker, even when we agree on the literal meaning of the word.


I think we’re ready for ‘Lingua Anglica’.


Actually reset is kinda weird term.

Internet is not working. Solution: set it again to working condition, thus reset Internet.

Sometimes it is pointless to go to technical details. I was on flight with issues with infotainment systems, they fixed it by restarting them. Or reset.


This is a very confusing message.

The "internet reset" message makes sense in all languages that I know. Same with the power button.

What do you think they mean in other languages?



Don't press it too often, or you'll hear cursing from the cockpit.


Should be labeled "Turn Internet off and on again".


From an end user perspective the better label would be "Fix internet"


No. That would mean the button needs to stay pressed indefinitely.


Technically the button breaks the internet then fixes it.


Maybe it should be "press when in trouble".


> Obviously, one solution to the problem is that DHCP leases on planes should be drastically shorter, like at 1 hour intervals. Secondly, the number of leases should be drastically increased.

Why isn't the solution as simple as, "Reset the Internet at every flight turnover"? Once the plane lands and (almost) everyone deplanes, hit the button as another step in crew handover.


Between “crew has to remember to hit the button” and “everything just works,” I have a strong preference for the second one.


That would help, but I can imagine that on larger planes, especially if people connect their phone, then later their laptop, and so on, you could hit the limit of a 192.168.x subnet even during a flight.


15+ years ago, I had the same problem at a Starbucks. I asked the cashiers to reboot the modem, but they didn't understand why. Then I showed my new Microsoft certification card which has MCSE and a few others and told them that "trust me, I know what I'm doing".

They called their manager, who was also surprised but decided to go along with it and restarted the modem, solving the problem. I remember all the employees were looking at me for the rest of my visit (which was a few hours because at that time I was working from Starbucks).

Glad I wasn't the only one :)


That happened to me also. The manager told me all employees had a MCSE and CCIE and they were not currently hiring, thank you...


That's adjacent to "Do you know who I am?" The problem with certifications is that they aren't a very good signal of quality employees because A+ and MCSx were on every resume along with SQL and Java. The best technical people I've known have few to no certifications to please HR, but maybe a Master's or PhD in CS or CCIE. Mostly, certifications have fallen by the wayside since 2008 apart from low-productivity businesses that aren't technology-focused.


I agree with this. Likewise, I unfortunately witnessed some colleagues who got certified through test leaks, and they sucked at their job.

Btw back then, Microsoft was suggesting to get the certifications after a few years in the industry. I received most certifications because my employers required them for some projects or customers. The last (MS) certification I got was around 2009, and I didn't need any of those during my developer years.


I would like a "Blessed by the Elders of the Internet" certificate for such occasions.


Deep in the granite mountain where the internet Kill Switch is located, there is also the US national Internet Reset switch.

What exactly, in this fictional universe, is the restoration flow if it is pressed?


You have to unplug the giant router and plug it back in like South Park did.

https://giphy.com/gifs/southparkgifs-l0Hlwi7KzoajIJTI4


The problem is it's incapable of running DD-WRT.


Instructs Intel ME to boot into TempleOS with a Gopher client and IRC.


[flagged]


I'll point out again that the moderators have said that posts with machine generated content are not welcome on HN: https://news.ycombinator.com/item?id=33950747


I find it really tedious when people just post direct paragraphs written by ChatGPT. I mean, we could all just go and ask chatGPT to write that right? It doesn’t add anything to the conversation.

Sorry if that sounds harsh but I can’t think of a better way to post it and honesty felt like the best approach.


Back when my company was a tiny startup the old nyc building door had an intercom buzzer and physical keys. To make it easier to get in I wired a raspberry pi w/relay into the intercom and built a web UI. The pi setup wasn’t solidly reliable for weeks at a time, but fortunately it was plugged into an outlet with a light switch so everyone knew to turn it off and back on again. But since it was by the door, no matter the labeling from time to time we’d come in to find it turned permanently off.


DHCP is broken all of the time in these inflight WiFi systems. After they reset, you need to wait forever for the portal to turn up after which point there's a storm of clients trying to create or re-establish an Internet session which usually saturates the super small link unless it's satellite-based (and sometimes even then)


I upvoted this in the futile hope that the right person sees it.


The problem is that the person reporting this needs to identify the provider or nothing will get done.

The plane usually tells you if the WiFi is provided by viasat, anuvu, or any of the other big players.

These companies program this stuff before it goes into the aircraft and the airline IT has no access to this stuff.

Without the missing info, it’s almost impossible to trace this.


Would need to know which vendor. I used to work for a company that provided satellite Internet solutions for airplanes, but it might not be what OP used.


In my mind, probably either Panasonic Avionics or Gogo.

If this debugging is true... I'd guess Panasonic from experience working there.

Things like an office scavenger hunt usually took priority over actual work.


I believe Gogo was/is just a thin wrapper of HughesNet hardware and satellites. So if it was Gogo we'd likely need to report the bug to Hughes.


Gogo was bought out by Intelsat, so that reduces the amount of possible sources.


It’s fun how a sorta absurd term like “reset the internet” now has an obvious meaning, usually resetting whatever access point type device is nearest the person resetting it.


> Apparently in the front near the entrance/exit, there's a button simply labeled "INTERNET RESET" that she presses whenever a customer complains.

I worry that this is actually part of a RESTful interface. In that case it probably garbage collected erratarob et al, replacing them with a fresh version of our universe's page that had working internet for that plane.

Until someone proves me wrong we probably shouldn't press that button again...


Reminds me of when our router failed at work. Every machine got booted off the network, except mine. Digging in, my machine somehow got assigned an IP that looked like our public facing IP, not a local address.

We replaced the router, but the problem turned out to actually be that a construction worker had accidentally cut our fiber line.

Absolutely no clue how my laptop got to the internet. It must have failed over to some other WiFi network or something.


Why don't laptops randomize their MACs?


Devices tend to support randomization by default these days but it comes in multiple types: scanning, persistent, per ssid, or full random. Full random is not typically used, particularly if a captive portal is detected, because it breaks connectivity.


Probably because no desktop OS I know of randomizes MAC addresses by default. How many people are gonna enable that manually? At least Android (and I think iOS) default to random addresses.


I believe recent versions of macOS also perform MAC randomization by default.


Because they're connected to the network. Seriously.

It's like "why do recursing DNS servers spam queries if they don't get an answer within 10 milliseconds?" To give you an idea how shortsighted this is, a production grade DNS server doing this also supports response rate limiting (warfighting capability which treats the spamming as spam), and the recursing DNS server is supposed to be caching and should be trying to optimize "whole of page" to achieve so-called "happy eyeballs".

To give you a somewhat more technical explanation, a MAC address can be permanently tethered to an IP address (so that each time it connects it always gets that address on that particular network). When that is not done (when there is no association for a particular MAC), an address is assigned from a (finite) pool. In some deployments the finitude of the pool provides a "fusible link" for defense in depth against some forms of resource exhaustion.

The MAC address is visible regardless of whether or not a device is connected to a network: it is an address (it has broadcast and multicast too). When devices are not connected to a network and want to go around mumbling "notary sojack" (with a major 0) to every man + dog + keyhole to see who/what responds there's no downside for them doing it; at least, I haven't seen any hostapd option for running a tarpit like we do for some level 3/4 services (the first attempt is rejected; sometimes the entire TCP handshake is completed and at the app level the server says "not now, try later").

Once they're connected to a network there's a network stack with DHCP, ARP and server state. The set of MAC addresses is orders of magnitude larger than the set of IP addresses in a DHCP pool. It doesn't "hand out an address" as the first order of business; it records your MAC address and gives you an address from the pool. Addresses return to the pool when the lease expires or when they're observed not to be in use. (There is a DHCPRELEASE op but crappy software so defense in depth doesn't rely on clients cleaning up after themselves.)

Once you've got an IP address associated with a MAC address associated with your network interface it looks like a LAN segment on the internet. If somebody on the segment wants to send a packet to that IP address they use ARP to ask what hardware machine code (MAC) do I address a packet to this IP address to? (IP addresses are a layer of indirection)

Beyond that the LAN segment is connected to other segments with a router. The router knows things about topology that you're not supposed to know, and more importantly that random peers elsewhere on the internet aren't supposed to know. If you were on a LAN segment connected with a hub, you'd have some idea what other internet addresses were active on that segment. You can make an educated guess about what addresses are allowed (by the router) on that segment based on the broadcast mask; you could perhaps ping addresses within the broadcast range to see which ones are / aren't in use and hijack one of them.

What happens to packets which are part of a session which are in-flight when an IP address changes? Quite frankly, many applications very wrongly presume that an address (or DNS name, but that's out of scope) is some form of identity. TCP has no way to change one of the addresses mid-session. So you're not going to be changing the IP address with garden variety cloud services.

Now we've got the problem defined: what happens if the MAC address associated with an address changes? First off, packets coming from the router destined for the old MAC address based on the cached IP -> MAC association are going to start dropping. Or be intercepted: what's to stop some joker from grabbing such an address and claiming the "legitimate" holder is the impostor?

(I wouldn't be so sure that you can't see wifi traffic which isn't addressed to your MAC if you've successfully authenticated to a wifi network. It's more like a hub, at least if you're connected to the same AP.)


Captive portals


> Obviously, one solution to the problem is that DHCP leases on planes should be drastically shorter, like at 1 hour intervals. Secondly, the number of leases should be drastically increased.

Or just hit the 'internet reset' before each boarding, why are they over complicating this?


All the WiFi vendor had to do was use a properly-sized subnet like 10.N.0.0/16, but no, they couldn't provide something better than a shitty retail home router with an aviation-grade reset button panacea.
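The lease-pool exhaustion walked through in the long DHCP comment above, together with the two remedies raised just now (shorter leases, a larger subnet), as an added toy simulation that is not from any commenter or vendor: a finite pool keyed by client MAC, addresses returned only on lease expiry, randomized MACs arriving with each boarding, and a `reset()` standing in for the "INTERNET RESET" button. Subnets, lease times and passenger counts are constructed sample values.

```python
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class DhcpPool:
    network: str        # constructed sample, e.g. "192.168.1.0/24"
    lease_seconds: int  # how long an address stays bound to a MAC
    leases: dict = field(default_factory=dict)  # ip -> (mac, expiry)

    def __post_init__(self):
        hosts = [str(h) for h in ipaddress.ip_network(self.network).hosts()]
        self.free = hosts[1:]  # first host (.1) reserved for the gateway

    def _reap(self, now):
        # Return expired leases to the pool; clients are assumed never to DHCPRELEASE.
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]
                self.free.append(ip)

    def offer(self, mac, now):
        """Renew an existing binding for `mac`, else allocate; None if exhausted."""
        self._reap(now)
        for ip, (m, _) in self.leases.items():
            if m == mac:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def reset(self):
        self.leases.clear()   # the 'INTERNET RESET' button: forget every lease
        self.__post_init__()


def random_mac(rng):
    # Locally administered (bit 1 set), unicast (bit 0 clear) first octet, as phones generate.
    octets = [(rng.randrange(256) & 0xFC) | 0x02] + [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in octets)


def simulate(pool, boardings, passengers, seconds_between_boardings):
    """Count passengers left without an address over successive boardings."""
    rng, failed = random.Random(1), 0
    for b in range(boardings):
        now = b * seconds_between_boardings
        failed += sum(pool.offer(random_mac(rng), now) is None for _ in range(passengers))
    return failed
```

With a /24 and 24-hour leases, the second and third loads of 200 passengers two hours apart mostly get nothing; 1-hour leases or a /16 pool leave nobody stranded.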


For what it’s worth, dual stack with IPv6 + DNS64/NAT64 would be a great solution here, as well. SLAAC and a /64 would make it pretty unlikely for this kind of failure mode to occur.


I used to work at one of the larger IFE providers and we were always being asked to make the system as dumb as possible because flight crews hated supporting them. Not surprising to see this exists.


There's another one in the cockpit, marked "Avionics Reset".


You joke, but there absolutely are procedures in some airplane QRMs that involve cycling breakers.


Interesting. The "minimum F/A's required: 5" sticker suggests it's a pretty big plane that holds around 250 passengers. So it probably happens less often on smaller planes.


Probably a narrowbody though. I've been on overseas flights on widebodies where there were ~20 F/A's.


The author has more courage than me, opening “hacking tools” (Wireguard and Terminal) on an airplane.

(Yes, I know they’re not actually hacking tools, but try explaining that to a random flight attendant.)


"These are not hacking tools, I work in IT and these are harmless diagnostics for my laptop" seems pretty simple


Sounds appropriate... - https://youtu.be/kBLkX2VaQs4?t=92


Always good to see something from Rob.

Question would be how high in the management chain did that have to go before an "internet reset" button was added to a plane.


I had an Internet connectivity problem on a JetBlue flight recently that I couldn't figure out. I could see the captive portal, with a URL like "planSelectionPage". I would check the agreement and hit "Let's go", and some JavaScript would trigger and look like a new page was loading, but it would just stay on the same page. It happened on both Firefox and Chrome. My phone connected without a problem.

I wasn't sure how to debug it.


Hacking WiFi on a plane is a sure fire way to get yourself added to the no-fly list.


Note that what the author did could have been done in a purely passive way, just by capturing packets and seeing the DHCP responses others got. I don't think that qualifies as "hacking".


Tell that to the judge then.


The ignorant masses demonize what they don't understand. If you don't appreciate the subtleties of passive investigation vs. offensive intrusion, then why are you even here?


A layman only sees a terrorist hacker interfering with the operation of an airplane. The no-fly list at best or Gitmo at worst.


What was hacked?


Running hacker tools against aircraft operations will get you easily indicted. This can be seen as probing an aircraft's defenses for weaknesses.


Define a hacker tool - is the whole computer a hacker tool because it could be used by a hacker? How do we define tools that can be used both legitimately and illegitimately? The tools used were common network diagnostic tools.


It's what the Feds decide to indict you with when you get caught, or are daft enough to put up a blog saying you did on an airplane.


good thing he didn't do any then lol



