Internet access through wifi - data log - wifi

What information about a user is passed on or stored in the service provider's network while the user accesses the internet using wifi?

If you're talking about the internet service provider, then it doesn't matter whether you're using wifi or a wired connection; these are the sorts of things that will typically be logged:
your IP Address
Page visited
Overall downloaded amount
Overall uploaded amount


Connecting using SnowSQL denied 403 error

I am trying to configure JDBC but keep getting the same error I get using snowsql:
250001 (08001): Failed to connect to DB. Verify the account name is correct: JG3409.canada-central.azure.snowflakecomputing.com:443. 000403: 403: HTTP 403: Forbidden
If the error message is unclear, enable logging using -o log_level=DEBUG and see the log to find out the cause. Contact support for further help.
Goodbye!
I have configured the config file, and I have double checked the account, company, region, reset password to only use alphanumeric.
I have used both forms of the URL
The only possibility is that I am using a trial account, but I can't imagine that this would limit external non-browser connections?
I use a simple user/password, I have whitelisted my IP, and I don't have a problem with a proxy or a firewall. I can successfully connect using a browser, using:
https://app.snowflake.com/canada-central.azure/jg63409
Important contents of the config file:
[connections]
accountname=JG3409
#accountname=uegxydq-pz20606
region=canada-central.azure
username=ASHSNOWFLAKE
Any ideas?
Your account is not JG3409 but JG63409 based on this link:
https://app.snowflake.com/canada-central.azure/jg63409
Try in your browser:
https://jg63409.canada-central.azure.snowflakecomputing.com
I found out using snowcd that my computer could not connect via my home router.
When I used my personal hotspot on my (5G) phone, snowcd passed all the tests immediately. The problem then arose of how to adjust the network security policy to allow a CIDR block of network addresses through, since my phone uses a new address every time I connect, and I can't edit the policy to allow my phone while connected via my phone (for obvious reasons).
Catch 22.
123.45.0.0/16 is not accepted in the new Snowflake UI, and 0.0.0.0 doesn't work for me, but the documentation gave me a clue: the new UI doesn't separate by commas, so I switched to the old UI and voila!
Incidentally the OLD UI uses the same URL as SnowSQL so I picked up my error in my account number there as well (although I should have seen it earlier).
Diabolical but thanks #Sergiu too!
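The two policy problems in this thread (a bare 0.0.0.0 not opening the policy, and a hotspot whose address changes on every connection) come down to how CIDR entries in an allowed list are matched. The following is an added example, not code from the thread or from Snowflake; it assumes the documented shape of a Snowflake network policy (comma-separated CIDR entries in an allowed list and an optional blocked list, with blocked entries taking precedence) and uses constructed addresses:

```python
"""Check whether a client IP is admitted by a Snowflake-style network policy.

Added example, not from the original thread. Assumes the policy semantics
documented for Snowflake network policies: allowed and blocked lists are
comma-separated CIDR ranges, a bare address is a single host (/32), and a
blocked range wins over an allowed one. All addresses below are constructed.
"""
import ipaddress


def parse_ip_list(value: str) -> list:
    """Parse a comma-separated list of CIDRs or bare IPv4 addresses.

    A bare address such as '0.0.0.0' is treated as a single host (/32), which is
    why it does not open the policy; only '0.0.0.0/0' matches every address.
    """
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False also accepts entries with host bits set, e.g. 10.1.2.3/24
        networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks


def is_admitted(client_ip: str, allowed: str, blocked: str = "") -> bool:
    """True if client_ip is inside some allowed range and inside no blocked range."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in parse_ip_list(blocked)):
        return False
    return any(ip in net for net in parse_ip_list(allowed))


def covering_prefix(observed_ips) -> ipaddress.IPv4Network:
    """Smallest single CIDR covering every observed address (a hotspot that changes IP).

    This is the minimal supernet; it may admit far more addresses than were
    observed, so look at its prefix length before putting it into a policy.
    """
    if not observed_ips:
        raise ValueError("need at least one observed address")
    nets = [ipaddress.IPv4Network(ip) for ip in observed_ips]
    net = nets[0]
    for other in nets[1:]:
        # widen the prefix one bit at a time until it also contains `other`
        while not other.subnet_of(net):
            net = net.supernet()
    return net


if __name__ == "__main__":
    policy = "123.45.0.0/16, 198.51.100.7"          # constructed allowed list
    for ip in ("123.45.67.89", "198.51.100.7", "203.0.113.9"):
        print(ip, "admitted" if is_admitted(ip, policy) else "rejected")
    print("0.0.0.0 alone admits 123.45.67.89:", is_admitted("123.45.67.89", "0.0.0.0"))
    print("hotspot prefix:", covering_prefix(["123.45.10.7", "123.45.200.3"]))
```

Run `covering_prefix` over a handful of addresses your hotspot has actually been given before widening the policy; if it comes back as /16 or wider you are admitting the carrier's whole pool, and a second factor or a client-side tunnel with a fixed egress address is the better fix.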

Determine the name of a company that is using an IP address, not the issuer of the IP address

I visited a website today from work in a private browser session (no other cookies stored). I have never visited the site before and our company does not have an account with them. After the page loaded, an animated greeting said "Welcome XXX" where XXX is the name of company I work for. I don't understand how this is possible.
How can I get the company or person name that was issued the IP, from an IP address?
Note that answers from here are giving the name of the issuer of the IP address. For example, the issuer of our IP address is the cable company, just like for a non-business customer. When I do a lookup with http://ipinfo.io or similar services, I get the name of the company that issued and manages the IP address (the cable company) and not the name of the person or company that uses it.
Note that one idea that came to mind for how someone got this data from our IP address is companies like https://segment.com. I saw this in the "BuiltWith" data for the website I visited. Segment has enough tooling to be able to map an IP address to a company name through matching data from other services. For example, our company has accounts under our company name with 3rd parties that may also use Segment.
Data from multiple Segment accounts would easily allow building a database with valid user names and other data that could be sensitive and matching it with IP addresses. But as far as I can see, Segment does not offer this directly as a feature. So I'm still lost as to how a website knew the company I was working for just by me visiting the page.
Some IP geolocation providers such as Ipregistry or Ipinfo provide a field that includes a company name for a given IP address. It works well in some contexts but it can fall back to the ISP or ASN organization in charge of connection as you noticed.
How can websites spy on you even when you are using incognito mode? Just because you are using a private browser session and cookies are not stored does not mean there is no way to identify you. There are methods known as browser fingerprinting:
https://en.wikipedia.org/wiki/Browser_fingerprint
Besides, as you noticed, there are companies that collect a lot of data from authenticated users (including IP address and company name as entered by the user). Based on this information you can create a model that correlates data from authenticated users with an IP address: if an unknown user A connects from IP X, and more than 70% of the authenticated users in the past that belong to company C used the same IP X, then A is most probably working for or connecting from company C. Again, this is not perfect, but it works pretty well depending on the context.
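The correlation described in that answer, written out as an added example (this is illustrative code, not anything from the answer, from Segment or from a geolocation vendor). The login records are constructed; the 70% threshold follows the answer, and the minimum-users guard and counting each user once per address are assumptions added so that one heavy user or a single past login cannot label a whole address:

```python
"""Attribute an anonymous visitor's IP to a company from past authenticated logins.

Added example, not part of the original answer. For every IP it counts which
company each authenticated user who signed in from that IP belongs to, then
attributes a new anonymous visit from the IP to the majority company when that
company's share of distinct users exceeds a threshold. Records are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample of authenticated sessions: (ip, user_id, company_as_entered)
LOGINS = [
    ("203.0.113.10", "alice", "Acme Corp"),
    ("203.0.113.10", "bob", "Acme Corp"),
    ("203.0.113.10", "carol", "Acme Corp"),
    ("203.0.113.10", "dave", "Globex"),       # a contractor on Acme's network
    ("198.51.100.7", "erin", "Initech"),
    ("198.51.100.7", "frank", "Initech"),
    ("192.0.2.44", "grace", "Acme Corp"),     # two users behind one home address
    ("192.0.2.44", "heidi", "Umbrella"),
]


def build_ip_profiles(logins):
    """Map each IP to a Counter of companies, counting each user once per IP.

    Counting distinct users rather than raw sessions stops one frequent user
    from dominating the attribution for a shared address.
    """
    seen = defaultdict(set)
    for ip, user, company in logins:
        seen[ip].add((user, company))
    return {ip: Counter(company for _, company in pairs) for ip, pairs in seen.items()}


def attribute(ip, profiles, threshold=0.7, min_users=2):
    """Return the company to attribute `ip` to, or None if the evidence is too weak.

    `threshold` is the share of distinct users that must belong to the majority
    company; `min_users` stops a single past login from labelling an address.
    """
    counts = profiles.get(ip)
    if not counts:
        return None
    total = sum(counts.values())
    if total < min_users:
        return None
    company, n = counts.most_common(1)[0]
    return company if n / total > threshold else None


if __name__ == "__main__":
    profiles = build_ip_profiles(LOGINS)
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.99"):
        print(ip, "->", attribute(ip, profiles))
```

The shared office address is attributed to Acme Corp even though a contractor from another company also logs in from it (3 of 4 distinct users), while the home address with one user from each of two companies and an address never seen before both come back as unknown. That is the same "works in some contexts, falls back otherwise" behaviour the answer describes.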

openWRT basic auth system

I am trying to implement a very basic auth system that will grant internet access through a non-password router (TP-Link TL-WR841ND) on a form post to a URL. The TP-Link has OpenWrt installed.
I have searched around and have evaluated a few options such as chilli, coova-chilli and wifidog, but as far as I can understand they require RADIUS on an external server to perform auth, which I would like to avoid since it's more complicated than what I am willing to take on.
I was wondering if it is possible to achieve this using iptables or traffic rules.
The desired flow:
Users connect to the non-password wifi
Users try to access any URL
Users get redirected to the router's www/ where the HTML form lives
Users post the form to the URL [myauthservice.com] (the only permitted IP)
A response is received from the URL [JSON, XML]
The router allows the user to browse freely over the internet for their session
Any ideas, suggestions are welcome!
Have you tried Nodogsplash?
The authentication part:
https://github.com/nodogsplash/nodogsplash#51-site-wide-username-and-password
Installation:
http://wiki.openwrt.org/doc/howto/wireless.hotspot.nodogsplash
Nodogsplash can be a captive portal in user-and-password mode, but it can't do vouchers or a per-user time limit on internet access. I want to sell a voucher to each user with a time limit or a data-usage limit, plus more features: bandwidth limit, multiple logins, time + bandwidth. Can anyone recommend something to me?
Try wifidog.

Authorize users at a machine level?

Is it possible to authorize users at a machine level? For example, only when using authorized computers (my personal laptop or other managers' PCs) can one get access to the admin page? Any other computers should either get a denial-of-access message or something else. Authorized computers may still provide their own admin username and password in case people could fake a machine's identity, maybe. I'm not a security expert though.
Correct me if I misunderstand, but you are asking to only allow visitors on specific machines to access your website?
Jumping right into a solution here. The first question is how do you know which machines are the managers' machines? Do you have a list of their IP addresses? Do you have some other ID on them?
If you have their IP addresses, then IP-whitelist them and block all other IP addresses.
If you do not have their IP addresses, then you are limited. There is no machine ID that can be accessed through a web browser, so you'll need to create your own ID by setting a long-lived cookie and a registration process.
Since you already have a login process, this next part is fairly easy. You've used this solution before. When you sign in to Google Mail and click "remember me" and don't need to sign in the next time your computer restarts, Google has basically marked (set a cookie on) your machine as yours.
Now, if you want to get super fancy, enterprises have NAC set up. Every system is identified before being allowed to connect to the network. Certain systems are given more access than others. For example, at a software development company, engineers may be given access to a production network while sales staff are not. When they connect, sales staff are moved to a restricted VLAN after identifying who they are and who the machine belongs to. If that were the case for your company, then you would whitelist an entire subnet block.
Last point. Chase bank uses the machine cookie concept like so: the first time you log in they ask for your username and password. Then they send a code to your phone or some third-party channel. After you enter the code, they set a machine cookie (same old cookie). The next time you log in, they ask for username and password, then look for the machine cookie. If the machine cookie is there, then they don't make you enter the code again.
You could make that your registration process, except you provide the manager with a code they can enter. I don't think you want to get much more complex than a static password to register the machine, but if you did, you can generate one-time tokens following the spec in RFC 4226.
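The registration flow from that answer (one-time code entered once, then a long-lived machine cookie checked on every later login) as an added example; it is not code from the answer or from any bank. The HOTP routine is the RFC 4226 algorithm, the cookie format, the server key, the 90-day lifetime and the look-ahead window are assumptions made for this illustration:

```python
"""Register a machine with a one-time code, then recognise it with a signed cookie.

Added example, not from the original answer. The manager enters an HOTP code
(RFC 4226) once; the server then sets a long-lived machine cookie that is an
HMAC-signed device id bound to the username and an expiry. Later logins still
require username and password, and the code prompt is skipped only when the
cookie verifies. SERVER_KEY and the cookie layout are constructed for this example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

SERVER_KEY = b"constructed-server-side-secret"   # in practice load this from a secret store
COOKIE_LIFETIME = 90 * 24 * 3600                 # 90 days, an assumed policy
SIG_LEN = hashlib.sha256().digest_size           # 32 bytes appended to the payload


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, submitted: str, window: int = 3):
    """Accept a code for counter..counter+window; return the next counter to store, else None.

    Constant-time comparison avoids leaking how many digits matched. The caller
    must persist the returned counter so the same code cannot be replayed.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def issue_machine_cookie(username: str, now: int = None) -> str:
    """Cookie value = base64url(device_id '.' username '.' expiry || HMAC-SHA256(payload))."""
    now = int(time.time()) if now is None else now
    payload = f"{secrets.token_urlsafe(16)}.{username}.{now + COOKIE_LIFETIME}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).rstrip(b"=").decode()


def verify_machine_cookie(cookie: str, username: str, now: int = None) -> bool:
    """True only if the signature verifies, the cookie is bound to `username` and it has not expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie + "=" * (-len(cookie) % 4))
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        _device_id, rest = payload.decode().split(".", 1)
        user, expiry = rest.rsplit(".", 1)    # usernames may contain dots; expiry never does
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return user == username and expiry > now


def login(username: str, password_ok: bool, cookie: str, hotp_secret: bytes,
          counter: int, submitted_code: str = None):
    """Login decision: (allowed, new_cookie_or_None, next_counter)."""
    if not password_ok:
        return False, None, counter
    if cookie and verify_machine_cookie(cookie, username):
        return True, None, counter                     # known machine, skip the code
    if submitted_code is None:
        return False, None, counter                    # unknown machine, code required
    next_counter = verify_hotp(hotp_secret, counter, submitted_code)
    if next_counter is None:
        return False, None, counter
    return True, issue_machine_cookie(username), next_counter
```

The RFC 4226 test vector (secret `12345678901234567890`, counter 0 gives 755224) is a quick self-check for the HOTP half. The cookie deliberately carries no session state of its own: it only proves that this browser once completed the code step for this username, which is exactly the role the answer describes.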
You can't restrict access to a specific computing device (as there are many types of devices used and there's no universal thing to bind to), but depending on your application design you can still solve your problem. You need to bind not to the computer, but to another hardware device which is not possible to duplicate.
One such device is a hardware crypto token or crypto card with a certificate and a private key in it. The user plugs the device into a USB port or a card reader respectively, then authenticates to the server using the certificate and private key stored on this device. Client-side authentication using certificates is a large but well-known topic, so I don't discuss it here.
While it's possible to move the cryptographic device to another computer system, it's not possible to duplicate it or extract the private key from it. So you can (with a certain high level of reliability) assume that there exists only one copy of the private key and it's stored on one particular device.
Of course you would need to create another certificate for each device, but this is not a problem - the only purpose of these certificates is to be accepted by the server, so the server can issue new certificates when needed.

Can I trigger a mobile client to automatically launch a web browser when connecting to wifi?

Assume that you have complete programmatic control over a wireless router (running say OpenWrt or DD-WRT - linux). The router is configured to broadcast an ssid, and the network is wide open.
A mobile user (iPhone/Android/BB) walks up.
1) On iPhone, if the device is not currently wifi-connected, a dialog appears that offers to connect to available SSIDs. The user picks my SSID and connects. Is there a way, from my router (say using Bonjour or ??), to trigger the iPhone to launch the web browser and try to load the home page, or an autoconfig URL, automatically?
2) any different answer for Android/BB?
The reason is that in a 'walled garden' application I need to be able to pop up a greeting page and don't want the user to have to fumble around loading a default page first.
Any and all thoughts appreciated!
Thanks
RM.
Update - I think the answer may lie in either 802.21 or UMA. I read somewhere that AT&T uses this with iPhones for authentication.
On iPhone there is a switch called 'autologin' when connecting to a wifi gateway. If you turn that on, the iPhone sends an HTTP request, receives a redirect from my hotspot, and then I send the welcome page (the spot is totally open). The problem is that the iPhone seems to be waiting for something specific: it doesn't change from '3G' to wifi and may eventually time out. Also, it still displays the 'Login' banner docked to the top of the window.
Does anyone know of documentation for the frames I need to send to do a proper autologin?
What you're describing is a captive portal system (hotspot, walled garden, etc.). This functionality can be implemented with several applications on OpenWrt. Check out another answer for details on each specific option offered on OpenWrt.
There are a few common techniques to implement a captive portal:
HTTP 302 Redirect
The most common technique is to simply block all outbound traffic on the network and then redirect any port 80 traffic to your own portal page, either local or remotely hosted. This portal page would then provide the means to "authenticate" the user (by poking a hole in the firewall). There are layer 2 methods such as chillispot which provide all the same functionality and can authenticate against a RADIUS server if you wanted to get fancy.
DNS Rewrite
Another technique is to use DNS rules to rewrite any DNS query to resolve to your own web server, which will then present the user with a login page; once the user has "authenticated" you simply update their DNS, or allow the DNS requests from that user to pass upstream.
IP Redirect
This technique often overlaps a bit with the HTTP redirect. Essentially you redirect their requests to a new destination IP. You could set up a squid proxy to then handle these requests.
Both iOS and Android devices detect captive portals by simply checking for a standard URI resource (e.g. http://www.apple.com/library/test/success.html): if that resource is blocked then you're offline; if that resource gets 302- or 307-redirected then the device assumes there is a captive portal in place and will open a browser; if that resource is found then it assumes you are online and no browser is auto-opened.
Android will open the standard browser on the phone or tablet to allow the user to authenticate. iOS devices will however open a pseudo-browser, which is a limited application that doesn't allow things like video playback, popups, etc.
The WISPr protocol, I believe, was originally intended for devices which do not have a web browser to accept the terms and conditions, thus giving these devices a generic protocol to accept and authenticate against a captive portal. I'm not even sure that the WISPr protocol was ever really accepted (perhaps they redrafted it).
(Didn't realize how old this originally was, sorry)
OK, solved it.
The protocol is called WISPr - now version 2.0.
Some links:
http://erratasec.blogspot.com/2010/09/apples-secret-wispr-request.html
and traces:
http://coova.org/node/4346
Working on creating a wifi hotspot which would automatically trigger mobile browsers (directly to my shop's link) when the mobile device is connected to the wifi. This would serve as an interesting factor for users, who would notice something special about our hotspot when they come across it.
I think what you're looking for is the ability to create a standard wifi "hotspot".
There are several very good tutorials online about how to do this, some using DD-WRT.
For example, check out this one: http://www.hotspotsystem.com/en/hotspot/install_guide.html, which gives some examples.
