Why BT are a bag-of-fail

Posted on September 29th, 2010 by Luke Sheldrick.
Categories: Fail, IT / Tech.

So BT, arguably the UK’s biggest ISP/telco, are in my opinion a complete bag of fail. Now I guess writing this means that I’ll probably never work for them, but hey, who would want to?

I’ve dealt with BT whilst working at $dayjob-1, and the incompetence I saw there was shocking, to say the least. That I can deal with, I got paid to deal with it, but when it’s in my time it’s a different story.

BT, or rather BTOpenzone, serve a huge number of establishments with their Wifi ‘Cloud’ offering. Most places like Starbucks, if you have a registered account with them, will happily let you use it for free.

However, before you can do this, you need to go through the authentication process with BT. This basically hijacks any DNS request you send, and redirects you to the auth page. That’s kind of ok, for most users.

However most times when I use it, it’s a complete failure.

  • They use port 8443 for SSL, instead of the standard 443. This can play havoc with local firewalls.
  • The certificate they use for www.btopenzone.com is not valid for that domain, so most browsers will flag a massive security warning.
  • Their DNS is often broken.
  • If it is working, the webserver you try to connect to isn’t running (connection refused).

The last two are especially annoying, like today, in Starbucks (Whitechapel Road). I switch the macbook on, join their wifi, get an IP and DGW, then any page I go to should redirect me to their auth page. However, it seems it is slightly broken, as normal.



So this is telling me that Safari cannot connect to the server. This can be a bit vague, so you need to dig a bit deeper. Open up your terminal and try to simulate what the browser is doing.



So you telnet to www.btopenzone.com on port 8443. You get a connection refused. This means that from my macbook, I got over their network, right to the end server, which is saying ‘Hey, that port is open, but I don’t have anything running on it’.
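The telnet check above can be scripted so that it tells the failure modes from the list apart (broken DNS, a refused connection, or a firewall silently dropping port 8443). This is an added example, not part of the original post; `probe_tcp` and `MEANING` are names made up for it.

```python
import socket

# What each outcome usually points to, mapped to the failure modes in the post.
MEANING = {
    "dns-failure": "name did not resolve: the hotspot's DNS is broken",
    "refused": "a RST came back: nothing accepted the connection on that port",
    "timeout": "no reply at all: packets dropped, e.g. a firewall blocking 8443",
    "unreachable": "the network stack reported an error (no route, network down)",
    "open": "TCP handshake completed: the next thing to check is the certificate",
}


def probe_tcp(host, port, timeout=3.0):
    """Do what 'telnet host port' does and classify the result."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _canon, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except ConnectionRefusedError:
            return "refused"      # what telnet prints as 'Connection refused'
        except socket.timeout:
            return "timeout"      # telnet would just hang here
        except OSError:
            return "unreachable"
        return "open"


if __name__ == "__main__":
    # Host and ports taken from the post: the portal port and the standard one.
    for port in (8443, 443):
        result = probe_tcp("www.btopenzone.com", port)
        print(f"{port}/tcp: {result} ({MEANING[result]})")
```

A `refused` result means a reset reached you quickly, while `timeout` is what a filtered port looks like, which is the case the first bullet warns about.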

I’ve no idea what is on the backend of btopenzone.com, however looking at the DNS resolution:
Luke-Sheldricks-Mac-4:~ luke$ dig www.btopenzone.com
; DiG 9.6.0-APPLE-P2 <<>> www.btopenzone.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15147
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.btopenzone.com.        IN    A
;; ANSWER SECTION:
www.btopenzone.com.    17378    IN    A    217.41.225.106

It’s only returning a single IP, which could be the IP of a load balancer, and then a number of servers behind that IP. However I wouldn’t expect all of them to fail.

With the helpful tool nmap, we can see:

PORT     STATE SERVICE  VERSION
80/tcp   open  http     SunONE WebServer 6.1
442/tcp  open  ssl/http SunONE WebServer 6.1
443/tcp  open  ssl/http SunONE WebServer 6.1
8443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1

So they are using an old Solaris 8 server (the current version is 10) to run their authentication services. Can’t say for sure, but I wouldn’t be surprised if there is only one server back there. The number of times I’ve seen this really does go to show how under-specced their ‘solution’ is. I look after massive solutions in $dayjob, and this kind of thing would never happen, and if it did, it certainly wouldn’t for long.

To sum up: BT you suck.

</rant>
