April 29, 2007 14:37 | Montreal / Technology

Crippled

Sometime while I was away this winter, IleSansFil, the Montreal free community wifi service, crippled all their hotspots, by disallowing any and all traffic without login. (Or so it seems, I've only tried at 4 or 5)

The ISF service requires web/browser based authentication before they let any traffic through from your *device* to --or from-- the network.

Previously, they allowed email to pass through without authentication. This is no longer the case. I have gotten no clear reason for this, or any clear indication of at what level this was done. I've heard wishy-washy mealy-mouthed eyes averted mumblings about "precluding the sending of spam email".

For me personally, this renders the ISF service totally useless, as I relied on it to be able to do data transactions on my mobile device. Authenticating via a web browser in this context is a non-realistic and non-surmountable barrier to use.

Their argument might be "well our whole purpose for creating the ISF network was not to blanket the city in WiFi but rather to provide community web portals." That's all fine and dandy, and when I am sitting with my laptop, that's great, really. But ISF just silenced my mobile capacity to express myself and stay in touch with my FTIC. And it hurts. Badly. Especially with the extortionate cellular data rates in this country.

Isn't ISF's tagline "free | wireless | internet"?

In any case, I'd like a clear statement as to what happened and why. And who I can talk to to figure out a better solution than treating every Montrealer as a criminal.

Comments

Forced authentication is the principal reason I didn't get involved with ISF early on in the first place, and why I left and started [the now defunct] Laval Sans Fil.

I've only been saying since - what, 2002? - that forced browser authentication in a community context is far from the best way to provide community web portal services, not the least of all because it immediately restricts the use of the network to ISF's definition of "a computer". In 2002 - 2003, that was shortsighted. Today, it's just foolish.

As successful as any of the wifi community groups are who've embraced browser-based sessions, I wonder aloud whether they'd have exponentially more impact on the community at large if they'd followed an open-access model from the start.


gauntlets down!

10 paces gentlemen!


No gauntlets Hugh. It's a valid question. Albeit, as Steven points out, a bit late. That's also why I am not directing this at Michael, at least not personally.


hmm... i meant that positively, not that it's a fight, but a challenge: it's an intellectual & operational challenge that ISF ought to answer ...I hope they do.


I don't have the same problem as you -- my wireless device has a Web browser, so I can do the Web authentication before using other Internet services.

The whole no-spamming thing is obviously specious -- nothing stops a spammer from getting a free login and sending email to their heart's content. It seems to me the real reason is that ISF is about creating wireless communities, and you can't participate in a community without some kind of identification.

Here's a suggestion for WiFiDog: what if they had a way to assign a particular MAC address to your ISF account? Then you wouldn't ever need to log in -- your MAC address would be enough to identify you.


Evan, with all due respect... that is spoken like a true geek. ;)

I *can* launch a browser (Opera!) on my device too, enter the URL (or select it from the bookmarks), enter my authentication credentials (key key key key key key key key key key key, scroll scroll, key key key key key key key), switch to email, send.

The point is it is unfriendly/unusable by "normal people" standards. You know, people who don't do things just because they are technically or geekily "cool". Or people with better things to do than use a web browser on a mobile device. I actually want to *use* the network as part of my life. I'm not "playing along" or "conducting usability studies". Been there done that.

MAC addresses? Are you nuts? What is the sound of barrier to entry hitting the ceiling?

As for spam senders...
1- Serious spammers more than likely have way better ways to do their things than to sit in a café and launch a campaign from their laptop and
2- punish the many (99.9999999999999999%) for the incredibly unlikely actions of the incredibly few? Did Spock really die for nothing?

Yes, community means identification of some sort. But what of anonymity? And what of "free internet access"? These are two different things. Again, when I want to access the ISF community content (if it ever becomes digestible), I'll run a web-browser to do so (or whatever delivery application protocol). But when I want to email a snapshot of my bavette de veau dans son jus to my FTIC, I want to just click and be done with it.

I hate to say it, but I'll have to go back to GPRS to satisfy my needs. It's sad really because the WiFi was so much faster and cheaper.

Also, one last thing: don't think the less savvy haven't noticed. The access points now lose your IM sessions and do not allow email sending of any sort. Patrons (at Laika at least) felt that immediately. You try to explain to a stylist or a photographer that they need to get their own mail server and set up custom ports (or change their email config whenever they are "mobile") so they can email again from their café office. It's just a matter of time before ISF hotspot owners, now addicted to their throngs of connected customers, simply go out and buy a new router and ditch ISF altogether. Bye bye community... :\


i hope ISFers are reading ... to at least be aware of this problem... are they?


Agree with Hugh, would like to know how many people are aware of the issue and hear more thoughts on it from ISFers. Personally, I fit into the less savvy category, but I noticed this change as soon as it happened because email stopped sending and chat stopped working without the sign-in. I've been a little pissed about it. Without any (or very little) understanding of the technology behind it, my impression HAD been "damn cool - email and chat works". Didn't know why, didn't much care - just happy about it. Now.. not so happy... a little freedom lost. And that would be the perspective of a (more or less) normal user. :)


The real reason for mandatory authentication is the police requests it. That simple.


Ahahaha, that's pretty funny. Care to back that up? Care to identify yourself? Care to share with us what life philosophy you have that allows you to just comply blindly with what the police requests of you? :)


Hello, I'm Alexis, current director of operations.

Francis Daigneault posted a mail on the volunteers list talking about you. Well, at first, I felt angry at some of the comments. ISF is a volunteer-based organisation, many of us put tremendous effort into that free service and we've always thought that people would have brought their comments directly to the organisation and not posted their comments on some blog that we could or couldn't find.

First of all, you must understand that being able to send an email from ISF without being authenticated is a bug and not a feature. The soon-to-be-released license agreement (available on the website) says that nothing is blocked except SMTP traffic. We've been told it is to block the sending of spam. So if SMTP mail has worked for some of you, it wasn't supposed to... So the post is talking about a bug that has been fixed.

I was recently informed about the fact that many other communities didn't like the fact that we ask for authentication on our service. Seems that we're kind of the black sheep with that way of doing things.

The reason for authentication is to create the community. The recently added profiles that we've worked hard on are there to be improved, but the response from users has been tremendous without any publicity about it. It is not something that the police ask for, but we will provide them with all the information they need if they come with a mandate and good reason to hand them that info (a user name, a MAC address and a path of where you've been).

I don't know if some of you read the volunteers list, but that service that you all use, from what I've understood, is maintained by a bunch of people (10-15) who put in free time without having any benefit from it except maybe the anonymous love of 37000 users.

Maybe your comments, your thoughts, your time could be better spent helping us (improving my English) or the network, our accounting, our communication, our visibility with stickers in windows, or by adopting one hotspot (being the middle man between ISF and that hotspot).

It is no purpose for us to not try to show you content on the portal page; it may help bring ideas and people to the organisation with better talent, new ideas, new ways of doing things. Boris made pretty hard comments on ISF and a very negative prediction about the service. Do I need to remind you that a bunch of geeks stood and negated the effort of big telcos to implant a business model where you have to pay for your access? That ISF is the biggest wifi network in the city with 130 hotspots, 37000 (and rising) users, around 1000 users daily. All that without you putting any penny into it except the coffee that you would have paid for anyway? Maybe it's time to bring yourself to the organisation and maybe change those things instead of just posting comments on a blog, probably from an ISF hotspot.

Alexis Cornellier


12- François Rousseau

Hi,

At first, I was against the block of email, but after a few experiences (outside of ISF) with infected PCs I agree with this rule.

For example: a compromised laptop could send many, many spam messages in a few minutes/hours. If a few people complain to the ISP about it, the ISP could block the Internet access for this hotspot (very bad), or at least, the ISP will contact the hotspot owner...

Also, the IP of the hotspot could be blacklisted (very bad) and the internet connection could be slowed down by the flow of email.

Yes it's true, it's only a few people, but a few people can cause a lot of trouble.

Maybe, maybe ISF can implement something like no more than X SMTP connections in X minutes, but that leaves a problem: you can send many emails in one SMTP connection.

Maybe another possibility can be to have one specific SMTP server for all hotspots, and this server can be filtered for outgoing spam. The problem with this solution is that this way you will have to change your settings every time you use an ISF hotspot.

For the login, maybe we could try to build a "lite" version of the login page, but you will still have to use a browser. The identification by MAC address is not really a good thing because it is really easy to spoof the identity of anyone.

If ISF receives many requests for a specific type of device, maybe they could open the port to one specific service. ISF already does it with TeliPhone.

*I'm a sysadmin for ISF but I talk personally in this post.
*Sorry for my English
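
An added illustration of the point raised in the comment above, that a cap on SMTP connections does not bound the number of messages (this is not ISF or WiFiDog code): a sliding-window check over a constructed relay log. The log format, client labels and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample log, as a shared filtering relay might record it:
# (seconds since start, client label, event). "CONNECT" is a new SMTP
# session, "MAIL" is one MAIL FROM command, i.e. one message submitted.
EVENTS = [
    # laptop-a: ordinary user, two short sessions with one message each
    (0, "laptop-a", "CONNECT"), (5, "laptop-a", "MAIL"),
    (400, "laptop-a", "CONNECT"), (405, "laptop-a", "MAIL"),
    # laptop-b: compromised machine, a single session carrying 200 messages
    (10, "laptop-b", "CONNECT"),
] + [(10 + i, "laptop-b", "MAIL") for i in range(1, 201)]


def flag_clients(events, window, max_connections, max_messages):
    """Return {client: set of exceeded limits} using per-client sliding windows.

    window is in seconds; a client is flagged with "CONNECT" or "MAIL" as soon
    as it has more than the allowed number of that event inside any window.
    """
    limits = {"CONNECT": max_connections, "MAIL": max_messages}
    recent = defaultdict(lambda: {"CONNECT": deque(), "MAIL": deque()})
    flagged = defaultdict(set)
    for ts, client, kind in sorted(events):
        seen = recent[client][kind]
        seen.append(ts)
        # Drop events that have aged out of the window ending at ts.
        while seen and seen[0] <= ts - window:
            seen.popleft()
        if len(seen) > limits[kind]:
            flagged[client].add(kind)
    return dict(flagged)


if __name__ == "__main__":
    # Connection limit only: the 200-message session goes unnoticed.
    print(flag_clients(EVENTS, 600, max_connections=5, max_messages=10**9))
    # Counting messages as well catches it without touching laptop-a.
    print(flag_clients(EVENTS, 600, max_connections=5, max_messages=20))
```

Keying the counters on a client label inherits the weakness noted in the same comment: if that label is a MAC address, it can be spoofed.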


13- Benoit Grégoire

All right, I won't try to actually defend ISF policies on some blog. But I do want to straighten a few facts.

-Our user policy (http://www.ilesansfil.org/ModalitesServiceUsagers) is currently being updated to be put on the portal and signup page, but hasn't really changed at all since 2005, when it was approved by the entire group. Unfortunately, it was never shown prominently, leading to lots of misconceptions about the purpose and chosen policies of the service.

-Indeed, allowing any traffic at all without being logged-in was just a bug at some hotspots.

-Blocking port 25 (yes, even when logged in) was decided by a unanimous vote of the group (no one spoke out against it at the time) in late 2004 early 2005 but roll out was never completed. The policy was there for two reasons:
1-It's a tech support nightmare, since many ISPs force you to use their own servers, and most users don't understand that. Furthermore no one volunteered to create and maintain a list of all ISPs used by our 130 hotspots, and the SMTP address for each.
2-Could get the cafe in trouble with their ISP in some circumstances.
How strongly ISF really feels about that policy these days is debatable, and circumstances have changed. But so far no one championed changing that policy.

-Boris, stating that "The access points now lose your IM sessions" is profoundly unfair considering you were there and talked to me when I installed the patch to fix that exact timeout issue on April 30th. I presume that if the issue still persisted and you knew about it, you would have notified us by now.
For everyone's information, since January Laïka was running an alpha version to improve the radio signal in their busy radio environment (with good success). We solicited feedback on the portal page, got a sizable amount notifying us of the timeout problem. We implemented a temporary fix, which we assumed worked, since we got no further feedback in the next two weeks, so we took down the notice. We learned that the problem wasn't entirely fixed when we got an email from the manager. Less than four days later we had developed a (hopefully) permanent fix to the underlying issue, and physically went to Laïka to install it and verify that it works.

-Supporting devices with no web browser is ... complicated. The ethical issue itself is complicated (For example: if we decide to let users with devices with no web browser get their email without authenticating, how is it fair to users of laptops that just want to go directly to gmail/hotmail to do so? There's a lot more of the latter than the former...). See this thread where it was discussed at length: http://listes.ilesansfil.org/pipermail/wifidog/2006-February/thread.html. As for the equally complicated technical side, see: http://dev.wifidog.org/wiki/doc/developer/SupportingDevicesWithNoWebBrowser. So far, no one offered to help implement any of these features.

-We most definitely don't ask for an email because the police demanded it! (and we wouldn't give what we do have to them without a valid warrant, and then only for the time period covered by the warrant). It does indeed make it easier to identify unique users to implement more complex Content delivery scenarios, profiles and the like, that wasn't the original intent (I've been told), just a very convenient side effect. This policy dates from the very beginnings of ISF, before my time. But as far as I know we ask it to
1-Make it inconvenient to generate a bunch of fake accounts to abuse the service from home
2-Make it possible to contact the user and ask nicely to stop (which has so far worked well enough that we didn't have to implement more drastic measures, but we won't be able to continue to manage it manually very long now that we have lots of external antennas).
3-Get the cafe owners off the hook if someone does something really nasty. We don't actually care that you use weird_dude_123@hotmail.com (I'd say we encourage it), and spoof your MAC address. Just that it doesn't become our or the hotspot owner's problem.

-We don't open a port for teliphone, we whitelist a specific server, very different! Same for the MDCN sensors.

-Hugh, yes, we are aware of "this problem". We are also aware of a great many others, but we have limited resources and we depend on volunteers. That being said, we usually learn about problems when our users email us about it, when we notice them ourselves, or when our systems tell us.

I know there are points and counter-points for just about everything above. If anyone wants to change our policies, get involved with ISF and vote. Or help us fix our problems. Or at the very least propose workable alternatives that won't destroy what we are trying to build in the process.

Forcing François who was working a new firmware tonight, me who was working on Wifidog, and Alexis...who is always working on something ISF related to take time away from that to respond on some public blog if we don't want a bunch of rumors and false information to spread is just not the most productive way to improve the situation.


What follows isn't an official ISF position, but simply some random thoughts from someone who has been with ISF from (almost) the very beginning.

To "who cares": yeah, I'd also want to remain anonymous if I was talking out of my ass. With that out of the way, let's address a lot of the valid questions that have been raised.

First off, I don't think people realise how much thought and discussions went into creating ISF policies. We spent a *lot* of time debating back and forth the pros and cons of requiring authentication, its impact on usability and our future plans for community apps such as network wide chatting, etc. Mobile devices, both with and without browsers were considered. VoIP was a specific concern and ISF actually implemented a special patch so that users of the Téliphone service could make and receive VoIP calls over ISF's network on their browserless devices.

People also have to realise that four years ago things were different than today. WiFi was still a bit of an unknown in Canada. Early businesses we approached thought we were freaks for providing a free service and suspected some kind of scam. After all the work we had to do to gain their trust, the last thing we wanted was for them to get blacklisted by their ISP. Hence from the get go SMTP was a policy no-no. I say "policy", because we didn't actually block it initially. Depending on the version of the firmware, some Hot Spots may be blocking it today, but don't quote me on that, as I'm not part of the ISF Ops team. By the way, ISF has had to deal on occasion with abusers, not so much spammers, but rather bandwidth hogs who can access the signal from home and have servers connected to file sharing services 24/7. For users, this makes for extremely slow connections and for businesses with download limits on their accounts, this adds up to a nasty surprise at month's end. So far we've dealt with these abusers on an ad hoc basis. There aren't many of them, but they do exist and they can ruin it for everyone.

There was also the liability question. Could ISF or the cafés be held accountable for a user doing nasty stuff over an open network? Users may not care, but these are the kinds of questions that small business owners want answered: might they lose their livelihood because they hosted this wacky free service? We tried to get answers from law enforcement, but they weren't able to help us at the time. We tried to get lawyers to review our position and User Agreements, but guess what? It turns out it's a lot harder to get good lawyers to volunteer their time than good geeks. A law professor at one point put one of his students on it, but nothing came of it. Operating on a negative budget (in the early days volunteers paid for stuff out of their own pockets in order to provide free WiFi for others) we couldn't afford to pay someone to look at the issue, so we just said screw it, we'll ask people to register, but all we want is a valid email address. If law enforcement ever shows up, we'll just turn that stuff over to them and hope that we don't end up in court.

Along with the authentication and which services, if any, should be restricted debates, we also had a debate on whether or not it was fair to force users to go through a portal page. In the end, the main reason the portal was retained, was because it was the core around which you could build an organisation. That's where many of the tech and non-tech challenges were. If all ISF were doing was plugging in a Linksys, setting the SSID to "Free" and walking away, ISF wouldn't have lasted more than a few months. Steve's claims concerning forced browser authentication ("In 2002 - 2003, that was shortsighted. Today, it's just foolish.") are short sighted, as they ignore the reality of building a volunteer organisation. Might we have more users without a portal? No, because we would not have been able to attract and retain volunteers; we would have ended up right where Laval Sans Fil did.

Now all that being said, I must say that ISF is far from perfect. We suck at communicating with our users. Our portal UI is a disaster, to say nothing about the signup process. Service is flaky in some hotspots. The list goes on. But hey, we are doing the best we can with the volunteers, the knowledge and the time we have.

There are some great comments on this page, but the tone is rather condescending. The reality is, we considered most of these issues years ago. Given our partners' concerns, issues of liability, the need to recruit and retain volunteers, real user data on abuse and usage patterns, we often arrived at different conclusions than what some of our users would like. Some of these comments are bang on however. ISF is aware of them, but we've just had more pressing matters to attend to. Instead of assuming we are idiots, it would be much more constructive to show up at an ISF meeting to discuss what you don't like about the service, or even better, volunteer your time to help fix these issues.


Thank you Daniel for your comment. I didn't have the energy for it but you spoke for me too.


16- Benoit Grégoire

I sent a long reply Wednesday night, but it seems to be held up in moderation or something.


Sorry for being quiet last few days. Too busy to leave a comment on "some blog" ;)
Benoit, sorry your comment was caught by spam filter. It is published now.

Benoit, the issue I was there at Laika talking about with you was just Laika's router misbehaving. AFAIR, we did not talk about blocking of port 25 or the blocking of all traffic pre-authentication.

There's way too much here to respond to everything. Here's what ran through my mind scanning through your comments (which I thank you very much for!)

a) I am not "attacking" ISF, or its volunteers. Please stop crying. Something I regard as hurtful to ISF has happened and I am voicing my opinion. Address it, but please without pointing to your laurels, which I know, and which you are now quite comfortably, it appears, sitting on.

b) I know Michael personally since the beginning of ISF, I know quite a bit about the operational aspects etc. I have two WRTs running WiFiDOG that François helped me set up. I've helped define the Portal site (and will do so again tomorrow afternoon.. maybe I shouldn't?) I am not "some guy complaining". I've been one of your biggest outside cheerleaders and salesmen for years. Globally.

c) Alexis, I know all about how you techy volunteers are horribly horribly sensitive to criticism from non-volunteers. It makes me wonder: who are you doing this for? Your own feelings or "for the community"? Do you feel it is fair that when "the community" says "hey um, we don't like this aspect of ISF", your response is "shut up and be a volunteer!"? In other words: thank you infinitely for the ISF service, to you and to all the volunteers. But defending a decision with stories of "do you know how many hours of volunteering I put into this"... we don't give a damn. Address the issue at hand. I do not care one iota about how you feel right now or how "big and powerful" ISF has become.

d) "we took a decision in 2004"... ok? so what? does that mean your decision is right? does it mean it is final and unchangeable? Sounds like the U.S. Constitution... Daniel you keep saying "back then back then"; yes, back then. This is now. What about now?

Did you know that when the U.S. Founding Fathers showed their draft of The Constitution to Ben Franklin, then the most respected man in the nation, he said "hrmm, yeah, well... this is... oof... good enough and what we need right now but it will need to be revised within one generation cause it's really quite awful." They never revised it. Adapt or die.

e) liability. Daniel and Benoit, you ask "could someone be liable?" I ask that too. So? Who has answers? This goes a long way to solving the issue. Blocking the port because you think maybe there is a chance that perhaps someone might get sued... is just as shortsighted as not doing anything. "We gave it to lawyers and nothing came of it." Poke em again. Fer chirssakes, Mike, stick it under Geist's eyes!

f) is it a bug or a feature? I consider it a feature, you consider it a bug. You control the network, so you win. I lose. Me and the community. Potentially punish 99.99999% of your community for the theoretically technically possibly imaginable action of an infinitely small potential group of malfaisants. Smells bad.

h) Benoit I do not understand your logic on your explanation of blocking port 25. Now that it is blocked, it is also a tech support nightmare as all your non-webmail and non-ISP email using users are freaking out cause they can't send email anymore... I am talking about people who are advanced enough to have their own domains hosted but not enough to know or ever want to know how email works. No, saying "well they should" is not an answer. Do you know how to fix your washer and dryer?

j) Michael, you sat at the bar with me the other night and you talked about how municipal wifi does not equal Internet. It is about ubiquitous computing. And here we are arguing about web-browser based authentication? This is ABSURD.

:)

Thank you all. I love you and I appreciate the enormous work you do. Absolutely. BUT YOU HAVE CRIPPLED ME AND THE NETWORK, out of FUD, AND THAT HURTS.


entk. Blog comments *suck* for debates. :)


from the Laika ISF hotspot portal "Citywide" shoutboard (in reverse chrono of course):

* 03/05/07
R1chard :
smtp.gmail.com ssl

* 03/05/07 smarty36:
hey est-ce qu'il y a un relais-smtp [1]

* 30/04/07 oliverlavery:
all of my base are belong to you

[1] "hey is there an SMTP relay?"

----
Again, I am not attacking ISF. I am saying that what you consider correcting a bug and complying to non-existent laws and bending to fears, I call crippling.

:)


I think that this is a good point to publicly thank Boris for the help on the Wifidog profile yesterday (he met with Francois and I to give us a hand). Just so we all know that you are not only a critic, but also someone who has helped out ISF.


Thanks Mike.
Like I said yesterday, and every time I've been exposed to the WiFiDog portal system, Benoit and François (and whoever else helped out) have built the most incredibly flexible CMS I have ever seen. While that flexibility, based in a profound humanist and sociably responsible desire, introduces potentially off-putting complexity, it is certainly something to inspire awe. :)


I find it interesting to see you (ISF) talk about community and then being pissed that Boris didn't come to the flaming stronghold of your mailing list to raise his issue. Community does not equal just your recognized list, it's people expressing themselves "out there", might not be the easiest for you to find that way but it's the same attitude as "volunteer or shut up", you concentrate on a (admittedly remarkable) group of people and look almost exclusively inwards.

In terms of put up or shut up, I gave up on the portal stuff I was doing a while back and unsubscribed from both lists I was on because I was tired of the flamish answers people kept spewing. I have in mind barrages towards Mike and others, I was only ever barely a target myself and on a separate issue. The atmosphere in there and the outlook on the outside is far far from positive.

It's interesting to see how fantastic a job you've all done with the technology and expanding the service and contrast it with the attitude that often comes with and within it.

Anyway, thanks for the service (and the great answers from Benoit and Daniel) guys and maybe look into not only the issue Boris brought up but also the flamewall some have put around the group.


word up Patrick. I think there are a number of us out here who are longstanding & ardent ISF supporters but who nevertheless lack the time/1337 skillz/interest to be regular volunteers. I agree that it would be significantly more productive to actually address the concerns of the actual users rather than just getting super defensive and saying that one must volunteer in order to have the right to proffer any opinion.