<p>Nicholas Johnson (nick@nicholasjohnson.ch), https://nicholasjohnson.ch/tags/siue/, 2020-09-21</p>
<p>Online journal about autism, computing, economics, environmentalism, philosophy, privacy, society, and spirituality. Copyright 2020-2024 Nicholas Johnson. CC BY-SA 4.0.</p>
<p>SIUe Unauthenticated SMTP Server (2020-09-21): https://nicholasjohnson.ch/2020/09/21/siue-unauthenticated-smtp-server/</p>
<h1 id="email-server">Email Server</h1>
<p>During my last semester at <a class="link" href="https://siue.edu" rel="noreferrer">SIUe</a>, one of my professors demonstrated spoofing an email using an unauthenticated SMTP server (smtp.siue.edu) on the university network. I believe the server is still present on the network despite being reported multiple times to IT. It isn’t accessible on the public internet, only through the university’s network that all students have easy access to. Non-students could also gain access to the network fairly easily while at the university and therefore have access to the email server.</p>
<p>The email server has no authentication whatsoever. You don’t have to offer any credentials to send emails. You can’t read others’ emails, however. This means you don’t even need to be a student to send emails. As a non-student, you can access the email server through Telnet and send emails as any student, professor, faculty or staff member. With that, you can send out emails to any email lists. This unauthenticated server has been present on the network for years according to other students I have talked to.</p>
<p>I hope the server gets taken off the network, but this underscores a larger issue. American colleges and universities are institutions with some of the weakest cybersecurity where you would expect better. This makes them easy targets for hackers. The reason is they don’t have strong incentives to do better. Unless having poor cybersecurity is going to lose money, business as usual will continue and unauthenticated email servers will stay online.</p>
<p>Networked EV Charging Stations (2020-09-09): https://nicholasjohnson.ch/2020/09/09/networked-ev-charging-stations/</p>
<p>Eventually I want to write a separate post on why mass surveillance is stupid, dangerous, and incompatible with democracy. For those that read my blog, I’m probably preaching to the choir though. I’m going to write the rest of this post assuming the reader already understands why mass surveillance is bad, or at least sees how it could be. If you don’t understand why massive government surveillance is a problem, you think that “privacy is dead”, or “I have nothing to hide” comes to mind, you should do more research on mass surveillance before continuing. With that, I’ll continue.</p>
<h1 id="electric-vehicle-charging-stations">Electric Vehicle Charging Stations</h1>
<p>I want to quickly cover some basics about EV charging stations for those who don’t know. There are two types of EV charging stations: networked and non-networked. The networked ones require you to sign up on the web with your real name, credit card information, address, and car make and model. You have to agree to the terms of service and privacy policy. After signing up, you receive a swipe card in the mail. Because you have to swipe an ID card to use networked charging stations, the network (Chargepoint) knows who you are, where you charged your car, when, and for how long. Non-networked charging stations don’t require you to use an ID card, so they can’t collect any personalized data on you.</p>
<h1 id="gas-stations">Gas Stations</h1>
<p>EV charging stations are worse for your privacy than gas stations. With gas stations, you can pay anonymously in cash. No form of ID is necessary. While you can pay with a credit card, it’s not necessary. EV charging stations don’t allow you to pay in cash. At a minimum, there is a record of your credit card transaction to the charging network. Also, due to the swipe card you have to use for the charging station, every single charge is tied to your real identity. This means the network (Chargepoint) creates an extensive dossier on everywhere you’ve been and sells that information to data brokers. You must agree to all this or you can’t even use the charging station. You can still charge your electric vehicle at home or at non-networked charging stations, but non-networked stations are far less common than networked ones. So if your EV doesn’t have much range or you are in a rural area, you’ll definitely be going out of your way to avoid the networked stations. The only way around this is reverting back to using a gas station, if you have a hybrid car. If you have a fully electric vehicle, then you’re just out of luck.</p>
<h1 id="the-infrastructure-of-surveillance">The Infrastructure of Surveillance</h1>
<p>The bad news is the worst is still yet to come. There’s not a huge opposition to networked charging stations and the issue is even lesser known than that of mass surveillance. And in the United States, if EVs are the way of the future and demand increases for them, there will need to be many more charging stations than there are now. This is bad because it’s almost certain that these new charging stations are going to be proprietary and networked, selling customer data. It will become increasingly difficult to resist the privacy invasion of our location data once the infrastructure is already in place. What are you going to do, not charge your car? Once infrastructure is already paid for, there needs to be a very strong incentive to change it. The best course of action now is to oppose the networked charging stations before they are deployed and avoid using them, even if it’s inconvenient. That’s because most of the charging stations that are going to be deployed have not yet been deployed. So, there’s still time to stop the surveillance infrastructure before it expands.</p>
<h2 id="how-to-fight-back">How to Fight Back</h2>
<p>If your school or workplace wants to install a networked charging station, tell them you oppose this decision and would instead be in favor of a more privacy-respecting option such as a non-networked station. If you own an EV yourself, tell them that you will refuse to use the networked charging station because you don’t want to encourage proprietary surveillance infrastructure. You could also stick fliers on the networked charging stations calling for EV drivers not to use the networked stations, or at least to become informed about the problem and organize. <a class="link" href="https://www.chargepoint.com/blog/7-reasons-why-non-networked-charging-non-starter/" rel="noreferrer">Chargepoint puts out their own propaganda trying to spin the surveillance off as a good thing</a>, a myth we must dispel. The fact is all of the items on their list are doable with non-networked charging stations running free software. If you want analytics or access controls, you could imagine a cryptographic system that uses secure private tokens to protect EV driver privacy while also making analytics possible without any sign up or extra hassle to the driver. Proprietary charging station phone apps could also be avoided and replaced with free software alternatives.</p>
<p><a class="link" href="https://web.archive.org/web/20201108115340id_/https://amatas.com/news/view/schneider-electric-s-vehicle-charging-station-could-be-hacked" rel="noreferrer">Vulnerabilities in networked charging stations</a> have been found in the past. As everyone should know, any time there is a database containing personal data, it becomes the target of hackers. The only way to completely prevent data from being stolen or leaked in the long run is by not collecting the data in the first place. Luckily with EV charging stations, storing location data is completely unnecessary. With enough public pressure we can just do away with it entirely. We just have to show that privacy is the priority.</p>
<h1 id="siue">SIUe</h1>
<p>When I was attending SIUe, I emailed the parking services staff in October of 2019 about the privacy concerns I had about the new Chargepoint stations that were being installed and encouraged them to install a non-networked station instead. The reply explained that while they understood my concerns, Chargepoint is what all the public universities in Illinois are using and they determined that it would be in the best interest of their constituents to install it. I was not able to change their decision, but I got the parking services staff to at least think about the issue because a well thought-out critique demands a well thought-out response. I don’t want to see the United States turning into a nightmarish big brother surveillance hellscape where privacy is impossible and the government has such strong surveillance capability on everyone that it’s “turnkey tyranny”, as Snowden would say. Networked charging stations are one step closer to that bleak reality. Don’t doubt for a second that the government can access EV charging station location data from networked charging stations. They absolutely can. Collecting the locations on millions of law-abiding citizens is a capability no government or private entity should be allowed to have. Of course companies and governments get the same location data through smartphones anyway, but that must end too. One injustice doesn’t justify another. That just means we have more work to do.</p>
<h1 id="national-security-and-privacy">National Security and Privacy</h1>
<p>In a democracy, the people have the power to self-govern. Democracy is incompatible with mass government surveillance in the long term. What you have to realize is mass corporate surveillance is mass government surveillance. In the United States, the federal government has the authority to force companies to turn over customer data and then not tell customers about it. The data collection and analysis often happens automatically. It is impossible to meaningfully oppose a government that has near omniscience about the entire population. All it takes is one competent, evil politician to convert a heavily surveilled democracy into a dictatorship. Obviously, networked charging stations aren’t going to do that on their own. But they are a stepping stone on a path whose destination is nigh-impossible to pull back from. Worse, foreign governments can purchase and use this location information on high-profile individuals driving electric vehicles to gain influence. Massive data collection of Americans’ location is not only incompatible with American democracy by giving government far too much power (knowledge is power), but it’s also a national security threat. The very existence of a database with real-time location data points on millions of Americans is a national security threat because foreign governments and hackers will find a way to get access. The only full solution is to make sure the data is never collected in the first place, by opposing networked charging stations and organizing and informing EV drivers around the issue.</p>
<p>Why I Left ITS (2020-07-02): https://nicholasjohnson.ch/2020/07/02/why-i-left-its/</p>
<h1 id="background">Background</h1>
<p>In October of 2018, I was hired to work at <a class="link" href="https://www.siue.edu/its" rel="noreferrer">information technology services at SIUe</a>, where I also studied. I worked there until early this year. I worked part time and met many good people there and learned how the university works and is organized. The job was well-suited for students because we usually have some free time to do our studies. I worked at the <a class="link" href="https://www.siue.edu/its/helpdesk" rel="noreferrer">help desk</a> answering calls for a while before I eventually moved to a labs and classrooms technician position. The duties of the labs and classrooms student workers were essentially to do anything technology-related that needed done in the labs and classrooms. This included taking inventory for all the items, imaging computers, assisting professors and students if something broke during class time, setting up projectors, conference areas, replacing hardware, and responding to support calls. It was a good first job for learning common workplace skills.</p>
<h1 id="learning-about-free-software">Learning About Free Software</h1>
<p>Everyone that is passionate about free/libre software has a story. Most students and teachers working with computers have never even heard about free software, even in computer science courses. It’s one of the biggest social issues people are completely ignorant about. Part of that is because the ideas are misunderstood because “open source” has replaced free software in the classroom and workplace. Another reason is programmers don’t get into programming because they want to grapple with the ethical implications of computing. What I’m saying is the kind of person who studies programming oftentimes is uninterested in ethics. Obviously this isn’t true for every programmer out there, but the point I’m making is this: If you have any values at all, everything you do either moves you closer to your values, farther away from them, or is neutral. Whether you like it or not, this implies an ethical dimension to everything, including computing.</p>
<p>When I took my job at ITS, I had never heard about free software. I still used GNU/Linux though. And I had heard of open source at the time. I knew who Linus Torvalds was, but had never heard of Richard Stallman until one day at the help desk my coworker told me about a disagreement between Linus Torvalds and Richard Stallman. I wasn’t given any details besides that. We probably got on the subject after talking about Linus or Linux. Anyway, this piqued my interest. So when I returned home that day, I researched it and found the Free Software Foundation. I remembered watching a Computerphile video about free software months prior, but the ideas didn’t stick. I only completely understood after watching some of Richard Stallman’s lectures. After listening to Stallman explain free software from the ground up and seeing examples of how proprietary software is used to mistreat users, and my own past experiences, his ideas about how computing should be rang true for me. Stallman’s ideas gave me a whole new model to understand software. Everything came together and past experiences with proprietary software suddenly made more sense. I acquired an ethical framework for computing overnight.</p>
<h1 id="reduced-hours">Reduced Hours</h1>
<p>Adjusting to my new understanding of free software was a gradual, effortful process. Over the course of several months, I slowly stopped using proprietary applications I had been using and moved over to free software instead. Nearly 100% of my job was working with proprietary software though. If I had refused to use proprietary Windows or fix Windows machines at my job, I would most certainly have been let go for refusing to do the work. The whole university IT department wasn’t going to change the way they did things because I didn’t want to use the proprietary software. In my personal life, I was using almost exclusively free software. I was struggling very hard to do so in my classes and to promote free software. Yet at my job, I was being completely inconsistent. I was going around all day working on and fixing Windows machines. I was supporting proprietary software on university computers, sometimes imaging entire classrooms of 30 computers with Windows. I knew that Windows was an evil platform, and I was installing it. Every week I went in to work, I became increasingly bothered by what I was participating in while trying to advocate for the opposite outside of work. Outside of ITS, avoiding proprietary software while completing my coursework took up so much of my time. I was falling behind on assignments, so I asked for reduced hours at ITS.</p>
<h1 id="quitting">Quitting</h1>
<p>I found that even with reduced hours, I could not get all my work done. I was already extremely demotivated from jumping through hoops no other students had to jump through, emailing professors back and forth to avoid the proprietary software my courses were pushing on me while still trying to complete assignments. But I also had the feeling that I couldn’t go on every day supporting Windows machines and Microsoft software. It wasn’t just Windows either. There were multiple proprietary systems that we had to interact with. It started really getting to me. It did take a long time, but eventually I couldn’t avoid the feeling that I was doing a harm to the world. I gave my 2 weeks’ notice and then resigned from my position at ITS in early 2020. The larger reason I resigned was due to the proprietary software. But a smaller part of it was that I needed more time to focus on studies. So it wasn’t a decision based purely on ethics.</p>
<p>Some readers are going to think resigning (partially) over ethical reasons was a mistake because some other student would just take my place and the job would be done anyway. But I don’t find that convincing. For one, even if someone else took my place, at least it wouldn’t be me. Leave someone else to cross that line. It’s too psychologically burdensome for me to work with proprietary software knowing I’m doing the world a harm. It’s likely that whoever would take my place would not know about free software and would not feel so bothered by the work they are doing because of that. Also, this kind of thinking is a self-fulfilling prophecy. If everyone thinks this way, then everyone will reason that they should just accept the injustice because someone else will if they don’t. That’s a good way of keeping giant evil corporations like Microsoft in power. Microsoft prefers you to think that way. I’m not saying it’s necessarily untrue. Maybe someone has already taken my place. But I’m saying to keep in mind that it’s self-fulfilling. That kind of thinking is exactly the kind that discourages challenging existing power structures.</p>
<p>Another objection readers might have to me leaving my job over free software is that even if I find another job where I don’t have to use any proprietary software, I might be contributing to other social harms. In other words, it’s hard to find a place to work that is without ethical problems. I can’t deny this is true. Some people work at jobs where they have to use Windows, but they have kids to take care of. If they don’t go in to work, they might not be able to support their family. I’m not trying to suggest everyone should do what I did. I’m definitely not trying to take the moral high ground compared to those people. I’m just explaining why I did what I did. But there are less “nuclear” options for people who can’t quit their job. Spread the word about free software to friends, family, and coworkers. Set an example for others by being a mindful consumer. For example, don’t buy home assistants with proprietary software such as the Amazon Alexa or Google Home. Don’t buy “smart” devices like smart TVs, smart fridges, smart light bulbs, etc. These are small sacrifices consumers can make right now. With collective effort, we can create a large market for ethical tech and eliminate the market for unethical tech if only enough of us refuse to buy it. If the relatively small sacrifices aren’t made now, the sacrifices required in the future to turn the tide will be much, much greater. Living without proprietary software is already far more inconvenient than most people will accept. And it’s only going to get worse unless we reject proprietary products today.</p>
<p>That was my short call to action. If you’ve made it this far, thank you for reading. If you find my ideas valuable, then please consider making a donation. Details are on my <a class="link" href="/about">about page</a>.</p>
<p>SIUe e-ID Creation and Maintenance Problems (2020-06-10): https://nicholasjohnson.ch/2020/06/10/siue-eid-creation-and-maintenance-problems/</p>
<h1 id="arbitrary-password-rules">Arbitrary Password Rules</h1>
<p>I’ll go over them one at a time. They are found at <a class="link" href="https://eid.siue.edu/am/change_password" rel="noreferrer">https://eid.siue.edu/am/change_password</a>.</p>
<ul>
<li>The previous 6 passwords cannot be reused.</li>
</ul>
<p>I don’t have much to say about this one. It only reduces the password space by 6, so it doesn’t make brute-forcing easier.</p>
<ul>
<li>A password must contain at least seven characters (letters or numbers) but no more than eight characters.</li>
</ul>
<p>Cringe! The <a class="link" href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf" rel="noreferrer">2017 NIST guidelines</a> say passwords must be at least 8 characters. SIUe seems to have gotten this advice backwards with a maximum password length of 8 characters.</p>
<ul>
<li>A password must contain at least five unique characters.</li>
</ul>
<p>This goes against the 2017 NIST guideline against imposing composition rules for passwords. It also reduces the already small password space.</p>
<ul>
<li>A password must contain at least one letter (A-Z or a-z) and at least one number (0-9).</li>
</ul>
<p>Again imposing an arbitrary composition rule that reduces the password space.</p>
<ul>
<li>A password must start with a letter or a number.</li>
</ul>
<p>Do I even need to say it a third time?</p>
<ul>
<li>A password cannot contain any of the characters $&@=+"/[]:;|*,?<>~’ or a space.</li>
</ul>
<p>Throw out the NIST guideline on using all printable ASCII characters and Unicode. In fact, it doesn’t support Unicode. I tried inserting a Unicode character only to get errors. From a security perspective, this rule is extremely concerning. I’m not sure what it’s trying to do, but some of the characters are used in SQL commands. Could this indicate a <a class="link" href="https://www.wikipedia.org/wiki/SQL_injection" rel="noreferrer">SQL injection</a> vulnerability? Since SIUe has to update the password across multiple systems (Blackboard, Outlook, etc.), it could be due to a compatibility issue. This could also be a security concern.</p>
<p>I’m going to lump the last 4 together because the only thing I have to add is that they reduce the password space again and are composition rules.</p>
<ul>
<li>A password cannot be a person’s name, an e-ID or any word found in the dictionary.</li>
<li>A password cannot be any of the following spelled backwards: a person’s name, an e-ID or any word found in the dictionary.</li>
<li>A password cannot have a repeating pattern (e.g. ababab or abcdefg).</li>
<li>A password cannot have a pattern like ‘ccNNNNNc’ where ‘c’ represents any character and ‘N’ represents any number. (These are National Insurance numbers and are widely known on the web.)</li>
</ul>
<h2 id="60-day-reset">60 Day Reset</h2>
<p>Every 60 days, you are required to <a class="link" href="https://web.archive.org/web/20201026122131/https://www.siue.edu/its/eid_faq.shtml#expired" rel="noreferrer">reset your password</a>. The NIST password policy guidelines say users shouldn’t be required to change their passwords regularly or arbitrarily. If an account is compromised, then it makes sense. But otherwise, you’ll just be making everyone increment the last digit in their password every time. Almost no one will create a completely different password when they can just change one character.</p>
<p>Furthermore, all these password rules make it much more difficult to analyze the number of possible passwords. To do that, you would need every e-ID and every word in “the dictionary”. Who knows what words are included even. I’m certain that even the administrators have no idea how big the password space is, but it’s definitely insufficient. This brings me to my next point.</p>
<h1 id="auto-generated-password-patterns">Auto-generated Password Patterns</h1>
<p>If your password is reset using your security question, or you get your password generated for you at the help desk, there seem to be patterns to the passwords. I’ve noticed after testing this out by resetting my password that the generator always seems to prefer 2 digits and 6 letters. The generator seems to prefer 3-letter sequences with a consonant followed by a vowel followed by another consonant. This makes it easy to pronounce. It always uses lowercase. I don’t think I have ever seen it use uppercase. This is why I do not recommend using passwords auto-generated by SIUe. They have patterns. If you obtain an auto-generated password, change it as soon as possible. Since the generator algorithm is closed off, there’s no way to know how secure it is. Your best bet is to generate a password yourself using a password manager and memorize that.</p>
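<p>The size of the password space left by the countable rules, and by the generated shape described above, can be computed exactly. The following is an added example, not SIUe code and not part of the original post. Assumptions: the forbidden apostrophe is the ASCII one, every other printable ASCII character is accepted, and a generated password is two consonant-vowel-consonant triples with the two digits adjacent to each other.</p>

```python
"""Added example (not SIUe code): size of the e-ID password space."""
import math
import re
import string

# Assumption: allowed characters are printable ASCII minus the forbidden list,
# reading the page's typographic apostrophe as "'".
FORBIDDEN = set("$&@=+\"/[]:;|*,?<>~' ")
CLASS_SIZES = (
    len(string.ascii_letters),                  # 52 letters
    len(string.digits),                         # 10 digits
    len(set(string.punctuation) - FORBIDDEN),   # 13 remaining symbols
)


def class_states(length, sizes=CLASS_SIZES):
    """Count strings by how many distinct letters/digits/symbols they use.

    Returns {(letters, digits, symbols): number of strings}. The first
    character must be a letter or a digit, as the policy requires.
    """
    states = {(1, 0, 0): sizes[0], (0, 1, 0): sizes[1]}
    for _ in range(length - 1):
        nxt = {}
        for used, ways in states.items():
            for cls in range(3):
                if used[cls]:  # repeat a character already in the string
                    nxt[used] = nxt.get(used, 0) + ways * used[cls]
                fresh = sizes[cls] - used[cls]
                if fresh > 0:  # introduce a character not used so far
                    key = used[:cls] + (used[cls] + 1,) + used[cls + 1:]
                    nxt[key] = nxt.get(key, 0) + ways * fresh
        states = nxt
    return states


def count_compliant(length, min_unique=5, sizes=CLASS_SIZES):
    """Strings with >=1 letter, >=1 digit and >= min_unique distinct characters."""
    return sum(
        ways
        for (letters, digits, symbols), ways in class_states(length, sizes).items()
        if letters >= 1 and digits >= 1 and letters + digits + symbols >= min_unique
    )


def policy_space():
    """Upper bound for the 7- and 8-character policy. The dictionary, name,
    pattern and history rules can only shrink it further."""
    return count_compliant(7) + count_compliant(8)


# Shape the page reports for generated passwords: lowercase consonant-vowel-
# consonant triples plus two digits. Assumption: the digit pair sits before,
# between or after two triples.
CVC = "[b-df-hj-np-tv-z][aeiou][b-df-hj-np-tv-z]"
GENERATED = re.compile(
    rf"(?:\d\d{CVC}{CVC}|{CVC}\d\d{CVC}|{CVC}{CVC}\d\d)", re.ASCII
)


def looks_generated(password):
    """True when a password has the generated shape and should be replaced."""
    return GENERATED.fullmatch(password) is not None


def generated_space():
    """Number of passwords of the assumed generated shape."""
    triple = 21 * 5 * 21          # consonant, vowel, consonant
    return triple ** 2 * 10 ** 2 * 3


def bits(n):
    """Size of a space expressed in bits."""
    return math.log2(n)


if __name__ == "__main__":
    print(f"policy upper bound: {policy_space():.3e} ({bits(policy_space()):.1f} bits)")
    print(f"generated shape:    {generated_space():.3e} ({bits(generated_space()):.1f} bits)")
    print(f"16 random printable ASCII characters: {16 * bits(95):.1f} bits")
```

<p>Under these assumptions the policy allows at most about 49 bits, and the generated shape about 30 bits, before the dictionary and pattern rules remove anything.</p>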
<h1 id="annoying-user-interface">Annoying User Interface</h1>
<h2 id="looks">Looks</h2>
<p>Take a look at the <a class="link" href="https://eid.siue.edu/am/e-ID" rel="noreferrer">creation and maintenance</a> page. I myself am not great at designing graphical user interfaces, but this one is bad. There was a class I had where the professor went over how awful the creation and maintenance page was during the class, but I won’t mention who. Some things they noticed on the face of it: For some strange reason, the table has four columns, but the third and fourth columns only have one item. The radio buttons get their own separate cells which look awful with the borders. Everything is at the top of the page, not centered. The gray background is very bland and it looks like not much thought was put into the color scheme. And it definitely isn’t going to look nice on mobile.</p>
<h2 id="input-ambiguity">Input Ambiguity</h2>
<p>The date of birth on the “I want to get an e-ID” option and the “I have an e-ID but I forgot my password” option has 3 separate input boxes! The day and month are dropdowns while the year is a text box. It doesn’t indicate how you should enter the year either, as 2 digits or 4 digits. It wants 4. But, if you enter 2, it gives you a generic error message saying the account information is not correct.</p>
<p>The new password and confirm new password fields on the <a class="link" href="https://eid.siue.edu/am/change_password" rel="noreferrer">change password page</a> allow you to input in your browser 9 characters, but the server just rejects anything more than 8. It also has text above the input field saying it only allows 8 characters.</p>
<h2 id="invalid-html">Invalid HTML</h2>
<p>After seeing the poor quality of the subdomain’s web pages, I got curious and clicked view source. They were using XHTML 1.0 and the legacy windows-1252 character encoding. After checking all the pages reachable from the radio buttons with the HTML validator at <a class="link" href="https://validator.w3.org/" rel="noreferrer">https://validator.w3.org/</a>, the results were as expected. Every URL I checked had invalid HTML at the time of this writing:</p>
<ul>
<li><a class="link" href="https://eid.siue.edu/am/e-ID" rel="noreferrer">https://eid.siue.edu/am/e-ID</a> (85 errors)</li>
<li><a class="link" href="https://eid.siue.edu/am/get_e-ID" rel="noreferrer">https://eid.siue.edu/am/get_e-ID</a> (16 errors)</li>
<li><a class="link" href="https://eid.siue.edu/am/reset.pl" rel="noreferrer">https://eid.siue.edu/am/reset.pl</a> (19 errors)</li>
<li><a class="link" href="https://eid.siue.edu/am/change_password" rel="noreferrer">https://eid.siue.edu/am/change_password</a> (91 errors, 2 warnings)</li>
<li><a class="link" href="https://eid.siue.edu/am/bid_lookup" rel="noreferrer">https://eid.siue.edu/am/bid_lookup</a> (14 errors)</li>
</ul>
<p>The landing page for the university at <a class="link" href="https://www.siue.edu" rel="noreferrer">https://www.siue.edu</a> also had invalid HTML yielding 13 errors from the validator. Other URLs under the SIUe domain also had errors. These errors are less severe than the creation and maintenance page but still deserve to be addressed. The HTML looks like it was written in an editor, not by a human.</p>
<h2 id="usability">Usability</h2>
<p>After you submit the <a class="link" href="https://eid.siue.edu/am/change_password" rel="noreferrer">change password form</a>, you are redirected to a webpage where you have the option to change your secret phrase. You can use the secret phrase to reset your password if you forget it. The problem is the secret phrase works the opposite way than you think it does. You don’t select a question and input the answer. You input both the question and answer manually. And then when you go to reset your password, it will give you the answer to the secret phrase and you have to come up with the question. If you think about it for a while, it’s not hard to see that some answers correspond to really only one question. So this is not a good scheme.</p>
<p>For example, “The Incredibles” is the hint. You can guess the question “What is your favorite movie?”. On the other hand, picking a question from a dropdown box and having a normal security question challenge setup would be a better scheme. If a student isn’t aware of how the system works, it might leak sensitive information about them to hackers, especially since they can define their own question and answer.</p>
<h1 id="data-stored-in-plaintext">Data Stored in Plaintext</h1>
<p>When it lets you change the secret phrase and answer, it literally shows you the existing secret phrase and answer. That means that the question to your secret phrase is not hashed and salted. SIUe has a big database of questions of ~13k active students. And don’t forget all past students’ questions and answers going back years are still in the system. And their answers to those questions are just sitting on a server somewhere ready for a data breach. This is pure negligence and should be fixed as soon as possible. There’s no reason to have personal questions and answers of students sitting on a server somewhere in plain text.</p>
<h1 id="denial-of-service-vulnerability">Denial of Service Vulnerability</h1>
<p>There is a denial of service vulnerability related to the <a class="link" href="https://eid.siue.edu/am/change_password" rel="noreferrer">change password form</a>. If you unsuccessfully reset your password more than 5 times, your ability to reset your password will be locked for 24 hours. This password reset attempt limit persists across browsing sessions and IP addresses. It must be stored on SIUe servers. That means anyone can use the <a class="link" href="https://www.siue.edu/search/people.shtml" rel="noreferrer">people search feature</a>, which I covered previously, to scrape for e-IDs. Then, they can spam the password reset form with every e-ID scraped from the search feature. Since it’s only necessary to do this once every 24 hours per account, anyone can effectively break the password reset feature for all active students, faculty and staff with a simple Python script.</p>
<p>Of course, students can make a call to the help desk to get the password reset limit fixed so they have 5 more attempts within the 24 hours. But it’s possible to run this attack continuously with such high volume that even students who call the help desk and get a reset on the attempts cannot change their password. I’m not encouraging or condoning denial-of-service attacks on the change password feature. I’m only pointing out that the attack vector exists in the hope that it gets fixed.</p>
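<p>The lockout becomes a denial of service because the failure counter is attached to the e-ID alone. The following added example, which is not SIUe code and not part of the original post, models that behaviour next to a limiter keyed on the e-ID and the client together. The 5-failure and 24-hour values come from the page; the step-up threshold, the e-ID and the addresses are constructed for illustration.</p>

```python
"""Added example (not SIUe code): reset-attempt limiting without third-party lockout."""
from collections import defaultdict

MAX_FAILURES = 5              # page: more than 5 failed resets triggers the lock
LOCK_SECONDS = 24 * 60 * 60   # page: the lock lasts 24 hours
STEP_UP_FAILURES = 20         # assumption: per-account total that triggers step-up


class ResetLimiter:
    """Failure counter for the password-reset form.

    key_fn decides what a lock is attached to: the e-ID alone (the behaviour
    the page describes) or the (e-ID, source) pair.
    """

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.account_failures = defaultdict(int)

    def allowed(self, eid, source, now):
        return now >= self.locked_until.get(self.key_fn(eid, source), 0)

    def record_failure(self, eid, source, now):
        key = self.key_fn(eid, source)
        self.failures[key] += 1
        self.account_failures[eid] += 1
        if self.failures[key] > MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures[key] = 0

    def record_success(self, eid, source):
        self.failures.pop(self.key_fn(eid, source), None)
        self.account_failures.pop(eid, None)

    def step_up_required(self, eid):
        """Many failures spread over many sources: keep the form available but
        require out-of-band confirmation (for example a link sent to the
        registered address) instead of locking the account."""
        return self.account_failures[eid] >= STEP_UP_FAILURES


def account_wide():
    """One counter per e-ID, shared by every client."""
    return ResetLimiter(lambda eid, source: eid)


def per_source():
    """One counter per (e-ID, client).

    Assumption: "source" is whatever identifies one client, such as an IP
    address plus a device cookie; a bare IP is coarse behind campus NAT.
    """
    return ResetLimiter(lambda eid, source: (eid, source))


def owner_locked_out(limiter, eid="jdoe", other="198.51.100.7", owner="192.0.2.10"):
    """Replay the page's scenario with constructed values: another client fails
    the reset form for `eid` six times, then the owner tries from elsewhere."""
    for second in range(MAX_FAILURES + 1):
        if limiter.allowed(eid, other, now=second):
            limiter.record_failure(eid, other, now=second)
    return not limiter.allowed(eid, owner, now=60)


if __name__ == "__main__":
    print("account-wide counter locks the owner out:", owner_locked_out(account_wide()))
    print("per-source counter locks the owner out:  ", owner_locked_out(per_source()))
```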
<p>SIUe Cyberstalking Feature (2020-06-06): https://nicholasjohnson.ch/2020/06/06/siue-cyberstalking-feature/</p>
<p><a class="link" href="https://www.siue.edu/search/people.shtml" rel="noreferrer">https://www.siue.edu/search/people.shtml</a></p>
<p>This lesser-known feature has existed for at least 2 years and probably much longer than that. I emailed their <a class="link" href="mailto:help@siue.edu">help desk</a> several times pointing out the search feature could be abused by cyberstalkers and data mined. I pointed out that it should require authentication and not be open to the public internet. It’s a huge risk for student privacy and safety. Anyone can find any student’s full name, area of study, rank, home address, phone number and university email. A week later, I still have no response.</p>
<p>A quick search reveals that other universities’ student directories generally don’t include the student’s rank, home address, or phone number. SIUe should at least remove the home address and phone number fields from public view.</p>
https://nicholasjohnson.ch/2020/04/30/rejecting-visual-studio/
Rejecting Visual Studio
2020-04-30T00:00:00Z
<h1 id="background">Background</h1>
<p>This semester I took Intro to Artificial Intelligence at <a class="link" href="https://www.siue.edu" rel="noreferrer">SIUe</a>. Artificial Intelligence is a senior level course. I’ll call the professor “Professor X” to preserve anonymity.</p>
<h1 id="story">Story</h1>
<h2 id="assignment-one---cats">Assignment One - Cats</h2>
<p>Since my time giving in to using Visual Studio in software engineering class and seeing the inner conflict that caused, I was much more prepared to stand up for my beliefs in A.I. class. The very first assignment we got was to write an A.I. that solves a “cat in the hat” problem involving finding certain values for the height of the cats and number of cats in each hat (each cat has a hat with more cats except the cat at height one). I was intrigued. I could have written a program that simulates the cats, but I instead went for an analytical approach and derived two single logarithmic equations that yielded the values efficiently. I still wasn’t sure how to solve both equations, so I developed a binary search algorithm for the right value instead. I was disappointed however when after reading the specification I discovered the project had to be completed using Visual Studio and written in C++. Visual Studio is proprietary software made by Microsoft that requires users to agree to a license agreement (which I read) and submit themselves to privacy-invading telemetry. Ew.</p>
<p>I was not thrilled about this, so I opted to write my program using a different IDE and compile it with the gnu-c++ compiler. I wanted to get ahead of this so there wouldn’t be any issue, so I emailed Professor X explaining why Visual Studio is proprietary malware, or at least potential malware. Professor X responded that he did not believe it is malware and I should use it anyway. So I responded over email again explaining my beliefs about free software and why students ought not be required to use Visual Studio. He said he would consult with his colleagues about it and the grader as well. Professor X and the grader got back to me explaining that they couldn’t change the assignment just for me as there were over thirty students in the class and allowing students to submit their work differently would be too much hassle. Maybe don’t ask students to use proprietary software?</p>
<p>After I had already written my program, I spent over four extra hours learning how to use <a class="link" href="https://cmake.org/" rel="noreferrer">CMake</a> so hopefully it would open in Visual Studio when the grader went to grade it. This was extra work I did that no one else in class had to do because I refused to use proprietary software. After I submitted it, I got a grade of zero because the grader was unable to run my program in Visual Studio. As a side note, it seems ludicrous to me that we were demanded to submit our C++ programs in the form of Visual Studio project files. That is just not a sane way to submit a project. But anyway, I sent a long email to the professor again explaining that my program did compile and run and that I spent four hours trying to use CMake to get it to work for the grader. He emailed back saying how me using CMake was a huge waste of everyone’s time, and if I had such a strong problem with Visual Studio, then maybe I should go talk to the dean about it instead of talking to individual professors about my beliefs. I guess his point was if the dean didn’t agree that the university should only use free software then I should just accept proprietary software?</p>
<p>The professor and grader agreed, just for this one time, to regrade my program to reflect the work I put in instead of my willingness to agree to Microsoft’s insane licenses and run proprietary malware just to write a C++ program, and I got a 90% losing 10% only because I submitted a day late. For the next two programs, the professor and grader agreed that I can submit only the source code cpp files because the grader had figured out how to run them in Visual Studio.</p>
<h2 id="assignment-two-and-three">Assignment Two and Three</h2>
<p>The second assignment was Huarong Path, also called <a class="link" href="https://www.wikipedia.org/wiki/Klotski" rel="noreferrer">Klotski</a>. It is a sliding puzzle where you try to get a particular piece into a particular spot on the board by sliding all the tiles around until you have the piece in the destination spot. There are many heuristics you can develop for this, but I found that implementation was just as important as heuristics. The third assignment was Fore & Aft where you try to reverse the positions of the differently colored pegs. Imagine a large square broken into four quadrants, but two quadrants that are diagonal to one another are missing, and there is one empty center peg and the quadrants have differently colored pegs. The rules are that you can move any peg into an empty adjacent peg or jump over pegs like in the game checkers. I ended up using <a class="link" href="https://www.wikipedia.org/wiki/A*_search_algorithm" rel="noreferrer">A*</a> to solve the puzzle. I was able to submit these two assignments with only the source code files, so I didn’t have to use Visual Studio and there was no problem.</p>
<h2 id="assignment-four---n-queens-puzzle">Assignment Four - N Queens Puzzle</h2>
<p>Fast forward to the fourth assignment. It was an N Queens puzzle. For N=8, this is better known as the <a class="link" href="https://www.wikipedia.org/wiki/Eight_queens_puzzle" rel="noreferrer">8 Queens Puzzle</a>. This was my favorite puzzle to write a solution for. I found a simple <a class="link" href="https://www.wikipedia.org/wiki/Hill_climbing" rel="noreferrer">hill-climbing algorithm</a> from our textbook that was much faster at finding solutions than was asked of us. We had to find three unique solutions. I just allowed my program to take as input the board size as well as the initial position of the first queen. For some reason it was stipulated that we had to enable one queen in the solution to be “fixed” to a certain square so she was guaranteed to be there. It didn’t take me long to have this solution written up and submitted, but my grade unexpectedly returned with a failing grade for the assignment. It was because gnu-c++ allowed specifying C arrays without a size, but the standard C++ compiler didn’t, so it didn’t compile in Visual Studio.</p>
<p>When I turned on warnings when compiling with gnu-c++, I immediately saw what the grader was talking about and fixed it. The grader allowed me to fix it since it was just an issue with the compiler compatibility and not my code. I got full points back for this assignment. I was told after the first assignment that it would be my responsibility to make sure my code worked in Visual Studio and if it didn’t, I would be graded accordingly. But the grader was willing to allow this to slide since it was such a minor issue and strictly to do with compiler compatibility.</p>
<h2 id="encounter-with-professor-x">Encounter with Professor X</h2>
<p>I talked with Professor X in person outside of class about proprietary Visual Studio. The first thing I remember that he mentioned was how hard it would be for me finding employment with my philosophy about software. This is undeniably true. There is far less money in creating free software than proprietary freedom-destroying software. So I explained to him that my primary focus isn’t just employment or living the easiest life possible.</p>
<p>If I wanted to live an easy life and disregard my ethics totally then yes I could do that. But I need to do something to make the world a better place, or at least not worse. There’s already enough people making it worse. Also, it’s obvious that I’ll have to work somewhere that is going to allow me to work within my free software values. I’m not going to be working at AT&T, Google, or Microsoft. If I’m not able to make a living with free software, I’ll do some job unrelated to computer science for an income and write free software on the side. It would be much easier to sleep at night doing that instead.</p>
<p>He then suggested I use the university computers instead of my own. I explained to him how this doesn’t solve the issue because Visual Studio is still proprietary and I would have to use the Windows malware that is installed on campus computers as well. He said that the university has a deal with Microsoft in which Microsoft deactivated their surveillance features for university computers. SIUe does have a deal with Microsoft (which is why they use so much Microsoft software), but I seriously doubt Microsoft deactivates the spying (telemetry) features for their programs at SIUe. Even if they do, Windows and Visual Studio are still proprietary so there’s no way to confirm that.</p>
<p>There was also the extremely common confusion about how software companies will make money producing only free software. Beforehand, I had emailed Professor X supporting links from the <a class="link" href="https://www.fsf.org" rel="noreferrer">FSF</a> website explaining about free software. I tried explaining that it’s not about price, but freedom. I could have been misreading the situation so don’t take this as fact, but it seemed to me that he didn’t have any interest in learning about free software or the ethical implications. He seemed more interested in getting me to conform to using Visual Studio so that it would make his and the grader’s job easier. The reason I think that is because throughout our entire prolonged exchange, emails and in person, he didn’t mention ethics once and expressed his sentiment that the conversation was “pointless”. I don’t think conversations about ethics are “pointless”. I think a conversation about ethics is important before starting any project, not just writing software.</p>
<h1 id="conclusion">Conclusion</h1>
<p>I have seen this theme again and again having conversations with professors. Perhaps I just don’t explain free software well enough, which is why I provided links and video resources to Professor X. One thing I often see, which is true of anyone changing their mind in general, is that people won’t do it on the spot in real time. Reading a post like this you may think that I wasted my time. But people do change their minds and it almost always happens in private, not under the pressure of a real-time conversation. And even if people don’t change their minds completely, they can often be nudged in the right direction. So don’t lose hope just because someone doesn’t immediately see things your way. Many professors at SIUe that I’ve talked to just aren’t accustomed to thinking about software freedom as an important issue. I expressed my frustration to Professor X about how the issues he was bringing up were peripheral to me, and that if he really wanted to convince me to use Visual Studio and Windows he would have to show me why my ethical beliefs are wrong.</p>
<p>The truth is unless someone is very brave and intellectually honest, they’re not going to change their mind (admit they were wrong) on the spot. Especially professors because they would have to rewrite entire assignments to use different software and restructure their coursework which is potentially a lot of work. I think they are also strongly encouraged from above to use particular proprietary software because of the university’s deal with Microsoft. They would have to go against that. But I have seen professors use their own computers in class, so it’s still very feasible. It’s a lot of work that professors aren’t required to do and for reasons most of them aren’t accustomed to considering. I’m not defending their decisions to continue using proprietary software, just explaining why they don’t change things. I’d like to engage with a professor and see them realize my point on the spot and decide then and there to restructure their course to be more ethical, but that never happens.</p>
<p>Nonetheless, I do think the conversations I’ve had do have an impact. And most of that impact I’m not seeing because it happens in private after a lot of thought given to ethics, but it does happen. As a matter of strategy, my advice to anyone trying to spread the word about free software at work or universities is twofold.</p>
<h2 id="advice-1">Advice 1</h2>
<p>Keep having conversations with people about free software, every opportunity you get that seems appropriate. Especially have conversations with those with the most authority to do something to make change. Don’t worry about looking like a fool because times are desperate and if free software philosophy doesn’t spread more, we risk losing more ground to encroaching proprietary software. We cannot let the free world disappear.</p>
<h2 id="advice-2">Advice 2</h2>
<p>Encourage others to reject proprietary software and reject it yourself. Get a few people who agree with you and form a club or pact to reject it. There’s not always free software that perfectly replaces proprietary software, in which case you must reject the proprietary software entirely with no substitute. At SIUe and any other universities, professors aren’t going to take much notice if you go off on your own trying to create little workarounds for the proprietary software they want you to use. The only action which they have to respond to is when you outright refuse to use the proprietary software and most importantly tell them why you’re rejecting it. It’s helpful to propose free software at the same time, but most important is telling them you refuse to use proprietary software and stand behind that decision with unflinching stubbornness. The only way to slow the encroachment of proprietary software in schools, universities and workplaces is to refuse to use or develop it, demand alternatives, and spread the word.</p>
https://nicholasjohnson.ch/2020/03/30/inception-rejecting-discord-drawio-and-visual-studio/
Inception - Rejecting Discord, Draw.io, and Visual Studio
2020-03-30T00:00:00Z
<h1 id="background">Background</h1>
<p>In the spring of 2018, I took software engineering at <a class="link" href="https://www.siue.edu" rel="noreferrer">SIUe</a>. Software engineering is a junior level CS course. In my view, it serves as preparation for the more demanding two semester development effort that is the senior project. I’ll call the professor “Professor X” to preserve anonymity.</p>
<h1 id="story">Story</h1>
<h2 id="project-i">Project I</h2>
<p>The first project was for the purposes of getting everyone accustomed to using Git and Redmine and working in a team as well as doing some documentation. We were put in groups of three to four and given the task of writing a fairly simple program with a GUI and some basic functionality in C#. I remember being very anxious upon forming a group because I knew my group members would likely want to use <a class="link" href="https://slack.com" rel="noreferrer">Slack</a> or <a class="link" href="https://discordapp.com/" rel="noreferrer">Discord</a> or some other popular proprietary walled garden messaging platform. Luckily for the first project of the class, my three group members were not thrilled, but were willing to undergo the inconvenience of downloading and using <a class="link" href="https://riot.im/" rel="noreferrer">Riot.im</a> / <a class="link" href="https://matrix.org" rel="noreferrer">Matrix</a>.</p>
<h3 id="communication">Communication</h3>
<p>It was awkward and uncomfortable to be the only person in the group refusing to use Discord when everyone else very quickly came to a consensus on it. Peer pressure is a real thing. But after explaining my reasons, I was able to win over the group after a few days and get everyone using Riot. I even got everyone to exchange their device keys over email so we could all have an encrypted group chat. The peace of mind of having an encrypted room and using free software instead of having our group messages data mined and sold as would have been the case with Discord cannot be overvalued for me. I didn’t really win the group over by convincing them with the benefits of encryption and free software. I think they just wanted to get the project moving along and saw the easiest way forward was to adapt to me. So I got past the first hurdle.</p>
<h3 id="ide">IDE</h3>
<p>I don’t recall the specifics of the program, but it probably had some buttons and text boxes and would have been similar in difficulty to a graphical desktop calculator application. Our group did the required UML diagrams. The only thing left was to code the classes we diagrammed. This is where the trouble started for me. Professor X’s project specification I believe was handed down from Professor Y who died unexpectedly. So Professor X was standing in for Professor Y teaching with his slides. Unfortunately I’ve heard Professor Y had a love for Windows and his project specification required everyone to use Visual Studio.</p>
<p>At this point I got worried because Visual Studio is proprietary software, and it was a battle with my conscience to use it or not. I definitely wasn’t willing to install it on my personal machine. So instead, I found MonoDevelop and was able to use it to complete project I. We still had to use Winforms for the GUI part which was awful, but at least I was able to avoid Visual Studio. The members of my group installed and used Visual Studio on their personal computers. So far, I had been able to completely avoid proprietary software.</p>
<h2 id="project-ii">Project II</h2>
<p>Project II was a similar story to project I except that I was in a group of three instead of four. This time, we were assigned a project called Cougar Delivery. The specifications outlined a delivery service we had to make software for. The delivery service software had to perform tasks such as tracking shipments, generating performance reports and cost of business charts, allow clients to order shipments and generate routes for shipping packages for the shipping business. It had many more requirements, so I won’t list them all. But the idea was a single graphical application that enabled all the business operations related to running a delivery business. Realistically, this would have been divided up into several applications that handled general aspects of business such as finances, tracking, client and employee login systems and permissions, and more. But the point of the class was documentation and design rather than implementation.</p>
<h3 id="communication-1">Communication</h3>
<p>Again, it was awkward asking everyone to use Riot when they had never heard of it. I had a hard time finding a soft way to propose using it when I wasn’t willing to accept a proprietary alternative. But my two group members were willing to use it. I again was able to convince them to exchange device keys in person for an encrypted room. So far, all was well.</p>
<h3 id="documentation">Documentation</h3>
<p>Edit (31-10-2023): Please disregard the part in this section where I claimed that draw.io was proprietary software. It has been brought to my attention that draw.io is free software and was at the time of writing as well. I don’t recall what led me to believe otherwise. I apologize for any confusion I may have caused over this.</p>
<p>And so we began our documentation. This time, I was not our project lead. Another team member had more time to work on the project, so he took the initiative. He was very diligent and before we had even started writing code, we ended up with an estimate of close to eighty classes total. We had polished UML diagrams for all those classes including package diagrams and UML class diagrams and a three tier architecture established before a single line of code was written. I was very satisfied with that. For my diagrams, I used <a class="link" href="http://dia-installer.de/" rel="noreferrer">Dia</a> and my teammates used <a class="link" href="https://app.diagrams.net/" rel="noreferrer">draw.io</a>. Dia was difficult and annoying to use as far as alignment goes. It might have been due to my inexperience never having used it before, but I used it anyway for freedom. Draw.io is not free software. It uses proprietary JavaScript and requires a software license to purchase the app. Nevertheless my teammates were able to at least export their diagrams in png format so I could see them using free software. Our project lead claimed to have used Dia before and said it was too inconvenient usage-wise.</p>
<p>The deliverables for the project were scheduled in such a way that we had to do all the documentation before starting the project, and continually revise documentation as the project went along. Our documentation was so effective that I trust we could’ve handed it to any other group in the class, and they would have been able to implement our entire design. Some of the documents were done using Google Docs regrettably. I strongly suggested using <a class="link" href="https://sandstorm.io/" rel="noreferrer">Sandstorm</a> instead since it is free software and doesn’t require proprietary JavaScript in the browser. That did not end up happening since I had other classes to worry about and we were crunched for time. If I could retake the class, I would have created a separate shared repo for documentation and used a word processor for editing instead. Our team lead did not see this as viable since he felt we needed to be able to see everyone else’s changes in real time. There was a lot of talk about using Sandstorm, but I was never able to make it happen.</p>
<p>Another possible free software self-hosting alternative to Google Docs would have been an <a class="link" href="https://etherpad.org/" rel="noreferrer">Etherpad</a> instance, but public Etherpad instances did not have the plugins necessary for nicely formatting documents unless I self-hosted and installed them myself. And I guess I didn’t have the time to set up an instance or something. But I did put a few hours of work in trying to get it working. It was very discouraging to be working so hard on something very tangentially related to our actual project. I wasn’t able to move the group toward using Etherpad either. I ultimately ran out of time trying to make it work. I was the one pushing to use something besides Google Docs mainly due to its proprietary JavaScript.</p>
<p>After I had been defeated, unable to move the group to something besides Google Docs, I gave in to using Google Docs, which I was able to use anonymously without an account. I just used the shared link. But I still had to run the proprietary JavaScript in the browser which I now regret giving in to. This failure was very discouraging and harmed my motivation for doing the project. I discussed this extensively with the project lead but we weren’t able to bypass the issue. After this failure, I didn’t know the worst was still yet to come.</p>
<h3 id="testing-framework">Testing Framework</h3>
<p>We had to use a testing framework for the current project iteration to test our code. Of course our professor’s hand-me-down specification and slides insisted that we use MSTest. I did some background research because it sounded proprietary. I found it was available for MonoDevelop, but when I went to install it, it asked me to read and sign a license agreement first. I believe it was proprietary based on the terms it was asking me to agree to when I tried to install it through MonoDevelop. I clicked decline. Instead of installing it, I dug in my heels and went to the professor after class. Regrettably, I did not mention the idea of free software very explicitly. Instead I talked about how I wasn’t willing to agree to the terms so MonoDevelop could run the tests. He chuckled when I mentioned I wasn’t using Visual Studio as the project requirements laid out, preparing for a potentially awkward conversation. And then when I mentioned not wanting to use the testing framework, he seemed perplexed. He told me I could write the unit tests and have a team member who has Visual Studio run them, thus bypassing agreeing to the license. This didn’t satisfy me though, because it just passes the buck off to someone else. I definitely wasn’t going to rely on my team members to agree to something I myself wouldn’t. I let him know that I felt his idea didn’t really solve the issue for me. I asked Professor X if I could use the NUnit testing framework instead, a libre library. He told me to ask the grader.</p>
<p>So I emailed the grader explaining in detail my ethical concerns about MSTest. He got back to me promptly admitting that he did not know about the ethical issue and would be willing to accommodate me given that NUnit could work in Visual Studio. It could, so I wrote my tests for our code using NUnit. I even rewrote some of our tests that had been written in MSTest into NUnit to increase the freedom of our project which wasn’t too difficult. I had successfully dodged what could have become a freedom issue. I also discussed this with our group. They continued writing the unit tests using MSTest.</p>
<h3 id="ide-1">IDE</h3>
<p>I thought I would be able to use MonoDevelop as before without any issues. I had solved the issue of the testing framework. What more issues could arise? The database. The instructions for the database in the database tier of our three tier architecture were written to explain how to use the SQL database in Visual Studio. It used libraries that only worked in Visual Studio if I recall correctly. This caused an inner conflict for me. I had never failed a class before, but I knew the professor wasn’t going to rewrite the specifications in the middle of the project and it would be too much for the grader to try to get something else working and too much for me to research another solution. I talked about this issue ad nauseam to our group lead, who was sympathetic but tried to still convince me to just write the database anyway. I wasn’t able to get him to really make sense of the freedom issue despite sending supporting links from the FSF website to explain my position. After heated debate, we eventually came to the compromise that I would only work on the part of our program that did not include the database. I would work on the other two tiers; the controller and graphical interface. I now regard this compromise as a mistake.</p>
<p>This still did not resolve the issue because I was unable to compile our program without having the SQL database that only worked in Visual Studio. I painfully forced myself to use Visual Studio in the university computer lab to write the project. This occurred with our team late at night all of us working furiously before the due date to get as much coded as possible and submitted. We were doing rapid trio programming because none of us had time until the last moment to work on the project. I was glad to have finished the project, but still giving in to using proprietary software did not sit well with me. I was ashamed of having given in but also understood my teammates would have had to give me a bad performance report if I outright refused to work on the project due to the database tier. So practically the choice was between failing and tacitly condoning Visual Studio by using it. I made the mistake of choosing to use Visual Studio to pass instead of putting my foot down and refusing and going to the professor again about the ethical issue. I think I didn’t go to the professor again because I didn’t want to inconvenience him too much to avoid another awkward conversation. I ought to have gone immediately to the professor again to discuss the freedom issue. I passed the class with a good mark and accomplished the project, but still felt gross about giving in to proprietary software.</p>
https://nicholasjohnson.ch/2020/03/30/rejecting-discord-and-google-colab/
Rejecting Discord and Google Colab
2020-03-30T00:00:00Z
<h1 id="background">Background</h1>
<p>This semester I took Deep Learning at <a class="link" href="https://siue.edu" rel="noreferrer">SIUe</a>. Deep learning is a senior level CS elective course. I’ll call the professor “Professor X” to preserve anonymity.</p>
<h1 id="story">Story</h1>
<p>In Deep Learning class, after the lectures, we had to get into groups for our class project. The class project consisted of designing and implementing our own neural network which would do some novel task. It didn’t take me long to get into a group. The issue as always was finding a communication platform that we could all use that was free software. Since most students opt for proprietary walled gardens instead such as <a class="link" href="https://discordapp.com/" rel="noreferrer">Discord</a>, I had a lot of difficulty because I wasn’t willing to use Discord. Our whole group of four agreed on using Discord except for me. Email wouldn’t be viable. It’s not great for real time communication and file sharing. Even after I explained that I don’t use proprietary software, the group still did not want to budge as I expected. So the admin of the Discord “channel” and I got together and set up a <a class="link" href="https://matrix.org/bridges/" rel="noreferrer">Matrix bridge</a>. I was surprised at how easy this was. Because Matrix has a <a class="link" href="https://github.com/Half-Shot/matrix-appservice-discord" rel="noreferrer">Matrix-Discord bridge</a> available and there is a public bot called <a class="link" href="https://t2bot.io/" rel="noreferrer">t2bot</a>, I was able to use Riot.im client instead of Discord. Riot.im is free software and Matrix is an open protocol which is more acceptable than the proprietary walled garden of Discord. The bot allowed me to create a Matrix room which bridged Discord and the Matrix network. It took less than ten minutes to set up. Now that I got the hang of using it, I’m able to get it working in less than five minutes. There are a few quirks but overall it works fantastically and it’s completely free. I recommend <a class="link" href="https://t2bot.io/donations/" rel="noreferrer">donating</a> if you use the bot since there is no charge for using it. It’s a great tool for avoiding proprietary Discord and Slack.</p>
<p><a class="link" href="https://colab.research.google.com" rel="noreferrer">Google Colab</a> is a service Google offers that gives researchers and students a free GPU. It can be used for things like training neural networks in Python. It wasn’t required for this course per se, but if you didn’t have one you had better have a GPU or be in a group with a member that had a GPU. I have a computer with a GPU, but it is AMD, not Nvidia so it wouldn’t work with the Python libraries like Keras and Tensorflow we were using to train the neural networks. I discovered this after I had already set up the machine for class unfortunately. I really took issue with Google Colab being basically required. If students didn’t agree to the Google terms of service, how would it be possible to do the project? You could have relied on a group member to have an account and train the networks, but that just pushes the problem back a step to your team member agreeing to the terms of service. Worse, Colab requires proprietary JavaScript in the browser so you would have to run proprietary code to use it. And you know Google is collecting your experiment data in case you find something of interest because that’s their whole evil business model.</p>
<p>I ended up emailing Professor X about the issue explaining that students shouldn’t have to agree to Google’s terms of service and run proprietary JavaScript just to take Deep Learning class. He responded saying unfortunately that while he understands my concerns that’s the only way the class could exist and also it was in the syllabus. I don’t believe that at all. If it was within budget, the school could offer students GPUs in a lab to train the neural networks the same way the networking lab has special networking equipment for each student. Of course SIUe isn’t going to do that because it costs lots of money and using a service from an evil data collecting company costs only your soul. Besides, no one except me in the whole computer science department would care about the ethical advantage of students having their own dedicated GPUs, so it wasn’t in SIUe’s interest to purchase GPUs for each student.</p>
<p>There were other problems with the class as well not related to proprietary software. I believe the average grade on the midterm was below 50%. There was a lot of background needed to understand the concepts in class that many students didn’t have. I felt like my time was being wasted every day in the class because too much material was being covered way too quickly to really learn anything. I don’t say that about many classes because there’s always the student responsibility to study, but if you ask me that class was a mess. So after I found out my GPU wouldn’t work and I couldn’t train our group’s network myself, I completely lost motivation for the project. There was no way for me to run the code since I refused to sign up to Google Colab. I couldn’t even check if my code ran and due to COVID-19, I couldn’t get with any group members who had a GPU. The only option was to rent a VPS with a GPU and neural network training capabilities. I decided ultimately that I shouldn’t have to and wasn’t going to rent a VPS just to pass a class. Despite having our midpoint report finished and a working neural network, I wasn’t really learning anything to the depth I wanted to in that class, and the proprietary Google Colab had me discouraged, so I dropped the class.</p>
https://nicholasjohnson.ch/2020/03/30/the-tipping-point-rejecting-windows-zoom-lockdown-browser-and-the-lockdown-monitor/
The Tipping Point - Rejecting Windows, Zoom, Lockdown Browser, and the Lockdown Monitor
2020-03-30T00:00:00Z
<h1 id="background">Background</h1>
<p>This semester I took networking at <a class="link" href="https://www.siue.edu" rel="noreferrer">SIUe</a>. Networking is a senior-level CS course. I’ll call the professor “Professor X” to preserve anonymity.</p>
<h1 id="story">Story</h1>
<h2 id="windows">Windows</h2>
<p>The first software freedom issue I had in this class had to do with the Wireshark labs. <a class="link" href="https://www.wireshark.org/" rel="noreferrer">Wireshark</a> is free software that can be used to capture and analyze network traffic. So there was no issue with Wireshark. Actually, the issue was with the assignment instructions. The instructions were written so that some tasks had to be performed outside of Wireshark and screenshotted. If I remember correctly, Professor X said he did not make any changes to the assignment before giving us the assignment. The assignments were actually obtained from the <a class="link" href="https://gaia.cs.umass.edu/kurose_ross/wireshark.htm" rel="noreferrer">University of Massachusetts, Amherst</a>. The DHCP Wireshark lab contained instructions that only work on Windows.</p>
<p>It wouldn’t have been hard for me to find the equivalent commands on GNU/Linux, but by this point I realized that me doing all the legwork to get things working on GNU/Linux ultimately doesn’t do much good. It gets me by but it doesn’t help other students or have any effect moving coursework toward using free software. So instead, I decided I wasn’t going to do the extra work myself, and instead included a note in my completed assignment submission stating that I don’t own a Windows machine and wouldn’t use it. So I downloaded the Wireshark trace from the University of Massachusetts (the assignment said we could do this if we couldn’t get Wireshark to capture). I imported it into Wireshark and used it for the duration of the assignment.</p>
<p>Back in class after the assignment was graded, Professor X announced that students would no longer be permitted to download the trace from the University of Massachusetts. It would have to be captured manually by following the Windows-only instructions. This swiftly closed the loophole I used to bypass using Windows. Therefore, it is no longer possible to take networking with Professor X without using Windows unless you want to do extra work. And by the way, this is one of, if not the most ardent GNU/Linux professors at SIUe based on my experience. He said in class that he uses <a class="link" href="https://www.archlinux.org/" rel="noreferrer">Arch</a> and is comfortable doing things in the terminal. The point I’m trying to get across is that if you want to only use free software, do not study at SIUe. It is not a free software friendly university and you will struggle trying to work around that.</p>
<h2 id="zoom">Zoom</h2>
<p>After the coronavirus lockdown was declared in Illinois and the university shut down all classes on campus, the lectures needed a way to continue. Professor X went for <a class="link" href="https://zoom.us/" rel="noreferrer">Zoom</a>. Zoom is proprietary crapware. You can download Zoom on your computer or use it through the browser which probably requires proprietary JavaScript and camera and microphone access. I emailed Professor X to ask if there was another way I could watch the lectures. To accommodate me, he began recording the meetings and emailing them to everyone. However, he said he was still taking attendance with Zoom unfortunately. So I found out it’s possible to use <a class="link" href="https://www.wikipedia.org/wiki/Session_Initiation_Protocol" rel="noreferrer">SIP</a>. I attempted to set up an SIP account so I could use Zoom, but then I quickly gave up on that and decided on just using the recordings. I felt that I shouldn’t have to do extra legwork to avoid using proprietary software. If professors are going to suggest proprietary software to students, which they shouldn’t, then they should at least offer a free software alternative that works equally well. Of course, Zoom in the long run is turning out to be a disaster as proprietary software often does.</p>
<p>I want to elaborate a bit on how Zoom is turning out to be a disaster. Zoom is a privacy nightmare. It actually has an attention tracking feature documented in the <a class="link" href="https://web.archive.org/web/20200310192605/https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking" rel="noreferrer">knowledge base</a> which creepily allowed hosts of a Zoom meeting to track if the participants were paying attention or not. The CEO addressed <a class="link" href="https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/" rel="noreferrer">multiple issues</a>. One issue was uninvited participants joining and crashing conferences. Another was that the iOS client contained the Facebook SDK. Facebook is a surveillance monster, so of course that was an absolute privacy disaster and it had to be removed. Zoom video and audio don’t even have end-to-end encryption according to <a class="link" href="https://theintercept.com/2020/03/31/zoom-meeting-encryption/" rel="noreferrer">this article</a>. Hackers quickly found a way to exploit Zoom to expose Windows passwords and showed a screenshot of it on <a class="link" href="https://nitter.net/hackerfantastic/status/1245133371262619654" rel="noreferrer">Twitter</a>. Some Zoom calls may have been routed through China, where geofencing should have prevented this. <a class="link" href="https://www.businessinsider.com/china-zoom-data-2020-4" rel="noreferrer">The CEO didn’t say how many users could have been affected</a>. China does not enforce laws about personal data privacy so who knows if the calls got collected, stored, or analyzed.</p>
<p>So now some universities are rushing over to Microsoft Teams, which will also be a privacy and security disaster forced upon students yet again. They are just going from one proprietary privacy disaster to the next when the best solution is to just use free software. Teams is proprietary and the Teams website requires proprietary JavaScript and perhaps worse a Microsoft account where you must agree to their insane terms of service. So at this point you may be wondering, what free software is out there that would be reasonable for schools to use that would be better? <a class="link" href="https://jitsi.org/jitsi-meet/" rel="noreferrer">Jitsi</a> seems like a very viable alternative. It allows video calling, voice calling, meetings between an unlimited number of participants, and no sign up or account required. I’m not sure about the encryption and data privacy it has, but at least you know it doesn’t come with the Facebook SDK. Besides, there is also <a class="link" href="https://matrix.org/" rel="noreferrer">Matrix</a> which is cross-platform and has multiple clients. There are free software options available that universities should be looking into rather than all jumping onboard the Zoom train, then jumping onto the Teams train after Zoom derailed.</p>
<h2 id="lockdown-browser--monitor">Lockdown Browser & Monitor</h2>
<p>Due to coronavirus, the final exam was going to have to change also. Obviously, we students couldn’t take the exam in person and this opened up doors to potential cheating. I found out we were going to have to use the intrusive proprietary Windows or Mac only garbage that is the <a class="link" href="https://web.respondus.com/" rel="noreferrer">Respondus Lockdown Browser</a>. So I contacted Professor X over email to find out if there was an alternate way to take the exam. For example, being given access to the final exam and then given a certain time window to finish and upload it. He told me this wouldn’t be possible. The browser apparently detects and does not allow usage through a VM based on the Respondus knowledge base. Since I don’t own any Windows machines and I’m required lawfully and ethically to social distance myself, the only way I know I can complete the exam without issues is by partitioning my hard drive and installing the latest Windows, just for this one exam that lasts less than two hours.</p>
<p>Furthermore, even though I could do all that, I’m not willing to. That would be using Windows and the Lockdown browser and implicitly affirming that forcing proprietary software on students is okay. Professor X emailed me a second time and informed me that it wasn’t really his choice to use Respondus Lockdown browser, that “the university” had decided on it. Whether that means there was some vote within the faculty of the computer science department or the dictate was simply handed down university-wide I don’t know. I’m not very interested in the bureaucracy. He told me that “We are under extraordinary circumstances that no one foresaw 3 weeks ago. We’ve all had to make changes and exceptions to ways we work… I highly encourage you to also be sympathetic to the situation and consider making exceptions”. After that he offered to help me repartition my machine to install Windows and mentioned that the university offers free legal Windows 10 licenses available to students. So I took the next step and contacted the chair of the CS department at SIUe. He reaffirmed what Professor X had already said and was not willing to have Professor X make an exception.</p>
<p>So I took Professor X’s advice and was sympathetic and considered making an exception. And then after two seconds of thought I decided that dropping the class and refusing to use it was as sympathetic as I can get to proprietary software. I wasn’t going to repartition my computer to install the proprietary backdoored malware operating system Windows that could rootkit my machine so that I could install a proprietary malware browser and “monitor” that purposely spies on and cripples the operating system. And then I realized it’s probable that some of my other classes would require Respondus lockdown software as well this semester for the final exam and I couldn’t in good conscience use it. Also, it’s likely that due to COVID-19 my summer classes would also require using it. Even if those classes didn’t require that proprietary software, it became clear to me that there were certainly going to be obstacles I simply couldn’t get over in the future without switching professors, retaking classes, and constantly doing extra work without much benefit or change to the software the university was using. All of that could also prolong my graduation by a year, two years, or who knows how long racking up student debt. I had already come so far as I was two semesters away from graduating after this one. However, if I dropped out of SIUe, I would free up enough time to build my portfolio, improve my programming skills, network with free software organizations and potentially get some real-world experience. So, I dropped out. It was at great personal cost to myself, but it was the only ethical option left.</p>